[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]



 
THE MEDICAL INFORMATION PROTECTION AND RESEARCH ENHANCEMENT ACT OF 1999

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                         HEALTH AND ENVIRONMENT

                                 of the

                         COMMITTEE ON COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 15, 1999

                               __________

                           Serial No. 106-53

                               __________

            Printed for the use of the Committee on Commerce

                    ------------------------------  



                    U.S. GOVERNMENT PRINTING OFFICE
58-501 CC                   WASHINGTON : 1999



                         COMMITTEE ON COMMERCE

                     TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas                    RALPH M. HALL, Texas
FRED UPTON, Michigan                 RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania     BART GORDON, Tennessee
CHRISTOPHER COX, California          PETER DEUTSCH, Florida
NATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma              ANNA G. ESHOO, California
RICHARD BURR, North Carolina         RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California         BART STUPAK, Michigan
ED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York
GREG GANSKE, Iowa                    THOMAS C. SAWYER, Ohio
CHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma              GENE GREEN, Texas
RICK LAZIO, New York                 KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio
JAMES E. ROGAN, California           DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico           BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona             LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING, 
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

                   James E. Derderian, Chief of Staff

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

                 Subcommittee on Health and Environment

                  MICHAEL BILIRAKIS, Florida, Chairman

FRED UPTON, Michigan                 SHERROD BROWN, Ohio
CLIFF STEARNS, Florida               HENRY A. WAXMAN, California
JAMES C. GREENWOOD, Pennsylvania     FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 PETER DEUTSCH, Florida
RICHARD BURR, North Carolina         BART STUPAK, Michigan
BRIAN P. BILBRAY, California         GENE GREEN, Texas
ED WHITFIELD, Kentucky               TED STRICKLAND, Ohio
GREG GANSKE, Iowa                    DIANA DeGETTE, Colorado
CHARLIE NORWOOD, Georgia             THOMAS M. BARRETT, Wisconsin
TOM A. COBURN, Oklahoma              LOIS CAPPS, California
  Vice Chairman                      RALPH M. HALL, Texas
RICK LAZIO, New York                 EDOLPHUS TOWNS, New York
BARBARA CUBIN, Wyoming               ANNA G. ESHOO, California
JOHN B. SHADEGG, Arizona             JOHN D. DINGELL, Michigan,
CHARLES W. ``CHIP'' PICKERING,         (Ex Officio)
Mississippi
ED BRYANT, Tennessee
TOM BLILEY, Virginia,
  (Ex Officio)



                            C O N T E N T S

                               __________
Testimony of:
    Andrews, Elizabeth B., Director of Worldwide Epidemiology, 
      Glaxo Wellcome Inc.
    Appelbaum, Paul, Professor and Chair, Department of 
      Psychiatry, University of Massachusetts Medical School, on 
      behalf of the American Psychiatric Association
    Carty, Cristin, Vice President, California Health Institute
    Feldblum, Chai, Professor of Law and Director, Federal 
      Legislation Clinic, Georgetown University Law Center
    Frey, Carolin M., Chairman, Institutional Research Review 
      Board, Pennsylvania State Geisinger Health System
    Johnson, Randel K., Vice President, Labor and Employee 
      Benefits, U.S. Chamber of Commerce
    Koski, Greg, Director, Human Research Affairs, Partner Health 
      Care System, Massachusetts General Hospital
    Nielsen, John T., Senior Counsel and Director of Government 
      Relations, Intermountain Health Care
    Pawlak, Linda, parent
    Tang, Paul C., Medical Director, Clinical Informatics, Palo 
      Alto Medical Clinic
Material submitted for the record by:
    Shays, Hon. Christopher, a Representative in Congress from 
      the State of Connecticut, prepared statement of


  


THE MEDICAL INFORMATION PROTECTION AND RESEARCH ENHANCEMENT ACT OF 1999

                              ----------                              


                        THURSDAY, JULY 15, 1999

                  House of Representatives,
                             Committee on Commerce,
                    Subcommittee on Health and Environment,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2322, Rayburn House Office Building, Hon. Michael 
Bilirakis (chairman) presiding.
    Members present: Representatives Bilirakis, Upton, 
Greenwood, Burr, Bilbray, Ganske, Norwood, Coburn, Cubin, 
Bryant, Brown, Waxman, Stupak, Green, DeGette, Barrett, Capps, 
Hall, and Eshoo.
    Also present: Representative Markey.
    Staff present: John Manthei, majority counsel; Marc Wheat, 
majority counsel; Cliff Riccio, legislative clerk; and John 
Ford, minority counsel.
    Mr. Bilirakis. The hearing will come to order. Good 
morning.
    I would like to first thank all of our witnesses for 
joining us today, and particularly Justin Pawlak and his mother 
Linda. The purpose of this hearing is to explore the issues of 
medical confidentiality.
    Today we will have an opportunity to examine H.R. 2470, 
which is the Medical Information Protection and Research 
Enhancement Act of 1999.
    I would like to start by commending our colleague Jim 
Greenwood for drafting this legislation and also to recognize 
the efforts of Congressmen Upton, Shays, Norwood and Burr in 
working with him to address this very complicated issue.
    As you know, the Health Insurance Portability and 
Accountability Act of 1996 set a deadline for Congress to pass 
legislation addressing the confidentiality of individual 
identifiable health information. Unless Congress acts by August 
21, the Secretary of Health and Human Services is directed to 
issue regulations within 6 months to address the 
confidentiality of administrative data stored or transmitted 
electronically. Significantly, the Secretary's regulatory 
authority is limited to establishing standards for information 
that is transmitted and stored electronically, a more narrow 
focus than the comprehensive approach taken in the bill before 
us.
    While the modern health care delivery system is 
increasingly electronic, as we well know, most patient health 
information remains paper based. We all know that medical 
records contain very personal and sensitive information. 
Certainly this information must be safeguarded and any abuse of 
it cannot be tolerated. However, we must also ensure that 
increased protections do not inadvertently jeopardize the 
quality of health care in this country. Any legislation must 
take into account the highly integrated and complex nature of 
our health care system.
    In our previous hearing, I emphasized the need to develop 
responsible legislation to safeguard confidential medical 
information and to impose tough penalties for abuse. We must 
ensure strict accountability for the use of this information 
while preserving the ability to conduct important medical 
research.
    I believe that H.R. 2470 is a significant step forward in 
accomplishing these goals and I hope that it serves as a 
starting point for legislative action on a truly bipartisan 
basis.
    Again, I would like to thank all of our witnesses for 
taking time to be here. I would now recognize the ranking 
member, Mr. Brown from Ohio.
    Mr. Brown. Thank you, Mr. Chairman, for holding this 
hearing and I would like to thank the witnesses also for 
joining us today.
    I am glad that we are taking up the issue of medical 
records privacy. The statutory deadline is about 5 weeks away, 
which means we have no time to spare. I am disappointed the 
majority chose to focus on only one of the privacy bills. It is 
my experience that it is unusual to limit a legislative hearing 
to one bill when other initiatives have also been introduced: 
H.R. 1941, the bill sponsored by Mr. Condit of California, 
which had 57 cosponsors, and Mr. Markey of Massachusetts has a 
bill, H.R. 1057, that has 41.
    These are other privacy bills that deserve the same 
consideration that we are giving to H.R. 2470. The best way to 
make progress is to compare H.R. 2470 to the bill of Mr. 
Condit. The key differences between those two bills are the core 
issues in the privacy debate:
    Should individuals have a private right of action when 
their medical records have been exploited? H.R. 2470 does not 
establish this right. Mr. Condit's bill does. Rights that can 
be denied without remedy are not rights, they are only hopes.
    Should privately funded research be treated differently 
from publicly funded research when it comes to protecting the 
confidentiality of medical information? H.R. 2470 says yes; Mr. 
Condit's bill says no.
    What would a participant in privately funded research say? 
I am guessing that participant would assume and expect the same 
level of protection regardless of who funds the research. The 
goal is not to establish basic privacy protections for some 
individuals, it is to establish them for all individuals.
    Should Federal privacy laws preempt stronger State laws? 
H.R. 2470 says yes; our bill says no.
    States are typically the first to identify consumer issues, 
and they are the innovators when it comes to addressing them. 
Federal protection should function as the floor, not the 
ceiling, for medical privacy protections.
    I look forward to hearing our witnesses with respect to 
these issues and what I hope will be a productive and balanced 
hearing.
    Mr. Bilirakis. Mr. Greenwood for an opening statement.
    Mr. Greenwood. Thank you, Mr. Chairman. The title of the 
legislation that we are considering today is the Medical 
Information Protection and Research Enhancement Act and it is 
important to understand that those two goals are what we mean 
to accomplish here. Obviously the personal security and the 
well-being of every American will be profoundly improved if we 
succeed in accomplishing these dual purposes.
    First on the privacy issue, our medical records contain 
personal, sensitive, potentially humiliating information, which 
if misused could cause discrimination in the workplace and 
adversely affect one's ability to purchase insurance. For that 
reason we create in this legislation the definition of the term 
``protected health care information'' to make sure that it is 
kept private and to make sure that there are remedies and 
penalties for its misuse.
    Second, the second goal, every one of us and every American 
in America, every one of our family members, will benefit from, 
continue to benefit from the ability of researchers, assurers 
of quality and others to use the awesome power of information 
processing to study health outcomes and thereby discover new 
and better treatment modalities and ways to deliver health care 
as effectively and efficiently as possible.
    With the wrong public policy, these two admirable and 
critical goals are competing adversaries. With the right public 
policy, they are complementary colleagues. As has been 
mentioned, we do confront on August 21 a deadline, the 1996 
Kennedy-Kassebaum Health Insurance Portability and 
Accountability Act sets that date, and if we do not accomplish 
a legislative remedy, the Department will issue regulations. Of 
course, that will be insufficient because it only applies to 
electronic records, and most medical records are not electronic 
but in fact still on paper.
    The policy incorporated in H.R. 2470 does the following: It 
establishes the individual's right, which does not currently 
exist at the Federal level, to inspect, copy and amend his or 
her patient records. That is brand new. It enacts strong 
uniform Federal standards which replace conflicting State laws 
and impose strong civil and criminal penalties for the misuse 
of these records, the remedies to which Mr. Brown refers; 
requires law enforcement officials to demonstrate legitimate 
need in order to obtain protected health information; and 
protects patients involved in medical research trials when 
ensuring information can be used to continue research 
breakthroughs.
    The question has been raised and will be raised throughout 
this hearing: Why State preemption? Why is it important for the 
Federal Government and Congress to establish a unified 
standard? The founders of our Constitution recognized the need 
to protect interstate commerce.
    The logic of the commerce clause is plain sense. It made 
sense to ensure that buggy whips and butter churns could be 
transported across State lines without being subjected to the 
micro management of 13 colonies. It certainly is plain that 
medical data transmitted at the speed of light across 50 States 
and the District of Columbia requires a uniform standard that 
ensures both privacy and utility. I believe every member of 
this committee shares the twin goals of protecting privacy and 
enhancing research.
    H.R. 2470 is not the first bill drafted toward these ends 
and it will not be the last, but I have every confidence that 
if we reach across the aisle toward one another in good faith 
and with a positive, constructive approach, we can produce a 
final product that is worthy of us all, and I pledge to work 
with all of my colleagues on both sides of this committee 
toward that end.
    Two footnotes: I would like to draw attention to a drafting 
oversight in the last draft, the inadvertent elimination of 
workplace information protections, and I would like, Mr. 
Chairman, to submit a letter indicating my desire to correct 
that in the next draft.
    Mr. Bilirakis. Without objection, so ordered.
    [The information referred to follows:]

                      Congress of the United States
                                   House of Representatives
                                                      July 14, 1999
Deborah V. Dibenedetto, MBA, RN, COHN-S, ABDA
President
American Association of Occupational Health Nurses, Inc.
2920 Brandywine Road
Atlanta, Georgia 30341-4146
    Dear Ms. Dibenedetto: When drafting H.R. 2470, the Medical 
Information Protection and Research Enhancement Act, an oversight was 
made that excluded protections for medical information used in the 
workplace. Clearly this type of information is extremely sensitive and 
can be used to discriminate not only against employees, but for 
occupational health nurses and other providers who sometimes must weigh 
the threat of losing their job against protecting the information of 
their coworkers.
    As originally drafted, the bill ensured that the disclosure of the 
protected employee health information within the entity is compatible 
with the purpose for which the information was obtained and limited to 
information necessary to accomplish the purpose of the disclosure. In 
addition, the draft legislation also required the employer to prohibit 
the release, transfer or communication of the protected health 
information to officers, employees, or agents responsible for hiring, 
promotion, and making work assignment decisions with respect to the 
subject of the information. It was unfortunate these protections were 
inadvertently removed in the final version of the bill. It is my 
intention to do all in my ability to add these protections back in to 
H.R. 2470.
    I look forward to working with you in the future on this critical 
patient protection. Please do not hesitate to contact me should you 
have additional questions or concerns.
            Sincerely,
                                                 James C. Greenwood

    Mr. Greenwood. And I would like to take the opportunity to 
introduce to our panel Justin Pawlak. He is the young man in 
the center of the table there. I have learned that Justin wants 
to run for Congress someday. And, Justin, I will let you know 
when it is your turn.
    Thank you, Mr. Chairman.
    Mr. Bilirakis. Thank you. Mr. Waxman for an opening 
statement?
    Mr. Waxman. I will yield to Ms. Eshoo.
    Ms. Eshoo. Thank you, Mr. Waxman, and thank you, Mr. 
Chairman, for holding this important hearing today.
    As I was walking into the Rayburn building this morning, I 
thought that the last several hearings and/or markups that I 
have been to have dealt with the issue of privacy, and here we 
are again on the issue of privacy as it relates to medical 
records.
    I would like to begin by recognizing my constituent, Dr. 
Paul Tang of Palo Alto, California. Welcome. It is a pleasure 
to see you here. I also want to welcome Cristin Carty who does 
superb work with the California Health Care Institute. They 
have taken their place in a prominent way in working with 
members and providing a great deal of the research and 
information that members need in order to make informed 
decisions.
    With the advent of managed care increasing, numbers of 
people are involved in health care treatment, payment and 
oversight, giving them direct access to often very sensitive 
medical information.
    Today we have to place our trust in entire networks of 
insurers and health care providers. And I don't think that we 
can any longer expect that information supplied to our doctors 
will indeed remain confidential. The American people expect, 
and I think they are entitled to confidential, fair and 
respectful treatment of their private health information. It is 
incumbent upon Congress to enact a strong uniform Federal 
standard of protection for medical records privacy.
    Currently, of course, there is no Federal standard, and the 
existing patchwork of State laws provides erratic protection at 
best.
    Unfortunately, I don't think that my colleague Mr. 
Greenwood's bill is the total answer. Rather than providing 
privacy protections for medical records, the bill in fact, I 
think, steps back from the issue of medical privacy. The bill 
would allow insurers to use our private health information 
without consent for anything that can be called, ``health care 
operations.'' It is a very, very broad term that is not defined 
in the bill. The bill is written in such broad terms that 
virtually anything the health plan writes into its contracts 
could be considered a health care operation.
    For example, a health plan could include a contract clause 
that says health information will be used for marketing 
purposes. Or information can be used for insurance 
underwriting, allowing one to be rated as a bad risk and 
harming their ability to get insurance in the future. It is a 
very, very sensitive area for the American people.
    Another major problem, as I see it, with the bill is the 
lack of enforcement. Providing for a right of action would give 
every American the basic right to seek redress for violations 
of their private medical records and yet the bill is silent. It 
is often said that silence is deafening. The bill is silent on 
this issue.
    I would ask what good is a right if it can't be enforced? I 
think we should all think about that instead of scurrying to 
ideological corners. Just apply it to oneself. What good is it 
to have a right unless there is an ability to enforce it?
    I too want to ensure that research is not hampered. I see 
firsthand, day in and day out in my very distinguished 
congressional district, the enormous good and the impact of 
that good the research does day in and day out. But I think we 
need to be sure that any legislation enacted doesn't erect any 
unnecessary barriers that would slow and impede medical 
research, and I think we can do both. I don't think that we 
have to do one at the cost of the other. But I don't think that 
we can risk the privacy of every American to keep their most 
personal medical records private.
    Again, I think we need to establish a strong Federal 
standard to protect against unauthorized uses of our private 
health information while remaining mindful of the effect our 
laws will have on medical research and the lives it can and 
does save every day.
    Thank you, Mr. Chairman, for your leadership in this 
subcommittee. I think we have a ways to go in terms of 
hammering out something if in fact we are going to do that 
before the laws on the book would allow the Secretary to do so.
    I look forward to working with you and other members of our 
committee to produce something not only for the full committee, 
but the full Congress that we can really be proud of. Thank you 
very much.
    Mr. Bilirakis. I thank the gentlelady. And we will, if we 
are willing to work together.
    Mr. Upton for an opening statement.
    Mr. Upton. I have a statement for the record. I would just 
like to add that I have very strong support for this, and 
allowing Jim Greenwood to lead this charge in a bipartisan way 
was terrific. He has been a good leader.
    [The prepared statement of Hon. Fred Upton follows:]
  Prepared Statement of Hon. Fred Upton, a Representative in Congress 
                       from the State of Michigan
    Mr. Chairman, thank you for holding today's hearing on the Medical 
Information Protection and Research Enhancement Act. I also want to 
commend our colleague, Jim Greenwood, has shown in developing the 
comprehensive, thoughtful bill we will be discussing this morning. I am 
pleased to be a cosponsor of this legislation.
    I am sure that developing this legislation was no easy undertaking. 
It must reflect a delicate balance between the need to ensure the 
privacy of individuals' medical information and the need that arises to 
use personally identifiable health information in biomedical research, 
to evaluate the safety and effectiveness of treatments and coordinate 
the delivery of health care, and for other legitimate purposes.
    I am looking forward to hearing from our witnesses today about their 
perspective on achieving this balance.

    Mr. Bilirakis. Mr. Waxman.
    Mr. Waxman. Thank you. I am pleased that we are meeting 
today to discuss medical records legislation. Ensuring medical 
privacy in our multifaceted health care system is a vital 
patient protection. That is why I join together with 
Representative Gary Condit, Ed Markey, John Dingell, Sherrod 
Brown and others who have introduced consensus legislation that 
addresses the complex issues related to medical privacy in a 
commonsense manner.
    Strong Federal privacy protections for medical records are 
critical to ensuring that our health care system operates 
effectively. Currently, only a patchwork of State laws addresses 
medical privacy matters and many of these provide minimal 
protections. As a result, individuals are withholding 
information from their health care providers, even avoiding 
care for fear of privacy violations.
    Unfortunately, the majority's proposal, H.R. 2470, would 
only exacerbate individuals' concerns. Among other provisions, 
H.R. 2470 would allow health insurers to use an individual's 
information for insurance underwriting and marketing without an 
individual's consent, and for health research without an 
individual's consent or any review of the research. It would 
override carefully crafted State laws which protect the privacy 
of sensitive information such as dental health records, genetic 
information and HIV test results and it would block States' 
ability to address such issues in the future.
    I think it is important to have increased uniformity by 
enacting a strong Federal standard, but it is ironic to hear 
the Republicans deny the States' ability to act beyond that. 
Congress, I think, acted on this issue over 30 years ago. We 
may not act on it again for another 30 years. In the meantime 
the States ought to be able to respond to matters that come up 
that are unforeseen. Who would have thought about the AIDS 
epidemic even 15 or 20 years ago?
    I believe the Congress can and should enact legislation 
that provides the appropriate balance between ensuring privacy 
protections for individuals' health records, allowing 
appropriate access to health information for public interest 
purposes, and ensuring that the States have the flexibility to 
address specific privacy concerns.
    The Condit-Waxman-Markey-Dingell-Brown bill achieves this 
balance. Unfortunately, H.R. 2470 does not. I hope Congress 
moves forward on meaningful medical privacy legislation. As 
many here today know, the Health Insurance Portability and 
Accountability Act of 1996, known as HIPAA, set an August 21, 
1999 deadline for passage of such legislation. It is unclear 
whether we are going to meet that deadline because none of the 
relevant committees in the House or Senate have reported out 
legislation.
    Under HIPAA, if Congress fails to meet this deadline, the 
Secretary of HHS must promulgate regulations to protect medical 
privacy. The Secretary has issued recommendations that likely 
would be the basis of such regulations. These recommendations 
provide for strong privacy protections in many areas. Given the 
pressing need for Federal privacy protections, the Secretary 
should move forward with these regulations if Congress does not 
meet its deadline.
    The worst case scenario would be for Congress to enact weak 
medical privacy legislation or for Congress to both push the 
deadline back for passage of legislation and prevent the 
Secretary from moving forward. This would leave millions of 
individuals with minimal assurances of medical privacy 
protections. There is no good policy reason for taking either 
approach.
    I will continue to press forward with H.R. 1941 and I look 
forward to discussing this and other bills with today's 
witnesses. And of course, Mr. Chairman, even though this 
hearing is unfortunately being held only on the Republican 
bill, I hope this subcommittee will work in a bipartisan 
fashion, if that is possible, to try to work out a consensus. I 
never thought that medical privacy was a partisan issue. It 
should not be. It is a matter that we should be working on 
together to find a place where we can accomplish the goals that 
I think all of us share. Thank you very much.
    Mr. Bilirakis. I thank the gentleman. Mr. Norwood.
    Mr. Norwood. Thank you very much and thank you for having 
this hearing. I would like to thank Congressman Greenwood for 
his hard work. For the panelists who have come a long way, we 
are grateful. We appreciate your help today.
    But, Justin, we especially need your help. Anything you can 
do will be greatly appreciated by us all. Protection of private 
medical information obviously is a very important issue, and I 
believe this bill will bring us significantly closer to 
resolving the issue before the statutory deadline. We all know 
that if we do not meet our August deadline, the Secretary of 
HHS will take the job out of our hands and impose regulations 
that we have no control over. We are all aware of the potential 
dangers of allowing this to occur. The administration says that 
it wants to protect patients' rights to privacy. However, the 
administration has also considered a proposal to assign to each 
citizen a unique health identification number to track each 
person's medical information electronically. We should be very 
mindful of the consequences of Congress defaulting this 
responsibility to the Secretary.
    One of the issues that I believe the Greenwood bill deals 
with well is that of State law. If someone lives and works in 
Washington, DC, goes to the doctor in Arlington, picks up their 
prescription in Bethesda, what are the consequences of having 
three different sets of rules governing that one doctor's 
visit? Considering the interstate nature of medical records and 
the fact that 50 percent of Americans live on the border of 
their State, this issue should be considered within the context 
of interstate commerce.
    This is why I strongly support the preemption clause in the 
bill. That is why I am a strong believer in allowing State laws 
to govern the practice of medicine. I believe that a uniform 
standard is one more appropriate to govern the movement of 
medical information. Opponents of this bill are going to have 
problems with the fact that private cause of action for misuse 
of records has been left out of the bill. They may try to use 
this as an excuse to stall the bill. I am not saying whether I 
would vote for or against an amendment to include a Federal 
cause of action, but I do know that we have here the perfect 
chance for us to discuss the way we deal with penalties.
    We must also keep in mind that the bill does have a 
provision allowing criminal prosecution. I wondered and have 
wondered sometimes if that might not have been a better route 
for managed care reform. Frankly, Mr. Chairman, the 
complexities of this issue, especially compounded with our time 
restraint, make managed care reform look like child's play. I 
feel that this bill is a viable solution to this issue and 
should be given everyone's serious and open-minded 
consideration.
    I look forward to working with you, Mr. Chairman, and Mr. 
Greenwood and hope that we will get this done and save the 
Secretary a lot of effort. Thank you very much.
    [The prepared statement of Hon. Charlie Norwood follows:]
    Prepared Statement of Hon. Charlie Norwood, a Representative in 
                   Congress from the State of Georgia
    I'd like to begin by thanking the Chairman for holding this 
hearing. Protection of private medical information is an important 
issue, and I believe that this bill will bring us significantly closer 
to resolving the issue before the statutory deadline.
    We all know that if we do not meet our August deadline, the 
Secretary of HHS will take the job out of our hands and impose 
regulations that we have no control over. We are all aware of the 
potential dangers of allowing this to occur. The administration says 
that it wants to protect patients' rights to privacy; however, the 
administration has also considered a proposal to assign each U.S. 
citizen a unique health identification number to tag and track each 
person's medical information electronically. We should be very mindful 
of the consequences of Congress defaulting this responsibility to the 
Secretary.
    One of the issues that I believe the Greenwood bill deals with well 
is that of state law. If someone lives and works in Washington, DC, 
goes to a doctor in Arlington, and picks up a prescription in Bethesda, 
what are the consequences of having three different sets of rules 
governing that one doctor visit? Considering the interstate nature of 
medical records, and the fact that fifty percent of Americans live on 
the border of their state, this issue should be considered within the 
context of interstate commerce. This is why I strongly support the 
preemption clause in the bill. While I am a strong believer in allowing 
state laws to govern the practice of medicine, I believe that a uniform 
standard is more appropriate to govern the movement of medical 
information.
    Opponents of this bill are going to have problems with the fact 
that private cause of action for misuse of records has been left out of 
the bill. They may even try to use this as an excuse to stall the bill. 
I'm not saying whether I would vote for or against an amendment to 
include a federal cause of action, but I do know that what we have here 
is the perfect chance for us to discuss the way we deal with penalties. 
We must also keep in mind that the bill does have a provision allowing 
criminal prosecution. I wonder sometimes if that might not have been a 
better route for managed care reform.
    Frankly, Mr. Chairman, the complexities of this issue, especially 
compounded with our time constraint, make managed care reform seem like 
child's play. I feel that this bill is a very viable solution to this 
issue and should be given everyone's serious and open minded 
consideration.
    I look forward to the witnesses' testimony and yield back the 
balance of my time.

    Mr. Bilirakis. I thank the gentleman. Ms. Capps.
    Ms. Capps. Good morning. I want to thank the chairman for 
holding this important hearing and welcome our distinguished 
witnesses here today.
    I also want to mention Cristin Carty because I have worked 
closely with her. She has been very helpful on a variety of 
health-related issues.
    Medical privacy is a difficult and complex issue. On the 
one hand it is so imperative that we prevent the misuse of 
patients' medical data. I believe strongly that we need to 
establish a national policy that safeguards an individual's 
right to privacy with respect to personally identifiable health 
information. The misuse of health information can harm patients 
and families. Unauthorized use of our health plans, genetic 
information or our family history, can make it difficult, if 
not impossible, for many Americans to obtain health insurance. 
Patients need to be encouraged, have the right to be encouraged 
to share with their doctors, nurses or therapists all of their 
health information. No diagnosis or treatment is complete 
without it. But if patients can't be sure that this sensitive 
and personal information will be kept confidential, they will 
not be forthcoming. That will hurt patient care. And it will 
stifle research efforts. Privacy must never take a back seat to 
profits.
    I am supportive and mindful of the needs of the research 
community as well. The University of California at Santa 
Barbara, for example, is an academic center in my district, and 
I want very much to encourage their research efforts there and 
not to impede their work. I have a personal interest in this 
topic. I have a daughter who is involved in a clinical trial at 
Stanford, and her life may hang in the balance of that 
research.
    The Medical Information Protection and Research Enhancement 
Act of 1999 was introduced just this week. It is a complex bill 
and I am still evaluating it, but I do have some initial 
concerns. It appears that the bill does not provide individuals 
the basic right to seek redress for privacy violations, as it 
does not provide for a private right of action. It also appears 
to contain inadequate provisions regarding an individual's 
right to notice of a health plan's confidentiality practices 
requiring that a health plan need only post such a notice 
instead of ensuring that each individual receive a copy.
    I look forward to discussing these issues at this hearing. 
As we navigate this complex medical privacy issue, I know we 
must be very careful to protect patients. We in Congress must 
make every effort to maintain the public trust, but we should 
also encourage research. This is often a difficult balance to 
strike. But I do believe that it is the duty of this 
subcommittee to reach that balance. I yield back the balance of 
my time.
    Mr. Bilirakis. I thank the gentlelady. Mr. Bryant.
    Mr. Bryant. Thank you, Mr. Chairman. Before I yield back 
the balance of my time, I want to thank you for holding this 
hearing and Mr. Greenwood for his hard work on this bill and I 
want to thank the distinguished panelists here today. Thank 
you, Mr. Chairman.
    Mr. Bilirakis. Thank you. Ms. DeGette.
    Ms. DeGette. Thank you, Mr. Chairman. I am grateful that 
you held this hearing today on what has developed into a 
critical issue. I want to thank Mr. Greenwood also for 
introducing this legislation and for his hard work in getting 
this discussion started and also those on my side of the aisle 
for their many years of work on medical privacy.
    I think that without strong medical privacy protections, 
the privacy of health care consumers and the integrity of 
medical research are at risk. Medical privacy, as has been so 
aptly noted by my colleagues, is an intricate matter and the 
devil is in the details.
    Consumers should not have to worry that their private 
medical records will be exploited in marketing schemes or used 
to deny insurance applications if they have not signed the 
necessary documents. We have a good opportunity to make these 
protections more clear so consumers do not face discrimination 
or inappropriate invasions of their privacy, and so they are 
not left questioning what do I sign, who is looking at my file, 
what was I not told, and what should I be doing.
    This is a very delicate balance, as we all know: strong 
consumer protections that reassure the public that its privacy 
will not be invaded, and also tempered regulated access to 
medical records so that researchers and law enforcement 
officials can do their jobs.
    I am particularly concerned that any medical privacy 
legislation will establish provisions that ensure the integrity 
of medical research. While some have said that research needs 
and privacy concerns cannot be merged, I think that in 
actuality the two needs are really not that far apart. If we 
fail to reassure the public that medical records will be used 
prudently and that the privacy of individuals will be 
preserved, then the public will refuse to open the records to 
researchers. While there is much to consider in evaluating the 
implications medical privacy protections have on research, I am 
particularly troubled that some have criticized proposals that 
require an institutional review board or similar entity to 
review and approve research utilizing medical records. Such 
entities can ensure that the potential good of the research 
outweighs any privacy concerns and that strong privacy 
protections are in place by preserving the confidentiality of 
the data that is collected. IRBs and other like entities are 
used in almost every research setting. In fact, many 
organizations that privately fund research insist on an IRB to 
safeguard the reliability of the research.
    I think that it is naive to believe that requiring such a 
check would negatively affect anything other than the marketing 
plan for the researcher's resulting product. And I am puzzled 
that some are anxious to differentiate between privately and 
publicly funded research for IRBs and other privacy protection 
requirements. It seems to me that if one were to have stronger 
privacy protections than the other, patients would be reluctant 
to participate in research that could inappropriately disclose 
private information. But once again, as has been noted in this 
hearing and by me, the devil is in the details, and I don't 
think that the burden should be placed on the American public 
to determine what the source of the funding is for the research 
and therefore what the implications for the funding source 
holds on their privacy of their records.
    So, therefore, I look forward to hearing what our panelists 
have to say about medical privacy proposals on research needs, 
and how this is going to impact patients.
    With that, Mr. Chairman, I yield back the balance of my 
time.
    Mr. Bilirakis. Thank you. Dr. Ganske.
    Mr. Ganske. Thank you, Mr. Chairman. Well, if there is a 
tough problem to figure out what to do in the right way on 
Capitol Hill, the hardest one that I have seen since I have 
been in Congress is the issue of the right balance and walking 
the right line on medical privacy.
    I looked at this issue a lot when I was drafting my patient 
protection legislation and decided it was such a complex issue 
that I could not include a substantive provision in that bill 
or I would have something that was 200 pages long.
    And then, of course, we got into the debate on H.R. 10, and 
I see my good friend and colleague from Massachusetts waiting 
to say a few words, so I want to say a few words about the 
medical privacy issue on H.R. 10 because there is some 
reference to that in the testimony today.
    It is very interesting, I am somewhat amused that there are 
those who think that the exceptions in order for an insurance 
company to do its business were too broad, and yet at the same 
time the chairman of the full committee is now getting letters 
from the insurance industry, saying if the exceptions are 
construed narrowly so as to exclude from the reach of the 
exception many aspects of the insurance business, the problems 
will be magnified since the opt-out provisions will apply to 
transfers integral to the business of insurance.
    So on the one hand, those who are looking for a very 
comprehensive bill, which I thought was beyond the reach of 
what we are dealing with, a financial service entity, 
insurance, banking and securities, want to go--be much more 
strict in the exceptions, the insurance industry or at least 
some in the industry think that those exceptions were too 
strict. I don't know, Mr. Chairman. Maybe that is demonstrating 
that they were somewhere in the right range. I have, Mr. 
Chairman, a Dear Colleague that I would like unanimous consent 
to enter into the record and also to distribute to members of 
the committee.
    Mr. Bilirakis. Without objection, so ordered.
    [The information referred to follows:]

                      Congress of the United States
                                   House of Representatives
                                                      July 12, 1999
    Dear Colleague: The medical privacy provision in H.R. 10 restricts 
disclosures of customer health and medical information by insurers.
    Some concerns have been raised about the exceptions to the opt-in 
policy. I would like to take this opportunity to define some of the 
terms found in the exceptions and dispel the misinformation that is 
being circulated regarding these provisions.
    Under current law, an insurance company obtains medical record 
information only with an individual's authorization. The medical 
privacy provision in H.R. 10 relates to how an insurance company shares 
the data after it has acquired it. The provision states that insurers 
can only disclose this information with an individual's consent except 
for limited, legitimate business purposes. These provisions would apply 
to all insurers who are currently engaged in the insurance business, 
and who have millions of contracts in force right now. Without these 
exceptions, these insurers would no longer be able to serve their 
customers.
    The exceptions include ordinary functions that insurance companies 
are already doing in their day-to-day business. Such operations 
include:
    Underwriting: Insurers use health information to underwrite. The 
price someone pays for insurance is based in part on an individual's 
state of health. Insurers gather medical information about applicants 
during the application and underwriting process. Underwriting is 
fundamental to the business of insurance. During the underwriting 
process, an insurer may use third parties, such as labs and health care 
providers to gather health information and/or to analyze health 
information. The insurer may also use third parties to perform all or 
part of the underwriting process and must disclose information to these 
third parties, such as doctors or third party administrators, so that 
they can enter into the contract in the first place.
    Reinsuring Policies: Insurance companies sometimes assume a 
``risk'' and then further spread the risk by ``reinsuring'' a policy. 
While often a ``reinsurance'' arrangement is made at the initiation of 
a contract, there are also times when reinsurance occurs after the 
policy is issued. The reinsurer needs access to the first insurer's 
underwriting practices as part of its due diligence. Without this 
language, the wheels of the reinsurance industry could literally grind 
to a halt.
    Account Administration, Processing Premium Payments, and Processing 
Insurance Claims: In order to pay a claim for benefits, the insurer has 
to process the claim. This is a basic business function. These 
activities are the very reasons an individual signs up for a policy in 
the first place. Companies may use third party billing agencies and 
administrators to process this information. A company that doesn't 
today, may tomorrow; and we need to ensure that they can, so that 
consumers can be served.
    Reporting, Investigating or Preventing Fraud or Material 
Misrepresentation: There are certainly times when individuals may not 
want to disclose all of their health information for valid reasons. 
However, there are those that may try to hide health information 
relevant to whether a policy would be issued or what would be charged 
for that policy. For example, nonsmokers usually pay less for insurance 
than smokers. On the other hand, if you have a chronic illness your 
premium may be higher. If an individual is engaged in fraud or material 
misrepresentation, it is highly unlikely that they would give their 
consent so that the insurer could disclose this information, for 
example, to its law firm to undertake an investigation of the matter or 
to the insurance commissioner or other appropriate authorities.
    Risk Control: Credit card companies and other financial 
institutions involved in billing, conduct internal audits to ensure the 
integrity of the billing system. During this process, the company 
verifies that merchants, credit card holders and transactions are 
legitimate. These audits are done on random samples in which 
transactions dealing with medical services are not segregated or 
treated differently from other types of transactions. However, if this 
exception were not included, the company would be prevented from 
verifying the validity of transactions dealing with medical services. 
This would open the door for much fraud and abuse or the inability for 
consumers to write checks or use credit cards to pay for medical co-
payments.
    Research: Insurers do research for many purposes. For example, life 
insurers will do research related to health status and mortality to 
help them more accurately underwrite and classify risk. This provision 
is needed so that insurers can continue to do research.
    Information to the Customer's Physician: This exception is 
necessary to allow insurers to release information to an individual's 
physician. For example, during the underwriting process, an insurer may 
conduct blood tests on an applicant. If the blood tests indicate that 
there may be something wrong, the insurer needs to be able to share the 
information with the individual's designated physician or health care 
provider so that they, together, can determine the best course of 
treatment.
    Enabling the Purchase, Transfer, Merger or Sale of Any Insurance 
Related Business: No one has a crystal ball. A company does not know in 
advance when they will engage in these activities. It would be 
impractical if not impossible to obtain the tens of thousands of 
authorization forms signed and returned to the company so that a 
company could purchase, transfer, merge or sell an insurance related 
business. Without this language, companies will not be able to serve 
their customers by forging new business frontiers. Since the privacy 
provision covers all insurance companies, the purchasing company will 
have to abide by the same restrictions as the original company.
    Or as Otherwise Required or Specifically Permitted by Federal or 
State Law: There are some states that require or specifically permit 
the disclosure of medical information by insurance companies. For 
example, a company may have to disclose health information to a state 
insurance commissioner so that the commissioner can determine if the 
company is complying with state law banning unfair trade practices. A 
company may have information that would help the police in an 
investigation where they suspect an individual has murdered someone in 
order to collect life insurance benefits. This language is necessary 
for these and other important public interests.
    I hope that this brief explanation of the exceptions to the strong 
``opt-in'' provisions of the medical privacy provisions of H.R. 10 
clears up some misperceptions. During floor debate, I said I would work 
to include explicit language stating that this provision does not 
prohibit the secretary of HHS from issuing regulations on medical 
privacy as specified by HIPAA.
    Furthermore, I hope consensus can be achieved on a comprehensive 
medical privacy bill. However, I remain convinced that as new financial 
services entities that combine banking, securities and insurance are 
created by H.R. 10, it is important that personal health data can be 
shared inside, or outside, the company only with the patient's 
permission. That is what the Ganske Amendment did.
    If you need additional information, please contact Heather Ellers 
at 5-4426.
            Sincerely,
                                                Greg Ganske
                                                 Member of Congress

    Mr. Ganske. And this describes some of the specifics of the 
exceptions in H.R. 10 and what exactly they mean.
    Mr. Chairman, I want to deal specifically with some of the 
testimony today as it relates to my amendment in H.R. 10. There 
is a statement that says law enforcement entities would enjoy 
virtually unfettered access to medical records and insurance 
companies could review individual records in performing 
marketing studies. The Ganske amendment in H.R. 10 allows 
insurance commissioners to enforce the privacy provisions. I 
don't think that they are going to allow law enforcement 
entities unfettered access to medical records. And in regard to 
the marketing studies, nowhere in the amendment in H.R. 10 is 
marketing even mentioned.
    Then there is a statement, Why should life insurers be able 
to routinely access patients' entire medical records without 
patient consent or knowledge?
    I would point out that my provision in H.R. 10 is an 
across-the-board opt-in so that within that financial services 
or outside of the financial services, in order for that 
insurance company to share that information, they have to get 
an okay from the patient. And I would also point out when a 
life insurer processes an application for life insurance, many 
health-related factors are taken into consideration in order to 
determine the risk evaluation of the individual in order to 
determine what the appropriate premium should be. That is what 
insurance underwriting is.
    Then there is a statement, ``No limitations on subsequent 
disclosures of medical records to nonaffiliated entities.'' I 
would point out that we were dealing with H.R. 10 which was 
dealing specifically with these financial entities. If we had 
tried to extend that to nonaffiliated entities, it would have 
been ruled nongermane for H.R. 10.
    Then there is a statement, ``nor does the legislation 
encourage the use of de-identified medical records.'' The reason 
that wasn't in my amendment is that insurance companies have 
been able to use that information to track specific individuals 
for underwriting purposes. And I think that is an issue that is 
appropriate for this debate.
    Mr. Bilirakis. If I may interrupt the gentleman, we have a 
vote on the floor and we have at least another opening 
statement, and I would like to get through opening statements 
before we break.
    Mr. Ganske. Finally, the amendment will not insure that 
patients will receive notice of confidentiality and disclosure 
practices of the insurance companies. That claim is correct. 
The amendment does not include disclosure requirements because 
the provision included in title V of the bill requires a 
financial entity to disclose all privacy policies. That is 
where we fit that amendment in.
    So I would hope that the members of this committee, as we 
deal with a larger comprehensive medical privacy bill will not 
reflexively think that we should not have something in that 
financial services bill related to it, something reasonable 
like I think my amendment was. Remember, I promised on the 
floor that I would in conference try to get in specific 
language that said nothing in H.R. 10 would preclude the 
Secretary from going ahead and issuing her regulations if 
Congress cannot come up with a comprehensive bill.
    I yield back the balance of my time.
    Mr. Bilirakis. I thank you. I would like to finish up the 
opening statements before we run over for a vote. I yield now 
to Mr. Markey who is not a member of the subcommittee, but who 
is very much involved in this issue.
    Mr. Markey. Thank you, and I thank you for your continuing 
indulgence for allowing me to attend these sessions. I have a 
great interest in privacy issues as we see each profession 
intersect with the on-line revolution, and it is clear that we 
have to deal with it as a subject.
    I would ask you to picture where your medical records are 
right at this moment. You probably would imagine a file that 
looks something like this, containing the documentation of your 
most personal and intimate details of your life: your health 
history. You probably imagine this file in your doctor's office 
or at your local hospital, locked away in a filing cabinet, the 
keys of it dangling around the neck of a trustworthy nurse who 
looks like your mother or your grandmother, the guardian of 
your medical records. That nurse looks like that first nurse 
you went to when you were 3. If this is the image you are 
picturing, let it go, for the reality of today's information 
age speaks of a very different tomorrow.
    Today many medical records are no longer confined to the 
physical barricade of a steel filing cabinet. More and more, we 
are depending on technology to provide the security once 
provided by lock and key and the motherly town nurse. As we 
approach the 21st century, we are moving toward an information-
based economy where we are losing control of the ability to 
ensure that there is, in fact, a lock on who has access to the 
most personal information regarding our lives. So we need to be 
thoughtful in our approach to privacy. By being most attentive 
to the needs of commerce, we destroy the ability to control who 
we will be in the new millennium. What we are looking for is 
commerce with a conscience.
    Last week we passed the financial modernization bill, H.R. 
10, after a great deal of debate which centered around access 
to financial information and who ultimately controls where that 
personal information will go. While we made very limited 
progress in providing privacy protections to financial 
information, we took steps backwards in providing privacy 
protections to medical information.
    Today we are conducting a legislative hearing on the 
medical confidentiality bill, H.R. 2470, introduced on Monday 
by Mr. Greenwood along with six cosponsors, and I am very 
pleased that we have a hearing on that subject. But I think it 
is also noteworthy that this committee has also produced 
another bill that Mr. Condit, Mr. Waxman and Mr. Dingell, and 
Mr. Towns, Mr. Brown and I and 57 other cosponsors have 
introduced on the very same subject. And I think it would be 
very helpful if that subject was also before the committee as 
well.
    There is a good reason why consumer groups have cosponsored 
the bill that I just referred to. And that is that the bill 
that is under consideration today has the support of industry, 
but only industry. And there is a good reason. It requires no 
consent or even an acknowledgment from the patient of her 
privacy rights. Simply by seeking treatment or signing onto a 
health plan, you are unknowingly agreeing to disclose health 
information for an open-ended list termed health care----
    Mr. Bilirakis. Mr. Markey, would you please summarize. You 
are entertaining us, but please summarize.
    Mr. Markey. Well, the point that I would make in summary, 
Mr. Chairman, is that a wide-ranging debate would include a 
full discussion of other legislation which is also now before 
the Congress, although not before this panel at this time, and 
I would hope that we would be able to discharge that. And a 
horse is a horse of course, of course. And I thank you, Mr. 
Chairman, for allowing me to testify at this time.
    [The prepared statement of Hon. Edward J. Markey follows:]
   Prepared Statement of Hon. Edward J. Markey, a Representative in 
                Congress from the State of Massachusetts
    Mr. Chairman, thank you for calling this morning's hearing on The 
Medical Information Protection and Research Enhancement Act. I would 
also like to thank you and Mr. Brown for your continued indulgence in 
permitting me to sit in on these sessions, because, as you know, the 
issues of privacy protections in general, and medical records privacy 
in particular are very important to me.
    If I were to ask you to picture where your medical records are 
right at this moment, you probably would imagine a file that looks 
somewhat like this containing the documentation of your health history 
which includes some of the most personal and intimate details of your 
life. You probably imagine this file in your doctor's office or your 
local hospital locked away in a filing cabinet, the keys to it dangling 
around the neck of a trustworthy nurse who looks like your mother or 
grandmother, the guardian of your medical records. If this is the image 
you are picturing--LET IT GO--for the reality of today's information 
age speaks to a very different tomorrow. Today, many medical records 
are no longer confined to the physical barricade of a steel filing 
cabinet. More and more we are depending on technology to provide the 
security once provided by lock and key and the motherly town nurse.
    As we approach the 21st century, we are moving toward an 
information based economy where we are losing the ability to control 
who has access to the most personal information regarding our lives. We 
need to be thoughtful in our approach to privacy. By being most 
attentive to the needs of commerce we destroy the ability to control 
who we will be in the new millennium. What we are looking for is 
commerce with a conscience. Last week we passed the Financial 
Modernization Bill, H.R. 10--a great deal of the debate centered around 
access to personal information and who ultimately controls where that 
personal information will go. While we made very limited progress in 
providing privacy protections to financial information, we took steps 
backward in providing privacy protections to medical information.
    Today, we are holding a legislative hearing on the medical 
confidentiality bill H.R. 2470 introduced late Monday night by Mr. 
Greenwood along with 6 cosponsors--I am pleased to have the opportunity 
to debate the issue of medical privacy but I'm at a loss as to why we 
are only considering a Republican proposal with 6 cosponsors when two 
other bills--both introduced by members of this Committee--are not 
being considered. In March I introduced H.R. 1057 which has the support 
of 41 cosponsors and in May I joined Mr. Condit, Mr. Waxman, Mr. 
Dingell, Mr. Brown and Mr. Towns in introducing a consensus bill H.R. 
1941 which is now up to 57 cosponsors. Both of these bills are endorsed 
by a variety of patient, provider and consumer groups while Mr. 
Greenwood's bill has the endorsement of industry and industry alone.
    There is a good reason why those most concerned with patient 
privacy do not support the Greenwood bill. It requires no consent or 
even an acknowledgment from the patient of her privacy rights. Simply 
by seeking treatment or signing on to a health plan, you unknowingly 
agree to disclose personal health information for an open-ended list of 
items termed ``health care operations''. This bill provides no real 
privacy protections for subjects of private research projects and 
preempts stronger medical privacy protections in state law. Finally, 
this bill provides no private right of action for patients to seek 
damages for violations of breaches of confidentiality.
    I am pleased to be here today to discuss this important issue but 
I'm disappointed that the other medical privacy bills sponsored by 
members of this Committee are languishing. It is my hope that the next 
legislative hearing on this issue will include the other bills offered 
by members of the Committee.
    Thank you.

