<html>
<title> - PATIENT CONFIDENTIALITY</title>
<body><pre>[House Hearing, 105 Congress]
[From the U.S. Government Printing Office]


                        PATIENT CONFIDENTIALITY

=======================================================================

                                HEARING

                               before the

                         SUBCOMMITTEE ON HEALTH

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED FIFTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 24, 1998

                               __________

                             Serial 105-23

                               __________

         Printed for the use of the Committee on Ways and Means


                    U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 1998


                      COMMITTEE ON WAYS AND MEANS

                      BILL ARCHER, Texas, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
BILL THOMAS, California              FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida           ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut        BARBARA B. KENNELLY, Connecticut
JIM BUNNING, Kentucky                WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana               JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania      KAREN L. THURMAN, Florida
JOHN ENSIGN, Nevada
JON CHRISTENSEN, Nebraska
WES WATKINS, Oklahoma
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri

                     A.L. Singleton, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                         Subcommittee on Health

                   BILL THOMAS, California, Chairman

NANCY L. JOHNSON, Connecticut        FORTNEY PETE STARK, California
JIM McCRERY, Louisiana               BENJAMIN L. CARDIN, Maryland
JOHN ENSIGN, Nevada                  GERALD D. KLECZKA, Wisconsin
JON CHRISTENSEN, Nebraska            JOHN LEWIS, Georgia
PHILIP M. CRANE, Illinois            XAVIER BECERRA, California
AMO HOUGHTON, New York
SAM JOHNSON, Texas


Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Ways and Means are also published
in electronic form. The printed hearing record remains the official
version. Because electronic submissions are used to prepare both
printed and electronic versions of the hearing record, the process of
converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.


                            C O N T E N T S

                               __________

Advisory of March 17, 1998, announcing the hearing

                               WITNESSES

American Medical Management, Jim Sloane
Borowitz, Stephen M., M.D., University of Virginia Health
  Sciences Center
Goldman, Janlori, Georgetown University
MacGregor Medical Association, James Birge, M.D., and Jim Sloane,
  American Medical Management
Mayo Clinic, Sherine E. Gabriel, M.D.
Merck Research Laboratories, and Merck & Co., Inc., Harry A.
  Guess, M.D.
U.S. National Committee on Vital and Health Statistics, Don E.
  Detmer, M.D.

                       SUBMISSIONS FOR THE RECORD

American Association of Health Plans, statement
American Association of Occupational Health Nurses, statement
American College of Occupational and Environmental Medicine,
  Arlington Heights, IL, statement
American Hospital Association, statement
Avorn, Jerome L., M.D., and Elizabeth Andrews, International
  Society for Pharmacoepidemiology, letter and attachments
Frantz, Rita, National Pressure Ulcer Advisory Panel, Alexandria,
  VA, statement
Healthcare Leadership Council, statement
International Society for Pharmacoepidemiology, Jerome L. Avorn,
  M.D., and Elizabeth Andrews, letter and attachments
Medical Group Management Association, statement
National Breast Cancer Coalition, statement
National Pressure Ulcer Advisory Panel, Alexandria, VA, Rita
  Frantz, statement
Shays, Hon. Christopher, a Representative in Congress from the
  State of Connecticut, statement


                        PATIENT CONFIDENTIALITY

                              ----------


                        TUESDAY, MARCH 24, 1998

                  House of Representatives,
                       Committee on Ways and Means,
                                    Subcommittee on Health,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 10 a.m., in room
1100, Longworth House Office Building, Hon. Bill Thomas
(Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]

ADVISORY

FROM THE COMMITTEE ON WAYS AND MEANS

                         SUBCOMMITTEE ON HEALTH

                                                CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE

March 17, 1998

No. HL-20

                      Thomas Announces Hearing on

                        Patient Confidentiality

    Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of
the Committee on Ways and Means, today announced that the Subcommittee
will hold a hearing on patient confidentiality. The hearing will take
place on Tuesday, March 24, 1998, in the main Committee hearing room,
1100 Longworth House Office Building, beginning at 10:00 a.m.

    In view of the limited time available to hear witnesses, oral
testimony at this hearing will be from invited witnesses only.
However, any individual or organization not scheduled for an oral
appearance may submit a written statement for consideration by the
Committee and for inclusion in the printed record of the hearing.


BACKGROUND:


    The Health Insurance Portability and Accountability Act of 1996
(HIPAA) required the Secretary of Health and Human Services to submit
to the Congress ``detailed recommendations with respect to the privacy
of individually identifiable health information.'' In developing her
recommendations, the Secretary was required to consult with the
National Committee on Vital and Health Statistics and the Attorney
General. The Secretary released her report on September 11, 1997, and
Congress has until August 1999 to pass legislation to protect
individual patient confidentiality. If the Congress does not enact
legislation, HIPAA directs the Secretary to issue her own final
enforceable regulations by February 2000.

    Health care information is used for a variety of purposes including
research, disease prevention, quality assurance, and outcomes
measurements. In recent years, health care information has moved away
from paper records to electronic records. This innovation provides
tremendous opportunities for medical advances as well as new challenges
for maintaining patient confidentiality. The Administration's recent
announcement of a delay in the implementation of the HIPAA
administrative simplification provisions underscores the complexity of
maintaining confidentiality in an information age.

    In announcing the hearing, Chairman Thomas stated: ``Our nation has
a great history of leadership in medical advances and health care
innovation. I have seen, first hand, examples of health care data being
used to help in the discovery of new medical techniques and
technologies. In addition, outcomes studies and consumer information
based on up-to-date health care data can make our nation's health care
system better, services more readily available, and care more
affordable. However, it is essential that patient confidentiality
concerns are addressed while maintaining access to data to promote
better health.''


FOCUS OF THE HEARING:


    The hearing will focus on patient confidentiality from the
perspective of the health care consumers, physicians, providers, and
researchers.


DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:


    Any person or organization wishing to submit a written statement
for the printed record of the hearing should submit at least six (6)
single-space legal-size copies of their statement, along with an IBM
compatible 3.5-inch diskette in ASCII DOS Text or WordPerfect 5.1
format only, with their name, address, and hearing date noted on a
label, by the close of business, Tuesday, April 7, 1998, to A.L.
Singleton, Chief of Staff, Committee on Ways and Means, U.S. House of
Representatives, 1102 Longworth House Office Building, Washington, D.C.
20515. If those filing written statements wish to have their statements
distributed to the press and interested public at the hearing, they may
deliver 200 additional copies for this purpose to the Subcommittee on
Health office, room 1136 Longworth House Office Building, at least one
hour before the hearing begins.


FORMATTING REQUIREMENTS:


    Each statement presented for printing to the Committee by a
witness, any written statement or exhibit submitted for the printed
record or any written comments in response to a request for written
comments must conform to the guidelines listed below. Any statement or
exhibit not in compliance with these guidelines will not be printed,
but will be maintained in the Committee files for review and use by the
Committee.

    1. All statements and any accompanying exhibits for printing must
be typed in single space on legal-size paper and may not exceed a total
of 10 pages including attachments. At the same time written statements
are submitted to the Committee, witnesses are now requested to submit
their statements on an IBM compatible 3.5-inch diskette in ASCII DOS
Text or WordPerfect 5.1 format. Witnesses are advised that the
Committee will rely on electronic submissions for printing the official
hearing record.

    2. Copies of whole documents submitted as exhibit material will not
be accepted for printing. Instead, exhibit material should be
referenced and quoted or paraphrased. All exhibit material not meeting
these specifications will be maintained in the Committee files for
review and use by the Committee.

    3. A witness appearing at a public hearing, or submitting a
statement for the record of a public hearing, or submitting written
comments in response to a published request for comments by the
Committee, must include on his statement or submission a list of all
clients, persons, or organizations on whose behalf the witness appears.

    4. A supplemental sheet must accompany each statement listing the
name, full address, a telephone number where the witness or the
designated representative may be reached and a topical outline or
summary of the comments and recommendations in the full statement. This
supplemental sheet will not be included in the printed record.

    The above restrictions and limitations apply only to material being
submitted for printing. Statements and exhibits or supplementary
material submitted solely for distribution to the Members, the press
and the public during the course of a public hearing may be submitted
in other forms.


    Note: All Committee advisories and news releases are available on
the World Wide Web at `HTTP://WWW.HOUSE.GOV/WAYS__MEANS/'.


    The Committee seeks to make its facilities accessible to persons
with disabilities. If you are in need of special accommodations, please
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four
business days notice is requested). Questions with regard to special
accommodation needs in general (including availability of Committee
materials in alternative formats) may be directed to the Committee as
noted above.


                                 ______

    Chairman Thomas. The Subcommittee will come to order.
    Each day, millions of Americans receive medical treatment.
Increasingly, patients receive their care from a multifaceted
system of health care entities and professionals. As our health
care system has evolved from a solo practitioner to complex
integrated health systems and everything in between, so has the
challenge of ensuring that patients' private information is not
improperly disclosed and used for inappropriate purposes.
    National attention regarding the confidentiality of patient
information was heightened with the passage of the Health
Insurance Portability and Accountability Act of 1996. This act
required the Secretary of Health and Human Services to consult
with the National Committee on Vital and Health Statistics and
the Attorney General and to report to the Congress her
``detailed recommendations with respect to the privacy of
individually identifiable health information.'' The Secretary
released a report on September 11, 1997.
Congress now has until August 1999 to pass legislation to protect
that individual patient confidentiality. Without legislation, the
law says the Secretary will write her own regulations.
    Today this Subcommittee begins its exploration of this
important topic. We will hear from experts representing various
parts of the health care system who will share with us their
views regarding the confidentiality of patient information. In
reading their testimony, it was clear to me we are dealing with
a very important but very delicate issue. If the Congress errs
on the side of overprotection, we could stifle medical
innovation and research which would adversely impact public
health. Likewise, if we fail to provide the American public
with adequate reassurance that their individually identifiable
information is protected, some may avoid, delay, or carry out
protective behavioral patterns dealing with necessary
treatments.
    Time is critical, not just because the Secretary will issue
her own regulations in August 1999 if Congress does not act,
but as we will hear on one of our panels today, if Congress
does not act, States are already acting. And we run the chance,
if we do not provide at least guidance if not some uniformity,
of a crazy quilt pattern confronting us in which no one's
wishes are granted, and that is a very real possibility.
    [The opening statement follows:]

Opening Statement of Chairman Bill Thomas

    Each day, millions of Americans receive medical treatment.
Increasingly, patients receive their care from a multi-faceted
system of health care entities and professionals.
As our health care system has evolved--from the solo practitioner
to complex integrated health systems--so has the challenge of
ensuring that patients' private information is not improperly
disclosed and used for inappropriate purposes.
    National attention regarding the confidentiality of patient
information was heightened with the passage of the Health
Insurance Portability and Accountability Act of 1996. This Act
required the Secretary of Health and Human Services to consult
with the National Committee on Vital and Health Statistics and
the Attorney General and to report to the Congress her
``detailed recommendations with respect to the privacy of
individually identifiable health information.'' The Secretary
released her report on September 11, 1997. The Congress now has
until August 1999 to pass legislation to protect individual
patient confidentiality. Without legislation, the Secretary
will write her own regulations.
    Today, this Subcommittee begins its exploration of this
important topic. We will hear from several experts,
representing various parts of the health care system, who will
share with us their views regarding the confidentiality of
patient information. In reading their testimony, it was clear
to me that we are dealing with a very delicate issue. If the
Congress errs on the side of over-protection, we could stifle
medical innovation and research which would adversely impact
public health. Likewise, if we fail to provide the American
public with adequate reassurance that their individually
identifiable information is protected, some may avoid or delay
necessary treatments.
    I look forward to hearing from our first witness, Dr. Don
Detmer, Chair of the National Committee on Vital and Health
Statistics.


                                 ______

    Chairman Thomas. I look forward to hearing from all of our
witnesses, but our first witness, Dr.
Don Detmer, is the chair of the National Committee on Vital and
Health Statistics. And Dr. Detmer, before I recognize you, I would
ask my colleague from Wisconsin if he has any opening statement.
Or if he has a written statement from the Ranking Member, I would
make that a part of the record. But I would recognize the
gentleman from Wisconsin.
    Mr. Kleczka. Mr. Chairman, I do not know if Mr. Stark has
an opening statement, but if he does, I would ask that that be
included. I would also like to introduce into the record a
statement from myself on this timely issue.
    I want to acknowledge the Chairman's interest in the
subject matter, although when he talks about overprotection, I
don't think we are anywhere near that problem when it comes to
a patient's records. In fact, just a short time ago in the
local papers, I think two or three local drugstores were
involved in selling their patient lists to drug companies. In
response to that, consumers received mailings from drug
companies.
    I think privacy concerns are something we should be taking
more seriously in this Congress, not only as it deals with the
Internet and Social Security numbers, but now we have seen in
the most recent past a series of drugstores selling their
patient lists. I think Congress should not sit idly by while
all this continues to happen. I think we should be proactive
and err on the side of the consumer.
    Thank you, Mr. Chairman.
    [The opening statement follows:]

Opening Statement of Congressman Jerry Kleczka

    I am pleased Chairwoman Thomas has called this hearing on
medical privacy today. This public debate will draw attention
to one of the most important issues facing the subcommittee and
American public: guaranteeing the privacy of all Americans'
personal and medical information.
This guarantee is particularly important given the rapid
technological advances and awe-inspiring medical discoveries
being made every day.
    I was appalled, as I am sure many of my colleagues were, to
read in recent Washington Post articles about drugstores
selling confidential patient prescription information to outside
companies for marketing purposes. While the companies in
question quickly changed their practices when consumers
expressed outrage at these revelations, the practice of selling
prescription information to third parties continues to go on
throughout the nation.
    Imagine simply going to the local drug store to fill a
prescription, and, without your permission, the pharmacist
behind the counter transmits your medical and prescription
information to a direct marketing firm. Certainly, innocent
consumers filling prescriptions should have at the very least
an expectation of privacy. Sending confidential prescription
information to a marketing company that has absolutely no
medical expertise or purpose for receiving that information
other than to profit from it raises serious ethical questions.
I believe legitimate checks can and should be placed on this
type of practice.
    Too many Americans operate under the assumption that their
private medical records are just that, private. However, in
today's computer age where personal information can be
transmitted across the country quite literally at a push of a
button, threats to the privacy of individuals' medical records
have never been greater. While this technological innovation
has provided opportunities for and led to important medical
advances, it has come with a price--the price of sacrificing
one's personal privacy and security.
    There are, of course, appropriate uses for electronically
transmitting medical information.
For example, managed care networks, insurers, medical researchers,
or benefits managers arguably have legitimate needs for quick and
easy access to medical records. However, the idea that potentially
thousands of individuals could gain access to this electronic
data--something so sacred and private as a diagnosis of mental
illness or terminal illness, for example--gives me pause. I
find it even more troubling that this private information can
and is electronically transmitted for absolutely no legitimate
medical purpose. Transmitting this information to a third-party
solely to improve the profit margins of a pharmaceutical
company is simply unconscionable.
    The Health Insurance Portability and Accountability Act of
1996 required the Secretary of Health and Human Services to
submit detailed recommendations with respect to the privacy of
individual's health information. The Secretary released her
report this past September and we in Congress have until August
1999 to pass legislation protecting patient confidentiality. My
hope is that as we prepare this legislation Congress will not
only reflect back on the testimony heard today, but also on the
missteps and breaches of confidentiality that have occurred in
the past and place strong protections for the future.


                                 ______

    Chairman Thomas. I thank the gentleman. Our goal is not to
err on either side but to pass informed legislation. Our goal
is not to legislate by anecdote but be informed legislators.
That is the purpose of this hearing.
    And with that, I recognize Dr. Detmer and tell him that the
written statement he has will be made a part of the written
record, without objection, and you can address us in any way
you see fit in the time you have available.
    Dr. Detmer. Thank you very much, Mr. Chairman. Good
morning.
    Chairman Thomas. I will tell you in advance these
microphones are unidirectional and you have to speak directly
into them and relatively close.

   STATEMENT OF DON E. DETMER, M.D., CHAIRMAN, U.S. NATIONAL
            COMMITTEE ON VITAL AND HEALTH STATISTICS

    Dr. Detmer. I appreciate the opportunity to appear before
the Subcommittee on this extraordinarily important legislative
issue. Privacy, confidentiality, and security of individual
health information touches the lives of all Americans in a very
personal way, and your actions will influence the future course
of health care and the future of medicine itself.
    I am a university professor and senior vice president at
the University of Virginia and a practicing surgeon. I am here
today in my role as chair of the National Committee on Vital
and Health Statistics. As you are aware, the committee is a
nearly 50-year-old statutory public advisory body to the
Secretary of Health and Human Services on health data privacy
and health information policy. Its 18 members include four
practicing physicians.
    Through the mandates of the 1996 Health Insurance
Portability and Accountability Act, the committee's
responsibilities were broadened to encompass health statistics,
privacy, and computer-based clinical records for both the
public and private sector. Last June the committee provided its
initial recommendations to the Secretary and she, in turn,
submitted her detailed recommendations to Congress last
September.
    All in all, the committee held over 20 days, full days, of
public hearings and heard from more than 200 witnesses who
discussed data standards, privacy, and security issues. The
hearings included representatives from across the entire
spectrum of the health community.
This extensive public consultation was immensely helpful to us as
we formulated our recommendations to Secretary Shalala, and we
continue to hold hearings to further refine our advice.
    Our hearings showed strong and widespread support for
Federal health privacy legislation. At the same time, it is
clear our society has not yet reached a consensus about the
definition and boundaries of privacy in an information age. The
committee has concluded that our Nation faces a privacy crisis
today, and legislation is urgently needed to address two policy
deficiencies.
    First, we lack solid Federal legislation on fair
information practices for personal health information. Second,
we lack sufficient antidiscrimination statutes to keep personal
health information from being used against citizens in areas
such as employment and insurability. With the fast pace of
progress in medicine and technology, this further complicates
an already complex situation.
    With the exception of one abstention, all the
recommendations from the Committee were unanimous. What does
the committee wish to see in this legislation?
    We want a law that requires creators and users of
identifiable health information to ensure a full range of fair
information practices, including the patient's right of access
to his or her records, the right to seek amendment of records,
and the right to be informed about users and uses of health
information.
    We seek reasonable restrictions and conditions on access to
and use of personally identifiable health information that
maintains protections for the information as it passes into the
hands of secondary and tertiary users, so that there are no
loopholes that allow information to escape appropriate
controls.
    We seek adequate security for health data, no matter what
media are used to create, transmit, or store data.
That is, we wish the protections to apply to the data itself and
not to whatever medium or technology is used.
    We want those who create and use personally specific health
information to accept accountability for actions that affect
privacy interests of patients. We support sanctions when
restrictions are violated.
    We wish to promote the use of nonidentifiable, coded, or
encrypted information when a function can be fully and
substantially accomplished without more specific identifiers.
    The committee strongly supports the use of health records
for all forms of legitimate health research without a
case-by-case patient consent for access to such data, subject to
independent review of research protocols and other procedural
protections for patients.
    The committee also strongly supports the use of health
records for public health purposes, subject to substantive and
procedural barriers commensurate with the importance of public
health function.
    The committee believes patients need strong substantive and
procedural protections if their records are to be disclosed to
law enforcement officials.
    The committee strongly supports limiting use and disclosure
of identifiable information to the minimum amount necessary to
accomplish the purpose.
The committee also strongly believes when identifiable health
information is made available for nonhealth uses, patients deserve
a strong assurance that the data will not be used to harm them.
    We urge the Congress to pass such legislation during this
session, since we do not believe the HIPAA privacy regulatory
authority is an adequate alternative to legislation.
    Clearly, with the continued development of computer-based
patient health records, it would be best to integrate the
appropriate security and policy procedures into the emerging
architecture of such systems, and this will require action now
rather than later since these systems are being built as I
speak to you. Action now should allow us to avoid a variant of
the ``year 2000'' problem in this age of computers.
    The committee recognizes drafting and passage of the health
privacy law will not be easy. Health privacy legislation
presents hard choices and difficult tradeoffs. Health records
are primarily used for the treatment of patients, to improve
the quality of care, reduce the cost of health care, expand the
availability of health care, protect the public health, and
assure public accountability of the health care system. Privacy
competes with all of these objectives, and it will not be easy
to strike a widely accepted balance between privacy and these
other worthy goals. The new legislation must reflect the
current structure and legislative framework for health care and
allow for continued progress in health care.
    In summary, two sets of legislation are needed. The first
involves the relationship between privacy as defined by
principles of fair information practices; and the second
relates to concerns about discrimination based on health status
or conditions.
The antidiscrimination provisions of HIPAA need to be expanded to
cover all aspects.
    Whether or not general privacy concerns and discrimination
concerns should be addressed together in the same piece of
legislation, you can best decide. An already complex health
privacy accountability bill may not be the best place to sort
out responses to the important discrimination problems.
    The National Committee on Vital and Health Statistics calls
on everyone to work together in good faith. Everyone should
benefit from a well-crafted set of fair information practices
for health information. Patients will have new rights and
greater protections for sensitive information. Critically
important, trust in the provider-patient relationship will be
preserved. Providers and insurers will have clearer rules and
responsibilities. Secondary users will know when they can and
cannot have information and what their obligations and
penalties are if these obligations are ignored.
    The committee is pleased to provide a public forum for
continued advice on these issues, and we look forward to
working with you and others to achieve a comprehensive and
balanced public privacy health information law.
    Thank you, Mr. Chairman. I would be happy to answer
questions.
    [The prepared statement follows:]

Statement of Don E. Detmer, M.D., Chairman, U.S. National Committee on
Vital and Health Statistics

