[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]



 
 MEDICAL RECORDS CONFIDENTIALITY IN THE MODERN DELIVERY OF HEALTH CARE

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                         HEALTH AND ENVIRONMENT

                                 of the

                         COMMITTEE ON COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 27, 1999

                               __________

                           Serial No. 106-34

                               __________

            Printed for the use of the Committee on Commerce


                                


                      U.S. GOVERNMENT PRINTING OFFICE
 57-441CC                    WASHINGTON : 1999
------------------------------------------------------------------------------
                   For sale by the U.S. Government Printing Office
 Superintendent of Documents, Congressional Sales Office, Washington, DC 20402



                         COMMITTEE ON COMMERCE

                     TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas                    RALPH M. HALL, Texas
FRED UPTON, Michigan                 RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania     BART GORDON, Tennessee
CHRISTOPHER COX, California          PETER DEUTSCH, Florida
NATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma              ANNA G. ESHOO, California
RICHARD BURR, North Carolina         RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California         BART STUPAK, Michigan
ED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York
GREG GANSKE, Iowa                    THOMAS C. SAWYER, Ohio
CHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma              GENE GREEN, Texas
RICK LAZIO, New York                 KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio
JAMES E. ROGAN, California           DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico           BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona             LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING, 
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

                   James E. Derderian, Chief of Staff
                   James D. Barnette, General Counsel
      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

                 Subcommittee on Health and Environment

                  MICHAEL BILIRAKIS, Florida, Chairman

FRED UPTON, Michigan                 SHERROD BROWN, Ohio
CLIFF STEARNS, Florida               HENRY A. WAXMAN, California
JAMES C. GREENWOOD, Pennsylvania     FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 PETER DEUTSCH, Florida
RICHARD BURR, North Carolina         BART STUPAK, Michigan
BRIAN P. BILBRAY, California         GENE GREEN, Texas
ED WHITFIELD, Kentucky               TED STRICKLAND, Ohio
GREG GANSKE, Iowa                    DIANA DeGETTE, Colorado
CHARLIE NORWOOD, Georgia             THOMAS M. BARRETT, Wisconsin
TOM A. COBURN, Oklahoma              LOIS CAPPS, California
  Vice Chairman                      RALPH M. HALL, Texas
RICK LAZIO, New York                 EDOLPHUS TOWNS, New York
BARBARA CUBIN, Wyoming               ANNA G. ESHOO, California
JOHN B. SHADEGG, Arizona             JOHN D. DINGELL, Michigan,
CHARLES W. ``CHIP'' PICKERING,         (Ex Officio)
Mississippi
ED BRYANT, Tennessee
TOM BLILEY, Virginia,
  (Ex Officio)



                            C O N T E N T S

                               __________

Testimony of:
    Amdur, Robert, Former Associate Professor of Medicine and 
      Chairperson, Dartmouth Committee for the Protection of 
      Human Subjects, Dartmouth Medical School
    Gencarelli, Dawn M., Manager, Health Policy, Harvard Pilgrim 
      Health Care
    Hamburg, Margaret A., Assistant Secretary for Planning and 
      Evaluation, Department of Health and Human Services; 
      accompanied by Lana Skirboll, Associate Director for 
      Science Policy, National Institutes of Health; and John 
      Eisenberg, Administrator, Agency for Health Care Policy and 
      Research
    Jacobsen, Steven J., Director, Section of Clinical 
      Epidemiology, the Mayo Foundation
    Koyanagi, Chris, Director of Legislative Policy, Judge 
      Bazelon Center for Mental Health Law, on behalf of Consumer 
      Coalition for Health Privacy
    Krinsky, Daniel L., Director, Patient Services and Pharmacy 
      Practice, Ritzman Pharmacies, Inc.
    Latanich, Terry S., Senior Vice President, Government 
      Affairs, Merck-Medco
    Meyer, Roberta, Senior Counsel, American Council of Life 
      Insurance
    Meyers, Abbey, President, National Organization of Rare 
      Disorders
    O'Keefe, Mark, Commissioner of Insurance, Department of 
      Insurance, State of Montana
    Stump, David C., Genentech Fellow
    Visco, Fran, President, National Breast Cancer Coalition
    Zubeldia, Kepa, Vice President of Technology, Envoy 
      Corporation
Material submitted for the record by:
    Hamburg, Margaret A., Assistant Secretary for Planning and 
      Evaluation, Department of Health and Human Services, letter 
      enclosing response for the record




 MEDICAL RECORDS CONFIDENTIALITY IN THE MODERN DELIVERY OF HEALTH CARE

                              ----------                              


                         THURSDAY, MAY 27, 1999

                  House of Representatives,
                             Committee on Commerce,
                    Subcommittee on Health and Environment,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2322, Rayburn House Office Building, Hon. Michael 
Bilirakis (chairman) presiding.
    Members present: Representatives Bilirakis, Deal, Burr, 
Whitfield, Bryant, Brown, Waxman, Towns, and Eshoo.
    Also present: Representative Markey.
    Staff present: Marc Wheat, majority counsel; John Manthei, 
majority counsel; Patrick Morrisey, majority counsel; Karen 
Folk, minority professional staff; and Amy Droskoski, minority 
professional staff.
    Mr. Bilirakis. The hearing will come to order. Good 
morning. I would like to thank all of you, particularly our 
witnesses, for gathering today to begin this subcommittee's 
examination of medical record confidentiality.
    The purpose of today's hearing is to have an open 
discussion, without focusing on any specific legislative 
proposal, about several contentious issues raised in this 
debate. I was proud to work on the Health Insurance Portability 
and Accountability Act of 1996 which allowed portability and 
removed preexisting restrictions on insurance. Under the act, 
Congress is mandated to pass legislation addressing the 
confidentiality of identifiable health information by August 
21, 1999. Failure to do so would trigger a requirement that the 
Secretary of Health and Human Services promulgate regulations 
by February 1, 2000, to address the confidentiality of 
administrative data stored and transmitted electronically.
    It is significant to note that the Secretary's regulatory 
authority is more narrow than the broader debate on patient 
confidentiality. The Secretary's regulations may encompass 
standards relating to patient health information that is 
transmitted and stored electronically. However, while the 
modern health care delivery system is increasingly 
electronically based, most patient health information remains 
paper-based.
    Medical records contain some of our most sensitive and 
personal information. There is little argument that patient 
confidentiality of this information must be safeguarded. 
Additionally, abuse of this information cannot be tolerated, 
and everyone must be held accountable for protecting the 
privacy of this information.
    Yet, we must realize the unintended consequences that such 
legislation may bring about. If legislation goes too far, the 
quality of health care in this country may be seriously 
jeopardized. The modern delivery of health care in this country 
is an integrated system that in many instances no longer 
involves just patients and their doctors. The system, as we 
know, has innumerable benefits: disease management programs, 
protection against adverse drug reactions, and controlling the 
rising costs of health to ensure that more Americans have 
access to care.
    Additionally, we must make sure that in addressing this 
problem, we do not unnecessarily compromise ongoing research 
relating to drugs, medical devices and treatment regimens of 
approved products. We cannot leave large gaps in our knowledge 
about products already on the market and prevent new and 
innovative products from ever being developed. As the 
subcommittee moves forward, it is my hope that Congress will 
develop responsible legislation to establish safeguards 
protecting confidential medical information, encourage strict 
accountability in how this information may be used, and require 
tough penalties for misuse of this information.
    I would like to welcome our witnesses this morning. I look 
forward to--and I would like to thank all of you. I look 
forward to, of course, hearing your testimony. But first I 
would recognize Mr. Brown for an opening statement.
    Mr. Brown. Thank you, Mr. Chairman.
    I would also like to thank the witnesses. In particular, I 
would like to recognize Dan Krinsky from Ritzman Pharmacies in 
Wadsworth, Ohio, in my district.
    Thank all of you for joining us, Dr. Hamburg, and all of 
you for joining us today. I am impressed by the scope and the 
diversity of today's panels. I know that it is sometimes 
difficult to arrange for a fully representative and balanced 
list of witnesses, but the value of these subcommittee hearings 
can hinge on achieving such a balance. I hope that we can 
continue to work toward that balance for future hearings.
    Why is it important to pass a medical records privacy bill? 
I was struck by a recent piece in The Washington Post about an 
incident in Alexandria, Virginia. Apparently after a car was 
stolen near a methadone clinic, the police determined that it 
would be useful to see the clinical records of all of the 
patients using the clinic on the premise that this information 
would somehow help them identify future car thieves.
    Without the consent of the patients, they demanded and 
copied hundreds of private medical records. That doesn't sound 
like something that should happen in this country, but it 
happened not too far from the United States capital.
    We need to pass a medical records privacy bill. In 1997, 
Congress assigned itself the responsibility of establishing 
such protections before August 1999. Several members of this 
committee, including Mr. Markey and Mr. Waxman, Mr. Towns and 
Mr. Greenwood have played key roles in enabling Congress to 
fulfill that commitment. They have done most of the leg work 
for us.
    In light of the complexity of this issue, we owe them a 
tremendous debt of gratitude for doing that. Now it is our turn 
to take a real look at these issues. There is general consensus 
around the goals, the things that we do and do not want to do. 
We want to make sure that individuals can gain access to 
personal medical information; we want to make sure that 
individuals have the first and last say over personally 
identifiable medical information, who can see it, who use it, 
for what purposes.
    We also want to encourage participation in medical research 
by ensuring the confidentiality of any personal information 
used in that research. What we do not want to do is 
inappropriately hinder proper and beneficial uses of medical 
information. The goals may be simple, unfortunately surely 
striking the right balance between them is not. I am a 
cosponsor of the Health Information Privacy Act, legislation 
introduced by Mr. Waxman and Mr. Condit that I believe 
reconciles these priorities in a way that makes sense and 
serves the best interests of individuals and the public. But I 
also think that it is important to keep an open mind as our 
panelists share their perspectives on two of the most 
controversial issues addressed in this bill, preemption of 
State laws and authorization requirements for medical research.
    I would also hope in this or a future hearing we could 
discuss a relevant issue identified by Mr. Towns and addressed 
in his bill, H.R. 307. That issue involves the fate of medical 
records when a health care provider or carrier goes out of 
business. This situation obviously raises access and privacy 
issues.
    The steps this Congress takes in regard to medical records 
privacy are important to every individual in the United States. 
Our committee will play a critical role in ensuring a strong 
effective bill. I look forward, Mr. Chairman, to our future 
efforts toward that end.
    Mr. Bilirakis. I thank the gentleman.
    Mr. Bryant for an opening statement.
    Mr. Bryant. Thank you, Mr. Chairman.
    I will be brief this morning as I know that we have a long 
list of distinguished witnesses waiting to testify, and I am 
eager to hear what you have to say.
    I will have to excuse myself briefly for a short mark up 
after my statement, but I do want to return and hear from you 
so I will be back shortly. When we talk about trying to ensure 
the confidentiality of the patient identifiable health 
information in this day and age, the era of technology and 
Internet and so much information stored electronically, we are 
talking about no small feat. We can all agree that patient 
identifiable information should be readily available for 
patient treatment and securing payment for that treatment.
    But there are ongoing discussions about the appropriate 
uses of information for other purposes including quality 
improvement, health research, public health, health oversight 
and the list goes on. We in Congress are now charged with 
putting together responsible legislation that sets the 
parameters of how and when and under what circumstances the 
patient's information can be used and what the penalties would 
be for violations.
    If Congress doesn't pass legislation prior to August 21 of 
this year, by law, the Secretary of Health and Human Services 
could put forth regulations regarding electronic medical data. 
I know a representative from HHS is here today this morning to 
outline what their proposal is, but I also know that it is very 
important to many of my constituents that Congress take the 
lead in this area. My constituents feel that Congress could do 
a better job, and they don't want the HHS regulations.
    This meeting is the first step in the right direction and I 
want to thank the chairman and the ranking member for holding 
this hearing.
    I look forward to your testimony, as I said earlier. And I 
am grateful to the witnesses for taking time out of their busy 
schedules to be here today, and I would yield back my time.
    Mr. Bilirakis. I thank the gentleman.
    Ms. Eshoo for an opening statement.
    Ms. Eshoo. Thank you, Mr. Chairman, for holding this very 
important hearing today.
    First, I want to salute my colleagues, Mr. Markey and Mr. 
Waxman and the ranking member of the full committee, Mr. 
Dingell, for the work that they have done in introducing 
legislation on the issue of medical records privacy.
    I think that it is absolutely incumbent upon this Congress 
to enact a uniform Federal standard of protection for medical 
records privacy. Currently there isn't any Federal standard. 
There is an existing patchwork of State laws that provide 
erratic protection at best. There was a time when our health 
care privacy was protected by our family doctors who kept 
handwritten records and those handwritten records were kept in 
a big file cabinet. I can close my eyes and picture my doctor's 
office and the pediatrician who took care of my children. Any 
time that I had a question and I was in the office with him, he 
would go to that big file cabinet and pull out a bulging file 
and say they were healthy from the start and here is what we 
did for them.
    With the advent of managed care, increasing numbers of 
people are involved in health care treatment, payment, and 
oversight and given access to our very sensitive material. So 
today we have to place our trust in entire networks of insurers 
and health care providers. We can no longer expect that 
information supplied to our doctors will remain confidential.
    The American people expect and are entitled to 
confidential, fair, and respectful treatment of their private 
health information. But there is another bookend to this issue, 
and that is research. Research cannot be hampered. It should 
not be hampered. And I don't think that the American people 
want it to be hampered. They understand full well what comes 
from the research because they are the beneficiaries of it.
    So we have to be sure that any legislation that is enacted 
does not erect unnecessary barriers that would slow or impede 
medical research. I have--and I have bragged about this because 
I am very proud of it. I have the largest number of biotech 
companies in my Congressional District more so than any other 
place in California or our country or the world.
    So I see firsthand the advances in medical treatments and 
therapies that they have produced. Access to health data is 
vital to the ability to conduct research. I think that we have 
to keep that on the front burner just as we seek to protect the 
confidentiality of the materials. Research has used health 
records to develop treatments for childhood leukemia and 
uncovered the link between DES and reproductive cancers. Access 
to health data plays a critical role in protecting and 
advancing public health as well.
    Our local public health agencies use health records to 
identify and prevent outbreaks of infectious disease like the 
recent E. coli infections. Information is the life blood of 
research. Without access to health data, patients would be, I 
think, the real losers.
    So while I believe that we must establish a uniform Federal 
standard to protect the American people against the 
unauthorized use of private identifiable information, I think 
that we also have to be mindful of what the effects of the laws 
will be on medical research and the lives that are saved as the 
outcome of the research.
    So thank you, Mr. Chairman, for holding this hearing. It is 
a very important one. I thank all of the witnesses that are 
part of today's hearing, and I am also delighted to see that 
our hearing room is standing room only.
    Thank you, Mr. Chairman.
    Mr. Bilirakis. I thank the gentlelady.
    Mr. Whitfield.
    Mr. Whitfield. Mr. Chairman, thank you very much.
    It is quite odd that we have this kind of crowd considering 
financial modernization is right down on the first floor and I 
know that it is packed down there.
    Mr. Chairman, this is quite an important subject matter 
that we are going to discuss this morning as we try to balance 
the need for patient histories for research and adequate 
medical care versus the privacy of patients. I have in my hand 
right here a 23-page questionnaire that is now given to home 
health care agencies when they submit medical assistance to 
home bound patients.
    This is referred to as the ``OASIS document'' which I 
understand now is on hold. But during the question and answer 
series, I would like to ask a couple of questions about this 
because it makes you wonder if it is necessary to fill out 23 
pages of questionnaires about patients.
    So this entire subject is quite appropriate at this time. I 
look forward to the hearing and yield back the balance of my 
time.
    Mr. Bilirakis. I thank the gentleman.
    Mr. Waxman for an opening statement.
    Mr. Waxman. I am very pleased that the subcommittee is 
focusing today on the important issue of medical records 
privacy. The testimony will be helpful as we work to address 
the pressing need for legislation that would protect the 
privacy of health information.
    Currently, there is no comprehensive Federal law that 
protects the privacy of medical records. Instead there is a 
patchwork of State laws many of which provide minimal 
protections. Unfortunately, there have been many incidents of 
inappropriate use and disclosure of such information. Concern 
about such privacy invasions has led some individuals to avoid 
medical testing and to withhold information from their 
physicians.
    Congress should enact legislation that protects the privacy 
of health information and ensures that individuals have 
appropriate control over their medical records. At the same 
time, we must allow appropriate access to health information 
for important public health purposes such as health research 
and respect the work that States are doing to address 
confidentiality issues.
    This week I join with Mr. Condit, Mr. Markey, Mr. Dingell, 
and Mr. Brown and many of my other colleagues to introduce 
legislation, the Health Information Privacy Act, that I believe 
strikes the proper balance regarding these issues. We dealt 
with many of the thorny issues that we will be discussing at 
this hearing today, and I think that we have a balanced 
compromise.
    The bill is based on three fundamental principles. First, 
health information should not be used or disclosed without the 
authorization or knowledge of the individual except in narrow 
circumstances where there is an overriding public interest.
    Second, individuals should have fundamental rights 
regarding their health records such as the right to access, 
copy, and amend their records and the opportunity to seek 
protection for especially sensitive information.
    Third, Federal legislation should provide a floor, not a 
ceiling, so that States and the Secretary of Health and Human 
Services can establish additional protections as appropriate. 
This common sense bill reflects consensus among a number of my 
colleagues who have long been leaders in the area of health 
care and privacy. And I believe that colleagues with a wide 
variety of perspectives can support it.
    I look forward to hearing from the witnesses today on the 
complex issues relating to medical records privacy and to 
working to advance meaningful legislation on this issue.
    I thank you, Mr. Chairman, for holding this hearing.
    Mr. Bilirakis. I thank the gentleman.
    Mr. Deal.
    Mr. Deal. Thank you, Mr. Chairman, I would like to thank 
you, also, and the panelists for being here today.
    Like most Members of the last Congress, I received many 
communications from my constituents with regard to the 
numbering system that was being proposed. I think that began an 
awareness on the part of many people on this issue of privacy, 
and it is certainly one that I think is a delicate balancing 
act.
    Mr. Whitfield alluded to the information form that was 
being asked to be filled out by home health care agencies. I 
had occasion recently with my 92-year-old mother who was 
receiving home health care to overhear the conversation with 
the home health care nurse who was asking the questions, and as 
my mother is hard of hearing, it was not difficult to hear the 
questioning process.
    Quite frankly, the questions were so personal and so 
intensive in nature that I was surprised my mother did not tell 
him it was none of their business when they asked a few of 
those questions. So it is something that I think all of us are 
concerned with, and I thank all of you for being here.
    Thank you, Mr. Chairman, for the hearing.
    Mr. Bilirakis. Thank you. Mr. Towns.
    Mr. Towns. Thank you, Mr. Chairman, for holding this 
hearing. I want to commend you for doing this.
    As other committee members have indicated, the issue of the 
privacy of medical records is one that cannot be ignored. 
Through the rapid growth of modern technology, health records 
are now readily available for commercial use, disclosure to 
employers, and restrictions on eligibility for health 
insurance. That is why I am pleased to join my colleagues in 
cosponsoring the Health Information Privacy Act.
    I am very pleased that a provision was included in this 
legislation which would require the Secretary of HHS to 
promulgate regulations for the maintenance of health records 
once a facility closes. Currently, there is no uniform method 
for disposition of a health record if a facility or health 
benefit plan ceases to exist. You may ask what does happen to 
that patient's records? Well, it could be destroyed or it could 
wind up in the street. We really do not know.
    Speaking from personal experience of having my own patient 
records found in the street after hospital closure, I can tell 
you that it is a problem that will only worsen with the 
consolidation and merger of various facilities. In fact, we 
have just seen a number of health plans that are no longer 
operating Medicare HMO. Can we, in fact, account for all of 
those patients' records? I do not think so.
    Similar provisions which are offered in a larger bill, H.R. 
307, have been pointed out by this committee as well as at the 
Government Reform Committee during the last 5 years. Let us 
now recognize that there are some serious problems in this. The 
British example is of health record maintenance where the 
health records of some British royal family members were 
recently found in the street by a man walking his dog.
    It is my hope that any legislation dealing with medical 
records privacy would contain a means of handling health 
records once a health facility shuts down or health benefit 
plan ceases to do business. If we are concerned about 
continuity of care, we must find a uniform way of dealing with 
records. Let me also add that a solo practitioner, that when 
they would expire, the part of the office and all of that would 
become part of the estate and the family would sell it. But the 
way that we are delivering medical care today, nobody is going 
into those offices.
    The question is what happens to those records. These are 
the things, Mr. Chairman, that we really ought to get to the 
root of if we are really serious about health care and the 
continuity of it.
    Thank you so much.
    Mr. Bilirakis. I thank the gentleman. You have brought 
those points up before. They are horror stories. No question 
about it.
    The opening statements of all members of the subcommittee 
are made a part of the record without objection.
    [Additional statements submitted for the record follow:]
Prepared Statement of Hon. Cliff Stearns, a Representative in Congress 
                       from the State of Florida
    Thank you, Chairman Bilirakis, for holding this important hearing 
today. The focus of today's hearing is confidentiality of medical 
records.
    As we all know, H.R. 3103, the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) directed that within three and one 
half years after being signed into law that federal laws or federal 
regulations must be in place to ensure the confidentiality of medical 
records and other health information. The deadline imposed is close at 
hand.
    With the advances being made in biomedical research, especially 
genetic research, legislation to protect the confidentiality of health 
information becomes even more necessary.
    Advances in computer technology and the need for administrative 
efficiencies have created serious issues concerning the confidentiality 
of patients' medical records.
    We must look at the issues related to our changing health care 
system on a bipartisan basis, maximizing input from patients, academia, 
researchers, industry, professional groups, and government experts.
    As we proceed with how best to craft legislation to create a 
federal health privacy law, there are several key areas we should look 
at. For instance, what are the risks to the ability of scientists to do 
the cutting edge research needed to cure disease, both from failure to 
address the potential misuse of information by employers and health 
insurers, as well as from overly restrictive confidentiality 
regulations?
    What legislative and administrative steps can be reasonably taken 
to maximize the potential for the success of future research?
    Can we create an environment that protects the confidentiality 
rights of the patient and prohibits overt discrimination without 
infringing on the critical need for scientific progress against deadly 
and disfiguring diseases?
    As we all know, certain white-collar jobs are becoming globally 
mobile, as employers use low-cost satellite and fiber-optic 
communications to link U.S. headquarters to companies offering services 
continents away.
    Privacy advocates fear that insurers, employers, and pharmaceutical 
companies could gain access overseas to people's medical records. This 
concerns me and needs to be addressed by Congress.
    We should also look at the rights of patients. One question we need 
to consider is should patients be allowed to access their own medical 
records.
    In conclusion, after passage of legislation to ensure 
confidentiality and privacy of medical records, we should then move 
toward the issue of genetic discrimination.
                                 ______
                                 
 Prepared Statement of Hon. Tom Bliley, Chairman, Committee on Commerce
    Thank you, Chairman Bilirakis, for holding this hearing today on the 
topic of medical records confidentiality.
    Every American wants to know that their medical records remain 
confidential, and that sensitive information that is identifiable to 
them is not bought and sold and posted on the Internet. No one deserves 
to have that happen to them.
    Many advocates believe that information management systems, 
statutory protections at the state level, and common law tort theories 
do not adequately protect medical records data. Some have proposed that 
a Federal medical records confidentiality ``floor'' be enacted, on 
which states could build higher levels of protection.
    Others, who believe that present protections are insufficient, 
favor a Federal law. This approach may allow for a freer flow of 
critical information, perhaps for research. A federal approach may even 
cut regulatory compliance costs for enterprises operating interstate.
    On Tuesday of this week the National Breast Cancer Coalition 
recognized the legislative work of this Committee in the area of breast 
cancer research and early identification. This is an area that is 
greatly important to me and my family, and I am very pleased that the 
Coalition's president, Fran Visco, is here today to testify. What 
causes me concern as I review some of the legislation introduced in the 
House, is that research to find the cures for diseases like breast 
cancer will become much more difficult. As someone whose own family has 
faced breast cancer, I do not want to see legislation going forward 
that would impede research.
    Many bills are being introduced to address challenges in the area 
of medical records confidentiality. All well-intentioned. Some that are 
very sound, others I view as mis-guided. Today this hearing affords 
Members an opportunity to explore issues that directly impact Americans 
and the interests we all have in privacy, and the confidentiality of 
our personal information. I urge all the Subcommittee Members to study 
these issues with great care. It is here in the Congress, and 
specifically on this Committee, beginning with this panel chaired by 
Mr. Bilirakis, that these matters will be considered and acted upon. 
So, Mike, I commend you for holding this hearing, and I yield back my 
time.
    Thank you, Mr. Chairman, and I look forward to the testimony this 
morning.
                                 ______
                                 
    Prepared Statement of Hon. John D. Dingell, a Representative in 
                  Congress from the State of Michigan
    Today the Health and Environment Subcommittee will address the most 
personal of health care issues, the right of an individual to have 
control over his or her medical records. I would like to thank my good 
friend Chairman Mike Bilirakis, for holding a hearing on this important 
topic, and I look forward to more hearings on the subject in weeks to 
come.
    I am proud to be a cosponsor of the Health Information Privacy Act 
with Mr. Waxman, Mr. Condit, Mr. Markey, Mr. Brown of Ohio, Mr. Towns, 
and Mr. Turner. This bill recognizes the fundamental right of an 
individual to inspect, copy, and amend his or her medical records. It 
ensures that these records will not be used or disclosed without an 
individual's knowledge or consent. The bill establishes a federal floor 
of privacy protections, leaving States the freedom to enact stronger 
laws patient protections.
    Today's hearing covers but two facets of the medical records 
confidentiality debate--research and preemption. Everyone agrees that 
medical research is the foundation of twentieth-century medicine, and 
everyone also acknowledges that protections for patients who are the 
subject of research are essential. These two interests are not mutually 
exclusive. Many research studies involve patients with highly sensitive 
medical records, such as women with breast cancer or people with 
genetic disorders. We need to enact strong safeguards to protect the 
very groups who are most likely to benefit from such research. All 
research, whether federally-funded or private, should be subject to a 
check by an institutional review board or a similar entity. The 
potential harm from a lack of oversight is too great.
    A comprehensive federal privacy law would provide many new 
protections for personal medical records. However, in passing federal 
legislation we must not preempt the protections that States have 
already enacted. For example, some States have implemented laws that 
guard the privacy of certain types of medical information, such as 
mental health records. State and local laws that are more protective of 
an individual's privacy rights must be allowed to stand.
    There is another, equally important reason for a federal law not to 
preempt stronger State and local laws. Congress has been considering 
federal privacy legislation for two decades. If we pass a law this 
year, it is unlikely that we will revisit the subject any time in the 
near future. We must not tie the States' hands by preventing them from 
responding to privacy issues that arise in years ahead.
    While there are many facets to the debate over medical records 
confidentiality, and these issues are often complex, the need for 
federal legislation is clear. In an age where unauthorized parties may 
obtain very personal information about ourselves with the click of a 
computer mouse, we need to assure the public--and ourselves--that our 
medical information is kept private and secure.
                                 ______
                                 
   Prepared Statement of Hon. Edward J. Markey, a Representative in 
                Congress from the State of Massachusetts
    Thank you, Mr. Chairman for holding this hearing on this critical 
issue, and thank you for permitting me to take part as I am not a 
member of this Subcommittee.
    As you know, I introduced the first medical privacy bill in the 
House in early March, H.R. 1057, The Medical Information Privacy and 
Security Act, and this week I joined with my colleagues Mr. Waxman, Mr. 
Brown, Mr. Dingell and Mr. Condit in introducing a consensus bill.
    The August 21 deadline imposed by the Health Insurance Portability 
and Accountability Act for Congress to pass medical privacy legislation 
is looming before us. And now is the time for us to move forward on 
this issue that is of great concern to so many Americans.
    Without question, the rapid advance of the Information Age is 
revolutionizing the American economy and forcing the evolution of new 
relationships both good and bad. There is no area of its development 
that causes more anxiety for ordinary people than the area of privacy. 
And there is no area of privacy that causes more anxiety for Americans 
than the privacy of their most personal health information.
    Today, we are experiencing the erosion of our medical privacy. With 
the stroke of a few keys on a computer, or the swipe of the 
prescription drug card, our most intimate and closely held personal 
health information is being accumulated and tracked.
    This erosion of our privacy threatens the very heart of quality 
health care--doctor/patient confidentiality. By undermining this sacred 
relationship, we destroy the trust that patients rely on for peace of 
mind, and doctors depend on for sound judgment.
    In an HMO today, anywhere from 80-100 employees may have access to 
a patient's medical record [according to the Privacy Rights 
Clearinghouse in San Diego California.] With such unrestricted access 
to one's personal health information, it's impossible to separate the 
health privacy keepers from the ``just curious'' peepers.
    Not to mention what I believe is the greatest threat to your 
medical privacy--the information reapers.
    The evolution of technology has provided the ability to compile, 
store and cross reference personal health information, and the dawning 
of the Information Age has made your intimate health history a valuable 
commodity.
    Last March, the Wall Street Journal wrote about the ultimate 
information reaper--a company that is ``seeking the mother lode in 
health `data mining' ''. This company is in the process of acquiring 
medical data on millions of Americans to sell to any buyer.
    Currently there is no federal medical privacy law to constrain the 
information reapers as they delve into large data bases filled with the 
secrets of millions of individuals. These data bases represent a 
treasure chest to privacy pirates and every facet of your medical 
information represents a precious jewel to be mined for commercial 
gain.
    With this unfettered access, patient confidentiality has become a 
virtual myth, and the sale of your secrets a virtual reality.
    Because of the rapid evolution of technology, we have fallen behind 
in assuring a right that we have come to expect--the fundamental right 
to keep our personal health information private.
    The time is ripe for Congress to take action on this issue. Now is 
the time to pass a strong medical privacy law that will provide 
patients the right they deserve, the right to medical privacy.
    Mr. Chairman, I thank you again for convening this morning's 
hearing. I look forward to working with you and our colleagues on both 
sides to meet the August 21 deadline and I look forward to hearing the 
testimony of our witnesses presented here this morning.

    Mr. Bilirakis. I do want to apologize to the witnesses and 
to the audience for the late start. Obviously you must know 
that we had a general vote, one of those very tough votes that 
we sometimes have here, and that delayed the start.
    But I would like to now welcome the first panel consisting 
of Dr. Peggy Hamburg, Assistant Secretary for Planning and 
Evaluation, Department of Health and Human Services.
    Dr. Hamburg, we appreciate your attendance, appreciate your 
patience, and obviously your written statement is a part of the 
record. We appreciate it.
    I will give you 10 minutes so you can complement your 
statement in any way that you wish. You might want to introduce 
your accompanying persons.

  STATEMENTS OF MARGARET A. HAMBURG, ASSISTANT SECRETARY FOR 
    PLANNING AND EVALUATION, DEPARTMENT OF HEALTH AND HUMAN 
SERVICES; ACCOMPANIED BY LANA SKIRBOLL, ASSOCIATE DIRECTOR FOR 
    SCIENCE POLICY, NATIONAL INSTITUTES OF HEALTH; AND JOHN 
  EISENBERG, ADMINISTRATOR, AGENCY FOR HEALTH CARE POLICY AND 
                            RESEARCH

    Ms. Hamburg. Thank you, Mr. Chairman, Congressman Brown, 
distinguished members of the committee. We appreciate the 
opportunity to appear before you today to discuss the need for 
Federal legislation to safeguard the privacy of health 
information.
    With me today are Dr. Lana Skirboll from the Office of 
Science Policy, National Institutes of Health, and Dr. John 
Eisenberg, who is the administrator of the Agency for Health 
Care Policy and Research or what we fondly call AHCPR.
    I would like to commend the members of this committee, in 
particular Representative Waxman, Representative Markey, 
Representative Dingell, Representative Towns, and 
Representative Brown for their hard work in developing medical 
privacy legislation. The most recent bill was just introduced 
on Tuesday, and we have not had the opportunity to review it in 
detail. We have noted, however, that the authors chose to take 
a new approach to the issue and in doing so have helped provide 
momentum that will be needed to enact legislation this year.
    We are here today to emphasize our support for passage of 
bipartisan legislation providing comprehensive privacy 
protection for people's health care information. Stories abound 
that raise concern that our sensitive medical information can 
enter the wrong hands and/or be misused. For example, at one 
HMO, every clinical employee could tap into patients' computer 
records and see notes from psychotherapy sessions. In another 
example, the director of a work-site health clinic testified 
before the National Committee on Vital and Health Statistics 
that he was frequently pressed to disclose his patients' health 
information to their supervisors.
    These kinds of problems and others you have already spoken 
to this morning, underline the legitimate fear that Americans 
have about the security of their health care information. 
Almost 75 percent of our citizens say that they are at least 
somewhat concerned that computerized medical records would have 
a negative effect on their privacy. If we don't act now, public 
distrust could deepen--and ultimately stop citizens from 
disclosing important information to their doctors, or getting 
needed treatment, especially for sensitive concerns like mental 
illness or seeking genetic testing.
    The problem is not theoretical. Numerous analyses over 
several years by government, industry, and professional groups 
have identified serious gaps in protections for health 
information and have recommended Federal legislation to close 
them.
    In September 1997, Secretary Shalala presented her 
recommendations for protecting ``Confidentiality of 
Individually-Identifiable Health Information.'' In that report, 
the Secretary concluded that Federal legislation establishing a 
basic national floor of confidentiality is necessary to provide 
rights for patients and define responsibilities of record 
keepers. She recommended that Federal legislation focus on 
health care payers and providers and the information they 
create and receive in providing and paying for health care.
    The Secretary recommended legislation to implement five key 
principles.
    First, information about a consumer that is obtained for 
delivering and paying for health care should, with very few 
exceptions, be used and disclosed for health purposes and for 
health purposes only.
    Second, those who legally receive health information should 
be required to take reasonable steps to safeguard it. They 
should ensure that the information is available only to those 
who should have access to it, and only for purposes authorized 
by the patient or authorized by law.
    Third, consumers should have access to their health records 
and should know how their health information is being used and 
who has looked at it. The consumer should be given clear 
explanation of these rights.
    Fourth, people who violate the confidentiality of our 
personal health information should be held accountable. Those 
who use this information improperly should be punished.
    These first four principles must be balanced against the 
fifth principle, public responsibility. Just like our free 
speech rights, privacy rights cannot be absolute. We must 
balance our protections of privacy with our public 
responsibility to support other critical national goals--public 
health, research, quality care and our fight against health 
care fraud and abuse.
    As a major payor for health care, our Department is aware 
of the need to use personal health information for each of 
these national priorities. For example, our researchers have 
used health records to help us fight childhood leukemia, or to 
conduct the research to learn that beta blocker therapy 
resulted in fewer rehospitalizations and improved survival 
among elderly survivors of acute myocardial infarction. Public 
health agencies use health records to warn us of outbreaks of 
emerging infectious diseases. Our efforts to improve quality in 
our health care system depend critically on our ability to 
review health information.
    HIPAA also requires that if Congress fails to enact 
comprehensive privacy legislation by August of this year, HHS 
must implement final regulations by February of 2000, as the 
chairman noted.
    We have assembled a team from all of the relevant Federal 
agencies to work on these regulations, and it is our intent to 
have these regulations prepared in time for the statutory 
deadline.
    While we are moving ahead to have the regulation ready, the 
President and Secretary Shalala have made it clear that their 
first priority is to see Congress enact a comprehensive bill. 
Our staff has been working closely with many of your staff, and 
staff in the Senate, to assist you in achieving that goal. 
Again, let me reiterate that we want to see legislation and we 
want to work closely with you to make that happen.
    Mr. Chairman, the principles embodied in my recommendation 
should guide a comprehensive law that will create substantive 
Federal standards and provide our citizens with real peace of 
mind and protection. The principles represent a practical, 
comprehensive and balanced strategy to protect health care 
information that is collected, shared, and used in an 
increasingly complex world.
    Thank you again for giving us this opportunity to testify, 
and we are eager to answer any questions that you may have.
    [The prepared statement of Margaret A. Hamburg follows:]
  Prepared Statement of Margaret A. Hamburg, Assistant Secretary for 
    Planning and Evaluation, Department of Health and Human Services
    Mr. Chairman, Congressman Brown, distinguished members of the 
Committee: I appreciate the opportunity to appear before you to discuss 
the Administration's recommendations for federal legislation to protect 
the privacy of health information. With me today are Dr. Lana 
Skirboll, Associate Director for Science Policy, National Institutes of 
Health, and Dr. John Eisenberg, Administrator of the Agency for Health 
Care Policy and Research.
    I would like to commend the members of this Committee, in particular, 
Rep. Waxman, Rep. Markey, Rep. Dingell, and Rep. Brown for their hard 
work in developing medical privacy legislation. The most recent bill 
was just introduced on Tuesday, and we have not had the opportunity to 
review it in detail. We have noted however, that the authors chose to 
take a new approach to the issue and in doing so have helped provide 
momentum that will be needed to enact legislation this year.
    As you may remember, Secretary Shalala first presented her 
recommendations, required by the Congress under Section 264 of the 
Health Insurance Portability and Accountability Act (HIPAA), in 
September 1997.\1\ I think it is fair to say that the 
recommendations were well received and have been used to assist others 
in crafting their own legislative proposals.
---------------------------------------------------------------------------
    \1\ ``Confidentiality of Individually-Identifiable Health 
Information, Recommendations of the Secretary of Health and Human 
Services, pursuant to section 264 of the Health Insurance Portability 
and Accountability Act of 1996'' can be found on the HHS web site at: 
.
---------------------------------------------------------------------------
    HIPAA also requires that if Congress fails to enact comprehensive 
privacy legislation by August of this year, HHS must implement final 
regulations by February 2000. We have assembled an interagency team to 
work on the regulations including representatives from the Departments 
of Labor, Defense, Commerce, the Social Security Administration, the 
Veterans Administration and the Office of Management and Budget. It is 
our intent to have the regulations prepared in time to meet the 
statutory deadline.
    While we are moving ahead to have the regulation ready, the 
President and Secretary Shalala have made it very clear that their 
first priority is to see Congress enact a comprehensive health 
information privacy bill. Our staff have been working closely with many 
of your staff, and staff in the Senate, to assist you in achieving that 
goal. Again, let me reiterate, we want to see legislation, and we want 
to work with you to make that happen.
    The issue of health information privacy is quite complex--in order 
to resolve it legislatively, some difficult choices will have to be 
made. We believe that our recommendations strike the appropriate 
balance between the privacy needs of our citizens and the critical 
needs of our health care system and our nation. This is an issue that 
touches every single American, and to reach resolution we will need a 
bipartisan effort.
                        the need for legislation
    It has been 25 years since former HEW Secretary Elliot Richardson 
set forth principles that led to the landmark Federal Privacy Act. 
Those 25 years have brought vast changes in our health care 
system. Revolutions in our health care delivery system mean that we must 
place our trust in entire networks of insurers and health care 
professionals--both public and private. The computer and 
telecommunications revolutions mean that information no longer exists 
in one place--it can travel in real time to many hospitals, physicians, 
insurers, and across state lines.
    In addition, revolutions in biology mean that a whole new world of 
genetic tests have the potential to either help prevent disease or 
reveal the most personal health information of a family. Without 
safeguards to assure citizens that getting tested will not endanger 
their families' privacy or health insurance, we could endanger one of 
the most promising areas of research our nation has ever seen.
    Health care privacy can be safeguarded. It must be done with 
national legislation, national education, and an on-going national 
conversation.
    Currently, when we give a physician or health insurance company 
precious health information, the level of protection will vary widely 
from state to state. We have no comprehensive federal health 
information privacy standards. Because the practice of health care is 
increasingly becoming interstate through mergers, complex contractual 
relationships and enhanced telecommunications, we can no longer rely on 
the existing patchwork of state laws. The patchwork does not provide 
Americans the privacy protections they need or expect. The Congress 
should seize upon this opportunity to create strong federal standards 
and reassure the public that they can trust their providers and 
insurers to keep their health information secure.
    In developing our recommendations for federal legislation, we 
learned a great deal through consultations with a variety of outside 
groups and from six days of public hearings conducted by the National 
Committee on Vital and Health Statistics, our statutory federal 
advisory committee for health data and privacy policy. The hearings 
involved over 40 witnesses from across the health community, including 
health care professionals, plans, insurance companies, the privacy 
community, and the public health and research communities.
    We believe our recommendations provide a balanced framework for 
legislation that can protect the privacy of medical records, guarantee 
consumers the right to inspect their records, and punish unauthorized 
disclosures of personal health data by hospitals, insurers, health 
plans, drug companies or others.
                             the principles
    The Secretary's recommendations for legislation are grounded in 
five key principles: Boundaries, Security, Consumer Control, 
Accountability, and Public Responsibility.
Boundaries
    The first is the principle of Boundaries: With very few exceptions, 
personally identifiable health care information should be disclosed for 
health purposes and health purposes only. It should be easy to use it 
for those purposes, and very difficult to use it for other purposes. For 
example, employers should be able to use the information furnished by 
their employers to provide on-site care or to administer a health plan 
in the best interests of those employees. But those same employers 
should not be able to use information obtained for health care purposes 
to discriminate against individuals when making employment decisions--
such as hiring, firing, placements and promotions. To enforce these 
boundaries, we recommend strong penalties for the inappropriate use or 
disclosure of medical records.
    We recommend that the legislation apply specifically to providers 
and payers, and to anyone who receives health information from a 
provider or payer, either with the authorization of the patient or as 
authorized explicitly by legislation.
    However, our recommendations acknowledge that these providers and 
payers do not act alone. In order for a provider or payer to operate 
efficiently, it may need to enlist a service organization to perform an 
administrative or operational function. For example, a hospital may 
hire an organization to encode and process bills, or a managed care 
organization may contract with a pharmaceutical benefit management 
company to provide information to pharmacists about what medications 
are covered and appropriate for their customers.
    The numbers and types of service organizations are increasing every 
day. While most do not have direct relationships with the patients, 
they do have access to their personal health care information. 
Therefore, we recommend that they should be bound by the same 
standards. For example, a health plan's contractor should be allowed to 
have access to patient lists in order to do mailings to remind patients 
to schedule appointments for preventive care. But it should not be able 
to sell the patient lists to a pharmaceutical company for a direct 
mailing announcing a new product.
    Because we recommend a minimum floor of protection for all records, 
our report does not distinguish among types of health care information 
based on sensitivity. For example, our recommendations do not include 
specific provisions related to genetic information in health records. 
Genetic information should be covered by the same rules. However, we 
recognize that the public is especially concerned about the unique 
properties of genetic information--its predictive nature, and its link 
to personal identity and kinship and its ability to reveal our family 
secrets.
    Therefore while you are developing privacy legislation, you should 
also consider how to limit the collection and disclosure of genetic 
information and prohibit health insurers and employers from 
discriminating against individuals on the basis of their genetic 
information. Because of the speedy development of genetic technologies 
and its potential for abuse, we recommend that legislation concerning 
discrimination in underwriting by insurers or other improper use of 
such information be considered expeditiously. We look forward to 
continuing our work with you on this issue.
Security
    The second principle is Security. Americans need to feel secure 
that when they give out personal health care information, they are 
leaving it in good hands. Information should not be used or given out 
unless either the patient authorizes it or there is a clear legal basis 
for doing so.
    There are many different ways that private information like your 
blood tests could become public. People who are allowed to see it--such 
as lab technicians--can misuse it either carelessly or intentionally. 
And people who should not be seeing it--such as marketers--can find a 
way to access it, either because the organization holding the 
information doesn't have proper safeguards or the marketers can find an 
easy way around the safeguards. To give Americans the security they 
expect and deserve, Congress should develop legislation that requires 
those who legally receive health information to take reasonable steps 
to safeguard it and face consequences for failure to do so.
    What do we mean by reasonable steps? The organizations should adopt 
protective administrative and management techniques, educate their 
employees, and impose disciplinary sanctions against employees who use 
information improperly.
    We are addressing some of these steps in our Security Standards 
regulation, implementing the Administrative Simplification mandate 
under HIPAA. Our NPRM laid out a range of approaches for safeguarding 
the information to which the HIPAA mandate applies. However, that 
regulation will only cover the security of specific electronically 
maintained records. We need comprehensive privacy legislation to cover 
all health information that needs this kind of protection.
    We don't believe a law can specify the details of these protections 
because each organization must keep pace with the new threats to our 
privacy and the technology that can either abate or exacerbate them. 
But a federal law can require everyone who holds health information to 
have these types of safeguards in place and specify the appropriate 
sanctions if the information is improperly disclosed.
Consumer Control
    The third principle is Consumer Control. The principles of fair 
information practice (formulated in 1973 by a committee appointed by 
Secretary Richardson) included as a basic right: ``There must be a way 
for an individual to find out what information about him is in a record 
and how it is used.''
    With very narrow exceptions, consumers should have the right to 
find out what is contained in their records, find out who has looked at 
them, and to inspect, copy and, if necessary, correct them. Consumers 
should be given a clear explanation of these rights and they should 
understand how organizations will use their information. Let me give 
you an example of why this is important. According to the Privacy 
Rights Clearinghouse, a California physician in private practice was 
having trouble getting health, disability, and life insurance. She 
ordered a copy of her report from the Medical Information Bureau--an 
information service used by many insurance companies. It included 
information showing that she had a heart condition and Alzheimer's 
disease. There was only one problem. None of it was true. 
Unfortunately, under the current system these types of errors occur all 
too often. Consumers often do not have access to their own health 
records and even those who do are not always able to correct some of 
the most egregious errors.
    With that in mind, our recommendations set forth a set of practices 
and procedures that would require that insurers and health care 
providers provide consumers with a written explanation detailing who 
has access to their information and how that information will be used, 
how they can restrict or limit access to it, and what their rights are 
if their information is disclosed improperly.
    We also recommend procedures for patients to inspect and copy their 
information, and set out the very limited circumstances under which 
patient inspection should be properly denied.
    Finally, we recommend a process for patients to seek corrections or 
amendments to their health information to resolve situations in which 
innocent coding errors cause patients to be charged for procedures they 
never received, or to be on record as having conditions or medical 
histories that are inaccurate.
Accountability
    The fourth principle is Accountability. If you are using 
information improperly, you should be punished. This flows directly 
from the second principle of security--the requirement to safeguard 
information must be followed by real and severe penalties for 
violations. Congress should send the message that protecting the 
confidentiality of health information is vitally important, and that 
people who violate that confidence will be held accountable.
    We recommend that offenders should be subject to criminal felony 
penalties if they knowingly obtain or use health care information in 
violation of the standards outlined in our report. The penalties 
mandated in privacy legislation should be higher when violations are 
for monetary gain, similar to those Congress mandated in the 
administrative simplification provisions of HIPAA. In addition, when 
there is a demonstrated pattern or practice of unauthorized disclosure, 
those committing it should be subject to civil monetary penalties.
    In addition to punishing the perpetrators, we must give redress to 
the victims. We believe that any individual whose privacy rights have 
been violated--whether those rights were violated negligently or 
knowingly--should be permitted to bring a legal action for actual 
damages and equitable relief. When the violation is done knowingly, 
attorney's fees and punitive damages should be available.
    These first four principles--Boundaries, Security, Consumer Control 
and Accountability--must be carefully weighed against the fifth 
principle, Public Responsibility.
Public Responsibility
    Just like our free speech rights, privacy rights can never be 
absolute. We have other critical--yet often competing--interests and 
goals. We must balance our protections of privacy with our public 
responsibility to support national priorities--public health and 
safety, research, quality care, and our fight against health care fraud 
and abuse and other unlawful activities.
    Our Department is acutely aware of the need to use personal health 
information for each of these national priorities. For example, HHS 
auditors use health records to uncover kickbacks, overpayments and 
other fraudulent activity. Researchers have used health records to help 
us fight childhood leukemia and uncover the link between DES and 
reproductive cancers. Public health agencies use health records to warn 
us of outbreaks of emerging infectious diseases. In addition, our 
efforts to improve quality in our health care system depend on our 
ability to review health information to determine how well health 
institutions and health professionals are caring for patients.
    For public health and safety, research, quality evaluations, fraud 
investigations, and legitimate law enforcement purposes, it's not 
always possible, or desirable, to ask for each patient's permission for 
access to the necessary health information. And, in many cases, doing 
so could create major obstacles in our efforts. While we must be able 
to use identifiable information when necessary for these purposes, we 
should use information that is not identifiable as much as possible.
    To demonstrate how access must be balanced against public 
responsibility, let me outline a few of the areas in which we recommend 
that disclosure of health information should be permitted without 
patient authorization.
Public Health
    Under certain circumstances, we recommend permitting health care 
professionals, payers, and those receiving information from them to 
disclose health information without patient authorization to public 
health authorities for disease reporting, adverse event reporting, 
public health investigation, or intervention. This is currently how the 
public health system operates under existing State and federal laws.
    For example, consider the outbreak of E. coli in hamburger that 
resulted in the largest recall of meat products in history. Public 
health authorities, working with other officials, used personally 
identifiable information to identify quickly the source of the outbreak 
and thereby prevent thousands of other Americans from being exposed to 
a contaminated product.
Research
    An important mission for the Department of Health and Human 
Services is to fund and conduct health research. We understand that 
research is vitally important to our health care and to progress in 
medical care. Legislation should not impede this activity.
    Today the Federal Policy for Protection of Human Subjects and FDA's 
Human Subject Regulations protect participants in most research studies 
that are funded or regulated by the federal government. These rules 
have worked well to protect the privacy of individuals while not 
impeding the conduct of research. We recommend that similar privacy 
protections should be extended to all research in which individually 
identifiable health information is disclosed, and not just federally 
funded or regulated research.
    All researchers must determine whether their research requires the 
retention of personal identifiers. There are research studies that can 
only be conducted if identifiers are retained; for example, outcomes 
studies for heart attack victims or the recent study which identified a 
correlation between the incidence of Sudden Infant Death Syndrome and 
the infant's sleep position. If, and when, personal identifiers are no 
longer needed, the researcher should be required to remove them and 
provide assurances that the information will be protected from improper 
use and unauthorized additional disclosures.
    Under the Common Rule, if personal identifiers are necessary, an 
IRB must review the research proposal and determine whether informed 
consent is required or may be waived. In order for informed consent to 
be waived, an IRB must determine that the research involves no more 
than minimal risk to participants, that the absence of informed consent 
will not adversely affect the rights or welfare of participants, and 
that conducting the research would be impracticable if consent were 
required. This or a similar mechanism of review should be applicable 
for all research using individually identifiable health information 
without informed consent regardless of funding source.
    This recommendation is consistent with the Federal Policy for the 
Protection of Human Subjects as well as the Privacy Act--policies that 
have protected federal research participants and research records for a 
quarter of a century and that have saved lives and fostered countless 
improvements in medical treatment.
                               preemption
    Our recommendations call for national standards. But, we do not 
recommend outright or overall federal preemption of existing State laws 
that are more protective of health information.
    Some protections that we recommend may be stronger than some 
existing State laws. Therefore, we recommend that Federal legislation 
replace State law only when the State law is less protective than the 
Federal law. Thus, the confidentiality protections provided would be 
cumulative and the Federal legislation would provide every American 
with a basic set of rights with respect to health information.
                               conclusion
    Mr. Chairman, the five principles embodied in our recommendations--
Boundaries, Security, Consumer Control, Accountability, and Public 
Responsibility--should guide a comprehensive law that will create 
substantive federal standards and provide our citizens with real peace 
of mind.
    The principles represent a practical, comprehensive and balanced 
strategy to protect health care information that is collected, shared, 
and used in an increasingly complex world.
    In addition to creating new federal standards, we must ensure that 
every single person who comes in contact with health care information 
understands why it is important to keep the information safe, how it 
can be kept safe, and what will be the consequences for failing to keep 
it safe. Most of all, we must help consumers understand not just their 
privacy rights, but also their responsibilities to ask questions and 
demand answers--to become active participants in their health care.
    We cannot expect to solve these problems all at once. With changes 
in medical practices and technology occurring every day, we need to be 
flexible, to change course if our strategy isn't working and meet new 
challenges as they arise.
    Mr. Chairman, we in the Department and the Administration are eager 
to work with you to enact strong national medical privacy legislation.
    Thank you again, for giving me this opportunity to testify. My 
colleagues and I look forward to answering any questions that you may 
have.