    Mr. Bilirakis. Dr. Coburn.
    Mr. Coburn. I want to make two points. Confidentiality of 
medical records is important; and when the American public does 
not have confidence that that confidentiality is there, people 
get hurt. And all I would explain to you is look at the HIV 
epidemic where we have half a million people in this country 
who have HIV, who should not have it, because we didn't instill 
the confidence that people's records were going to be held in 
confidence.
    The second point I would make is that Jim Greenwood, in 
writing this bill, has the qualifications and the character to 
put patients and their information first.
    And although Mr. Markey and others may disagree with some 
of the components of this bill, we could not ask another Member 
of Congress that has the qualifications for caring for people 
in his background to write such a bill. And you can have 
confidence that whatever bill comes out of this committee with 
Mr. Greenwood's signature on it will be one that does protect 
patients' confidentiality in a way that is fair, firm, and will 
protect their future.
    And with that I yield back the balance of my time.
    Mr. Bilirakis. Thank you very much, Doctor.
    [Additional statements submitted for the record follow:]
Prepared Statement of Hon. Barbara Cubin, a Representative in Congress 
                       from the State of Wyoming
    Mr. Chairman, I would like to thank you for calling this hearing. 
This is an extremely complicated, but vitally important issue that we 
must resolve ahead of the August 21 deadline imposed by HIPAA.
    Americans cherish our privacy, particularly when our medical and 
personal histories are involved. Congress must move to pass sensible, 
but effective legislation, to protect paper and electronic medical 
records. In our move to ensure valid privacy concerns, legislation must 
also recognize legitimate research requirements. For any legislation to 
be effective, it must contain strong enforcement mechanisms.
    Representative Greenwood's legislation strikes a balance between 
personal medical privacy and research needs. I appreciate the work that 
he has done on this issue, and the positive effects it will have for 
every American.
    As we delve into this complicated issue today, I look forward to 
hearing the unique perspectives of our witnesses. Thank all of you for 
coming.
                                 ______
                                 
 Prepared Statement of Hon. Tom Bliley, Chairman, Committee on Commerce
    Thank you, Chairman Bilirakis for holding this hearing today on 
H.R. 2470, the Medical Information Protection and Research Enhancement 
Act of 1999. I commend my colleague on the Committee, Mr. Greenwood of 
Pennsylvania, for his foresight and diligence in bringing comprehensive 
legislation on this important issue to the Committee.
    Mr. Greenwood has done an excellent job in improving language that 
has been crafted, reviewed, fought over, and agreed to over the last 
several years in the other body. This language has benefitted from a 
long discussion process among experts in the private and public 
sectors. It strives to preserve patient privacy, while assuring that 
medical research will continue to progress. This language is well 
understood by those in the advocacy community, and is the most well-
mapped geography of all the medical record confidentiality legislation 
in Congress.
    I wish that I could say the same for legislation that has been 
introduced by my colleagues on the other side of the aisle. Despite the 
best of intentions, the unintended consequences of bills like H.R. 1057 
and H.R. 1941 could be very dire for patients across the country. 
According to written testimony submitted by the Biotechnology 
Industrial Organization at our last hearing on confidentiality, H.R. 
1057, the Medical Information Privacy and Security Act, and H.R. 1941, 
the Health Information Privacy Act, ``contain provisions that will 
significantly impede medical research by requiring that all research be 
monitored by an external entity.'' In fact, the testimony states, 
``H.R. 1941 would expand the Federal government's role in private 
research by requiring that all research, whether funded with private 
dollars or taxpayer dollars, be reviewed by an entity certified by the 
Secretary using standards that are more restrictive than that used by 
Institutional Review Boards.''
    We should not throw the baby out with the bathwater. In our efforts 
to ensure that medical records remain confidential, we should not make 
medical research so difficult and expensive that the cures patients 
seek are unavailable. I look forward to hearing from our witnesses 
today on how we can improve the Greenwood legislation to safeguard 
patient confidentiality while ensuring a vital medical research 
industry.
    Thank you, Mr. Chairman, and I look forward to the testimony this 
morning.
                                 ______
                                 
  Prepared Statement of Hon. Gene Green, a Representative in Congress 
                        from the State of Texas
    I want to thank the Chairmen for scheduling this important hearing.
    As the deadline imposed by HIPAA for Congressional action 
approaches, I believe it is important for this subcommittee to begin 
its consideration of specific legislative language.
    Unfortunately, I believe the Republicans are making a mistake by 
essentially choosing to move a bill that does not have any bipartisan 
support and is filled with loopholes that could jeopardize our medical 
record privacy rights.
    Mr. Chairman, Americans are scared of what will happen to them if 
their medical records fall into the wrong hands. And by the term 
``wrong hands'', I am not talking about criminals--I am talking about 
potential employers and health insurance companies who discriminate 
against people based on their health history or even the likelihood of 
their future health status.
    Today's information and technology gives the world an unprecedented 
opportunity for health research and prevention. Efforts like the human 
genome project have the potential to provide scientists and doctors with 
levels of health information that was inconceivable less than ten years 
ago.
    However the benefits of the genome project and other research 
efforts will be limited if Americans don't have complete confidence 
that they will be able to control who has access to their personal 
medical information.
    I am proud to be a cosponsor of legislation to address these 
issues, including the consensus bill recently introduced by Mr. Condit. 
I believe his bill strikes a fair balance between protecting 
individual's rights and the legitimate access needs to encourage and 
assist medical research.
    I believe H.R. 2470 fails to pass this ``balanced'' litmus test.
    While complete analysis of the bill is not yet completed because it 
was only introduced three days ago, it already appears to lack basic 
and fundamental safeguards to protect individuals.
    Among these is the loosely defined exception for ``health care 
operations.'' As currently drafted in H.R. 2470, insurers could use an 
individual's health information for marketing purposes and insurance 
underwriting without consent by the individual.
    Moreover, instead of creating a federal protection floor, this bill 
actually sets a ceiling and would preempt existing state laws and 
prevent states from passing laws to address their specific concerns.
    Finally, this bill would prohibit the Secretary from taking 
additional steps in the future to address currently unforeseen medical 
privacy protection issues.
    Mr. Chairman I sincerely appreciate the efforts you and Mr. 
Greenwood have made in drafting this bill and I am disappointed that I 
am unable to support this bill in its current form.
    I look forward to working with the rest of the subcommittee Members 
on both sides to develop a fair and comprehensive bipartisan solution 
to this very bipartisan issue.
                                 ______
                                 
    Prepared Statement of Hon. John D. Dingell, a Representative in 
                  Congress from the State of Michigan
    Mr. Chairman, I want to begin by thanking you for scheduling this 
hearing. This is now our second hearing on the topic of medical records 
privacy. In view of the complex nature of the subject matter this is 
time well spent. All of us need to learn as much as we can about the 
uses and disclosures of personally identifiable medical information as 
they may occur in the modern, and I might add, ever changing, health 
care system. The proper use of such information can do great good for 
the patient, for research, and for public health and other legitimate 
purposes. But such information can also do great harm to the patient, 
to research, and other important purposes if used or disclosed 
improperly. Our job is to strike the appropriate balance between an 
individual's fundamental right to privacy and the need in certain 
circumstances for personally identifiable medical information to be 
used or disclosed by someone other than the patient.
    I want to put the timing of this hearing and any further 
legislative action on medical records privacy in context. Much is made 
of the August 1999 deadline under the Health Insurance Portability and 
Accountability Act (``HIPAA''). The Secretary may begin the process of 
writing regulations if we do not enact legislation before then. She 
undoubtedly will need some period of time thereafter to complete the 
task. In sum, we need to move with alacrity, but there should be 
sufficient time to act under current law if we are serious about doing 
so, and there should be no need to extend the HIPAA deadline.
    Mr. Chairman, today's hearing will hopefully inform us of key 
differences among competing approaches to medical records privacy 
legislation. I was pleased to join many of my colleagues, including 
Messrs. Condit, Waxman, Towns, and Markey in sponsoring H.R. 1941. I 
continue to believe that H.R. 1941 embodies sound medical records 
policies that include enforceable remedies and flexibility to meet 
future changes and challenges in this area. I see that my colleagues 
and good friends Messrs. Greenwood, Shays, Norwood, Burr, and Upton 
this week have also introduced a bill on this subject, H.R. 2470. I was 
disappointed to learn that this hearing has been captioned as dealing 
only with the Greenwood bill. Privacy is not a partisan issue.
    Today, we will hear from two outstanding panels of witnesses. They 
include some of the leading experts on the subject of medical records 
privacy and I am anxious to learn from them.
    Thank you.

    Mr. Bilirakis. We will recess until after our vote. It will 
probably be about 15 minutes.
    [Brief recess.]
    Mr. Bilirakis. The hearing will come to order.
    Panel I consists of Mr. John T. Nielsen, Senior Counsel and 
Director of Government Relations with Intermountain Health 
Care, Salt Lake City, Utah; Dr. Paul Tang, Medical Director of 
Clinical Informatics, Palo Alto Medical Clinic, Los Altos, 
California; Mr. Justin Pawlak of Harleysville, Pennsylvania; 
Dr. Paul S. Appelbaum, Professor and Chairman, Department of 
Psychiatry, University of Massachusetts Medical School; and Ms. 
Chai Feldblum, Director of Federal Legislation Clinic, 
Georgetown University Law Center.
    Welcome. Your written statement is a part of the record, 
and we will set the clock at 5 minutes and ask you to try to 
hold to it as closely as you possibly can. We will start off 
with Mr. Nielsen. Please proceed, sir.

 STATEMENTS OF JOHN T. NIELSEN, SENIOR COUNSEL AND DIRECTOR OF 
GOVERNMENT RELATIONS, INTERMOUNTAIN HEALTH CARE; PAUL C. TANG, 
   MEDICAL DIRECTOR, CLINICAL INFORMATICS, PALO ALTO MEDICAL 
  CLINIC; LINDA PAWLAK, PARENT; PAUL APPELBAUM, PROFESSOR AND 
 CHAIR, DEPARTMENT OF PSYCHIATRY, UNIVERSITY OF MASSACHUSETTS 
     MEDICAL SCHOOL, ON BEHALF OF THE AMERICAN PSYCHIATRIC 
ASSOCIATION; AND CHAI FELDBLUM, PROFESSOR OF LAW AND DIRECTOR, 
  FEDERAL LEGISLATION CLINIC, GEORGETOWN UNIVERSITY LAW CENTER

    Mr. Nielsen. Thank you, Mr. Chairman, members of the 
committee. Good morning. My name is John T. Nielsen. I am 
Senior Counsel and Director of Government Relations for 
Intermountain Health Care. IHC, as it is called, is an 
integrated, not-for-profit healthcare system based in Salt Lake 
City. We serve the States of Utah, Idaho and Wyoming. The IHC 
system consists of 23 hospitals, over 400 employed positions 
and a large health plan division.
    IHC employs 23,000 people who are keenly aware of their 
responsibility to safeguard personal health information, and we 
have invested considerable resources in order to develop 
effective protections and procedures to provide privacy 
protection for those that we serve.
    IHC is pleased to strongly support the Medical Information 
Protection and Research Enhancement Act. We are pleased that 
H.R. 2470 reflects, among other things, six important key 
principles. First, H.R. 2470 wisely adopts uniform Federal 
confidentiality standards and preempts State authority in the 
areas covered by Federal legislation. Confidentiality 
legislation must ensure national uniformity and recognition of 
the increasingly complex and interstate nature of health care 
delivery in this country. I believe Mr. Greenwood has put it, 
as well as I have heard it in his opening statement.
    Second, IHC supports H.R. 2470's statutory authorization 
approach. While it can certainly be argued that the practice of 
obtaining signed authorization has value and merit, and indeed 
a study and a report by the Health Privacy Project at 
Georgetown University, of which I was part, recommends this 
approach, IHC has long maintained that the statutory 
authorization approach makes very good sense. This approach, 
combined with the bill's strong penalties for misuse, will 
allow for appropriate access to identifiable information while 
protecting patient confidentiality.
    Mr. Greenwood's bill wisely allows the use of patient 
information only for expressly stated purposes which include 
treating, securing payment, conducting certain health care 
operations and other important purposes, including medical 
research, emergency services and public health.
    Having said this and while IHC has certainly no objection 
to the approach taken in the bill, we would also have no 
objection to the more formal, signed authorization approach. 
After all, it is our current practice and may still be.
    Third, H.R. 2470 applies Federal standards only to 
individually identifiable information, and this is the correct 
approach because patients have a legitimate expectation of 
privacy and because, perhaps more importantly, it creates a 
powerful incentive to encrypt, encode or otherwise anonymize 
patient health information.
    Fourth, the act applies equally to all types of health 
information. All patient identifiable information is sensitive 
and should be afforded equal protections against inappropriate 
disclosure.
    Fifth, the act rightly includes significant penalties for 
inappropriate use of protected information.
    And last, sixth, it establishes new Federal safeguards to 
protect patient identifiable information. We are also pleased 
that the bill provides for a Federal right that patients may 
access, copy and request amendments to their medical records.
    At IHC, in order to treat our patients and improve the 
health outcomes of the entire population we serve, we must be 
able to share information among our physicians, our hospitals 
and our health plans. IHC has developed state-of-the-art 
electronic medical records and common data bases to facilitate 
this communication, to make certain that our physicians have 
complete information when they treat patients. We have put into 
place an extensive array of enforceable confidentiality 
protections which we constantly improve and update.
    We urge you to ensure that confidentiality legislation does 
not unintentionally prevent the creation of these common 
internal data bases or limit the type of data which can be 
shared within a health delivery system. Such action would 
severely limit a health care system's ability to measure and 
improve the health care outcomes of its patients.
    Individually identifiable information and the ability to 
share it is absolutely integral to the IHC health care 
operations through which we seek to maximize the quality of 
patient health care delivered in our system. Health plans also 
play a major role in improving the health of our members. 
Health plans must be able to link information back to a 
specific individual in the event that a more effective 
treatment protocol or a previously unknown health risk is 
identified and to assist our members to manage their own health 
care.
    For all of these reasons, we respectfully urge you to 
swiftly approve before the August recess the Medical 
Information Protection and Research Enhancement Act which we 
believe will establish important Federal standards to protect 
patient confidentiality which, at the same time, allows these 
important health-enhancing activities to continue.
    Congress, not the Secretary, should set these standards in 
this critical area. We believe this bill will do just that. 
Thank you.
    [The prepared statement of John T. Nielsen follows:]
 Prepared Statement of John T. Nielsen, Senior Counsel and Director Of 
            Government Relations, Intermountain Health Care
                            i. introduction
    My name is John T. Nielsen. I am Senior Counsel and Director of 
Government Relations at Intermountain Health Care (IHC). IHC is an 
integrated health care delivery system based in Salt Lake City and 
operating in the states of Utah, Idaho, and Wyoming. The IHC system 
includes 23 hospitals, 78 clinics and physician offices, 23 outpatient 
primary care centers, 16 home health agencies, and 400 employed 
physicians. Additionally, our system operates a large Health Plans 
Division with enrollment of 475,00 directly insured plus 430,000 who 
use our networks through other insurers.
    IHC's 23,000 employees are keenly aware of their responsibility to 
safeguard personal health information and IHC has invested considerable 
resources in order to develop effective protections and procedures. IHC 
takes seriously its responsibility to use patient identifiable health 
information to optimize not only that patient's health, but the health 
of all patients in the IHC system.
                 ii. importance of federal legislation
    The Health Insurance Portability and Accountability Act of 1996 
(HIPAA) directs Congress to enact federal privacy legislation by August 
21, 1999. That deadline is little more than one month away. If Congress 
fails to act by August 21, 1999, the Department of Health and Human 
Services (HHS) is required to promulgate regulations on privacy 
protection by February 2000. IHC urges Congress to meet the HIPAA 
deadline and to enact strong federal standards which provide uniform 
patient confidentiality protections across the country. IHC is pleased 
to lend its strong and enthusiastic support to H.R. 2470, the Medical 
Information Protection and Research Enhancement Act of 1999, which is 
similar to S. 881, the Medical Information Protection Act of 1999, 
introduced by Senator Robert F. Bennett of Utah, which we also support.
    IHC is committed to working with this Subcommittee and others in 
Congress toward passage of the Greenwood/Bennett bills. The approach 
adopted by these legislators strikes an appropriate balance between 
safeguarding patient identifiable health information and facilitating 
the coordination and delivery of high quality, network-based health 
care, such as that provided at IHC.
    Indeed, striking the right balance is critical to IHC's efforts to 
deliver the best possible patient care. IHC has developed state-of-the-
art electronic medical records and common databases which we use 
extensively not just for treatment and payment but for such fundamental 
quality enhancing activities as outcomes review, disease management, 
health promotion and quality assurance. Not only are these efforts 
essential to optimizing the health of our patients but many are in fact 
required by federal and state programs and regulations and by 
accreditation standards. It is vital that federal confidentiality 
legislation not impede the ability to optimize patient health through 
the use of identifiable health information.
     iii. importance of nationally uniform patient confidentiality 
                              protections
    The delivery of health care today is vastly different than even a 
decade ago. Health care delivery increasingly crosses state lines 
through health system mergers, telecommunications, contractual 
relationships and other mechanisms. Enactment of uniform federal 
confidentiality protections is critical as technology is increasingly 
used to enhance the quality of patient care and to maximize the 
outcomes of health care provided to our patients. Confidentiality 
legislation must ensure national uniformity in recognition of the 
increasingly complex and interstate nature of health care delivery in 
this country.
    Health systems like IHC, which operate across state lines, would 
have enormous difficulty complying with different federal and state 
standards governing disclosure of protected health information. 
Individual state laws create confusion, errors and inefficiencies. The 
nation needs a common national standard for protection of 
confidentiality and privacy. Accordingly, strong federal preemption is 
vital. The Medical Information Protection and Research Enhancement Act 
rightly recognizes the importance of strong federal preemption.
        iv. ihc uses patient information to enhance patient care
    IHC is committed to providing high quality health care to the 
communities it serves, regardless of ability to pay. IHC uses patient 
information to enhance patient care. A few specific examples of IHC's 
health care operations activities undertaken to improve health care 
outcomes are set forth below. The Medical Information Protection and 
Research Enhancement Act would facilitate the appropriate use of 
patient identifiable health information for these quality enhancing 
activities.

 Improved timing of delivery of pre-operative antibiotics to 
        prevent serious post-operative wound infections. Our wound 
        infection rate fell from 1.8 percent to 0.4 percent 
        representing, at just one of our 23 hospitals, more than 50 
        patients per year who now do not suffer serious, potentially 
        life-threatening infections. We also saved the cost of treating 
        those infections, reducing health care costs by an estimated 
        $750,000 per year at that one hospital.
 Improved support for inpatient prescriptions. A computerized 
        order entry system warns physicians, at the time they place the 
        order, of potential patient allergies and drug-drug 
        interactions. It also calculates ideal dose levels, using the 
        patient's age, weight, gender, and estimates of patient 
        specific drug-absorption and excretion rates, based on 
        laboratory values. That system has reduced adverse drug events 
        (allergic reactions and drug overdoses) to less than one-third 
        of their former level--significantly reducing the primary 
        treatment-related risks that patients face while hospitalized.
 Improved management of mechanical respirators for patients 
        with acute respiratory distress syndrome (ARDS). In the most 
        seriously ill category of ARDS patients, mortality rates fell 
        from more than 90 percent to less than 60 percent. Costs of 
        care, per patient who lived, fell by about 25 percent.
 Improved management of diabetic patients in an outpatient 
        setting. The proportion of patients managed to normal blood 
        sugar levels (hemoglobin A1c < 7.0%) improved from less than 30 
        percent (typical for a general internal medicine practice) to 
        more than 70 percent. Major studies of diabetes demonstrate 
        that that shift in blood sugar control will translate to 
        significantly less blindness, kidney failure, amputation, and 
        death. Others indicate that it should reduce the costs of 
        medical treatment for diabetic patients by about $1,000 per 
        patient per year.
 Improved treatment of community-acquired pneumonia. By helping 
        physicians more appropriately identify patients who needed 
        hospitalization, choose appropriate initial antibiotics, and 
        start antibiotic therapy quickly, we were able to reduce 
        inpatient mortality rates by 26 percent. That translates to 
        about 20 patients saved in the ten small rural IHC hospitals 
        where we first worked on this aspect of care delivery. It also 
        reduced treatment costs by more than 12 percent.
 Accountability for health care delivery performance. IHC has 
        begun to assemble and report medical outcomes, patient 
        satisfaction outcomes, and cost outcomes for major clinical 
        care processes that make up more than 90 percent of our total 
        care delivery activities. We aggregate and report those data at 
        the level of individual physicians; practice groups (e.g., 
        clinics); hospitals; regions; and for our entire system. We use 
        the resulting reports to hold health care professionals and our 
        system accountable for the care we deliver to our patients, and 
        to set and achieve care improvement goals. We believe that this 
        system will eventually allow IHC to accurately report our 
        performance at a community, state and national level, to help 
        individuals and groups make better choices in the United 
        States' competitive health care marketplace.
    Nearly all of IHC's 60-plus improvement projects, including the 
examples listed above, had to do with care delivery execution--
consistently applying the best available current medical information--
rather than the generation of new biomedical knowledge. Some of these 
initiatives directly improved medical outcomes for patients. Some 
primarily produced significant reductions in the cost of health care 
while demonstrably maintaining excellent medical outcomes, thus 
improving (albeit indirectly) affordability of and access to health 
care services. Many did both at once--improved medical outcomes while 
reducing costs.
    All of these activities relied on information--not just information 
at the level of individual patients, but information on populations of 
patients. We use that population-level information for operational care 
delivery--execution--not just ``generation of new generalizable 
knowledge''--research. Medicine is inherently an information science. 
In general, the better objective data we have--with regard both to 
clinical theory, the information we use to care for a specific patient, 
and support to deliver the right care at the right time--the better 
diagnoses we can make, the better treatments we can offer and the 
better patient outcomes we can achieve.
    Many recent, significant improvements in patient medical outcomes 
grew out of better health care delivery execution--that is, health care 
delivery operations. While the distinction between health care delivery 
operations and health research are clear at the extremes, it quickly 
turns to shades of grey at the center. No one has been able to produce 
a rigorous, functional definition to distinguish the two classes except 
at the extremes. It depends upon the intent of those examining the 
data.
    National policy mistakes in this area--policies that 
inappropriately slow health care delivery, where other choices could 
have adequately protected patient confidentiality and privacy without 
raising functional barriers to care delivery execution--will be 
measured not just in increased health care costs, but in human lives. 
IHC urges this Subcommittee and others in Congress to work toward 
enactment of the Medical Information Protection and Research 
Enhancement Act because it recognizes the importance of patient 
identifiable health information and permits the appropriate flow of 
health information within a health care delivery system.
  v. ihc recognizes the central importance of the confidentiality of 
   medical records and has set forth numerous internal procedures to 
                        protect confidentiality
    IHC supports strong uniform federal confidentiality standards that 
buttress our health care delivery and clinical research work. Speaking 
through our community-based Board of Trustees, IHC has placed 
appropriate protection of patient confidentiality and privacy near the 
front of our institutional values. Those values complement a parallel 
mission to provide the best possible health maintenance and disease 
treatment to those who trust their care to our hands. On the eve of the 
21st century, the best possible health maintenance and disease 
treatment is only possible when health care delivery operations use 
population-level patient data as well as individual patient data.
    IHC uses enforceable corporate policy to maintain confidentiality 
(for health care professionals and employees, as well as patients) in 
those areas that are clearly health care delivery operations (for 
example, direct patient care delivery; billing for services; quality 
review of individual patient records, including such activities as 
mortality and morbidity conferences; resource planning, unit 
performance evaluation, quality improvement and disease management; and 
retrospective epidemiologic evaluations of program performance). The 
core of those policies and enforcement activities include:

 We require every employee, health care professional, 
        researcher or volunteer to sign a confidentiality agreement 
        stating that they will only look at or share information for 
        the specific purpose of performing their health care delivery 
        assignment on behalf of our patients.
 We require each new employee to undergo training with respect 
        to IHC confidentiality policies. These policies are set forth 
        in a draft manual, which already numbers more than 60 pages and 
        represents more than five years of careful discussion and 
        cross-testing.
 We impose consequences--including termination--for improper 
        use or handling of confidential information.
 To the extent that we have implemented an electronic medical 
        record, we are able to monitor access to patient records (an 
        ability not present in the paper record). We use that system as 
        one important means to monitor and enforce our confidentiality 
        policy. In the near future, we will bring on-line the ability 
        for any patient to review a list of every individual who has 
        ever accessed their electronic medical record, for any purpose.
 We utilize software controls including warnings on front log-
        on screens, unique log-on passwords, and computerized audit 
        trails. In the near future, we hope to be able to implement 
        biometric log-on--where anatomic features (such as 
        fingerprints) uniquely identify each computer user at each 
        interaction.
vi. irb review must not be required for health care delivery operations 
  and execution. irb review is not the most effective way to protect 
                        patient confidentiality.
    IHC requires full Institutional Review Board (IRB) review, approval 
and on-going oversight for any research project that involves (1) any 
experimental therapy; (2) patient randomization among treatment 
options; or (3) patient contact for research purposes. Indeed, the IHC 
system has 12 IRBs, but we do not look to IRBs as our sole--or even our 
primary--means to protect confidentiality. Most of the risks to patient 
confidentiality come in day-to-day patient care, as physicians and 
nurses routinely access identifiable patient medical records, both 
paper and electronic, to deliver that care. Instead, we rely upon the 
extensive array of enforceable policies and procedures discussed above. 
In the same vein, a recent GAO Report affirms that IRBs ``rely on 
organizational policies to ensure the confidentiality of information 
used in projects using personally identifiable medical information'' 
\1\ and that ``the organizations . . . contacted have taken 
steps to limit access to personally identifiable information.'' \2\
---------------------------------------------------------------------------
    \1\ U.S. General Accounting Office Report to Congressional 
Requesters, Medical Records Privacy: Access Needed for Health Research, 
but Oversight of Privacy Protections Is Limited, GAO/HEHS-99-55, p16.
    \2\ Id. at 4.
---------------------------------------------------------------------------
    If IRB review of each of these health care operations activities 
were required, many--if not most--of the operational care delivery and 
health outcome improvements described above could not function on a 
day-to-day basis. The volume of review would be staggering, far beyond 
the capacity of any reasonable system of individual review and follow-
up oversight. While IHC has 12 fully functioning IRBs spread throughout 
our integrated health care delivery system, we do not look to these 
IRBs to protect the confidentiality of individually identifiable 
patient information for daily care delivery operations and execution. 
That protection arises, instead, from IHC-wide policy with 
administrative enforcement.
    As the GAO report rightly recognizes ``IRB review does not ensure 
the confidentiality of medical information used in research because the 
provisions of the Common Rule related to confidentiality have 
limitations.'' \3\ Moreover, the report further acknowledges 
that ``it is not clear that the current IRB-based system could 
accommodate more extensive review responsibilities.'' \4\ If 
IRB review of quality improvement activities were required, our 
system's ability to conduct these fundamental quality-enhancing 
activities would be severely impeded.
---------------------------------------------------------------------------
    \3\ Id. at 3.
    \4\ Id. at 21.
---------------------------------------------------------------------------
    IHC uses patient-identifiable health information to generate 
literally hundreds of operational analyses each day that improve the 
quality of health care. These quality improvement activities focus on 
both the processes of delivering care as well as on the outcomes of 
care. They include health promotion and disease prevention, disease 
management, outcomes evaluation for internal program management, and 
utilization management. As discussed above, IHC recognizes the vital 
importance of medical records confidentiality and has established 
numerous internal procedures to protect confidentiality.
    Because it is so difficult to precisely define and distinguish 
between quality improvement-based internal operations and true clinical 
research activities, internal confidentiality policies and procedures 
accompanied by stiff penalties are far more effective in safeguarding 
patient confidentiality than mandating that quality improvement 
activities undergo IRB review. As the GAO Report acknowledges, the IRB 
process is already overburdened and is not designed to protect patient 
confidentiality. A care delivery system's ability to improve quality 
and deliver top-tier care would seriously be jeopardized if all of 
these activities were required to undergo IRB review.
    IHC endorses the approach of the Medical Information Protection and 
Research Enhancement Act which acknowledges that requiring internal 
operations activities to undergo IRB review will not safeguard patient 
confidentiality. Instead, requiring a system-wide commitment and 
process with respect to safeguarding personal health information will 
better protect privacy.
         vii. the role of institutional data review committees
    IHC's Information Security Committee recommends policy to IHC's 
Board of Trustees, and individually examines and acts upon all projects 
that fall into the definitional grey area between operations and 
research. The Information Security Committee reports directly to IHC's 
Board of Trustees. Its members include research scientists; experts in 
medical informatics; practicing clinicians; medical ethicists; a 
knowledgeable community member not associated with IHC or with other 
health care delivery or research; and senior managers from IHC's care 
delivery operations. As an extended quorum, all IRB chairpersons 
working within IHC also attend to discuss problems and recommend policy 
supporting IRB function throughout the IHC system. A full record of 
each meeting is generated and maintained.
    IHC's Information Security Committee is an example of what the 
American Medical Informatics Association, in its recommendations on 
confidentiality protection when electronic medical records are used, 
calls a Data Review Committee. While structured very like an IRB, it 
adds an essential organizational element: a Data Review Committee is 
specifically charged to generate and enforce confidentiality policies 
within an organization, in addition to reviewing specific projects. An 
organization of IHC's size generates literally hundreds of operational 
analyses that access patient information every day. Especially when 
precise definitions are impossible, enforceable organization-level 
policy is far more effective in protecting confidentiality and privacy 
than is any attempt at individual review of such massive numbers of 
projects.
 viii. electronic medical records enhance individual patient care and 
      simultaneously improve health care delivery for all patients
A. Patients Must Not be Permitted to Opt Out of Quality Enhancing 
        Activities
    IHC uses an electronic medical record because of the significant 
improvements in medical outcomes and health care costs that that tool 
has allowed. Because it is such an essential part of daily operations, 
IHC cannot functionally allow patients to opt out of using our 
electronic medical record, without sacrificing (1) our ability to 
deliver excellent care to the individual involved and (2) our ability 
to provide good care to the rest of our patients. For example, our 
laboratory analyzers feed directly into our computer system. When IHC 
committed to that link, we not only significantly improved our ability 
to deliver excellent care to all of our patients, but also necessarily 
lost our ability to process blood laboratory tests without using the 
electronic medical record. Permitting patients to opt out would cripple 
IHC's ability to improve the health care quality of all of our 
patients. Even the loss of 3-4% of a patient population would greatly 
skew results. Moreover, from a functional perspective, given our use of 
electronic medical records, IHC could not logistically provide for 
patients to opt out of the various health promotion, disease management 
and other quality enhancing activities we routinely undertake.
B. Patient Requests to Alter their Medical Records
    Because some providers like IHC are now using electronic medical 
records and other providers are increasingly using electronic medical 
records, IHC suggests that a patient's request to amend his or her 
medical record or a statement of a patient's disagreement with the 
content of a medical record be reflected in that medical record not by 
inclusion of the patient's entire written request or letter but by a 
notation or summary. The requirement in some legislative proposals for 
the inclusion of the full request or disagreement is impracticable 
given the increasing use of electronic medical records in the delivery 
of health care.
C. Patient Revocation of Authorization
    Our physicians are legally and ethically bound to provide the best 
care they can for each patient. In order to do this, complete and 
accurate medical information is needed. If patients were permitted to 
deny consent for use of their medical records information, not only 
would their individual care be compromised, but ongoing efforts to 
improve health care quality and the validity and reliability of studies 
would be seriously jeopardized. Patients must not be empowered to pick 
and choose which information from their records should be made 
available to their physician and others with responsibility for caring 
for them. Instead, federal legislation should rely on severe penalties 
for misuse of information. The Medical Information Protection and 
Research Enhancement Act appropriately recognizes the necessity of 
ensuring that health care providers base decisions on the best possible 
information.
                      ix. statutory authorization
    The Secretary of Health and Human Services proposed a statutory 
authorization in her confidentiality recommendations. The National 
Association of Insurance Commissioners likewise incorporated this 
approach in their Model Act. A statutory authorization would authorize 
by law widely accepted uses of patient identifiable health information 
such as treatment, payment and the health care operations activities 
described above.
    IHC is pleased that the Medical Information Protection and Research 
Enhancement Act of 1999 includes a statutory authorization. This 
approach, combined with the strong penalties for misuse of information 
found in all of the legislative proposals on this issue, allows for 
appropriate access to identifiable health information while protecting 
patient confidentiality.
    Ultimately, should Congress not adopt a statutory authorization, 
legislation must make clear that a signed patient authorization each 
time a provider and patient interact within a delivery system or 
network-based health plan is not required. Likewise, it is vitally 
important that the legislation allow health systems to engage in 
activities related to health promotion, disease management, quality 
assurance, utilization review, and related research without requiring 
separate patient authorization for each subsequent use of patient 
information. Such a requirement would be enormously burdensome for both 
providers and patients and, after the plan's initial ``consolidated 
authorization'' is signed by the patient, would serve no additional 
purpose. IHC additionally urges that a health plan enrollee be 
permitted to sign one authorization form on behalf of that enrollee's 
covered dependents. Requiring each individual family member to sign a 
separate authorization form would be unwieldy at best, burdensome on 
the enrollee, and could result in the delay of needed care.
               x. applicability to all health information
    Federal legislation should apply equally to all types of health 
information, including genetic information. This is important because 
all individually identifiable health information is sensitive and 
should be afforded the same protections against inappropriate 
disclosure.
           xi. penalties for misuse of protected information
    All of the various legislative proposals include significant 
penalties for unauthorized use of patient identifiable health 
information. These are important to deter misuse of information. They 
should, however, be made consistent with the penalties included in 
HIPAA.
                  xii. cause of action by individuals
    If Congress is able to meet the HIPAA deadline and enact 
confidentiality legislation, patients across the country will--for the 
first time--benefit from strong federal protections for patient 
identifiable information. Given the groundbreaking nature of this 
legislation and the significant criminal and civil penalties already 
provided for in the various legislative proposals, the inclusion of a 
private right of action is unnecessary. Moreover, it is our experience 
at IHC that breaches in the confidentiality of patient identifiable 
health information are not at all common. Additionally, inclusion of a 
private right of action would likely give rise to an entirely new 
plaintiff's bar, greatly increasing expensive and unpredictable private 
litigation. The penalty provisions in the various proposals, including 
the legislation before this Subcommittee, are already stringent; the 
addition of a cause of action is not merited.
                         xiii. law enforcement
    IHC feels that patient confidentiality legislation is an 
inappropriate venue for revision of probable cause and other standards 
now governing the access to patient records of law enforcement 
officials. Instead, confidentiality legislation should be law 
enforcement neutral. To the extent that confidentiality legislation 
touches on law enforcement's access to identifiable information, access 
should only be available after a request has been approved through a 
process that involves a neutral magistrate.
                               xiv. close
    As an integrated health care delivery system, IHC is responsible 
for the health outcomes of the patients who seek care from our system. 
In order to treat our patients and improve the health outcomes of the 
entire population we serve, we must be able to share information among 
IHC corporate entities--our physicians, our hospitals, and our health 
plans. IHC has developed state-of-the-art electronic medical records 
and common databases to facilitate this communication and to make sure 
our physicians have complete information when treating patients. We 
have put in place an extensive array of enforceable confidentiality 
protections which we constantly improve and update.
    IHC urges this Subcommittee to ensure that confidentiality 
legislation does not unintentionally prevent the creation of these 
common internal, operational databases or limit the type of data which 
can be shared within an integrated delivery system. Such action would 
severely limit a health system's ability to measure and improve the 
health outcomes it provides those who seek its services.
    The outstanding health care our physicians, nurses, and others 
deliver through IHC's network-based system relies on the coordination 
of patient care and effective quality improvement activities. 
Individually identifiable health information is integral to IHC's 
health care operations, through which we seek to maximize the quality 
of patient care delivered in the IHC system. I urge you to swiftly 
approve--before the August recess--the Medical Information Protection 
and Research Enhancement Act, which will establish uniform federal 
standards to protect patient confidentiality while at the same time 
allowing these important activities to continue.

    Mr. Bilirakis. Thank you very much, Mr. Nielsen.
    Dr. Tang.