                              Introduction

    Thank you, Mr. Chairman. It is a pleasure to appear before
the Committee today to discuss health information privacy,
confidentiality, and security issues. I am currently University
Professor and Senior Vice President at the University of
Virginia and a practicing surgeon. I appear before you today in
my role as chair of the National Committee on Vital and Health
Statistics (NCVHS).
The NCVHS is the statutory public advisory \nbody to the Secretary of Health and Human Services on health \ndata, privacy and national health information policy.\n    The NCVHS has a distinguished, nearly fifty year history of \nproviding the government with broad based advice on health data \nissues, including data needed to assure the quality of care, \nmeet public health needs as well as data needs for other \npurposes. In 1996, the Health Insurance Portability and \nAccountability Act (HIPAA) assigned the committee new \nresponsibilities for health information policy development on \ndata standards, privacy, and computer-based clinical records \nfor both the public and private sectors.\n    The Committee is made up of 18 members, sixteen appointed \nby the HHS Secretary, one appointed by the Speaker of the House \nand one appointed by the President pro tempore of the Senate. \nMembers are appointed from among individuals who have \ndistinguished themselves in a variety of fields ranging from \nprivacy and security of health information to the provision of \nhealth services and population-based public health. Four of the \ncurrent members are practicing physicians.\n    As a result of the passage of HIPAA, the nation has the \npotential to achieve major improvements in the quality and \neffectiveness of health care and the efficiency of the health \nsector through improved information technology. And the law \nprovides this opportunity in a national framework that protects \nthe privacy and security of health information. The primary \nfocus of the law is on private health insurance reform. \nHowever, the provisions on Administrative Simplification \noutline a new national framework for health data standards, \nsecurity and health information privacy in the U.S.\n    Today, I will focus on the health information privacy \nprovisions of HIPAA, and especially on the NCVHS\'s \nrecommendations to HHS relating to health information privacy. 
\nHIPAA required that the Secretary of Health and Human Services \nsubmit ``detailed recommendations\'\' to the Congress ``with \nrespect to the privacy of individually identifiable health \ninformation.\'\' In preparing her recommendations, the Secretary \nwas directed to consult with the National Committee on Vital \nand Health Statistics. Last June, the NCVHS provided our \ninitial recommendations on privacy, confidentiality, and \nsecurity to Secretary Shalala. She, in turn, submitted her \ndetailed recommendations to Congress last September.\n    Our full report is available on the NCVHS website: http://\naspe.os.dhhs.gov/ncvhs, and the Secretary\'s privacy \nrecommendations are available on the HHS administrative \nsimplification website: http://aspe.os.dhhs.gov.admnsimp.\n\n            NCVHS Health Information Privacy Recommendations\n\n    As a basis for our privacy recommendations, the NCVHS held \nsix full days of public hearings last year during which we \nheard from over 40 witnesses. All in all, we held over 20 full \ndays of public hearings and heard from more than 200 witnesses \nwho discussed data standards, privacy and security issues. The \nhearings included representatives from across the entire \nspectrum of the health community, including the privacy \ncommunity, research, public health, quality assurance, \ninsurance, managed care, law enforcement and oversight, \nproviders, claims processors, the drug industry, federal \nagencies and consumer interest groups. This public consultation \nwas immensely helpful to us as we formulated our \nrecommendations to Secretary Shalala.\n    First of all, our hearings showed strong and widespread \nsupport for federal health privacy legislation. And with the \nexception of one abstention, all recommendations of the \ncommittee were unanimous. The committee had difficulty with the \ndefinition of privacy as it relates to the confidentiality and \nsecurity of person-specific health information. 
It chose to use \nthe word ``privacy\'\' in its report mainly since the word has \nbeen the major term used in public discussion of this topic. \nThe culture has yet to reach a consensus on what privacy should \nmean in contemporary society.\n    Be that as it may, the committee concluded that the United \nStates is in the midst of a health privacy crisis. The \nprotection of health records has eroded significantly in the \nlast two decades. Major contributing factors are ongoing \ninstitutional changes in the structure of the health care \nsystem and the lack of modern privacy legislation. Without a \nfederal health privacy law, patient protections will continue \nto deteriorate in the future.\n    We also concluded that the importance of trust in the \nprovider-patient relationship must be preserved. Patients must \nfeel comfortable in communicating sensitive personal \ninformation. Delays in passing privacy legislation will allow \nadditional and uncontrolled uses of health information to \ndevelop. Failure to address health data privacy concerns can \nundermine public confidence in the health care system, expose \npatients to continuing invasions of privacy, subject record \nkeepers to potentially significant legal liability, and \ninterfere with the ability of health care providers and others \nto operate the health care delivery and payment system in an \neffective and efficient manner.\n    The greater the delay in imposing meaningful controls on \ninappropriate use and disclosure of identifiable health \ninformation, the more difficult it may be to generate \nenthusiasm for instituting necessary restrictions on use and \ndisclosure, or change the way that information is acquired, \nmaintained, and used. 
Clearly, with the continued development \nof computer-based patient record systems, it would be best to \nintegrate the appropriate security and policy procedures into \nthe emerging architecture of such systems.\n    The NCVHS recommended that the Secretary and the \nAdministration assign the highest priority to the development \nof a strong position on health privacy that provides the \nhighest possible level of protection for the privacy rights of \npatients. Any realistic proposal must properly balance the \nimportant and well-established interests of patients in the \nprotection of their health information and the legitimate needs \nof the health care system to provide and pay for health care in \nan efficient, effective and fair manner while supporting the \nresponsible use of health records for public health and health \nresearch, and other legitimate social purposes.\n    The Health Insurance Portability and Accountability Act \nprovides that if the Congress does not pass privacy legislation \nby August 1999, then the Secretary of HHS is authorized to \nissue regulations containing standards for the privacy of \nelectronic administrative and financial transactions. However, \nthe Committee found a clear and strong preference for a \ncomprehensive legislative solution, rather than addressing \nhealth privacy through the regulatory process alone.\n    It is difficult to address health privacy requirements in a \npiecemeal fashion. Rules that only cover electronic health care \ntransactions but not paper-based transactions or other types of \nhealth records could prove very difficult to develop or \nadminister. 
Further, the committee firmly believes that policy \non data confidentiality and security should not be contingent \nupon the form, medium, or technology used to record or work \nwith health data, e.g., paper, fax, or an electronic medium.\n    Consequently, the NCVHS strongly recommends that the \nCongress enact a health privacy law before it adjourns this \nfall. Leaders in both House and Senate should publicly endorse \nthe need for strong and effective privacy legislation that \nprovides meaningful protections to patients. Congressional \nleaders should ask relevant legislative committees to agree to \na timetable for action. The Congress should not treat the \nexistence of the regulatory authority as an adequate \nalternative to legislation.\n    The Committee calls for a law that requires creators and \nusers of identifiable health information to--\n    * ensure a full range of fair information practices, \nincluding a patient\'s right of access to records, right to seek \namendment of records, and right to be informed about uses of \nhealth information;\n    * accept reasonable restrictions and conditions on \naccess to and use of identifiable health information;\n    * maintain protections for health information as it \npasses into the hands of secondary and tertiary users so that \nthere are no loopholes that allow health information to escape \nfrom privacy controls;\n    * provide adequate security for health data no \nmatter what media are used to create, transmit, or store data;\n    * accept accountability for actions that affect the \nprivacy interests of patients;\n    * promote the use of non-identifiable, coded, or \nencrypted information when a function can be fully or \nsubstantially accomplished without more specific identifiers.\n    The law must also impose restrictions on disclosure and use \nof the information and impose sanctions for violations.\n    The Committee strongly supports the use of 
health records \nfor health research without a case by case patient consent for \naccess to such data, subject to independent review of research \nprotocols and other procedural protections for patients.\n    The Committee also strongly supports the use of health \nrecords for public health purposes, subject to substantive and \nprocedural barriers commensurate with the importance of the \npublic health functions.\n    The Committee believes that patients need strong \nsubstantive and procedural protections if their health records \nare to be disclosed to law enforcement officials.\n    The Committee strongly supports limiting use and disclosure \nof identifiable information to the minimum amount necessary to \naccomplish the purpose. The Committee also strongly believes \nthat when identifiable health information is made available for \nnon-health uses, patients deserve a strong assurance that the \ndata will not be used to harm them.\n    The Committee recognizes that the drafting and passage of a \nhealth privacy law will not be easy. Health privacy legislation \npresents hard choices and difficult tradeoffs. Health records \nare primarily used for the treatment of patients and to improve \nthe quality of health care, reduce the costs of health care, \nexpand the availability of health care, protect the public \nhealth, and assure public accountability of the health care \nsystem. Privacy competes with all of these objectives, and it \nwill not be easy to strike a widely accepted balance between \nprivacy and these other worthy goals. As mentioned earlier, the \ntask is not made any easier by the lack of agreement about what \nprivacy even means in contemporary American society.\n    In our hearings, users of health information uniformly \nexpressed strong support for privacy legislation. However, most \nusers also asked that no--or at most few--new restrictions be \nplaced on their ability to collect, use, and disclose health \ninformation. 
The Committee believes that it is unfair and \nunreasonable for any health data user to expect that health \nprivacy legislation will not require some change in policy and \npractice. Everyone--patients and record keepers alike--will \nbenefit from health privacy legislation, and everyone is likely \nto pay some price for the legislation.\n    At the same time, the Committee recognizes that privacy \nlegislation must take into account the complexity and the needs \nof the current health care delivery and payment system. New \nlegislation must reflect the current structure and legislative \nframework for health care. Changes can and must be made, but no \none can expect that the health care system will be restructured \nsolely in the interests of privacy and without regard to cost. \nIndeed, achieving cost savings from administrative \nsimplification was a key driver behind the Health Insurance \nPortability and Accountability Act of 1996. The Committee has \nno doubt that a privacy bill can be passed that balances the \ninterests of patients with the needs of the health care system.\n    The Committee also recognizes that passing legislation will \nnot end either the debate or the struggle to accomplish desired \nimprovements. Once a law passes, record keepers will have to \nchange to accommodate the new rules, federal and state agencies \nwill have to oversee implementation of the new law, and the \nCongress may be called upon to refine the law in the future. \nInternational data protection standards are being developed, \nand the United States needs to be a full partner in this \neffort.\n\n                             Special Issues\n\n    Let me now turn to several additional issues that we heard \nabout in our hearings.\n\nNeed for Anti-Discrimination Law\n\n    One issue that arose from time to time during the hearings \nwas the relationship between privacy (as defined by principles \nof fair information practices) and discrimination. 
Clearly some \nmotivation for protecting health information is to prevent the \ndiscriminatory use of the information both inside and outside \nthe health care setting. Patients receiving care for some \nhealth conditions or who have been the subject of genetic \ntesting have been and continue to be the subject of \ndiscrimination in employment, insurance, and elsewhere. Several \ncurrent bills address the possible discriminatory use of \ngenetic information.\n    Discrimination based on health status and condition remains \na major and important concern, and it deserves a legislative \nsolution. Whether or not general privacy concerns and \ndiscrimination concerns should be addressed together in the \nsame piece of legislation, you can best decide. However, an \nalready complex health privacy and confidentiality bill may not \nbe the best place to sort out responses to equally complex \ndiscrimination problems. The Committee suggests that privacy \nand discrimination issues both deserve explicit legislative \ntreatment. The Committee urges the Congress to consider \nlegislation expanding the anti-discrimination provisions of \nHIPAA to cover all aspects of discrimination based on health \nstatus and condition.\n\nPreemption\n\n    Perhaps the most difficult conflict identified during our \nhearings is over preemption of state laws. Among large segments \nof the health industry, a major benefit to federal legislation \nis a high degree of regulatory uniformity throughout the \ncountry. The interstate nature of health care treatment and \npayment activities is readily apparent. By one estimate, \napproximately half of the U.S. population lives near the border \nof another state. To have a patient work in the District of \nColumbia, reside in Maryland, and receive care in Virginia \ncreates a nightmare for the health care system to track unless \nsubstantial uniformity of policies and procedures exists. It 
It \nwill be difficult for many involved in electronic transfers of \nhealth data to accept any proposal that does not offer \nsignificant relief from the prospect of 50 different state laws \nestablishing separate rules.\n    On the other hand, it would be difficult for many patient \ngroups, privacy advocates and perhaps some provider groups to \naccept any proposal that does not allow states to adopt \nstronger privacy protections as specified in the HIPAA. People \ndisagree whether existing state laws offer greater protection \nthan most of the current federal proposals. There is strong \nsupport in some communities for a solid federal confidentiality \nstandard that allows states to erect stronger privacy barriers. \nThis was the approach that Secretary Shalala recommended last \nSeptember.\n    The Committee suggests, however, that this issue need not \nbe treated as a single problem with a single solution. The \nconflicts need to be broken down into components, and each \ncomponent analyzed separately. In some areas, the case for \nfederal preemption may be strong. For example, it may be \nunnecessarily complex to support 50 different patient access \nprocedures. On the other hand, the need to recognize the \ndiversity of state public health laws is already clearly \nreflected in most proposals. No one has suggested or is likely \nto support a uniform federal public health law. A narrower and \ncareful analysis of preemption may help to minimize the \nadmittedly strong conflicts here and may point to more \neffective resolutions. 
However, if sufficient national \nconformity is not achieved, both national and international \nobjectives cannot be met.\n    The Committee stands willing to respond to such remaining \nissues in new legislation if and as the Congress desires.\n\nUnique Health Identifier for Individuals\n\n    Because of privacy concerns, the NCVHS has recommended that \nHHS not adopt a standard for unique identifier for individuals \nas called for in HIPAA until privacy legislation is enacted. \nThe NCVHS stated that ``...it would be unwise and premature to \nproceed to select and implement such an identifier in the \nabsence of legislation to assure the confidentiality of \nindividually identifiable health information and to preserve an \nindividual\'s right to privacy.\'\'\n    The NCVHS outlined three sets of concerns. First, we noted \nthat the selection of a unique health identifier for \nindividuals will become the focus of tremendous public \nattention and interest, far beyond that afforded to other \nhealth privacy decisions. No choice, the Committee concluded, \nshould be made without more public notice, hearings and \ncomment.\n    Second, we concluded that, until a new federal law \nadequately protects the confidentiality of the health record, \nit is not possible to make a sufficiently informed choice about \nan identification number or procedure. The degree of formal \nlegal protection in such a law will have a major influence on \nboth the decision itself and the public acceptance of that \ndecision. 
Indeed, we would hope that passage of a comprehensive \nhealth privacy law would make the choice of an identifier \neasier, e.g., less threatening.\n    Finally, the NCVHS stated that a unique health identifier \ncould not be protected from misuses under current law, \nnotwithstanding the criminal penalties for wrongful disclosure \nenacted in HIPAA.\n    At the same time, the Committee feels an obligation to \naddress the law and provide advice on this controversial \nmatter. Accordingly, we are planning to hold several public \nhearings around the country to gather information and explore \nthe issue further. This will be done in conjunction with the \nplanned publication by HHS of a Notice of Intent to gather \ndescriptive and evaluative information on unique identifiers \nfor use in the health system on a systematic basis, including \ncurrent practices, before developing any further \nrecommendations. Lack of unanimity from the committee on this \ntopic may occur, reflecting the difficult nature of the \nproblem.\n\nComputer Technology\n\n    Testimony received by the Committee showed that computers \nare perceived differently by different individuals and groups. \nSome view them as major threats to patient privacy and others \nas tools for offering far greater protection of personal health \ndata than is achievable with paper records. In terms of \nlimiting release to selected information, computer-based data \noffers the greatest potential to avoid revealing patient \nidentifiers. Others see computerized repositories of health \ndata as magnets for hackers and other abusers and presume huge \nhealth data repositories are forthcoming. Testimony suggested \nthat the real threats to computerized information--as with \npaper records--come from insiders and not from hackers. \nUnfortunately, this debate is hampered by a lack of sufficient, \ngood health services research on the frequency and seriousness \nof problems in this area. 
Anecdotal information abounds with \nlegitimate questions remaining as to its validity and \nrepresentativeness.\n    Some have suggested that the patient authorization process \nshould be expanded and that patients should be asked or \npermitted to make decisions about whether their information may \nor may not be computerized. The Committee is not sympathetic to \nthe notion that patients should have a choice in the technology \nused to create, store and transmit health information. This is \nnot a choice that record subjects have for records maintained by \nother third party record keepers such as banks and employers. \nRequiring health record keepers--who are spending vast sums on \ncomputerization--to retain parallel paper systems is \nimpractical and costly. It would deny the benefits and savings \nthat the Congress has already determined will result from \nincreased use of modern information technology.\n    Computers are an inevitable part of modern health care and \nindeed are intrinsic to the actual delivery of hospital care \ntoday. In addition, computer technology can provide \nstrengthened confidentiality protections for personal health \ninformation. We should move on to debate the proper protections \nfor records in a computerized environment. One response would \nbe increased criminal and civil penalties for misuse of \ncomputerized health records. These penalties should apply to \nboth inside and outside abusers of health data.\n\nLaw Enforcement\n\n    Testimony revealed sharp differences over the standards and \nprocedures that should govern law enforcement access to health \nrecords. The law enforcement community contends that its track \nrecord accessing health records is a good one and that its \naccess authority is not abused. 
Some health care providers and \nprivacy advocates, however, seek to establish higher standards \nthat would require law enforcement requests for records to \nobtain court orders, to provide patient notice, and to \nexpressly justify each access to records.\n    Several privacy proposals would prevent use of health \nrecords against the record subject if an investigation of a \nprovider brought to light criminal activity by the patient \nother than health care fraud.\n    This is the one major area where the NCVHS respectfully \ndiffers from Secretary Shalala\'s recommendations. She \nrecommended no changes to existing laws relating to law \nenforcement access to personal health information. Striking a \nbalance between the needs of law enforcement and the privacy \ninterests of patients is difficult but a crucial piece of this \nentire puzzle.\n    The Committee believes that patients need strong \nsubstantive and procedural protections if their health records \nare to be disclosed to law enforcement officials. Investigators \nshould be required to justify the need for patient identifiers \nand to remove identifiers at the earliest possible opportunity. \nOther HIPAA provisions restrict the use of health information \nagainst the subject of the record unless the investigation \narises out of and is directly related to health care fraud. If \nlaw enforcement wants to use the record in another way, it must \nfirst obtain a court order. That is one procedural barrier that \nis also included in several current privacy legislative \nproposals. Other proposals go further by requiring notice to \nthe patient in some cases.\n\n                               Conclusion\n\n    The NCVHS calls on everyone to work together in good faith. \nIt is crucial that the Congress pass a balanced law as quickly \nas possible. Each year, health information becomes available \nfor new uses, often without any legal, administrative, or \npolicy barriers. 
Unless legislation passes soon, the risks to \nboth patients and record keepers grow.\n    Everyone should benefit from a well-crafted set of fair \ninformation practices for health information. Patients will \nhave new rights and greater protections for sensitive \ninformation. Providers and insurers will have clearer \nresponsibilities and rules. Secondary users will know when they \ncan have health information, when they cannot, what their \nobligations are, and what penalties will result if these \nobligations are ignored. None of these benefits will be \nachieved unless everyone approaches the legislative process \nwith a spirit of compromise.\n    The NCVHS is pleased to provide a public forum for \ndeliberation and advice on these issues, and we look forward to \nworking with HHS, the Executive Branch and the Congress on a \ncomprehensive and balanced health information privacy law.\n    Thank you, Mr. Chairman. I would be happy to answer any \nquestions.\n      \n\n                                ______\n\n    Chairman Thomas. Thank you very much, Doctor. I guess the \neasiest way to start would be to indicate that in your \ntestimony you said that Congress should not treat the existence \nof the regulatory authority as an adequate alternative to \nlegislation.\n    Would you expand on that? Do you have any particular \nconcerns about the Department of Health and Human Services\' \nability to promulgate such regulations? Or is it just too \nimportant to leave up to an agency, and Congress\' \nresponsibility ought to be to grapple with this question? What \nis it that worries you about letting the process go the way the \nlegislation is structured?\n    Dr. Detmer. The key limitation of the process is that the \nlaw, as written, covers electronic and computer-based \ninformation and not paper and other forms, and that is the \nprincipal concern. 
So, essentially, the legislation really has \na more limited scope.\n    The committee also feels the legislation dealing with this \nmore broadly can generally craft a better response.\n    Chairman Thomas. I have been impressed with the learning \ncurve of a number of individuals who have been almost \noutspoken, I guess, advocates for privacy, and their \nunderstanding of that. Electronic data can, if done properly, \nbe even better protected than paper records.\n    Do you believe there is any role currently or in the near \nfuture for a rather directed movement toward electronic rather \nthan the keeping of paper records; either carrots or sticks of \nsome sort to move more rapidly into electronic recordkeeping?\n    Dr. Detmer. Yes. First, I would echo your initial comment, \nbut very strong differences of opinion exist about this issue. \nThose of us who have actually worked in both the paper era as \nwell as, or have a professional interest in the electronic \napproach, feel that actually there are a number of advantages \nto computer-based records. You can encrypt it, you can extract \nsolely the information you are interested in and move it along, \notherwise keeping the rest of the record behind. You also have \naudit trails that can be helpful.\n    The point is that with the complexity of health care moving \nthe way it is in terms of the technology, the care itself, the \nmedical information and such, I think the only way we will have \nhigh quality, cost-effective care is with computer-based record \nsystems. 
And, as a country, we have not done what we could do \nto move this technology forward.\n    A key requirement for progress in this technology relates \nto what we are here today for--privacy legislation is an \nabsolutely essential foundation brick needed if we are to see \nthe real benefits of this technology develop.\n    [The following was subsequently received:]\n    In its administrative simplification requirements, the \nHealth Insurance Portability and Accountability Act of 1996 \n(HIPAA)(Public Law 104-191, Aug. 21, 1996) calls for uniform \nstandards for electronic transactions in health administration \nprecisely because separate standards developed at other than \nthe national level are not workable.\n    The Recommendations of the Secretary of Health and Human \nServices, pursuant to section 264 of the Health Insurance \nPortability and Accountability Act of 1996 (September 11, \n1997), noted that\n    [t]here is continuing movement toward a computer-based \npatient medical record, with national standards for content and \nformat, and the possibility of ready interstate transmission as \nneeded for patient care. A major impetus toward adopting this \ntype of record was a report of the Institute of Medicine in \n1991 that recommended adoption of the computer-based patient \nrecord as the standard for all patient care records. Likewise, \nincreasing use of telemedicine means that patient information \nwill often cross State lines, sometimes in real-time delivery \nof care. 
This promising development is an important facet of \nthe National Information Infrastructure because of its \npotential to provide greater access to quality health care for \nall Americans, especially those living in rural and remote \nareas.\n    The National Committee on Vital and Health Statistics \n(NCVHS) last year held six days of hearings involving witnesses \nfrom the full spectrum of public and private constituencies \nconcerned with privacy, consumer interests, and operation of \nthe health care system. Testimony received at these hearings \nshowed that ``computers are perceived both as threats to \npatient privacy and as tools for protecting personal health \ndata. Some see computerized information as the best way to \nsupport greater use of data without revealing patient \nidentifiers. With traditional paper records, for example, the \ndifficulties of creating non-identifiable data are typically \nsignificant. It may be impractical and very time-consuming to \nmake a complete copy of a paper record with all identifying \ndata removed. With a computer record, the administrative burden \nof creating anonymized records may be insignificant. Others see \ncomputerized repositories of health data as magnets for hackers \nand other abusers.\'\' Further testimony suggested that\n    [T]he real threats to computerized information--as with \npaper records--come from insiders and not from hackers.\n    Nevertheless, because of the important and increasing role \nof computers in health care, it is important to be sensitive to \nboth public perceptions and to the possibility that abuses of \ncomputerized health records will increase in the future. One \nresponse would be increased criminal and civil penalties for \nmisuse of computerized health records. 
These penalties should \napply to both inside and outside abusers of health data.\n    The Committee noted that it is often overlooked that \ncomputers contribute directly to improved patient care in many \nways, and that debates on the proper role of computers and \nelectronic records often focus only on the threats to privacy \nand not the benefits for patients. The committee concluded that \na more balanced discussion about the value and the risks of \ncomputers is essential, and\n    that we need to do more to develop and implement \ntechnological protections for health records. Technology offers \nthe possibility that we can use records for socially beneficial \npurposes while fully protecting privacy at the same time. \nGreater use of nonidentifiable, coded, or encrypted records can \nmake everyone better off at little or no cost. Technology will \nnot cure all problems related to the use of identifiable \ninformation, but it can diminish the intensity and scope of the \nproblems. This may be the most promising area for additional \ndevelopment.\n    The NCVHS has not addressed incentives or disincentives for \nthe keeping of electronic records. A new NCVHS workgroup on \nComputer-based Patient Records may address this issue in the \nfuture.\n      \n\n                                ______\n\n    Chairman Thomas. Let me ask the question a slightly \ndifferent way. Are our efforts enhanced, do we make the job \neasier or more difficult based upon the way we approach how we \nare going to legislate; that is, try to deal with the very \nsensitive question of privacy for both individually \nidentifiable records and encrypted records, whether they be \nelectronic or paper; or if we put a serious emphasis on trying \nto create a timeline in which we move to the electronic era and \nthen deal with the same concerns about individually identified \nrecords? I am wondering which, in your opinion, would get us \nthere in the most efficacious way.\n    Dr. Detmer. 
I think if we acted on this issue--if you acted \non this issue in this session----\n    Chairman Thomas. I assure you it is going to be ``we.\'\'\n    Dr. Detmer. Well, I would hope so. In any event, if this is \nacted upon in this session, I honestly think the field is \nmoving forward, but there are also things that would be in the \npublic\'s interest that the Congress could also do to facilitate \nthe development of computer-based health records.\n    We have in this country fairly well-developed hospital \ninformation systems compared to those for primary care and \nsmaller care units. If you look at the United Kingdom or the \nNetherlands, for example, they have put in some tax benefits as \nwell as equipment writeoffs that really have moved that \ntechnology forward.\n    And, incidentally, they have privacy legislation in place, \nand the populations in both of those countries feel quite good \nactually in that sense about this issue. I am not saying to \nevery last person, but as a development I think it is seen as a \npositive thing.\n    Chairman Thomas. The difficulty, of course, is that Great \nBritain is a unitary country and we are a Federal system, and \nStates have proper roles to play in a number of areas. Dealing \ndirectly with individuals, for example, with regard to health \nand welfare, is one of the roles the States have to play which \nmakes our job more difficult to bridge those differences.\n    In looking at the information, one of the concerns I think \nis warranted by the individuals who do not want to err, who are \nconcerned on the side of the right to privacy, is the access to \nthose identifiable patient records. Does it seem reasonable \nthat if we, for example, move toward a system which would allow \nfor a determination of who accessed the records, to make that \naccessing of the records available to individuals?\n    I know you can place extreme punishment on people misusing \nthat information. 
But I think the most chilling effect often on \npeople misusing that information is to make it easily known as \nto who it is that is accessing those records. That is the first \npart of the question.\n    The second part, since that involves enforcement in a very \ndirect way, it is too simplistic to view the role of the \nFederal Government and the State legislators as perhaps \ndividing it along that line; that where there are identifiable \npersonal records, that could be a very proper and appropriate \nrole for the States to deal with how you deal with that \ninformation; and the encrypted records, primarily for research, \nfar more often travel across State lines, are collected for \npurposes that should have a set of protocols properly approved \nby an appropriate agency? Is that too simplistic a view?\n    Dr. Detmer. The difficulty, unfortunately, is we have been \ngetting testimony in some of our recent hearings in particular \nthat the ability to assure the data are securely encrypted, \nclearly identifiable, or are clearly not identifiable is not \nlikely to be that airtight.\n    The fact of the matter is, almost all of these things can \nbe open to manipulation, if you will. The most likely assurance \nyou will be getting encrypted or nonidentifiable data, which \ninvolves a lot of the information, will simply be from the fact \nthat you have strong sanctions in place. People will clearly \nwant to just use nonidentifiable data as much as possible to \navoid, obviously, the exposure to sanctions for misuse.\n    It would be tough to get back directly to your question, to \ncraft language in that kind of a dichotomous approach.\n    Chairman Thomas. But would you respond directly to the \npoint of having the ability to have a clear trail from the \nidentifiable electronic data and providing it to, for example, \nthe individual, as to who it is that has been looking at the \nrecords?\n    Dr. Detmer. 
Yes, I think certainly the trail, the idea of \naudit trails is a protection. It is also true, of course, \ndepending on how much information you keep relating to all the \ntrails and who is involved, that that also then becomes, if it \nis overdone, yet another set of information that could then be \nabused and hence invade privacy. So all of these things have a \nbalance that has to be struck.\n    [The following was subsequently received:]\n\n    The NCVHS provided its recommendations on adoption of \nsecurity standards in a letter to the Secretary, HHS, dated \nSeptember 9, 1997. In providing a series of principles and \nrecommendations for the Secretary\'s consideration, the \nCommittee stated that in order for health information systems \nto be secure, there must be monitoring of access. Specifically, \n``[o]rganizations should develop audit trails and mechanisms to \nreview access to information systems to identify authorized \nusers who misuse their privileges and perform unauthorized \nactions and detect attempts by intruders to access systems.\'\'\n      \n\n                                ______\n\n    Chairman Thomas. And then finally, I know it was in your \ntestimony but I want to underscore it, the administration in \nmaking its initial proposals placed a privileged category for \nlaw enforcement agencies, and you voiced some concern about \nthat.\n    My assumption is we all understand the importance of that, \nbut that in your opinion they probably carved out too big an \nisland, too exclusive an approach for law enforcement?\n    Dr. Detmer. Yes. With all respect, this was the only area \nof significant difference between the committee\'s \nrecommendations and the Secretary\'s recommendations. We urged \nsubstantive procedural protections. 
We felt law enforcement \nshould justify their need for personal identifiers, remove \nthose identifiers at the earliest possible moment, unless \nneeded for fraud investigation, and a court order seemed \nappropriate for access.\n    There was a huge array of issues we had to look at. We did \nnot spend a detailed amount of time on this, and probably will \ndeserve to spend more, but clearly we did differ from the \nSecretary in that and we urged more protections.\n    Chairman Thomas. Thank you very much, Doctor. Obviously, we \nwill rely on you in your ongoing examination. My belief is this \nis an area that could change relatively quickly in terms of \ntechniques that are being developed, especially when we are \nlooking at an August 1999 deadline. At least, I certainly hope \nso.\n    Thank you very much for your input.\n    Does the gentleman from Wisconsin wish to inquire?\n    Mr. Kleczka. With respect to research currently being done \nby managed care companies, is that being done with the informed \nconsent of the individuals?\n    Dr. Detmer. Right now we have very much a patchwork of \nincomplete and inadequate protections generally. I think most \nmanaged care companies do in fact--and health care \norganizations--do in fact try to protect the data of patients. \nObviously, we do not have full information. In fact, one of the \nproblems of this whole field is a relative lack of the kind of \nresearch base that would be very useful to us as a committee, \nas well as to you in your roles.\n    In general, if you have health professionals involved in \nthe work, whether it is the quality work or cost effectiveness \nor whatever, utilization work, health professionals have a \ngenuine concern for confidentiality. And I am not sure it is \nalways done ideally by health professionals, but it has been \npart of their upbringing from the time they got into the health \nprofessions. 
There is a bit perhaps less dedication and concern \nfor privacy as you get beyond the health professionals \nthemselves.\n    [The following was subsequently received:]\n\n    We do not know. The Committee does not have information on \nthis area.\n      \n\n                                ______\n\n    Mr. Kleczka. Later this year the European Union is \nscheduled to come down with a directive relative to \ntransferring of data to a third country, and that directive \nindicates that they want to ensure the level of protection. \nCurrently, does this country meet the criteria that is set \nforth in that directive?\n    Dr. Detmer. It is not precisely clear to me that it does. \nIf you really look at it pretty literally, I would say it does \nnot. This is not a formal committee view, that is my own \nassessment of this. The committee has not formally assessed the \nmatter.\n    But I do think it is important for us, and it does speak to \nthe issue of States\' preemption. If we do not have a Federal \nlaw that is sufficiently recognizable as a national standard, \nwe certainly could be open to the clear interpretation that we \nwould not be meeting the EU guidelines, and it would prevent us \nfrom being able to share information for purposes of research \nand other social benefit.\n    [The following was subsequently received:]\n\n    The EU directive is a very comprehensive privacy law \ncovering all personal data and designates an official with \npower to regulate private sector use of personal data. The U.S. \ndoes not have a comprehensive legal scheme of data protection, \nnor an official who has privacy protection as a sole \nresponsibility on a nationwide, or government-wide basis. \nRather, it has a number of separate State and Federal laws, but \nno privacy law generally applicable to all data.\n      \n\n                                ______\n\n    Mr. Kleczka. 
What would be the impact on this country in \nterms of trade and research should we not meet the criteria and \nso forth in the directive?\n    Dr. Detmer. I have not seen specific estimates, but in \nterms of looking certainly at drug development and other \nactivities that are in the public\'s interest, I think it would \nhave an adverse impact on what would otherwise be a desirable \nthing.\n    [The following was subsequently received:]\n\n    The impact is not yet clear. It is our understanding that \nthe Commerce Department and the State Department have been \ninvolved in discussions with EU staff. Within the Department of \nHealth and Human Services, the HHS Data Council is surveying \nits staff and operational divisions to determine the extent to \nwhich individually identifiable personal data moves from the EU \nto the U.S.\n      \n\n                                ______\n\n    Mr. Kleczka. It is your view, at this point at least, we do \nnot currently meet the specifics of that directive?\n    Dr. Detmer. That is my own personal interpretation, yes.\n    [The following was subsequently received:]\n\n    We believe that the U.S. may not currently meet all of the \ncriteria of the EU directive.\n      \n\n                                ______\n\n    Mr. Kleczka. What is the timing of that? It is supposed to \ncome down later this year?\n    Dr. Detmer. I do not know the specific time. I could get \nback to you on that, but it is coming along, though, that is \nfor sure. But exactly specifically----\n    Mr. Kleczka. I have information the effective date is \nOctober of this year.\n    Dr. Detmer. You sound like you have the information.\n    Mr. Kleczka. Thank you very much.\n    Chairman Thomas. Does the gentleman from Louisiana wish to \ninquire?\n    Mr. McCrery. Just a couple of questions, Mr. Chairman.\n    Dr. Detmer, I want you to expound a little bit on the \nquestion of preemption of State laws. 
I am a little concerned \nabout what I perceive to be the Secretary\'s recommendation that \nwe have a national law, a national standard, but that we allow \nthe States to enact stricter standards.\n    How is that going to solve the problem of uniformity? It \nseems to me to be contradictory. Can you expound upon that?\n    Dr. Detmer. Well, this is a very complex issue. The \ncommittee, to the extent it has spoken to this, feels like it \nis worth splitting out this issue and not looking at it in a \ntotally either all Federal, no State, or wide open and a weak \nFederal floor, if you will.\n    There may be areas where it might be very wise to in fact \nallow State standards. For example, the area of public health \nlaw. The States have very well-developed public health laws \nthat have been developed in very good collaboration with the \nFederal Government. So I think our general attitude would be \nyou should look at preemption piece by piece.\n    Speaking personally, you are going to be hearing from a \nwitness from Minnesota. If you do see, as the Chairman said, \nStates doing too much experimentation, 50 points of light in my \nview is not necessarily going to give us enough clarity on \nthis. If you have a sufficiently high standard, the States will \nnot seek to do more. In some areas, like public health law, it \nis probably the best approach to acknowledge that body of law.\n    [The following was subsequently received:]\n\n    Preemption of state laws was the most difficult conflict \nidentified at the hearings we held, and did not yield a clear \nanswer. The NCVHS addressed preemption specifically in its \nrecommendations to the Secretary (June 27, 1997), as follows:\n    Among large segments of the health industry, a major \nbenefit to federal legislation is a high degree of regulatory \nuniformity throughout the country. The interstate nature of \nhealth care treatment and payment activities is readily \napparent. 
It will be difficult for many involved in electronic \ntransfers of health data to accept any proposal that does not \noffer significant relief from the prospect of 50 different \nstate laws establishing separate rules.\n    On the other hand, it would be difficult for many patient \ngroups, privacy advocates and perhaps some provider groups to \naccept any proposal that does not allow states to adopt \nstronger privacy protections as specified in the HIPAA. People \ndisagree whether existing state laws offer greater protection \nthan most of the current federal proposals, but a proposal is \nnot a law so judgments in this area are premature. There is \nstrong support in some communities for a minimum federal \nconfidentiality standard that allows states to erect stronger \nprivacy barriers. HIPAA already reflects a policy that stronger \nstate laws should be allowed to prevail.\n    Existing proposals differ on preemption. Most preserve \nexisting state mental health and public health laws, but the \nscope of this language is unclear. H.R. 52 adds a new idea to \nthe mix by allowing states to pass additional restrictions on \naccess to health records by state officials.\n    The Committee suggests, however, that this issue need not \nbe treated as a single problem with a single solution. The \nconflicts need to be broken down into components, and each \ncomponent analyzed separately. In some areas, the case for \nfederal preemption may be stronger. For example, it may be \nunnecessarily complex to support 50 different patient access \nprocedures. On the other hand, the need to recognize the \ndiversity of state public health laws is already clearly \nreflected in most proposals. No one has suggested or is likely \nto support a uniform federal public health law. A narrower and \ncareful analysis of preemption may help to minimize the \nadmittedly strong conflicts here and may point to more \neffective resolutions. 
However, if sufficient national \nconformity is not achieved, both national and international \nobjectives cannot be met.\n      \n\n                                ______\n\n    Mr. McCrery. Can you briefly, if you feel comfortable doing \nthis, either on the part of the commission or on your own part, \noutline for us the reasons for having a national standard?\n    Dr. Detmer. Well, I think clearly the most critical one in \nmy view, speaking as a practicing physician and looking at the \nfact that much of the population in this country lives near \nState borders, if we have stiff penalties in place, let us say \na patient works in the District, lives in Virginia, and gets \ntheir care in Maryland. You will have different States which \nwill have different standards, with still very stiff Federal \npenalties. Trying to keep that straight, both as a patient and \nas the provider, it strikes me as really making it very \ndifficult, and we do want to have an effective law.\n    If I were just to speak to one thing, that is, in my mind, \none of the most compelling arguments to be made for strict \nFederal preemption. But, again, I would be happy to try to get \nback to you with more specific direction on this very important \nissue. Without question, it is one of the more controversial \nareas of this legislation.\n    [The following was subsequently received:]\n\n    The existing legal structure does not effectively control \ninformation about individuals\' health. Federal legislation, \nestablishing a basic national standard of confidentiality, is \nnecessary to provide rights for patients and define \nresponsibilities for record keepers. The Committee\'s position \non this is reflected in its recommendations to the Secretary \n(June 27, 1997) wherein it made a number of principal findings:\n    The United States is in the midst of a health privacy \ncrisis. The protection of health records has eroded \nsignificantly in the last two decades. 
Major contributing \nfactors are ongoing institutional changes in the structure of \nthe health care system and the lack of modern privacy \nlegislation. Without a federal health privacy law, patient \nprotections will continue to deteriorate in the future.\n    The importance of trust in the provider-patient \nrelationship must be preserved. Patients must feel comfortable \nin communicating sensitive personal information.\n    Delays in passing privacy legislation will allow additional \nand uncontrolled uses of health information to develop. Failure \nto address health privacy will also undermine public confidence \nin the health care system, expose patients to continuing \ninvasions of privacy, subject record keepers to potentially \nsignificant legal liability, and interfere with the ability of \nhealth care providers and others to operate the health care \ndelivery and payment system in an effective and efficient \nmanner. The greater the delay in imposing meaningful controls \non inappropriate use and disclosure of identifiable individual \ninformation, the more difficult it will be to overcome \ninstitutional resistance to restrictions on use and disclosure \nor changing the way that information is acquired and used. On \nthe other hand, the confidentiality of the provider-patient \nrelationship and the confidentiality of health records had been \nthe foundation by which the health care system helps ensure the \nbest possible health care. It is not easy to strike a fair \nbalance between these sometimes competing concerns.\n      \n\n                                ______\n\n    Mr. McCrery. Thank you. That would be helpful, because \nlooking over your testimony, it is not real clear to me, \nanyway, what your recommendation is.\n    Dr. Detmer. OK.\n    Mr. McCrery. If you could be more specific, that would be \nvery helpful.\n    Second question. You talk about needing to guard against \ndiscrimination in a number of areas, including insurance. 
Most \npeople, when they apply for insurance, are they not asked to \nreveal any health conditions that would have an impact? So what \nis the problem on discrimination in insurance?\n    If you see that as a problem, perhaps we should move to \nsome sort of community rating. That would resolve that. Do you \nwant to comment on that?\n    Dr. Detmer. We have not talked about the issue of community \nrating as an issue per se. I do think that the very concept of \nhealth insurance, though, is it is to be something that is \nthere for people when they are sick. And if indeed you reveal \nyou have illnesses and then you cannot get any coverage, or it \nis so extravagant or expensive you cannot afford it, then the \nvery concept of insurance is not there.\n    At some level this is a very important question and is \nobviously a question that goes beyond the privacy legislation, \ncertainly, but I think it is a very critical question: Do \npeople get coverage for effective services or not? That is a \ncommunity rating kind of issue.\n    [The following was subsequently received:]\n\n    To the extent that the NCVHS has addressed this matter, its \ndiscussions have included the following points. The \nrelationship between privacy (as defined by principles of fair \ninformation practices) and discrimination is an issue that was \nraised a number of times during the NCVHS hearings last year. \nSome motivation for protecting health information is to prevent \nthe discriminatory use of the information both inside and \noutside the health care setting. Patients receiving care for \nsome health conditions or who have been the subject of genetic \ntesting have been and continue to be the subject of \ndiscrimination in employment, insurance, and elsewhere. Several \ncurrent Congressional bills address the possible discriminatory \nuse of genetic information.\n    Discrimination based on health status and condition remains \na major and important concern. 
While the Committee has not \nfocused its full attention on discrimination, legislative \nresponses are appropriate. It is not clear, however, that \ngeneral privacy concerns and discrimination concerns must be or \nshould be addressed together in the same piece of legislation. \nAn already complex health privacy bill is not the best place to \nsort out responses to equally complex discrimination problems. \nThe Committee suggested in its recommendations to the Secretary \n(June 27, 1997) that privacy and discrimination issues deserve \nseparate legislative treatment. The problems of discrimination \nare important, but not enough work has been done to explore the \ncontent of anti-discrimination legislation. The Committee urged \nthe Secretary to propose legislation expanding the anti-\ndiscrimination provisions of HIPAA to cover all aspects of \ndiscrimination based on health status and condition.\n      \n\n                                ______\n\n    Mr. McCrery. Thank you.\n    Chairman Thomas. Does the gentleman from California wish to \ninquire?\n    Mr. Becerra. Let me ask a question, and this may be \nsomewhat premature, since we are trying to figure out what we \nbelieve confidentiality or privacy to be and how we address it, \nbut certainly some of what we want to protect will have to be \ndone through statute.\n    The preemption issue, for example, makes it clearly Federal \nversus State. We will have that dispute. But some areas are \nprobably best protected by regulation because they may need to \nchange periodically and statutes would be too difficult to have \nconstantly amended. Do you have any sense right now, Dr. \nDetmer, what areas are clearly best left to regulation versus \nstatute? What should we not do?\n    Dr. Detmer. That is a very tough question and it is one, \nobviously, I think all the Members of the Subcommittee grappled \nwith. I do not question at all the validity of your basic \ncomment. 
It is true that if you put too much in a statute, you \ndo not have the flexibility that can come with regulation.\n    Clearly, I think we do need a set of basic health \ninformation practice protections, and those, I think, can be a \nmatter of statute. Exactly how those play out over time are \nappropriately left to regulation. And certainly as the chair of \nthe national committee that has a nearly 50-year history \nof advising government, I think that the NCVHS committee review \nprocess is a wonderful mechanism by which regulation can become \nmore attuned to the times and the needs.\n    Here is a group of private citizens serving and giving \nexpertise to the Government, having an opportunity to hold \nhearings for wide varieties of folks and then making \nrecommendations. The HIPAA legislation in that regard is a very \nnice model, because it did lay out a general picture, but then \nit also mandated that regulations would follow based on \nexplicit hearings and the advice of this Subcommittee.\n    Mr. Becerra. Is there any particular area you could \nidentify for us?\n    Dr. Detmer. Well, I say certainly basic health information \npractices. I will be happy to get back to you. I think it is a \nvery relevant and critical question actually to the \nlegislation.\n    Mr. Becerra. I think to the degree you can help us set the \nparameters of what we are going to do, if there is something we \nshould clearly leave off the table with regard to statutes and \nlimitations, it would help us quite a bit.\n    Dr. Detmer. 
Certainly.\n    [The following was subsequently received:]\n\n    Both the NCVHS in its recommendations to the Secretary \n(June 27, 1997), and the Secretary in her recommendations to \nCongress (September 11, 1997), recognized the difficulty in \ndrafting health privacy legislation and recommended a ``safety \nvalve provision.\'\' Specifically, the Secretary\'s \nrecommendations noted:\n    We recommend that there be authority to suspend, by \nregulation, any provision of the legislation for a limited \nperiod in the event of an unforeseen significant threat to \nhealth or safety, significant threat to patient privacy, major \neconomic disruption, or manifest unfairness.\n    The design of precise controls on the use and disclosure of \ninformation is a complex task, and it is possible that the \nlegislation would forbid a disclosure, or otherwise constrain \nbehavior, in a way that causes unanticipated hardship.\n    Authority to suspend a provision would ensure that \nsituations like this could be addressed, on a temporary basis, \npending Congressional consideration of amendments.\n    Federal agencies are accustomed to the flexibility provided \nby the Privacy Act of 1974, whose routine use provision (5 \nU.S.C. 552a(a)(7) and (b)(3)) permits agencies to make \nadministrative choices to disclose information beyond the \ndisclosures explicitly allowed in the statute. We do not \nrecommend administrative authority as flexible as the routine \nuse provision, which appears in a law covering all activities \nof all Federal agencies, and where a statutory catalog of all \npossible uses of information was not feasible. We recommend a \nprovision to deal with extraordinary situations that may have \nnot been foreseen, and then only for a limited time.\n      \n\n                                ______\n\n    Mr. Becerra. 
With regard to the whole issue of the data we \ncollect and how we keep all that information, electronic, \npaper, and so forth, what do you do with the nonprofit, the \ncommunity-based clinic that already survives on a shoestring \nbudget, if we determine that the best way to keep information \nsafe is to go toward some electronic mechanism?\n    How do we help those that are barely surviving to provide \nhealth care, to now get to the point where they will abide by \nstatute or regulation requiring them to provide protection to \nprivate information?\n    Dr. Detmer. Very good point. It came up in our hearings. In \nparticular, we had a hearing out in San Francisco where Los \nAngeles County Hospital came and said, Look, our budgets are so \nlow, the idea we can have a very wonderful, which we would \nlike, information system with what many of you might consider \nreally important and basic information is simply beyond our \nmeans.\n    There is clearly cost involved in this issue, and certainly \none of the main drivers of HIPAA was to in fact save money from \nadministration simplification. We again lack the facts and data \nthat would allow us, I think, to really know exactly how big a \nproblem this will be. We know in some areas trying to do much \nof anything would probably stretch their budget. So there is a \ntension in here and there is a cost in this.\n    On the other hand, there is also a general public concern \nabout privacy. We need to have a law but we do need to, I \nthink, look carefully at the costs that that will impose on \npeople.\n    [The following was subsequently received:]\n    Section 1173 of the Health Insurance Portability and \nAccountability Act of 1996 (Public Law 104-191, Aug. 21, 1996) \nrequires the Secretary to adopt standards for electronic data \ntransactions, but does not mandate that providers exchange \ninformation electronically. 