    Mr. Bilirakis. Thank you, Doctor.
    I would say virtually all of the opening statements from 
members here on both sides of the aisle emphasized, obviously, 
the sensitive balancing act that is involved here and certainly 
emphasized the need to not come up with something that would 
basically hurt research and new ideas.
    Having said that, I understand that the report submitted by 
the Biotechnology and Industrial Organization dated May 27, 
1999, fresh off the press, entitled Confidentiality of Patient 
Medical Records--this, by the way, I would ask unanimous 
consent to be made part of the record at this point--has 
reported and I quote them, referring to two bills, H.R. 1057 
and H.R. 1941, ``contain provisions that will significantly 
impede medical research by requiring that all research be 
monitored by an external entity.''
    [The information referred to follows:]
       Statement of the Biotechnology Industry Organization (BIO)
               Confidentiality of Patient Medical Records
                           executive summary
    The Biotechnology Industry Organization (BIO) is encouraged that 
the Subcommittee on Health and the Environment of the House Commerce 
Committee is holding this hearing and working to develop legislation to 
protect the confidentiality of patient medical records. Although it is 
critical to protect patients' confidentiality rights, this legislation 
must be carefully written to allow the continuation of vital medical 
research. Specifically, federal legislation must recognize that medical 
researchers use--and sometimes share--information and should not impose 
undue burdens on these efforts. Federal legislation should create 
national, uniform confidentiality protections, rather than leaving 
researchers subject to a patchwork of state laws. Further, legislation 
should not interfere with existing FDA rules governing adverse event 
reporting. While it is critical to protect patients, imposing too many 
restrictions on access to important data will slow research efforts. 
Federal legislation must facilitate the positive uses of medical 
information to help ensure that the biotechnology industry will 
continue to make breakthrough scientific achievements into the next 
century.
                               statement
    The Biotechnology Industry Organization (BIO) represents 832 
companies, academic institutions and state biotechnology centers 
engaged in biotechnology research on medicines, diagnostics, 
agriculture, pollution control and industrial applications. BIO would 
like to take this opportunity to provide input into the continuing 
congressional debate on legislation to protect the confidentiality of 
patient medical records.
    BIO is pleased that the Congress is developing federal medical 
confidentiality legislation. As you know, under existing law, if 
Congress does not act by August of this year responsibility 
automatically shifts to the Secretary of the Department of Health and 
Human Services to prepare regulations regarding the use and disclosure 
of patient information in electronic transactions. Thus, if Congress 
does not enact legislation, the rules governing patient confidentiality 
will be a patchwork comprised of these regulations and a myriad of 
state laws. This environment could slow important research efforts.
    BIO has been a supporter of national legislation to protect the 
confidentiality of medical information. BIO strongly supports enactment 
of a law that protects patients' confidentiality, just as we supported 
barring discrimination on the part of group health plans based on 
``genetic information''. We view it as a moral duty--and good public 
policy--to reassure the public that the great promise of biotechnology 
research will not be tarnished by abuses of this technology.
    However, the legislation must be carefully written to allow the 
continuation of vital medical research. This research is essential if 
we are to realize the promise of developing new treatments and cures 
for many diseases. Legislation that unreasonably restricts researchers' 
access to and use of medical information will slow, and could halt, 
research efforts, thereby creating a barrier to the development of new 
drugs and biologics.
    Thus, Congress must craft legislation that balances protecting 
patients' confidentiality while encouraging research. We are optimistic 
that this can be accomplished and want to work with you to develop 
legislation that achieves this balance.
The legislation must carefully define protected health information.
    The public has an interest in protecting the confidentiality of 
identifiable medical information. Information that can be used to 
identify an individual raises privacy concerns. Therefore, legislation 
should define ``protected health information'' to include individually 
identifiable information to ensure that patients' confidentiality 
rights are not breached.
    Information that is coded, encrypted, or otherwise made anonymous, 
however, is not as threatening. Use of this data does not raise privacy 
concerns and therefore should not be subject to the same strict 
regulations as identifiable information. In addition, this information 
is critical for health research. For example, it is often used for 
outcomes research or in disease management programs. This data can 
provide valuable assistance to researchers as they monitor patient 
outcomes or try to determine the appropriate dosages for certain drugs. 
Therefore, legislative language should include information that is 
coded, encrypted, or made anonymous in its definition of 
``nonidentifiable health information.''
    While most of the pending bills contain such a definition, we are 
concerned that HR 1941, the Health Information Privacy Act, sponsored 
by Mr. Condit, Mr. Waxman, and others, does not. Legislation that 
doesn't precisely define nonidentifiable information is likely to have 
a chilling effect on research because researchers will fear that by 
sharing certain information they are violating federal law and will be 
subject to prosecution.
The legislation should not create new external review boards.
    Under current law, patients who participate in clinical trials are 
protected by FDA regulations and the ``common rule''. This includes 
safeguards such as oversight by Institutional Review Boards (IRBs), 
informed consent requirements, and other protections. In certain 
situations, the common rule provides for expedited review to ensure a 
timely response to a research request.
    Some medical research, however, falls outside the common rule. 
Examples include medical record review and certain ``preclinical'' 
research. Federal confidentiality legislation should not impose 
excessive restrictions or layers of bureaucracy on this research. 
Specifically, new legislation should not create an external review 
process that will impose overly burdensome requirements. Requiring that 
all research not governed by the common rule be approved by an external 
review board or satisfy other external monitoring processes will impede 
research.
    Unfortunately, the two bills pending before this subcommittee, HR 
1057, the Medical Information Privacy and Security Act, sponsored by 
Representative Markey, and HR 1941 contain provisions that will 
significantly impede medical research by requiring that all research be 
monitored by an external entity. HR 1057 would require all medical 
research, including research that is privately funded or does not 
involve human subjects, to be reviewed by an IRB.
    HR 1941 goes even farther. It requires that all research be 
reviewed by an entity certified by the Secretary. It should be noted 
that this entity is required under the bill to determine that ``the 
importance of the health research outweighs the intrusion into the 
privacy of the protected individuals who are the subjects of the 
protected information'' before it approves the use of protected 
information. This standard is more restrictive than that used by IRBs.
    Rather than creating additional layers of oversight, legislation 
should protect patients by establishing clear rules governing the use 
of information and penalties for violations of these rules.
Federal legislation should create national, uniform protections.
    Federal legislation should create national, uniform confidentiality 
protections. Clinical trials are multi-state ventures. National 
standards allow researchers to create informed consent and other 
procedures that will be legal in all states. If federal legislation 
allows individual states to impose restrictions on top of these 
standards, research will be slowed.
    Strong national standards will also give the public peace of mind 
because they will know that their medical information is subject to 
appropriate protections. This, in turn, will make them more willing to 
share information with medical researchers.
    Unfortunately, neither HR 1057 nor HR 1941 provides such standards. 
By allowing state laws to remain in force, these bills will foster a 
patchwork of standards and rules that inhibit research.
    We urge Congress to enact preemption language that will supersede 
all state laws that would inhibit access to information important to 
research. If broad preemption language is not adopted for the 
provisions of the entire bill, we urge that preemption language 
governing medical research be adopted.
The legislation should not interfere with existing FDA rules governing 
        adverse event reporting.
    The safety of drugs is monitored by existing FDA rules that require 
physicians and other providers to report to drug manufacturers 
instances of adverse events for safety and efficacy surveillance. These 
programs, which are already regulated by the FDA, are an important 
source of information about the use and efficacy of certain drugs. It 
is critical that new confidentiality legislation not contain provisions 
that will discourage reporting and thereby interfere with these 
programs.
    In our view, once again, HR 1057 and HR 1941 fall short since they 
do not contain these provisions.
The Secretary's Study.
    During this debate, some have argued that the Secretary of the 
Department of Health and Human Services should evaluate the common 
rule, with an eye toward protecting the confidentiality of patients' 
medical information. We would urge you to be cautious about 
legislatively authorizing such a study.
    The Secretary already has the authority to study these issues since 
the common rule requires IRBs to consider patient confidentiality as 
one of the risks to be evaluated when considering a research request. 
If federal confidentiality legislation directs her to review the common 
rule, it should make clear that she should do so in a manner that 
weighs all the benefits and risks to the subject of the research 
including short and long term safety and discomfort, and not just focus 
on confidentiality. Confidentiality concerns should not outweigh other 
factors. Moreover, the legislation should make clear that the product 
of any study be a report to Congress, rather than new regulations. 
Given the controversial nature of this matter, the issues should 
receive a full debate prior to the promulgation of new regulations.
Conclusion
    As the Congress debates confidentiality legislation, we urge you to 
remember that the public has a strong interest in the medical 
achievements of biotechnology. The biotechnology industry is on the 
cusp of developing promising new drugs and treatments for people with 
serious diseases.
    While it is critical to protect patients' confidentiality rights, 
imposing too many restrictions on access to important data will slow 
research efforts. Congress must facilitate the positive uses of medical 
information to continue the breakthrough scientific achievements into 
the next century.
    BIO encourages you to develop this critical legislation. We 
appreciate the opportunity to submit this statement for the record and 
look forward to working with you in this endeavor.

    Mr. Bilirakis. This is so new I am not sure whether you are 
even familiar with it. I apologize to Mr. Waxman and others if 
they haven't had an opportunity to see it. I just think that it 
is significant as we approach it from a generic standpoint.
    Do you have any comments regarding that?
    Ms. Hamburg. Well, I have not seen the document that you 
refer to. But, of course, we appreciate the concerns that many 
have with the academic community and the private sector with 
respect to impediments to ongoing research. We do believe, 
though, that research can be done responsibly and move forward 
in a framework that involves various levels of privacy 
protection, oversight, and monitoring. Certainly the research 
that is supported by the National Institutes of Health goes 
forward under the circumstances and goes forward in a way that 
has supported probably the premier researchers and research 
accomplishments of any place in the world.
    Mr. Bilirakis. Do either of you have anything that you 
would care to add?
    Mr. Eisenberg. Let me add one thing. I think the three 
operative words are all, monitored, and external in what you 
said, all research would be monitored by an external entity.
    We do support the idea that research that is carried out 
with any funds, not just Federal funds, have accountability to 
be sure that the data that is used, the personal information 
that is used, is maintained in a confidential way.
    Second, the word ``monitored'' implies something that is 
much more aggressive than is usually the process for the 
institutional review boards which review the proposal for the 
research. We are asking that there be accountability in the 
event that the confidentiality promises are breached. But the 
standard IRB is not to monitor in a very odious way the 
research that is carried out by investigators.
    Third, the term ``external'' I think could be 
misunderstood. Institutional review boards are not external 
organizations. In fact, one of the very important 
characteristics is that they are internal, that one member of 
the IRB needs to be someone from outside the organization, but 
they are internal organizations which are watch dogs to 
determine that the research is carried out according to the 
highest principles of research ethics.
    Mr. Bilirakis. Did you have anything that you wanted to 
add?
    Ms. Skirboll. Yes. I would add that Federal research, that 
you are well aware of, much of it is records research, health 
services research, epidemiology now comes under the common 
rule. The common rule requires an outside entity, if you will, 
act separate from the investigator to review research.
    Research is looked at for both privacy issues, for 
confidentiality issues, whether research requires informed 
consent or not. And this is all done in the context of both 
protecting the privacy of patients, particularly protecting the 
privacy of patients that volunteered to participate in 
research, and, at the same time, ensuring that research can 
move forward, important research can move forward.
    Mr. Bilirakis. Well, as I understand it saying in the same 
point here, according to the written testimony of the 
Biotechnology and Industrial Organization, H.R. 1941 would 
expand the Federal Government's role in private research by 
requiring that all research, whether funded with private 
dollars or taxpayer dollars, be reviewed by an entity certified 
by the Secretary using standards that are more restrictive--
``more restrictive,'' their words--than that used by 
institutional review boards.
    Do you agree or disagree that expanding the scope of the 
Secretary's power over private research and imposing higher 
compliance costs will impede scientific research? I know that 
we all are--my time is up, but I know we are all concerned with 
the biotechnology industry's inputs in this regard. And I don't 
know to what extent the administration has worked with them in 
working up your proposed regulations, but it is certainly an 
area that we all need to work on. Very quickly, my time is up, 
if you would like to respond.
    Ms. Hamburg. I think that it is very important that these 
issues get aired and discussed. We appreciate this forum and 
others for that purpose.
    I think that ultimately we feel very deeply that the health 
of our research enterprise depends on the trust and confidence 
of those participating in research, that their privacy will be 
protected and confidential data will be handled appropriately. 
And that if you are participating in a research study, you 
probably are not paying attention to what is the source of that 
funding and distinguishing between what kinds of protections 
you get from one circumstance and another.
    People basically want to have some fundamental sense of 
confidence that their very personal and sensitive health 
information will be handled appropriately. We think there are 
mechanisms to achieve that in the public and private sector.
    Mr. Bilirakis. Thank you. We have a couple more panels who 
will probably continue to explore that.
    Mr. Brown.
    Mr. Brown. Thank you, Mr. Chairman. Dr. Hamburg, obviously 
private companies that conduct research have raised questions 
about the impact of various privacy bills on their operations. 
Run through, if you would, how the Secretary's recommendations 
would affect, could affect private sector health research, say 
a clinical trial for example.
    Ms. Hamburg. I think that I might turn to my colleague from 
NIH who has looked at this in more specific detail to give you 
the best possible answer.
    Ms. Skirboll. I think it would be important for us to 
describe how it works for the Federal sector briefly and then 
explain what the Secretary has recommended.
    First of all, it is important to understand that all 
federally supported research that comes under the common rule, 
the 17 agencies that signed on to common rule, are protected 
using both IRBs and informed consent. Walking through that, a 
researcher has a proposal, the proposal comes to the IRB chair, 
the IRB chair determines whether that research requires 
informed consent or does not and whether it requires expedited 
review or not.
    Let me go first to informed consent. Informed consent is a 
determination of risk, what is the risk to the patient. With 
medical records, the risk really has to do with privacy and 
confidentiality. That is weighed and determined whether 
informed consent should be required in this study or not. If 
informed consent is required, the common rule says that you 
must, in the informed consent document, inform the patient the 
extent to which their privacy will be protected.
    If informed consent is waived, then the particular study is 
considered not risky to privacy and confidentiality or to the 
risk of the patient. What do I mean by that? The common rule 
requires that you look at things that we all agree would be 
risky with regard to confidentiality. Would it be damaging to 
our financial status, to our employability? Is it stigmatizing? 
Does it have an effect on reputation?
    It cannot be waived if the research is--a review cannot be 
waived if IRB--it could not be waived if it meets those 
criteria and informed consent cannot be waived. Much research, 
much records research, and I could give you examples of each, 
are waived and no informed consent is required with regard to 
the issues of burden associated with such IRB review.
    The Secretary's recommendations very simply require this. 
The Secretary's recommendations suggest that without--as long 
as you are doing research in which there is no informed 
consent, it does not address informed consent research, where 
there is no informed consent, there should be an IRB-like 
entity, some oversight entity that looks to the extent to which 
confidentiality and privacy are being protected and whether 
informed consent should be obtained or not.
    Mr. Brown. Thank you, Mr. Chairman.
    Thank you.
    Mr. Bilirakis. Mr. Bryant.
    Mr. Bryant. Thank you, Mr. Chairman.
    Let me ask a question. Again, I apologize for missing much 
of the testimony so far. We did have a short mark up, and it 
was short. In terms of law enforcement and investigations that 
might involve health care fraud and abuse, should a privacy 
bill require--would a privacy bill that you would recommend 
allow law enforcement officers to come in and just review 
health care records in a general search for fraud and abuse 
without any specific probable cause, or is it your view that 
they ought to have probable cause and obtain a search warrant 
before they do that? How would you envision any type of 
legislation to make that----
    Ms. Hamburg. This is obviously a complex and difficult 
issue. The Secretary's recommendations recognize that there 
were existing laws at the State and local level with respect to 
access by law enforcement agencies for this information and 
recommended that those be allowed to continue to be enforceable 
and did not really address, in a more comprehensive way, that 
issue.
    Mr. Bryant. In that event, would you envision--in the event 
of some sort of inspection by law enforcement officers, would 
you envision a requirement in any type of privacy bill that the 
patient whose records were reviewed be notified that they were 
inspected and by whom they were inspected?
    Ms. Hamburg. Again, it is a very complex issue. I am not a 
lawyer, and I would hesitate to make specific comment on that 
in that I really am uncertain about the legal framework in 
which that question would have to be answered.
    Obviously we would be happy to work with you on that 
question and bring the right people and resources to bear.
    Mr. Bryant. From a medical standpoint--I am a lawyer, not a 
doctor. From a medical standpoint is there a difference between 
privacy, the word privacy, the term privacy, and 
confidentiality? You nodded your head. You have to speak now.
    Ms. Skirboll. By definition, privacy is the right of an 
individual to limit access and disclosure. Confidentiality is 
really considered the tools by which you do that, you 
accomplish that.
    So privacy is your right to limit access and 
confidentiality is the extent to which it actually is 
disclosed, the tools that you used to keep it confidential. 
That is sort of a dictionary definition of it.
    Mr. Bryant. Unless any of you have any other comments to 
the questions----
    Mr. Eisenberg. I will just tread on dangerous territory, 
too, not being a lawyer. But I do think it is important to 
distinguish whether or not the legal investigation is one that 
involves the patient or one that involves the provider.
    As we look at this issue, we are trying to distinguish the 
different ways in which the legal community would need to 
notify or ask for patient permission when the patient is the 
subject of the investigation versus when it is actually the 
person providing the care, the patient is the subject.
    Most feel that those ought to be distinguished in a 
different way.
    Mr. Bryant. Mr. Chairman, I yield back the balance of my 
time at this point.
    Mr. Bilirakis. I thank the gentleman.
    Ms. Eshoo.
    Ms. Eshoo. Thank you, Mr. Chairman.
    I want to thank the panelists for an excellent 
presentation. To Peggy, I don't know if all of the members of 
our subcommittee know of the extraordinarily distinguished 
family that you come from. Peggy's father most recently headed 
up the Carnegie Foundation and her family has done 
extraordinary work. So we have very distinguished people that 
have given us very important information.
    Currently all 50 States have some form of medical records 
privacy laws and 34 of the States have comprehensive laws. I 
know that it is not unusual to have hundreds or even thousands 
of people enrolled in a clinical trial from dozens of States.
    What types of burdens can you tell us about that 
researchers would face if they have to comply with many 
different laws; and what effects do you think these burdens 
would have on research?
    Ms. Hamburg. Again, I think that Dr. Skirboll is probably 
in the best position to answer your question with respect to 
what is a difficult issue of the patchwork of laws that govern 
privacy and confidentiality.
    Ms. Eshoo. We are going to have to face this in whatever is 
drawn up.
    Ms. Skirboll. I think I described that there are a number 
of circumstances with regard to records research--Peggy gave 
some examples of it and so did John--where informed consent is 
not required to conduct really important research. It gathers 
important information that improves all of our health and 
improves the Nation's health.
    It is important so that when you look at what States may 
put into place. Minnesota has a law right now that requires for 
informed consent for every study of a record. That is an 
enormous burden to those investigators. We believe that the 
system in which an IRB, a local IRB, looks at the issues of 
risk to the patient, allows research to move forward without 
informed consent, in every situation look at the risks 
carefully, that it should be allowed to proceed.
    States could put into place, in patchwork circumstances, 
different regulations that would affect a single clinical trial 
across many States or that would actually bring a halt to 
research where such informed consent is not practical. So there 
is a risk. But there needs to be--the Federal position is that 
there needs--the administration position is there needs to be a 
floor certainly in which everybody understands there is a 
common set of rules.
    Ms. Eshoo. I am not so sure that I have drawn from what you 
have said the effects on research as a result of what we have 
though.
    Ms. Skirboll. The effects of research today? Well, 
Minnesota is an example where it is one State in which being 
able to conduct records research is significantly hampered 
because of the requirement that one always get----
    Ms. Eshoo. So it is too stringent?
    Ms. Skirboll. Yes.
    Mr. Eisenberg. May I add something to that?
    I think there are three issues that need to be considered 
when we look at the State-to-State variation that might exist. 
One of them is it is understandable why the States might be 
filling the vacuum now in the absence of Federal legislation 
and with the uncertainty about whether strong Federal 
regulation and law will exist.
    It is understandable that a State would respond to the 
concerns of the people in that State for privacy and 
confidentiality legislation. Second, it has only been recently 
that there have been experts in this field who have been 
working with the States to help them to draft this kind of 
legislation.
    For example, there was one set of organizations that issued 
model legislation, but just in February of this year. I think 
that as the States start to look at--look at this kind of 
legislation, they will lean upon national experts. I think we 
will probably start to see more uniformity across the States 
even without Federal legislation because of the commonality 
that does exist among the concerned parties.
    Third, it is true that the experience in Minnesota is one 
that we have learned from, but I want to emphasize that we have 
learned from.
    One of the wonderful things about the States in this 
country is they are, as they say, a cauldron for 
experimentation.
    Ms. Eshoo. Test kitchen.
    Mr. Eisenberg. A test kitchen, yes, exactly.
    And I think the people in Minnesota would be the first to 
say that we have learned from the experience there and that 
there have been modifications made even in Minnesota already in 
that State's rules.
    So as we look at this, I think that the most compelling 
argument as we look at the States is we need some Federal 
legislation that will, at a minimum, give a floor so that the 
States can look at what the Federal Government has done and 
decide whether anything else is needed.
    Ms. Eshoo. Very helpful. Thank you. Thank you, Mr. 
Chairman.
    Mr. Bilirakis. I thank the gentlelady. Mr. Whitfield.
    Mr. Whitfield. Thank you, Mr. Chairman. You had mentioned 
the difference in privacy and confidentiality. And privacy, I 
think all of us would view, is this information necessary to 
provide me the best quality of health care that is available.
    I mentioned in my opening statement the outcome and 
assessment information set that is now--was actually--I guess 
it was required and then HIPAA backed off of it or HHS backed 
away. Could you give me an update on precisely where your 
agency is on the OASIS questionnaire?
    Ms. Hamburg. Perhaps the best way to do that is to provide 
you specifically in follow-up to this hearing with that 
information. HCFA is not present, and as you know they have 
the lead responsibility.
    The concerns that you have raised have been addressed. 
There was, in fact, I think a hearing on the Senate side 
earlier this week. Modifications have been made. We are very 
sensitive to the issues, but I think that the specific 
questions you are asking could best be addressed in follow-up 
if that is acceptable to you.
    Mr. Whitfield. Sure. It is my understanding that the 
American Civil Liberties Union also expressed some concern 
about those questions as well; is that correct? Are you aware?
    Ms. Hamburg. I do not know the specific details. I do know 
that this has obviously been the focus of a great deal of 
attention.
    There have been some modifications made in order to focus 
really on what needs to be asked in the context of appropriate 
treatment and assuring quality of care to those receiving home 
care.
    And we would be happy to provide you with detailed 
information about the status of that.
    Mr. Whitfield. I appreciate that. I recognize the 
difficulty in dealing with this whole issue. But as Mr. Deal, 
Nathan Deal, had mentioned as well, when we go back to the 
district, these home health care agencies are more vocal on 
this one issue than almost anything else right now.
    I don't think there is any group more committed to 
providing quality health care to the homebound than they are. 
They have been quite vocal about it. After I had the 
opportunity to review some of the questions which relate to 
finances, plans for conception, laundering, housekeeping, 
shopping, telephone use, it seems that it does go maybe a 
little bit farther than it should.
    While I know that you are not primarily concerned, you are 
involved, I suppose, in some of the policies over there. I just 
wanted to raise that issue because it is vitally important.
    Thank you again for attending today, and we look forward to 
working with you to address this issue.
    I yield back to Mr. Waxman.
    Mr. Waxman. Thank you very much. Mr. Chairman, I want to 
commend Dr. Hamburg and her colleagues and the Secretary for 
their leadership in this effort.
    It will be very helpful for us to discuss with them these 
issues as we prepare legislation. Let me go back to this point 
again that we have been discussing and see if we can get it 
narrowed down.
    Mr. Bilirakis expressed concern about the requirement in 
our bills that the IRB must determine that the importance of 
health research outweighs the intrusion into the privacy of 
protected individuals before approving use of the information.
    Do you believe this requirement is burdensome on the review 
process? I want to note that we are going to hear testimony 
from the Biotech Industry Organization, BIO, where they express 
the same concern, they even said that we have standards more 
restrictive than used by our IRBs. Tell us more about--in the 
answer to this criticism----
    Ms. Hamburg. I think Dr. Eisenberg wants to take----
    Mr. Waxman. [continuing] expressing legitimate concern. How 
do you respond to them?
    Mr. Eisenberg. I think the second comment that you made 
about BIO's position is absolutely accurate. That is that the 
vast majority of the researchers and the vast majority of 
research organizations in this country have standards that are 
even more careful, restrictive, if you want to use that word, 
than we are proposing and more restrictive than current or even 
future IRBs would require.
    The purpose of the proposal is not to make life harder for 
these organizations, but to be sure there is uniformity so that 
every patient who is in every study can be sure that they are 
protected in the way that the best members of BIO are 
protecting the people in their studies.
    I think that is also the case for universities. In all of 
the universities with which I have been involved, the 
universities' institutional review board has not really cared 
whether the study is federally funded or privately funded. The 
point is that there are patients whose confidential information 
is at risk and needs to be preserved. Therefore, the standards 
hold no matter what the source of funding, no matter what the 
type of study, if the basic principle is followed, which is 
that you have got to keep personal health information 
confidential.
    We are not, though, suggesting that the current pattern of 
the IRB for a clinical trial needs to be replicated exactly for 
the preservation of personal health information's 
confidentiality. I think that we would prefer to call it an 
IRB-like mechanism which means that it is an oversight group 
who provides assurances to the public that that data is 
maintained in confidentiality.
    We would like to work with organizations like BIO and 
others in the research field to be sure that if there are parts 
of this process that are burdensome and not necessary that 
those are eliminated.
    Mr. Waxman. Do you use IRB-type organizations or IRBs 
themselves when there is Federal funding for research to look 
at this very issue of privacy?
    Mr. Eisenberg. As Dr. Skirboll mentioned, the common rule 
requires that if there is Federal funding that an IRB be used.
    Mr. Waxman. Have we found a problem with that? Has it been 
burdensome or difficult for researchers?
    Ms. Skirboll. I first want to add that beyond the common 
rule there is a separate set of regulations that FDA, when 
people come in for an IND that is quite similar to the common 
rule in many ways.
    We believe research has been able to move forward under the 
context of both the common rule and FDA regulations.
    Mr. Waxman. One of the most contentious issues in the 
health privacy debate is whether Federal legislation should 
preempt State and local laws that are more protective of an 
individual's privacy.
    Proponents of preemption argue that laws that differ from 
State to State would make business transactions very difficult 
while opponents argue that a Federal law that preempted all 
State and local laws would represent a setback to patients of 
States that have already passed stronger protections.
    One compromise that has been proposed is to grandfather in 
existing State and local laws that are stronger than the 
Federal statute while preempting any future State and local 
laws. It seems to me that one drawback of this approach is that 
States would not be able to respond to privacy issues that may 
arise in the future, things that we haven't thought about yet.
    Would you comment on this? You indicated States are a place 
where we have a lot of experimentation. We learn from what the 
States do.
    Should we preempt them and stop them from acting in this 
area?
    Ms. Hamburg. I will try to be brief because I know time is 
limited.
    Mr. Waxman. Time is only limited for my asking the 
question.
    Mr. Bilirakis. And he still feels that he is chairman 
sometimes.
    Ms. Hamburg. Well, I think the answer is reasonably 
straightforward, which is that we clearly need some sort of 
national legislation which is comprehensive that will set a 
clear and appropriate floor. States can then elaborate as 
needed to suit their particular set of needs and concerns, but 
we do need some sort of baseline and comprehensive floor.
    We need that uniformity as illustrated by some of the 
discussions that we have had this morning.
    Mr. Waxman. Thank you. Thank you, Mr. Chairman.
    Mr. Bilirakis. Thank you Mr. Waxman. Mr. Deal.
    Mr. Deal. I will follow up on Representative Waxman's 
question, and recognizing that all three of you disavowed being 
associated with the legal profession, my question is somewhat 
legal in nature but procedural also.
    As I understand the timetable we are facing is under the 
HIPAA Act of 1996, and unless we legislatively here at the 
Congressional level establish these guidelines by statute, the 
Secretary would have the responsibility of developing the 
guidelines through rules and regulations.
    In order to determine where we are on this issue of 
preemption, is it your understanding that in the absence of 
Federal action before August that the rules and regs 
promulgated by the Secretary would, by the HIPAA Act, be given 
the force and effect of law?
    I assume the answer to that would be yes. But if they are 
given the force and effect of law by that delegation of 
authority to the Secretary, do they necessarily preempt State 
statutes? Is there wording enough in HIPAA to preempt State 
statutes? Where would that stand?
    Ms. Hamburg. I think the most critical issue to put on the 
table with respect to the Department moving forward with 
regulations if the Congress doesn't act is that we would not 
have the authority to provide the kind of comprehensive privacy 
legislation that we have been talking about today.
    The HIPAA requirements clearly limit the authority of the 
Department in terms of the types of information and the 
entities that would be regulated. So that through the HIPAA 
mechanism, I don't think that we would be able to achieve the 
kind of comprehensive privacy legislation that we feel is so 
vitally important to the American people.
    Mr. Deal. So you believe then that there is a need for 
action here to address the issue in a more comprehensive 
fashion?
    Ms. Hamburg. I think the President and the Secretary feel 
very strongly that that is the desirable approach.
    Mr. Deal. Taking it one step further, we commonly pass 
statutes that preempt States for the provisions of existing 
State law that are not as comprehensive, but allow them to go 
further than the Federal standard that is established.
    My question is in the earlier discussions about the 
problems that you were running into from State-to-State 
variations, it was the State statutes in Minnesota, for 
example, that went further that were the impediments to the 
research component.
    So if we pass a Federal statute, but still allow States to 
go further, do we not still leave intact those impediments to 
research and compilation of information by those who are so 
restrictive that they are an impediment?
    Ms. Hamburg. I think as Dr. Eisenberg pointed out earlier, 
one of our concerns is that States are moving because they are 
trying to fill a vacuum that exists because we don't have a 
national approach. So it is our hope that if we do achieve a 
national comprehensive legislative approach that much of what 
we have seen on the State level will not be necessary.
    But our health care system is very complex. How it is--how 
health care is delivered varies by State to State. Technologies 
are changing, and it raises different issues and States may 
react differently. So that if we established uniform and a more 
comprehensive set of protections at the national level, it 
would address many of the concerns that States are currently 
experiencing.
    But there would still be flexibility for modifications 
based on the particular set of needs and concerns that might 
exist within a State.
    Mr. Deal. One final quick question, if I might. In 
reviewing the recommendations from the Southern Governors 
Association and their concerns as we address this issue, one 
issue they have raised is that consent forms not be so broad as 
to allow consent for one purpose but be broad enough to allow 
the sale of information for other purposes.
    Are you seeing problems with consent forms being so broad 
that a person waives rights that perhaps were never intended, 
and if that is the case, is that an issue we need to focus on 
in drafting legislation?
    Ms. Skirboll. That is an important point. I think it is 
important to note that most of the legislation that has been 
drafted so far, most of the considerations that really have 
been addressed in terms of privacy and confidentiality, have to 
do with records for which there is no consent without 
disclosure to the patient.
    There hasn't been a lot of consideration if there is 
consent, what that consent might look at. That is something an 
IRB does, but most of the legislation has really been 
addressing disclosure without patient authorization.
    Mr. Deal. Thank you, Mr. Chairman.
    Mr. Bilirakis. Mr. Burr.
    Mr. Burr. Thank you, Mr. Chairman.
    Dr. Hamburg, let me go back to Mr. Deal and Mr. Waxman's 
question.
    I read your testimony, and I actually wrote on that 
testimony that it said you wanted to preempt. But I heard your 
answer to both questions where both times you stated what we 
need to do is create a floor and to allow States to go further. 
And I would only ask you is that inconsistent with what your 
testimony says, which is the concern of patchwork, a patchwork 
situation.
    And I know that you referred to the patchwork in the 
context of the privacy protections that Americans need and 
expect. Is it the floor or is it the preemptive ceiling that 
HHS would choose?
    Ms. Hamburg. It is clearly our strong desire and preference 
to have a strong national privacy legislation that would 
address the set of concerns that American citizens have 
regardless of where they live.
    We recognize also, though, that there are differing issues 
in different States with respect to constituencies, how health 
care is delivered, et cetera, and that we need to have a 
somewhat flexible approach.
    But there needs to be a floor in terms of a set of 
comprehensive national standards.
    Mr. Burr. I think what I just heard was a modified 
preemption. Would that be an accurate depiction of it? A fluid 
process; let's say?
    Ms. Hamburg. A flexible approach, but I think building on a 
foundation that represents a set of uniform national standards.
    Mr. Burr. Ms. Skirboll--is that it? I am sorry; I came in 
late.
    Let me just ask--NIH has been used in the IRB for archival 
research and I guess I would ask you, have you ever found 
incidents of abuse? Has the NIH experienced incidents of abuse?
    Ms. Skirboll. Abuse with regard to privacy and 
confidentiality?
    Mr. Burr. Yes, ma'am.
    Ms. Skirboll. That is really under the responsibilities of 
OPRR which is housed in NIH, but really is responsible for the 
coverage of the common rule which is 17 agencies. You probably 
have to ask the director of OPRR that. But I think, in general, 
where there is regulation there certainly can be abuse, but the 
purpose of this--the purpose of having the common rule and 
having a local jurisdiction is that there is monitoring by the 
IRB during the process of research, and that if exigencies 
happen, they can be found.
    Mr. Burr. I would assume if there was this horror story of 
abuses, that would not be limited in the knowledge of it to 
just that area of NIH, but it would be known throughout NIH.
    Ms. Skirboll. Privacy is an interesting thing with regard 
to abuse.
    Most people, and I take this from the director of OPRR, 
most people say when there has been a breach of privacy, by 
definition, people don't want to talk about it because it 
causes the further breach of whatever private information was 
breached in the first place.
    So perhaps knowledge--breaches of privacy are not known as 
widely as information of other problems that may arise. So we 
really haven't tracked that.
    Mr. Burr. I am also not a lawyer, never professed to ever 
want to be, have discomfort sitting next to one, but Dr. 
Hamburg, let me ask you more of a legal question and it comes 
from your testimony.
    You said information should not be used or given out unless 
either the patient authorizes it or there is a clear legal 
basis for doing so. Can you give me an example of a clear legal 
basis?
    Ms. Hamburg. Well, for example, before I joined the 
department, I was commissioner of health in New York City and 
responsible for the public health and safety of New Yorkers.
    In order to respond to unusual clusters of disease and 
apparent outbreaks of an infectious disease, we often needed to 
access information with identifiers so that we could do a 
complete and appropriate outbreak investigation, identify the 
source of whatever infectious agent or contaminant was 
threatening the health of the public and ameliorate that threat 
by instituting the appropriate measures.
    And we had the legal authority to do that, and it was 
extremely important to public health and safety.
    Mr. Burr. But HHS would not see defining what a clear legal 
authority would be?
    Ms. Hamburg. Well, I think----
    Mr. Burr. Every time I see ``clear legal authority,'' I 
think that we have--we have punted to the judicial system which 
is not necessarily a comfort for everybody involved to think 
that either HHS would promulgate some new regs or the Congress 
would pass new legislation, only for the courts to try to 
figure out how to share with everybody what we meant.
    Mr. Bilirakis. The gentleman's time has expired. If you 
have a quick response to that, please feel free.
    Ms. Hamburg. I think it is very important that we define 
the set of circumstances under which health information could 
be disclosed without authorization.
    The example I gave of public health was one that was 
identified within the Secretary's recommendations. Clearly we 
live in a very complicated and changing world. And I think that 
we could not produce legislation that would clearly identify 
and define all of the specifics, but I think that there is a 
framework that is reasonably straightforward and put forward in 
the Secretary's recommendations that I think can serve as the 
strong basis for the crafting of appropriate legislation.
    Mr. Burr. I thank you and I yield back, Mr. Chairman.
    Mr. Bilirakis. Yield back. Mr. Markey who is not a member 
of the subcommittee----
    Mr. Eisenberg. Is there time for me to add something very 
quick?
    Mr. Bilirakis. Very quick. He yielded back, you understand, 
time that he did not have.
    Mr. Eisenberg. The other area that is very important that 
we haven't talked about today is the quality of care area. And 
in some of the legislation that exists and in the Secretary's 
language we specify more clearly the kind of legal authority 
that would be provided for assuring quality of care and the 
need for personal information as well.
    Mr. Bilirakis. Mr. Markey, who is not a member of the 
subcommittee but whom we respect greatly.
    You are more than welcome, sir, to inquire.
    Mr. Markey. Thank you very much, sir, and I thank you for 
your typical courtesy. You have always been gracious. I 
appreciate it very much.
    This issue is, without question, the other side of the 
information-age coin. There is no question that because of 
rapid technological change and globalization that there are 
tremendous pressures upon our society to become more efficient. 
And the technology drives it and it makes it possible for 
consolidation across all industry lines, but it also creates 
other problems for individuals.
    So what is good for a corporation is no longer necessarily 
good for individuals, although we can, in fact, find a way of 
reconciling the differences. So the truth of the electronic era 
is that there is a Dickensian quality to it. It is the best of 
wires, and the worst of wires simultaneously. It has the 
ability to enable and to ennoble and it has the power to 
degrade and to debase all at the same time.
    The question for us is whether or not we want to animate 
the technologies with human values or just allow the 
technologies to take their own course knowing that without 
those values, that there will be a compromise of the 
individual.
    And I think that we have to have this debate because I 
believe that we need the same values in the virtual world as we 
have in the real world, and only by debating these issues do we 
make sure that we separate the privacy keepers from the just 
curious peepers who increasingly, on-line, have the capacity to 
be able to move through all of our private lives.
    And then you have this most dangerous of all categories, 
and that is the information reapers, that is, companies, 
corporations, software companies put together just to collect 
all this data and then to market it to a third party--to third 
parties, to sell it, to sell our secrets, our health, our 
privacy, our financial services, any of our electronic 
transactions, children's transactions on-line.
    All of it is valuable information. And so the question for 
us is whether or not we are going to act before the privacy 
pirates move in and create a new world that is very difficult 
for us legislatively to capture. My question to you, doctor, is 
the biotech industry has objected to imposing any privacy 
oversight over research which is privately funded.
    Does privacy deserve less protection based on its source of 
funding, doctor? Is the IRB oversight process a significant 
barrier to good research? Isn't it true that many researchers 
view IRBs as helpful in ensuring research is doing well? Is 
there any reason why we can't extend the common rule in other 
words, to private research?
    Ms. Hamburg. As we have discussed already here this 
morning, we feel that the ongoing health and vitality of the 
research enterprise whether publicly supported or privately 
supported is critical to the future of our health care system 
and our Nation. But in order for that research enterprise to 
move forward, those participating in research have to have 
confidence and trust that their sensitive health information 
will be protected and that the data collected on them will be 
treated in a confidential and an appropriate way.
    Clearly people participating in research are not looking to 
see where the funding comes from and will not be attuned to the 
specifics of privacy protections afforded in one context versus 
another. And we believe that we can achieve the goal of having 
both a healthy ongoing research enterprise and a set of privacy 
protections.
    I think it is very important that we hear the concerns of 
people engaged in different types of research and in different 
contexts for the conduct of research, but that experience 
already has told us that you can move forward with good 
research, quality research.
    Mr. Markey. Excellent, thank you.
    Let me ask you this. Genentech's written testimony opposes 
any of the privacy legislation which is being proposed on our 
side. Mr. Waxman, myself, others moving forward are trying to 
get a debate on it, and they argue there is only minimal risk 
to human subjects.
    Do you consider denial of health insurance a risk? Do you 
consider denial of a job a risk? Or should we just consider 
those minimal?
    Ms. Hamburg. I think it is clear, as your question 
suggests, that there are very serious consequences to the 
inappropriate divulging of certain sensitive health information 
and it is clear that we need to protect individuals. And it is 
ultimately in the interest of research to insure participants 
in the public-at-large that research activities are sensitive 
to those needs and address them.
    Mr. Markey. Thank you, doctor.
    Thank you, Mr. Chairman.
    Mr. Bilirakis. I thank the gentleman.
    Mr. Brown. Mr. Chairman, could I ask unanimous consent for 
five additional questions?
    Mr. Bilirakis. Without objection.
    Mr. Brown. Thank you.
    Dr. Hamburg, I understand the Secretary doesn't have the 
authority to issue regulations as comprehensive as many of us 
on this panel--and perhaps you too, but many of us want to see 
addressed or are necessary. Spell out for us the areas, if you 
would, the Secretary's regulations can't cover that what we, in 
fact, want to protect?
    Ms. Hamburg. I think that with respect to the HIPAA privacy 
regulations, clearly it would be tied to information that is 
electronically managed, and we are still exploring the extent 
of what that means. But clearly tied to electronically managed 
data and also limited to a specific set of entities, providers, 
payers, and clearing houses, so that does limit the scope of 
the activity.
    Mr. Brown. So paper-based medical records, you cannot 
promulgate regulations to govern paper-based medical records.
    Ms. Hamburg. On exclusively paper-based. As I said, we are 
currently exploring the extent of our authorities, and so I 
cannot give you an absolute legally clear answer here, but it 
is very explicit information that is tied to electronically 
transmitted information.
    Mr. Brown. I think, Mr. Chairman, that speaks to the 
importance of--particularly since Congress has not addressed 
this issue comprehensively for 20 years or so, and it may not 
again in the near future, speaks to the importance of 
establishing--of moving forward with legislation, establishing 
a floor, and encouraging innovation in the States rather than 
establishing a ceiling and putting up a disincentive for State 
innovation.
    I would like to yield for a couple of minutes to my friend 
from California, Mr. Waxman.
    Mr. Waxman. Thank you very much. I think that last point 
you made was an excellent one because problems do come up that 
are not anticipated, and we ought to allow the Secretary or the 
States to go beyond minimum protections that we will have in 
Federal law. But the Secretary also called for private right of 
action to enforce the privacy provisions. Why do you think that 
is important?
    Ms. Hamburg. I think it is very important that individuals 
have an opportunity through the legal system to redress 
compromises to their privacy and confidentiality protections.
    Mr. Waxman. If they don't have that legal right, it is a 
promise that may not come true?
    Ms. Hamburg. Well, I think that clearly if we are going to 
put forward a set of legal expectations about privacy 
protection and confidentiality, then we need to follow through 
with some teeth and there need to be, I think, both civil and 
criminal penalties for those who misuse or abuse information. 
And I think that individuals whose privacy has been compromised 
need some mechanism for redress.
    Mr. Waxman. I thank my colleague for yielding. Mr. 
Chairman, I wonder if we could keep the record open and have 
them respond to questions that we may have.
    Mr. Bilirakis. By all means; we make a practice of that and if you would 
be willing to--I might ask if the gentleman would yield the 
balance of his time.
    I guess I am not clear. I know Mr. Burr and others have 
asked about the preemption portion, the need for uniformity, et 
cetera. And I realize maybe it is difficult for you to give us 
a yes or no answer.
    I don't know how we could have uniformity to a point and 
then not preempt to another point; in other words, you are 
talking about this floor business.
    Should we have uniformity where Federal law would preempt 
all State laws?
    Ms. Hamburg. I think there should be as I thought I had 
indicated earlier----
    Mr. Bilirakis. You have said.
    Ms. Hamburg. I guess it is good I am not a lawyer.
    Mr. Bilirakis. You sound like you would make a good one.
    Ms. Hamburg. There should be a set of clear standards that 
are in place that represent a uniform set of standards on a 
national basis, but then that represents a floor, not a 
ceiling, and does allow for State by State innovation based on 
changing circumstances, particular concerns.
    Mr. Bilirakis. What you are saying is uniformity up to a 
point, but the States could--would not be preempted if they 
were to add to those uniform standards?
    Ms. Hamburg. This is, as you are very well aware, a complex 
set of issues that are being discussed in the context of a very 
complex health care system, a very complex set of research 
needs and requirements and, of course, a world where technology 
is changing rapidly. So we think that we need to maintain a 
certain level of flexibility, but there are important issues. 
And we need national legislation to address them.
    Mr. Bilirakis. Couldn't we retain that flexibility on a 
national scale so that the flexibility can be done again on a 
national standpoint so that there would be complete uniformity?
    I am not really expressing a position here. I am asking 
questions because I guess I am not clear given we have been 
working on this quite some time.
    Mr. Waxman. Would the chairman yield?
    Mr. Bilirakis. Yes.
    Mr. Waxman. I think there are times the States can see 
issues that affect them that may not affect people in other 
States like the HIV epidemic, for example, where we didn't 
anticipate such a thing before it happened.
    When it happened, it hit certain States harder first than 
others. And a State might have wanted to add their own 
provisions, but under no circumstances do we want to have 
American citizens anywhere in this country not have certain 
basic protections of privacy of medical records.
    So I think what you are saying--we do this all the time in 
Federal law--we are going to have certain provisions that will 
apply everywhere, and then States should be able to act when 
unanticipated issues come up. We don't want to tie their hands. 
They're closer to these problems than the people in the Federal 
Government. They can often be very innovative and we shouldn't 
stifle them.
    Mr. Burr. Mr. Chairman, could I ask unanimous consent for 
one question?
    Mr. Bilirakis. Without objection.
    Mr. Burr. It really follows up, to some degree, on that, 
but you talked in your testimony about the sensitivity of 
genetic information. And I think one could conclude from your 
testimony that there might be a belief that there needs to be a 
different set of standards for genetic information than for 
everything else.
    Ms. Hamburg. Actually, we are not recommending that. We 
believe that if we can achieve a baseline that is appropriate 
and sufficiently comprehensive, it would embrace and protect 
for all kinds of health information and that it would be a 
mistake to begin to compartmentalize for the reasons we were 
just discussing about how things will emerge that we haven't 
thought about today.
    Clearly today with all of the advances that are going on in 
the field of genetics, genetic screening is an area of great 
concern to the public, particularly because it is an area where 
science hasn't fully informed us--informed us about what some 
of the genetic screens actually mean.
    So the potential for unintentional misuse as well as abuse 
is very, very clear and present now. And people are concerned 
about it, but there are many types of medical information that 
are sensitive. And we believe we should be striving for a 
comprehensive approach.
    Mr. Burr. So you do see a uniform approach. I thank you 
and thank the Chair.
    Mr. Markey. Mr. Chairman, could I ask one additional 
question?
    Mr. Bilirakis. After that nice note you just sent me, yes.
    Ms. Eshoo. Mr. Chairman, could I just make a point of 
inquiry.
    Are we doing a second round of questions?
    Mr. Bilirakis. No, we were not contemplating doing that 
although let's face it, that is what we are doing.
    If you have something more by all means.
    Ms. Eshoo. I think he should go first since he asked. But 
since we have done that, I would like to get mine in as well.
    Mr. Markey. Thank you, Mr. Chairman. I will just ask one 
quick question.
    Mr. Bilirakis. By all means.
    Mr. Markey. Which is a clarification on the 
administration's position as to whether or not under existing 
law it has the ability to put a right of action on the books 
that can be exercised by individuals to protect their health 
care privacy.
    Does the administration believe it has that legal authority 
under existing law or does it need new legislation in order to 
accomplish that goal?
    Ms. Hamburg. Certainly we believe it should be a part of 
whatever national legislation would be enacted, and we feel 
that in order to achieve the broad set of goals put forward in 
the Secretary's recommendation that is the right approach 
rather than to build on existing authorities.
    Mr. Markey. The administration does not believe that it has 
authority under existing law?
    Ms. Hamburg. Under HIPAA?
    Mr. Markey. Under any existing law.
    Ms. Hamburg. I don't know the answer to that question. 
There may be those in the department that do. We can get back 
to you on this.
    Mr. Markey. I think it would be very important for the 
administration to clarify your position on the legal standing 
that you have on that issue before we proceed.
    And I want to work with you, Mr. Chairman, through Mr. 
Brown who is the leader of the Democrats on these issues on the 
committee. I want to work through Mr. Brown with the majority 
toward, hopefully, a positive resolution.
    Thank you, Mr. Brown, Mr. Chairman, for your indulgence.
    Mr. Burr [presiding]. The gentleman's time has expired.
    The Chair will recognize Ms. Eshoo.
    Ms. Eshoo. Thank you, Mr. Chairman.
    What kind of civil monetary penalties, criminal penalties 
or other provisions are in the Secretary's recommendations?
    Ms. Hamburg. The Secretary outlines in broad terms the 
concept of the requirements for civil penalties, civil monetary 
penalties for unauthorized disclosure of information and 
criminal penalties for the intentional abuse of information, 
release of information, and in keeping with actually what 
Congress mandated under HIPAA, the point was made that the 
penalties should be--well, perhaps we should get back to you in 
terms of the specific details because I am afraid I might not 
represent them appropriately.
    Ms. Eshoo. That is more than fair.
    I think it would be useful information if in fact there are 
specifics. If it just states that it should be or there are----
    Ms. Hamburg. It is broad in its approach, but it does 
indicate the need for both civil and criminal penalties under 
certain circumstances.
    Ms. Eshoo. Thank you. Thanks again for each one of you 
being here today. Excellent. We learned a lot. This is exactly 
what a hearing should be about.
    Thank you, Mr. Chairman.
    Mr. Burr. I thank the gentlelady.
    The Chair, seeing no requests for additional questions, 
would once again thank our three witnesses today and would 
dismiss the first panel and take this opportunity to call up 
the second panel.
    Mr. Burr. The second panel is comprised of Dr. Steven 
Jacobsen with the Mayo Foundation; Dr. Robert Amdur, associate 
professor and chairman, Dartmouth Committee for the Protection 
of Human Subjects, Dartmouth Medical School; David Stump, 
Genentech Fellow; Ms. Fran Visco, president, National Breast 
Cancer Coalition; Ms. Dawn Gencarelli, Harvard Pilgrim Health 
Care; Ms. Abbey Meyers, National Organization of Rare Disease; 
Daniel Krinsky, Patient Services and Pharmacy Practice; and 
Terry Latanich, Government Affairs, Merck-Medco.
    The Chair would like to welcome our witnesses that comprise 
the second panel. We realize it is rather large. I would ask 
all of our witnesses today to try to hold their opening 
statements to the 5-minute rule. We will attempt to try to 
figure out what is going on on the House floor. I would ask all 
members to try to limit to one round of questioning if we can, 
but certainly the Chair would entertain any requests for 
clarification.
    At this time if I may, I will just start at my left--the 
Chair has changed his mind. I will start at my right; Dr. 
Jacobsen is recognized.