                   STATEMENT OF PAUL C. TANG

    Mr. Tang. Thank you. Mr. Chairman, Mr. Greenwood, Members 
of the committee, thank you very much for permitting me to 
testify before you on this very important topic. My name is 
Paul Tang. I am a practicing internist and Medical Director of 
Clinical Informatics at Palo Alto Medical Clinic in California 
and Vice President of Epic Research Institute, working on 
computer-based patient record systems, or CPRs.
    I am here because I have a passionate desire to provide the 
best quality care for my patients, and I think all caregivers 
have the legal and ethical obligation to protect the 
confidentiality of their patients' health data. In my mind, 
these two objectives are inextricably linked. I would like to 
begin by describing the status quo in medical recordkeeping, 
then explain a little bit on how CPR has improved that 
situation and to discuss how confidentiality legislation 
impacts quality of care.
    First, the status quo. In an observational study I did a 
few years back at Stanford we found that in 81 percent of 
clinic visits physicians did not have all the information they 
needed to take care of their patients that day. In fact, on 
average, they were missing four pieces of information for each 
visit. This is not optimal. Unfortunately, neither is it 
atypical.
    Regrettably, the situation in confidentiality is no better. 
If someone requests the medical record, it is an all or nothing 
phenomenon, and if the record can be found, and 30 percent of 
the time it can't be found, the requester is free to look at any 
part of the record and no one will even know. It is this 
situation that makes it impossible for us to enforce 
confidentiality policies and to hold people accountable for 
their actions.
    In 1991, the Institute of Medicine recommended that the 
United States adopt CPRs as the standard for medical records. 
They did this primarily because they thought it would improve 
the quality of care. In addition, it can increase our ability 
to protect the confidentiality of health information. For 
example, the CPR can limit access by a patient. So in contrast 
to common practice, where in a hospital almost anyone can look 
at a record, a CPR user can be limited only to those patients 
with which the user has a professional relationship.
    Second, access to elements of a record can be restricted. 
So, for example, HIV test results can be marked as sensitive 
and restricted only to the ordering physician or the primary 
care physician.
    Third, access to visits in mental health could be 
restricted to mental health providers.
    Fourth and finally, and probably most importantly, all 
accesses to and updates of the record can be logged in audit 
trails and these audit trails can be analyzed to monitor and 
enforce confidentiality policies. Once again, in contrast to 
paper records, with the CPR, I can tell you who has access to 
your record and what they have looked at.
    In short, a CPR gives us tools to increase the overall bar 
of protection of confidentiality for all patient data. I know 
that we all recognize that striking a balance between the needs 
of the caregiver and the need to protect information is 
difficult; and we all want to do the right thing, but as we 
work out the details of the legislation, I think we need to be 
careful about not letting good intentions interfere with good 
care.
    For example, one approach to protecting patient data is to 
enumerate all the potentially sensitive personal data and to 
segregate that data. Unfortunately, to the extent that we are 
successful in hiding this information, we will undermine much 
of the benefit that computerizing records can provide us in the 
first place. In effect, we will have returned back to the 
status quo of having incomplete information for almost 
everybody.
    An alternative approach and one that I would favor is to 
give physicians and patients the benefit of having all 
information when they are making decisions and at the same time 
raising the overall bar of protection for all data.
    Finally, let me address the uniform confidentiality laws. 
Many provider organizations take care of patients across State 
borders. I think it would be confusing to patients and 
burdensome for providers to have to face State-by-State 
regulations. Like politics, health care is local, but I think 
our ethical and legal obligations to protect the 
confidentiality of patient data should be universal.
    So, in summary, in my experience, CPRs can definitely 
enhance the quality of care, and they can definitely improve 
our ability to protect confidentiality of health data. However, 
we need balanced legislation in order to permit us to 
effectively use these tools to achieve the benefits I described 
and that the Institute of Medicine envisioned.
    I think Mr. Greenwood's bill introduced this week is an 
example of balanced legislation that preserves the integrity of 
the record while assuring uniform protection for all. In short, 
we need confidentiality legislation to continuously improve the 
quality of health for all Americans. I thank you again for 
letting me testify before you, and I will be happy to answer 
any questions.
    [The prepared statement of Paul C. Tang follows:]
   Prepared Statement of Paul C. Tang, Medical Director of Clinical 
                 Informatics, Palo Alto Medical Clinic
    Mr. Chairman, Members of the Committee, thank you for the 
opportunity to testify on this very important topic--protecting the 
confidentiality of patient data. My name is Paul Tang. I am a 
practicing internist and Medical Director of Clinical Informatics at 
the Palo Alto Medical Clinic in California and Vice President of Epic 
Research Institute, working on computer-based patient record systems. I 
also serve on the Boards of the American Medical Informatics 
Association (AMIA), the Joint Healthcare Information Technology 
Alliance (JHITA), the Computer-based Patient Record Institute (CPRI), 
and the American College of Medical Informatics (ACMI).
    I am here today because I have a passionate desire to provide high 
quality care for my patients and I firmly believe that all health care 
providers have an ethical obligation to protect the confidentiality of 
their patients' health data. In my mind, these two objectives are 
inextricably linked. Consequently, your decisions regarding 
confidentiality legislation will directly affect the care that I can 
deliver.
    I will begin by describing the inadequacies of the status quo in 
medical record-keeping, then speak briefly about the capabilities of 
computer-based patient records (CPRs) to address these needs, and 
conclude by discussing implications of confidentiality legislation on 
quality of care.
    First, I need to tell you more about the status quo. In 1989, the 
Institute of Medicine initiated a study to look at ways of improving 
medical records in light of new information technology. During the 
committee deliberations, it was widely felt that the paper medical 
record left much to be desired. However, the literature did not contain 
empirical information about how broken the system really was. I later 
conducted a study at Stanford to gather the missing empirical data, and 
the results do not paint a pretty picture. When we observed physicians 
making patient care decisions in ambulatory care, we found that in 81 
percent of the visits, physicians did not have all the information they 
needed in order to make decisions on their patients, even though they 
had the paper record 95% of the time. On average, physicians were 
missing 4 pieces of information during each visit. In one visit, a 
physician was missing 20 pieces of information. That is, physicians 
routinely have to choose between making a decision without the 
available information, rescheduling the patient for another visit in 
hopes that information will then become available, or repeating the 
test. Needless to say, none of these options is optimal. But, this is 
the standard of practice. In other words, we probably should be 
advising our patients that when they walk into a doctor's office they 
should expect that their physicians will be making decisions on their 
health care without all the available information.
    I recall receiving a letter from a cardiologist pointing out the 
need for computer-based patient records in the hospital. One of his 
patients sustained a rare life-threatening side effect of a medication 
and was miraculously saved by an experimental treatment only to be 
given a medication later in her hospital stay to which she was 
allergic. Fortunately, by that time, she was alert and was able to 
refuse the medication. A CPR system could have warned the physician 
ordering the medication and prevented the near mishap.
    Regrettably, the status quo for confidentiality is not much better. 
When a person requests a paper medical record, it is an all or nothing 
proposition. If the record can be found (30 percent of the time it 
cannot be found), the reader is free to look at any part of the record, 
and no one will know. The situation where a record and all of its 
contents are open to many eyes for any and all uses makes it impossible 
for us to enforce confidentiality policies and to hold people 
accountable for their actions. Like you, I find both these situations 
unacceptable--that doctors must routinely make decisions without all 
the relevant patient information and that we cannot adequately protect 
the confidentiality of patient data using paper records.
    Fortunately, both of these problems can be dealt with by following 
the recommendations of the 1991 Institute of Medicine study on medical 
records, which concluded that the computer-based patient record is an 
essential technology for health care. Based on my past experience at 
Northwestern and my recent experience at Sutter Health, I can tell you 
that using a computer-based patient record (CPR) improves the quality 
of medical decisions and compliance with clinical guidelines. Let me 
cite a brief example of this. It is well documented that giving a flu 
vaccine to people 65 years and older reduces the mortality from flu-
related complications by one-half, reduces flu-related hospital 
admissions by one-half, and reduces the cost of care by one-half. In 
effect, if you extrapolate these results, every time a flu vaccine is 
administered, it would save the country $117. Unfortunately, according 
to figures from the CDC and the literature, physicians routinely 
administer flu vaccines to approximately 50 percent of the eligible 
population. However, we and others have found that simple reminders 
provided by the computer at the time of a patient visit can 
dramatically increase the compliance with these simple, but effective 
guidelines. In a study we conducted at Northwestern, flu vaccine rates 
went up 78 percent for a group of physicians using a CPR compared to a 
control group in the same clinic that continued to use paper records.
    In addition to helping physicians deliver better healthcare, a CPR 
can substantially improve our ability to protect the confidentiality of 
patient information. The guiding operational principle is that 
healthcare professionals should only have access to those data for 
which they have a professional need to know. The CPR has a number of 
capabilities to help ensure that this is the case. First, the CPR 
system can limit access by patient. In contrast to common practice 
where almost anyone in a hospital can access any patient record, a CPR 
can limit a user's access to those patients for which the user has a 
professional relationship. Second, a CPR can limit the type of access 
based on the role of the user. For example, a physician may have 
complete access to a patient's record, but a clerk would only have 
limited access to administrative information about the patient. Third, 
access to specific elements of a record may be restricted. For example, 
an HIV test order and its results may be classified as sensitive and 
accessible only by the ordering physician or primary care provider. In 
addition, a visit where sensitive issues are discussed can be afforded 
similar protection by granting access only to the patient's physician. 
Fourth, access to visits in mental health departments could be 
restricted to mental health providers. Fifth, and probably the most 
important, all accesses to and updates of information in a CPR are 
logged and audit trails can be analyzed to monitor and enforce 
compliance with confidentiality laws and policies. Once again, in 
contrast to the paper record, with a CPR we can provide patients with a 
report of anyone who has accessed their record and what was examined. 
It is clear that using computer-based patient records gives us 
significant capability to raise the bar of protection for all 
confidential patient information.
    What are the implications for confidentiality legislation? I think 
we all recognize that striking a balance between the information needs 
of physicians caring for patients and the need to control access to 
information is difficult and we all want to do the right thing. As the 
details of the legislation are worked out, however, we need to be 
careful not to let good intentions interfere with good care. For 
example, one approach to protection of patient data is to enumerate all 
potentially sensitive personal data and to segregate those data--
rendering them more difficult to access. Unfortunately, to the extent 
that we succeed at hiding information, we will undermine much of the 
benefit of computerizing the record for the very people who care the 
most--the physician and the patient. In effect, we will have returned 
to the status quo that I described at the beginning of my testimony--
that of incomplete information for almost everybody. An alternative 
approach, and one that I favor, is to give physicians and patients the 
benefit of making decisions based on information, but at the same time 
to raise the bar of confidentiality protection for all data using the 
capabilities of CPRs.
    An analogy in patient care comes to mind. In the 1980s, health care 
providers wore gloves to protect them from blood-borne infectious 
diseases. This special precaution inadvertently became a marker for 
identifying patients with blood-borne diseases, which included AIDS 
patients. Consequently, a new policy called universal precautions was 
adopted where all patients are treated the same and gloves are worn 
anytime a health professional could potentially be exposed to blood. 
This approach accomplishes two things: it raises the general awareness 
among all caregivers about their everyday responsibility for preventing 
the spread of communicable diseases, and from the patient's 
perspective, everyone is treated the same; no one is inadvertently 
identified.
    Likewise, I propose that instead of dissecting a patient's record 
into special pieces of information, which is likely to interfere with 
the care process, we should treat all patient information as highly 
confidential. Following my analogy to universal precautions, we would 
be preventing the spread of confidential data by treating all data the 
same. I would rather promote a new standard for confidentiality and 
hold providers to that higher standard for all data.
    Under what conditions should provider organizations disclose 
identifiable patient information? The bills before Congress agree on 
treatment and payment reasons. What continues to be debated is the 
phrase ``health care operations.'' While I am not in a position to 
enumerate every conceivable activity that could be covered, I can list 
some obvious examples of activities I think need to continue without 
separate disclosures. Among these activities are quality management, 
peer review, clinical teaching, disease management, quality reporting, 
and clinical research. What should not be allowed? Use of the 
information for any discriminatory practices. As lawmakers, you must 
draw the lines between what uses of health information should be 
permitted and which should not, probably in separate anti-
discrimination laws. As a physician, however, I am concerned that 
encouraging patients to ``opt out'' of information systems (either by 
segregating information or through self-payment) can impair the quality 
of care not only for the individuals but for all of us.
    Finally, let me address the issue of uniform confidentiality laws. 
Many provider organizations care for patients from multiple states. 
Implementing confidentiality regulations on a state-by-state basis 
would be confusing for patients and burdensome for providers. The 
standards which protect the confidentiality of health information 
should not depend upon geography. Like politics, health care may be 
local, but the ethical and legal obligation to protect confidentiality 
should be universal.
    In my experience, using CPRs can definitely enhance the quality of 
care by helping physicians make informed decisions, while also 
substantially improving protection of confidentiality. However, we need 
balanced confidentiality legislation to effectively use this tool to 
achieve the benefits that I described and that the Institute of 
Medicine envisioned. In summary, we need your legislation to 
continuously improve the health of all Americans.
    Again, thank you for the opportunity to appear before you today. I 
will be happy to answer any questions.

    Mr. Bilirakis. Thank you very much, Doctor.
    Justin and Ms. Pawlak.

                    STATEMENT OF LINDA PAWLAK

    Ms. Pawlak. Good morning, Mr. Chairman and members of the 
subcommittee. My name is Linda Pawlak.
    My son Justin has asthma. Justin was diagnosed with asthma 
approximately 8 1/2 years ago. At the moment of his diagnosis, 
our lives changed. We lived in fear, as his illness pervaded 
every aspect of our lives. Because his illness was 
unpredictable, we placed restrictions on Justin and on our 
family in a vain attempt to circumvent an asthma attack, but 
because we were not appropriately managing his asthma, we were 
ill equipped to prevent these devastating attacks. The illness 
had complete control.
    After approximately a year and a half of suffering, Justin 
came under the care of a wonderful asthma specialist who taught 
us that asthma was a disease requiring diligent management, 
even when he wasn't ill. Justin's health improved. However, the 
big change didn't occur until we were told about, and began to 
participate in, an asthma management program called The Asthma 
and Allergy Support Center.
    When Justin became a part of the program, he began logging 
onto a secured Web site on a daily basis. On his own personal 
Web page Justin began entering his daily peak flows, 
medications, symptoms and the potential triggers to which he 
had been exposed. Justin's doctor also logs onto his Web page 
on a daily basis to review Justin's progress. This sharing of 
information has allowed us and Dr. Bill to identify patterns 
and trends in Justin's daily management that would otherwise 
never have become apparent. These discoveries have led to 
better control of Justin's illness and a normalization of our 
lives. This sharing of data has also provided his physician 
with valuable information, information that could provide 
future improvement not only for Justin but for many of his 
other patients as well.
    For many of his young years, Justin spoke of becoming a 
scientist so that he could find a cure for asthma. Since 
beginning on this management program, Justin no longer speaks 
of becoming a scientist in the future. He realizes that the 
information derived from his participation in this program 
could be the clue to crucial breakthroughs in asthma. He knows 
that he could be helping to find a cure for asthma today, 
tomorrow and well into the future.
    As a mother, I am eternally grateful to the physician and 
staff members who identified Justin for potential participation 
in this program. It has changed our lives, just as it and other 
similar programs could change the lives of many others who bear 
the burden of ill health. Any legislation that would impede the 
use of information for research, that could cure this disease, 
or that would prevent others from learning about similar 
disease management programs, would be a terrible mistake. That 
is why we think Congressman Greenwood's bill is a step in the 
right direction.
    If anyone is interested, we do have the computer here with 
us so that anyone who would care to can see what Justin does on 
a daily basis.
    Thank you.
    Mr. Bilirakis. Thank you, Ms. Pawlak. Justin, would you 
have anything you would like to add? Your mom has plenty of 
time left. You can do it.
    Master Pawlak. Not really. Mostly what she said in her 
speech is the same thing that I would say.
    Mr. Bilirakis. She checked with you first, though, before 
she completed it. Thank you.
    [The prepared statement of Linda Pawlak follows:]
             Prepared Statement of Linda and Justin Pawlak
    Good morning Mr. Chairman and members of the Subcommittee. My name 
is Linda Pawlak. My son, Justin, has asthma. Justin was diagnosed with 
asthma approximately eight and a half years ago. At the moment of his 
diagnosis, our lives changed. We lived in fear, as his illness pervaded 
every aspect of our lives. Because his illness was unpredictable, we 
placed restrictions on Justin, and on our family, in a vain attempt to 
circumvent an asthma attack. But because we were not appropriately 
managing his asthma, we were ill equipped to prevent these devastating 
attacks. The illness had complete control.
    After approximately a year and a half of suffering, Justin came 
under the care of a wonderful asthma specialist who taught us that 
asthma was a disease requiring diligent management, even when he wasn't 
ill. Justin's health improved. However, the big change didn't occur 
until we were told about, and began to participate in, an asthma 
management program called The Asthma and Allergy Support Center.
    When Justin became a part of the program, he began logging onto a 
secured Website on a daily basis. On his own personal webpage, Justin 
began entering his daily peak flows, medications, symptoms, and the 
potential triggers to which he had been exposed. Justin's doctor also 
logs onto his webpage on a daily basis to review Justin's progress. 
This sharing of information has allowed us (and Dr. Bill) to identify 
patterns and trends in Justin's daily management that would otherwise 
never have become apparent. These discoveries have led to better 
control of Justin's illness and a normalization of our lives. This 
sharing of data has also provided his physician with valuable 
information, information that could provide future improvement not only 
for Justin, but for many of his other patients as well.
    For many of his young years, Justin spoke of becoming a scientist 
so that he could find a cure for asthma. Since beginning on this 
management program, Justin no longer speaks of becoming a scientist in 
the future. He realizes that the information derived from his 
participation in this program could be the clue to crucial 
breakthroughs in asthma. He knows that he could be helping to find a 
cure for asthma today, tomorrow, and well into the future.
    As a mother, I am eternally grateful to the physician and staff 
members who identified Justin for potential participation in this 
program. It has changed our lives, just as it (and other similar 
programs) could change the lives of many others who bear the burden of 
ill health. Any legislation that would impede the use of information 
for research, that could cure this disease, or that would prevent 
others from learning about similar disease management programs, would 
be a terrible mistake. That's why we think Congressman Greenwood's bill 
is a step in the right direction.

    Mr. Bilirakis. Dr. Appelbaum.

                  STATEMENT OF PAUL APPELBAUM

    Mr. Appelbaum. Mr. Chairman, I am Paul Appelbaum, M.D., 
testifying on behalf of the American Psychiatric Association. I 
am Professor and Chair of the Department of Psychiatry at the 
University of Massachusetts Medical School, where I treat 
patients and oversee our department's biomedical and health 
services research, including our medical records-based 
research.
    Mr. Chairman, ranking member Brown, I would like to thank 
you for the opportunity to testify today. I would also like to 
thank the members of the committee and Representatives 
Greenwood, Waxman and Markey, in particular, who have focused 
the committee's attention on medical records privacy by 
introducing comprehensive legislation.
    Recently, several Commerce Committee members, including Mr. 
Markey and Mr. Whitfield, have raised major and, we believe, 
very important privacy concerns about the HCFA regulations, 
dubbed OASIS, and were helpful in dealing with that issue.
    Based on our initial analysis of the proposed legislation, 
the APA is particularly concerned by H.R. 2470's lack of any 
consent process for patients, the preemption of stronger State 
privacy laws and the lack of essential privacy protections for 
patients in general and employees of corporations in 
particular. Our concerns are heightened by the fact that there 
are major features of this legislation which represent 
disturbing departures from most other legislative proposals in 
this area.
    First, this legislation is the first Republican 
comprehensive medical records proposal which completely 
discards the time-tested approach of consent or authorization 
from patients before use or disclosure of medical records. If 
this legislation were enacted into law, it would mark a 
fundamental change in a key principle of patient privacy. Of 
course, to be meaningful, consent needs to be informed, 
voluntary and noncoerced, and many provisions of the 
legislation introduced by Representative Markey are valuable in 
this respect.
    Second, unlike many of the other legislative proposals, 
H.R. 2470 does not contain specific prohibitions on employer 
access to medical records. We are gratified to hear Mr. 
Greenwood's statement that he intends to address this issue.
    Third, we strongly urge reconsideration of H.R. 2470's 
blanket preemption of State medical records privacy laws. 
Again, the result of this preemption is that patients would 
lose important privacy protections that they now enjoy. Equally 
important, the States will lose the opportunity to enact 
stronger patient privacy laws in the future. In fact, at this 
point, 56 medical records confidentiality bills have passed at 
least one chamber of a State legislature this year. We support 
the approach in the Condit-Waxman-Markey bill which protects 
stronger State laws from preemption.
    I would like to give you a concrete example to illustrate 
the unintended consequences that H.R. 2470 might have. I would 
like you to imagine that you are going into your doctor's 
office, and the doctor gives you a comprehensive physical 
examination. He takes your blood, he runs some lab tests. It 
all sounds harmless enough. After all, you have never signed 
anything giving permission for your personal information to be 
broadly used and disclosed. You were never told it would be 
used in such a way, and nothing was sent to you about that. But 
it will be extensively used, and nothing under 2470 would 
prevent that from happening.
    Information from your medical records could be used for 
private research purposes without your consent or knowledge. 
Your age, sex, demographic information, psychiatric status and 
other information could be used for insurance underwriting and 
other broadly and vaguely defined health care operations 
purposes, again without your consent or knowledge. Your medical 
records can be displayed to hundreds of medical students, 
nurses and other trainees because health care operations are 
defined to include health care education. Your medical records 
information and the medications you are taking can be revealed 
to pharmaceutical companies who may even contact you at home 
about taking their new product instead.
    We have no problem with taking advantage of the 
considerable benefits of medical information and the new 
technologies that have been described here this morning. We are 
concerned that in that process we not sacrifice the privacy 
that Americans cherish.
    I would be happy to respond to your particular questions 
during the question-and-answer period, either about 2470 or 
H.R. 10, to which Mr. Ganske referred earlier.
    Thank you, Mr. Chairman. I look forward to working with the 
committee on this issue.
    [The prepared statement of Paul Appelbaum follows:]
    Prepared Statement of Paul Appelbaum on Behalf of the American 
                  Psychiatric Association
Introduction
    Mr. Chairman, I am Paul Appelbaum, M.D., testifying on behalf of 
the American Psychiatric Association (APA), a medical specialty 
society, representing more than 40,000 psychiatric physicians 
nationwide. I serve the APA as Vice-President and I am also Professor 
and Chair of the Department of Psychiatry at the University of 
Massachusetts Medical School. I would like to thank Chairman Bilirakis, 
Ranking Member Brown, and members of the Subcommittee for the 
opportunity to testify today.
    Mr. Chairman, we greatly appreciate your interest in passing 
medical records privacy legislation. We also appreciate the work of Mr. 
Greenwood, Mr. Waxman, and Mr. Markey, as well as several Republican 
and Democrat members of the Committee who fought to improve the privacy 
provisions of HCFA's recent OASIS medical information regulation.
    As changes in technology and health care delivery have outpaced the 
statutory, common law, and other protections that traditionally have 
ensured patient confidentiality, the level of confidentiality enjoyed 
by patients has eroded dramatically. I greatly appreciate your efforts 
to seize this valuable opportunity to protect and restore needed 
confidentiality protections.
The Need for Federal Legislation
    I believe medical records confidentiality is one of the most 
important issues to come before the Subcommittee this year. Our ability 
to find a new job, earn a promotion, obtain insurance, our family and 
social relationships, the quality of health care, and medical research 
breakthroughs can all be enhanced or tragically jeopardized by medical 
records confidentiality legislation. Our medical record, when it 
relates to conditions as varied as high blood pressure, communicable 
diseases, Alzheimer's disease, mental illness and substance abuse, 
domestic violence, sexual assault information, terminal illnesses, HIV/
AIDS, cancer, eating disorders, sexual function or reproductive health 
issues, as well as many other conditions, is highly sensitive.
    But whether or not we are affected by these illnesses, medical 
records privacy issues affect us all. Today's comprehensive medical 
assessments and wellness questionnaires can contain questions about 
patients' sexual behavior, social relationships, state of mind, and 
psychiatric status--even if patients are not receiving medical 
treatment relating to these issues. The forms can also contain 
extensive personal and financial information.
    The need for privacy legislation is compelling. In 1996, a 
federally appointed panel of experts, the National Committee on Vital 
and Health Statistics, stated that our country faces a ``health privacy 
crisis.'' And across the political spectrum, broad support exists for 
action on this issue. Many conservatives, including Phyllis Schlafly, 
have decried the ``stealth assault on medical records.'' Likewise, 
liberals and civil libertarians have been fighting to secure basic 
protections to safeguard citizens from unjustified police seizure of 
their medical records. Finally, there has been bipartisan concern that 
led to the suspension of any implementation of a national patient 
identifier and the limitation of the Health Care Financing 
Administration's recent medical information collection regulation, 
dubbed OASIS. Thus, it is clear that Americans of all political 
persuasions want to keep their personal medical information 
confidential. We hope that in the current debate on medical records 
privacy, bipartisan support can develop for enacting meaningful medical 
records privacy legislation into law.
Confidentiality is a Requirement for High Quality Medical Care
    Common sense, the experience of physicians and patients, and 
research data all show that privacy is a critical component of quality 
health care. The sad fact is that the health care system has, on 
occasion, not earned the trust of patients, and many patients do not 
trust the system to keep their information confidential. In many cases, 
the result has been that physicians are not able to provide the best 
possible quality care nor reach many individuals in need of care.
    Some patients refrain from seeking medical care or drop out of 
treatment in order to avoid any risk of disclosure. And some simply 
will not provide the full information necessary for successful 
treatment. At other times, physicians are approached by patients who 
ask us not to include certain information in their medical record for 
fear that it will be indiscriminately used or disclosed. The result of 
all these behaviors resulting from patients' reasonable concerns is 
unfortunate. More patients do not receive needed care and medical 
records' data that we need for many purposes, such as outcomes 
research, is regrettably tainted in ways that we often cannot measure.
    The solution is not to take short cuts that will further deprive 
patients of their rights. Instead, we must enact into law meaningful 
medical records privacy legislation based on the voluntary informed 
consent of patients and reliance upon the fullest possible use of 
deidentified and aggregate patient data. In this way the full 
advantages of patient privacy as well as the benefits of new medical 
technology can be harnessed.
    Informed, voluntary, and non-coerced patient consent prior to the 
use and disclosure of medical records should be the foundation of 
medical records confidentiality legislation. As a general principle, we 
believe that the American Medical Association's position--that patient 
consent should be required for disclosure of information in the medical 
record with narrowly drawn and infrequent exceptions permitted for 
overriding public health purposes--is eminently reasonable.
The Special Sensitivity of Mental Health Information and the U.S. 
        Supreme Court's Jaffee Decision
    Patients often refrain from entering psychiatric treatment because 
of concerns about confidentiality. Not only do patients refrain from 
telling family members and close friends the information they share 
with their therapist, but some may not even tell their family members 
that they are receiving mental health treatment. Often, if the 
information were disclosed to a spouse or an employer it might 
jeopardize their marriage or employment. But even the privacy 
protection afforded to psychotherapy notes has eroded so much in recent 
years that many psychiatrists and other mental health professionals 
have stopped taking notes or take only very abbreviated notes. Without 
the very highest level of confidentiality, patients receiving mental 
health services will be less likely to enter treatment and less likely 
to remain in treatment. Worse yet, if confidentiality is not protected, 
the treatment they receive will usually be less effective.
    For these and other reasons, the U.S. Supreme Court recognized the 
special status of mental health information in its 1996 Jaffee v. 
Redmond decision. The court held that ``Effective psychotherapy depends 
upon an atmosphere of confidence and trust--disclosure of confidential 
communications made during counseling sessions may cause embarrassment 
or disgrace. For this reason the mere possibility of disclosure may 
impede the development of the confidential relationship necessary for 
successful treatment.''
    It is also worth recognizing that the extent of mental illness is 
widespread. According to the World Health Organization mental illnesses 
account for four out of ten of the leading causes of disability. I urge 
members of this committee not only to protect the letter of the Jaffee 
decision but indeed to protect its spirit by including appropriate 
provisions in the legislation.
Provisions Needed in Congressional Legislation
    It is not my intention to provide a detailed analysis of each bill 
before the Subcommittee but rather, I would like to recommend several 
key provisions that we believe should guide the Subcommittee in its 
deliberations, and we would be happy to provide the Committee with 
additional recommendations as well.
    Preemption. I believe the most important medical records privacy 
issue before the Committee is to insure that stronger state medical 
records privacy laws are preserved and that states' ability to enact 
stronger medical records privacy laws is preserved. States have 
adopted valuable protections for patients, including laws limiting the 
disclosure of pharmacy records and laws blocking insurers' access to 
verbatim psychiatric notes. States are also actively considering 
numerous additional proposals. In fact, the National Council of State 
Legislatures estimates that a total of 56 medical records 
confidentiality bills have passed through at least one chamber of a 
state legislature. We must not block states' efforts to protect 
citizens' medical privacy. We recommend that the provisions in H.R. 
2470 be modified to adopt a floor preemption approach as contained in 
the Condit-Waxman bill.
    Consent. APA believes three principles should govern those sections 
of the legislation concerning authorization and consent for disclosure. 
First, patients themselves should decide whether or not personal health 
information is disclosed. Consent before use and disclosure of medical 
records is critically important and this time-tested approach should be 
preserved and strengthened in order to remain meaningful in the 
changing world of health care delivery. In general, whatever problems 
may now exist with confidentiality of health information are derived 
from our failure to observe this principle. No one is in a better 
position than patients themselves to identify sensitive information and 
to determine to whom it ought not to be revealed. Those who would alter 
this traditional approach have failed to justify such a radical change.
    Second, identifiable personal health information should be released 
only when deidentified data is inadequate for the purpose at hand. 
Third, even when consent has been obtained, disclosure should be 
limited to the least amount of personal health information necessary 
for the purpose at hand. This is consistent with our recognition of the 
importance of protecting medical privacy.
    These principles have implications for some of the major policy 
questions regarding authorization of disclosure. For patients to retain 
meaningful control over personal health information, prospective 
consent for routine disclosures of identifiable information should be 
largely limited to information needed for treatment and payment 
purposes. Other health care operations can usually be accomplished with 
deidentified data. With such a provision, a strong incentive will exist 
for the use and further enhancement of technology to perform a wide 
array of administrative functions.
    We are extremely concerned because H.R. 2470 reverses the time-
tested principle of consent before disclosure. Many patients will not 
even be aware that their most sensitive information is being used or 
disclosed for a host of purposes far beyond treating their illness or 
paying for the service. Were this legislation to be enacted into law, 
we fear that gradually patients would learn how little control they 
have over disclosure of their most personal information. As a result, 
many patients would refrain from providing their physician with the 
full information about their medical condition or they would refrain 
from obtaining care.
    Unlike each one of the other three Republican bills before the 
Congress, i.e. Senate bills introduced by Senator Robert Bennett (R-UT) 
and Senator James Jeffords (R-VT) and a House bill introduced by 
Representative Chris Shays (R-CT) the Greenwood bill eliminates the 
principle of current law requiring consent before disclosure. We 
strongly urge the Committee to adopt an alternative approach based on 
the aforementioned principles.
    Health Care Operations. In particular, the APA is also very 
concerned by the definition of ``operations'' in H.R. 2470. Entities 
providing health care can use and disclose this information for 
``operations'' purposes, i.e. many purposes not directly related to 
treating a patient or performing payment or reimbursement functions. 
Some of the terms that are used to define ``operations'' are quite vague 
and broad and could endanger patient privacy. Do we really want to 
permit patients to be terminated from their health care coverage 
because they don't want their personal records to be used for largely 
commercial functions that can be performed with aggregate data?
    Employee Protections. Millions and millions of Americans have great 
concern about the threat to confidentiality of their medical records 
due to employer access. Whether it is idle gossip by individuals with 
access to medical records, employer review of identifiable medical 
records data, or supervisors' inappropriate interest in the personal 
lives of their employees, we must protect employees' right to medical 
records privacy. Wouldn't most people want to decide if anyone in their 
company, not to mention their supervisor, would know if they obtained 
medical care from a psychiatrist, from a cardiologist, from an 
obstetrician/gynecologist, or from an oncologist?
    We believe that strong, explicit protections are needed in this 
area such as the provisions included in several bills, most notably 
those introduced by Senator Robert Bennett (R-UT) and separate 
legislation introduced by Representatives Gary Condit (D-CA) and Henry 
Waxman (D-CA). Loopholes in H.R. 2470's definition of ``health plan'' 
and ``protected health information'' also need to be closed so that 
employees can be assured of adequate medical privacy protections.
    Needed Protections for Particularly Sensitive Medical Information. 
As indicated above, especially sensitive information, including mental 
health information needs to receive a very high level of protection. 
Indeed, the U.S. Supreme Court itself in its Jaffee decision recognized 
that additional privacy protections, above and beyond those afforded to 
other health information, are needed to insure effective psychiatric 
care. APA believes that in order to promote high quality medical care 
and patient privacy, the Congress should pass legislation that provides 
a level of protection high enough so that no class of information needs 
additional protections. However, in the event that the Congress 
proceeds with legislation that does not meet this test, strong 
additional privacy protections will clearly be needed for mental health 
information.
Medical Records Provisions of H.R. 10, Financial Services Modernization 
        Legislation.
    Any discussion of current medical records legislation involving the 
House Commerce Committee must also focus on the damaging medical 
records provisions included in H.R. 10, the Financial Services 
Modernization bill soon to be discussed before a House-Senate 
Conference Committee. Despite the good intentions that led to the 
adoption of these provisions, we remain extremely concerned that this 
legislation will hurt, not help, the cause of medical records privacy, 
both because of the legislation's likely preemption of state privacy 
laws and its lack of basic medical records privacy provisions contained 
in all the medical records privacy legislation before the Congress.
    We attach a letter signed by 40 physician, provider, patient, and 
other organizations opposing these provisions. Groups opposing these 
provisions include the American Medical Association, the American 
Association of Family Physicians, the American Lung Association, the 
Service Employees International Union, and the American Federation of 
State, County and Municipal Employees.
Conclusion
    As physicians, we take an oath first stated by Hippocrates that, 
``Whatsoever things I see or hear concerning the life of men, in my 
attendance on the sick--I will keep silence thereon, counting such 
things to be as sacred secrets.'' In order to make sure that doctor-
patient confidentiality continues to protect patients in the new 
millennium, I strongly urge the Committee to provide the highest 
possible level of confidentiality in your legislation.
    We thank you for this opportunity to testify, and we look forward 
to working with the Committee on these important issues.
                                 ______
                                 
    NOTE: Over 40 groups signed on to this letter including the 
American Medical Association, American Lung Association, and Service 
Employees International Union.

                                                      June 29, 1999
Member of Congress
House of Representatives
Washington, DC 20515

Medical Records Provisions of H.R. 10 Undermine Patient Privacy

    Dear Representative: The undersigned physician, provider, patient, 
and other national organizations strongly support medical records 
confidentiality not only from a personal privacy perspective, but also 
because of the critical importance of patient privacy for high quality 
medical care. We greatly appreciate the well-intentioned efforts of the 
many members that have resulted in the medical records privacy 
provisions of H.R. 10. Nevertheless, we have both serious procedural 
and substantive concerns about these provisions and urge that they be 
deleted from the bill.
    We are particularly concerned because Section 351 of the bill would 
allow the use and disclosure of medical records information without the 
consent of the patient in extraordinarily broad circumstances. To give 
just two examples, law enforcement entities would enjoy virtually 
unfettered access to medical records and insurance companies could 
review individual medical records in performing marketing studies. The 
list of entities that could obtain medical records is also extensive. 
Why should life insurers, auto insurers, and even insurers providing 
travel cancellation insurance be able to routinely access patients' 
entire medical records without patient consent or even knowledge?
    To complicate matters further, the legislation establishes no 
limitations on subsequent disclosures of medical records to non-
affiliated entities. Once a disclosure has occurred, there is no 
limitation on the types of disclosures that the recipient of this 
information may make. Thus, if an insurer contracts out a certain 
authorized service to a bill collection agency or an administrative 
support company, nothing in the legislation would prevent these 
organizations from disclosing or selling the information for a host of 
inappropriate purposes far beyond any legitimate health use.
    The legislation lacks basic protections included in all the major 
confidentiality bills before the Congress. The legislation lacks 
specific requirements for physical, technical, and administrative 
safeguards to prevent unintended disclosures of medical records. Nor 
does the legislation encourage the use of deidentified medical records 
or insure that patients will receive notice of the confidentiality, 
use, and disclosure practices of the insurance companies.
    Confidentiality between the doctor or other health care 
professional and the patient is an essential component of high quality 
health, and particularly mental health, care. Unfortunately, the 
medical records confidentiality provisions in H.R. 10 will deter many 
patients from seeking needed health care and deter patients from making 
a full and frank disclosure of critical information needed for their 
treatment.
    We also have numerous procedural concerns. Because the Senate HELP 
Committee has not yet been able to report out comprehensive medical 
records privacy provisions, H.R. 10's provisions, intended as a 
temporary measure until comprehensive legislation is enacted into law, 
could now become long-lasting. This is extremely troublesome because 
H.R. 10 is designed to address only certain narrow aspects of medical 
records privacy and leaves key issues unresolved. We are deeply 
concerned that passage of H.R. 10's current medical records privacy 
language has the potential to undermine enactment of comprehensive 
medical records privacy legislation.
    Thank you for considering these important issues. For further 
information, please contact William Bruno of the American Psychiatric 
Association at (202) 682-6194.
            Sincerely,
American Psychiatric Association; American College of Occupational 
         and Environmental Medicine; American Academy of Child and 
     Adolescent Psychiatry; American Academy of Family Physicians; 
 American Association of Occupational Health Nurses, Inc; American 
  Association for Psychosocial Rehabilitation; American College of 
Physicians--American Society of Internal Medicine; American College 
     of Surgeons; American Counseling Association; American Family 
   Association; American Family Foundation; American Federation of 
State, County, and Municipal Employees; American Lung Association; 
       American Medical Association; American Occupational Therapy 
           Association; American Osteopathic Association; American 
   Psychoanalytic Association; American Psychological Association; 
 American Society for Gastrointestinal Endoscopy; American Society 
  of Clinical Psychopharmacology; American Society of Cataract and 
Refractive Surgery; American Society of Plastic and Reconstructive 
Surgeons; American Thoracic Society; Anxiety Disorders Association 
         of America; Association for Ambulatory Behavioral Health; 
 Association for the Advancement of Psychology; Bazelon Center for 
 Mental Health Law; Corporation for the Advancement of Psychiatry; 
   Federation of Behavioral, Psychological and Cognitive Sciences; 
          Infectious Disease Society; International Association of 
     Psychosocial Rehabilitation Services; National Association of 
      Developmental Disabilities Councils; National Association of 
Psychiatric Treatment Centers for Children; National Association of 
Social Workers; National Association of State Mental Health Program 
  Directors; National Council for Community Behavioral Healthcare; 
    National Depressive and Manic Depressive Association; National 
         Foundation for Depressive Illness; National Mental Health 
  Association; Renal Physicians Association; and Service Employees 
                                               International Union.

    Mr. Bilirakis. Thank you very much, Doctor.
    Ms. Feldblum. I am sorry, did I mess up your name?

                   STATEMENT OF CHAI FELDBLUM

    Ms. Feldblum. Oh, if you did, you would join a long list. 
Actually, it is the first name that people have trouble with.
    My name is Chai Feldblum. I am a law professor at 
Georgetown Law School, and I created and run a Federal 
Legislation Clinic where I teach students what I call the art 
of legislative lawyering, which is the art of merging politics 
and law. And I will second all the comments some of you have 
made about this bill. We have been working on this for 6 years, 
and I can tell you we have had hundreds of quality teaching 
moments on this bill because of how complicated it is.
    One of the pro bono clients of the clinic is the Privacy 
Working Group of the Consortium for Citizens With Disabilities, 
that is, it is the coalition of people with disabilities. We 
represent the asthma groups, the diabetes groups, epilepsy, 
cancer, et cetera.
    For people with disabilities, having an effective health 
care system is key. We have never seen this as balancing 
privacy against an effective health care system. It has always 
been for us in the 6 years we have been working, how do we 
enhance the privacy protections in the health care system so 
people have trust in the system so that it works well. That has 
always been our goal.
    We are also a very practical group. We know we have a 
particular approach to have effective privacy and effective 
health care system, but industry stakeholders might have a 
different approach. So we have spent a significant amount of 
time in two forums finding out what are the concerns of 
industry stakeholders so that the description, Mr. Greenwood, 
you gave of the health care system you would like to see fits 
the language that is in the bill that you have authored. That 
is our goal in this clinic, that the rhetoric of the intention 
fits the actual words that are used.
    My assessment in reading 2470 and my written testimony is 
in significant detail, excruciating to some, welcome to others; 
I will give you only the highlights here. What I see in 2470 is 
absolutely the intention to achieve the goals that you have 
described. A few areas where the legal words are simply not 
going to achieve that result--I don't think any of these are 
insurmountable.
    I think some are more difficult than others. I think 
private right of action and preemption will be more difficult 
than others because of policy, but some of the other things 
that I think are problematic in the bill, I don't think are 
insurmountable. Why don't I? Because we have been working with 
industry, not just here on the House side, but over on the 
Senate side, outside of the legislative process.
    The Health Privacy Working Group that Mr. Nielsen referred 
to--and Mr. Chairman, I would like to introduce that report 
into the record if I may.
    Mr. Bilirakis. Without objection.
    [The report follows:]
    [GRAPHIC] [TIFF OMITTED] T8501.001 through T8501.052