While issues regarding costs of \nmaintaining and providing information electronically have been \nraised at its hearings, the Committee has not addressed this \nissue.\n      \n\n                                ______\n\n    Mr. Becerra. Thank you, Mr. Chairman.\n    Chairman Thomas. In regard to that, though, the next panel \nwill have some comments, and I find the argument on cost a bit \nanalogous to the preventive care arguments we had, that wound \nup with us finally spending money according to the budget \nrules. Everyone involved believed that in the long run, a \ndecade, a generation, that we would save money on preventive \ncare. With adequate records, the investment and the ability to \nkeep really accurate records, that a number of areas such as \nduplicate procedures or missed procedures, that would save \ncustomers in the long run, may very well be at least \noffsetting.\n    That is not a comfort to someone who has to meet a budget \non a quarterly or a yearly basis, but we need to look at all \naspects of the decision rather than just very narrowly \nsomeone\'s quarterly accounting on the cost of changing the way \nin which we provide records both to the patient and to the \nsystem.\n    The other point I wanted to make before I ask you a final \nquestion, the gentleman from Louisiana\'s line of questioning is \nvery, very pertinent, and I have had an ongoing, mostly \npositive relationship with the insurance business trying to \nconvince them that their real job is to manage risk, not \neliminate risk.\n    Dr. Detmer. Thank you.\n    Chairman Thomas. Under the current rules, at the same time, \nwe ought not to shoot the messenger if what they do is provide \nus, under the current rules, the cost of coverage for \nparticular concerns. 
That then becomes an immediate problem for \nthe individual, but it becomes a problem for society in \nexamining the way in which the current rules operate.\n    And that goes to the gentleman from Louisiana\'s discussion \nabout community rating or getting better risk assessment tools \navailable to us for making these kinds of decisions, because I \ndo not want the industry to pull punches in terms of what the \ncosts of these various conditions would be to insure in the \ncurrent world. That allows us to make a realistic decision and \nnot an unrealistic one.\n    Then, finally, as we get into this area which all of us now \nI think are fairly sensitized to, as to its importance in \ndealing with privacy, we do not have a comprehensive privacy \nstatute on the books. The string theory of physics for privacy, \nI think for a very good reason. We do have, though, a number of \nstatutes on the books, and the staff has listed for me the \nPrivacy Act of 1974, Americans With Disabilities Act, the \nControlled Substances Act, and most recently, the Balanced \nBudget Act.\n    Did the committee review those? And can you give us any \nlessons learned from the implementation of these earlier \nFederal statutes, in terms of their either applicability or the \ndifficulty of converting? One of the things we do around here \nis take something that has worked in the past and apply it to \nsomething else. Do you have any cautionary words about the way \nin which we might approach this particular area of privacy vis-\na-vis what we have done in the past and what might be seen as \nsomewhat similar or related areas?\n    Dr. Detmer. Yes, and the committee has not explicitly dealt \nwith that question, particularly the Balanced Budget Act, which \nis very current. I think the question is a good one and one \nthat I will put to the committee. 
I think it could be useful to \nyou to get back on that.\n    In general, as an offhand comment, I do not think that the \nprocess, being the way it operates, it has been that bad. In \nfact, it has been quite good.\n    I do want to respond to an earlier comment, if I might. I \nthink my first time to ever testify before you was soon after I \nhad chaired the Institute of Medicine study on computer-based \npatient records some years ago, and I want to underscore how \nmuch I agree personally with what you are saying here. On the \nbasis of that study and other work, we will not get to truly \nvalue-based, cost-effective care, even looking at these issues \nof cost on insurability and such, until we have much finer \ngrain reliable information. That is only going to come actually \nout of computer-based analysis, properly done, with the \nappropriate confidentiality protections in place.\n    [The following was subsequently received:]\n\n    The Committee has not examined the Privacy Act or the other \nlaws in any depth in developing its recommendations.\n      \n\n                                ______\n\n    Chairman Thomas. Well, without it I do not see how we can \ncreate some outcomes research that providers will need, that we \nwill need as smart buyers with the taxpayers\' money, but, more \nimportantly, providing a body of information to patients so \nthat they can be smart consumers as well, which is one of the \nfundamental ways we will keep a control on health care costs.\n    Dr. Detmer. Many of us are grateful for your leadership on \nthat.\n    Chairman Thomas. The final comment would be to tie in once \nagain with the gentleman from California. While you look at \nthese various particulars, the other thing I am most concerned \nabout is the balance between statute and regulations. 
Because, \nobviously, given the changing technology, we are not going to \nbe able to write a piece of legislation that is probably as \nflexible as we would like for the near term.\n    If you could, create some bright lines for us that would be \nmost appropriate in legislation versus areas that probably are \ngoing to be changing and we can review, lock up if necessary in \nlegislation in the future, but perhaps might lead to \nlegislation.\n    My real worry about that is that as this argument for \nprivacy continues, I do want to make sure the Federal statute \nencompasses the basic structure so that there will not be, for \nwant of a better term, an end run around what we are trying to \ndo by--particularly by States being overly zealous in \nregulating beyond what is necessary to create those clear and \nnecessary personal privacy and confidentiality protections, but \nstill allowing for the collection of data which will allow us \nto move forward, both for individuals and for medical science.\n    [The following was subsequently received from Mr. Detmer:]\n\n    As noted above in response to Q9., both the NCVHS \nrecommendations to the Secretary (June 27, 1997) and the \nSecretary\'s recommendations to Congress (September 11, 1997) \nrecognized the difficulty in drafting health privacy \nlegislation and recommended a ``safety valve provision.\'\' The \nSecretary\'s recommendations specified that ``[w]e recommend \nthat there be authority to suspend, by regulation, any \nprovision of the legislation for a limited period in the event \nof an unforeseen significant threat to health or safety, \nsignificant threat to patient privacy, major economic \ndisruption, or manifest unfairness.\'\'\n      \n\n                                ______\n\n    Any Members have any additional questions?\n    The gentleman from California.\n    Mr. Becerra. 
Really quickly, and again this may be \npremature, was there a great deal of discussion of what you do \nafter privacy information has been disclosed? What about the \nperson who has a mental history and those records are \ndisclosed, or has the AIDS, HIV virus? What happens in that \ncase, when the cat is out of the bag? Did you propose or \ndiscuss what should be the remedy in those cases?\n    Dr. Detmer. Well, I think we do see, as I say, sanctions \nthat should come into play if there are obvious cases of that \ntype. You mentioned both mental health as well as HIV, for \nexample. Clearly, there are some sets of health information \nthat will expose people more than other general data, like a \nsimple blood pressure, pulse reading, say.\n    The general feeling is that if you really start taking it \ncase by case and trying to look at genetic information, or HIV \nstatus, or mental health data, all in separate kinds of all \nspecial sorts of cases, that becomes something almost \nimpossible to try to manage sensitively and appropriately. The \ncommittee\'s general feeling is, Let us put in a very good \nstandard and let us have that standard be such that it protects \nthose people, so that in fact your protection does not depend \non what disease you unfortunately happen to get or what problem \nyou happen to have.\n    Mr. Becerra. If I could ask this, as you all continue, if \nyou could give some close attention to giving us some strong \nand specific recommendations on sanctions, because there will \nbe all sorts of special interests in this trying to fight to \neither make them very strong or very weak, and it would help if \nwe had some good guidance from those who are examining the \nwhole issue. Give us a sense of how strong or how weak we \nshould be with regard to sanctions, if in fact we find that \ninformation is disclosed.\n    Dr. Detmer. It is clearly a judgment call. 
At least I would \nadvocate that you make them sanctions that really look and feel \nlike sanctions, if it looks like a horse and feels like a \nhorse. I really think that needs to happen.\n    I think they really need to be there, but it is still a \nquestion of levels. And you are right, there will clearly be \nsome pressures to make it higher or lower. Again, I will see if \nI can try to give you some advice on that, if I can.\n    [The following was subsequently received:]\n\n    There is clear consensus that there be strong civil and \ncriminal sanctions. A federal privacy law should, as \nrecommended by the Committee (June 27, 1997) and the Secretary \n(September 11, 1997), ``provide for punishment for those who \nmisuse personal health information and redress for people who \nare harmed by its misuse. There should be criminal penalties \nfor obtaining health information under false pretenses, and for \nknowingly disclosing or using medical information in violation \nof the Federal privacy law. Individuals whose rights under the \nlaw have been violated should be permitted to bring an action \nfor damages and equitable relief.\'\'\n      \n\n                                ______\n\n    Mr. Becerra. Thank you, very much.\n    Thank you, Mr. Chairman.\n    Chairman Thomas. Looked like a horse and kicked like a \nmule.\n    The key to that is where it is personally identifiable and \nit is electronic, you will know who has done it with the audit \ntrail, and that you allow for relatively tough sanctions but \nthe court system to resolve a number of those on the intensity.\n    We obviously have access to taxpayer funds for medical \npurposes to sanction a number of people who are involved in the \nmedical end of it through research or other ways, and a \ncombination of those are what we are going to have to look at.\n    Dr. Detmer. It is not as though we have no protections or \nthings in place at this point. 
In fact, I think there is quite \na bit of interest and commitment to this. It is just that we do \nnot have a privacy law.\n    Chairman Thomas. And to determine which ones appropriately \nmatch up.\n    Dr. Detmer. Exactly.\n    Mr. Becerra. The bottom line is, for the patient who has \nhad this information exposed, there is little remedy he can do \nin terms of money or some type of civil or criminal sanction \nagainst that disclosure to make that person now feel whole.\n    I would think we would want to construct something that \nprovides swift sanctions and, as you said, it really has teeth. \nBecause what you want to do, as you said before, is protect the \ninformation from ever being disclosed, especially information \nthat is that sensitive of a nature.\n    Chairman Thomas. The gentleman is pursuing a line of \ndeterrence. I understand what you are saying.\n    Mr. Becerra. Prevention.\n    Chairman Thomas. You probably would not want to go down \nthat road in other areas of discussion, but I clearly think a \ngood example would be a deterrence. If you have a clear \nindication of someone violating it, a relatively swift and \nstiff punishment would occur, and we will explore those \navenues.\n    Dr. Detmer. And, in fact, unfortunately many lapses are \nessentially a person who has no business doing what they are \ndoing. And that is far more the more common area than a problem \nwith the technology itself or something else. It is somebody \nnot respectful of these kinds of data and the personal harm \nthey do to people.\n    Chairman Thomas. Well, thank you very much. This is \nobviously the beginning of a process of producing legislation \nthat will both protect individuals\' right to privacy and \nconfidentiality of records and also allow us to continue to \naccess them for legitimate medical and research purposes.\n    Thank you very much, Doctor.\n    Dr. Detmer. Thank you.\n    Chairman Thomas. 
We can ask our next panel to come forward.\n    This will be Dr. Stephen Borowitz, who is associate \nprofessor of pediatrics and health evaluation sciences at the \nUniversity of Virginia, Charlottesville; Janlori Goldman, \ndirector of the Health Privacy Project at Georgetown \nUniversity; Dr. James R. Birge, I believe it is, medical \ndirector and chief executive officer of the MacGregor Medical \nAssociation in Houston, Texas.\n    Dr. Borowitz, a copy of your full statement will be placed \nin the record. You may proceed in the time available in any way \nyou see fit.\n\n STATEMENT OF STEPHEN M. BOROWITZ, M.D., ASSOCIATE PROFESSOR, \n  PEDIATRICS AND HEALTH EVALUATION SCIENCES,  UNIVERSITY  OF  \nVIRGINIA  HEALTH  SCIENCES  CENTER,  CHARLOTTESVILLE,  VIRGINIA\n\n    Dr. Borowitz. Mr. Chairman and Subcommittee Members, my \nname is Stephen Borowitz and I am associate professor of \npediatrics at the University of Virginia. In the next several \nminutes I hope to show you how information technology can \nimprove health care.\n    The practice of medicine is information intensive. Forty \npercent of hospital operating costs result from patient and \nprofessional communications, and physicians and nurses spend as \nmuch as half of their time documenting. Yet 70 percent of the \ntime, physicians do not have all the information they need. The \ngreatest reason for this is that we continue to keep most \nmedical information in a paper medical record.\n    The paper record today is little different than 50 years \nago, despite an explosion of medical knowledge and technology. \nInformation is not sorted for relevance but rather by source \nand chronology, so that critical information may be deeply \nburied. Increasingly, the paper record is serving purposes it \nwas not designed for. It is the source of medical billing \ndocumentation and the principal repository for medical-legal \ninformation. 
There is more and more information in the record, \nmuch of which has little or no direct clinical relevance.\n    When compared to paper records, computerized records \nprovide easier and faster access to clinical information. The \ndata are of higher quality, always legible, and can be \ndisplayed in a number of different formats. Many organizations \nare already developing computer-based records.\n    This is my younger daughter\'s record at the University of \nVirginia. This and other systems are searchable. We can search \nfor all of the patient\'s blood counts, and the results are \ndisplayed quickly on a single screen and can be graphed or \nanalyzed. The system also contains text.\n    This is a hospital discharge summary of a little girl with \nulcerative colitis whom I care for. Two days after her hospital \ndischarge she returned late at night with intestinal bleeding. \nBecause of this computerized record, the emergency room \nphysician immediately knew her problem, who should be \ncontacted, and what interventions were appropriate.\n    Computerized records can contain images such as x rays or \nelectrocardiograms. By being able to view this old \nelectrocardiogram, an emergency room physician can determine \nthat this man complaining of chest pain is experiencing \nheartburn not a new heart attack.\n    Perhaps the greatest limitation of the paper-based medical \nrecord is that it actually does not exist. Every health care \nprovider who has ever seen a patient has a separate paper \nrecord, and these records are viewed as personal notes or \nreminders rather than part of a larger whole. They are often \nperceived as owned by health care providers rather than by the \npatient.\n    An excellent example of the limitations of the paper record \nis childhood immunizations. These are the safest and most cost-\neffective health interventions. 
Ninety-five percent of children \nbegin the recommended series, and 97 percent are fully \nimmunized upon entry into kindergarten. However, only half of \n2-year-olds are fully immunized, yet they are the group at \ngreatest risk for the diseases we are trying to prevent. The \nnumber of completely immunized 2-year-olds would go from 50 to \n85 percent if we eliminated all missed immunization \nopportunities.\n    The biggest barrier to this is the lack of data. Many \nchildren change providers or are seen by multiple providers. \nHalf of all children receive immunizations at two or more \nfacilities. This makes responsibility for immunizations \nambiguous. Who keeps track of them and who should be \nresponsible?\n    We have attempted to provide this type of information with \nProject Vaccine, a shared computerized immunization data base. \nHere is my younger daughter\'s immunization record. She is up to \ndate. While this system can recommend immunizations, providers \nwere resistant to this, so we provide current immunization \nschedules. Over the past 3 years, the rate of completely \nimmunized 2-year-olds in central Virginia has risen from 58 to \n78 percent.\n    In addition to recordkeeping, information technology is \ninfluencing the way health care is delivered. For the past 2 \nyears, we have been providing electronic mail consultations \nacross the World Wide Web. Here is the e-mail form directed to \nme. There is a disclaimer that the information is being \nconveyed across the Internet and may not be secure or \nconfidential.\n    Over the past 24 months, I have received more than 1,000 \nconsultations. Here is an example from a parent in rural North \nCarolina whose 1-year-old son had chronic abdominal \ndifficulties. Nearly 80 percent of my consultations have been \ninitiated by parents. I have received requests from 38 of the \n50 States. 
Clearly, many people out there are seeking \ninformation.\n    I believe information technology is helping to disseminate \nand redistribute medical information. Information that was \npreviously only available to medical professionals is now \navailable to anybody with access to a computer. This can only \nhelp patients and their families to be more active participants \nin their own health care and to make better and more informed \nhealth care decisions.\n    Thank you.\n    [The prepared statement follows:]\n\nStatement of Stephen M. Borowitz, M.D., Associate Professor, Pediatrics \nand Health Evaluation Sciences, University of Virginia Health Sciences \nCenter, Charlottesville, Virginia\n\n    Mr. Chairman, Members of the Subcommittee on Health, thank \nyou for your examination of two crucial and intertwined issues \nconfronting our health system: the confidentiality of medical \ninformation, and the use of computer and communications \ntechnology to improve patient care. My name is Stephen \nBorowitz. I am a pediatrician who specializes in \ngastroenterology and nutrition and an Associate Professor of \nPediatrics and Health Evaluation Sciences at the University of \nVirginia. I have long had interests in how information \ntechnology can be used to improve the delivery of health care \nas well as the delivery of medical education. My task today is \nto give you some idea as to the potential of information \ntechnology to improve the coordination of and access to health \ncare, and help physicians and other health care providers \nbecome lifelong learners.\n    While I speak today as an individual physician, I must note \nthat the explosion of information technologies is reaching \ndeeply into every corner of our nation. Today health data can \nbe transferred from facility to facility in seconds, read and \ninterpreted hundreds or thousands of miles away from the \npatient, stored on a variety of disks, drives, tapes, etc. 
In \nhealth care the global village is rapidly arriving, and \npatients in that global village could live in the smallest town \nin rural Virginia or across the world, and be treated by \nspecialists at our Health Sciences Center through the use of \ntelemedicine and other technologies.\n    I am also a member of the American Medical Informatics \nAssociation (AMIA), a national organization dedicated to the \ndevelopment and application of medical informatics in support \nof patient care, teaching, research, and health care \nadministration. AMIA\'s more than 3800 physicians, researchers, \nlibrarians, information systems managers, and other \nprofessionals with expertise in information technologies \nrecognize that the enormous potential for computer and \ncommunications technology to improve health care cannot be \nrealized unless individuals and the society-at-large are \nreasonably certain that safeguards are in place to protect the \nconfidentiality of personal health data in medical records. My \ncomments today reflect not only my own views as a physician who \nactively uses technology to improve patient care, but also \nthose of many members of AMIA.\n    The practice of medicine is information intensive. Nearly \n40% of hospital operating costs result from patient and \nprofessional communication activities. Despite the fact that \nphysicians spend more than a third of their time \n``documenting,\'\' and nurses spend nearly half of their time \n``documenting,\'\' physicians report that 70% of the time they do \nnot have all the information they need to best care for a \npatient.\n    Perhaps the single greatest reason health care providers do \nnot have all the information they need to deliver the best care \nis that we continue to keep most medical information in paper \nmedical charts. Paper medical records have changed little over \nthe past fifty years despite an explosion of medical knowledge \nand medical technology. 
While there are clearly advantages to \nthe paper medical record in that it is familiar and portable, \nthis form of record keeping has many limitations. Information \nin the paper medical record is not sorted for medical \nrelevance. Rather, information in the paper record is sorted \nfirst by data source (i.e. medical orders, inpatient notes, \nlaboratory results, radiology results, nursing notes, etc.), \nand then by chronology. This often means that the most \nimportant data elements are buried within the record rather \nthan being one of the first things a health care provider sees \nwhen he or she opens that record.\n    Increasingly, the medical record is serving purposes it \nwasn\'t originally designed for. The medical record now serves \nas the principal source for medical billing documentation and \nthe major repository of medical-legal information. This means \nthat there has been a tremendous increase in the amount of \ninformation within the record, much of it with little or no \ndirect clinical relevance.\n    While there are many potential obstacles to the development \nof computer-based patient records, such systems can overcome \nmany of the limitations associated with paper-based medical \nrecords and offer health care providers better information upon \nwhich to base clinical decisions. When compared to a paper-\nbased record, a computer-based patient record provides easier \nand faster access to clinical information, the data are of \nhigher quality, clearly legible, and can be displayed in a \nnumber of different formats. Computer-based patient records can \ngenerate prompts and reminders during the delivery of care and \nprovide health care givers with decision support and links to the \nmedical literature thus integrating the delivery of care with \nthe educational process.\n    Computer-based patient records can decrease some of the \ncosts associated with health care. 
With a completely searchable \nrecord, there will be a decrease in the number of redundant or \nunnecessary diagnostic or therapeutic procedures that are now \nperformed because of incomplete or incorrect information. A \ncomputer-based patient record can dramatically reduce the costs \nassociated with the filing, transporting, and copying the paper \nmedical record and the generation and submission of bills. In \nlarge medical centers it costs $8.00 each time a paper record \nis pulled for use and $11.00 to complete each paper-based \nbilling encounter form.\n    Perhaps the greatest limitation of the paper-based medical \nrecord is that it actually does not exist. The paper-based \nmedical record is based on the construct that people are cared \nfor by a single physician or organization across the continuum \nof care, throughout a lifetime. Given the complexity of our \ncurrent health care system and the mobile nature of our \npopulace, no individual has a single ``medical record.\'\' \nRather, every health care provider who has ever seen that \nindividual has a separate paper record, even if many of those \nhealth care providers work in the same facility. The \ninformation within these disparate and uncoordinated paper \nmedical records is often thought of as personal notes or \nreminders for that health care provider or health care \norganization rather than as part of a larger whole. These \nseparate paper medical records are viewed as being owned by the \nhealth care provider rather than by the ``patient\'\' to whom \nthey pertain.\n    One of the most illustrative examples of the limitations of \nour current paper-record based system is childhood \nimmunizations. Childhood immunizations are perhaps the safest \nand most cost-effective health interventions we currently have. \nFor every dollar we spend successfully immunizing a child, we \nsave $10.00 to $14.00 in the future. 
We know that 95% of \nchildren in this country begin the recommended series of \nimmunizations; the first immunization is now administered \nbefore the infant leaves the hospital. We also know that 97% of \nchildren in this country are fully vaccinated at the time of \nkindergarten entry largely because it is required. However, \nonly 37-56% of two-year old children are fully immunized \ndespite the fact that these are the children at greatest risk \nfor the diseases we are trying to prevent. Numerous studies \nhave demonstrated that underimmunization rates among two-year-\nolds do not vary substantially by ethnicity, geography, \nsocioeconomic status, or health insurance status. Children who \nreceive their health care from private pediatricians are just \nas likely to be underimmunized as are children who receive \ntheir health care from public health departments. Children who \nhave private health insurance through their parents\' employer \nare just as likely to be underimmunized as are children who \nhave no private health insurance. This is primarily due to a \nlack of reliable information. Many young children are seen by \nmultiple health care providers or change primary care providers \nduring childhood. It has been estimated that approximately half \nof all children in this country receive their immunizations at \ntwo or more unaffiliated health care facilities. This makes the \nresponsibility for administering immunizations ambiguous. Who \nkeeps track of childhood immunizations and who should be \nresponsible?\n    We know that without any changes in patient behavior, the \nrate of completely immunized two year old children could be \nincreased from 50% to 85% if the health care system eliminated \nall missed opportunities for immunization. In order to take \nadvantage of these missed opportunities, health care providers \nneed to have reliable information upon which to base their \nimmunization decisions. 
A shared immunization repository could \nprovide this information. If information regarding a child\'s \nimmunization history were readily available to any physician \ntreating that child, immunizations could be administered in a \ntimely fashion. We have attempted to provide this information \nfor health care providers in Central Virginia with VaCCINe \n(Virginia Computerized Childhood Immunization Network). \nPreliminary review of the available data from 16 out of 32 \nchild care centers and preschools throughout the Thomas \nJefferson Health District of Central Virginia demonstrates that \nover the past three years, the apparent rate of completely \nimmunized two year old children has risen from 58% to 78%.\n    There are no longer any technological barriers to the \ndevelopment of computer-based patient records and many \ninstitutions have implemented portions of computer-based \npatient records with varying levels of success. However, there \nare many political and organizational issues that must be \naddressed. We must develop reliable means of identifying \nindividual patients while insuring the data in their records \nare secure and confidential.\n    There is little evidence that health care providers or \nhealth researchers misuse health information. While there are \ngenuine concerns about unauthorized public release of personal \ninformation or the misuse of personal medical data by \nemployers, insurers or others to discriminate against or \notherwise harm an individual, at the same time it is crucial to \nrecognize that access to all relevant patient-specific health \ncare data is essential for those engaged in the provision of \ncare, or in research to advance medical science and improve \nhuman life, or in the direction of public health programs and \nthe protection of public safety. 
In the end, legislation \ngoverning health information must protect not only the \nconfidentiality of individual medical records but also the \nability of health professionals to provide care, conduct \nresearch, and prevent disease in a manner that benefits the \nentire population. Health information standards must \nthoughtfully and carefully balance the rights of the \nindividual, the capacity of the health care system to provide \nneeded care, and the interests of our nation as a whole.\n    Issues of security and confidentiality are not unique to \ncomputer-based patient records. Paper medical records are far \nfrom secure. Paper medical records are often kept in relatively \nopen public areas to afford ready access. Moreover, because of \nthe way information is stored in the paper medical record, it \nis not possible to ``sequester\'\' certain types of information \nfrom individuals who have access to that record. Anything that \nis in the paper record can be seen by anybody. Moreover, there \nis no means of creating an audit trail of who accesses a paper \nrecord, or what they do once they have the record.\n    A common concern about computer-based patient records is \nthat they may be less secure and confidential than paper medical \nrecords. However, a computer-based patient record can be made \nmore secure than a paper medical record through the use of \nauthentication and authorization, and the maintenance of audit \ntrails. Authentication refers to a process that verifies the \nidentity of the user. This can be by something the user knows \n(mother\'s maiden name, ID, password), something the user has (a \nkey, a smart card, a token), by something related to who the \nuser is (signature, fingerprint, voiceprint), and/or by \nsomething indicating where the user is (an IP address, a phone \nnumber, a hardware configuration). 
Authorization refers to a \nprocess whereby the information and services a user can have \naccess to are limited based upon attributes of the user, \nattributes of the data, and/or attributes of the request. \nFinally, the use of audit trails can serve as strong and \nimportant deterrents to breaches in confidentiality if strong \nenough sanctions are employed. An audit trail is a record of \ninformation access events and can include the identity of the \nrequestor, the date and time the request was made, the source \nand destination of the request, a description of what \ninformation was retrieved, and what the reason was for \nretrieving the information. Organizational policies and \npractices are at least if not more important than technological \nmechanisms in protecting health information and patient \nprivacy.\n    In addition to record keeping and access, information \ntechnology is influencing the way that health care is \ndelivered. Quality health care is dependent upon good \ncommunications between physicians and patients. Successful \ncommunication results in the patient\'s understanding of the \ndiagnosis and increased compliance with therapeutic \nrecommendations and interventions. In addition to face to face \nand telephone contact, rapid written communication through \nelectronic mail (e-mail) is now widely available to patients \nand health care professionals. E-mail can provide patients with \na direct means of communicating with physicians and assuring \nthem that their messages are received and read. E-mail provides \nphysicians with the ability to follow-up or clarify advice that \nwas provided during an outpatient visit and messages can direct \npatients to educational materials or other resources available \non the Internet.\n    As of late 1996, nearly 25% of people beyond 16 years of \nage in the United States have access to the Internet and at \nleast 15% of the U.S. population was using e-mail. 
In certain \nregions, one fourth of patients use e-mail to communicate with \ntheir health care providers. Those patients who utilize e-mail \nto communicate with physicians perceive this means of \ncommunication as not only more convenient and faster than \ntelephone communication, but also as increasing their access to \nmedical care.\n    While e-mail is generally viewed as a good means of \ncommunicating simple information and non-urgent requests \nbetween physicians and patients (i.e. refilling prescriptions, \ncommunicating laboratory results, or making appointments), up \nto 90% of patients who use e-mail to communicate with their \nphysicians relay important and sensitive medical information \nelectronically.\n    Beginning in November of 1994, the Children\'s Medical \nCenter at the University of Virginia instituted a pilot program \nof providing electronic mail consultations in selected \npediatric subspecialties (http://www.med.virginia.edu/docs/cmc/ \ngiconslt.html). A disclaimer was included at the top of the \nform alerting people that since the information contained \nwithin the form would be conveyed across the Internet, it might \nnot be secure. All consultation replies included a copy of the \noriginal consultation request as well as a disclaimer to the \neffect that since the patient had not been physically examined \nand the entire history had not been obtained, the validity of \nthe response might be limited.\n    Between November 1, 1995 and February 28, 1998, the \nDivision of the Pediatric Gastroenterology at the Children\'s \nMedical Center of the University of Virginia received 938 \nelectronic mail consultation requests. During this 28-month \nperiod, an average of 33.5 +/- 11 consultation \nrequests was received each month with a range of 14 to 68 \nrequests. 
There has been a slow but steady increase in the \nnumber of consultation requests received each month.\n    The greatest number of consultation requests were initiated \nby parents or guardians (79%), however 11% of the requests came \nfrom physicians and another 10% came from other health care \nprofessionals such as nurses, pharmacists, or respiratory \ntherapists.\n    85% of the consultation requests originated within the \nUnited States. During the 28-month period, consultation \nrequests were received from 38 of the 50 U.S. states. Only 8% \nof all consultation requests originated in the states of \nVirginia or West Virginia, which comprise our traditional \nreferral area. 15% of the consultation requests originated from \nsites outside of the United States; consultation requests were \nreceived from 37 different countries. Outside of the United \nStates, the most frequent international source of consultations \nwas Canada, followed by Australia, the United Kingdom, and \nArgentina.\n    The large number of consultation requests we received from \nparents and guardians suggests that their primary health care \nproviders do not always meet a family\'s information needs, or \nthat they are dissatisfied with some of the information they \nhave received. This dissatisfaction is further highlighted by \nthe observation that nearly half of patients use some form of \nnon-conventional medical therapy, often without consulting with \nor informing their primary care physician. 
As a group, parents \nseeking non-conventional medical therapies for their children \nare well-educated professionals, precisely the group of people \nwho have ready access to the Internet and e-mail.\n    Many parents appear to be very comfortable seeking medical \ninformation from relatively anonymous ``electronic \nconsultants.\'\' This form of electronic communication provides \npeople with a means of identifying qualified consultants \noutside of their local health care system and to communicate \nwith these consultants directly without numerous layers of \nadministrative bureaucracy. According to many of the families \nwho consulted us, e-mail communications with an anonymous \n``electronic consultant\'\' are less intimidating than face to \nface conversations with time-pressured physicians. E-mail \nenabled many parents to ask questions that they were otherwise \ntoo timid to ask. This may in part be due to the mode of \ncommunication. E-mail is a hybrid between written and spoken \nlanguage. It allows people to choose their words carefully \nwithout the pressures of time or place. Response time with e-\nmail is substantially shorter than with written letters and yet \ne-mail offers more permanence than a face-to-face or telephone \nconversation.\n    The public\'s increasing interest in online medical \nconsultation reflects the changing nature of our health care \ndelivery system. The rapid growth of electronic communications \nhas paralleled the shift towards giving patients more \nresponsibility for their own health care decisions. As the \npublic has become better educated, they have become accustomed \nto seeking information about health care from printed media. It \nis only natural for them to turn to electronic sources of \ninformation such as Web sites and, when they have further \nquestions, to contact web-site authors. 
More and more people in \nthe United States receive their health care through managed \ncare organizations which limit access to specialists and \nspecialized treatments. This means that patients and their \nfamilies have new incentives to find alternative sources of \nexpert medical opinion, and when they go outside of their \nhealth care network, to seek the most time and cost-effective \nmeans of diagnosis and therapy to minimize their own out-of-\npocket costs.\n    Given the complexities of the communication process, there \nare always potential misunderstandings when physicians and \npatients exchange medical information. The potential for \nmisunderstandings may be magnified when medical information is \nexchanged across the Internet. The information could be based \nupon incomplete or incorrect assumptions, the information could \nbe misinterpreted, it could be incorrect or out-of-date, or it \ncould be more up-to-date than information provided by another \nphysician. Given the wide variation in practice patterns, \nsituations may arise in which an online consultant will \ndisagree with the advice of another physician. In the United \nStates, the law dealing with interactions between physicians \nand patients over the Internet has not been well defined. \nPotential legal issues include physicians practicing without \nlicensure in the state or country in which the patient resides, \nalleged medical negligence, and abandonment of patients should \nthe consultant not continue the relationship.\n    The availability of vast amounts of medical information on \nthe World Wide Web can have important implications for the \nfuture of our health care system. One author has called this \n``the next transformation in the delivery of health care.\'\' \nThis dissemination and redistribution of medical information \nmay influence public perceptions of the standards and quality \nof care and the nature of the doctor-patient relationship. 
\nMedical information on the World Wide Web can help health care \nprofessionals educate their patients, learn more about \npatients\' concerns and fears, and help patients make better and \nmore informed decisions about their own health care.\n    While information technology is already helping to reshape \nour health care system, it can also help us change some of the \nparadigms of health care. In our current environment, the \npractice of medicine, continuing medical education, and \nclinical research are separate and somewhat independent \nenterprises. The innovative development and use of information \ntechnology and computer-based patient records can help us \nintegrate clinical care with clinical research and lifelong \nlearning while helping patients and their families to be more \nactive participants in their own health care and make better \nand more informed decisions.\n\n                          Selected References\n\n    1. Bertakis, K.D. The communication of information from physician \nto patient: a method for increasing patient retention and satisfaction. \nJ Fam Practice 1977:5;217-222.\n    2. Coeira, E. The Internet\'s challenge to health care provision. \nBMJ 1996:312; 3-4.\n    3. Culver, J.D., Gerr, F., Frumkin, H. Medical information on the \nInternet --a study of an electronic bulletin board. J Gen Intern Med \n1997;12:486-470.\n    4. Dick, R.S., and Steen, E.B., eds. The Computer-based Patient \nRecord: An Essential Technology for Health Care. National Academy \nPress, Washington, D.C. 1991.\n    5. Elder, N.C., Gillcrist, A., Minz, R. Use of alternative health \ncare by family practice patients. Archives of Family Medicine \n1997;6:181-184.\n    6. Gleick, E. Picking a health plan: a how-to-guide. Time January \n22, 1996:60-61.\n    7. Harris, E.D. Electronic mail--a physician extender? Western \nJournal of Medicine 1997;166:123-125.\n    8. Impicciatore, P., Pandolfini, C., Casella, N., Bonati, M. 
\nReliability of health information for the public on the World Wide Web: \nsystematic survey of advice on managing fever in children at home. BMJ \n1997: 314; 1875-1881.\n    9. Kane, B., Zands, D.Z. Guidelines for the clinical use of \nelectronic mail with patients. JAMIA 1998;5:104-11.\n    10. Kassirer, J.P. The next transformation in the delivery of \nhealth care. NEJM 1995:332-52-54\n    11. Neill, R.A., Mainous, A.G., Clark, J.R., Hagen, M.D. The \nutility of electronic mail as a medium for patient-physician \ncommunication. Arch Fam Med 1994;3:268-271.\n    12. Pealer, L.N., Dorman, S.M. Evaluating health-related web sites. \nJ School Health 1997;67:232-235.\n    13. Silberg, W.M., Lundberg, G.D., Musacchio, R.A. Assessing, \ncontrolling, and assuring the quality of medical information on the \nInternet. JAMA 1997;277: 1244-1245.\n    14. Smith, R. The future of health care systems. BMJ 1997; \n314:1495-6.\n    15. Sonnenberg, F.A. Health information on the Internet. Arch \nIntern Med 1997;157:151-152.\n    16. Spigelblatt, L., Laine-Ammara, G., Pless, B., Guyver, A. The \nuse of alternative medicine by children. Pediatrics 1994:94:811-814.\n    17. Spooner, S.A. The pediatric Internet. Pediatrics 1996:98 1185-\n1192.\n    18. Widman, L.E., Tong, D.A. Requests for medical advice from \npatients and families to health care providers who publish on the World \nWide Web. Arch Int Med 1997;157:209-212.\n    19. Wyatt, J.C. Commentary: measuring quality and impact of the \nWorld Wide Web. BMJ 1997;314:1879-1881.\n\n\n                                 ______\n\n    Chairman Thomas. Thank you very much, Doctor. And I will \nacknowledge I am the one who borrowed the information from your \nwritten statement to talk about the preventive aspects.\n    Ms. Goldman.\n\nSTATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, \n INSTITUTE FOR HEALTH CARE RESEARCH  AND  POLICY,  GEORGETOWN  \n                           UNIVERSITY\n\n    Ms. Goldman. 
Good morning, and thank you very much for the \nopportunity to testify here today. I am very pleased the \nSubcommittee is focusing on this issue and prepared to move \nahead, as Congress now has set a time limit on itself.\n    One of the questions that was asked earlier about existing \nprivacy laws I think is an important one as we view this in the \ncontext that we do have an existing body of privacy statutes. \nAnd while they are not terribly consistent or related to each \nother, in some ways they do bear, I think, certain \ncommonalities. I would hope that when we look at crafting a \nmedical privacy law, we try to put it within the context of \nthose existing privacy laws and, as you said, to learn \nsomething from what we have already done.\n    What Congress has recognized is that medical privacy is a \ncritical issue and we need to move forward within a certain \nperiod of time to pass legislation, and that if we are not able \nto do that, if we are not able in this body to reach some kind \nof consensus and move forward, the Secretary will then handle \nthis as a regulatory matter. I do think Congress has a greater \nrole in terms of setting enforceable rules and having remedies \nand enforcement mechanisms in place. We do have an important \nopportunity to do that work here.\n    We have seen a much greater urgency in this area, even in \njust this past year. The recent stories involving the \ndisclosures by CVS and Giant, I am sure many of you saw \nreported in the papers in the last few weeks, showed we are \ndealing in an unregulated environment. There is not now an \nexisting Federal law protecting people\'s medical records.\n    So while people are not necessarily acting with malice, \nthere are considerations that are being given when information \nis disclosed that are not patient-focused, that are not focused \non what is best for the patient or that do not directly involve \nthe patient. 
So the response on the part of the public to those \ndisclosures by CVS and Giant was very swift, very angry, and in \nfact both of those companies took out ads in the Post to say \nthat they were stopping the practice altogether. Not trying to \nfix it, but stopping it all together until they could recoup \nsome public confidence and decide how, if at all, they could \nmove forward with compliance and marketing programs.\n    One of the things I would like to suggest here this morning \nis that the way we have looked at privacy in the last decade in \nthis area has been to view it in conflict with achieving public \nhealth goals. So that when we talk about privacy, we often talk \nabout the costs associated or we see it as a barrier to getting \naccess to data for research purposes or public health purposes. \nI do not think that has been a useful formulation, and I do not \nthink it is an accurate formulation; such a view keeps us from \ndeveloping the consensus we need.\n    One of the things I found is that exactly the opposite is \ntrue. Privacy is not a barrier to achieving public health \npurposes, public health initiatives, and improving access to \ndata for research. In fact, it is the opposite. Privacy is \nnecessary for getting good quality data, complete data, and \naccurate data for use for those public health purposes.\n    I want to spell out a few of those areas. When people do \nnot trust that when they go to their doctor the information \nthey are sharing will be handled in a confidential way, they do \nstart to engage in certain privacy protective behaviors which \nhave some very serious consequences. It has serious \nconsequences for the individual, because if they do not \naccurately and fully share information, the doctor then does \nnot have data he or she needs to accurately diagnose, to \naccurately treat. 
So the patient\'s care is undermined right \nthere in the doctor\'s office.\n    But, also, doctors then are not transmitting accurate and \ncomplete data on claims forms, the encounter data that the \ninsurance industry relies on in doing the outcomes analysis \nthat researchers rely on in doing their studies, that public \nhealth officials rely on in doing their studies and creating \npopulation data bases. So when we do not protect the \ninformation at the front end, it is undermined at the back end. \nWe need this accurate and complete data. And I would say we \nneed to give people some assurance that the data will be \nprotected so that they will fully share information.\n    One of the things we have seen is that the health care \nenvironment is changing so dramatically. There was an editorial \nin Sunday\'s Post that talked about privacy being a moving \ntarget and that the industry is developing so quickly, so \nrapidly around information uses and yet there are no \nenforceable rules in place. What I want to do is suggest that \nthere are some key principles that can be built into a health \nprivacy proposal.\n    We do not have unanimity amongst all of us as to exactly \nhow that language should be written, but I want to suggest that \nthere are some key principles on which we do agree that we need \nto address. One is the very basic issue of giving people access \nto their own medical records, a fundamental right which only \nhalf the States in this country currently protect.\n    We need to have limits on disclosure. We need to be able to \nsay what information should be disclosed, how individuals make \nmeaningful, informed voluntary choices by giving them notice of \nhow information might be used, and having them sign \nauthorization forms.\n    Research, I think, is a tough area, as Dr. Detmer has said. 
\nOne of the things that is important to acknowledge is that we \ndo have Federal rules in place right now that apply to \nfederally funded researchers, and those rules require an \ninstitutional review board to look at informed consent, to look \nat when there is an appropriate waiver of informed consent, if \nidentifiable data is to be used, and I would suggest we take \nthose Federal regulations and apply them across the board. \nThere would be fairness and uniformity, and all researchers, \nnot just those receiving Federal funds, should have to comply \nwith those regulations.\n    The Minnesota law is a source of some concern for folks. \nAnd while I agree it is the most restrictive law in this area, \nthere have been studies done by the Mayo Clinic that show where \nconsent is asked by patients for identifiable data, only 4.5 \npercent, on an average of people who are asked, decline. Four \nand a half percent of the people withhold their permission for \nuse of the information.\n    Law enforcement. We need to have rules on government access \nto individual data. Right now every privacy law that exists on \nthe books has a law enforcement limitation, and that is \nrequired by constitutional principle. It is the right thing to \ndo.\n    Remedies. We need to have strong remedies and enforcement \nmechanisms.\n    I want to address the issue of preemption. I know it is on \npeople\'s minds. We are dealing in a difficult area, because if \nwe look at precedents of privacy laws, we currently do not ever \npreempt law in the civil rights and civil liberties area. In \nfact, Congress has been concerned about preempting State laws.\n    In the medical privacy law, we have a particular problem in \nthat we do not know what laws we would be preempting. There \ndoes not yet exist a comprehensive survey of existing State \nprivacy laws. 
They are located in all different areas of the \nState code, from public health to consumer protection to \ninsurance regulation.\n    We need to have a better handle on what we would be \npreempting, and we need to look at whether we can determine \npreemption on a case-by-case basis, look at particular issues, \nand whether there is a justification for a carve-out in those \nareas. Right now there is compliance with existing State laws, \nso people are functioning in this environment even though it \nmay not always be the most convenient.\n    Let me quickly mention some of the other issues.\n    Discrimination. We have an opportunity in crafting a \nprivacy law to in some ways create the first line of defense \nagainst discrimination. We have the Americans With Disabilities \nAct, but nothing in that law prohibits an employer from getting \naccess to the health information. A privacy law would do that. \nSo it would prevent, in some ways, the temptation for using \nthat information for discrimination.\n    The technology is a critical issue you have all talked \nabout. We have a chance with the increased technology to better \nprotect information, to create more security for data, and to \nrecognize that paper records are essentially a fairly \nunprotected realm. If we need it, we can take advantage of the \nsecurity opportunities we have.\n    And, overall, any health privacy law should create \nincentives to use nonidentifiable data. We should ask the \nquestion which we do not now ask: Do we need identifiable data \nin a particular project? Can we get by with nonidentifiable \ndata? And by creating those incentives, we would take certain \npeople out of the scope of the law and remove the concern.\n    I know this is not an easy challenge. 
We have worked on \nthis issue for a long time, but I think we now have the \nincreased political will to move forward.\n    At bottom, Americans should not have to worry when they go \nto the doctor, fill a prescription, file a claim form, or they \nget a job and do a preemployment physical; they should not have \nto worry their privacy is going to be put at risk. They should \nbe able to fully share information with their doctors and not \nworry they are going to have their care threatened or their \nemployment threatened.\n    We will know that we have really made some progress here \nwhen we protect our medical records as well as we protect our \nvideo rental lists.\n    Thank you very much.\n    [The prepared statement follows:]\n\nStatement of Janlori Goldman, Director, Health Privacy Project, \nInstitute for Health Care Research and Policy, Georgetown University\n\n                      I. Introduction and Overview\n\n    Mr. Chairman and Members of the House Ways and Means\' \nSubcommittee on Health: I very much appreciate the invitation \nto testify before you today on patient confidentiality.\n    In December 1997, I launched the Health Privacy Project at \nthe Institute for Health Care Research and Policy at Georgetown \nUniversity Medical Center. Prior to creating the Project, I \nhave focused on privacy and technology issues--particularly \nhealth privacy--for over a decade, as co-founder and Deputy \nDirector of the Center for Democracy and Technology, and as \nDirector of the Privacy and Technology Project of the American \nCivil Liberties Union.\n    At present, there is no comprehensive federal law to \nprotect the privacy of peoples\' health records. 
However, most \npeople mistakenly believe there is a federal privacy law that \nsafeguards their medical records, and they believe the law \ngives them the right to access their own medical records; they \nare shocked when informed otherwise (Louis Harris &amp; \nAssociates, Health Information Privacy Survey, 1993). The \nrecent debacle involving CVS and Giant Food selling customer \nprescription data to drug manufacturers for target-marketing \nand customer tracking--and the public outrage expressed over \nthis practice--is another loud and clear call for Congress to \nenact a strong health privacy law to protect people against \nsuch unauthorized use and abuse of their personal medical \nrecords.\n    I believe health privacy is one of the most important \nhealth issues facing our nation: it is critical to improving \nhealth care, and fostering valuable public health initiatives. \nFortunately, Congress recognized the urgent need for \nenforceable health privacy rules, and set itself a time limit \nin the Health Insurance Portability and Accountability Act of \n1996 to pass health privacy legislation by August 1999.\n    There are a number of proposals before the House and Senate \nwith regard to medical privacy. Representative Jim McDermott \n(D-WA) and Representative Gary Condit (D-CA) have both \nreintroduced their bills from last Congress without significant \nchange: ``Medical Privacy in the Age of New Technologies Act of \n1997\'\' (H.R. 1815) and the ``Fair Health Information Practices \nAct of 1997\'\' (H.R. 52), respectively. In the Senate, under \nconsideration are: ``The Medical Information Protection Act of \n1998,\'\' (discussion draft 2/19/98) co-authored by Senator \nRobert Bennett (R-UT) and Senator James Jeffords (R-VT), and \n``The Medical Information Privacy and Security Act,\'\' (S. 1368) \nintroduced by Senator Patrick Leahy (D-VT) and Senator Edward \nKennedy (D-MA). 
Last week President Clinton released the \nAdministration\'s proposal for a patients\' ``Bill of Rights,\'\' \nwhich includes a broad confidentiality provision.\n    There is a long history of congressional efforts to craft \nhealth privacy legislation, but, as yet, we have fallen short \nof achieving the necessary consensus. I believe we must take \nthe critical next step to move away from viewing privacy and \nhealth initiatives as values in conflict, and towards viewing \nprivacy as a key element in ensuring the success of health care \ngoals. In my statement, I outline a new framework for \naddressing privacy in the larger health care arena as an \nultimate good, which will foster patient trust and confidence \nin the doctor/patient relationship, and enhance the quality of \npatient data needed for improving patient care, research, and \npublic health initiatives.\n\n        II. The Value of Privacy to Individuals and Communities\n\n    The potential benefits to individuals and communities from \nthe emerging global information infrastructure are well \ndocumented. More and more, people are communicating, receiving \ninformation, and engaging in commerce through the Internet, \noften with little regard for local and national borders. \nIndividuals, governments, libraries, universities, hospitals, \nmuseums, corporations, and non-profits are expanding their \nactivities to include the use of the Internet and other \ninteractive communications technologies.\n    But there is a darker side to the ``Information Age\'\' that \nthreatens to undercut the growth and promise of these powerful \nnew developments. The same medium that makes possible the \ninstant global communication and sharing of information, also \nprovides people with the capacity to generate, capture, store, \nand reuse a tremendous amount of personal information. 
On a \ndaily basis, applying for a driver\'s license, seeking credit, \ntalking with a doctor, passing through a toll on the turnpike, \nmaking (or receiving) a phone call, subscribing to a magazine \nor joining an organization, logging on to a website, or even \nbuying a small item with cash, often requires that people \ndivulge a tremendous amount of detailed, sensitive information.\n    The primary issue here is not the use of the person\'s \ninformation for the purpose for which it was collected \n(evaluating credit, issuing a driver\'s license, providing \nmedical care), but the unanticipated, secondary disclosures of \nthe person\'s information. Over the course of a person\'s \nlifetime, the record of one\'s life collected through \ndistributed and largely unregulated networks can make real the \n``womb-to-tomb dossier\'\' that Harvard Professor Arthur Miller \nwarned of over thirty years ago. Once personal information is \ncollected for one purpose, the temptation to use it for other \npurposes is often irresistible.\n    In a joint statement last year, President Clinton and Vice-\nPresident Gore acknowledged the public\'s fear of losing \nprivacy: ``Americans treasure privacy, linking it to our \nconcept of personal freedom and well-being. Unfortunately, the \n[Global Information Infrastructure\'s] great promise that it \nfacilitates the collection, re-use, and instantaneous \ntransmission of information can, if not managed carefully, \ndiminish personal privacy. It is essential, therefore, to \nassure personal privacy in the networked environment if people \nare to feel comfortable doing business.\'\'\n    Significant social, political, and economic consequences \ncan result from our society\'s failure to preserve privacy. 