STATEMENTS OF STEVEN J. JACOBSEN, DIRECTOR, SECTION OF CLINICAL 
    EPIDEMIOLOGY, THE MAYO FOUNDATION; ROBERT AMDUR, FORMER 
  ASSOCIATE PROFESSOR OF MEDICINE AND CHAIRPERSON, DARTMOUTH 
   COMMITTEE FOR THE PROTECTION OF HUMAN SUBJECTS, DARTMOUTH 
 MEDICAL SCHOOL; DAVID C. STUMP, GENENTECH FELLOW; FRAN VISCO, 
     PRESIDENT, NATIONAL BREAST CANCER COALITION; DAWN M. 
  GENCARELLI, MANAGER, HEALTH POLICY, HARVARD PILGRIM HEALTH 
 CARE; ABBEY MEYERS, PRESIDENT, NATIONAL ORGANIZATION OF RARE 
 DISORDERS; DANIEL L. KRINSKY, DIRECTOR, PATIENT SERVICES AND 
   PHARMACY PRACTICE, RITZMAN PHARMACIES INC.; AND TERRY S. 
  LATANICH, SENIOR VICE PRESIDENT, GOVERNMENT AFFAIRS, MERCK-
                             MEDCO

    Mr. Jacobsen. Mr. Chairman, members of the committee, I am 
Dr. Steve Jacobsen, a physician researcher at Mayo Clinic. I 
want to thank you for the opportunity to testify about the 
importance of medical records-based research and the potential 
impact of legislation restricting access to medical records for 
this category of research.
    For the past 8 years, I have had the privilege to work at 
the Mayo Clinic. I truly believe that Mayo Clinic's 
international reputation as a center of excellence grew out of 
its commitment to improve patient care through research, often 
through the use of the medical record. Our founders, Drs. 
William and Charles Mayo, went on record early in this century 
saying the best way to improve care was to rigorously evaluate 
patient outcomes.
    They and their colleagues designed systems that ensure that 
all information about a patient was immediately available for 
care and readily accessible for systematic reviews of the 
outcomes of care. They set a precedent for the scores of 
studies of the outcomes of care that have changed medical 
practice at Mayo Clinic and throughout the world.
    I also need to stress that Mayo Clinic maintains its 
commitment to the confidentiality of medical information. One 
of our most basic tenets is that information is available 
because of the trust between the patient and the providers of 
care. All employees are instructed on the importance of 
confidentiality.
    In regard to medical record-based research, I want to 
emphasize that information from this type of research is vital 
to patients and their physicians. This is not an issue of 
society's need for information versus the patient's right to 
privacy. Patients, individually, have a great need for this 
information. Let me give you an example.
    I have a friend who was recently diagnosed with prostate 
cancer. Upon hearing of the diagnosis, he immediately had a 
number of questions. What was going to happen to him? What were 
the chances of complications? Were there things his sons should 
know about their risk of developing the disease?
    I am sure you can think of similar questions that you have 
wanted to ask your own physician. The answers to these questions 
are often obtained by reviewing medical records. It is because 
of the importance of answering these types of questions for 
patients and their physicians that Mayo Clinic maintains its 
commitment to accurate medical record-based research.
    My second point is that each and every one of us in this 
room needs to be concerned about the potential impact of 
legislation that might block access to some medical records for 
research. This concern comes from the threats to the accuracy 
of findings of studies that can result from missing some 
records. To illustrate, let me go back to my friend.
    One of the important factors in his decision about surgical 
therapy was the risk of certain side effects. Imagine if over 
the past several years men who experienced those side effects 
were upset with their outcome. Maybe they didn't expect it. 
Perhaps they blame their surgeon but regardless refuse access 
to the medical record for research purposes.
    A study based only on patients who did provide the 
authorization, in other words, those who did not experience 
those side effects, would suggest that the surgery was much 
safer than in reality. Thus, my friend could have made a 
decision on the basis of this information.
    This potential inaccuracy is the crux of our concern for 
limiting access to medical records for research purposes. At 
Mayo Clinic we feel it our responsibility to provide patients 
and their physicians the best possible information so the best 
possible decisions can be made.
    Is this threat real? I believe the answer is yes. As you 
know, the State of Minnesota now limits access to medical 
records for research except with prior authorization. In a 
recent study, we found that refusal rates were higher among 
women, persons under 6 years of age, and persons with certain 
underlying illnesses such as mental disorders, breast cancer, 
and reproductive problems. Unfortunately, the degree of 
inaccuracy resulting from the absence of such records is 
probably not knowable in any particular study. The only way to 
ensure accurate information is through a complete and unbiased 
inclusion of all medical records of all appropriate patients.
    Finally, the third point I would like to make relates to 
potential harm if the rules regarding research use of medical 
records vary from State to State. The biases imposed as a 
consequence of different laws could seriously hinder the 
improvement of patient care. For example, in a study of the 
outcomes of prostate cancer surgery in patients from the Mayo 
Clinic sites in Arizona, Florida, and Minnesota, it could be 
virtually impossible to sort out if any observed differences in 
the outcomes of these patients were due to different patient 
characteristics, different processes of care, or simply biases 
introduced by the different laws. It is extremely important 
that laws concerning the research use of medical records are 
uniform across all States.
    In closing, I would like to emphasize that medical record-
based research is vital to the continued improvement of patient 
care and is essential to patients and physicians as they 
consider decisions about the courses of care. This information 
must be as accurate as possible.
    The only way to ensure this is through complete and 
unbiased information. We do recognize the need for 
confidentiality of information, but we must not confuse 
research access with open access to medical information.
    Mr. Chairman, the restriction of these medical records for 
research purposes does not ensure privacy of personal medical 
information. It does not address the public's concern with 
regard to the potential misuse of health information. Instead 
it hinders medical research as directed toward improved patient 
care and puts the public's health and well-being at risk.
    Thank you.
    [The prepared statement of Steven J. Jacobsen follows:]
   Prepared Statement of Steven J. Jacobsen, Associate Professor of 
                       Epidemiology, Mayo Clinic
    Chairman Bilirakis, members of the committee, I am Dr. Steve 
Jacobsen, a physician researcher at Mayo Clinic. Thank you for the 
opportunity to testify before you regarding the important issue of 
medical records confidentiality.
    Today, I would like to discuss two fundamental questions bearing on 
this issue. The first is: What is the importance of medical records-
based research to the public? And the second is: What is the impact of 
legislation restricting access to medical records on this category of 
research?
    For the past eight years, I have been privileged to work at the 
Mayo Clinic. I truly believe that Mayo Clinic's international 
reputation as a center of excellence in medicine and surgery grew out 
of its commitment to improve patient care through research, often 
through the use of the medical record. In fact, our founders, Drs. Will 
and Charlie Mayo went on record in the early years of this century 
saying that the best way to improve care was to rigorously evaluate 
patient outcomes. In order to do this, they and their colleagues 
designed a ``unit medical record'' in which medical data on each 
patient is stored in one self-contained packet that is kept in 
perpetuity. This was done so that all information about a patient was 
immediately available to the physician treating the patient and so that 
a systematic review of the outcomes of care could be performed easily. 
They also built indexes that identified records of patients with 
specific conditions or who had undergone specific procedures. They 
recognized that there was a wealth of information collected as part of 
routine clinical care and that no subset of this information could be 
conceived that would capture sufficient detail for all potential 
studies. Through these efforts, they set the precedent for the scores 
of studies of the outcomes of care that have changed medical practice 
at Mayo Clinic and throughout the world.
    Medical records research is vital to maintaining and improving the 
health of the American public. In fact, virtually every health hazard 
that we know of today has been identified using information from 
medical records. Take AIDS, for example. If researchers had not been 
allowed to study the medical records of patients with unusual immune 
deficiency problems in the late 1970's, the characterization of the 
AIDS epidemic would have been delayed at a substantial cost to the 
public's health. Other examples include studies examining the benefits 
and risks of estrogen treatment, as well as the health risks of 
smoking, dietary fats, obesity, and certain occupations. You may have 
read that an outbreak of invasive streptococcal infection was 
identified at Mayo in 1995. Without access to the medical records of 
patients with these unusual infections, characterization of this 
syndrome and isolation of this deadly bacterial strain would have been 
delayed. And over one hundred school children--which our research 
showed were the unwitting carriers of this deadly germ in their 
throats--would have gone untreated. This discovery led to the 
designation of invasive strep as a reportable disease. Such a 
designation permits earlier recognition and control of epidemics. 
Medical records research is also critical for evaluating the long-term 
side effects of drugs, the safety of medical devices or procedures, the 
cost effectiveness of alternative medical practices, and the usefulness 
of diagnostic tests.
    Mayo Clinic, as I mentioned, is committed to improving the practice 
of medicine and patient care through its long-standing tradition of 
performing these types of studies, looking at groups of patients. This 
approach is important because physicians may remember patients who have 
done well with a particular treatment. Likewise, they can remember the 
patients who have not. However, they cannot remember these results in 
sufficient detail to quantify the likelihood of a good or bad result. 
We use systematic studies of groups of patients so that we can sort out 
true differences from random outcomes. Furthermore, when we perform 
these studies, we have to be sure that the findings reflect any true 
differences and not just the factors related to which medical records 
were reviewed. I will expand on this in a moment.
    Before doing so, however, I need to stress the point that Mayo 
Clinic also maintains its commitment to the confidentiality of medical 
information as well. It is one of our most basic tenets that this 
information is available because of the trust between the patient and 
the providers of care. All employees are instructed on the importance 
of confidentiality; there are strict penalties, including loss of 
employment, for violations of this trust.
    As part of this, we strongly maintain that research access IS NOT 
open access to the medical record. All studies are monitored by our 
Institutional Review Board. Information is collected from the medical 
record by trained individuals, usually just one or two for any given 
study. All of these individuals have been thoroughly briefed about the 
importance of confidentiality and procedures to help ensure it. The 
information is summarized and never published in identifiable form. 
This is not casual access.
    As you consider legislation concerning research use of medical 
records, there are several important factors that I hope you will take 
into account. These include the importance of medical record research, 
the potential impact of legislation blocking access to some medical 
records, and the importance of consistency in the laws across all 
states.
    First, it is important to understand that information from medical 
record research is vital to patients and their physicians. Most 
advocates of increased restrictions paint the issue as one of society's 
need for information versus the patient's right to privacy. However, 
the patients, themselves, have a great need for this information. Let 
me give you an example. I recently had a friend who was diagnosed with 
prostate cancer. Upon hearing of the diagnosis, he immediately had a 
number of questions. What is going to happen to me? Among each of the 
treatments, what are the long-term outcomes? Are there things I should 
tell my sons about their risk of developing this disease? I am sure 
that if you think back to your own encounters with the medical system, 
you can think of when you have asked some of those same types of 
questions. These kinds of questions can only be answered by studying 
the experience of large groups of patients. It is because of the 
importance of answering these questions for patients and their 
physicians that Mayo Clinic maintains its commitment to accurate medical 
record research.
    The second point is that we all need to be concerned about the 
potential impact of legislation that might block access to some medical 
records for research purposes. This concern comes from the potential 
threats to the accuracy of findings of studies due to incomplete 
ascertainment of outcomes. To illustrate, let me go back to my friend 
recently diagnosed with prostate cancer. One of the important factors 
in his decision about whether or not to undergo surgical therapy was 
the risk of certain side effects. Imagine what would happen if, over 
the past several years, men who experienced the side effects were upset 
with their outcome, perhaps blamed their surgeon, and refused access to 
the medical record for research purposes. A study based only on those 
patients who did not experience those side effects would suggest that 
the surgery was much safer than in reality. Thus, my friend would be 
making his decision on the basis of misinformation.
    This potential threat is the crux of the concern for limiting 
access to medical records for research purposes. At Mayo Clinic, we 
feel it our responsibility to provide patients and their physicians the 
best possible information so that the best possible decisions can be 
made.
    Is this threat real? I believe the answer is ``Yes''. I was 
principal investigator of a study recently published in the Mayo Clinic 
Proceedings, a copy of which is included in the Appendix to my written 
statement. We conducted this Institutional Review Board approved study 
to compare the characteristics of persons refusing to provide a general 
authorization of the use of the medical record for research purposes with 
those who did. This was prompted by passage of a law in the State of 
Minnesota that limits access to medical records for research except 
with the prior authorization of the patients in question. 
Institutionally, we felt it necessary to understand the potential 
impact of the recent Minnesota bill on the quality of information 
generated from medical record studies.
    In this study among patients recently seen at Mayo Clinic, we found 
that slightly over 3% of patients explicitly told us ``I do not 
authorize Mayo to review medical records about me for medical 
research''. Approximately 80% of patients provided us an explicit 
authorization and 17% did not explicitly give us an indication of their 
wishes despite three written contacts. This demonstrates the importance 
of how the responses of persons not explicitly expressing their wishes 
are treated. If considered a ``No'', the effective refusal rate would 
have been over 20%. This high proportion greatly increases the chance 
that a bias, such as I described in the hypothetical example, could 
influence the results of any study.
    Another important finding was that refusal rates were higher among 
certain subgroups. In general, women were more likely to refuse 
authorization than men, persons under 60 years of age were more likely 
to refuse than older individuals, and patients traveling longer 
distances for care at Mayo Clinic were less likely to refuse than those 
from the local community. In addition, we found that persons with 
certain underlying illnesses, such as mental disorders, breast cancer 
and reproductive problems were also more likely to refuse 
authorization. While some of these findings may be somewhat 
predictable, it is not possible to know how refusal rates might 
systematically differ between any particular comparison groups. 
Furthermore, it is likely that our assessment of potential differences 
underestimates what would likely be happening at other institutions 
that don't enjoy the same level of trust and respect from their 
patients. The bottom line is that the degree of inaccuracy introduced 
by restricting access to medical records for research purposes is 
probably not knowable in any particular study and is likely to vary 
from question to question and from setting to setting. The only way to 
ensure accurate information is through complete and unbiased inclusion 
of all medical records.
    Finally, this third point that I would like to make relates to the 
potential harm of allowing the rules regarding research use of medical 
records to vary from state to state. Mayo Clinic Rochester is about 60 
miles west of the Wisconsin border and 40 miles north of the Iowa 
border. Thus, a substantial proportion of our referral practice comes 
from these two neighboring states. In fact, Mayo operates in five 
states. Imagine if you will, the complexity of trying to deal with 
three separate sets of laws, each with different standards for the use 
of medical records for research purposes. More important, however, is 
the concern for different sets of biases imposed as a consequence of 
these laws. For example, imagine a study comparing the outcomes of 
prostate cancer surgery in patients from the University of Iowa and 
Mayo Clinic Rochester. If different laws affected the selection factors 
for this study, the results would be extremely difficult to interpret. 
It would be virtually impossible to sort out if any observed 
differences were due to patient characteristics, processes of care, or 
simply biases introduced by different laws controlling access to 
medical records for research purposes. This might preclude the 
investigator's ability to identify certain patient characteristics or 
patterns of care that may benefit patients with prostate cancer. It is 
extremely important that laws concerning the research use of medical 
records are uniform across all states.
    In closing, I would like to emphasize that medical record research 
is vital to the continued improvement of patient care. Furthermore, 
information generated from medical record research is essential to 
patients and physicians as they consider decisions about courses of 
care. Consequently, it is absolutely essential that this information be 
as accurate as possible. The only way to ensure this is through 
complete and unbiased information. At the same time, it is important to 
recognize the need for confidentiality of information. We mustn't, 
however, confuse research access with open access to medical 
information. Mr. Chairman, legislation restricting access to medical 
records for research purposes does not ensure privacy of personal 
medical information and does not address the public's concerns 
regarding the potential misuse of public health information. Instead, 
it hinders scientific research and puts the public's health and well-
being at risk for serious harm. Your attention should be focused on 
stopping the actual abuses of medical record information that harms 
patients.
    Thank you for your attention.

    Mr. Burr. Thank you, Dr. Jacobsen.
    The Chair would recognize Dr. Amdur for 5 minutes.

                    STATEMENT OF ROBERT AMDUR

    Mr. Amdur. Good morning. I am a physician with an interest 
in research ethics. I am here to urge you to pass legislation 
that will require that research involving review of 
confidential information from a person's medical record be held 
to the same ethical standards regardless of who conducts the 
research or where the funding comes from.
    Most of the medical research that I perform requires 
confidential information from medical records, so I know how 
important it is to have access to this kind of information.
    I have experience with the Federal regulations related to 
research because for the past 4 years I have chaired the 
institutional review board at Dartmouth. For anybody not 
familiar with that term, an institutional review board is a 
type of ethics committee that is charged with protecting the 
rights and welfare of research participants.
    When considering medical records legislation as you are, it 
is important to understand two main points. The first point is 
that our society currently has only one formal system for 
evaluating the ethics of a research study. And this is the 
system of protection described in our code of Federal 
regulations. These regulations basically present a manual that 
explains the procedure and criteria that should be used to 
determine if a specific research proposal is acceptable from 
the ethical standpoint. The basic criteria for ethical research 
are common sense things like being sure that the risks to 
subjects are minimized and that the risks are in proportion to 
the expected benefits of the research.
    The take-home message that I would like to leave you with 
is that the Federal regulations are good regulations and are to 
help to protect individual subjects and to maintain the 
integrity of our research process. However, what many people 
don't understand is that without Federal legislation--the 
protections that are provided by these regulations are limited 
to studies that are funded by a Federal agency or being done as 
part of an application for FDA licensure.
    Today, if I want to study the medical history of 
congressional representatives like yourself, I don't need to 
get Federal funds, I can finance it myself. I may be able to 
get access to your medical records without going through any 
meaningful review process. That is the problem.
    The final point that I would like to make is a response to 
the arguments that I have read about passing legislation about 
medical records research. As I see it, the main issue of 
concern is that if we require the same standard for both 
privately and federally funded research, the volume of 
regulated activity will increase to the point that society's 
ability to conduct research will be compromised.
    I don't share this concern, and I think that it reflects a 
fundamental misunderstanding in two basic areas. One 
misunderstanding is that there is currently a lot of privately 
funded research going on outside the Federal regulatory system. 
This is not true.
    While we don't have definitive data on this issue, the fact 
of the matter is most privately funded research is done either 
as part of an FDA application for licensure which means it must 
comply with Federal regulations or at academic institutions 
which have signed a type of contract with the National 
Institutes of Health called a multiple project assurance.
    What this contract says is that the institution will 
require that all research under its auspices be done in 
compliance with Federal regulations, regardless of funding 
source. The point is that the great majority of privately 
funded research today is already going on in compliance with 
Federal regulations and reviewed by the IRB system.
    The second misunderstanding is that extending the authority 
of the Federal regulations to privately funded research will 
mean that medical centers, insurance companies, et cetera, 
throughout the country will have to go through the 
institutional review board system every time they want to 
review medical records as part of a quality assessment effort, 
utilization review, outcome evaluation, et cetera.
    This is not going to happen because the regulations only 
apply to medical research. Medical research in the regulations 
is defined to be, ``a systematic investigation designed to 
develop or contribute to generalizable knowledge,'' a specific 
definition. There is no question that the institutional review 
board authority does not extend to the wide range of non-
research activities that opponents of the effort are concerned 
about.
    Thank you.
    [The prepared statement of Robert Amdur follows:]
   Prepared Statement of Robert Amdur, Former Associate Professor of 
                   Medicine, Dartmouth Medical School
Introduction
    Good morning. My name is Robert Amdur. I am a physician with an 
interest in research ethics. I am here to urge you to pass legislation 
that will require that research that involves review of confidential 
information from a person's medical record be held to the same ethical 
standard regardless of who directs the research or where the funding 
comes from. Most of the medical research that I do requires 
confidential information from medical records so I know how important 
it is to have access to this kind of information. I am familiar with 
federal research regulations because I have chaired the Institutional 
Review Board at Dartmouth for the past 4 years. For those of you who 
are not familiar with this term, the Institutional Review Board is a 
type of ethics committee that is charged with protecting the rights and 
welfare of research subjects.
Main Points
    When considering medical records legislation it is important to 
understand two main points:
    1. The first point is that our society currently has only one 
formal system for evaluating the ethics of a research study and this is 
the system of protections described in our code of federal regulations. 
These regulations basically present a manual that explains the 
procedure and criteria that should be used to determine if a specific 
research proposal is acceptable from the ethical standpoint. The basic 
criteria for ethical research are common sense things like being sure 
that the risks to subjects are minimized and that risks are appropriate 
in relation to the expected benefits. The take home message is that 
these are good regulations that help to protect individual subjects and 
maintain the integrity of the research process. However, what many 
people don't understand is that without federal legislation the 
protections that are provided by these regulations are limited to 
studies that are funded by a federal agency or being done as part of an 
application for FDA licensure. Today if I want to study the medical 
history of congressional representatives, and I don't use federal 
funds, I may be able to get access to your medical records without 
going through any meaningful review process.
    2. The final point that I would like to make is a response to the 
argument against passing legislation about medical record research. As 
I see it, the main issue of concern is that if we require the same 
standards for both privately and federally funded research, the volume 
of regulated activities will increase to the point that the ability to 
conduct research will be compromised. I do not share this concern and I 
think it reflects a misunderstanding in two areas.
    One misunderstanding is that there is currently a lot of privately 
funded research that is being done outside the federal regulatory 
system. This is not true. Most privately funded research is done at 
institutions that sign a type of contract called a ``Multiple Project 
Assurance'' with the National Institutes of Health that commits them to 
conducting all research according to federal regulations regardless of 
funding source. I am happy to explain why an institution would want to 
establish this Assurance in the question period, but for the purpose of 
this discussion the point is that passing federal legislation will not 
meaningfully increase the volume of regulated research because most 
privately funded research is already being reviewed according to 
federal regulations.
    The second misunderstanding is that extending the authority of the 
federal regulations to privately funded research will mean that medical 
centers throughout the country will have to go through the 
Institutional Review Board system every time they want to review 
medical records as part of a quality assessment or utilization review 
activity. This is not going to happen because the regulations only 
apply to medical record review that is being done for research 
purposes. As the regulations define research to be ``a systematic 
investigation designed to develop or contribute to generalizable 
knowledge'' there is no question that Institutional Review Board 
authority does not extend to the wide range of non-research activities 
that opponents of federal legislation in this setting are concerned 
about.

    Mr. Burr. Thank you, doctor.
    The Chair would recognize Dr. Stump for 5 minutes.

                  STATEMENT OF DAVID C. STUMP

    Mr. Stump. Good morning, Mr. Chairman, members of the 
committee.
    Thank you for the opportunity to testify before you today 
regarding this most important issue of confidentiality of 
patient medical information.
    My name is David Stump. I am a physician and vice president 
of clinical research for Genentech, Incorporated, a San 
Francisco, California-based biotechnology company. Genentech is 
the pioneer in the biotech field responsible for the 
development of several breakthrough, life-saving biological 
products, including Pulmozyme for cystic fibrosis; Activase for 
the treatment of heart attack and stroke; Rituxan for the 
therapy of non-Hodgkin's lymphoma; and most recently, Herceptin, 
a new treatment for metastatic breast cancer.
    Genentech has been working for several years in support of 
enactment of strong uniform Federal standards designed to 
safeguard the confidentiality of patient health information and 
limit its use to activities which are appropriate and necessary 
to the daily functioning of our dynamic health care delivery 
system, including the use of information for biomedical 
research.
    Throughout this effort, however, we have grown to realize 
that while such Federal standards are clearly needed to help 
assuage concerns over the abuse of patient health information 
and facilitate patient confidence in the system, it is equally 
critical that new Federal law recognize that patient 
information is the foundation of our growing effort to enhance 
the quality of health care we deliver through accountability, 
outcomes analysis, and medical research. Any failure to strike 
this delicate balance could have the dramatic and unintended 
consequence of stifling innovation and limiting the ability of 
companies like Genentech to effectively continue its mission in 
pursuing drug therapies for unmet medical needs.
    In addition, any new Federal standards must create a single 
uniform system of safeguards, accountability, and penalties by 
which the research community must abide by preempting the 
increasing patchwork of State law which is working to minimize 
our ability to conduct research effectively and affordably.
    I understand that this is a first hearing of this 
subcommittee and that you face an August deadline for action. 
While you will no doubt hear about the importance of this issue 
from many other panels today, I personally want to emphasize 
the critical importance of your decisions regarding patient 
confidentiality to the biomedical research community and to the 
patients who suffer from the illnesses we seek to study and 
cure.
    While we at Genentech are firmly committed to protecting 
the confidentiality of every single patient whose information 
we review and use each minute of each day, our ability to 
hypothesize, study, develop, test, and manufacture new products 
is directly related to both the quality and availability of 
information.
    Our founders were the first to conceptualize the process of 
cloning human proteins for the purpose of manufacturing life-
saving therapies. Vital to this process then and now, nearly 20 
years later, is the ability to access patient data past, 
present, and future. Please understand that I will not testify 
today that new Federal standards that limit our ability to 
access patient data will eliminate biomedical research as we 
now know it.
    However, I will say without responsible access to such 
information, patients themselves whom we all seek to protect 
will be the ultimate losers as they will have access to fewer 
important new therapies.
    The medical research community depends upon uniform 
standards for the performance of clinical and medical 
investigations. As we consider new important legislation aimed 
at protecting the privacy and confidentiality of patients from 
abuse, we need to be certain that this legislation does not 
erect unnecessary barriers that will slow and impede medical 
research. To do so will adversely impact all future generations 
who are dependent on the steady progress of medical research in 
order to improve their lives as they encounter and struggle 
with consequences of illness and disease.
    The United States is unquestionably the world's leader in 
medical research. Our leadership to date has been fostered by 
ready, uniform access to key information and data contained in 
the patient's medical records. Our own clinical studies involve 
data from patients all over the country and the world, for that 
matter. We engage in partnerships with research entities, 
health plans, and others located across all 50 States of the 
United States.
    I know that access to data drives research, particularly 
medical research, and access to patient's data has driven 
medical research in the United States since the turn of the 
20th century. Of particular concern to us are proposals that 
would extend Federal oversight into private research where the 
research involves information only and not the patients 
themselves.
    Unfortunately, legislation introduced recently would 
accomplish this by extending the common rule to all research, 
meaning that even our data and archival research would be 
subject to review by an institutional review board. This is 
problematic to us for a number of reasons.
    First, the IRB rules and policies surrounding informed 
consent are intended to ensure that human subjects 
participating in clinical trials are made sufficiently aware 
through the informed consent process of the potential risk of 
their safety. Thus, the rules are intended to ensure the safety 
of the human subject.
    This legislative debate is about the use of medical 
information. The health safety risks to the human subject 
presented by confidential review and use of medical information 
are minimal; thus the application of the common rule and of IRB 
review to private, archival data review is an apples to oranges 
comparison.
    Thank you, Mr. Chairman, for allowing me to share with you 
some of Genentech's principles and concerns regarding patient 
confidentiality. The subcommittee has been a vital partner in 
assuring a stable and fruitful environment for biomedical 
research as illustrated by your recent efforts on the Food and 
Drug Administration Modernization Act.
    Please understand that the ultimate impact of this issue is 
no different and is directly related to our ability to continue 
innovative research. Please be assured that we share your 
commitment to protecting and safeguarding patient information. 
After all, patients are ultimately our business.
    Please also understand that information is a lifeblood of 
research. We applaud this subcommittee's effort and very much 
look forward to working with you and others toward the final 
enactment of strong, workable and, most importantly, uniform 
Federal standards protecting the confidentiality of patient 
medical information.
    Thank you.
    [The prepared statement of David C. Stump follows:]
Prepared Statement of Dave Stump, Vice President, Clinical Development 
                  & Genentech Fellow, Genentech, Inc.
    Good morning, Mr. Chairman, and Members of the Committee. Thank you 
for the opportunity to testify before you today regarding this most 
important issue of the confidentiality of patient medical information. 
My name is Dr. Dave Stump, and I am Vice President of Clinical 
Development for Genentech, Inc., a San Francisco, California-based 
biotechnology company. Genentech, Inc. is a pioneer in the 
biotechnology field, responsible for the development of several 
breakthrough, life-saving biological products, including Pulmozyme for 
Cystic Fibrosis; Activase for cardiac disease; Rituxan, for non-
Hodgkin's lymphoma; and most recently, Herceptin for metastatic breast 
cancer.
    Genentech, Inc. is an active member of the Pharmaceutical Research 
and Manufacturers of America (PhRMA), the Biotechnology Industry 
Organization (BIO) and the Healthcare Leadership Council (HLC). We have 
been working closely with these organizations and numerous other 
coalition partners through the HLC in support of enactment of strong, 
uniform federal standards designed to safeguard the confidentiality of 
patient health information and limit its use to activities which are 
appropriate and necessary to the daily functioning of our dynamic 
health care delivery system, including the use of information for 
biomedical research.
    Throughout this effort, however, we have grown to realize that 
while such federal standards are needed to help assuage concerns over 
the abuse of patient health information and facilitate patient 
confidence in the system, it is equally critical that new federal law 
recognize that patient information is the foundation of our growing 
effort to enhance the quality of health care we deliver through 
accountability, outcomes analysis and medical research. Any failure to 
strike this delicate balance could have the dramatic and unintended 
consequence of stifling innovation and limiting the ability of 
companies like Genentech, Inc. to effectively continue its mission and 
pursuit of drug therapies for unmet medical needs. In addition, any new 
federal standards must create a single, uniform system of safeguards, 
accountability and penalties by which the research community must abide 
by preempting the increasing patchwork of state law which is working to 
minimize our ability to conduct research effectively and affordably.
    I understand that this is the first hearing of this Subcommittee, 
and that you face an August deadline for action. While you will no 
doubt hear about the importance of this issue from all of the other 
panelists today, I want to emphasize the importance and saliency of 
your decisions regarding patient confidentiality to the biomedical 
research community and to the patients who suffer from the illnesses we 
study. While we at Genentech, Inc. are firmly committed to protecting 
the confidentiality of the patient information we review and use each 
minute of each day, our ability to hypothesize, study, develop, test 
and manufacture products is directly related to the quality and 
availability of information.
    Our founders, Herb Boyer and Bob Swanson, were the first to 
conceptualize the process of cloning human proteins for the purpose of 
manufacturing life-saving therapies. Vital to this process then and 
now, nearly 20 years later, is the ability to access patient data--
past, present and future. I will not testify today that new federal 
standards that limit our ability to access patient data will eliminate 
biomedical research as we know it. I will say, however, that without 
responsible access to such information, patients will be the true 
losers as patients will have access to fewer, more expensive therapies.
    The medical research community depends upon uniform standards for 
the performance of clinical and medical investigations. As we consider 
new important legislation aimed at protecting the privacy and 
confidentiality of patients from abuse, we need to be certain that this 
legislation does not erect unnecessary barriers that slow and impede 
medical research. To do so will adversely impact all future generations 
who are dependent on the steady progress of medical research in order 
to improve their lives as they encounter and struggle with the 
consequences of illness and disease.
    The United States is unquestionably the world's leader in medical 
research. With appropriate pride, we can point to our academic research 
institutions, the National Institutes of Health (NIH) and the Center 
for Disease Control (CDC), to name a few of the more prominent 
institutions. The United States is home to leaders in all types and 
varieties of medical research from epidemiology and outcomes research 
on one hand to the application of novel surgical techniques on the 
other. Our leadership, however, has been fostered by ready, uniform 
access to the key information and data contained in the patient's 
medical records. Our studies involve data as well as patients from all 
over the country, and the world, for that matter. We engage in 
partnerships with research entities, health plans and others also 
located across the 50 United States. I know that access to data drives 
research, particularly medical research, and access to patient's data 
has driven medical research in the United States since the turn of the 
20th century.
    Of particular concern to Genentech, Inc. are proposals that would 
extend federal oversight into private research where the research 
involves information only, and not the patients themselves. Legislation 
introduced by Representative Markey (D-MA) (H.R. 1057) accomplishes 
this by extending the Common Rule to all research, meaning that even 
our data and archival research would be subject to review by an 
Institutional Review Board (IRB). This is problematic for a number of 
reasons. First, the IRB rules and policies surrounding ``informed 
consent'' are intended to ensure that human subjects participating in 
clinical trials are made sufficiently aware, through the informed 
consent process, of the potential risks to their safety. Thus, the 
rules are intended to ensure the safety of the human subject. This 
legislative debate is about the use of medical information. The 
``risks'' to the human subject presented by review and use of medical 
information are minimal and thus, the application of the Common Rule and 
of IRB review to private, archival data review is an apples-to-oranges 
comparison.
    Further, I understand that IRBs do actually review archival 
research projects of institutions which are otherwise subject to the 
Common Rule. However, in those circumstances, the rule provides for 
expedited review of such research as it is considered to present 
``minimal risk'' to the individual. Even the suggestion that we would 
be able to obtain expedited review of our archival research projects 
would add significant new layers of unnecessary federal oversight over 
private activities, depleting time and resources from our research 
endeavors. What appears to be a simple, straightforward requirement 
would directly result in fewer projects being initiated and fewer 
products being discovered. Conversely, we support an approach which 
would impose accountability on our ability to access information, limit 
our use of such information to bona fide research, and impose penalties 
on us for its misuse.
    Thus, workable and uniform rules regarding how we may access and 
use this gold mine of information are critical to our underlying 
success. Let us consider some examples:

1. The Mayo Clinic was founded in 1907. The founders recognized the 
        value of looking critically at their own experience, both in 
        terms of the natural history of disease in their patients and 
        the outcomes of their surgical and medical interventions. The 
        Mayo Clinic has been a leader in the indexing of medical 
        records, the application of the information technologies needed 
        to search and retrieve information from their patient 
        databases, and in outcomes research. Dr. Melton described some 
        of the Mayo Clinic experience in an editorial in New England 
        Journal of Medicine in 1997. He noted that more than 1,000 
        articles have been published in the medical literature based on 
        the Mayo Clinic experience, and described particular 
        difficulties associated with a law passed in Minnesota which 
        has made it more difficult for the Mayo Clinic to conduct 
        epidemiologic research by requiring specific patient 
        authorization for the use of patient data.
    Now that the Mayo Clinic has spread to at least three states 
(Florida, Arizona, and Minnesota), and is a pioneer in the development 
of a computerized medical record, we can look forward to even more 
productive information stemming from their experience, assuming that 
ill-advised legislation from states or the federal government relating 
to patient confidentiality does not dramatically erode our ability to 
use this information to further medical research.

