<html>
<title> - THE MEDICAL INFORMATION PROTECTION AND RESEARCH ENHANCEMENT ACT OF 1999</title>
<body><pre>[House Hearing, 106 Congress]
[From the U.S. Government Printing Office]


THE MEDICAL INFORMATION PROTECTION AND RESEARCH ENHANCEMENT ACT OF 1999

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                         HEALTH AND ENVIRONMENT

                                 of the

                         COMMITTEE ON COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 15, 1999

                               __________

                           Serial No. 106-53

                               __________

            Printed for the use of the Committee on Commerce

                    ------------------------------

                    U.S. GOVERNMENT PRINTING OFFICE
58-501 CC                   WASHINGTON : 1999


                         COMMITTEE ON COMMERCE

                     TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas                    RALPH M. HALL, Texas
FRED UPTON, Michigan                 RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania     BART GORDON, Tennessee
CHRISTOPHER COX, California          PETER DEUTSCH, Florida
NATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma              ANNA G. ESHOO, California
RICHARD BURR, North Carolina         RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California         BART STUPAK, Michigan
ED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York
GREG GANSKE, Iowa                    THOMAS C. SAWYER, Ohio
CHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma              GENE GREEN, Texas
RICK LAZIO, New York                 KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio
JAMES E. ROGAN, California           DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico           BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona             LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING,
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

                   James E. Derderian, Chief of Staff

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

                 Subcommittee on Health and Environment

                  MICHAEL BILIRAKIS, Florida, Chairman

FRED UPTON, Michigan                 SHERROD BROWN, Ohio
CLIFF STEARNS, Florida               HENRY A. WAXMAN, California
JAMES C. GREENWOOD, Pennsylvania     FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 PETER DEUTSCH, Florida
RICHARD BURR, North Carolina         BART STUPAK, Michigan
BRIAN P. BILBRAY, California         GENE GREEN, Texas
ED WHITFIELD, Kentucky               TED STRICKLAND, Ohio
GREG GANSKE, Iowa                    DIANA DeGETTE, Colorado
CHARLIE NORWOOD, Georgia             THOMAS M. BARRETT, Wisconsin
TOM A. COBURN, Oklahoma              LOIS CAPPS, California
  Vice Chairman                      RALPH M. HALL, Texas
RICK LAZIO, New York                 EDOLPHUS TOWNS, New York
BARBARA CUBIN, Wyoming               ANNA G. ESHOO, California
JOHN B. SHADEGG, Arizona             JOHN D. DINGELL, Michigan,
CHARLES W. ``CHIP'' PICKERING,         (Ex Officio)
Mississippi
ED BRYANT, Tennessee
TOM BLILEY, Virginia,
  (Ex Officio)


                            C O N T E N T S

                               __________

Testimony of:
    Andrews, Elizabeth B., Director of Worldwide Epidemiology,
      Glaxo Wellcome Inc.
    Appelbaum, Paul, Professor and Chair, Department of
      Psychiatry, University of Massachusetts Medical School, on
      behalf of the American Psychiatric Association
    Carty, Cristin, Vice President, California Health Institute
    Feldblum, Chai, Professor of Law and Director, Federal
      Legislation Clinic, Georgetown University Law Center
    Frey, Carolin M., Chairman, Institutional Research Review
      Board, Pennsylvania State Geisinger Health System
    Johnson, Randel K., Vice President, Labor and Employee
      Benefits, U.S. Chamber of Commerce
    Koski, Greg, Director, Human Research Affairs, Partner Health
      Care System, Massachusetts General Hospital
    Nielsen, John T., Senior Counsel and Director of Government
      Relations, Intermountain Health Care
    Pawlak, Linda, parent
    Tang, Paul C., Medical Director, Clinical Informatics, Palo
      Alto Medical Clinic
Material submitted for the record by:
    Shays, Hon. Christopher, a Representative in Congress from
      the State of Connecticut, prepared statement of


THE MEDICAL INFORMATION PROTECTION AND RESEARCH ENHANCEMENT ACT OF 1999

                              ----------


                        THURSDAY, JULY 15, 1999

                  House of Representatives,
                             Committee on Commerce,
                    Subcommittee on Health and Environment,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in
room 2322, Rayburn House Office Building, Hon. Michael
Bilirakis (chairman) presiding.
    Members present: Representatives Bilirakis, Upton,
Greenwood, Burr, Bilbray, Ganske, Norwood, Coburn, Cubin,
Bryant, Brown, Waxman, Stupak, Green, DeGette, Barrett, Capps,
Hall, and Eshoo.
    Also present: Representative Markey.
    Staff present: John Manthei, majority counsel; Marc Wheat,
majority counsel; Cliff Riccio, legislative clerk; and John
Ford, minority counsel.
    Mr. Bilirakis. The hearing will come to order. Good
morning.
    I would like to first thank all of our witnesses for
joining us today, and particularly Justin Pawlak and his mother
Linda. The purpose of this hearing is to explore the issues of
medical confidentiality.
    Today we will have an opportunity to examine H.R.
2470, which is the Medical Information Protection and Research
Enhancement Act of 1999.
    I would like to start by commending our colleague Jim
Greenwood for drafting this legislation and also to recognize
the efforts of Congressmen Upton, Shays, Norwood and Burr in
working with him to address this very complicated issue.
    As you know, the Health Insurance Portability and
Accountability Act of 1996 set a deadline for Congress to pass
legislation addressing the confidentiality of individual
identifiable health information. Unless Congress acts by August
21, the Secretary of Health and Human Services is directed to
issue regulations within 6 months to address the
confidentiality of administrative data stored or transmitted
electronically. Significantly, the Secretary's regulatory
authority is limited to establishing standards for information
that is transmitted and stored electronically, a more narrow
focus than the comprehensive approach taken in the bill before
us.
    While the modern health care delivery system is
increasingly electronic, as we well know, most patient health
information remains paper based. We all know that medical
records contain very personal and sensitive information.
Certainly this information must be safeguarded and any abuse of
it cannot be tolerated. However, we must also ensure that
increased protections do not inadvertently jeopardize the
quality of health care in this country. Any legislation must
take into account the highly integrated and complex nature of
our health care system.
    In our previous hearing, I emphasized the need to develop
responsible legislation to safeguard confidential medical
information and to impose tough penalties for abuse. We must
ensure strict accountability for the use of this information
while preserving the ability to conduct important medical
research.
    I believe that H.R.
2470 is a significant step forward in
accomplishing these goals and I hope that it serves as a
starting point for legislative action on a truly bipartisan
basis.
    Again, I would like to thank all of our witnesses for
taking time to be here. I would now recognize the ranking
member, Mr. Brown from Ohio.
    Mr. Brown. Thank you, Mr. Chairman, for holding this
hearing and I would like to thank the witnesses also for
joining us today.
    I am glad that we are taking up the issue of medical
records privacy. The statutory deadline is about 5 weeks away,
which means we have no time to spare. I am disappointed the
majority chose to focus on only one of the privacy bills. It is
my experience that it is unusual to limit a legislative hearing
to one bill when other initiatives have also been introduced:
H.R. 1941, the bill sponsored by Mr. Condit of California,
which had 57 cosponsors, and Mr. Markey of Massachusetts has a
bill, H.R. 1057, that has 41.
    These are other privacy bills that deserve the same
consideration that we are giving to H.R. 2470. The best way to
make progress is to compare H.R. 2470 to the bill of Mr.
Condit. The key differences between those two bills are the core
issues in the privacy debate:
    Should individuals have a private right of action when
their medical records have been exploited? H.R. 2470 does not
establish this right. Mr. Condit's bill does. Rights that can
be denied without remedy are not rights, they are only hopes.
    Should privately funded research be treated differently
from publicly funded research when it comes to protecting the
confidentiality of medical information? H.R. 2470 says yes; Mr.
Condit's bill says no.
    What would a participant in privately funded research say?
I am guessing that participant would assume and expect the same
level of protection regardless of who funds the research.
The goal is not to establish basic privacy protections for some
individuals, it is to establish them for all individuals.
    Should Federal privacy laws preempt stronger State laws?
H.R. 2470 says yes; our bill says no.
    States are typically the first to identify consumer issues,
and they are the innovators when it comes to addressing them.
Federal protection should function as the floor, not the
ceiling, for medical privacy protections.
    I look forward to hearing our witnesses with respect to
these issues and what I hope will be a productive and balanced
hearing.
    Mr. Bilirakis. Mr. Greenwood for an opening statement.
    Mr. Greenwood. Thank you, Mr. Chairman. The title of the
legislation that we are considering today is the Medical
Information Protection and Research Enhancement Act and it is
important to understand that those two goals are what we mean
to accomplish here. Obviously the personal security and the
well-being of every American will be profoundly improved if we
succeed in accomplishing these dual purposes.
    First on the privacy issue, our medical records contain
personal, sensitive, potentially humiliating information, which
if misused could cause discrimination in the workplace and
adversely affect one's ability to purchase insurance.
For that reason we create in this legislation the definition of the term
``protected health care information'' to make sure that it is
kept private and to make sure that there are remedies and
penalties for its misuse.
    Second, the second goal, every one of us and every American
in America, every one of our family members, will benefit from,
continue to benefit from the ability of researchers, assurers
of quality and others to use the awesome power of information
processing to study health outcomes and thereby discover new
and better treatment modalities and ways to deliver health care
as effectively and efficiently as possible.
    With the wrong public policy, these two admirable and
critical goals are competing adversaries. With the right public
policy, they are complementary colleagues. As has been
mentioned, we do confront on August 21 a deadline, the 1996
Kennedy-Kassebaum Health Insurance Portability and
Accountability Act sets that date, and if we do not accomplish
a legislative remedy, the Department will issue regulations. Of
course, that will be insufficient because it only applies to
electronic records, and most medical records are not electronic
but in fact still on paper.
    The policy incorporated in H.R. 2470 does the following: It
establishes the individual's right, which does not currently
exist at the Federal level, to inspect, copy and amend his or
her patient records. That is brand new. It enacts strong
uniform Federal standards which replace conflicting State laws
and impose strong civil and criminal penalties for the misuse
of these records, the remedies to which Mr.
Brown refers; requires law enforcement officials to demonstrate legitimate
need in order to obtain protected health information; and
protects patients involved in medical research trials when
ensuring information can be used to continue research
breakthroughs.
    The question has been raised and will be raised throughout
this hearing: Why State preemption? Why is it important for the
Federal Government and Congress to establish a unified
standard? The founders of our Constitution recognized the need
to protect interstate commerce.
    The logic of the commerce clause is plain sense. It made
sense to ensure that buggy whips and butter churns could be
transported across State lines without being subjected to the
micromanagement of 13 colonies. It certainly is plain that
medical data transmitted at the speed of light across 50 States
and the District of Columbia requires a uniform standard that
ensures both privacy and utility. I believe every member of
this committee shares the twin goals of protecting privacy and
enhancing research.
    H.R. 2470 is not the first bill drafted toward these ends
and it will not be the last, but I have every confidence that
if we reach across the aisle toward one another in good faith
and with a positive, constructive approach, we can produce a
final product that is worthy of us all, and I pledge to work
with all of my colleagues on both sides of this committee
toward that end.
    Two footnotes: I would like to draw attention to a drafting
oversight in the last draft, the inadvertent elimination of
workplace information protections, and I would like, Mr.
Chairman, to submit a letter indicating my desire to correct
that in the next draft.
    Mr. Bilirakis.
Without objection, so ordered.
    [The information referred to follows:]

                      Congress of the United States
                                   House of Representatives
                                                      July 14, 1999
Deborah V. Dibenedetto, MBA, RN, COHN-S, ABDA
President
American Association of Occupational Health Nurses, Inc.
2920 Brandywine Road
Atlanta, Georgia 30341-4146
    Dear Ms. Dibenedetto: When drafting H.R. 2470, the Medical
Information Protection and Research Enhancement Act, an oversight was
made that excluded protections for medical information used in the
workplace. Clearly this type of information is extremely sensitive and
can be used to discriminate not only against employees, but for
occupational health nurses and other providers who sometimes must weigh
the threat of losing their job against protecting the information of
their coworkers.
    As originally drafted, the bill ensured that the disclosure of the
protected employee health information within the entity is compatible
with the purpose for which the information was obtained and limited to
information necessary to accomplish the purpose of the disclosure. In
addition, the draft legislation also required the employer to prohibit
the release, transfer or communication of the protected health
information to officers, employees, or agents responsible for hiring,
promotion, and making work assignment decisions with respect to the
subject of the information. It was unfortunate these protections were
inadvertently removed in the final version of the bill. It is my
intention to do all in my ability to add these protections back in to
H.R. 2470.
    I look forward to working with you in the future on this critical
patient protection. Please do not hesitate to contact me should you
have additional questions or concerns.
            Sincerely,
                                                 James C. Greenwood

    Mr. Greenwood. And I would like to take the opportunity to
introduce to our panel Justin Pawlak. He is the young man in
the center of the table there. I have learned that Justin wants
to run for Congress someday. And, Justin, I will let you know
when it is your turn.
    Thank you, Mr. Chairman.
    Mr. Bilirakis. Thank you. Mr. Waxman for an opening
statement?
    Mr. Waxman. I will yield to Ms. Eshoo.
    Ms. Eshoo. Thank you, Mr. Waxman, and thank you, Mr.
Chairman, for holding this important hearing today.
    As I was walking into the Rayburn building this morning, I
thought that the last several hearings and/or markups that I
have been to have dealt with the issue of privacy, and here we
are again on the issue of privacy as it relates to medical
records.
    I would like to begin by recognizing my constituent, Dr.
Paul Tang of Palo Alto, California. Welcome. It is a pleasure
to see you here. I also want to welcome Cristin Carty who does
superb work with the California Health Care Institute. They
have taken their place in a prominent way in working with
members and providing a great deal of the research and
information that members need in order to make informed
decisions.
    With the advent of managed care, increasing numbers of
people are involved in health care treatment, payment and
oversight, giving them direct access to often very sensitive
medical information.
    Today we have to place our trust in entire networks of
insurers and health care providers. And I don't think that we
can any longer expect that information supplied to our doctors
will indeed remain confidential. The American people expect,
and I think they are entitled to confidential, fair and
respectful treatment of their private health information.
It is incumbent upon Congress to enact a strong uniform Federal
standard of protection for medical records privacy.
    Currently, of course, there is no Federal standard, and the
existing patchwork of State laws provide erratic protection at
best.
    Unfortunately, I don't think that my colleague Mr.
Greenwood's bill is the total answer. Rather than providing
privacy protections for medical records, the bill in fact, I
think, steps back from the issue of medical privacy. The bill
would allow insurers to use our private health information
without consent for anything that can be called, ``health care
operations.'' It is a very, very broad term that is not defined
in the bill. The bill is written in such broad terms that
virtually anything the health plan writes into its contracts
could be considered a health care operation.
    For example, a health plan could include a contract clause
that says health information will be used for marketing
purposes. Or information can be used for insurance
underwriting, allowing one to be rated as a bad risk and
harming their ability to get insurance in the future. It is a
very, very sensitive area for the American people.
    Another major problem, as I see it, with the bill is the
lack of enforcement. Providing for a right of action would give
every American the basic right to seek redress for violations
of their private medical records and yet the bill is silent. It
is often said that silence is deafening. The bill is silent on
this issue.
    I would ask what good is a right if it can't be enforced? I
think we should all think about that instead of scurrying to
ideological corners. Just apply it to oneself. What good is it
to have a right unless there is an ability to enforce it?
    I too want to ensure that research is not hampered.
I see firsthand, day in and day out in my very distinguished
congressional district, the enormous good and the impact of
that good the research does day in and day out. But I think we
need to be sure that any legislation enacted doesn't erect any
unnecessary barriers that would slow and impede medical
research, and I think we can do both. I don't think that we
have to do one at the cost of the other. But I don't think that
we can risk the privacy of every American to keep their most
personal medical records private.
    Again, I think we need to establish a strong Federal
standard to protect against unauthorized uses of our private
health information while remaining mindful of the effect our
laws will have on medical research and the lives it can and
does save every day.
    Thank you, Mr. Chairman, for your leadership in this
subcommittee. I think we have a ways to go in terms of
hammering out something if in fact we are going to do that
before the laws on the book would allow the Secretary to do so.
    I look forward to working with you and other members of our
committee to produce something not only for the full committee,
but the full Congress that we can really be proud of. Thank you
very much.
    Mr. Bilirakis. I thank the gentlelady. And we will, if we
are willing to work together.
    Mr. Upton for an opening statement.
    Mr. Upton. I have a statement for the record. I would just
like to add that I have very strong support for this, and
allowing Jim Greenwood to lead this charge in a bipartisan way
was terrific. He has been a good leader.
    [The prepared statement of Hon. Fred Upton follows:]
  Prepared Statement of Hon. Fred Upton, a Representative in Congress
                       from the State of Michigan
    Mr. Chairman, thank you for holding today's hearing on the Medical
Information Protection and Research Enhancement Act.
I also want to commend our colleague, Jim Greenwood, has shown in developing
the comprehensive, thoughtful bill we will be discussing this morning. I am
pleased to be a cosponsor of this legislation.
    I am sure that developing this legislation was no easy undertaking.
It must reflect a delicate balance between the need to ensure the
privacy of individuals' medical information and the need that arises to
use personally identifiable health information in biomedical research,
to evaluate the safety and effectiveness of treatments and coordinate
the delivery of health care, and for other legitimate purposes.
    I am looking forward to hearing from our witnesses today about their
perspective on achieving this balance.