    Ms. Feldblum. Was an effort by people from a whole range--
consumers, industry, providers, researchers--to come up not 
with a template for Federal legislation, but a set of best 
principles that industry would voluntarily take on, that you 
now in Congress could look to as a model as you are trying to 
make the words fit the rhetoric.
    Okay, so let me tell you the few things where I think the 
words are really problematic, but not insurmountable and then a 
few I think where the policy is difficult.
    One, health care operations, heard this a lot. The problem 
with health care operations, of course, is that it is in the 
compelled authorization that when I go and I sign, go for 
treatment, I have to sign an authorization for treatment, 
payment and health care operations. We in CCD didn't like the 
idea that you had to sign up for health care operations. We 
love disease management. We want to see more of it, but we want 
it to have the chance to opt in to disease management.
    Okay. We have basically given that up on the Senate side. 
You know, we have said that compelled authorization is going to 
include some treatment which will have some forms of disease 
management.
    Now, we haven't given it up completely because it has to be 
tied to the individual, but we have been willing to live with 
the compromise. Why? Because the industry was willing to live 
with one thing. They took out the word ``including'' in your 
definition of health care operations. Right now health care 
operations is anything to implement the terms of the 
contract--``including,'' and a whole list of the things. The 
minute you have the word ``including,'' as a legal matter, you 
have no boundary. So there is a change that can be made in H.R. 
2470 that can take care of that problem.
    A much more difficult problem, and I only saw it 2 days 
ago--first time I saw this change--is that I think the industry 
had some concern about use and disclosure as it was done on the 
Senate side; and 2470 says that when a health plan or provider 
has protected health information, it can use that information 
for treatment, payment, health care operations and research. It 
can just use it.
    Now, one effect of that is that they don't have to get an 
authorization, but to me that would have been a compelled 
authorization anyway. The bigger problem is that all of the 
rules of the law that apply to disclosure, how you have to be 
careful about disclosure, suddenly go out the window so long as 
it is a use for treatment, payment, health care operations and 
research. It is just a few legal words, and it completely 
undoes the rhetoric of what I understood you are trying to 
achieve.
    Now, let me make a few comments on the three policy areas. 
One is research. We, of all groups, want research.
    Who was it who said that her daughter is in a research 
trial?
    Mr. Bilirakis. Ms. Capps.
    Ms. Feldblum. We want research to work well, but we also 
want an incentive for researchers to use nonidentifiable data 
when that will be okay for the research. Now, we in CCD say 
there should be an IRB system. Section 208 of H.R. 2470 right 
now has just a completely internal review system with no 
standard. To me, that is like almost two ends of the spectrum.
    It is worth looking at what a group that was sort of in the 
middle came up with, which was to have an equivalent level of 
review and accountability. They had some issues with IRBs, but 
they wanted an equivalent level of review and accountability. 
What is in 2470 right now isn't that. It can become that 
through negotiation and compromise, but it is not yet in 
research.
    On private right of action, every single----
    Mr. Bilirakis. Try to summarize if you can, Ms. Feldblum. 
We are all fascinated here, to be honest with you, but I guess 
I can't let it go on too long.
    Ms. Feldblum. In private right of action, every privacy act 
that this Congress has passed has included a private right of 
action because if you ask any lawyer worth his or her salt, do 
you want criminal and civil penalties where you have to depend 
on someone else to have the resources to bring the case, or do 
you want a private right of action that you can go into court, 
any lawyer worth his or her salt, if they are trying to achieve 
effective remedies will ask you for the latter. So if you don't 
put that latter in, you are not creating the effective 
remedies.
    And on preemption, again, I would recommend that you look 
to some of the compromises that had been worked out on the 
Senate side. We are not thrilled with it at the moment, but it 
is a movement that at least grandfathers in existing State laws 
and allows a carve-out for certain areas where it would be very 
problematic if you had a little vacuum cleaner preemption 
language, which is what you have, causing incredible, 
inadvertent consequences.
    So I will conclude by saying I think this Congress can pass 
good, effective privacy legislation. It has been trying to do 
so for 20 years, and now in fact is the time you might be able 
to do it; but only, in my mind, if you build on the consensus 
and the compromise that has been happening over the last 6 
months to a year, not start with something that is way back.
    Build on the consensus that has developed already from 
different arenas. Work with all of us so it is in fact a bill 
that is bipartisan and is in fact a bill that is not just 
supported by industry but by consumers. I can guarantee to you 
today there is a bill that we can support and that industry can 
support, and that will make a difference for this country. You 
have to make sure that we get that opportunity to do that work 
together.
    Thank you.
    [The prepared statement of Chai Feldblum follows:]
 Prepared Statement of Chai Feldblum on Behalf of the Privacy Working 
         Group of the Consortium for Citizens with Disabilities
                            I. Introduction
    My name is Chai Feldblum and I am a Professor of Law and Director 
of the Federal Legislation Clinic at Georgetown University Law Center. 
I am here today representing one of the Clinic's pro bono clients, the 
Consortium for Citizens with Disabilities (CCD) Privacy Working Group. 
Many members of the Privacy Working Group are also members of the 
Consumer Coalition for Health Privacy, an initiative of the Health 
Policy Project at Georgetown University. Indeed, the Chair of the 
Privacy Working Group--Jeff Crowley of the National Association of 
People with AIDS--is on the steering committee of the Consumer 
Coalition for Health Privacy.
    CCD is a Washington-based coalition of nearly 100 national 
disability organizations that advocates with and on behalf of children 
and adults with disabilities and their families. All persons who 
receive health care services in this country have reason to be 
concerned with the inappropriate use of highly personal information 
that is collected about them within the health care system. As a 
coalition representing people living with disabilities, however, CCD's 
views on this issue are somewhat unique. Because people with 
disabilities have extensive medical records and sometimes stigmatizing 
conditions, such individuals feel a particular urgency to secure new 
privacy protection at the federal level. At the same time, many people 
with disabilities interact on an almost daily basis with the medical 
establishment and thus benefit from a well-run, effective health care 
system. Such individuals do not want federal privacy protection to 
reduce the effectiveness of the health care system they must navigate 
on an ongoing basis.
    All of our work in this area has taught us that the desire for 
medical privacy and the desire for an effective health care system are 
neither in conflict with each other, nor do they require ``balancing'' 
of one interest against another. Rather, establishing privacy 
protection can enhance the operation of the health care system, by 
increasing individuals' trust and confidence in that system. A national 
survey released in January 1999 found that one in six Americans engages 
in some form of ``privacy protective behavior'' because he or she is 
afraid of confidentiality breaches regarding their sensitive medical 
information. These activities include withholding information from 
health care providers, providing inaccurate information, doctor-hopping 
to avoid a consolidated medical record, paying out of pocket for care 
that is covered by insurance, and--in some cases--avoiding care 
altogether.\1\ None of this is good for either consumers or 
the health care system.
---------------------------------------------------------------------------
    \1\ California HealthCare Foundation, National Survey: 
Confidentiality of Medical Records (January 1999). The survey was 
conducted by Princeton Survey Research Associates. Results are 
available at www.chcf.org/conference/survey.cfm.
---------------------------------------------------------------------------
    The CCD Privacy Working Group has developed a set of principles for 
health information privacy legislation designed to achieve the twin, 
mutually enhancing, goals of increasing privacy protection in the 
health care system and creating an effective health care system. The 
CCD Privacy Working Group has also worked with the Consumer Coalition 
for Health Privacy in the development of its principles. If there is no 
objection, I would like to submit these principles for the record.
    Because the CCD Privacy Working Group believes it is imperative for 
Congress to pass federal medical privacy legislation, we have also 
worked diligently over the past several years to understand the 
concerns of all interested stakeholders in this area--including health 
care providers, health plans, pharmaceutical companies, researchers, 
public health departments, law enforcement officials, and state 
legislatures--to help bring about a consensus between our members and 
those stakeholders. We have done that work in two forums. First, as 
part of the federal legislative process, we have engaged in discussions 
and negotiations to help develop a consensus piece of federal 
legislation. Thus far, as a legislative matter, that work has primarily 
taken place with interested stakeholders under the aegis of the Senate 
Committee on Health, Education, Labor and Pensions, and has resulted in 
a proposed Senate Committee Chairman's mark to be offered by Senator 
James Jeffords. While the CCD Privacy Working Group has some remaining 
concerns with Senator Jeffords' legislation, we believe that 
legislation represents significant movement and consensus on the part 
of all interested stakeholders in this debate.
    Second, Jeff Crowley, Chair of the CCD Privacy Working Group, 
participated in a year-long effort coordinated by the Health Privacy 
Project at Georgetown University. Under the leadership of Janlori 
Goldman, Director of the Health Privacy Project and a long-time privacy 
advocate and policy analyst, the Project convened a Health Privacy 
Working Group consisting of high-level representatives from disability 
and mental health groups, health plans, providers, employers, standards 
and accreditation organizations, and experts in public health, medical 
ethics, information systems, and health policy.\2\ The mission 
of the Working Group was to ``achiev[e] common ground on `best 
principles' for health privacy and identif[y] a range of options for 
putting those principles into practice.'' \3\ The Working 
Group was not intended to create a template for federal legislation. 
Rather, it was designed to create a set of ``best principles'' that 
providers and plans could voluntarily put into place even before 
federal rules were enacted. Thus, some key issues for the CCD Privacy 
Working Group that are unique to federal legislation were not addressed 
by that group (but will be addressed in this testimony). Nevertheless, 
on a wide range of issues--from rules regarding use and disclosure, to 
standards for authorization, to interaction with law enforcement--the 
Health Privacy Working Group forged critically important agreements 
that may serve as guidance for Congress in the development of federal 
legislation. I would like to ask that a copy of that report be included 
in the record following my written testimony.
---------------------------------------------------------------------------
    \2\ Comprehensive member biographies are available as an Appendix 
to the Health Privacy Working Group Report. See Health Privacy Working 
Group, Best Principles for Health Privacy, at 46-50.
    \3\ Best Principles, at 12 (July 1999).
---------------------------------------------------------------------------
    With these two experiences as background--the negotiations we have 
engaged in with various stakeholders at the federal level over the past 
four years, and the Health Privacy Working Group's discussions of the 
past year--we are pleased to offer you comments on H.R. 2470, the 
Medical Information Protection Act of 1999, sponsored by 
Representatives Greenwood, Shays, Norwood, and LaTourette, and H.R. 
1941, the Health Information Privacy Act, sponsored by Representatives 
Condit, Waxman, Markey, Dingell, and Brown of Ohio. We are disappointed 
that H.R. 2470 fails to include many of the most basic provisions that 
both industry representatives and consumer groups were apparently 
willing to live with in a spirit of compromise and in a desire to move 
forward bipartisan, consensus legislation--as reflected in our 
respective public positions on Senator Jeffords' proposed committee 
mark. Thus, if anything, H.R. 2470 represents a step backwards from the 
significant movement that has been made over the past six months by all 
interested stakeholders. Nevertheless, perhaps because we are eternal 
optimists in the CCD Privacy Working Group--and certainly because we 
are committed to the passage of effective federal privacy legislation--
we hope this hearing represents an honest and committed effort on the 
part of all members of the committee to consider changes to H.R. 2470 
that will transform it into a bill that is capable of moving forward 
with broad bipartisan support.
    The CCD Privacy Working Group would prefer that H.R. 1941 be the 
basis for legislative action, because that legislation already 
represents a process of negotiation and compromise among a range of 
views. Nevertheless, we believe that certain changes to H.R. 2470 would 
create a minimally acceptable bill that the CCD Privacy Working Group 
could support, rather than a bill that we must regretfully inform our 
members and the public represents such a serious threat to health care 
privacy that it should be defeated.
    In this testimony, I will comment on almost all sections of both 
H.R. 2470 and H.R. 1941.\4\ I hope this analysis will 
demonstrate to the Committee that there are only a few sections of H.R. 
2470 that need to be modified in order to make the bill minimally 
acceptable. Of course, those changes deal with significant, and at 
times, contested policy determinations. Nevertheless, I believe our 
recommendations represent not only correct policy determinations, but I 
also believe--based on compromises we are willing to make in this 
legislation--that these changes are ones industry stakeholders should 
be able to agree to as well.
---------------------------------------------------------------------------
    \4\ Where the sections of the bills do not differ significantly 
from each other, and/or from CCD's principles, I have not presented an 
analysis of those sections. I would be happy to supplement my 
testimony, within the week, with an analysis of those sections as well.
---------------------------------------------------------------------------
                II. Analysis of H.R. 2470 and H.R. 1941
    The analysis of H.R. 2470 and H.R. 1941 uses the order of sections 
established in H.R. 2470.
A. Access to Records
H.R. 2470
Sec. 101. Inspection and Copying of Protected Health Information
Sec. 102. Amendment of Protected Health Information
H.R. 1941
Sec. 201. Right of Access
Sec. 202. Right of Correction and Amendment
    Both the CCD Privacy Working Group and the Consumer Coalition for 
Health Privacy include the following as one of their principles for 
federal legislation:
        Federal legislation should guarantee an individual the right to 
        access his or her own health information and the right to amend 
        such information. Individuals should have the right to access 
        and amend their own medical records so that they can make 
        informed health care decisions and can correct erroneous 
        information in their records.
    This principle was also adopted as principle #3 by the Health 
Privacy Working Group.
    Both H.R. 2470 and H.R. 1941 embody this principle. H.R. 1941 does 
so by providing individuals the right to inspect, copy, and amend their 
protected health information as set forth in the recommendations 
conveyed to Congress by the Secretary of Health and Human Services 
pursuant to the requirements of the Health Insurance Portability and 
Accountability Act of 1996 (``Secretary's HIPAA 
recommendations'').\5\ H.R. 2470 achieves essentially the same 
result by setting forth the rights and responsibilities of consumers, 
providers, and agents with regard to access and amendment. Although the 
CCD Privacy Working Group would prefer that there be explicit time 
limits in the legislation regarding requests for access and amendment, 
we find this section to be acceptable.\6\
---------------------------------------------------------------------------
    \5\ Secretary of Health and Human Services, Confidentiality of 
Individually-Identifiable Health Information (September 11, 1997). 
Recommendations submitted to the Committee on Labor and Human Resources 
and the Committee on Finance of the Senate; and the Committee on 
Commerce and the Committee on Ways and Means of the House of 
Representatives pursuant to Section 264 of the Health Insurance 
Portability and Accountability Act of 1996.
    \6\ Our concerns with regard to parents accessing the records of 
their minors are dealt with in the sections on ``next of kin'' and 
``individual representatives.''
---------------------------------------------------------------------------
B. Notice of Confidentiality Practices
H.R. 2470
Sec. 103. Notice of Confidentiality Practices
H.R. 1941
Sec. 204. Right to Notice of Information Practices and Opportunity to 
Seek Additional Protections
    The Consumer Coalition for Health Privacy includes the following as 
one of its principles:
        Individuals should be notified about how their medical records 
        are used and when their individually identifiable health 
        information is disclosed to third parties. Individuals should 
        be given written, easy-to-understand notice of how their 
        individually identifiable health information will be used and 
        by whom. With such notice people can make informed meaningful 
        choices about uses and disclosures of their health information.
    This same principle was adopted by the Health Privacy Working Group 
as Principle #4.\7\ The Working Group noted that components of 
such notice should include: a description of how information will be 
collected and the information source (such as a medical record, 
treatment notes, and information from third parties); how the entity 
will use the information, and how, when, and for what purposes the 
entity will request patient authorization; what information the patient 
is permitted to inspect and copy and how to access such information; 
available steps, if any, to limit access and the consequences, if any, 
of refusing to authorize disclosure; the health care organization's 
policy for making disclosures with and without patient authorization 
(such as for research purposes, to law enforcement, for treatment 
purposes, etc.); and any other information relevant to the health care 
entity's data practices.
---------------------------------------------------------------------------
    \7\ ``Individuals should be given easy-to-understand written or on-
line notice of how their information will be used and by whom.'' Best 
Principles, at 19.
---------------------------------------------------------------------------
    Section 103 of H.R. 2470 attempts to provide an adequate notice 
requirement, but fails in several regards. First, H.R. 2470 requires 
entities to post or provide notice of the entity's confidentiality 
practices. Posting notices is clearly not as efficient a means of 
informing consumers as would be providing notices to individuals in 
written or on-line form. For example, Senator Jeffords' proposed 
committee mark requires that notice be posted and provided.
    Second, the notice contemplated by H.R. 2470 includes notice of 
``the uses and disclosures of protected health information authorized 
under this Act.'' Unfortunately, because section 202 of H.R. 2470 
allows entities to use a consumer's protected health information for 
treatment, payment, health care operations, and health research without 
ever obtaining an authorization from the consumer for such use, this 
part of the notice will presumably ring relatively hollow. The use 
allowed under Sec. 202 is particularly broad in light of the fact that 
``health care operations'' is defined in H.R. 2470 as any activity 
undertaken ``to implement the terms of a contract for health plan 
benefits.'' Because there is no limitation as to what a plan can put 
into its contract, there is similarly no limitation on the types of 
activities the plan may engage in to implement those terms.\8\ 
The open-ended definition of health care operations, combined with H.R. 
2470's allowance of uses for such activities to be engaged in without 
even obtaining an authorization from the consumer, belies the title of 
this Act (``Medical Information Protection Act of 1999''). Because it 
is unclear to us whether section 202 was intended to have this drastic, 
adverse result (we certainly hope not), if section 202 is modified to 
create a more reasonable result, the notice section of H.R. 2470 (as 
well as the substance of the bill) will once again regain some meaning. 
(Such notice should, however, still be provided directly to the 
individual, as well as merely posted by the entity.)
---------------------------------------------------------------------------
    \8\ This definition stands in sharp contrast to Senator Jeffords' 
proposed committee mark, which includes the same list of activities as 
``health care operations,'' but provides that health care operations 
means only those activities. To accommodate industry concerns regarding 
the possible future existence of necessary health care operations, the 
Jeffords bill includes within the definition of health care operations: 
``such other services as the Secretary determines appropriate through 
regulations (after notice and comment).'' Sec.(4)(7).
---------------------------------------------------------------------------
    The comparable provision in H.R. 1941, sec. 204, includes an 
explicit provision that a consumer be given ``a reasonable opportunity 
to seek limitations on the use and disclosure of protected health 
information in addition to the limitations provided in such 
practices,'' and that the entity ``obtain a signed acknowledgment from 
the protected individual acknowledging that the notice . . . has been 
provided to the protected individual.'' The reason H.R. 1941 includes 
these provisions is because it creates a system in which an entity is 
not required to obtain a prior authorization from the consumer in order 
to use the consumer's protected health information for purposes of 
treatment and payment. (See Sec. 301. Provision and payment for health 
care.) Although the CCD Privacy Working Group would prefer that a prior 
authorization be required, we have already agreed that health care 
providers and plans may be permitted to essentially compel such 
authorizations from the consumer by conditioning the delivery of 
service or payment on receipt of such authorization. Given that 
agreement on our part, the main purpose of a prior authorization for 
treatment or payment would have been to provide notice to the consumer 
of how protected health information would be used, and to provide that 
individual an opportunity to seek additional restrictions on use and 
disclosure. The provisions of section 204 in H.R. 1941 ultimately 
achieve those same two goals. Moreover, section 301(c) of H.R. 1941 
also includes another essential component from our perspective: it 
allows an individual who pays for the care himself or herself to 
restrict disclosure to a health care payer of the protected health 
information created or received in the course of receiving such care. 
H.R. 2470 lacks this critical component (above and beyond the fact that 
it lacks any authorization at all for the ``use'' of health care 
information for payment purposes.)
C. Establishment of Safeguards
H.R. 2470
Sec. 111. Establishment of Safeguards
H.R. 1941
Sec. 104. Safeguards Against Misuse and Prohibited Disclosures
    The Consumer Coalition for Health Privacy includes the following as 
one of its principles:
        The development of security safeguards for the use, disclosure, 
        and storage of personal health information should be required. 
        Appropriate safeguards should be in place to protect 
        individually identifiable health information from unauthorized 
        use or disclosure.
    The Health Privacy Working Group also adopted, as Principle #6, 
that ``health care organizations should implement security safeguards 
for the storage, use, and disclosure of health information.'' Although 
the Working Group did not discuss specific security controls at great 
length, there were a number of safeguards that were discussed in the 
context of ``fair information practices.'' They included:

 Health care organizations should endeavor to limit access to 
        personally identifiable health information on a need-to-know 
        basis. Employers, for example, should endeavor to restrict 
        access to personally identifiable health information strictly 
        to those employees who need access for payment or treatment 
        purposes.
 In keeping with Principle #1, health care organizations should 
        remove personal identifiers to the fullest extent possible and 
        practical, consistent with maintaining the usefulness of the 
        information.
 All disclosures of personally identifiable health information 
        should be limited to the information or portion of the medical 
        record necessary to fulfill the purpose of the disclosure.
 Health care organizations should maintain a record of 
        disclosures of information that identifies an individual.
 Personally identifiable health information should be used 
        within an organization only when such information is 
        necessary to carry out the purpose of the activity, for 
        purposes reasonably related to the purpose for which the 
        information was collected, and for which the patient has been 
        given notice.
 Organizations should consider whether they are able to provide 
        patients with a greater degree of anonymity in certain 
        circumstances through the use of opt-outs, pseudonyms, 
        identification numbers, or tagging information for additional 
        protections.
    It appears that the six subsections of Sec. 111(b) of H.R. 2470 
attempt to approximate some of these fair information practices and we 
applaud that effort. Unfortunately, however, until section 202's broad 
allowance of ``uses'' is modified, some of these safeguards will be 
useless. For example, Sec. 111(b)(5) calls upon entities to have an 
``appropriate mechanism for limiting disclosures to the protected 
health information necessary to respond to the request for 
disclosure.'' (This parallels the substantive requirement in 
Sec. 202(c): ``Every disclosure of protected health information by a 
person under this title shall be limited to the information necessary 
to accomplish the purpose for which the information is disclosed.'') 
But under Sec. 202(a), and repeated again for double clarity in 
Sec. 202(b)(1)(B), any use of protected health information for 
treatment, payment, health care operations, and health research--
whether such use takes place within the entity or outside the entity--
is not a disclosure under H.R. 2470.
    The problem created by H.R. 2470 does not result simply from 
creating a distinction between ``use'' and ``disclosure.'' Although 
members of the CCD Privacy Working Group have never understood, as a 
conceptual matter, why a distinction needs to be adopted between 
``use'' and ``disclosure,'' the simple creation of such a distinction 
does not--in and of itself--create a privacy problem. For example, the 
Health Privacy Working Group also assumes a distinction between 
disclosure (which it defines as ``sharing of patient information 
outside an entity'') and use (which it defines as ``access or sharing 
of information within an entity, including to an agent or contractor of 
an entity.'') \9\ Then in its discussions of fair information 
practices, the Working Group apparently assumed that only 
``disclosures'' of personally identifiable health information would 
need to be ``limited to the information or portion of the medical 
record necessary to fulfill the purpose of the disclosure.'' 
\10\ However, unlike H.R. 2470, the Working Group also assumed 
that personally identifiable health information would be ``used within 
an organization only when such information is necessary to carry out 
the purpose of the activity, for purposes reasonably related to the 
purpose for which the information was collected, and for which the 
patient has been given notice.'' \11\ By contrast, H.R. 2470 
includes simply the weak statement, buried in the definition section of 
``disclosure'' (section (2)(4)), that the use of protected health 
information shall not be considered a disclosure, ``provided that the 
use is consistent with the purposes for which the information was 
lawfully obtained.'' Thus, again, H.R. 2470's rules governing use, as 
well as disclosure, must be revisited before the safeguards section of 
the bill can be assumed to mean very much to consumers.
---------------------------------------------------------------------------
    \9\ Best Principles, at 42.
    \10\ Id. at 22.
    \11\ Id.
---------------------------------------------------------------------------
    The safeguards section of H.R. 1941 is stronger, primarily because 
the underlying bill is stronger with regard to the substantive 
protections for use and disclosure of personally identifiable health 
information. In addition, we prefer that the safeguards be required to 
include administrative safeguards to ``ensure that protected health 
information is used or disclosed only when necessary,'' as H.R. 1941 
requires, rather than having the safeguards simply ``address the 
following factors,'' including ``the need for protected health 
information and whether the purpose can be accomplished with 
nonidentifiable health information,'' as H.R. 2470 requires.
D. Accounting for Disclosures
H.R. 2470
Sec. 112. Accounting for Disclosures
H.R. 1941
Sec. 203. Right to Review Disclosure History
    The Health Privacy Working Group includes, as part of its principle 
#3, that an individual should have the right to see ``an accounting of 
disclosures, when such accounting is maintained'' (emphasis added). 
This recommendation clearly does not assume there will be an accounting 
of all uses of health information within an entity. Similarly, both 
H.R. 2470 and H.R. 1941 require that an accounting be made solely of 
disclosures, and that such accounting be made available to consumers.
    The CCD Privacy Working Group has no difficulty supporting H.R. 
1941's (and the Health Privacy Working Group's) limitation of 
accounting solely to disclosures--because disclosures are defined in 
both H.R. 1941 and by the Health Privacy Working Group as providing 
access to protected health information to anyone other than an officer, 
employee, or agent of the entity holding the information. As a 
practical matter, it makes sense to require accounting solely of 
disclosures that occur outside an entity. Unfortunately, under H.R. 
2470 a disclosure outside the entity is still not considered a 
disclosure for purposes of the law as long as it is a use for 
treatment, payment, the open-ended health care operations, or health 
research. Thus, in practice, the only accounting a health provider or 
plan will ever engage in will be for those rare situations in which 
disclosures are made for some purpose other than these four broad 
areas. This radically restricts the entire concept of accounting for 
disclosures.
E. Restrictions on Use and Disclosure
H.R. 2470
Sec. 201. General Rules Regarding Use and Disclosure
Sec. 202. General Rules Regarding Use and Disclosure of Health Care 
Information
Sec. 203. Authorizations for Use or Disclosure of Protected Health 
Information Other Than for Treatment, Payment, Health Care Operations, 
or Health Research
H.R. 1941
Sec. 101. Restrictions on Use
Sec. 102. Restrictions on Disclosure
Sec. 103. Standards for Authorizations for Use and Disclosure
Sec. 301. Provision of and Payment for Health Care
    Restrictions on the use and disclosure of protected health 
information lie at the core of any federal protection for the privacy 
of personally identifiable health information. Both the CCD Privacy 
Working Group and the Consumer Coalition for Health Privacy have stated 
a similar principle:
        The use or disclosure of individually identifiable health 
        information absent an individual's informed consent should be 
        prohibited. Health care providers, health plans, insurance 
        companies, employers and others in possession of individually 
        identifiable health information should be prohibited from using 
        or disclosing such information unless authorized by the 
        individual. Use or disclosure without informed consent should 
        be permitted only under exceptional circumstances--for example, 
        if a person's life is endangered, if there is a threat to the 
        public health, or if there is a compelling law enforcement 
        need. Disclosure of individually identifiable health 
        information for marketing or commercial purposes should never 
        be permitted without informed consent. Any time information is 
        used or disclosed it should be limited to the minimum amount 
        necessary for the use or disclosure.
    The best way to ensure true informed consent on the part of the 
consumer is to allow an individual to withhold consent for use or 
disclosure of medical information, and still allow that individual to 
receive medical services without penalty. As a practical matter, 
however, health care providers and plans often need personally 
identifiable health information in order to carry out the business of 
providing treatment to the individual or reimbursement to providers. 
Given that reality, the CCD Privacy Working Group has agreed that 
authorizations for such purposes may essentially be compelled from the 
consumer by conditioning the provision of treatment or payment on the 
receipt of such authorizations. A key requirement, however, is that the 
consumer must be permitted the option of self-paying, and thus be 
permitted to retain the right to halt disclosure to a third party payer 
in such circumstances.
    The Health Privacy Working Group similarly recognizes the practical 
requirements with regard to treatment and payment, but also recognizes 
another group of activities termed ``core business functions.'' The 
Working Group agreed on the following approach:
        The Working Group agreed that, as a general rule, patient 
        authorization should be obtained prior to disclosure. At the 
        same time, patient information needs to be shared for 
        treatment, payment, and core business functions. The Working 
        Group agreed that the patient need only provide authorization 
        for these core, essential uses and disclosures once. 
        Furthermore, a health care organization can condition the 
        delivery of care or payment for care on receiving this Tier One 
        authorization. All other activities outside this core group 
        must be authorized separately by the patient and health care 
        services should not be conditioned on receiving this Tier Two 
        authorization. The Working Group also agreed that there are 
        additional, limited activities--such as public health reporting 
        and emergency circumstances--for which patient authorization 
        should not be required.\12\
---------------------------------------------------------------------------
    \12\ Best Principles, at 22. The Working Group also agreed that 
``where a patient self-pays, he or she can refuse to authorize 
disclosure to a payer.''
---------------------------------------------------------------------------
    Although the CCD Privacy Working Group has not issued a formal 
position on core business functions, we have stated that we find 
Senator Jeffords' proposed committee mark on this issue to represent a 
minimally acceptable bill. Senator Jeffords' bill is largely consistent 
with the consensus reached by the Health Privacy Working Group, 
although the bill uses a new term ``health care operations,'' rather 
than the better, more established term of ``core business functions.'' 
Nonetheless, given the definition of ``health care operations'' in the 
Jeffords bill, which establishes clear parameters for that term, the 
CCD Privacy Working Group is able to consider the Jeffords bill 
minimally acceptable in this area.
    By contrast, H.R. 2470 diverges from any previous bill (including 
the bill introduced by Senator Robert Bennett, the bill which H.R. 2470 
otherwise tracks in almost all respects), in rejecting the need for any 
authorization for use of protected health information in the areas of 
treatment, payment, open-ended health care operations, and health 
research. Instead of requiring an authorization, and instead of placing 
any real limits on the uses of personally-identifiable information in 
these four areas, H.R. 2470 offers the following simple, precatory 
language: ``An individual who furnishes protected health information in 
the context of obtaining health care or health care benefits has a 
justifiable expectation that such information will not be misused and 
that its confidentiality [will] be maintained.'' Sec. 202(a). While 
this language is a nice piece of privacy prose, given that this is a 
piece of legislation, we would like to trade the prose for some actual 
statutory protection. The only protection offered by H.R. 2470, buried 
in the definition of ``disclose,'' is that the use of protected health 
information shall not be considered a disclosure ``provided that the 
use is consistent with the purposes for which the information was 
lawfully obtained.'' In light of the fact that a plan or provider may 
establish essentially any purpose as a ``health care operation,'' this 
provides little solace to consumers.
    Some of the industry stakeholders may not have intended the drastic 
cut-back in privacy protection that results from this new section in 
H.R. 2470. (Certainly, the Health Privacy Working Group which had a 
significant representation from industry espoused no such view.) The 
catalyst for this new provision may well have been the confusion 
regarding the rules for use and disclosure that some industry 
stakeholders perceived in Senator Jeffords' committee mark. The CCD 
Privacy Working Group does not believe either consumers or industry 
benefit from confusion with regard to use and disclosure rules. Hence, 
we greatly appreciate the effort of the Health Privacy Working Group to 
forge both consensus and clarity in this area. But the manner in which 
H.R. 2470 has dealt with this issue is truly horrific. It has removed 
any confusion regarding use of protected health information by removing 
any real requirements on such use. That cannot be the appropriate 
public policy determination. It certainly is not the position our 54 
million members would recognize as a legitimate policy decision. We 
hope we can work with the committee to create a coherent and 
intelligent approach to issues of use and disclosure of protected 
health information.
F. Next of Kin and Directory Information
H.R. 2470
Sec. 204. Next of Kin and Directory Information
H.R. 1941
Sec. 307. Other Disclosures
    Although disclosures of protected health information should 
ordinarily occur only pursuant to an authorization (compelled or real) 
executed by the individual, there are circumstances in which we would 
like health care providers to be able to disclose relevant health 
information to a select group of individuals who have a close 
relationship with the person who is the subject of the information. In 
such cases, we want to ensure the individual has been notified of his 
or her right to object to such disclosures, but if such an objection 
has not been lodged, we would like to ensure the provider may disclose 
relevant, current information.
    Section 204 of H.R. 2470 essentially embodies this approach. As a 
technical matter, the section should refer to an ``individual 
representative'' as well, to include an individual who holds a power of 
attorney for another individual. In addition, the section should 
clarify that if a minor is legally permitted to receive a service 
without notifying his or her parent, that minor is also capable of 
lodging an objection to relaying protected health information regarding 
that service to the parent. (See discussion of minors below.)
G. Health Research
H.R. 2470
Sec. 208. Health Research
H.R. 1941
Sec. 304. Health Research
    The issue of health care research--and the ability of large private 
companies to continue to engage in research that uses personally 
identifiable health information without first obtaining the informed 
consent of the subjects of the information--has been one of the most 
contested battlegrounds in the development of federal privacy 
legislation. In one respect, this should come as no surprise, given the 
millions of dollars expended and recouped as profit through such 
research. The issue is complicated, however, by the mantra that ``all 
research is good,'' and an accompanying assumption that we should 
create no possible hindrances to the development of new horizons of 
knowledge.
    The CCD Privacy Working Group is acutely aware of the benefits of 
research. We are the ones that represent (and often are) the millions 
of people with disabilities who will benefit directly from public and 
private health research activities. Many people with disabilities live 
with conditions that are progressively debilitating, and, in some 
cases, fatal. Research leading to the development of new therapies or 
new habilitation and rehabilitation techniques can significantly 
enhance the quality of life for these individuals--as well as better 
ensure life itself. We want such research to proceed effectively and 
with full vigor.
    We believe, however, that the best federal privacy law is one that 
ensures research activities will go forward effectively, will create 
incentives for researchers to use nonidentifiable information whenever 
possible and appropriate, and will create structures that will best 
protect privacy whenever identifiable data is necessary for a research 
project. Our proposal to achieve this kind of federal privacy 
protection is straightforward. If a health researcher is dealing with 
live individuals, the researcher should obtain informed consent from 
these individuals, pursuant to an authorization section of federal 
privacy legislation, before using such individuals (or their medical 
information or specimens) in a research project. Delivery of treatment 
or payment for services should never be conditioned on the receipt of 
such an authorization.
    When research does not involve live human subjects, however, but 
rather involves medical records data or stored blood or tissue samples, 
it may not be feasible for a researcher to obtain the informed consent 
of the individuals who are the subject of the information. For example, 
some studies require researchers to review thousands of records for 
patients treated over a long period of time. In this instance, it would 
be quite difficult for a researcher to contact every individual whose 
medical records are contained in the database and ask for authorization 
to use their identifiable data.
    In such circumstances, we believe the researcher--whether that 
individual is using public funds or private funds for the research--
should consult with an institutional review board (IRB) to obtain a 
waiver of informed consent for those individuals whose protected health 
information will be used in the research project. We are well aware of 
the current limitations of the IRB system. Because the Common Rule that 
sets forth the guidelines for the IRB system was designed to focus on 
safety risks for human subjects, not on the confidentiality of data 
used in health research, the Common Rule currently provides little 
guidance for IRBs with respect to confidentiality. Thus, we believe a 
modification of the Common Rule would be necessary to ensure that 
informed consent and confidentiality standards are met by all research 
projects. Nevertheless, we believe it will be more efficient to modify 
the existing IRB structure rather than to attempt, through federal 
privacy legislation, to establish an entirely new oversight structure 
for confidentiality protections.
    Despite our support for the IRB system, we believe Section 304 of 
H.R. 1941, which does not necessarily contemplate using the entire IRB 
system, meets the basic principles CCD seeks to achieve in this area. 
Our main concerns are that there be an objective process by which a 
determination is made as to the need for identifiable information in 
the research project and as to the lack of feasibility in obtaining 
informed consent; that there be some accountability through government 
oversight of such determinations; and that there be a uniformity in 
decisions about when, and under what circumstances, to grant a waiver 
of informed consent. H.R. 1941 achieves these goals by requiring that 
protected health information may be disclosed without an authorization 
for health research ``only for uses that have been approved by an 
entity certified by the Secretary.'' Based on the Secretary's HIPAA 
recommendations, we can assume these entities will have some members 
who are not associated with the entity that wishes to conduct the 
research. Moreover, certification by the Secretary should allow for 
some opportunity for oversight, should potential problems arise. 
Finally, the determinations to be made by the entity (as set forth in 
the bill) can serve as the basis for uniform applications.
    By contrast, Section 208 of H.R. 2470 has no requirement for 
objective oversight of research projects, no allowance for 
accountability outside the private entity, and no uniform standard for 
determining when research may be allowed to proceed without obtaining 
informed consent.\13\ H.R. 2470 allows private entities that 
own ``protected health information previously created or collected'' by 
such entity (presumably, pharmacy management plans may be some of the 
largest repositories of such information) to disclose such protected 
health information to a health researcher as long as: 1) the research 
has been ``reviewed by a board, committee, or other group formally 
designated by such person to review research programs''; 2) the entity 
has an internal policy in place ``to assure the security and 
confidentiality of protected health information'' (this, of course, is 
already required under the safeguards section of the bill); 3) the 
entity enters into a written agreement with the recipient researcher 
``that specifies the permissible and impermissible uses of the 
protected health information''; and 4) the entity keeps a record of 
health researchers to whom the information has been disclosed.
---------------------------------------------------------------------------
    \13\ Of course, under section 202 of H.R. 2470, protected health 
information in the possession or control of a health provider or plan 
``shall be available for use in health research that is not 
inconsistent with the requirements of other applicable Federal laws.'' 
A plain reading of this provision is that if research is not otherwise 
governed by the Common Rule, a provider or plan may use protected 
health information for such research without even going through the 
minimal requirements of Section 208.
---------------------------------------------------------------------------
    All of these elements are certainly good, basic policies for any 
entity to have. It is striking, however, that the core elements that 
the Health Privacy Working Group--with its representation from both 
industry and research--identified as basic elements of privacy 
protection for research are completely absent from Section 208 of H.R. 
2470. Some members of the Working Group were clearly not in favor of 
requiring IRB approval for all research given the limitations of the 
current IRB system. As the report notes:
        Concerns with the current [IRB] were significant enough, 
        however, that members were open to using an alternate review 
        process in situations where IRB approval is not currently 
        required, if it could offer the same potential benefits of the 
        IRB system . . . Where IRB approval is not required . . . a 
        health care organization should have the option to either 1) 
        obtain IRB approval or 2) use an alternate process that 
        provides an equivalent level of review and accountability. 
        (emphasis added).
    As noted above, the position of the CCD Privacy Working Group is 
that IRB approval (assuming modification of the Common Rule) is the 
best approach. We are willing, however, to support a non-IRB approach 
that ``provides an equivalent level of review and accountability''--
assuming the promise of such a statement can truly be met. Section 208 
of H.R. 2470 is a far cry from meeting that promise.
H. Law Enforcement and Oversight
H.R. 2470
Sec. 210. Disclosure for Law Enforcement Purposes
Sec. 206. Oversight
H.R. 1941
Sec. 305. Law Enforcement
Sec. 302. Health Oversight
Sec. 308. Redisclosures
    Principle #9 of the Health Privacy Working Group is that ``health 
care organizations should not disclose personally identifiable health 
information to law enforcement officials, absent compulsory legal 
process, such as a warrant or court order.'' \14\ The Working 
Group recognized the situation is different when government officials 
have legally authorized access to information to engage in oversight 
and enforcement of the law. In those instances, the information 
obtained for oversight purposes should not be used against an 
individual patient in an action unrelated to the oversight.
---------------------------------------------------------------------------
    \14\ Best Principles, at 39.
---------------------------------------------------------------------------
    Both H.R. 2470 and H.R. 1941 allow broad access for oversight 
purposes relating to health care fraud, or for accrediting purposes. 
Both bills, however, also ensure that protected health information 
about an individual that is disclosed during such actions may only be 
used against the individual in an action that is related to health care 
fraud.
    With regard to law enforcement, H.R. 1941 presents a simple, yet 
elegant solution to the question of what type of legal process we 
should expect from our law enforcement officials. Section 305(a) states 
that protected health information may be disclosed to a law enforcement 
official ``if the law enforcement official complies with the fourth 
amendment to the Constitution.'' Section 305(b) then explains that, in 
terms of applying the fourth amendment, ``all protected health 
information shall be treated as if it were held in a home over which 
the protected individual has exclusive authority.'' In practice, this 
means a person's health information will be provided the same level of 
fourth amendment protection that a person's private suitcase would get 
were it sitting in a closet at the person's home. Law enforcement 
officials who wish to seize or search the suitcase must either receive 
the person's consent, or obtain a warrant. Similarly, if a law 
enforcement official wishes to seize or search an individual's 
protected health information, that official should either obtain the 
individual's consent or obtain a warrant.
    Section 210 of H.R. 2470 goes some distance in requiring there be 
adequate legal process before law enforcement officials may search and 
seize protected health information. Unfortunately, allowing an 
``administrative subpoena or summons'' to be sufficient to allow 
disclosure to law enforcement officials is extremely problematic given 
the lack of any real process or standards used in executing such 
summons. The reference to those documents should be deleted.
I. Individual Representatives
H.R. 2470
Sec. 212. Individual Representatives
H.R. 1941
Sec. 401. Specific Classes of Individuals
    These sections of the two bills should not be controversial, but 
for the question of how and when parents may exercise the rights of 
their minor children under this law. The policy of the CCD Privacy 
Working Group is as follows. In most cases, we expect and want parents 
to exercise all the rights of their minor children under this Act. 
These include the right to authorize disclosures, access information, 
and sue on behalf of their minor children.
    There are limited circumstances in which we believe the minor child 
has the sole right to exercise the rights provided by the Act. These 
rare circumstances exist when the minor may legally obtain a medical 
service without informing his or her parents of the receipt of such 
service, and where a provider is available who is willing to provide 
such a service to the minor. These limited circumstances tend to arise 
in medical services that deal with: reproductive health (contraception; 
abortion); mental health counseling; substance abuse treatment; and 
treatment for sexually transmitted diseases. Some states have passed 
laws that provide minors the right to access particular services on 
their own; in other states, common law or constitutional law provides a 
similar right to the minor. Whatever the source of the legal right, the 
CCD Working Group believes that if a minor has the right to access a 
service on his or her own, that minor also must have the right to 
control the flow of the protected health information generated through 
that service.
    The CCD Privacy Working Group also believes it is not appropriate 
for a federal privacy law to upset state laws that may constrain the 
ability of a minor to access services on his or her own. For example, 
many states require that a minor must inform one parent before 
obtaining an abortion. (To meet constitutional requirements, these 
states also provide for a ``judicial bypass'' of this notification 
requirement under certain circumstances.) The federal privacy bill 
should not undermine the state law by allowing a minor to withhold 
information about the abortion from the one parent. For that reason, it 
is important that the bill provide that where a minor may legally 
obtain a service acting on her or his own, then (and only then) may the 
minor exercise sole rights under the Act.
    Section 212 of H.R. 2470 states simply that ``the rights of minors 
under this Act shall be exercised by a parent, the minor or other 
person as provided under applicable state law.'' This sentence is 
completely ambiguous on the question of whether a parent may exercise 
her right to access her child's medical records, in a case where the 
child does not desire the parent to have such access--and the state has 
determined the child may legally obtain the medical service without 
informing the parent. As a matter of preserving the state's decision 
making (as reflected in its statutory, common law, and constitutional 
law), the federal law should not be permitted to trump the state's 
determination on the minor's autonomy. The ambiguity in section 212 
needs to be clarified to ensure that the status quo is maintained in 
the various states on the issue of minors' rights.
J. Remedies
H.R. 2470
Sec. 301. Wrongful Disclosure of Protected Health Information
Sec. 311. Civil Penalty Violation
Sec. 312. Procedures for Imposition of Penalties
Sec. 313. Enforcement by State Insurance Commissioners
H.R. 1914
Sec. 502. Enforcement
    One of the principles of both the CCD Privacy Working Group and the 
Consumer Coalition for Health Privacy is as follows:
        Federal legislation should establish strong and effective 
        remedies for violations of privacy protections. Remedies should 
        include a private right of action, as well as civil penalties 
        and criminal sanctions where appropriate.
    It is a truism that a right without a remedy is no right at all. 
One of the most glaring faults in H.R. 2470 is the absence of any 
private right of action on behalf of ordinary citizens in this country. 
Every other piece of privacy legislation passed by Congress--whether it 
covers banks, credit reporting, video rentals, or communications--
allows private citizens to sue in court when they have been aggrieved 
by a violation of the statute.\15\ Indeed, this is a basic 
hallmark of a range of legislation passed by Congress.
---------------------------------------------------------------------------
    \15\ See Fair Credit Reporting Act of 1970; Right to Financial 
Privacy Act of 1978; Cable Communications Policy Act of 1984; 
Electronic Communications Privacy Act of 1986; Video Privacy Act of 
1988.
---------------------------------------------------------------------------
    There is a good, practical reason why Congress--in a range of 
laws--has deputized ``private attorney generals'' by allowing 
individual citizens to sue when violations of laws have occurred. One 
of the goals of legislation is often to make a societal impact on a 
particular problem. For example, one of the goals of federal privacy 
legislation is to change the norms by which various stakeholders 
operate. Instead of having entities assume a project will always be 
implemented with the use of personally identifiable health information, 
we want all entities to ``stop, think, and justify'' before they use 
identifiable data.
    The best way to ensure that entities experience an obligation to 
learn and comply with the law, and the best way to ensure that 
individuals who have been aggrieved by a violation of the law are made 
whole, is to provide individuals the opportunity to file a suit in 
court, prove their case, receive damages for harm suffered, and recoup 
attorney's fees if they prevail. Anything short of such a scheme will 
create a law that may (possibly) look good on paper, but will do little 
to help real people across the country.
K. Preemption
H.R. 2470
Sec. 401. Relationship to Other Laws
H.R. 1914
Sec. 503. Relationship to Other Laws
    One of the final principles of both the CCD Privacy Working Group 
and the Consumer Coalition for Health Privacy concerns the issue of 
preemption. As both coalitions note:
        Federal legislation should provide a floor for the protection 
        of individual privacy rights, not a ceiling. Like all other 
        federal civil rights and privacy laws, federal privacy 
        legislation for health information should set the minimum 
        acceptable standard. Federal legislation should not pre-empt 
        any other federal or state law or regulation that is more 
        protective of an individual's right to privacy of or access to 
        individually identifiable health information.
    Of all issues, this has been one of the most fiercely fought during 
the legislative process. Consumer groups, including the CCD Privacy 
Working Group, have stated vehemently that states must be provided the 
opportunity to continue to explore ways in which to better protect the 
privacy of medical information in their particular states. Most 
industry stakeholders have just as vehemently argued that they need (or 
at the very least, that they very much want) the ease of complete 
uniformity that sweeping federal preemption of state laws can provide 
them.
    Given the perceived intractability of both sides on this issue, it 
is surprising that the beginnings of a compromise on this issue had 
begun to be developed through Senator Jeffords' proposed committee 
mark. Under this approach, all existing state laws dealing with privacy 
of medical information would remain in place. For state laws enacted 
after passage of the federal law, however, those that dealt with access 
and amendment of information, authorizations for treatment, payment, 
and health care operations, and research would be preempted. The only 
exception would be for future state laws dealing with mental health.
    While this compromise approach leaves both consumer groups and 
industry groups wanting something closer to their original stance, the 
only remaining issue in contention in this compromise concerns the 
status of future public health laws. As soon as that issue is resolved, 
there should exist a minimally acceptable compromise on preemption that 
all stakeholders can accept. That would be a truly miraculous result. 
Given how close we are to a compromise, it is truly unfortunate that 
H.R. 2470 returns to an old version of sweeping preemption that is 
disrespectful of the states and their citizens, that is unnecessary for 
the purpose of allowing industry to engage in effective business 
practices, and that will have a potential host of unintended adverse 
consequences that will put the adverse, unintended consequences of 
ERISA preemption to shame.
                            iii. conclusion
    Congress has spent twenty years thinking about, and sporadically 
working on, legislation to protect the privacy of medical information. 
This is clearly an issue that resonates with the American people: 
people are concerned that there is a lack of strong, clear privacy 
protection with regard to some of their most sensitive medical 
information.
    Although work on a federal privacy bill has proceeded for over 
twenty years, there is a sense of possibility and momentum now. 
Congress knows if it does not act to pass privacy legislation in the 
near future, the Secretary of HHS will step into the gap with 
regulations that will address a range of the privacy issues. But there 
is no reason for Congress not to act--assuming it builds intelligently 
on the consensus that has developed over time among the various 
stakeholders in the debate.
    The CCD Privacy Working Group urges this Committee to build on and 
strengthen the consensus that currently exists in the area of medical 
privacy legislation. In particular, we urge you to seriously study both 
Senator Jeffords' proposed committee mark and the newly-released 
report from the Health Privacy Working Group. The CCD Privacy Working 
Group does not agree with all elements of Senator Jeffords' draft--
significant issues regarding minors, the private right of action, and 
future preemption of public health laws all remain to be resolved. Yet 
that list of major concerns is significantly shorter than the list of 
major concerns we have with H.R. 2470. Moreover, there are other 
elements of Senator Jeffords' proposed mark that do not conform to our 
principles, but which we are willing to accept in the spirit of 
compromise. We would urge this committee to build on the compromises 
that have been accepted thus far by both consumer groups and industry 
groups, and help draft a bill that can be endorsed by a bipartisan 
group of Members and a wide spectrum of interested stakeholders.