2. The comparison of medical research done in the United States and 
        Europe by pharmaceutical companies reveals some important 
        insights. The United States is a preferred site for drug 
        development. I believe this relates to the presence of uniform 
        standards for pharmaceutical research supervised by the FDA as 
        well as to the similar guidelines adopted by physicians and 
        institutions in the United States. Compare our situation to the 
        diverse array of regulatory agencies one encounters in Europe, 
        not to mention the variations in language, culture, politics, 
        and standards of medical practice. The implementation of 
        different local standards of patient confidentiality in the 
        United States will have the practical effect of erecting 
        barriers to medical investigations of all kinds. Ultimately, 
        these barriers will lead to inefficiency and a loss of the 
        advantages now present in our country. Pharmaceutical companies 
        care deeply about time, resource expenditures, and 
        productivity. Should legislation lead to disincentives for 
        pharmaceutical research, drug development efforts may well be 
        shifted away from the United States towards more favorable 
        environments.
3. Recently the National Registry for Myocardial Infarction (NRMI) 
        showed that important differences exist between different 
        regions of the United States in regard to the diagnosis and 
        treatment of myocardial infarction or heart attacks. Women in 
        general, and older women in particular, were much less likely 
        to have their heart attack diagnosed and treated as compared to 
        men. These differences varied significantly by region in the 
        US. Uniform standards allow ``outcomes research'' to be done 
        across our country and detect deviations that can be addressed. 
        This type of research is critical for improving the quality and 
        reducing the cost of treatment and care.
    In the past few years significant progress has been achieved in the 
understanding of genomics in the metabolism of drugs and in drug 
interactions. The importance of drug metabolism was initially 
recognized as differences in pharmacokinetics and pharmacodynamics in 
racial sub-populations. Subsequently, the differences have been 
attributed to the genetic variations such as cytochrome P450 that are 
responsible for the metabolism of drugs. These differences are critical 
to understanding the safety and efficacy of many drugs across patient 
populations. The study of relevant sub-populations has become a common 
FDA requirement for the approval of many drugs. The majority of some of 
these sub-populations are concentrated in a few states. State 
regulations inhibiting access to patient records will have the 
unintended consequence of inhibiting access to information about the 
sub-populations of patients. As a result, we will know less about their 
diseases, the natural history of diseases in these subgroups, and the 
effects of medical and surgical treatment on their illnesses.
    This is not just a theoretical argument. In the 1960's and 1970's, 
we routinely excluded women and children from research involving new 
drugs to ``protect them.'' As a result, we had almost no information 
about the safety and activity of these drugs in women or children. 
Despite the absence of critical information, these same drugs were 
broadly used in the treatment of women and children once they were 
approved.
    Another example is the FDA's regulations for filing an 
Investigational New Drug Application (NDA) prior to commencing studies 
in humans. This is a significant hurdle that is not present in the 
United Kingdom where research can be done on normal male volunteers 
with informed consent and approval from an Institutional Review Board 
(IRB). Many pharmaceutical companies, even those centered in the United 
States, are performing initial human studies in the United Kingdom. I 
maintain that unnecessary barriers create real disincentives for doing 
medical investigations and fewer investigations are not in the 
patient's best interests. Clearly, we need to avoid legislation that 
will produce similar unintended consequences in the future.
    The economic rationale for a uniform standard for patient 
confidentiality is compelling. Diverse laws governing patient 
confidentiality will create a need for individually ``tailored'' 
programs aimed at gaining access to the data in patient's records. The 
variability and diversity between different states will create a level 
of unnecessary complexity. To address the complexity, researchers will 
need to spend more time and more money to accomplish their research 
goals. The consequences will be to increase the cost of research and 
reduce the number of investigations that are done. Smaller numbers of 
more expensive studies are not in the best interests of patients or our 
country.
    To put this discussion in context, Genentech, Inc., as well as the 
HLC coalition, support the general approach taken in legislation 
introduced in April by Senator Bennett (R-UT). Senator Bennett's bill, 
the ``Medical Information Protection Act of 1999,'' provides for 
comprehensive standards relating to patient confidentiality and imposes 
clear limits on the ability to use information for purposes of health 
care delivery and medical research. Yet, the bill establishes standards 
in a way that provides sufficient flexibility for each health plan, 
researcher, physician and hospital to establish its own system for 
ensuring compliance. Further, the bill provides very thorough 
preemption of state law, creating a uniform, predictable environment 
for the research community while replacing current state law with a 
rational, comprehensive system of federal safeguards, responsibilities, 
limits and penalties. To date, this is the only legislative proposal 
that would effectively address concerns I described earlier, such as 
those of the Mayo Clinic, while not sacrificing any ``protections'' 
provided to patients.
    Conversely, the proposal introduced by Representative Markey would 
undermine our ability to conduct broad, inclusive, population-based 
research using patient data by subjecting us to a new federal standard 
as well as several conflicting state law standards relating to use, 
safeguards and patient authorization. Specifically, the Markey proposal 
would not only expressly extend federal oversight into all private 
research activities involving only information, the proposal also would 
establish a federal ``floor,'' allowing any state law which is 
considered to provide ``greater protection'' than the federal law to 
remain in effect. Even disregarding the practical difficulty of 
determining such a subjective standard as what constitutes ``greater 
protection,'' which would undoubtedly require litigation to mediate, 
this standard would clearly perpetuate the complexity and inconsistency 
that is state law which stifles the industry.
    Here is a practical example. In the wake of concern over genetics--
the power of genetic information and its potential for abuse--some 
states require that ``genetic'' information be segregated from the rest 
of the patient's medical record and subject to different standards. 
Under the Markey proposal, any such state laws would likely remain in 
effect, either by virtue of already being in existence or by virtue of 
being considered more protective than the federal law. As a result, 
health plans, hospitals and providers would have to separate out 
``genetic'' information from the rest of the patient's medical 
information and treat it differently.
    This raises several practical concerns. First, the states may vary 
in terms of what is considered ``genetic.'' Even assuming states could 
agree on what they define as ``genetic,'' as a physician, I can assure 
you that virtually every piece of medical information is, by its very 
nature, genetic. Eye color, gender, the predisposition to breast cancer 
are all examples of genetic information. So, how do we, as a practical 
matter, separate this information out from other, ``non-genetic'' 
medical information? Second, state rules regarding segregation will 
vary. As such, we would be potentially subject to 50 different sets of 
rules regarding segregation and use of this critical information. 
Finally, the practical implication of such limitations is devastating. 
The value of so-called genetic information is immeasurable and is 
directly responsible for the development of such breakthrough drugs as 
Herceptin, which provides, for the first time, real hope to women 
suffering from breast cancer and their families.
    Rather, federal law should subject all patient health information, 
including genetic information, to the same strong standards for 
protection. While each of the Senate proposals would provide new 
federal standards for protecting all such information (albeit 
differently), the on-going ability of states to apply different law and 
the attendant lack of preemption of such state law, directly undermines 
this shared goal.
    Thank you, Mr. Chairman, for allowing me to share with you 
Genentech's principles and concerns regarding patient confidentiality. 
The House Commerce Committee has been a vital partner in assuring a 
stable and fruitful environment for biomedical research, as illustrated 
by your recent efforts on the Food and Drug Administration 
Modernization Act (FDAMA). Please understand that the ultimate impact 
of this issue is no different, and is directly related to innovation 
and research.
    Be assured that we share your commitment to protecting and 
safeguarding patient information; after all, patients ultimately are 
our business. Also understand, though, that information is the 
lifeblood of research and to the ability of the health care delivery 
system to enhance and assure quality. Patients are deserving of one 
strong law that secures all such information equally, and provides one 
clear set of rules regarding how patient information must be 
safeguarded, how it may be used, and the penalties that will apply for 
any misuse.
    We applaud this Subcommittee's effort and look very forward to 
working with you and others toward the final enactment of strong, 
workable and, most importantly, uniform federal standards protecting 
the confidentiality of patient medical information.

    Mr. Burr. Thank you, Dr. Stump.
    The Chair would recognize Ms. Visco at this time for an 
opening statement.

                     STATEMENT OF FRAN VISCO

    Ms. Visco. Thank you. I am here as a breast cancer survivor 
and the president of the National Breast Cancer Coalition, an 
organization that represents more than 500 member organizations 
from across the United States and more than 60,000 individuals.
    Our focus is on eradicating breast cancer. That is our 
goal, our mission. Our focus is on research, making certain 
that there is sufficient high quality research to get the 
answers to this disease and also policies that will support 
access to care, access to quality care. And we understand that 
we need more information and we need research in order to 
determine what do we mean by quality care.
    Access to care is not enough. It has to be access to 
quality care, and we support research that will get those 
answers also. But there is a problem that we are facing. And 
the problem is that the public has lost confidence and trust in 
the medical and scientific community. Perhaps when we had it, 
it was misplaced. But the fact is that now it is lost. The 
evolving health care system is--plays a major role in why we 
have lost that confidence, but there it is.
    Patients won't go into research. It is very difficult to 
get them involved. We are very concerned about the use and 
misuse of information. Information is the lifeblood of 
research. It is my life and it is my blood and I have a right 
to make certain that it is protected and it is used 
appropriately.
    We certainly don't want to hamper research. We don't want 
to erect unnecessary barriers to care. No one wants to do that. 
The issue is what is a necessary barrier? Losing the confidence 
and trust of the people who are the subject of this research is 
the No. 1 barrier to care--to research. That is what hampers 
research. That is what we need to correct.
    What we want to do is create an atmosphere of collaboration 
and partnership where patients and the scientific community 
move forward together in getting the research, where we trust 
that the information that we have given is going to be used. 
And we need a minimal set of Federal standards in order to 
achieve that trust, to reinstate that confidence and that 
atmosphere which would bring us closer more rapidly to the 
answers that we need.
    So what do we need? We need to make certain that, wherever 
possible, the information that is used is identified. We are 
looking at the explosion of technology that Mr. Markey 
described and that you are all aware of. We can use that 
explosion to help.
    Perhaps there are ways we can use it creatively to keep 
track of individuals who have participated in research, to help 
get their consent. We need to have standardized consent that 
will make it easier for individuals to give consent. We need to 
make certain that there is IRB-type review and oversight of 
both public and private research.
    It hasn't created inappropriate barriers in public 
research, and we know it won't in private research always. To 
establish that trust once again, we have to make certain that 
we have anti-discrimination legislation protecting people from 
the abuse and misuse of their genetic information. And we need 
to make certain that Federal legislation and Federal 
regulations are a strong floor.
    Once we have established the trust in the public once 
again, there will be less pressure on the States to establish 
their own regulations and their own laws. And if industry is 
concerned about this, they can adhere to the strongest state 
regulations, and they would have the uniformity that they seek.
    Right now we are looking at the law in Minnesota. I think 
it is a wonderful example of why Federal legislation should be 
a floor. Here we have an evolving situation. The law has 
already been amended once. What we need is to use that kind of 
a situation to educate and inform the American public so they 
understand the importance of giving their consent.
    They understand that the consent they give is for the use 
of research, the use of information and research that will be 
well-protected and will get the answers. If we educate the 
public about the importance of giving their consent, they will. 
They want the answers. If they trust us that we won't abuse the 
information that we are using, they will let us use it. They 
want the answers. They want us to get the answers that will 
further their health and the health of their families.
    And finally, what we need are strong penalties. It isn't 
enough to have a wonderful law in place if there is absolutely 
no strong right to enforce your right under that law, and what 
we need is the right to sue.
    I very much look forward on behalf of the National Breast 
Cancer Coalition to continuing to work with you to make certain 
that we have effective Federal legislation that creates a floor 
that we can build upon.
    Thank you.
    [The prepared statement of Fran Visco follows:]
  Prepared Statement of Fran Visco, President, National Breast Cancer 
                               Coalition
    Thank you, Mr. Chairman and members of the Committee for inviting 
me to testify today. I am Fran Visco, President of the National Breast 
Cancer Coalition and a breast cancer survivor. I am one of the 2.6 
million women living with breast cancer in the U.S. today.
    The National Breast Cancer Coalition (NBCC) is a grassroots 
advocacy organization dedicated to eradicating breast cancer. We are 
made up of 500 member organizations and more than 60,000 individual 
women, their families and friends. The NBCC seeks to increase the 
influence of breast cancer survivors and other activists over public 
policy in cancer research, clinical trials, and access to quality 
health care for all women.
    The NBCC believes strongly that we need to establish a national 
policy that ensures an individual's right to privacy with respect to 
personally identifiable health information. We believe that our 
illness, diagnosis, treatment and prognosis are very personal 
information, whether we are breast cancer survivors, women battling 
breast cancer, or women with a predisposition to breast cancer. We also 
know that the misuse of our health information can harm us and our 
families. Unauthorized or inadvertent disclosure of our health status, 
genetic or family history can make it difficult if not impossible for 
some women and their daughters to obtain health insurance. At the same 
time, NBCC believes that legislation protecting privacy rights should 
not impede the progress of biomedical, behavioral, epidemiological and 
health services research. Research offers women diagnosed or 
predisposed to breast cancer the best hope for finding a cure, 
improving treatment, and someday preventing breast cancer. NBCC 
believes that research can be carried out in a way that protects the 
privacy rights of individuals and simultaneously enhances public trust 
in medical research.
    We are at a decision point where we can allow the computer 
revolution to make access to our personal health information a free-
for-all or where we can harness the new communications technologies to 
insure that our personal health information remains private. Because 
access to health records and information is so critical to the progress 
of research, we may need a new paradigm to protect an individual's 
privacy--even if it should cost more. Research can not be held to a 
lower standard for protecting privacy: it must be held to a higher 
standard to ensure the public's support and trust.
    How can we maintain the public trust? By establishing key 
safeguards for personally identifiable health information. By requiring 
informed consent and ensuring that it is not coerced. By limiting 
disclosure to the minimal information necessary. By establishing strong 
penalties for those individuals who violate these protections and by 
supporting the highest quality peer-reviewed research.
    NBCC believes that Congress needs to provide consumers with 
important new rights, including:
    Access to Medical Records. Individuals should have certain rights 
with regard to their medical record and information in order to 
understand how they are being used and maintained. Individuals should 
have reasonable access to their records to inspect, copy, supplement or 
amend their medical records. Individuals should also be able to seek 
special protection for certain sensitive information that they do not 
wish to be disclosed. For example, many women would not wish to 
disclose genetic information such as BRCA 1 and BRCA 2 test results to 
insurers or employers, but would want this information made available 
to their health care providers.
    Notice of Information Policies. It is also important that 
individuals understand how their medical records are to be used and 
when and under what circumstances information will be disclosed to a 
third party. Plans and other health care providers should be required 
to notify individuals about their disclosure policies and to keep 
records when information is released, to whom it is provided, and for 
what purpose, and make that information available to individuals. 
Individuals should also be able to withdraw consent or limit what 
information is disclosed.
    Informed Consent. Any legislation should strictly limit the use of 
identifiable health information absent an individual's informed consent 
except as explicitly permitted in legislation for public-interest 
purposes (such as public health for use in legally authorized disease 
and injury reporting, public surveillance or a public health 
investigation or intervention, health oversight, and emergency 
purposes). There should be clear circumstances when protected health 
information will not be disclosed, such as for marketing, insurance 
underwriting, or employment purposes without authorization of the 
individual. Moreover, plans, providers and others should be required to 
de-identify as much protected health information as possible and limit 
disclosure to only the information necessary for the approved purpose.
    Medical Research: There has been much debate about what are 
appropriate safeguards for personally identifiable information with 
regard to research, and much discussion about whether current federal 
regulations can sufficiently protect patient confidentiality. 
Increasingly, much health services, epidemiological, biological and 
statistical research relies on the use of medical or health records and 
does not involve any interaction between the researcher and the 
patients. Researchers have legitimately raised serious questions about 
the feasibility of seeking authorization from thousands or possibly 
millions of individuals. Other research such as retrospective or 
secondary research relies on archival patient materials, including 
medical records and tissue specimens, and also does not involve 
interaction directly with individuals. And while the data can be encrypted, 
researchers and epidemiologists need to link this data back to 
individuals in order to generate meaningful conclusions regarding the 
benefits and adverse outcomes of particular treatments, as well as 
medical effectiveness.
    The question for Congress, and for patient advocates like NBCC who 
care deeply about the research mission and are committed to privacy 
protection--is when to require voluntary informed consent to conduct 
research and under what circumstances to allow the disclosure of 
protected health information without patient authorization.
    Under the common rule, research organizations conducting federally 
funded or regulated research projects must establish and operate 
institutional review boards (IRBs), which are responsible for reviewing 
research protocols and for implementing federal requirements designed 
to ensure the safety of human subjects. No human-subjects research may 
be initiated, and no ongoing research may continue, in the absence of 
IRB approval. Integral to conducting research under the common rule is 
a requirement that there is proper informed consent and documentation 
of that consent.
    There is also a mechanism under the common rule that allows for the 
IRB to waive the need for informed consent--but only under certain 
limited situations where: 1) the research involves no more than minimal 
risk to the subjects; 2) the waiver or alteration will not adversely 
affect the rights and welfare of the subjects; 3) the research could 
not practicably be carried out without the waiver or alteration; and 4) 
whenever appropriate, the subjects will be provided with additional 
information after participation.
    Thus, IRBs currently deliberate and make decisions about when 
informed consent is and is not necessary. The burden is on the 
researcher to demonstrate to the members of the IRB why informed 
consent is not necessary. There should be another test for deciding on 
whether to waive the requirement for informed consent. The IRB should 
be required (in addition to the criteria above) to determine if the 
importance of the health research outweighs the intrusion into the 
privacy of the individual. In this way, the IRB would be able to 
successfully balance the need for the research with an individual's 
right to privacy.
    There are two problems with the current system I would like to 
note: first, there are serious problems with institutional review 
boards; and second, not all health research is subject to IRB. 
Increasingly, there is health research that falls outside the common 
rule. This raises questions about building a new system, with an 
increased responsibility to protect privacy, on a flawed program.
    Nevertheless, NBCC believes that IRBs are an appropriate paradigm 
to build upon. Before doing that, we recommend that any legislation 
require a serious review by the Secretary and a requirement that the 
Secretary make recommendations regarding standards for protecting 
privacy in research and improvements in the system to ensure its 
success in meeting its responsibility to individuals involved in 
research.
    We also believe that Congress should extend the common rule to all 
research. There is always an opportunity for protected health 
information to be disclosed that could be harmful--even if that 
information is eventually aggregated. There needs to be one system for 
protection that applies to all research; not carve outs for this or 
that type of health research.
    Preemption: In order for any standard to be effective it needs to 
be uniform across the states, but we would only support preemption if 
it sets a floor for the states and not a ceiling. Many states have 
already begun to respond to the many complex issues involved in 
protecting medical privacy and have established strong laws. We should 
not force them to a lower standard.
    Penalties: Finally, we believe there should be strong criminal and 
civil penalties for intentionally or negligently using individually 
identifiable health information. Individuals should also have a civil 
right of action against anyone who misuses their protected health 
information.
    One area that has been sorely absent in the debate over medical 
privacy is the urgent need for adopting genetic anti-discrimination 
legislation. Even if we pass the perfect medical privacy bill, we will 
not be able to entirely prevent unlawful disclosures. When privacy is 
breached, anti-discrimination legislation would prevent misuse of the 
information. These two protections go hand-in-hand. Anti-discrimination 
legislation in itself is hard to enforce, and therefore it is important 
to provide good privacy protection.
    Breast cancer remains the most common form of cancer in women. We 
still do not know the cause or have a cure for this dreaded disease. 
Over the past two years, there have been incredible discoveries at a 
very rapid rate that offer fascinating insights into the biology of 
breast cancer, such as the isolation of breast cancer susceptibility 
genes and discoveries about the basic mechanisms of cancer cells. These 
discoveries have brought into sharp focus some of the areas of research 
that hold promise.
    NBCC believes that legislation protecting medical information and 
privacy should be balanced. We want to see federal standards that 
safeguard personal health information and protect the ability of 
researchers to conduct vital biomedical research. We don't believe that 
you can have one without the other. Knowledge about how to prevent and 
cure breast cancer will only come if women participate in research. But 
without appropriate safeguards against misuse, public distrust will 
increase and few women will be willing to participate in research 
efforts, whether donating tissue or enrolling in clinical trials. Only 
if women believe that their individual health information will be kept 
private so that it can't be used against them by insurers or employers 
or be made public will they have the confidence to participate in 
clinical research. I can't emphasize enough that we must focus our 
attention on building public trust. It has to be something real, 
something believable, if women are to place their trust in the medical 
and research process.
    Mr. Chairman, and members of the Committee, thank you again for the 
opportunity to testify. We look forward to working with you on this 
critically important issue. I'll be happy to answer any questions you 
may have.

    Mr. Burr. Thank you, Ms. Visco.
    The Chair would take this opportunity to announce we expect 
a vote at any minute. There is also reason to believe that 
there will be at least a Republican conference that Republican 
members will have to leave for.
    It is the Chair's intention then to put this committee in 
recess probably about 12:25 or 12:30 depending on when the vote 
is called until 1:15 to allow witnesses to have lunch and to 
allow that conference to take place just so you know.

                 STATEMENT OF DAWN M. GENCARELLI

    Mr. Burr. And at this time, the Chair would recognize Ms. 
Gencarelli for an opening statement.
    Ms. Gencarelli. Mr. Chairman and members of the committee, 
thank you for the opportunity to testify before you today.
    I am Dawn Gencarelli, and I am here today on behalf of 
Harvard Pilgrim Health Care. Harvard Pilgrim is the largest 
health plan in New England and has been caring for patients 
for over 25 years. Harvard Pilgrim currently provides for 1.5 
million members in Massachusetts, Rhode Island, Maine, and New 
Hampshire through a network that includes more than 23,000 
physicians and 140 hospitals.
    I am pleased to have the opportunity to testify today and 
would like to review the varied patient interests that must be 
considered in a thoughtful debate about medical record 
confidentiality, describe Harvard Pilgrim's efforts to 
reconcile these multiple interests with strong protections for 
the confidentiality of our members' medical information, and 
highlight the importance of the legitimate uses of medical 
information to assure the quality of care that is delivered to 
our members.
    Harvard Pilgrim recognizes the importance of the many 
issues raised by medical record confidentiality and the 
challenges it poses for patients and health care providers 
during this time of rapid change in both the delivery of health 
care and the technology of clinical health information systems. 
They are complex issues that involve a careful balance to 
ensure that all of our patient interests are served even when 
they appear to conflict.
    Our organization has spent an extensive amount of resources 
exploring our policies and practices around confidentiality. We 
have conducted numerous focus groups and one-on-one interviews 
with our members to better understand their concerns. Patients 
do have a right to expect that their medical information will 
be kept confidential as well as a strong interest in receiving 
high quality integrated health care.
    To assure this quality of care, clinicians must have 
access, in a timely manner, to information pertaining to prior 
medical history and possible drug interactions. In addition, 
health plans must have access to information in order to 
perform functions that are designed to promote quality of care 
including quality assurance, utilization management, disease 
management, case management, and peer review.
    The above functions enable Harvard Pilgrim and other health 
plans to eliminate unnecessary variation in treatments and 
procedures, for example, cesarean sections; identify patients 
who could benefit from specialized care through one of our 
disease management programs; develop educational programs for 
our clinicians regarding specific treatments and advanced 
technologies; and ensure that patients being released from the 
hospital have the appropriate support to safely return home.
    In addition to receiving high quality integrated health 
care, patients have an interest in the advancement of research 
through the collection of population-based information, in the 
protection of the public health, and in having the systems of 
their health care organizations operate smoothly and without 
fraud. At Harvard Pilgrim we have worked diligently to serve 
the many interests of our members even when they appear to 
conflict.
    Organizational flexibility, commitment by senior 
management, as well as cooperation and communication between 
health care providers and their patients are necessary to meet 
these multiple patient needs. Harvard Pilgrim has taken steps 
to optimize its organizational privacy protections including 
the removal of patient identifiers from clinical and 
administrative patient information whenever possible, the 
creation--and the creation of a safety zone to ensure to the 
fullest extent possible that patient information remains 
confidential.
    This safety zone is created through the implementation of a 
number of policies and practices that create heightened 
security around medical information. Within our organization, 
we have established a confidentiality oversight committee that 
is responsible for developing and maintaining a corporate 
confidentiality policy. As part of this process, the committee 
reviews all policies and procedures throughout the organization 
relating to confidentiality.
    In conjunction with our corporate policy, Harvard Pilgrim 
has developed a framework for defining appropriate uses of 
information by third parties as well as guidelines for the 
release of information. Each of these initiatives seeks to 
ensure that only that information which is necessary to meet an 
appropriate clinical or health plan need is accessed or 
released, that it is used by appropriate individuals for the 
amount of time necessary to achieve the designated purpose, 
that it is used within a secure environment, and that it is not 
subject to secondary release to unauthorized users.
    Harvard Pilgrim continues to explore these and other 
innovative efforts in an attempt to respond to our evolving 
understanding of our members' needs and to continue to serve as 
a national leader on the issue of patient confidentiality.
    As this committee contemplates the passage of legislation 
on this very important issue, it must ensure that the 
provisions of such legislation promote quality of care rather 
than prevent functions that support it. As illustrated by the 
recent enactment and subsequent suspension in Maine of a 
medical record confidentiality bill, good intentions can 
sometimes cause unintended consequences that put patients at 
risk.
    The Maine law prevented family members from accessing 
information about the condition of their loved ones and medical 
providers from obtaining information necessary for the proper 
treatment of patients. To severely limit access to information 
will, in fact, lead to increased confidentiality but will 
jeopardize the other very important interests of our members.
    Harvard Pilgrim has invested heavily in our efforts to 
ensure patient confidentiality and respects this committee's 
exploration of this very important issue. We must be cognizant, 
however, of the very real dangers that may result from poorly 
drafted legislation in this area including decreased quality of 
care, increased health care costs, an unhealthy population, and 
systems wrought with fraud.
    Confidentiality can and must be achieved without halting 
appropriate and legitimate uses of information.
    I thank you for your time.
    [The prepared statement of Dawn M. Gencarelli follows:]
 Prepared Statement of Dawn M. Gencarelli, Harvard Pilgrim Health Care
                              introduction
    Mr. Chairman and members of the Committee, thank you for the 
opportunity to testify before you today. I am Dawn Gencarelli, Manager 
of Health Policy for Harvard Pilgrim Health Care (Harvard Pilgrim). 
Harvard Pilgrim is the largest health plan in New England and has been 
caring for patients for over 25 years. Harvard Pilgrim currently 
provides care to more than 1.5 million members in Massachusetts, Rhode 
Island, Maine, and New Hampshire through a network that includes more 
than 23,000 physicians and 140 hospitals.
    I am pleased to have the opportunity to testify today, and would 
like to:

 review the varied patient interests that must be considered in 
        a thoughtful debate about medical record confidentiality;
 describe Harvard Pilgrim's efforts to reconcile these multiple 
        interests with strong protections for the confidentiality of 
        our members' medical information; and
 highlight the importance of the legitimate uses of medical 
        information to assure the quality of care that is delivered to 
        our members.
                                 issues
    Harvard Pilgrim recognizes the importance of the many issues raised 
by medical record confidentiality and the challenges it poses for 
patients and health care providers during this time of rapid change in 
both the delivery of health care and the technology of clinical health 
information systems. They are complex issues that involve a careful 
balance to ensure that all of our patient interests are served, even 
when they appear to conflict. Our organization has spent an extensive 
amount of resources exploring our policies and practices around patient 
confidentiality. We have conducted numerous focus groups and one-on-one 
interviews with our members to better understand their concerns.
     Patients have a right to expect that their medical information 
will be kept confidential as well as a strong interest in receiving 
high quality, integrated health care. To assure this quality of care, 
clinicians must have access, in a timely manner, to information 
pertaining to prior medical history and possible drug interactions. In 
addition, health plans must have access to information in order to 
perform functions that are designed to promote quality of care, 
including quality assurance, utilization management, disease 
management, case management, and peer review.
    The above functions enable Harvard Pilgrim, and other health plans, 
to eliminate unnecessary variation in treatments and procedures (i.e., 
Cesarean sections); identify patients who could benefit from 
specialized care through one of our disease management programs; 
develop educational programs for our clinicians regarding specific 
treatments and advanced technologies; and ensure that patients being 
released from the hospital have the appropriate support to safely 
return home. In addition to receiving high quality, integrated health 
care, patients have an interest in the advancement of research through 
the collection of population-based information, in the protection of 
the public health, and in having the systems of their health care 
organizations operate smoothly and without fraud. At Harvard Pilgrim, 
we have worked diligently to serve the many interests of our members, 
even when they appear to conflict.
    Organizational flexibility, commitment by senior management, as 
well as cooperation and communication between health care providers and 
their patients, are necessary to meet these multiple patient needs. 
Harvard Pilgrim has taken steps to optimize its organizational privacy 
protections, including the removal of patient identifiers from clinical 
and administrative patient information whenever possible, and the 
creation of a ``safety zone'' to ensure to the fullest extent possible 
that patient information remains confidential.
     This safety zone is created through the implementation of a number 
of policies and practices that create heightened security around 
medical information. Within our organization, we have established a 
Confidentiality Oversight Committee that is responsible for developing 
and maintaining a corporate confidentiality policy. As part of this 
process, the committee reviews all policies and procedures throughout 
the organization relating to confidentiality. In conjunction with our 
corporate policy, Harvard Pilgrim has developed a framework for 
defining appropriate uses of information by third parties, as well as 
guidelines for the release of information. Each of these initiatives 
seeks to ensure that only that information which is necessary to meet 
an appropriate clinical or health plan need is accessed or released, 
that it is used by appropriate individuals for the amount of time 
necessary to achieve the designated purpose, that it is used within a 
secure environment, and that it is not subject to secondary release to 
unauthorized users. Harvard Pilgrim continues to explore these and 
other innovative efforts, in an attempt to respond to our evolving 
understanding of our members' needs and to continue to serve as a 
national leader on the issue of patient confidentiality.
                               conclusion
     As this Committee contemplates the passage of legislation on this 
very important issue, it must ensure that the provisions of such 
legislation promote quality of care rather than prevent functions that 
support it. As illustrated by the recent enactment and subsequent 
suspension, in Maine, of a medical record confidentiality bill, good 
intentions can sometimes cause unintended consequences that put 
patients at risk. The Maine law prevented family members from accessing 
information about the condition of their loved ones and medical 
providers from obtaining information necessary for the proper treatment 
of patients. To severely limit access to information will in fact lead 
to increased patient confidentiality, but it will jeopardize the other 
very important interests of our members. As an integrated system of 
care, Harvard Pilgrim relies on the internal use of information, which 
must be distinguished from the external disclosure of information. The 
internal use of information allows us to conduct essential functions, 
including those designed to safeguard the high quality, integrated care 
we deliver to our patients. In some cases, these functions are mandated 
by state law or by national accrediting bodies, including the National 
Committee for Quality Assurance (NCQA).
     Harvard Pilgrim has invested heavily in our efforts to ensure 
patient confidentiality and respects this Committee's exploration of 
this very important issue. We must be cognizant, however, of the very 
real dangers that may result from poorly drafted legislation in this 
area, including decreased quality of care, increased health care costs, 
an unhealthy population, and systems wrought with fraud. Patient 
confidentiality can, and must, be achieved without halting appropriate 
and legitimate uses of information.
    I thank you for your time.

    Mr. Burr. Thank you.
    The Chair at this time would recognize Ms. Abbey Meyers for 
purposes of an opening statement.

                    STATEMENT OF ABBEY MEYERS

    Ms. Meyers. Yes, thank you very much.
    The National Organization for Rare Disorders represents 
approximately 20 million people with rare diseases who are 
spread all over the country. It is a total of 6,000 rare 
diseases, each one affecting fewer than 200,000 Americans.
    Congress needs to pass a medical privacy law not only 
because of the Kassebaum-Kennedy law but because the European 
Union requires that E.U. countries cannot trade with any 
country that does not adequately protect patient 
confidentiality. So it is very important that something is done 
very quickly on this issue because it is liable to turn into an 
international trade problem.
    But also patients want and desperately need medical 
confidentiality on a national basis. People are not telling 
their doctors the truth because they are afraid that if 
something is written in their record, especially about a 
serious disease, that they will lose their insurance, their 
insurance price will go up, or they are going to be stigmatized 
in some way if somebody finds out.
    So it is very important that the public is guaranteed 
confidentiality so that they are truthful with their 
physicians. This covers not only things like sexually 
transmitted diseases or maybe drug abuse problems but also the 
fact that hereditary diseases can be very stigmatizing. People 
are not telling their doctors that their mother or their aunt 
may have had breast cancer, for example, because they are 
afraid it will raise the cost of their health insurance.
    So today the only problems--the only group of people who 
have problems accessing medical records are patients 
themselves. And this is a real problem when you walk into a 
doctor's office, you want copies of your own medical records. 
You have to sign a pile of papers that you don't understand 
because they are written in very legal language. Some of the 
waivers--actually you have to forfeit your legal rights in 
order to get copies of your own records.
    And you sometimes have to wait weeks or months to get those 
records. And you find out that the hospital or the doctor can 
charge you. And there is no standard fee, and some doctors 
might charge you a dollar a page. It might turn out to cost 
hundreds of dollars for a copy of your own medical records. And 
we have heard of many cases where doctors refuse to give the 
patient medical records probably because they are afraid of 
getting sued for malpractice or some personal reason that they 
have, but they absolutely refuse.
    Now, the problem is that there is no Federal law that 
requires that the identifiable medical records are kept in 
locked files. So very often when you walk through your doctor's 
office, you find somebody else's file laying there, and you can 
read it. There is nothing to stop you from reading it.
    Insurers can obtain information about our health that has 
nothing to do with the bills they are paying. They can find out 
the entire record of your mental health treatment when they 
look through your files to pay for the bills for a broken leg. 
Local pharmacies are releasing our prescription data to 
pharmaceutical companies with no regulation at all. And once 
somebody knows what drugs you are taking, they know what is 
wrong with you.
    All confidential information can be sent, and it is, to a 
huge computer up in Massachusetts called the Medical 
Information Bureau. George Orwell could not have invented a 
better model of the intrusive Big Brother. It contains your 
medical information and mine--millions and millions of 
Americans. Anything that you thought could be kept secret in 
your doctor's office is on a computer in Massachusetts that any 
insurance company in this country can access.
    Clerks right out of high school can get into it and find 
out what your medical information is. So we must have 
confidentiality assurances. We must have an absolute minimum 
floor that says no State can legislate less, but States will be 
allowed to legislate more.
    Thank you.
    [The prepared statement of Abbey Meyers follows:]
 Prepared Statement of Abbey Meyers, President, National Organization 
                           for Rare Disorders
    Mr. Chairman, members of the Committee, thank you for inviting me 
to testify before you today on behalf of patients with serious and 
chronic diseases. I am Abbey Meyers, President of the National 
Organization for Rare Disorders (NORD), which represents people with 
over 6,000 rare ``orphan diseases.'' Each rare disease affects fewer 
than 200,000 Americans, but combined together they all affect an 
estimated 20 million Americans. Most rare diseases are genetic, and the 
need for medical privacy profoundly affects not only those who have 
hereditary diseases but also every member of their extended family.
    Today even ``healthy'' people are learning that they are affected 
by privacy issues because, as the Human Genome Project is discovering, 
virtually every human being carries genetic abnormalities that will 
eventually impact our lives or the lives of our children. NORD is also 
an active member of the Consumer Coalition for Health Privacy, which 
includes a broad range of consumer, patient, disability, and 
professional groups committed to the development and enactment of 
public policies and private standards that guarantee the 
confidentiality of personal health information and promote both access 
to high quality care and the continued viability of medical research.
    Besides the obvious need for Congress to enact federal legislation 
governing medical privacy--the August 21 deadline and the European 
Union's privacy regulation that may diminish trade with the United 
States if privacy guarantees are not firmly set in place--American 
consumers are clearly demanding that Congress enacts federal privacy 
guarantees that require an individual's consent before our personal 
medical information is released to anyone.
    The current lack of a federal law safeguarding the privacy of 
medical records significantly diminishes access to and quality of 
health care in the U.S. Out of fear that disclosure of their medical 
records may result in denial of insurance, loss of employment or 
housing, and stigmatization and embarrassment, many people withhold 
information from their doctors or simply avoid seeking care. In fact, a 
survey released by the California Health Care Foundation in January 
found that one in five Americans believes their health information has 
been used or disclosed inappropriately and one in six engages in some 
form of ``privacy-protective'' behavior when they seek, receive or pay 
for health care. As a result, they risk inadequate care or undetected 
and untreated health conditions.
    People are being forced to choose between their privacy and 
receiving health care. In addition, important public health activities, 
such as outcomes research, quality initiatives and population-based 
studies, are compromised by incomplete or inaccurate data.
                   patient access to medical records
    The ironic fact is, under our current patchwork system of privacy, 
the only people who have trouble accessing their medical records are 
consumers themselves. If you want copies of your own medical records, 
you generally have to sign a myriad of legal papers (some of which are 
hardly understandable to the ordinary person), you may have to sign 
waivers forfeiting your legal rights, you usually have to wait days or 
weeks to obtain the copies, and your physician's office or hospital can 
charge you a fee for every piece of paper you request.
    While consumers across the country face extraordinary problems 
accessing their own medical records, pharmaceutical companies can 
easily obtain sensitive information from local pharmacies revealing the 
names of drugs that have been prescribed to you, your neighbor may read 
your entire medical history in your doctor's office because your case 
file is not kept in a locked cabinet, your insurance company can read 
your confidential psychiatric record even though they may be 
investigating billing for your broken leg, and they can send all of 
this information to the huge Medical Information Bureau (MIB) in 
Massachusetts so that clerks at all insurance companies (not just your 
own insurer) will be able to investigate your medical history any time 
they want to.
                           real-life examples
    Examples of abuses of medical information are all too common and 
troubling.

 Just last month, Aetna health insurance claims forms blew out 
        of a truck en route to a recycling center and scattered on I-84 
        in East Hartford during rush hour. Aetna quickly dispatched 
        employees to scoop up the forms, which contained identifiable 
        personal health information. Under company policy, these papers 
        should have been shredded, but were not.
 In another troubling example, the Harvard Community Health 
        Plan, a Boston-based HMO, admitted to maintaining detailed 
        notes of psychotherapy sessions in computer records accessible 
        by all clinical employees. Following a series of press reports, 
        the HMO revamped its computer security practices.
 In a more personal case, a woman who was hurt in an auto 
        accident found that the defendant's lawyer subpoenaed her 
        medical records and announced in court that when she was 16 
        years old this woman had a baby outside of marriage and gave it 
        up for adoption. There is no reason that an attorney in an 
        automobile accident case should have had access to the woman's 
        gynecological records!
    The victims of these privacy violations ranged from large groups to 
a single individual and the causes ranged from negligence to bad 
practices. While no federal law can prevent all future abuses, the 
enactment of a strong, comprehensive law with meaningful enforcement 
will help to create a regulatory and legal framework that will require 
the holders of identifiable health information to protect health 
information and appropriately limit its use or risk significant 
penalties.
                            consumer rights
    Obviously, insurance companies need access to medical information 
for treatment and payment purposes, and scientific researchers require 
access to medical records. But, consumers should give their consent 
before anyone is allowed to access our records, even insurance 
companies. For example, some people do not want their insurance company 
to know that they took a genetic test, so they pay for the test 
themselves. If the doctor writes in the patient's record that the test 
was positive for a hereditary disease, the insurance company should not 
be privy to information that the insurance company did not pay for. 
These companies should only gain access to information that is directly 
relevant to the product or service they are paying for.
    Let me explain that the ``consumers'' I am talking about in these 
examples represent two distinct classes of people:
    One class of consumers are generally healthy people who may see a 
doctor irregularly for common maladies such as colds or flu, and who 
may sometimes take pharmaceuticals for occasional fever, colds or pain. 
These people expect the government to protect them, for example, by 
assuring through regulation that treatments are effective and have 
minimal risk. They cannot imagine that strangers would want to see 
their medical records, they have no idea how many people have access to 
this sensitive information, and it does not occur to them that there 
may be a commercial value for the sale of private medical information 
to others. Nevertheless, these ``healthy'' people may have had a 
grandparent who died of Alzheimer's disease, an uncle with 
schizophrenia or epilepsy, or a parent who had breast or prostate 
cancer, and they may not want their next door neighbor to be privy to 
this information nor their employer, nor even their spouse or children. 
There can be medical information that a person will share only with 
their physician. Without a firm guarantee of confidentiality, people 
are unable to talk honestly and openly with their doctors.
    The other class of ``consumers'' is composed of sick people: 
Usually those with serious or chronic illness who see doctors on a 
regular basis because of a health problem. These people may be willing 
to take greater risks in order to identify more effective treatments, 
or to locate superior medical services that might extend their life or 
improve their quality of life. Many of these individuals are willing to 
participate in medical research, and thus they may be willing to endure 
a lesser degree of medical privacy as long as they can maintain control 
over who will be privy to their medical records. If they do not want 
researchers, hospitals, drug companies, etc., to pry into their medical 
records, they want the option of refusing access to this information.
                                research
    Fortunately, people who participate in federally funded research, 
or research that will be used in an application for FDA approval, must 
sign an ``informed consent'' document approved by an Institutional 
Review Board (IRB), and they can choose not to participate if they feel 
their privacy will be violated.
    Certainly one of the most challenging debates now before you is how 
to address privacy concerns related to privately funded research that 
is not being conducted in anticipation of FDA review and therefore not 
required to gain IRB approval. We know that Congress has been examining 
this problem for some time, and we consumers are very aware that you 
are trying to find a solution. As an advocate for people with serious 
and chronic illness let me make clear that we believe that scientific 
research is extraordinarily important, and you must find a way to 
protect consumers' medical information without hampering the progress 
of medical research.
    The best way to accomplish these goals is to expand the IRB and 
informed consent process to all research, regardless of funding source. 
Through the informed consent process, people who participate in 
research are told how many parties will have access to their records, 
and they are assured that the treating institution will not allow 
access by unauthorized personnel. In those cases where the informed 
consent process is excessively burdensome and the threat of a privacy 
breach to the individual is minimal, the IRB can waive the informed 
consent process.
    The problem now is that these rules apply only to research 
involving federal funds or application to the FDA. The rules must be 
applied to all research no matter what the funding source. The ethical 
obligations that researchers have to their subjects, and the 
individual's right to appropriate informed consent, do not change 
depending on the funding stream.
    It is also important to note that some ``medical'' research is 
actually ``marketing'' research, and Congress must clearly define 
parameters that protect consumers from unwanted intrusions of their 
privacy by those who will not actually enhance scientific knowledge. In 
most cases, simply making case records anonymous by replacing a 
person's name with a code number, will solve the problem.
                        preemption of state law
    In the absence of federal protections, the states have acted to 
varying degrees to create protections for their residents and one of 
the major questions before the Congress is how the federal law will 
interact with these state laws. Will the federal law be the ``ceiling'' 
above which states are forbidden to act, or a ``floor'' above which 
states can enact stronger laws?
    Let me say clearly that this is a critical question for people with 
rare diseases because clinical research on orphan diseases is usually 
conducted at numerous sites in various states, primarily because there 
are not often enough patients in any one state available for study. 
Therefore, it is crucial that the federal government enact a ``floor'' that 
guarantees all Americans, regardless of their state of residence, a set 
of minimum protections. At the same time, as people with serious and 
chronic illnesses, we believe that states must maintain their right to 
enact stricter privacy laws to address the specific needs of their 
residents. If local laws become too strict, certainly local residents 
and lobbyists will point the flaws out to local policymakers.
    In other words, the federal government, by enacting a national 
medical privacy law, will set absolute minimum standards that all 
states must obey. Such a minimum will create broad uniformity across 
the country, preempting the vast majority of state laws, which are 
weaker than the federal proposals. Any state, however, that wants 
stricter privacy laws should be allowed to enact and enforce them.
    In addition, we firmly believe there are at least two areas of 
medical information that deserve special protections: 1) genetic 
information, and 2) psychiatric records. Several states have already 
enacted laws to protect these very sensitive areas and more states 
should be encouraged to do so. Mental health treatment notes are 
particularly sensitive. Insurance companies used to ask therapists for 
summarized notes and treatment plans. But in the last few years they 
are asking for complete copies of patient records that reveal the most 
sensitive private information that should never leave a therapist's 
office.
    Mr. Chairman, the esteemed members of this committee should 
understand that at this very moment your personal medical records may 
be known to people in this room. They may know the medicines you take 
and the diseases you are being treated for, as well as your spouse and 
your children. Certainly you can remember a few years ago when a Vice 
Presidential candidate had to withdraw his name because his psychiatric 
record was made public (Senator Eagleton). Only a few years ago Senator 
Pryor's medical record was made public when he had a heart attack. 
There may be people in this very Congress who have a stigmatizing 
psychiatric diagnosis, or a history of a sexually transmitted disease 
that you caught at the age of 18, or a predisposition to a genetic 
disease that, if known, could put your next election at risk. These 
facts ought not to become public record. In the absence of a federal 
``floor'' for medical privacy, there is nothing to prevent the wrong 
people from using your medical history for the wrong purposes.
    No one should have access to your medical information or mine 
without our knowledge and consent. This is what consumers want and 
need. We urge you to do so quickly.

    Mr. Burr. Thank you, Ms. Meyers.
    The Chair would recognize, for purposes of an opening 
statement, Mr. Krinsky.