    Mr. Bilirakis. Mr. Waxman.
    Mr. Waxman. Thank you. I am pleased that we are meeting
today to discuss medical records legislation. Ensuring medical
privacy in our multifaceted health care system is a vital
patient protection. That is why I join together with
Representative Gary Condit, Ed Markey, John Dingell, Sherrod
Brown and others who have introduced consensus legislation that
addresses the complex issues related to medical privacy in a
commonsense manner.
    Strong Federal privacy protections for medical records are
critical to ensuring that our health care system operates
effectively. Currently, only a patchwork of State laws address
medical privacy matters and many of these provide minimal
protections. As a result, individuals are withholding
information from their health care providers, even avoiding
care for fear of privacy violations.
    Unfortunately, the majority's proposal, H.R. 2470, would
only exacerbate individuals' concerns. Among other provisions,
H.R.
2470 would allow health insurers to use an individual's
information for insurance underwriting and marketing without an
individual's consent, and for health research without an
individual's consent or any review of the research. It would
override carefully crafted State laws which protect the privacy
of sensitive information such as dental health records, genetic
information and HIV test results and it would block States'
ability to address such issues in the future.
    I think it is important to have increased uniformity by
enacting a strong Federal standard, but it is ironic to hear
the Republicans deny the States' ability to act beyond that.
Congress, I think, acted on this issue over 30 years ago. We
may not act on it again for another 30 years. In the meantime
the States ought to be able to respond to matters that come up
that are unforeseen. Who would have thought about the AIDS
epidemic even 15 or 20 years ago?
    I believe the Congress can and should enact legislation
that provides the appropriate balance between ensuring privacy
protections for individuals' health records, allowing
appropriate access to health information for public interest
purposes, and ensuring that the States have the flexibility to
address specific privacy concerns.
    The Condit-Waxman-Markey-Dingell-Brown bill achieves this
balance. Unfortunately, H.R. 2470 does not. I hope Congress
moves forward on meaningful medical privacy legislation. As
many here today know, the Health Insurance Portability and
Accountability Act of 1996, known as HIPAA, set an August 21,
1999 deadline for passage of such legislation. It is unclear
whether we are going to meet that deadline because none of the
relevant committees in the House or Senate have reported out
legislation.
    Under HIPAA, if Congress fails to meet this deadline, the
Secretary of HHS must promulgate regulations to protect medical
privacy.
The Secretary has issued recommendations that likely
would be the basis of such regulations. These recommendations
provide for strong privacy protections in many areas. Given the
pressing need for Federal privacy protections, the Secretary
should move forward with these regulations if Congress does not
meet its deadline.
    The worst case scenario would be for Congress to enact weak
medical privacy legislation or for Congress to both push the
deadline back for passage of legislation and prevent the
Secretary from moving forward. This would leave millions of
individuals with minimal assurances of medical privacy
protections. There is no good policy reason for taking either
approach.
    I will continue to press forward with H.R. 1941 and I look
forward to discussing this and other bills with today's
witnesses. And of course, Mr. Chairman, even though this
hearing is unfortunately being held only on the Republican
bill, I hope this subcommittee will work in a bipartisan
fashion, if that is possible, to try to work out a consensus. I
never thought that medical privacy was a partisan issue. It
should not be. It is a matter that we should be working on
together to find a place where we can accomplish the goals that
I think all of us share. Thank you very much.
    Mr. Bilirakis. I thank the gentleman. Mr. Norwood.
    Mr. Norwood. Thank you very much and thank you for having
this hearing. I would like to thank Congressman Greenwood for
his hard work. For the panelists who have come a long way, we
are grateful. We appreciate your help today.
    But, Justin, we especially need your help. Anything you can
do will be greatly appreciated by us all. Protection of private
medical information obviously is a very important issue, and I
believe this bill will bring us significantly closer to
resolving the issue before the statutory deadline.
We all know that if we do not meet our August deadline, the Secretary of
HHS will take the job out of our hands and impose regulations
that we have no control over. We are all aware of the potential
dangers of allowing this to occur. The administration says that
it wants to protect patients' rights to privacy. However, the
administration has also considered a proposal to assign to each
citizen a unique health identification number to track each
person's medical information electronically. We should be very
mindful of the consequences of Congress defaulting this
responsibility to the Secretary.
    One of the issues that I believe the Greenwood bill deals
with well is that of State law. If someone lives and works in
Washington, DC, goes to the doctor in Arlington, picks up their
prescription in Bethesda, what are the consequences of having
three different sets of rules governing that one doctor's
visit? Considering the interstate nature of medical records and
the fact that 50 percent of Americans live on the border of
their State, this issue should be considered within the context
of interstate commerce.
    This is why I strongly support the preemption clause in the
bill. That is why I am a strong believer in allowing State laws
to govern the practice of medicine. I believe that a uniform
standard is one more appropriate to govern the movement of
medical information. Opponents of this bill are going to have
problems with the fact that private cause of action for misuse
of records has been left out of the bill. They may try to use
this as an excuse to stall the bill. I am not saying whether I
would vote for or against an amendment to include a Federal
cause of action, but I do know that we have here the perfect
chance for us to discuss the way we deal with penalties.
    We must also keep in mind that the bill does have a
provision allowing criminal prosecution.
I wondered and have wondered sometimes if that might not have
been a better route for managed care reform. Frankly, Mr.
Chairman, the complexities of this issue, especially compounded
with our time restraint, make managed care reform look like
child's play. I feel that this bill is a viable solution to this
issue and should be given everyone's serious and open-minded
consideration.
    I look forward to working with you, Mr. Chairman, and Mr.
Greenwood and hope that we will get this done and save the
Secretary a lot of effort. Thank you very much.
    [The prepared statement of Hon. Charlie Norwood follows:]
    Prepared Statement of Hon. Charlie Norwood, a Representative in
                   Congress from the State of Georgia
    I'd like to begin by thanking the Chairman for holding this
hearing. Protection of private medical information is an important
issue, and I believe that this bill will bring us significantly closer
to resolving the issue before the statutory deadline.
    We all know that if we do not meet our August deadline, the
Secretary of HHS will take the job out of our hands and impose
regulations that we have no control over. We are all aware of the
potential dangers of allowing this to occur. The administration says
that it wants to protect patients' rights to privacy; however, the
administration has also considered a proposal to assign each U.S.
citizen a unique health identification number to tag and track each
person's medical information electronically. We should be very mindful
of the consequences of Congress defaulting this responsibility to the
Secretary.
    One of the issues that I believe the Greenwood bill deals with well
is that of state law. If someone lives and works in Washington, DC,
goes to a doctor in Arlington, and picks up a prescription in Bethesda,
what are the consequences of having three different sets of rules
governing that one doctor visit?
Considering the interstate nature of \nmedical records, and the fact that fifty percent of Americans live on \nthe border of their state, this issue should be considered within the \ncontext of interstate commerce. This is why I strongly support the \npreemption clause in the bill. While I am a strong believer in allowing \nstate laws to govern the practice of medicine, I believe that a uniform \nstandard is more appropriate to govern the movement of medical \ninformation.\n    Opponents of this bill are going to have problems with the fact \nthat private cause of action for misuse of records has been left out of \nthe bill. They may even try to use this as an excuse to stall the bill. \nI\'m not saying whether I would vote for or against an amendment to \ninclude a federal cause of action, but I do know that what we have here \nis the perfect chance for us to discuss the way we deal with penalties. \nWe must also keep in mind that the bill does have a provision allowing \ncriminal prosecution. I wonder sometimes if that might not have been a \nbetter route for managed care reform.\n    Frankly, Mr. Chairman, the complexities of this issue, especially \ncompounded with our time constraint, make managed care reform seem like \nchild\'s play. I feel that this bill is a very viable solution to this \nissue and should be given everyone\'s serious and open minded \nconsideration.\n    I look forward to the witnesses\' testimony and yield back the \nbalance of my time.\n\n    Mr. Bilirakis. I thank the gentleman. Ms. Capps.\n    Ms. Capps. Good morning. I want to thank the chairman for \nholding this important hearing and welcome our distinguished \nwitnesses here today.\n    I also want to mention Cristin Carty because I have worked \nclosely with her. She has been very helpful on a variety of \nhealth-related issues.\n    Medical privacy is a difficult and complex issue. On the \none hand it is so imperative that we prevent the misuse of \npatients\' medical data. 
I believe strongly that we need to \nestablish a national policy that safeguards an individual\'s \nright to privacy with respect to personally identifiable health \ninformation. The misuse of health information can harm patients \nand families. Unauthorized use of our health plans, genetic \ninformation or our family history, can make it difficult, if \nnot impossible, for many Americans to obtain health insurance. \nPatients need to be encouraged, have the right to be encouraged \nto share with their doctors, nurses or therapists all of their \nhealth information. No diagnosis or treatment is complete \nwithout it. But if patients can\'t be sure that this sensitive \nand personal information will be kept confidential, they will \nnot be forthcoming. That will hurt patient care. And it will \nstifle research efforts. Privacy must never take a back seat to \nprofits.\n    I am supportive and mindful of the needs of the research \ncommunity as well. The University of California at Santa \nBarbara, for example, is an academic center in my district, and \nI want very much to encourage their research efforts there and \nnot to impede their work. I have a personal interest in this \ntopic. I have a daughter who is involved in a clinical trial at \nStanford, and her life may hang in the balance of that \nresearch.\n    The Medical Information Protection and Research Enhancement \nAct of 1999 was introduced just this week. It is a complex bill \nand I am still evaluating it, but I do have some initial \nconcerns. It appears that the bill does not provide individuals \nthe basic right to seek redress for privacy violations, as it \ndoes not provide for a private right of action. 
It also appears \nto contain inadequate provisions regarding an individual\'s \nright to notice of a health plan\'s confidentiality practices \nrequiring that a health plan need only post such a notice \ninstead of ensuring that each individual receive a copy.\n    I look forward to discussing these issues at this hearing. \nAs we navigate this complex medical privacy issue, I know we \nmust be very careful to protect patients. We in Congress must \nmake every effort to maintain the public trust, but we should \nalso encourage research. This is often a difficult balance to \nstrike. But I do believe that it is the duty of this \nsubcommittee to reach that balance. I yield back the balance of \nmy time.\n    Mr. Bilirakis. I thank the gentlelady. Mr. Bryant.\n    Mr. Bryant. Thank you, Mr. Chairman. Before I yield back \nthe balance of my time, I want to thank you for holding this \nhearing and Mr. Greenwood for his hard work on this bill and I \nwant to thank the distinguished panelists here today. Thank \nyou, Mr. Chairman.\n    Mr. Bilirakis. Thank you. Ms. DeGette.\n    Ms. DeGette. Thank you, Mr. Chairman. I am grateful that \nyou held this hearing today on what has developed into a \ncritical issue. I want to thank Mr. Greenwood also for \nintroducing this legislation and for his hard work in getting \nthis discussion started and also those on my side of the aisle \nfor their many years of work on medical privacy.\n    I think that without strong medical privacy protections, \nthe privacy of health care consumers and the integrity of \nmedical research are at risk. Medical privacy, as has been so \naptly noted by my colleagues, is an intricate matter and the \ndevil is in the details.\n    Consumers should not have to worry that their private \nmedical records will be exploited in marketing schemes or used \nto deny insurance applications if they have not signed the \nnecessary documents. 
We have a good opportunity to make these \nprotections more clear so consumers do not face discrimination \nor inappropriate invasions of their privacy, and so they are \nnot left questioning what do I sign, who is looking at my file, \nwhat was I not told, and what should I be doing.\n    This is a very delicate balance, as we all know: strong \nconsumer protections that reassure the public that its privacy \nwill not be invaded, and also tempered regulated access to \nmedical records so that researchers and law enforcement \nofficials can do their jobs.\n    I am particularly concerned that any medical privacy \nlegislation will establish provisions that ensure the integrity \nof medical research. While some have said that research needs \nand privacy concerns cannot be merged, I think that in \nactuality the two needs are really not that far apart. If we \nfail to reassure the public that medical records will be used \nprudently and that the privacy of individuals will be \npreserved, then the public will refuse to open the records to \nresearchers. While there is much to consider in evaluating the \nimplications medical privacy protections have on research, I am \nparticularly troubled that some have criticized proposals that \nrequire an institutional review board or similar entity to \nreview and approve research utilizing medical records. Such \nentities can ensure that the potential good of the research \noutweighs any privacy concerns and that strong privacy \nprotections are in place by preserving the confidentiality of \nthe data that is collected. IRBs and other like entities are \nused in almost every research setting. In fact, many \norganizations that privately fund research insist on an IRB to \nsafeguard the reliability of the research.\n    I think that it is naive to believe that requiring such a \ncheck would negatively affect anything other than the marketing \nplan for the researcher\'s resulting product. 
And I am puzzled \nthat some are anxious to differentiate between privately and \npublicly funded research for IRBs and other privacy protection \nrequirements. It seems to me that if one were to have stronger \nprivacy protections than the other, patients would be reluctant \nto participate in research that could inappropriately disclose \nprivate information. But once again, as has been noted in this \nhearing and by me, the devil is in the details, and I don\'t \nthink that the burden should be placed on the American public \nto determine what the source of the funding is for the research \nand therefore what the implications for the funding source \nholds on their privacy of their records.\n    So, therefore, I look forward to hearing what our panelists \nhave to say about medical privacy proposals on research needs, \nand how this is going to impact patients.\n    With that, Mr. Chairman, I yield back the balance of my \ntime.\n    Mr. Bilirakis. Thank you. Dr. Ganske.\n    Mr. Ganske. Thank you, Mr. Chairman. Well, if there is a \ntough problem to figure out what to do in the right way on \nCapitol Hill, the hardest one that I have seen since I have \nbeen in Congress is the issue of the right balance and walking \nthe right line on medical privacy.\n    I looked at this issue a lot when I was drafting my patient \nprotection legislation and decided it was such a complex issue \nthat I could not include a substantive provision in that bill \nor I would have something that was 200 pages long.\n    And then, of course, we got into the debate on H.R. 10, and \nI see my good friend and colleague from Massachusetts waiting \nto say a few words, so I want to say a few words about the \nmedical privacy issue on H.R. 
10 because there is some \nreference to that in the testimony today.\n    It is very interesting, I am somewhat amused that there are \nthose who think that the exceptions in order for an insurance \ncompany to do its business were too broad, and yet at the same \ntime the chairman of the full committee is now getting letters \nfrom the insurance industry, saying if the exceptions are \nconstrued narrowly so as to exclude from the reach of the \nexception many aspects of the insurance business, the problems \nwill be magnified since the opt-out provisions will apply to \ntransfers integral to the business of insurance.\n    So on the one hand, those who are looking for a very \ncomprehensive bill, which I thought was beyond the reach of \nwhat we are dealing with, a financial service entity, \ninsurance, banking and securities, want to go--be much more \nstrict in the exceptions, the insurance industry or at least \nsome in the industry think that those exceptions were too \nstrict. I don\'t know, Mr. Chairman. Maybe that is demonstrating \nthat they were somewhere in the right range. I have, Mr. \nChairman, a Dear Colleague that I would like unanimous consent \nto enter into the record and also to distribute to members of \nthe committee.\n    Mr. Bilirakis. Without objection, so ordered.\n    [The information referred to follows:]\n\n                      Congress of the United States\n                                   House of Representatives\n                                                      July 12, 1999\n    Dear Colleague: The medical privacy provision in H.R. 10 restricts \ndisclosures of customer health and medical information by insurers.\n    Some concerns have been raised about the exceptions to the opt-in \npolicy. 
I would like to take this opportunity to define some of the \nterms found in the exceptions and dispel the misinformation that is \nbeing circulated regarding these provisions.\n    Under current law, an insurance company obtains medical record \ninformation only with an individual\'s authorization. The medical \nprivacy provision in H.R. 10 relates to how an insurance company shares \nthe data after it has acquired it. The provision states that insurers \ncan only disclose this information with an individual\'s consent except \nfor limited, legitimate business purposes. These provisions would apply \nto all insurers who are currently engaged in the insurance business, \nand who have millions of contracts in force right now. Without these \nexceptions, these insurers would no longer be able to serve their \ncustomers.\n    The exceptions include ordinary functions that insurance companies \nare already doing in their day-to-day business. Such operations \ninclude:\n    Underwriting: Insurers use health information to underwrite. The \nprice someone pays for insurance is based in part on an individual\'s \nstate of health. Insurers gather medical information about applicants \nduring the application and underwriting process. Underwriting is \nfundamental to the business of insurance. During the underwriting \nprocess, an insurer may use third parties, such as labs and health care \nproviders to gather health information and/or to analyze health \ninformation. The insurer may also use third parties to perform all or \npart of the underwriting process and must disclose information to these \nthird parties, such as doctors or third party administrators, so that \nthey can enter into the contract in the first place.\n    Reinsuring Policies: Insurance companies sometimes assume a \n``risk\'\' and then further spread the risk by ``reinsuring\'\' a policy. 
\nWhile often a ``reinsurance\'\' arrangement is made at the initiation of \na contract, there are also times when reinsurance occurs after the \npolicy is issued. The reinsurer needs access to the first insurer\'s \nunderwriting practices as part of its due diligence. Without this \nlanguage, the wheels of the reinsurance industry could literally grind \nto a halt.\n    Account Administration, Processing Premium Payments, and Processing \nInsurance Claims: In order to pay a claim for benefits, the insurer has \nto process the claim. This is a basic business function. These \nactivities are the very reasons an individual signs up for a policy in \nthe first place. Companies may use third party billing agencies and \nadministrators to process this information. A company that doesn\'t \ntoday, may tomorrow; and we need to ensure that they can, so that \nconsumers can be served.\n    Reporting, Investigating or Preventing Fraud or Material \nMisrepresentation: There are certainly times when individuals may not \nwant to disclose all of their health information for valid reasons. \nHowever, there are those that may try to hide health information \nrelevant to whether a policy would be issued or what would be charged \nfor that policy. For example, nonsmokers usually pay less for insurance \nthan smokers. On the other hand, if you have a chronic illness your \npremium may be higher. If an individual is engaged in fraud or material \nmisrepresentation, it is highly unlikely that they would give their \nconsent so that the insurer could disclose this information, for \nexample, to its law firm to undertake an investigation of the matter or \nto the insurance commissioner or other appropriate authorities.\n    Risk Control: Credit card companies and other financial \ninstitutions involved in billing, conduct internal audits to ensure the \nintegrity of the billing system. 
During this process, the company \nverifies that merchants, credit card holders and transactions are \nlegitimate. These audits are done on random samples in which \ntransactions dealing with medical services are not segregated or \ntreated differently from other types of transactions. However, if this \nexception were not included, the company would be prevented from \nverifying the validity of transactions dealing with medical services. \nThis would open the door for much fraud and abuse or the inability for \nconsumers to write checks or use credit cards to pay for medical co-\npayments.\n    Research: Insurers do research for many purposes. For example, life \ninsurers will do research related to health status and mortality to \nhelp them more accurately underwrite and classify risk. This provision \nis needed so that insurers can continue to do research.\n    Information to the Customer\'s Physician: This exception is \nnecessary to allow insurers to release information to an individual\'s \nphysician. For example, during the underwriting process, an insurer may \nconduct blood tests on an applicant. If the blood tests indicate that \nthere may be something wrong, the insurer needs to be able to share the \ninformation with the individual\'s designated physician or health care \nprovider so that they, together, can determine the best course of \ntreatment.\n    Enabling the Purchase, Transfer, Merger or Sale of Any Insurance \nRelated Business: No one has a crystal ball. A company does not know in \nadvance when they will engage in these activities. It would be \nimpractical if not impossible to obtain the tens of thousands of \nauthorization forms signed and returned to the company so that a \ncompany could purchase, transfer, merge or sell an insurance related \nbusiness. Without this language, companies will not be able to serve \ntheir customers by forging new business frontiers. 
Since the privacy \nprovision covers all insurance companies, the purchasing company will \nhave to abide by the same restrictions as the original company.\n    Or as Otherwise Required or Specifically Permitted by Federal or \nState Law: There are some states that require or specifically permit \nthe disclosure of medical information by insurance companies. For \nexample, a company may have to disclose health information to a state \ninsurance commissioner so that the commissioner can determine if the \ncompany is complying with state law banning unfair trade practices. A \ncompany may have information that would help the police in an \ninvestigation where they suspect an individual has murdered someone in \norder to collect life insurance benefits. This language is necessary \nfor these and other important public interests.\n    I hope that this brief explanation of the exceptions to the strong \n``opt-in\'\' provisions of the medical privacy provisions of H.R. 10 \nclears up some misperceptions. During floor debate, I said I would work \nto include explicit language stating that this provision does not \nprohibit the secretary of HHS from issuing regulations on medical \nprivacy as specified by HIPAA.\n    Furthermore, I hope consensus can be achieved on a comprehensive \nmedical privacy bill. However, I remain convinced that as new financial \nservices entities that combine banking, securities and insurance are \ncreated by H.R. 10, it is important that personal health data can be \nshared inside, or outside, the company only with the patient\'s \npermission. That is what the Ganske Amendment did.\n    If you need additional information, please contact Heather Ellers \nat 5-4426.\n            Sincerely,\n                                                Greg Ganske\n                                                 Member of Congress\n\n    Mr. Ganske. And this describes some of the specifics of the \nexceptions in H.R. 10 and what exactly they mean.\n    Mr. 
Chairman, I want to deal specifically with some of the \ntestimony today as it relates to my amendment in H.R. 10. There \nis a statement that says law enforcement entities would enjoy \nvirtually unfettered access to medical records and insurance \ncompanies could review individual records in performing \nmarketing studies. The Ganske amendment in H.R. 10 allows \ninsurance commissioners to enforce the privacy provisions. I \ndon\'t think that they are going to allow law enforcement \nentities unfettered access to medical records. And in regard to \nthe marketing studies, nowhere in the amendment in H.R. 10 is \nmarketing even mentioned.\n    Then there is a statement, Why should life insurers be able \nto routinely access patients\' entire medical records without \npatient consent or knowledge?\n    I would point out that my provision in H.R. 10 is an \nacross-the-board opt-in so that within that financial services \nor outside of the financial services, in order for that \ninsurance company to share that information, they have to get \nan okay from the patient. And I would also point out when a \nlife insurer processes an application for life insurance, many \nhealth-related factors are taken into consideration in order to \ndetermine the risk evaluation of the individual in order to \ndetermine what the appropriate premium should be. That is what \ninsurance underwriting is.\n    Then there is a statement, ``No limitations on subsequent \ndisclosures of medical records to nonaffiliated entities.\'\' I \nwould point out that we were dealing with H.R. 10 which was \ndealing specifically with these financial entities. If we had \ntried to extend that to nonaffiliated entities, it would have \nbeen ruled nongermane for H.R. 
10.\n    Then there is a statement, ``nor does the legislation \nencourage the use of de-identified medical records.\'\' The reason \nthat wasn\'t in my amendment is that insurance companies have \nbeen able to use that information to track specific individuals \nfor underwriting purposes. And I think that is an issue that is \nappropriate for this debate.\n    Mr. Bilirakis. If I may interrupt the gentleman, we have a \nvote on the floor and we have at least another opening \nstatement, and I would like to get through opening statements \nbefore we break.\n    Mr. Ganske. Finally, the amendment will not insure that \npatients will receive notice of confidentiality and disclosure \npractices of the insurance companies. That claim is correct. \nThe amendment does not include disclosure requirements because \nthe provision included in title V of the bill requires a \nfinancial entity to disclose all privacy policies. That is \nwhere we fit that amendment in.\n    So I would hope that the members of this committee, as we \ndeal with a larger comprehensive medical privacy bill will not \nreflexively think that we should not have something in that \nfinancial services bill related to it, something reasonable \nlike I think my amendment was. Remember, I promised on the \nfloor that I would in conference try to get in specific \nlanguage that said nothing in H.R. 10 would preclude the \nSecretary from going ahead and issuing her regulations if \nCongress cannot come up with a comprehensive bill.\n    I yield back the balance of my time.\n    Mr. Bilirakis. I thank you. I would like to finish up the \nopening statements before we run over for a vote. I yield now \nto Mr. Markey who is not a member of the subcommittee, but who \nis very much involved in this issue.\n    Mr. Markey. Thank you, and I thank you for your continuing \nindulgence for allowing me to attend these sessions. 