If \npeople continue to lose control over their ability to choose \nwhen, what, and to whom to divulge personal, sensitive \ninformation, they will be reluctant and unwilling to step \nforward and fully participate in society, fearing unwanted \nexposure, judgements, discrimination, surveillance, stigma, and \nloss of jobs, credit, housing, or family. A continued failure \nto protect the privacy of personal information in a variety of \nspheres--most notably health--will undermine peoples\' ability \nto fully participate in social, political, and commercial \nactivities.\n\n                      III. Privacy and Health Care\n\n    A lot of attention has been paid in recent years to how to \nimprove health care in this country, but a critical element \nthat is often overlooked and misunderstood is the role privacy \nand confidentiality plays in the health care setting. Nearly \nevery facet of health care--from health care delivery, to \npayment, prescribing medication, outcomes analysis, research, \nand marketing--is undergoing dramatic changes as our society \nmoves towards managed care and the development of integrated \nhealth data networks. As a recent editorial in The New York \nTimes observed, ``Preserving privacy in the ever-expanding \nworld of electronic medical records is a daunting task that \nhealth care organizations and public policy makers have been \nslow to address. But as managed care puts more information into \nmore hands, consumer anxiety over confidentiality makes the \nissue unavoidable.\'\'\n    A number of factors lead to privacy being viewed by some as \nbeing in conflict with other health care endeavors. These \nfactors range from fear that addressing privacy at the patient \nlevel will lead to a diminution in the quality and quantity of \nhealth data made available, to concern about a lack of \nknowledge and tools to apply in protecting personal health \ninformation in both electronic and paper form. 
Anxiety exists \namong some downstream users of health information that \nprotecting patient privacy means people will always choose to \nlock up their medical records in their doctors\' offices.\n    Some of those who fear privacy will reduce the flow of \nvaluable patient data claim that:\n    * There is an overriding public interest in \nfurthering their activities which trumps any individual privacy \nclaim;\n    * People will not be able to responsibly exercise \nany decision-making authority over their own information--in \nother words, they will not understand (or care about) the \nlarger social good to be gained by the use of their \ninformation;\n    * There are no horror stories of improper use or \ndisclosure of personal medical information for which they are \nresponsible;\n    * The complexity and cost of putting privacy and \nsecurity safeguards in place are too burdensome, and will choke \nthe flow of identifiable health data needed for health care-\nrelated initiatives.\n    At bottom, some health care organizations are concerned \nthat health privacy regulation will go too far on the \nconfidentiality side, and thus have a negative impact on \nbeneficial health efforts. There is a fear that protecting \nprivacy will clog the free flow of health information, and make \nless information available for outcomes analysis, research, \npublic health activities, and other health-related purposes.\n    Ultimately, the converse is true: without trust that the \npersonal, sensitive information they share with their doctors \nwill be handled with some degree of confidentiality, patients \nwill not fully participate in their own health care. In the \nabsence of such trust, patients will be reticent to accurately \nand honestly disclose personal information, or they may avoid \nseeking care altogether for fear of suffering negative \nconsequences, such as embarrassment, stigma, and \ndiscrimination. 
Along the continuum, if doctors and other \nhealth care providers are receiving incomplete, inaccurate \ninformation from patients, the data they disclose for payment, \nresearch, public health reporting, outcomes analysis, and other \npurposes, will carry the same vulnerabilities.\n    Initiatives to improve public health and reshape health \ncare--such as community health information networks, managed \ncare, telemedicine, outcomes analysis, disease management, the \ncreation of population data bases--could not exist, let alone \nflourish, without access to complete and reliable information. \nHowever, the current lack of privacy and security protections \nfor personal health information threatens to undermine \nsignificantly the quality of care people receive, as well as \nthe accuracy and reliability of the information being collected \nand used for outcomes analysis, cost effectiveness studies, \nresearch, and public health activities.\n    I urge that we abandon the current dialogue that places \nprivacy and public health initiatives in conflict. A new \nframework is needed that intertwines the values of protecting \npatient privacy and fostering health care initiatives. At this \njuncture, let us treat patient privacy as a ``first principle\'\' \nof ensuring quality of care for individuals and their \ncommunities. Ideally, within such a health privacy framework, \nidentifiable information patients choose to disclose outside \nthe four walls of their doctor\'s offices would be more accurate \nand complete, and thus create more reliable data for use by \ndoctors, researchers, and others working to enhance the quality \nof health care. By expanding our focus to incorporate privacy \nas an ultimate good to be achieved in the health care arena, we \nmay better advance our health care initiatives.\n\n              IV. 
The Role of Privacy in Care and Research\n\n    Again, without trust that the personal, sensitive information they \nshare with their doctors will be handled with some degree of \nconfidentiality, people will not fully participate in their own health \ncare. In turn, information that lacks integrity at the front-end will \nlack integrity and reliability as it moves through the health care \ninformation environment. Therefore, protecting privacy must be an \nintegral part of both ensuring good health care to individuals and \nimproving the health of the larger community. If people worry that \ntheir most sensitive information will not be treated confidentially by \ntheir doctors, and may be disclosed without their knowledge and \npermission to their employers, pharmaceutical companies, or marketers, \nthese people are likely to engage in privacy-protective behavior, such \nas withholding information from their doctors, paying out-of-pocket for \nservices to which they are entitled or avoiding health care altogether. \nAnxiety on the patient\'s part over unknown and coerced uses and \ndisclosures of their records--even for altruistic purposes--leads \npeople to withdraw from full, honest participation in their care. This \nprivacy-protective behavior serves to both jeopardize peoples\' health \ncare, as well as undermine the health care initiatives that rely on \nhigh-quality information.\n    In many ways, the relationship between people and their doctors \nbears the greatest burden in the health privacy debate; this \nrelationship is the ``hot spot,\'\' the originating point on the health \ninformation continuum. Patients are beginning to understand that the \nopen-ended waivers for disclosure they sign as a condition of receiving \nhealth care and reimbursement for services leave them vulnerable to a \nwide array of uses and reuses of their health information. 
It is here, \nin the first and subsequent encounters with a particular provider, that \na person decides how much to divulge, and whether that provider can be \ntrusted. There are many factors that affect a person\'s trust and \nconfidence in his or her doctors, and it is that level of trust that \nultimately determines the degree of willingness to fully divulge health \nand other personal information.\n    The public has consistently expressed a high degree of concern over \nthe vulnerability of their privacy, in particular the lack of \nprotection for their personal health information. Decades of survey \nresearch conducted by Louis Harris &amp; Associates document a growing \npublic concern with privacy. The 1995 Harris poll found that 82% of \npeople were concerned about their privacy, up from 64% in 1978.\n    A Health Information Privacy Survey released by Harris in 1993 \nfound that the majority of the public (56%) favored the enactment of \nstrong comprehensive federal legislation to protect the privacy of \nhealth care information. In fact, of that majority, eighty-five percent \n(85%) responded that protecting the confidentiality of medical records \nwas absolutely essential or very important to them. An overwhelming \npercentage wanted penalties imposed for unauthorized disclosure of \nmedical records (96%), guaranteed access to their own records (96%), \nand rules regulating third-party access to personal health information.\n    Harris\' 1996 survey elicited a disturbing public view of researcher \nuse of medical records. Only eighteen percent (18%) of the public \nconsider the use of patient records for medical research without prior \npermission to be very acceptable. Thirty-nine percent (39%) found the \nuse somewhat acceptable. 
The public\'s comfort level increased if the \ninformation released did not identify individual patients, but one-\nthird found it not at all acceptable for researchers to use non-\nidentifiable health information without patient consent.\n    Finally, in Harris\' 1995 survey, sixty percent (60%) of respondents \ncited instances where they refused to provide requested information. \nThis kind of privacy-protective behavior is not unfounded. Recent \nreports of abuse or misuse of peoples\' health information have \nconfirmed the public\'s fear of misuse of personal medical information. \nFor example:\n    <bullet> The chain drug store CVS, and Giant Food, recently \nadmitted to disclosing patient prescription records to a direct mail \nand pharmaceutical company to track customers who don\'t refill \nprescriptions, and send them letters encouraging them to refill, and \nconsider alternative treatments. After public outrage was expressed \nfollowing media reports of this practice, both CVS and Giant agreed to \nhalt the marketing disclosures. (``Prescription Fear, Privacy Sales,\'\' \nWashington Post, p. A1, 2/15/98)\n    <bullet> An Orlando woman recently had her doctor perform some \nroutine tests, and received a letter weeks later from a drug company \ntouting a treatment for her high cholesterol (``Many Can Hear What You \nTell Your Doctors: Records of Patients Are Not Kept Private,\'\' Orlando \nSentinel, 11/30/97, A1)\n    <bullet> New York Congresswoman Nydia Velasquez\' confidential \nmedical records--including details of a bout with depression and a \nsuicide attempt--were faxed from a New York hospital to a local \nnewspaper and television station on the eve of her 1992 primary. After \novercoming the fallout from this disclosure and winning the election, \nRep. 
Velasquez testified eloquently about her experiences before the \nSenate Judiciary Committee as it was considering a health privacy \nproposal.\n    <bullet> The Harvard Community Health Plan, a Boston-based HMO, \nadmitted to maintaining detailed notes of psychotherapy sessions in \ncomputer records that were accessible by all clinical employees. \nFollowing a series of press reports describing the system, the HMO \nrevamped its computer security practices.\n    <bullet> In Maryland, eight Medicaid clerks were prosecuted for \nselling computerized record printouts of recipients\' and dependents\' \nfinancial resources to sales representatives of managed care companies.\n    <bullet> In a recent survey, 206 respondents reported \ndiscrimination as a result of access to genetic information, \nculminating in loss of employment and insurance coverage, or \nineligibility for benefits.\n    <bullet> The director of a work site health clinic operated by a \nlarge manufacturing company testified that he was frequently pressured \nto provide personal information about his patients to his supervisors.\n    <bullet> The late tennis star Arthur Ashe\'s positive HIV status was \ndisclosed by a health care worker and published by a newspaper without \nhis permission.\n    <bullet> Patient Direct Metromail advertises in a pharmaceutical \nindustry journal that it has 7.6 million names of people suffering from \nallergies; 945,000 who suffer from bladder-control problems; and \n558,000 who suffer from yeast infections. (``Medical Privacy is \nEroding, Physicians and Patients Declare,\'\' San Diego Union-Tribune, 2/ \n21/98,\n    Focusing specifically on mental health care, a New York Times \nMagazine article, ``Keeping Secrets,\'\' observed: ``[A]t present it is \nunrealistic for people to assume that the raw and tender subjects they \ntalk over with their therapists will go no further than the four walls \nof the consulting room. 
And many patients have become legitimately \nconcerned about the possibility that the depression, suicide attempt, \nmarital problem or alcoholism being discussed could return to haunt \nthem in cyberspace. They are uncomfortably aware of the shadowy figures \nsitting in on their therapy sessions: the insurance administrator, the \nelectronic file clerk, the case reviewer, other physicians with an \nH.M.O.--even their own co-workers and supervisors.\'\' (June 16, 1996, p. \n38)\n    Peoples\' anxiety over whether they will maintain some decision-\nmaking authority over the use and disclosure of their personal health \ninformation by their doctors strongly drives their decisions to seek \ncare, how honestly and fully they interact with their health care \nprovider, whether they `doctor hop\' to avoid having all of their health \ninformation entrusted to one provider, and whether they pay out-of-\npocket or file a claim. Any lack of trust or confidence in the doctor/ \npatient relationship carries the potential of infecting all of a \nperson\'s interactions with and perceptions of the health care \nenvironment.\n    The consequences for patients, as well as the health care \ninitiatives intended to serve them, are significant:\n    <bullet> The patient may receive poor quality of care, risking \nuntreated and undetected health conditions.\n    <bullet> The doctor\'s abilities to diagnose and treat accurately \nare jeopardized by a lack of complete and reliable information from the \npatient.\n    <bullet> The integrity of the data flowing out of the doctor\'s \noffice is undermined. 
The information the patient provides, as well as \nthe resulting treatment and diagnosis, may be incomplete and \ninaccurate, and not fully representative of the patient\'s care or \nhealth status.\n    <bullet> A doctor may skew diagnosis or treatment codes on claim \nforms, or the doctor may keep separate records to be maintained and \nkept within the doctor\'s four walls, and send on incomplete information \nfor claims processing in order to encourage a patient to more fully \ncommunicate.\n    <bullet> The credibility of any research or analysis performed in \nreliance on the patient\'s data is called into question. Not only is the \npatient\'s health data unreliable from her medical record and claims \ndata, the downstream user (researcher, public health official) lacks \nany information as to whether the information might lack integrity or \nwhy. In other words, there may be no clue in the record that something \nis missing or false.\n    In the health care setting, when patients withhold information or \nshun care to protect their privacy, they must do so with a broad, \nundiscriminating brush--they have to calculate for every negative \npossibility. But, if people are assured that their health information \nwill be safeguarded, and if they are empowered to make informed, \nvoluntary choices about the secondary use of their health information, \npeople are likely to seek care, more fully open up to their health care \nproviders, and make educated decisions about the disclosure and use of \ntheir personal health information.\n\n           V. Consensus for a National Health Privacy Policy\n\n    A consensus exists among the public, policymakers, and a \nbroad spectrum of the health care field that a comprehensive \nhealth privacy policy is needed in this country. 
As a recent \neditorial in the Washington Post concluded: ``Of all the \nthreats posed to personal privacy by new information \ntechnologies, the threat to the privacy of medical records is \nby far the most urgent.\'\' (``Medical Files, or Fishbowls?\'\' \n9/23/97, p. A16)\n    Reports of the last twenty years are unanimous in \nconcluding that a comprehensive national health privacy law is \ncritical to ensuring both the integrity of the doctor/patient \nrelationship and the continued development of this nation\'s \nhealth care system (See For The Record: Protecting Electronic \nHealth Information, National Research Council, 1997; Health \nData in the Information Age: Use, Disclosure and Privacy, \nNational Academy of Science, Institute of Medicine, 1994; \nProtecting Privacy in Computerized Medical Information, Office \nof Technology Assessment, 1993). In the past few years, every \nwitness that has testified before the U.S. Congress has stated \nthat a comprehensive federal privacy law is critical to \npreserving peoples\' trust in their doctors and in the health \ncare system.\n    Most recently, the Presidential Advisory Commission on \nConsumer Protection and Quality in the Health Care Industry \nissued its recommendations for a patients\' ``Bill of Rights,\'\' \nwhich states: ``individual patients\' medical records should be \ntreated confidentially, and disclosed only in order to treat \nthem and pay bills.\'\'\n    S. 1360, The Medical Records Confidentiality Act of 1996 \nintroduced last Congress by Senators Bennett and Leahy, quickly \ngarnered broad bi-partisan support, including co-sponsorship by \nSenators Dole, Daschle, Kassebaum, Kennedy, Jeffords, and \nFrist. Despite this powerful hand holding, agreement on the \nscope and implementation of a national health privacy policy \ncontinues to present a challenge.\n    We now have a new and promising opportunity for meeting \nthis challenge. 
The recently enacted Health Insurance \nPortability and Accountability Act of 1996 (HIPAA) includes a \nprovision mandating that either Congress or the Secretary of \nHHS establish an enforceable privacy regime to protect \npersonally identifiable health information. ( P.L. 104-191, \nalso known as Kassebaum-Kennedy) In HIPAA, Congress set itself \na time limit of August, 1999 for enacting a health privacy law. \nIf Congress fails to act by that time, the Secretary of HHS is \nrequired to promulgate health privacy regulations by January, \n2000.\n    To provide some guidance for legislation, HIPAA required \nthe Secretary to submit to Congress her blueprint for health \nprivacy legislation. In September 1997, Secretary Shalala \nissued a set of recommendations to Congress to ``enact national \nstandards that provide fundamental privacy rights for patients \nand define responsibilities for those who serve them.\'\' The \nSecretary\'s recommendations parallel to a large extent the \nrecommendations of other national bodies, as well as \nincorporating approaches taken by many of the proposed medical \nconfidentiality bills introduced in Congress over the past. The \nmajor recommendations are to:\n    <bullet> Impose new restrictions on those who pay and \nprovide for care, as well as those who receive information from \nthem. It should prohibit disclosure of patient-identifiable \ninformation except as authorized by the patient or as \nexplicitly permitted by the legislation. Disclosures of \nidentifiable information should be limited to the amount \nnecessary to accomplish the purpose of the disclosure, and \nshould be used within an organization only for the purposes for \nwhich the information was collected.\n    <bullet> Provide consumers with significant new rights to \nbe informed about how their health information will be used and \nwho has seen that information. 
Providers and payers should be \nrequired to advise patients in writing of their information \npractices. Patients should be able to see and get copies of \ntheir records, and propose corrections. A history of \ndisclosures should be maintained by providers and payers, and \nbe made accessible to patients.\n    <bullet> Provide for punishment for those who misuse \npersonal health information and redress for people who are \nharmed by its misuse. There should be criminal penalties for \nobtaining health information under false pretenses, and for \nknowingly disclosing or using medical information in violation \nof the Federal privacy law. Individuals whose rights under the \nlaw have been violated should be permitted to bring an action \nfor damages and equitable relief.\n    Secretary Shalala concludes that ``without safeguards to \nassure that obtaining health care will not endanger our \nprivacy, public distrust could turn the clock back on progress \nin our entire health care system.\'\' (Shalala report, pp 1,2.)\n    However, the Secretary\'s report drew fire from the Hill, \nthe media, health care providers, and health privacy experts \nfor her recommendation that law enforcement officials continue \nto have virtually unfettered access to personal health records. \nAs The New York Times editorial decried: ``The exemption for \nlaw enforcement agencies is a huge loophole The need to combat \nfraud in the nation\'s trillion-dollar health-care industry is \nindisputable. But it hardly justifies granting less privacy \nprotection to the intimate information contained in medical \nrecords than existing Federal statutes now extend to the \nrecords of banks, cable television, video rental stores, or E-\nmail users, as the Administration\'s plan bizarrely \ncontemplates.\'\' (See ``Trifling with Medical Privacy,\'\' NY \nTimes, 9/97)\n    No other federal privacy statute provides such an exemption \nfor law enforcement. In fact, most of the U.S. 
privacy laws \nwere enacted specifically to bring law enforcement under a \nFourth Amendment warrant mandate.\n    It is also worth noting that HIPAA includes a provision \nknown as ``Administrative Simplification.\'\' Coupled with the \nlaw\'s privacy mandate is a requirement that uniform health data \nstandards for the electronic transmission of personal health \ndata be developed by Spring 1998. The consequence of these dual \nand staggered requirements is that a time line has been \nestablished by which data standards must be created prior to \nthe development of privacy and security rules governing \npersonal health information. Both the short time frame and the \nawkward sequence of events laid out in the ``Administrative \nSimplification\'\' section pose unique challenges for health care \nentities, policymakers, and patients.\n    However, the congressionally mandated time limit to pass \nhealth privacy legislation by August 1999 shifts the political \nlandscape, and injects greater immediacy into the effort to \nfind a strong, workable privacy solution.\n\n            VI. Key Issues for Federal Health Privacy Policy\n\n    The following is a broad outline of the key elements that \nmust be incorporated in a comprehensive health privacy policy. \nMany of the health privacy proposals currently pending before \nCongress address, in various ways, these key factors.\n    <bullet> Access: People must have the right to see, copy, \nand supplement their own medical records. Only 28 states \ncurrently provide such a right.\n    <bullet> Notice: People must be given written, easy-to-\nunderstand notice of how their health information will be used \nand by whom. 
Only with such notice can people make informed, \nmeaningful choices about uses and disclosures of their health \ninformation.\n    <bullet> Consent: As a general rule, patient consent should \nbe obtained prior to disclosure of personal health information \nby doctors, health plans, employers, and other health care \nentities, especially if the disclosure is not related to \ntreatment or payment. There seems to be a broad recognition \nthat exceptions to the rule of consent are needed for certain \npublic health disclosures and in emergency circumstances.\n    <bullet> Research: A federal privacy law should strengthen \nand expand the reach of existing privacy safeguards for \nidentifiable health information used by researchers. Overall, a \nnational health privacy policy should create incentives for \nresearchers to use non-personally identifiable health data.\n    Specifically, there should be equity, uniformity, \naccountability and oversight in scope and application of the \nfederal regulations governing Human Subjects research and the \nuse of personally identifiable health information by \nresearchers. Regulations should be applied to both federally \nand non-federally funded researchers, and the existing standard \nfor granting waivers of informed consent for use of \nidentifiable data should be codified, strengthened and strictly \napplied.\n    Far from hindering research, a federal health privacy law \ncan benefit health research--by bolstering patient confidence \nin the use of personal health information. Again, protecting \npatient privacy can help to insure the integrity of the data at \nthe front end, when it is divulged by the patient.\n    <bullet> Security: It is important to require the \ndevelopment of security safeguards for the use and disclosure \nof personal health information. 
While it is critical to \nacknowledge that networked health information systems can pose \na risk of greater magnitude and harm, technology can be used to \nbetter safeguard personal health information in electronic form \nthan it would be protected if on a piece of paper in a file \ndrawer (see For the Record: Protecting Electronic Health \nInformation, National Research Council, 1997). Also, technology \ncan be used to more efficiently anonymize and de-identify \npersonal health data for public health initiatives.\n    No system--either paper or electronic--can provide 100% \nfool-proof security, but existing technology does provide us \nwith some powerful opportunities to better protect personal \ninformation. There has been some discussion about providing \npeople the option to prohibit their personal health data from \nbeing maintained and transmitted in electronic format. I \nbelieve that such an ``opt-out\'\' may create a false expectation \nthat sensitive information is better protected in paper form. \nAgain, this is not necessarily true if strong security policies \nand tools are built-in to information systems.\n    <bullet> Law Enforcement: A federal health privacy law \nshould include a court order requirement, with a standard as \nstringent if not more so than that set out in the Video Privacy \nProtection Act (better known as ``The Bork Bill\'\'). \nConstitutional principle requires that individuals should be \nshielded from unjustified government intrusion. Currently, no \nfederal privacy statute provides a broad exemption for law \nenforcement. In fact, most of the U.S. privacy laws were \nenacted specifically to bring law enforcement under a Fourth \nAmendment warrant mandate.\n    <bullet> Remedies: In order to be truly effective, a \nfederal health privacy law must have strong remedies in place. 
\nFor instance, strict civil penalties and criminal sanctions \nshould be imposed for violations of the law, and individuals \nshould have a private right of action against those who \nmishandle their personal medical information.\n    <bullet> Preemption: No precedent exists in our federal \nprivacy and civil rights laws for preempting state law. In the \ncase of health privacy, we do not yet have a comprehensive \nsurvey of state law that would even indicate what state laws we \nwould be preempting. Further, health care entities are \ncurrently doing business and transferring information \ninterstate, complying with various state health privacy laws.\n    Serious consideration should be given to any proposal to \npreempt state law in this area, thereby locking the states out \nof tailoring their laws to reflect particular circumstances. \nFor instance, stronger state mental health and communicable \ndisease confidentiality laws should not be preempted, given the \nlong history of stigma and discrimination against people with \nthese conditions. Moreover, given what we know of the \nresistance to testing and accessing treatment, these state \nprivacy laws help to promote broad public health interests.\n\n                            VII. Conclusion\n\n    I am optimistic that the political will exists this \nCongress to pass legislation that truly protects peoples\' \nprivacy in the health care setting, without unduly compromising \nvaluable health care initiatives. The time has come for a \ncohesive, forward-thinking health privacy paradigm that \nacknowledges privacy\'s critical role in health care, and \nintegrates it at various states throughout the health care \nsystem. People must be empowered to be more active, informed \nconsumers of health care and knowing, willing participants in \nthe broader health care activities that impact their lives and \nwell-being of their communities. 
If we are to achieve the oft-\ntouted goals in health care, people must have trust and \nconfidence that the health care system will safeguard their \npersonal health information. Loss of personal privacy--and \nultimately the erosion of reliable health information--must not \nbe the price of progress.\n      \n\n                                <F-dash>\n\n    Chairman Thomas. Thank you very much.\n    Dr. Birge.\n\n  STATEMENT OF JAMES BIRGE, M.D., MEDICAL DIRECTOR AND CHIEF \n  EXECUTIVE OFFICER, MACGREGOR MEDICAL ASSOCIATION, HOUSTON, \n TEXAS; ACCOMPANIED BY JIM SLOANE, VICE PRESIDENT OF BUSINESS \n    DEVELOPMENT, AMERICAN MEDICAL MANAGEMENT, HOUSTON, TEXAS\n\n    Dr. Birge. Again, thank you for inviting us to testify \nhere. I am Dr. Birge, the medical director and the chief \nexecutive officer for MacGregor Medical Association. With me is \nJim Sloane, vice president of business development for our \ncomputer systems. We are here to describe what we have been \ndoing with electronic medical records from a clinical \nstandpoint, which I will address, and Mr. Sloane will address \nit from a security standpoint with a little show-and-tell of \nwhat it looks like.\n    Essentially, I echo everything that Dr. Borowitz said in \nhis testimony. MacGregor is a fairly large group. Right now \nthere are 22 sites in Houston, 5 in San Antonio, a total of \nabout 220 doctors. We are taking care of about 210,000 patients \nin Houston, about 40,000 in San Antonio. By the end of the \neighties it was very apparent to us that the paper medical \nrecord just did not work. We could not get the clinical \ninformation to the doctors at the time the doctor needed it. \nThe only answer we came up with was the computer, and that is \nwhat we did.\n    We installed an electronic medical record that went live at \nthe end of 1991, and all of the patients are now in that \ncomputer base. It handles 1.1 million visits a year. 
It makes \navailable essentially all the outpatient data for the physician \nat the time the physician needs it. We do this by providing \ncomputers in the doctors\' offices, nurses\' stations, in the ERs \nof plan hospitals, L&D, that sort of thing. They can also have \naccess at home, if the physician wants.\n    What that does is allow us to use the computerized \ninformation, which includes progress notes, lab reports, x \nrays, and problem lists, and use it in four fundamental \ncategories: The first would be taking care of that individual \npatient, so that whether the patient shows up at the office on \na scheduled visit, or they are showing up in the evening as a \nwalk-in; or they are hitting the L&D room or the ER of the plan \nhospital, the medical information is there for the physician \ntaking care of the patient. As other people have previously \ntestified, the quality of care is better that way, and \nhopefully things are more economical and expedient from a time \nstandpoint.\n    A quick example. A 70-year-old woman hits her after-hours \nfacility; feels a little tired, a little dizzy. The doctor does \na review--does not have the paper record available but does \nhave access to the clinical information in the computer. Finds \na hemoglobin at 10.1, which is slightly anemic. Is that new or \nold? Should he worry or not worry? The computer says the \nhemoglobin has been like that for the last 10 years. You are \nnot going to worry about it. There are just numerous examples \nlike that.\n    Second point: Identification of high risk patients. The \nmedical paradigm, if you allow me to use this trite word, has \nalways been episodic. We wait for the patient to intervene with \nus. 
We wait for them to get sick, feel lousy, something bad is \nhappening, and then the doctor jumps in and tries to save the \nday, usually with poor success.\n    What we need to do is move to the next millennium, and that \nis identifying the high risk patients before they blow up. How \ndo you do it? Information. The computer systems can look at \npatients with mild renal failure. They have not been back in to \nsee a doctor in more than 1 year. That is a high risk patient. \nSomebody whose glucose is not under tight control, hasn\'t seen \na doctor in 6 months, that is a high risk patient.\n    This is where the medical profession needs to go. It is our \nobligation to take that next step, to treat the patient as a \ncontinuum, not as an episode, and that all requires information \nlinked together chronologically.\n    The third area is quality assurance just within our \norganization. This would be data which is really not \nidentifiable by the individual but looks at all the conditions \nof how tightly controlled are diabetics, what kind of renal \nfunctions are they obtaining, that sort of thing. This comes \nback to the outcome analysis the Chairman talked about earlier.\n    And then, finally, quality assurance, or outside our \norganization; these are HEDIS initiatives; NCQA, that sort of \nthing, again where you can screen computer data as opposed to \nhordes of nurses floating through paper records one by one. It \nis a no-brainer. Obviously, the results are going to be more \nmeaningful from a statistical basis, and you can look for more \nthings using the computer than you can the paper record.\n    With that, let me turn things over to Jim Sloane.\n    Mr. Sloane. Good morning. Thank you for the opportunity. 
I \nwould request that I move my seat over, and hopefully my \ntechnology will work appropriately and I will demonstrate some \nof what the providers at MacGregor have access to in our \ninformation system.\n    To start off with, in addition to the confidentiality \nstatement which every employee must sign as a condition of \nemployment, every time that one of the users turns on their PC, \nthis is the statement that they are presented with. The only \noption they have, in order to continue to use the PC in any \nmanner, is to agree with this confidentiality statement. It \nserves as a constant reminder to the employees about the \nimportance of keeping the patient information confidential.\n    Chairman Thomas. I do not want to interrupt you, but what \nis the consequence of violating that statement? I am trying \nto--immediate dismissal?\n    Mr. Sloane. Correct.\n    Chairman Thomas. Is that a right that has been exercised?\n    Mr. Sloane. It has.\n    Dr. Birge. You are right, the consequence is immediate \ntermination.\n    Chairman Thomas. And it has been exercised?\n    Dr. Birge. It has been.\n    Chairman Thomas. OK.\n    Mr. Sloane. The step for the user when they attempt to \naccess the electronic medical record system is the same as many \nother systems. Each user has a unique identifier, user I.D., to \ngain access to the system. They also have a password. We do \nforce the users to routinely change their passwords so that \nthey cannot consistently use the same password. We also do not \nallow reuse of the passwords, so that they cannot bounce back \nand forth between one and two passwords.\n    These screens do have automatic timeout after certain \nperiods of inactivity and the user is logged off.\n    Once they sign on to the system, depending upon the level \nof access, and it is different depending upon what type of \nposition an employee has with the organization, they are \npresented with a menu of icons which they can choose from. 
Many \nof the providers start out with this view. It is basically a \nlook at their schedule; what it looks like for a given day and \na given month of the year.\n    From this particular view, the physician can select a \npatient record off of the scheduling system and start looking \nat clinical data. This information is similar to what we just \nsaw, just presented in a different format. The physicians have \naccess to laboratory results, transcriptions, immunization \nhistories, demographic information, and significant problems, \nas well as drug allergies.\n    In order to look at a particular note, the user would just \nselect which note they wanted to see off the appropriate tab. \nThis happens to be my son\'s record. That is a common \noccurrence, too. This is my son\'s actual record from within the \nsystem. This happens to be a note dictated by Dr. Patel when my \nson came in for a visit. This is the immunization flow sheet.\n    This also serves as information for what type of \nimmunizations were given and as a reminder to the provider when \nparticular immunizations should be given. This is just a view \nof the drug history.\n    We have the capability within the system to search across \nthe medical records for a given patient. In this case we search \nfor the word ``sinusitis\'\' and the system highlights which \nparticular progress notes contain that word or phrase. And \nagain we see that highlighted within this progress note.\n    I have pulled up a different patient here. This is a test \npatient within our system. We see a list of the significant \nproblems in the upper left-hand portion; on the right-hand side \nwe would see drug allergies; and below that the same \ninformation as previously seen. If you wanted to look at a \nparticular lab result, you can select it off the lab folder. 
\nYou see the particular details of that result and then the \nphysician has the capability of graphing the results if they \ndesire.\n    This is just a different view of the same laboratory \ninformation, providing a little more detail before you go in \nand look at a particular result.\n    That is basically what I had prepared just to give you an \nidea of what the system looks like. But to address more \nspecifically some of the security aspects, I already talked \nabout the users agreeing to the confidentiality statement. We \nalso have the capability to restrict a user\'s access to the \nsystem by day of the week, hour of the day, and location of the \ndevice from which they are accessing the system.\n    Also mentioned, we have the capability of restricting \naccess by the level of user, so that not all users see all \nlevels of patient information.\n    We do keep audit trails of access to all of the \ninformation. Every time one of those records is pulled up of a \npatient and you go into a progress note or a laboratory result, \nthat information is recorded in an audit trail.\n    And to address the opening question, that is one \ncircumstance where we monitor those audit trails on a routine \nbasis. We noticed one particular employee had an unusually \nlarge number of accesses to patient records, patient data. When \nthat employee was confronted, he immediately resigned. And we \nwould have terminated him anyway if it was inappropriate use of \nthe information.\n    We do restrict access to other employees\' information \nwithin the system, so that one employee cannot pull up another \nemployee\'s information unless they have a high level of \nsecurity in order to do so. And that can expand beyond just \nother employees. Certain individuals whose records are \ndetermined should be restricted, we have that capability.\n    As far as the future of where we are heading, the use of a \nuser I.D. and password is not the ideal situation. 
We continue \nto monitor the technology that is coming about. Two important \nareas are the use of fingerprint recognition devices, as well \nas retinal scanning devices. We have prototyped a fingerprint \nrecognition device. We think it is very promising.\n    Obviously, a fingerprint is not something that can be \nshared with other people. You cannot pass it on to other \npeople. The technology is improving and the devices are \nbecoming much more cost effective in order to look at \nimplementing that type of security. We think that will help \ntremendously.\n    In closing, I realize my time is up, and I would just like \nto state that I believe electronic records, with the \nappropriate controls, security, and auditing mechanisms in \nplace, can be as secure, if not more so, than the hard copy \npatient records.\n    Thank you.\n    [The prepared statements follow:]\n\nStatement of James Birge, M.D., Medical Director and Chief Executive \nOfficer, MacGregor Medical Association, Houston, Texas; Accompanied by \nJim Sloane, Vice President, Business Development, American Medical \nManagement, Houston, Texas\n\n    Mr. Chairman, thank you for the opportunity to testify \ntoday regarding the important issue of patient confidentiality. \nI am Dr. James Birge, Medical Director and CEO of MacGregor \nMedical Association. Accompanying me today is Jim Sloane, Vice \nPresident of Business Development at American Medical \nManagement. Jim will briefly demonstrate for you the superior \nsecurity system we have developed at MacGregor. This system not \nonly ensures patient health information is kept strictly \nconfidential, but also enhances our ability to provide our \npatients with the highest quality, state-of-the-art health care \navailable.\n    MacGregor Medical Association is a multispecialty clinic \nfounded in 1953 by two physicians in Houston, Texas. It \ncurrently comprises 220 providers located at 22 sites in \nHouston and 5 sites in San Antonio. 
In Houston the physicians \nserve approximately 185,000 commercial HMO members, 10,000 \nMedicare risk enrollees, and 15,000 fee-for-service patients. \nIn San Antonio, the operation handles 18,000 HMO paneled \nmembers and 24,000 PPO or fee-for-service patients. The total \ncombined visits for last year were 1.1 million.\n    MacGregor is illustrative of the trend toward highly \nintegrated health care systems. We have entered into a number \nof innovative arrangements with health plans and facilities and \nare responsible for several hundreds of thousands of patients. \nAlong with this trend toward integration, however, have come new \nchallenges over how to best keep patient information \nconfidential while also making the information readily \navailable for use in providing services to patients.\n    This is the challenge Congress now faces--how to enact \nstandards which ensure the highest level of patient \nconfidentiality possible without undermining the ability of \nhealth plans, physicians, and other providers to use the \ninformation for producing higher quality health care services \nand treatments.\n    Until very recently, the field of medicine has been devoted \nto mostly identifying and labeling various disease processes. \nPhysicians have been able to cure almost nothing, though \nameliorative treatment has made great strides over the past \nthree decades. I believe that things are now changing. New, \npowerful medications and procedures entice us with the prospect \nof actually curing a few things and certainly controlling \nvarious diseases and conditions a lot better than before. This \npossibility will require that a physician has prompt, complete \nmedical data. Inadequate information will not only be costly in \nterms of delaying proper diagnosis and treatment, but could \npotentially be seriously harmful to the patient. 
In addition, \ncomplete medical information is necessary to conduct ongoing \nquality assurance activities and to continue the drive towards \nexcellence through peer review and outcomes analysis.\n    For example, today\'s medications are far more powerful than \nthose used 20 years ago. If a doctor doesn\'t know what \nmedications a patient is taking and attempts to treat another \ncondition, the results may be catastrophic. It is our opinion \nat MacGregor Medical Association that medical information must \nbe available in the context of an electronic medical record. \nNot only will the industry soon demand this technology, it will \nbe malpractice to treat a patient in the absence of complete \nmedical information. It is therefore our challenge to create a \nsystem that:\n    - Uses practical industry-wide standards\n    - Establishes safeguards to protect patient \nconfidentiality without jeopardizing the usefulness of the \nelectronic medical record\n    - Prevents medical information from being used \ninappropriately\n    - Develops a process of funding the electronic \nmedical record which does not unfairly affect the patient, \nemployer, physician, insurer, or hospital.\n    MacGregor is a pioneer in the move toward electronic \nstorage and transmission of patient data. MacGregor has \nreceived a great deal of national recognition and has won \nawards for the systems that it has developed. While this brings \nus a great deal of satisfaction, the more important matter is \nthat we believe that these systems have assisted the caregivers \nin providing cost-effective, high quality care to the patients \nthat they serve.\n    At MacGregor, patients have always been allowed to see any \nprimary care physician at any site. 
As a result of this policy, \nMacGregor realized by the late 1980\'s that all too often, we \nwere unable to deliver the paper medical record to one of our \noffices scattered across Houston in time for a patient visit. \nIt was decided that the only solution was a computerized \nmedical record. This instrument went on-line at the end of 1991 \nand has been successfully used ever since. In addition to the \nelectronic medical record (EMR), MacGregor continues to use a \nstandard paper chart which is protected by standard policies \nand procedures.\n    Through the EMR, a MacGregor physician has access to a \npatient\'s significant problem list, drug allergies, progress \nnotes, laboratory results, X-ray results, and immunization \ndata. This information is available at the MacGregor clinics, \nplan hospitals, and--if desired by the doctor--at the \nphysician\'s home via the Internet.\n    The Structured Query Language database, which is explained \nin more detail in our written testimony, allows our \nphysicians to perform a multitude of comparative studies which, \nwe think, improve overall patient care. Again, without access \nto this data, quality of care is significantly compromised. \nReports are particularly useful in identifying high-risk \nindividuals and those patients who are overdue for screening \ntests. 
Some examples include: women overdue for mammogram; \nwomen overdue for a PAP smear; abnormal blood tests which \nhaven\'t been repeated in a certain period of time; children who \nare due for certain immunizations; renal failure patients \noverdue for kidney tests; diabetics who have poor sugar \ncontrol; and high cholesterol patients with inadequate follow-\nup.\n    Results of such studies are patient specific so that the \nclinical department may contact the patient and arrange to have \nthe appropriate action taken.\n    Federal standards which either limit our access to this \ninformation, or require that we obtain patient authorization \nat every point of contact, will serve only to undermine our \nquality control and enhancement efforts. Results of such \nstudies are patient specific so that the clinical department \nmay contact the patient and arrange to have the appropriate \naction taken.\n\n               Security of the Electronic Medical Record\n\n    In spite of the positive aspects and advantages of an \nelectronic medical record, we are certainly aware of the \npotential damage and danger of this information being \ndisseminated to improper individuals or being used for other \nthan the intended purpose. With that in mind, we will present \nthe security measures and procedures that MacGregor has \nimplemented to help prevent misuse.\n    We consider ourselves a pioneer in the development and use \nof these types of outpatient clinical systems. While this \nbrings us a great deal of satisfaction, the more important \nmatter is that we believe that these systems have assisted the \ncaregivers in providing cost effective, high quality care to \nthe patient that they serve. 
It is simply impossible to have a \nhardcopy medical record available in 30 outpatient locations, \nemergency rooms and labor and delivery areas of the local \nhospitals, all at the same time, in anticipation of a patient \nshowing up on the doorstep.\n    Our central computing facility, which houses the patient \nclinical data, has several physical security measures in place. \nThe front entrance to the building is monitored by a \nreceptionist who ensures that all visitors to the building sign \nin and list which employee they are visiting. The receptionist \nthen places a phone call to the employee letting them know that \nthey have a visitor. The visitor is accompanied during his \nvisit to our facility. The employee entrance to the building \nand the parking lot are secured 24 hours a day, seven days a \nweek, 365 days a year. Each authorized employee, who has filled \nout the proper form, is given an access card to the parking lot \nand the building. Every time the card is swiped to enter the \nparking lot or the building, an entry is made in an electronic \nlog which lists the owner of the card and the date and time \nthey entered. The section of the building that houses the \ncomputer on which the data resides is also secured by an \nadditional card reader. During off peak hours, when the \nemployees working in this area are not present, only those \nselect employees who have a need to enter the computer room are \nable to do so by swiping their card. This is also recorded in \nan electronic log.\n    With respect to the EMR application that grants users \naccess to patient data, only those users who have filled out \nthe proper forms, have been authorized and approved by their \nmanager, and have been assigned a User ID and a password are \nable to access the system. In addition, we have software in \nplace which mandates that users change their passwords on a \npredetermined basis and which prohibits reuse of passwords \nduring certain time intervals. 
Additionally, to limit the \npossibility of an employee leaving his system logged on \nindefinitely, the EMR application ``times out\'\' after a period \nof inactivity and the user is logged off of the system. Every \ntime that a personal computer is powered on by a user of our \nsystem, the user is presented with a confidentiality statement, \na copy of which is attached, to which he must agree in order to \ngain access to the EMR application. This serves as a constant \nreminder to our employees about the confidential nature of the \ninformation contained within our system.\n    When remote users access our system, via direct dial-up or \nthrough the Internet, in addition to the User ID and password \nthat are required to gain entry to the application, they must \nalso have a second User ID and password to gain entry to the \nremote access server. This is in addition to a piece of \nproprietary software that they must have loaded on their \npersonal computers in order to gain access remotely. All data \nthat passes through the public network is encrypted through the \nuse of this remote access software. We also use an Internet \nfirewall which prevents our systems from being directly \naccessed through the Internet. Every outside system attempting \na connection to our EMR system must first pass the criteria we \nhave established. In our environment, the EMR is not accessed \ndirectly from the Internet. Access is first passed through a \nfirewall and then to a gateway server that connects into the \nEMR system.\n    Through the use of internally developed security software, \nwe also have a great deal of control over access to the EMR and \nother applications. We have the capability to restrict a user\'s \naccess by day of the week, hour of the day, and the location of \nthe device which he is using to access the system. We can allow \nor restrict an individual user\'s access to all, or select \nelements, of patient data. 
We can restrict access to another \nemployee\'s clinical information as well as other individuals \nwhom it is determined should have restricted access to their \nclinical data. Within each ``window\'\' of the application we \nhave the ability to restrict access to any or all of the \nfollowing functions: inquiry, add, update, or delete \ncapability. Within the MacGregor Medical Association provider \ngroup, which practices in two different cities in the state of \nTexas, we have the ability to logically separate patients\' data \nby region code. Although patient data is not generally made \navailable to the doctors from the city in which they do not \npractice, if a patient visits the doctor in the other city and \nsigns a release form, electronic access to the data can be \ngranted.\n    In addition to all of the security measures mentioned \nabove, we maintain an electronic log in which a record is kept \nevery time that a user accesses patient clinical data. This log \nlists the User ID that accessed the data, the date and time of \nthe access, the type of information that was accessed, and the \nterminal ID from which the access was made. This log is \nmonitored on a regular basis by the security administrator in \nan attempt to determine if patient records are being accessed \nimproperly. In one particular circumstance an employee was \nconfronted about his unusually high number of inquiries to \npatient clinical data. The employee immediately resigned. While \nsome may rightfully argue that this auditing capability is \n``after the fact,\'\' compare it to the inability to audit access \nto hardcopy patient records. 
While in many places a handwritten \nlog is maintained, I would argue that it is not nearly as \naccurate or effective at limiting inappropriate access to \npatient medical records.\n    We know that a User ID and password mechanism is not 100% \nfoolproof, so we continue to research and evaluate alternative \nmeans of uniquely identifying individual users of our system. \nTwo promising possibilities include fingerprint recognition and \nretinal scanning. These types of systems are becoming more and \nmore feasible as the technology improves and the cost declines.\n    There is a tremendous tradeoff between the level of \nsecurity implemented and the usefulness and usability of any \ncomputer system. If the restrictions imposed are too severe and \ntime consuming, the physicians and other providers will not use \nthe system regardless of the value it brings. I believe that \nElectronic Medical Record systems, if implemented with the \nproper controls and auditing mechanisms in conjunction with \nenforced policies and procedures, can be made as secure, if not \nmore so, than hardcopy medical records.\n    In conclusion, thank you again for the opportunity to \ntestify on this complex and important issue. As you face the \nchallenge of enacting federal confidentiality standards, \nMacGregor encourages you to reflect on the advantages of \nresponsible use of patient information and to consider the \nnegative consequences of imposing measures that are so \nrestrictive that they undermine quality.\n    The challenge is great. The rewards for the patient and the \nsystem as a whole will be fantastic.\n\n                    Confidentiality Policy Statement\n\n    All information in a patient\'s medical record is STRICTLY \nCONFIDENTIAL. This information should not be discussed with \nanyone other than MEDICAL PERSONNEL with proper authorization \nand a LEGITIMATE `NEED TO KNOW\'. 
Breach of confidence may be \ngrounds for immediate dismissal.\n      \n\n                                 ______\n\n    Chairman Thomas. Thank you very much. A question first to \nDr. Birge and you, Mr. Sloane, but Dr. Borowitz may want to \nrespond. The software you are utilizing, is it proprietary, is \nit off the shelf, partially off the shelf, modified for your \nown use?\n    Dr. Birge. This software was developed by us, because back \nin the late eighties we could not find anything out there we \nthought would work. We would happily talk to any entity that \nwould like to use it.\n    Chairman Thomas. So, you are still amortizing the cost of \ndevelopment. I was going to ask whether or not you were keeping \ntrack of its cost effectiveness in terms of saving dollars for \npatient care. But because you had to do a bit of creating with \nthis as well, it probably is not a fair question, because I \ndon\'t think we should require the amortization of the software \nas part of the cost effectiveness.\n    Dr. Birge. That is a very good question. We are certainly \nkeeping track of the expense. The system was written up in the \nCIO magazine and received an award a couple of years ago, and \ndid a breakdown of some cost analysis. The real problem is what \nothers have identified earlier, that when you start talking \nabout being proactive and prevention therapy, that sort of \nthing, your payback is measured in years and decades, not \nquarters or one financial year. That is an issue.\n    Chairman Thomas. Dr. Borowitz, is yours proprietary or \ncreated?\n    Dr. Borowitz. A hybrid of the two together. We do have some \ncost data regarding pharmacy errors when we brought up what is \ncalled physician order entry, where the doctors order the \nprescriptions themselves. And when doctors made the entry \ndirectly, the errors dropped to virtually zero within several \nmonths.\n    Chairman Thomas. 
Well, it has obviously come to my \nattention this is a two-way street; that not only are you \nallowed to make sure you are cost effective in dealing with \nwhat needs to be done in a timely way, but that those who are \nnot doing it in a timely way are exposed as well.\n    Dr. Borowitz. That is correct.\n    Chairman Thomas. Any reaction from physicians or other \nhealth care providers about big brother looking over their \nshoulder in terms of making these decisions?\n    Dr. Birge. From our standpoint the answer is really no. We \nare a group practice, and that whole culture is one where you \nknow people are looking at what you are doing and you are \nexpected to be on your best behavior.\n    Chairman Thomas. The concern about confidentiality. And, \nMs. Goldman, although I agree with you in part, I find it \ndifficult to talk about the points that you mentioned--\ndiscrimination, identifiable data versus encrypted paper \nrecords versus electronic and the rest, and start with the \nassumption that privacy is so critical and important that we \nought to immediately carve out a role for States to make \ndecisions not limited by the broader societal needs and the \nprotection of the individual, which may, in fact, create a \ncrazy quilt pattern that would deny us the opportunity.\n    I think this teeter-totter is very, very difficult to \nbalance. My concern, and Dr. Detmer\'s concern, was the \nadministration\'s position that States certainly should be able \nto go beyond what the Federal Government does in terms of \nrights of privacy. And I am trying to figure out where we wind \nup tipping in the direction of privacy which denies us, without \nreal reason, the ability to collect data. Does that concern you \nat all?\n    Ms. Goldman. Well, it absolutely concerns me, Mr. Chairman. 