                 STATEMENT OF DANIEL L. KRINSKY

    Mr. Krinsky. Mr. Chairman, Congressman Brown, members of 
the subcommittee, the National Association of Chain Drugstores 
appreciates the opportunity to present testimony today 
regarding the important issue of protecting the confidentiality 
of patient medical records in today's modern health care 
delivery system.
    My name is Daniel Krinsky. I am a registered pharmacist. I 
am the director of patient care services and pharmacy practices 
at Ritzman Pharmacies in Wadsworth, Ohio. Ritzman Pharmacies is 
a small family owned eight store chain located just outside of 
Akron, Ohio. We specialize in a wide range of innovative and 
advanced pharmacy services including diabetes management, home 
infusion, and hypertension management.
    Let me begin by stating that NACDS supports enactment of a 
strong confidentiality law that will preempt the patchwork of 
existing State laws and protect patient privacy. We want our 
patients to have confidence that their personal information is 
secure while allowing chain pharmacies to appropriately utilize 
medical information as health care providers to maintain and 
improve patient care.
    NACDS has worked for years to take a leading role on 
protecting patient privacy. Attachment one to my statement are 
``Ten Principles To Protect The Confidentiality Of Consumer 
Medical Records'' that our industry created and continually 
updates to ensure chain pharmacies operate with protecting 
patient privacy as a top priority.
    To mention some of the key pharmacy confidentiality 
legislative issues--because retail pharmacies process about 50 
percent of all health care payment claims, it is important that 
new Federal requirements for patient confidentiality not have a 
disproportionate effect on the ability of retail pharmacies to 
operate efficiently or provide integrated comprehensive 
patient-oriented prescription services.
    NACDS supports Federal standardization of patient 
confidentiality safeguards that includes:
    First, Federal preemption of State laws. There are 
approximately 31,000 chain community pharmacies many of which 
operate across State lines. However, more and more States have 
been enacting their own new and differing privacy laws and 
regulations making it increasingly difficult for multistate 
pharmacies to understand and comply with these laws in an 
efficient manner. Adding another Federal law on top of this or 
trying to determine which law is stronger as some bills call 
for would create even more challenges.
    Second, NACDS supports the use of a single consolidated 
authorization for the purpose of obtaining patient 
authorization to use and disclose patient information for 
payment, treatment, and health care operations. Such 
authorization is provided at the time that the patient enrolls 
in a health plan or when an uninsured patient provides an 
authorization for these purposes to an originating provider of 
a prescription. Under this approach, the patient's prescription 
will be sufficient to use patient information for the purpose 
of practicing pharmacy as defined in State practice laws and by 
regulatory boards. This approach also limits the recordkeeping 
and recording burdens of the patient or the provider.
    Since up to 40 percent of patients have others pick up or 
deliver both new and refill prescriptions, obtaining the 
additional separate authorization from all patients would be 
next to impossible. Imposing a requirement that the patient 
personally pick up a prescription would inconvenience the 
patient and could jeopardize the health of the elderly, 
children, or the infirm who can't otherwise physically get to 
the drugstore.
    In 1990, Congress passed the Omnibus Budget Reconciliation 
Act, OBRA 90, which recognized that delivering pharmacy service 
involves more than just filling an original prescription. The 
role of the pharmacist, which continues to evolve, includes 
enhancing outcomes for medication use. In part, as a result, 
pharmacy providers now engage in a wide range of activities 
that use patient information. These include refill reminder 
programs, prospective and retrospective drug use review, 
disease management, physician-pharmacy collaborative practice 
agreements, and formulary management.
    The definitions of health care and treatment of any 
confidentiality legislation should include compliance programs, 
refill reminder programs, and pharmacy programs recognized by 
Federal and State agencies as disease management programs. Any 
Federal confidentiality law must recognize and provide 
flexibility for the evolving role of community pharmacy in the 
health care system. Most recently, the Health Care Financing 
Administration issued regulations reimbursing diabetes 
education management programs and pharmacies and many States 
recognize the value of pharmacy professionals providing 
educational and counseling services.
    Some legislative proposals will require pharmacies to 
maintain records for 7 years and document each and every case 
in which patient information was disclosed to create an audit 
trail, such as the date, purpose, and description of 
information disclosure even when patient information is used 
for treatment or obtaining payment.
    Such a proposal would result in enormous if not impossible 
workload requirements on our pharmacists and disclosure records 
would number in the multiple billions. The benefit of an audit 
trail and how often it is used must be weighed against the 
increased cost to the health care delivery system.
    Patient care must not be compromised in the name of added 
paperwork. Consumer costs must not be driven up by excessive 
regulation and basic common sense protections for privacy must 
take precedence. Let me reiterate that the use of electronic 
records and technology, if carefully coordinated and protected, 
results in a much safer and secure system that protects patient 
confidentiality while providing for optimum care.
    In conclusion, we applaud you for holding this hearing on 
this complex but critical issue. With my testimony, I have also 
attached a list of key implementation issues and questions for 
persons to think about while drafting provisions with a 
potential impact on pharmacy.
    Thank you for providing me with this opportunity to testify 
today on behalf of Ritzman Pharmacies and NACDS.
    [The prepared statement of Daniel L. Krinsky follows:]
Prepared Statement of Daniel L. Krinsky, Director, Patient Services and 
  Pharmacy Practice, Ritzman Pharmacies, Inc., on Behalf of National 
                    Association of Chain Drug Stores
    Mr. Chairman and Members of the Subcommittee, The National 
Association of Chain Drug Stores (NACDS) appreciates the opportunity to 
present testimony today regarding the important issue of protecting the 
confidentiality of patient medical records in today's modern health 
care delivery system.
    Founded in 1933 and based in Alexandria, Virginia, the NACDS 
membership consists of over 130 retail chain community pharmacy 
companies. Collectively, chain community pharmacy comprises the largest 
component of pharmacy practice with over 93,000 pharmacists. The chain 
community pharmacy industry is comprised of over 19,000 traditional 
chain drug stores, 7,000 supermarket pharmacies and nearly 5,000 mass 
merchant pharmacies. NACDS members operate more than 31,000 retail 
community pharmacies with annual sales totaling over $135 billion 
including prescription drugs, over-the-counter (OTC) medications and 
health and beauty aids (HBA). Chain operated community retail 
pharmacies fill over 60% of the more than 2.73 billion prescriptions 
dispensed annually in the United States. Additionally, NACDS membership 
includes more than 1,400 suppliers of goods and services to chain 
community pharmacies and 96 international members from 26 foreign 
countries.
Executive Summary: NACDS Supports a Strong National Law
    Let me begin by stating that NACDS supports enactment of a strong 
Federal confidentiality law that will preempt the patchwork of existing 
state laws and protect patient privacy. We want our patients to have 
confidence that their personal information is secure, while allowing 
chain pharmacies to appropriately utilize medical information as health 
care providers to maintain and improve patient care.
    On this note, I'd like to point out that NACDS has endorsed S. 881, 
``The Medical Information Protection Act of 1999,'' introduced by 
Senator Robert Bennett (R-UT). Senator Bennett has been working to 
perfect his legislation for over five years and the resulting ``Bennett 
bill'' is the most comprehensive and thoughtful medical records privacy 
legislation introduced in Congress to date. While the legislation 
rightfully imposes tough penalties for the misuse of confidential 
patient information, it is carefully balanced to allow providers 
sufficient flexibility to appropriately utilize patient information to 
optimize patient care. It would also protect patient data without the 
inconvenience of burdensome paperwork on patients and providers.
    NACDS also has worked for years to take a leading role on 
protecting patient privacy. Attached to my statement are ten 
``Principles to Protect the Confidentiality of Consumer Medical 
Records'' that our industry created and continually updates to ensure 
chain pharmacies operate with protecting patient privacy as a top 
priority.
Key Pharmacy Confidentiality Legislative Issues
    Because retail pharmacies process about fifty percent of all health 
care payment claims, it is important that new Federal requirements for 
patient confidentiality not have a disproportionate effect on the 
ability of retail pharmacies to operate efficiently or provide 
integrated, comprehensive patient-oriented prescription services. NACDS 
supports Federal standardization of patient confidentiality safeguards 
that includes:
    Federal Preemption of State Laws: There are approximately 31,000 
chain community pharmacies, many of which operate across state lines. 
However, more and more states have been enacting their own new (and 
differing) privacy laws and regulations, making it increasingly 
difficult for multi-state pharmacies to understand and comply with 
these laws in an efficient manner. Adding another Federal law on top of 
this or trying to determine which law is stronger, as some bills call 
for, would create even more challenges for multi-state pharmacy 
operations.
    Conflicts between Federal and state law could be virtually 
impossible for health care providers to identify and resolve on a 
patient-specific basis. Moreover, does the law in the state in which 
the patient resides prevail, or does the law in the state in which the 
product or service is being provided govern the transaction? This 
question is particularly important for pharmacies located near state 
borders.
    Without Federal preemption, patients will be required to wait 
longer to obtain their prescription medications because pharmacies will 
be required to take additional time to determine whether to follow a 
specific provision of state or Federal law. For each patient, the 
pharmacist must first identify any conflicts between provisions of 
Federal and state law and then compare those provisions to determine 
which is the most restrictive. The pharmacist must make these two legal 
decisions while patients, or their designees, are waiting for their 
medications.
    Making legal decisions is a job for attorneys, NOT for health care 
providers who are trying to provide medication as efficiently and 
expeditiously as possible to sick patients. The impact on our patients 
is our most paramount concern, and, therefore, NACDS supports a 
comprehensive Federal standard that preempts state confidentiality 
laws.
    A Single Consolidated Authorization for the Use and Disclosure of 
Personally Identifiable Health Information (PHI): NACDS supports the 
use of a single consolidated authorization for the purpose of obtaining 
patient authorization to use and disclose PHI for payment, treatment 
and health care operations. Such authorization is provided at the time 
that the patient enrolls in a health plan, or when an uninsured patient 
provides an authorization for these purposes to an ``originating 
provider'' of a prescription. Under this approach, the patient's 
prescription will be sufficient to use PHI for the purpose of 
practicing pharmacy as defined in state practice laws and by regulatory 
boards. This approach also limits the recordkeeping and reporting 
burdens of the patient or the provider.
    To maximize patient convenience, any Federal confidentiality law 
must require employers, health plans, and originating providers to 
obtain from the patient a single consolidated authorization to use and 
disclose that patient's personally identifiable health care information 
for the purposes of treatment, payment, and health care operations.
    Down-stream health care providers MUST be able to legally assume 
that the single consolidated authorization has been obtained, otherwise 
these providers will be forced to require patients to take the time to 
fill out an additional separate authorization form to protect 
themselves from litigation alleging a breach of the patient's 
confidentiality.
    Since up to 40% of patients have others pick up or deliver both new 
and refill prescriptions, obtaining the additional separate 
authorization from all patients would be next to impossible. Imposing a 
requirement that the patient personally pick up a prescription would 
inconvenience the patient and could jeopardize the health of the 
elderly, children, or the infirm who can't otherwise physically get to 
the drug store. Under some legislation already introduced, 
prescriptions could not be refilled until patients have signed the 
necessary multi-point authorization form, causing yet another patient 
inconvenience.
    Recognition of Pharmacy Practice Activities as a ``Continuum of 
Care'': In 1990, Congress passed the Omnibus Budget Reconciliation Act 
(OBRA 90), which recognized that delivering pharmacy services involves 
more than just filling an original prescription. The role of the 
pharmacist, which continues to evolve, includes enhancing outcomes from 
medication use. Pharmacy providers engage in a wide range of activities 
that use PHI. These include refill reminder programs, prospective and 
retrospective drug use review, disease management, physician-pharmacy 
collaborative practice agreements, and formulary management.
    Moreover, given that over 70 percent of all prescriptions are 
``managed'' by pharmacy providers for PBMs and third party payors, 
pharmacies are often contractually obligated to provide some of these 
services, to a range of private and public plans, including 
Medicare+Choice plans, Medicaid and some Federal Employee Health 
Benefit (FEHBP) plans. NACDS believes that any new Federal law should 
recognize that pharmacy is an evolving health profession whose role is 
to enhance appropriate outcomes from medication use through a continuum 
of care approach.
    The definitions of health care and treatment in any confidentiality 
legislation should include compliance programs, refill reminder 
programs and pharmacy programs recognized by Federal and state agencies 
as disease management programs. Any Federal confidentiality law must 
recognize and provide flexibility for the evolving role of community 
pharmacy in the health care system. Most recently, the Health Care 
Financing Administration issued regulations reimbursing diabetes 
education management programs in pharmacies and many states recognize 
the value of pharmacy professionals providing educational and 
counseling services.
Implementation Issues for Retail Pharmacies
    There are several important issues for chain community pharmacy 
relating to the implementation of new Federal privacy laws. Some of the 
more important considerations include:
    Originating Providers: NACDS supports the rights of patients to 
inspect, copy and amend their medical records, and that the originating 
provider is the appropriate place for these operations to occur. 
Originating providers are those that initially prescribe a course of 
treatment and create the historical medical record, such as health 
plans, physicians or emergency rooms.
    The originating provider of the prescription must be the primary 
source for patients to access, copy, and amend their health care 
information.
    Audit Trail Related to Disclosures: Some proposals would require 
pharmacies to maintain records for seven years and document each and 
every case in which PHI was disclosed--such as the date, purpose, and 
description of information disclosure--even when PHI is used for 
treatment or obtaining payment.
    Such requirements would create tremendous time and work burdens on 
pharmacy providers, given that PHI is used for multiple operations each 
day to assure that the patient receives the appropriate therapy, the 
pharmacy meets operational guidelines of third party payors, and the 
pharmacy is reimbursed for providing the service. Such a proposal would 
result in enormous if not impossible workload requirements on our 
pharmacists and disclosure records would number in the multiple 
billions. The benefit of an audit trail and how often it is used must 
be weighed against the increased costs to the health care delivery 
system.
    Sufficient Time to Modify Computer Systems: Like most health care 
providers, chain pharmacies have invested in expensive and 
sophisticated computer software systems to help process claims and help 
deliver pharmacy services. NACDS believes that a realistic time frame 
is needed to implement new uniform confidentiality standards, including 
time to develop software and hardware, test and distribute new 
products, and train employees in their use. Retail pharmacy estimates a 
minimum of 18 months would be needed to implement a new confidentiality 
law, once a law is passed or regulations are finalized.
    Use of NCPDP Standards: The entire pharmaceutical industry relies 
on the National Council for Prescription Drug Programs (NCPDP) to 
establish standards for electronic transmission of prescription payment 
claims. Any new Federal confidentiality law must recognize the 
important role that NCPDP has and should continue to have as a 
standard-setting organization for the billions of retail pharmacy 
payment claims.
Other Key Issues
    Other issues not specific to pharmacies are also extremely 
important to the entire health care continuum. Expanding or creating 
new Federal regulatory oversight of health provider operations must be 
examined carefully. Patient care must not be compromised in the name of 
added paperwork; consumer costs must not be driven up by excessive 
regulation; and basic common sense protections for privacy must take 
precedence.
    For instance, creating an entire new right of private action 
specific to privacy should not be necessary. Consumers currently have 
legal recourse to sue if their medical records are used 
inappropriately.
    In addition, especially when it comes to prescription drugs, 
falsely obtaining a prescription drug or controlled substance without a 
valid script from a physician can result in severe penalties and 
prosecution under Federal and state law. The penalties included in 
legislation introduced to date are severe, and would certainly deter 
any effort by a business or entity to illegally use or disclose patient 
identifiable information.
    Let me reiterate that the use of electronic records and technology, 
if carefully coordinated and protected, results in a much safer and 
secure system that protects patient confidentiality, while providing 
for optimum care. Avoiding millions of pieces of paperwork that must be 
filed and maintained increases the protection of health care records.
    Because this issue is so complex and so dependent upon the use of 
technology, detailed attention must be given to the coordination of 
technology and health care systems. It is critical that legislators and 
regulators ``get it right.'' As was seen earlier this year in the state 
of Maine, a law that may sound good to consumers, but is not perfected 
before implementation, can disrupt the entire health care system. The 
Maine law was suspended by the legislature after being in effect for 
just two weeks and is currently under a two-year review.
    In conclusion, we applaud you for holding this hearing on this 
complex but critical issue. With my testimony, I have also attached a 
list of key implementation issues and questions for persons to think 
about when drafting provisions with a potential impact on pharmacy. 
Thank you for providing me with the opportunity to testify today on 
behalf of Ritzman Pharmacies and NACDS. I'll be glad to answer any 
questions you may have.
                              ATTACHMENT 1
  NACDS Principles to Protect the Confidentiality of Consumer Medical 
                                Records
    1) Patients Have the Right to Know Who May Access, Use, Share, or 
Further Disclose, Patient Identifiable Health Care Information. Insured 
patients' informed consent must be in writing, signed, and obtained by 
either the employer or the health plan. Uninsured patients' informed 
consent must be in writing, signed, and obtained by the originating 
provider who prescribes or orders the health care services.
    2) A Patient's Informed Consent Should Authorize . . . health care 
providers to access, use, and share or further disclose patient 
identifiable health care information, to: 1) Provide treatment; 2) Seek 
payment; 3) Manage programs which improve outcomes and health care 
quality or result in reduced costs to consumers; and, 4) Undertake 
health care operations and utilize sufficient administrative 
information to support all of the above.
    3) One National Law . . . must be the product of a national debate 
to assure confidentiality of patient medical records, while at the same 
time promoting quality of care and not unnecessarily increasing health 
care costs. It will be much easier for both patient and health care 
provider to understand and comply with one national law rather than 51 
laws . . . a national law plus 50 different state laws.
    4) Employers Must be Prohibited from Accessing Patient Identifiable 
Health Care Information . . . unless the patient signs a separate 
informed consent form.
    5) Non-Patient Care or Marketing Activities . . . must be 
authorized by a separate patient consent for programs that are outside 
of the scope of treatment, payment, management of programs which 
improve outcomes and health care quality or result in reduced costs to 
consumers, and health care operations/administrative information.
    6) ``Treatment'' . . . is defined as everything that state boards 
of pharmacy allow pharmacists to do within the definition of the 
practice of pharmacy, including compliance, disease management, 
outcomes, and other quality assurance programs, from which patients may 
freely choose to withdraw or opt-out.
    7) Patients Must have the Right to Inspect, Copy, and Amend (but 
not change) their Medical Records . . . at the originating provider, 
for a fee to cover copying and administrative costs.
    8) Computer Security Must . . . safeguard patient identifiable 
health care information that is maintained or transmitted for any 
purpose.
    9) The National Law Must Go into Effect Within a Reasonable 
Timeframe . . . to provide patient confidentiality protection as soon 
as possible, but also to allow health care providers reasonable time to 
develop, test, distribute, and to be trained to use new software to 
help them comply with this lengthy and complex legislation.
    10) Those With Legitimate Access to Patient Identifiable Data Must 
Commit to Maintain and Abide by Confidentiality Laws. Penalties and 
fines should be imposed if individuals or entities knowingly and 
intentionally break the law.
                              ATTACHMENT 2
  Key Pharmacy Issues with Medical Records Confidentiality Legislation
                              May 27, 1999
Key Issues
 Full Federal preemption of the patchwork of state privacy 
        laws, with an allowance for exceptions for communicable disease 
        reporting, essential health data and vital statistics 
        collection, is critical. Precedent exists in the financial 
        institution sector. Without Federal preemption . . . pharmacies 
        and pharmacists will NOT be able to comply with laws that 
        cannot be readily found or quickly compared for conflicts 
        between Federal and state law.
 Written authorizations should be obtained by originating 
        providers, such as health plans and physicians, but not be 
        required for downstream treatment authorized by those 
        providers. Pharmacies account for about 50% of all consumer 
        health care payment claims and patients and pharmacies could 
        not handle additional form requirements for each prescription 
        or initial visit.
 Consolidated authorizations for treatment and payment must 
        create a ``legal presumption'' that allows pharmacies and other 
        downstream health care providers to rely upon: that 
        individuals, presenting health insurance cards or a valid 
        prescription, have provided the necessary authorization for 
        treatment and payment from their employer or health plan. The 
        same assumption must be recognized for the non-insured . . . 
        the originating provider obtained the necessary authorization.
 The definition of health care or treatment should include 
        pharmacy compliance and disease management programs that are 
        often required by Federal laws and rules and are a continuation 
        of dispensing the prescription.
 Electronic data collection and data transmission provisions 
        dealing with payment must not limit our ability to perform drug 
        utilization review (DUR) and other quality enhancement 
        measures, often required by Federal and state law.
 Pharmacists should not be required to obtain authorizations 
        for counseling patients on OTC drugs.
 The definition of ``individual representative'' or next of kin 
        should not interfere in allowing family members, friends, 
        caregivers or neighbors to pick up prescriptions for patients.
 Pharmacy benefit cards must NOT be included in payment and 
        electronic payment transaction limitations. If so, pharmacies 
        would no longer be allowed to transmit the NCPDP payment 
        claim for payment because its information is MUCH broader than 
        that required for payment. As a result, pharmacy benefit 
        managers and health plans would no longer have access to the 
        clinical information contained on the NCPDP payment claim 
        necessary for DUR.
 Assurances should be made that Federal agencies will not use 
        new penalty authority as they have under the False Claims Act 
        or Controlled Substance Act to pursue providers for innocent 
        and technical errors. If there is no harm to the patient and 
        mistakes are innocent, providers should not be unduly punished 
        for employee error.
Key Questions in Drafting Confidentiality Legislation
 Does the definition of health care include over-the-counter 
        (OTC) drugs and medically ``related items''? It should not, as 
        the workload, confusion and consumer inconvenience would be 
        prohibitive.
 Will bill language interfere in the common tradition of 
        allowing relatives, friends, caregivers and neighbors to pick up 
        prescriptions for patients?
 Is it the intent of legislation to require separate, written 
        authorizations for each pharmacy customer, despite the fact 
        that patients have their choice in deciding where to deliver 
        prescriptions to pharmacists directly, asking for treatment and 
        granting permission for pharmacists to dispense and be paid?
 Have members and staff contemplated the impact of 
        ``Administrative Billing Information'' and payment provisions 
        and their possible impact on the use of the NCPDP prescription 
        payment claim forms and PBM clinical data collection used for 
        utilization review?
 Is it clear that pharmacy benefit cards are not considered a 
        ``payment card''?
 Do lawmakers know that software experts have told industry 
        that 18 months is the minimum time needed to create, test, and 
        train pharmacists in using new software for pharmacy compliance 
        with a new Federal privacy law and that it is unlikely that 
        software can be developed and implemented for a bill that does 
        not substantially preempt state laws?
 Is it the intent of legislators to limit the use of 
        prescription information to issue discount coupons for over-
        the-counter drugs and products related to the treatment or 
        prescription by requiring a written authorization?

    Mr. Burr. Thank you, Mr. Krinsky.
    The Chair would recognize for purposes of an opening 
statement Mr. Latanich.

                 STATEMENT OF TERRY S. LATANICH

    Mr. Latanich. Thank you, Mr. Chairman.
    I have been watching to see if I was going to be the last 
witness on this panel or the first half of the recess, but I 
guess I will go last.
    My name is Terry Latanich. I want to thank you, Mr. 
Chairman, and members of the subcommittee. I am senior vice 
president of Merck-Medco Managed Care which is a subsidiary of 
Merck. We do manage the prescription drug benefit for more than 
1,100 health plans and cover more than 50 million people.
    The patients that we serve, as well as the plan sponsors, 
count on us to protect the patient's health and their 
confidential medical information. We take both of these 
responsibilities very seriously. I would like to begin today by 
giving you one real-world example of how we use patient 
identifiable information.
    A member of one of the health plans that we serve was 
taking a medication for an enlarged prostate. Later, this 
patient was prescribed medicine to treat depression. 
Unfortunately, the use of that anti-depressant not only 
worsened the patient's prostate problem, it can also result in 
serious problems for elderly patients like fractures.
    We were able to use this patient's prescription history to 
identify this potential health problem. Our pharmacist 
contacted the physician who had prescribed the anti-depressant. 
The physician was not aware that the patient had a prostate 
problem or that he was taking medications for it. Once 
informed, the physician changed the patient to an anti-
depressant that was safe for the patient and didn't exacerbate 
the prostate problem.
    This interaction was identified by a program which we call 
Partners for Healthy Aging. Merck-Medco processes more than 300 
million drug claims a year and maintains a point-of-sale data 
base that includes about a billion claims. But the use of this 
data set demonstrates the power of the ability to protect 
patient health and safety.
    Last year two drugs were voluntarily withdrawn from the 
market. Posicor, a drug used to treat hypertension and angina, 
and Duract which is used to manage acute pain. Studies showed 
that Posicor had potentially serious interactions with nearly 
two dozen commonly used drugs. Duract was withdrawn because its 
use may have resulted in up to four deaths and the need for 
several liver transplants.
    Many physicians' offices lack the computer systems to 
readily identify patients using a specific drug. Merck-Medco's 
immediate access for our patients' specific data base enabled 
us to take immediate action. On the day that each product was 
withdrawn from market, we stopped dispensing those drugs in our 
pharmacies and alerted our retail pharmacy networks that no 
further prescriptions of the recalled drugs should be filled.
    Within days of the withdrawals, we sent out over 81,000 
letters to physicians who had prescribed Posicor or Duract to 
the members of any health plan that we serve. These letters 
identified patients under their care who had received a 
prescription for the recalled drugs. In addition, we sent more 
than 233,000 letters to patients using these medications and 
encouraged them to contact their doctor.
    One of the emerging capabilities of prescription drug 
management is improving the health of patients with chronic 
diseases through patient and physician education. As indicated 
by the earlier witness, we also provide programs here such as 
diabetes, MS, asthma and cardiovascular disease.
    We also use patient information to communicate with 
physicians best medical practice guidelines. Studies indicate 
that compliance with just one of these practice guidelines in 
the area of cardiovascular disease reduces mortality by 30 
percent and morbidity by 50 percent. Yet this practice standard 
is followed less than 50 percent of the time.
    Medco identifies patients through our data base who are 
potential candidates for modification therapy based on these 
medical practice guidelines. We inform the prescribing 
physician of the practice guideline, see if the physician wants 
to alter the regimen to comply with that best practice 
guideline, and then give the opportunity for the physician to 
make that decision.
    Such use of patient identifiable information allows for 
dramatic improvement in health and safety. We take seriously 
our responsibility to protect patient medical information. We 
use advanced security systems on our data bases to ensure that 
patients inside or outside the company do not have access to 
patient identifiable information unless authorized and that 
authorization is strictly limited to those with a need to know.
    Merck-Medco does not provide patient-identifiable 
information to any marketing firm, any drug manufacturer, or 
even our parent, Merck and Company. Let me emphasize this 
again. No identifiable information is given to anyone for 
marketing purposes. We view this as being consistent with our role 
as a health care provider and our professional standards of 
ethics.
    While we believe that our stand is sufficient to provide 
medical record confidentiality, we do support the enactment of 
legislation in this area. Our hope is that any legislation will 
meet three tests.
    First, it should not create any impediments to the kind of 
activities which I just discussed and which clearly improve 
patient health and safety.
    Second, it is imperative that any provisions that require 
patients to authorize the use of this information provide for 
consolidated authorization. As an organization, to provide 
services to health plans, we need to be able to rely on the 
plan sponsor's enrollment of a member as evidence that 
disclosure has been made and consent has been obtained. It 
would be very difficult for us to collect individual consent 
forms for these services. We would have to obtain more than 50 
million consents annually and maybe even more under some 
legislative proposal.
    Finally, we strongly encourage the development of a uniform 
Federal standard for medical record confidentiality that will 
set the bar high enough to provide the requisite level of 
protection. Without such a uniform national standard, we will 
face the daunting challenge of determining which State law to 
apply.
    If I could just close with one example of the difficulty 
that we face operating in 50 States, it may resonate with you. 
A patient may live in one State, work in another, they may 
receive Medicare and use pharmacies in both States. The plan 
they use may be located in yet another State. The patient may 
see a physician or pharmacist in another State on vacation and 
the records of the health plan may be maintained in the data 
base located in another.
    With legislators considering a staggering number of medical 
record confidentiality bills, we face the practical problem of 
how you maintain confidentiality against a patchwork of 
legislation. We would submit that a floor is very difficult for 
a provider to deal with on a real world day-to-day basis. 
Trying to understand which State's law to apply where there may 
be conflicts is very, very difficult.
    There are opportunities to look to see whether there can be 
secretarial discretion so we do not have to deal with the 
problem of not having the bar high enough.
    We would encourage you to adopt the uniform standard and 
have it be preemptive across the States.
    [The prepared statement of Terry S. Latanich follows:]
 Prepared Statement of Terry S. Latanich, Senior Vice President, Merck-
                       Medco Managed Care, L.L.C.
    Good morning Mr. Chairman and members of the subcommittee. My name 
is Terry S. Latanich and I am Senior Vice President for Government 
Affairs for Merck-Medco Managed Care, LLC, a subsidiary of Merck & Co., 
Inc. I am responsible for directing Merck-Medco's federal legislative 
and regulatory programs, including developing our legislative policy on 
medical record confidentiality. In addition, however, I have 
significant business responsibilities including overall management 
responsibility for our largest client, the Blue Cross and Blue Shield 
Federal Employee Program which covers nearly 5 million individuals. In 
my testimony today I would like to focus on five issues:

1. The roles and responsibilities of managers of the pharmacy benefit;
2. The importance of developing, maintaining, and using large 
        computerized medical record databases to protect health and 
        safety;
3. The importance of using both patient-specific and encrypted data to 
        manage the health status or disease states of persons using 
        prescription drugs;
4. The importance of having a statutory authorization or consolidated 
        consent to enable those who manage the benefit plans to 
        effectively, and efficiently, administer prescription drug 
        benefits; and
5. The need for a uniform national standard for medical records 
        confidentiality.
                       background on merck-medco
    Merck-Medco has been managing prescription drug benefits since 
1982, initially as a public company called Medco Containment Services, 
Inc., which was acquired by Merck & Co., Inc., in 1993. Merck-Medco 
manages the prescription drug benefit for more than 50 million 
Americans. Our customer base includes (1) more than 50 percent of the 
Fortune 500 companies; (2) more than 20 Blue Cross and Blue Shield 
plans; (3) more than 60 percent of the lives covered in the Federal 
Employee Health Benefit Program (including the plans offered by BCBS, 
GEHA, APWU and SAMBA); (4) several state employee/retiree programs 
including CALPERS and all or part of the state employee/retiree 
programs in Ohio, Texas, Massachusetts, Louisiana, and Georgia; and (5) 
several union sponsored health plans.
    Merck-Medco provides prescription drug care primarily through 
operating subsidiaries. The first, PAID Prescriptions, processes more 
than 270 million drug claims annually from 55,000 retail pharmacies 
nationwide. To do this, Merck-Medco operates a highly sophisticated 
point-of-sale (``POS'') claims system that verifies eligibility and 
drug coverage, checks for drug interactions, and informs the retail 
pharmacy of the amount it should collect as the copayment from a member 
of a health plan to which we provide service. Merck-Medco's POS system 
takes less than one second to process each claim once we receive it 
from a retail pharmacy. Three years of history are maintained in Merck-
Medco's POS system, creating a database of nearly one billion claims.
    Merck-Medco's other subsidiaries, the Merck-Medco Rx Services 
pharmacy companies, constitute the largest mail service pharmacy 
organization in the world. We fill more than 50 million prescriptions 
annually through 12 pharmacies located in eight states. Each of these 
pharmacies uses the most sophisticated dispensing technology available. 
The combination of high technology and strong pharmacist involvement in 
the dispensing process allows Merck-Medco to be very cost effective 
while maintaining the highest dispensing accuracy rates in all of 
pharmacy. Merck-Medco employs more than 11,000 employees including 
1,700 pharmacists. Merck-Medco also operates two licensed pharmacies 
that do not dispense drugs; but that are dedicated to counseling 
patients and physicians on appropriate prescribing and prescription 
drug use.
1. The Role and Responsibilities of Pharmacy Benefit Managers
    Merck-Medco is sometimes referred to as a ``PBM'' or ``Pharmacy 
Benefit Manager''. But there are a variety of organizations that 
provide ``PBM services'' by internal management including a number of 
HMOs (e.g., Kaiser Permanente), integrated health systems, hospitals, 
some Blue Cross and Blue Shield plans, and a number of insurance 
carriers. Whether a sponsor offering a prescription drug benefit 
decides to ``build or buy'' pharmacy benefit manager capabilities, the 
principal services required to manage the prescription drug benefit 
include:

 Processing prescription drug claims through sophisticated, 
        real-time point-of-sale computer systems that adjudicate claims 
        in a matter of seconds
 Negotiating provider contracts with retail pharmacies, 
        including performance standards and reimbursement schedules, to 
        provide services to members of health plans
 Providing a mail service pharmacy option through which members 
        can fill prescriptions for medications, generally involving 
        chronic conditions
 Reviewing the drugs that have been prescribed, at the point-
        of-sale, before those prescriptions are dispensed, to minimize 
        the potential for adverse or dangerous drug/drug interactions 
        or other potentially life-threatening problems
 Creating procedures to review drugs that may (i) be 
        appropriate for some, but not all, members, (ii) require 
        special management due to especially high costs or (iii) 
        require controls because they are susceptible to abuse
 Managing drug utilization by reviewing patterns of the use of 
        prescription drugs (e.g., by reviewing the claims database it 
        can be determined whether a patient is consistently late 
        refilling prescriptions for chronic illnesses which suggests 
        that the patient is not taking the medication as prescribed 
        (e.g., skipping days or taking the drug at wrong dosages))
 Managing patients' health by using prescription drug history 
        to identify persons with specific diseases and offering them 
        programs and/or information to improve their health status
 Managing the cost of a health plan's prescription drug program 
        by working with the health plan to develop strategies for 
        negotiating pricing concessions from pharmaceutical 
        manufacturers through the use of formularies or similar 
        strategies.
2. Maintaining and Using Large Computerized Databases
    Patient-identifiable data is critical to the services provided by 
Merck-Medco, whether for purposes of processing claims, auditing for 
fraud and abuse, verifying prescriptions, checking for drug 
interactions or dispensing prescriptions. Our data inputs are three-
fold:

 Plan sponsor provided information such as eligibility files 
        and in some instances medical claims;
 Patient supplied information including prescriptions, self-
        reported information from patient profile forms, and 
        information submitted by the patient in health or disease 
        management programs; and
 Physician supplied information including prescription 
        information and diagnoses and related information necessary to 
        conduct health and disease management programs.
    As I noted earlier in my testimony Merck-Medco manages a database 
of nearly one billion drug claims. It is our experience that 
confidentiality can be maintained in such systems. At Merck-Medco 
access to this database is limited to those with a ``need-to-know.'' We 
employ state-of-the-art security systems for ensuring that persons 
inside or outside the company do not have access to patient-
identifiable information unless specifically authorized. Most views of 
the data are on a blinded basis (e.g., epidemiological research). 
Systems capabilities are continuously improved, for example, improving 
the ability to track and audit any instance in which a patient record 
has been viewed.
    Merck-Medco does not provide patient-identifiable information to 
any marketing firm or drug manufacturer, including our parent Merck & 
Co. We do, however, use aggregated, non-identifiable data for a variety 
of purposes. Encrypted or blinded data has many important uses, such as 
epidemiology, outcomes research and health economics.
    An example of how our use of data is protecting patient safety was 
the 1998 market withdrawal of two prescription medications due to 
serious and even potentially fatal adverse drug reactions. Merck-Medco 
immediately implemented safety measures to prevent dispensing of 
Posicor, a drug used for hypertension and angina, when it 
was voluntarily recalled by Roche Laboratories on June 8th, and when 
Duract, a nonsteroidal anti-inflammatory (NSAID) used for 
short-term treatment of acute pain was pulled by Wyeth-Ayerst 
Laboratories on June 22nd. The voluntary withdrawal by Roche of Posicor 
was due to the possible dangerous interactions with two dozen other 
widely used medications. Duract was withdrawn from the market because 
of several reports of deaths or liver transplants required because of 
liver function problems associated with the drug.
    On the day the drugs were withdrawn from the market, Merck-Medco 
took several steps to prevent possible harm or death to the 
beneficiaries of our health plan clients. Physicians often do not have 
the office-based computer systems to readily identify patients using a 
specific medicine. Identifying patients at risk involves a slow and 
inefficient process of manually reviewing each patient's medical record 
in the doctor's office. Merck-Medco's immediate access to patient-
specific data enabled it to take swift and decisive action to address 
this situation. On the day each product was withdrawn from the market 
Merck-Medco suspended dispensing of all prescriptions for Posicor and 
Duract in its mail service pharmacies. Merck-Medco also sent electronic 
messages to all 55,000 pharmacies in its PAID Prescriptions pharmacy 
network advising them of the market withdrawals and recommending that 
no further prescriptions of the recalled drugs be dispensed.
    Within days of the withdrawals Merck-Medco sent letters to the 
prescribing physicians for patients prescribed Posicor or Duract 
reimbursed under a Merck-Medco managed prescription benefit plan. Each 
physician letter was accompanied by a customized list of current or 
past patients under their care who had received a prescription for the 
recalled drugs to assist them in checking on those patients. Merck-
Medco sent over 233,000 letters to patients and 81,000 letters to 
physicians during these two product withdrawals.
3. Using Patient-Identifiable Medical Records in Disease Management 
        Programs
    One of the emerging benefits offered by health plans are programs 
to help manage the progression of disease states through patient and 
physician education. Merck-Medco provides a number of these programs in 
areas such as diabetes, multiple sclerosis, asthma, and cardiovascular 
disease. Merck-Medco can improve patient self-management of these 
conditions through the patients' participation in such programs. We 
identify patients who could potentially benefit from such programs by 
analyzing their existing prescription drug records. In other cases, 
patient-identifiable data are used in communicating with physicians 
treating the patient enrolled in one of these programs to encourage 
compliance with ``best medical practice standards.''
    For example, the best medical practice guidelines as outlined in 
the 1997, Vol. 336, New England Journal of Medicine article by Magnus 
Johannesson states that a certain type of cholesterol reducing drug, an 
HMG (e.g., Lipitor, Mevacor, 
Pravachol or Zocor) should be started post 
myocardial infarction. Studies indicate that compliance with this 
protocol reduces mortality by 30 percent and morbidity by nearly 50 
percent. Yet, this practice standard is followed less than 50 percent 
of the time. Through Merck-Medco's health management program for 
congestive heart failure, we are able to identify those patients who 
are potential candidates for this modification in therapy, contact the 
prescribing physician, inform the physician of the practice guideline, 
and see if the physician wishes to modify the prescribed drug regimen. 
The use of patient-identifiable information and a sophisticated 
database allows for this dramatic improvement in patient health and 
safety.
    Another compelling example of the need to continue to allow for the 
use of patient-identifiable information in the management of 
prescription drug benefits is found in Merck-Medco's Partners for 
Healthy Aging program which is designed to improve 
appropriate prescribing and prescription drug usage among the elderly. 
At the core of the Partners for Healthy Aging program are a series of 
drug utilization review rules that protect seniors from drugs and 
dosages that are inappropriate given their age. For example, the use by 
the elderly of long-acting benzodiazepines such as Valium 
or Librium can result in dizziness, loss of balance and 
increased risk of hip fracture. Other drugs require dosage reductions 
in the elderly. Merck-Medco's Partners for Healthy Aging program is 
succeeding in improving health outcomes because of our ability to 
combine and analyze patient-specific information from prescription 
information and self-reported profile data from patients and to 
communicate what we know from this analysis to patients and their 
physicians. I have attached to my testimony a copy of the recent JAMA 
article describing the outcomes of this program. Nearly 25 percent of 
the time a physician was contacted through the program, the physician 
either modified the prescription previously written or discontinued the 
drug.
4. The importance of a Consolidated or Statutory Authorization
    One of the key issues that Congress must consider in developing 
legislative standards for maintaining the confidentiality of patient 
identifiable medical information is whether and how to implement an 
authorization process for the use and disclosure of such data--separate 
from the consent to be treated by a health care provider or separate 
from the enrollment by an individual in a health plan.
    Ideally, Congress could draft a law that statutorily sets out and 
defines certain circumstances or specific purposes or activities for 
which identifiable patient information could be used or disclosed 
without an individual's consent. For example, Congress could create a 
``statutory'' authorization for health plans and providers to use an 
individual's identifiable health information for purposes of treatment, 
payment and specified ``health care operations'' once that individual 
has enrolled in the health plan or consented to be treated by the 
health care provider.
    Some have argued that separate, discrete authorizations should be 
obtained from individuals each and every time that their health care 
information is accessed. Such a multiple authorization scheme would 
unnecessarily interfere with, or even shut down, the ability to provide 
quality, cost-effective health care.
    While the statutory authorization approach may be preferable, from 
our viewpoint, it may not be achievable. An alternative approach 
embraced by a number of existing proposals involves the concept of a 
``consolidated authorization''. We think that the ability to obtain a 
single, consolidated authorization from an individual upon enrollment 
in a health plan or when consenting to treatment by a health care 
provider that authorizes the use of the individual's information for 
purposes of providing treatment, securing payment for that treatment 
and conducting health care operations of the plan or provider is 
crucial. It is essential, from our perspective, that Congress 
recognizes the need to use a ``consolidated'' authorization for the use 
of patient-identifiable information.
    Merck-Medco is an organization that provides services as an agent 
to a health plan. We are not a stranger to the patients in these plans, 
but a critical part of the continuum of their care. It is imperative 
that we be able to rely on the plan sponsor's enrollment of a member 
into its health plan as evidence that disclosure of the possible uses 
of patient-identifiable information has been made and consent obtained. 
It would be extremely burdensome, perhaps impossible, for a PBM to 
collect individual consent forms for the services we provide. In the 
case of Merck-Medco, we would have to obtain 50 million consent forms 
annually, more often under some legislative proposals under 
consideration. In the context of electronically adjudicating a 
prescription drug transaction in under one-second we must be able to 
look to the patient's enrollment in a health plan as evidence of their 
authorization to use and disclose their personally identifiable health 
information for treatment, payment and their plan's health care 
operations activities. As a downstream provider of treatment, payment 
and health care operations to a health plan, we would then have 
assurance that the uses of patient-identifiable information we have 
described above fall squarely within the requirements imposed under any 
legislation adopted. Today, Merck-Medco and other PBMs rely on the 
health plan to provide us with a list of persons eligible to use the 
prescription drug benefit. The integrity of that eligibility transfer 
must be maintained.
5. Creating a Federal Standard--the need for Preemption of State laws
    Merck-Medco operates in a ``real-time'' electronic environment with 
nearly one million transactions being adjudicated daily. Each year our 
customer service representatives and pharmacists handle in-bound or 
place out-bound calls to physicians and their patients across the 
country more than 25 million times. Our pharmacies receive prescriptions 
from patients in every state, and we receive refill orders by 
telephone, IVRU, fax, and Internet. Absent the adoption of a uniform 
national standard for the protection of medical records, companies such 
as Merck-Medco will face the daunting challenge of determining which 
state's law to apply to any given circumstance. This problem is growing 
daily as state legislatures consider a staggering number of medical 
record confidentiality bills. Enrollees in health plans often obtain 
medical services or prescription drugs from multiple providers in many 
states. Consider, for example, the situation that may be faced by a 
Member of Congress.
    The Member may:

 Have a permanent residence in his or her home state;
 Live in Virginia while Congress is in session;
 Use a hospital in Maryland;
 Fill prescriptions in DC, Virginia and Maryland;
 Travel to other states while on vacation, during which time 
        prescriptions may need to be filled or refilled;
 Have a son or daughter attending college in a state other than 
        the Member's home state; and
 Fill his or her maintenance medications through a mail service 
        pharmacy in yet another state.
    What state law would control the prescription drug records in this 
hypothetical? How should inconsistencies in state laws be resolved? 
Which state's law should be considered ``primary'' in the case of 
conflict? We strongly encourage the development of a federal standard of 
medical record confidentiality that will set the bar high enough that 
its uniform application in all jurisdictions will provide the requisite 
level of protection for personally identifiable health information.
    Thank you Mr. Chairman and Members of the Subcommittee for the 
opportunity to appear before you today. I would be happy to answer any 
questions you may have.