I have a \ngreat interest in privacy issues as we see each profession \nintersect with the on-line revolution, and it is clear that we \nhave to deal with it as a subject.\n    I would ask you to picture where your medical records are \nright at this moment. You probably would imagine a file that \nlooks something like this, containing the documentation of your \nmost personal and intimate details of your life: your health \nhistory. You probably imagine this file in your doctor\'s office \nor at your local hospital, locked away in a filing cabinet, the \nkeys of it dangling around the neck of a trustworthy nurse who \nlooks like your mother or your grandmother, the guardian of \nyour medical records. That nurse looks like that first nurse \nyou went to when you were 3. If this is the image you are \npicturing, let it go, for the reality of today\'s information \nage speaks of a very different tomorrow.\n    Today many medical records are no longer confined to the \nphysical barricade of a steel filing cabinet. More and more, we \nare depending on technology to provide the security once \nprovided by lock and key and the motherly town nurse. As we \napproach the 21st century, we are moving toward an information-\nbased economy where we are losing control of the ability to \nensure that there is, in fact, a lock on who has access to the \nmost personal information regarding our lives. So we need to be \nthoughtful in our approach to privacy. By being most attentive \nto the needs of commerce, we destroy the ability to control who \nwe will be in the new millennium. What we are looking for is \ncommerce with a conscience.\n    Last week we passed the financial modernization bill, H.R. \n10, after a great deal of debate which centered around access \nto financial information and who ultimately controls where that \npersonal information will go. 
While we made very limited \nprogress in providing privacy protections to financial \ninformation, we took steps backwards in providing privacy \nprotections to medical information.\n    Today we are conducting a legislative hearing on the \nmedical confidentiality bill, H.R. 2470, introduced on Monday \nby Mr. Greenwood along with six cosponsors, and I am very \npleased that we have a hearing on that subject. But I think it \nis also noteworthy that this committee has also produced \nanother bill that Mr. Condit, Mr. Waxman and Mr. Dingell, and \nMr. Towns, Mr. Brown and I and 57 other cosponsors have \nintroduced on the very same subject. And I think it would be \nvery helpful if that subject was also before the committee as \nwell.\n    There is a good reason why consumer groups have cosponsored \nthe bill that I just referred to. And that is that the bill \nthat is under consideration today has the support of industry, \nbut only industry. And there is a good reason. It requires no \nconsent or even an acknowledgment from the patient of her \nprivacy rights. Simply by seeking treatment or signing onto a \nhealth plan, you are unknowingly agreeing to disclose health \ninformation for an open-ended list termed health care----\n    Mr. Bilirakis. Mr. Markey, would you please summarize. You \nare entertaining us, but please summarize.\n    Mr. Markey. Well, the point that I would make in summary, \nMr. Chairman, is that a wide-ranging debate would include a \nfull discussion of other legislation which is also now before \nthe Congress, although not before this panel at this time, and \nI would hope that we would be able to discharge that. And a \nhorse is a horse of course, of course. And I thank you, Mr. \nChairman, for allowing me to testify at this time.\n    [The prepared statement of Hon. Edward J. Markey follows:]\n   Prepared Statement of Hon. Edward J. Markey, a Representative in \n                Congress from the State of Massachusetts\n    Mr. 
Chairman, thank you for calling this morning\'s hearing on The \nMedical Information Protection and Research Enhancement Act. I would \nalso like to thank you and Mr. Brown for your continued indulgence in \npermitting me to sit in on these sessions, because, as you know, the \nissues of privacy protections in general, and medical records privacy \nin particular are very important to me.\n    If I were to ask you to picture where your medical records are \nright at this moment, you probably would imagine a file that looks \nsomewhat like this containing the documentation of your health history \nwhich includes some of the most personal and intimate details of your \nlife. You probably imagine this file in your doctor\'s office or your \nlocal hospital locked away in a filing cabinet, the keys to it dangling \naround the neck of a trustworthy nurse who looks like your mother or \ngrandmother, the guardian of your medical records. If this is the image \nyou are picturing--LET IT GO--for the reality of today\'s information \nage speaks to a very different tomorrow. Today, many medical records \nare no longer confined to the physical barricade of a steel filing \ncabinet. More and more we are depending on technology to provide the \nsecurity once provided by lock and key and the motherly town nurse.\n    As we approach the 21st century, we are moving toward an \ninformation based economy where we are losing the ability to control \nwho has access to the most personal information regarding our lives. We \nneed to be thoughtful in our approach to privacy. By being most \nattentive to the needs of commerce we destroy the ability to control \nwho we will be in the new millennium. What we are looking for is \ncommerce with a conscience. Last week we passed the Financial \nModernization Bill, H.R. 10--a great deal of the debate centered around \naccess to personal information and who ultimately controls where that \npersonal information will go. 
While we made very limited progress in \nproviding privacy protections to financial information, we took steps \nbackward in providing privacy protections to medical information.\n    Today, we are holding a legislative hearing on the medical \nconfidentiality bill H.R. 2470 introduced late Monday night by Mr. \nGreenwood along with 6 cosponsors--I am pleased to have the opportunity \nto debate the issue of medical privacy but I\'m at a loss as to why we \nare only considering a Republican proposal with 6 cosponsors when two \nother bills--both introduced by members of this Committee--are not \nbeing considered. In March I introduced H.R. 1057 which has the support \nof 41 cosponsors and in May I joined Mr. Condit, Mr. Waxman, Mr. \nDingell, Mr. Brown and Mr. Towns in introducing a consensus bill H.R. \n1941 which is now up to 57 cosponsors. Both of these bills are endorsed \nby a variety of patient, provider and consumer groups while Mr. \nGreenwood\'s bill has the endorsement of industry and industry alone.\n    There is a good reason why those most concerned with patient \nprivacy do not support the Greenwood bill. It requires no consent or \neven an acknowledgment from the patient of her privacy rights. Simply \nby seeking treatment or signing on to a health plan, you unknowingly \nagree to disclose personal health information for an open-ended list of \nitems termed ``health care operations\'\'. This bill provides no real \nprivacy protections for subjects of private research projects and \npreempts stronger medical privacy protections in state law. Finally, \nthis bill provides no private right of action for patients to seek \ndamages for violations of breaches of confidentiality.\n    I am pleased to be here today to discuss this important issue but \nI\'m disappointed that the other medical privacy bills sponsored by \nmembers of this Committee are languishing. 
It is my hope that the next \nlegislative hearing on this issue will include the other bills offered \nby members of the Committee.\n    Thank you.\n\n    Mr. Bilirakis. Dr. Coburn.\n    Mr. Coburn. I want to make two points. Confidentiality of \nmedical records is important; and when the American public does \nnot have confidence that that confidentiality is there, people \nget hurt. And all I would explain to you is look at the HIV \nepidemic where we have half a million people in this country \nwho have HIV, who should not have it, because we didn\'t instill \nthe confidence that people\'s records were going to be held in \nconfidence.\n    The second point I would make is that Jim Greenwood, in \nwriting this bill, has the qualifications and the character to \nput patients and their information first.\n    And although Mr. Markey and others may disagree with some \nof the components of this bill, we could not ask another Member \nof Congress that has the qualifications for caring for people \nin his background to write such a bill. And you can have \nconfidence that whatever bill comes out of this committee with \nMr. Greenwood\'s signature on it will be one that does protect \npatients\' confidentiality in a way that is fair, firm, and will \nprotect their future.\n    And with that I yield back the balance of my time.\n    Mr. Bilirakis. Thank you very much, Doctor.\n    [Additional statements submitted for the record follow:]\nPrepared Statement of Hon. Barbara Cubin, a Representative in Congress \n                       from the State of Wyoming\n    Mr. Chairman, I would like to thank you for calling this hearing. \nThis is an extremely complicated, but vitally important issue that we \nmust resolve ahead of the August 21 deadline imposed by HIPAA.\n    Americans cherish our privacy, particularly when our medical and \npersonal histories are involved. 
Congress must move to pass sensible, \nbut effective legislation, to protect paper and electronic medical \nrecords. In our move to ensure valid privacy concerns, legislation must \nalso recognize legitimate research requirements. For any legislation to \nbe effective, it must contain strong enforcement mechanisms.\n    Representative Greenwood\'s legislation strikes a balance between \npersonal medical privacy and research needs. I appreciate the work that \nhe has done on this issue, and the positive effects it will have for \nevery American.\n    As we delve into this complicated issue today, I look forward to \nhearing the unique perspectives of our witnesses. Thank all of you for \ncoming.\n                                 ______\n                                 \n Prepared Statement of Hon. Tom Bliley, Chairman, Committee on Commerce\n    Thank you, Chairman Bilirakis for holding this hearing today on \nH.R. 2470, the Medical Information Protection and Research Enhancement \nAct of 1999. I commend my colleague on the Committee, Mr. Greenwood of \nPennsylvania, for his foresight and diligence in bringing comprehensive \nlegislation on this important issue to the Committee.\n    Mr. Greenwood has done an excellent job in improving language that \nhas been crafted, reviewed, fought over, and agreed to over the last \nseveral years in the other body. This language has benefitted from a \nlong discussion process among experts in the private and public \nsectors. It strives to preserve patient privacy, while assuring that \nmedical research will continue to progress. This language is well \nunderstood by those in the advocacy community, and is the most well-\nmapped geography of all the medical record confidentiality legislation \nin Congress.\n    I wish that I could say the same for legislation that has been \nintroduced by my colleagues on the other side of the aisle. Despite the \nbest of intentions, the unintended consequences of bills like H.R. 
1057 \nand H.R. 1941 could be very dire for patients across the country. \nAccording to written testimony submitted by the Biotechnology \nIndustrial Organization at our last hearing on confidentiality, H.R. \n1057, the Medical Information Privacy and Security Act, and H.R. 1941, \nthe Health Information Privacy Act, ``contain provisions that will \nsignificantly impede medical research by requiring that all research be \nmonitored by an external entity.\'\' In fact, the testimony states, \n``H.R. 1941 would expand the Federal government\'s role in private \nresearch by requiring that all research, whether funded with private \ndollars or taxpayer dollars, be reviewed by an entity certified by the \nSecretary using standards that are more restrictive than that used by \nInstitutional Review Boards.\'\'\n    We should not throw the baby out with the bathwater. In our efforts \nto ensure that medical records remain confidential, we should not make \nmedical research so difficult and expensive that the cures patients \nseek are unavailable. I look forward to hearing from our witnesses \ntoday on how we can improve the Greenwood legislation to safeguard \npatient confidentiality while ensuring a vital medical research \nindustry.\n    Thank you, Mr. Chairman, and I look forward to the testimony this \nmorning.\n                                 ______\n                                 \n  Prepared Statement of Hon. 
Gene Green, a Representative in Congress \n                        from the State of Texas\n    I want to thank the Chairmen for scheduling this important hearing.\n    As the deadline imposed by HIPAA for Congressional action \napproaches, I believe it is important for this subcommittee to begin \nits consideration of specific legislative language.\n    Unfortunately, I believe the Republicans are making a mistake by \nessentially choosing to move a bill that does not have any bipartisan \nsupport and is filled with loopholes that could jeopardize our medical \nrecord privacy rights.\n    Mr. Chairman, Americans are scared of what will happen to them if \ntheir medical records fall into the wrong hands. And by the term \n``wrong hands\'\', I am not talking about criminals--I am talking about \npotential employers and health insurance companies who discriminate \nagainst people based on their health history or even the likelihood of \ntheir future health status.\n    Today\'s information and technology gives the world an unprecedented \nopportunity for health research and prevention. Efforts like the human \ngenome project have the potential to provide scientists and doctors with \nlevels of health information that was inconceivable less than ten years \nago.\n    However the benefits of the genome project and other research \nefforts will be limited if Americans don\'t have complete confidence \nthat they will be able to control who has access to their personal \nmedical information.\n    I am proud to be a cosponsor of legislation to address these \nissues, including the consensus bill recently introduced by Mr. Condit. \nI believe his bill strikes a fair balance between protecting \nindividuals\' rights and the legitimate access needs to encourage and \nassist medical research.\n    I believe H.R. 
2470 fails to pass this ``balanced\'\' litmus test.\n    While complete analysis of the bill is not yet completed because it \nwas only introduced three days ago, it already appears to lack basic \nand fundamental safeguards to protect individuals.\n    Among these is the loosely defined exception for ``health care \noperations.\'\' As currently drafted in H.R. 2470, insurers could use an \nindividual\'s health information for marketing purposes and insurance \nunderwriting without consent by the individual.\n    Moreover, instead of creating a federal protection floor, this bill \nactually sets a ceiling and would preempt existing state laws and \nprevent states from passing laws to address their specific concerns.\n    Finally, this bill would prohibit the Secretary from taking \nadditional steps in the future to address currently unforeseen medical \nprivacy protection issues.\n    Mr. Chairman I sincerely appreciate the efforts you and Mr. \nGreenwood have made in drafting this bill and I am disappointed that I \nam unable to support this bill in its current form.\n    I look forward to working with the rest of the subcommittee Members \non both sides to develop a fair and comprehensive bipartisan solution \nto this very bipartisan issue.\n                                 ______\n                                 \n    Prepared Statement of Hon. John D. Dingell, a Representative in \n                  Congress from the State of Michigan\n    Mr. Chairman, I want to begin by thanking you for scheduling this \nhearing. This is now our second hearing on the topic of medical records \nprivacy. In view of the complex nature of the subject matter this is \ntime well spent. All of us need to learn as much as we can about the \nuses and disclosures of personally identifiable medical information as \nthey may occur in the modern, and I might add, ever changing, health \ncare system. 
The proper use of such information can do great good for \nthe patient, for research, and for public health and other legitimate \npurposes. But such information can also do great harm to the patient, \nto research, and other important purposes if used or disclosed \nimproperly. Our job is to strike the appropriate balance between an \nindividual\'s fundamental right to privacy and the need in certain \ncircumstances for personally identifiable medical information to be \nused or disclosed by someone other than the patient.\n    I want to put the timing of this hearing and any further \nlegislative action on medical records privacy in context. Much is made \nof the August 1999 deadline under the Health Insurance Portability and \nAccountability Act (``HIPAA\'\'). The Secretary may begin the process of \nwriting regulations if we do not enact legislation before then. She \nundoubtedly will need some period of time thereafter to complete the \ntask. In sum, we need to move with alacrity, but there should be \nsufficient time to act under current law if we are serious about doing \nso, and there should be no need to extend the HIPAA deadline.\n    Mr. Chairman, today\'s hearing will hopefully inform us of key \ndifferences among competing approaches to medical records privacy \nlegislation. I was pleased to join many of my colleagues, including \nMessrs. Condit, Waxman, Towns, and Markey in sponsoring H.R. 1941. I \ncontinue to believe that H.R. 1941 embodies sound medical records \npolicies that include enforceable remedies and flexibility to meet \nfuture changes and challenges in this area. I see that my colleagues \nand good friends Messrs. Greenwood, Shays, Norwood, Burr, and Upton \nthis week have also introduced a bill on this subject, H.R. 2470. I was \ndisappointed to learn that this hearing has been captioned as dealing \nonly with the Greenwood bill. Privacy is not a partisan issue.\n    Today, we will hear from two outstanding panels of witnesses. 
They \ninclude some of the leading experts on the subject of medical records \nprivacy and I am anxious to learn from them.\n    Thank you.\n\n    Mr. Bilirakis. We will recess until after our vote. It will \nprobably be about 15 minutes.\n    [Brief recess.]\n    Mr. Bilirakis. The hearing will come to order.\n    Panel I consists of Mr. John T. Nielsen, Senior Counsel and \nDirector of Government Relations with Intermountain Health \nCare, Salt Lake City, Utah; Dr. Paul Tang, Medical Director of \nClinical Informatics, Palo Alto Medical Clinic, Los Altos, \nCalifornia; Mr. Justin Pawlak of Harleysville, Pennsylvania; \nDr. Paul S. Appelbaum, Professor and Chairman, Department of \nPsychiatry, University of Massachusetts Medical School; and Ms. \nChai Feldblum, Director of Federal Legislation Clinic, \nGeorgetown University Law Center.\n    Welcome. Your written statement is a part of the record, \nand we will set the clock at 5 minutes and ask you to try to \nhold to it as closely as you possibly can. We will start off \nwith Mr. Nielsen. Please proceed, sir.\n\n STATEMENTS OF JOHN T. NIELSEN, SENIOR COUNSEL AND DIRECTOR OF \nGOVERNMENT RELATIONS, INTERMOUNTAIN HEALTH CARE; PAUL C. TANG, \n   MEDICAL DIRECTOR, CLINICAL INFORMATICS, PALO ALTO MEDICAL \n  CLINIC; LINDA PAWLAK, PARENT; PAUL APPELBAUM, PROFESSOR AND \n CHAIR, DEPARTMENT OF PSYCHIATRY, UNIVERSITY OF MASSACHUSETTS \n     MEDICAL SCHOOL, ON BEHALF OF THE AMERICAN PSYCHIATRIC \nASSOCIATION; AND CHAI FELDBLUM, PROFESSOR OF LAW AND DIRECTOR, \n  FEDERAL LEGISLATION CLINIC, GEORGETOWN UNIVERSITY LAW CENTER\n\n    Mr. Nielsen. Thank you, Mr. Chairman, members of the \ncommittee. Good morning. My name is John T. Nielsen. I am \nSenior Counsel and Director of Government Relations for \nIntermountain Health Care. IHC, as it is called, is an \nintegrated, not-for-profit healthcare system based in Salt Lake \nCity. We serve the States of Utah, Idaho and Wyoming. 
The IHC \nsystem consists of 23 hospitals, over 400 employed positions \nand a large health plan division.\n    IHC employs 23,000 people who are keenly aware of their \nresponsibility to safeguard personal health information, and we \nhave invested considerable resources in order to develop \neffective protections and procedures to provide privacy \nprotection for those that we serve.\n    IHC is pleased to strongly support the Medical Information \nProtection and Research Enhancement Act. We are pleased that \nH.R. 2470 reflects, among other things, six important key \nprinciples. First, H.R. 2470 wisely adopts uniform Federal \nconfidentiality standards and preempts State authority in the \nareas covered by Federal legislation. Confidentiality \nlegislation must ensure national uniformity and recognition of \nthe increasingly complex and interstate nature of health care \ndelivery in this country. I believe Mr. Greenwood has put it, \nas well as I have heard it in his opening statement.\n    Second, IHC supports H.R. 2470\'s statutory authorization \napproach. While it can certainly be argued that the practice of \nobtaining signed authorization has value and merit, and indeed \na study and a report by the Health Privacy Project at \nGeorgetown University, of which I was part, recommends this \napproach, IHC has long maintained that the statutory \nauthorization approach makes very good sense. This approach, \ncombined with the bill\'s strong penalties for misuse, will \nallow for appropriate access to identifiable information while \nprotecting patient confidentiality.\n    Mr. 
Greenwood\'s bill wisely allows the use of patient \ninformation only for expressly stated purposes which include \ntreating, securing payment, conducting certain health care \noperations and other important purposes, including medical \nresearch, emergency services and public health.\n    Having said this and while IHC has certainly no objection \nto the approach taken in the bill, we would also have no \nobjection to the more formal, signed authorization approach. \nAfter all, it is our current practice and may still be.\n    Third, H.R. 2470 applies Federal standards only to \nindividually identifiable information, and this is the correct \napproach because patients have a legitimate expectation of \nprivacy and because, perhaps more importantly, it creates a \npowerful incentive to encrypt, encode or otherwise anonymize \npatient health information.\n    Fourth, the act applies equally to all types of health \ninformation. All patient identifiable information is sensitive \nand should be afforded equal protections against inappropriate \ndisclosure.\n    Fifth, the act rightly includes significant penalties for \ninappropriate use of protected information.\n    And last, sixth, it establishes new Federal safeguards to \nprotect patient identifiable information. We are also pleased \nthat the bill provides for a Federal right that patients may \naccess, copy and request amendments to their medical records.\n    At IHC, in order to treat our patients and improve the \nhealth outcomes of the entire population we serve, we must be \nable to share information among our physicians, our hospitals \nand our health plans. IHC has developed state-of-the-art \nelectronic medical records and common data bases to facilitate \nthis communication, to make certain that our physicians have \ncomplete information when they treat patients. 
We have put into \nplace an extensive array of enforceable confidentiality \nprotections which we constantly improve and update.\n    We urge you to ensure that confidentiality legislation does \nnot unintentionally prevent the creation of these common \ninternal data bases or limit the type of data which can be \nshared within a health delivery system. Such action would \nseverely limit a health care system\'s ability to measure and \nimprove the health care outcomes of its patients.\n    Individually identifiable information and the ability to \nshare it is absolutely integral to the IHC health care \noperations through which we seek to maximize the quality of \npatient health care delivered in our system. Health plans also \nplay a major role in improving the health of our members. \nHealth plans must be able to link information back to a \nspecific individual in the event that a more effective \ntreatment protocol or a previously unknown health risk is \nidentified and to assist our members to manage their own health \ncare.\n    For all of these reasons, we respectfully urge you to \nswiftly approve before the August recess the Medical \nInformation Protection and Research Enhancement Act which we \nbelieve will establish important Federal standards to protect \npatient confidentiality which, at the same time, allows these \nimportant health-enhancing activities to continue.\n    Congress, not the Secretary, should set these standards in \nthis critical area. We believe this bill will do just that. \nThank you.\n    [The prepared statement of John T. Nielsen follows:]\n Prepared Statement of John T. Nielsen, Senior Counsel and Director Of \n            Government Relations, Intermountain Health Care\n                            i. introduction\n    My name is John T. Nielsen. I am Senior Counsel and Director of \nGovernment Relations at Intermountain Health Care (IHC). 
IHC is an \nintegrated health care delivery system based in Salt Lake City and \noperating in the states of Utah, Idaho, and Wyoming. The IHC system \nincludes 23 hospitals, 78 clinics and physician offices, 23 outpatient \nprimary care centers, 16 home health agencies, and 400 employed \nphysicians. Additionally, our system operates a large Health Plans \nDivision with enrollment of 475,00 directly insured plus 430,000 who \nuse our networks through other insurers.\n    IHC\'s 23,000 employees are keenly aware of their responsibility to \nsafeguard personal health information and IHC has invested considerable \nresources in order to develop effective protections and procedures. IHC \ntakes seriously its responsibility to use patient identifiable health \ninformation to optimize not only that patient\'s health, but the health \nof all patients in the IHC system.\n                 ii. importance of federal legislation\n    The Health Insurance Portability and Accountability Act of 1996 \n(HIPAA) directs Congress to enact federal privacy legislation by August \n21, 1999. That deadline is little more than one month away. If Congress \nfails to act by August 21, 1999, the Department of Health and Human \nServices (HHS) is required to promulgate regulations on privacy \nprotection by February 2000. IHC urges Congress to meet the HIPAA \ndeadline and to enact strong federal standards which provide uniform \npatient confidentiality protections across the country. IHC is pleased \nto lend its strong and enthusiastic support to H.R. 2470, the Medical \nInformation Protection and Research Enhancement Act of 1999, which is \nsimilar to S. 881, the Medical Information Protection Act of 1999, \nintroduced by Senator Robert F. Bennett of Utah, which we also support.\n    IHC is committed to working with this Subcommittee and others in \nCongress toward passage of the Greenwood/Bennett bills. 
The approach \nadopted by these legislators strikes an appropriate balance between \nsafeguarding patient identifiable health information and facilitating \nthe coordination and delivery of high quality, network-based health \ncare, such as that provided at IHC.\n    Indeed, striking the right balance is critical to IHC\'s efforts to \ndeliver the best possible patient care. IHC has developed state-of-the-\nart electronic medical records and common databases which we use \nextensively not just for treatment and payment but for such fundamental \nquality enhancing activities as outcomes review, disease management, \nhealth promotion and quality assurance. Not only are these efforts \nessential to optimizing the health of our patients but many are in fact \nrequired by federal and state programs and regulations and by \naccreditation standards. It is vital that federal confidentiality \nlegislation not impede the ability to optimize patient health through \nthe use of identifiable health information.\n     iii. importance of nationally uniform patient confidentiality \n                              protections\n    The delivery of health care today is vastly different than even a \ndecade ago. Health care delivery increasingly crosses state lines \nthrough health system mergers, telecommunications, contractual \nrelationships and other mechanisms. Enactment of uniform federal \nconfidentiality protections is critical as technology is increasingly \nused to enhance the quality of patient care and to maximize the \noutcomes of health care provided to our patients. Confidentiality \nlegislation must ensure national uniformity in recognition of the \nincreasingly complex and interstate nature of health care delivery in \nthis country.\n    Health systems like IHC, which operate across state lines, would \nhave enormous difficulty complying with different federal and state \nstandards governing disclosure of protected health information. 
\nIndividual state laws create confusion, errors and inefficiencies. The \nnation needs a common national standard for protection of \nconfidentiality and privacy. Accordingly, strong federal preemption is \nvital. The Medical Information Protection and Research Enhancement Act \nrightly recognizes the importance of strong federal preemption.\n        iv. ihc uses patient information to enhance patient care\n    IHC is committed to providing high quality health care to the \ncommunities it serves, regardless of ability to pay. IHC uses patient \ninformation to enhance patient care. A few specific examples of IHC\'s \nhealth care operations activities undertaken to improve health care \noutcomes are set forth below. The Medical Information Protection and \nResearch Enhancement Act would facilitate the appropriate use of \npatient identifiable health information for these quality enhancing \nactivities.\n\n<bullet> Improved timing of delivery of pre-operative antibiotics to \n        prevent serious post-operative wound infections. Our wound \n        infection rate fell from 1.8 percent to 0.4 percent \n        representing, at just one of our 23 hospitals, more than 50 \n        patients per year who now do not suffer serious, potentially \n        life-threatening infections. We also saved the cost of treating \n        those infections, reducing health care costs by an estimated \n        $750,000 per year at that one hospital.\n<bullet> Improved support for inpatient prescriptions. A computerized \n        order entry system warns physicians, at the time they place the \n        order, of potential patient allergies and drug-drug \n        interactions. It also calculates ideal dose levels, using the \n        patient\'s age, weight, gender, and estimates of patient \n        specific drug-absorption and excretion rates, based on \n        laboratory values. 