    Mr. Bilirakis. Thank you, ma'am.
    Well, I guess you have certainly verified the complexity of 
this entire issue. Let me just try to get a little basic here.
    Dr. Norwood, of course, brought up the point of the flow of 
information across State lines, and I may or may not be able to 
get to that, but he or someone else will I suppose. That is 
very important.
    Let me go to Mr. Nielsen. What would be the implications 
of, for example a real practical situation, female breast 
cancer patients being able to remove their patient information 
from a data base that tracks breast cancer treatment outcomes? 
I will make this a three-prong question: Would this incomplete 
information--and I think we would all agree it would be 
incomplete information--not only affect that individual patient 
who removed her information but all future victims of breast 
cancer as well because they would not be able to benefit from 
scientifically sound outcomes and research? And going further, 
if restrictions were put in place as per the Markey-Waxman 
confidentiality bills, et cetera, what would that do to your 
ability to provide disease management programs like Justin's?
    Mr. Nielsen. Thank you, Mr. Chairman. Let me answer it 
generally first.
    What you are describing is the oft-commented-on issue of 
opt-outs, with the ability of patients to direct the content of 
their medical record. We don't like that. We don't think it is 
in the best interest of patients. Rather than have opt-out 
provisions or something of that nature, we think bills that 
protect the privacy through strong penalties, through the 
requirement that entities deal with this internally through 
strong policies that protect privacy is by far the better 
answer.
    To be responsive to your question, the particularities of 
your question, if those kinds of opt-out provisions were 
present, our ability to comprehensively do disease management, 
to comprehensively, adequately care for patients so that 
physicians had the full ability to know what a patient's 
condition is would be significantly compromised.
    I think Dr. Tang would agree with that and perhaps ought to 
address the question, too.
    Mr. Bilirakis. Dr. Tang.
    Mr. Tang. I will be happy to. I think opt-out causes two 
levels of harm, one is to the patient and the other is to the 
rest of us.
    Mr. Bilirakis. That goes with my question, right.
    Mr. Tang. So the harm to the patient is, just as Mr. 
Nielsen mentioned, it is very hard to take care of a patient 
without complete information. For example, if one of the carve-
outs was psychiatric information, what if I didn't know the 
psychiatric medication this patient was on and am about to 
prescribe something to which there would be an interaction, or 
what if the patient was on a psychiatric medication whose side 
effect was cardiac arrhythmias and that is what I am trying to 
treat.
    For the rest of us, I might have an anecdote about Laetrile 
from maybe the early 1980's. Laetrile had a particularly nasty 
side effect, death, and we didn't have any randomized 
controlled trials, so we had voluntary reporting. So let us say 
we had several patients taking Laetrile and the ones who died 
didn't actually get to report their outcomes. Our data base--in 
a sense, they had been opted out--would be biased in favor of 
not having those serious side effects show up. Now, that is an 
extreme example, but in an ongoing way, we would like to 
measure the outcomes of all our interventions, new and old, and 
if some people opt out, we will be deprived of that 
information, and that will hurt everyone, including people like 
Justin.
    Mr. Bilirakis. Ms. Feldblum, comment?
    Ms. Feldblum. This is exactly the conversation we had among 
the disability folks, which is why we are seeing--as a 
minimally acceptable bill, we are willing to support over in 
the Senate side the Jeffords committee mark. Under that bill, 
there is essentially a compelled authorization for treatment. 
Okay. You have to sign the authorization in order to get 
treatment, and treatment includes disease management. Now, it 
is disease management for the individual, but there is no opt-
out capacity. We are not opposing the bill because we can't opt 
out because of exactly all of these issues.
    What we have been concerned about and therefore what is of 
concern with 2470 is that in the definition of health care 
operations there is a lot more than just disease management, 
and so the key thing really for us in terms of comfort level is 
to make sure that the parameters of what are in the compelled 
authorization are known to us ahead of time so that we can, in 
fact, have this conversation. And I think the industry 
understandably, you know, understood the need for the 
parameters. We understood their need that who knows what is 
going to happen 10 years from now in terms of some activity, 
and so an additional piece was added in to say that the 
Secretary could add in activities to health care operations 
after notice and comment, so you weren't freezing it in 1999.
    So I don't think we have got a disagreement on the 
principle here. We still have a problem with one word in the 
bill.
    Mr. Bilirakis. Yes, Doctor.
    Mr. Appelbaum. Mr. Chairman, on this opt-out issue, it 
seems to me that part of this issue is real and part is a red 
herring. The disease management piece of this seems to me to be 
a red herring. Disease management can't take place without the 
cooperation of the patient. If Justin weren't willing to log on 
every day, there would be no disease management, and so a 
requirement that patients give consent before disease 
management is initiated would have no effect whatsoever on its 
efficacy.
    As far as large-scale data bases are concerned and the 
possibility of patients ultimately benefiting from the 
information that they put into those data bases, that is a real 
issue, but in our system we have always allowed patients to 
make the choice for themselves, even the choice whether or not 
to accept care, even if refusal of care would ultimately lead 
to their harm; and similarly, we would argue that patients 
should continue to have the right to determine whether or not 
these kinds of benefits are the benefits that they want with 
their medical record information, or for whatever reason they 
choose to opt out of that, they should have the right to 
do so.
    Mr. Bilirakis. Do you have anything to add to this, Ms. 
Pawlak?
    Ms. Pawlak. From a patient standpoint, if 9 years ago when 
my husband signed up with his medical insurance I had been 
given the option of checking off a little box to opt out, I can 
just about guarantee I probably would have. That could have had 
terrible consequences for us down the line when Justin was 
diagnosed with a disease that we did not know about.
    No one knows the future. He was diagnosed with the disease. 
We would not have had available to us the things that have been 
made available to us and the improvement in his basic health 
that has been made available, because his medical history of 
having asthma was available to someone who had a program that 
could help us.
    We don't know the future. Basically, I would hate to think 
that through lack of knowledge, I had closed any doors. I would 
prefer to leave the doors open so that further down the line 
when something came up, I was able to participate and my 
information was there for somebody who had more knowledge than 
me to be able to see it.
    Mr. Bilirakis. You put it well.
    Health care operations, Ms. Feldblum particularly 
emphasized that.
    Mr. Nielsen, what is your definition of that? Do you define 
it the same way?
    Mr. Nielsen. Well, I am not frightened by the definition. I 
mean, I think clearly what Ms. Feldblum has indicated in terms 
of word-smithing the definition, I think we would be willing 
certainly to entertain that, but as I look at the definition, I 
think from a statutory construction point of view, the word 
``including'' indicates that this list of operations is in fact 
inclusive.
    Most, if not all--and let me say all of them, in my view, 
are well understood in the industry; I think we know what we 
are talking about. Anything that goes beyond those, unless you 
have patient consent, is going to be prohibited and going to be 
subject to sanctions. Health care entities' health plans have 
to do certain operational kinds of things. They can do and they 
should do the sort of disease management, that has just been 
testified to, that saves lives. I mean, we are talking about 
enacting kinds of procedures that are going to save lives, that 
are going to enormously improve the health care delivery of 
this country. We ought not to foreclose the ability to do that 
and even protect people against themselves.
    Mr. Bilirakis. Thank you, sir. My time is up.
    Mr. Brown.
    Mr. Brown. Thank you, Mr. Chairman, and I want to follow up 
on Mr. Nielsen's statement and Ms. Feldblum's energized 
testimony, if you will.
    First of all, Mr. Chairman, if I could, I would like to ask 
unanimous consent to enter Mr. Dingell's statement in the 
record and any other members' statements.
    Mr. Bilirakis. Without objection, the opening statements of 
all members of the committee are made a part of the record.
    Mr. Brown. Thank you, Mr. Chairman. Also, a letter to you 
and to me from the National Conference of State Legislatures on 
the State preemption issue.
    Mr. Bilirakis. Without objection.
    [The information referred to follows:]

                  National Conference of State Legislatures
                                                      July 14, 1999
The Honorable Michael Bilirakis
Chairman
Health and Environment Subcommittee
U.S. House of Representatives
Washington, D.C. 20515

The Honorable Sherrod Brown
Ranking Member
Health and Environment Subcommittee
U.S. House of Representatives
Washington, D.C. 20515
    Dear Representative Bilirakis and Representative Brown: On behalf 
of the National Conference of State Legislatures (NCSL), I would like 
to take this opportunity to comment on proposals regarding medical 
records confidentiality.
    NCSL firmly believes that states should regulate insurance. We 
oppose preemption of state law, but we understand the desire to 
establish a minimum standard in this area given that health information 
is transmitted across state and national boundaries. We also realize 
that Congress must enact privacy legislation by August 21, 1999, as set 
forth by the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), and we recognize that all of the current approaches set 
some type of federal standard. Given these factors, we believe that the 
privacy of health information is one of the few areas where it is 
appropriate for the federal government to set a minimum standard. 
Federal medical records confidentiality legislation should provide 
every American with a basic set of rights regarding their health 
information. These federal standards, in concert with state law, should 
be cumulative, providing the maximum protection for our citizens. Our 
mutual goal should be that not one individual's health information 
is more vulnerable under federal law, than it was without it.
Preemption of State Law
    Federal legislation should establish basic consumer rights and 
should only preempt state laws that are less protective than the 
federal standard. Unfortunately many of the proposals pending before 
Congress take a different approach.
    NCSL is particularly concerned about proposals that would preempt 
all state laws ``relating to'' medical records privacy. The universe of 
state laws relating to medical records confidentiality is extremely 
large and is spread across a state's legal code. For example, state 
laws regarding medical records confidentiality can be found in the 
sections of a state's code regarding: health, education, juvenile 
justice, criminal code, civil procedure, family law, labor and 
employment law. There is currently no compendium of state 
confidentiality laws. NCSL continues to work with Georgetown University 
where a major effort to produce such a compendium is underway. A 
blanket preemption of state law is virtually the same as throwing the 
baby out with the bath water.
    Should Congress seek to pass federal medical record confidentiality 
legislation, NCSL firmly believes it should: (1) grandfather existing 
state confidentiality laws; (2) narrowly and specifically define the 
scope of the preemption, preserving issues not addressed in the federal 
proposal for state action; and (3) permit and encourage states to enact 
legislation that provides additional protections. If states are 
precluded in some general way from taking action in specific areas, 
there must be a mechanism for a state legislature to act if federal 
legislation adversely impacts the citizens in the state due to a 
technical error or to unintended consequences based on state-specific 
conditions.
    Some proposals attempt to address the preemption issue through the 
inclusion of state legislative ``carve outs.'' This approach attempts 
to identify all the areas that states would be permitted to continue to 
enact legislation. While well-intended, there is no way for states to 
know the full extent and impact of the preemption and carve-outs until 
the federal law has been implemented. NCSL and the National Association 
of Insurance Commissioners (NAIC) recommend that states be allowed to 
continue to legislate and regulate in any area that is not specifically 
addressed in the federal legislation. Below is language jointly 
supported by NCSL and NAIC:
        Nothing in this Act shall be construed as preempting, 
        superseding, or repealing, explicitly or implicitly, any 
        provision of state law or regulation currently in effect or 
        enacted in the future that establishes, implements, or 
        continues in effect, any standard or requirement relating to 
        the privacy of protected health information, if such laws or 
        regulations provide protections for the rights of individuals 
        to the privacy of, and access to, their health information that 
        are at least as protective of the privacy of protected health 
        information as those protections provided for under this Act. 
        Any state laws or regulations governing the privacy of health 
        information or health-related information that are not 
        contemplated by this Act, shall not be preempted. Federal law 
        shall not occupy the field of privacy protection. The 
        appropriate federal authority shall promulgate regulations 
        whereby states can measure their laws and regulations against 
        the federal standard.
Current State Legislative Activity
    Since January 1999, 26 states have enacted laws regarding medical 
records confidentiality. Montana enacted comprehensive legislation 
addressing the activities of insurers and North Dakota enacted 
legislation that established comprehensive public health 
confidentiality standards. After years of debate, Hawaii enacted a 
comprehensive law that sets standards for the use and disclosure of 
both public and private health information. Most states enacted 
legislation building on existing state law or legislation focused on a 
specific issue. Six laws, addressing a wide variety of medical records 
privacy concerns, were enacted in Virginia during the 1999 legislative 
session. Other states that enacted legislation this year are: Arkansas, 
Colorado, Connecticut, Georgia, Idaho, Indiana, Iowa, Louisiana, Maine, 
Mississippi, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, South 
Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia and 
Wyoming.
    Several of these new laws address issues that are not addressed in 
many of the federal proposals. For example, many states have laws 
establishing strict confidentiality standards for medical information 
in the possession of employers. These laws would make records from 
employee assistance programs (EAP) and workplace drug-testing results, 
protected health care information, subject to strict disclosure and 
reporting requirements. Several states have laws that set limits on how 
much a health care provider can charge an individual to make copies of 
their medical records. These laws, designed to help assure access, 
regardless of income, would be preempted under some proposals. These 
are but a few examples that illustrate both the breadth and complexity 
of the preemption issue.
    I thank you for this opportunity to share the perspective of NCSL 
on this very important issue and look forward to working with you and 
your colleagues over the next several months to develop a consensus 
approval that will provide basic medical records privacy protections 
for all Americans.
            Sincerely,
                                              William Pound
      Executive Director, National Conference of State Legislatures
cc: Representative Thomas J. Bliley, Jr.,
   Representative John D. Dingell,
   Members, House Commerce Subcommittee on Health and Environment

    Mr. Brown. The issue of health care operations, Ms. 
Feldblum, in understanding that 2470 allows for disclosure 
without a person's authorization for those health care 
operations, and I am as concerned as you are about the 
definition and activities it includes and that it lists that 
and not the activities that it excludes. Talk to me about some 
of those.
    It seems that because of the language, marketing 
activities, do they fall under this definition, insurance 
writing, insurance underwriting, employer use other than 
treatment and payment? What other kinds of activities might 
that include?
    Ms. Feldblum. Actually, the activities that are listed in 
the bill would not include sending something to an employer. It 
would not include sending something from marketing. I mean, Mr. 
Nielsen is correct when he says those are words, that he knows 
that this is what industry does and, if he is correct, that 
this is all that health care operations should be, then I think 
this is something that consumers unfortunately may need to live 
with in a bill. In other words, all of the principles from CCD 
are, if you are going to compel our authorization for 
something, it should be for treatment for us and for payment 
for us, because that is sort of how you are thinking consumer-
wise.
    The group that Mr. Nielsen was a part of that the 
Georgetown Health Privacy Project put together says you also 
need sometimes to compel authorization for core business 
functions, things that consumers may not be thinking about. 
Where we have come to in the terms of the CCD privacy working 
group is acknowledging that there are some core business 
functions, but that marketing is not one of them, giving 
information to employers is not one of them and that the things 
that are listed here, with the sole exception of health care 
education, which we have some concerns with, are things which 
if these were the only things that were compelled from the 
authorization, we could live with in the same way that we are 
living with it on a Senate bill that we are not opposing.
    So the whole conversation here about disease management is 
really, I don't think, quite relevant.
    The only issue really about disease management is about 
medicine compliance programs. When you have got a disease that 
is more stigmatized, HIV, mental health, do you want to get the 
letter or the phone call about ``Did you take your medicine'' 
without anyone asking you, ``Did you want to be part of that 
program''?
    So health care operations, the things that are here are not 
a problem so long as it becomes truly exclusive, and it is not 
enough to say, ``I read it as inclusive'' when the language 
says otherwise.
    The bigger problem that H.R. 2470 did--and we have never 
seen this before; this is as of 2 days ago--is create this idea 
of use, create this idea of use, and say that if the health 
plan has some protected health information, it has it, if it 
uses it for treatment, payment, health care operations or 
research, that is it. There are no other limitations. All the 
limitations of the bill that apply to disclosures, accounting 
for disclosures, notice, safeguards, limit to the minimum 
amount necessary to achieve the purpose, all of those good 
rules don't apply anymore to use for treatment, payment, health 
care operations or research.
    I mean, you already have a problem with how health care 
operations are defined. One can fix that with one word. You 
have to fix this new idea of use. And I understand where he was 
coming from, but, boy, the result is truly bad.
    Mr. Brown. So backing off--we are going back to health care 
operations for a moment and then exploring use perhaps later--
we can fix that by specifically excluding marketing, excluding 
employer use beyond payment. We can generally fix that language 
similar to the way it is in the Condit bill, and also 
suggesting, maybe giving authority to HHS to explicitly down 
the road promulgate regulations so that future activities will 
continue to exclude that?
    Ms. Feldblum. The main thing you need is to strike one word 
on line 18 on page 5. Doing that will mean that health care 
operations is only the things that you have listed, and you can 
pick up from the Condit-Waxman bill that describes the things 
that are not to be presumed as including. I don't think any 
lawyer would think they would be, but there is no reason not to 
make that clearer, and then in case there are future activities 
that might come up, you give the Secretary the authority to add 
those into his compelled authorization. That is how to fix 
health care operations. Then you move to the bigger problem of 
use.
    Mr. Nielsen. I think we are dealing with some semantical 
problems here. The way that I read this is that the list that 
is contained in the bill is in fact inclusive and it does 
provide those aspects that are permissible. It says nothing 
about marketing, for instance.
    Mr. Brown. So why would you not specifically--why would you 
not specifically then, if it is not so clear, make sure that it 
is clear and specifically exclude marketing and employees 
beyond that?
    Mr. Nielsen. I may not have a problem with that. The 
difficulty with the term ``marketing'' is what does it mean. Is 
that where for-profit hospitals or a plan is sending out 
reminders to do things which will clearly benefit them if the 
patient comes back? Is that marketing or are we talking about 
something more crass than that, where people are simply trying 
to reap competitive and commercial advantage. I don't have any 
significant problem with that kind of wordsmithing.
    Mr. Bilirakis. I thank the gentleman. Mr. Greenwood.
    Mr. Greenwood. I thank the chairman.
    I think that Ms. Feldblum is correct, that all of the 
matters--many of the matters that we have discussed so far are 
manageable. We will get to the commonality there. The tough 
ones include the preemptions. Let me take the action of 
preemption, and I would like to ask Mr. Nielsen to describe for 
us the importance of preemption and then I would like to ask 
Mr. Appelbaum, if he would, to describe how he would achieve 
his goal, which is not to have preemption, and satisfy whatever 
you think is legitimate about what Mr. Nielsen would describe 
as the needs for preemption.
    Mr. Nielsen. I have been at this for 3 1/2 years now, and 
what we have diligently tried to do is to fill the void that 
currently exists in the dearth of privacy protections that 
exist in this country. Granted, there are some States that are 
far in advance of others, but a lot of States, maybe even the 
majority of them have no legislation whatever.
    Mr. Greenwood. And those that do don't cover the ERISA.
    Mr. Nielsen. That is correct. It is beyond the scope of 
State regulation. What we are trying to do is achieve some sort 
of national standard that will guide and direct privacy 
throughout this country. It doesn't seem to me that privacy 
considerations in Oregon and California are any different than 
they are in New York and New Jersey. We are all Americans. We 
all share the same heritage and we all ought to have our 
records protected uniformly.
    Now from a pragmatic standpoint, and we are an example but 
not an extreme example, we serve patients in three States. We 
serve a lot of patients in Utah that come from southeastern 
Idaho and southern portions of Wyoming. We need to deal with 
those States in a way that is consistent. If the different 
States have different privacy laws, it will be virtually--it 
will be extremely difficult, let me put it that way, to develop 
the kinds of data bases that we are doing unless those laws are 
consistent. The problem is significantly exacerbated here in 
the District, in the Northeast where you have a much greater 
concentration of people, where people live in one State and 
receive their health care in another.
    And in the case of the District, you know the example here. 
We ought not have the patchwork that currently exists and will 
exist if we don't have a national standard.
    One of the problems with some of the early iterations in 
the Jeffords compromise was that we ought to grandfather in all 
of the State laws, and then give the States an 18-month window 
of opportunity to enact laws. And after that everything is 
preempted by Federal law. That is an invitation for a rush to 
the State house for every State to enact privacy laws, and we 
are right back where we started. If we don't have a national 
standard, what are we doing here?
    Mr. Greenwood. You have heard those concerns about the 
practicality of moving data across States and the way that 
could affect the cost of health care, and every time you raise 
the cost of health care, you reduce accessibility. If you can 
tell us how we achieve your goal, which is to allow the State 
to not preempt the States, and meet Mr. Nielsen's goal, you win 
the prize.
    Mr. Appelbaum. You haven't told me what the prize is going 
to be.
    Mr. Greenwood. I haven't heard your response yet.
    Mr. Appelbaum. Mr. Greenwood, Federal legislation in any 
area is an awkward and slow-moving way of achieving change, and 
this area demonstrates that.
    I think our concerns are not that there might not need to 
be in some areas, and regulation of ERISA plans is one example, 
some consistent Federal legislation because it is the only way 
to get at some piece of the problem. Our concerns deal with a 
blanket preemption of State laws in all areas where it is 
unnecessary to achieve that change. Such preemption, it seems 
to us, would decrease or eliminate the ability of States to 
experiment in this area, would decrease the adaptability to 
local needs.
    Mr. Greenwood. I think you are speaking a little more 
theoretically than I had hoped for. You referenced the result 
that safeguards would be unnecessarily removed. Can you give us 
an example of what would be unnecessary, in terms of removing a 
State law, to fulfill Mr. Nielsen's articulated needs to move 
information across State lines and serve people across State 
lines without a complete mish-mash of regulations?
    Mr. Appelbaum. Sure. We serve people in central 
Massachusetts from northern Connecticut, from Rhode Island and 
southern New Hampshire. Our laws are the Commonwealth of 
Massachusetts. The laws that govern our operations affect the 
jurisdiction in which we exist and work. There is no confusion 
about which laws we have to follow and no problems with moving 
information to--in the current system, moving information to 
primary care physicians in these other States.
    I have yet to see any clear documentation that these 
problems that are alluded to actually exist as problems, 
because in my day-to-day experience they don't. You asked for a 
concrete example. In Ohio, for example, there is a statute that 
says that the medical records of a patient are the property and 
creation of the physician or the caregiver and that the 
physician or caregiver has the discretion to release the 
records in whole when a request comes in or to craft some more 
limited disclosure of information.
    That legislation was recently relied on in Ohio to reject a 
policy of managed care companies that were managing workers' 
compensation disability benefits for complete copies of 
patients' psychiatric records, including their psychotherapy 
notes. That piece of legislation would be wiped out by a total 
preemption in a way that does not affect any of these broader 
needs which could be addressed by a more finely crafted bill.
    Mr. Bilirakis. Thank you. Mr. Waxman.
    Mr. Waxman. It seems one of the problems with States 
adopting different laws is that we do live in one country; but 
one of the reasons that States have adopted different laws is 
that we have no Federal standard. If we adopt a strong Federal 
standard, it seems to me there is no reason for States to want 
to adopt something that is weaker. They will accept this as a 
Federal standard. But if the States want to adopt something 
stronger, should we preclude them from doing so?
    Dr. Appelbaum, you talked about the Ohio case. Some States 
have adopted valuable patient protections like saying there 
should not be access to verbatim psychiatric notes, and some 
other States are also looking at that. Is losing those kinds of 
protections the kind of thing that you are worried about?
    Mr. Appelbaum. Yes. Here in the District of Columbia, for 
example, there is a local provision exactly along the lines 
that you are referring to, that prevents the mandatory 
disclosure to insurers of managed care companies of psychiatric 
records for purposes of utilization review. That spoke to a 
local need, a need that was not and would not be addressed by 
national legislation and a need that seems entirely legitimate.
    I think we agree with you completely that were we to be 
adopting or talking about adopting Federal legislation at an 
extremely high standard of protection of confidentiality, there 
would be no need to allow States to go beyond that, but that is 
not what we are talking about. We are talking about compromises 
of a variety of sorts, and given that situation, we think that 
it is important to allow the States to protect their citizens 
to a greater extent.
    Mr. Waxman. So it comes down to the question of whether we 
adopt the legislative compromise process something which would 
be a ceiling or which would be a floor. And if it is a floor, 
then I think most States will say that is where they are and 
they will accept it. But in some limited circumstances, States 
may feel that they want to go beyond it. The way that we 
approach it in the Condit-Waxman bill is to allow States to 
continue to enact stronger confidentiality protections.
    Ms. Feldblum, did you want to add something?
    Ms. Feldblum. I wanted to add, this is an example where 
the rhetoric is not matching up with the legal language. The 
rhetoric is that we are operating across all State lines and so 
we need uniformity. If you are in Massachusetts, you will do 
Massachusetts law, and in Vermont you do Vermont law. The only 
problem right now is if you are operating in 10 different 
States, you need to have your lawyer know those 10 different 
State laws. If you pass a Federal law, without saying a word 
about preemption, by the act of supremacy, you have created a 
uniform national standard. So whether you are in Connecticut, 
Vermont, Massachusetts, you look at that Federal law and that 
is your uniform standard and so you make it easier.
    Mr. Waxman. I think you are being very helpful. Let's get a 
strong Federal standard. I think that will be the law of the 
land in most circumstances, and rarely will States want to act, 
but we will give them the ability to act when they feel they 
need to.
    Moving to another topic, Mr. Nielsen, you are a member of 
this health privacy working group which released principles on 
which members reached agreement. One principle was that health 
care organizations should use an objective and balanced process 
to review the use and disclosure of personally identifiable 
health information for research. In contrast, the Greenwood 
medical records bill allows health care organizations to use an 
individual's health information for health research without the 
individual's consent and without any review process at all.
    Do you believe that the Greenwood approach that allows use 
of personally identifiable health information for health 
research without any review meets the health privacy principles 
requiring an objective and balanced process to review the use 
of information for research?
    Mr. Nielsen. Let me answer it this way if I might. And I 
can do that by best explaining to you what we do in our 
institution, which we think probably is the correct way. Let me 
address it first generally. We do not believe that all research 
ought to be Federalized, that is all governed by the Federal 
common rule concept.
    We have within our system, and I think the American 
Informatics Association recommends the same thing, a data review 
or access committee which is a committee that is specifically 
designed to review that gray area between what is required 
under the Federal common rule and that which is archival 
research or internal research or, for that matter, other kinds 
of health care operations that deal with the dissemination of 
health information. I think the establishment of those kinds of 
internal review committees is a very important concept, and 
perhaps one that ought to be included within legislation.
    But I want to emphasize that I do not believe that we ought 
to require that all kinds of internal operations that have to 
do with the use and disclosure of information and research 
that--where we are dealing with records that maybe isn't human 
subject research ought to be covered by a Federal IRB. It is 
just too cumbersome.
    Mr. Waxman. Is it going to be an independent review? I 
would like to have Ms. Feldblum comment on that. You in the 
working group seemed to reach a consensus, but I am worried 
that Mr. Greenwood's approach on this takes us backwards and 
may lead us to self-interested internal review that may not be 
sufficient protection or even as good as what we now have.
    Ms. Feldblum. Many of us believe that we should have the 
IRB system. John Nielsen is saying no. But that is not the 
question.
    The question is: Is there an independent equivalent review? 
There are two problems with H.R. 2470. One, in the research 
section, it is an internalized review system. It is unclear how 
you get the objectivity. So there is something that needs to be 
fixed in section 208 of the bill.
    Second, use for research, it makes it sound like you don't 
need to go through section 208 if you are using it for 
research, so there is not even the internal review. I can't 
believe that you meant to do the latter because why would you 
want to make section 208 of your bill superfluous, but you have 
done it with those legal words.
    Assuming you fix that mistake, section 208, how are you 
being consistent with what John Nielsen's group came up with, 
which is an equivalent--not IRB, they are very clear, they 
don't want it to be Federalized--but how about something that 
is more equivalent in terms of objective and balanced? I don't 
think that it is an insurmountable hurdle, but I think there 
needs to be some work to get there.
    Mr. Bilirakis. The gentleman's time has expired.
    Mr. Norwood.
    Mr. Norwood. Mr. Chairman, we started out understanding 
that this was complex, and this panel is of great interest to 
me. I have listened to them carefully and unfortunately I agree 
with all of them, at least on some parts of what they are 
saying. If I might, I want to find out about who you are a 
little better. That may help my understanding.
    Ms. Feldblum, if I ever need an advocate I want you to come 
work for me. At Georgetown University Law Center, how many 
lawyers are over there?
    Ms. Feldblum. We have about 95 faculty.
    Mr. Norwood. So, 95 lawyers?
    Ms. Feldblum. And we train about 600 a year.
    Mr. Norwood. How many are expert in health care policy?
    Ms. Feldblum. We have about 10. We have actually one of the 
strongest health faculties in the country.
    Mr. Norwood. Do you consider that center expert in all 
Federal legislation?
    Ms. Feldblum. Oh, no. There is a lot of Federal legislation 
that gets passed--we are the largest law school in the country 
so we probably have the greatest expanse of expertise, but I am 
sure that we still don't cover all areas.
    Mr. Norwood. You have made some very strong statements for 
which I tell you with all respect, I want you on my side. The 
problem with some of that is that if we were to put 100 lawyers 
in here, they would not agree with you at all. They wouldn't 
agree on anything, including the world is round, so we have to 
take what you are saying to us and be very careful with it, 
although you are very positive you are right.
    I am sitting here thinking that I know two or three lawyers 
at the University of Georgia who will not agree and be an 
advocate against it just as well. I appreciate and admire your 
strong feelings, but from our point of view we have to be 
careful with what you are saying just in case there is another 
lawyer or two that might disagree with how you phrased with 
what is wrong.
    So one of the things that I have learned up here, and I am 
proud I am not a lawyer, but I guarantee you this wordsmithing 
game is a game to let lawyers do anything they want to do and 
any bill they want to do it with in order to get done their 
agenda.
    Mr. Nielsen, are you an attorney?
    Mr. Nielsen. I am, sir.
    Mr. Norwood. I thought that probably was the case. Would 
you tell me a little bit about Intermountain Health Care?
    Mr. Nielsen. We were founded in 1975 when the Mormon Church 
divested itself of all of its hospital systems. They were 
determined to no longer be central to the mission, so a not-
for-profit corporation was founded in 1975 which included the 
essence of that former system, plus others.
    Mr. Norwood. Did you buy those hospitals?
    Mr. Nielsen. They were given to us and the company was 
formed with two goals. One, that no one should personally 
profit; and, second, that we should provide health care to 
anyone who needs it, irrespective of ability to pay.
    Mr. Norwood. How many physicians do you have?
    Mr. Nielsen. We employ 400-plus. Plus on the health plan, 
we have affiliated physicians of about 2,500 others.
    Mr. Norwood. Are they salaried positions when you say 
employed?
    Mr. Nielsen. They are.
    Mr. Norwood. When they see a patient and document care as 
well as health care history, who owns that information?
    Mr. Nielsen. Well, the record itself is the property of the 
institution. The information, of course, is the individual's. 
We have always maintained that they are free to access that 
information if they need it for any reason.
    Mr. Norwood. So that the paper it is written on belongs to 
you?
    Mr. Nielsen. That is correct.
    Mr. Norwood. But the information in there should belong to 
the patient?
    Mr. Nielsen. Sure.
    Mr. Norwood. With your 400 physicians--that information 
does belong to the patient. Why are you seeking that 
information in a central room somewhere with a big computer? 
Why do you want to compile all of that information that belongs 
to the patient, and what are you trying to get at by compiling 
it?
    Mr. Nielsen. We are attempting to establish a longitudinal 
data record of a patient's medical history that can be 
available to health care providers when they need it. For 
instance----
    Mr. Norwood. About why can't health care providers simply 
call up Dr. Jones and say, Listen, I am treating this patient; 
send me over the record?
    Mr. Nielsen. Because Dr. Jones may be out of town. Dr. 
Jones may not be able to be immediately contacted. Rather than 
that kind of archaic kind of process, we have it 
instantaneously available to the physician. And let me give you 
an instance. A person presents themselves at the emergency room 
with some unknown malady, maybe a drug reaction, maybe 
something more severe than that. The emergency room physician 
can pull up that medical record instantly, know exactly what 
the medical history of that person is, what drugs he or she may 
have been taking to avoid prescribing or treating that 
individual inappropriately.
    Mr. Norwood. Is there any other reason you want all of this 
information?
    Mr. Nielsen. You mean in a clinical setting or any setting?
    Mr. Norwood. In any circumstance? Is there any other reason 
besides good health care that you want all of this information 
on computer? How many patients do you guys see? How many is in 
your network?
    Mr. Nielsen. We have almost 1 million covered.
    Mr. Norwood. Is there any other reason you want that 
million patients and the health care information about them in 
your computer? And you are testifying before Congress, so 
careful here now; is there any other reason you want it?
    Mr. Nielsen. I can tell you, in all candor and honesty, our 
mission is to provide the very best possible health care to the 
people we serve and that statement would characterize why we 
are attempting to do what we are doing.
    Mr. Norwood. You are a lawyer. Try again. Is there any 
other reason why you want that information? Of course you want 
good health care for your patients. That is a given. Any other 
reason you want it?
    Mr. Nielsen. There is no other reason other than to provide 
optimal health care. Now, that can be in the context of 
clinical delivery, it can be what health plans do in terms of 
disease management. But ultimately the goal is to provide the 
very best health care possible and that is the only reason.
    Mr. Norwood. Of course. That is a given. Does it have 
anything to do with mathematical science? Do you favor outcomes 
as a way to help treat patients?
    Mr. Nielsen. Of course we do.
    Mr. Norwood. Now that is the other reason, isn't it?
    Mr. Nielsen. If what you are getting at in terms of keeping 
an eye on physician practices to determine if in fact 
physicians are utilizing the best practice protocols and so on, 
as we measure outcomes against practices, yes, we use it for 
that purpose.
    Mr. Norwood. I will tell you that is the best thing that 
you and all of managed care has done in this country today. You 
have taken a cottage industry and you have been able to put 
together mathematical results and outcomes and that is useful. 
The problem is, for the rest of us out there, we worry that you 
depend on that way too much and less on medical science and the 
art of medicine.
    Mr. Bilirakis. The gentleman's time has expired. Ms. Capps.
    Ms. Capps. Thank you, Mr. Chairman. I will continue with my 
colleague's going through the panelists to get, you know, 
better.
    Mr. Bilirakis. Ms. Capps, forgive me. We would like to get 
through this panel to give you the opportunity to go home and 
then we are going to break for an hour for lunch. I have a 
markup. Mr. Greenwood has a markup. And so when we say for 
lunch, it probably means that we won't be able to eat lunch, 
but we are going to break. I want to set a schedule for the 
benefit of the second panel so they can make their plans 
accordingly. I am sorry to interrupt.
    Ms. Capps. I know that the American Psychiatric Association 
feels strongly about privacy protections and I know that the 
House of Representatives passed a financial services bill, H.R. 
10, which contained medical records privacy protection. This 
bill was passed out of this very committee, and I would ask you 
to comment as you like on the medical records privacy 
protections in H.R. 10 and whether or not you believe this bill 
is adequate to protect patients.
    Mr. Appelbaum. As you know, we and 39 other medically 
related groups, including the American Medical Association, 
have expressed our concern about provisions in H.R. 10. This 
hearing demonstrates the complexity of this issue. To think 
that in their little more than a page of text, we might be able 
to implement confidentiality legislation that took all of these 
varying interests into account I think is a wonderful account 
but proved to be fruitless in its outcome.
    In its broad sweep, H.R. 10 does away with requirement for 
consent notification about the use of their information by the 
insurance industry. It opens those records up in a widespread 
way to access by law enforcement entities. It allows internal 
use of this information for such tasks as marketing and others 
that were not envisioned by the people who provided this 
information to their insurance companies. There are no 
regulations governing secondary disclosures of this 
information. Once turned over under the provisions of this law, 
it would be free to be utilized in any way imaginable or 
unimaginable by the recipient. It would also preempt State 
regulation in this area, much of which is much more restrictive 
and more protective of patients' interests. I think those 
encapsulate our concerns.
    Ms. Capps. And for me, that gives an urgency about this 
hearing and hopefully others that we will be having on this 
important topic.
    Just to allow your expertise to further enlighten us, I 
understand that you over at the University of Massachusetts, 
Department of Psychiatry--what kind of safeguards does your 
institution put in place to implement for privacy when you 
conduct research that we might learn from that?
    Mr. Appelbaum. All of our research is reviewed by our IRB 
under a general assurance that we provide to HHS regarding our 
research practices. We find this to be acceptable and a 
reasonable way of accommodating researchers' desires to gather 
data and patients' interests in privacy and protection of other 
sorts. As far as medical record information is concerned, our 
IRB, as I think most IRBs, uses a fairly straightforward 
approach.
    To the extent that information is being gathered 
prospectively and patients can be asked for their consent in 
advance, their consent is solicited. To the extent that we are 
talking about accessing large medical data bases which have 
already been collected and for which it would be impossible to 
obtain for secondary utilization, that consent is not required 
as long as researchers build in confidentiality protections of 
their data. That has proven very workable.
    And I might note that Mr. Nielsen's comments surprised me 
with the speed in which the value of a comprehensive Federal 
approach which covers the whole country disappeared as we moved 
from confidentiality legislation to protection of human 
subjects in research.
    Ms. Capps. So that might be an example for us to include in 
our legislation?
    Mr. Appelbaum. Absolutely.
    Ms. Capps. Are there others--would you feel that this would 
be a matter for preemption? That if we had this standard, that 
we could expect that this could be followed nationwide?
    Mr. Appelbaum. I would believe that this is a standard 
that could be followed nationwide and built on the existing 
common rule to which most research in this country already 
adheres.
    Ms. Capps. Thank you.
    Mr. Bilirakis. I thank the gentlelady. Mr. Burr, to 
inquire.
    Mr. Burr. I thank the chairman. How quickly the chairman 
cleared the room of members with his announcement of lunch.
    Let me go to another area and I really want to touch on 
what Mr. Waxman referred to. He suggested that it should be a 
Federal floor versus ceiling, and I will tell you that HHS 
couldn't define what they were doing as to whether it was a 
floor or a ceiling, and it has shifted as the debate has gone 
on, and so I know how that movement in the water feels, Ms. 
Feldblum.
    And he questioned should we limit States from having the 
ability for stronger standards? Let me suggest to you that the 
determining factor in that answer should be, does it affect the 
health of patients?
    I understand the group that you are in and I understand the 
group that you represent and I understand where you are coming 
from with the CRPs, and I understand from an industry 
standpoint the challenges that you are faced with. We have not 
concentrated much on the middle, but that is what the whole 
health care decision process should be based on, the human face 
right there.
    And the question is how do all of the things that each one 
of you have brought up, how does Mr. Greenwood's bill and how 
does Mr. Markey's bill affect Justin? And that is really what I 
want to deal with because, Mr. Appelbaum, you have talked about 
an opt-out, and that sounds very appealing to a patient, and I 
think you made a great statement that I would say I would do 
the same thing.
    If uninformed when you signed up for your health plan, do 
you want your information released or held? Ninety-nine percent 
of the people in this room would hold it. And we would have 
very little information to do our clinical research from and 
clearly that would affect the health of the American people.
    Is there a Federal need to talk about whether preemption is 
important? Yes, it is about the health of each individual 
patient, and that is one of the responsibilities for Congress. 
If not, we don't need to debate a patients' bill of rights or 
have a HCFA. There are a lot of entities that we can cut out, 
including the Food & Drug Administration, and the litany goes 
on and on.
    So let's go to the heart of the opt-out, if we could. You 
feel that individuals should have the ability to opt-out of any 
of their records being used? Is that a correct interpretation 
on my part?
    Mr. Appelbaum. Yes, we believe that individuals should 
have control over their medical record information and decide 
when it is disseminated and when it is not.
    Mr. Burr. Let me ask for a legal interpretation from Ms. 
Feldblum. If there is an opt-out like he describes, would a 
patient have the ability to opt-out from any of their records 
being shared with the FDA for the post-approval review of 
pharmaceuticals or medical devices?
    Ms. Feldblum. You would have to modify that law to allow 
the person to opt-out. There is no bill that I know of that is 
allowing patients to opt-out of having their information----
    Mr. Burr. I realize that. I am not on any of the bills. I 
am on some of the suggestions which have been made and I think 
the opt-out is one that--you are not the only one, Mr. 
Appelbaum, that have raised the individual power of the patient 
to say, I don't want my information to be shared, period, with 
anybody. An opt-out is fully opt-out or you opt in. You either 
share it or you don't.
    My question is, under that from a legal standpoint, would 
that patient's information be illegal to be shared with the FDA 
who is federally charged with the responsibility to look at 
pharmaceuticals and medical devices after the approval period 
to determine whether there are adverse effects on health that 
may materialize from a larger tested population?
    Ms. Feldblum. If you wanted that also to be illegal, you 
would have to amend that.
    Mr. Burr. We would have to amend it.
    Ms. Feldblum. You could not repeal the FDA law by 
implication by allowing someone to opt-out.
    Mr. Burr. So how many places, if we did an opt-out, would 
we have to go back and change the bill to allow a valuable 
piece of information to be accessed when a person doesn't want 
it, because it is in the public interest and the public health 
interest versus the individual's choice up front?
    Ms. Feldblum. That is one of the reasons that we are not 
suggesting that as a matter of policy.
    I thought your point about preemption, the way to answer 
the question is to say how does it affect the individual person 
is the best way to think about the question. Not convenience, 
not what is easier, but what is better for the patient.
    And it seems to me that the first thing that is good for 
the patient is for Congress to do what it hasn't done for 20 
years, which is pass a uniform national standard of privacy so 
that it doesn't matter whether you live in Kentucky or 
Massachusetts as to what your protections are. Then the second 
thing you should do if you care about the patient is if a State 
has decided that there is a particular problem that they have 
discovered that they want to legislate on for a particular 
person----
    Mr. Burr. What if it is you coming to Congress saying we 
have determined something that ought to be Federal? Are we 
going to start raising the bar? Part of the system is the 
unpredictability of legislation as it relates to health care 
policy.
    Ms. Feldblum. Nothing precludes you passing a Federal 
privacy law now, and 5 years from now somebody saying there is 
something else that should be done on a Federal level. The 
whole point about the States being the laboratories of 
experiments--it is better if you do it--and over the 5 years 
you discover that you were not completely brilliant, there is 
something you forgot, this way you leave an option for the 
States to fill in on the gaps, and you may decide 5 years later 
that you want to do it for the rest of the country.
    Mr. Bilirakis. The gentleman's time has expired.
    Mr. Burr. Let me just ask this question. Did Maine in their 
law get it right or wrong?
    Ms. Feldblum. They got it wrong on next of kin.
    Mr. Burr. So we are not the only ones that could get it 
wrong?
    Ms. Feldblum. That is certainly true. But because of what 
Maine did, we will make sure that next of kin is done right 
here.
    Mr. Bilirakis. Dr. Ganske.
    Mr. Ganske. Mr. Nielsen, you are a member of the health 
privacy working group?
    Mr. Nielsen. Yes.
    Mr. Ganske. And we got a report today in Congress Daily 
that you have made some progress on a number of issues and that 
you are releasing a report?
    Mr. Nielsen. It has been released. We have copies for 
everyone, I think. They are available.
    Mr. Ganske. According to Congress Daily, you have made some 
progress. Can you describe the group for the committee?
    Mr. Nielsen. Sure. It was comprised of people who are 
typically privacy advocates, disability advocates. It was 
comprised of clinicians, of industry people. I think the folks 
at Georgetown tried to get as broad a cross-section of 
individuals as they possibly could.
    Mr. Ganske. Ms. Feldblum, were you involved in this group?
    Ms. Feldblum. Jeff Crowley, who is the chair of the working 
group for whom I am the pro bono counsel, was a member of this 
15-member group. So I was involved in it via him.
    Mr. Ganske. So you are aware of what this report is?
    Ms. Feldblum. Yes.
    Mr. Ganske. What is your assessment of that report?
    Ms. Feldblum. My assessment is that it was a really good 
effort at trying to figure out best principles, and that in 
some areas it will be very useful guidance to Congress about 
use and disclosure, authorizations, research. Even though it 
is--not all of the positions are ones that CCD holds, because 
it was a broad group, but some very useful consensus building 
on those issues. Not on all of the issues. They don't say 
anything about private right of action because it was not a 
template for Federal legislation, it was best principles for 
industry to do voluntarily. They can't create a private right 
of action so there are some issues that are unique to Congress 
that are not in this report, but there are a bunch. I think it 
is an awesome amount and an incredible amount of good faith and 
goodwill that went into this report.
    Mr. Ganske. And so the Consortium of Citizens with 
Disabilities is looking very favorably on this report?
    Ms. Feldblum. There are things that are not addressed 
because there is not agreement. So preemption, private right of 
action we won't. But on other things, yes, we think it is very 
good.
    Mr. Ganske. I tend to agree with many statements made by 
members of the panel. I think that if you do set a strong 
privacy standard, that it tends to take away the necessity for 
States which have not already looked at this to come up with 
their own, and so it tends to create a national standard.
    I happen to believe that States--in general, that States 
should not be preempted for stronger legislation. That is what 
I have looked at in terms of my own managed care protection as 
an example.
    But that if you look at, for instance, the State of Iowa, 
we just passed some patient protections in the Iowa 
legislature, but had we had a pretty strong Federal law already 
in place, I don't think that the legislature would have picked 
it up.
    So I am sympathetic to those who work across State lines in 
terms of having some uniformity. I think if we developed a 
strong enough privacy bill it would function that way, and at 
the same time I wouldn't want to preempt Texas or California 
for some of the things that they have done.
    I have some problems with Mr. Greenwood's bill, that is why 
I am not a cosponsor, but I respect the work and effort that he 
has put into it.
    Ms. Feldblum, I certainly appreciate how a few words can 
make a great big difference. We are dealing with a debate in 
the Senate right now on medical necessity where five little 
words would make a huge difference, and that is ``not be bound 
by plan guidelines'' that makes all of the difference in the 
world in terms of whether you have a strong bill or weak bill. 
Some of the things that you have pointed out in terms of this 
legislation are similar.
    We are going to get down to some really difficult issues in 
terms of the enforcement. And I must admit as I look at the 
enforcement provisions in the bill that we are talking about 
today, I have some reservations about who actually would be 
subject to the criminal provisions. And then we are also going 
to have to get into, I think, a debate on the liability issue, 
and I haven't come to a decision on that yet either.
    Ms. Feldblum, I am going to take advantage of the fact that 
I have a professor of law before me.
    Have you looked at my provision, the Ganske provision in 
H.R. 10?
    Ms. Feldblum. Yes, I looked at it about a week and a half 
ago.
    Mr. Ganske. I am going to do something that a trial 
attorney should never do, and that is to ask a witness for an 
opinion when you don't know exactly what they are going to say. 
But I want to clear up something about opt-in and opt-out. An 
opt-in by my understanding is where you've got a provision that 
the information cannot be shared unless the patient gives the 
consent?
    Ms. Feldblum. Right.
    Mr. Ganske. I thought we were getting a little bit confused 
when we were talking about that before. The provision that I 
had in H.R. 10 was an opt-in. It says the confidentiality of 
individually identified customer health, genetic information, 
the insurer may disclose that information only with the consent 
or at the direction of the customer, either with affiliates or 
outside of that health concern.
    Then we had some specific provisions in terms of the 
standard underwriting and some things like that, but we say and 
here is an important word, at the end of that clause, ``or as 
otherwise required and specifically permitted by Federal or 
State law.''
    Now, as a Georgetown lawyer on the faculty, is that not 
saying that this information or that this provision does not 
preempt State law as it relates to those exceptions?
    Ms. Feldblum. Maybe I can write you something because I 
don't have the language in front of me. I will just say 
briefly, as I understood the problem with that, is the list of 
things that were exemptions before the ``or'' and whether some 
of that could be misinterpreted. My gut in reading it was it 
was intended to be very protective of privacy, and because of 
the point that Mr. Norwood made that there are some lawyers out 
there who would read things which is not what your lawyer 
intended it to be, that is the problem. I think this could be 
workable.
    And for sake of time, I would want to get the exact 
question and I will commit to getting an answer in writing and 
orally as to what are the potential ways that language could be 
misused.
    Mr. Bilirakis. The gentleman's time has expired.
    Mr. Ganske. One minute?
    Mr. Bilirakis. We have to break in a few minutes. Thirty 
seconds.
    Mr. Ganske. It says also in compliance with Federal, State 
or local law. And then it says that this is enforced by the 
chief law enforcement officer of the State, the State insurance 
commissioner or otherwise, and so----
    Ms. Feldblum. I will take that into account when I respond 
to your question.
    Mr. Ganske. Thank you.
    Mr. Bilirakis. Mr. Markey.
    Mr. Markey. Thank you very much, Mr. Chairman.
    I do like the Ganske opt-in language. What I didn't like 
were the loopholes built into his exceptions which included: 
One, reporting to credit reporting agencies; two, disclosing 
information for research; three, disclosing information to 
insurance underwriters; and, four, disclosing information in 
connection with a merger or acquisition.
    In itself it is the correct principle, but it is the 
loopholes that swallow the rule which cause the problem. I very 
quickly will go through the questions that I have.
    On page 49 of the Greenwood bill, it says the disclosure of 
a person's protected health information is authorized for the 
purpose of reporting to consumer reporting agencies.
    Why in the world should Equifax or some other consumer 
reporting agency get access to my most personal medical 
records? Once they get it, what safeguards are there from this 
information being accessed by others, including any company or 
creditor that I do business with, Ms. Feldblum?
    Ms. Feldblum. Well, you know, this section on electronic 
payment cards, they always make a note that says superfluous, 
because they didn't really need a whole separate section for 
themselves. And you point out a problem that once you start 
putting in a separate section for someone, the fact is with all 
of these folks it should be done under the authorization. When 
I sign up for my credit card, I should have to file an 
authorization under section 203 which means that you can't 
condition my health care services----
    Mr. Markey. It is kind of funny that this whole thing is in 
there. Why is it in there?
    Ms. Feldblum. There was a lobbyist who convinced someone.
    Mr. Markey. Let me move on to page 50.
    Mr. Greenwood. If you know who that lobbyist is, will you 
let me know so we can meet?
    Ms. Feldblum. I think it happened about 4 years ago.
    Mr. Markey. There is an immaculate inclusion of this 
provision.
    On page 50 it says banks, credit unions and securities 
firms are explicitly excluded from the requirements of the bill 
to the extent that they are engaged in transaction processing, 
functions described in subsection (b) of section 211 of the 
bill.
    Furthermore, to the extent that banks or credit unions or 
securities firms are engaged in activities that fall outside 
the permitted activities in subsection (b), the bank 
regulations and the SEC are declared to be the exclusive 
enforcement agencies for such institutions.
    The problem with that is neither the Federal securities 
laws nor the banking laws specifically empowers the SEC or the 
banks or credit union regulators to be health information 
privacy agencies.
    I understand that the banking laws may give some kind of 
protection, the Fed and the credit union regulations may have 
some general authority to enforce against violations of any 
laws by banks or credit unions, but policing against such 
violations is not their primary mission. And the SEC has no 
authority in this area whatsoever so they couldn't take action 
against the securities firms that violated that section; is 
that right, Ms. Feldblum?
    Ms. Feldblum. Well on page 51 what they say is nothing in 
the section shall be deemed to exempt the entities from the 
prohibition except (c). Subsection (c) says you can't disclose 
protected health information.
    So what they have done is say you can't disclose protected 
health information, but we are not covering you under the bill 
for everything else, but do not construe that to mean that you 
can now disclose protected health information. It is another 
example of when you start writing things specifically for 
individual industries, you really get in trouble because this 
is--this is a good teaching moment but a poor piece--poor 
drafting on this--is it so horrific, it is confusing.
    Mr. Markey. But there is a reason that we use banks, credit 
unions and Equifax. All of these very interesting provisions 
built into----
    Mr. Burr. Would the gentleman yield?
    Mr. Markey. I will yield.
    Mr. Burr. When you said for specific industries, would you 
also include the FDA? If you tried to write caveats for them, 
it might have different results on everybody else as well?
    Ms. Feldblum. There is a section in here that says you can 
report to the FDA for the post-marketing problems. I have never 
felt that was a necessary provision. You could have put that in 
already by the overall system of when I authorize that 
compelled authorization, I also authorize for information to be 
going to the FDA.
    You see, in other words there is so much--when you craft a 
bill correctly, you don't have to do a lot--all these other 
things.
    Mr. Burr. Unless there is a blanket opt-out.
    Ms. Feldblum. Yes, but we are not trying to do that.
    Mr. Bilirakis. The gentleman's time has expired. Please 
proceed for another minute.
    Mr. Markey. I thank you, Mr. Chairman.
    The point that I am trying to make is that this bill has 
some good things in it. But again, I believe that much like the 
Ganske amendment, all of the exceptions swallow all of the good 
things, and you wind up with a product that is not ultimately 
consistent with public opinion, which demonstrates the 
passionate concern Americans have about not only their health 
care and financial and on-line privacy information generally. 
So it is an integrated kind of conversation here and it is 
difficult to go in any direction very long before you hit other 
areas, on-line, financial. And you have to have a uniform way 
of looking at all of this, so that we are agreeing on a set of 
principles, what it is that we want to accomplish, and 
regarding research and other areas, and we want to carve out 
things in other particular areas, but I don't think that we 
have reached that area on the committee. I think we are still 
grappling with the larger notion that everybody is entitled to 
the right to know the information being gathered about them, 
and the right to say no, you don't want it shared.
    You can carve out some very specific and important public 
interest exceptions. But when banks, credit unions, Equifax, 
clearly are inside legislation, it is going to raise concerns. 
I hope that we can work together on a bipartisan basis because 
I think it is very important to work together on this, but I 
don't think that we have reached that point yet where we agree 
on the larger principle.
    Mr. Bilirakis. The staff will be working very diligently 
starting at 5 o'clock this evening.
    Mrs. Pawlak, because you are the only one here who 
basically has been directly concerned and involved in this, do 
you have any final statement that you would like to make, 
having heard all of this on both sides?
    Ms. Pawlak. A lot of what I have been listening to I have 
understood. A lot of what I have been listening to has been 
very confusing.
    As a basic layperson, I have been involved in health care 
because of my son's illness. I have learned a little more about 
the health care industry. You are talking with a basic 
layperson who has not had the opportunity to learn more about 
it. You are talking to a person with less knowledge than I had 
on the subject, and in the case of the opt-out I would need 
somebody to protect me from me. I would have made a big 
mistake. Knowing a little bit about medicine, I would have made 
a big mistake. I need people who have more knowledge to protect 
me from me and protect my health from me.
    Mr. Bilirakis. Well put.
    The hearing is recessed until 1:45. Thank you very much. 
This panel is discharged. We ordinarily ask you if you are 
willing to respond to questions in writing. You all are, are 
you not? Thank you very much for being here.
    [Whereupon, at 12:47 p.m., the subcommittee recessed, to 
reconvene at 1:45 p.m. this same day.]