    Mr. Burr. Thank you, Mr. Latanich.
    The Chair at this time would ask unanimous consent to enter 
into the record a February 18, 1998, Washington Post editorial 
and a February 19, 1998, correction. The editorial suggests 
that CVS had arranged to supply the names of their pharmacy 
customers to drug companies similar to what you said, Ms. 
Meyers, in 1998. The Post went on to add a correction, that CVS 
sent data to a marketing company to track, but that the company 
was under contract not to release the personal data to drug 
companies or to others. So the Post certainly clarified their 
editorial based upon what the record was. Without objection 
that would be entered into the record.
    [The information referred to follows:]
                       When Private Means Private

                  [Washington Post, February 18, 1998]

    Does the average person mind when, after having a prescription 
filled at the pharmacist, he or she starts getting related junk mail 
from drug companies to which the pharmacy has passed along his or her 
name, address and medical condition? Are such customers likely to be 
pleased at the convenience--as the pioneers of this new form of medical 
marketing insist they ought to be--or are they likelier to bristle at 
the implied violation of their privacy? Anyone who finds this a 
difficult question ought to glean a big, broad hint at the answer from 
the fierce consumer reaction to a report in this newspaper Sunday that 
several large area pharmacies, including those at the Giant Food Inc. 
and CVS chains, have entered into such arrangements with a 
Massachusetts-based company called Elensys. Today, in full-page ads and 
other formats, Giant announces it will stop providing such 
information--reacting to what spokespeople said had been a flood of 
calls from angry consumers.
    And what were pharmacists--next door to doctors in their access to 
privileged, personal knowledge about people's ailments--doing marketing 
such information in the first place? The answer casts some light on the 
strange tensions being set up everywhere by the financial 
possibilities--one might better call them temptations--of the so-called 
``information economy,'' in which information about one's customers and 
their needs had become a vast new resource to be mined. It shouldn't 
surprise anyone that consumers feel more strongly about their medical 
prescriptions than they do about the great amounts of other information 
now routinely collected from every financial transaction, whether it's 
traveling, shopping or browsing the Internet. But information about 
people's preferences--meaning the sorts of things they are likely to 
do, or read or buy--is by far the most valuable of the various sorts of 
information now being briskly harvested and traded on all sides. Any 
company that collects such information in the ordinary course of 
business is sitting on a gold mine--and can be expected to act on that 
fact in the absence of specific, spelled-out public limits.
    To what extent should people's needs be allowed to be treated this 
way, as some sort of naturally occurring resource available to anyone 
who can grab it? The outcry over drug prescriptions suggests one such 
limit. While some forms of sensitive information, such as credit 
information, are now protected, the sheer variety of types of medical 
data have made progress slow on protecting them.
    Prescription information falls near the line between purely medical 
data and commercial information, but as the reaction makes clear, that 
line has been crossed. Besides being inherently more sensitive and 
personal than information about shopping choices, prescriptions are 
also in a real sense less optional: Nobody ``chooses'' to have a 
particular ailment or to release the information about that ailment 
into the wider data stream of junk mail. The arrangements with Elensys, 
which contracts to manage pharmacists' data about patients and to make 
selected bits of it available so drug companies can send potential 
patients ``educational material'' about their inferred ailments, are 
just ingenious enough to focus people's attention on where they want 
that line drawn.
CORRECTION DATE: February 19, 1998
    An editorial yesterday incorrectly stated that several large 
pharmacies, including Giant and CVS, passed along to drug companies the 
names of persons having prescriptions filled at the pharmacy. In fact, 
Giant and CVS sent data to a marketing company to track and write to 
pharmacy customers who had not re-filled prescriptions, but that 
company was under contract not to release the personal data to drug 
companies or others.

    Mr. Burr. For the purposes of our witnesses at this time, 
we will recess, hopefully, for 35 minutes; and we will 
reconvene this hearing at 1:15.
    [Brief recess.]
    Mr. Burr. The Chair would call the hearing back to session. 
I hope everybody had an opportunity to get enough to eat. The 
Chair would recognize himself for the purposes of questions for 
5 minutes.
    Let me ask you, Mr. Jacobsen, could you tell me what 
happened in Minnesota and specifically at Mayo with the new law 
as it might or might not have affected pediatric research?
    Mr. Jacobsen. Pediatric research?
    Mr. Burr. Pediatric research is a tough one to get people 
to commit to allow to happen anyway.
    Mr. Jacobsen. Right. I am trying to think back to 
information that we have got on that. I don't have that on the 
top of my head.
    We did look at a study of those that gave us authorization 
to use the medical records versus those that didn't, but 
restricted that to ages 20 and older in that study. Obviously, 
I can't tell you what has happened with response rates for 
pediatrics.
    Mr. Burr. Let me ask you because I have got the Bowman Gray 
School of Medicine, part of Wake Forest University, in my 
district. What would researchers there be subject to if the 
Minnesota law were adopted in North Carolina?
    Mr. Jacobsen. It was really quite a bit of work to try to 
implement this. For those of you that don't know what this law 
was, it required us to ask all patients seen after January 1997 
for a general authorization to use the medical record for 
research purposes.
    As originally written, the default was set to no. We had to 
get an explicit yes. That was the amendment alluded to earlier 
so that the default was set to yes with reasonable contact. The 
systems to put that into place with close to 300,000 patient 
visits per year were really quite substantial. Systems to try 
to contact patients before they came in for their scheduled 
visits, to try to capture them at the time when they enter the 
system, which you can imagine the many different portals for 
entry, urgent care, emergency care, X-rays, all sorts of 
places. To try to catch patients that didn't have patient 
registrations ahead of time was really quite a task to put this 
all together.
    Mr. Burr. You alluded to a study that you had done. Can you 
tell us about the specifics of the findings of that study?
    Mr. Jacobsen. Sure. What we did was we selected a sample of 
patients who had been seen in the previous 3 years at Mayo and 
went through the same procedures that were being used 
clinically to comply with the law and asked them about their 
preferences for authorization.
    We had three written contacts. What we found overall about 
3 percent of people explicitly refused. About 80 percent 
explicitly gave us that authorization, but 17 percent didn't 
express their wishes at all despite three written contacts 
asking them for their wishes and explaining to them what would 
happen if they didn't give it to us.
    I alluded to the findings in my testimony that there were 
some subject patients where their refusal rates were quite a 
bit higher. It all sort of makes sense intuitively in terms of 
younger persons, persons with conditions that some might 
consider sensitive, and so on. I think one of the most 
important things was looking at what happened with those 
people, that large number of people that didn't express their 
wishes despite asking them. I think that it is very important 
to keep in mind that we have got to make sure that defaults to 
a yes with reasonable contact with whatever legislation we 
have.
    Mr. Burr. Let me go to Ms. Gencarelli. You stated in your 
testimony that the Maine law prevented family members from 
accessing information about the condition of their loved ones 
and medical providers from obtaining information necessary for 
the proper treatment of patients.
    What happened to the Maine law?
    Ms. Gencarelli. The Maine law contained extensive 
provisions and requirements that required written disclosure 
for basically any and all release of information. Clearly it 
was not intended in the bill, but that was the ultimate 
consequence, was that it was written in such a way that 
authorization was required in so many circumstances that the 
things such as delivering flowers, administering last rites, 
even notifying family members of a loved one's condition were 
prohibited by the law and that law was sequentially suspended. 
And they are currently redrafting and cleaning up that law.
    Mr. Burr. How fast did they suspend that law?
    Ms. Gencarelli. I believe 2 weeks.
    Mr. Burr. Mr. Stump, let me ask you.
    I worked closely on the pharmaceutical and biologics 
portion of the FDA Modernization Act. One of my goals was to 
streamline that approval process from the 12 to 15 years that 
it took to bring patients a particular treatment.
    I am curious what would happen to the drug development 
process if archival research had conditions that--for those 
patients who were no longer with us that it was left up to 
their estates to access for permission to use that archival 
research?
    What would it do?
    Mr. Stump. The ramifications would be substantive and 
significant. We are obligated to do outcome research on our 
products at the time they are approved. We don't have the 
answer to every interesting question at the time of approval.
    We need to do continuing surveillance in order to ascertain 
how our product is doing once it goes into the general 
prescribing population. In order to access that data, we need a 
pretty efficient and streamlined process. We will do that. We 
have to do that. If that process becomes so cumbersome that 
resources have to be diverted to that process, which we would 
do, the costs will be products like Herceptin, that development 
was long and hard.
    My colleague on the panel, Fran Visco, was of immense help 
to us in getting the patient community to even make it happen. 
It is that kind of high risk, high impact, meet the critical 
need project we're talking about. The project could have easily 
been sacrificed at various points along the way had we been 
diverting resources away from that into more complex archival 
studies.
    Mr. Burr. Thank you.
    My time has expired. The Chair would recognize Mr. Waxman.
    Mr. Waxman. Thank you, Mr. Chairman. I thank Mr. Brown for 
allowing me to start my questions first because I have another 
hearing to attend.
    Dr. Stump, let me ask you this. There is a common rule and 
it requires informed consent, an IRB review for practically all 
research conducted in this country including federally funded 
research and almost all research conducted at universities, 
major hospitals, and academic centers, and then there are 
similar rules when working with the FDA approvals.
    You object to applying the common rule requirement of 
informed consent to records-based research. I hope that you are 
aware that the common rule specifically provides for the waiver 
of consent, waivers permitted when the research presents, 
quote, no more than minimum risk of harm to subjects and 
involves no procedures for which written consent is normally 
required outside of the research context.
    How do you justify treating your records-based research 
differently from all such research sponsored today by the 
Federal Government or conducted at institutions like UCLA or 
Harvard?
    Mr. Stump. I guess it is a question of how much time, 
energy, and resources you spend overseeing what is minimally 
risky investigation. I am not aware of abuse of that process. 
These IRBs do perform a critical function. We use them just 
like any publicly sponsored research does as well under 
oversight from the FDA. I want IRBs to be paying very close 
attention to that work and protecting patients from the near-
term risk of being exposed to uncertainties in their products. 
I would rather not have them spending their time and energy 
where there is really minimal risk.
    Mr. Waxman. Well, if you think that IRBs have done a good 
job and you welcome them, the IRBs are under the common rule 
where we have supervision over the information disclosures, and 
the common rule also explicitly grants expedited IRB review for 
records-based research.
    You claim that even expedited IRB review would add 
unnecessary Federal oversight to some mysterious unquantified, 
unidentified body of research. I want to figure out exactly 
your concerns. If Genentech conducts records-based research to 
support a new drug application, it would be subject to the 
FDA's equivalent of the common rule; isn't that correct?
    Mr. Stump. It would be in that situation.
    Mr. Waxman. UCLA has multiple-project assurance with the 
Federal Government. If Genentech sponsors records-based 
research at UCLA, it has got to be subjected to the common 
rule; right?
    Mr. Stump. In that situation, yes.
    Mr. Waxman. So much of the research you conduct or sponsor 
is already subjected to what you call unnecessary Federal 
oversight. I think you are vastly exaggerating the impact of 
common rule scrutiny on the remainder of whatever research you 
conduct or sponsor.
    That is my view. I would like to hear you respond to it.
    Mr. Stump. I guess that I would agree with you on the 
preapproval research. Actually, the vast majority of outcome 
research, so-called archival research, is done post-approval.
    It is done in product surveillance. It is done in 
establishing the outcome experience of your product after 
approval by the FDA as it should have been predicted by your 
approval clinical trial base. That is actually where the vast 
majority of information is collected.
    We have tracked most of our products. As one example, our 
heart attack drug, Activase, we track about 100,000 patients a 
year prospectively to determine whether that drug is working 
successfully, which is save lives for heart attack patients 
that we showed in early clinical trials. We show that very 
well. If every IRB at every site that provides this anonymous 
information had to go through the approval process, it would 
add an additional significant burden.
    Mr. Waxman. It would if you did it under every single case. 
But if you do it under those circumstances where you are 
already involved in research where there is a Federal 
involvement, either FDA or research involving some other 
university, what proportion of the research conducted or 
sponsored by Genentech is records-based or not currently 
subject to the common rule?
    Mr. Stump. I don't have the fact right at hand. I could get 
that and provide it to you. I could tell you along the size of 
patient data bases that we collect----
    Mr. Waxman. Why don't you get it for the record. Do you 
conduct any human subject research which is not regulated under 
the common rule? By human subject research, I mean research 
involving patients?
    Mr. Stump. We do no research for preapproval clinical 
trials that is not covered by the common rule.
    Mr. Waxman. Dr. Amdur, how do you respond to what Dr. Stump 
is saying? Is this going to be unnecessary burdensome 
regulation?
    Mr. Amdur. I think this is one of those nice situations 
where everybody can be happy because I think that Dr. Stump's 
concerns about the things that he does not want to be subject 
to burdensome regulations, regardless of how minimal that 
burden is, indeed under the current common rule regulations 
would not be burdened.
    The types of activities that he is speaking of, in my 
opinion as an IRB chair, are not research. We can review the 
regulatory definition of research. I have it here if you would 
like me to explain my answer, but these are things that are not 
being done with the goal of producing scientific generalizable 
knowledge. They are being done for product evaluation and 
marketing information. And in my opinion, that does not satisfy 
the definition of research. It is certainly not a scientific 
study that any of us normally think of.
    And the intent of the regulations was not to go around and 
meddle in areas that do not have to do with specific and 
traditional focus of research. So I think that an IRB is 
inappropriately misusing its authority to try and get Dr. Stump 
and his company to go through their system, and I don't think 
that that will happen to any large degree.
    Mr. Waxman. Maybe we need to clarify these issues because 
it sounds like concerns that Dr. Stump is raising are concerns 
that you think are really not valid if we draft this thing 
appropriately.
    Mr. Amdur. Absolutely. To answer the second part of that, 
this issue of archival data on people who are deceased and 
going to their estates, as a question was raised, the 
regulations specifically define a human subject to be a living 
individual. And so archival research on people who are deceased 
is outside the authority of the Federal regulations, and 
companies and investigators do not have to worry about any kind 
of regulatory burden.
    However, as you have mentioned in your response, the burden 
is extremely small because expedited review is a one page 
electronic mail application that is reviewed in real time. It 
is a minimal burden.
    Mr. Waxman. Thank you, Mr. Chairman.
    Mr. Burr. The gentleman's time has expired.
    Could I just ask Dr. Stump for a clarification for all of 
the members? I think I heard you say that if we do this wrong, 
we will adversely affect the post-approval review of 
pharmaceuticals that enter the marketplace? Did I hear that 
correctly?
    Mr. Stump. That is not exactly what I intended if that is 
how it came across. I think that we will continue to do what we 
need to do to monitor what our products are doing post-
approval.
    Mr. Burr. Will it alter your access and ability to do that?
    Mr. Stump. We will figure out a way to do it. What it will 
alter is our ability to maintain those early stage products 
that are a higher risk who must be resourced from the same pool 
that have much longer term benefits to the general public 
health. We will be missing on the treatments for stroke and 
heart attack and cancer that are in our pipeline now at an 
early stage, but would be therapies 5 to 10 years from now.
    Mr. Burr. The Chair would recognize the ranking member, Mr. 
Brown.
    Mr. Brown. Thank you, Mr. Chairman. First of all, Mr. 
Krinsky, thank you for joining us. I don't have a question for 
you, one more statement, but your comments about family, 
friends, designated care givers, making sure they could pick up 
medication at Ritzman or any other pharmacy is especially 
important. I think that any legislation that we draft will make 
sure that is protected.
    Mr. Latanich, your comments I appreciate on the disease-
management programs. Again, any legislation that we come up 
with as it goes through this process we will make sure that 
this actually has the authority to allow that. I think that is 
especially important.
    Ms. Meyers, a question for you, if I could. The patients 
that you represent very clearly had the most to gain from 
medical research, yet you say they support the toughest form of 
Federal medical records privacy legislation because of the 
nature of disorders, the consequent difficulty of attracting 
research dollars to them.
    It seems you, perhaps among all of the witnesses, would 
seem to be the most interested in making sure there were no 
disincentives erected by us or anybody, disincentives to do the 
kind of research that many people need. Expand, if you would, 
on understanding that, on making sure that strong patient--
explain how strong patient protections are especially necessary 
to cultivate and protect a robust research environment, if you 
will.
    Ms. Meyers. Research under the common rule gives consumers 
much more protection than they get when they go to their 
private doctor's office. The federally funded research and 
research leading to an FDA approval for a drug give privacy 
guarantees. When you sign an informed consent document, it 
tells you who is going to have access to your medical records, 
it will be the FDA, it will be the drug company, et cetera. It 
gives you a guarantee that the university or the hospital will, 
in some way, keep your record confidential and if papers are 
published, your name will not be identifiable.
    And so you have wonderful guarantees that don't exist 
outside of the medical research arena where they are doing 
clinical trials on something. There are specific areas in 
private research that it doesn't cover. For example, in vitro 
fertilization is not covered by any Federal regulation and 
organ transplantation. So there are a number of areas where it 
should apply.
    What we are saying to Congress basically is that consumers 
who aren't in research want the same protections that subjects 
get when they go into research. They want the benefit of 
signing an informed consent document that will tell them who 
has access to their medical record.
    And if they want to refuse, they can refuse to sign it and 
refuse to be a subject in that trial.
    Mr. Brown. Dr. Amdur, one of the concerns raised today 
from--let me just--background reading on this from panelists 
talking today is that anything that creates any administrative 
burden may delay or inhibit the conduct of research. Run 
through for us how much work is involved in getting IRB 
approval for medical records research?
    Mr. Amdur. Okay. First, if I could just as background 
address something that I see as a systemic issue in all of 
these questions or many of these discussions, which is the 
issue of do we have a large body of privately funded research 
currently that is going on outside the Federal regulations? 
Meaning, that if you pass legislation that requires these 
administrative issues that you are asking about, will that 
create a change compared to what is going on now.
    The answer is there won't be a big change because medical 
research in this country, by and large today, is being done for 
FDA application or at institutions that have already committed 
in writing to conducting research regardless of funding source 
according to Federal regulations. So enacting legislation for 
medical records privacy in general may very well change a lot 
of things compared to how they are done now, but for research--
for the most part research is being done with medical records 
or otherwise according to the Federal regulations. So there 
wouldn't be a big increase in burden compared to what it is 
now.
    What is the burden now? To get to your specific question. 
The burden according to Federal regulations, if you will, is 
stratified by risk, the potential risk to the subjects. If 
there is no more than minimal risk and the data is already 
existing, it has been collected for other reasons and there are 
no identifiers, it doesn't even have to go through the IRB 
system.
    However, most research that we are discussing with medical 
records and that we see in this country has identifiers. And 
the regulations say that if you can put protections in place, 
encryptions, that kind of thing, locked file boxes that 
decrease the risk of a problem from a breach in confidentiality 
to no more than minimal risk from this study, then it could be 
dealt with by expedited review.
    It is a minimal administrative burden for an investigator 
to obtain expedited approval for their research. At our 
institution it is a one page application and can be handled by 
electronic mail. It is reviewed by one member of the IRB or a 
small subcommittee rather than a full committee meeting. So it 
is done real time. You have a study. You call on the phone. You 
put a paragraph together, send it in. The next day you have 
approval. So it is a very low burden thing.
    Mr. Brown. Thank you. Let me shift, Ms. Visco, to you. You 
talked a lot about public and private, privately--publicly and 
privately funded research and your assertion that research 
should be, whether it is public or private, be held to the same 
standards for ensuring protection of patient confidentiality.
    Do women who participate in breast cancer clinical trials, 
are they generally aware of the different standards for public 
and privately funded?
    Is that even an issue that is raised in their mind?
    Ms. Visco. No, I don't think so at all. It is one of the 
things that we are trying to educate our constituency about, 
but it is not something that an individual patient who walks 
into her doctor's office and her doctor is knowledgeable enough 
to talk to her about clinical trials. No, I don't think that 
the question is ever asked.
    Mr. Brown. The physician would be unlikely to raise it, and 
the patient would be equally unlikely to inquire whether it is 
public or private?
    Ms. Visco. Yes, that is absolutely true. I think the system 
that we are talking about putting into place is not expanding 
the existing IRB system. There are many problems with the IRB 
system that we are all aware of and there are many people 
working on correcting those.
    What we would like to see is an IRB-type system so that we 
don't have to--we are not asking that the Minnesota law become 
Federal legislation. We are asking for an oversight, a 
threshold that everyone has to walk through to determine 
whether face-to-face informed consent is appropriate in each 
instance.
    That is what we are asking for, that threshold. We are not 
saying that you need to have that informed consent on a one-on-
one basis in every instance.
    Mr. Brown. Okay. Thank you.
    Thank you, Mr. Chairman.
    Mr. Burr. Dr. Amdur, let me come back to you because I need 
a clarification. Under the current law, you are not required to 
get consent for deceased records, correct?
    Mr. Amdur. Correct, although it is not a law.
    Mr. Burr. Per regulations, excuse me. There are proposals 
out there to expand that authority to include the need to get 
consent for those archival records.
    Would that present a problem if that were proposed and 
adopted?
    Mr. Amdur. Yes, I believe that it would. Let me say that 
there are certain very select situations where doing research 
on a deceased person's information has direct implications and 
is linked in an intimate way to living people, such as very 
specific genetic research or sexually transmitted disease 
research.
    I have never seen one of these proposals, but the point is 
I could imagine a situation where we could say that the 
research regulations indeed apply even though the subject is 
archival information, meaning specimens, for example, of dead 
people, because the very unusual nature of it directly links it 
to a living person with implications with identifying 
information.
    That is a theoretical problem. I just want to record that 
issue. But for the types of research that are going on today, 
the answer is that the current regulations do not cover them, 
and I think that it would be an unnecessary burden and an 
expansion of regulatory authority to a lot of different areas 
that really don't need that type of protection.
    Mr. Burr. I hope all of you realize the difficulty that I 
think most of the members are having at distinguishing a lot of 
different proposals that are out there and the technical nature 
and all of a sudden you cross the line and it does cause a 
problem, stay on this side of the line and it doesn't cause a 
problem, understanding what different recommendations are being 
made for person-to-person approval and that type of thing.
    I want to come back to you, Dr. Stump. I want to go back to 
the question that I asked you, and I will ask it in a different 
way. If we did the wrong thing, could this committee possibly 
have Sidney Wolf in here telling us because we wrote it this 
way, drug companies and possibly the FDA and the post-approval 
review that goes on, that we limited the amount of information 
that you could accumulate on the effects of a drug that had 
just been approved and that was adverse to the health----
    Mr. Stump. What Mr. Wolf regularly refers to is detecting 
these previously unknown types of adverse events beyond the 
life of approval. When this happens, it is the rare event. That 
doesn't mean that it is not a severe event, it is just a rare 
event. Your chance of detecting that is directly related to the 
amount of information you can recover and analyze and the time 
with which you can do it.
    Anything that delays that time or constrains your ability 
to expand that data base will delay your ability to detect 
their----
    Mr. Burr. There are things that we could do that would, in 
fact, hurt the availability----
    Mr. Stump. Yes. The process needs to be simple, and it 
needs to be uniform.
    Mr. Brown. Will the gentleman yield?
    Mr. Burr. I would be happy to.
    Mr. Brown. There is information on the other end. There is 
something on the other end we could do which would cause 
information to be disseminated that violated a patient's rights 
that might cost her a job or cost him health insurance.
    So we obviously have to walk a pretty fine line; correct?
    Mr. Stump. We fully agree. There has to be accountability 
and those who handle this information, ourselves included, need 
to be held accountable through existing law. We take that very 
seriously.
    What we are asking though is find a way to do that to 
protect us. All of us are patients, protect us now, but not at 
the needless expense of real potential long-term benefits.
    Mr. Burr. I think Dr. Hamburg covered that as well with the 
need for there to be uniformity in what we do.
    The Chair would take this opportunity to thank all 
witnesses and also to this panel of so many, that the lack of 
member participation is not an indication of lack of interest 
of this issue or the understanding of the seriousness of this 
issue.
    It is more an indication of the schedule today and some 
significant mark ups that are taking place in this building to 
the significance that members on both sides of the aisle are 
not able to go from the first floor to the third floor in fear 
of the vote process that may be going on.
    But I am sure that all members will take full opportunity 
to read your statements, to read the questions and the answers, 
and at this time I would recess the second panel and call up 
the third panel.
    This panel is going to challenge me with the pronunciation 
of these names so I would take this opportunity to--Mr. 
O'Keefe, I can do yours, but I apologize to the other ones 
right up front. Dr. Zubeldia? Am I close?
    Mr. Zubeldia. Yes.
    Mr. Burr. And Ms. Koyanagi?
    Ms. Koyanagi. Yes.
    Mr. Burr. Mr. O'Keefe and Ms. Meyer.
    The Chair would recognize the good doctor to my right.

  STATEMENTS OF KEPA ZUBELDIA, VICE PRESIDENT OF TECHNOLOGY, 
  ENVOY CORPORATION; CHRIS KOYANAGI, DIRECTOR OF LEGISLATIVE 
 POLICY, JUDGE BAZELON CENTER FOR MENTAL HEALTH LAW, ON BEHALF 
    OF CONSUMER COALITION FOR HEALTH PRIVACY; MARK O'KEEFE, 
 COMMISSIONER OF INSURANCE, DEPARTMENT OF INSURANCE, STATE OF 
MONTANA; AND ROBERTA MEYER, SENIOR COUNSEL, AMERICAN COUNCIL OF 
                         LIFE INSURANCE

    Mr. Zubeldia. Thank you, Mr. Chairman. My name is Kepa 
Zubeldia. I am a physician, and I am here today representing 
the Association for Electronic Health Care Transactions, 
AFEHCT.
    I am also vice president of technology for Envoy 
Corporation. Envoy is the largest medical transactions 
clearinghouse in the country. We process an average of 3.5 
million transactions per day and provide connectivity between 
270,000 providers and 800 payers.
    We have been processing administrative transactions for 17 
years; 62 percent of all health care claims are processed 
electronically today. The AFEHCT member companies take the 
issue of privacy very seriously. Since 1982 we have processed 
over 15 billion transactions. No AFEHCT member has experienced 
an instance in which protected health information was disclosed 
without authorization or in which an individual was harmed.
    My written testimony addresses several issues of importance 
to your committee. First, the need for preemption to establish 
a single national law protecting patient privacy and 
facilitating the privacy of administrative records.
    Second, the desirability of a consolidated patient consent 
for the transfer of personal and identifiable information.
    Third, the need to support industry-driven security 
measures such as the standards adopted by the Secretary of HHS 
under HIPAA.
    And fourth, the encouragement of the use of nonidentified 
patient information for medical research. I would center my 
remarks on two of these four issues.
    First, the strong preemption of State law. The member 
companies of AFEHCT agree that protected health information 
should be granted the best protection necessary to keep the 
information confidential. Most health plans are administered at 
the national level. In order to accommodate the flow of 
information, it is imperative that national rules govern.
    Subjecting administrative health care information to a 
multitude of State-specific requirements would cause harm to 
the processing infrastructure with immediate and significantly 
negative consequences for providers and payers alike. Health 
care is provided locally but administered nationally. We 
believe that preemption in this field will facilitate patient 
care, health care operations, and health research enormously. 
Individual patient's rights should not be based on an accident 
of geography.
    My second topic is research. Legislation should encourage 
the creation of nonidentified data in order to accommodate the 
analysis of hundreds of millions of bytes of electronic data 
that can be gathered through various systems of collection each 
year. It is well to distinguish this potential for creating 
non-identified data in the electronic arena from the use of 
private patient records in clinical research.
    In the majority of the circumstances, certainly consent 
should be obtained for the use of identifying private health 
information. We have heard much testimony regarding the proper 
times for an exception to the consent rules in dealing with 
identifiable protected health information in research 
situations. This is a different case, however, from the growing 
ability to create nonidentified information from electronic 
records of health transactions and employ this anonymously 
aggregated data in health research.
    We believe that this approach provides both patient privacy 
and a powerful research tool to help reduce the cost of health 
care and should be favored by legislation. I wish to thank the 
chairman and members of the committee for the opportunity to 
speak to you today on behalf of AFEHCT, and I look forward to 
working together with you and your staff on these very 
important issues.
    [The prepared statement of Kepa Zubeldia follows:]
   Prepared Statement of Kepa Zubeldia, Vice Chair, Association for 
                  Electronic Health Care Transactions
    Mr. Chairman, members of the Committee, Ladies and Gentlemen, good 
morning.
    My name is Kepa Zubeldia, I am here today speaking on behalf of the 
Association For Electronic Health Care Transactions (AFEHCT). I 
currently serve as Vice Chair of AFEHCT, which is a trade association 
whose member companies are actively involved in the electronic 
transmission of health care financial and administrative transactions. 
These transactions include claims and patient encounter information, 
electronic remittance advice, eligibility, referrals, and related 
transactions listed in section 1173(a)(2) of the Social Security Act as 
amended by the ``Administrative Simplification'' provisions of the 
Health Insurance Portability and Accountability Act (HIPAA). An AFEHCT 
membership list is in Attachment A of my written testimony.
    I am also Vice President of Technology for ENVOY Corporation, which 
is an AFEHCT member. ENVOY is a healthcare administrative transactions 
clearinghouse. We receive the administrative transactions specified 
under HIPAA, process them to ensure they have complete and correct 
information, and forward them to the health plan for payment. ENVOY is 
the largest medical transactions clearinghouse in the country, 
processing an average of 3.5 million transactions per day and providing 
connectivity between 270,000 providers and 800 payers. We have been 
processing administrative transactions for 17 years, with an 
accumulated experience totaling billions of transactions. Our corporate 
office is in Nashville, Tennessee, with sales offices in 14 states, 
data processing centers in 6 states, and a roster of about 1,000 
employees. We have recently become part of Quintiles Transnational 
Corp., a diversified contract health organization based in Research 
Triangle Park, North Carolina, with over 17,000 employees in 31 
countries.
Clearinghouses
    ENVOY and other clearinghouse members of AFEHCT receive electronic 
transactions from providers, payers and vendors. The transactions are 
processed to ensure they are complete and accurate, and are then 
forwarded to the appropriate insurer or health plan. By processing 
these transactions electronically, rather than in paper format, a 
managed care referral or authorization, or a determination of 
eligibility and benefits can be obtained on a real-time basis, allowing 
patients to receive needed health care quickly.
    Electronic claims represent a significant portion of the electronic 
transactions processed by ENVOY and other such clearinghouses. The 
charts in Attachment B of my written testimony show the growth of 
electronic claims. Sixty two percent (62%) of all healthcare claims are 
processed electronically with over 80% of hospital and pharmacy claims 
being processed electronically. Out of last year's total of 4.4 billion 
claims, 2.7 billion were processed electronically by ENVOY and other 
clearinghouses. Members of AFEHCT are intimately involved in 
administrative simplification that is currently saving the country 
billions of dollars in health care costs.
Support for privacy
    The AFEHCT member companies take the issue of privacy very 
seriously. Since 1982, we have processed over 15 billion transactions. 
We actively protect the confidentiality of the protected health 
information that we process. No AFEHCT member has experienced an 
instance in which protected health information was disclosed without 
authorization or in which an individual was harmed. Indeed, we support 
a strong federal statute addressing privacy and confidentiality, and 
are actively involved in the privacy and confidentiality issues being 
addressed by your Committee.
    In that spirit I would like to speak on several issues of 
importance to your Committee: the need for preemption to establish a 
single national law protecting patient privacy and facilitating the 
privacy of administrative records; the desirability of a consolidated 
patient consent for the transfer of personally identifiable 
information; the need to support industry driven security measures such 
as the standards adopted by the Secretary of HHS under HIPAA; and the 
encouragement of the use of non-identified patient information for 
medical research.
Strong preemption of state law
    The member companies of AFEHCT agree that protected health 
information should be granted the best protection necessary to keep the 
information confidential. Most health plans are administered at the 
national level by a network of payors, third party administrators, 
administrative services organizations, peer review systems, foundations 
for quality review, and actuarial services. In order to accommodate the 
flow of information over these national electronic systems, it is 
imperative that national rules govern. It would be a daunting burden 
for the current payment system if local laws were able to create 
differing regulations for the processing and analysis of electronic 
records. Subjecting administrative healthcare information to a 
multitude of state specific requirements would cause harm to the 
processing infrastructure with immediate and significantly negative 
consequences for providers and payors alike.
    The member companies of AFEHCT believe that private health 
information should be granted the best protection possible. We strongly 
support the desires of the states to protect medical record 
information, which we believe can best be accomplished through a 
comprehensive federal statute that sets out clear unified guidelines 
for the handling of the millions of electronic claims that cross all 
state lines.
    It is a favorite truism that health care is provided locally but 
administered nationally. The system receives its funding on a national 
basis and record keeping of the providers and payors is accomplished on 
a national basis. We believe that preemption in this field will 
facilitate patient care, health care operations and health research 
enormously. Individual patient's rights should not be based on an 
accident of geography.
Consolidated patient authorization
    To operate the intricate electronic system described above, it 
would be impossible for clearinghouses to obtain consent from the 
patient for each transfer of personally identifiable information along 
the communication channel between the provider and the health plan. 
Therefore, AFEHCT urges that legislation endorse a consolidated consent 
provision to facilitate this process. The general authorization granted 
by the patient at the point of health plan enrollment should stand as 
this consolidated consent. It provides clear notice to the patients of 
the handling of their claims information, as well as a unitary guideline 
for all handlers of electronic data expressing personally identifiable 
health information.
Preserve administrative simplification provisions of HIPAA
    We need to develop and employ from existing technologies the very 
best practices in encoding data so as to make sure patient privacy is 
strictly protected. Legislation before the Senate HELP Committee 
takes steps in this direction. We believe that the health care industry 
should be given great incentives to adopt the highest standards for 
encoding electronic data and to use non-identifiable patient 
information for research. We support the Secretary of Health and Human 
Services in her effort to adopt industry driven standards as the 
standards adopted under HIPAA, rather than creating new standards.
Research
    We agree with the stated purpose of the bipartisan legislation 
being considered this week in the Senate Committee on Health, Education, 
Labor and Pensions (HELP) to encourage the use of non-identified health 
information, both in its creation by a recipient who is authorized to 
receive it and in its broad application by health researchers. This is 
a sensible way to increase the ability of researchers to create ever 
more powerful analytical studies while preserving patient privacy 
rights. The increased use of non-identifiable health information is a 
particularly attractive approach in the field of healthcare 
transactions because the immediate ability to encode information 
permits rapid access on an anonymous basis for health researchers. 
Therefore, legislation should encourage the creation of non-identified 
data--which does not require the further consent of the patient--in 
order to accommodate the analysis of hundreds of millions of bits of 
electronic data which can be gathered through various systems of 
collection each year.
    It is well to distinguish this potential for creating non-
identified data in the electronic arena from the use of private patient 
records in clinical research. In the majority of circumstances, 
certainly, consent should be obtained for the use of identified private 
health information. You will no doubt hear much testimony regarding the 
proper times for an exception to the consent rules in dealing with 
identifiable protected health information in research situations. That 
is a different case, however, from the growing ability to create non-
identified information from electronic records of health transactions 
and employ this anonymous aggregated data in health research. We 
believe that this approach provides both patient privacy and a powerful 
research tool to help reduce the cost of healthcare, and should be 
favored by legislation.
Conclusion
    In conclusion, in order to protect patient privacy, enhance the 
accurate and rapid administration of healthcare transactions, and to 
fulfill the aims of health research, it is important that:

 Federal standards, with state preemption, should be required 
        to keep secure and confidential all identifiable health 
        information including any administrative transactions that 
        utilize identifiable health information;
 General authorization by means of a consolidated patient 
        consent at the point of health plan enrollment should be 
        adequate for the use of protected health information for 
        purposes of treatment, payment and health care operations;
 The new legislation should not override, but support the 
        security measures adopted by the Secretary of Health and Human 
        Services implementing the Administrative Simplification of 
        HIPAA;
 Conversion from personally identifiable information into non-
        identifiable information for the purposes of health research 
        should be encouraged, while preserving the patient's privacy 
        and without specific consent.
    I wish to thank the Chairman and the Members of the Committee for 
the opportunity to speak to you today on behalf of AFEHCT. I look 
forward to working together with you and your staff on these very 
important issues.
                              ATTACHMENT A
                                 AFEHCT
          association for electronic health care transactions
Thomas J. Gilligan, Executive Director & Washington Representative; 
3513 McKinley St. NW, Washington, DC 20015-2513, Tel (202) 244-6450, 
Fax (202) 244-6570, E mail [email protected]
                               membership
    The Association For Electronic Health Care Transactions (AFEHCT) is 
a trade association, the membership of which includes: health claims 
clearinghouses; health insurers; value added networks; software 
vendors; health care data processing companies; practice management 
companies; data communications systems operators; and credit card 
issuers.
    Each of these member companies is involved in the electronic 
transmission of health care financial and administrative transactions 
such as those listed in section 1173(a)(2): Health claims or equivalent 
encounter information; Health claims attachments; Enrollment and 
disenrollment in a health plan; Eligibility for a health plan; Health 
plan premium payment; First report of injury; Health claims status; and 
Referral certification and authorization.
                         afehct membership list
ANTHEM, Indianapolis, IN; BC/BS OF GEORGIA, Columbus, GA; BEACON 
PARTNERS, Hoffman Estates, IL; CARE-FULL SOLUTIONS, Cecil, PA; 
CONSULTEC, Tallahassee, FL; DIFFERENTIAL INC., Cupertino, CA; EDI-COMM, 
Woodland Hills, CA; EDS, Plano, TX; ELECTRONIC CLAIMS SERVICE INC., 
Houston, TX; EMPIRE BLUE CROSS, Syracuse, NY; ENVOY CORPORATION, 
Nashville, TN; HBO & CO, Atlanta, GA; IDX, Malvern, PA; HEALTHEON, 
Santa Clara, CA; IBM, Tampa, FL; INTEGRATED VISION SYSTEMS, Sebastion, 
FL; IVANS, Tampa, FL; JOHN DEERE HEALTH CARE INC., Moline, IL; 
MASTERCARD INTERNATIONAL, Purchase, NY; MEDAPHIS, Elgin, IL; MEDIC 
COMPUTER SYSTEMS, Raleigh, NC; MEDE AMERICA INC. Mitchell Field, NY; M 
& M COMPUTER SYSTEMS, San Antonio, TX; NATIONAL DATA CORPORATION, 
Atlanta, GA; PASSPORT HEALTH COMMUNICATIONS, Nashville, TN; PARAMORE 
CONSULTING, Louisville, KY; POINTSHARE, Seattle, WA; PRAGMATIX, 
Elmsford, NY; QUADAX, INC., Cleveland, OH; STERLING COMMERCE, Dublin, 
OH; TERBUSH & PARKER SYSTEMS, Richmond, VA; THE CENTRIS GROUP, Atlanta, 
GA; THE HEALTH INFORMATION NETWORK CONNECTION (THINC), New York, NY; 
UNISYS, Fairfax, VA; VISA INTERNATIONAL, San Francisco, CA; and 
WELLPOINT, Los Angeles, CA.
                              ATTACHMENT B

[GRAPHIC] [TIFF OMITTED] T7441.001

[GRAPHIC] [TIFF OMITTED] T7441.002

[GRAPHIC] [TIFF OMITTED] T7441.003

    Mr. Burr. Thank you, doctor.
    The Chair would recognize Ms. Koyanagi.

                   STATEMENT OF CHRIS KOYANAGI

    Ms. Koyanagi. Right, thank you, Mr. Chairman.
    I am speaking today for a coalition of consumer and patient 
groups, the consumer coalition concerned with health care 
privacy. I wanted to begin by saying that we have talked a lot 
about research this morning, but in terms of health care 
delivery, privacy is a very, very important fundamental factor.
    Some of the concerns that our group has is that, in fact, 
the quality of health care is affected if individuals are not 
assured of the privacy of the medical information. A recent 
survey in California looking at this issue found that as many 
as one in six people will engage and do engage in behaviors to 
protect themselves because they fear that their medical records 
will leak out.
    They doctor shop, they withhold information, they give part 
of the information, or they don't provide information to their 
treating professionals perhaps not understanding what some of 
the consequences of that might be. But that means that this is 
a very, very critical area and that patient confidence is very, 
very important in response to the legislation that you pass.
    I was asked today to talk specifically about the issue of 
preempting State laws. I want to say first that a strong 
Federal floor is something that we clearly endorse and urge you 
to enact. That will give patients much greater confidence with 
respect to the privacy of their information.
    On the other hand, there are a lot of reasons to continue to 
permit States to act in this area. The strong Federal floor in 
any of the bills, any of the major bills being considered in 
the House or the Senate, represent a strong Federal floor 
compared to all of the existing State laws.
    Most of the provisions in current State laws would be 
overridden by any of the bills pending in the committee. So we 
are talking about a few provisions; and, in fact, we are 
talking about not all of the States in terms of having stronger 
provisions for privacy than might be in the Federal 
legislation.
    Earlier somebody was discussing the fact that States had 
moved into this area because there is no Federal legislation. I 
think that is very true. I think that States have been forging 
new ground in a very complex arena. If there were a Federal 
statute, I think it very, very likely that you would see great 
uniformity across the country, that many States would conform 
their legislation to the Federal legislation, and they would go 
beyond it only in specific areas for specific reasons.
    For example, Vermont right now has a cancer registry. They 
want specific rules around privacy for that registry. They 
should retain the flexibility when they have a situation like 
that that is not addressed in the Federal law to have their own 
provisions to protect their own citizens. I think it is 
important to continue to negotiate these things on the State 
level.
    State legislatures do know their own local situation. They 
do balance the interests of, say, a research entity in the 
State and their citizens concerns. They can go back and amend 
legislation. As you heard this morning, the Maine legislation 
was withdrawn almost immediately when it was realized that they 
had made mistakes and gone too far. The Minnesota legislation 
has been amended once. If there are significant concerns and if 
the citizens of Minnesota think that it has gone too far, I 
assume it will be amended again.
    But many things happen very quickly, much more quickly than 
the Congress can respond. We don't know where we are going in 
this area. With the explosion of technology and access through 
the Internet, things are happening today that we never would 
have dreamed much a year ago. I think that it is very important 
because privacy is such a fundamental aspect of patient care 
and good quality of care, and it is a fundamental concern of 
Americans to have privacy in areas where they don't believe 
others should be intruding.
    I think it is very important that the States continue to 
have that kind of flexibility and to act quickly. So we would 
urge you to go ahead and pass a strong Federal floor, but to 
resist the temptation to make it a ceiling.
    Just in closing, I would point out that there are other 
industries where you have done this. The banking industry 
operates where States can go beyond the Federal statute, and 
the same is true for credit card regulations.
    So in conclusion, that is our recommendation, that you 
enact a floor but not a ceiling. Thank you.
    [The prepared statement of Chris Koyanagi follows:]
 Prepared Statement of Chris Koyanagi, Policy Director, Judge David L. 
    Bazelon Center for Mental Health Law on Behalf of The Consumer 
                      Coalition for Health Privacy
                      i. introduction and overview
    Mr. Chairman and Members of the Committee: I very much appreciate 
the opportunity to testify before you today on the preemption of state 
laws relating to medical privacy, confidentiality, and security. I am 
Chris Koyanagi, Policy Director for the Judge David L. Bazelon Center 
for Mental Health Law in Washington D.C. The Bazelon Center is a legal 
advocacy organization concerned with the rights of persons with mental 
impairments.
    I testify today on behalf of the Consumer Coalition for Health 
Privacy (CCHP), a broad coalition of consumer, disability and patient 
advocates. The mission of the Consumer Coalition for Health Privacy is 
to educate and empower healthcare consumers to have a prominent and 
informed voice on health privacy issues at the federal, state, and 
local levels. Members of the coalition are committed to the development 
and enactment of public policies and private standards that guarantee 
the confidentiality of personal health information and promote both 
access to high quality care and the continued viability of medical 
research. The Coalition is an initiative of the Health Privacy Project, 
Georgetown University Medical Center.
    As a member of the Coalition's Steering Committee, I have been 
working with my colleagues in the disability rights, consumer, and 
patient advocacy communities to make the case that protecting privacy 
must be a ``first principle'' of enhancing the quality of health care, 
of fostering research and public health initiatives, and of broadening 
access to critical health care services. We believe that without trust 
that the personal sensitive information that they share with their 
doctors will be handled with some degree of confidentiality, patients 
will not fully participate in their own health care.
    A survey released by the California Health Care Foundation in 
January 1999 found that ``public distrust of private and government 
health insurers to keep personal information confidential is pervasive. 
No more than about a third of U.S. adults say they trust health plans 
(35%) and government programs like Medicare (33%) to maintain 
confidentiality all or most of the time.'' \1\ The 
consequences of such distrust--real or perceived--are significant. The 
Foundation's survey identified that:
---------------------------------------------------------------------------
    \1\ The poll was conducted for the Foundation by Princeton Survey 
Research Associates. The survey topline is available at 
http://www.chcf.org.
---------------------------------------------------------------------------
  * One in every five people believe their health information has 
        been used or disclosed inappropriately.
  * One of six people engage in some form of ``privacy-
        protective'' behavior when they seek, receive or pay for health 
        care in this country. Such behavior includes paying out of 
        pocket for care; intentionally seeing multiple providers to 
        avoid the creation of a consolidated record; giving inaccurate 
        or incomplete information on a medical history; asking a doctor 
        to not write down the health problem or record a less serious 
        or embarrassing condition; and even not seeking care to avoid 
        disclosure to an employer.
    The consequences of people not fully participating in their own 
care are quite troubling, for individual patients as well as the larger 
community. For instance, incomplete or inaccurate information can 
hamper a doctor's ability to accurately diagnose and treat a patient, 
inadvertently placing a person at risk for undetected and untreated 
conditions. In turn, if doctors are receiving incomplete, inaccurate 
information, the data they disclose for payment, research, public 
health reporting, and outcome analysis will be unreliable. Ultimately, 
information that lacks integrity at the front end will lack integrity 
as it moves through the health care system. Thus, protecting patient 
privacy is integral both to improving individual care, and to the 
success of public health initiatives and quality of care.
    Members of the Consumer Coalition are keenly aware of the 
importance of good, solid data for research. As health care patients 
and providers, our members stand to benefit the most from advances in 
research, public health initiatives, and improvements in quality of 
care. People with disabilities, in particular, are frequent users of 
health care services, and are also deeply invested in ensuring that the 
health care system operates efficiently and effectively. As such, the 
Consumer Coalition for Health Privacy is committed to ensuring that 
protecting privacy and promoting health are values that must go hand-
in-hand.
    Towards this end, the Consumer Coalition has established a set of 
health privacy principles to guide our efforts (see attached principles 
and sign-on). We believe that public policy in this area should 
guarantee individuals: a right to see their own medical records; the 
ability to exercise voluntary, informed choices about the use of their 
health information; a court order or warrant requirement for law 
enforcement access to medical records; and a comprehensive set of 
enforcement mechanisms.
    We hope that Congress will meet the deadline established in the 
Health Insurance Portability and Accountability Act (HIPAA) to pass 
comprehensive health privacy legislation by August 1999, and we also 
hope that the new law will go a long way in helping us to meet these 
public policy goals set forth in our principles. However, in many ways, 
one of the most critical issues for the Coalition is preemption. The 
Coalition arrived at a firm consensus that ``federal legislation should 
provide a floor for the protection of individual privacy rights, not a 
ceiling.''
    At issue here is how a federal health privacy law will relate to 
existing and future stronger state laws. Will Congress choose to 
establish a federal ``floor'' above which states would be free to enact 
greater protections? Or will the federal law fully preempt state laws 
by creating a ``ceiling,'' thus eliminating both weaker and stronger 
state laws and preventing the passage of future stronger state laws?
    The two comprehensive health privacy bills pending in the House--The 
Health Information Privacy Act, co-sponsored by Reps. Waxman (D-CA), 
Condit (D-CA), and Markey (D-MA), and H.R. 1057, The Medical 
Information Privacy and Security Act, introduced by Rep. Markey 
(D-MA)--would both set a federal preemptive floor, eliminating weaker 
state laws, and allowing states to continue to enact heightened 
protections where necessary to guard against public health threats.
    Both bills mirror the Coalition's principle on preemption. However, 
a number of other proposals do include some form of preemption of 
stronger state laws. Most notably, a provision in the Patient 
Protection Act of 1999 (H.R. 448) includes very broad preemption 
language. Particularly troubling is that it would preempt stronger 
state laws relating to authorization for ``health care operations'' 
without replacing them with a meaningful set of federal protections.
    In addition, a bill scheduled to be marked-up in the Senate HELP 
Committee would preempt certain stronger state laws in the future, 
grand-fathering in existing stronger protections. Again, we strongly 
oppose federal preemption of state laws that provide greater consumer 
protections--including heightened safeguards for certain medical 
conditions and circumstances. Our testimony today is intended to 
demonstrate that the federal law should establish a floor of 
protections, not a ceiling. We believe that a fully-preemptive federal 
law in this area is unprecedented, unwise, and may be a danger to 
public health.
    Our testimony highlights specific state laws at risk of being 
preempted under a total preemption approach. It should be emphasized, 
however, that preemption is a moving target. Until there is a consensus 
bill, it will be impossible to determine the full impact of preemption.
    The Consumer Coalition for Health Privacy opposes the preemption of 
stronger state laws for the reasons outlined in this testimony.
                      ii. the need for uniformity
    Congress will create a high level of uniformity by preempting 
weaker state laws. Passage of proposed federal health privacy bills 
will result in substantially greater uniformity, given that all the 
proposals preempt weaker state laws. Simply by preempting these weaker 
state laws, Congress will eliminate the vast majority of state laws and 
create a high degree of uniformity.
    Preliminary research on state health privacy laws conducted by the 
Health Privacy Project shows that most state laws governing the broad 
areas sought to be regulated by the federal bills--patient access to 
records, notice of information practices, patient authorization for 
disclosure, remedies for violation of the law--would fall under the 
floor laid down by the House proposals.
    Consider the state of affairs today: health care entities that do a 
great deal of business across state lines are currently required to 
comply with fifty different--and often conflicting--state laws. At the 
same time, the vast majority of these laws are weaker than the 
standards proposed in most of the pending bills. Therefore, far from 
adding additional burdens, the federal law will provide a substantial 
degree of uniformity simply by preempting weaker state laws. A federal 
floor--if it is set at an appropriate level--will actually standardize 
the vast majority of health privacy and security practices.
    Moreover, there is no evidence that the interplay between state and 
federal laws in these areas significantly interferes with interstate 
commerce. The Right to Financial Privacy Act, the Fair Credit Reporting 
Act, and the Electronic Communications Privacy Act regulate the 
banking, credit, and communications industries, all of which conduct 
extensive business across state lines. All of these laws, however, 
leave states free to enact more protective laws as they see fit.
         iii. precedent in federal civil rights and privacy law
    No precedent exists in federal privacy or civil rights law for 
preempting stronger state laws. In the past, when Congress has 
considered preemption, it has recognized the importance of allowing 
states to address issues unique to the states and their citizens. 
Historically, the federal government establishes a ``floor'' of 
protections, leaving the states free to provide greater protections.
    The proponents of total preemption express fear that states will 
pass laws that are ``too privacy protective,'' thereby interfering with 
important health-related activities. But the facts are reassuring: 
states have been quick to respond to the concerns of health care plans, 
researchers and others. Where a ``privacy protection'' was deemed to 
interfere with vital health care functions, states have quickly amended 
their laws. Minnesota, for example, amended a law relating to 
researcher access to medical records after hearing objections from 
health care organizations in the state. More recently, Maine postponed 
implementation of a health privacy law after objections on the part of 
press and family members.
    Many states are considering pending health privacy bills, in an 
attempt to fill the vacuum created by the existing gap in federal 
health privacy law. However, in the past, following the passage of 
comprehensive federal legislation, the momentum behind such state 
initiatives drops significantly. After passage, state activity is 
likely to reflect the standards proposed in the federal law, thereby 
increasing uniformity.
                iv. state laws more detailed and nuanced
    State health privacy laws address a level of detail not found in 
any of the federal proposals. For the most part, state health privacy 
laws are organized by entity, and the statutes include requirements and 
specifications explicitly related to that entity. There may be separate 
statutes governing many different entities: employers, nursing homes, 
Health Maintenance Organizations, health and life insurers, 
psychiatrists, chiropractors, hospitals and insurers.
    In addition, there are numerous issues traditionally acted on at 
the state level that include privacy provisions. These include anti-
discrimination laws, commitment proceedings for the mentally ill, 
adoption, foster care, mental health treatment, reproductive health, 
parental involvement, partner notification, and abuse and neglect.
    In comparison, the federal proposals have, on the whole, treated 
all health care organizations in a similar fashion. The federal 
proposals have also established--with a broad brush--general rules 
about the use or disclosure of health information. These rules will 
address the vast majority of circumstances in which health information 
is used and disclosed, but they do not approach the level of detail 
that has been developed at the state level over many years.