That system has reduced adverse drug events \n        (allergic reactions and drug overdoses) to less than one-third \n        of their former level--significantly reducing the primary \n        treatment-related risks that patients face while hospitalized.\n<bullet> Improved management of mechanical respirators for patients \n        with acute respiratory distress syndrome (ARDS). In the most \n        seriously ill category of ARDS patients, mortality rates fell \n        from more than 90 percent to less than 60 percent. Costs of \n        care, per patient who lived, fell by about 25 percent.\n<bullet> Improved management of diabetic patients in an outpatient \n        setting. The proportion of patients managed to normal blood \n        sugar levels (hemoglobin A1c < 7.0%) improved from less than 30 \n        percent (typical for a general internal medicine practice) to \n        more than 70 percent. Major studies of diabetes demonstrate \n        that that shift in blood sugar control will translate to \n        significantly less blindness, kidney failure, amputation, and \n        death. Others indicate that it should reduce the costs of \n        medical treatment for diabetic patients by about $1,000 per \n        patient per year.\n<bullet> Improved treatment of community-acquired pneumonia. By helping \n        physicians more appropriately identify patients who needed \n        hospitalization, choose appropriate initial antibiotics, and \n        start antibiotic therapy quickly, we were able to reduce \n        inpatient mortality rates by 26 percent. That translates to \n        about 20 patients saved in the ten small rural IHC hospitals \n        where we first worked on this aspect of care delivery. It also \n        reduced treatment costs by more than 12 percent.\n<bullet> Accountability for health care delivery performance. 
IHC has \n        begun to assemble and report medical outcomes, patient \n        satisfaction outcomes, and cost outcomes for major clinical \n        care processes that make up more than 90 percent of our total \n        care delivery activities. We aggregate and report those data at \n        the level of individual physicians; practice groups (e.g., \n        clinics); hospitals; regions; and for our entire system. We use \n        the resulting reports to hold health care professionals and our \n        system accountable for the care we deliver to our patients, and \n        to set and achieve care improvement goals. We believe that this \n        system will eventually allow IHC to accurately report our \n        performance at a community, state and national level, to help \n        individuals and groups make better choices in the United \n        States\' competitive health care marketplace.\n    Nearly all of IHC\'s 60-plus improvement projects, including the \nexamples listed above, had to do with care delivery execution--\nconsistently applying the best available current medical information--\nrather than the generation of new biomedical knowledge. Some of these \ninitiatives directly improved medical outcomes for patients. Some \nprimarily produced significant reductions in the cost of health care \nwhile demonstrably maintaining excellent medical outcomes, thus \nimproving (albeit indirectly) affordability of and access to health \ncare services. Many did both at once--improved medical outcomes while \nreducing costs.\n    All of these activities relied on information--not just information \nat the level of individual patients, but information on populations of \npatients. We use that population-level information for operational care \ndelivery--execution--not just ``generation of new generalizable \nknowledge\'\'--research. Medicine is inherently an information science. 
\nIn general, the better objective data we have--with regard both to \nclinical theory, the information we use to care for a specific patient, \nand support to deliver the right care at the right time--the better \ndiagnoses we can make, the better treatments we can offer and the \nbetter patient outcomes we can achieve.\n    Many recent, significant improvements in patient medical outcomes \ngrew out of better health care delivery execution--that is, health care \ndelivery operations. While the distinction between health care delivery \noperations and health research is clear at the extremes, it quickly \nturns to shades of grey at the center. No one has been able to produce \na rigorous, functional definition to distinguish the two classes except \nat the extremes. It depends upon the intent of those examining the \ndata.\n    National policy mistakes in this area--policies that \ninappropriately slow health care delivery, where other choices could \nhave adequately protected patient confidentiality and privacy without \nraising functional barriers to care delivery execution--will be \nmeasured not just in increased health care costs, but in human lives. \nIHC urges this Subcommittee and others in Congress to work toward \nenactment of the Medical Information Protection and Research \nEnhancement Act because it recognizes the importance of patient \nidentifiable health information and permits the appropriate flow of \nhealth information within a health care delivery system.\n  v. ihc recognizes the central importance of the confidentiality of \n   medical records and has set forth numerous internal procedures to \n                        protect confidentiality\n    IHC supports strong uniform federal confidentiality standards that \nbuttress our health care delivery and clinical research work. 
Speaking \nthrough our community-based Board of Trustees, IHC has placed \nappropriate protection of patient confidentiality and privacy near the \nfront of our institutional values. Those values complement a parallel \nmission to provide the best possible health maintenance and disease \ntreatment to those who trust their care to our hands. On the eve of the \n21st century, the best possible health maintenance and disease \ntreatment is only possible when health care delivery operations use \npopulation-level patient data as well as individual patient data.\n    IHC uses enforceable corporate policy to maintain confidentiality \n(for health care professionals and employees, as well as patients) in \nthose areas that are clearly health care delivery operations (for \nexample, direct patient care delivery; billing for services; quality \nreview of individual patient records, including such activities as \nmortality and morbidity conferences; resource planning, unit \nperformance evaluation, quality improvement and disease management; and \nretrospective epidemiologic evaluations of program performance). The \ncore of those policies and enforcement activities include:\n\n<bullet> We require every employee, health care professional, \n        researcher or volunteer to sign a confidentiality agreement \n        stating that they will only look at or share information for \n        the specific purpose of performing their health care delivery \n        assignment on behalf of our patients.\n<bullet> We require each new employee to undergo training with respect \n        to IHC confidentiality policies. 
These policies are set forth \n        in a draft manual, which already numbers more than 60 pages and \n        represents more than five years of careful discussion and \n        cross-testing.\n<bullet> We impose consequences--including termination--for improper \n        use or handling of confidential information.\n<bullet> To the extent that we have implemented an electronic medical \n        record, we are able to monitor access to patient records (an \n        ability not present in the paper record). We use that system as \n        one important means to monitor and enforce our confidentiality \n        policy. In the near future, we will bring on-line the ability \n        for any patient to review a list of every individual who has \n        ever accessed their electronic medical record, for any purpose.\n<bullet> We utilize software controls including warnings on front log-\n        on screens, unique log-on passwords, and computerized audit \n        trails. In the near future, we hope to be able to implement \n        biometric log-on--where anatomic features (such as \n        fingerprints) uniquely identify each computer user at each \n        interaction.\nvi. irb review must not be required for health care delivery operations \n  and execution. irb review is not the most effective way to protect \n                        patient confidentiality.\n    IHC requires full Institutional Review Board (IRB) review, approval \nand on-going oversight for any research project that involves (1) any \nexperimental therapy; (2) patient randomization among treatment \noptions; or (3) patient contact for research purposes. Indeed, the IHC \nsystem has 12 IRBs, but we do not look to IRBs as our sole--or even our \nprimary--means to protect confidentiality. 
Most of the risks to patient \nconfidentiality come in day-to-day patient care, as physicians and \nnurses routinely access identifiable patient medical records, both \npaper and electronic, to deliver that care. Instead, we rely upon the \nextensive array of enforceable policies and procedures discussed above. \nIn the same vein, a recent GAO Report affirms that IRBs ``rely on \norganizational policies to ensure the confidentiality of information \nused in projects using personally identifiable medical information\'\' \n<SUP>1</SUP> and that ``the organizations . . . contacted have taken \nsteps to limit access to personally identifiable information.\'\' \n<SUP>2</SUP>\n---------------------------------------------------------------------------\n    \\1\\ U.S. General Accounting Office Report to Congressional \nRequesters, Medical Records Privacy: Access Needed for Health Research, \nbut Oversight of Privacy Protections Is Limited, GAO/HEHS-99-55, p16.\n    \\2\\ Id. at 4.\n---------------------------------------------------------------------------\n    If IRB review of each of these health care operations activities \nwere required, many--if not most--of the operational care delivery and \nhealth outcome improvements described above could not function on a \nday-to-day basis. The volume of review would be staggering, far beyond \nthe capacity of any reasonable system of individual review and follow-\nup oversight. While IHC has 12 fully functioning IRBs spread throughout \nour integrated health care delivery system, we do not look to these \nIRBs to protect the confidentiality of individually identifiable \npatient information for daily care delivery operations and execution. 
\nThat protection arises, instead, from IHC-wide policy with \nadministrative enforcement.\n    As the GAO report rightly recognizes ``IRB review does not ensure \nthe confidentiality of medical information used in research because the \nprovisions of the Common Rule related to confidentiality have \nlimitations.\'\' <SUP>3</SUP> Moreover, the report further acknowledges \nthat ``it is not clear that the current IRB-based system could \naccommodate more extensive review responsibilities.\'\' <SUP>4</SUP> If \nIRB review of quality improvement activities were required, our \nsystem\'s ability to conduct these fundamental quality-enhancing \nactivities would be severely impeded.\n---------------------------------------------------------------------------\n    \\3\\ Id. at 3.\n    \\4\\ Id. at 21.\n---------------------------------------------------------------------------\n    IHC uses patient-identifiable health information to generate \nliterally hundreds of operational analyses each day that improve the \nquality of health care. These quality improvement activities focus on \nboth the processes of delivering care as well as on the outcomes of \ncare. They include health promotion and disease prevention, disease \nmanagement, outcomes evaluation for internal program management, and \nutilization management. As discussed above, IHC recognizes the vital \nimportance of medical records confidentiality and has established \nnumerous internal procedures to protect confidentiality.\n    Because it is so difficult to precisely define and distinguish \nbetween quality improvement-based internal operations and true clinical \nresearch activities, internal confidentiality policies and procedures \naccompanied by stiff penalties are far more effective in safeguarding \npatient confidentiality than mandating that quality improvement \nactivities undergo IRB review. 
As the GAO Report acknowledges, the IRB \nprocess is already overburdened and is not designed to protect patient \nconfidentiality. A care delivery system\'s ability to improve quality \nand deliver top-tier care would seriously be jeopardized if all of \nthese activities were required to undergo IRB review.\n    IHC endorses the approach of the Medical Information Protection and \nResearch Enhancement Act which acknowledges that requiring internal \noperations activities to undergo IRB review will not safeguard patient \nconfidentiality. Instead, requiring a system-wide commitment and \nprocess with respect to safeguarding personal health information will \nbetter protect privacy.\n         vii. the role of institutional data review committees\n    IHC\'s Information Security Committee recommends policy to IHC\'s \nBoard of Trustees, and individually examines and acts upon all projects \nthat fall into the definitional grey area between operations and \nresearch. The Information Security Committee reports directly to IHC\'s \nBoard of Trustees. Its members include research scientists; experts in \nmedical informatics; practicing clinicians; medical ethicists; a \nknowledgeable community member not associated with IHC or with other \nhealth care delivery or research; and senior managers from IHC\'s care \ndelivery operations. As an extended quorum, all IRB chairpersons \nworking within IHC also attend to discuss problems and recommend policy \nsupporting IRB function throughout the IHC system. A full record of \neach meeting is generated and maintained.\n    IHC\'s Information Security Committee is an example of what the \nAmerican Medical Informatics Association, in its recommendations on \nconfidentiality protection when electronic medical records are used, \ncalls a Data Review Committee. 
While structured very like an IRB, it \nadds an essential organizational element: a Data Review Committee is \nspecifically charged to generate and enforce confidentiality policies \nwithin an organization, in addition to reviewing specific projects. An \norganization of IHC\'s size generates literally hundreds of operational \nanalyses that access patient information every day. Especially when \nprecise definitions are impossible, enforceable organization-level \npolicy is far more effective in protecting confidentiality and privacy \nthan is any attempt at individual review of such massive numbers of \nprojects.\n viii. electronic medical records enhance individual patient care and \n      simultaneously improve health care delivery for all patients\nA. Patients Must Not be Permitted to Opt Out of Quality Enhancing \n        Activities\n    IHC uses an electronic medical record because of the significant \nimprovements in medical outcomes and health care costs that that tool \nhas allowed. Because it is such an essential part of daily operations, \nIHC cannot functionally allow patients to opt out of using our \nelectronic medical record, without sacrificing (1) our ability to \ndeliver excellent care to the individual involved and (2) our ability \nto provide good care to the rest of our patients. For example, our \nlaboratory analyzers feed directly into our computer system. When IHC \ncommitted to that link, we not only significantly improved our ability \nto deliver excellent care to all of our patients, but also necessarily \nlost our ability to process blood laboratory tests without using the \nelectronic medical record. Permitting patients to opt out would cripple \nIHC\'s ability to improve the health care quality of all of our \npatients. Even the loss of 3-4% of a patient population would greatly \nskew results. 
Moreover, from a functional perspective, given our use of \nelectronic medical records, IHC could not logistically provide for \npatients to opt out of the various health promotion, disease management \nand other quality enhancing activities we routinely undertake.\nB. Patient Requests to Alter their Medical Records\n    Because some providers like IHC are now using electronic medical \nrecords and other providers are increasingly using electronic medical \nrecords, IHC suggests that a patient\'s request to amend his or her \nmedical record or a statement of a patient\'s disagreement with the \ncontent of a medical record be reflected in that medical record not by \ninclusion of the patient\'s entire written request or letter but by a \nnotation or summary. The requirement in some legislative proposals for \nthe inclusion of the full request or disagreement is impracticable \ngiven the increasing use of electronic medical records in the delivery \nof health care.\nC. Patient Revocation of Authorization\n    Our physicians are legally and ethically bound to provide the best \ncare they can for each patient. In order to do this, complete and \naccurate medical information is needed. If patients were permitted to \ndeny consent for use of their medical records information, not only \nwould their individual care be compromised, but ongoing efforts to \nimprove health care quality and the validity and reliability of studies \nwould be seriously jeopardized. Patients must not be empowered to pick \nand choose which information from their records should be made \navailable to their physician and others with responsibility for caring \nfor them. Instead, federal legislation should rely on severe penalties \nfor misuse of information. The Medical Information Protection and \nResearch Enhancement Act appropriately recognizes the necessity of \nensuring that health care providers base decisions on the best possible \ninformation.\n                      ix. 
statutory authorization\n    The Secretary of Health and Human Services proposed a statutory \nauthorization in her confidentiality recommendations. The National \nAssociation of Insurance Commissioners likewise incorporated this \napproach in their Model Act. A statutory authorization would authorize \nby law widely accepted uses of patient identifiable health information \nsuch as treatment, payment and the health care operations activities \ndescribed above.\n    IHC is pleased that the Medical Information Protection and Research \nEnhancement Act of 1999 includes a statutory authorization. This \napproach, combined with the strong penalties for misuse of information \nfound in all of the legislative proposals on this issue, allows for \nappropriate access to identifiable health information while protecting \npatient confidentiality.\n    Ultimately, should Congress not adopt a statutory authorization, \nlegislation must make clear that a signed patient authorization each \ntime a provider and patient interact within a delivery system or \nnetwork-based health plan is not required. Likewise, it is vitally \nimportant that the legislation allow health systems to engage in \nactivities related to health promotion, disease management, quality \nassurance, utilization review, and related research without requiring \nseparate patient authorization for each subsequent use of patient \ninformation. Such a requirement would be enormously burdensome for both \nproviders and patients and, after the plan\'s initial ``consolidated \nauthorization\'\' is signed by the patient, would serve no additional \npurpose. IHC additionally urges that a health plan enrollee be \npermitted to sign one authorization form on behalf of that enrollee\'s \ncovered dependents. Requiring each individual family member to sign a \nseparate authorization form would be unwieldy at best, burdensome on \nthe enrollee, and could result in the delay of needed care.\n               x. 
applicability to all health information\n    Federal legislation should apply equally to all types of health \ninformation, including genetic information. This is important because \nall individually identifiable health information is sensitive and \nshould be afforded the same protections against inappropriate \ndisclosure.\n           xi. penalties for misuse of protected information\n    All of the various legislative proposals include significant \npenalties for unauthorized use of patient identifiable health \ninformation. These are important to deter misuse of information. They \nshould, however, be made consistent with the penalties included in \nHIPAA.\n                  xii. cause of action by individuals\n    If Congress is able to meet the HIPAA deadline and enact \nconfidentiality legislation, patients across the country will--for the \nfirst time--benefit from strong federal protections for patient \nidentifiable information. Given the groundbreaking nature of this \nlegislation and the significant criminal and civil penalties already \nprovided for in the various legislative proposals, the inclusion of a \nprivate right of action is unnecessary. Moreover, it is our experience \nat IHC that breaches in the confidentiality of patient identifiable \nhealth information are not at all common. Additionally, inclusion of a \nprivate right of action would likely give rise to an entirely new \nplaintiff\'s bar, greatly increasing expensive and unpredictable private \nlitigation. The penalty provisions in the various proposals, including \nthe legislation before this Subcommittee, are already stringent; the \naddition of a cause of action is not merited.\n                         xiii. law enforcement\n    IHC feels that patient confidentiality legislation is an \ninappropriate venue for revision of probable cause and other standards \nnow governing the access to patient records of law enforcement \nofficials. 
Instead, confidentiality legislation should be law \nenforcement neutral. To the extent that confidentiality legislation \ntouches on law enforcement\'s access to identifiable information, access \nshould only be available after a request has been approved through a \nprocess that involves a neutral magistrate.\n                               xiv. close\n    As an integrated health care delivery system, IHC is responsible \nfor the health outcomes of the patients who seek care from our system. \nIn order to treat our patients and improve the health outcomes of the \nentire population we serve, we must be able to share information among \nIHC corporate entities--our physicians, our hospitals, and our health \nplans. IHC has developed state-of-the-art electronic medical records \nand common databases to facilitate this communication and to make sure \nour physicians have complete information when treating patients. We \nhave put in place an extensive array of enforceable confidentiality \nprotections which we constantly improve and update.\n    IHC urges this Subcommittee to ensure that confidentiality \nlegislation does not unintentionally prevent the creation of these \ncommon internal, operational databases or limit the type of data which \ncan be shared within an integrated delivery system. Such action would \nseverely limit a health system\'s ability to measure and improve the \nhealth outcomes it provides those who seek its services.\n    The outstanding health care our physicians, nurses, and others \ndeliver through IHC\'s network-based system relies on the coordination \nof patient care and effective quality improvement activities. \nIndividually identifiable health information is integral to IHC\'s \nhealth care operations, through which we seek to maximize the quality \nof patient care delivered in the IHC system. 
I urge you to swiftly \napprove--before the August recess--the Medical Information Protection \nand Research Enhancement Act, which will establish uniform federal \nstandards to protect patient confidentiality while at the same time \nallowing these important activities to continue.\n\n    Mr. Bilirakis. Thank you very much, Mr. Nielsen.\n    Dr. Tang.\n\n                   STATEMENT OF PAUL C. TANG\n\n    Mr. Tang. Thank you. Mr. Chairman, Mr. Greenwood, Members \nof the committee, thank you very much for permitting me to \ntestify before you on this very important topic. My name is \nPaul Tang. I am a practicing internist and Medical Director of \nClinical Informatics at Palo Alto Medical Clinic in California \nand Vice President of Epic Research Institute, working on \ncomputer-based patient record systems, or CPRs.\n    I am here because I have a passionate desire to provide the \nbest quality care for my patients, and I think all caregivers \nhave the legal and ethical obligation to protect the \nconfidentiality of their patient\'s health data. In my mind, \nthese two objectives are inextricably linked. I would like to \nbegin by describing the status quo in medical recordkeeping, \nthen explain a little bit on how CPR has improved that \nsituation and to discuss how confidentiality legislation \nimpacts quality of care.\n    First, the status quo. In an observational study I did a \nfew years back at Stanford we found that in 81 percent of \nclinic visits physicians did not have all the information they \nneeded to take care of their patients that day. In fact, on \naverage, they were missing four pieces of information for each \nvisit. This is not optimal. Unfortunately, neither is it \natypical.\n    Regrettably, the situation in confidentiality is no better. 
\nIf someone requests the medical record, it is an all or nothing \nphenomenon, and if the record can be found, and 30 percent of \nthe time it can\'t be found, the request is free to look at any \npart of the record and no one will even know. It is this \nsituation that makes it impossible for us to enforce \nconfidentiality policies and to hold people accountable for \ntheir actions.\n    In 1991, the Institute of Medicine recommended that the \nUnited States adopt CPRs as the standard for medical record. \nThey did this primarily because they thought it would improve \nthe quality of care. In addition, it can increase our ability \nto protect the confidentiality of health information. For \nexample, the CPR can limit access by a patient. So in contrast \nto common practice, where in a hospital almost anyone can look \nat a record, a CPR user can be limited only to those patients \nwith which the user has a professional relationship.\n    Second, access to elements of a record can be restricted. \nSo, for example, HIV test results can be marked as sensitive \nand restricted only to the ordering physician or the primary \ncare physician.\n    Third, access to visits in mental health could be \nrestricted to mental health providers.\n    Fourth and finally, and probably most importantly, all \naccesses to and updates of the record can be logged in audit \ntrails and these audit trails can be analyzed to monitor and \nenforce confidentiality policies. Once again, in contrast to \npaper records, with the CPR, I can tell you who has access to \nyour record and what they have looked at.\n    In short, a CPR gives us tools to increase the overall bar \nof protection of confidentiality for all patient data. 
I know \nthat we all recognize that striking a balance between the needs \nof the caregiver and the need to protect information is \ndifficult; and we all want to do the right thing, but as we \nwork out the details of the legislation, I think we need to be \ncareful about not letting good intentions interfere with good \ncare.\n    For example, one approach to protecting patient data is to \nenumerate all the potentially sensitive personal data and to \nsegregate that data. Unfortunately, to the extent that we are \nsuccessful in hiding this information, we will undermine much \nof the benefit that computerizing records can provide us in the \nfirst place. In effect, we will have returned back to the \nstatus quo of having incomplete information for almost \neverybody.\n    An alternative approach and one that I would favor is to \ngive physicians and patients the benefit of having all \ninformation when they are making decisions and at the same time \nraising the overall bar of protection for all data.\n    Finally, let me address the uniform confidentiality laws. \nMany provider organizations take care of patients across State \nborders. I think it would be confusing to patients and \nburdensome for providers to have to face State-by-State \nregulations. Like politics, health care is local, but I think \nour ethical and legal obligations to protect the \nconfidentiality of patient data should be universal.\n    So, in summary, in my experience, CPRs can definitely \nenhance the quality of care, and they can definitely improve \nour ability to protect confidentiality of health data. However, \nwe need balanced legislation in order to permit us to \neffectively use these tools to achieve the benefits I described \nand that the Institute of Medicine envisioned.\n    I think Mr. Greenwood\'s bill introduced this week is an \nexample of balanced legislation that preserves the integrity of \nthe record while assuring uniform protection for all. 