\nIf I can just address the preemption issue for a moment to try \nto respond to your concern, right now we do have this crazy \nquilt in the States, with nothing at the Federal level. The \nStates are having to respond to the vacuum created by the \nabsence of a Federal law, so they are moving forward to pass \nprivacy legislation.\n    What we have seen in other areas, for instance the Federal \nwiretap law, is that, as all other privacy laws, it creates a \nfloor and States are able to go beyond that. The Federal law, \nfor instance, requires one-party consent before a conversation \ncan be taped or intercepted. What States have done, one-third \nof the States, not more than that, they have decided that is \nnot a strong enough protection and all parties must consent to \nthe conversation. So when law enforcement goes into a \nparticular area, they understand that that State\'s law must be \ncomplied with if it is above what the Federal law requires.\n    Now in this area I think it is a little more complicated, \nsince we are dealing with so many.\n    Chairman Thomas. You need to stand that whole argument on \nits head, do you not, as you are examining the issue? Does that \nmake sense to you?\n    Ms. Goldman. Say again.\n    Chairman Thomas. The idea perhaps, where it is identifiable \npatient records, we can create an opportunity for States to go \nsignificantly beyond what the Federal Government believes is \nappropriate. But where we have protocols for encryption \navailable, I would be very concerned about letting States go \nbeyond the level that we establish to create that opportunity \nfor uniformity of collection of data.\n    Ms. Goldman. 
One of the ways I think we have tried, for \ninstance, in some of the Senate proposals of last year and on \nthis side, the way we have tried to address this concern about \nuniformity, because researchers and industry representatives \nhave a valid concern, which is that it is more convenient, more \nefficient, often easier to transfer information around the \ncountry if you only have one standard with which to comply and \nyou do not have to look at all the various State laws. But we \nhave an opportunity to make that a reality without having to \nbroadly preempt State law by making sure the Federal law is \nwritten at a high enough level.\n    And, in fact, many of the proposals have been written with \nthat in mind, looking at some of the existing State laws and \nsaying, Let us make sure we do not disregard the efforts that \nCalifornia has made or that New York has made, and that we make \nsure the Federal law is set at that level, if not a little \nhigher, so we are not preempting State law. We allow those laws \nto stand and be acknowledged and respected, but we are also \nknowing at the Federal level we need to set the bar high enough \nso that there really is, in effect, one standard.\n    But I do acknowledge there may be some areas where we want \nto carve out for preemption. Research may be one of them. We \nmay want to say that the Federal policy, as related to \nresearch, is preemptive. We may want to acknowledge, though, \nthat in the public health area, as Dr. Detmer said, or in the \nmental health area, States have been fairly active, for good \nreason, to protect their citizens proactively in this area of \ncrafting privacy legislation, and we should be careful not to \npreempt those particular laws and look at where we have a \njustification for preemption.\n    Chairman Thomas. I do not want to get into a debate over \nthis, but my concern there is if we deal with the use of the \nmaterial itself, we may be missing the point. 
Rather than \nfocusing on identifiable records versus nonidentifiable or \nencrypted records, the question is how good is the encryption.\n    Because your point about the Minnesota law, to me, is not a \nvery valid one, and that is, Gee, we come within 95.5 percent \nof accuracy in some areas of collection of the data, especially \nin epidemiology and other areas, throw it out. It is not worth \nanything.\n    Ms. Goldman. I understand.\n    Chairman Thomas. The whole value of the Mayo Clinic in its \napproach was it was a 100-percent universe, which gave you the \nability to do certain things. When you are dealing with certain \ntypes of research, especially following on our carryback, you \nhave to have 100 percent or it is not worth anything. And to \nget Mayo Clinic to spend its own money to convince people up \nfront they should sign the waiver, which by the way is like a \n60-day window and then it is gone and you have to go back and \nget it, is, I think, not a good model to use regardless of \ntheir ability to drive that close to 100. Because I believe \nthere is now something being lost in Minnesota because of the \nMinnesota law being operative, and we will hear from someone \nelse on the panel that may not go as far as I did.\n    But the other point I want to make is, I am very concerned, \nas we talk about the timeframe in which we are going to make \nlaws, that we do not get too carried away with the anecdotal \nmodel for us to legislate with. The Minnesota, CVS-Giant \nPharmacy list, has been used by everyone. The Maryland State \nlegislature is moving to change that. Once it was identified \nand the problem was exposed, they are moving to solve the \nproblem.\n    Your argument that there are people who are carrying out \ncertain behaviors of denial in terms of the physician-patient \nrelationship because they are worried about confidentiality \nmay, in fact, be the case. 
But I have also heard enough \ntestimony about the failure in medical school for physicians to \nget a little bit of training in sensitivity, that perhaps the \ninability of the physician to draw out the patient, to talk \nabout this information, is a lot closer to the real world model \nthan the patient coming in and creating a defensive posture of \nnot telling the doctor everything because they are worried \nabout confidentiality.\n    I think confidentiality models clearly would come from \nsomeone who is very concerned with privacy, but the failure of \nthe doctor to do a good job of interviewing may, in fact, be \ncloser to the real world. I do not want to argue the point. I \nwant to say the anecdotal arguments are not going to be the \nones we are going to legislate on, I hope. But, frankly, with \nthe medical folk and press here, all we ever read about that \nmakes the front page is anecdotal, and that is what our \ncolleagues are going to respond to if we do not do a good job \nin trying to create a broad-based record of what the problem \nreally is.\n    Now, I will give you a chance to say something.\n    Ms. Goldman. Mr. Chairman, you make some good points, and I \nwant to respond to the concern about the Minnesota law. I am \nnot advocating we take the Minnesota law and make it the \nFederal standard. I just wanted to point out that in their----\n    Chairman Thomas. I understand.\n    Ms. Goldman [continuing]. In their efforts there is the \ncompliance rate they have gotten. What I am suggesting is that \nwhile a 4-percent error rate may suggest to epidemiologists to \nthrow out the data, it is worthless, and I think that is a very \nimportant point, what we have not yet measured because it is so \ndifficult to measure, is when people are worried about \nconfidentiality, and of course there are other factors that \nkeep people from fully disclosing information. I recognize \nthat. 
I just want to raise the point that privacy is one of \nthose factors.\n    Where people do not accurately share data, where they do \nnot fully disclose with their doctor or withhold or do not seek \ncare at all, that undermines the quality and reliability of the \ndata, and we have no way to measure that.\n    Chairman Thomas. I understand your point. You made it well, \nboth in written and verbal testimony. My concern is if we do \nnot move at the Federal level, the Minnesota example will be \nthe one used more often than not. That is my concern. And it is \njust not a good model, as far as I can tell. There might be \nbetter ones out there, and what we need to do is set an \nexample.\n    The concern about access, and again, Ms. Goldman, you are \nthe one who focused on this, I do believe the patient should \nhave a right to look at their medical records. The concern I \nget is that the next breath leads to, We ought to be able to \nsupplement those records, we ought to be able to add to those \nrecords, and then even to the extent we ought to be able to \ndelete from those records.\n    I just want to have some statement on the record by the two \ndoctors in front of us on this panel about their belief or \nattitude, in the material that they deal with, of patients \nbeing able to supplement their own medical records. I think the \ndeletion one is a strong one. We all agree that that is not a \nconcern. But has there been a discussion among the group or \nwith you, in terms of the e-mail you get and about the \nsupplementing of records?\n    Dr. Borowitz. We have certainly discussed it. I think the \ne-mail experience suggests that a lot of people are more \ncomfortable writing information down, if you will, to use e-\nmail as a written analog. 
They have an opportunity to think \nthings out without the pressure of time and being intimidated \nby a physician.\n    I also believe it is an opportunity to allow patients to \nshort circuit some of the history-taking process, because they \ncan present the physician or health care provider with data \nthey may think is important but is not readily available in a \nwritten record, so that they can put their medications, their \nallergies, the family history, and they can get down to what is \nimportant, which is the reason they showed up in the office \nthat day.\n    Chairman Thomas. Do you think that patients withhold \ninformation purposely over the concern of confidentiality?\n    Dr. Borowitz. I have no data, but my personal experience is \nwhat you have already alluded to. There is usually another \nagenda that is not addressed, and it is that we have not asked \nthe right questions to get that information; there is a fear \nthey may not even know that we need to help them articulate. My \nbrother\'s sister\'s uncle had appendicitis for 8 years, and you \nnever asked me that question.\n    Chairman Thomas. All I am trying to do is indicate there \nare a lot of reasons why it occurs, it is not just \nunidirectional.\n    Thank you very much.\n    Does the gentleman from Louisiana wish to inquire? Does the \ngentleman from California wish to inquire?\n    Mr. Becerra. Dr. Borowitz, and actually Mr. Sloane and Dr. \nBirge as well, because you mentioned how important it might be \nin the future to head toward electronic data as the main source \nof information on patients, the question I asked earlier of Dr. \nDetmer is, How do you make sure you get everyone on board, if \nyou want to make sure all patients have access to that same \ninformation and are provided the same type of health care \ncoverage and expertise? 
How do you make sure the person who has \nto use that nonprofit, very valuable clinic in the community \nbut is one of those that operates strictly on the margin, how \ndo you make sure they get on board quickly?\n    Dr. Borowitz. I do not have a good answer to that question, \nexcept to say there are certainly large costs in the medical \nsystem now related to the generation of information for \nbilling. The example I give in our own organization, which is \nnonprofit, is that it costs approximately $12 to collect the \nnecessary documentation to submit the bill to the billing \ncomputer system. Those data are of no clinical value.\n    If we developed clinical information systems that in fact \ncollected clinically relevant information, and as a result we \nhad standardized billing processes, there would be a lot of \nmoney available. It would probably not solve all the problems \nbut it would solve some of those problems. We would get more \nvalue for the systems already in place.\n    Dr. Birge. In our universe, that effect has certainly \nhelped us. The vast majority of our revenue is by capitation. \nSo, we are not billing, per se, to an insurer. It costs us \nabout $7 a visit for the system you saw. So, again, the dollars \nsaved on the billing side can be transferred over to the \ninformation side.\n    The other part is that we still have a paper record. It \ndoes exist. And if there would be some way to actually \neliminate that, that is additional savings. It is just we have \nnot figured out exactly how to do it.\n    Mr. Becerra. I agree with everything you have said. It is \njust how do you make up for the startup costs? You are talking \nabout institutions that probably have to get the computers and \nget the programmers and figure out how to work all of this out. \nHow do you help them with that startup cost so they can help \nsave money and start transitioning into that period where they \nare using only electronic data?\n    Dr. Borowitz. 
I would suggest one of the things we need to \nknow is, How much money are they already expending on \ninformation systems that are sequestered in the billing \nuniverse?\n    Mr. Becerra. But that will not end so long as they have a \npatient that came in and was tracked with paper records. That \npatient remains that way. Somehow you have to start them into \nthis new era. You are right, as soon as they get into it, they \nwill probably save money, but that will not help them to buy \nthe computer to get them there.\n    Dr. Borowitz. We are in the process of upgrading our entire \nsystem throughout the University of Virginia health system, and \none of the things we have realized is there is a core data set \nthat most physicians want. It is fairly straightforward \ninformation. It is a problem list; list of allergies, list of \nmedications, list of encounters. Those are things that can be \ncaptured fairly easily and backloaded into a system so you \nstart with value in the system right off the bat.\n    When we brought up our regional immunization registry, one \nof the things we realized is no one would use the system unless \nthere was information already in it. We had to go back and \nbackload, through office charts, 2 years\' worth of data. We \nhired a bunch of high school students to do that. You will have \nto have some data in the system up front for there to be value. \nThere are core data elements that all of us want that would \nprovide for a lot of the needs we have.\n    Dr. Birge. I would also have two suggestions, and I think \nyou stated it earlier, but in the for-profit sector you could \ndo things from a tax standpoint which could be advantageous. 
\nAnd for both the for-profit and not-for-profit sectors, this is \na plea, but the requirements of various agencies, governments, \ninsurers are so onerous and so expensive that if you took just \n20 percent of that away, there would be a lot of money left \nover to work with information systems.\n    Mr. Becerra. OK. Let me provide, if I may, a couple of \nother questions that I hope can be responded to quickly. I know \nI do not have much time.\n    Mr. Sloane, you mentioned that access to information on \nthis data base that you have is limited to level of user, or I \nguess you mentioned different levels, the user levels and so \nforth. What gives you access? At what point does someone at the \nhospital or this provider have access to this type of \ninformation on this data base?\n    Mr. Sloane. Well, each user in the system is set up with a \nuser profile. Typically, depending upon the type of position \nthey have, whether or not they are a physician, a physician\'s \nassistant, a nurse practitioner, a file room clerk, or a \nmedical assistant, we can restrict access to certain pieces of \nthe information when we set up their profile. So that within \neach window of the application that you saw, we can set up \nevery user to have either inquiry, add, update or delete \ncapability, or no access to it. So it really is determined by \nthe medical group, on a need-to-know basis, what level of \ninformation a particular user should have access to.\n    Mr. Becerra. So the data entry person--I think Dr. \nBorowitz\' high school students had entered data--how do you \nrestrict access to information if you could have a data entry \nperson be almost anyone?\n    Mr. Sloane. In our circumstance we have data entry people \nwho input information off the encounter tickets. They have \nabsolutely no access to the clinical information system at all. \nThere is not a need to have it, so they do not. They just \ncannot get into the system. 
Their user ID and password do not \nallow them access to the clinical information.\n    Mr. Becerra. One final question, if I may, to anyone on the \npanel. As I asked Dr. Detmer, How do you protect that \nultrasensitive information, the person who has AIDS or the \nperson who has a mental history? How do you protect that, and \nhow do you resolve the dilemma for the person who has had the \ninformation disclosed?\n    Ms. Goldman. Well, I think one of the things Congress is \ntrying to do is to create a standard of protection that allows \npeople to get notice about information practices and make real \nchoices so people can decide what is the most sensitive kind of \ninformation for them.\n    Some people would consider cancer-related information or \nmental health, genetic tests, HIV-related. Everyone has, I \nthink, a different experience, depending upon the encounter, as \nto how much they want to protect it. So I think we can build \nsome flexibility into a Federal policy that allows people to \nmake those choices with their physicians, with their health \ncare providers.\n    And the remedy piece of it, which I think you are asking \nabout, is a very important part. We have seen some of the \nfailure of the existing privacy laws related directly to lack \nof strong enforcement mechanisms or lack of strong remedies. \nRight now the CVS or Giant story may be anecdotal for people \nwho felt violated by that and felt it was an inappropriate \ndisclosure. There are very few remedies available to them.\n    Dr. Birge. I would just add that certainly it is more of a \npolitical call, I am sure, but as far as the doctor in the \ntrenches is concerned, that doctor wants all the information \nthat is available at that time, regardless of sensitivity, so \nthe trick is how to do that. 
And I would again toss out the \nexample you have heard, on the one side the privacy issue which \nis very, very important, but on the other hand you could have \nextremely adverse outcomes all the way up to death simply \nbecause you did not know something that you should have known, \nand the family is going to be very upset at that unfortunate \noutcome.\n    Mr. Becerra. Thank you. Thank you, Mr. Chairman.\n    Chairman Thomas. Of course, our ongoing concern is that we \ndo collect that data, and it just seems to me we fought the \nbattle on preventive care and finally won by spending the \nmoney.\n    Maybe we talk about rewarding those who provide us data in \nthe usable form to move toward that outcome. They get rewarded \nin some way in the system, and those that do not, do not, which \nwould get us the base level of data out there faster than would \notherwise be the case.\n    What I find is a bit of an anomaly. You walk into a \ndoctor\'s office and behind you are these shelves of individual \nmanila folders with patient histories, but if you give them \nyour credit card, they go to a computer and the billing is all \ncomputerized. It is the mental set of not computerizing the \nrecords because they have the hardware in the office. Perhaps \nwe need to push software development.\n    But, clearly, if there was a reward for putting it in a \nparticular form, I imagine the private sector software would be \nout there quickly, or some entrepreneurial doctor like Dr. \nBorowitz will have something on the market that has already \nbeen pretested at the University of Virginia.\n    But I want to thank all of you very much. This is an \nimportant area, and we are going to continue to rely on you to \nassist us. We do not want to legislate by anecdote and do not \nwant to make mistakes that have to be corrected, but it is an \narea we will have to move in fairly quickly.\n    Thank you very much.\n    I would call today\'s final panel, then: Dr. 
Sherine \nGabriel, associate professor of medicine and epidemiology at \nthe Mayo Clinic, Rochester, Minnesota; and Dr. Harry A. Guess, \nwho is head of the epidemiology department of the Merck \nResearch Laboratories.\n    I would indicate to both of you that any written statement \nyou have will be made a part of the record, and you can address \nus as you see fit, in any way you choose.\n    As soon as we move this cutting-edge technology stuff out \nof the way, Dr. Gabriel, you may begin.\n\n    STATEMENT OF SHERINE E. GABRIEL, M.D., M.SC., ASSOCIATE \n     PROFESSOR OF MEDICINE AND EPIDEMIOLOGY, MAYO CLINIC,  \n                     ROCHESTER,  MINNESOTA\n\n    Dr. Gabriel. Thank you. Chairman Thomas, Members of----\n    Chairman Thomas. I will also indicate to you, Dr. Gabriel, \nthat the microphone is very unidirectional. You will have to \npull it down and speak directly into it.\n    Dr. Gabriel. Is this better?\n    Chairman Thomas and Members of the Subcommittee, I am Dr. \nSherine Gabriel, a physician and researcher at Mayo Clinic. I \nthank you for the opportunity to testify before you regarding \nthe important issue of medical records confidentiality.\n    What I would like to do today is address two fundamental \nquestions bearing on this issue. The first is, What is the \nimportance of medical-records-based research to the public; and \nthe second is, What is the impact of legislation which \nrestricts access to medical records on this category of \nresearch?\n    I am privileged to work at a world-renowned medical \ninstitution. The Mayo Clinic\'s international reputation as a \ncenter of excellence in medicine and surgery grew out of the \ncommitment of our founders, Drs. Will and Charlie Mayo, to \nintegrate medical research and education with clinical \npractice. 
The Mayo brothers perceived a duty to use information \nfrom medical records to evaluate the outcomes of their care and \nto answer important public health questions and, in 1907, \npioneered the concept of the unit medical record, where medical \ndata on each patient is stored in one self-contained packet \nthat is kept in perpetuity.\n    As you heard earlier from Dr. Borowitz, that is not the \ncase virtually everywhere else in the country, where each \nprovider keeps his or her own personal records about a \nparticular patient.\n    This concept led to the formation of REP, the Rochester \nEpidemiology Project. The REP includes a complete medical \nhistory of nearly all Olmsted County residents from the time \nthey were born or moved to the county until the time they died \nor moved away.\n    The REP is a unique, national research treasury which has \nbeen continuously funded by the National Institutes of Health \nfor over 30 years. It has resulted in more than 1,000 \nscientific publications analyzing dozens of diseases and \nmedical conditions. The central element of the REP is access to \nthe complete medical records of all residents in the \ngeographically defined population.\n    Medical records research is vital to maintaining and \nimproving the health of the American public. In fact, virtually \nevery health hazard we know of today has been identified using \ninformation from medical records. Take AIDS, for example. 
If \nresearchers had not been allowed to study the medical records \nof patients with unusual immune deficiency problems in the late \nseventies, the characterization of the AIDS epidemic would have \nbeen delayed at a substantial cost to the public\'s health.\n    Similarly, the characterization of Lyme disease required \ncollation of information from the medical records of children \nwho were first presented with this new disease in Lyme, \nConnecticut.\n    Other examples include studies examining the benefits and \nrisks of estrogen treatment, as well as the risks of smoking, \ndietary fats, obesity, and certain occupations.\n    You may have read that an outbreak of flesh-eating strep \nwas identified at Mayo in 1995. Without access to the medical \nrecords of patients with these unusual infections, \ncharacterization of this syndrome and isolation of this deadly \nbacterial strain would have been delayed, and over 100 \nschoolchildren, which our research showed were the unwitting \ncarriers of this deadly germ in their throats, would have gone \nuntreated.\n    This discovery led to the designation of invasive strep as \na reportable disease. Such a designation permits recognition \nand control of epidemics such as the recent outbreak you may \nhave heard about in Texas.\n    Medical records research is also critical for evaluating \nthe long-term side effects of drugs, the safety of medical \ndevices or procedures, the cost effectiveness of alternative \nmedical practices, and the usefulness of diagnostic tests. Let \nme give you an example or two in these categories.\n    Long-term side effects. Nonsteroidal anti-inflammatory \ndrugs, like Advil or Naprosyn, were on the market for decades \nbefore medical records research determined these drugs were \nassociated with a higher risk of death due to peptic ulcer \ndisease, particularly in the elderly. 
This work led to the \ndevelopment of a new class of nonsteroidal anti-inflammatory \ndrugs, soon to be released, which promise a much lower risk of \nthese side effects.\n    Clinical information for medical records is critical to \nstudies on the safety of medical devices or procedures. For \nexample, studies examining the risk of breast implants.\n    The cost effectiveness of alternative medical practices \ncould not be established without clinical information from \nmedical records. For example, it was medical-records-based \nresearch which determined that a 3-day course of in-hospital \nbed rest for people with acute low-back pain was just as \neffective and far less costly as the standard of care at that \ntime of about a 10-day hospital stay.\n    Finally, it was medical-records-based research at Mayo that \nled to the discovery of the serious side effects of the diet \ndrug Fen-Phen and its eventual removal from the market.\n    Every medical advance I have mentioned in the last few \nminutes relied heavily on information from patients\' medical \nrecords. Without access to this rich source of clinical \ninformation, many of these advances and countless others would \nnot have occurred.\n    Let me turn quickly to my second question, What is the----\n    Chairman Thomas. The light is a guide, Doctor, it is not an \nabsolute necessity.\n    Dr. Gabriel. Good. In scientific podiums, there is actually \na trap door; and so when the red light goes on, the trap door \nopens.\n    Chairman Thomas. We have one, too. Sit comfortably for a \nmoment.\n    Dr. Gabriel. What is the impact of legislation which \nrestricts access to medical records on this category of \nresearch?\n    Legislative restrictions limiting access to medical records \nthreaten the very existence of this entire category of medical \nresearch. 
This is because individuals who refuse to authorize \nthe use of their medical records for research purposes are \nsystematically different in important ways from individuals who \ndo.\n    The recent Minnesota privacy law provided us with the \nopportunity to study these differences using a protocol \napproved by our institutional review board. We found that women \nwere more likely to refuse authorization than men; that persons \nunder 60 were more likely to refuse than older individuals; and \npersons with certain underlying illnesses, such as mental \ndisorders, breast cancer, or reproductive problems were also \nmore likely to refuse authorization.\n    That means that studies describing the outcomes of these \ndiseases or the effectiveness or cost effectiveness of \ntreatments excluding these individuals would be biased. They \nwould simply give us the wrong answer. Moreover, studies \nfocusing on these conditions--diseases of women, mental \ndisorders, conditions related to reproduction--would be at even \ngreater risk for incorrect results; and this, in turn, might \nhamper advances against these important problems.\n    Finally, while our research was clear on the point that \nindividuals who refuse authorization are systematically \ndifferent from those who do not, the direction and magnitude of \nthose differences varied from topic to topic. Whereas, you \nheard the overall average was 4 percent, it varied widely. So \nnot only may such research results result in the wrong answers, \nbut it will be impossible to determine at the outset how wrong \nthey will be or in what direction. Thus, the reliability and \nvalidity of findings from such research will be suspect.\n    Let me illustrate this problem using an example. A study of \ndepression following breast cancer would underestimate the \nmagnitude of the problem if depressed women systematically \ndeclined authorization and were thereby excluded. 
Individuals \nwho experience unsatisfactory outcomes may also be more likely \nto refuse authorization. If so, a study of a surgical treatment \nwith a high complication rate would underestimate the risks of \nsurgery.\n    Data such as these form the basis of health care policies, \nso the examples above could lead to a decision against funding \na mental health program to treat depression in women with \nbreast cancer and to a decision to adopt a high risk surgical \nintervention. Patients need accurate information about health \nrisks, disease prognosis, and outcomes of care in order to make \ninformed decisions.\n    In closing, I would like to comment briefly on what I \nbelieve the reasons are behind the public\'s strong desire to \nkeep medical information between the patient and his or her \nphysician.\n    Our research showed that a major concern related to the \npossibility that insurers or employers might use sensitive \ninformation to an individual\'s disadvantage. This concern is \nunderstandable. Although access to medical records for research \npurposes may be the only access over which the patient is given \nany choice, there are literally dozens of other opportunities \nfor loss of confidentiality during routine medical care.\n    For example, in an average outpatient medical encounter in \nan integrated health care center, such as ours, the following \nindividuals and groups must have access to the complete medical \nrecord in order to best serve that patient\'s needs: the \nappointment office, the registration desk, the physicians, \nphysician assistants, nurses, EKG, lab, x-ray technicians who \nperform the necessary tests, and so forth.\n    In fact, for a typical inpatient encounter, it has been \nestimated that at least 75 health professionals and hospital \npersonnel have access to the medical record. 
After all this is \ntaken care of, a qualified nurse researcher, bound by the rules \nof an IRB and strict patient confidentiality regulations, could \nbe abstracting clinical data from the medical record which will \nbe combined with similar data from hundreds of other patients \nto answer a specific public health question. The current \nMinnesota law and other proposed legislation influence only \nthat nurse\'s access to the medical records and have no impact \nwhatsoever on the 75 other points of access.\n    Mr. Chairman, such legislation does not ensure the privacy \nof personal medical information. It does not address the \npublic\'s concerns regarding potential misuse of personal health \ninformation by insurers and employers. Instead, it hinders \nscientific research and puts the public\'s health and well-being \nat risk for serious harm.\n    Thank you for your attention.\n    [The prepared statement follows:]\n\nStatement of Sherine E. Gabriel, M.D., M.SC., Associate Professor of \nMedicine and Epidemiology, Mayo Clinic, Rochester, Minnesota\n\n    Chairman Thomas, members of the committee, I am Dr. Sherine \nGabriel, a physician and researcher at Mayo Clinic. Thank you \nfor the opportunity to testify before you regarding the \nimportant issue of medical records confidentiality.\n    Today, I would like to discuss two fundamental questions \nbearing on this issue. The first is: What is the importance of \nmedical records-based research to the public? And the second \nis: What is the impact of legislation, which restricts access \nto medical records, on this category of research?\n    I am privileged to work at a world-renowned medical \ninstitution. Mayo Clinic\'s international reputation as a center \nof excellence in medicine and surgery grew out of the \ncommitment of our founders, Drs. Will and Charlie Mayo to \nintegrate medical research and education with clinical \npractice. 
The Mayo brothers perceived a duty to use information \nfrom medical records to evaluate the outcomes of their care and \nto answer important public health questions and, in 1907, \npioneered the concept of the ``unit medical record\'\' where \nmedical data on each patient is stored in one self-contained \npacket that is kept in perpetuity. This concept led to the \nformation of the Rochester Epidemiology Project (REP) (See \nAppendix). The REP includes a complete medical history of \nvirtually all Olmsted County residents from the time they were \nborn or moved to the county until the time they died or moved \naway. The REP is a unique, national research resource, which \nhas been continuously funded by the National Institutes of \nHealth for over 3 decades. It has resulted in over 1000 \nscientific publications analyzing dozens of diseases and \nmedical conditions, and was ranked in the top 1% of all NIH \nproposals in 1995. The central element of the REP is access to \nthe complete medical records of all residents of a \ngeographically-defined population.\n    Medical records research is vital to maintaining and \nimproving the health of the American public. In fact, virtually \nevery health hazard that we know of today has been identified \nusing information from medical records. Take AIDS, for example. \nIf researchers had not been allowed to study the medical \nrecords of patients with unusual immune deficiency problems in \nthe late 1970\'s, the characterization of the AIDS epidemic \nwould have been delayed at a substantial cost to the public\'s \nhealth. Similarly, the characterization of Lyme disease \nrequired collation of information from the medical records of \nthe children who first presented with this new disease in Lyme, \nConnecticut. Other examples include studies examining the \nbenefits and risks of estrogen treatment, as well as the health \nrisks of smoking, dietary fats, obesity, and certain \noccupations. 
You may have read that an outbreak of \'flesh \neating strep\' was identified at Mayo in 1995. Without access to \nthe medical records of patients with these unusual infections, \ncharacterization of this syndrome and isolation of this deadly \nbacterial strain would have been delayed. And over one hundred \nschool children--which our research showed were the unwitting \ncarriers of this deadly germ in their throats--would have gone \nuntreated. This discovery led to the designation of invasive \nstrep as a reportable disease. Such a designation permits \nearlier recognition and control of epidemics such as the recent \noutbreak in Texas.\n    Medical records research is also critical for evaluating \nthe long-term side effects of drugs, the safety of medical \ndevices or procedures, the cost effectiveness of alternative \nmedical practices, and the usefulness of diagnostic tests. Let \nme give you an example or two in each of these categories. \nLong-term drug side effects: Non-steroidal anti-inflammatory \ndrugs (those are drugs like Advil or Naprosyn) were on the \nmarket for decades before medical records-based research \ndetermined that these drugs were associated with higher risk of \ndeath due to peptic ulcer disease, especially in the elderly. \nThis work has led to the development of a new class of non-\nsteroidal anti-inflammatory drugs (soon to be released) which \npromise a much lower risk of these side effects. Clinical \ninformation from medical records is critical to studies on the \nsafety of medical devices or procedures, for example, studies \nexamining the risks of breast implants. The cost effectiveness \nof alternative medical practices could not be established \nwithout clinical information from medical records. 
For example, \nit was medical records-based research which determined that a \n3-day course of in-hospital bedrest for acute low back pain was \njust as effective and far less costly as the standard of care \nat that time--a 10-day in-hospital course. Finally, it was \nmedical records-based research at Mayo that led to the \ndiscovery of the serious side effects of the diet drug Fen-Phen \nand its eventual removal from the market.\n    Every medical advance I have mentioned in the last few \nminutes has relied heavily on information from patients\' \nmedical records. Without access to this rich source of clinical \ninformation, many of these advances would not have occurred.\n    I\'d like to turn now to the second question: What is the \nimpact of legislation which restricts access to medical records \non this category of research? Legislative restrictions limiting \naccess to medical records threaten the very existence of this \nentire category of medical research. This is because \nindividuals who refuse to authorize the use of their medical \nrecords for research purposes are systematically different in \nimportant ways from individuals who do. The recent MN privacy \nlaw provided us with the opportunity to study these differences \nusing a protocol approved by our Institutional Review Board \n(IRB). We found that women were more likely to refuse \nauthorization than men, that persons under 60 were more likely \nto refuse than older individuals, and that persons with certain \nunderlying illnesses such as mental disorders, breast cancer, \nand reproductive problems, were also more likely to refuse \nauthorization. Studies describing the outcomes of diseases, or \nthe effectiveness or cost-effectiveness of treatments which \nexclude such individuals, would be biased--they would give us \nthe wrong answer. 
Moreover, studies focusing on these \nconditions, i.e., diseases of women, mental disorders, and \nconditions related to reproduction would be at greater risk for \nincorrect results and this, in turn, might hamper advances \nagainst these important problems. Finally, while our research \nwas clear on the point that individuals who refuse \nauthorization are systematically different from those who do \nnot refuse, the direction and magnitude of those differences \nvaried from topic to topic and, thus, are completely \nunpredictable. So not only may such research result in the \nwrong answers, but it will be impossible to determine how wrong \nthey are, or in what direction. Thus, the reliability and \nvalidity of findings from such research will be suspect.\n    Let me illustrate this problem using a couple of examples. \nA study of depression following breast cancer would \nunderestimate the magnitude of this problem if depressed women \nsystematically declined authorization and were thereby excluded. \nIndividuals who experience unsatisfactory outcomes may also be \nmore likely to refuse authorization. If so, a study of a \nsurgical treatment with a high complication rate would \nunderestimate the risks of surgery. Data such as these form the \nbasis of health care policies. So, the examples above could \nlead to a decision against funding a mental health program to \ntreat depression in women with breast cancer and to a decision \nto adopt a high risk surgical treatment.\n    Patients need accurate information about health risks, \ndisease prognosis, and outcomes of care in order to make \ninformed decisions about their own medical care. Health care \npolicy makers need high quality data on the costs and outcomes \nof care provided to all patients (not just a select group) in \norder to make responsible health care decisions for the \npopulation as a whole. 
The inclusion of all qualifying \nindividuals is the only way to assure that accurate conclusions \nare drawn about the prognosis of disease, the outcomes of \ntherapy, or the quality of care. Such research can be done \nwhile taking appropriate measures for maintaining patient \nconfidentiality, such as careful review and oversight by \nInstitutional Review Boards and strict adherence to procedures \nrestricting access to patient-specific medical information.\n    In closing, I would like to comment briefly on the reasons \nbehind the public\'s strong desire to keep personal medical \ninformation between the patient and his/her physician. Our \nresearch showed that a major concern related to the possibility \nthat insurers or employers might use sensitive medical \ninformation to an individual\'s disadvantage. I understand this \nconcern. Although access to medical records for research \npurposes may be the only access over which the patient is given \nany choice, there are dozens of other opportunities for loss of \nconfidentiality during routine clinical care. For example, in \nan average outpatient medical encounter in an integrated \nmedical center such as ours, the following individuals and \ngroups must have access to a patient\'s complete medical record \nin order to best serve that patient\'s needs: the appointment \noffice, the registration desk, all physicians, physician \nassistants, and nurses who provide care for the patient, as \nwell as their receptionists and secretaries, all laboratory, \nmedical, nursing and other students and their mentors, EKG, and \nx-ray technicians who perform the necessary tests, infection \ncontrol officers who regularly survey medical records for \nreportable diseases, continuous improvement officers who strive \nto improve our health care processes and ensure patient \nsatisfaction, the business office for billing, the legal \ndepartment, and insurers and other third party payers. 
In fact, \nfor a typical inpatient encounter, it has been estimated that \nat least 75 health professionals and hospital personnel have \naccess to a patient medical record.1 After all this is taken \ncare of, a qualified nurse researcher, bound by rules of an IRB \nand strict patient confidentiality regulations, could be \nabstracting clinical data from the medical record which will be \ncombined with similar data from hundreds of other patients to \nanswer a specific public health question. The current Minnesota \nlaw and other proposed legislation influence only that nurse\'s \naccess to the medical record and have no impact, whatsoever, on \nany of the other points of access. Mr. Chairman, such \nlegislation does not ensure privacy of personal medical \ninformation and does not address the public\'s concerns \nregarding potential misuse of personal health information by \ninsurers and employers. Instead, it hinders scientific research \nand puts the public\'s health and well-being at risk for serious \nharm. Your attention should be focused instead on stopping the \nactual abuses of medical record information that harm \npatients.\n    Thank you for your attention.\n      \n\n    Chairman Thomas. Thank you very much, Dr. Gabriel.\n    Dr. Guess.\n\n STATEMENT OF HARRY A. GUESS, M.D., PH.D., HEAD, EPIDEMIOLOGY \n      DEPARTMENT, MERCK RESEARCH LABORATORIES, BLUE BELL, \n   PENNSYLVANIA; ON BEHALF OF MERCK & CO., INC., WHITEHOUSE \n                      STATION, NEW JERSEY\n\n    Dr. Guess. Mr. Chairman and Members of the Subcommittee, \nthank you for the opportunity to speak with you today on the \nimportant issue of protecting the confidentiality of the \npatient medical record. 
I am Harry Guess, pediatrician, \nepidemiologist, and head of the epidemiology department at \nMerck Research Labs, a division of Merck and Co., a global, \nresearch-based pharmaceutical company.\n    As a physician, I took an oath to protect patients\' \nconfidentiality, and we at Merck support the efforts to protect \nthe confidentiality of patient-identifiable medical \ninformation. At the same time, care must be taken not to \ninadvertently harm the interests of patients by unnecessarily \nrestricting the access of medical information for medical \nresearch.\n    As you consider the confidential standards for medical \ninformation, I hope you will appreciate how essential medical \ninformation and medical records research are to maintaining and \nimproving the health of the American people. To ensure that any \nlegislation or regulations do not jeopardize biomedical \nresearch, we believe the following four guides should be \nfollowed:\n    First, legislation should exempt clinical research that is \nalready subject to regulation by FDA, the Food and Drug \nAdministration. This type of research is already stringently \nregulated by FDA, and there is strong confidentiality \nprotection for subjects in such research studies.\n    Second, that legislation would not restrict the use of \nencrypted or anonymized data. The use of these coded records is \ncritical to medical research and allows, for example, \nresearchers to link encrypted information from several \ndifferent sources, while ensuring the patients themselves \nremain unidentified.\n    Third, the legislation should not discourage collecting and \nmaintaining information necessary to monitor the safety and \neffectiveness of products that had been approved by the FDA or \nby foreign regulatory agencies.\n    Finally, any national standards should preempt conflicting \nor inconsistent State laws concerning confidentiality. 
To allow \nStates to add more stringent provisions would risk creating an \ninconsistent patchwork of requirements that could jeopardize \nbiomedical research. You have already heard about that this \nmorning, very eloquently, from Dr. Gabriel.\n    Let me give you one example of how regulation of medical \ninformation could inadvertently impede the conduct of research \nthat is important to ensuring the safety of medicines.\n    In 1995 Merck received FDA approval of our chicken pox \nvaccine. Despite decades of testing in thousands of children, \nyou never really can be sure of what rare yet important safety \nissues can be found once a medicine or a vaccine is \nincorporated into broad clinical use. To provide this level of \nreassurance, we undertook a study in more than 85,000 children \nto provide further information on the safety of the vaccine \nunder conditions of clinical practice. We conducted the study \nwith pediatricians at the Kaiser Permanente Medical Care \nProgram of Northern California.\n    The children received the vaccine, with parental consent, \nas part of their regular medical care. A computer-based search \nwas performed of the medical records of the children receiving \nthe vaccine and of a historical age-matched comparison group of \nchildren who had not received the vaccine. The information we \nreceived was encrypted so that Merck did not have any patient-\nidentifiable data. 
The only people with patient-identifiable \ndata were the pediatricians and their staff at Kaiser.\n    This study provided valuable reassurance about vaccine \nsafety under conditions of broad use in clinical practice and \nmight have been impossible to conduct if it had been required \nto obtain specific informed consent for the medical records \nsearch from all of the parents of the vaccinated children and \nfrom the historical comparison group.\n    This is just one of many examples of medical records \nresearch benefiting public health in a way that safeguards the \npatient-identifiable information.\n    I thank you once again for the opportunity to express our \nviews on this important topic. We at Merck believe that the \nconfidentiality of patient-identifiable medical information \nshould be protected. We also believe this can be accomplished \nwithout jeopardizing either biomedical research or the \nimprovements in health care resulting from the research.\n    Thank you very much.\n    [The prepared statement follows:]\n\nStatement of Harry A. Guess, M.D., Ph.D. Head, Epidemiology Department, \nMerck Research Laboratories, Blue Bell, Pennsylvania; On Behalf of \nMerck & Co., Inc., Whitehouse Station, New Jersey\n\n                            I. Introduction\n\n    Mr. Chairman, and distinguished members of the Committee, \nthank you for the opportunity to speak before you today on the \nimportant issue of protecting the confidentiality of patient \nmedical information. I am Dr. Harry Guess, and I lead the \nEpidemiology department of Merck Research Laboratories, a \ndivision of Merck & Co., Inc. 
Headquartered in Whitehouse \nStation, New Jersey, Merck is a global, research-driven \npharmaceutical company that discovers, develops, manufactures \nand markets a broad range of human and animal health products--\nboth directly and through its joint ventures--and provides \npharmaceutical benefit services through Merck-Medco Managed \nCare.\n    The Epidemiology department at Merck is responsible for \nproviding information on diseases to support clinical trials of \nnew drugs or vaccines, and for conducting studies to help \nevaluate the safety of drugs and vaccines after approval. This \nwork frequently involves collaboration with health care \nproviders to study the safety of drugs and vaccines as they are \nused in clinical practice. I have also served as an external \nreviewer of research proposals submitted by managed care \norganizations to the US Food and Drug Administration (FDA) and \nthe Centers for Disease Control (CDC) to conduct government-\nfunded studies of drug and vaccine safety. I am also an Adjunct \nProfessor of Epidemiology and Biostatistics at the School of \nPublic Health at the University of North Carolina at Chapel \nHill, where I teach epidemiology to graduate students.\n    The purpose of my testimony today is to describe for you \nhow important access to and the use of patient medical \ninformation are to medical research. 
I will (1) describe for \nyou the manner in which we conduct various types of clinical \nand epidemiological research at Merck and monitor the safety of \nour marketed products, (2) talk about the types of medical \ninformation that we use to conduct that research, and (3) \noutline some general principles regarding patient \nconfidentiality that we think are key to appropriate \nlegislation in this area.\n    Let me begin by emphasizing that we at Merck support \nefforts to protect the confidentiality of patient-identifiable \nmedical information, particularly in light of developments in \nthe area of information technology that have raised questions \nabout levels of individual privacy. All of us are patients \nourselves and we certainly recognize the need for protection of \nprivacy. However, from a public health standpoint, we are \nconcerned about simultaneously preserving necessary access to \nsuch data for research into new medicines that can cure or \nprevent disease. In protecting patients\' privacy interests, we \nmust be careful not to inadvertently harm the interests of \nindividual patients by unnecessarily restricting access to \ninformation needed to determine the safety and effectiveness of \nmedical treatments, assess the usefulness of diagnostic tests, \nidentify disease risk factors, and monitor the cost-\neffectiveness of new interventions. Such research is needed to \ncontinue to be able to provide the American people with health \ncare that meets high standards of safety, effectiveness, and \ncost-effectiveness. The key to an appropriate legislative \nsolution is to recognize and protect all of those interests.\n    Innovations in medicine are revolutionizing health care \nresearch, as the molecular basis of human disease is revealed. 
\nIn the past 50 years, medical science has rid the world of \nsmallpox; drastically reduced the incidence of many childhood \ndiseases such as diphtheria, tetanus, polio, measles, whooping \ncough, and rheumatic fever; and discovered highly effective \ntreatments for many chronic diseases such as asthma, peptic \nulcer disease, coronary heart disease, hypertension, diabetes, \nand osteoporosis. When I trained in Pediatrics nearly twenty \nyears ago, Haemophilus influenzae type b was the most common \nform of bacterial meningitis among children in the United \nStates, affecting nearly one in every two hundred children. \nOver the past ten years, the incidence of this devastating \ndisease has been reduced nationwide by more than 95% by the \nintroduction of vaccines.\n    Given this track record of achievement, the public has come \nto expect a steady stream of innovations in treatment and \nprevention from the research-based pharmaceutical and \nbiotechnology industries. In fact, our domestic research-based \ncompanies now discover and develop more than half of the new \nmedicines used in the United States and around the world. \nMerck, for example, has introduced nine important medicines in \njust the last three years, including CRIXIVAN® for \nHIV/AIDS, FOSAMAX® for osteoporosis, and \nSINGULAIR® for asthma in patients as young as six \nyears old, and we are now conducting the research necessary to \ndevelop new medicines and vaccines to help patients around the \nworld. Our investment in research will also allow us to enter \nnine new therapeutic areas by the year 2002, raising our total \nto 24--the broadest in the industry.\n    Continued progress of this magnitude clearly depends on \nbroad, multi-faceted research. 
This includes both basic \nresearch in chemistry, molecular biology, genetics, and \npharmacology, which allows us to understand disease processes \nand identify the right compounds to combat the disease, and \nclinical research to evaluate the safety and efficacy of \npotential new medicines and vaccines. Finally, large-scale \nepidemiologic and health services research studies are needed \nto help us design new clinical trials and to monitor how well \ntreatments work in clinical practice. For example, \nepidemiologic research helped show us that while aspirin can \nreduce the risk of heart attacks in adults, it can cause a \nserious life-threatening illness called Reye\'s syndrome when \nadministered to children with chickenpox or influenza. Reye\'s \nsyndrome has been almost completely eliminated as a result of \nthis discovery.\n    With that general background in mind, we would like to \npropose the following four principles, to help guide \nlegislation on confidentiality of medical information. I will \nfirst outline the principles, then discuss the types and use of \npatient information used in medical research and safety \nmonitoring, and finally discuss each of the principles in more \ndetail.\n    (1) Clinical research that is subject to regulation by the \nFood and Drug Administration should be exempted from any new \nconfidentiality requirements because this research is already \nsubject to strict confidentiality protections;\n    (2) Only information that directly identifies an individual \nshould be subject to confidentiality requirements; use of \nanonymized, encrypted or encoded data should be excluded from \nrestrictions on access;\n    (3) Legislation should not inhibit the collection and \nmaintenance of information to monitor or verify the safety and \nefficacy of approved products; and\n    (4) There must be uniform national standards that preempt \nconflicting or inconsistent state laws.\n\n     II. 
Background--Different Types of Patient Medical Information\n\n    Before I describe the various ways or settings in which \npharmaceutical researchers use patient medical information, I \nthink it would be useful to explain the three different types \nof patient information that we use. First, and most pertinent \nto our discussion of confidentiality, is information that \ndirectly identifies individuals, by providing a name or \naddress, for example. For purposes of our discussion today, \nI\'ll refer to this type of information as ``patient-\nidentifiable\'\' information.\n    The second type of information is referred to as \n``encoded\'\' or ``encrypted\'\' information. In my testimony \ntoday, I will use the term ``encrypted.\'\' This type of \ninformation is patient-identifiable information from which \npersonal identifiers and means of directly contacting the \nindividual (such as name, address, and social security number) \nhave been replaced with a code, which is often in the form of a \nlong number. The identity of such an individual is not apparent \nfrom the information itself or from the code, but may be \ndetermined by use of the encryption key. Encryption keys have \ntwo important functions. One is to permit the keyholder to \nidentify the patient in the event that this becomes necessary--\nfor example if a safety problem is discovered that requires \nnotifying the patient. The second function is to be able to \n``link\'\' one data set with another data set on the same \npatients without having to reveal patient identities. For \nexample, a study may provide information on a group of patients \nwho receive medical evaluations at yearly intervals. By linking \ntogether all of the visits on each patient, one may evaluate \nchanges in medical conditions over time without having to \nreveal any patient-identifying information. 
One may also link \nencrypted information from pharmacy files to encrypted \ninformation from hospitalization records in such a way as to \nstudy the safety and effectiveness of drugs in very large \npopulations without revealing any patient-identifying \ninformation. Essentially all patient information used in the \nresearch that I do is in an encrypted format, and the linking \nmechanisms allow for information about an individual contained \nin two or more data sets to be combined without revealing the \nidentity of any individuals.\n    The third type of information I will refer to as \n``anonymized,\'\' which means information from which all personal \nidentifiers have been removed, and/or information that has been \naggregated in such a manner that the identities of individuals \nwho are the subjects of the information cannot be identified \nunder any circumstances. There would be no means to identify \nindividuals, dis-aggregate or link this information to other \ndata sets containing information about such individuals by use \nof a code or a key. Information that is anonymized in this \nfashion is generally much less useful for research than is \nencrypted data because it may lack the detail that is required \nfor meaningful or sophisticated analyses. Also, with anonymized \ndata it would never be possible for anyone to notify the \nsubjects if a safety problem were discovered or if it became \nhighly important to obtain additional information. \nNevertheless, we do use such anonymized information in certain \nspecific areas of research, which I will discuss in more detail \nbelow.\n    It is important to keep the differences between these types \nof patient information in mind, because concerns about privacy \nare different with information that is encrypted or anonymized \nthan they are with patient-identifiable information.\n\n          III. 
Use of Medical Information--In Clinical Trials\n\n    Now I would like to describe for you some of the ways in \nwhich pharmaceutical researchers use these different types of \ninformation, and how patients\' confidentiality interests are \nprotected. I would like to begin with a brief overview of the \nclinical drug development process, and the roles that FDA and \nInstitutional Review Boards (IRBs) play in that process.\n    Before testing any new drug in humans, a sponsor such as \nMerck must run a potential new drug candidate through \ncomprehensive animal pharmacology and toxicology studies. With \nthose and other pertinent data in hand, the sponsor files an \nInvestigational New Drug application, or IND, with the FDA. The \nagency has a fixed period of time to evaluate the IND \napplication and notify the sponsor if the agency judges the \napplication not to be sufficient to justify undertaking human \nclinical trials. Upon completion of the FDA review of the IND, \nthe sponsor begins the clinical study program.\n    The clinical program is designed to demonstrate the \ninvestigational drug\'s safety and efficacy in treating, \npreventing or diagnosing a disease or condition in humans. It \nis the most time-consuming and resource-intensive segment of \nthe drug development process, including third party clinical \ninvestigators, institutional review boards (IRB\'s), FDA \nregulation and involvement, and, in many cases, thousands of \nstudy subjects, or individual patients. Today the process is \nmade even more complex because companies such as Merck \ngenerally seek approval of new drugs not only in the United \nStates but in many foreign countries. Consequently, such trials \nare subject not only to FDA regulations but also to regulations \nby many foreign regulatory agencies. 