  * California law provides patients a right to see and copy their 
        own medical record, as do all the Senate proposals. The state 
        law, however, also explicitly provides that access cannot be 
        denied because the individual owes money for past 
        services.\2\
---------------------------------------------------------------------------
    \2\ California Health and Safety Code, Section 123100 et seq.
---------------------------------------------------------------------------
  * Maryland has an intricate statutory system for dealing with 
        mental health records. The disclosure of mental health records 
        is governed by the state's Confidentiality of Medical Records 
        Act. One provision stipulates that mental health records may 
        not be disclosed between health care providers that participate 
        in an approved plan of a core service agency \3\ for 
        the delivery of mental health services unless a patient has 
        received a current list of the participating providers and has 
        signed a written agreement to participate in the client 
        information system developed by the agency.\4\
---------------------------------------------------------------------------
    \3\ A ``core service agency'' is an organization approved by the 
Mental Hygiene Administration to manage mental health resources and 
services in a designated area or to a designated target population. Md. 
Health-General Code Ann. Sec. 4-307(a)(3) (1999).
    \4\ Maryland Id. at Sec. 4-307(e).
---------------------------------------------------------------------------
  * Vermont requires the Health Commissioner to maintain a cancer 
        registry and to keep all information confidential, except in 
        limited circumstances.\5\ Most of the Senate bills 
        would allow for greater disclosure of the information 
        maintained in the registry than is currently permitted under 
        Vermont law. Many states have established similar cancer 
        registries by statute.
---------------------------------------------------------------------------
    \5\ 18 V.S.A. Sections 154 et seq.
---------------------------------------------------------------------------
    Such a level of detail is not even contemplated by any of the 
federal proposals, and regulating these spheres is clearly not the 
intent of any of the federal proposals. By fully preempting state law, 
Congress would likely preempt important state laws without providing an 
equal level of guidance, or necessary protections.
       v. value of ``heightened protections'' at the state level
    Most of the pending proposals treat health information the same. 
Unlike the state laws, the proposals do not establish specific rules 
for certain kinds of information. However, the Waxman-Condit-Markey 
bill does allow for heightened protections for especially sensitive 
information.
    The result is that even the strongest federal proposals have not 
set the bar as high as some state laws. If any of the current federal 
health privacy proposals were to pass with a preemptive federal ceiling 
included, the citizens of some states would actually forfeit the 
protections they are now guaranteed under their state laws.

  * California has enacted a number of HIV/AIDS specific 
        confidentiality laws, covering testing, reporting, partner 
        notification, and discovery. The results of an HIV/AIDS test 
        may not be disclosed in a form that identifies an individual, 
        without patient consent for each disclosure, except in very 
        limited circumstances. For instance, a physician or local 
        health officer may disclose HIV test results to the sex or 
        needle-sharing partner of the patient without consent, but only 
        after the patient refused or was unable to make the 
        notification. The law also requires patient authorization in 
        more circumstances than provided for under the Senate 
        proposals. In California, an individual's health care provider 
        may not disclose to another provider or health plan without 
        written authorization, unless to a provider for the direct 
        purposes of diagnosis, care, or treatment of the 
        individual.\6\
---------------------------------------------------------------------------
    \6\ See California Health and Safety Code, Section 120975 et seq; 
121015 et seq, Insurance Code, Section 799 et seq.
---------------------------------------------------------------------------
  * In Georgia, heightened protection is given to information 
        derived from genetic testing. This information is considered to 
        be strictly confidential and may be released only to the 
        individual tested and to persons specifically authorized by 
        such individual to receive the information. Any insurer that 
        possesses information derived from genetic testing may not 
        release the information to any third party without the explicit 
        written consent of the individual tested.\7\
---------------------------------------------------------------------------
    \7\ Ga. St. 33-54-3.
---------------------------------------------------------------------------
  * New York has a comprehensive set of statutes providing 
        additional protection of the confidentiality of HIV related 
        information. New York generally prohibits the disclosure of HIV 
        related information without the patient's consent. Accordingly, 
        a patient's consent to the release of HIV related information 
        specifically limits to whom disclosure may be made, the purpose 
        for such disclosure and the time period during which the 
        release is effective. Unlike the federal proposals, a general 
        authorization for the release of medical information does not 
        encompass the disclosure of HIV related information unless it 
        specifically states so.\8\ In enacting these statutes, 
        the New York legislature expressly stated that it intended to 
        ``encourage the expansion of voluntary confidential testing for 
        . . . HIV so that individuals may come forward, learn their 
        health status, make decisions regarding the appropriate 
        treatment, and change the behavior that puts them and others at 
        risk of infection.'' \9\
---------------------------------------------------------------------------
    \8\ NYCLS Public Health Law Sec.2780 et seq.
    \9\ NY Laws 1988, ch 584, Sec. 1.
---------------------------------------------------------------------------
  * Tennessee law stipulates that the State Department of Health 
        records on STDs may not be released even under subpoena, court 
        order, etc. unless the court makes a specific finding 
        concerning each of five criteria including: weighing probative 
        value of the evidence against the individual's and public's 
        interest in maintaining its confidentiality; and determining 
        that the evidence is necessary to avoid substantial injustice 
        to the party seeking it and either that the disclosure will not 
        significantly harm the person whose records are at issue or 
        that it would be substantially unfair as between the requesting 
        party and the patient not to require disclosure.\10\
---------------------------------------------------------------------------
    \10\ Tenn. C.A. Sec. 68-10-113 6(A).
---------------------------------------------------------------------------
    Many states have laws similar to the ones cited above for certain 
information such as mental health, genetic tests, and HIV/AIDS. Again, 
none of the federal proposals reach these levels of protection. In some 
circumstances, states enacted these heightened protections to respond 
to critical public health issues. Wiping out such laws could create a 
public health crisis, leaving people vulnerable by undoing protections 
that encourage people to seek testing, counseling, and treatment for a 
number of conditions.
               vi. the danger of unintended consequences
    Laws relating to the confidentiality of medical information are 
found throughout state codes. In California, for example, citizens have 
a right to privacy in the State Constitution. Major statutes are found 
in the Civil Code, the Insurance Code, the Health and Safety Code, the 
Penal Code, and the Welfare and Institutions Code. The laws cover a 
wide range of activities including treatment, payment, insurance-
related activities, peer review, research, and prescribing drugs. Most 
importantly, states have developed bodies of law around discrete 
issues--that touch on the use of health information--such as anti-
discrimination, worker's compensation, parental involvement, adoption, 
HIV/AIDS partner notification, and access by law enforcement, and even 
real estate.
    It is not possible to predict in advance the full impact of such 
broad preemption on state law and consumer protections. The ``relating 
to'' language used to preempt state law in some federal proposals casts 
a wide net in terms of the state laws that would be eliminated 
completely. The preemption of all state law ``related to'' the federal 
law could have significant unintended consequences.

  * At risk of being preempted is a California law that prohibits 
        insurers from discriminating on the basis of a person's 
        ``genetic characteristics that may, under some circumstances be 
        associated with disability in that person or that person's 
        offspring.'' The law includes a provision on authorization 
        requirements for the disclosure of genetic information, which 
        may open up the entire statute to preemption.\11\
---------------------------------------------------------------------------
    \11\ Insurance Code, Section 10140 et seq.
---------------------------------------------------------------------------
    A larger issue is at hand. Many state health privacy laws were 
enacted specifically to address public health concerns. Mental health 
and HIV/AIDS confidentiality laws, for example, were enacted 
specifically to encourage people to seek appropriate care, without 
fearing harmful reprisals.
    The states are best equipped to respond to many new, unique, and 
inherently local challenges in health care and public health. It is 
impossible to predict what issues will require prompt attention in the 
future, but a preemptive federal law would prevent states from 
responding at all.
                            vii. conclusion
    Most importantly, Congress will create a high level of uniformity 
simply by preempting weaker state law with a strong federal law. This 
is true under most of the Congressional health privacy proposals; the 
research of state health privacy laws bears this out. Thus, there is no 
overriding justification to totally preempt state law in order to 
achieve substantial uniformity.
    The interests of health care consumers and providers will be best 
served by Congress establishing a federal floor that leaves the states 
free to enact greater protections, as Congress has done for every other 
privacy and civil rights law, regardless of how complex or interstate 
the area to be regulated. Such a solution would allow the states to 
address the specific--and unique--needs of their citizens while 
providing a great deal of national uniformity regarding the use and 
disclosure of health information. A federal ceiling, on the other hand, 
could have profound negative consequences for consumers and health care 
providers by inadvertently eliminating important protections, or 
restricting the ability of states to respond to the privacy needs of 
their residents.
    Passage of a federal health privacy law will necessarily involve 
compromises. The stakeholders are diverse, as are the states and their 
constituencies. It is appropriate that the federal law would reflect 
these compromises, but it raises a troubling possibility: that the 
federal law will set a relatively low standard and preempt state law. 
This is the worst-case scenario. The result would be to eliminate 
existing state protections without replacing them with comparable 
federal standards, locking the states out of taking steps to address 
local health needs.
    We urge this Committee, and the rest of the Congress, to resist the 
proponents of total preemption. Such a radical approach would undo 
legal protections put in place by states responding to pressing public 
health concerns.
    In order to encourage people to seek testing, counseling, 
treatment, and other health care services, many states have established 
heightened protections for people with mental illness, HIV/AIDS, drug 
and alcohol dependence, and other circumstances where people face 
stigma, discrimination, and embarrassment. If these safeguards were 
wiped off the books, as they would be under H.R. 448, the most 
vulnerable people in our communities would immediately be put at risk 
of exposure, and faced with the cruel choice of either protecting their 
privacy or seeking health care. Such a result, we believe, would 
substantially undermine state--and national--health initiatives.
    Rather than undermining our nation's existing system of checks and 
balances, we should continue the tried and true practice of allowing 
states to decide when it is appropriate to provide consumer protections 
stronger than the federal law.

    Mr. Burr. We thank you for that testimony. And there will 
be some question as to whether the banking industry, after 
today's mark up, you could still say that about.
    I would also make one point that Maine did have the ability 
to react quickly. We have not found this institution to have 
the ability to fix mistakes very quickly other than the 
legislative process, so I hope we will all attempt to get it 
right the first time.
    Mr. Brown. Mr. Chairman, we did today, when the House 
adjourned. Never mind.
    Mr. Burr. The gentleman just missed his questions.
    Mr. O'Keefe.
    Mr. O'Keefe. Mr. Chairman, members of the committee, let me 
begin by asking to submit a letter from the National Conference 
of State Legislatures for the record, if I could.
    Mr. Burr. Without objection so ordered.
    [The information referred to follows:]
          National Conference of State Legislatures
                                             Washington, DC
                                                       May 27, 1999
The Honorable Thomas J. Bliley, Jr.
Chairman, Commerce Committee
U.S. House of Representatives
Washington, D.C. 20510
    Dear Chairman Bliley: On behalf of the National Conference of State 
Legislatures (NCSL), I would like to take this opportunity to briefly 
comment on federal proposals regarding medical records confidentiality. 
NCSL will be submitting more detailed testimony for the record at a 
later date.
    NCSL firmly believes that states should regulate insurance. That 
being said, we recognize that there is a legitimate role for the 
federal government, particularly regarding the development of uniform 
national standards that establish a basic level of protection for 
consumers nationwide. Federal medical records confidentiality 
legislation should provide every American with a basic set of rights 
regarding their health information. These federal standards, in concert 
with state law, should be cumulative, providing the maximum protection 
for our citizens. At the end of this process, when federal legislation 
has been enacted, I hope we will be able to say that not one 
individual's health information is more vulnerable on that day, under 
federal law, than it was the day before without it.
Preemption of State Law
    Federal law should establish basic consumer rights and should only 
preempt state laws that are less protective than the federal standard. 
Unfortunately many of the proposals pending before Congress take a 
different approach.
    NCSL is particularly concerned about proposals that would preempt 
all state laws ``relating to'' medical records privacy. The universe of 
state laws relating to medical records confidentiality is extremely 
large and is spread across a state's legal code. For example, state 
laws regarding medical records confidentiality can be found in the 
sections of a state's code regarding: health, education, juvenile 
justice, criminal code, civil procedure, family law, labor and 
employment law. There is currently no compendium of state 
confidentiality laws. NCSL continues to work with Georgetown University 
where a major effort to produce such a compendium is underway. A 
blanket preemption of state law is virtually the same as throwing the 
baby out with the bath water.
    If there is going to be preemption of state law in federal medical 
records confidentiality proposals they should: (1) grandfather existing 
state laws; (2) narrowly and specifically define the scope of the 
preemption, preserving issues not addressed in the federal proposal for 
state action; and (3) permit states to enact legislation that provides 
additional protections. If states are precluded in some general way 
from taking action in specific areas, there should be a mechanism for a 
state legislature to act, if the federal legislation adversely impacts 
the citizens in the state due to a technical error in the legislation 
or to unintended consequences based on state-specific conditions.
    Some of the federal proposals have attempted to address the 
preemption issue through the inclusion of state legislative ``carve 
outs.'' This approach attempts to identify all the areas that states 
would be permitted to continue to enact legislation. While well-
intentioned, each bill has a different set of carve-outs and we have no 
way of knowing the full extent and impact of the preemption and carve-
outs until the federal law has been implemented. In other words, we 
won't know what has been missed until after the federal law is enacted. 
NCSL and the National Association of Insurance Commissioners (NAIC) 
recommend another approach. If an issue is not specifically addressed 
in the federal law, states may continue to legislate and regulate in 
the area. Below is language jointly supported by NCSL and NAIC.
        Nothing in this Act shall be construed as preempting, 
        superseding, or repealing, explicitly or implicitly, any 
        provision of state law or regulation currently in effect or 
        enacted in the future that establishes, implements, or 
        continues in effect, any standard or requirement relating to 
        the privacy of protected health information, if such laws or 
        regulations provide protections for the rights of individuals 
        to the privacy of, and access to, their health information that 
        are at least as protective of the privacy of protected health 
        information as those protections provided for under this Act. 
        Any state laws or regulations governing the privacy of health 
        information or health-related information that are not 
        contemplated by this Act, shall not be preempted. Federal law 
        shall not occupy the field of privacy protection. The 
        appropriate federal authority shall promulgate regulations 
        whereby states can measure their laws and regulations against 
        the federal standard.
Current State Legislative Activity
    Through the end of April 1999, sixteen states have enacted laws 
regarding medical records confidentiality. We will provide an update 
that will include actions taken by states that have ended their 
sessions since the end of April in our more detailed testimony that we 
will submit for the record. Montana enacted comprehensive legislation 
addressing the activities of insurers and North Dakota enacted 
legislation that established comprehensive public health 
confidentiality standards. Most of the other states enacted legislation 
building on existing state law or legislation focused on a specific 
issue. Six laws, addressing a wide variety of medical records privacy 
concerns, were enacted in Virginia during the 1999 legislative session. 
Other states that enacted legislation this year are: Arkansas, 
Colorado, Georgia, Idaho, Mississippi, Nebraska, Nevada, New Mexico, 
Oklahoma, South Dakota, Utah, West Virginia and Wyoming.
    Several of these new laws address issues that are not addressed in 
many of the federal proposals. For example, several states have laws 
that set limits on how much a health care provider can charge an 
individual to make copies of their medical records. These laws, 
designed to help assure access, regardless of income, would be 
preempted under some proposals. Many states have laws establishing 
strict confidentiality standards for medical information in the 
possession of employers. These laws would make records from employee 
assistance programs (EAP) and workplace drug-testing results, protected 
health care information, subject to strict disclosure and reporting 
requirements. These are but a few examples that illustrate both the 
breadth and complexity of the preemption issue.
    I thank you for this opportunity to briefly share the perspective 
of state legislatures on this very important issue and look forward to 
working with you and your colleagues over the next several months to 
develop a consensus proposal that will provide basic medical records 
privacy protections for all Americans.
            Sincerely,
                                              William Pound
                                                 Executive Director
cc: Members, House Commerce Committee

                    STATEMENT OF MARK O'KEEFE

    Mr. O'Keefe. I am Mark O'Keefe. I am the elected State 
auditor from the State of Montana, Montana being a fiscally 
conservative State. I also serve as securities commissioner 
and, for the purposes of this hearing today, insurance 
commissioner for the State of Montana and have for the last 7 
years.
    It is a pleasure to be here this afternoon. I appreciate 
the opportunity to discuss medical records confidentiality with 
you.
    I would like to make some brief comments recognizing the 
desire for a minimum Federal standard. I will then address the 
need for Congress to clarify the scope of any Federal health 
information privacy legislation. And finally, I want to discuss 
the enforcement issue which may seem to go beyond preemption; 
but as you will see, I believe actually gets to the heart of 
whether or not Congress ought to adopt a floor in this area or 
completely preempt the States.
    Mr. Chairman, members of the committee, the NAIC have 
recognized that you must act in this area. As required by 
HIPAA, you have to have privacy legislation by August 21 or we 
have regulations from Health and Human Services. In addition to 
this, the European Union passed Directive 9446-EC which is a 
privacy directive that requires companies exchanging 
information with member companies to meet strict privacy 
standards. Commerce is now involved in negotiating those 
standards.
    We have reviewed all of the legislation currently before 
Congress--and while we would prefer to see Congress enact a law 
that leaves all current State law in place, none of the bills 
offered gives us this choice. Given this, the members of NAIC 
would prefer to see a Federal floor rather than a total 
preemption in the area.
    State law in this area has not developed evenly. As far as 
we know, no State has enacted one health information privacy 
law that covers all aspects of health privacy. Rather a State 
enacts a privacy provision when dealing with school records, 
another for hospital records, a third for public health, et 
cetera, et cetera, et cetera. Completely preempting all State 
privacy laws may preempt many of these laws that are not 
covered by the new Federal standard leaving millions of 
consumers with few protections under State or Federal law.
    Second, health information privacy covers a wide range of 
subjects, from mental health and HIV to substance abuse and 
battered spouses. Again preempting all State law could have the 
unintended consequences of leaving millions of consumers with 
fewer protections, not more.
    Third, if the States are completely preempted in this area, 
they will not be able to respond to changes in technology or 
changes in the way information is used in the future. We feel 
the States, as your comments a little earlier reflected, react 
much quicker to what is going on than Congress does in regards 
to medical information.
    As I mentioned in my written statement, a Federal 
preemption of State privacy laws would invalidate certain laws 
in my home State of Montana, but Federal preemption in my State 
goes even further. Montana's constitution contains an explicit 
right of privacy for the residents of our State. A total 
Federal preemption would conflict with the State constitutional 
guarantee of privacy.
    Montanans across the board believe that medical records 
belong to the individuals whose records they are, not to some 
corporation. We know how the supremacy clause works, but we as 
Montanans have a strong belief that that is our belief.
    Finally, Mr. Chairman, States should not be preempted 
because of the enforcement issue. While the Federal bills all 
include criminal sanctions for those who knowingly and 
intentionally disclose this information, it is unlikely many 
prosecutions will take place. States have a much bigger hammer. 
Insurers and other persons such as hospitals and providers are 
licensed by the States. This forces these weakened and--hold 
these licenses and make sure that these rights are protected by 
threatening to take them away.
    A last point about enforcement is that the State 
departments of insurance offer consumers a place to go with 
their complaints. Right now in Montana, I receive an average of 
45,000 calls a year with complaints against insurers and 
securities firms in my State. I have a population of 800,000. I 
am the responsible entity to deal with those complaints. Should 
the Federal law pass, whom do my 800,000 people call? 
Department of Labor in Kansas City? Department of Health and 
Human Services in Denver? States already have an enforcement 
operating plan, and we think it should stay in place.
    With that, I would be glad to answer any questions you 
might have. We urge you to recognize the impact of this 
legislation on Federal and State laws as you debate the issue. 
Mr. Chairman, we look forward to working with the subcommittee, 
the committee, and the Congress in resolving these laws.
    [The prepared statement of Mark O'Keefe follows:]
Prepared Statement of Mark O'Keefe, Commissioner of Insurance, State of 
      Montana on Behalf of the National Association of Insurance 
                             Commissioners
                            I. Introduction
    Good morning, Mr. Chairman and members of the Subcommittee. My name 
is Mark O'Keefe. I am the elected Insurance Commissioner for the state 
of Montana. I am testifying this morning on behalf of the National 
Association of Insurance Commissioners' (NAIC) (EX) Special Committee 
on Health Insurance. I would like to thank you for providing the NAIC 
with the opportunity to testify today about the preemption issue 
surrounding the health information privacy legislation currently before 
Congress.
    The NAIC, founded in 1871, is the organization of the chief 
insurance regulators from the 50 states, the District of Columbia, and 
four of the U.S. territories. The NAIC's objective is to serve the 
public by assisting state insurance regulators in fulfilling their 
regulatory responsibilities. Protection of consumers is the fundamental 
purpose of insurance regulation.
    The NAIC Special Committee on Health Insurance (``Special 
Committee'') is comprised of 45 state insurance regulators. The Special 
Committee was established as a forum to discuss federal proposals 
related to health insurance and to provide technical assistance to 
Congress and the Administration on a nonpartisan basis.
    My testimony today will focus on three aspects of the preemption 
issue raised by the current federal legislation. First, I will discuss 
the states' recognition of the desire for a minimum standard to protect 
the privacy of health information. Second, I will give some examples of 
what the states have done to ensure that health information is kept 
confidential, and discuss the concerns we have about the preemption 
language in the proposed federal legislation and how Congress can 
develop a minimum standard without eliminating existing state 
protections. Third, I will address the need for Congress to clarify the 
scope of any federal health information privacy legislation and to 
develop a way for states to measure their laws against any federal 
standard for compliance.
       II. Recognizing the Desire for a Federal Minimum Standard
    As required by the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA), Congress must enact privacy legislation by August 
21, 1999. Should Congress fail to act, HIPAA requires the Secretary of 
Health and Human Services to promulgate regulations by February 2000. 
In addition to this statutory deadline, we recognize that Congress 
faces pressure to enact national legislation protecting the privacy of 
health information because the European Union issued a privacy 
directive that became effective in October 1998.
    The states, acting through the NAIC, understand the desire for 
minimum standards to protect the privacy of health information. A 
minimum standard in this area is considered necessary given that health 
information is transmitted across state and national boundaries. The 
transmission of health information, as opposed to the delivery of 
health care services, is not a local activity. This was one of our main 
reasons for developing a model on this issue--The Health Information 
Privacy Model Act (attached).
    The NAIC adopted the Health Information Privacy Model Act in 
September 1998.\1\ This model addresses many of the same 
issues that the federal legislation does, such as: (1) providing an 
individual the right to access and to amend the individual's protected 
health information; (2) requiring an entity to obtain an authorization 
from the individual to collect, use or disclose information; and (3) 
establishing exceptions to the authorization requirement. Our model was 
developed to assist the states in drafting uniform standards for 
ensuring the privacy of health information.\2\ However, 
because our jurisdiction is limited to insurance, and health 
information privacy encompasses more issues than insurance and more 
entities than insurers, we understand the desire for broader federal 
legislation.\3\
---------------------------------------------------------------------------
    \1\ This model was developed with state regulators, representatives 
of the insurance and managed care industries, and representatives from 
the provider and consumer communities. The NAIC model reflects the 
excellent work that has been done by a number of states on this 
difficult topic. The NAIC recognized the need to update the provisions 
of its existing ``NAIC Insurance Information and Privacy Protection 
Model Act,'' which was adopted by the NAIC in 1980, to reflect the 
rapidly evolving marketplace for health care and health insurance and 
the dramatic changes that have occurred over the past 19 years in 
information technology.
    \2\ The NAIC model requires carriers to establish procedures for 
the treatment of all health information, whether or not it is protected 
health information. The model then establishes additional rules for 
protected health information. In contrast, the federal bills require 
that named entities establish and maintain safeguards to protect the 
confidentiality of protected health information, which is more limited. 
The NAIC believes that Congress should establish procedures to assure 
the accuracy and integrity of all health information, not just 
protected health information.
    \3\ The most obvious difference between the NAIC model and the 
federal bills is in the scope of the entities to which the respective 
proposals would apply. The NAIC model applies to all insurance 
carriers. The federal bills are much broader and apply to health care 
providers, health plans, public health authorities, health oversight 
agencies, health researchers, health or life insurers, employers, 
schools, universities, law enforcement officials, and agents. Different 
sections of the federal bills apply to different combinations of these 
named entities. However, we are concerned that the federal bills only 
apply to health and life insurers and not to all insurers.
    With respect to insurers, we recommend the approach of the NAIC 
model, which applies to all insurance carriers and is not limited to 
health and life insurers. The NAIC had an extensive public discussion 
about whether the NAIC model should apply only to health insurance 
carriers, or instead, to all carriers. Health and life insurance 
carriers are not the only types of carriers that use health information 
to transact their business. Health information is often essential to 
property and casualty insurers in settling workers' compensation claims 
and automobile claims involving personal injury, for example. 
Reinsurers also use protected health information to write reinsurance. 
The NAIC concluded that it was illogical to apply one set of rules to 
health insurance carriers but different rules, or no rules, to other 
carriers that were using the same type of information. Consumers 
deserve the same protection with respect to their health information, 
regardless of the entity using it. Nor is it equitable to subject life 
and health insurance carriers to more stringent rules than those 
applied to other insurers. Our model applies to all insurance carriers 
and establishes uniform rules to the greatest extent possible.
---------------------------------------------------------------------------
    Recognizing all of the above factors, along with the fact that all 
of the health information privacy bills currently before Congress 
preempt state law in one fashion or another, the members of the NAIC 
have concluded that the privacy of health information is one of the few 
areas where it may be appropriate for the federal government to set a 
minimum standard. However, it should be noted that up until this point 
there has been no federal standard in place. Rather, states have been 
the protector of consumers in this area. Any federal legislation must 
recognize this fact and make allowances for it.
                            III. Preemption
A. Existing State Laws
    As this Subcommittee is well aware, the drafting of legislation to 
establish standards that protect the privacy rights of individuals with 
respect to highly personal health information is a very difficult task. 
Like you, the members of the NAIC sought to write standards into the 
NAIC Model that would not cripple the flow of useful information, that 
would not impose prohibitive costs on entities affected by the 
legislation, and that would not prove impossible to implement in a 
world that is rapidly changing from paper to electronic records. At the 
same time, the members of the NAIC recognized the need to assure 
consumers that their health information is used only for the legitimate 
purposes for which it was obtained, and that this information is not 
disclosed without the consumer's consent or knowledge for purposes that 
may harm or offend the individual.
    When developing protections for health information, Congress must 
recognize the impact of any federal privacy legislation on existing 
federal and state laws. Although we cannot fully address the impact on 
federal law, we do know that many state laws touch on protected health 
information and appear in many locations within the states' statutes 
and regulations. These laws do not neatly fit into a federal bill's 
list of exceptions. For example, privacy laws can be found in the 
insurance code, probate code, and the code of civil procedure. Numerous 
privacy laws relating to health information are also contained in the 
states' public health laws, which address such topics as child 
immunization, laboratory testing, and the licensure of health 
professionals. Other potential areas involve workers' compensation laws, 
automobile insurance laws, and laws regulating state agencies and 
institutions. In addition, many state privacy laws only address health 
programs or health-related information that are unique to a particular 
state.
    Let me give you some examples of the existing state laws that 
protect health information.
    Montana--Under Montana's laws governing health maintenance 
organizations, any data or information pertaining to the diagnosis, 
treatment, or health of an enrollee or applicant obtained from the 
enrollee, applicant or a provider by a health maintenance organization 
must be held in confidence and may not be disclosed to any person, 
except upon express consent of the enrollee or applicant, pursuant to 
statute or court order for the production of evidence or discovery, in 
the event of a claim or litigation between the enrollee or applicant 
and the health maintenance organization wherein the data or 
information is pertinent, or to the extent necessary to carry out the 
purposes of this chapter. (Mont. Code Ann. Sec. 33-31-113). The 
provisions of the state law would presumably be preempted by a total 
preemption approach and would not be saved under any current exception 
in the federal bills. The state law prohibits disclosure except in a 
few limited cases, mostly pertaining to litigation, whereas the federal 
legislation would allow health maintenance organizations (health plans) 
to disclose this protected information without authorization under many 
more instances.
    In addition, Montana just enacted a comprehensive medical records 
privacy bill targeted at insurers. This new law was modeled after the 
NAIC Health Information Privacy Model Act, and it builds upon Montana's 
Insurance Information and Privacy Protection Act (Mont. Code Ann. 
Sec. 33-19-101 et seq.).\4\ The efforts and careful 
consideration of the state legislature to adopt privacy legislation 
would be lost, if the federal privacy legislation preempts all state 
laws relating to confidentiality of health information.
---------------------------------------------------------------------------
    \4\ Montana's Insurance Information and Privacy Protection Act is 
very similar to Virginia's law (see next section for more discussion).
---------------------------------------------------------------------------
    Virginia--Virginia has already enacted a privacy protection law for 
insurance information. (Va. Code Ann. Sec. 38.2-600 et seq.). This law 
applies to insurance institutions, agents and insurance-support 
organizations, and it protects insurance information, including health 
information, that is collected, received or maintained in connection 
with insurance transactions that pertain to individuals who are 
residents of the state or who engage in insurance transactions with 
applicants, individuals or policyholders who are residents of the 
state. It also applies to insurance transactions involving policies, 
contracts or certificates of insurance delivered, issued for delivery, 
or renewed in the state. This law applies to life, accident and 
sickness (health), and property and casualty insurance, and therefore 
to issuers of these products. The state law prohibits the disclosure of 
personal or privileged information about an individual, with some 
exceptions. This state law would be preempted under a federal bill that 
used a total preemption approach. Arguably any health information held 
by life or health insurers may still be protected under the federal 
legislation; however, health information held by property and casualty 
insurers, which is currently protected under this state law, would 
become unprotected under the current federal legislation. Without the 
opportunity for the state to implement its own laws to address these 
types of insurers, the health information they hold would be vulnerable 
to potential misuse or disclosure by those who hold it. In addition, if 
the federal standard were to fall short of the Virginia law in some 
way, the level of protection for information held by life and health 
insurers would be diminished.
    Michigan--Michigan's Public Health Code mandates confidentiality of 
HIV testing and requires written, informed consent (Mich. Comp. Laws. 
Sec. 333.5114, 333.5133). A physician or the physician's agent shall 
not order an HIV test for the purpose of diagnosing HIV infection 
without first receiving the written, informed consent of the test 
subject. Written, informed consent must contain at a minimum all of the 
following: (1) an explanation of the test, including the purpose of the 
test, the potential uses and limitations of the test, and the meaning 
of the test results; (2) an explanation of the rights of the test 
subject, including the right to withdraw consent prior to the 
administration of the test, the right to confidentiality of the test 
and the results, and the right to participate in the test on an 
anonymous basis; and (3) the persons or class of persons to whom the 
test results may be disclosed. In addition, an individual who undergoes 
an HIV test at a department-approved testing site may request that the 
HIV test be performed on an anonymous basis. Staff shall administer the 
HIV test anonymously and shall obtain consent to the test using a coded 
system that does not link the individual's identity with the request 
for the HIV test or the results. The Michigan law states that consent 
is not required for an HIV test performed for the purpose of research, 
if the test is performed in such a manner that the identity of the test 
subject is not revealed to the researcher and the test results are not 
made known to the test subject. This state law risks being preempted by 
the federal legislation depending on the preemption approach and the 
exceptions. If state public health laws are exempt from federal law, 
this state law could be left in place depending on how the federal 
legislation classifies public health laws. If state public health laws 
are not excepted, this state law would arguably be preempted by federal 
legislation that uses a total preemption approach, but the protection 
the state law offers would not be replaced with a federal equivalent. 
Some of the federal bills would allow the identity of the individual to 
be disclosed without the individual's consent under the public health 
or research provisions.
    Massachusetts--Under Massachusetts' education statutes, provisions 
are established for the testing, treatment and care of persons 
susceptible to genetically-linked diseases. (Mass. Ann. Laws ch.76, 
Sec. 15B). The law requires the Department of Public Health to furnish 
necessary laboratory and testing facilities for a voluntary screening 
program for sickle cell anemia or for the sickle cell trait and for 
such genetically-linked diseases as may be determined by the 
Commissioner of Public Health. Records maintained as part of any 
screening program must be kept confidential and will not be accessible 
to anyone other than the Commissioner of Public Health or to the local 
health department which is conducting the screening program, except by 
permission of the parents or guardian of any child or adolescent who 
has been screened. Information on the results of any particular 
screening program shall be limited to notification of the parent or 
guardian of the result if the person screened is under the age of 18 or 
to the person himself if he is over the age of 18. The results may be 
used otherwise only for collective statistical purposes. Again, this 
state program may be preempted by a federal privacy law because it does 
not fall under the federal bills' preemption exceptions. Under the 
federal bills this health information would be at risk of disclosure 
without authorization under the public health or research provisions.
    Florida--Florida's Civil Rights law requires confidentiality and 
informed consent for genetic testing. (Fla. Stat. Ann. Sec. 760.40). 
The law provides that except for purposes of criminal prosecution, 
determining paternity, or acquiring specimens from persons convicted of 
certain offenses, DNA analysis may be performed only with the informed 
consent of the person to be tested, and the results of such DNA 
analysis, whether held by a public or private entity, are the exclusive 
property of the person tested, are confidential, and may not be 
disclosed without the consent of the person tested. This law arguably 
would be preempted by a total preemption approach that uses the 
``related to'' standard. Civil rights laws and genetic testing laws do 
not fall within any of the federal bills' exceptions, so presumably DNA 
tests would be governed by the provisions of federal bills. However, 
the federal legislation would arguably allow DNA test results and the 
identity of the individual to be disclosed without the individual's 
authorization under some of the federal bills' provisions, including 
the research provisions.
    Ohio--Under Ohio law, information collected by the Ohio Health Care 
Data Center must be kept confidential, and may only be released in 
aggregate statistical form. (Ohio Rev. Code Ann. Sec. 3729.46(B)). The 
Director of Health, employees of the Department of Health including 
employees of the data center, and any person or governmental entity 
under contract with the director shall keep confidential any 
information collected that identifies an individual, including 
information pertaining to medical history, genetic information, and 
medical or psychological diagnosis, prognosis, and treatment. These 
persons and entities shall not release such information without the 
individual's consent, except in summary or statistical form with the 
prior written permission of the Director or as necessary for the 
Director to perform his duties. This state law would be preempted by a 
federal privacy law that totally preempted state law or did not include 
this type of law as an exception to federal preemption. The state law 
only allows release of information in summary form without 
identification of the individual, but this same information risks being 
released as personally identifiable information under the federal 
legislation. The federal legislation would end up unprotecting this 
information that is currently protected under state law.
    These examples should not be construed as a definitive legal 
analysis of the relationship between these state laws and the federal 
bills. The comments are not based on an extensive review of all 
relevant state laws that might affect the ultimate conclusion about the 
interaction of the federal bills and the states' laws. However, the 
range of state laws relating to protected health information, and the 
diversity of their purposes and of the entities that they affect, are 
critical factors for assessing the impact of any federal preemption 
language.
    Because state laws relating to health information and privacy are 
located in so many different places within each state's legal code, the 
length of time and complexity involved in compiling a list of these 
laws make it a nearly impossible task. Moreover, there is no federal or 
state agency or other organization that has a complete compendium of 
state laws that could be preempted by federal privacy legislation. 
Without clear information about the laws that may be impacted by 
legislation, preemption must be approached with caution.
B. The Best Approach to Developing a Federal Standard
    An argument will be made that the only solution to this collection 
of state privacy laws is a total preemption of state law. However, this 
``solution'' is a deceptively easy response to the various state 
privacy laws and will most certainly result in adverse, unintended 
consequences. The language ``any State law that relates to matters 
covered by this Act'' could preempt literally hundreds of state laws 
that affect protected health information.\5\ Many state laws 
that are seemingly unrelated to health information on their face affect 
health information privacy and could be eliminated by a total 
preemption approach without any equivalent federal protection. Health 
information or health-related information that is currently protected 
will end up unprotected, and states will not be able to remedy the 
problem or ``re-protect'' the information. We offer this perspective 
not to ``protect our turf,'' but rather as a caution against unintended 
consequences to the consumer. Because of the number and scope of the 
laws involved, our concerns are not limited to insurance law. We do not 
want Congress to reduce or eliminate any protections already in place. 
Preemption of state law is not a workable solution.
---------------------------------------------------------------------------
    \5\ This language is very similar to the preemption language 
contained in the Employee Retirement Income Security Act of 1974 
(ERISA), which states: ``[T]he provisions of this title--shall 
supersede any and all State laws insofar as they may now or hereafter 
relate to any employee benefit plan . . .'' (emphasis added). As this 
Committee is well aware, twenty-five years of litigation and numerous 
Supreme Court decisions have yet to clarify the scope of the ERISA 
preemption language. We would respectfully suggest that a ``relate to'' 
standard is not a good standard to adopt in federal legislation 
regulating the use of health information. Total preemption language 
will unintentionally erase important state laws but not provide 
equivalent federal protections. This is the unfortunate situation that 
has occurred as the result of the preemption language contained in 
ERISA.
---------------------------------------------------------------------------
    We believe the best approach would be to set a federal standard 
that does not preempt state laws that have been protecting health 
information for so many years. Up until now, there has been no federal 
standard in place, and the states have been protecting consumers. We 
understand the desire to establish a federal floor in this area, but it 
is not appropriate to preempt stronger state laws or preempt state laws 
that are outside the scope of the federal privacy legislation. As 
discussed earlier, the states have enacted privacy protections for 
their citizens in a variety of areas. These citizens should not lose 
stronger protections for their health information or lose protections 
granted by the states in areas not contemplated by the federal 
legislation.
    In addition, we believe that states should be allowed to enact 
stronger privacy protections in the future in response to innovation in 
technology and changes in the use of health information. We believe the 
best approach would balance the desire for uniformity with the 
recognition of the states' ability to respond quickly and to provide 
additional protections to their citizens. States can quickly identify 
the impact of any federal privacy law or any changes in technology or 
in the use of health information and can efficiently remedy any adverse 
situation. We urge Congress not to take a ``broad-brush'' approach to 
preemption that would unintentionally take away protections at the 
state level, eliminate the states' ability to remedy unintended 
consequences that result from federal privacy legislation, or prevent 
states from responding in the future.
    Since Congress is certain to set some type of federal standard, we 
offer the following language as a suggestion of how federal privacy 
legislation may be drafted. This language sets a federal minimum 
standard that leaves in place existing state laws that are at least as 
protective as the federal legislation and allows states to enact 
stronger laws in the future.
        Nothing in this Act shall be construed as preempting, 
        superseding, or repealing, explicitly or implicitly, any 
        provision of State law or regulation currently in effect or 
        enacted in the future that establishes, implements, or 
        continues in effect any standard or requirement relating to the 
        privacy of protected health information, if such state laws or 
        regulations provide protections for the rights of individuals 
        to the privacy of, and access to, their health information that 
        are at least as protective of the privacy of protected health 
        information as those protections provided for under this Act. 
        Any state laws or regulations governing the privacy of health 
        information or health-related information that are not 
        contemplated by this Act, not addressed by this Act, or which 
        do not directly conflict with this Act, shall not be preempted. 
        Federal law shall not occupy the field of privacy protection. 
        The appropriate federal authority shall promulgate regulations 
        whereby states can measure their laws and regulations against 
        the federal standard.
We believe this language recognizes the desire for a federal standard 
while respecting what the states have already done.
                      iv. scope of the legislation
    In addition to adopting an approach that recognizes the privacy 
protections already enacted by the states and that allows states the 
flexibility to enact stronger privacy laws in the future, we urge 
Congress to draft legislation that specifically outlines the areas that 
Congress intends to address. Congress needs to be very specific about 
the scope of any federal privacy legislation. This is of particular 
concern since the current privacy legislation is silent on many issues 
affecting federal and state law. The scope should not be left ambiguous 
or left to the courts to decide. We believe it would be better for the 
protection of consumers' health information if Congress would specify 
what is addressed by the federal legislation as opposed to attempting 
to list all of the state laws that are exempt from the federal 
legislation.
    All of the current federal bills contain specific exceptions to the 
federal preemption language for certain state laws.\6\ 
Reviewing all of the bills, these exceptions include state laws that: 
(1) provide for the reporting of vital statistics such as birth or 
death information; (2) require the reporting of abuse or neglect 
information about any individual; (3) regulate the disclosure or 
reporting of information concerning an individual's mental health; (4) 
relate to public or mental health and prevent or otherwise restrict 
disclosure of information otherwise permissible under the federal 
legislation; (5) govern a minor's rights to access protected health 
information or health care services; (6) relate to the disclosure of 
protected health information or any other information about a minor to 
a parent or guardian of such minor; (7) authorize the collecting, 
analysis, or dissemination of information from an entity for the 
purpose of developing use, cost effectiveness, performance, or quality 
data; and (8) concern a privilege of a witness or person in state 
court.
---------------------------------------------------------------------------
    \6\ As of Friday, May 21, 1999, the Chairman's Mark of S. 578 in 
the Senate Committee on Health, Education, Labor and Pensions (HELP) 
contained the following exceptions to the federal preemption language 
for certain state laws that: (1) relate to use and disclosure of 
information pertaining to mental health and pertaining to public health 
consistent with Section 207 to the extent that such state law prevents 
or restricts the use and disclosure for protected health information 
otherwise permissible under this Act; (2) relate to the disclosure of 
protected health information or any other information about a minor to 
a parent or guardian of such minor; or (3) concern a privilege of a 
witness or person in state court.
---------------------------------------------------------------------------
    Although each of the exceptions is appropriate and the list 
represents a good start at enumerating the specific categories of state 
laws that should not be preempted, these specific exceptions to the 
preemption language do not alleviate our concerns. There are other 
state laws that do not fit into any of the explicit categories and that 
would therefore be preempted by the broad scope of the general 
preemption language. In addition, not all of these specified exceptions 
are included in each of the bills. We mention this to underscore the 
critical importance of clearly defining the scope of what the federal 
legislation is addressing and the applicability of any specific privacy 
standard or exception. We believe it wiser and easier to define what 
types of health information and what state laws are within the scope of 
the federal legislation, rather than what types of health information 
and what state laws are outside of the scope of the federal 
legislation.
    In addition, we urge Congress to outline a way in the federal 
privacy legislation for the states to measure their laws against any 
federal standard and to provide options for states to meet those 
requirements. In HIPAA, Congress gave the states three options in 
meeting the requirements of that legislation. Similar guidelines are 
needed in the privacy legislation. States need to be able to judge 
whether their state laws are stronger than the federal law in order to 
determine whether they need to take further action to revise their 
laws.
                             v. conclusion
    Establishing standards to protect the collection, use, and 
disclosure of health information is a very important undertaking. The 
growth of managed care, the increasing use of electronic information, 
and the advances in medical science and communications technology have 
dramatically increased both the availability and the importance of 
health information. The efficient exchange of health information will 
save thousands of lives. The information is critical for measuring and 
analyzing the quality and cost effectiveness of the health care 
provided to consumers. Consumer benefits from advances in health 
information are vast. However, the potential for misuse of 
this information is also vast. The information itself has become a 
valuable product that can be sold for significant amounts of money, and 
the consequences of unauthorized disclosure of health information can 
be potentially damaging to individuals' lives. The opportunities to 
exploit available health information will grow in number and value as 
technology and medical science advance.
    As Members of Congress address this critical topic, we would urge 
you to recognize the importance of existing state law addressing the 
use of health information in many contexts. Congress should be aware of 
the complexity of implementing federal standards without inadvertently 
displacing important provisions of state law. We urge Congress not to 
take a ``broad-brush'' approach to preemption that would 
unintentionally take away protections at the state level, eliminate 
states' ability to remedy unintended consequences that result from 
federal privacy legislation, or prevent states from responding to 
future changes in technology or changes in the use of health 
information. The scope of the preemption is a critical issue, and if 
not carefully constructed it could lead to unintended consequences. We 
urge you to recognize the impact of any privacy legislation on federal 
and state laws as you debate this issue. The members of the NAIC would 
be happy to work with the Members of Congress in this area. Thank you.