In short, \nwe need confidentiality legislation to continuously improve the \nquality of health for all Americans. I thank you again for \nletting me testify before you, and I will be happy to answer \nany questions.\n    [The prepared statement of Paul C. Tang follows:]\n   Prepared Statement of Paul C. Tang, Medical Director of Clinical \n                 Informatics, Palo Alto Medical Clinic\n    Mr. Chairman, Members of the Committee, thank you for the \nopportunity to testify on this very important topic--protecting the \nconfidentiality of patient data. My name is Paul Tang. I am a \npracticing internist and Medical Director of Clinical Informatics at \nthe Palo Alto Medical Clinic in California and Vice President of Epic \nResearch Institute, working on computer-based patient record systems. I \nalso serve on the Boards of the American Medical Informatics \nAssociation (AMIA), the Joint Healthcare Information Technology \nAlliance (JHITA), the Computer-based Patient Record Institute (CPRI), \nand the American College of Medical Informatics (ACMI).\n    I am here today because I have a passionate desire to provide high \nquality care for my patients and I firmly believe that all health care \nproviders have an ethical obligation to protect the confidentiality of \ntheir patients\' health data. In my mind, these two objectives are \ninextricably linked. Consequently, your decisions regarding \nconfidentiality legislation will directly affect the care that I can \ndeliver.\n    I will begin by describing the inadequacies of the status quo in \nmedical record-keeping, then speak briefly about the capabilities of \ncomputer-based patient records (CPRs) to address these needs, and \nconclude by discussing implications of confidentiality legislation on \nquality of care.\n    First, I need to tell you more about the status quo. 
In 1989, the \nInstitute of Medicine initiated a study to look at ways of improving \nmedical records in light of new information technology. During the \ncommittee deliberations, it was widely felt that the paper medical \nrecord left much to be desired. However, the literature did not contain \nempirical information about how broken the system really was. I later \nconducted a study at Stanford to gather the missing empirical data, and \nthe results do not paint a pretty picture. When we observed physicians \nmaking patient care decisions in ambulatory care, we found that in 81 \npercent of the visits, physicians did not have all the information they \nneeded in order to make decisions on their patients, even though they \nhad the paper record 95% of the time. On average, physicians were \nmissing 4 pieces of information during each visit. In one visit, a \nphysician was missing 20 pieces of information. That is, physicians \nroutinely have to choose between making a decision without the \navailable information, rescheduling the patient for another visit in \nhopes that information will then become available, or repeating the \ntest. Needless to say, none of these options is optimal. But, this is \nthe standard of practice. In other words, we probably should be \nadvising our patients that when they walk into a doctor\'s office they \nshould expect that their physicians will be making decisions on their \nhealth care without all the available information.\n    I recall receiving a letter from a cardiologist pointing out the \nneed for computer-based patient records in the hospital. One of his \npatients sustained a rare life-threatening side effect of a medication \nand was miraculously saved by an experimental treatment only to be \ngiven a medication later in her hospital stay to which she was \nallergic. Fortunately, by that time, she was alert and was able to \nrefuse the medication. 
A CPR system could have warned the physician \nordering the medication and prevented the near mishap.\n    Regrettably, the status quo for confidentiality is not much better. \nWhen a person requests a paper medical record, it is an all or nothing \nproposition. If the record can be found (30 percent of the time it \ncannot be found), the reader is free to look at any part of the record, \nand no one will know. The situation where a record and all of its \ncontents are open to many eyes for any and all uses makes it impossible \nfor us to enforce confidentiality policies and to hold people \naccountable for their actions. Like you, I find both these situations \nunacceptable--that doctors must routinely make decisions without all \nthe relevant patient information and that we cannot adequately protect \nthe confidentiality of patient data using paper records.\n    Fortunately, both of these problems can be dealt with by following \nthe recommendations of the 1991 Institute of Medicine study on medical \nrecords, which concluded that the computer-based patient record is an \nessential technology for health care. Based on my past experience at \nNorthwestern and my recent experience at Sutter Health, I can tell you \nthat using a computer-based patient record (CPR) improves the quality \nof medical decisions and compliance with clinical guidelines. Let me \ncite a brief example of this. It is well documented that giving a flu \nvaccine to people 65 years and older reduces the mortality from flu-\nrelated complications by one-half, reduces flu-related hospital \nadmissions by one-half, and reduces the cost of care by one-half. In \neffect, if you extrapolate these results, every time a flu vaccine is \nadministered, it would save the country $117. Unfortunately, according \nto figures from the CDC and the literature, physicians routinely \nadminister flu vaccines to approximately 50 percent of the eligible \npopulation. 
However, we and others have found that simple reminders \nprovided by the computer at the time of a patient visit can \ndramatically increase the compliance with these simple, but effective \nguidelines. In a study we conducted at Northwestern, flu vaccine rates \nwent up 78 percent for a group of physicians using a CPR compared to a \ncontrol group in the same clinic that continued to use paper records.\n    In addition to helping physicians deliver better healthcare, a CPR \ncan substantially improve our ability to protect the confidentiality of \npatient information. The guiding operational principle is that \nhealthcare professionals should only have access to those data for \nwhich they have a professional need to know. The CPR has a number of \ncapabilities to help ensure that this is the case. First, the CPR \nsystem can limit access by patient. In contrast to common practice \nwhere almost anyone in a hospital can access any patient record, a CPR \ncan limit a user\'s access to those patients for which the user has a \nprofessional relationship. Second, a CPR can limit the type of access \nbased on the role of the user. For example, a physician may have \ncomplete access to a patient\'s record, but a clerk would only have \nlimited access to administrative information about the patient. Third, \naccess to specific elements of a record may be restricted. For example, \nan HIV test order and its results may be classified as sensitive and \naccessible only by the ordering physician or primary care provider. In \naddition, a visit where sensitive issues are discussed can be afforded \nsimilar protection by granting access only to the patient\'s physician. \nFourth, access to visits in mental health departments could be \nrestricted to mental health providers. 
Fifth, and probably the most \nimportant, all accesses to and updates of information in a CPR are \nlogged and audit trails can be analyzed to monitor and enforce \ncompliance with confidentiality laws and policies. Once again, in \ncontrast to the paper record, with a CPR we can provide patients with a \nreport of anyone who has accessed their record and what was examined. \nIt is clear that using computer-based patient records gives us \nsignificant capability to raise the bar of protection for all \nconfidential patient information.\n    What are the implications for confidentiality legislation? I think \nwe all recognize that striking a balance between the information needs \nof physicians caring for patients and the need to control access to \ninformation is difficult and we all want to do the right thing. As the \ndetails of the legislation are worked out, however, we need to be \ncareful not to let good intentions interfere with good care. For \nexample, one approach to protection of patient data is to enumerate all \npotentially sensitive personal data and to segregate those data--\nrendering them more difficult to access. Unfortunately, to the extent \nthat we succeed at hiding information, we will undermine much of the \nbenefit of computerizing the record for the very people who care the \nmost--the physician and the patient. In effect, we will have returned \nto the status quo that I described at the beginning of my testimony--\nthat of incomplete information for almost everybody. An alternative \napproach, and one that I favor, is to give physicians and patients the \nbenefit of making decisions based on information, but at the same time \nto raise the bar of confidentiality protection for all data using the \ncapabilities of CPRs.\n    An analogy in patient care comes to mind. In the 1980s, health care \nproviders wore gloves to protect them from blood-borne infectious \ndiseases. 
This special precaution inadvertently became a marker for \nidentifying patients with blood-borne diseases, which included AIDS \npatients. Consequently, a new policy called universal precautions was \nadopted where all patients are treated the same and gloves are worn \nanytime a health professional could potentially be exposed to blood. \nThis approach accomplishes two things: it raises the general awareness \namong all caregivers about their everyday responsibility for preventing \nthe spread of communicable diseases, and from the patient\'s \nperspective, everyone is treated the same; no one is inadvertently \nidentified.\n    Likewise, I propose that instead of dissecting a patient\'s record \ninto special pieces of information, which is likely to interfere with \nthe care process, we should treat all patient information as highly \nconfidential. Following my analogy to universal precautions, we would \nbe preventing the spread of confidential data by treating all data the \nsame. I would rather promote a new standard for confidentiality and \nhold providers to that higher standard for all data.\n    Under what conditions should provider organizations disclose \nidentifiable patient information? The bills before Congress agree on \ntreatment and payment reasons. What continues to be debated is the \nphrase ``health care operations.\'\' While I am not in a position to \nenumerate every conceivable activity that could be covered, I can list \nsome obvious examples of activities I think need to continue without \nseparate disclosures. Among these activities are quality management, \npeer review, clinical teaching, disease management, quality reporting, \nand clinical research. What should not be allowed? Use of the \ninformation for any discriminatory practices. As lawmakers, you must \ndraw the lines between what uses of health information should be \npermitted and which should not, probably in separate anti-\ndiscrimination laws. 
As a physician, however, I am concerned that \nencouraging patients to ``opt out\'\' of information systems (either by \nsegregating information or through self-payment) can impair the quality \nof care not only for the individuals but for all of us.\n    Finally, let me address the issue of uniform confidentiality laws. \nMany provider organizations care for patients from multiple states. \nImplementing confidentiality regulations on a state-by-state basis \nwould be confusing for patients and burdensome for providers. The \nstandards which protect the confidentiality of health information \nshould not depend upon geography. Like politics, health care may be \nlocal, but the ethical and legal obligation to protect confidentiality \nshould be universal.\n    In my experience, using CPRs can definitely enhance the quality of \ncare by helping physicians make informed decisions, while also \nsubstantially improving protection of confidentiality. However, we need \nbalanced confidentiality legislation to effectively use this tool to \nachieve the benefits that I described and that the Institute of \nMedicine envisioned. In summary, we need your legislation to \ncontinuously improve the health of all Americans.\n    Again, thank you for the opportunity to appear before you today. I \nwill be happy to answer any questions.\n\n    Mr. Bilirakis. Thank you very much, Doctor.\n    Justin and Ms. Pawlak.\n\n                    STATEMENT OF LINDA PAWLAK\n\n    Ms. Pawlak. Good morning, Mr. Chairman and members of the \nsubcommittee. My name is Linda Pawlak.\n    My son Justin has asthma. Justin was diagnosed with asthma \napproximately 8\\1/2\\ years ago. At the moment of his diagnosis, \nour lives changed. We lived in fear, as his illness pervaded \nevery aspect of our lives. 
Because his illness was \nunpredictable, we placed restrictions on Justin and on our \nfamily in a vain attempt to circumvent an asthma attack, but \nbecause we were not appropriately managing his asthma, we were \nill equipped to prevent these devastating attacks. The illness \nhad complete control.\n    After approximately a year and half of suffering, Justin \ncame under the care of a wonderful asthma specialist who taught \nus that asthma was a disease requiring diligent management, \neven when he wasn\'t ill. Justin\'s health improved. However, the \nbig change didn\'t occur until we were told about, and began to \nparticipate in, an asthma management program called The Asthma \nand Allergy Support Center.\n    When Justin became a part of the program, he began logging \nonto a secured Web site on a daily basis. On his own personal \nWeb page Justin began entering his daily peak flows, \nmedications, symptoms and the potential triggers to which he \nhad been exposed. Justin\'s doctor also logs onto his Web page \non a daily basis to review Justin\'s progress. This sharing of \ninformation has allowed us and Dr. Bill to identify patterns \nand trends in Justin\'s daily management that would otherwise \nnever have become apparent. These discoveries have led to \nbetter control of Justin\'s illness and a normalization of our \nlives. This sharing of data has also provided his physician \nwith valuable information, information that could provide \nfuture improvement not only for Justin but for many of his \nother patients as well.\n    For many of his young years, Justin spoke of becoming a \nscientist so that he could find a cure for asthma. Since \nbeginning on this management program, Justin no longer speaks \nof becoming a scientist in the future. He realizes that the \ninformation derived from his participation in this program \ncould be the clue to crucial breakthroughs in asthma. 
He knows \nthat he could be helping to find a cure for asthma today, \ntomorrow and well into the future.\n    As a mother, I am eternally grateful to the physician and \nstaff members who identified Justin for potential participation \nin this program. It has changed our lives, just as it and other \nsimilar programs could change the lives of many others who bear \nthe burden of ill health. Any legislation that would impede the \nuse of information for research, that could cure this disease, \nor that would prevent others from learning about similar \ndisease management programs, would be a terrible mistake. That \nis why we think Congressman Greenwood\'s bill is a step in the \nright direction.\n    If anyone is interested, we do have the computer here with \nus so that anyone who would care to can see what Justin does on \na daily basis.\n    Thank you.\n    Mr. Bilirakis. Thank you, Ms. Pawlak. Justin, would you \nhave anything you would like to add? Your mom has plenty of \ntime left. You can do it.\n    Master Pawlak. Not really. Mostly what she said in her \nspeech is the same thing that I would say.\n    Mr. Bilirakis. She checked with you first, though, before \nshe completed it. Thank you.\n    [The prepared statement of Linda Pawlak follows:]\n             Prepared Statement of Linda and Justin Pawlak\n    Good morning Mr. Chairman and members of the Subcommittee. My name \nis Linda Pawlak. My son, Justin, has asthma. Justin was diagnosed with \nasthma approximately eight and a half years ago. At the moment of his \ndiagnosis, our lives changed. We lived in fear, as his illness pervaded \nevery aspect of our lives. Because his illness was unpredictable, we \nplaced restrictions on Justin, and on our family, in a vain attempt to \ncircumvent an asthma attack. But because we were not appropriately \nmanaging his asthma, we were ill equipped to prevent these devastating \nattacks. 
The illness had complete control.\n    After approximately a year and a half of suffering, Justin came \nunder the care of a wonderful asthma specialist who taught us that \nasthma was a disease requiring diligent management, even when he wasn\'t \nill. Justin\'s health improved. However, the big change didn\'t occur \nuntil we were told about, and began to participate in, an asthma \nmanagement program called The Asthma and Allergy Support Center.\n    When Justin became a part of the program, he began logging onto a \nsecured Website on a daily basis. On his own personal webpage, Justin \nbegan entering his daily peak flows, medications, symptoms, and the \npotential triggers to which he had been exposed. Justin\'s doctor also \nlogs onto his webpage on a daily basis to review Justin\'s progress. \nThis sharing of information has allowed us (and Dr. Bill) to identify \npatterns and trends in Justin\'s daily management that would otherwise \nnever have become apparent. These discoveries have led to better \ncontrol of Justin\'s illness and a normalization of our lives. This \nsharing of data has also provided his physician with valuable \ninformation, information that could provide future improvement not only \nfor Justin, but for many of his other patients as well.\n    For many of his young years, Justin spoke of becoming a scientist \nso that he could find a cure for asthma. Since beginning on this \nmanagement program, Justin no longer speaks of becoming a scientist in \nthe future. He realizes that the information derived from his \nparticipation in this program could be the clue to crucial \nbreakthroughs in asthma. He knows that he could be helping to find a \ncure for asthma today, tomorrow, and well into the future.\n    As a mother, I am eternally grateful to the physician and staff \nmembers who identified Justin for potential participation in this \nprogram. 
It has changed our lives, just as it (and other similar \nprograms) could change the lives of many others who bear the burden of \nill health. Any legislation that would impede the use of information \nfor research, that could cure this disease, or that would prevent \nothers from learning about similar disease management programs, would \nbe a terrible mistake. That\'s why we think Congressman Greenwood\'s bill \nis a step in the right direction.\n\n    Mr. Bilirakis. Dr. Appelbaum.\n\n                  STATEMENT OF PAUL APPELBAUM\n\n    Mr. Appelbaum. Mr. Chairman, I am Paul Appelbaum, M.D., \ntestifying on behalf of the American Psychiatric Association. I \nam Professor and Chair of the Department of Psychiatry at the \nUniversity of Massachusetts Medical School, where I treat \npatients and oversee our department\'s biomedical and health \nservices research, including our medical records-based \nresearch.\n    Mr. Chairman, ranking member Brown, I would like to thank \nyou for the opportunity to testify today. I would also like to \nthank the members of the committee and Representatives \nGreenwood, Waxman and Markey, in particular, who have focused \nthe committee\'s attention on medical records privacy by \nintroducing comprehensive legislation.\n    Recently, several Commerce Committee members, including Mr. \nMarkey and Mr. Whitfield, have raised major and, we believe, \nvery important privacy concerns about the HCFA regulations, \ndubbed OASIS, and were helpful in dealing with that issue.\n    Based on our initial analysis of the proposed legislation, \nthe APA is particularly concerned by H.R. 2470\'s lack of any \nconsent process for patients, the preemption of stronger State \nprivacy laws and the lack of essential privacy protections for \npatients in general and employees of corporations in \nparticular. 
Our concerns are heightened by the fact that there \nare major features of this legislation which represent \ndisturbing departures from most other legislative proposals in \nthis area.\n    First, this legislation is the first Republican \ncomprehensive medical records proposal which completely \ndiscards the time-tested approach of consent or authorization \nfrom patients before use or disclosure of medical records. If \nthis legislation were enacted into law, it would mark a \nfundamental change in a key principle of patient privacy. Of \ncourse, to be meaningful, consent needs to be informed, \nvoluntary and noncoerced, and many provisions of the \nlegislation introduced by Representative Markey are valuable in \nthis respect.\n    Second, unlike many of the other legislative proposals, \nH.R. 2470 does not contain specific prohibitions on employer \naccess to medical records. We are gratified to hear Mr. \nGreenwood\'s statement that he intends to address this issue.\n    Third, we strongly urge reconsideration of H.R. 2470\'s \nblanket preemption of State medical records privacy laws. \nAgain, the result of this preemption is that patients would \nlose important privacy protections that they now enjoy. Equally \nimportant, the States will lose the opportunity to enact \nstronger patient privacy laws in the future. In fact, at this \npoint, 56 medical records confidentiality bills have passed at \nleast one chamber of a State legislature this year. We support \nthe approach in the Condit-Waxman-Markey bill which protects \nstronger State laws from preemption.\n    I would like to give you a concrete example to illustrate \nthe unintended consequences that H.R. 2470 might have. I would \nlike you to imagine that you are going into your doctor\'s \noffice, and the doctor gives you a comprehensive physical \nexamination. He takes your blood, he runs some lab tests. It \nall sounds harmless enough. 
After all, you have never signed \nanything giving permission for your personal information to be \nbroadly used and disclosed. You were never told it would be \nused in such a way, and nothing was sent to you about that. But \nit will be extensively used, and nothing under 2470 would \nprevent that from happening.\n    Information from your medical records could be used for \nprivate research purposes without your consent or knowledge. \nYour age, sex, demographic information, psychiatric status and \nother information could be used for insurance underwriting and \nother broadly and vaguely defined health care operations \npurposes, again without your consent or knowledge. Your medical \nrecords can be displayed to hundreds of medical students, \nnurses and other trainees because health care operations are \ndefined to include health care education. Your medical records \ninformation and the medications you are taking can be revealed \nto pharmaceutical companies who may even contact you at home \nabout taking their new product instead.\n    We have no problem with taking advantage of the \nconsiderable benefits of medical information and the new \ntechnologies that have been described here this morning. We are \nconcerned that in that process we not sacrifice the privacy \nthat Americans cherish.\n    I would be happy to respond to your particular questions \nduring the question-and-answer period, either about 2470 or \nH.R. 10, to which Mr. Ganske referred earlier.\n    Thank you, Mr. Chairman. I look forward to working with the \ncommittee on this issue.\n    [The prepared statement of Paul Appelbaum follows:]\n    Prepared Statement of Paul Appelbaum on Behalf of the American \n                  Psychiatric Association\nIntroduction\n    Mr. Chairman, I am Paul Appelbaum, M.D., testifying on behalf of \nthe American Psychiatric Association (APA), a medical specialty \nsociety, representing more than 40,000 psychiatric physicians \nnationwide. 
I serve the APA as Vice-President and I am also Professor \nand Chair of the Department of Psychiatry at the University of \nMassachusetts Medical School. I would like to thank Chairman Bilirakis, \nRanking Member Brown, and members of the Subcommittee for the \nopportunity to testify today.\n    Mr. Chairman, we greatly appreciate your interest in passing \nmedical records privacy legislation. We also appreciate the work of Mr. \nGreenwood, Mr. Waxman, and Mr. Markey, as well as several Republican \nand Democrat members of the Committee who fought to improve the privacy \nprovisions of HCFA\'s recent OASIS medical information regulation.\n    As changes in technology and health care delivery have outpaced the \nstatutory, common law, and other protections that traditionally have \nensured patient confidentiality, the level of confidentiality enjoyed \nby patients has eroded dramatically. I greatly appreciate your efforts \nto seize this valuable opportunity to protect and restore needed \nconfidentiality protections.\nThe Need for Federal Legislation\n    I believe medical records confidentiality is one of the most \nimportant issues to come before the Subcommittee this year. Our ability \nto find a new job, earn a promotion, obtain insurance, our family and \nsocial relationships, the quality of health care, and medical research \nbreakthroughs can all be enhanced or tragically jeopardized by medical \nrecords confidentiality legislation. Our medical record, when it \nrelates to conditions as varied as high blood pressure, communicable \ndiseases, Alzheimer\'s disease, mental illness and substance abuse, \ndomestic violence, sexual assault information, terminal illnesses, HIV/\nAIDS, cancer, eating disorders, sexual function or reproductive health \nissues, as well as many other conditions, is highly sensitive.\n    But whether or not we are affected by these illnesses, medical \nrecords privacy issues affect us all. 
Today\'s comprehensive medical \nassessments and wellness questionnaires can contain questions about \npatients\' sexual behavior, social relationships, state of mind, and \npsychiatric status--even if patients are not receiving medical \ntreatment relating to these issues. The forms can also contain \nextensive personal and financial information.\n    The need for privacy legislation is compelling. In 1996, a \nfederally appointed panel of experts, the National Committee on Vital \nand Health Statistics, stated that our country faces a ``health privacy \ncrisis.\'\' And across the political spectrum, broad support exists for \naction on this issue. Many conservatives, including Phyllis Schlafly, \nhave decried the ``stealth assault on medical records.\'\' Likewise, \nliberals and civil libertarians have been fighting to secure basic \nprotections to safeguard citizens from unjustified police seizure of \ntheir medical records. Finally, there has been bipartisan concern that \nled to the suspension of any implementation of a national patient \nidentifier and the limitation of the Health Care Financing \nAdministration\'s recent medical information collection regulation, \ndubbed OASIS. Thus, it is clear that Americans of all political \npersuasions want to keep their personal medical information \nconfidential. We hope that in the current debate on medical records \nprivacy, bipartisan support can develop for enacting meaningful medical \nrecords privacy legislation into law.\nConfidentiality is a Requirement for High Quality Medical Care\n    Common sense, the experience of physicians and patients, and \nresearch data all show that privacy is a critical component of quality \nhealth care. The sad fact is that the health care system has, on \noccasion, not earned the trust of patients, and many patients do not \ntrust the system to keep their information confidential. 
In many cases, \nthe result has been that physicians are not able to provide the best \npossible quality care nor reach many individuals in need of care.\n    Some patients refrain from seeking medical care or drop out of \ntreatment in order to avoid any risk of disclosure. And some simply \nwill not provide the full information necessary for successful \ntreatment. At other times, physicians are approached by patients who \nask us not to include certain information in their medical record for \nfear that it will be indiscriminately used or disclosed. The result of \nall these behaviors resulting from patients\' reasonable concerns is \nunfortunate. More patients do not receive needed care and medical \nrecords\' data that we need for many purposes, such as outcomes \nresearch, is regrettably tainted in ways that we often cannot measure.\n    The solution is not to take short cuts that will further deprive \npatients of their rights. Instead, we must enact into law meaningful \nmedical records privacy legislation based on the voluntary informed \nconsent of patients and reliance upon the fullest possible use of \ndeidentified and aggregate patient data. In this way the full \nadvantages of patient privacy as well as the benefits of new medical \ntechnology can be harnessed.\n    Informed, voluntary, and non-coerced patient consent prior to the \nuse and disclosure of medical records should be the foundation of \nmedical records confidentiality legislation. As a general principle, we \nbelieve that the American Medical Association\'s position--that patient \nconsent should be required for disclosure of information in the medical \nrecord with narrowly drawn and infrequent exceptions permitted for \noverriding public health purposes--is eminently reasonable.\nThe Special Sensitivity of Mental Health Information and the U.S. 
\n        Supreme Court\'s Jaffee Decision\n    Patients often refrain from entering psychiatric treatment because \nof concerns about confidentiality. Not only do patients refrain from \ntelling family members and close friends the information they share \nwith their therapist, but some may not even tell their family members \nthat they are receiving mental health treatment. Often, if the \ninformation were disclosed to a spouse or an employer it might \njeopardize their marriage or employment. But even the privacy \nprotection afforded to psychotherapy notes has eroded so much in recent \nyears that many psychiatrists and other mental health professionals \nhave stopped taking notes or take only very abbreviated notes. Without \nthe very highest level of confidentiality, patients receiving mental \nhealth services will be less likely to enter treatment and less likely \nto remain in treatment. Worse yet, if confidentiality is not protected, \nthe treatment they receive will usually be less effective.\n    For these and other reasons, the U.S. Supreme Court recognized the \nspecial status of mental health information in its 1996 Jaffee v. \nRedmond decision. The court held that ``Effective psychotherapy depends \nupon an atmosphere of confidence and trust--disclosure of confidential \ncommunications made during counseling sessions may cause embarrassment \nor disgrace. For this reason the mere possibility of disclosure may \nimpede the development of the confidential relationship necessary for \nsuccessful treatment.\'\'\n    It is also worth recognizing that the extent of mental illness is \nwidespread. According to the World Health Organization mental illnesses \naccount for four out of ten of the leading causes of disability. 