Safety reports must be \nfiled with these agencies and different agencies may require \ndiffering types of studies to evaluate efficacy.\n    While the design of clinical trials will vary from drug to \ndrug and from disease state to disease state, there are some \ngeneral similarities in their typical overall structure, or \n``phases\'\' of development. This phased approach allows \nresearchers to build upon information and knowledge generated \nduring the preceding phases as they broaden their study of the \ndrug.\n    ``Phase 1\'\' studies are designed primarily to assess the \nclinical safety of the drug in humans, and to determine whether \nthe compound is sufficiently safe to be studied further in \nhumans. These studies usually involve a limited number \n(approximately 20 to 80) normal healthy adults, who can be kept \nunder close medical observation and monitoring for a short \nperiod of time.\n    If the data generated during the Phase 1 studies are \nacceptable, the sponsor can begin ``Phase 2\'\' studies, which \nare intended to demonstrate (1) the drug\'s efficacy in treating \nthe disease or condition in humans, and (2) common or short-\nterm adverse effects and risks that might be associated with \nthe use of the drug. Phase 2 studies may also help establish \nthe most appropriate dose of a drug. Such studies may involve \nup to several hundred patients, who are treated under \nconditions of close medical observation and monitoring.\n    In ``Phase 3\'\' trials, the number of patients participating \nexpands significantly (involving several hundred to several \nthousand subjects) in order to study the drug\'s use in \nconditions that more closely resemble those that would exist \nafter approval. The study group should be adequately \nrepresentative in order to allow the generalization of the \nresults to the population at large. 
Depending on the disease or \ncondition being studied, study subjects can generally be \ntreated on an outpatient basis, and medical monitoring is \nusually less strict than during the earlier phases. Phase 3 \nstudies intended to provide the evidence of efficacy necessary \nfor drug approval must typically meet four criteria: they \nshould be (1) controlled (one group receives the \ninvestigational drug and another group receives either a \nplacebo or an active drug known to be efficacious), (2) double-\nblind (neither study subjects nor investigators know which \npatient is receiving which therapy), (3) randomized (study \nsubjects randomly assigned to treatment groups), and (4) of \nsufficient size to provide a statistically sound test of \nefficacy.\n    All of these clinical studies are subject to extensive FDA \nregulations, including protection of patient confidentiality \nand the requirement that an IRB approve the studies before they \ncan be initiated. The IRB\'s primary function is to minimize \nrisks to the subjects, and to assure that the subjects are \nadequately informed about the trial and their treatment. The \nregulations require that the IRB be sufficiently qualified \nthrough the experience and expertise of its members to promote \nand to safeguard the rights and welfare of study participants. \nThe IRB has five members, each appointed by the institution \ninvolved, such as the hospital or academic institution at which \nthe study is being conducted. Race, gender, cultural \nbackgrounds, and sensitivity to community issues may be \nconsidered in appointing members. The IRB must include \nindividuals with the necessary expertise and professional \ncompetence to review proposed research for compatibility with \ninstitutional commitments and regulations, applicable law, and \nstandards of professional conduct and practice, and should \ninclude both women and men as members. Its members may not \nconsist entirely of members of one profession. 
At least one \nmember must have scientific expertise, usually a physician, and \nat least one member must have a primary interest in non-\nscientific areas. One member must not be affiliated with the \ninstitution or have an immediate family member who is \naffiliated with the institution; that person is often a member \nof the clergy or other representative of the broader community.\n    The IRB reviews the study protocol, and is authorized to \nrequire changes to the protocol if necessary. The IRB weighs \nthe potential risks to the patients versus the potential \nbenefits. To approve a research study, the IRB must determine \nthat the study meets seven criteria specified in FDA \nregulations, including, ``where appropriate, [that] there are \nadequate provisions to protect the privacy of subjects and to \nmaintain the confidentiality of data.\'\'\n    FDA regulations also require that no humans may be subjects \nin FDA-regulated research unless the investigator has obtained \nthe ``legally effective informed consent of the subject or the \nsubject\'s legally authorized representative.\'\' To obtain a \nsubject\'s ``informed consent,\'\' the regulations specify that \ninformation regarding eight basic elements must be provided to \nthe subject, and six additional elements should be discussed \n``when appropriate.\'\' One of the mandatory elements is a \nstatement that describes the extent to which confidentiality of \npatient records will be maintained, and notes the possibility \nthat the Food and Drug Administration may inspect the records, \nincluding patient-identifiable information. The regulations \nalso require that the subject\'s informed consent be documented, \nusing an IRB-approved written consent form signed by the \nsubject or his or her legal representative. 
The IRB reviews the \npatient informed consent forms, and may require revisions to \nstrengthen or clarify them if needed.\n    The clinical investigator--the physician who is actually \nworking with the study subjects--keeps patient-identifiable \ninformation for all of the study subjects, just as any treating \nphysician would. This is critical to the investigator\'s ability \nto provide follow-up care to these patients, and to be able to \ncontact them, if necessary, if some safety issue should arise. \nThe study sponsor, such as Merck, receives only encrypted data \nfrom the investigator.\n    Thus, in a clinical trial program, the study subjects have \nexpressly consented to the researchers\' use of their medical \ninformation. The IRB assures that there are adequate provisions \nin place to protect patients\' confidentiality and the privacy \nof their data. We do not believe that there is any need to \nrequire any further protections in this area.\n    You may hear some mention of the ``Common Rule\'\' in \ndiscussions about confidentiality in research projects, and I \nwant to explain the connection between the Common Rule and the \nFDA regulations I talked about before. The Common Rule refers \nto the common standards for the protection of human subjects \ninvolved in research conducted, funded or regulated by 16 \nfederal agencies, including the Department of Health and Human \nServices (DHHS). Those standards were published as a final rule \nin the Federal Register on June 18, 1991. The FDA had \npreviously adopted regulations on the protection of human \nsubjects in research that it regulates, published at 21 CFR \nParts 50 and 56. Those regulations were largely consistent with \nthe principles embodied in the Common Rule. On June 18, 1991, \nthe FDA published a final rule that modified its existing \nregulations to conform them with the Common Rule to the extent \npossible. 
There are some minor variations due to FDA\'s unique \nstatutory mission under the federal Food, Drug & Cosmetic Act. \nHowever, because the DHHS has adopted the Common Rule as \napplicable to all research with human subjects that it \nregulates, funds or conducts, clinical research that is subject \nto FDA regulation is also subject to the Common Rule to the \nextent that the two are not inconsistent. Where the Common Rule \nand the FDA regulations differ, the FDA regulations would \ngovern.\n\nIV. Use of Medical Information in Epidemiological and Outcomes Research\n\n    Generally, epidemiologists study populations to understand \nthe extent, natural course and burden of disease. This \ninformation provides background for the safe and effective use \nof medicines. In contrast to clinical trials (which are \nexperimental), an epidemiologic observational study tracks \npatients in the real world of clinical medicine. It is this \nscience that is used to evaluate the risks and benefits of \nmedications in large numbers of patients in a ``real world \nsetting.\'\' Epidemiologic studies have had a major impact on the \npublic\'s health in general, and on our understanding of the \nrisks and benefits of medications, in particular. For example, \nthese studies documented the relationship between aspirin and \nReye\'s Syndrome in children, and the risk of vaginal cancer in \ndaughters of women who took diethylstilbestrol (DES) while \npregnant. They have also been instrumental in documenting risks \nand benefits of vaccines, oral contraceptives, and a number of \nother widely used medications. Clearly, epidemiologic studies \nare critical to the future of public health.\n    One of Merck\'s sources of data includes information in the \npublic domain. This type of data is encrypted by the agency or \norganization supplying the data, and can be obtained from \nregional, national and international claims-based and survey \ndata. 
Examples include survey data from the National Center for \nHealth Statistics, or Medicare data from the Health Care \nFinance Administration. Public-use data is provided in an \nanonymous or encrypted form in which the user is not able to \nidentify individuals who participated in the survey or study. \nThis information may be used to determine the prevalence of a \ndisease, or incidence of a disease relative to that found among \nusers of an approved drug. We are not alone in our use of these \nimportant databases--the CDC, the National Institutes of Health \n(NIH) and other government institutions utilize these \nregistries to track public health statistics, identify disease \ntrends, and assess the economic impact of new medical and \nsurgical treatments.\n    Although large public-use databases are extremely valuable, \nthey do not provide all of the necessary information needed to \nmake drugs available to patients. Therefore, additional studies \nwhich involve either direct contact with a patient or \ncollection of encrypted medical information are necessary. \nThese studies collect information on what kinds of patients are \nlikely to develop the disease, how well existing treatments \nwork, what the types and rates of complications are, what costs \nand medical care utilization are associated with the disease, \nand what the long-term consequences of the disease are. Such \ninformation is needed to design clinical trials necessary for \ndrug or vaccine approval. We generally conduct such studies in \ncollaboration with managed care organizations, universities, or \nfederal agencies such as the NIH or CDC. We use the data from \nthese sources in encrypted or anonymized aggregate form. 
Within \nthis context, we cannot--nor would we have the desire or need \nto--identify an individual patient who has participated in \nthese types of studies.\n    The information collected in this manner provides \nbackground for new clinical trials and also supports drugs that \nhave been approved for use. This type of research is different \nfrom a clinical trial because it involves analysis of data \nunder conditions of ordinary clinical practice, which can be \ndifferent from the conditions in a clinical trial. The \nadditional risk to the patient in being involved in this type \nof data review is minimal, since we are studying the treatment \nand care provided by the patients\' own physicians and the \nimpact of that treatment on the disease or condition. In \ncontrast to a clinical trial, researchers are not proposing any \nparticular treatment, prescribing any medications or providing \nany medical care. Medical information regarding a medical \ncondition or the patient\'s health status is obtained via \nmedical record review under the direction of the treating \nclinic or facility, or by third party patient interviews. 
In \neither case, Merck receives only data that is encrypted or in \nanonymized aggregate form.\n    In support of clinical trials, these data are used to:\n    • Determine how many patients should be included in \na clinical trial in order to minimize patient risk while \nmaximizing clinical trial results\n    • Provide background on the incidence or prevalence \nof a disease\n    • Provide information on current treatment practices\n    • Aid in determining the appropriate patient \npopulation to include in the trial\n    • Provide data on the usefulness of questionnaires \nto assess safety and quality of life\n    In addition to supporting clinical trials, outcomes and \nepidemiology research is also used to\n    • Identify risk factors for developing a disease\n    • Determine the long-term outcome of a treatment on \ndisease\n    • Identify patient populations who may not be \nreceiving state of the art treatment or therapy\n    • Identify prognostic factors and risks of disease \ncomplications\n    • Determine the impact of a treatment on quality of \nlife\n    • Assess utilization of resources and provide \ninformation on the economic benefits of a treatment\n    The importance of using encrypted patient-level data may be \ndemonstrated by several studies that have impacted the health \nof the public and aided in the development of important drugs. \nFor example, in collaboration with the government of \nSaskatchewan, we used encrypted data on all of the one million \nresidents of that Canadian province to evaluate the risk of \nrare adverse events associated with use of drugs to treat \narthritis in very elderly patients. For the past nine years we \nhave been collaborating with investigators from Mayo Clinic as \nwell as from Japan and Europe to study the long-term course of \nprostate diseases in men. 
This study has contributed numerous \npublications to the medical literature and greatly increased \nmedical knowledge.\n    We are currently conducting an epidemiology study in \nconjunction with a university to determine the prevalence of \nlow bone mineral density, a measure of osteoporosis, in nursing \nhome residents. This study will also determine what factors \npredict hip fracture in these patients. Patients must undergo a \nbone scan and allow the researcher access to their medical \nrecords, but the information gained from studying the records \nof these patients may provide insight into ways we can enhance \nthe quality of life of nursing home residents by preventing hip \nfractures. The university IRB has approved the study, and all \nsubjects have provided informed consent. The university \nresearchers conducting the study provide us only with encrypted \nor anonymized data.\n    In another study, we used clinical trial data combined with \ndata published in the literature to articulate the economic \nvalue of a treatment with CRIXIVAN®, our protease \ninhibitor for the treatment of HIV/AIDS. The clinical trial \ndata was from our original clinical trials conducted before FDA \napproval of the product, and all study subjects had given \ninformed consent to the use of their medical information. We \nsimply re-examined those data in conjunction with the \nadditional published data to simulate the long-term progression \nof the disease. The purpose of the cost-effectiveness model is \nto assist healthcare providers, payors and other decision-\nmakers in determining health, reimbursement, and clinical \npolicies. This model suggests that initiation of therapy with \nCRIXIVAN® alone and in combination with AZT and 3TC \nbefore the first AIDS-defining illness increases survival at a \ncost that is generally accepted by current standards.\n\n     V. 
Post-Approval Safety and Efficacy Monitoring and Reporting\n\n    In its role as the federal agency charged with helping to \nensure the public health and safety relating to the use of drug \nproducts, the FDA has established extensive regulations to \nmonitor the safety of drugs, biologics, and medical devices. \nFDA regulations impose on pharmaceutical companies mandatory \nreporting requirements for adverse experiences associated with \nthe use of drug products in humans. To meet their obligations \nunder this regulatory scheme, manufacturers must have access to \npatient medical information. These regulations contain \nstringent reporting time deadlines and record-keeping \nrequirements that apply to both investigational drugs and \nmarketed products. The purpose of the adverse experience \nreporting regulations and procedures is to support the FDA\'s \nefforts to protect the public safety by providing the agency \nwith information necessary to determine the safety profile of \ninvestigational and marketed drug products.\n    The vitality of this safety reporting system is critical to \nidentifying safety issues in use of marketed products that were \nnot identified in investigational studies. The reporting system \nis used to evaluate the seriousness of potential health \nproblems and to alert the agency and health care community to \ntake appropriate corrective actions.\n    Because of its limited resources, the FDA heavily relies on \nmanufacturers to investigate reports of adverse experiences \nwith their drug products. Manufacturers most often receive such \nreports directly from the treating physician for the patient \ninvolved. Sometimes patients themselves report their own \nadverse events. Whenever a manufacturer receives notice of an \nadverse experience associated with any of its products, the \nmanufacturer is required to investigate the incident and to \nprovide the information to the FDA. 
If additional information \nis not obtainable, a follow-up report is required to explain \nwhat steps were taken to obtain additional information relating \nto the adverse experience and why the information could not be \nobtained. The more detailed information that can be obtained \nabout a particular adverse experience, the better informed the \nmanufacturer, the FDA and the health care community can be \nabout the safety profile of marketed products. By necessity, \nthis requires knowledge about confidential medical record \ninformation. In fact, FDA\'s 1997 Guidance on adverse experience \nreporting specifies that before submitting any adverse \nexperience reports to the FDA, a manufacturer must have four \nspecific pieces of information, including ``an identifiable \npatient.\'\' This does not mean that the reporting physician must \nsupply the manufacturer with the patient\'s name; the reporting \nphysician can provide the manufacturer with encrypted \ninformation on a specific patient, as long as follow-up \ninformation can be obtained from the physician if necessary.\n    The FDA has issued regulations to ensure that the \nidentities of patients and those who report adverse experiences \nare held in strict confidence and are not disclosed by the FDA \nor by manufacturers who possess these reports. Manufacturers \nare required to encode patient identifying information before \nsubmitting reports to the FDA, but must maintain sufficient \ninformation to permit additional information to be obtained, if \nnecessary, from the person who reported the event. Moreover, \nthe identity of the adverse experience reporter, usually the \npatient\'s health care provider, must be deleted when reporting \nto the FDA. These privacy protections were instituted to enable \nthe FDA to continue to collect information on safety risks \nassociated with FDA-regulated products that is considered vital \nto protection of public health. 
In addition to the need to \ncomply with FDA reporting requirements, Merck must also comply \nwith the reporting requirements of foreign regulatory agencies. \nTypically an agency from a given country will want to be made \naware of worldwide safety information on all products which are \napproved in that country. Because of this, Merck will often \nhave to supply foreign regulatory agencies with information on \nadverse events occurring in patients in the United States. \nForeign regulatory agencies also respect the need for patient \nconfidentiality and hence do not require any patient-\nidentifiable information.\n    Learning more about the safety profile of marketed products \nmay not be limited to reports that meet the regulatory \ndefinition of adverse drug experiences but may also include \nadditional information that may lead to a better understanding \nof certain aspects of a product\'s safety profile. Thus, for \nexample, many drug and vaccine products are contraindicated for \nuse in pregnant women because of a lack of clinical study \ninformation about the safety of the product for use in that \npatient population. Yet, manufacturers may choose voluntarily \nto collect and report to the FDA information about a drug \nproduct\'s use during pregnancy even though that use is not \nassociated with an adverse experience. Information on use \nduring pregnancy may be collected from health care \nprofessionals who report such use to drug manufacturers or the \nFDA. At Merck, we treat such information in the same manner as \nwe treat information associated with adverse experience \nreports. The purpose of collecting and reporting this \ninformation is to enhance our knowledge about the overall \nsafety profile of a product in pregnant women.\n\n                     VI. 
Principles for Legislation\n\n    As you consider confidentiality standards for medical \ninformation, I hope you will appreciate how vital medical \ninformation and records research is to maintaining and \nimproving the health of the American public. Research on new \nmedicines vitally depends upon patients\' participation in \nclinical trials and researchers\' access to their relevant \nmedical information as well as to patient-level archival \ndatabases.\n    In order to ensure that any new legislation, regulation or \nstandards do not jeopardize biomedical research, we believe \nthat the following four guides should be followed.\n    First, clinical research subject to regulation by the Food \nand Drug Administration should be exempt from any new or \nadditional requirements. This is because, as explained above, \nthis type of research and use of information is already \nstringently regulated by the FDA through application of the \nCommon Rule, which, in turn, provides strong confidentiality \nprotection to the subjects of clinical trial research.\n    Second, access to and use of anonymized or encrypted data \nshould be excluded from any new requirements or restrictions \napplicable to information that identifies patients. Only data \nsources or collections of samples that directly identify \nindividuals should be subject to confidentiality protections, \nsince information that does not identify an individual cannot \nviolate one\'s confidentiality interest. 
In addition, the code \nnumbers should be permitted to be used for the purpose of \nlinking to additional information about subjects in a database \nwithout triggering unnecessary or burdensome requirements, so \nlong as the subjects remain unidentified.\n    Third, legislation should acknowledge and encourage the \ncollection and maintenance of information to verify or monitor \nthe safety and efficacy of products that have been approved by \nthe FDA or international regulatory authorities.\n    And finally, uniform national standards that preempt \nconflicting or inconsistent State laws concerning \nconfidentiality are necessary. Individual states should not be \nable to add to or detract from federal rules in this area that \nis so critical to improving the public health through research \nyielding better medicines. To allow states to add more \nstringent provisions would risk creating an inconsistent \npatchwork of requirements that will at best confuse and at \nworst seriously jeopardize biomedical research projects. \nResearchers whose primary concern should be quality and \nintegrity of study design and execution should not also be \nfaced with the additional complexities of satisfying \ninconsistent state requirements for research that crosses state \nlines.\n\n                            VII. Conclusion\n\n    I thank you once again for the opportunity to express our \nviews on this important topic. We at Merck believe that the \nconfidentiality interests of patients in their medical \ninformation can and should be protected. We also believe that \nthis can be accomplished in a way that does not jeopardize \nbiomedical research and the quality and improvements in \nhealthcare that result from that research.\n\n                                 ______\n\n    Chairman Thomas. Dr. Gabriel, I guess for most of us, if \nyou say health in Minnesota, you think of the Mayo Clinic. 
My \nconcern was, how did Minnesota wind up passing a law which \nprobably wounded significantly one of its cash cows from a pure \nmercenary point of view? Did you work with the legislature \nprior to the passage of the law? Was there a relatively high \nlevel of understanding among the legislators of the \nconsequences of their decision?\n    Dr. Gabriel. I cannot speak directly to that because I was \nnot involved, but I know that some of my colleagues were \ninvolved, and the extent to which there was a complete \nunderstanding of the consequences, I guess I cannot speak to \nthat.\n    Chairman Thomas. Has there been a followup with the \nMinnesota legislature after the passage of the law so that they \ncould understand the consequences?\n    Dr. Gabriel. Yes, the law has recently been amended. When \nthe law was first put into place, as you may know, it required \nus to put in place a very complicated and costly computerized \nsystem, which you alluded to earlier.\n    Chairman Thomas. And you chose to do it because you thought \nit was important.\n    Dr. Gabriel. We chose to be in full compliance. And that is \nno longer required. That level of compliance is no longer \nrequired, according to the amendment.\n    Chairman Thomas. And according to your testimony, and this \nis one of my concerns, again operating, if in fact we do, on an \nanecdotal basis or an incomplete understanding of what we are \ndoing, Minnesota apparently created the system that plugged one \nleak that may or may not have been a leak of the information \nsource by dealing with the nurses but left open myriad areas of \nleakage, which, in fact, if an investigation were carried out, \nwere probably the primary sources of leaks, if leaks occurred. \nIs that a relatively accurate statement?\n    Dr. Gabriel. That is my impression. Any legislation that \nfocuses strictly on research access would do exactly the same \nthing. 
I listed in my written testimony not all 75 but \ncertainly all of the other points of access where leakage could \noccur.\n    I think the main concern is that legislation should address \nthe concerns of the patients. And from our research, which we \ndid on our local population, the main concern of the patient is \nnot that a nurse abstracter will collect information and remove \nidentifiers and lead to a published study. The main concerns \nare the issues of discrimination, that were brought up before, \nand the misuse of information by employers and insurers.\n    Chairman Thomas. Dr. Guess, I can understand the narrow \nfocus of your testimony in terms of Merck carrying out research \nand wanting us to stay away from FDA and the rest, but your \nexample of Kaiser providing you with a research component, that \nwas real-world and actually off of ordinarily collected data, \nwhich indicates to me that what we maybe need to focus on is \nnot ``what\'\' but ``who and why.\'\' If we can get the ``who and \nwhy\'\' right, then the ``what\'\' is less of a concern, except \nwhen you go to the patient-identifiable data level, which is of \ngreat concern.\n    I am talking more about your area of research and the \nencrypting. I am not so wild about building barriers between \nFDA and HHS in terms of collecting data. I know you are, and \nyou have to go it based upon who you are here for, but I am \nmore interested in getting it right on all of the data that may \nflow than creating pockets of accuracy or I like what I have, \nso leave me alone. Any reaction?\n    Dr. Guess. Well, sir, I really agree with the tone and the \noverall scope of your testimony. I think the concern we have \nabout FDA is that we are subject to such stringent regulation \nin so many ways with FDA that adding another layer of \ncomplexity on top of that could create problems.\n    Chairman Thomas. 
I would be concerned about layering, but \nif they are doing something right there, I want to borrow it \nand apply it in other areas, if it makes sense. I know it is a \nrelatively narrow area you are dealing with, but in areas where \nthere has been complete ability to maintain confidentiality, I \nwant to look at those.\n    Dr. Guess. Right. I think the issue with FDA is that, with \ndrug research under FDA regulations, it is all interventional. \nSo one can obtain informed consent from the subjects in a \nclinical trial, but in a retrospective data base search, where \nyou are looking through anonymized records of several thousand \npeople, some of whom may have moved away, because it is \nhistorical data, there would really be a problem of applying \nthat paradigm in a sort of slavish way.\n    Chairman Thomas. Thank you.\n    Does the gentleman from California wish to inquire?\n    Mr. Becerra. If I could continue that line of questioning. \nAre there then some aspects of the FDA protocol which would be \nmost useful as we are trying to come up with ways to protect \nprivacy in every other aspect of research and disclosure that \noccurs?\n    Dr. Guess. Well, I think, as I said in my testimony \nearlier, that for encrypted or anonymized data, we feel that to \nsubject that to the kinds of provisions we have with FDA \nstudies could create a real burden. I think when it comes to \npatient-identifiable data, which is really the concern, I think \nsome of the provisions we have with FDA do make sense.\n    When we collect primary data on identifiable patients or \nwhen investigators collect that, it does make sense to have \nstringent provisions on that. But when we obtain anonymized \ndata, where we do not know who the patients are, I think that \nis a very different situation.\n    Mr. Becerra. 
For either of the two panelists, what is the \nwhole issue of the fact that more and more we are finding that \nmedical research and answers to medical dilemmas are really \nmore than just national in scope, they are really global? The \nwhole AIDS epidemic is certainly one of those illnesses or \ndiseases that falls within that category.\n    How do you go about establishing privacy laws that will be \nsufficient if the European Union on one end has very stringent \nprivacy laws and we may have other countries in other parts of \nthe globe who probably do not have any at all, and if they do, \nthey may not be enforced? How do you go about doing the \nresearch going beyond the U.S. border and ensuring that as you \ntry to collect information which will give you the best result \nfor your research that you are also providing the privacy that \npeople deserve?\n    Dr. Guess. I would be happy to take that, since we do \nresearch on a global scale.\n    I do not claim to be an authority on what is going on in \nthe European scene, but I do know the pharmaceutical industry \nis working with the European Union to try to create a code of \nconduct that will enable pharmaceutical research, specifically \nclinical research, to be carried out in a way that is not \nimpeded by some of the privacy initiatives in Europe.\n    I feel the problem is actually more a problem with some of \nthe proposed initiatives in Europe actually inhibiting research \nin a way that becomes inappropriate and actually harmful to \nthem.\n    I will say in certain countries in Europe, such as Germany, \nfor one, and France, to a certain extent, for another, \nepidemiologic research and health services research is very \nunderdeveloped relative to what it is in the United States. As \nyou go down the list of things that Dr. Gabriel mentioned, \nvirtually all of those discoveries are American-based \ndiscoveries. We have a very strong force in that area.\n    Dr. Gabriel. 
Could I respond to that?\n    Mr. Becerra. Yes, of course.\n    Dr. Gabriel. I think what you said also speaks to the \nimportance of preemption, so that at least in the United \nStates, we can have a common approach and a unified approach to \nthese problems.\n    As far as the international scene, there are a number of \ninternational epidemiology and research groups that are now \nassembled. I am part of a couple of them that are devising \ninternational standards for these studies and trying to discuss \nthat with the regulatory agencies in their own settings.\n    Mr. Becerra. Thank you, Dr. Gabriel.\n    If I can follow up on that, where would you break on the \nissue of preemption in view of what you just said?\n    Dr. Gabriel. Well, Mayo Foundation operates in five \ndifferent States. That means the clinical practice as well as \nthe clinical research crosses State boundaries, and it makes \nvery little sense for us to have this patchwork of rules and \nregulations. It really hampers both the practice and the \nresearch activities. So we would be in favor of it. However, I \ndo agree with one of the previous speakers about the value of \nhaving States do their own reportable disease and public health \nwork. I think that is a different category. But, in terms of \nconfidentiality, I think it makes a lot of sense for integrated \nhealth care delivery systems such as ours that operate in more \nthan one State to have one set of rules.\n    Mr. Becerra. Dr. Guess, if I could return to the whole \nissue of what you face in Europe as you try to conduct \nresearch, is part of the difficulty that you have in Europe or \nin certain European countries, is it due more to commercial \nissues or factors here than it might be actually conducting the \nresearch where, for example, they may want to keep their \nparticular research market closed to their researchers that are \nhome based?\n    Dr. Guess. I do not actually think so. 
I think some of the \nprivacy initiatives there may come about because much of the \nhealth care is socialized, and so I think it is a privacy \ntradition. Also, the German privacy tradition has its origins \nin other problems, and so I do not think it is really a \ncommercial interest. I think it just stems from the way the \nhealth care is organized.\n    Mr. Becerra. You mentioned that that has caused Merck and \nother U.S. pharmaceuticals problems in trying to conduct the \nresearch necessary.\n    Dr. Guess. Well, I think if certain of the provisions were \nto go through, problems would be caused.\n    I will also say that much of the type of research we do, \nfor example the study that we did at Kaiser, could not have \nbeen done in many parts of Europe. So there are certain things \nthat, just from their very cumbersome restrictions, would be \nquite difficult to do in many parts of Europe. I do not mean to \ntake Europe as a whole, but in many parts of Europe would be \nquite difficult to do.\n    Mr. Becerra. Thank you.\n    Mr. Chairman, if I could ask one last question.\n    How does the European Union treat the various nations \nwithin the Union? Are they provided with particular discretion? \nFor example, a European Union-wide preemption. Does that exist?\n    Dr. Guess. I think the objective with the European Union \ndirective is to create some uniformity to the European \nrequirements, and they are working toward this right now. So \nthey are trying to create some sort of preemption of a \npatchwork of national laws right now. But the problem may be \nsetting the level at an appropriate level.\n    Mr. Becerra. Thank you. Thank you, Mr. Chairman.\n    Chairman Thomas. 
I would tell the gentleman this is going \nto be an ongoing area in which, if we do not coordinate between \nthe European Union, the more emerging union of the European \nUnion, than we have in the past, where the historical situation \nof drug companies going to Europe to do certain types of \ntesting and research because of the laws in the United States \nmaking it more difficult--that if, in fact, the European Union \nmoves on the basis in large part of anecdotal or other reasons \nfor restricting that research, we have the opportunity, were we \nto get it right, to carry on the research here.\n    But if we do not change other areas of the law, we will not \nhave the ability to do it, notwithstanding the fact that we \nhave now created an opportunity to transmit the information in \na confidential way. So that what we do here is not the complete \nstory. We have to deal with the opportunity to allow research \nto go on beyond the patient records and the collection of data.\n    It would be an ultimate irony if the European drug \ncompanies, if there are any left after those laws are passed in \nEurope, would be coming to the United States to do the kind of \nresearch where the populations make sense on an analogous \nbasis. Where they do not, Merck and other companies, obviously, \nare moving around the globe; and what I would very much like to \ndo is get it right and set a model which is appropriate so that \nwe can at least urge others to follow our example.\n    I want to thank all of you for the testimony that was \ngiven, and especially the last panel. Without any additional \nquestions, the Subcommittee stands adjourned.\n    [Whereupon, at 12:10 p.m., the hearing was adjourned.]\n    [Submissions for the record follow:]\n      \n\n                                 ______\n\nAmerican Association of Health Plans\n\n                            I. 
Introduction\n\n    The American Association of Health Plans (AAHP) is the \nlargest national organization of health plans. AAHP represents \nmore than 1,000 health maintenance organizations (HMOs), \npreferred provider organizations (PPOs), and similar network-\nbased plans. Together, AAHP member plans provide quality health \nservices for approximately 140 million Americans. AAHP member \nplans are dedicated to a philosophy of care that puts patients \nfirst by providing coordinated, comprehensive health care.\n    The subject of today\'s hearing--how to craft federal \nlegislation to protect against inappropriate use of patient-\nidentifiable health information, while at the same time \npermitting the coordination and delivery of high quality health \ncare--is one of the most important issues facing federal health \npolicy makers today. Not only is there great potential for harm \nif patient information is misused, but our health care system \nrelies on patient trust as an essential ingredient to quality \nhealth care. The use of patient information by health care \nproviders, health plans, and health researchers has already \ngreatly improved the quality of health care. Continued use of \nthis information will enable us to build on that improvement.\n    Chairman Thomas, members of the Committee, and staff have \nbeen extremely open to discussing this issue with AAHP and our \nmember plans, and we appreciate their efforts to develop \nworkable, real-world policies and procedures regarding the \nconfidentiality of patient-identifiable health information.\n    This statement highlights how health plans currently use \npatient-identifiable health information to support quality \nassurance and improvement programs and emphasizes the \nimportance of properly structuring federal confidentiality \nlegislation in order both to preserve patient confidentiality \nand ensure that quality of patient care can continue to be \nenhanced.\n\n II. 
Health Plans Support Safeguarding the Confidentiality of Patient-\n                    Identifiable Health Information\n\n    AAHP and its member plans strongly support the goal of \nassuring consumers that health plans and health care providers \nwill respect the confidentiality of their identifiable health \ninformation. We believe that appropriate confidentiality \nsafeguards for patient-identifiable information are essential \nto ensuring that health plan members feel comfortable \ncommunicating honestly and openly with their physicians and \nother providers. Without open communication between patients \nand their providers, treatment decisions are based on \nincomplete or inaccurate information and quality of patient \ncare suffers.\n    AAHP\'s member plans have demonstrated their commitment to \nconfidentiality by addressing this issue as part of AAHP\'s \nongoing Putting Patients First initiative. Because AAHP is \ncommitted to addressing the issue of consumer confidence in \nhealth plans, association members must meet standards related \nto confidentiality. Member plans must safeguard the \nconfidentiality of patient-identifiable health information \nthrough policies and procedures that, consistent with federal \nand state law, (a) address safeguards to protect the \nconfidentiality of patient-identifiable health information; (b) \nprovide for appropriate training of plan staff with access to \npatient-identifiable information; and (c) identify mechanisms, \nincluding a clear disciplinary policy, to address the improper \nuse of patient-identifiable health information. 
The policy \nreinforces that health plans should not disclose patient-\nidentifiable health information without the patient\'s consent, \nexcept when necessary to provide care, perform essential plan \nfunctions such as quality assurance, conduct bona fide \nresearch, comply with law or court order, or for public health \npurposes.\n    This policy on confidentiality joins other policies that \nare also part of AAHP\'s Putting Patients First initiative, \ncovering areas such as information for consumers, physician-\npatient communication, choice of physician, grievance and \nappeals, physicians\' role in plan practices, and, of course, \nquality assessment and improvement.\n    Virtually all of the current federal legislative proposals \nrelated to confidentiality recognize that health plans need \naccess to patient-identifiable information for purposes of \nfacilitating treatment and securing payment for health \nservices. However, one area where there continues to be some \nconfusion over health plans\' need for information relates to \nhealth plans\' efforts to improve quality of care.\n    It is true that, for some of the quality-enhancing \nactivities health plans undertake, they are able to use non-\nidentifiable health information--information that has been \naggregated, anonymized, coded, or encrypted in such a way that \nthe information no longer reveals the identity of particular \nindividuals. Consistent with the vast majority of legislative \nconfidentiality proposals that have been considered to date, \nAAHP believes that a patient\'s interest in confidentiality is \npertinent only when his or her identifiable information is \ninvolved. Because aggregate, anonymized, coded, or encrypted \ninformation does not identify individuals, consumers need not \nbe concerned about the use of this information.\n    However, some of the fundamental, quality-enhancing \nactivities undertaken by health plans do require the use of \nidentifiable health information. 
The use of health information \nin health plan quality assurance and improvement activities can \ngreatly enhance the quality of health care for both the \nindividual plan member and the member population as a whole, \nand AAHP believes that health plan members should benefit from \nthese quality improvement activities. These activities are not \nonly fundamental to coordinated, quality care, but in many \ncases are also required of health plans under a variety of \nstate and federal programs and regulations, as well as under \nvoluntary private sector reporting and accreditation standards.\n\n   III. Health Plans Use Patient-Identifiable Health Information to \n                            Enhance Quality\n\n    Health plans use patient-identifiable health information in \na variety of activities that improve the quality of health \ncare. These activities, which focus on both the processes of \ndelivering care as well as on the outcomes of care, include \nhealth promotion and prevention, disease management, outcomes \nresearch, and utilization management. Health plans\' ability to \nenhance quality through these activities could be seriously \njeopardized unless federal confidentiality legislation is \nproperly structured.\n\nHealth Promotion and Prevention\n\n    Health promotion and prevention activities improve quality \nby enabling plans and providers to identify members at risk for \ncertain illnesses or eligible for certain services. Plans and \nproviders can then reach out to those members to provide \ninformation to them and encourage them to seek out services \nwhen they can benefit most from intervention and before disease \nprogresses. Often, determining who is at risk involves the use \nof patient-identifiable health information. 
Health plans add \nmuch of value in this area because they have access to claims \ndata and can help busy physicians accurately identify patients \nat risk of certain illnesses or who are eligible for certain \nservices--even among patients the physician may not have seen \nin some time. Once the plans have identified these members, \nthey contact them and, in many cases, the members\' physicians \nas well. Many plans encourage their physicians to follow-up \nwith the identified members to schedule the necessary \nappointments.\n    For example, nearly all plans have implemented postcard or \nphone-call mammography reminder systems for their female \nmembers. Patient-identifiable information is used to identify \nfemale enrollees of a certain age who have not received a \nrecent mammogram. United HealthCare\'s plans use patient-\nidentifiable information to single out women aged 50 to 74 who \nare overdue for a mammogram. The plans send reminder notices to \nthese women as well as to their physicians so that the \nphysicians can follow-up with their patients directly. As a \nresult of this program, in 1995, United HealthCare\'s plans \nacross the country experienced increases in mammography rates \nranging from 30-45%. This program and others like it promote \ndetection of breast cancer in the earliest and most treatable \nstages.\n\nDisease Management\n\n    Disease management activities improve quality by \nidentifying members who have been diagnosed with certain \nchronic diseases and then coordinating and monitoring their \ncare. Again, because health plans have access to claims data, \nthey are well-positioned to identify those members who will \nbenefit most from disease management programs. 
Health plans \nthen contact the identified members and, in many cases the \nmembers\' physicians, in order to encourage them to seek the \nappropriate care.\n    For example, according to a recent study, 45.4% of all HMOs \nhad diabetes disease management initiatives in place in January \n1996.\\1\\  Harvard Pilgrim New England has developed a \ncomprehensive gestational diabetes management program that \nincludes directed case management and regular vision \nscreenings. The plan uses patient-identifiable information to \nidentify members with diabetes and involve them in the plan\'s \ndisease management program. As a result, the plan was able to \nincrease annual retinal exams by 26%, eliminate diabetes-\nrelated newborn major malformations, and decrease the incidence \nof low blood sugar reactions in patients receiving insulin \ntherapy.\n---------------------------------------------------------------------------\n    \\1\\ The InnerStudy Competitive Edge Part II: Industry Report, \nSeptember 1996, p. 76.\n---------------------------------------------------------------------------\n    Asthma management is another area where health plans use \npatient-identifiable information to target members and improve \nthe quality of care delivered to them. As of January 1996, \n50.4% of all HMOs had asthma management programs in place.\\2\\ \nPrimeCare Health Plan, for example, examines clinic and \nhospital record information to identify children with asthma \nwho are missing an inordinate number of clinic appointments and \nwho have high hospital admission rates. 
Working with the \nchildren\'s pediatricians, the plan involves the children and \ntheir families in an asthma education and management program \nthat initially resulted in a 30% reduction in emergency room \nvisits and a 60% reduction in hospital admissions for \nparticipants of the program.\n---------------------------------------------------------------------------\n    \\2\\ Ibid.\n\n---------------------------------------------------------------------------\nOutcomes Research\n\n    Another method health plans use to improve the quality of \ncare is outcomes research. Health plans use patient information \nto evaluate the effect of particular treatment programs, assess \nthe typical course of a chronic disease over time, and identify \nvariations in outcomes that may be targeted for future \nimprovements in health care processes.\n    For example, Kaiser Permanente of Northern California used \npatient-identifiable information to study the most effective \ntreatment for a type of diabetes. Using identifiable health \ninformation of their members who had been treated for diabetes, \nKaiser studied whether patients who matched a certain clinical \nprofile and were treated with the drug Metformin experienced \nbetter outcomes than patients who did not have the same profile \nbut who were also treated with Metformin. The outcomes analysis \nindicated that, in fact, outcomes were better in the patients \nwho matched the profile than in those who did not match the \nprofile. This study provided Kaiser physicians with the \nclinical evidence needed to select the most effective course of \ntherapy for their diabetic patients.\n\nUtilization Management\n\n    Utilization management activities involve evaluating the \nmedical necessity and appropriateness of health care services \nboth for the purposes of payment as well as for quality \nimprovement. Utilization management enables plans to respond to \ninappropriate patterns of care. 
For example, evidence suggests \nthat hysterectomies and caesarean section deliveries are over-\nperformed in the U.S. Hysterectomies are the second most common \nprocedure--performed on 1 in 3 American women by the age of 60. \nIn Italy, by comparison, the figure is 1 in 6 and in France it \nis only 1 in 18. Similarly, the Centers for Disease Control \nestimated that physicians performed 349,000 unnecessary \ncaesarean section deliveries (approximately 1 out of every 12 \ndeliveries) in 1991--unnecessarily placing women at risk of \ninfection and unnecessarily exposing them to the complications \nand trauma associated with major abdominal surgery. Health \nplans\' utilization management programs require patient-\nidentifiable information to ensure that patients receive \nnecessary, appropriate, high-quality care in a cost-effective \nmanner.\n\nIntegrated Delivery of Services\n\n    Integrated delivery of services enables health plans and \nproviders to utilize patient-identifiable health information in \neven more ways to improve the quality of care. Often, \nphysicians are provided with increased access to patient \ninformation in order to aid them in their management of certain \nhealth conditions. For example, physicians at LDS Hospital in \nSalt Lake City created a computer-assisted management program \nfor antibiotics and other anti-infective agents which \nIntermountain Health Care now uses in its hospital intensive \ncare settings. The program compares historical patient data \n(rendered non-patient-identifiable) on infection \ncharacteristics and antibiotics effectively used in treatment \nto current patient infection data. The system then provides \ndecision support to physicians by recommending anti-infective \nregimens and courses of therapy based on its comparison. 
The \nsystem also helps to prevent adverse drug reactions and promote \ncost-effective care by enabling physicians to choose anti-\ninfective regimens that are the most effective for the lowest \ncost.\\3\\ In this example, patient-identifiable information that \nhas been rendered non-identifiable is used to link previous \npatient record information on infection causes and treatment \nregimens to the computer-assisted antibiotic management program \nto improve care for current patients.\n---------------------------------------------------------------------------\n    \\3\\ Evans RS, Pestotnik SL, Classen DC, et al., ``A computer-\nassisted management program for antibiotics and other anti-infective \nagents,\'\' New England Journal of Medicine, January 22, 1998; 338:232-8.\n---------------------------------------------------------------------------\n    As previously mentioned, not only are these activities that \nuse patient-identifiable information fundamental to improving \npatient care, but many are also required of health plans under \na variety of state and federal programs and regulations, as \nwell as under voluntary private-sector reporting and \naccreditation standards. 
For example:\n    * Activities to monitor, detect, and respond to \nover- and under-utilization are required by state HMO and \nutilization review laws, federal laws, and private \naccreditation standards;\n    * Data collection and analysis of condition-\nspecific patient outcomes are required of plans participating \nin the Federal Employees Health Benefits Program;\n    * Ongoing quality assurance programs that (1) stress \nhealth outcomes and provide for the collection, analysis, and \nreporting of data; (2) monitor and evaluate high volume and \nhigh risk services and the care of acute and chronic \nconditions; and (3) after identifying areas for improvement, \ntake action to improve quality, are required of Medicare+Choice \nplans under Medicare;\n    * Procedures to ensure health care delivery under \nreasonable quality standards, consistent with recognized \nmedical practice standards, and ongoing, focused activities to \nevaluate health care services, are required by the NAIC Model \nHMO Act, which approximately 30 states have adopted;\n    * Quality management programs that ``monitor, \nevaluate, and work to improve the quality of care and quality \nof services provided . . . utilizing a variety of quality \nmanagement studies, reviews, and evaluations such as . . . 
\nmedical record reviews\'\' are required of plans seeking URAC/ \nAAHCC accreditation;\n    * Quality management standards that monitor aspects \nof patient care such as disease management, acute and chronic \ncare, and preventive care are also required of plans seeking \nURAC/AAHCC accreditation;\n    * Health management systems that identify members \nwith chronic conditions and offer appropriate services and \nprograms to assist in managing their conditions are required of \nplans seeking NCQA accreditation; and\n    * Actions and interventions to improve quality by \naddressing opportunities for improved performance are also \nrequired of plans seeking NCQA accreditation.\n    It is clear that health plans\' efforts to improve patient \ncare have been recognized by state, federal, and private \nregulatory entities alike. It also should be clear that \ncompromising plans\' abilities to improve patient care--whether \nby imposing excessive regulatory requirements or by leaving \nplans with inadequate or partial information for quality \nstudies--would result in reduced quality of care. This would \npresent an obvious quandary for plans legally and contractually \nrequired to conduct quality-enhancement activities, yet at the \nsame time forbidden to use the information necessary to fulfill \nthese obligations.\n\n IV. Unduly Restricting Health Plan Use of Patient-Identifiable Health \n                    Information Would Reduce Quality\n\n    Some of the current federal confidentiality proposals \ninclude provisions which would unduly restrict health plan use \nof patient-identifiable health information and, as a result, \nseriously threaten quality of care. One of the more restrictive \nand quality-compromising approaches put forth would be to \nrequire health plans and providers to obtain patient \nauthorization each and every time they use identifiable health \ninformation. 
This type of authorization requirement would be \nimpractical, costly, and a major burden for patients as well as \nfor plans. Moreover, the nature of many of these plan \nactivities is that they are seeking to identify individuals at \nrisk--it would be impossible to obtain consent from individuals \nwho had not yet been identified. As a result, health plans \nwould be unable to send mammography reminder notices or \ninformation on asthma management programs to plan members in \nneed of these services.\n    A second approach to restricting the use of patient-\nidentifiable information for quality-enhancing purposes which \nhas also been proposed by some would be to permit patients to \nopt-out of participating in quality-enhancing activities, such \nas health promotion, disease management, outcomes research, and \nutilization management. Such an opt-out provision would \ndiminish the capacity of current health plan quality assurance \nprograms and be counterproductive to improving the quality of \npatient care. In fact, withholding some patients\' information \nwithin a health plan setting could make engaging in these \nquality-enhancing activities so impractical that plans and \nproviders would forgo these activities for all patients--again, \nraising the potential conflict between plan obligations to \nimprove quality and legal restrictions on the use of the \ninformation needed to fulfill those obligations. For example, \nin the case of the computer-assisted management program for \nantibiotics, if patients were permitted to object to the use of \ntheir medical record information for this program, the data \navailable to physicians would be incomplete and could skew the \ncomputer-generated treatment recommendations, potentially \nthreatening the quality of care not just for the patient who \nopts out, but for all current patients. Such a threat could \nlikely prompt the discontinuation of this innovative and much-\nlauded program. 
This would also be true for other quality-\nenhancement endeavors of this type.\n    Leaving plans with incomplete information could also force \ncurrent state, federal, and private reporting and quality \nimprovement requirements to be modified and weakened to reflect \nthe health plans\' diminished capacity even to report on health \noutcomes or enrollees\' use of services. This in and of itself \nwould make plan quality improvement less effective and \naccreditation status less meaningful. On a more global level, \nour national goal of finding out the most effective ways to \ndeliver health care--to make sure that patients get the best \ncare for their health dollar--would be severely compromised.\n\nV. A Statutory Authorization Would Preserve Quality of Care With Fewer \n                          Procedural Barriers\n\n    For the reasons just mentioned in the previous section, \nAAHP supports the inclusion of a statutory authorization in \nfederal confidentiality legislation. A statutory authorization \nwould authorize in law all of the widely accepted positive uses \nof patient-identifiable health information, including \nfacilitating treatment, securing payment, and conducting health \nplan quality-enhancing activities. Both the Administration\'s \nproposal and the National Association of Insurance \nCommissioners\' (NAIC) draft Health Information Privacy Model \nAct follow the statutory authorization approach. A statutory \nauthorization would achieve the goal of providing plans and \nproviders with access to identifiable health information to \nimprove quality of care. And, by working in tandem with strong \npenalties for the misuse of identifiable health information, a \nstatutory authorization would also achieve the goal of assuring \nconsumers that plans and providers will respect the \nconfidentiality of their identifiable health information. 
It is \nAAHP\'s recommendation that any penalties be consistent with the \npenalties already established by the Health Insurance \nPortability and Accountability Act of 1996 (HIPAA) for the \nwrongful disclosure of individually identifiable health \ninformation.\n    A slightly less effective alternative to the statutory \nauthorization that has also been proposed is the consolidated \nauthorization. As proposed, the consolidated authorization \nwould allow plans to procure a single authorization at the time \nof enrollment to use identifiable health information for the \npurposes of facilitating treatment, securing payment, and \nconducting quality improvement activities central to patient \ncare. While the consolidated authorization is a vast \nimprovement over having to obtain separate authorizations each \nand every time patient-identifiable information is used, this \napproach has limitations that the statutory authorization does \nnot.\n    For example, one legislative proposal that has followed the \nconsolidated authorization approach has also included \nprovisions permitting revocation of that consolidated \nauthorization. Yet, expecting health plans to facilitate and \npay for quality health care services after a patient has \nrevoked his or her prior authorization for use of health \ninformation is a Catch-22 for health plans. Not being able to \nuse patient-identifiable information would interfere with \nplans\' abilities to effectuate payment for services already \nrendered, facilitate and coordinate treatment, and fulfill \nlegally required operational functions--in essence, paralyzing \nplans\' ability to effectively serve patients. 