    Mr. Burr. We thank you, Mr. O'Keefe.
    The Chair would recognize Ms. Meyer for her opening 
statement.

                   STATEMENT OF ROBERTA MEYER

    Ms. Meyer. Mr. Chairman, Congressman Brown, my name is 
Robbie Meyer.
    I represent the American Council of Life Insurance. The 
ACLI is a national trade association that represents about 493 
companies which sell life insurance, disability income 
insurance, and long-term care insurance. We appreciate being 
given the opportunity to appear before you today.
    The very nature of life insurance, disability income 
insurance, and long-term care insurance involves personal and 
confidential relationships. The ACLI is here today because 
these insurers use health information for essential business 
purposes. Life, disability income, and long-term care insurers 
must use health information to evaluate consumers' applications 
for insurance coverage and to process their claims for 
benefits.
    The legislation to be considered by the subcommittee will 
govern how life, disability income, and long-term care insurers 
obtain, use and disclose health information. As a result, the 
actions of this subcommittee will impact fundamental and 
essential functions of our business. We are strongly committed 
to the principle that individuals have a legitimate interest in 
seeing that their personal information is properly collected 
and handled and that insurers have an obligation to insure 
individuals of the confidentiality of that information.
    Medical information in a life, disability income, or long 
term care insurance file may be used for certain business 
purposes. It is used to underwrite applications for coverage. 
It is used to process claims. It is used in connection with 
reinsurance. And it is used, as stated by the previous witness, 
by State insurance departments on many occasions.
    I would like to take this opportunity now to address just a 
couple of key concerns in some of the pending pieces of medical 
record confidentiality legislation. First, authorization and 
revocation. Every year America's life, disability income, and 
long-term care insurers enter into literally millions of 
contracts with American consumers. Insurers, as I said before, 
use health information in connection with those contracts to 
evaluate consumers' applications for coverage and also to 
process their claims. These contracts can be in effect 
literally for decades and often are.
    Currently, we only access medical information with an 
individual's authorization. In other words, we only get 
information if they say that it is okay for us to get it. The 
current pieces of legislation that are under consideration now 
would not only require that authorization deal with our ability 
to get information but would also govern our ability to use it 
and then to redisclose it as necessary in the ordinary course 
of business.
    In order to prevent this legislation from inadvertently 
interfering with the industry's ability to perform essential 
yet ordinary business functions and--very importantly--to 
fulfill our contractual obligations to consumers, life, long-term 
care, and disability income insurers need to be able to 
obtain a single authorization for disclosures of medical 
information only in connection with the ordinary course of 
business. And we need to have these authorizations remain valid 
for the lifetime of the contract so that we can fulfill our 
contractual obligations to our customers.
    Other concerns we have with some of the pending pieces of 
legislation deal with the right to self-pay, damages, and 
preemption of course. Some of the bills would grant an 
individual to self-pay for certain treatment and then give them 
the right to prohibit or limit disclosure of information 
relating to that information.
    We are very concerned that that would create a situation 
where there are conflicting authorizations and the health care 
providers, doctors and hospitals wouldn't be sure which rule 
will govern the authorization that the individual originally 
gave the insurer or the direction from the individual to hold 
back that information.
    We are very concerned about any piece of legislation that 
would provide for punitive damages. And then, finally, as 
stated in our written statement and as I previously stated, we 
feel very strongly that American consumers have an absolute 
legitimate expectation that their health information will be 
kept confidential.
    A Federal Statute that outlines broadly preemptive 
standards, specific standards and which provide remedies for 
breach of those standards, we believe will respond to the 
American public's concern about the confidentiality of their 
health information. We believe that setting a national uniform 
standard for health information is obviously fundamental to 
this debate.
    Consumers would know what the rules were that would govern 
their health information regardless of where they lived. And 
insurance companies doing business across the country, as many 
of our member companies do, would be able to adhere to a 
uniform standard, hopefully, be able to pass the economies of 
that uniform standard on to their customers. And we believe 
that this would very much facilitate insurers' ability to 
continue to provide financial security to American consumers.
    One of the previous witnesses indicated a concern about the 
fact that people were scared of what was going to happen with 
respect to the confidentiality of their medical information and 
that they were concerned that if their medical information was 
out, that it would cause their insurance policies either to be 
canceled or for their rates to go up. I did want to respond to 
that since I had a few minutes.
    The fact of the matter is that life, disability income, and 
long-term care insurers cannot cancel their policies and they 
cannot raise their rates because of the health of an 
individual. Disability income and long-term care rates can be 
raised, on certain occasions, for a group of insureds but 
never because of the health of an individual.
    With that, thank you very much. I would be glad to answer 
any questions.
    [The prepared statement of Roberta Meyer follows:]
 Prepared Statement of Roberta Meyer, Senior Counsel, American Council 
                           of Life Insurance
                              introduction
    Chairman Bilirakis, Congressman Brown, and members of the 
subcommittee, I am Roberta Meyer, Senior Counsel at the American 
Council of Life Insurance (ACLI). I am pleased to discuss, and offer 
our assistance, as you craft legislation governing the confidentiality 
of medical record information. The ACLI is a national trade association 
with 493 member life insurance companies representing approximately 77 
percent of the life, 81 percent of the disability income, and 88 
percent of the long term care insurance in force in the United States. 
The fundamental purpose of life, disability income and long term care 
insurance is to provide financial security for individuals and 
families.

 Life insurance financially protects beneficiaries in the event 
        of a person's death. Proceeds from a life insurance policy may 
        help a surviving spouse pay a mortgage or send children to 
        daycare or college.
 Disability income insurance replaces lost income when a person 
        is unable to work due to injury or illness.
 Long term care insurance helps protect individuals and 
        families from the financial hardships associated with the costs 
        of services required for continuing care, for example, when 
        someone suffers a catastrophic or disabling illness.
    Every year America's life, disability income and long term care 
insurers engage in millions of contracts. Those contracts are the 
promises we keep to our policyholders.
    The very nature of the life, disability income and long term care 
insurance businesses involves personal and confidential relationships. 
The ACLI is here today because life, disability income, and long term 
care insurers use health information for business purposes. We are well 
aware of the unique position of responsibility we have regarding an 
individual's personal medical information. We are strongly committed to 
the principle that individuals have a legitimate interest in the proper 
collection and handling of their health information and that insurers 
have an obligation to assure individuals of the confidentiality of that 
information. As an industry, life, disability income, and long term 
care insurers have a long history of dealing with highly sensitive 
personal information in a professionally appropriate manner. We are 
proud of our record as custodians of this information.
                               background
    When a consumer begins the search for a life, disability income, or 
long term care insurance product, he or she usually begins by meeting 
with an insurer's sales representative. An individual may respond to an 
advertisement or the sales representative may initiate contact through 
a referral. Sales representatives usually meet with potential clients 
in their homes or at their place of employment. This is where the 
relationship between the insurer and the individual typically begins.
    During this initial meeting, the sales representative will discuss 
with the individual their family's financial security needs. If the 
consumer decides to apply for an individually underwritten life, 
disability income, or long term care insurance policy, the sales 
representative will complete an application.
    Many of the application questions concern nonmedical information, 
such as age, occupation, income, net worth, other insurance and 
beneficiary designations. Other questions focus on the proposed 
insured's health, including current medical condition and past 
illnesses, injuries and medical treatments. The sales representative 
also will ask the applicant to provide the name of each physician or 
practitioner consulted in connection with any ailment within a 
specified period of time (typically five years). Other questions will 
concern past use of alcohol and drugs, smoking habits and information 
about family history.
    The sales representative usually asks the questions and records the 
proposed insured's responses. After the individual has reviewed the 
responses to be sure they are accurate and complete, he or she will 
sign the application. In certain cases, the applicant and the proposed 
insured may not be the same individual. This occurs when, for example, 
a parent (applicant) applies for coverage on a minor child (proposed 
insured) or when spouses apply for coverage on each other. In such 
cases, the application for coverage will likely be signed both by the 
applicant and proposed insured.
    Up to this point in the process, the information the insurance 
company receives about the proposed insured's health status is directly 
from the individual. Depending on the age and medical history of the 
proposed insured, and the amount of insurance applied for, the 
insurance company may require medical record information. When the 
sales representative takes the consumer's application for insurance, he 
or she also will ask the individual to sign a consent form authorizing 
the insurance company to verify and supplement the information 
regarding the proposed insured's medical history, and to obtain 
additional information if it is needed to evaluate the application. 
This additional information generally is held by the proposed insured's 
attending physician(s) or hospitals. If it appears that the insurance 
company will need this information for the underwriting process, the 
insurance company will send to the physician or hospital the signed 
authorization. The insurer will reimburse the provider or hospital for 
the administrative expenses in locating and sending a copy of the 
information to the insurer.
    The medical information that insurance companies typically request 
of applicants includes routine measurements, such as height and weight, 
blood pressure, and cholesterol level. The insurer may also seek an 
evaluation of blood, urine or oral fluid specimens for underwriting 
purposes, including tobacco or drug use and HIV infection. Medical 
tests are done only with the proposed insured's consent. These tests 
are usually done by a licensed paramedic who typically is employed by a 
paramedical company. In limited cases, the tests will be performed by a 
physician in connection with a medical examination requested by the 
insurer. In either case the applicant will generally be asked to sign 
another authorization that will contain information concerning HIV and 
other information relevant to the blood fluid analysis, depending on 
the state in which the applicant resides and individual laboratory 
practices. The physician or licensed paramedic may report urinalysis 
results, record blood pressure and pulse readings, and record comments 
regarding the proposed insured's condition, including the circulatory, 
respiratory and nervous systems as well as abdomen, ears, eyes, skin, 
etc.
    The price someone pays for insurance is based on gender, age, the 
state of health and perhaps job or hobby. Life, disability income, and 
long term care insurers gather this information about applicants during 
the underwriting process. Based on this information, a life insurance 
company groups individuals into pools in order to share the financial 
risks presented by dying prematurely, becoming disabled or needing long 
term care. This system of classifying insurance applicants by level of 
risk is called risk classification. It enables insurers to group 
together people with similar characteristics and calculate a premium 
based on that group's level of risk. Those with similar risks pay the 
same premiums. For example, nonsmokers usually pay less for insurance 
than smokers. On the other hand, if you have a chronic illness your 
premium may be higher.
    Some individuals are concerned that their medical record 
information will be ``used against them'' to deny or cancel coverage, 
or to increase premiums. In fact, underwriting and the process of risk 
classification, based in large part on medical record information, have 
made life, disability income and long term care insurance widely 
available and affordable: 95 percent of individuals who apply for life 
insurance are issued policies and 91 percent obtain it at standard or 
better rates. Furthermore, once a life, disability income, or long term 
care policy is issued, it cannot be canceled for any reason except for 
nonpayment of premiums.
    Premiums cannot be raised because an individual files a life, 
disability income, or long term care insurance claim, or because an 
individual becomes ill. However, if an individual suffers from a 
serious medical problem at the time a life insurance policy was issued, 
the premium could be reduced when the insured individual's health 
improves. Although some disability income or long term care insurance 
premiums can go up, this would never happen on an individual basis 
because of information contained in a medical record. If there is a 
price increase, it has to be on a whole block of policies, usually for 
economic reasons to ensure that premiums collected are adequate to pay 
claims.
    Once an insurer has an individual's health information, that 
insurer will limit who sees it. When the underwriting and risk 
classification processes are complete and the policy has been issued, 
the medical information in a life, disability income, or long term care 
insurance file may be accessed and reviewed under certain 
circumstances. For example, information could be used:

 To process claims for benefits. This information allows 
        insurers to fulfill their contractual obligations to 
        policyholders and pay death, disability income, and long term 
        care benefits. In 1997, more than $26.2 billion was paid to 
        beneficiaries under individual life insurance policies.
 By insurance regulatory authorities as part of an examination, 
        or by law enforcement authorities following appropriate legal 
        process who suspect illegal activity, such as murder for 
        insurance.
 If the insurance company is reinsuring a block of business and 
        the reinsurer wishes to review the seller's underwriting 
        practices.
 If the insured applies for additional coverage or seeks to 
        reinstate or change the policy.
                     the medical information bureau
    The Medical Information Bureau (MIB) is a not-for-profit 
association of life insurers. Its purpose is to reduce the cost of 
insurance by helping insurers detect (and deter) attempts by insurance 
applicants to conceal or misrepresent facts. As part of the application 
process, consumers receive a written notice which describes MIB and its 
functions. Furthermore, member companies will only request information 
regarding an individual applicant from MIB after the applicant has 
signed an authorization.
    MIB member companies report to the bureau brief, coded summaries of 
relevant information obtained during underwriting of individuals 
applying for life, disability income, or long term care insurance. 
Conditions most commonly reported include height and weight, blood 
pressure, EKG readings and x-rays if these facts are commonly 
considered significant to health and longevity. Certain nonmedical 
information, such as that relating to hazardous activities or adverse 
driving records, may also be reported, provided such information is 
confirmed by the applicant or official records. Out of every 100 
applications, only 15-20% result in a coded report sent to MIB. 
Information relating to amounts of insurance issued, underwriting and 
claims decisions may not be reported to MIB.
    When a consumer applies to an MIB member company for individual 
life, disability income, or long term care insurance coverage, the 
company may ask MIB whether its records contain information on this 
person. Again, member insurers may have access to MIB information only 
after receiving the proposed insured's authorization. Coded reports 
from MIB to insurers have two basic functions. The first function is to 
serve as an alert to detect attempts by applicants to omit or 
misrepresent facts. The second function is to deter applicants from 
omitting or misrepresenting significant facts. If an MIB report on the 
proposed insured does exist, the insurer who receives it will compare 
the MIB report with information provided by the applicant. If the brief 
codes in the MIB report are not consistent with other information, the 
insurer must seek other information about the applicant. Insurers may 
not decline an application or charge more for coverage based solely on 
MIB reports.
    Before accessing MIB records, an insurer must give the individual a 
notice containing specified information, including procedures for 
accessing and correcting information in accordance with the federal 
Fair Credit Reporting Act. Disclosures to individuals or corrections to 
information are usually done within 30 days.
    The MIB computer system used by member companies for the 
transmission of this coded information is exceptionally user unfriendly 
to the terminals in its network. MIB uses state of the art technology 
to verify that MIB reports are properly requested and transmitted. For 
example, each member terminal has a unique code that identifies that 
terminal when an inquiry is sent to MIB. The MIB computer will 
disconnect from the terminal if the identification code is not 
recognized. In addition, the MIB computer disconnects even after it 
receives an inquiry presenting the proper identification code. The MIB 
computer will then dial the company back, using another special code, 
to establish communication. All access to MIB is documented.
    MIB recognizes that people who are subjects of reports and public 
representatives must be satisfied that the MIB system meets legitimate 
expectations of confidentiality. MIB staff is required to maintain 
confidentiality under a specified set of procedures, including, among 
other things: educating all MIB staff as to the expectations of 
confidentiality; strictly limiting access to the MIB code book and 
access to the computer room to authorized personnel; and protecting the 
computer center 24 hours a day with security guards and electronic 
systems which control access and provide surveillance.
    Only authorized personnel at member companies may have access to 
MIB report information. Reports are not released to nonmember companies 
or to credit or consumer reporting agencies. MIB member companies must 
make an annual agreement and pledge to protect confidentiality. The 
agreement is signed by the president and physician medical director of 
the member company. Member companies must conduct an annual self-audit 
to determine whether their procedures have protected the 
confidentiality of MIB record information. These results must be 
reported to the MIB. Member companies must also permit MIB to conduct 
periodic audits of their confidentiality and underwriting procedures.
                       the industry's commitment
    Life, disability income, and long term care insurers have a long 
history of dealing with highly sensitive personal information, 
including medical information, in a professional and appropriate 
manner. Last year, the ACLI Board of Directors adopted a series of 
Confidentiality of Medical Information Principles of Support. They are 
attached for your review. The life insurance industry is proud of its 
record of protecting the confidentiality of this information. 
Individuals have a legitimate interest in the proper collection and use 
of medical information about them, and insurers must continue to handle 
such information in a confidential manner.
    The ACLI policy position regarding the importance of protecting 
personally identifiable medical record information is reflected in our 
long-standing support of the National Association of Insurance 
Commissioners (NAIC) Insurance Information and Privacy Protection Model 
Act (NAIC Model Act). The NAIC Model Act was carefully drafted and 
tailored to the special information practices involved in the insurance 
context. The ACLI believes this model strikes a proper balance between 
the legitimate expectations of consumers concerning the treatment of 
information that insurers obtain about them, and the need of insurers 
to use information responsibly for underwriting and claims 
administration.
    The NAIC Model Act governs insurers' practices in relation to all 
types of information, including medical information. The Act provides 
consumers with numerous rights and protections in addition to 
safeguards regarding the confidentiality of medical information. Among 
other things, it requires provision of a notice of information 
practices, outlines the content of disclosure authorization forms, 
imposes limitations and conditions on the disclosure of information and 
provides a process by which individuals can access, correct, and amend 
information about them. The NAIC Model Act also outlines remedies for 
individuals harmed by disclosures made in violation of the Act. Many, 
if not most, ACLI member companies doing business in at least one state 
which has enacted the NAIC Model Act adhere to its requirements in all 
states in which they do business.
                         legislative proposals
    Several legislative proposals have been introduced during the 106th 
Congress. We would like to address key issues of concern to the life 
insurance industry for your consideration as these proposals move 
forward.
Preemption
    As stated previously, we strongly believe that individuals have a 
legitimate expectation that their health information will be kept 
confidential. A federal statute that outlines a broadly preemptive set 
of specific standards to protect this information, and remedies for 
breach of those standards, will respond to the American public's 
concern about the confidentiality of their health information. Setting 
a national, uniform standard for health information is fundamental to 
this debate. Consumers would know that they are protected by the same, 
strong health information privacy law, regardless of their address. 
Also, life insurance, disability income and long term care companies 
engaged in business across the country would have a single standard to 
facilitate the industry's ability to provide financial security to 
individuals and their families.
Authorization and Revocation
    Every year America's life, disability income, and long term care 
insurers enter into insurance contracts with millions of American 
consumers. These insurers must utilize health information to evaluate 
those consumers' applications for coverage and to process their claims 
for benefits. These contracts can be in effect for decades. In order to 
prevent federal legislation from inadvertently interfering with the 
industry's ability to engage in essential, ordinary business functions 
and to fulfill its contractual obligations, life, disability income and 
long term care insurers must be able to obtain a single authorization 
for disclosures of information in connection with the ordinary course 
of insurance business. Such authorizations should not be subject to 
revocation and should remain valid as long as necessary for the insurer 
to meet its obligations during the application process and during the 
lifetime of the policy. Some have suggested that if an individual can 
revoke his authorization, then the life, disability income or long term 
care insurance company should have the opportunity to cancel that 
policy. We urge you to reject this assumption. We cannot cancel our 
policies. If an individual revokes an authorization, provided in 
connection with a life, disability income or long term care insurance 
policy for which he has paid premiums for thirty years, and the insurer 
cancels the policy, the individual almost certainly will have trouble 
replacing that policy--and at what price? If an individual is unhappy 
with any business practice of the insurer, he always has the right to 
cancel his policy--he can stop paying premiums.
Right to Self Pay and Scope of Disclosures
    In an effort to enhance the confidentiality of some health 
information, some legislative proposals would grant individuals a right 
to self pay for treatment they receive and then limit or prohibit the 
disclosure of health information related to that episode. We are 
concerned that such provisions could produce conflicting 
authorizations. For example, assume an individual applies for a life 
insurance policy and signs an authorization for the disclosure of 
health information. Pursuant to that authorization, the insurer 
requests information from a health care provider; however, that health 
care provider had received previous instructions from that individual 
not to release certain information under a ``self pay'' arrangement. 
Which rule applies? The ACLI believes that all health information 
deserves careful, confidential treatment, and that all health 
information should be treated uniformly.
    Language in various bills restricting the ``scope of disclosure'' 
to the ``minimum amount necessary'' is fraught with potential problems. 
Not only is the legal meaning of ``minimum amount necessary'' unclear, 
but the entire philosophy behind this legislation is that individuals 
should have more control over health information about them. The 
authorization is the core of the debate. The authorization will govern 
the scope of a disclosure. Furthermore, we are troubled by some 
proposals that would have a health care provider determining exactly 
what is the ``minimum amount necessary''. A third party would not be in 
a position to know what information is needed by the entity requesting 
the information. For example, in the life insurance context, 
underwriters and medical personnel of the insurer know what information 
they need to perform risk classification. A provider might not forward 
information, necessary to the risk classification process, which in his 
opinion was not necessary.
Damages and Enforcement
    As a state regulated industry, we believe that enforcement of 
federal confidentiality standards applicable to life, disability 
income, and long term care insurers should be handled at the state 
level by state insurance commissioners, oversight authorities familiar 
with the life, disability income, and long term care insurance 
industries, and their uses of health information. It would be counter 
productive to create an expensive and unnecessary bureaucracy that 
would duplicate elaborate and effective systems which already exist in 
the states.
    Bills that have been introduced in this Congress provide for an 
array of remedies for breaches of health information confidentiality 
standards. The bills include civil and criminal penalties, and some 
include a private cause of action. The ACLI strongly objects to 
punitive damages being provided in a statute. These damages are 
excessive. The possibility of enormous and unjustified punitive damages 
is an issue of grave concern to the industry.
Definitions
    As with any piece of legislation, the definitions found in medical 
record confidentiality bills are critical. These words will serve as the 
foundation and the framework for the new law. At one point during the 
drafting process in the Senate prior to the Health, Education, Pensions 
and Labor Committee's markup of the Health Care Personal Information 
Nondisclosure Act, life insurance benefits were grouped in with health 
plan benefits and ``health plan'' was said to include a life insurer. 
The ACLI encourages this committee to recognize the distinction between 
lines of insurance, and to maintain those distinctions in the text of 
the bill. For example, a life insurer is not a health plan; it can be 
treated as a health plan for purposes of various provisions of the 
bill, but, again, life insurance is not a health plan.
Applicability
    As you know, the entities that would be governed by any federal 
legislation on health information confidentiality currently obtain, use 
and redisclose this information. It would be unworkable, and in many 
instances impossible, to meet the requirements of these bills for 
information already in the possession of insurers. Accordingly, we 
strongly urge that a specific section be added to the bill to clarify 
that the application of these standards is prospective in nature--
applicable to health information collected, used and disclosed after 
the date of enactment.
Other Issues
    We would like to work with the committee to ensure that other 
issues, unique to the life insurance industry and its customers, are 
addressed as this legislation moves forward. For example, the law 
enforcement provisions of some proposals may unintentionally prohibit a 
life insurer from turning over information to law enforcement 
authorities where the insurer suspects a murder was committed for the 
life insurance benefits. Also, beneficiaries must be able to release 
health information to a life insurer so that they can receive the 
policy benefits. We welcome the opportunity to work with you, Mr. 
Chairman and other members of the Subcommittee on these and other 
important issues as this legislation moves forward.
                               conclusion
    Again, Mr. Chairman, the 493 member companies of the ACLI are 
strongly committed to the principle that individuals have a legitimate 
interest in the proper collection and handling of their health 
information and that insurers have an obligation to assure individuals 
of the confidentiality of that information. As an industry, life, 
disability income, and long term care insurers have a long history of 
dealing with highly sensitive personal information in a professionally 
appropriate manner. We are proud of our record as custodians of this 
information.
    We welcome the opportunity to assist you in crafting strong 
legislation to protect the confidentiality of health information and to 
allow life, disability income, and long term care insurers to continue 
to serve their millions of customers.
    I will be happy to answer any questions.
                 Confidentiality of Medical Information
                         principles of support
    Life, disability income, and long-term care insurers have a long 
history of dealing with highly sensitive personal information, 
including medical information, in a professional and appropriate 
manner. The life insurance industry is proud of its record of 
protecting the confidentiality of this information. The industry is 
committed to the principles that individuals have a legitimate interest 
in the proper collection and use of individually identifiable medical 
information about them and that insurers must continue to handle such 
information in a confidential manner.
1. Medical information to be collected from third parties for 
        underwriting life, disability income and long-term care 
        insurance coverages should be collected only with the 
        authorization of the individual.
2. In general, any redisclosure of medical information to third parties 
        should only be made with the authorization of the individual.
3. Any redisclosure of medical information made without the 
        individual's authorization should only be made in limited 
        circumstances, such as when required by law in legal 
        proceedings.
4. Upon request, individuals should be entitled to learn of any 
        redisclosures of medical information pertaining to them which 
        may have been made to third parties.
5. All permissible redisclosures should contain only such medical 
        information as was authorized by the individual to be disclosed 
        or which was otherwise permitted or required by law to be 
        disclosed. Similarly, the recipient of the medical information 
        should generally be prohibited from making further 
        redisclosures without the authorization of the individual.
6. Upon request, individuals should be entitled to have access and 
        correction rights regarding medical information collected about 
        them from third parties in connection with any application they 
        make for life, disability income or long-term care insurance 
        coverage.
7. Individuals should be entitled to receive, upon request, a notice 
        which describes the insurer's medical information 
        confidentiality practices.
8. Insurance companies providing life, disability income and long-term 
        care coverages should document their medical information 
        confidentiality policies and adopt internal operating 
        procedures to restrict access to medical information to only 
        those who are aware of these internal policies and who have a 
        legitimate business reason to have access to such information.
9. If an insurer improperly discloses medical information about an 
        individual, it could be subject to a civil action for actual 
        damages in a court of law.
10. Any federal legislation to implement the foregoing principles 
        should preempt all other state requirements.

    Mr. Burr. We thank you, Ms. Meyer. I think you had a little 
extra time. I think our clock is--I can assure all of you that 
we do understand the severity of what we are charged to do. I 
think I can only speak for this committee. I think we will try 
to do our best at it.
    We certainly appreciate, especially you, Mr. O'Keefe and 
Ms. Meyer, for coming to this hearing room versus the one 
downstairs because I am sure you are just as concerned with 
what is coming out of the banking bill as it relates to 
insurance.
    Let me recognize myself for 5 minutes and turn to the good 
doctor over here and just ask you, how would the flow of 
electronic claims at Envoy be affected or in any other 
companies for that fact, if you had to comply with 50 different 
sets of regulatory bodies out there?
    Mr. Zubeldia. Because of the complexity of those potential 
differences, some of the claims would have to go on paper. Some 
of the eligibility inquiries could not be handled 
electronically. It would have to be handled by telephone.
    A few years ago, we had an experience with one of the 
States that required that their Medicaid claims be signed, and 
that was a State requirement way back from when they instituted 
the Medicaid program. They never considered the possibility of 
having an electronic signature, and in that State all the 
Medicaid claims were going on paper.
    We could revert back to a scenario like that in which maybe 
mental health claims would have to go on paper or cancer claims 
or any claim with a diagnosis that could suggest cancer or 
mental health or certain diagnosis groups would have to go on 
paper because of the impossibility of handling electronically 
without the patient's consent.
    And we believe that handling these transactions on paper 
exposes them to a much greater risk than electronic 
transactions which are for the majority, maybe 80 percent or 
more, adjudicated without a human hand or anybody seeing them. 
They are adjudicated by a machine. So by moving to a paper 
flow, we are not gaining anything, and we are getting into a 
high risk area.
    Mr. Burr. Let me go to you, Ms. Koyanagi. You referenced in 
your statement that there were certain groups that could be 
identified where privacy is a very key issue, and I think we 
probably all know the meat of that list. And I think you sort 
of answered the question of preemption much like Dr. Hamburg 
did. I call it a modified preemption, but I am not yet 
convinced nor do I have a firm opinion one way or the other.
    I am not yet convinced you can do that. Under a modified 
preemption, though, let's assume that we could come up and we 
could craft something that the balance was there. Aren't you 
still concerned that you have got these 50 individual pieces of 
patchwork that still won't accomplish the confidence level for 
certain groups to feel comfortable with the privacy laws?
    Ms. Koyanagi. Well, I think I would like to say two or 
three things about that. The first is if you enact a Federal 
floor, hopefully, that provides a level of confidence. If your 
floor is so low that it doesn't, then I think you, hopefully, 
will revisit it. The confidence across the country can come if 
there is some significant privacy protection in the Federal 
floor.
    Second, I think one could always come up with a lot of 
hypotheticals about what 50 States might do. It is important to 
see, I think, what they really do with the enactment of a 
Federal bill that would put in place a set of privacy 
protections that will probably be stronger than most of what 
the States have already so that, in fact, you are likely to see 
as, I said earlier, very few provisions in very few States that 
go beyond the Federal statute.
    Right now the companies deal with 50 State laws, and they 
are managing to do it. I doubt that too many States will go 
back and revisit whether the records should be on paper or not. 
Maybe they will. But there is nothing to prevent the Federal 
Government giving them the opportunity to show that, in fact, 
they can behave very responsibly and, in fact, deal with their 
local situations without creating chaos. If you don't like what 
they have done, you can come back in a year or 2 and preempt, 
not close the door.
    Mr. Burr. Given that the States--you referred to the States 
having moved because of the lack of any Federal statute. Given 
that the States have moved and understanding that this is 
really a response to the technological advances that exist, is 
there any confidence that you have that current State statutes 
are more apt to change to reflect the technological changes?
    One of the concerns that I have is when the Federal 
Government sets a floor or preempts, and I think yours is a 
floor that is much closer to the ceiling than possibly where I 
envision one, but that becomes a target that is hard to move 
because it has to go back through this legislative process up 
here. What is your level of confidence that States, as they see 
this advance in technology in the absence of a Federal 
initiative that preempts, would adjust their State statutes to 
reflect the change in technologies?
    Is there any belief in your part that that would happen?
    Ms. Koyanagi. I think it is slowly happening, and I think 
you would see, as usual with the States, that some would move 
more rapidly than the others and some may never act.
    You would get different reactions in different places, but 
I think with the publication of certain proposed model State 
statutes on privacy, we will begin to see if the Federal 
Government does not act, that the States will step in.
    Mr. Burr. Is there any reason for us to err on the side of 
the floor being slightly lower than slightly higher as we try 
to find that balance?
    Ms. Koyanagi. I would go back to my first point which is 
the protection of patients needs to be a major priority here 
and patient confidence in the health care system.
    I don't think most people have a clue really how their 
information gets out to how many people it gets out. Think of 
places such as rural areas where everyone knows everyone, and 
it is rather easy to find out this kind of information. All 
kinds of consequences can come from that and will come from 
that. And we will get stories in the papers like we had 
recently where a drug company sent records to--a pharmaceutical 
drugstore sent records to a company.
    Mr. Burr. I think we actually entered into the record a 
clarification by the Washington Post that that did not happen, 
that the drug--the pharmacy had contractual agreement that the 
mailhouse could not and did not distribute to the 
pharmaceutical company the name of those patients.
    I would tell you that my concern--initial concern on the 
rural side is exactly the opposite, the difficulty with 
accessing the people. Montana might be a great example. The 
people don't live exactly that close together and certainly one 
of the problems that we have in rural North Carolina with the 
delivery of health care is identifying the individuals that 
need it. It is not with this overwhelming flow of them coming 
in or with a shared access of information. It is with the 
inability to disseminate the information. It is not personal 
records, though.
    With the ranking member's indulgence, let me just ask Ms. 
Meyer one question, if I could. Your testimony said, and I 
quote, setting a national uniform standard for health 
information is fundamental to this debate. That along with what 
you said verbally is supportive of a preemption of State law; 
am I correct?
    Ms. Meyer. Yes, it is.
    Mr. Burr. Thank you.
    The Chair would recognize the ranking member.
    Mr. Brown. Thank you, Mr. Chairman.
    Mr. O'Keefe, welcome. If you were--if we here were not 
successful in passing privacy legislation, could you tell us 
what U.S. interests might be hurt by the EU regulation that you 
showed?
    Mr. O'Keefe. Mr. Chairman, Congressman, you know, I feared 
you might ask that, and I was thankful when it came up a little 
bit earlier.
    I will answer to the best of my knowledge, but the first 
time I saw this was yesterday. It is my understanding that 
should commerce fail to negotiate a set of agreements on 
privacy with the European Union, then any company doing 
business in the insurance industry, for instance, in the 
medical research areas, in pharmaceuticals, could--their 
product could be at risk or their cooperation with European 
companies could be at risk because of the protection of the 
Europeans involved in either the research, the insurance 
products, and/or the medical treatment would not be protected.
    Now, I am not sure and I am sure that staff at NAIC could 
research that more fully and provide you with that information.
    Mr. Brown. I would like that. Certainly none of us is able 
to predict, but would there be a trade action, WTO trade action 
filed against--by the EU against us, against the United States, 
or would the U.S. file a trade action in front of the WTO and 
perhaps on--against the EU on what that would do to the 
American biotech or pharmaceutical industries? If you would--if 
NAIC could research that----
    Mr. O'Keefe. We will supply that. As I told staff this 
morning, the only thing Montanans know about Europe are the 
agreements having to do with wheat. So we will make sure that 
staff gets that to you immediately.
    Mr. Brown. Thank you. Speaking of the NAIC, tell us, you 
mentioned more sort of from Montana's viewpoint and Montana's 
constitution about confidentiality. Talk through, if you would, 
why it is important for NAIC to have a floor understanding. Ms. 
Meyer representing the trade association for insurance took the 
opposite position.
    Mr. O'Keefe. Well, Mr. Chairman, Congressman Brown, I think 
that one thing that is interesting about NAIC is that we 
realize the diversity amongst the 50 States and the different 
needs in each State and in each marketplace and the way the 
States historically have responded to that.
    One of our major concerns is that there are States like 
Montana where--and it is my understanding that we are the only 
State in the last 8 months to pass a comprehensive privacy of 
medical records act aimed at the insurance industry during our 
State legislature, and we have been very, very aggressive about 
that.
    Last fall a model act was passed by NAIC in September, and 
each State is considering that. We think that a floor is 
necessary because anything less than a floor, you run the risk 
of taking away protections from citizens that are already in 
place. And we think that is a dangerous thing to do.
    In Montana or Minnesota, the protections may be very high 
while in other States they may be very low. I think your goal 
is to have a minimum standard that protects the individual's 
medical records. I don't think your goal is to take protections 
away from individuals that work in the current system. And in 
Montana, for instance, while our level is very high, the bill 
that I led through the legislature was signed off on by 
consumers, by medical researchers, by insurers, and by 
regulators, so we were able to do it in a way where all of 
those needs were met.
    A floor should do that; and if any State sees the need to 
get additional protections, they should have the right.
    Mr. Brown. Could I have an additional couple of minutes? 
Thank you.
    Thank you, Mr. O'Keefe. Ms. Koyanagi, your testimony, 
written and oral and others, have indicated that mental health 
patients are, putting it mildly, not especially comfortable 
with existing privacy protections.
    Discuss with the subcommittee, if you would, how these 
protections or lack of protections affect consumers in their 
decisions to seek mental health care?
    Ms. Koyanagi. There have been studies of that. If you want 
it, I can provide something for the record. The behaviors that 
I was describing in terms of the California poll, which was 
taken of all consumers, are very prevalent in terms of people 
seeking mental health care. A lot of times people will not come 
in for treatment. The consequences of the stigma around mental 
illness, concern that that information may get back to their 
employer, people have lost their mortgages, people have lost 
their jobs, people have lost their insurance as a result of 
mental health utilization becoming known. Those may not be 
legal behaviors but they do occur. So they are just very, very 
scared of that and so they don't seek treatment, they delay 
treatment or they don't provide all the information. They go to 
someone who hasn't done their physical health care so there is 
no coordination of care because they are trying to keep the 
mental health care very private. So it has all kinds of 
consequences and that has been studied.
    Mr. Brown. And they are worried about what they actually 
say to their mental health professional also.
    Ms. Koyanagi. Absolutely.
    Mr. Brown. There is physical health--it is their physician 
of their physical health, their mental health counselor, 
physician provider, and it is just a question of many--you 
assert many people do not even seek any kind of care because of 
fears of privacy.
    Ms. Koyanagi. Right. Those who can afford it may private 
pay, but for many of us that would not be feasible.
    Mr. Brown. That is all I have, Mr. Chairman. Thank you.
    Mr. Burr. Let me take this opportunity just to thank these 
witnesses and to suggest to you if it seems like sometimes we 
ask questions from both ends of the issue, we do. We are 
desperately trying to figure this out.
    I would also comment that I think I have heard floor 
defined as about eight different things today and all of them 
are right. And we realize that. And part of this process is to 
make sure that as we go through that, we can, with confidence, 
say to that mental health patient or to that AIDS patient or to 
any patient out there, your records are secure; and to the 
health care providers that we have done something that has not 
driven health care to a point where nobody can afford it; and 
to the pharmaceutical companies that our great efforts at 
actual cures for terminal illness can continue and continue 
with the optimism and prosperity that we have seen; and that 
for all who need access to medical records with the approval of 
patients that that is available.
    Clearly we understand we have a very difficult job, but I 
don't think that this committee will pass on this 
responsibility.
    I want to thank you one last time. This hearing is 
adjourned.
    [Whereupon, at 2:35 p.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]

              Department of Health & Human Services
        Office of the Assistant Secretary for Planning and 
                                                 Evaluation
                                             Washington, D.C. 20201
Ms. Karen Folk
Committee on Commerce
564 Ford House Office Building
Washington, D.C. 20515
    Dear Ms. Folk, enclosed are the responses to the questions for the 
record from the May 27 hearing on Medical Records Confidentiality. I 
apologize for the delay in providing this information.
    Please contact me if you have any further questions.
            Sincerely,
                                  Margaret A. Hamburg, M.D.
                    Assistant Secretary for Planning and Evaluation
                   question from rep. john d. dingell
    Question 1. Could you elaborate on the enforcement provisions in 
the Secretary's recommendations and explain why they should be included 
in any privacy legislation? In particular, could you explain what you 
mean by a private right of action and why it is important to give 
individuals recourse for violations of their privacy protections?
    Answer: We need to send the message that protecting the 
confidentiality of medical information is vitally important, and that 
people who violate that confidence will be held accountable. There 
should be punishment for those who misuse personal health information 
and redress for people who are harmed by its misuse.
    Federal legislation should include criminal felony penalties for 
obtaining health information under false pretenses, and for knowingly 
obtaining or using health information in violation of federal 
nondisclosure requirements. Penalties should be higher when violations 
are for monetary gain. Legislation should also provide for the 
assessment of civil money penalties against any entity that 
demonstrates a pattern or practice of unauthorized disclosures.
    In addition, any individual whose rights under a federal privacy 
law have been violated should be permitted to bring an action for 
damages and equitable relief. It is critical that federal legislation 
provide individuals with the ability to seek redress. We have seen the 
standards set in some legislation set so high that it would effectively 
bar an individual's ability to bring a suit. We are willing to work 
with you to ensure that it is set at an appropriate level.
                  questions from rep. henry a. waxman
    Question 1. Do you believe that strong federal protections relating 
to individually identifiable health information would increase 
uniformity among state laws? Please explain the rationale for your 
position on this matter.
    Answer: If the Federal legislation is strong enough, then the 
States may not feel the need to enact stronger laws. We can go a long 
way to creating uniformity by enacting legislation with a strong 
federal floor. For example, we have had this experience since the 
passage of HIPAA--States are allowed to pass laws that extend beyond 
the Federal floor of HIPAA, but they generally have not done so.
    Question 2. Do you think it is a wise policy to ensure that states 
have the flexibility to enact heightened privacy protections for health 
information to address issues that may be of particular concern to 
states? Please explain the rationale for your position on this matter.
    Answer: The Administration's general view is that federal statutes 
which establish new health protections for individuals should set a 
floor upon which states can build to address their unique 
circumstances. A federal privacy law should create a minimum standard, 
a minimum assurance of privacy on which the public can rely. But, it is 
important to preserve State options to respond to new medical privacy 
challenges. The federal government cannot anticipate future needs and 
developments in the health care industry, nor can we effectively 
respond to the unique demands of some State systems. Therefore, it is 
critical that we enact strong federal protections and at the same time, 
preserve State options and flexibility for the future.
    Question 3. Do you believe that the review process for health 
research disclosures set forth in the recommendations is practicable? 
Please explain your rationale for this position.
    Answer: Today, the Common Rule and FDA's Human Subject Regulations 
protect participants in most research studies that are funded or 
regulated by the federal government. We recommend that similar 
protections be extended to all research using individually identifiable 
health information, not just federal research. It is our position that 
there should always be some type of review mechanism for researchers 
who wish to use medical records without obtaining a patient's prior 
authorization, regardless of their funding source. Such a review 
mechanism should operate under principles like those in the Common 
Rule, and must have some accountability.
    Based on our experience with the Common Rule and IRBs, we believe 
that this type of review process is workable for privately-funded 
research. NIH and other federal agencies follow requirements similar to 
those outlined in the recommendations, and there is no lack of people 
looking for federal funding for their research. A review process should 
increase people's confidence that the privacy of their information will 
be protected, and increase their willingness to participate.
    Question 4. Why do you believe that it is important to ensure 
privacy protections for health information?
    Answer: The existing legal structure does not effectively control 
information about individuals' health. Federal legislation, 
establishing a basic national standard of confidentiality, is necessary 
to provide rights for patients and define responsibilities for record 
keepers.
    There are certainly numerous examples of serious violations of the 
privacy of our medical records. We have heard about an HMO that allowed 
every single clinical employee to tap into patients' computer records 
and see detailed notes from psychotherapy sessions, about a medical 
student who copied and sold health records to medical malpractice 
attorneys, and a newspaper that published information about a 
congressional candidate's attempted suicide. The new owner of a used 
computer that originally belonged to a pharmacy found detailed patient 
records still on the hard drive.
    But the more important point is that the ways we use and share 
medical information are changing. Today, almost 75 percent of our 
citizens say they are at least somewhat concerned that computerized 
medical records will have a negative effect on their privacy. If we 
don't act now, public distrust could deepen--and ultimately stop 
citizens from disclosing vital information to their doctors, getting 
needed treatment or seeking genetic testing. Such distrust, if left 
unchecked, can undermine progress in our entire health care system.