I urge \nmembers of this committee not only to protect the letter of the Jaffee \ndecision but indeed to protect its spirit by including appropriate \nprovisions in the legislation.\nProvisions Needed in Congressional Legislation\n    It is not my intention to provide a detailed analysis of each bill \nbefore the Subcommittee but rather, I would like to recommend several \nkey provisions that we believe should guide the Subcommittee in its \ndeliberations, and we would be happy to provide the Committee with \nadditional recommendations as well.\n    Preemption. I believe the most important medical records privacy \nissue before the Committee is to insure that stronger state medical \nrecords privacy laws are preserved and that states\' ability to enact \nstronger medical records privacy laws are preserved. States have \nadopted valuable protections for patients, including laws limiting the \ndisclosure of pharmacy records and laws blocking insurers\' access to \nverbatim psychiatric notes. States are also actively considering \nnumerous additional proposals. In fact, the National Council of State \nLegislatures estimates that a total of 56 medical records \nconfidentiality bills have passed through at least one chamber of a \nstate legislature. We must not block states\' efforts to protect \ncitizens\' medical privacy. We recommend that the provisions in H.R. \n2470 be modified to adopt a floor preemption approach as contained in \nthe Condit-Waxman bill.\n    Consent. APA believes three principles should govern those sections \nof the legislation concerning authorization and consent for disclosure. \nFirst, patients themselves should decide whether or not personal health \ninformation is disclosed. Consent before use and disclosure of medical \nrecords is critically important and this time-tested approach should be \npreserved and strengthened in order to remain meaningful in the \nchanging world of health care delivery. 
In general, whatever problems \nmay now exist with confidentiality of health information are derived \nfrom our failure to observe this principle. No one is in a better \nposition than patients themselves to identify sensitive information and \nto determine to whom it ought not to be revealed. Those who would alter \nthis traditional approach have failed to justify such a radical change.\n    Second, identifiable personal health information should be released \nonly when deidentified data is inadequate for the purpose at hand. \nThird, even when consent has been obtained, disclosure should be \nlimited to the least amount of personal health information necessary \nfor the purpose at hand. This is consistent with our recognition of the \nimportance of protecting medical privacy.\n    These principles have implications for some of the major policy \nquestions regarding authorization of disclosure. For patients to retain \nmeaningful control over personal health information, prospective \nconsent for routine disclosures of identifiable information should be \nlargely limited to information needed for treatment and payment \npurposes. Other health care operations can usually be accomplished with \ndeidentified data. With such a provision, a strong incentive will exist \nfor the use and further enhancement of technology to perform a wide \narray of administrative functions.\n    We are extremely concerned because H.R. 2470 reverses the time-\ntested principle of consent before disclosure. Many patients will not \neven be aware that their most sensitive information is being used or \ndisclosed for a host of purposes far beyond treating their illness or \npaying for the service. Were this legislation to be enacted into law, \nwe fear that gradually patients would learn how little control they \nhave over disclosure of their most personal information. 
As a result, \nmany patients would refrain from providing their physician with the \nfull information about their medical condition or they would refrain \nfrom obtaining care.\n    Unlike each one of the other three Republican bills before the \nCongress, i.e. Senate bills introduced by Senator Robert Bennett (R-UT) \nand Senator James Jeffords (R-VT) and a House bill introduced by \nRepresentative Chris Shays (R-CT), the Greenwood bill eliminates the \nprinciple of current law requiring consent before disclosure. We \nstrongly urge the Committee to adopt an alternative approach based on \nthe aforementioned principles.\n    Health Care Operations. In particular, the APA is also very \nconcerned by the definition of ``operations\'\' in H.R. 2470. Entities \nproviding health care can use and disclose this information for \n``operations\'\' purposes, i.e. many purposes not directly related to \ntreating a patient or performing payment or reimbursement functions. \nSome of the terms that are used to define ``operations\'\' are quite vague \nand broad and could endanger patient privacy. Do we really want to \npermit patients to be terminated from their health care coverage \nbecause they don\'t want their personal records to be used for largely \ncommercial functions that can be performed with aggregate data?\n    Employee Protections. Millions and millions of Americans have great \nconcern about the threat to confidentiality of their medical records \ndue to employer access. Whether it is idle gossip by individuals with \naccess to medical records, employer review of identifiable medical \nrecords data, or supervisors\' inappropriate interest in the personal \nlives of their employees, we must protect employees\' right to medical \nrecords privacy. 
Wouldn\'t most people want to decide if anyone in their \ncompany, not to mention their supervisor, would know if they obtained \nmedical care from a psychiatrist, from a cardiologist, from an \nobstetrician/gynecologist, or from an oncologist?\n    We believe that the strong, explicit protections are needed in this \narea such as the provisions included in several bills, most notably \nthose introduced by Senator Robert Bennett (R-UT) and separate \nlegislation introduced by Representatives Gary Condit (D-CA) and Henry \nWaxman (D-CA). Loopholes in H.R. 2470\'s definition of ``health plan\'\' \nand ``protected health information\'\' also need to be closed so that \nemployees can be assured of adequate medical privacy protections.\n    Needed Protections for Particularly Sensitive Medical Information. \nAs indicated above, especially sensitive information, including mental \nhealth information needs to receive a very high level of protection. \nIndeed, the U.S. Supreme Court itself in its Jaffee decision recognized \nthat additional privacy protections, above and beyond those afforded to \nother health information, are needed to insure effective psychiatric \ncare. APA believes that in order to promote high quality medical care \nand patient privacy, the Congress should pass legislation that provides \na level of protection high enough so that no class of information needs \nadditional protections. However, in the event that the Congress \nproceeds with legislation that does not meet this test, strong \nadditional privacy protections will clearly be needed for mental health \ninformation.\nMedical Records Provisions of H.R. 10, Financial Services Modernization \n        Legislation.\n    Any discussion of current medical records legislation involving the \nHouse Commerce Committee must also focus on the damaging medical \nrecords provisions included in H.R. 
10, the Financial Services \nModernization bill soon to be discussed before a House-Senate \nConference Committee. Despite the good intentions that led to the \nadoption of these provisions, we remain extremely concerned that this \nlegislation will hurt, not help, the cause of medical records privacy, \nboth because of the legislation\'s likely preemption of state privacy \nlaws and its lack of basic medical records privacy provisions contained \nin all the medical records privacy legislation before the Congress.\n    We attach a letter signed by 40 physician, provider, patient, and \nother organizations opposing these provisions. Groups opposing these \nprovisions include the American Medical Association, the American \nAssociation of Family Physicians, the American Lung Association, the \nService Employees International Union, and the American Federation of \nState, County and Municipal Employees.\nConclusion\n    As physicians, we take an oath first stated by Hippocrates that, \n``Whatsoever things I see or hear concerning the life of men, in my \nattendance on the sick--I will keep silence thereon, counting such \nthings to be as sacred secrets.\'\' In order to make sure that doctor-\npatient confidentiality continues to protect patients in the new \nmillennium, I strongly urge the Committee to provide the highest \npossible level of confidentiality in your legislation.\n    We thank you for this opportunity to testify, and we look forward \nto working with the Committee on these important issues.\n                                 ______\n                                 \n    NOTE: Over 40 groups signed on to this letter including the \nAmerican Medical Association, American Lung Association, and Service \nEmployees International Union.\n\n                                                      June 29, 1999\nMember of Congress\nHouse of Representatives\nWashington, DC 20515\n\nMedical Records Provisions of H.R. 
10 Undermine Patient Privacy\n\n    Dear Representative: The undersigned physician, provider, patient, \nand other national organizations strongly support medical records \nconfidentiality not only from a personal privacy perspective, but also \nbecause of the critical importance of patient privacy for high quality \nmedical care. We greatly appreciate the well-intentioned efforts of the \nmany members that have resulted in the medical records privacy \nprovisions of H.R. 10. Nevertheless, we have both serious procedural \nand substantive concerns about these provisions and urge that they be \ndeleted from the bill.\n    We are particularly concerned because Section 351 of the bill would \nallow the use and disclosure of medical records information without the \nconsent of the patient in extraordinarily broad circumstances. To give \njust two examples, law enforcement entities would enjoy virtually \nunfettered access to medical records and insurance companies could \nreview individual medical records in performing marketing studies. The \nlist of entities that could obtain medical records is also extensive. \nWhy should life insurers, auto insurers, and even insurers providing \ntravel cancellation insurance be able to routinely access patients\' \nentire medical records without patient consent or even knowledge?\n    To complicate matters further, the legislation establishes no \nlimitations on subsequent disclosures of medical records to non-\naffiliated entities. Once a disclosure has occurred, there is no \nlimitation on the types of disclosures that the recipient of this \ninformation may make. 
Thus, if an insurer contracts out a certain \nauthorized service to a bill collection agency or an administrative \nsupport company, nothing in the legislation would prevent these \norganizations from disclosing or selling the information for a host of \ninappropriate purposes far beyond any legitimate health use.\n    The legislation lacks basic protections included in all the major \nconfidentiality bills before the Congress. The legislation lacks \nspecific requirements for physical, technical, and administrative \nsafeguards to prevent unintended disclosures of medical records. Nor \ndoes the legislation encourage the use of deidentified medical records \nor insure that patients will receive notice of the confidentiality, \nuse, and disclosure practices of the insurance companies.\n    Confidentiality between the doctor or other health care \nprofessional and the patient is an essential component of high quality \nhealth, and particularly mental health, care. Unfortunately, the \nmedical records confidentiality provisions in H.R. 10 will deter many \npatients from seeking needed health care and deter patients from making \na full and frank disclosure of critical information needed for their \ntreatment.\n    We also have numerous procedural concerns. Because the Senate HELP \nCommittee has not yet been able to report out comprehensive medical \nrecords privacy provisions, H.R. 10\'s provisions, intended as a \ntemporary measure until comprehensive legislation is enacted into law, \ncould now become long-lasting. This is extremely troublesome because \nH.R. 10 is designed to address only certain narrow aspects of medical \nrecords privacy and leaves key issues unresolved. We are deeply \nconcerned that passage of H.R. 10\'s current medical records privacy \nlanguage has the potential to undermine enactment of comprehensive \nmedical records privacy legislation.\n    Thank you for considering these important issues. 
For further \ninformation, please contact William Bruno of the American Psychiatric \nAssociation at (202) 682-6194.\n            Sincerely,\nAmerican Psychiatric Association; American College of Occupational \n         and Environmental Medicine; American Academy of Child and \n     Adolescent Psychiatry; American Academy of Family Physicians; \n American Association of Occupational Health Nurses, Inc; American \n  Association for Psychosocial Rehabilitation; American College of \nPhysicians--American Society of Internal Medicine; American College \n     of Surgeons; American Counseling Association; American Family \n   Association; American Family Foundation; American Federation of \nState, County, and Municipal Employees; American Lung Association; \n       American Medical Association; American Occupational Therapy \n           Association; American Osteopathic Association; American \n   Psychoanalytic Association; American Psychological Association; \n American Society for Gastrointestinal Endoscopy; American Society \n  of Clinical Psychopharmacology; American Society of Cataract and \nRefractive Surgery; American Society of Plastic and Reconstructive \nSurgeons; American Thoracic Society; Anxiety Disorders Association \n         of America; Association for Ambulatory Behavioral Health; \n Association for the Advancement of Psychology; Bazelon Center for \n Mental Health Law; Corporation for the Advancement of Psychiatry; \n   Federation of Behavioral, Psychological and Cognitive Sciences; \n          Infectious Disease Society; International Association of \n     Psychosocial Rehabilitation Services; National Association of \n      Developmental Disabilities Councils; National Association of \nPsychiatric Treatment Centers for Children; National Association of \nSocial Workers; National Association of State Mental Health Program \n  Directors; National Council for Community Behavioral Healthcare; \n    National Depressive and Manic Depressive Association; 
National \n         Foundation for Depressive Illness; National Mental Health \n  Association; Renal Physicians Association; and Service Employees \n                                               International Union.\n\n    Mr. Bilirakis. Thank you very much, Doctor.\n    Ms. Feldblum. I am sorry, did I mess up your name?\n\n                   STATEMENT OF CHAI FELDBLUM\n\n    Ms. Feldblum. Oh, if you did, you would join a long list. \nActually, it is the first name that people have trouble with.\n    My name is Chai Feldblum. I am a law professor at \nGeorgetown Law School, and I created and run a Federal \nLegislation Clinic where I teach students what I call the art \nof legislative lawyering, which is the art of merging politics \nand law. And I will second all the comments some of you have \nmade about this bill. We have been working on this for 6 years, \nand I can tell you we have had hundreds of quality teaching \nmoments on this bill because of how complicated it is.\n    One of the pro bono clients of the clinic is the Privacy \nWorking Group of the Consortium for Citizens With Disabilities, \nthat is, it is the coalition of people with disabilities. We \nrepresent the asthma groups, the diabetes groups, epilepsy, \ncancer, et cetera.\n    For people with disabilities, having an effective health \ncare system is key. We have never seen this as balancing \nprivacy against an effective health care system. It has always \nbeen for us in the 6 years we have been working, how do we \nenhance the privacy protections in the health care system so \npeople have trust in the system so that it works well. That has \nalways been our goal.\n    We are also a very practical group. We know we have a \nparticular approach to have effective privacy and effective \nhealth care system, but industry stakeholders might have a \ndifferent approach. 
So we have spent a significant amount of \ntime in two forums finding out what are the concerns of \nindustry stakeholders so that the description, Mr. Greenwood, \nyou gave of the health care system you would like to see fits \nthe language that is in the bill that you have authored. That \nis our goal in this clinic, that the rhetoric of the intention \nfits the actual words that are used.\n    My assessment in reading 2470 and my written testimony is \nin significant detail, excruciating to some, welcome to others; \nI will give you only the highlights here. What I see in 2470 is \nabsolutely the intention to achieve the goals that you have \ndescribed. A few areas where the legal words are simply not \ngoing to achieve that result--I don\'t think any of these are \ninsurmountable.\n    I think some are more difficult than others. I think \nprivate right of action and preemption will be more difficult \nthan others because of policy, but some of the other things \nthat I think are problematic in the bill, I don\'t think are \ninsurmountable. Why don\'t I? Because we have been working with \nindustry, not just here on the House side, but over on the \nSenate side, outside of the legislative process.\n    The Health Privacy Working Group that Mr. Nielsen referred \nto--and Mr. Chairman, I would like to introduce that report \ninto the record if I may.\n    Mr. Bilirakis. 
Without objection.\n    [The report follows:]\n    [GRAPHIC] [TIFF OMITTED] T8501.001 through T8501.052\n    \n    Ms. Feldblum. Was an effort by people from a whole range--\nconsumers, industry, providers, researchers--to come up not \nwith a template for Federal legislation, but a set of best \nprinciples that industry would voluntarily take on, that you \nnow in Congress could look to as a model as you are trying to \nmake the words fit the rhetoric.\n    Okay, so let me tell you the few things where I think the \nwords are really problematic, but not insurmountable and then a \nfew I think where the policy is difficult.\n    One, health care operations, heard this a lot. The problem \nwith health care operations, of course, is that it is in the \ncompelled authorization that when I go and I sign, go for \ntreatment, I have to sign an authorization for treatment, \npayment and health care operations. We in CCD didn\'t like the \nidea that you had to sign up for health care operations. We \nlove disease management. We want to see more of it, but we want \nit to have the chance to opt in to disease management.\n    Okay. We have basically given that up on the Senate side. \nYou know, we have said that compelled authorization is going to \ninclude some treatment which will have some forms of disease \nmanagement.\n    Now, we haven\'t given it up completely because it has to be \ntied to the individual, but we have been willing to live with \nthe compromise. Why? Because the industry was willing to live \nwith one thing. They took out the word ``including\'\' in your \ndefinition of health care operations. 
Right now health care \noperations is anything to implement the terms of the \ncontract--``including,\'\' and a whole list of the things. The \nminute you have the word ``including,\'\' as a legal matter, you \nhave no boundary. So there is a change that can be made in H.R. \n2470 that can take care of that problem.\n    A much more difficult problem, and I only saw it 2 days \nago--first time I saw this change--is that I think the industry \nhad some concern about use and disclosure as it was done on the \nSenate side; and 2470 says that when a health plan or provider \nhas protected health information, it can use that information \nfor treatment, payment, health care operations and research. It \ncan just use it.\n    Now, one effect of that is that they don\'t have to get an \nauthorization, but to me that would have been a compelled \nauthorization anyway. The bigger problem is that all of the \nrules of the law that apply to disclosure, how you have to be \ncareful about disclosure, suddenly go out the window so long as \nit is a use for treatment, payment, health care operations and \nresearch. It is just a few legal words, and it completely \nundoes the rhetoric of what I understood you are trying to \nachieve.\n    Now, let me make a few comments on the three policy areas. \nOne is research. We, of all groups, want research.\n    Who was it who said that her daughter is in a research \ntrial?\n    Mr. Bilirakis. Ms. Capps.\n    Ms. Feldblum. We want research to work well, but we also \nwant an incentive for researchers to use nonidentifiable data \nwhen that will be okay for the research. Now, we in CCD say \nthere should be an IRB system. Section 208 of H.R. 2470 right \nnow has just a completely internal review system with no \nstandard. To me, that is like almost two ends of the spectrum.\n    It is worth looking at what a group that was sort of in the \nmiddle came up with, which was to have an equivalent level of \nreview and accountability. 
They had some issues with IRBs, but \nthey wanted an equivalent level of review and accountability. \nWhat is in 2470 right now isn\'t that. It can become that \nthrough negotiation and compromise, but it is not yet in \nresearch.\n    On private right of action, every single----\n    Mr. Bilirakis. Try to summarize if you can, Ms. Feldblum. \nWe are all fascinated here, to be honest with you, but I guess \nI can\'t let it go on too long.\n    Ms. Feldblum. In private right of action, every privacy act \nthat this Congress has passed has included a private right of \naction because if you ask any lawyer worth his or her salt, do \nyou want criminal and civil penalties where you have to depend \non someone else to have the resources to bring the case, or do \nyou want a private right of action that you can go into court, \nany lawyer worth his or her salt, if they are trying to achieve \neffective remedies will ask you for the latter. So if you don\'t \nput that latter in, you are not creating the effective \nremedies.\n    And on preemption, again, I would recommend that you look \nto some of the compromises that had been worked out on the \nSenate side. We are not thrilled with it at the moment, but it \nis a movement that at least grandfathers in existing State laws \nand allows a carve-out for certain areas where it would be very \nproblematic if you had a little vacuum cleaner preemption \nlanguage, which is what you have, causing incredible, \ninadvertent consequences.\n    So I will conclude by saying I think this Congress can pass \ngood, effective privacy legislation. It has been trying to do \nso for 20 years, and now in fact is the time you might be able \nto do it; but only, in my mind, if you build on the consensus \nand the compromise that has been happening over the last 6 \nmonths to a year, not start with something that is way back.\n    Build on the consensus that has developed already from \ndifferent arenas. 
Work with all of us so it is in fact a bill \nthat is bipartisan and is in fact a bill that is not just \nsupported by industry but by consumers. I can guarantee to you \ntoday there is a bill that we can support and that industry can \nsupport, and that will make a difference for this country. You \nhave to make sure that we get that opportunity to do that work \ntogether.\n    Thank you.\n    [The prepared statement of Chai Feldblum follows:]\n Prepared Statement of Chai Feldblum on Behalf of the Privacy Working \n         Group of the Consortium for Citizens with Disabilities\n                            i. introduction\n    My name is Chai Feldblum and I am a Professor of Law and Director \nof the Federal Legislation Clinic at Georgetown University Law Center. \nI am here today representing one of the Clinic\'s pro bono clients, the \nConsortium for Citizens with Disabilities (CCD) Privacy Working Group. \nMany members of the Privacy Working Group are also members of the \nConsumer Coalition for Health Privacy, an initiative of the Health \nPolicy Project at Georgetown University. Indeed, the Chair of the \nPrivacy Working Group--Jeff Crowley of the National Association of \nPeople with AIDS--is on the steering committee of the Consumer \nCoalition for Health Privacy.\n    CCD is a Washington-based coalition of nearly 100 national \ndisability organizations that advocates with and on behalf of children \nand adults with disabilities and their families. All persons who \nreceive health care services in this country have reason to be \nconcerned with the inappropriate use of highly personal information \nthat is collected about them within the health care system. As a \ncoalition representing people living with disabilities, however, CCD\'s \nviews on this issue are somewhat unique. 
Because people with \ndisabilities have extensive medical records and sometimes stigmatizing \nconditions, such individuals feel a particular urgency to secure new \nprivacy protection at the federal level. At the same time, many people \nwith disabilities interact on almost a daily basis with the medical \nestablishment and thus benefit from a well-run, effective health care \nsystem. Such individuals do not want federal privacy protection to \nreduce the effectiveness of the health care system they must navigate \non an ongoing basis.\n    All of our work in this area has taught us that the desire for \nmedical privacy and the desire for an effective health care system are \nneither in conflict with each other, nor do they require ``balancing\'\' \nof one interest against another. Rather, establishing privacy \nprotection can enhance the operation of the health care system, by \nincreasing individuals\' trust and confidence in that system. A national \nsurvey released in January 1999 found that one in six Americans engages \nin some form of ``privacy protective behavior\'\' because he or she is \nafraid of confidentiality breaches regarding their sensitive medical \ninformation. These activities include withholding information from \nhealth care providers, providing inaccurate information, doctor-hopping \nto avoid a consolidated medical record, paying out of pocket for care \nthat is covered by insurance, and--in some cases--avoiding care \naltogether.<SUP>1</SUP> None of this is good for either consumers or \nthe health care system.\n---------------------------------------------------------------------------\n    \\1\\ California HealthCare Foundation, National Survey: \nConfidentiality of Medical Records (January 1999). The survey was \nconducted by Princeton Survey Research Associates. 
Results are \navailable at www.chcf.org/conference/survey.cfm.\n---------------------------------------------------------------------------\n    The CCD Privacy Working Group has developed a set of principles for \nhealth information privacy legislation designed to achieve the twin, \nmutually enhancing, goals of increasing privacy protection in the \nhealth care system and creating an effective health care system. The \nCCD Privacy Working Group has also worked with the Consumer Coalition \nfor Health Privacy in the development of its principles. If there is no \nobjection, I would like to submit these principles for the record.\n    Because the CCD Privacy Working Group believes it is imperative for \nCongress to pass federal medical privacy legislation, we have also \nworked diligently over the past several years to understand the \nconcerns of all interested stakeholders in this area--including health \ncare providers, health plans, pharmaceutical companies, researchers, \npublic health departments, law enforcement officials, and state \nlegislatures--to help bring about a consensus between our members and \nthose stakeholders. We have done that work in two forums. First, as \npart of the federal legislative process, we have engaged in discussions \nand negotiations to help develop a consensus piece of federal \nlegislation. Thus far, as a legislative matter, that work has primarily \ntaken place with interested stakeholders under the aegis of the Senate \nCommittee on Health, Education, Labor and Pensions, and has resulted in \na proposed Senate Committee Chairman\'s mark to be offered by Senator \nJames Jeffords. 
While the CCD Privacy Working Group has some remaining \nconcerns with Senator Jeffords\' legislation, we believe that \nlegislation represents significant movement and consensus on the part \nof all interested stakeholders in this debate.\n    Second, Jeff Crowley, Chair of the CCD Privacy Working Group, \nparticipated in a year-long effort coordinated by the Health Privacy \nProject at Georgetown University. Under the leadership of Janlori \nGoldman, Director of the Health Privacy Project and a long-time privacy \nadvocate and policy analyst, the Project convened a Health Privacy \nWorking Group consisting of high-level representatives from disability \nand mental health groups, health plans, providers, employers, standards \nand accreditation organizations, and experts in public health, medical \nethics, information systems, and health policy.<SUP>2</SUP> The mission \nof the Working Group was to ``achiev[e] common ground on `best \nprinciples\' for health privacy and identif[y] a range of options for \nputting those principles into practice.\'\' <SUP>3</SUP> The Working \nGroup was not intended to create a template for federal legislation. \nRather, it was designed to create a set of ``best principles\'\' that \nproviders and plans could voluntarily put into place even before \nfederal rules were enacted. Thus, some key issues for the CCD Privacy \nWorking Group that are unique to federal legislation were not addressed \nby that group (but will be addressed in this testimony). Nevertheless, \non a wide range of issues--from rules regarding use and disclosure, to \nstandards for authorization, to interaction with law enforcement--the \nHealth Privacy Working Group forged critically important agreements \nthat may serve as guidance for Congress in the development of federal \nlegislation. 