On the other \nhand, plans--and physicians and hospitals--could be held \ncriminally liable for continuing to facilitate high quality \ntreatment by using identifiable information.\n    This particular legislative proposal has addressed this \ndilemma by giving health plans explicit permission to disenroll \nindividuals from the plan upon the individual\'s revocation of \nhis or her authorization. While health plans prefer not to have \nto disenroll patients, revocation provisions often provide them \nno choice. In fact, given the liability involved for \nunauthorized use of information as well as for substandard \ncare, revocation by an enrolled individual should perhaps be \ntreated as disenrollment without requiring any further action \nby the plan. It should also be noted that plans may have \nunderway at the time of an individual\'s revocation quality \nimprovement activities, such as outcomes research, that would \ncontinue to require the use of the patient\'s identifiable \nhealth information lest the entire endeavor be compromised by \nan individual\'s withdrawal of his or her information mid-study. \nThis again points to the superiority of the statutory \nauthorization approach.\n\n VI. The Same Level of Protection Should Be Required for All Types of \n                Patient-Identifiable Health Information\n\n    AAHP believes that federal confidentiality legislation \nshould require the same level of protection for all types of \npatient-identifiable health information. Health care providers \nrely on the completeness of medical records in their treatment \nof patients. Segregating certain types of health information, \nsuch as genetic information, from the rest of the medical \nrecord could interfere with a provider\'s access to health \ninformation that can just as easily be a predictor of future \nhealth problems as other types of health information. 
Because \nof this, current practice in most health plans supports uniform \ntreatment of all health information and, in many cases, genetic \ninformation is an integral part of the medical record \nindistinguishable from other personal health information. For \nexample, given a notation of a positive marker for one of the \nbreast cancer genes in a patient\'s record, a physician can \nencourage increased mammography screenings to detect any breast \ncancer tumors at an earlier and more treatable stage.\n    Moreover, oftentimes genetic information may not be any \nmore sensitive than other medical record information. HIV \nstatus, treatment for mental health, reproductive history, or \nevidence of sexually transmitted disease can be considered \nequally sensitive information. Because many types of health \ninformation can be considered sensitive, singling out \ninformation based on its presumed sensitivity would only \npromote inconsistent protections.\n    With advanced software capabilities available, it is far \npreferable to limit access to information through the use of \npasswords and other software controls than to require plans and \nproviders to physically store different types of information \nseparately or treat different types of information differently.\n\n VII. There Should Be Nationally Consistent Rules in Areas that Affect \n                    Computerized Information Systems\n\n    AAHP believes that, given the complex and interstate nature \nof the way information flows in today\'s health care system, \nfederal confidentiality legislation should address the need for \nnationally consistent rules in areas that affect computerized \ninformation systems. Moreover, consistent rules governing \ndisclosure of various portions of computerized health records \nwill facilitate compliance by multi-state health plans and \nemployers.\n\n   VIII. 
Patients Should Have the Opportunity to Inspect, Copy, and \n       Request Amendment To Their Identifiable Health Information\n\n    AAHP supports patients having the opportunity to inspect, \ncopy, and request amendment to their identifiable health \ninformation. Federal confidentiality legislation should \nrecognize, however, that health plans that arrange for services \nthrough provider networks typically do not maintain central \nmedical records files. While health plans that employ salaried \nphysicians and those that contract with physician groups whose \npractice is solely focused on serving the health plan\'s members \nmay be prepared to provide their members with access to a \ncomprehensive medical record, even members of these plans may \noccasionally seek care outside of the plan\'s affiliated \nproviders. Given that it is a provider who originates health \ninformation, we believe it is appropriate for providers to be \nresponsible for facilitating access to records and appropriate \namendment procedures. Federal legislation should permit health \nplans to direct patients wishing to inspect, copy, or request \nan amendment to their record, to their physician or other \nprovider who originated the information in question.\n    In addition, some proposed legislation includes a \nrequirement to include patients\' written requests for \namendments and written statements of disagreement in the \npatient\'s medical record. However, for the growing numbers of \nplans and providers that utilize electronic medical records, \nthis requirement would entail transforming the patient\'s \nwritten statements into electronic format in order for it to \nbecome part of the medical record. Instead, AAHP suggests that \na notation concerning the patient\'s request to amend or \nstatement of disagreement fulfill any such requirement.\n\n                              IX. 
Research\n\n    Any provisions targeted to research in federal \nconfidentiality legislation must ensure that intra-plan quality \nimprovement and other health plan operational activities are \nnot suddenly subject to a federal oversight process that was \nintended for the protection of human subjects participating in \nclinical research and that was never intended to encompass \nroutine quality improvement activities related to health care \ntreatment and payment. Intra-plan quality improvement \nactivities should not be subject to federal oversight.\n    Federal confidentiality legislation must also ensure that \nthose health plans and providers that wish to provide patients \naccess to clinical trials may continue to do so without being \nsubject to a federal research approval process. Current federal \noversight of clinical trials already subjects researchers to \nreview by an independent board specially designed to protect \nand safeguard the interests of human subjects.\n\n                             X. Conclusion\n\n    AAHP wholeheartedly supports the goal of assuring consumers \nthat health plans and health care providers will respect the \nconfidentiality of their identifiable health information. At \nthe same time, AAHP believes that consumers should benefit from \nthe quality-enhancing activities health plans undertake--many \nof which are required by public regulators and private sector \noversight entities. 
In order to craft federal confidentiality \nlegislation that achieves these two goals, it is essential to \nhave a firm understanding of how our current health care system \nworks, how information flows within the system to make it work, \nand how health plans use information to improve the quality of \nhealth care.\n    In this statement, AAHP has highlighted the following \nrecommendations for federal confidentiality legislation:\n    (1) Federal confidentiality legislation should not unduly \nrestrict health plan use of patient-identifiable health \ninformation. Instead, legislation should statutorily authorize \nthe use of patient-identifiable health information for the \npurposes of facilitating treatment, securing payment, and \nconducting health plan quality improvement activities central \nto patient care. This statutory authorization would work in \ntandem with penalties for misuse that are consistent with \nHIPAA.\n    (2) Federal confidentiality legislation should require the \nsame level of protection for all types of patient-identifiable \nhealth information.\n    (3) Federal confidentiality legislation should address the \nneed for nationally consistent rules in areas that affect \ncomputerized information systems.\n    (4) Federal confidentiality legislation should permit \nhealth plans to direct patients wishing to inspect, copy, or \nrequest an amendment to their record, to their provider. 
In \naddition, any requirements to include written statements \nsubmitted by the patient in the patient\'s record should permit \nplans and providers to include a notation that a written \nstatement exists if it is more technologically feasible to do \nso.\n    (5) Any research provisions included in federal \nconfidentiality legislation must be carefully constructed to \nensure that intra-plan quality improvement activities are not \nsuddenly subject to a process that was intended for the \nprotection of human subjects participating in clinical research \nand that was never intended to encompass routine quality \nimprovement activities related to health care treatment and \npayment. In addition, any research provisions must ensure that \nthose health plans and providers that wish to provide patients \naccess to clinical trials may continue to do so without being \nsubject to a federal research approval process. Current federal \noversight of clinical trials already subjects researchers to \nreview by an independent board specially designed to protect \nand safeguard the interests of human subjects.\n    We look forward to working with the Committee in its \ncontinued work on federal confidentiality legislation.\n      \n\n                                 ______\n\nStatement of American Association of Occupational Health Nurses (AAOHN)\n\n    The American Association of Occupational Health Nurses, \nInc. (AAOHN) appreciates the opportunity to submit written \ntestimony to the House Committee on Ways & Means, Subcommittee \non Health for the hearing record on the matter of Health Care \nInformation Privacy and Confidentiality. We want to thank the \nChairman and express our special appreciation for his \nleadership on this important issue.\n    Our primary interest in participating in these hearings is \nto urge Congress, in the strongest terms, to enact truly \ncomprehensive medical records confidentiality legislation. 
In \nsummary, we believe that for Congress to be successful in this \narea, it must craft legislation that will ensure that all \nmedical records are protected under the law regardless of the \nmode of payment or the setting where the health information is \nobtained or maintained.\n    AAOHN is the professional association for more than 13,000 \noccupational and environmental health nurses who provide on-\nthe-job health care for the nation\'s workers. Occupational \nhealth nurses are the largest group of health care providers at \nthe worksite. As such, our professional nurses assume \nresponsibility for all aspects of health and safety for \nindividual workers and the work environment. AAOHN supports the \ndevelopment of uniform laws, rules and procedures governing the \nuse and disclosure of health care information. AAOHN has had a \nlong-standing interest in the debate on confidentiality of \nhealth information. The Association has developed position \nstatements and guidelines on the issue to ensure that the voice \nof the occupational and environmental health nurse is heard in \nWashington.\n\n                               Background\n\n    In the course of their jobs, occupational health \nprofessionals collect personal information about the health and \nlifestyles of their company\'s employees. AAOHN members are \nresponsible for a great deal of data collection and maintenance \nof personal health information. This often includes records \nthat document medical and/or health surveillance activities, \nwellness programs, pre-job placement and return-to-work \nphysical examinations, and other similar types of worksite \nhealth initiatives. It is our observation that, to date, the \nconfidentiality issues surrounding the protection of health \ninformation gathered and maintained at the worksite have gone \nlargely unnoticed in the confidentiality debate. Health care \ninformation obtained and maintained at the worksite is both \npersonal and sensitive. 
Clearly, health information records \nfound at the worksite are as important to the confidentiality \ninterests of the nation\'s workers as the patient data contained \nin the more traditionally thought of medical record. Worksite \ninformation, if improperly used or released, may be equally as \nharmful to an employee\'s interests as unauthorized disclosure \nof more traditional medical records.\n    AAOHN maintains that employers should have access only to \nthat amount of health information necessary to determine \nwhether a worker may perform his or her job in a safe manner. \nFor example, we believe that in cases of fitness for work exams \n(e.g., health surveillance, pre-job placement and physical \nexaminations, and return-to-work physical examination records) \nhealth care professionals should provide the employer with a \nwritten determination based on the medical record rather than \nhanding the employer the actual record itself.\n    Also, in cases in which workers\' compensation benefits are \nat issue, information obtained through the company\'s wellness \nor employee assistance programs should not be used to defeat \nthe claim. Employees seeking medical or disability payments \nunder state workers\' compensation laws should not be forced to \nsign releases covering their entire medical record in order to \nfile their claim. Only information directly relevant to the \nillness or injury underlying the compensation claim and any \nappropriate secondary injury determination should be available. \nNo other information should be released without meaningful, \nuncoerced consent on the employee\'s part for a more expansive \ndisclosure.\n    Limiting the amount of personal health information an \nemployer may learn about his or her employee is not a novel or \nuntested regulatory approach. 
The ``bloodborne pathogens\'\' \nregulations issued by the Occupational Safety and Health \nAdministration (OSHA) explicitly require that such information \nmust be kept confidential and ``not disclosed or reported \nwithout the employee\'s express written consent to any person \nwithin or outside the workplace except when required by this \nsection or as may be required by law.\'\' \\1\\\n---------------------------------------------------------------------------\n    \\1\\ 29 CFR Ch. 1910.1030.\n---------------------------------------------------------------------------\n    The law also narrows the extent of the information provided \nto the employer to that which is necessary to make a \ndetermination regarding work fitness. For example, the \nregulation states that the ``healthcare professional\'s written \nopinion .... shall be limited to whether (a particular \ntreatment) is indicated for an employee, and if the employee \nhas received such (treatment).\'\' \\2\\\n---------------------------------------------------------------------------\n    \\2\\ Id.\n---------------------------------------------------------------------------\n    We believe that Congress should enact a law to protect \nindividually identifiable health information utilizing the \nstandards set forth in the bloodborne pathogens regulations.\n    To be clear, occupational health professionals have an \nethical obligation to safeguard health information \nconfidentiality. AAOHN\'s ethical tenets caution against \ninappropriately disclosing confidential information yet \nrecognize, however, that there are a number of appropriate \nethical and legal exceptions to the rule. For example, it is \nperfectly ethical and legal to disclose information concerning \nthreats of homicide, threats of suicide, reportable diseases, \nchild or elder abuse, any injury caused by firearms or other \nviolent acts, and other information covered by law. 
Other types \nof disclosures for specific purposes such as controlled \nresearch, emergencies, civil, judicial and administrative \npurposes, law enforcement, oversight and payment may also be \nappropriate.\n    Employers must be able to access certain personal health \ninformation when considering pre-placement testing, fitness for \nwork exams and work place safety health testing. Specific \nlimited information must be available to employers making \nreasonable job accommodations in cases of disability or \nreviewing claims for workers\' compensation benefits. In \naddition, because employers are also responsible for providing \na number of other types of benefits such as health and \ndisability insurance, family medical leave and employee \nassistance programs, they may require that certain specific \nhealth information be disclosed. AAOHN firmly believes that \nemployers should be allowed to administer these important \nprograms in an efficient manner.\n    Unfortunately, occupational health nurses are often \npressured by employers to release a worker\'s entire medical \nrecord. As such, the occupational health professional is caught \nbetween management demands and the nurse\'s ethical \nresponsibility to protect the employee\'s confidentiality. Many \nof our members can attest to the fact that employers often \npressure occupational health nurses to divulge the confidential \nhealth information of their employees. For too many \noccupational health nurses this ethical and legal dilemma is \nnot a theoretical issue. The cases of Bettye Jane Gass and \nKathleen Easterson provide two such examples:\n\nBettye Jane Gass\n\n    Bettye Jane Gass became a registered nurse when she passed \nher Kentucky Nursing Boards in 1975. She received her degree in \nnursing from Western Kentucky University. Shortly thereafter, \nMs. Gass began working at both Western Kentucky University and \nthe Lord Corporation on a part-time basis. 
She later left the \nemployment of Western Kentucky University to become a full-time \nHealth Services Specialist at the Lord Corporation\'s Bowling \nGreen plant.\n    In that position Bettye Jane Gass was responsible for \nproviding treatment to employees who sustained injury or became \nill. She was also responsible for maintaining the case \nhistories of workers; coordinating paper work flow for injury \ncompensation reports; scheduling pre-employment physicals and \nfollow-up physician visits; preparing summaries and reports; \nand maintaining OSHA record-keeping requirements as well as \ncoordinating activities of the company\'s wellness program. She \nwas asked to return to part-time status in 1993 and was \nterminated on September 7, 1995, without prior notice after \napproximately thirteen and one-half years at the Lord \nCorporation.\n    On that date, the human resource manager demanded access to \nthe routine physical examinations given to all plant employees. \nBettye Jane Gass refused to turn over the keys to the filing \ncabinet where the worksite health information was kept. She \nrefused to violate her ethical obligations and despite a \nwritten company policy that expressly stated that health \nservices personnel should maintain confidentiality and provide \nlimited access to the medical files, she was fired for \n``insubordination.\'\' The state court that heard her case issued \na summary judgment stating that Ms. Gass ``failed to show that \nher discharge was in violation of any fundamental and well \ndefined public policy as evidenced by a constitutional or \nstatutory provision.\'\' Bettye Jane Gass has filed an appeal and \nthe case is still in pending litigation.\n\nKathleen Easterson\n\n    In the case of Kathleen Easterson, the issues of employer \npressure resulting in the termination of an occupational health \nnurse are again presented. 
Kathleen Easterson, an occupational \nhealth nurse and Assistant Director of Nursing and Director of \nEmployee Health at a New York area medical center, was \nterminated by her employer when she refused to disclose the \ncontents of a doctor\'s note containing an employee\'s non-\noccupational diagnosis of severe headache and TMJ trauma. Like \nthe case of Bettye Jane Gass, the termination occurred despite \nthe fact that there was an explicit corporate policy pertaining \nto medical records confidentiality.\n    In the court case that followed the hospital\'s actions, Ms. \nEasterson sued for wrongful discharge and reinstatement of \nemployment. Ms. Easterson explained to the court that she \nbelieved that the worker in her care had a reasonable \nexpectation of privacy with respect to the medical records kept \nin her care. She believed this to be true because of the \nexistence of the nurse-client confidential relationship. She \nexplained to the court that the employer\'s policy and practice \nof reviewing an employee\'s medical record without consent \nshould not be tolerated. If employers were allowed to continue \nthis policy, she argued, it would erode trust in the health \ncare system and should, therefore, be held to be against the \ninterests of good public policy. Ms. Easterson maintained that \nthe doctor\'s note was part of the employee\'s confidential \nrecord and that there was no governmental compulsion to reveal \nthe employee\'s medical record.\n    Unfortunately, the two lower courts that heard the case \nheld that there was no nurse-client relationship between the \noccupational health nurse and the employee. In addition, the \ncourt held that the doctor\'s note at issue was not information \nacquired by the nurse in attending the employee/client. The \ncourt also found that the doctor\'s note was not necessary to \nenable the nurse to act in a nurse-client capacity. 
The court \ndetermined that the doctor\'s note did not create a substantial \nand specific danger to the public health. Finally, the court \ndetermined that there was no basis in law upon which to provide \nMs. Easterson with relief for her claims.\n    AAOHN believes that the lack of legal recourse in both the \nGass and Easterson cases is egregious and should be corrected \nthrough Congressional enactment of comprehensive \nconfidentiality legislation.\n\n        Greater Protections Should Be Created Under Federal Law\n\n    AAOHN maintains that workers must be allowed to feel that \ntheir private disclosures will be treated in a dignified and \nconfidential manner. The existence of the patch work of state \nlaws does not always provide such assurances in the worksite \nsetting. Under the laws of many states, employers are not \nprohibited from accessing detailed personally identifiable \nemployee health information with the company. This is true \nbecause the occupational health professional is viewed as an \nagent of the employer, not as a health care provider with a \nduty of confidentiality to the patient-employee. In addition, \ncourts have found that physicians representing employers are \nnot bound by the physician-patient duty of confidentiality.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ Rogers v. Horvath, 237 N.W. 2d 595 (Mich. 1995).\n---------------------------------------------------------------------------\n    At the same time, health care professionals have been held \nliable in some states for violations of their professional duty \nto respect privacy. 
For example, when a private physician \nnotified an employer that an employee had a ``long-standing \nnervous condition with feelings of anxiety, and insecurity,\'\' \nthe patient won an award for damages from the physician because \nthe patient had asked not to have the information released and \nbecause the court could find no compelling reason for the \ndisclosure.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ Horne v. Patton, 287 So.2d 824 (Ala. 1974).\n---------------------------------------------------------------------------\n    In another case, the West Virginia Supreme Court held that \nunder the state\'s workers\' compensation statute, physicians can \nallow employers access to written medical reports but not to \ninformation collected from oral communications. The court also \nruled that employees can sue both their physicians for \nreleasing confidential information and their employer for \nrequesting the information.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ Morris v. Consolidation Coal, 446 S.E.2d 648 (W.Va. 1994).\n---------------------------------------------------------------------------\n    In still other cases, health care professionals have not \nbeen held liable in at least one state that has attempted to \nprotect patients from unfair information practices, for \narguably the wrong reasons. In a Maryland case, a plaintiff \nnamed Leo Kelly, Jr., brought suit against a physician named \nDr. Brad Lerner based on medical malpractice. In that case the \nparties agreed to submit the claim to binding arbitration. The \nplaintiff hired an expert witness named Dr. Horst Schirmer to \ntestify that Dr. 
Lerner had breached the standard of care by \nperforming an operation known as a transurethral resection of \nthe prostate (``TURP\'\') on the plaintiff.\n    On cross-examination, Lerner\'s counsel sought to impeach \nSchirmer by introducing a copy of a pathology report that \nindicated that Dr. Schirmer had performed the identical surgery \nunder conditions he alleged constituted a breach of care on the \npart of Dr. Lerner. The subject of that pathology report was \nWilliam Warner. Based on this use of his medical records, \nWarner sued Lerner alleging that a violation of the Maryland \nConfidentiality Records Act of 1990, resulted from Lerner\'s \nimproper taking and use of Warner\'s medical records without his \nprior consent. Warner v. Lerner, 115 Md. App. 428, 693 A.2d 394 \n(1997). Lerner filed a motion to dismiss the case which the \nCourt granted on the grounds that the law stated that in \nlitigation ``a health care provider may disclose a medical \nrecord without the authorization of a person in interest.\'\' \nDespite the fact that the Maryland legislature intended to \nprotect patients from violations of their confidentiality, they \ndid not foresee that health care providers such as Dr. Lerner \nwould use a provision apparently intended to allow physicians \nto defend themselves in malpractice actions for other purposes. \nThe Court stated:\n    [w]e are troubled here ... 
[d]espite this Court\'s quite \nobvious discomfort, maybe even displeasure, or its severe \nreservations regarding just what was intended by the general \nassembly, the language of the statute is clear, and we must \ngive meaning to those words as those words set forth by that \ndeliberative body.\n    This case points out some of the more egregious perils and \npitfalls that exist in the current patch work quilt of state \nconfidentiality laws.\n    AAOHN believes that workers must be provided with adequate \nconfidentiality safeguards regardless of where the personally \nidentifiable health information is obtained or maintained. We \nbelieve that Congress, therefore, must enact comprehensive \nuniform medical record confidentiality legislation in order to \nprotect both workers and occupational health professionals. \nWithout an appropriate amount of carefully crafted legal \nprotections, health care professionals will continue to have \ndifficulty in protecting workers\' personal health care \ninformation and struggle with the burdens of carrying out their \nethical obligations.\n\n       The ``Medical Information Protection Act of 1998\'\' (Draft)\n\n    AAOHN has indicated its support for a number of elements \ncontained in the latest draft version of the ``Medical \nInformation Protection Act of 1998,\'\' prepared by Senator \nRobert Bennett (R-UT) and co-sponsored by Senator Jim Jeffords \n(R-VT). Although this bill has not been introduced in either \nthe Senate or House we commend several sections of this \nproposal to your attention. In general, we believe that this \nproposal would provide sufficient protections without creating \nunreasonable burdens on participants and providers in the \nhealth care system. 
The proposal prescribes the following \nfederal standards that would:\n    <bullet> provide individuals with access to their own \nhealth information and the right to make corrections;\n    <bullet> impose civil and criminal penalties for wrongful \ndisclosure and mishandling of protected medical records;\n    <bullet> limit an individual\'s personally identifiable \nhealth information that could be disclosed without consent to \ncertain specified circumstances (e.g., emergencies, health \nresearch conducted by an approved certified institutional \nreview board, fraud and abuse, etc.); and\n    <bullet> require that a notice of confidentiality practices \nbe posted in public.\n\nIn general the proposed legislation would also preempt state \nlaw.\n    AAOHN supports defining the term ``health information\'\' \nbroadly enough to include medical records obtained or \nmaintained at the worksite for purposes other than treatment or \npayment. We also support the draft bill because it would \nrequire that entities that create health information post a \nnotice of their confidentiality practices. The simple practice \nof posting such a notice, we believe, will allow employees an \nopportunity to gain a clearer understanding of their rights. 
It \nwill also provide employees with a better understanding that \nindividuals do, indeed, have the power under the law to take \nlegal action against violators when appropriate.\n    In addition, we are encouraged by the bill\'s criminal \nsanctions provisions because we believe it is essential that \nthose who would knowingly and intentionally obtain personally \nidentifiable health information and disclose this information \nin violation of the proposed law be penalized.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ The ``Medical Information Protection Act of 1998,\'\' Title III, \nSubtitle A, Section 301(a).\n---------------------------------------------------------------------------\n    We suggest, however, that the draft bill could be \nstrengthened by extending penalties to those circumstances in \nwhich individuals are ``attempting\'\' to obtain personally \nidentifiable information for purposes of unauthorized \ndisclosure. It is not enough, in our view, to merely penalize \nthose who are successful at inappropriately obtaining and \ndisclosing personally identifiable health information. The \nrecent news stories regarding the highly aggressive marketing \npractices of certain health related corporations remind us that \ngreater protections are essential. The change we propose would \nimprove the bill and serve as a significant deterrent against \ninappropriate disclosures. We note that at least one previous \ndraft version of the bill contained this important provision \nand suggest that any further drafts would be greatly improved \nby including the old provision in the final bill prior to its \nintroduction.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ See, ``Medical Information Confidentiality Act,\'\' Title I, \nSubtitle B, Section 311(a)(1). Version, (0:/BAI/BAI97.721). 
Fall 1997.\n---------------------------------------------------------------------------\n    We also support providing uniform legal protections across \nthe nation. Without a broad uniformity provision, conflicts \nwill arise due to the fact that it will not always be obvious \nthat a specific state law does provide for ``greater \nprotections\'\' than the federal law. While we believe enacting a \nweaker preemption provision would be an improvement over the \nstatus quo, we suspect that anything less than full preemption \ncould lead to more litigation and confusion rather than less.\n    Finally, AAOHN is actively working to ensure that any \nlegislation that moves through Congress includes a provision \nthat would clarify that the law should not require a health \ncare provider within an entity (e.g., a physician or nurse who \nprovides occupational health services) to disclose protected \nhealth information to others within the company or entity. This \nissue is often complicated and steeped in terminology that \ncourts may find unfamiliar. Under the Bennett-Jeffords \napproach, it appears clear that health information concerning \nwellness records and first aid would be protected but that \nother types of worksite records may not be covered. We urge you \nand others to include in any confidentiality legislation a \nprovision that would protect employee medical records related \nto fitness to work as well as those records that document the \ntreatment of illness or injuries or participation in wellness \nor employee assistance programs. While we prefer that this \nimportant concept be included in actual legislative language, \nwe want to also offer the following suggested Report language:\n    The Committee believes that the health provider who \ncreates, originates or maintains the health information within \nthe entity is the proper person to determine whether a \ndisclosure is consistent with the limitations under subsection \n(d). 
The intent is to protect the confidentiality of an \nindividual\'s medical records in the workplace, especially those \nrelated to an employee\'s fitness to work (e.g., medical \nsurveillance records, health screening, return-to-work physical \nexamination records).\n    In summary, we believe this type of language would limit \nthe releases of important information to protect employee \nconfidentiality while allowing employers to operate their \nworksite health programs appropriately.\n\n              The Clinton Administration\'s Recommendations\n\n    As you know, in September of 1997, Secretary of Health and \nHuman Services Donna Shalala provided your Committee with a \nnumber of recommendations regarding standards for privacy and \nprotection of individually identifiable health information. \nThese recommendations were in fulfillment of her duties \nrequired by the Health Insurance Portability and Accountability \nAct (HIPAA). While not legislation, these recommendations put \nforth the following five important principles:\n    <bullet> Boundaries: An individual\'s health care \ninformation should be used for health purposes and only for \nthose purposes, subject to a few carefully defined exceptions. \nIt should be easy to use information for those defined \npurposes, and very difficult to use it for other purposes. \nFederal health record confidentiality legislation should impose \na legal duty of confidentiality on those who provide and pay \nfor health care, and on other entities that receive health \ninformation from them;\n    <bullet> Security: Organizations to which we entrust health \ninformation ought to protect it against deliberate or \ninadvertent misuse or disclosure. Federal law should require \nsuch security measures;\n    <bullet> Consumer Control: Patients should be able to see \nwhat is in their records, get a copy, correct errors, and find \nout who else has seen them. 
[The Administration\'s] \nrecommendations significantly strengthen the ability of \nconsumers to understand and control what happens to their \nhealth care information;\n    <bullet> Accountability: Those who misuse personal health \ninformation should be punished, and those who are harmed by its \nmisuse should have legal recourse. Federal law should provide \nnew sanctions and new avenues for redress for consumers whose \nprivacy rights have been violated; and\n    <bullet> Public Responsibility: Individuals\' claims to \nprivacy must be balanced by their public responsibility to \ncontribute to the common good, through use of their information \nfor important, socially useful purposes, with the understanding \nthat their information will be used with respect and care and \nwill be legally protected. Federal law should identify those \nlimited arenas in which our public responsibilities warrant \nauthorization of access to our medical information, and should \nsharply limit the uses and disclosure of information in those \ncontexts.\n    AAOHN is convinced that personal health information can be \ncollected and effectively utilized in the workplace without \nsacrificing the employee\'s right to privacy if employers \nconscientiously follow Secretary Shalala\'s principles. \nUnfortunately, the Secretary envisions defining employer \n``activities that use health information\'\' too narrowly to \nfully protect the privacy interests of American workers. \nAddressing only the privacy issues raised by employers\' access \nto traditional treatment, payment, wellness and first aid \nrecords still leaves employees significantly at risk because of \nthe potential for employers\' misuse of information in other \ntypes of worksite records. AAOHN and its members know from \nexperience that business can operate effectively while adhering \nto well-thought-out policies that guarantee the confidentiality \nof personally identifiable health information. 
Such policies \nprovide adequate physical, administrative and technical \nsafeguards against nonconsensual intra-company disclosures of \nemployee data that exceed the scope of information legitimately \nneeded by the employer to run its business safely and \neffectively.\n    AAOHN urges Congress to expand upon Secretary Shalala\'s \nrecommendations and to enact a medical records confidentiality \nstatute that adequately protects all employee health \ninformation held at the worksite not just those records \nmentioned by the Secretary.\n\n                               Conclusion\n\n    Mr. Chairman, AAOHN greatly appreciates this opportunity to \noffer our comments for the hearing record. In addition to our \nspecific comments, we offer the following five principles that \nwe believe will be useful as Congress deliberates on this \nimportant issue:\n    <bullet> First, define health information broadly enough to \ninclude all medical records obtained or maintained at the \nworksite for purposes other than treatment or payment;\n    <bullet> Second, require entities that create or maintain \nhealth information to post a notice of their confidentiality \npractices;\n    <bullet> Third, apply the guiding principles of \ncompatibility of purpose and minimal disclosure to all \npersonally identifiable health information available to an \nemployer regardless of the reason why the employer holds or has \naccess to the records;\n    <bullet> Fourth, recognize that the health care \nprofessional who creates, originates or maintains the health \ninformation at a worksite is the appropriate person, rather \nthan management, to determine whether a disclosure is \nconsistent with the purposes underlying the reason for the \nrelease of the information;\n    <bullet> Lastly, include penalties for coercing or \nattempting to coerce inappropriate record disclosures as well \nas penalties for actual misuse.\n    These elements are essential components of any \ncomprehensive 
federal medical records confidentiality law \nintended to protect the personal health information of \nAmerica\'s workforce. We urge Congress to keep these principles in \nmind when legislating, and we look forward to working with you \nand your colleagues as this important matter moves through the \nlegislative process.\n      \n\n                                <F-dash>\n\nStatement of American College of Occupational and Environmental \nMedicine, Arlington Heights, Illinois\n\n    The American College of Occupational and Environmental \nMedicine (ACOEM) is pleased to have the opportunity to submit \ntestimony to the House Committee on Ways and Means, \nSubcommittee on Health on the issue of confidentiality of \nmedical records and Secretary Shalala\'s recommendations for \nlegislation.\n    ACOEM, representing over 7,000 physicians, is the world\'s \nlargest medical society committed to promoting and protecting \nthe health, safety, productivity and well-being of people at \nwork and in their environment.\n    ACOEM supports the development of uniform comprehensive \nlegislation addressing the confidentiality of medical records. \nThe College feels that such legislation should include \nprovisions that encompass the treatment of employee medical \ninformation in the workplace.\n    There is great potential for a worker to be adversely \naffected by the misuse of workplace medical records. Decisions \non return to work, job placement, and promotion can be \ninfluenced by improper access to workplace medical records. \nCurrent federal laws, such as the Americans with Disabilities \nAct (ADA), are inadequate in scope. For example, the medical \nrecord confidentiality requirements in the ADA go no further \nthan requiring the medical record to be kept in a separate \nfile. 
The ADA does not address who has access or when access is \npermitted.\n    Occupational physicians and other workplace health care \nproviders depend on the individual to completely and truthfully \ndisclose private information before rendering a professional \nopinion. An employee must feel secure that the physician will \ntreat their private disclosures in a dignified and confidential \nmanner. The physician should disclose information received in \nconfidence only in narrowly defined circumstances and only when \nit is in the best interests of the individual.\n    Employers may require access to personal information when \nconsidering requests for job accommodations, addressing threats \nto health or safety, or reviewing claims for workers\' \ncompensation benefits. Additionally, employers shoulder an \nincreasing responsibility for providing other types of benefits \nand obligations, such as health and disability insurance, \nfamily medical leave, and employee assistance programs. As a \nresult, the employer becomes inextricably and unavoidably \ninvolved in employees\' personal and medical affairs.\n    Thus, competing interests between a worker\'s desire for \nprivacy and the employer\'s legitimate interest in the health of \nworkers create sensitive ethical and legal dilemmas for \nphysicians in occupational medicine. Difficult ethical problems \narise when attempting to balance the importance of the worker\'s \nneed and right to keep medical information confidential versus \nthe employer\'s need to know.\n    Occupational physicians acknowledge the importance of \nmedical confidentiality in the College\'s Code of Ethical \nConduct. The code includes the following:\n    ``5. keep confidential all individual medical information. \nReleasing such information only when required by law or \noverriding public health considerations, or to other physicians \naccording to accepted medical practice, or to others at the \nrequest of the individual\'\'; and\n    ``6. 
recognize that employers may be entitled to counsel \nabout an individual\'s medical work fitness, but not to \ndiagnosis or specific details, except in compliance with laws \nand regulations.\'\'\n    ACOEM recognizes its Code of Ethical Conduct to be the \nstandard of conduct expected from those providing occupational \nmedical services. However, the College believes that additional \nguidance by legislation is necessary to protect the worker\'s \nexpectation for confidentiality and to give the physician\'s \nethical responsibility the force of law.\n    Secretary Shalala\'s recommendations for workplace \nprotections are too narrowly crafted. The Secretary recommends \nthat employers not be ``controlled by the legislation,\'\' but be \nconsidered health care providers or payers when they actually \nperform those activities and ``be obliged to conduct themselves \naccordingly.\'\'\n    The College recommends that comprehensive federal \nlegislation reflect the following principles:\n    1. Physicians should disclose their professional opinion to \nboth the employer and the worker when the worker has undergone \na medical assessment for fitness to perform a specific job; \nhowever, the physician should not be required to give the \nemployer specific details or diagnoses unless the worker has \nauthorized the disclosure.\n    2. Supervisors and managers may be informed by the \nphysician regarding necessary restrictions on the work or \nduties of the employee and recommended accommodations. However, \nthe physician should not provide, or be coerced to provide, the \nmedical information on which the restriction or accommodation \nis based.\n    3. Physicians should recognize a consent for disclosure \nonly if the consent is informed and is made without duress.\n    4. 
Physicians should be a source of professional, unbiased, \nand expert opinion in the workers\' compensation or court \nsystems, and should only disclose medical information that is \nrelevant and necessary to the claim or suit. The decision on \ndisclosure of relevant and necessary medical information should \nbe solely that of the physician.\n    5. The physician should develop a written policy for the \ntreatment of medical records in their offices, clinics or \nworkplaces. The policy should address such issues as where and \nhow medical records are stored; the security of medical \nrecords, including medical databases; what happens in the event \nof employee resignation, layoff, termination, job transfer, or \nplant closure; and the mechanisms of employee access and \nconsent for disclosure.\n    6. Although workplace medical records may be considered the \nproperty of the employer, this ownership does not abrogate any \nof the principles of confidentiality. However, the custodian of \nthe record should always be the physician or responsible health \ncare provider and access to the record should be controlled by \nthe custodian. The medical record captures the confidentiality \nof communications within the patient-physician relationship. \nFor the physician to provide the best and most appropriate \nmedical care, a worker must feel that they can disclose to \ntheir physicians personal facts and information that they may \nnot want others to know. 
Access by corporate officials, e.g., \nemployee relations, in-house legal departments, and other \nfunctions, should proceed via the physician and in accordance \nwith procedures for disclosure.\n\n    ACOEM urges the Congress to enact comprehensive federal \nmedical records confidentiality legislation that encompasses \nprotection of an individual\'s personally-identifiable medical \ninformation in all settings, including the workplace.\n\nWashington Contact: Pat O\'Connor (202-223-6222)\n      \n\n                                <F-dash>\n\nStatement of American Hospital Association\n\n    The American Hospital Association (AHA) represents the \nnation\'s 5,000 hospitals, health care systems, networks and \nother providers of care. We appreciate this opportunity to \npresent our views on an issue of great importance to our \nmembers and the patients we serve: protecting the \nconfidentiality of private health care information.\n    As health care providers, AHA members are deeply involved \nin both the use of private health information, and in ensuring \nthat the information remains confidential. Our comments reflect \nour members\' experiences and needs in balancing these two \nimportant issues.\n\n          Protecting the Trust Between Providers and Patients\n\n    Every day, thousands of Americans walk through the doors of \nAmerica\'s hospitals. Each and every one of them provides care \ngivers information of the most intimate nature. They provide \nthis information under the assumption that it will remain \nconfidential. It is critical that this trust be maintained. 
\nOtherwise, patients may be less forthcoming with information \nabout their conditions and needs--information that is essential \nfor physicians and other care givers to know in order to keep \npeople well, ease pain, and treat and cure illness.\n    If care givers were not able to obtain and share patients\' \nmedical histories, test results, physician observations, and \nother important information, patients would not receive the \nmost appropriate, high-quality care possible.\n    Our members consider themselves guardians of this \ninformation, which is why AHA has long supported the passage of \nstrong federal legislation to establish uniform national \nstandards for all who use health information. We were pleased \nthat the Health Insurance Portability and Accountability Act \n(HIPAA) of 1996 pushed this issue to the forefront by requiring \nthe Secretary of Health and Human Services to issue \nrecommendations to Congress on this important topic. We commend \nCongress and this committee for taking up the difficult task of \nbalancing the needs in this area.\n    It\'s an issue that affects each of us personally. We live \nin a time of rapidly advancing technological improvement, when \nthe world seems to get smaller as computers get more powerful \nand databases get bigger. This technological change can be \npositive--it has led to significant improvements for both \nhealth care providers and their patients--but it worries people \nwho are justifiably concerned about how information about them \nwill be used.\n    In health care, we must take the steps necessary to protect \nthat information from those who would misuse it. We need \nstrong, uniform federal legislation to do it.\n\n                       AHA Goals For Legislation\n\n    First and foremost, because we as hospitals and health \nsystems put our patients first, we must restore people\'s trust \nin the privacy and confidentiality of their personal health \ninformation. 
Federal legislation can do this by establishing a \nuniform national standard for the protection of health \ninformation--including genetic information--a standard that \nbalances patient privacy with the need for information to flow \nfreely among health care providers. The AHA believes that \nfederal confidentiality legislation must meet the following \ngoals:\n\nAllow patients and enrollees access to their medical \ninformation, including the opportunity, if practical, to \ninspect, copy, and, where appropriate, add to the medical \nrecord.\n\n    Patients have a right to know what information is in their \nrecords. This level of accountability encourages accuracy and \nhas the added benefit of encouraging patient involvement in \ntheir care. It is not appropriate for patients or enrollees to \nrequest deletions from their records even if the information is \nincorrect. Medical or claims decisions may have been made based \non that erroneous information and it should be left in the \nrecord to ensure accuracy for future users. Any amendments or \ncorrections should be added to the original information.\n\nPreempt state laws that relate to health care confidentiality \nand privacy rights, with the exception of some public health \nlaws.\n\n    Health care today is delivered through providers that are \nlinked across delivery settings, and through organizations that \ncross state boundaries. AHA believes that the best way to set \nimportant standards for confidentiality of health information \nis to do so uniformly--through a strong federal law. This law \nmust be both a floor and a ceiling, preempting all state laws \nwith which it may conflict, weaker or stronger. 
Only through \nsuch a uniform law can patients\' confidential information be \nequally protected regardless of the state in which they live or \ntravel.\n\nBe broad in its application, covering all who generate, store, \ntransmit or use individually identifiable health information, \nincluding but not limited to providers, payers, vendors, and \nemployers.\n\n    Patient confidentiality cannot be ensured unless standards \nare applied to all who may have access to health information. \nLegislation should cover all types of individually identifiable \nhealth information, including sensitive issues such as \nsubstance abuse, mental health, and genetic information.\n    Because of our strong belief in this concept, the AHA has \nbeen very concerned about model privacy regulation that is \nbeing developed at the National Association of Insurance \nCommissioners (NAIC) and would apply only to insurance \ncarriers. This attempt to address enrollee privacy concerns \nthrough insurers potentially expands the ability of insurers to \nuse individually identifiable information by expanding insurer \nresponsibility into areas that are more appropriate for \nproviders. The model holds insurers responsible for amending \npatient records and establishing Institutional Review Boards \n(IRBs) for research. It also holds insurers responsible for \nmaking sure that providers with whom they contract have \nconfidentiality and security policies that are ``substantially \nsimilar\'\' to their own. This limited approach illustrates the \nproblems with addressing this problem in a piecemeal manner.\n\nStrike an appropriate balance between patient confidentiality \nand the need to share clinical information among the many \nphysicians, hospitals and other care givers involved in patient \ncare.\n\n    Care is increasingly provided by groups and systems of \nproviders as opposed to individual providers. 
These new systems \ncreate opportunities for real improvements, but they rely \nheavily on a free flow of information among providers. Patient \nconfidentiality is of the utmost importance. But in order to \nensure that care is coordinated and the patient\'s experience is \nas seamless as possible, information must be accessible to all \nproviders who treat the patient.\n    To ensure this smooth coordination of care, the AHA \nsupports legislation that requires a health plan to obtain from \nits enrollees authorization for the entire range of treatment \nactivities that could be needed. Providers should still be \nallowed to ask for other authorizations--for example, if a \npatient is to receive sensitive tests or procedures that might \nrequire the provider to consult with others during a course of \ntreatment. But, because it is impossible to know in advance all \nthe different practitioners who might be involved in a single \nhealth care case, multiple levels of authorization would create \nunscalable barriers to the smooth coordination of care.\n    Another important issue is how to make sure providers have \nall the information they need to treat the patient. Some \nproposals allow patients to decide which providers can and \ncannot have access to their records, and what information the \nprovider can and cannot see. While we understand the concerns \nof patients who want to limit the amount of information in \ntheir records that is made available to providers or payers, we \nbelieve strongly that decisions about what information is \nnecessary must be made by trained health personnel. 
At the same \ntime, however, information that is requested by a provider or \npayer must be clearly related to the purpose for which it is \ndisclosed.\n\nRecognize that a hierarchy of need exists among users of health \ninformation.\n\n    While access to individually identifiable information is \nessential for patient care, it may also be necessary for \nprovider and health care system efforts to measure and improve \nthe quality of care they deliver.\n    To limit its potential misuse, all within the health system \nshould restrict the availability of individually identifiable \ninformation. Technology is available to do this, through \nencryption, audit trails, and password protection, for example. \nAnother method for restricting the availability of individually \nidentifiable information is to aggregate information whenever \npossible. Patients should be assured that unique, identifiable \ninformation about them is available for their treatment, but \nthat its availability for other uses is tightly controlled.\n    Specific guidelines should be established to control the \ndisclosure of individually identifiable information to various \ncategories of users, including law enforcement officials, \nresearchers, and employers.\n    Regarding law enforcement, the AHA believes that leaving in \nplace current state laws--as recommended by the secretary of \nHHS--would set a dangerous precedent. Inconsistencies in these \nlaws could allow local law enforcement agencies unrestricted \naccess to confidential patient records, and free rein to re-\ndisclose the information contained in them. Federal safeguards \nneed to be put in place that ensure patient information is \nprovided only when truly necessary--and that its subsequent use \nis tightly controlled. 
Such decisions should be left to a \nneutral magistrate, from whom law enforcement agents must \nrequest a warrant or subpoena to obtain individually \nidentifiable patient information.\n    In the area of research, it is critical that legislative \nproposals distinguish between--on the one hand--human subject \nresearch under an IRB and non-intervention medical records \nresearch involving no contact with patients, and--on the other \nhand--the internal operations that a hospital or health system \nundertakes to improve care. For example, many institutions use \nindividual medical records to track outcomes and conduct case \nand disease management. Confidentiality legislation should \nrecognize that these activities are not research, but \nactivities integral to the basic function of a hospital or \nhealth system--continually striving to improve the health care \nthey deliver.\n    When individually identifiable information is used by \nemployers, two things are critical: the employer must have \naccess only to information needed for the functions it may \nperform as an ERISA health plan--treatment, payment or \nadministration; and this private information must be available \nonly to those who administer the health plan.\n\nInclude sufficient civil and criminal penalties to deter \ninappropriate disclosure of individually identifiable \ninformation.\n\n    The level of these sanctions should vary according to the \nseverity of the violation. At the same time, any penalty \nimposed must take into account good-faith efforts by providers \nwho establish data safeguards, educate employees about \ncomplying with the safeguards, and attempt to maintain secure \nrecord-keeping systems.\n\nConclusion\n\n    The smooth exchange of patient information is critical to \nproviders and patients alike as our nation\'s health system \nrapidly becomes more integrated. We need federal legislation to \nprotect this sensitive information from being misused. 
The AHA \nlooks forward to working with you to develop legislation that, \nby adhering to the goals stated above, protects patient \nconfidentiality, does not get in the way of high-quality health \ncare delivery, and is truly a uniform national standard.\n      \n\n                                ______\n\nStatement of Healthcare Leadership Council\n\n    The Healthcare Leadership Council (HLC), a trade association \nrepresenting all sectors of the health care industry, including \npharmaceutical companies, hospitals, managed care, providers \nand device manufacturers, submits the following statement \nregarding patient confidentiality for the record created in \nresponse to the March 24 hearing held by the House Committee on \nWays and Means, Health Subcommittee. The HLC members are the \ninnovators in the health care industry, and share a commitment \nto a consumer-focused health care system and a dedication to \nproviding high quality health care services to every patient. \nInformation is the cornerstone of innovation and quality. It \nserves as the basis for the knowledge we need to serve, treat, \ncounsel, prescribe therapies, and reimburse patients, and to \ndiscover how all of these activities can be done better and \nmore effectively. Without efficient access to information, the \nevolving health care delivery system will come to a grinding \nhalt, and consumers will be denied the real-world benefits of \nall that the health care industry has to offer today and well \ninto the future.\n    The HLC supports the passage of federal confidentiality \nlegislation, while assuring the appropriate information sharing \nneeded by network-based health plans, researchers and \npurchasers to provide high quality affordable care for \nconsumers. We applaud the recent Ways and Means Health \nSubcommittee hearing. The issues discussed will help build a \nstrong foundation for the upcoming debate Congress will have on \nthis most important issue. 