                           afternoon session

    Mr. Norwood [presiding]. Committee will come to order.
    Let me first thank the witnesses for being here, and I will 
introduce you in just a second. We are in a very, very busy 
time right this minute, and many members will be back shortly, 
and I expect that we are going to be called to the floor in 
just a few minutes, but what I would like to do, if I may, is 
Mr. Waxman and I will introduce you, and we will at least begin 
the process so maybe you guys can get home sometime before dark 
tonight.
    Our first witness is Ms. Carty, Cristin, Vice President of 
the California Health Institute. Thank you for being here.
    Randy Johnson, Vice President of Labor and Employee 
Benefits, U.S. Chamber of Commerce; Dr. Andrews, who is 
Director of Worldwide Epidemiology, Glaxo Wellcome. Ms. 
Andrews, thank you for coming here.
    Dr. Carolin Frey, Chairman of the Institutional Research 
Review Board. Thank you, ma'am, for being here.
    And Dr. Greg Koski, Director of Human Research Affairs, 
Partners Health Care System. And thank you, sir, for coming.
    We have already had one panel, and this is a most 
interesting and complex subject, and we appreciate all of you 
taking time to come and share your views with us. All of you 
have your information that will be in the record and submitted 
in the record, and Ms. Carty, if we could start perhaps with 
you, and we will try to limit these to 5 minutes, if we can.

STATEMENTS OF CRISTIN CARTY, VICE PRESIDENT, CALIFORNIA HEALTH 
    INSTITUTE; RANDEL K. JOHNSON, VICE PRESIDENT, LABOR AND 
   EMPLOYEE BENEFITS, U.S. CHAMBER OF COMMERCE; ELIZABETH B. 
  ANDREWS, DIRECTOR OF WORLDWIDE EPIDEMIOLOGY, GLAXO WELLCOME 
  INC.; GREG KOSKI, DIRECTOR, HUMAN RESEARCH AFFAIRS, PARTNER 
HEALTH CARE SYSTEM, MASSACHUSETTS GENERAL HOSPITAL; AND CAROLIN 
    M. FREY, CHAIRMAN, INSTITUTIONAL RESEARCH REVIEW BOARD, 
           PENNSYLVANIA STATE GEISINGER HEALTH SYSTEM

    Ms. Carty. Good morning, Mr. Chairman and members of the 
committee. Thank you for the opportunity to present testimony 
today on the very important topic of the confidentiality of 
patient medical information. My name is Cristin Carty, and I am 
the Vice President of Public Policy for the California 
Healthcare Institute. CHI's nearly 200 members include 
leading biotechnology, pharmaceutical, medical device companies 
and premier academic life science research institutions. 
Working on both the State and Federal levels, CHI strives to 
create a favorable climate for biomedical discovery and 
innovation, ensuring that patients have access to breakthrough 
therapies.
    CHI supports the enactment of strong, uniform Federal 
standards, establishing accountability and penalties to protect 
the confidentiality of patient health information. Use of 
medical data should be restricted to activities that are deemed 
appropriate and necessary to quality health care and to 
research dedicated to improving health care outcomes.
    Today, I will provide a snapshot of the bioscience industry 
in California and discuss the importance of framing one strong 
national standard that will secure all patient information 
equally.
    Proposed new Federal regulations for handling medical 
information will clearly affect access to patients' medical 
data and, in turn, influence scientific progress. The challenge 
we face is to preserve the confidentiality of medical 
information without erecting barriers to the research that is 
our only hope to conquer diseases like Alzheimer's and breast 
cancer. In this context, I will touch on key provisions in the 
Medical Information Protection and Research Enhancement Act of 
1999. Above all, I would like to encourage the adoption of a 
set of uniform Federal standards that will preempt conflicting 
State laws and thus safeguard scientists' ability to conduct 
crucial medical research.
    Over the past 20 years, California has become the global 
headquarters for biomedical innovation. Overall, more than 2500 
biomedical companies and 75 university and private research 
institutions are actively engaged in biomedical R&D, and health 
care technology now accounts for more than 200,000 California 
jobs.
    Sound research and clinical testing is the cornerstone of 
inventing safe and effective new therapies. Essential to this 
process is a researcher's ability to utilize the full scope of 
patient data. The flow of medical information in a responsible 
and protected manner has played a vital role in the 
biotechnology revolution that has transformed medicine and that 
holds tremendous promise for scientific progress.
    In 1997 alone, California's leading medical technology 
companies invested nearly $11 billion in research and 
development. It typically takes more than 10 years and $500 
million to bring a new molecular entity from the laboratory to 
the bedside. New layers of restrictions on using crucial 
medical information will simply make what is already a very 
time-consuming and resource intensive process even more so, 
delaying new therapies and adding greatly to their already high 
cost.
    California's leading edge biomedical companies are 
currently exploring scientific areas that raise important and 
complex questions regarding the confidentiality of medical 
information. These include basic research on human genome 
sequencing, the capacity to place DNA information in digital 
format, research into stem cells that will help scientists 
understand the causes of cell aging and death, and advanced 
diagnostics that will clearly target and enhance the use of 
therapies. In each of these areas, science is driven by patient 
medical data, including genetic information, ushering in a new 
era of medical promise.
    Consider this example: Last September, the FDA approved a 
breakthrough treatment called Herceptin. The treatment was 
approved for use in patients with metastatic breast cancer who 
have tumors that overexpress the HER2 protein. In this case, 
research involving patient information, including genetic 
information, and the conduct of broad clinical trials helped 
scientists determine that the treatment was most effective for 
a specific population group, those who overexpressed the HER2 
protein. Establishing uniform Federal standards for the 
treatment of all patient health information, including genetic 
information, will have a tremendous positive impact on future 
treatment advances. Conversely, if States continue to enact 
legislation that impedes the responsible flow of medical 
information, many potential new therapies will simply not be 
developed.
    While guidelines to protect the patient's confidentiality 
are absolutely essential, the ability of the researcher to 
compile and access the medical data, governed by uniform and 
workable rules, will drive the pace and quality of crucial 
research.
    As a State-based organization, CHI is highly attuned to the 
legislative developments in Sacramento. Recent attempts at the 
State level to legislate medical confidentiality, as well as 
broader privacy requirements, now threaten the cycle of 
biomedical innovation that has thrived in California. For 
example, some State legislators have discussed modeling State 
confidentiality regulations based on the European Union's data 
directive requiring unambiguous consent each time data is 
accessed and barring many uses of the data. Such a model would 
simply paralyze the important flow of medical information 
needed to fuel medical progress.
    Drug studies depend on research throughout the country, and 
companies enter into partnerships with academic institutions 
and research entities in almost every State of the Union. 
Again, absent a uniform Federal standard as set forth in the 
Greenwood bill, a multitude of State requirements for the 
handling of patient health information could disrupt patient 
care and restrict the development and access to advanced 
medical technologies.
    Finally, I would like to stress the importance of defining 
protected health information in precise legislative language. 
Researchers must be able to use nonidentifiable information for 
outcomes research, disease management programs, epidemiology 
studies and disease control.
    Mr. Chairman, thank you for the opportunity to testify 
today. CHI's members are committed to the establishment of 
uniform Federal safeguards for the handling of medical 
information that promote accountability and are enforced by 
penalties. With these Federal guidelines, patient information 
will be protected and used responsibly. Also, with one uniform 
set of rules, medical progress in the areas of 
biopharmaceuticals, medical devices and diagnostics will 
continue at the pace we all have come to expect.
    Thank you.
    [The prepared statement of Cristin Carty follows:]
  Prepared Statement of Cristin Carty, Vice President, Public Policy, 
                    California Healthcare Institute
    Good morning, Mr. Chairman and Members of the Committee. Thank you 
for the opportunity to present testimony today on the very important 
topic of the confidentiality of patient medical information. My name is 
Cristin Carty, and I am the Vice President of Public Policy for the 
California Healthcare Institute (CHI). CHI's nearly 200 members include 
leading biotechnology, pharmaceutical, medical device companies and 
premier academic life science research institutions. CHI is a non-
profit, public policy research and advocacy organization for 
California's extensive health care technology enterprise. Working on 
both the state and federal levels, CHI strives to create a favorable 
climate for biomedical discovery and innovation, ensuring that patients 
have access to breakthrough therapies.
    CHI has been working with key partners in the industry including 
the Pharmaceutical Research and Manufacturers of America (PhRMA) and 
the Biotechnology Industry Organization (BIO) on the many legislative 
proposals that have been drafted in response to the requirements 
outlined in the Health Insurance Portability and Accountability Act 
(HIPAA). CHI supports the enactment of strong, uniform federal 
standards, establishing accountability and penalties to protect the 
confidentiality of patient health information. Use of medical data 
should be restricted to activities that are deemed appropriate and 
necessary to quality health care, and to research dedicated to 
improving health care outcomes.
    Today, I will provide a snapshot of the bioscience industry in 
California and discuss the importance of framing one strong national 
standard that will secure all patient information equally. Proposed new 
federal regulations for handling medical information will clearly 
affect access to patients' medical data and, in turn, influence 
scientific progress. The challenge we face is to preserve the 
confidentiality of medical information without erecting barriers to the 
research that is our only hope to conquer diseases like Alzheimer's and 
breast cancer. In this context, I will touch on key provisions in the 
Medical Information Protection and Research Enhancement Act of 1999. 
Above all, I would like to encourage the adoption of a set of uniform 
federal standards that will preempt conflicting state laws and thus 
safeguard scientists' ability to conduct crucial medical research.
    Over the past twenty years, California has become the global 
headquarters for biomedical innovation. Overall, more than 2,500 
biomedical companies and 75 university and private research 
institutions are actively engaged in biomedical R&D. Healthcare 
technology now accounts for more than 200,000 California jobs. More 
than 160,000 Californians are directly employed by organizations 
developing therapeutics and diagnostics, and manufacturing medical 
devices. Major universities, federal facilities and private research 
institutes employ an additional 44,000 Californians in biomedical and 
clinical research.
     Basic and clinical research staff at California's nine leading 
university medical centers, UCSD, UCSF, UCLA, UC Davis, UC Irvine, 
Charles Drew University, Stanford, USC and City of Hope are involved in 
a full spectrum of investigation, from basic genomics to human clinical 
trials that test the safety and efficacy of new medicines and devices. 
Outstanding private research institutions like The Salk Institute and 
The Scripps Research Institute further contribute to an environment 
that fosters medical innovation and discovery. The research and 
clinical trials performed at these state-of-the-art centers are fueling 
the development of powerful new technologies to treat patients.
    Sound research and clinical testing is the cornerstone of inventing 
safe and effective new therapies. Essential to this process is 
researchers' ability to access the full scope of patient data. The flow 
of medical information in a responsible and protected manner has played 
a vital role in the biotechnology revolution that has transformed 
medicine and that holds tremendous promise for scientific progress. The 
average biotechnology company spends half of its operating expenditures 
in the development of new products for unmet needs. In 1997 alone, 
California's leading medical technology companies invested nearly $11 
billion in R&D. It typically takes more than ten years and $500 million 
to bring a new molecular entity from the laboratory to the bedside. The 
bulk of these resources are invested in the later stages of drug 
development, when a new medicine is subjected to extensive trials in 
humans. New layers of restrictions on access to this crucial medical 
information will simply make what is already a time-consuming and 
resource-intensive process even more so--delaying new therapies and 
adding greatly to their already high cost.
     I know that during a previous hearing you heard from at least two 
expert witnesses who have first-hand knowledge of medical records-based 
research--Dr. Steven Jacobsen from The Mayo Foundation and Dr. John 
Curd who is now with VaxGen. Accordingly, my comments will be limited 
to two areas: patient information and its vital contribution to medical 
advances, and how uniform national standards, as exemplified in the 
Greenwood bill, will help preserve and even expedite the current pace 
of scientific discovery and development.
    California's leading-edge biomedical companies are currently 
exploring scientific areas that raise important and complex questions 
regarding the confidentiality of medical information. These include 
basic research on human genome sequencing, the capacity to place DNA 
information in digital format, research into stem cells that will help 
scientists understand the causes of cell aging and death, and advanced 
diagnostics that will clearly target and enhance the use of therapies. 
In each of these areas, science is driven by patient medical data, 
including genetic information, ushering in a new era of medical 
promise.
     Consider this example. Last September, the FDA approved a 
breakthrough treatment called Herceptin. The treatment was approved for 
use in patients with metastatic breast cancer who have tumors that 
overexpress the HER2 protein. In this case, research involving patient 
information, including genetic information, and the conduct of broad 
clinical trials helped scientists determine that the treatment was most 
effective for a specific population group--those who overexpressed the 
HER2 protein. Establishing uniform federal standards for the treatment 
of all patient health information, including genetic information, will 
have a tremendous positive impact on future treatment advances. 
Conversely, if states continue to enact legislation that impedes the 
responsible flow of medical information, many potential new therapies 
will simply not be developed.
    One need look no further than the National Institutes of Health 
(NIH) database to understand the full scope and promise of clinical 
testing research. With about 900 clinical studies under way at the NIH 
Bethesda location covering dozens of diseases and disorders, protocols 
are approved by review boards for ethics, safety, design and 
significance.\1\ While guidelines to protect the patient's 
confidentiality are absolutely essential, the ability of the researcher 
to compile and access the medical data--governed by uniform and 
workable rules--will drive the pace and quality of crucial research.
---------------------------------------------------------------------------
    \1\ From the NIH website, The NIH Clinical Center, last best hope, 
www.cc.nih.gov/ccc/best/hope.html
---------------------------------------------------------------------------
     As a state-based organization, CHI is highly attuned to the 
legislative developments in Sacramento. Recent attempts to legislate 
state-based medical confidentiality as well as broader privacy 
requirements now threaten the cycle of biomedical innovation that has 
thrived in California. Under the state's Confidentiality of Medical 
Information Act, medical records are considered private, and release of 
patient medical information is restricted absent patient consent. State 
proposals designed to amend this act and other sections of the 
California Civil Code could establish significant barriers to 
biomedical research. A bill offered in the state Senate last year would 
have prohibited ``sharing'' of biometric identifier information--
defined as any ``biologically based characteristic unique to an 
individual.''\2\ The bill was targeted at the financial 
services industry; however, it would have had the unintended 
consequence of ending most clinical research in the state. Pending 
bills raise a host of troublesome issues that will directly impact the 
quality of health care a patient receives. Two leading proposals, 
Assembly Bill 62 (Davis) and Senate Bill 19 (Figueroa) are broadly 
drafted and may again create unintended results. For example, both 
bills may interfere with care coordination, case management and disease 
management models of care for persons with special health care needs 
such as the elderly, the disabled and the chronically ill. Senate Bill 
19 would also permit an omnibus category of ``contractors''--whether 
custodian, data processor or researcher--to disclose medical 
information in certain circumstances. In addition, other state 
legislators have discussed modeling state confidentiality regulations 
based on the European Union's data directive requiring ``unambiguous'' 
consent each time data is accessed and barring many uses of the data. 
Such a model would simply paralyze the important flow of medical 
information needed to fuel medical progress.
---------------------------------------------------------------------------
    \2\ California State Senate Bill 1622, introduced Feb. 12, 1998
---------------------------------------------------------------------------
     Drug studies depend on research throughout the country, and 
companies enter into partnerships with academic institutions and 
research entities in almost every state of the Union. Although the 
California Legislature has yet to fully approve the proposals mentioned 
above, it is important to convey the full scope of legislation being 
considered on the state level. Legislation passed in Minnesota 
restricts access to medical records for research purposes. Dr. Curd has 
already testified on this topic, citing how the Minnesota law ``has 
made it more difficult for the Mayo Clinic to conduct epidemiologic 
research by requiring specific patient authorization for the use of 
patient data.'' Aside from the bureaucratic challenge of complying with 
medical information confidentiality requirements on a state-by-state 
basis, a patchwork of laws would also influence the types of 
populations included in clinical research--perhaps dissuading research 
into certain sub-populations. Again, absent a uniform federal 
standard--as set forth in the Greenwood bill--a multitude of state 
requirements for the handling of patient health information could 
disrupt patient care and restrict the development and access to 
advanced medical technologies.
     Finally, I would like to stress the importance of defining 
protected health information in precise legislative language. It is 
absolutely essential to understand that nonidentifiable information--
information that is coded or encrypted or otherwise made anonymous (and 
thus cannot be connected with an individual)--is essential to health 
research. Legislation should reflect that such data does not raise 
privacy concerns. Researchers must be able to use nonidentifiable 
information for outcomes research, disease management programs, 
epidemiology studies and disease control.
     Mr. Chairman, thank you for the opportunity to testify today. 
CHI's members are committed to the establishment of uniform federal 
safeguards for the handling of medical information that promote 
accountability and are enforced by penalties. With these federal 
guidelines, patient information will be protected and used responsibly. 
Also, with one uniform set of rules, medical progress in the areas of 
biopharmaceuticals, medical devices and diagnostics will continue at 
the pace we all have come to expect.

    Mr. Norwood. Thank you, Ms. Carty.
    Mr. Johnson.

                 STATEMENT OF RANDEL K. JOHNSON

    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Chairman, I have been asked to address the narrow, but 
critical issue of whether or not a private cause of action in 
court should be authorized under the legislation before you 
today. We believe, representing the U.S. Chamber of Commerce, 
that the only reasonable answer to this question is no, and the 
Chamber would strongly oppose inclusion of a new individual 
right to sue in addition to the severe criminal and civil 
penalties already in the legislation.
    Contrary to the assumptions of some, it is not true that a 
new right to sue must or should be created each time Congress 
creates a new substantive legal right or that such a right is 
necessary for effective enforcement--although it might be 
necessary to keep the 600 lawyers that Ms. Feldblum referred to 
who graduated from Georgetown employed.
    Furthermore, experience would suggest that given the 
inherent negatives associated with court litigation, Congress 
should reserve creation of a new, private cause of action in 
court for only those situations where there has been a 
demonstrated and well-documented problem with existing 
enforcement mechanisms. This threshold criterion has not been 
met here, obviously.
    It should be emphasized that whatever is enacted will be an 
important but complicated law as evidenced by the prior panel. 
Before we subject individuals and organizations to the expense 
and uncertainty of private litigation, we need to allow some 
time for any uncertainties in the law to be clarified. 
Hopefully, much of this will be accomplished through 
administrative regulations which are provided for in this 
legislation by HHS that will flesh out the many rights, 
responsibilities and protections, a far preferable course to 
the vagaries, expense and inconsistencies of the court system 
developing policy on a case-by-case basis, depending on what 
circuit you happen to be in.
    And since the question of whether a private cause of action 
is necessary, I think turns on obviously what deterrence is in 
the legislation right now, I would urge that the members take a 
careful look at the actual proposal, starting on page 55. Let 
us take a look at the criminal penalties first.
    Now, under this section, a person--and a ``person,'' by the 
way, is quite broadly defined in this legislation--a person 
that knowingly and intentionally discloses protected health 
information shall--shall, not may--be fined up to $50,000, 
imprisoned not more than 1 year or both, and if the offense is 
committed under false pretenses, be fined not more than 
$100,000, imprisoned up to 5 years or both. If the offense is 
committed with the intent to sell, transfer, or use protected 
health information for monetary gain or malicious harm, the 
person could be fined up to $250,000 and imprisoned not more 
than 10 years or both. All of these penalties and prison 
sentences could be dealt with under certain circumstances.
    Again, I note that the person who was subject to these 
fines and criminal imprisonment is defined quite broadly in the 
act. You may want to look at the definition part on page 11. It 
apparently includes anybody from a clerical worker up to a top 
guy in the business. Hence, the sweep of the provisions are 
quite encompassing.
    Now, let us take a look at the civil penalties under 311. 
Any person, again, whom the Secretary of HHS determines has 
substantially and materially failed to comply with the act 
shall--not may--shall be subject up to $500 for each violation 
and up to $5,000 for multiple violations under Title I, and 
where a violation relates to Title II, a civil penalty of up to 
10,000 for each violation and up to $50,000 in the aggregate 
for multiple violations. A $100,000 penalty is provided for 
violations which constitute general business practice. 
Injunctive relief is also provided for.
    Now, I want to emphasize this point. To state the obvious, 
I can assure you that any entity, any person covered by this 
legislation is going to take these civil and criminal penalties 
quite seriously, and I have to ask if there is anyone in this 
room, including on the dais today, who would view these 
possible jail terms and monetary penalties lightly if they were 
subject to this law? I doubt it, and I would ask you for one 
moment to put yourself in the place of an individual within a 
business handling health care information of whatever size and 
ask yourself that question. Given the complexity of this law, I 
think some people might say, the regulated community, well, 
better you than me and good luck and God bless. And too often 
that is the problem.
    Now to help demonstrate the extreme nature of these 
criminal penalties and civil penalties, it might be useful for 
the purposes of comparison to look at a few of the labor laws. 
I have run through these in my testimony. I see our time is 
running short, but they run from 5,000 to 70,000 under OSHA, 
imprisonment of up to 6 months. The Family Medical Leave Act, 
Age Discrimination in Employment Act, all have no criminal 
penalties except for a $100 fine for failure to post penalties; 
the Fair Labor Standards Act, up to $10,000 and imprisonment of 
up to 6 months.
    Now, these laws, I think everyone who can see, protect 
important rights, but Congress has seen fit to use civil and 
criminal penalties at a much lower scale than exists in the 
legislation before you; and again, I emphasize the degree of 
those penalties to dispel any notion that there is some 
weakness in this bill that would encourage noncompliance.
    Contrary to what may seem to be a popular conception, many 
laws rely exclusively on government enforcement mechanisms and 
do not include private causes of action: Davis-Bacon Act, 
Service Contract Act, the Walsh-Healey Act, Executive Order 
11246, 503 of the Rehabilitation Act, perhaps most notably the 
Occupational Safety and Health Act, the Mine Safety and Health 
Act and the National Labor Relations Act.
    Now, of course, some of these statutes do include private 
causes of action, and in full disclosure, I am certainly not 
going to hide that fact; but in those cases, the remedies are 
limited typically to economic, out-of-pocket damages, and an 
atypical example is that of Title VII, the 1964 Civil Rights 
Act which, as many of you remember, was amended several years 
ago after 2 years and numerous hearings, much contentious 
debate, to include noneconomic damages capped at certain 
levels. However, it doesn't exemplify the situation we are here 
today facing because in that case you had 30 years of 
experience to go on which demonstrated that there was a 
problem. Here we are working on a clean slate.
    Finally, I have listed through here many of the problems 
with private causes of action. There is a lot of studies 
referenced here. I will summarize them by saying they 
invariably conclude that about 50 percent of the money is lost 
to cure transactional costs, lawyers, other administrative 
costs, not plaintiffs and not defendants; and I cover that in 
three or four pages.
    Now, I would like to close by saying, of course, there are 
those who would argue that a business need not fear litigation 
so long as it obeys the law. So a provision for a civil court 
litigation should only trouble those truly bad actors and not 
present a problem to others. The only problem with this 
argument is that it is patently false. The reality of laws in 
this country is that they are invariably complex and often 
simply vague with the lines of compliance uncertain and often 
changing. The Supreme Court handed down three decisions just a 
month ago on the Americans with Disabilities Act. No one knows 
when you are in compliance and when you are not. To expose 
employers to litigation, this sort of situation strikes us as 
just wrong.
    In closing, our opposition to inclusion of a private right 
of action is premised on the straightforward notions that the 
civil and criminal penalties now in the legislation are quite 
severe and provide more than adequate deterrence; many laws are 
adequately enforced without private causes of actions; and 
three, lawsuits are a rough, blunt and expensive instrument of 
justice with many negative attributes which should only be used 
where there is a clear track record demonstrating the law in 
question currently has inadequate enforcement mechanisms, a 
record which certainly does not exist here. Should the Congress 
find that after passage of this legislation and a period of 
enforcement the business community is ignoring its 
responsibilities, it can always revisit the issue and authorize 
new enforcement mechanisms.
    Thank you, Mr. Chairman.
    [The prepared statement of Randel K. Johnson follows:]
  Prepared Statement of Randel K. Johnson, Vice President of Labor & 
              Employee Benefits, U.S. Chamber of Commerce
    Mr. Chairman and Members of the Committee, good morning. I am 
Randel Johnson, Vice President, Labor and Employee Benefits, U.S. 
Chamber of Commerce. The U.S. Chamber of Commerce is the world's 
largest business federation representing more than three million 
businesses and organizations of every size, sector and region.
    Mr. Chairman, I have been asked to address the narrow issue of 
whether or not a private cause of action in court should be authorized 
under the legislation before you today, the ``Medical Information and 
Research Enhancement Act of 1999.'' We believe the only reasonable 
answer to this question is ``no'' and the Chamber would strongly oppose 
inclusion of a new individual right to sue in addition to the severe 
civil and criminal penalties already in the legislation. Contrary to 
the assumptions of some, it is not true that a new right to sue must, 
or should be, created each time Congress creates a new substantive 
legal right or that such a right is necessary for effective 
enforcement. Furthermore, experience would suggest that--given the 
inherent negatives associated with court litigation--Congress reserve 
creation of new private causes of action in court for only those 
situations where there has been a demonstrated and well-documented 
problem with existing enforcement mechanisms. This threshold criterion 
has not been met here.
    It should be emphasized that whatever is enacted will be an 
important, but complicated new federal law. Before we subject 
individuals and organizations to the expense and uncertainty of private 
litigation, we need to allow time for any uncertainties in the law to 
be clarified. Hopefully, much of this will be accomplished through 
administrative regulations that will flesh out the many rights, 
responsibilities and protections in the legislation, a far preferable 
course than the vagaries, expense and inconsistencies of the court 
system developing policy on a case by case basis.
    Since the question of whether a private cause of action is 
necessary turns on whether or not the existing legislation has adequate 
provisions to deter violations of its provisions, we need to look 
carefully at what is in the legislation now. I urge the Members to 
refer to the actual text of the legislation in this regard because 
these existing sanctions are actually quite severe. First, let's review 
the criminal penalties under proposed Section 2801 ``Wrongful 
Disclosure of Protected Health Information.'' Under this section, a 
``person that knowingly and intentionally'' \1\ discloses 
protected health information shall be fined up to $50,000, imprisoned 
not more than one year or both; and if the offense is committed under 
``false pretenses,'' be fined not more than $100,000, imprisoned up to 
five years or both. And if the offense is committed with ``the intent 
to sell, transfer, or use protected health information for monetary 
gain or malicious harm'' the person could be fined up to $250,000, and 
imprisoned not more than 10 years or both. All of these penalties and 
prison sentences could be doubled under certain circumstances. I also 
note that the ``person'' subject to these sanctions apparently could be 
anybody employed by, or with any connection to, the health 
information--from a clerical worker on up; hence the sweep of these 
provisions is quite broad.
---------------------------------------------------------------------------
    \1\  We urge the committee to define this concept to encompass only 
knowing and intentional violations of the law in the sense that the 
individual knew his or her conduct violated the Act and intended harm.
---------------------------------------------------------------------------
    Now let's turn to the civil penalties under new Section 311. Under 
this section, ``a person'' who the Secretary of Health and Human 
Services determines has ``substantially and materially failed to comply 
with this Act'' shall be subject to up to $500 for each violation and 
up to $5,000 for multiple violations arising from failure to comply 
with Title I of the act; and, where a violation relates to Title II, a 
civil penalty of up to $10,000 for each violation, and up to $50,000 in 
the aggregate for multiple violations, may be imposed. A $100,000 
penalty is provided for violations which constitute a general business 
practice. This legislation also sets out detailed procedures for 
consideration of penalties under Section 312. The Secretary is 
empowered to seek injunctive relief.
    To state the obvious, I can assure you that any entity covered by 
this legislation will take these civil and criminal penalties quite 
seriously, and I have to ask if there is anyone in this room today who 
would view these possible jail terms and monetary penalties lightly if 
they were subject to this law--I doubt it. I would ask you for one 
moment to put yourself in the place of an individual within a business 
handling health care information--of whatever size--and ask yourself 
that question.
    To help demonstrate the extreme nature of these criminal and civil 
penalties, it might be useful to refer, for the purposes of comparison, 
to a few employment laws. Under the Occupational Safety and Health Act 
willful or repeat violations can be penalized by monetary penalties of 
between $5,000 and $70,000; a serious violation up to $7,000; a non-
serious violation up to $7,000, and for failure to correct a violation, 
a civil penalty of not more than $7,000. With regard to criminal 
penalties, a willful violation causing an employee's death can be 
punished by a fine of not more than $10,000 and imprisonment for not 
more than 6 months or both, except that if the violation is committed 
after a prior conviction, punishment can be doubled.\2\
---------------------------------------------------------------------------
    \2\ By operation of the 1984 Comprehensive Crime Control and 
Criminal Fine Collection Act, which standardized penalties and 
sentences for federal offenses, willful violations of the OSH Act 
resulting in a loss of human life are punishable by fines up to 
$250,000 for individuals and $500,000 for organizations.
---------------------------------------------------------------------------
    The Family and Medical Leave Act and Title VII of the 1964 Civil 
Rights Act contain no criminal penalties and only a civil fine of $100 
for a willful failure to post a notice of FMLA and Title VII rights. 
The Age Discrimination in Employment Act has a criminal penalty of up 
to $500 or imprisonment of up to 1 year for interfering with an EEOC 
agent. Similarly, the National Labor Relations Act, protecting the 
rights of employees to unionize, provides only for a fine of not more 
than $5,000 or imprisonment for one year for interfering with a Board 
agent. The Fair Labor Standards Act contains fines of not more than 
$10,000 and imprisonment at up to 6 months for certain violations.
     As you can see, the proposed civil and criminal penalties of the 
legislation before you are quite severe in comparison to other laws--
laws which also protect important rights.
    I led my testimony with a discussion on civil and criminal 
penalties to dispel any doubt that this legislation somehow provides an 
invitation for non-compliance or that such penalties are not otherwise 
adequate to deter violation. Nothing could be further from the truth. 
In this context, I turn to the question of the need for a private cause 
of action.
    Contrary to what seems to be a popular conception, many laws rely 
exclusively on government enforcement for protection of important 
substantive rights, as does this legislation. In the labor area alone 
these include: The Davis Bacon Act (requires payment of prevailing 
wages on government contracts for construction), the Service Contract 
Act (requires payment of prevailing wages on government services 
contracts), the Walsh-Healey Act (payment of minimum wages and overtime 
to employees working on government contracts); Executive Order 11246 
(prohibits discrimination by government contractors); Section 503 of 
the Rehabilitation Act (prohibits discrimination by government 
contractors on the basis of disability), and, perhaps most notably, the 
Occupational Safety and Health Act (protects employee safety and 
health), the Mine Safety and Health Act (protects safety and health of 
miners), and the National Labor Relations Act (protects the rights of 
employees to engage in concerted activities, including unionization.) \3\
---------------------------------------------------------------------------
    \3\  Other examples include the Paperwork Reduction Act, Section 
17(a) of the Securities Exchange Act (see Touche Ross v. Redington, 442 
U.S. 560 (1979)), and the Federal Service Labor Management Relations 
Act.
---------------------------------------------------------------------------
    Of course some labor statutes (in interest of full disclosure) do 
have a private cause of action, typically with remedies keyed to 
economic damages, such as lost pay with--in some instances--a doubling 
where the violation was willful or without good faith. (But let me 
again emphasize that these laws do not have the severe criminal and 
civil penalties contained in the privacy legislation.) An atypical 
example is Title VII of the 1964 Civil Rights Act, which was amended in 
1991 to include non-economic damages (capped at various levels), but 
only after two years of much contentious debate encompassing two 
separate Congresses.
    These changes were based on a long record of experience amassed 
over some 30 years, which demonstrated that by the 1990's changes were 
needed. Even with this lengthy consideration by Congress, the results 
have not been pretty. Litigation has exploded--tripling since 1991--
with discrimination cases constituting almost one of every ten cases in 
federal court, the second highest number after prisoner 
petitions.\4\ That only 5% of cases filed with the Equal 
Employment Opportunity Commission are found to have ``reasonable 
cause'' and 61% ``no reasonable cause'', tells us that many of these 
cases are of questionable validity. I've also attached for the Members' 
reference an article entitled, ``Lawsuits Gone Wild,'' February 1998, 
discussing the plight of businesses under this surge of litigation. 
Litigation expenses alone to defend a case can approach $50,000--
$150,000 even before trial.
---------------------------------------------------------------------------
    \4\ See study by Lawyers Committee on Civil Rights under Law, Daily 
Labor Report, March 25, 1999. The Americans with Disabilities Act 
includes the same remedies as Title VII although it was originally 
passed and enacted with only equitable relief. The ADA was premised on 
longstanding principles and regulations found under Section 504 of the 
1973 Rehabilitation Act. Nevertheless, it, like Title VII since amended 
by the Civil Rights Act of 1991, has resulted in considerable 
litigation, much of it frivolous. See ``Helping Employers Comply with 
the ADA,'' Report of the U.S. Commission on Civil Rights, September 
1998, pp. 274-283.
---------------------------------------------------------------------------
    Perhaps this isn't surprising given the nature of civil litigation, 
but it does emphasize the importance of Congress carefully deliberating 
before it authorizes individual civil litigation as a remedy. Indeed, 
the fact that private lawsuits are expensive, blunt enforcement 
instruments with enormous transactional costs can hardly be argued. 
While I do not wish to debate tort reform here, it may be worthwhile to 
refer to a few further facts on this issue:
    A Tillinghast-Towers Perrin analysis (Nov. 1995) of the U.S. tort 
system found that when viewed as a method of compensating claimants, 
the U.S. tort system is highly inefficient, returning less than 50 
cents on the dollar to the people it is designed to help--and less than 
25 cents on the dollar to compensate for actual economic losses. 
(Tillinghast-Towers Perrin, ``Tort Cost Trends: An International 
Perspective,'' pp. 4, 8)
    The study broke down costs as follows:
    Awards for economic loss 24%
    Administration 24%
    Awards for pain and suffering 22%
    Claimants' attorney fees 16%
    Defense costs 14%
Hence, even when non-economic ``pain and suffering'' awards are 
included, claimants ultimately collected only 46% of the money raised, 
the balance going for the high transactional costs of the system.
    These conclusions are consistent with a 1985 RAND study which 
indicated that plaintiffs in tort lawsuits in state and federal courts 
of general jurisdiction received only approximately half of the $29 
billion to $36 billion spent in 1985. The cost of litigation consumed 
the other half with about 37% going to attorney's fees (pp. v--xi). A 
1988 RAND study of wrongful discharge cases in California found that 
``total legal fees, including defense billings, sum to over $160,000 
per case. The defense and plaintiff lawyer fees represent more than 
half of the money changing hands in this litigation.'' (pp. viii, 39-
40) (The range of jury verdicts were from $7,000 to $8 million with an 
average of $646,855. pp. vii, 25-27, excluding defense judgements.) 
(Average award after post-trial settlement and appellate review was 
still $356,033, p. 36)
    A March 1998 study by the Public Policy Institute entitled, ``How 
Lawsuit Lottery is Distorting Justice and Costing New Yorkers Billions 
of Dollars a Year,'' applied the Tillinghast-Towers analysis for New 
York's tort liability system and calculated that liability expenditures 
broke out as follows:

 $6.57 billion in payments to claimants (including $3.1 billion 
        in pain and suffering awards and only $3.4 billion for actual 
        economic damages).
 $3.4 billion for administrative overhead.
 $2 billion for defense costs.
 And nearly $2.3 billion for plaintiffs' attorneys.
The study found: ``In sum, more than half of the money extracted from 
our consumers, our taxpayers, and our economy by New York's 
phenomenally expensive liability system doesn't go to its supposed 
beneficiaries'' (p. 26).
    And a May 1995 Hudson Briefing Paper, ``The Case for Fundamental 
Tort Reform'' noted that:

 The U.S. tort system needs to be made far more efficient and 
        our society far less litigious and far larger shares of tort 
        payments should go to injured parties rather than to lawyers. 
        Currently, more than fifty cents of every dollar paid out of 
        the tort system goes to cover attorneys' fees.
 Lawyers' monopoly of access to the courts allows them to impose 
        a 33.33 to 40 percent toll charge on all damage recoveries, 
        even in cases in which defendants are willing to pay on a rapid 
        no-dispute basis. Contingency fees, the near-uniform means of 
        compensating tort claim attorneys, can provide risk free 
        windfall profits to lawyers while harming defendants, 
        plaintiffs, and the economy as a whole.
    The real costs of the nation's tort civil litigation system is 
enormous \5\, and the broader a civil action is in terms of 
grounds for liability and damages the more incentive there is for 
frivolous litigation--as many lawyers and plaintiffs seek to play the 
litigation lottery in front of juries for huge monetary rewards. 
However, my primary point here is that simple logic dictates that a 
system with such heavy transactional costs should, by definition, be 
considered as an option of last resort.
---------------------------------------------------------------------------
    \5\ For other overviews of expenses associated with court 
litigation, see, generally, The Illinois Tort Reform Act: Illinois' 
Landmark Tort Reform: The Sponsor's Explanation, 27 Loy. University of 
Chicago L. J. 805, Summer 1996. Also see Symposium: Municipal 
Liability: The Impact of Litigation on Municipalities: Total Cost, 
Driving Factors, and Cost Containment Mechanisms; 44 Syracuse Law 
Review 833, 1993.
---------------------------------------------------------------------------
    Of course, I realize that there are those who would argue that a 
business need not fear litigation so long as it obeys the law--so a 
provision for civil court litigation should only trouble truly bad 
actors and not present a problem to others. The only problem with this 
argument is that it is patently false. The reality of laws in this 
country is that they are invariably complex and, often, simply vague, 
with the lines of compliance uncertain and often changing. The Code of 
Federal Regulations governing the workplace arena alone covers over 
4,000 pages of fine print, and hundreds of court and administrative 
decisions provide their own gloss of what the law is, or is not, on any 
given day. The Supreme Court handed down three decisions on the 
Americans with Disabilities Act just a month ago and two on what 
constitutes sexual harassment under Title VII and one on the Age 
Discrimination in Employment Act in the last session. Eleven Circuit 
Courts of Appeal render their own versions of the law. One treatise on 
discrimination law stretches over two volumes and two thousand pages of 
analysis with more footnotes, as does another on the National Labor 
Relations Act. And these are not atypical examples of one area of the 
law. Even enforcement agencies, with all their expertise, cannot give 
clear answers as to what is or is not required. (See ``Workplace 
Regulation--Information on Selected Employer and Union Practices,'' GAO 
Report #94-138)
    All of these problems are magnified when it comes to a new law, 
such as that before you today, which will, no matter how well drafted, 
be subject to much interpretation. Many times there will not be a right 
or wrong answer and that problem will be heightened if courts across 
the country, likely combined with jury trials, are immediately faced 
with cases to sort out every nuance--which may very well differ from 
jurisdiction to jurisdiction--while the employer is faced with both 
uncertain requirements and liability.
    In closing, our opposition to inclusion of a private right of 
action is premised on the straightforward notions that (1) the civil 
and criminal penalties now in the legislation are quite severe and 
provide more than adequate deterrence, (2) many laws are adequately 
enforced without private causes of action, and (3) lawsuits are a 
rough, blunt and expensive instrument of justice with many negative 
attributes which should only be used where there is a clear track 
record demonstrating that the law in question currently has inadequate 
enforcement mechanisms--a record which certainly does not exist here. 
Should the Congress find that, after passage of this legislation and a 
period of enforcement, the business community is ignoring its 
responsibilities, it can always revisit the issue and authorize new 
enforcement mechanisms.
    Thank you.