I would like to ask that a copy of that report be included \nin the record following my written testimony.\n---------------------------------------------------------------------------\n    \\2\\ Comprehensive member biographies are available as an Appendix \nto the Health Privacy Working Group Report. See Health Privacy Working \nGroup, Best Principles for Health Privacy, at 46-50.\n    \\3\\ Best Principles, at 12 (July 1999).\n---------------------------------------------------------------------------\n    With these two experiences as background--the negotiations we have \nengaged in with various stakeholders at the federal level over the past \nfour years, and the Health Privacy Working Group\'s discussions of the \npast year--we are pleased to offer you comments on H.R. 2470, the \nMedical Information Protection Act of 1999, sponsored by \nRepresentatives Greenwood, Shays, Norwood, and LaTourette, and H.R. \n1941, the Health Information Privacy Act, sponsored by Representatives \nCondit, Waxman, Markey, Dingell, and Brown of Ohio. We are disappointed \nthat H.R. 2470 fails to include many of the most basic provisions that \nboth industry representatives and consumer groups were apparently \nwilling to live with in a spirit of compromise and in a desire to move \nforward bipartisan, consensus legislation--as reflected in our \nrespective public positions on Senator Jeffords\' proposed committee \nmark. Thus, if anything, H.R. 2470 represents a step backwards from the \nsignificant movement that has been made over the past six months by all \ninterested stakeholders. Nevertheless, perhaps because we are eternal \noptimists in the CCD Privacy Working Group--and certainly because we \nare committed to the passage of effective federal privacy legislation--\nwe hope this hearing represents an honest and committed effort on the \npart of all members of the committee to consider changes to H.R. 
2470 \nthat will transform it into a bill that is capable of moving forward \nwith broad bipartisan support.\n    The CCD Privacy Working Group would prefer that H.R. 1941 be the \nbasis for legislative action, because that legislation already \nrepresents a process of negotiation and compromise among a range of \nviews. Nevertheless, we believe that certain changes to H.R. 2470 would \ncreate a minimally acceptable bill that the CCD Privacy Working Group \ncould support, rather than a bill that we must regretfully inform our \nmembers and the public represents such a serious threat to health care \nprivacy that it should be defeated.\n    In this testimony, I will comment on almost all sections of both \nH.R. 2470 and H.R. 1941.<SUP>4</SUP> I hope this analysis will \ndemonstrate to the Committee that there are only a few sections of H.R. \n2470 that need to be modified in order to make the bill minimally \nacceptable. Of course, those changes deal with significant, and at \ntimes, contested policy determinations. Nevertheless, I believe our \nrecommendations represent not only correct policy determinations, but I \nalso believe--based on compromises we are willing to make in this \nlegislation--that these changes are ones industry stakeholders should \nbe able to agree to as well.\n---------------------------------------------------------------------------\n    \\4\\ Where the sections of the bills do not differ significantly \nfrom each other, and/or from CCD\'s principles, I have not presented an \nanalysis of those sections. I would be happy to supplement my \ntestimony, within the week, with an analysis of those sections as well.\n---------------------------------------------------------------------------\n                ii. analysis of h.r. 2470 and h.r. 1941\n    The analysis of H.R. 2470 and H.R. 1941 uses the order of sections \nestablished in H.R. 2470.\nA. Access to Records\nH.R. 2470\nSec. 101. 
Inspection and Copying of Protected Health Information\nSec. 102. Amendment of Protected Health Information\nH.R. 1941\nSec. 201. Right of Access\nSec. 202. Right of Correction and Amendment\n    Both the CCD Privacy Working Group and the Consumer Coalition for \nHealth Privacy include the following as one of their principles for \nfederal legislation:\n        Federal legislation should guarantee an individual the right to \n        access his or her own health information and the right to amend \n        such information. Individuals should have the right to access \n        and amend their own medical records so that they can make \n        informed health care decisions and can correct erroneous \n        information in their records.\n    This principle was also adopted as principle #3 by the Health \nPrivacy Working Group.\n    Both H.R. 2470 and H.R. 1941 embody this principle. H.R. 1941 does \nso by providing individuals the right to inspect, copy, and amend their \nprotected health information as set forth in the recommendations \nconveyed to Congress by the Secretary of Health and Human Services \npursuant to the requirements of the Health Insurance Portability and \nAccountability Act of 1996 (``Secretary\'s HIPAA \nrecommendations\'\').<SUP>5</SUP> H.R. 2470 achieves essentially the same \nresult by setting forth the rights and responsibilities of consumers, \nproviders, and agents with regard to access and amendment. Although the \nCCD Privacy Working Group would prefer that there be explicit time \nlimits in the legislation regarding requests for access and amendment, \nwe find this section to be acceptable.<SUP>6</SUP>\n---------------------------------------------------------------------------\n    \\5\\ Secretary of Health and Human Services, Confidentiality of \nIndividually-Identifiable Health Information (September 11, 1997). 
\nRecommendations submitted to the Committee on Labor and Human Resources \nand the Committee on Finance of the Senate; and the Committee on \nCommerce and the Committee on Ways and Means of the House of \nRepresentatives pursuant to Section 264 of the Health Insurance \nPortability and Accountability Act of 1996.\n    \\6\\ Our concerns with regard to parents accessing the records of \ntheir minors are dealt with in the sections on ``next of kin\'\' and \n``individual representatives.\'\'\n---------------------------------------------------------------------------\nB. Notice of Confidentiality Practices\nH.R. 2470\nSec. 103. Notice of Confidentiality Practices\nH.R. 1941\nSec. 204. Right to Notice of Information Practices and Opportunity to \nSeek Additional Protections\n    The Consumer Coalition for Health Privacy includes the following as \none of its principles:\n        Individuals should be notified about how their medical records \n        are used and when their individually identifiable health \n        information is disclosed to third parties. Individuals should \n        be given written, easy-to-understand notice of how their \n        individually identifiable health information will be used and \n        by whom. 
With such notice people can make informed meaningful \n        choices about uses and disclosures of their health information.\n    This same principle was adopted by the Health Privacy Working Group \nas Principle #4.<SUP>7</SUP> The Working Group noted that components of \nsuch notice should include: a description of how information will be \ncollected and the information source (such as a medical record, \ntreatment notes, and information from third parties); how the entity \nwill use the information, and how, when, and for what purposes the \nentity will request patient authorization; what information the patient \nis permitted to inspect and copy and how to access such information; \navailable steps, if any, to limit access and the consequences, if any, \nof refusing to authorize disclosure; the health care organization\'s \npolicy for making disclosures with and without patient authorization \n(such as for research purposes, to law enforcement, for treatment \npurposes, etc.); and any other information relevant to the health care \nentity\'s data practices.\n---------------------------------------------------------------------------\n    \\7\\ ``Individuals should be given easy-to-understand written or on-\nline notice of how their information will be used and by whom.\'\' Best \nPrinciples, at 19.\n---------------------------------------------------------------------------\n    Section 103 of H.R. 2470 attempts to provide an adequate notice \nrequirement, but fails in several regards. First, H.R. 2470 requires \nentities to post or provide notice of the entity\'s confidentiality \npractices. Posting notices is clearly not as efficient a means of \ninforming consumers as would be providing notices to individuals in \nwritten or on-line form. For example, Senator Jeffords\' proposed \ncommittee mark requires that notice be posted and provided.\n    Second, the notice contemplated by H.R. 
2470 includes notice of \n``the uses and disclosures of protected health information authorized \nunder this Act.\'\' Unfortunately, because section 202 of H.R. 2470 \nallows entities to use a consumer\'s protected health information for \ntreatment, payment, health care operations, and health research without \never obtaining an authorization from the consumer for such use, this \npart of the notice will presumably ring relatively hollow. The use \nallowed under Sec. 202 is particularly broad in light of the fact that \n``health care operations\'\' is defined in H.R. 2470 as any activity \nundertaken ``to implement the terms of a contract for health plan \nbenefits.\'\' Because there is no limitation as to what a plan can put \ninto its contract, there is similarly no limitation on the types of \nactivities the plan may engage in to implement those terms.<SUP>8</SUP> \nThe open-ended definition of health care operations, combined with H.R. \n2470\'s allowance of uses for such activities to be engaged in without \neven obtaining an authorization from the consumer, belies the title of \nthis Act (``Medical Information Protection Act of 1999\'\'). Because it \nis unclear to us whether section 202 was intended to have this drastic, \nadverse result (we certainly hope not), if section 202 is modified to \ncreate a more reasonable result, the notice section of H.R. 2470 (as \nwell as the substance of the bill) will once again regain some meaning. \n(Such notice should, however, still be provided directly to the \nindividual, as well as merely posted by the entity.)\n---------------------------------------------------------------------------\n    \\8\\ This definition stands in sharp contrast to Senator Jeffords\' \nproposed committee mark, which includes the same list of activities as \n``health care operations,\'\' but provides that health care operations \nmeans only those activities. 
To accommodate industry concerns regarding \nthe possible future existence of necessary health care operations, the \nJeffords bill includes within the definition of health care operations: \n``such other services as the Secretary determines appropriate through \nregulations (after notice and comment).\'\' Sec.(4)(7).\n---------------------------------------------------------------------------\n    The comparable provision in H.R. 1941, sec. 204, includes an \nexplicit provision that a consumer be given ``a reasonable opportunity \nto seek limitations on the use and disclosure of protected health \ninformation in addition to the limitations provided in such \npractices,\'\' and that the entity ``obtain a signed acknowledgment from \nthe protected individual acknowledging that the notice . . . has been \nprovided to the protected individual.\'\' The reason H.R. 1941 includes \nthese provisions is because it creates a system in which an entity is \nnot required to obtain a prior authorization from the consumer in order \nto use the consumer\'s protected health information for purposes of \ntreatment and payment. (See Sec. 301. Provision and payment for health \ncare.) Although the CCD Privacy Working Group would prefer that a prior \nauthorization be required, we have already agreed that health care \nproviders and plans may be permitted to essentially compel such \nauthorizations from the consumer by conditioning the delivery of \nservice or payment on receipt of such authorization. Given that \nagreement on our part, the main purpose of a prior authorization for \ntreatment or payment would have been to provide notice to the consumer \nof how protected health information would be used, and to provide that \nindividual an opportunity to seek additional restrictions on use and \ndisclosure. The provisions of section 204 in H.R. 1941 ultimately \nachieve those same two goals. Moreover, section 301(c) of H.R. 
1941 \nalso includes another essential component from our perspective: it \nallows an individual who pays for the care himself or herself to \nrestrict disclosure to a health care payer of the protected health \ninformation created or received in the course of receiving such care. \nH.R. 2470 lacks this critical component (above and beyond the fact that \nit lacks any authorization at all for the ``use\'\' of health care \ninformation for payment purposes.)\nC. Establishment of Safeguards\nH.R. 2470\nSec. 111. Establishment of Safeguards\nH.R. 1941\nSec. 104. Safeguards Against Misuse and Prohibited Disclosures\n    The Consumer Coalition for Health Privacy includes the following as \none of its principles:\n        The development of security safeguards for the use, disclosure, \n        and storage of personal health information should be required. \n        Appropriate safeguards should be in place to protect \n        individually identifiable health information from unauthorized \n        use or disclosure.\n    The Health Privacy Working Group also adopted, as Principle #6, \nthat ``health care organizations should implement security safeguards \nfor the storage, use, and disclosure of health information.\'\' Although \nthe Working Group did not discuss specific security controls at great \nlength, there were a number of safeguards that were discussed in the \ncontext of ``fair information practices.\'\' They included:\n\n<bullet> Health care organizations should endeavor to limit access to \n        personally identifiable health information on a need-to-know \n        basis. 
Employers, for example, should endeavor to restrict \n        access to personally identifiable health information strictly \n        to those employees who need access for payment or treatment \n        purposes.\n<bullet> In keeping with Principle #1, health care organizations should \n        remove personal identifiers to the fullest extent possible and \n        practical, consistent with maintaining the usefulness of the \n        information.\n<bullet> All disclosures of personally identifiable health information \n        should be limited to the information or portion of the medical \n        record necessary to fulfill the purpose of the disclosure.\n<bullet> Health care organizations should maintain a record of \n        disclosures of information that identifies an \n        individual.\n<bullet> Personally identifiable health information should be \n        used within an organization only when such information is \n        necessary to carry out the purpose of the activity, for \n        purposes reasonably related to the purpose for which the \n        information was collected, and for which the patient has been \n        given notice.\n<bullet> Organizations should consider whether they are able to provide \n        patients with a greater degree of anonymity in certain \n        circumstances through the use of opt-outs, pseudonyms, \n        identification numbers, or tagging information for additional \n        protections.\n    It appears that the six subsections of Sec. 111(b) of H.R. 2470 \nattempt to approximate some of these fair information practices and we \napplaud that effort. Unfortunately, however, until section 202\'s broad \nallowance of ``uses\'\' is modified, some of these safeguards will be \nuseless. For example, Sec. 
111(b)(5) calls upon entities to have an \n``appropriate mechanism for limiting disclosures to the protected \nhealth information necessary to respond to the request for \ndisclosure.\'\' (This parallels the substantive requirement in \nSec. 202(c): ``Every disclosure of protected health information by a \nperson under this title shall be limited to the information necessary \nto accomplish the purpose for which the information is disclosed.\'\') \nBut under Sec. 202(a), and repeated again for double clarity in \nSec. 202(b)(1)(B), any use of protected health information for \ntreatment, payment, health care operations, and health research--\nwhether such use takes place within the entity or outside the entity--\nis not a disclosure under H.R. 2470.\n    The problem created by H.R. 2470 does not result simply from \ncreating a distinction between ``use\'\' and ``disclosure.\'\' Although \nmembers of the CCD Privacy Working Group have never understood, as a \nconceptual matter, why a distinction needs to be adopted between \n``use\'\' and ``disclosure,\'\' the simple creation of such a distinction \ndoes not--in and of itself--create a privacy problem. For example, the \nHealth Privacy Working Group also assumes a distinction between \ndisclosure (which it defines as ``sharing of patient information \noutside an entity\'\') and use (which it defines as ``access or sharing \nof information within an entity, including to an agent or contractor of \nan entity.\'\') <SUP>9</SUP> Then in its discussions of fair information \npractices, the Working Group apparently assumed that only \n``disclosures\'\' of personally identifiable health information would \nneed to be ``limited to the information or portion of the medical \nrecord necessary to fulfill the purpose of the disclosure.\'\' \n<SUP>10</SUP> However, unlike H.R. 
2470, the Working Group also assumed \nthat personally identifiable health information would be ``used within \nan organization only when such information is necessary to carry out \nthe purpose of the activity, for purposes reasonably related to the \npurpose for which the information was collected, and for which the \npatient has been given notice.\'\' <SUP>11</SUP> By contrast, H.R. 2470 \nincludes simply the weak statement, buried in the definition section of \n``disclosure\'\' (section (2)(4)), that the use of protected health \ninformation shall not be considered a disclosure, ``provided that the \nuse is consistent with the purposes for which the information was \nlawfully obtained.\'\' Thus, again, H.R. 2470\'s rules governing use, as \nwell as disclosure, must be revisited before the safeguards section of \nthe bill can be assumed to mean very much to consumers.\n---------------------------------------------------------------------------\n    \\9\\ Best Principles, at 42.\n    \\10\\ Id. at 22.\n    \\11\\ Id.\n---------------------------------------------------------------------------\n    The safeguards section of H.R. 1941 is stronger, primarily because \nthe underlying bill is stronger with regard to the substantive \nprotections for use and disclosure of personally identifiable health \ninformation. In addition, we prefer that the safeguards be required to \ninclude administrative safeguards to ``ensure that protected health \ninformation is used or disclosed only when necessary,\'\' as H.R. 1941 \nrequires, rather than having the safeguards simply ``address the \nfollowing factors,\'\' including ``the need for protected health \ninformation and whether the purpose can be accomplished with \nnonidentifiable health information,\'\' as H.R. 2470 requires.\nD. Accounting for Disclosures\nH.R. 2470\nSec. 112. Accounting for Disclosures\nH.R. 1941\nSec. 203. 
Right to Review Disclosure History\n    The Health Privacy Working Group includes, as part of its principle \n#3, that an individual should have the right to see ``an accounting of \ndisclosures, when such accounting is maintained\'\' (emphasis added). \nThis recommendation clearly does not assume there will be an accounting \nof all uses of health information within an entity. Similarly, both \nH.R. 2470 and H.R. 1941 require that an accounting be made solely of \ndisclosures, and that such accounting be made available to consumers.\n    The CCD Privacy Working Group has no difficulty supporting H.R. \n1941\'s (and the Health Privacy Working Group\'s) limitation of \naccounting solely to disclosures--because disclosures are defined in \nboth H.R. 1941 and by the Health Privacy Working Group as providing \naccess to protected health information to anyone other than an officer, \nemployee, or agent of the entity holding the information. As a \npractical matter, it makes sense to require accounting solely of \ndisclosures that occur outside an entity. Unfortunately, under H.R. \n2470 a disclosure outside the entity is still not considered a \ndisclosure for purposes of the law as long as it is a use for \ntreatment, payment, the open-ended health care operations, or health \nresearch. Thus, in practice, the only accounting a health provider or \nplan will ever engage in will be for those rare situations in which \ndisclosures are made for some purpose other than these four broad \nareas. This radically restricts the entire concept of accounting for \ndisclosures.\nE. Restrictions on Use and Disclosure\nH.R. 2470\nSec. 201. General Rules Regarding Use and Disclosure\nSec. 202. General Rules Regarding Use and Disclosure of Health Care \nInformation\nSec. 203. Authorizations for Use or Disclosure of Protected Health \nInformation Other Than for Treatment, Payment, Health Care Operations, \nor Health Research\nH.R. 1941\nSec. 101. Restrictions on Use\nSec. 102. 
Restrictions on Disclosure\nSec. 103. Standards for Authorizations for Use and Disclosure\nSec. 301. Provision of and Payment for Health Care\n    Restrictions on the use and disclosure of protected health \ninformation lie at the core of any federal protection for the privacy \nof personally identifiable health information. Both the CCD Privacy \nWorking Group and the Consumer Coalition for Health Privacy have stated \na similar principle:\n        The use or disclosure of individually identifiable health \n        information absent an individual\'s informed consent should be \n        prohibited. Health care providers, health plans, insurance \n        companies, employers and others in possession of individually \n        identifiable health information should be prohibited from using \n        or disclosing such information unless authorized by the \n        individual. Use or disclosure without informed consent should \n        be permitted only under exceptional circumstances--for example, \n        if a person\'s life is endangered, if there is a threat to the \n        public health, or if there is a compelling law enforcement \n        need. Disclosure of individually identifiable health \n        information for marketing or commercial purposes should never \n        be permitted without informed consent. Any time information is \n        used or disclosed it should be limited to the minimum amount \n        necessary for the use or disclosure.\n    The best way to ensure true informed consent on the part of the \nconsumer is to allow an individual to withhold consent for use or \ndisclosure of medical information, and still allow that individual to \nreceive medical services without penalty. As a practical matter, \nhowever, health care providers and plans often need personally \nidentifiable health information in order to carry out the business of \nproviding treatment to the individual or reimbursement to providers. 
\nGiven that reality, the CCD Privacy Working Group has agreed that \nauthorizations for such purposes may essentially be compelled from the \nconsumer by conditioning the provision of treatment or payment on the \nreceipt of such authorizations. A key requirement, however, is that the \nconsumer must be permitted the option of self-paying, and thus be \npermitted to retain the right to halt disclosure to a third party payer \nin such circumstances.\n    The Health Privacy Working Group similarly recognizes the practical \nrequirements with regard to treatment and payment, but also recognizes \nanother group of activities termed ``core business functions.\'\' The \nWorking Group agreed on the following approach:\n        The Working Group agreed that, as a general rule, patient \n        authorization should be obtained prior to disclosure. At the \n        same time, patient information needs to be shared for \n        treatment, payment, and core business functions. The Working \n        Group agreed that the patient need only provide authorization \n        for these core, essential uses and disclosures once. \n        Furthermore, a health care organization can condition the \n        delivery of care or payment for care on receiving this Tier One \n        authorization. All other activities outside this core group \n        must be authorized separately by the patient and health care \n        services should not be conditioned on receiving this Tier Two \n        authorization. The Working Group also agreed that there are \n        additional, limited activities--such as public health reporting \n        and emergency circumstances--for which patient authorization \n        should not be required.<SUP>12</SUP>\n---------------------------------------------------------------------------\n    \\12\\ Best Principles, at 22. 
The Working Group also agreed that \n``where a patient self-pays, he or she can refuse to authorize \ndisclosure to a payer.\'\'\n---------------------------------------------------------------------------\n    Although the CCD Privacy Working Group has not issued a formal \nposition on core business functions, we have stated that we find \nSenator Jeffords\' proposed committee mark on this issue to represent a \nminimally acceptable bill. Senator Jeffords\' bill is largely consistent \nwith the consensus reached by the Health Privacy Working Group, \nalthough the bill uses a new term ``health care operations,\'\' rather \nthan the better, more established term of ``core business functions.\'\' \nNonetheless, given the definition of ``health care operations\'\' in the \nJeffords bill, which establishes clear parameters for that term, the \nCCD Privacy Working Group is able to consider the Jeffords bill \nminimally acceptable in this area.\n    By contrast, H.R. 2470 diverges from any previous bill (including \nthe bill introduced by Senator Robert Bennett, the bill which H.R. 2470 \notherwise tracks in almost all respects), in rejecting the need for any \nauthorization for use of protected health information in the areas of \ntreatment, payment, open-ended health care operations, and health \nresearch. Instead of requiring an authorization, and instead of placing \nany real limits on the uses of personally-identifiable information in \nthese four areas, H.R. 2470 offers the following simple, precatory \nlanguage: ``An individual who furnishes protected health information in \nthe context of obtaining health care or health care benefits has a \njustifiable expectation that such information will not be misused and \nthat its confidentiality [will] be maintained.\'\' Sec. 202(a). While \nthis language is a nice piece of privacy prose, given that this is a \npiece of legislation, we would like to trade the prose for some actual \nstatutory protection. 
The only protection offered by H.R. 2470, buried \nin the definition of ``disclose,\'\' is that the use of protected health \ninformation shall not be considered a disclosure ``provided that the \nuse is consistent with the purposes for which the information was \nlawfully obtained.\'\' In light of the fact that a plan or provider may \nestablish essentially any purpose as a ``health care operation,\'\' this \nprovides little solace to consumers.\n    Some of the industry stakeholders may not have intended the drastic \ncut-back in privacy protection that results from this new section in \nH.R. 2470. (Certainly, the Health Privacy Working Group which had a \nsignificant representation from industry espoused no such view.) The \ncatalyst for this new provision may well have been the confusion \nregarding the rules for use and disclosure that some industry \nstakeholders perceived in Senator Jeffords\' committee mark. The CCD \nPrivacy Working Group does not believe either consumers or industry \nbenefit from confusion with regard to use and disclosure rules. Hence, \nwe greatly appreciate the effort of the Health Privacy Working Group to \nforge both consensus and clarity in this area. But the manner in which \nH.R. 2470 has dealt with this issue is truly horrific. It has removed \nany confusion regarding use of protected health information by removing \nany real requirements on such use. That cannot be the appropriate \npublic policy determination. It certainly is not the position our 54 \nmillion members would recognize as a legitimate policy decision. We \nhope we can work with the committee to create a coherent and \nintelligent approach to issues of use and disclosure of protected \nhealth information.\nF. Next of Kin and Directory Information\nH.R. 2470\nSec. 204. Next of Kin and Directory Information\nH.R. 1941\nSec. 307. 
Other Disclosures\n    Although disclosures of protected health information should \nordinarily occur only pursuant to an authorization (compelled or real) \nexecuted by the individual, there are circumstances in which we would \nlike health care providers to be able to disclose relevant health \ninformation to a select group of individuals who have a close \nrelationship with the person who is the subject of the information. In \nsuch cases, we want to ensure the individual has been notified of his \nor her right to object to such disclosures, but if such an objection \nhas not been lodged, we would like to ensure the provider may disclose \nrelevant, current information.\n    Section 204 of H.R. 2470 essentially embodies this approach. As a \ntechnical matter, the section should refer to an ``individual \nrepresentative\'\' as well, to include an individual who holds a power of \nattorney for another individual. In addition, the section should \nclarify that if a minor is legally permitted to receive a service \nwithout notifying his or her parent, that minor is also capable of \nlodging an objection to relaying protected health information regarding \nthat service to the parent. (See discussion of minors below.)\nG. Health Research\nH.R. 2470\nSec. 208. Health Research\nH.R. 1914\nSec. 304. Health Research\n    The issue of health care research--and the ability of large private \ncompanies to continue to engage in research that uses personally \nidentifiable health information without first obtaining the informed \nconsent of the subjects of the information--has been one of the most \ncontested battlegrounds in the development of federal privacy \nlegislation. In one respect, this should come as no surprise, given the \nmillions of dollars expended and recouped as profit through such \nresearch. 