We appreciate the inclusion of our \nstatement in the record.\n    For more than two years, the HLC has been engaging in an \nearnest effort to work with its members and others in the \nindustry to craft workable and meaningful confidentiality \nprotections that provide important confidentiality assurances \nto the patient while at the same time allowing health plans, \nproviders and health product manufacturers to use patient \nhealth information for purposes that are necessary and \nappropriate to the provision of high quality health care \nservices.\n    In searching for a workable federal legislative solution, \nthe HLC has identified the following principles as necessary to \nstriking the right balance between the patient and the \ninformation needs of the health care industry. These basic \nprinciples are as follows:\n    (1) Support for federal standards regarding the \nconfidentiality of all patient health information; (2) \nApplication of standards only to identifiable health \ninformation, leaving non-identifiable health information (i.e., \ncoded and encrypted data) available for use in research and for \nother health-related purposes; (3) Treatment of all \nidentifiable patient health information, including genetic \ninformation, the same way to assure the same strong \nconfidentiality protections; (4) Facilitation of appropriate \nuses and sharing of patient health information with recognition \nthat access to information is not harmful, but rather helpful \nto the patient; and (5) Provision for strong and thorough \npreemption of state law.\n    1. Federal standards. Federal standards ensuring the \nconfidentiality of patient health information are critical to \nguaranteeing the uniform, consistent treatment of such \ninformation throughout the country. 
In 1996, the Health \nInsurance Portability and Accountability Act (HIPAA) took \nimportant steps in the right direction by requiring that a \nstandardized information transmission and storage system be \ndeveloped, and that such systems be kept secure. In addition, \nHIPAA mandates that Congress enact federal confidentiality \nstandards by August of 1999. Failure to do so will trigger \nSecretarial authority to promulgate regulations guaranteeing \nsuch protections within six months.\n    The time has come for a uniform federal standard. The HLC \nsupports federal standards regarding disclosure and use of an \nindividual\'s identifiable health information, for safeguarding \nthe confidentiality of that information, and for establishing \nan individual\'s rights to inspect and copy his or her records. \nA uniform standard is the only way to avoid a dual-regulatory \nenvironment. State authority should remain paramount over areas \nof confidentiality that do not conflict with national \nuniformity and consistency, such as state reporting \nrequirements for public health and safety dangers and licensure \nof providers.\n    2. Treat all identifiable health information in the same \nmanner. The HLC supports extending strong and consistent \nconfidentiality protections to all personally identifiable \npatient health information. As such, the HLC is concerned about \nrecent proposals, such as that introduced by Rep. Slaughter (D-\nNY) (H.R. 306), to treat genetic information separately from \nother patient health information. As a practical matter, it \nwould be difficult if not impossible for health plans and \nproviders to treat and secure genetic information differently \nthan other patient health information as almost all health \ninformation contains an important genetic component. How then \ncan we elevate certain types of health information to a higher \nstatus more deserving of protection than other information? 
All \npersonally identifiable patient health information should \nreceive the same strong protections against inappropriate \ndisclosure.\n    3. Scope of federal standards should apply to individually \nidentifiable information only. In its effort to craft federal \nconfidentiality standards, Congress should apply these \nprotections to individually identifiable health information \nonly where there is a legitimate need for confidentiality. The \ncurrent trend is toward anonymizing information--that is, \nrendering the information available but leaving the identity of \nthe subject individual unknown--and a more narrow focus on \nindividually identifiable health information would provide an \nimportant incentive to encrypt, encode and otherwise anonymize \npatient health information wherever possible.\n    The HLC strongly believes that any federal confidentiality \nstandards should provide incentives for health plans, \nproviders, purchasers and other product manufacturers to \ncontinue using non-identifiable health data to make \nadvancements, cure diseases and study the effects of new \ntreatments. Allowing the use of anonymized health data directly \nfacilitates health research and limiting its use would stifle \nthe phenomenal medical advances being made almost daily in this \ncountry. To further ensure the confidentiality of patient \nhealth information, however, the HLC strongly supports \nsubjecting any ``encryption key\'\' or other such code used to \nanonymize information to the same strong protections provided \nfor other protected, identifiable health information.\n    4. Provide for appropriate health information sharing with \nconfidentiality protections. Any federal confidentiality \nstandards adopted by Congress must adequately and effectively \nrecognize that most health care services are delivered through \nsome form of integrated delivery system. 
This modern health \ncare system, which is marked by a team-approach to health care \ndelivery, relies heavily on information sharing and \ncollaboration to ensure high quality services are provided to \nthe patient. As a result, it is crucial that strong patient \nconfidentiality protections allow and facilitate appropriate \ninformation sharing to further this goal. Following are several \nkey points explaining the HLC\'s perspective:\n    * An integrated health care delivery system requires \nmore information sharing. Only in focusing on what are and are \nnot appropriate ``uses\'\' of patient health information can we \ndevelop confidentiality protections that effectively \ndistinguish between what is helpful and harmful to the patient \nand to consumers generally. Our health care delivery system is \nno longer one defined by discrete encounters with a number of \ndifferent and unrelated physicians and providers. Rather, the \ncurrent delivery system is distinguished by a growing number of \ninnovative arrangements between and among physicians, health \nplans, employers, hospitals and researchers. We now have teams \nof professionals responsible for coordinating the health care \nservices provided to patients. These teams involve multiple \nindividuals, including physicians, nurses, lab technicians, \npharmaceutical manufacturers and others. Together, these varied \nparticipants are working in the interest of the patient.\n    As a result of these important improvements in the health \ncare delivery system, the HLC supports establishing strong \nconfidentiality protections consistent with the direction of \nour delivery system. Specifically, the HLC supports allowing \nthe use of patient information for purposes of providing \ntreatment, securing payment, conducting health care research \nand undertaking quality assurance activities. 
These activities \nare all designed to benefit the consumer.\n    Medical records research is vital to maintaining and \nimproving the health of the American public. In fact, virtually \nevery health hazard that we know of today has been identified \nusing information from medical records. Take AIDS, for example. \nIf researchers had not been allowed to study the medical \nrecords of patients with unusual immune deficiency problems in \nthe late 1970\'s, the characterization of the AIDS epidemic \nwould have been delayed at substantial cost to the public\'s \nhealth. Other examples include studies examining the benefits \nand risks of estrogen treatment, the health risks of: smoking, \ndietary fats, obesity, and certain occupations; infectious \ndisease studies which led to the development of vaccines for \npolio, measles and other infectious diseases; and studies which \nshow the effect of breast cancer screening programs.\n    Another example is the outbreak of ``flesh eating strep\'\' \nidentified at the Mayo Clinic in 1996. Without access to the \nmedical records of patients with these unusual infections, \ncharacterization of this syndrome and isolation of this deadly \nbacterial strain would have been delayed. And over a hundred \nschool children--which the Mayo research showed were the \nunwitting carriers of this deadly germ in their throats--would \nhave gone untreated. Every medical advance mentioned here has \nrelied heavily on information from patients\' medical records. \nWithout access to this rich source of clinical information, \nmany of these advances simply would not have occurred.\n    * You can\'t expect a surgeon to operate blind. \nLegislation must emphasize confidentiality and provide strong \ndisincentives for abuses of information; however, the HLC is \nconcerned over recent proposals that would appear to place the \npatient in a position of having ultimate veto power over access \nto information. 
To put patients, who by and large rely on lay \nknowledge, in a position of deciding whether to grant access of \ninformation to some and not to others ultimately puts them at \nrisk. Again, federal standards should focus on the \nappropriateness of information disclosure and its use.\n    * The move toward electronic transmission of \ninformation brings forth tremendous benefits for the patient, \nbut also creates fears. The Health Insurance Portability and \nAccountability Act (HIPAA) will result in numerous standards \nregarding the security of electronically transmitted \ninformation. The concept of a unified medical record is \nrevolutionary in the benefits that will inure to patients. \nThere will be fewer adverse drug reactions, fewer mistakes made \nand fewer unintended consequences. Electronic data storage \npresents a greater opportunity to secure information than in \nthe current system of open file cabinets, etc. At the same \ntime, anything new and unfamiliar can cause trepidation. It is \nthe fear of the unknown. Yet a unified medical record stored \nelectronically actually can keep information more secure than \npaper copies in files, as mentioned before. Computer records \ncan be safeguarded through encryption, password access and \nother similar technologies.\n    * The HLC is concerned over efforts to use the \nconfidentiality debate to advance other agendas, such as anti-\nmanaged care and insurance product pricing issues. The HLC \ngrows increasingly concerned that the debate over how to keep \npatient health information confidential in the current health \ncare delivery environment is becoming a vehicle for debate \nregarding the delivery system as a whole. Again, the HLC \nadvocates responsible and appropriate information sharing and \nuse. 
However, any debate desired about such practices as \nmedical underwriting, utilization review/utilization management \nand other quality assurance techniques should be held \nseparately and should be dealt with on the basis of their \nmerits. The HLC cautions Congress against effectively putting \nan end to such practices through the guise of protecting the \nconfidentiality of patient information.\n    * Confidentiality protections are already in place. \nHealth plans and providers submit to voluntary accreditation, \nwhich includes evidence of strong confidentiality protections. \nFor example, the National Committee for Quality Assurance \n(NCQA) and the Joint Commission on Accreditation of Healthcare \nOrganizations (JCAHO) are two accrediting bodies which require \nhealth plans and hospitals to have written confidentiality \npolicies and procedures in place, to take action at patient \ncare sites to guard against unauthorized or inadvertent \ndisclosure of confidential information, and to obtain patient \nconsent for information release. In addition, the Federal \nPrivacy Act imposes numerous confidentiality requirements on \nhealth plans and providers participating in the Medicare \nprogram. Similarly, the Institutional Review Board (IRB) \nprocess involving clinical research holds pharmaceutical \nmanufacturers, device manufacturers and other researchers to \nstringent confidentiality standards.\n    5. Strong federal preemption of state law. The HLC strongly \nsupports effective federal confidentiality protections for \nconsumers as long as the standards include strong and thorough \npreemption of state law in those areas in which the federal \ngovernment has legislated. 
Without adequate preemption, \nproviders, health plans, purchasers and manufacturers would \nessentially be subject to 52 different confidentiality laws, \nwhich is unworkable and leaves consumers vulnerable under a \npatchwork of protections.\n\n                               Conclusion\n\n    With these important HLC principles in mind, we are \nconcerned that current legislative proposals fail to recognize \nthat most health care services today are delivered in some \nintegrated delivery context. Any legislative restrictions \nlimiting access to medical records threaten our ability to \nengage in quality-enhancing activities as well as the very \nexistence of entire categories of medical research. In \naddition, we are concerned about proposals that would require \nthat we obtain patient authorization each time patient \ninformation is used. This could result in a patient\'s ability \nto revoke authorization to use information to provide essential \nservices, as well as undermine research. This is because \nindividuals who deny consent are systematically different in \nimportant ways from individuals who do consent. For example, \nindividuals who deny consent may have had worse outcomes or \nthey may be less satisfied with their care.\n    Studies describing the outcomes of diseases or the \neffectiveness or cost-effectiveness of treatments which exclude \nsuch individuals would be biased--they give us the wrong \nanswer. Moreover, while research is clear on the point that \nindividuals who deny consent are systematically different from \nthose who consent, the direction and magnitude of those \ndifferences are completely unpredictable from study to study. \nSo not only will such research result in the wrong answers, but \nit will be impossible to determine how wrong they are or in \nwhat way. Thus, the reliability and validity of findings from \nsuch research will be suspect and lead to the design of \npotentially incorrect medical treatments. 
The inclusion of all \nqualifying individuals is the only way to assure that accurate \nconclusions are drawn about the prognosis of disease, the \noutcomes of therapy or the quality of care.\n    The underlying motivation for many of the legislative \nproposals is to keep personal medical information between the \npatient and his or her physician. While this idea could be very \nattractive, in our complex health care environment, it is an \nunattainable ideal. For example, in an average medical visit \nthe following individuals and groups have access to a patient\'s \ncomplete medical record: the appointment office, the \nregistration desk, all physicians, physician assistants, and \nnurses who provide care for the patient as well as their \nreceptionists and secretaries, all laboratory, EKG, and x-ray \ntechnicians who perform the necessary tests, infection control \nofficers who regularly survey medical records for reportable \ndiseases, continuous improvement staff who strive to improve \nour health care processes, members of the marketing department \nwho seek to ensure patient satisfaction, the business office \nfor billing, the legal department, and insurers and other \nthird-party payers.\n    With this in mind, the Healthcare Leadership Council would \nlike to work with lawmakers in search of meaningful and \nbalanced federal confidentiality standards that allow us to \nachieve the promise of the information-based 21st Century \nhealth care delivery system. 
The HLC looks forward to working \nwith you and your staff.\n    Thank you for your attention and leadership on this most \nimportant issue.\n      \n\n                                ______\n\n                      International Society for            \n                               Pharmacoepidemiology        \n                           2000 L Street NW., Suite 200    \n                                       Washington, DC 20036\n                                                     March 25, 1998\n\nThe Honorable Bill Archer\nChairman, House Ways and Means Committee\nAttention: Bradley Schrieber\nRoom: 1102 LHOB\nWashington, DC 20515\n\n    RE: Written Testimony on Medical Confidentiality, March 26, 1998 \nHearing\n\n    Dear Mr. Chairman:\n\n    On behalf of the International Society for Pharmacoepidemiology \n(ISPE), we are pleased to submit written testimony in response to the \nhearing regarding the confidentiality of medical records and draft \nlegislation scheduled for March 26, 1998. Our professional society \nembraces the principle of protecting the confidentiality of \nindividually identifiable medical information while preserving \njustified research access to such information in the interest of the \npublic\'s health.\n    The research conducted by members of our society and others in our \nfield evaluates populations to understand the extent, natural course, \nand burden of diseases. Pharmacoepidemiology is an observational, non-\nexperimental science. In contrast to clinical trials, which are \nexperimental, an epidemiologic observational study observes patients in \nthe real world of clinical medicine, and the patient is at no medical \nrisk from being part of the study. It is the science of \npharmacoepidemiology that is used to evaluate the risks and benefits of \nmedications in large numbers of patients in the real world setting. 
\nPharmacoepidemiologic studies have had a major impact on the public\'s \nhealth in general and on our understanding of the risks and benefits of \nmedications in particular. For example, such studies documented the \nrisk of aspirin and Reye\'s Syndrome in children and the risk of vaginal \ncancer in daughters of women who took diethylstilbestrol (DES) while \npregnant. Pharmacoepidemiologic studies will continue to be important \nin the future. ISPE urges that any new laws or changes in existing laws \naimed at further protecting data privacy be formulated with an \nacknowledgment of the value to society of pharmacoepidemiologic \nresearch.\n    We are especially concerned about legislation relating to patient \ninformed consent and the use of IRBs for certain observational research \nthat uses encrypted patient data, and we pay special attention to the \ndefinition of ``identifiable data.\'\' While the development of new \nlegislation presents an opportunity to strike a fair balance between \nindividual privacy needs and legitimate access to information for \nresearch in the public\'s interest, there is also the opportunity to \ninadvertently stifle important research, while offering no meaningful \nnew protections. We offer our help to you, your colleagues and your \nstaff in the development of legislative answers to these important and \ncomplex issues.\n\n            Yours sincerely,\n                                      Jerome L. Avorn, M.D.\n                                                          President\n                               Elizabeth Andrews, Ph.D.    
\n                                     Chair, Ad Hoc Committee on    \n                                  Data Privacy in the US and Canada\n\nEnclosures\n      \n\n                                ______\n\nInternational Society for Pharmacoepidemiology ISPE Fact Sheet 1997-98\n\n                               Membership\n\n    More than 1300 members from 45 countries\n    * Pharmaceutical Industry--35.6%\n    * Academic Institutions--40.8%\n    * Government Agencies--11.0%\n    * Clinical Practice & Consulting--12.6%\n    * North America--50.1%\n    * Europe--36.1%\n    * Asia--8.6%\n    * Other Continents--5.2%\n    * Correspondents in 19 Countries\n    * National Chapters in Argentina, Belgium, \nNetherlands\n    * Associate to Member of World Health Organization \nCouncil for International Organizations of Medical Sciences \n(CIOMS).\n\n                          Membership Benefits\n\n    * Pharmacoepidemiologic Scientific Forums for \nResearch Interchange\n    * Policy Formulation Relevant to the Professional \nand Research Work Environments\n    * Enhanced Professional Communication:\n    --Forum Networking Opportunities\n    --Reduced Registration for Annual International Conference \non Pharmacoepidemiology\n    --Subscription to the journal\n    --Reduced Subscription Price\n      \n\n                                ______\n\nSociety Objectives\n\n                           Mission Statement\n\n    The International Society for Pharmacoepidemiology (ISPE) is \na non-profit international professional membership organization \ndedicated to promoting pharmacoepidemiology, the science which \napplies epidemiological approaches to studying the use, \neffectiveness, value and safety of pharmaceuticals. ISPE is \nfirmly committed to providing an unbiased scientific forum to \nthe views of all parties with interests in drug development, \ndrug delivery, drug use, drug costs, and drug effects.\n    A. Establishment of scientific forums.\n    1. 
Convene an annual scientific forum where members of the \ndiscipline meet each other, present results of methodologic \ninvestigations and studies in progress, discuss public health \npolicy issues concerning pharmacoepidemiology, etc.\n    2. Convene periodic symposia on scientific and public \npolicy issues of common interest.\n    3. Sponsor industry, provider, and academic caucuses to \naddress issues of particular interest to caucus members.\n    4. Convene periodic consensus conferences.\n    B. Dissemination of scholarly and practical information.\n    1. Publish a newsletter highlighting emerging issues, news \nof the field, employment opportunities, etc.\n    2. Collect information on existing curricula and aid in \ndeveloping curricula criteria and professional training \nstandards. Provide information on worldwide training \nopportunities.\n    3. Sponsor/co-sponsor superior quality peer-\nreviewed publications.\n    C. Facilitation of professional communication.\n    1. Establish a clearinghouse on data resources for \npharmacoepidemiologic studies.\n    2. Establish a directory of pharmacoepidemiology \nconsultants.\n    D. Capacity building.\n    1. Establish funding resources for pharmacoepidemiology \ntraining scholarships.\n    2. Act as an advocate for the field in affecting health \npolicy and the allocation of resources with government \nagencies, the pharmaceutical industry, private foundations, \nuniversities, other professional groups.\n\n    [Additional material is being held in the Committee files.]\n      \n\n                                ______\n\nStatement of Medical Group Management Association\n\n    Mr. Chairman and Members of the Subcommittee, the Medical \nGroup Management Association (MGMA) appreciates this \nopportunity to provide input on the general issue of patient \nconfidentiality. 
As this issue is further developed and \nlegislation is crafted, MGMA will submit a more detailed \nanalysis.\n    MGMA is the oldest and largest association representing \nphysician group practices with more than 8,900 health care \norganizations nationwide in which just under 200,000 physicians \npractice medicine. MGMA\'s membership reflects the diversity of \nphysician organizational structures today, including large tax-\nexempt integrated delivery systems, taxable multi-specialty \nclinics, small single specialty practices, hospital-based \nclinics, academic practice plans, integrated delivery systems, \nmanagement services organizations, and physician practice \nmanagement companies.\n    MGMA believes that the provider-patient bond is the most \nimportant relationship in the health care arena. Even with the \nchanges occurring in the marketplace, the trust engendered in \nthese encounters should remain constant. Physician practices \nhave a duty to patients to ensure their medical records are \nheld in confidence and are disclosed only in appropriate \nsituations. The evolution of information flow, health care \nrecords computerization, managed care contracting, and \norganizational restructuring require an appropriate balance for \nhealth care systems to thrive while simultaneously safeguarding \nthe confidentiality of medical records. The following \nrepresents MGMA\'s support of the highest level of medical \nrecords confidentiality that can be achieved without imposing \nonerous regulations on physician practices.\n\nApplicability to Smaller Practices\n\n    Confidentiality policy should not be predicated on new \npersonnel intensive statutes or regulations, at a time when \npressures to contain costs are forcing physician offices and \nhospitals to decrease staffing. 
MGMA urges Congress and the \nAdministration to consider how confidentiality legislation will \nimpact physician practices. There is no cookie cutter process \nfor all physician offices, and certain provisions, such as \nthose that are technology-based, would disproportionately \nburden small practices.\n\nMedical and Outcomes Research\n\n    Patient confidentiality legislation and regulations should \nnot unnecessarily interfere with legitimate medical research. \nMGMA believes the confidentiality of medical records must be \nbalanced against the benefits of medical research and efforts \nto improve the quality of care. Aggregating medical data, being \nable to access subjects\' profiles, and possibly contacting \nsubjects for follow-up information are vital components of \nmedical research. Institutional review boards should be \npermitted to waive informed consent requirements for the \nminimum amount of necessary disclosure, when appropriate \nstandards have been developed and have been applied to clinical \nand quality research initiatives by institutional review \nboards.\n\nScope of Statutes\n\n    Anyone who improperly discloses confidential medical \nrecords should face civil and criminal penalties. MGMA urges \npolicy makers to adopt confidentiality measures that apply to \neveryone. Whether a health care provider improperly reveals \ninformation to an employer, or a person finds medical records \nand reveals them publicly (e.g., to a newspaper), an individual \nsuffers both emotionally and financially when a person breaks a \nmedical confidence.\n\nNational Standards\n\n    Policy makers should ensure that federal preemption is part \nof confidentiality legislation. Lawmakers should build in \nprotections at the federal level to guard against specific \ntypes of disclosure and discrimination. 
This will ensure that \nevery patient has the security of knowing that his or her \nrecords will remain confidential, and will allow providers with \npatients residing in different states to know how \nconfidentiality standards apply to their practices. National \nuniformity will give physicians one set of standards and will \nmake compliance feasible.\n\nNotification Requirements\n\n    Notifying third parties of incorrect information within a \nmedical record is a shared responsibility. Health care \nproviders should notify those parties they have previously \nprovided with unamended information of substantial changes to a \npatient\'s health records. In addition, if patients notify \nhealth care providers that third parties are in receipt of \nincorrect information, physicians should be responsible for \nnotifying the identified party of changes which substantially \nalter the insurance risk for an individual or substantially \naffect the care rendered by another health care professional. \nIn contrast, asking physician practices to become the hub of a \nnotification cycle between contractors and others who may be in \nreceipt of incorrect information imposes unwarranted regulatory \nburdens on physician practices.\n\nIdentifying Improper Disclosure\n\n    Statutes or regulations should define explicitly improper \ndisclosure of medical records. Federal policy should carve out \nsituations where disclosure is unlawful and attach appropriate \npenalties to identified improper disclosure. This contrasts \nwith the assumption that all but narrowly defined disclosure is \nimproper. MGMA believes that lawmakers can target prohibited \nbehaviors without significantly hindering health care systems\' \noperations or medical research by assuming the impropriety of \ninformation flow. 
As such, MGMA supports the approach taken in \nRepresentative Chris Shays\' draft legislation, which would \nfacilitate compliance with the statute, rather than presuming \nthat all disclosure is improper.\n\nLaw Enforcement\n\n    Law enforcement access to medical records should be \nbalanced against a patient\'s right to privacy. Much as medical \nrecords confidentiality should be balanced against the above \nfactors, it should be considered in light of law enforcement \nneeds. While MGMA acknowledges law enforcement\'s investigative \nneeds, we believe that law enforcement access to records should \nnot be unfettered. Health care providers should release medical \nrecords to law enforcement officials only when police or \ninvestigators have obtained a court order which protects the \ninformation from further disclosure.\n    In closing, we would like to thank the Subcommittee for its \nconsideration of this issue and of MGMA\'s perspective. We will \ncontinue to provide comments as the confidentiality issue \ndevelops and appreciate the opportunity to comment on this \nissue.\n\nFor further information, please contact Rayna L. Richardson, \nGovernment Affairs Representative, at (202) 293-3450.\n      \n\n                                 ______\n\nStatement of National Breast Cancer Coalition\n\n    Thank you, Mr. Chairman and members of the Committee for \nyour leadership efforts to begin to address the important \nissues of patient protection and the advancement of medical \nresearch inherent in the medical privacy discussion as we move \ninto a new era of research and information technology.\n    The National Breast Cancer Coalition (NBCC) is a grassroots \nadvocacy organization dedicated to eradicating breast cancer. \nWe are made up of 400 member organizations and hundreds of \nthousands of individuals. 
The NBCC seeks to increase the \ninfluence of breast cancer survivors and other activists over \nresearch, clinical trials, and public policy and to ensure \naccess to quality health care for all women.\n    It is critical that as the nation begins to address issues \nof medical privacy, we also address issues of genetic \ndiscrimination. The NBCC strongly believes federal legislation \nis needed to establish a national policy which ensures \nconfidentiality; protects individuals from genetic \ndiscrimination; controls the use of health information \ncollected by health care payers and providers; requires \nauthorization for the use of an individual\'s health information \nfor other purposes; and does not impede the progress of \nbiomedical, behavioral, epidemiological and health services \nresearch. We believe medical research should be encouraged and \npursued--but in a way that protects the rights of individuals \nand enhances public trust in medical research. We want to work \ntogether with policy makers and the scientific community to \nstrike the appropriate balance between the protection of \nindividual privacy rights and the pursuit of biomedical \nresearch.\n    The NBCC believes individual privacy rights are fundamental \nto being a citizen in this country. As breast cancer survivors, \nwe believe that our illness, diagnosis, treatment and prognosis \nis very personal and intimate information. It is paramount to \nNBCC, that individuals have the right to decide to whom and \nunder what circumstances their protected health information, \nincluding genetic information, will be disclosed and the right \nto inspect and copy their own medical records.\n    In addition, the NBCC believes medical privacy and \ndiscrimination around genetic testing are related issues which \nmust be addressed simultaneously. 
Genetic discrimination issues \ndrive many of the underlying medical privacy concerns, so to \ntry to regulate medical privacy without confronting issues of \ngenetic discrimination is ludicrous. For example, to ensure \nprotection against genetic discrimination, individuals should \nbe able to segregate certain private information to be filed \nseparately so it will not be distributed to health care payers \nwith the rest of the patient\'s chart. Breast cancer patients \nshould be able to request that genetic information such as BRCA \n1 and BRCA 2 test results are not sent to insurers or others, \nbut are sent to the radiologist to ensure the results of a \nmammogram are read accordingly.\n    The misuse of medical information must stop. We do not want \nto wake up like we did earlier this year to front-page \nnewspaper stories about major pharmacies selling medical \nrecords to marketing firms without authorization. Nor should we \nbe fearful of talking frankly with our physicians about our \nmedical conditions because the information may end up in the \nwrong hands or cost us our health insurance or jobs. The \nincreasing complexity of the current information age demands a \npublic solution to protect our rights to privacy. Federal \nlegislation must be enacted which will safeguard our privacy, \nprohibit the unauthorized disclosure of protected health \ninformation (except under very limited exceptions) and protect \nan individual\'s personally identified health information from \nmisuse.\n    We need protection against the improper use and \nunauthorized disclosure of genetic information. Everyone \ncheered the discovery of the breast cancer genes, BRCA 1 and \nBRCA 2, but if we are ever going to have the knowledge for this \ndiscovery to make a difference in eradicating breast cancer we \nmust limit disclosure of genetic information and outlaw genetic \ndiscrimination in health insurance and the workplace. 
Such \ndisclosure can cause significant harm to individuals, including \nstigmatization and discrimination by health insurers and \nemployers. At the very least, the NBCC believes that an entity \nshould be prohibited from disclosing genetic information \nwithout the prior written authorization of the individual. We \nalso believe legislation should include prohibitions against \ndiscrimination by employers, making it unlawful to refuse to \nhire, to discharge, or to deprive individuals of employment \nopportunities based on genetic information, including an \nindividual\'s request for genetic services. It should also \nextend such protections against genetic discrimination to \nhealth insurance and prohibit health plans from denying, \ncanceling, refusing to renew, or changing the terms, premiums \nor conditions based on genetic information.\n    In addition, federal legislation must limit authorization \nfor disclosure of protected health information only to what is \nnecessary for the provision of treatment and payment services. \nThe ability of insurance companies to share medical information \nthroughout its other divisions is a direct threat to the \nprivacy and protection of medical records. Most insurance \ncompanies are complex financial institutions. Without \nprotection, the same company that pays for health care would be \nable to share medical information across divisions, such as \nlife insurance, financial planning, disability, etc. We believe \nthere should be strong criminal and civil penalties for \nintentionally or negligently using individually identifiable \nhealth information and individuals should have a civil right of \naction against anyone who misuses their protected health \ninformation.\n    A critical piece to protecting medical information is \ninformed consent. But informed consent today affords little, if \nany, protection. These documents are rarely read because of \ntheir length and legal terminology. 
As patients seeking medical \ncare, we have to sign blanket waivers allowing disclosure of \nour medical information in order to obtain treatment or payment \nfor care. These authorizations do not protect us as they should \nfrom unnecessary disclosure because we have no idea how the \ninformation will be used. Women sign these documents because \nthey think their signature is necessary to receive vital health \ncare. The NBCC believes that any authorization should be \nlimited to treatment services and payment purposes and that the \ndefinition of information that can be provided be construed as \nnarrowly as possible. A legal obligation of confidentiality \nshould be imposed on those who provide and pay for health care, \nas well as on the entities that receive that health \ninformation.\n    Securing medical privacy rights, however, should not come \nat the expense of medical research. Despite our best efforts \nand your leadership, breast cancer is still the most common \nform of cancer in women. We still do not know the cause or have \na cure for this dreaded disease. Over the past few years, there \nhave been incredible discoveries at a very rapid rate that \noffer fascinating insights into the biology of breast cancer, \nsuch as the isolation of breast cancer susceptibility genes and \ndiscoveries about the basic mechanisms of cancer cells. These \ndiscoveries have brought into sharp focus some of the areas of \nresearch that hold promise.\n    The NBCC believes that legislation protecting medical \ninformation and privacy should be balanced. We want to see \nfederal standards that safeguard personal health information \nwhile protecting the ability of researchers to conduct vital \nbiomedical research. We don\'t believe that you can have one \nwithout the other. Knowledge about how to prevent and cure \nbreast cancer will only come if women participate in research. 
\nBut without appropriate safeguards against misuse, public \ndistrust will increase and few women will be willing to \nparticipate in research efforts, whether donating tissue or \nenrolling in clinical trials. Women will have the confidence to \nparticipate in clinical trials only if they believe that their \nindividual health information will be kept private so that it \ncan\'t be used against them by insurers or employers. In \naddition, without a guarantee of privacy, women are less likely \nto be honest with their doctors, endangering their own health \nand slowing the overall progress of improved health care for \nthe general population. It can\'t be emphasized enough that we \nmust focus our attention on building public trust. There has to \nbe real, believable protection if women are to place their \ntrust in the medical and research process.\n    The NBCC would like to see the common rule protections \nextended beyond research funded by the National Institutes of \nHealth. The NBCC believes these protections should be the same \nfor all medical research whether publicly or privately funded. \nMuch benefit to research could be obtained by giving research \nspecial privacy considerations. It may make it easier to \ndistinguish research access from clinical chart access.\n    The NBCC believes that ideally there should be one federal \nstatute that effectively guarantees privacy rights, but given \nthe reality, we think it is advisable that federal legislation \nbe seen as the floor; and that states should be able to pass \nlaws that allow more stringent safeguards that do not, at the \nsame time, inhibit medical research from going forward.\n    Mr. Chairman, and members of the Committee, thank you again \nfor your leadership on this important issue. 
We look forward to \nworking with you to restore public confidence and trust in our \nmedical system, and to achieve the necessary balance between \nindividual privacy and the promise of medical research.\n      \n\n                                 ______\n\nStatement of National Pressure Ulcer Advisory Panel, Alexandria, \nVirginia, Rita Frantz\n\n                            I. Introduction\n\n    My name is Rita Frantz and I am the current President of \nthe National Pressure Ulcer Advisory Panel. I am also a \nProfessor at the College of Nursing at the University of Iowa. \nI am submitting this testimony on behalf of the National \nPressure Ulcer Advisory Panel (NPUAP). The NPUAP appreciates \nthe opportunity to provide written comments for the record \nregarding patient confidentiality.\n    The NPUAP is an independent, not-for-profit organization \ndedicated to the prevention and management of pressure ulcers. \nFormed in 1987, the NPUAP is comprised of fifteen leading \nauthorities, representing various disciplines, including \nmedicine, nursing, research, physical therapy and education--\nall of whom share a commitment to the prevention and management \nof pressure ulcers. The NPUAP serves as a resource to health \ncare professionals and, while not a membership organization, \nwelcomes and encourages the participation of those interested \nin the pressure ulcer issues through utilization of NPUAP \neducational materials, participation at national conferences, \nand support of NPUAP efforts in education, public policy and \nresearch.\n    Our organization was instrumental in developing the medical \ncriteria and utilization parameters adopted by the Durable \nMedical Equipment Regional Carriers. Moreover, our panel \nmembers developed a definition and staging system for pressure \nulcers. 
The Agency for Health Care Policy and Research used \nthese guidelines when they developed their publication, \n``Pressure Ulcers in Adults: Prediction and Prevention.\'\'\n    The goal of the NPUAP is to assist health care \nprofessionals in reducing the incidence of pressure ulcers by \n50%. In order to achieve this goal, our panel members, \nindependent of the NPUAP, conduct extensive clinical trials and \nresearch. The impending patient confidentiality issue greatly \nimpacts the clinical trials and research of our members. The \nNPUAP supports respecting and preserving patient \nconfidentiality. There is a need for enforcing privacy in \nmedical records. Any privacy initiatives, however, should not \nbe so restrictive as to hamper quality assurance, vital health \ncare research and education.\n    Specifically, NPUAP is concerned that while protecting a \npatient\'s rights to privacy, Congress\'s actions may \ninadvertently harm the interests of patients by unnecessarily \nrestricting access to information needed by researchers and \nclinicians to (1) determine the safety and effectiveness of \nmedical treatments, (2) assess the usefulness of diagnostic \ntests, (3) identify disease risk factors, (4) monitor the cost \neffectiveness of new interventions, (5) educate those entering \nthe medical profession, and (6) ensure quality assurance/ \nimprovements. Such information is necessary to continue \nproviding the public with health care.\n\n                           II. Authorization\n\n    The first issue of concern for the NPUAP regards proposed \nlanguage that requires authorization every time a patient\'s \nrecord is accessed. The NPUAP agrees that patient authorization \nis necessary. We believe that a patient\'s authorization should \nbe required in order to use a patient\'s medical record for a \nclinical or chart review study before beginning to conduct the \nstudy. However, we believe that only one authorization is \nnecessary per study. 
If the focus of the study changes a new \nauthorization should be sought. Requiring authorization every \ntime the patient\'s record is accessed will greatly impact \nquality assurance, research and development and clinical trials \nas discussed in more detail below.\n\nQuality Assurance\n\n    Quality assurance is required by JCAHO in every care \nsetting that it accredits. Some state health departments or \nlicensing agencies also require quality assurance activities in \nall nursing homes and home health agencies. Quality assurance \nis a standard of care. Most quality assurance activities \ninvolve chart review or collecting clinical information to \nimprove the quality or delivery of care. Requiring patient \nauthorization for every quality assurance activity would \ndramatically affect quality assurance efforts due to \nsubstantial burdens on time and labor. Furthermore, restricting \ndata as inputs to quantitative studies minimizes the \nstatistical significance of the resulting conclusions.\n    Quality improvement review of a patient\'s record requiring \nauthorization would exclude many patients who are demented or \nconfused and who do not have a legal guardian. These are the \nvery patients for whom this kind of research is important. If \nwe are unable to collect data on them because of the lack of a \nlegally appointed guardian, a large number of patients will be \nomitted from studies.\n    Chart review studies within facilities designed to monitor \nquality of care, track outcomes, provide data to develop \ncritical pathways or improve care are not truly ``Institutional \nReview Board (IRB) reviewed studies.\'\' They also do not fit \ninto the category of ``treatment or payment\'\' as defined in the \ndraft legislative proposals or in the Secretary\'s \nrecommendations. This access to medical records is an important \nquality improvement mechanism. 
Currently, there is no \nauthorization requirement if the chart review is for quality \nassurance purposes. There should not be additional safeguards \nplaced on facilities monitoring quality assurance or \nimprovement. The NPUAP believes that quality assurance \nmonitoring or studies should be excluded from any new or \nadditional requirements.\n    If the study is an IRB reviewed study, upon obtaining \ninformed consent, the IRB must approve the chart review \nprocess. Technically, this requires re-review for any new \nsurvey questions or tests that may be added on as an \nafterthought. If the data gathered is from a previous chart review \nand it will be used for new or different analysis compared to \nthe original study\'s intent, a new consent is required. For \nexample, if a chart is reviewed to determine risk factors for \npressure ulcers and later decide to re-analyze the same data \nand publish a paper on socio-economics, a new consent is \nrequired. The NPUAP supports the current IRB system and would \nlike to see it maintained. IRB review is specifically designed \nto protect the rights of subjects, including the right of \nconfidentiality.\n\nResearch and Clinical Trials\n\n    Innovations in medicine and medical technology continually \nrevolutionize health care research. Continued progress depends \non research and clinical trials. Frequently, the clinical \ntrials and research involve collaboration with providers to \nstudy the safety of products utilized in clinical practice for \ntreatment and prevention of pressure ulcers. In addition, \nresults of research studies help design new clinical trials and \nmonitor how well treatments work in clinical practice.\n    There is a requirement to obtain authorization for human \nsubjects prior to enrolling them in a research study. 
All \ninstitutions that receive some type of federal funding must \nprovide for review of research involving human subjects and \nmust ensure that investigators obtain consent from subjects \nused in their research.\n    Chart review studies are a rich source for research. Many \nof the studies that the Agency for Health Care Policy and \nResearch (AHCPR) panel used in the development of the \n``Guideline for Pressure Ulcer Treatment and Prevention\'\' were \neither chart review studies or clinical trials that were built \non information gained with pilot chart review studies. For \nexample, much of what we know about risk factors for pressure \nulcer development is based on chart review studies. Chart \nreview studies are currently approved by IRBs without \nindividual patient authorization provided confidentiality is \nmaintained and there are no individual patient identifiers in \nthe results.\n    In general the IRBs do a good job of reviewing each \nproposal on its own merits and helping to design a process that \nprotects subjects\' confidentiality and safety, while trying to \nfacilitate rather than block research. Each proposal is \nreviewed based on the overall risk to patients and the true \nneed for the information. Therefore, in a clinical trial the \npatient expressly consents to the researcher\'s use of their \nmedical information. As a result, the NPUAP does not believe \nthat there is any need to require any further safeguards in \nthis area. IRB monitored chart review research should continue \nwithout individual patient authorization...given the protective \nrestrictions that currently apply.\n\n                             III. Encoding\n\n    The second topic NPUAP would like to address is the \nencoding issue. NPUAP believes that if patient identifiable \ninformation is used in research or clinical studies, it should \nbe encoded: replacing identifying information by a code. 
The \nidentity of the patient is not apparent from the information \nitself, but from the code issued.\n    If the patient\'s record is non-identifiable and the study \ncontains no patient identifiable information, no consent is \ncurrently necessary. In this case, a medical record person, not \nconnected with the study, makes a copy of the chart, goes \nthrough each page and blacks out any reference to patient \nidentification. Non-identifiable patient specific information \nis also information that has been aggregated in such a manner \nthat the identities of the subjects cannot be identified under \nany circumstances. Under these circumstances, the charts can be \nused for any purpose desired by the researcher. This process is \nextremely labor intensive and expensive. Non-identifiable \npatient informational data is generally not as useful for \nresearch as it lacks the detail that is required for meaningful \nor sophisticated analysis. A researcher could not recheck the \nchart or gather additional information for their particular \nstudy with non-identifiable patient information. A researcher \ncould not notify the patient if they identified a problem in \nthe patient\'s care plan or treatment.\n    For clinical studies patient authorization documents should \nstate that the researcher might need access to the patient\'s \nmedical information for auditing and source verification. \nFurthermore, the authorization document should include a \nstatement that the patient identifiable information will remain \nconfidential. By signing the consent, the patient, or the \npatient\'s representative, has given their approval to review \nthe medical record.\n    Once the authorization is obtained, patient\'s information \nbecomes randomized. A subject number is assigned to a patient. \nThis number is provided in an envelope, along with the \ntreatment assigned by the clinical product number. 
The \nprincipal researcher then cites the subject number and their \ninitials on each case report form for the patient. Only subject \nnumbers are used in the data listings and subsequent reports. \nThe identity of each patient can only be determined by the \nresearcher. NPUAP believes this process for research is \npractical.\n\n                             IV. Preemption\n\n    The NPUAP believes that the standards imposed by any \nlegislative proposal should be universally applied. The NPUAP \nbelieves that there should be preemption of state laws. Uniform \nstandards that preserve patient rights and that foster high \nquality clinical research efforts should be adopted.\n\n                           V. Clarifications\n\n    In the Secretary\'s recommendations, and in some of the legislative \ndrafts, there has been language suggesting that a patient can amend \ntheir medical record. It is unclear what type of amendments a patient \nwould be permitted to make. If a patient is simply amending \nadministrative items (address, phone number) that is acceptable. \nHowever, the NPUAP strongly disagrees with any language allowing a \npatient to amend medical or diagnosis information. The NPUAP believes \nthat you should either prohibit a patient from amending their medical \nrecords or clarify this language to reflect what type of amendments a \npatient could make to their record. By not having this clarification \nand stating that a patient can amend their medical records, you imply \nthey can amend their medical or diagnosis information. Besides the \nimpending medical malpractice that would result, a patient should not \nbe able to amend their medical information. 
NPUAP urges you to clarify \nthe language so a patient is prohibited from amending any medical or \ndiagnosis information contained in their medical record.\n    In the Secretary\'s recommendations and in drafted legislative \nproposals authorization is not required for disclosure of protected \nhealth information for payment purposes. It is unclear what is included \nin the term ``payment purposes.\'\' If a provider of services were \nrequired to obtain a certificate of medical necessity, which includes \npatient identifiable information in order to be paid, would they be \npermitted to obtain the information without authorization?\n    A patient\'s record must be accessible to providers to the extent \nthe information is needed to facilitate billing and care plan \ndevelopment. Failing to keep these records available could lead to \nduplication of services, missed diagnosis, and possibly abusive billing \npractices. Without the data required to establish medical necessity a \nprovider would either not get paid or they could not successfully \nappeal any denials. The NPUAP believes a provider should be required to \nobtain a one-time billing authorization. However, to require providers \nto obtain an authorization every time a provider needed information for \nbilling or appeals purposes would be a costly burden. The definition \nfor ``payment purposes\'\' must be clarified.\n\n                             VI. Conclusion\n\n    In summary, as your Subcommittee considers patient medical \nrecords privacy and confidentiality standards, the NPUAP \nimplores you to remember how vital medical and records research \nis to maintaining and improving health care. 
Research on \nprevention, new treatments and products depends on patients\' \nparticipation in clinical trials and researchers\' access to \ntheir relevant medical information as well as patient databases.\n    Blanket signed authorizations allowing transfers of medical \ninformation to insurance companies, credit organizations, \nemployers, etc. are problematic. This information can be either \nsold or transferred to national data banks where information \nmay be used against the consumer or used for discriminatory \npurposes. This process should be stopped and medical \ninformation should be protected.\n    The NPUAP supports reasonable protections with appropriate \nsafeguards. The NPUAP supports legislative language requiring \npatient authorization. However, we believe the requirements of \nthe IRB are stringent enough and therefore, clinical research \nshould be exempt from any new or additional requirements. The \nNPUAP also believes that access to encoded data should be \nexcluded from any new requirements or restrictions applicable \nto information that identifies the patient. Only data sources \nor collections of samples that directly identify individuals \nshould be subject to confidentiality protections. Finally, \nuniform national standards that preempt state laws concerning \nconfidentiality are necessary.\n    The NPUAP thanks you for the opportunity to submit this \nwritten testimony. We would be happy to provide you with any \nadditional information or answer any questions you may have.\n      \n\n                                 ______\n\nStatement of Congressman Christopher Shays\n\n    Thank you Mr. Chairman and Members of the Committee for the \nopportunity to provide you with my thoughts on medical records \nconfidentiality.\n    On September 11, Secretary Shalala testified that \nprotecting the confidentiality of medical records is critical \nas our health system enters the 21st century. 
I couldn\'t agree \nmore.\n    Under the Health Insurance Portability and Accountability \nAct, known as HIPAA or Kassebaum-Kennedy, Congress set a \nschedule for action on this issue. Should Congress fail to \nenact comprehensive legislation to protect the confidentiality \nof patients\' medical records by August of next year, the \nSecretary will promulgate regulations by February 2000. I do \nnot welcome the prospect that the Secretary will impose \nregulations--without Congressional debate or review--that could \nimpact all facets of our health care system.\n    I want to recognize the efforts of Senators Bennett and \nJeffords to move forward in this area. Their recognition that \nthis is a serious problem has elevated the debate to a ``must \ndo\'\' issue. Generally, the Senate has been driving the debate \non legislation to protect the confidentiality of medical \nrecords. I am concerned, however, that the approach currently \nbeing devised by the Senate Labor Committee is overly \nburdensome. That is why I have been working on a different \napproach to spark discussion on this side of Capitol Hill. It \nis an important effort that I hope this subcommittee examines \ncarefully.\n    Mr. Chairman, this is a complex problem that spans a broad \nspectrum of interests. In general, there are two opposing camps \nwith very distinct and legitimate claims. One seeks to secure \nabsolute privacy that would make it difficult, if not \nimpossible, to coordinate the delivery of health services. The \nother seeks to protect the confidentiality of medical records \nand maintain largely untouched the current low standard of \nprotections currently afforded to health information. I believe \nthe solution lies somewhere in between.\n    Those who seek to secure absolute privacy in a health \ncontext are prescribing a disaster for our health delivery \nsystem. 
We need to balance competing interests, between a \nperson\'s legitimate expectation of confidentiality and a \nbusiness\'s need to know what it is paying for. In my judgment, \nthe way to accomplish this is to leave the computer databases \nalone--and criminalize misuse of their data, recognizing there \nare both appropriate and inappropriate uses for medical \ninformation.\n    Unfortunately, there is no guiding legal principle in this \narea. Instead, there is a patchwork of state and federal law \nthat protects people in some states with some diagnoses but not \nothers. A strong, uniform law is necessary to preempt the quilt \nof state protections that treat medical records differently. \nMulti-state health plans that submit bills to clearinghouses \nwho then forward claims to separate payors cannot operate \nthrough a maze of differing standards, regulations and \nrestrictions.\n    The bill I intend to introduce next week, hopefully with \nthe Chairman\'s support, will protect the confidentiality of \nmedical records while protecting legitimate uses. The \nlegislation will delineate the inappropriate uses of medical \ninformation--such as intentional or negligent disclosure, sale \nor commercial publication, or the use of fraud, deceit or \nmisrepresentation to access information. These prohibitions \nrelate specifically to individually identifiable information. \nUse of anonymous information will not be affected, unless \nintentionally decoded.\n    In addition, my bill will allow patients to inspect, copy \nand, where appropriate, amend their medical records. Finally, \nthe bill will impose strong criminal and civil penalties for \ninappropriate disclosures, and will preempt state law, creating \na uniform system. 
Combined, these proposals should enhance the \nsecurity of the patient medical record without jeopardizing \nadvances in quality health care.\n    With current technology and future advances there are both \nreal dangers and substantial opportunities with respect to \nprotected health information. Absent strong, practical and \nworkable standards, many will fall victim to those dangers and \nopportunities will be missed.\n    Innovative developments in the delivery of health services \nand technological advancements mean health information is both \nmore important and more vulnerable. While we can all agree that \nsensitive information such as psychological evaluations and \ndrug abuse counseling needs to be kept private, we also need to \nallow health plans and researchers to review health information \nto improve education and treatment.\n    It is my hope we can pass a national confidentiality law \nassuring patients\' rights, while balancing the interests of \npayors and providers, data processors, law enforcement \nagencies, and researchers. Congress should pass legislation to \nsecure the confidentiality of medical records, and it should be \ndone this year.\n    Mr. Chairman, I appreciate the opportunity to share these \nviews with you.\n\n</pre></body></html>\n'