    Mr. Norwood. Thank you, Mr. Johnson, and I will ask all of 
you to excuse us for a few minutes. We have a few votes, and we 
all want to hear you. We will go into recess, and I will ask 
you to stay very close by because we will all be back just as 
quickly as we can.
    [Brief recess.]
    Mr. Greenwood [presiding]. Welcome back. I am told that in 
my absence Ms. Carty and Mr. Johnson have testified and we are 
ready to hear from Dr. Andrews; is that correct?
    In that case, if you will please proceed.

                STATEMENT OF ELIZABETH B. ANDREWS

    Ms. Andrews. Thank you. Mr. Chairman and members of the 
committee, my name is Elizabeth Andrews, and I am Director of 
Worldwide Epidemiology at Glaxo Wellcome, a research-based 
pharmaceutical company that is based in Research Triangle Park, 
North Carolina.
    Glaxo Wellcome is committed to the enactment of Federal 
legislation that would protect patients' confidentiality while 
assuring the availability of medical information for research 
and for the delivery of quality health care. For this reason, 
we strongly support Congressman Greenwood's H.R. 2470, the 
Medical Information Protection and Research Enhancement Act of 
1999, because we believe this legislation best meets that goal.
    Today, medical researchers are poised to make countless new 
discoveries that will alleviate the burden of disease. That 
promise will only be realized, however, if medical researchers 
are allowed to continue to have access to patient medical 
information for research. Both interventional research, 
involving collection of information directly from individuals, 
such as in a clinical trial, and observational research, the 
analysis of existing medical records without contact with or 
impact on individuals, rely on the use of individually 
identifiable medical data. Not all research can be conducted 
using strictly anonymized records. Federal legislation must 
facilitate the positive uses of medical information if we are 
to continue making breakthrough scientific achievements into 
the future. The Greenwood bill provides a strong, promising 
framework to do so.
    The Greenwood bill would also establish uniform national 
standards for organizations that manage health data, including 
research institutions, to assure they have strong safeguards 
and internal procedures for protecting that data. Moreover, the 
bill would impose penalties on institutions that fail to adopt 
or enforce the safeguards.
    A recent GAO study on the use of medical data and research 
concluded that safeguards already exist in many organizations 
conducting research outside the Federal system. In fact, the 
GAO's findings are consistent with the widespread belief in the 
research community that researchers are doing a thorough job of 
protecting the confidentiality of patients while conducting 
research with extremely valuable public health benefit.
    We also hope that new legislative requirements will 
complement existing research regulation without needlessly 
complicating it. We are opposed to expanding the scope of the 
Federal common rule and the approval of institutional review 
boards to all public and private research, even research using 
only observational existing information as required in some 
legislative proposals.
    IRBs play a valuable role in carrying out their mandate to 
ensure that research participants are fully informed of the 
risks they incur when undergoing experimental medical 
treatment. However, IRBs have neither the expertise nor 
capacity to review research proposals, and to review studies 
with respect to confidentiality practices. Requiring IRB review 
of all research in this country would threaten the system that 
is already overburdened. Expanding IRB review would needlessly 
complicate the important tasks already faced by IRBs and would 
harm research by subjecting each project, each hypothesis to 
burdensome review and consent requirements. The likely result 
would be that many important research projects would never be 
initiated.
    In Glaxo Wellcome's view, the process established by the 
Greenwood bill is more protective of patient confidentiality 
interests than the expansion of IRB review and informed consent 
requirements. Enforceable, uniform national standards for 
confidentiality protections would offer more appropriate, more 
consistent and more rigorous controls than available through an 
expansion of the IRB function.
    With respect to patient consent, we support current Federal 
requirements concerning the informed consent of participants in 
interventional research. We do not believe, however, that 
observational research programs using archives of previously 
collected information should require informed consent. In many 
cases, it is impossible to gain consent. Patients move, they 
change health plans, they die, and given the extremely minimal 
risk for patients from this type of research, requiring 
informed consent increases the burden on researchers and 
patients, but does not serve to protect the patient's 
confidentiality interests. Furthermore, allowing patients to 
opt out of observational medical records research would raise 
serious questions about the scientific validity of conclusions 
reached from incomplete data bases.
    One critically important issue for any confidentiality 
legislation is that it must draw clear distinctions between 
protected health information and nonidentifiable information. 
The Markey and Condit bills define protected health information 
so broadly that almost no information could be characterized as 
nonidentifiable. As a result, every piece of health care data, 
whether or not it identifies an individual, would be subject to 
all of the Federal restrictions and requirements applicable 
under the law, including written consent, recordkeeping, access 
to copying and amendment notification.
    Mr. Chairman, members of the committee, we urge you to take 
swift action on the Greenwood bill to ensure that Congress 
meets its HIPAA deadline of August 21st, rather than allowing 
the Secretary of Health and Human Services to promulgate 
regulations in this area. Patients, health care providers and 
researchers have much to lose if legislators do not strike a 
balance between protection of patient confidentiality and the 
appropriate use of medical data to enhance the quality of 
health care delivery in this country.
    I look forward to working with you as you continue your 
efforts and stand ready to help the committee in any way. Thank 
you.
    [The prepared statement of Elizabeth B. Andrews follows:]
    Prepared Statement of Elizabeth B. Andrews, Director, Worldwide 
                   Epidemiology, Glaxo Wellcome Inc.
Introduction
    Mr. Chairman and Members of the Committee, my name is Elizabeth 
Andrews, and I am Director of Worldwide Epidemiology for Glaxo 
Wellcome, a leading research-based pharmaceutical company. This year, 
Glaxo Wellcome will spend nearly $2 billion on research of new 
medicines for the treatment of cancer, diabetes, obesity, rheumatoid 
arthritis, osteoporosis and viral diseases. As an industry, the 
nation's research-based pharmaceutical and biotechnology companies 
discover and develop the majority of new medicines used in the United 
States and around the world, investing more than $24 billion this year 
alone on research and development. The industry brought 39 new 
prescription drugs and biologics to market last year to treat many 
deadly and debilitating diseases.
Medical Information is Essential for Research
    Mr. Chairman, I would like to begin by thanking you for the 
opportunity to testify this morning on behalf of Glaxo Wellcome on the 
important issue of federal legislation to protect the confidentiality 
of medical information. As a scientist whose work is committed to 
discovering and improving health care interventions, I am pleased that 
this Committee--which has responsibility for legislation affecting 
American health and health care--will play a leading role in crafting 
that legislation. I look forward to working with you.
    Glaxo Wellcome strongly supports new federal legislation that would 
protect the confidentiality of individuals' medical records from 
unauthorized or inappropriate use. At the same time, we know that 
appropriate use of medical information is critical to the delivery of 
high quality health care and the development of innovative and more 
effective treatments for patients. We hope that the committee will pass 
legislation that will result in enactment of a new federal law that 
safeguards patients' medical privacy while allowing appropriate uses of 
medical information for research, treatment, payment for services and 
health care operations. We feel that legislation introduced by 
Congressman Jim Greenwood, H.R. 2470, ``The Medical Information 
Protection and Research Enhancement Act of 1999,'' achieves that 
balance. Glaxo Wellcome strongly supports H.R. 2470, as well as similar 
legislation, S. 881, introduced by Senator Robert Bennett. We urge the 
Congress to take action on these bills to meet the August 21, 1999 
deadline established by the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) to enact a medical data 
confidentiality law.
    The pharmaceutical and biotechnology industry can help patients 
with unmet medical needs only if researchers have access to medical 
information that enables them to discover new medicines. Today, medical 
researchers are poised to make countless new discoveries that will 
alleviate human suffering and the burden of disease. Revolutionary new 
treatments and diagnostic tests promise to extend and enrich our lives 
and the lives of future generations. Realizing this promise depends on 
research: interventional research involving the collection of 
information directly from individuals such as clinical trials used to 
develop new drugs, medical devices and biologics; and observational 
research which relies on existing databases. Observational research 
allows us to study the prevalence of disease, evaluate medical 
treatments and measure the cost-effectiveness of therapies. 
Observational research can sometimes be conducted with encoded or 
encrypted data that has been stripped of individual identifiers, while 
preserving the ability to link various databases across treatment 
settings and over the course of time to capture a comprehensive picture 
of patient care. Having the complete picture of the patient's health 
and health care is what is essential for the researcher, not the 
identity of the patient.
    As an epidemiologist, I would like to provide to the Committee some 
examples of research that will explain how we use medical information 
to help improve the health of patients and the quality of health care 
delivered to them. I have been involved in the study of HIV/AIDS and 
other sexually transmitted diseases, the medicines developed for such 
conditions, and the risk of medicines when used in pregnancy. In these 
areas, we have made significant strides, coupling drug development 
programs with company-sponsored public health monitoring activities.
    Through such efforts, we ensure the safe use of products developed 
to treat many serious diseases. There is increasing public attention 
given to drug safety monitoring and a need to assess the current 
mechanisms available to evaluate the safety of medicines. Most health 
professionals agree we need more, not less, information on the safety 
of medicines in order to better understand the risks compared to the 
benefits of drugs as they are used in general, not experimental, 
circumstances. It is through the use of archival medical records that 
we are able to understand such risks and benefits in large numbers of 
patients in the real world setting. Each of the following examples 
involves research using archived medical information.
 An epidemiologic study in the early 1980s that found a strong 
        association between the potentially fatal Reye's syndrome and 
        children's use of aspirin. Eventually, this new knowledge led 
        to a decline in cases of Reye's syndrome in the United States, 
        improving children's health and reducing mortality.
 A recent study documented both the under-use of beta-blockers 
        following myocardial infarction in the elderly, and the serious 
        consequences of that under-use. This study linked large 
        pharmacy and medical claims databases. Its finding of 
        unnecessary deaths and hospitalizations from cardiovascular 
        episodes is likely to lead to basic changes in medical practice 
        and greatly improve patient health.
 A pharmaceutical company worked with a large managed health-
        care plan to undertake a study of more than 85,000 children to 
        provide further information on the safety of the chicken pox 
        vaccine in clinical practice. These children received the 
        vaccine, with parental consent, as part of their regular 
        medical care. A computer-based search was performed of the 
        records of the children who received the vaccine and of a 
        historical comparison group of children who had not used the 
        vaccine. The medical records of the children who had not been 
        vaccinated were taken from the plan's historical archives of 
        patient records. It would have been extremely difficult, if not 
        impossible, for the health plan to track them down to gain 
        their consent. The information received by the pharmaceutical 
        company was encrypted, so that the company had no patient-
        identifiable data. This research has provided valuable 
        reassurance about vaccine safety under conditions of broad use 
        in clinical practice.
 A health plan was able to use medical information about its 
        enrollees to identify women with a deficient gene that is 
        linked to some breast cancers. The health plan contacted these 
        women, many of whom chose to enroll in the federally-regulated 
        and IRB-overseen clinical trial that a pharmaceutical company 
        conducted of a new drug to treat breast cancer. Had the health 
        plan been unable to review these women's records and contact 
        them, there would have been significant delays in finding 
        appropriate participants for the clinical trial.
    Because of the focused and controlled nature of clinical trials, 
much of what we learn about drug safety and effectiveness is learned 
through the use of observational data after drug approval. In the area 
of HIV, for example, we learned from observational experience that 
differences in HIV disease progression seen by gender, race and 
intravenous drug use were not due to those patient characteristics, but 
due to differences in treatment and access to treatment. Observational 
studies demonstrated the effectiveness of pneumocystis carinii 
pneumonia (PCP) prophylaxis, and quantified the adverse experience 
rates with antiretroviral therapies and various treatments for 
opportunistic infections. All of these findings have contributed to 
more effective care and better outcomes for patients with HIV.
    In addition to ongoing safety surveillance studies, health care 
payers in our cost-conscious system demand more focused outcomes 
research and economic analysis to select the most efficacious and cost-
effective treatment options. For example, Harvard Medical School 
researchers found that restrictions on the use of schizophrenia 
medications in the New Hampshire Medicaid program proved penny-wise but 
pound-foolish. The restrictions yielded some savings on prescription 
drugs, but ultimately increased state and federal government Medicaid 
spending overall by sharply increasing the need for emergency care and 
hospitalization. The Harvard team produced these findings--which can 
promote both better health care for patients and more cost-effective 
use of health care dollars--by linking prescription drug use databases 
with mental health center and hospital data.
    These examples illustrate the useful and important observational 
research that is being conducted with existing medical records, while 
using various methods for safeguarding the confidentiality of patients. 
These methods include replacing individual identifiers with a case code 
number and safeguarding the key from unauthorized use or disclosure, 
restricting the subset of persons who have access to research 
databases, and ensuring that employees are aware of their obligation to 
treat research data as confidential and to protect it from disclosure 
and unauthorized use.
Medical Data Confidentiality Legislation
    Glaxo Wellcome believes that the Greenwood bill, H.R. 2470, 
provides a workable framework for protecting patient health information 
while also recognizing the need to access patient data for legitimate 
health care-related purposes--primarily treatment, payment, health care 
operations and medical research. It establishes very clear boundaries 
around the permissible uses and disclosures of patient medical data and 
imposes strong penalties on entities and individuals for its misuse.
    We feel that strong federal confidentiality protections must 
complement existing research regulation without needlessly complicating 
it. For that reason, we are very concerned that H.R. 1941, introduced 
by Congressman Gary Condit, as well as H.R. 1057, introduced by 
Congressman Edward Markey, would extend Institutional Review Board 
(IRB) and informed consent requirements to all private research that 
has traditionally not been subject to the federal common rule.
    Informed consent, which is a cornerstone of the interventional 
research that is reviewed by IRBs, does not work in the context of 
database research. In database research, the validity of the scientific 
conclusions depends on how comprehensive the database is. The 
researcher does not affect the treatment of the individuals, rather he 
or she tries to make inferences based on observed differences in 
ordinary health care settings. The validity of those inferences is 
suspect if the researcher is missing information from some individuals. 
What we know based on the experience in Minnesota, which has a law that 
requires informed consent for medical records research, is that 
individuals who decline to give consent are not a random sample. This 
means that imposing informed consent requirements on research databases 
has the effect of undermining the generality and validity of the 
conclusions that can be drawn based on research using that database.
    Moreover, a recent General Accounting Office (GAO) report examined 
the protection of patient medical data used in medical research. We 
were encouraged that GAO's findings are consistent with the widespread 
belief in the research community that researchers are doing a thorough 
job of protecting the confidentiality of patients while using medical 
information in extremely important research concerning public health 
and health care delivery. The GAO report makes some important points 
which accurately reflect the current status of research conducted 
outside the federal system.
    First, the report acknowledges many uses of information and data in 
research, and provides examples of important research that required 
some type of access to identifiable information. Not all research can 
be conducted strictly using anonymized records. Research based on 
archival records with no medical risk to the patients and rigorous 
safeguards of personally identifiable data should be encouraged, not 
impeded.
    Second, the report provided examples of a variety of safeguards 
that are in place in different types of organizations that undertake 
research outside the federal system. The examples demonstrate clearly 
that many safeguards already exist to protect the confidentiality of 
identifiable patient information. Those safeguards are tailored to the 
local needs and circumstances within each organization. Institutions 
conducting health research take confidentiality of patient information 
very seriously. The report aptly notes that the institutions in their 
study may not represent all organizations, and those not studied may 
not meet the same high standards of those in the study. However, the 
Greenwood bill would establish uniform national standards that would be 
required for all organizations that manage health data. Moreover, it 
would provide for penalties for organizations that fail to adopt or 
enforce the safeguards.
    Third, the report provided a realistic picture of current IRB 
operations. IRBs provide a valuable function in protecting patients 
from unnecessary research risks. Their experience and expertise in 
reviewing studies only for review of confidentiality practices is 
insufficient to warrant such an expansion of their roles. Moreover, 
they do not have the capacity to handle the increased volume that would 
emerge from a new requirement to review all medical records research. 
We feel it would be counter-productive to institute such a requirement. 
Uniform national standards for confidentiality protections would offer 
more appropriate, more consistent, and more rigorous controls than 
available through an expansion of the IRB function.
    In Glaxo Wellcome's view, the process established by the Greenwood 
bill is more protective of patient confidentiality interests than the 
expansion of IRB review and informed consent requirements that would be 
put in place under H.R. 1941 and H.R. 1057. For instead of needlessly 
complicating the important tasks already faced by IRBs, the Greenwood 
bill would provide federal enforcement of the safeguards and review 
process established by each research institution. In this regard we 
note that GAO reports that even where they do review projects, IRBs say 
they rely on the practices and safeguards in effect at the research 
institution. This fact is important, because to truly understand and 
oversee what an institution does to protect the confidentiality of data 
is far beyond what an IRB can or should be charged with doing in its 
review of a research project. The Greenwood bill would ensure that what 
GAO found to be true of the institutions it surveyed--they have 
policies and safeguards designed to protect confidentiality--would be 
enforceable as a matter of federal law. The bill would provide the 
further assurance that every institution making medical information 
available for research would be required to establish such federally 
enforceable policies and safeguards.
    I would like to summarize for the committee the key issues that we 
have identified in previous legislation that could create impediments 
to our continuing ability to conduct medical research:

 Definitions. It is critically important that any 
        confidentiality legislation draw clear distinctions between 
        ``protected health information'' and ``non-identifiable'' 
        information. Both H.R. 1917 and H.R. 1057 define protected 
        health information so broadly that almost no information could 
        be characterized as ``non-identifiable.'' As a result, many 
        vital activities, including research, that rely on non-
        identifiable information would be subject to burdensome prior 
        authorization requirements.
 IRB oversight of research. Pharmaceutical and biotechnology 
        companies comply with IRB requirements when sponsoring clinical 
        trials in support of new drug or biologic and we believe that 
        IRBs effectively protect the welfare of trial participants. As 
        noted above, we do not believe that IRB oversight should be 
        extended to every analysis of medical information or to 
        research that is not federally regulated, sponsored or funded, 
        or modified to encompass unique confidentiality issues.
 Patient consent. We support current federal requirements 
        concerning the informed consent of participants in 
        interventional research. We do not believe, however, that 
        research projects using databases or archives of previously 
        collected information and materials should require informed 
        consent. In many cases, it may be impossible to gain consent--
        patients move, change health plans, die--and given the 
        extremely minimal risk to patients from research of this type, 
        requiring informed consent increases the burden on researchers 
        but does not serve to protect the patient's confidentiality 
        interests.
 Retention of data. Researchers should not be required to 
        destroy data once the original study for which it has been 
        collected has concluded. In some cases, it is necessary to 
        retain the data in order to comply with existing federal 
        regulations. In other cases, the collected data can be 
        extremely valuable and may be reanalyzed for other purposes 
        beyond the original intent and would be beneficial to patients.
 Provide Uniform, National Protection for All Medical 
        Information. The same confidentiality standards for all types 
        of medical information should apply nationwide. Legislative 
        distinctions among types of medical information--genetic, 
        psychological, or physical--would conflict with the patient's 
        expectation that all health care information shared with a 
        provider to obtain appropriate treatment should be maintained 
        in confidence. Further, to ensure that individuals' 
        expectations of confidentiality of medical information are 
        valid in every jurisdiction, federal law should provide a 
        uniform set of national requirements that would preempt state 
        laws.
 Penalties. Finally, Glaxo Wellcome supports strong penalties 
        for violations of patients' confidentiality that have been 
        included in most of the legislative drafts. We do not believe, 
        however, that these penalties could or should include 
        enforcement tools such as exclusion from the Medicare and 
        Medicaid programs. We believe that strong penalties, including 
        civil monetary penalties, are a more effective deterrent to 
        misuse and a more appropriate punishment for violators.
Principles for Protecting Patient Confidentiality
    As is the case with other companies, Glaxo Wellcome is an active 
member of the Pharmaceutical Research and Manufacturers of America 
(PhRMA), the Biotechnology Industry Organization (BIO) and the 
Healthcare Leadership Council (HLC). We have been working closely with 
these organizations and other members of the health care provider 
community on this important issue. We were particularly involved in 
PhRMA's efforts to develop a key set of principles that reflect a 
commitment to strong protections for individuals' medical information 
while ensuring the availability of medical information for research and 
for the delivery of quality health care. A copy of these principles is 
attached.
Conclusion
    Mr. Chairman, Members of the Committee, I again wish to express 
Glaxo Wellcome's appreciation for your efforts and your obvious 
attention to protecting the public's interest in the fruits of health 
research. We look forward to working with you as you continue your 
efforts, and we stand ready to help the committee in any way.

    Mr. Greenwood. Thank you very much, Dr. Andrews, for your 
testimony.
    Dr. Koski.

                     STATEMENT OF GREG KOSKI

    Mr. Koski. Thank you very much, Mr. Chairman and members of 
the committee. My name is Greg Koski, and I am the Director of 
Human Research Affairs for the Partners Health Care System in 
Boston.
    In both my professional and personal life, I have had an 
opportunity to consider very directly many of the issues we are 
talking about today, both as a doctor and as a patient, as a 
scientist, as well as a research subject. I also work as a 
manager, serve on the committees that are charged with 
formulating the confidentiality guidelines and policies and 
procedures. I have also served for more than 15 years as a 
member and chair of the IRB, and in my present capacity, am 
responsible for the overall protection of human subjects in 
research for our entire large integrated health care system.
    In today's hearing, we have heard the words ``privacy'' and 
``confidentiality'' used frequently and often interchangeably, 
and I think for the sake of clarity it is worth expanding on 
that just a little bit. Clearly, the right to privacy is 
the right that an individual has to actually choose the extent 
to which they wish to share information about themselves and 
their activities with other individuals, and when in the course 
of their social activities and interchanges they make the 
decision to share that information, they are allowing the open 
door into their world of privacy, but in doing so, they 
establish a centralist part of the social contract or 
confidentiality agreement, the extent to which and the 
expectations according to which that information is being 
shared.
    Whenever we try to access private information without 
appropriate authorization or where we have no right to that 
information we are clearly invading privacy. When we have been 
given private information under certain expectation of 
confidentiality and have failed to uphold it, we have breached 
confidentiality. Both of those are egregious, and I believe 
should have appropriate penalties associated with them.
    But I think if we look at this realistically, it would 
simply be impossible in our modern age to expect absolute 
privacy in any aspect of our lives. Certainly the health care 
system is no exception to that, and in fact, it is absolutely 
essential in seeking care and in managing care that individual 
privacy be compromised to a certain degree or there are risks 
on both sides, both to the individuals as well as to society 
and the institutions.
    So I think that it is clear from the discussion that we 
have had today, that I won't reiterate, that we have reached a 
situation where we have begun to lose public confidence in our 
ability to protect them and their private health information; 
and I believe that now is the time to take steps to try and 
establish appropriate procedures, policies, laws for the 
necessary protections.
    A few points that I would emphasize as being essential 
toward this goal would be, in no particular order, that we 
actually collect only that information that we truly need, that 
is justified for what we need to do. By not having information 
that you don't want, the risks that something might be done 
with it that is not appropriate are greatly alleviated.
    Similarly, information that is collected for one purpose 
should be used for that purpose or that set of purposes and 
should not be used for secondary purposes without some 
appropriate degree of oversight and authorization. At times, 
that will be from the individual, at times it will be from 
another body, but that depends upon the nature of the risks 
involved and sensitivity of the information.
    Overall access to personal health information should be 
strictly available, limited on a need-to-know basis rather than 
a want-to-know basis.
    Unauthorized uses of information should be subject to 
appropriate penalties and clearly any entity or entities that 
are actually collecting or receiving personal health 
information should do so under appropriate policies and only 
with appropriate policies for properly protecting the 
confidentiality.
    Clearly, confidentiality in itself is the process that we 
use to demonstrate our respect for the privacy of individuals, 
and when we accept private information, we also accept that 
moral and legal obligation to ensure that we carry out the 
confidentiality process in a robust manner.
    When an institution produces or publishes its policies for 
confidentiality, I think it is essential that those be shared 
in a very active and informed way with the individuals whose 
information is going to be accessed.
    And finally, these policies should include specific 
provisions that would minimize risk of any disclosure by, to 
the fullest extent practicable, using nonidentifiable 
information when it can be used, using deidentified 
information, when appropriate, and only relying upon 
identifiable information as necessary.
    I think I have a major exception to the language describing 
nonidentifiable in Mr. Greenwood's bill, and we may come back 
to that later on, but I want to turn my attention specifically 
to the issues of research.
    In this country, biomedical research is conducted according 
to a variety of codes of ethics and all, the Nuremberg Code, 
the Declaration of Helsinki and certainly the Belmont Report, 
and three fundamental principles have been identified: respect 
for persons, justice and beneficence. All three of those 
fundamental principles for the conduct of research require that 
we respect the privacy of individuals who are participating in 
research and that we protect their confidentiality.
    As a consequence of this and the incorporation of those 
fundamental principles into the laws, the common rule as it is 
called, or 45 CFR 46, as amended, all federally funded research 
is currently conducted in a manner that is consistent with 
those ethical policies; and indeed IRBs that are responsible 
for review and approval of all research involving human 
subjects under this Federal law are obligated to consider not 
only medical risks, but also psychological, social, economic 
risks as part of their considerations in determining whether or 
not the research should go forward.
    With all due respect to Dr. Andrews, I think that it is 
very misleading to suggest that IRBs are neither in possession 
of the expertise or experience to do this because, in fact, it 
is inherent in what they do in the conduct of their business 
every day.
    Large institutions with significant Federal funding, like 
our own, operate under an assurance to the Federal Government 
that we will apply the principles of the laws on the common 
rule to all research that is conducted at our institutions 
regardless of the source of funding; and unfortunately, only 
about 1,200 of the more or less 5,000 IRBs that currently 
review research in this country come under that common rule, 
and I think that is a glaring deficiency.
    I think it is important to note that a common rule 
specifies when it talks about the definition of human subjects 
research not only the use of living human beings, but also 
information or specimens derived from living human beings. No 
one could misconstrue that to believe that the IRBs are not 
supposed to be reviewing research that involves identifiable 
patient information and to grant exemptions in the case where 
information has been rendered nonidentifiable.
    Mr. Bilirakis. Please summarize, Doctor.
    Mr. Koski. Thank you. I will.
    I think what we should do at this opportunity--rather than 
to establish, as 2470 and 1941 would do, a parallel and 
probably unequal process for review of a subset of human 
research in this country, what we should do would be to take 
this opportunity, as the Secretary seems to be doing presently 
in the elevation of OPRR from NIH to a higher status at DHHS, 
to actually bring all human research under a common set of 
guidelines. I believe that this would be the highest and most 
appropriate way to actually ensure the protection of human 
subjects in research. There are opportunities to work with 
industry to define the mechanisms by which we can most 
effectively use deidentified information to meet their needs 
and at the same time respect the privacy of our patients.
    I will stop there and hope to expand on some of that during 
our discussion.
    [The prepared statement of Greg Koski follows:]
Prepared Statement of Greg Koski, Associate Professor of Anesthesia and 
         Critical Care Medicine, Massachusetts General Hospital
    Dear Mr. Chairman and Members of the Subcommittee: Few would argue 
that individuals in this country reasonably expect that their privacy 
be respected, and that sensitive personal information about themselves, 
whatever the nature of that information might be, should not be 
disclosed to others without authorization, except in specific 
circumstances where there is a compelling need, and even then, only 
with specific provisions for protecting confidentiality of such 
information. Health information is arguably among the most sensitive 
types of personal information and has always been afforded special 
consideration when issues of privacy and confidentiality are concerned.
    The extraordinary scope of social and technological change in our 
health care system over the past two decades has unavoidably and 
irrevocably changed the practice of medicine and the business of health 
care. With this change, the public has become increasingly concerned 
about the loss of autonomy and loss of privacy, both of which seem now 
to occur too frequently. Concerns regarding unauthorized access to 
personal medical information arise from, and are substantiated by, 
misuse and even abuse of information obtained during encounters with 
the health care system. A climate of mistrust has developed in which 
patients are demanding more control over who has access to their 
personal information and how that information is to be used. Since many 
do not understand the complexity of our health care system and the 
growing need for many different parties to access patient information 
in the course of their jobs, the adverse impact that broad restriction 
of access can have on the system, and the quality of care, is not well 
appreciated.
    Several detailed and thoughtful analyses and reports have been 
presented addressing the complex issues involved in providing and 
managing health care while respecting the privacy of individual persons 
and protecting the confidentiality of personal health information. 
Current legislative activity pertaining to these issues at both the 
state and national levels reflects to a large degree the growing 
interest among our citizens and the entire health care system and 
related industries in finding effective ways to achieve these goals. 
One such effort is that of the Health Privacy Working Group, an 
initiative of the Georgetown University Institute of Health Care 
Research, which recently released its recommendations. These include a 
set of ``best principles'' that provide a useful framework for 
development of specific policies for effective management and use of 
personal health care information in a manner that is well-reasoned and 
workable. The members of the Subcommittee will certainly receive copies 
of this report and will find it informative and useful. This statement 
of principles does not, however, obviate the need for effective 
legislation to effect necessary change and introduce appropriate 
safeguards for protection of privacy and confidentiality of health 
information.
    Several pieces of legislation are currently under consideration by 
Congress, and the Secretary of the Department of Human Services has 
introduced a comprehensive set of recommendations as required by law 
that may take effect if Congress does not itself take action. 
Regardless of what legislation may ultimately be enacted, it should 
include a requirement that all persons, institutions, agencies or other 
entities which collect personal health care information be required to 
develop formal written policies and procedures for use of such 
information, and that patients be notified and informed of these 
policies and their rights.
    These policies and procedures should limit access and distribution 
of information on a rigorous ``need to know'' basis. Information should 
only be collected and maintained in identifiable form when necessary 
and appropriate, it should be used only for those specific purposes for 
which it was intended at the time of collection unless there is 
appropriate notification and authorization of other uses, and when 
information is no longer needed, it should be destroyed or rendered 
nonidentifiable after a reasonable period of time unless there is a 
compelling justification for keeping it. If these general guidelines 
are kept in mind, mistrust and misuse of such information will be 
minimized.
    I would like to thank Mr. Bilirakis and the members of the 
Subcommittee for this opportunity to offer general comments about the 
bill currently before it, H.R. 2470, otherwise known as the ``Greenwood 
Bill''. Those who have crafted this proposed legislation deserve a 
great deal of credit for their thoughtful work, as many of its 
provisions could provide useful solutions to some of the concerns 
discussed above. Nevertheless, there are aspects of this bill that 
could be improved. I will first offer a few remarks regarding the 
broader aspects of the proposed legislation before focusing on those 
parts of the bill pertaining to appropriate conduct and oversight of 
health research, an area in which I can claim some experience.
    First, for clarity, I would like to call your attention to the 
definition of ``nonidentifiable'' health information used in this bill. 
Personal health information that can be attributed to the individual 
person from whom it was obtained is identifiable. Only information that 
cannot be attributed to its source is nonidentifiable. When information 
is linked by a specific code number to an individual, even if all other 
specific identifying information has been removed, that information is 
still identifiable and special precautions must be taken to restrict 
the use of that information in ways that have not been authorized by 
the individual of origin. The use of this term in the proposed 
legislation contradicts the definition set forth in the Federal 
Regulations for Protection of Human Subjects in research, is confusing 
and misleading, and will be viewed by many as being deceptive, intended 
or not. Information is either identifiable or not; these are mutually 
exclusive. Identifiable information may be anonymous, encrypted, coded, 
or deidentified in an effort to offer protection of privacy and ensure 
confidentiality, but it is still identifiable.
    The description of ``health care operations'' is useful, but the 
list includes certain activities, such as outcome assessments, that 
frequently overlap the research domain, which I will discuss in greater 
detail below. Care should be taken to insure that this does not provide 
a ``loop hole'' for individuals to circumvent review and approval 
processes of Institutional Review Boards (IRBs) and the protections 
such review can provide.
    The bill includes provisions for disclosure of information to a 
variety of third parties for a variety of purposes. As a general rule, 
any and all releases of identifiable health information to third 
parties outside of the health care setting in which it was obtained 
should be authorized by the individuals from whom the information is 
obtained. Secondary ``re-disclosure'' to parties further removed from 
the primary source/custodian should be prohibited and punishable by 
law.
    While there is clearly a need to establish a minimum standard under 
federal law for protections of privacy and confidentiality of personal 
health information, a preemptive law that would undermine or limit the 
ability of States choosing to pass more stringent protective laws may 
have a counter-productive effect, actually reducing protections for 
individuals. Indeed, some may view such an attempt to preempt 
legislation at the State level with skepticism and as an attempt to 
protect special interests that may be in conflict with those of 
individuals.
    Turning to the provisions for access to personal health information 
for research, I would first point out that the benefits of biomedical 
research to both society and individuals are widely acknowledged and 
very highly valued by the American people. In a recent national survey, 
nearly 90% of those polled indicated strong or very strong support for 
biomedical research activities and a personal interest in participating 
in research, provided they could be assured that their interests and 
well-being were protected. There is a long and very productive 
tradition of using medical records and other forms of health 
information for research purposes in this country, and such uses have 
rarely resulted in breaches of confidentiality. The American people 
have been very willing to accept this exception to absolute privacy of 
their medical information, provided the information is handled in a 
confidential manner.
    We are very fortunate to have in place in this country a system for 
protection of human subjects in research, including federal laws that 
mandate oversight of research by duly constituted Institutional Review 
Boards. This system, in which I am a proud and active participant, 
already reviews and approves most of the biomedical research conducted 
in this country, including research that relies upon the uses of 
personal health information. The challenges faced by the IRBs are 
considerable, but overall, it is clear that since the IRB system was 
developed two decades ago, biomedical research involving human subjects 
has flourished and reports of serious abuses are infrequent. Even as 
this Subcommittee considers legislation to enhance protections for 
patients' privacy and confidentiality of health information, steps are 
being taken to strengthen the IRB system to make it even more 
effective. I strongly support these actions, and believe that the IRB 
process can and should play an integral role in oversight of all 
research involving health information.
    I further support current efforts to bring all research involving 
human subjects, as defined in federal regulations, under the ``Common 
Rule'' (45 CFR 46, as amended), and to develop a process to credential 
IRBs and health researchers as a further step toward strengthening the 
system for protection of human research subjects. While existing rules 
and regulations offer the IRBs and investigators guidance in the use of 
personal health information, more specific guidance should be 
promulgated to address issues of informed consent, uses of identifiable 
versus nonidentifiable information, and specific mechanisms for 
protection of confidentiality. In some cases, it may be appropriate for 
institutional ``confidentiality committees'' to oversee access to 
personal health information at institutions that do not have sufficient 
research volume to justify an IRB, but even in those cases, the 
research should be reviewed and approved by an IRB constituted under 
the ``Common Rule'' according to specific guidelines for research 
access.
    In large institutions and in the growing number of integrated 
health care systems, of which the Partners HealthCare System is an 
example, the co-existence and close association of such confidentiality 
committees and IRBs afford completeness and consistency in policies and 
procedures for access to personal health information that, at least in 
our case, has proven to be very beneficial. As information technology 
and electronic medical records systems play an ever growing and 
important role in modern health care and research, every practicable 
effort should be made to take advantage of new tools and methodologies 
of information science to enhance protection of sensitive information 
and patient privacy.
    In closing, I would like to thank all of the members of the 
Subcommittee for the opportunity to express these views. I wish you all 
well as you address the challenges that lie ahead.

    Mr. Bilirakis. Thank you, Doctor.
    Dr. Frey.

                  STATEMENT OF CAROLIN M. FREY

    Ms. Frey. Mr. Chairman and members of the committee, I am 
Carolin Frey, Chair of the Institutional Research Review Board 
for the Geisinger Medical Center, part of a larger health 
system and managed care organization. I appreciate the 
opportunity to speak to you today, specifically about the 
current role of the Institutional Review Board, or IRB, in 
protecting privacy as it relates to research.
    Our IRB, like others, has witnessed growth in research made 
possible by large pools of extant and identifiable medical 
information. We have taken a proactive role in setting 
standards for conducting this type of research. We do this in 
part because the IRB function has a lot to do with engendering 
public trust. To that end, the IRB's function is a valuable 
model, and I stress ``model'' with respect to pending privacy 
legislation, the IRB function is exactly that, a model and not 
a ready-to-use resource. The current IRB system works well in 
the places it has been implemented, but it does not provide 
universal oversight for research. Legislation must distinguish 
between the existing IRB infrastructure and an IRB-like process 
that could be designed.
    I will now identify two limitations to the existing IRB 
function which would need to be overcome in legislating a 
process for universal review of research involving personal 
medical information, should that be a goal.
    Now, first, the existing IRB system was never designed to 
provide universal protections. Not all institutions conducting 
human research have an IRB and not all IRBs review the special 
class of research involving extant and identifiable medical 
information. Institutions constitute IRBs usually because they 
are federally funded for human research or have investigations 
of FDA-regulated products being conducted there. However, these 
same institutions, such as Dr. Koski's and my own, may decide 
to apply the Federal regulations to all of their research. Some 
may choose to apply it to some.
    Also, when identifiable medical information travels between 
institutions, one with and one without an IRB, it is possible 
for only a portion of an individual's record to be within the 
purview of an IRB. Complete, not partial, protection should be 
the goal of national legislation.
    So let me now propose adequate protections that an IRB-like 
system would include: first, an orderly process for defining 
the purview of responsible reviewing entities to ensure 
complete and nonoverlapping protection; and second, be mandated 
at a sufficiently high Federal level to ensure a review board 
is available to all locations where this kind of research takes 
place.
    Now, a second limitation of the IRB role concerns the fact 
that its role in protecting privacy is not well understood by 
the public. Where an IRB is used its strength is its authority 
to require strong security measures, sometimes likened to a 
firewall, to protect the privacy of identifiable medical 
information used in research. However, the specific review 
procedures used, including exempting review altogether, the 
conditions necessary to waive consent but also the societal 
benefits of such research are not well understood.
    The IRB function broadly provides protection of human 
subjects from physical, social, mental, privacy and 
confidentiality risks. Use of extant personal medical 
information is just one special class of research. An IRB may, 
in fact, exempt from review that information which is 
essentially anonymized, but with recorded identifiers, this 
class of research generally qualifies for an expedited review 
carried out by a single IRB member.
    It is important to point out that expedited IRB review does 
not by itself result in an exception to the requirement to 
obtain the individual's consent. First consideration is given 
to whether the merit of the proposed research warrants an 
intrusion, and that potential risk relies to some extent on the 
data security procedures proposed. These protect against 
subsequent disclosures which are, in fact, the primary risk of 
this type of research.
    An IRB can impose security modifications toward this end as 
a condition of granting approval to conduct the study. Only 
then is an IRB waiver of consent considered, and in fact, four 
conditions must be met: the research must be no more than 
minimal risk; the waiver must not otherwise affect the rights 
and welfare of the subjects; there is an impracticability 
requirement; and the subject must be provided with additional 
pertinent information.
    There is an enormous problem, and I will summarize quickly. 
It has been my experience that most individuals are not aware 
that their medical records can legitimately be included in 
research without their express consent. This suggests that the 
IRB process, though well conceived, may fail to engender public 
trust if the communities so served do not fully understand the 
IRB authority to waive consent.
    In legislation, consider such uses as uses of notices of 
information practices and a national educational effort to make 
clear the societal benefits of this class of research.
    In conclusion, the current IRB function offers a strong 
model for protecting research uses of personal medical 
information. To be fully effective, however, a future IRB-like 
research review process would need to be widely expanded beyond 
the current IRB infrastructure. This expansion would need to be 
done in a way so as not to further burden the existence and the 
vital functioning of the existing IRB infrastructure.
    Thank you.
    [The prepared statement of Carolin M. Frey follows:]
   Prepared Statement of Carolin Frey, Chair, Institutional Research 
                 Review Board, Geisinger Medical Center
    Mr. Chairman and members of the Committee, I am Carolin Frey, PhD, 
Chair of the Institutional Research Review Board for the Geisinger 
Medical Center. I appreciate the opportunity to speak to you today 
specifically about the current role of the Institutional Review Board 
(or IRB) in protecting privacy as it relates to research.
Introduction and IRB as ``model'' for research review
    The IRB I Chair reviews research originating from diverse parts of 
our multi-faceted health system which includes a distributed network of 
providers and a health maintenance organization. The health system 
relies on the free flow of medical information to ensure it travels 
with each patient at possibly distant geographic points of service. Our 
IRB, like others, has witnessed growth in research made possible by 
large pools of extant and identifiable medical information. We have 
taken a proactive role in setting standards for conducting this type of 
research. We do this, in part, because the IRB function has a lot to do 
with engendering public trust. To that end, the IRB function is a 
valuable model for independent review of research uses of personal 
medical information. With respect to pending privacy legislation, the 
IRB function is, however, only a model. It is not a ready-to-use 
resource. The current IRB system works well in the places it has been 
implemented but it does not provide universal oversight for research. 
There is also much latitude by institutions and IRB's in choosing how 
and when to review research based solely on extant and identifiable 
medical information. Legislation must distinguish between the existing 
IRB infrastructure and an ``IRB-like'' process that could be designed, 
albeit at substantial cost.
    I will identify two limitations to the existing IRB function which 
would need to be overcome in legislating a process for universal review 
of research involving personal medical information.
IRB's currently oversee only a portion of human research
    The existing IRB system was not designed to provide universal 
protections. Not all institutions conducting human research have an IRB 
and not all IRB's review the special class of research involving extant 
and identifiable medical information. Institutions constitute IRB's 
usually because federally funded human research or investigations of 
FDA regulated products are done there. However, institutions may decide 
whether or not to apply the federal regulations to all research at that 
site or to just those studies required to meet the federal minimum. 
Many institutions extend the common rule to all research. However, when 
identifiable medical information travels between institutions it is 
possible for only a portion of an individual's record to be within the 
purview of an IRB. For example, paper or electronic medical records in 
a hospital may be protected from privacy risks in research by virtue of 
the hospital IRB. However, when much of this same information travels 
to a third-party payor without an IRB it may no longer be protected 
should it become part of a research study. Complete, not partial, 
protection should be the goal of national legislation. To provide 
adequate protections, an ``IRB-like'' system would:

1) have an orderly process for defining the purview of responsible 
        reviewing entities to ensure complete and non-overlapping 
        protections; and
2) be mandated at a sufficiently high federal level to ensure a review 
        board is available at all locations where research on personal 
        medical information takes place.
The IRB role in protecting privacy is not well understood by the public
    Where an IRB is used, its strength is in its authority to require 
strong security measures (sometimes likened to a ``firewall'') to 
protect the privacy of identifiable medical information used in 
research. However, the specific review procedures used, including 
exempting review altogether, the conditions necessary to waive consent 
and the societal benefits of research on personal medical information 
are not well understood. All of this amounts to inadequate 
understanding by the public of the risks (generally estimated to be 
small) and benefits (which can be quite great) of research on extant 
medical information.
    The IRB function broadly provides protection of human subjects from 
physical, social, mental, privacy and confidentiality risks which might 
occur through participation in research. Much review is done during 
fully convened meetings attended by scientific and lay members both 
from within the institution and unaffiliated with it. Use of extant 
personal medical information is just one special class of research 
overseen by IRB's. An IRB may exempt from review, and hence any 
requirement for informed consent, some of this research if it involves 
``the collection or study of existing data, documents, records, if the 
information is recorded in such a manner that subjects cannot be 
identified, directly or through identifiers linked to the subjects.'' 
[46.101(b)(4)]. Again, some institutions have policies that go beyond 
the minimum regulation and require IRB review. For a variety of 
reasons, identifiers often must be retained. With recorded identifiers, 
such research generally qualifies for an ``expedited'' IRB review 
carried out by a single IRB member--usually the IRB Chair and sometimes 
a designate.
    Expedited IRB review is a two step process. It is important to 
point out that ``expedited'' IRB review of research involving extant 
and identifiable medical information does not, by itself, result in an 
exception to the requirement to obtain the individual's consent for 
such use. First, consideration is given to whether the merit of the 
proposed research potential warrants an intrusion. The potential risk 
of that intrusion relies, to some extent, on the procedures proposed to 
ensure the security of the information. Security of research data 
protects against subsequent disclosures which are the primary risk of 
this type of research. In essence, a firewall can be built around 
research data and an IRB can impose security modifications towards this 
end as a condition of granting approval to conduct the study. There is 
some discretion concerning recommended security measures. Typically 
these include removal of personal identifiers from research records, 
use of coded study identifiers and separate safekeeping of a key which 
links the two. Restrictions to the sharing of research data with off-
site investigators or potential future uses may also be made a 
condition of the IRB approval.
    In a second step, the IRB may waive the requirement to obtain 
informed consent. This waiver is granted under the common rule only if 
the IRB finds and documents that ``1) the research involves no more 
than minimal risk to the subjects; 2) the waiver . . . will not 
adversely affect the rights and welfare of the subjects; 3) the 
research could not practicably be carried out without the waiver . . .; 
and 4) whenever appropriate, the subjects will be provided with 
additional pertinent information after participation.'' [46.116(d)]
    It has been my experience that most individuals are not aware that 
their medical records can legitimately be included in research without 
their expressed consent. This suggests that the IRB process, though 
well conceived, may fail to engender public trust if the communities so 
served do not fully understand this exception to gaining consent. The 
IRB review process, because it is not well understood, is not likely to 
be seen as providing acceptable privacy protections. Legislation aimed 
at designing an ``IRB-like'' process should include additional 
provisions:

1) use of notices of information practices including a statement about 
        disclosures for research purposes; and
2) a national educational effort to make clear the societal benefits of 
        research involving personal medical information without 
        consent.
Summary
    Coordinated implementation of recommended privacy protections will 
be required to make these transparent to healthcare consumers. Without 
transparency, false consumer expectations may further erode public 
trust. Trust is key and trust will be hard to legislate. In addition to 
transparency, uniformity through preemption of state law to provide a 
``floor'' (preserving greater protections by some state law) would help 
engender public trust. And finally, accountability in the form of audit 
trails for disclosures and the right to pursue actions against 
unauthorized uses of personal medical information are needed.
    In conclusion, the current IRB function offers a strong model for 
protecting research uses of personal medical information. To be fully 
effective, however, a future ``IRB-like'' research review process would 
need to be widely expanded beyond the current IRB infrastructure. This 
expansion would need to be done in such a way as to not further burden 
the existing and vital IRB function. Institutional reviewing bodies 
would need to function with the complete support and cooperation of the 
institutions they represent. Most importantly, this would require, as 
part of communicating institutional information practices, complete 
disclosure of research activities to include a statement on how and 
when individual consent may be waived.
    Thank you again for the opportunity to share information about the 
IRB function as it relates to privacy of identifiable medical 
information. I would be glad to answer any questions you may have.

    Mr. Bilirakis. Thank you very much, Dr. Frey.
    Before I yield to open the questioning by Mr. Greenwood, I 
would just like to remind you that the five of you are here 
because you are experts, because you have so much to offer to 
us, and this goes along obviously with the panel prior to 
yours. We don't have very much time to craft a piece of 
legislation. We are going to try to do everything we possibly 
can.
    In fact, we have a meeting scheduled as early as 5 o'clock 
this afternoon to work with the minority to try to get 
something worked out. I am just inviting you to please keep 
that in mind. Any inputs you may have from a specific sort of 
standpoint in terms of legislation, don't hesitate. It will be 
very difficult for us to be able to contact every member of 
this panel and the other panel and get their inputs and crank 
them into what we are doing without your taking the initiative.
    And the Chair at this point would yield to Mr. Greenwood.
    Mr. Greenwood. Thank you, Mr. Chairman. Let me turn to Dr. 
Andrews.
    Dr. Koski, respectfully, I differ with you in terms of your 
interpretation of the IRB aspects of the legislation, and Dr. 
Frey and others today have expressed differing views. I would 
like to give you an opportunity to comment on their comments or 
rebut anything that you think needs to be rebutted.
    Ms. Andrews. Thanks very much.
    I would first of all say I think the IRB mechanism is an 
invaluable one, and we depend on it heavily; and I would hate 
to overburden it because we need it desperately in cases of 
clinical research and any research that involves intervention 
or direct interaction with patients. And I think they do a 
marvelous job of safeguarding patients' well-being; and in many 
cases, they do look at data confidentiality issues.
    My main concern is with the use of safeguards for 
observational research for which there is no medical risk to 
the patient and which relies purely on existing medical 
records. The existing structure--and I think one of the other 
speakers may have pointed out that a fairly small proportion of 
research that is currently being reviewed by IRBs is this type 
of information, so IRBs typically have less experience 
reviewing this kind of research. The typical procedure for 
reviewing this observational research using existing records is 
for it to be automatically assumed to be in the category of 
minimal risk, which then allows for an expedited review of only 
one member of the IRB.
    And under the Greenwood bill, there are many more 
safeguards that we feel would provide greater safeguards for 
the handling of records and systematic review and procedures 
for the evaluation of research within the institution; and we 
feel that is much stronger, and having those safeguards in 
place would cover not only research where most researchers and 
others would agree there have been very few breaches of 
confidentiality, but would apply across the health care system 
in the cases where there have been breaches.
    Mr. Greenwood. Thank you. Earlier, in the opening 
statements, some of the members on the other side of the aisle 
raised a legitimate point, and that is, why are we having this 
hearing just on my bill as opposed to other legislation?
    I want to just give each of the panel members, in the time 
that I have left, an opportunity, if they choose, to either 
comment on, A, an aspect of--well, let us do it this way--to 
comment on any aspect or aspects of some of the other bills 
that have been introduced by members of this committee that you 
think either would be problematic and we would not want to 
incorporate, for a variety of reasons, into the final package; 
or where you think they are absent from the legislation under 
consideration today and ought to be incorporated. I won't put 
anybody on the spot, but if anyone would like to take that 
tack, it is an opportunity.
    Ms. Carty. I will speak specifically to the issue that I 
raised in my earlier testimony, which is the preemption of 
State law, and I think that is a major issue because I know 
your bill, Congressman Greenwood, very responsibly establishes 
that ceiling that would allow the really critical research to 
continue uninterrupted throughout the 50 States. By 
establishing a floor, as reflected in H.R. 1941, we would see a 
multitude of States enacting legislation really making some 
critical research areas completely unworkable, and it would 
certainly, the degree--I am sorry.
    Mr. Greenwood. If I could interrupt you, because that point 
has been disputed by, particularly, other members of the first 
panel. Could you try to illustrate that in some way with 
something specific?
    Ms. Carty. Sure, a specific example--and actually I will 
move outside of the State of California, because we are in sort 
of a strange period right now where the State legislature is 
reviewing at least 4 or 5 bills that will probably make it 
through the legislature. But I know that the committee has 
already received testimony from Dr. Steven Jacobson from the 
Mayo Clinic, and I think the point that he brought in terms of 
Minnesota enacting specific requirements, consent requirements, 
and the effect that those requirements actually had on the data 
that the researchers eventually had compiled, was quite 
troubling. For example, women were more reluctant to go the 
extra mile in terms of giving that actual consent. People who 
are younger were more reluctant to give that consent. People 
with history of mental health issues were more reluctant to 
give that consent.
    So would that skew the research? Absolutely. And compound 
that times whatever, how many other States would enact that 
type of legislation? Would it skew the research? Absolutely, 
and certainly the research would be carried out in a much 
slower fashion; and there are certainly some research areas 
that would just not be explored because it would be unworkable.
    Mr. Greenwood. At the chairman's discretion, are there any 
other members of the panel that want to respond?
    Mr. Bilirakis. Any very quick responses or short responses?
    Mr. Koski. I will try to be very quick.
    I think that 2470, as it now stands, is the right start, 
but it is deficient in a number of perspectives. One is, it 
could allow release of information to third parties that is 
identifiable information for which it may not have been 
originally intended. I think those provisions need be tightened 
up quite extensively.
    Also, the provision of penalties for inappropriate uses of 
information I think needs to be strengthened as well. There 
should be a requirement for active information, delivered to 
patients regarding policies for how their information is going 
to be used and protected at every entity where it is going to 
be collected; the bill is deficient there. In terms of--well, I 
won't--I already covered the issue of using different classes 
of information.
    But in this particular--this bill's description of 
nonidentifiable is totally inadequate. Coded information that 
can be directly linked back to an individual is identifiable. 
It may be coded deidentified, but it is nonetheless 
identifiable, and if you are going to ask someone to give up 
their rights to determine what is done with information, 
tissues and all that can be linked back to them, you have got a 
problem. They have to authorize that.
    I think we need to be very explicit. Nonidentifiable and 
identifiable are mutually exclusive. You can either tell who it 
came from or you can't. So I think we need to avoid that term, 
change that definition so that we make what is nonidentifiable. 
That would serve a great deal of research purposes and have 
essentially no risk associated with it whatsoever and would be 
very helpful.
    Mr. Bilirakis. The gentleman's time has long expired, but 
of course, that is the sort of thing we would like to get from 
you in writing to help us out here.
    Mr. Koski. It is in my written testimony.
    Mr. Bilirakis. I am not sure it is in response to the 
question. I think he was looking for something to the opposite.
    Mr. Brown.
    Mr. Brown. Thank you, Mr. Chairman.
    Mr. Johnson, you argue in your testimony that uncertainties 
in the laws should be clarified not through private right of 
action but, quote, ``through administrative regulations that 
will flesh out the many rights, responsibilities and 
protections in the legislation,'' an interesting approach from 
the Chamber of Commerce, asking for more government 
regulations, I might point out. But along these lines, compare 
if you would, administrative authority, if this is what you are 
really asking for, some fleshing out through rules and 
regulations. The administrative authority in the Greenwood 
bill, what the administrative authority--language found 
throughout the Condit bill, which is preferable, to get us to 
the point where we really know more about private course of 
action and whether we, in fact, really need that private right 
of action?
    Mr. Johnson. Well, Congressman, I have to admit I am not 
familiar with the Condit bill. I haven't looked at how they 
flesh out the administrative obligations there. My reference to 
the obligation of HHS to flesh out responsibility was simply 
based on the fact that the Greenwood bill has the kind of 
general authority provision given to HHS to issue regulations. 
But it is not inconsistent with the typical position of the 
Chamber of Commerce, I don't think; and here we are looking 
at--we are not necessarily happy about a new law that is going 
to impose new mandates on our members. We are trying to get to 
a point where it is the least objectionable possible.
    There is no question about the fact that between an 
administrative regulation that tries to set some guidance--and 
we hope the rulemaking is a good one--and a private cause of 
action across the Federal courts, my members would prefer the 
former. So we are trying to pick sort of what is the line of 
least resistance, I believe, here. And I am not saying we are 
happy with either one, Congressman, and I do apologize about 
the Condit bill. I am just not familiar with that.
    Mr. Brown. I think that sort of illustrates how important 
it is--I know the chairman actually agrees on this--in the 
future, when we are considering legislation like this, we need 
to look at all the pieces of legislation that have been 
offered. The numerous Federal privacy laws relating to other 
types of information include a private right of action: The 
Fair Credit Reporting Act, which sets forth confidentiality 
protections on a consumer's credit report; the Video Privacy 
Protection Act, which sets forth confidentiality protections on 
consumer's video rental records; the Cable Communications 
Policy Act, which sets forth privacy protections related to 
information about cable service subscribers.
    How can we have laws protecting allowing an individual 
right of action on cable subscribers, video rental records, Mr. 
Johnson, and not do that with something as important as medical 
privacy, the most important, intimately important, information 
almost and maybe, perhaps, the most intimate information 
attached to an individual?
    Mr. Johnson. Well, Congressman, I would ask that when those 
comparisons are made that your staff and you take a real close 
look at those statutes and ask--they may have a private cause 
of action, do they have the same kind of very severe criminal 
and civil sanctions that the Greenwood bill does? My guess is 
no. They have one or the other, or some very moderate types of 
penalties and a private cause of action. I would also ask that 
you look at what is the obligation that is being addressed in 
those laws.
    You mentioned the video rental law. Let me read the 
definition of what is the protected information there. The term 
``personally identifiable information'' includes information 
which identifies a person as having requested or obtained 
specific video materials or services from a videotape service 
provider. The defendant in that kind of case knows what their 
obligation is. The law is very narrow, what they are trying to 
regulate, which is disclosure of, did you rent or buy a 
videotape? The law is very understandable in that case.
    I think if you compare that definition to what is in the 
Greenwood bill or any of these bills that go to health 
confidentiality, you will see that one is a very small, 
understandable legal obligation as compared to a very amorphous 
obligation. Therefore, the more amorphous an obligation is, the 
more difficult it is to understand, the more exposure there is 
to an employer or a business in court and a vague reason, jury 
trials. So you have to look at the whole combination of the law 
is what I am saying.
    And third I guess I would just say that every law is 
different. Every law goes through its own negotiations as it 
goes through the congressional process. Sometimes some 
provisions get more attention than others. I have seen that. I 
have spent 9 years on the Hill. Sometimes provisions such as 
enforcement didn't get the close scrub they should have. So 
parallels sometimes I think just have to be looked at 
carefully.
    Last, I would say there are many important rights as 
identified in my testimony, such as safety and health in the 
workplace, that don't have private causes of action; and I 
don't think any of us will argue that OSHA is a slouch in 
enforcement or the National Labor Relations Board is a slouch 
in enforcement, and yet these are very important rights that 
Congress has chosen not to protect through a private cause of 
action.
    Mr. Brown. Some might argue that OSHA doesn't have the 
authority it needs in protecting workers. Not too many of our 
members would argue that I am sure.
    Mr. Bilirakis. I thank the gentleman. I am going to 
hitchhike on Mr. Brown's questions.
    Mr. Johnson, are there remedies in tort law today that 
would be available in the event an individual wanted to bring a 
cause of action as a result of breach of confidentiality?
    Mr. Johnson. Well, it is my view, and I think it is the 
view of other people who have looked at this bill, that the 
Greenwood bill does not preempt tort laws such as intentional 
infliction of mental distress, which would apply therefore to 
your worst kinds of situations.
    Mr. Bilirakis. So there are remedies in tort law existing 
today?
    Mr. Johnson. It is not going to cover every single legal 
obligation.
    Mr. Bilirakis. No law does.
    Mr. Johnson. No law does.
    Mr. Bilirakis. Are you aware of any cases where an 
individual had the confidentiality of their medical records 
compromised and yet they were unable to bring a court action?
    Mr. Johnson. I personally have not.
    Mr. Bilirakis. Are any of you aware of any similar case 
where they just weren't able to bring a court action because a 
remedy was not available?
    Ms. Carty, you touched on this and, in a sense, I suppose 
maybe you answered it. Currently 34 States, as I understand it, 
have laws governing access to medical records. A major clinical 
trial would be administered in possibly dozens of States, one 
trial in possibly dozens of States. Won't the complexity and 
cost of research be driven up? It may even be impossible to be 
adequately conducted, if you will, if researchers instead of 
meeting a single uniform standard must tailor their programs in 
multiple ways in order to gain access to data in a number of 
States?
    Ms. Carty. Yes, Mr. Chairman. I think it is important to 
recognize that when a biomedical company decides to pursue a 
line of medical research, there are many factors that are 
involved--cost, of course. If that were the case and that 
continues to move on in terms of the State legislation and a 
multitude of State laws, would it increase costs? Absolutely.
    Would it also result in some treatment simply--some lines 
of science and some treatments not being explored? Yes, 
absolutely, it would certainly have a major impact.
    Mr. Bilirakis. You were in the audience when Dr. Appelbaum 
testified and used the illustration of people come from 
Vermont, New Hampshire travel into Massachusetts and therefore 
it is Massachusetts law which applies, but if the research 
touched upon people in every one of those locales, you will 
have actually different laws that would apply. It wouldn't be 
just Massachusetts law; it would be Massachusetts, Vermont, New 
Hampshire, Rhode Island, et cetera, right?
    Ms. Carty. That is correct.
    Mr. Koski. May I respond to that, Mr. Chairman?
    Mr. Bilirakis. If you do it quickly. We have a vote on the 
floor, unfortunately. I apologize, but that is the way things 
are up here.
    Mr. Koski. I think that Ms. Carty's response there is 
really somewhat self-serving.
    Mr. Bilirakis. Self-serving?
    Mr. Koski. Yes, self-serving in terms of the industry.
    Mr. Bilirakis. You guys are tougher on each other than we 
are.
    Mr. Koski. I think, in fact, for a clinical trial, the 
example that you cited, in every one of those cases, a patient 
is going to be giving written informed consent. Currently, 
institutions all have their own requirements for access to 
medical records. The situation that would be imposed by 
individual legislation in different States is probably not 
going to be any more cumbersome with respect to doing 
multicenter clinical trials than the current situation. Having 
said that, though, I would say that the concerns about 
preemption to a large extent, I think, are separated with where 
one sets the floor. If you have a national standard that was 
set as a platform rather than a floor, and people were 
comfortable with that, I suspect that, you know, a few States 
would feel obligated to go beyond those provisions, and the 
concerns about preemption would not----
    Mr. Bilirakis. Not very many, in other words, would be 
obligated. A response, Ms. Carty?
    Ms. Carty. Mr. Chairman--and I know you have to get to your 
vote, but I just want to respond by bringing up the issue of 
genetic research.
    If States crack down on the use of genetic information, 
forbid the use of genetic information in research studies, 
there are whole lines of research that will not be explored; 
and not really considering this self-serving, I mean, really 
talking about, I think, the patients, the Alzheimer's patients 
and the breast cancer patients would probably be happy with 
that kind of self-serving statement because it is those lines 
of research we can hope to explore through a responsible flow 
of genetic information.
    Mr. Bilirakis. The clock wasn't turned on, but I think 
probably my time is up.
    Mr. Waxman. I want 5 minutes but I don't think I have 5 
minutes now. May we vote and then return?
    Mr. Bilirakis. I guess we are going to have to do that.
    Mr. Hall. I can take my 1 minute now if you would like me 
to.
    Mr. Bilirakis. All right. The gentleman is recognized.
    Mr. Hall. Just to respond to Mr. Johnson that I agree with 
his ideas about OSHA, and I think they have way too much 
authority and don't use it very wisely.
    I yield back my time. That is all of it.
    Mr. Bilirakis. Well, all right. Mr. Burr was on his way 
back, but I understand there are two votes, so he probably is 
held up. So we are going to have to recess for just a few 
minutes until we can get back. I am sorry. Thank you.
    [Brief recess.]
    Mr. Bilirakis. The hearing will come to order.
    Where were we? Mr. Waxman.
    Mr. Waxman. Thank you, Mr. Chairman.
    Dr. Andrews, I understand that you were the Chair of the 
International Society for Pharmacoepidemiology when it issued 
its 1997 recommendations on medical record confidentiality, and 
that report stated that all pharmacoepidemiologic studies that 
use personally identifiable data should be subject to IRB 
approval before a study commences. It noted that the IRB 
mechanism has been and should continue to be the keystone for 
protecting patient confidentiality by evaluating the use of 
potentially identifiable data, considering such use in the 
light of privacy and confidentiality, and further legislation 
should protect and strengthen IRB's ability to waive individual 
informed consent under these circumstances.
    This seems different than the views you expressed today.
    Mr. Andrews. Let me expand on that. Our committee 
continues to look at this in a great deal of detail. We were 
addressing mainly the issue of studies that require review of 
very identifiable records in medical institutions to identify 
patients to whom--who would be approached to consent to 
participate, for example, in a case control study of birth 
defects. We wanted to make it very clear that there is a role 
for IRBs to review this kind of research which would fall under 
the category that I mentioned earlier of interventional 
research in which a patient will ultimately be contacted.
    Mr. Waxman. It says to balance the individual privacy 
interest with society's need for sound information based on 
medical and public health issues, we should build on current 
laws and ethical guidelines, including the use of institutional 
review, ethics committees or their equivalent, that have served 
well in the past.
    Among their specific recommendations were the following: 
All pharmacoepidemiologic studies which use personal, 
identifiable data should be subject to IRB approval before 
study commences. The IRB mechanism has been and should continue 
to be the keystone for protecting patient confidentiality by 
evaluating the use of potentially identifiable data and 
considering such use in the light of privacy and 
confidentiality.
    Mr. Andrews. Absolutely, and let me clarify it. I think 
that everything revolves around the definition of what is 
considered identifiable or nonidentifiable. The way most 
epidemiologists and researchers would define nonidentifiable 
data would be information which is maintained in a form in 
which direct patient identifiers have been stripped and 
replaced with a code which could potentially be linked back but 
which are not, on the face of it, identifiable to the 
researcher. And that information--the kinds of studies that we 
use that kind of key coded information would be considered in 
our profession to be nonidentifiable data.
    Mr. Waxman. Isn't that a common rule and wouldn't--let me 
put it this way, because I don't want to argue with you. It 
seems hard for me to reconcile your testimony here with the 
statements which take such strong positions for IRBs when the 
patients are going to be identified. Maybe you can elaborate, 
and I would want the chairman to hold the record open if you 
want.
    Let me continue on because I only have 5 minutes. Dr. 
Koski, you believe IRB oversight should be extended to all 
health researchers. Could you elaborate on this view and 
comment on the guidelines for health researchers' review that 
are in the Condit-Waxman bill and the Greenwood bill?
    Mr. Koski. I don't think that there is a need to extend it 
so much with respect to the common rule, but rather to make 
sure that the common rule is extended to all of the IRBs.
    Mr. Waxman. That is what I meant. You would have it apply 
not just to government funded studies, but all private studies?
    Mr. Koski. Exactly. I would support that strongly. I think 
that would provide the most robust system for protection of 
human subjects in research, and I think there needs to be 
appropriate resourcing to get that done.
    I do think that 1941 has a useful section in its research 
sections that provides some beginning guidance for developing 
specific policies, guidelines for the use of identifiable 
health information, and those might be valuable to consider as 
we work toward a final type of legislation that would emerge in 
this process.
    Mr. Waxman. You would want to see IRBs and not something 
equivalent to IRBs?
    Mr. Koski. Absolutely, Mr. Waxman. I believe that having a 
separate process that causes a segregation in the whole process 
for review and approval of research would not only undermine 
the process that is there, it would tend to dilute the process 
for protection of human subjects and I think that would be a 
serious error.
    Mr. Waxman. You don't think that will hinder research?
    Mr. Koski. No, it will make it better because by protecting 
human subjects and by letting them know that we are putting 
their interests in the appropriate priority, there will be a 
greater willingness to participate in research, and I think I 
would like to make very clear to my colleagues here that in no 
way are the IRBs opposed to research. Our institutions live on 
research. That is what we do. Our goal is to make sure that 
research is not only done, and the best research is done, but 
that it is done right.
    Mr. Waxman. I think I heard the bell, Mr. Chairman.
    Mr. Bilirakis. Yes, some time ago.
    Mr. Waxman. Well, I yield back the balance of my time.
    Mr. Bilirakis. Mr. Burr, to inquire.
    Mr. Burr. Thank you, Mr. Chairman. Ms. Carty, it has been 
quite a while since you testified. I want to take the 
opportunity to restate something that I heard you say. You said 
there are significant health benefits to national uniformity 
providing access to medical records. Did I understand you 
correctly?
    Ms. Carty. That is correct.
    Mr. Burr. There are significant health benefits to 
uniformity?
    Ms. Carty. Yes, within a scope of potential therapies that 
can be researched and developed through responsible areas of 
clinical testing research.
    Mr. Burr. Again, like I did with the last panel, I want to 
try to bring this whole question back to the quality-of-health 
focus on the patient. I understand, Mr. Koski, you have got a 
very specific area that you have proposed, not even flexing 
over to a modified IRB, and I want to make sure that we all 
concentrate on the patient for a minute when we are talking 
about--is the IRB the best way, when we discard some potential 
research that might be done, let us understand who is affected. 
It is a patient. It is somebody we don't know. It is somebody 
that potentially is sick, somebody potentially that is 
terminal. And the question is: Are we going to do everything we 
can to encourage the development? Let me ask you, if you had 50 
different State rules, what would that do to the development of 
technology in medicine?
    Ms. Carty. It would slow it in some areas. It would stop it 
in some areas. And that is the range. And that means very 
practical implications for the patients and their families. Let 
me give you a very practical example.
    The magazine Nature came out with a wonderful article 
describing some areas of research in Alzheimer's disease, the 
potential development of a vaccine. This research is moving 
from conduct in mice in the labs and is just about to move into 
human clinical trials.
    I would absolutely submit today that if uniform standards 
are not adopted, that that will directly impact the quality of 
that research, those clinical trials and that observational 
research that will be conducted over the next phase in 
developing this vaccine.
    Mr. Burr. Let me ask, because Mr. Koski talked about--you 
suggested that the definition of nonidentifiable information in 
the Greenwood bill is too broad and that any ability to link 
back information should render it then by definition 
identifiable.
    I remember meeting with a company that does research and 
they told me about one specific study of a drug that was out, 
and the specific instructions from the manufacturer to the 
physician was no more than one prescription because of a 
potential risk with multiple prescriptions of liver problems. 
And the company was so concerned that doctors didn't read their 
directions that they had this company in an identifiable way go 
and research. And they found that doctors were prescribing 
multiple prescriptions, at which time the company pulled the 
product off the shelf because of potential liver damage.
    Let me ask you to talk about the nonidentifiable and 
identifiable situation that we run into and what significant 
problem that will create when we talk about public health.
    Mr. Andrews. Well, I am very concerned about the possible 
implications for public health, because in the area 
specifically of drug safety monitoring, we rely on large data 
bases of existing records that cross State lines and come from 
health maintenance organizations and other places. We simply 
must be able to have access to that kind of information to 
rapidly address important public health questions. If that 
information is key-coded but the researcher has no way of 
identifying the individual patient, the researcher does not 
want to know who the individual patients are, but it is 
important to maintain the link back to the original medical 
record.
    Mr. Burr. Let me ask, the company that I met with, they 
maintain the key. Now, it is up to them to maintain the privacy 
of the key to protect its integrity. What is wrong with them 
maintaining the key if, in fact, somebody had to for health 
reasons trace back to a particular person for public health 
reasons? Is there any problem with that?
    Mr. Andrews. Who would be maintaining the key?
    Mr. Burr. Whoever we put in charge. In this particular case 
it was the company that I met with, they control the key to the 
identifier. Things go out unidentified. What you said, even if 
it went out nonidentified, the fact that there was a key and 
the company had the key, you could not trust the integrity of 
their maintaining the privacy of the key, therefore it should 
be identifiable; is that correct, Mr. Koski?
    Mr. Koski. More or less.
    Mr. Burr. Without some ID capabilities, how could you ever 
trace back a public health problem?
    Mr. Andrews. You probably couldn't. It is important to be 
able to validly evaluate public health problems. If you have 
strictly nonidentifiable data and look through very large data 
sets, you may find a medication that is associated with several 
cases of very serious medical problems, life threatening fatal 
problems. You would hate to take a drug off the market because 
of those problems, if you assumed the drug caused it, without 
going back through the appropriate channels and finding out 
more information about those specific cases to find out if 
there were other explanations, which inevitably there might be.
    And that is one of the reasons that it is important to 
maintain the key for--to validate the study, to collect 
additional data, to supplement the study that has been done 
using identifiable data, and those are the circumstances in 
which a study would normally go to an IRB or some mechanism 
that is created to evaluate under what circumstances is it 
appropriate to go back to contact the patient.
    Mr. Burr. If you open this process up to an IRB or modified 
IRB, let me ask you, an extended liability to the degree that 
some have suggested, what would be the willingness of 
participants to participate as part of the IRB, knowing that if 
there was a breach of the responsibility of confidentiality of 
the IRB that they were personally liable?
    Ms. Frey. I can't speak for all IRBs but in ours we are a 
function of the institution so our IRB members are covered with 
liability insurance on the part of the institution.
    Mr. Burr. What would the institution's position be?
    Ms. Frey. That brings up who the owner of the data is. IRBs 
serve a vital function but they are not data custodians and 
they are not owners and they are still charged by the 
institutions that host the data.
    Mr. Burr. But the individuals who make up the IRB would be 
the people who determine whether it is appropriate to move 
forward?
    Mr. Waxman. Will the gentleman yield?
    Mr. Burr. I don't have any time, but I will be happy to 
yield.
    Mr. Waxman. All of these questions about the dangers of 
having an IRB go through and look at identifiable information 
about a patient, this is what is done now, and so much of the 
research----
    Mr. Burr. I didn't raise a question about IRBs going in as 
currently written. My question to Dr. Koski and Dr. Frey was if 
we increased--which some have suggested even today the exposure 
to liability by individuals who make decisions about whether 
privacy should be maintained--if that privacy were breached and 
individuals who make up the IRBs were liable individually or as 
a group, my question is: Would that affect the willingness of 
people to participate in IRBs?
    Ms. Frey. The obvious answer is yes. I would not propose, 
however, that that be the chain of liability. In fact, the very 
title of an institutional review board is just that. It is an 
institutional function. And in fact, there are cases where 
institutional review boards are found deficient because of 
institutional problems, not because of any deficiencies or lack 
of knowledge on the part of the members.
    I think it is important to keep in mind and distinguish 
data ownership and charge of responsibility with the people who 
actually carry out the charge. The reality is that in carrying 
out that charge, there is a very extensive process of 
documentation, the Federal code is very clear, and I don't 
think that any audit would point easily to an individual having 
made a mistake. It would be difficult, I will not say 
inconceivable.
    Mr. Bilirakis. The gentleman's time has expired.
    Mr. Waxman. I wanted to jump in on this, but I don't know 
how you want to proceed.
    Mr. Andrews. I would like to make a comment about IRB 
participation if that is okay.
    Mr. Bilirakis. Make your comment.
    Mr. Andrews. I think it is vital that we have people 
willing to serve on IRBs. IRBs serve an incredibly important 
function in this country. I think people would be more willing 
to serve on IRBs if there were adequate protections on the 
movement and processing of information within the institution. 
I think in the Greenwood bill there are internal processes and 
safeguards that are set up, which IRBs tend to rely on, and 
those safeguards are stronger than what exists now and those 
are Federal--they would be uniform and federally enforceable, 
and I think that would provide a level of safeguards higher 
than what we have now.
    Mr. Waxman. But that is only an accurate statement as to 
research that is not now touched by the common rule, because if 
it is research touched by the common rule, which means there is 
Federal nexus to that research, then there is a stricter 
requirement that if there is use of information that is 
identifiable to a particular patient, then either they have to 
get consent or go to an IRB to get the IRB to agree that 
consent is not going to be necessary for this public purpose.
    Since it is being done in so much research now, I have not 
heard why that is a problem if we applied it to research being 
done that is strictly private. The Greenwood bill has a 
provision for something akin to an IRB for that private 
research. You can say that it is better than what we have now 
because now there is nothing there; but it has deficiencies, as 
many of us see it, particularly since that internal review 
process could involve a conflict of interest with those people 
who are sitting on that IRB. Am I misreading that?
    Mr. Bilirakis. We don't want to go on indefinitely here. 
Maybe a pro-and-con response and then we will finish up.
    Mr. Andrews. Two quick points. You are correct, the studies 
are covered by the IRB regs, but what typically happens because 
data studies based on existing data are considered to have 
minimal risk, they are reviewed through the expedited review 
mechanism, which means that one member, generally an employee 
of the institution, does that review.
    The other comment is that most IRBs typically, according to 
the GAO report, rely on the policies that are in existence in 
the institution for the handling of archival medical records.
    Mr. Waxman. In other words, it has worked reasonably well?
    Mr. Andrews. We are suggesting----
    Mr. Waxman. Because they have these expedited procedures, 
why would you object to having this same procedure used for 
private research?
    Mr. Andrews. We are suggesting that it is not working 
terribly well. Not much of the observational research is going 
to IRBs. We feel that we can have greater safeguards which 
would encourage more research to be done if we had the 
safeguards with federally enforceable national standards that 
would be in place.
    Mr. Koski. I think, in fact, the answer is to be sure that 
research that is not currently going to IRBs does go to IRBs 
under a reasonable set of guidelines for review of this kind of 
information. In fact our own policies for confidentiality and 
privacy are far stricter than what is in the Greenwood bill. So 
if we subscribe to that, it would definitely undermine the 
protections we already have in place. It would be a mistake.
    Ms. Frey. I heard conflict of interest. Yes, an expedited 
review may be carried out by one member. Institutions generally 
have written policy concerning conflict of interest and in that 
case the review would necessarily go to someone without a 
conflict of interest.
    Mr. Waxman. Do you read the Greenwood bill as permitting a 
possible conflict of interest?
    Ms. Frey. I am not familiar with the exact language of the 
bill.
    Mr. Burr. I ask that the staff on both sides, majority and 
minority, as well as Mr. Greenwood, if they are meeting with 
Dr. Feldblum tonight, since she is a lawyer from a reputable 
school and also familiar with this situation, just ask about 
the liability issue; because one of the further concerns would 
be could, if the institution were liable, could it then 
influence the decision of the members of the IRB because of 
pressure from the institution?
    Mr. Waxman. An issue that I have not heard raised except by 
you today.
    Mr. Burr. I have been accused of raising things never 
raised before.
    Mr. Greenwood. Always on the cutting edge.
    I thank the chairman and the panel who stayed for 6 hours 
for this hearing, and to reiterate the commitment that I made 
in my opening remarks that this is important and we all share 
the same interest.
    Mr. Bilirakis. It is important and we can work together 
outside of politics.
    There are always written questions that the committee has 
of the panelists, and we would appreciate, obviously, quick 
responses to them because we don't have that much time. Thank 
you very much. It has been a good hearing and you have helped 
to make it so. The hearing is adjourned.
    [Whereupon, at 4 p.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]
   Prepared Statement of Hon. Christopher Shays, a Representative in 
                 Congress from the State of Connecticut
    Chairman Bilirakis, Ranking Member Brown and members of the 
Subcommittee:
    Thank you for the opportunity to provide you with my thoughts on 
medical records confidentiality as you consider H.R. 2470, the 
Bipartisan Medical Information Protection and Research Enhancement 
(MIPRE) Act, which was introduced by Representative Jim Greenwood to 
protect the security of patients' medical information.
    As an original cosponsor of H.R. 2470 and a sponsor of H.R. 2455, 
the Consumer Health and Research Technology (CHART) Protection Act, I 
firmly believe this Congress must enact comprehensive medical records 
privacy legislation.
    There is currently no comprehensive, uniform standard to protect 
the privacy of a patient's medical records and there have been several 
startling examples of the potential effects of this void over the past 
several years. For example, USA Today reported in 1996 that a public 
health worker in Tampa, Florida walked away with a computer disk 
containing the names of 4,000 people who tested positive for HIV. The 
disks were sent to two newspapers.
    In addition, The National Law Journal reported in 1994 that a 
banker who also served on his county's health board cross referenced 
customer accounts with patient information and subsequently called due 
the mortgages of anyone suffering from cancer.
    Under the Health Insurance Portability and Accountability Act 
(HIPAA), should Congress fail to enact comprehensive legislation to 
protect the confidentiality of medical records by August 21 of this 
year, the Secretary of Health and Human Services will be required to 
promulgate regulations.
    I believe our colleagues on both sides of the aisle have come to 
recognize the need for Congress to act before the Secretary steps in. I 
was encouraged by the inclusion of medical records confidentiality 
provisions in the Financial Services Act which the House recently 
passed. The provisions were an important first step toward recognizing 
the need for legislation to ensure the confidentiality of medical 
records but alone they are not sufficiently comprehensive to guarantee 
the privacy of individual patient records.
    In my opinion, the question is no longer ``Will Congress act before 
the August deadline?'' but ``How will Congress act before the August 
deadline?''
    While this hearing is focused on the consideration of the MIPRE 
Act, I wanted to take the opportunity to bring to the Committee's 
attention the CHART Protection Act, which I recently reintroduced, and 
highlight several important similarities and differences between the 
two pieces of legislation.
    The CHART Protection Act shares a number of important provisions 
with the MIPRE Act. Both bills allow patients to inspect, copy and 
where appropriate, amend their medical records.
    In addition, both bills impose strong criminal and civil penalties 
to deter abuse and increase incentives to use non-identifiable 
information.
    Finally, both CHART and MIPRE allow for the use of protected 
information for research purposes when reviewed by an Institutional 
Review Board or where the individual has provided specific 
authorization.
    Focusing on the differences between the two bills, I would like to 
briefly outline the unique approach the CHART Protection Act takes to 
ensure the confidentiality of medical records, and touch on how the 
legislation differs from the MIPRE Act in two crucial areas--
authorization for use of individually identifiable health information 
and preemption of state law.
    The MIPRE Act and other bills restrict the use of health 
information unless it is specifically authorized for disclosure. Rather 
than spelling out the individually identifiable information which can 
be disclosed, the CHART Protection Act sets forth the inappropriate 
uses of protected information and allows for disclosure of individually 
identifiable information unless it is specifically prohibited in the 
bill.
    Use of anonymous information will not be affected by the CHART 
Protection Act unless the information is intentionally decoded and used 
to identify an individual.
    The MIPRE Act creates a statutory authorization which permits the 
disclosure of protected information if it is permitted in statute. The 
bill sets out permissible uses of individually identifiable information 
and prohibits all other uses unless they are specifically authorized by 
an individual.
    In my opinion, a shortcoming of this approach is that it permits 
the disclosure of health information for a variety of activities 
without patient consent. In fact, there is nothing in the act requiring 
an authorization from the patient to use information if it falls within 
the statutory authorization.
    The approach taken in the CHART Protection Act gives patients more 
control over their medical records by requiring authorization for a 
majority of uses of individually identifiable information.
    The CHART Protection Act creates a consolidated authorization 
process for the use of individually identifiable information by 
providing the authorization up front, but allows individuals to revoke 
their permission for health research purposes at any time.
    The CHART Protection Act generally preempts state law except mental 
health and communicable disease protections enacted by states and 
localities, as well as public health laws such as birth and death 
reporting.
    In contrast, the MIPRE Act preempts state mental health and 
communicable disease laws, and may serve to weaken state laws which are 
more stringent than federal statute.
    Mr. Chairman, despite their differences, and despite my belief that 
the overall approach taken in the CHART Protection Act offers more 
stringent protections to consumers, the MIPRE Act represents a 
comprehensive approach to protecting the confidentiality of medical 
records while protecting legitimate uses of medical information.
    It is my hope that my colleagues will work toward passing a uniform 
and comprehensive confidentiality law which serves to balance the 
interests of patients, health care providers, data processors, law 
enforcement agencies and researchers.
    Thank you for the opportunity to submit my testimony.