The issue is complicated, however, by the mantra that ``all \nresearch is good,\'\' and an accompanying assumption that we should \ncreate no possible hindrances to the development of new horizons of \nknowledge.\n    The CCD Privacy Working Group is acutely aware of the benefits of \nresearch. We are the ones that represent (and often are) the millions \nof people with disabilities who will benefit directly from public and \nprivate health research activities. Many people with disabilities live \nwith conditions that are progressively debilitating, and, in some \ncases, fatal. Research leading to the development of new therapies or \nnew habilitation and rehabilitation techniques can significantly \nenhance the quality of life for these individuals--as well as better \nensure life itself. We want such research to proceed effectively and \nwith full vigor.\n    We believe, however, that the best federal privacy law is one that \nensures research activities will go forward effectively, will create \nincentives for researchers to use nonidentifiable information whenever \npossible and appropriate, and will create structures that will best \nprotect privacy whenever identifiable data is necessary for a research \nproject. Our proposal to achieve this kind of federal privacy \nprotection is straightforward. If a health researcher is dealing with \nlive individuals, the researcher should obtain informed consent from \nthese individuals, pursuant to an authorization section of federal \nprivacy legislation, before using such individuals (or their medical \ninformation or specimens) in a research project. 
Delivery of treatment \nor payment for services should never be conditioned on the receipt of \nsuch an authorization.\n    When research does not involve live human subjects, however, but \nrather involves medical records data or stored blood or tissue samples, \nit may not be feasible for a researcher to obtain the informed consent \nof the individuals who are the subject of the information. For example, \nsome studies require researchers to review thousands of records for \npatients treated over a long period of time. In this instance, it would \nbe quite difficult for a researcher to contact every individual whose \nmedical records are contained in the database and ask for authorization \nto use their identifiable data.\n    In such circumstances, we believe the researcher--whether that \nindividual is using public funds or private funds for the research--\nshould consult with an institutional review board (IRB) to obtain a \nwaiver of informed consent for those individuals whose protected health \ninformation will be used in the research project. We are well aware of \nthe current limitations of the IRB system. Because the Common Rule that \nsets forth the guidelines for the IRB system was designed to focus on \nsafety risks for human subjects, not on the confidentiality of data \nused in health research, the Common Rule currently provides little \nguidance for IRBs with respect to confidentiality. Thus, we believe a \nmodification of the Common Rule would be necessary to ensure that \ninformed consent and confidentiality standards are met by all research \nprojects. Nevertheless, we believe it will be more efficient to modify \nthe existing IRB structure rather than to attempt, through federal \nprivacy legislation, to establish an entirely new oversight structure \nfor confidentiality protections.\n    Despite our support for the IRB system, we believe Section 304 of \nH.R. 
1941, which does not necessarily contemplate using the entire IRB \nsystem, meets the basic principles CCD seeks to achieve in this area. \nOur main concerns are that there be an objective process by which a \ndetermination is made as to the need for identifiable information in \nthe research project and as to the lack of feasibility in obtaining \ninformed consent; that there be some accountability through government \noversight of such determinations; and that there be a uniformity in \ndecisions about when, and under what circumstances, to grant a waiver \nof informed consent. H.R. 1941 achieves these goals by requiring that \nprotected health information may be disclosed without an authorization \nfor health research ``only for uses that have been approved by an \nentity certified by the Secretary.\'\' Based on the Secretary\'s HIPAA \nrecommendations, we can assume these entities will have some members \nwho are not associated with the entity that wishes to conduct the \nresearch. Moreover, certification by the Secretary should allow for \nsome opportunity for oversight, should potential problems arise. \nFinally, the determinations to be made by the entity (as set forth in \nthe bill) can serve as the basis for uniform applications.\n    By contrast, Section 208 of H.R. 2470 has no requirement for \nobjective oversight of research projects, no allowance for \naccountability outside the private entity, and no uniform standard for \ndetermining when research may be allowed to proceed without obtaining \ninformed consent.<SUP>13</SUP> H.R. 
2470 allows private entities that \nown ``protected health information previously created or collected\'\' by \nsuch entity (presumably, pharmacy management plans may be some of the \nlargest repositories of such information) to disclose such protected \nhealth information to a health researcher as long as: 1) the research \nhas been ``reviewed by a board, committee, or other group formally \ndesignated by such person to review research programs\'\'; 2) the entity \nhas an internal policy in place ``to assure the security and \nconfidentiality of protected health information\'\' (this, of course, is \nalready required under the safeguards section of the bill); 3) the \nentity enters into a written agreement with the recipient researcher \n``that specifies the permissible and impermissible uses of the \nprotected health information\'\'; and 4) the entity keeps a record of \nhealth researchers to whom the information has been disclosed.\n---------------------------------------------------------------------------\n    \\13\\ Of course, under section 202 of H.R. 2470, protected health \ninformation in the possession or control of a health provider or plan \n``shall be available for use in health research that is not \ninconsistent with the requirements of other applicable Federal laws.\'\' \nA plain reading of this provision is that if research is not otherwise \ngoverned by the Common Rule, a provider or plan may use protected \nhealth information for such research without even going through the \nminimal requirements of Section 208.\n---------------------------------------------------------------------------\n    All of these elements are certainly good, basic policies for any \nentity to have. It is striking, however, that the core elements that \nthe Health Privacy Working Group--with its representation from both \nindustry and research--identified as basic elements of privacy \nprotection for research are completely absent from Section 208 of H.R. \n2470. 
Some members of the Working Group were clearly not in favor of \nrequiring IRB approval for all research given the limitations of the \ncurrent IRB system. As the report notes:\n        Concerns with the current [IRB] were significant enough, \n        however, that members were open to using an alternate review \n        process in situations where IRB approval is not currently \n        required, if it could offer the same potential benefits of the \n        IRB system . . . Where IRB approval is not required . . . a \n        health care organization should have the option to either 1) \n        obtain IRB approval or 2) use an alternate process that \n        provides an equivalent level of review and accountability. \n        (emphasis added).\n    As noted above, the position of the CCD Privacy Working Group is \nthat IRB approval (assuming modification of the Common Rule) is the \nbest approach. We are willing, however, to support a non-IRB approach \nthat ``provides an equivalent level of review and accountability\'\'--\nassuming the promise of such a statement can truly be met. Section 208 \nof H.R. 2470 is a far cry from meeting that promise.\nH. Law Enforcement and Oversight\nH.R. 2470\nSec. 210. Disclosure for Law Enforcement Purposes\nSec. 206. Oversight\nH.R. 1914\nSec. 305. Law Enforcement\nSec. 302. Health Oversight\nSec. 308. Redisclosures\n    Principle #9 of the Health Privacy Working Group is that ``health \ncare organizations should not disclose personally identifiable health \ninformation to law enforcement officials, absent compulsory legal \nprocess, such as a warrant or court order.\'\' <SUP>14</SUP> The Working \nGroup recognized the situation is different when government officials \nhave legally authorized access to information to engage in oversight \nand enforcement of the law. 
In those instances, the information \nobtained for oversight purposes should not be used against an \nindividual patient in an action unrelated to the oversight.\n---------------------------------------------------------------------------\n    \\14\\ Best Principles, at 39.\n---------------------------------------------------------------------------\n    Both H.R. 2470 and H.R. 1941 allow broad access for oversight \npurposes relating to health care fraud, or for accrediting purposes. \nBoth bills, however, also ensure that protected health information \nabout an individual that is disclosed during such actions may only be \nused against the individual in an action that is related to health care \nfraud.\n    With regard to law enforcement, H.R. 1941 presents a simple, yet \nelegant solution to the question of what type of legal process we \nshould expect from our law enforcement officials. Section 305(a) states \nthat protected health information may be disclosed to a law enforcement \nofficial ``if the law enforcement official complies with the fourth \namendment to the Constitution.\'\' Section 305(b) then explains that, in \nterms of applying the fourth amendment, ``all protected health \ninformation shall be treated as if it were held in a home over which \nthe protected individual has exclusive authority.\'\' In practice, this \nmeans a person\'s health information will be provided the same level of \nfourth amendment protection that a person\'s private suitcase would get \nwere it sitting in a closet at the person\'s home. Law enforcement \nofficials who wish to seize or search the suitcase must either receive \nthe person\'s consent, or obtain a warrant. Similarly, if a law \nenforcement official wishes to seize or search an individual\'s \nprotected health information, that official should either obtain the \nindividual\'s consent or obtain a warrant.\n    Section 210 of H.R. 
2470 goes some distance in requiring there be \nadequate legal process before law enforcement officials may search and \nseize protected health information. Unfortunately, allowing an \n``administrative subpoena or summons\'\' to be sufficient to allow \ndisclosure to law enforcement officials is extremely problematic given \nthe lack of any real process or standards used in executing such \nsummons. The reference to those documents should be deleted.\nI. Individual Representatives\nH.R. 2470\nSec. 212. Individual Representatives\nH.R. 1914\nSec. 401. Specific Classes of Individuals\n    These sections of the two bills should not be controversial, but \nfor the question of how and when parents may exercise the rights of \ntheir minor children under this law. The policy of the CCD Privacy \nWorking Group is as follows. In most cases, we expect and want parents \nto exercise all the rights of their minor children under this Act. \nThese include the right to authorize disclosures, access information, \nand sue on behalf of their minor children.\n    There are limited circumstances in which we believe the minor child \nhas the sole right to exercise the rights provided by the Act. These \nrare circumstances exist when the minor may legally obtain a medical \nservice without informing his or her parents of the receipt of such \nservice, and where a provider is available who is willing to provide \nsuch a service to the minor. These limited circumstances tend to arise \nin medical services that deal with: reproductive health (contraception; \nabortion); mental health counseling; substance abuse treatment; and \ntreatment for sexually transmitted diseases. Some states have passed \nlaws that provide minors the right to access particular services on \ntheir own; in other states, common law or constitutional law provides a \nsimilar right to the minor. 
Whatever the source of the legal right, the \nCCD Working Group believes that if a minor has the right to access a \nservice on his or her own, that minor also must have the right to \ncontrol the flow of the protected health information generated through \nthat service.\n    The CCD Privacy Working Group also believes it is not appropriate \nfor a federal privacy law to upset state laws that may constrain the \nability of a minor to access services on his or her own. For example, \nmany states require that a minor must inform one parent before \nobtaining an abortion. (To meet constitutional requirements, these \nstates also provide for a ``judicial bypass\'\' of this notification \nrequirement under certain circumstances.) The federal privacy bill \nshould not undermine the state law by allowing a minor to withhold \ninformation about the abortion from the one parent. For that reason, it \nis important that the bill provide that where a minor may legally \nobtain a service acting on her or his own, then (and only then) may the \nminor exercise sole rights under the Act.\n    Section 212 of H.R. 2470 states simply that ``the rights of minors \nunder this Act shall be exercised by a parent, the minor or other \nperson as provided under applicable state law.\'\' This sentence is \ncompletely ambiguous on the question of whether a parent may exercise \nher right to access her child\'s medical records, in a case where the \nchild does not desire the parent to have such access--and the state has \ndetermined the child may legally obtain the medical service without \ninforming the parent. As a matter of preserving the state\'s decision \nmaking (as reflected in its statutory, common law, and constitutional \nlaw), the federal law should not be permitted to trump the state\'s \ndetermination on the minor\'s autonomy. 
The ambiguity in section 212 \nneeds to be clarified to ensure that the status quo is maintained in \nthe various states on the issue of minors\' rights.\nJ. Remedies\nH.R. 2470\nSec. 301. Wrongful Disclosure of Protected Health Information\nSec. 311. Civil Penalty Violation\nSec. 312. Procedures for Imposition of Penalties\nSec. 313. Enforcement by State Insurance Commissioners\nH.R. 1914\nSec. 502. Enforcement\n    One of the principles of both the CCD Privacy Working Group and the \nConsumer Coalition for Health Privacy is as follows:\n        Federal legislation should establish strong and effective \n        remedies for violations of privacy protections. Remedies should \n        include a private right of action, as well as civil penalties \n        and criminal sanctions where appropriate.\n    It is a truism that a right without a remedy is no right at all. \nOne of the most glaring faults in H.R. 2470 is the absence of any \nprivate right of action on behalf of ordinary citizens in this country. \nEvery other piece of privacy legislation passed by Congress--whether it \ncovers banks, credit reporting, video rentals, or communications--\nallows private citizens to sue in court when they have been aggrieved \nby a violation of the statute.<SUP>15</SUP> Indeed, this is a basic \nhallmark of a range of legislation passed by Congress.\n---------------------------------------------------------------------------\n    \\15\\ See Fair Credit Reporting Act of 1970; Right to Financial \nPrivacy Act of 1978; Cable Communications Policy Act of 1984; \nElectronic Communications Privacy Act of 1986; Video Privacy Act of \n1988.\n---------------------------------------------------------------------------\n    There is a good, practical reason why Congress--in a range of \nlaws--has deputized ``private attorney generals\'\' by allowing \nindividual citizens to sue when violations of laws have occurred. 
One \nof the goals of legislation is often to make a societal impact on a \nparticular problem. For example, one of the goals of federal privacy \nlegislation is to change the norms by which various stakeholders \noperate. Instead of having entities assume a project will always be \nimplemented with the use of personally identifiable health information, \nwe want all entities to ``stop, think, and justify\'\' before they use \nidentifiable data.\n    The best way to ensure that entities experience an obligation to \nlearn and comply with the law, and the best way to ensure that \nindividuals who have been aggrieved by a violation of the law are made \nwhole, is to provide individuals the opportunity to file a suit in \ncourt, prove their case, receive damages for harm suffered, and recoup \nattorney\'s fees if they prevail. Anything short of such a scheme will \ncreate a law that may (possibly) look good on paper, but will do little \nto help real people across the country.\nK. Preemption\nH.R. 2470\nSec. 401. Relationship to Other Laws\nH.R. 1914\nSec. 503. Relationship to Other Laws\n    One of the final principles of both the CCD Privacy Working Group \nand the Consumer Coalition for Health Privacy concerns the issue of \npreemption. As both coalitions note:\n        Federal legislation should provide a floor for the protection \n        of individual privacy rights, not a ceiling. Like all other \n        federal civil rights and privacy laws, federal privacy \n        legislation for health information should set the minimum \n        acceptable standard. Federal legislation should not pre-empt \n        any other federal or state law or regulation that is more \n        protective of an individual\'s right to privacy of or access to \n        individually identifiable health information.\n    Of all issues, this has been one of the most fiercely fought during \nthe legislative process. 
Consumer groups, including the CCD Privacy \nWorking Group, have stated vehemently that states must be provided the \nopportunity to continue to explore ways in which to better protect the \nprivacy of medical information in their particular states. Most \nindustry stakeholders have just as vehemently argued that they need (or \nat the very least, that they very much want) the ease of complete \nuniformity that sweeping federal preemption of state laws can provide \nthem.\n    Given the perceived intractability of both sides on this issue, it \nis surprising that the beginnings of a compromise on this issue had \nbegun to be developed through Senator Jeffords\' proposed committee \nmark. Under this approach, all existing state laws dealing with privacy \nof medical information would remain in place. For state laws enacted \nafter passage of the federal law, however, those that dealt with access \nand amendment of information, authorizations for treatment, payment, \nand health care operations, and research would be preempted. The only \nexception would be for future state laws dealing with mental health.\n    While this compromise approach leaves both consumer groups and \nindustry groups wanting something closer to their original stance, the \nonly remaining issue in contention in this compromise concerns the \nstatus of future public health laws. As soon as that issue is resolved, \nthere should exist a minimally acceptable compromise on preemption that \nall stakeholders can accept. That would be a truly miraculous result. \nGiven how close we are to a compromise, it is truly unfortunate that \nH.R. 
2470 returns to an old version of sweeping preemption that is \ndisrespectful of the states and their citizens, that is unnecessary for \nthe purpose of allowing industry to engage in effective business \npractices, and that will have a potential host of unintended adverse \nconsequences that will put the adverse, unintended consequences of \nERISA preemption to shame.\n                            iii. conclusion\n    Congress has spent twenty years thinking about, and sporadically \nworking on, legislation to protect the privacy of medical information. \nThis is clearly an issue that resonates with the American people: \npeople are concerned that there is a lack of strong, clear privacy \nprotection with regard to some of their most sensitive medical \ninformation.\n    Although work on a federal privacy bill has proceeded for over \ntwenty years, there is a sense of possibility and momentum now. \nCongress knows if it does not act to pass privacy legislation in the \nnear future, the Secretary of HHS will step into the gap with \nregulations that will address a range of the privacy issues. But there \nis no reason for Congress not to act--assuming it builds intelligently \non the consensus that has developed over time among the various \nstakeholders in the debate.\n    The CCD Privacy Working Group urges this Committee to build on and \nstrengthen the consensus that currently exists in the area of medical \nprivacy legislation. In particular, we urge you to seriously study both \nSenator Jeffords\' proposed committee mark and the newly-released \nreport from the Health Privacy Working Group. The CCD Privacy Working \nGroup does not agree with all elements of Senator Jeffords\' draft--\nsignificant issues regarding minors, the private right of action, and \nfuture preemption of public health laws all remain to be resolved. Yet \nthat list of major concerns is significantly shorter than the list of \nmajor concerns we have with H.R. 2470. 
Moreover, there are other \nelements of Senator Jeffords\' proposed mark that do not conform to our \nprinciples, but which we are willing to accept in the spirit of \ncompromise. We would urge this committee to build on the compromises \nthat have been accepted thus far by both consumer groups and industry \ngroups, and help draft a bill that can be endorsed by a bipartisan \ngroup of Members and a wide spectrum of interested stakeholders.\n\n    Mr. Bilirakis. Thank you, ma\'am.\n    Well, I guess you have certainly verified the complexity of \nthis entire issue. Let me just try to get a little basic here.\n    Dr. Norwood, of course, brought up the point of the flow of \ninformation across State lines, and I may or may not be able to \nget to that, but he or someone else will I suppose. That is \nvery important.\n    Let me go to Mr. Nielsen. What would be the implications \nof, for example a real practical situation, female breast \ncancer patients being able to remove their patient information \nfrom a data base that tracks breast cancer treatment outcomes? \nI will make this a three-prong question: Would this incomplete \ninformation--and I think we would all agree it would be \nincomplete information--not only affect that individual patient \nwho removed her information but all future victims of breast \ncancer as well because they would not be able to benefit from \nscientifically sound outcomes and research? And going further, \nif restrictions were put in place as per the Markey-Waxman \nconfidentiality bills, et cetera, what would that do to your \nability to provide disease management programs like Justin\'s?\n    Mr. Nielsen. Thank you, Mr. Chairman. Let me answer it \ngenerally first.\n    What you are describing is the oft-commented-on issue of \nopt-outs, with the ability of patients to direct the content of \ntheir medical record. We don\'t like that. We don\'t think it is \nin the best interest of patients. 
Rather than have opt-out \nprovisions or something of that nature, we think bills that \nprotect the privacy through strong penalties, through the \nrequirement that entities deal with this internally through \nstrong policies that protect privacy is by far the better \nanswer.\n    To be responsive to your question, the particularities of \nyour question, if those kinds of opt-out provisions were \npresent, our ability to comprehensively do disease management, \nto comprehensively, adequately care for patients so that \nphysicians had the full ability to know what a patient\'s \ncondition is would be significantly compromised.\n    I think Dr. Tang would agree with that and perhaps ought to \naddress the question, too.\n    Mr. Bilirakis. Dr. Tang.\n    Mr. Tang. I will be happy to. I think opt-out causes two \nlevels of harm, one is to the patient and the other is to the \nrest of us.\n    Mr. Bilirakis. That goes with my question, right.\n    Mr. Tang. So the harm to the patient is, just as Mr. \nNielsen mentioned, it is very hard to take care of a patient \nwithout complete information. For example, if one of the carve-\nouts was psychiatric information, what if I didn\'t know the \npsychiatric medication this patient was on and am about to \nprescribe something to which there would be an interaction, or \nwhat if the patient was on a psychiatric medication whose side \neffect was cardiac arrhythmias and that is what I am trying to \ntreat.\n    For the rest of us, I might have an anecdote about Laetrile \nfrom maybe the early 1980\'s. Laetrile had a particularly nasty \nside effect, death, and we didn\'t have any randomized \ncontrolled trials, so we had voluntary reporting. So let us say \nwe had several patients taking Laetrile and the ones who died \ndidn\'t actually get to report their outcomes. Our data base--in \na sense, they had been opted out--would be biased in favor of \nnot having those serious side effects show up. 
Now, that is an \nextreme example, but in an ongoing way, we would like to \nmeasure the outcomes of all our interventions, new and old, and \nif some people opt out, we will be deprived of that \ninformation, and that will hurt everyone, including people like \nJustin.\n    Mr. Bilirakis. Ms. Feldblum, comment?\n    Ms. Feldblum. This is exactly the conversation we had among \nthe disability folks, which is why we are seeing--as a \nminimally acceptable bill, we are willing to support over in \nthe Senate side the Jeffords committee mark. Under that bill, \nthere is essentially a compelled authorization for treatment. \nOkay. You have to sign the authorization in order to get \ntreatment, and treatment includes disease management. Now, it \nis disease management for the individual, but there is no opt-\nout capacity. We are not opposing the bill because we can\'t opt \nout because of exactly all of these issues.\n    What we have been concerned about and therefore what is of \nconcern with 2470 is that in the definition of health care \noperations there is a lot more than just disease management, \nand so the key thing really for us in terms of comfort level is \nto make sure that the parameters of what are in the compelled \nauthorization are known to us ahead of time so that we can, in \nfact, have this conversation. And I think the industry \nunderstandably, you know, understood the need for the \nparameters. We understood their need that who knows what is \ngoing to happen 10 years from now in terms of some activity, \nand so an additional piece was added in to say that the \nSecretary could add in activities to health care operations \nafter notice and comment, so you weren\'t freezing it in 1999.\n    So I don\'t think we have got a disagreement on the \nprinciple here. We still have a problem with one word in the \nbill.\n    Mr. Bilirakis. Yes, Doctor.\n    Mr. Appelbaum. Mr. 
Chairman, on this opt-out issue, it \nseems to me that part of this issue is real and part is a red \nherring. The disease management piece of this seems to me to be \na red herring. Disease management can\'t take place without the \ncooperation of the patient. If Justin weren\'t willing to log on \nevery day, there would be no disease management, and so a \nrequirement that patients give consent before disease \nmanagement is initiated would have no effect whatsoever on its \nefficacy.\n    As far as large-scale data bases are concerned and the \npossibility of patients ultimately benefiting from the \ninformation that they put into those data bases, that is a real \nissue, but in our system we have always allowed patients to \nmake the choice for themselves, even the choice whether or not \nto accept care, even if refusal of care would ultimately lead \nto their harm; and similarly, we would argue that patients \nshould continue to have the right to determine whether or not \nthese kinds of benefits are the benefits that they want with \ntheir medical record information, or for whatever reason they \nchoose to opt out of that, they should have the right to \ndo so.\n    Mr. Bilirakis. Do you have anything to add to this, Ms. \nPawlak?\n    Ms. Pawlak. From a patient standpoint, if 9 years ago when \nmy husband signed up with his medical insurance I had been \ngiven the option of checking off a little box to opt out, I can \njust about guarantee I probably would have. That could have had \nterrible consequences for us down the line when Justin was \ndiagnosed with a disease that we did not know about.\n    No one knows the future. He was diagnosed with the disease. 
\nWe would not have had available to us the things that have been \nmade available to us and the improvement in his basic health \nthat has been made available, because his medical history of \nhaving asthma was available to someone who had a program that \ncould help us.\n    We don\'t know the future. Basically, I would hate to think \nthat through lack of knowledge, I had closed any doors. I would \nprefer to leave the doors open so that further down the line \nwhen something came up, I was able to participate and my \ninformation was there for somebody who had more knowledge than \nme to be able to see it.\n    Mr. Bilirakis. You put it well.\n    Health care operations, Ms. Feldblum particularly \nemphasized that.\n    Mr. Nielsen, what is your definition of that? Do you define \nit the same way?\n    Mr. Nielsen. Well, I am not frightened by the definition. I \nmean, I think clearly what Ms. Feldblum has indicated in terms \nof word-smithing the definition, I think we would be willing \ncertainly to entertain that, but as I look at the definition, I \nthink from a statutory construction point of view, the word \n``including\'\' indicates that this list of operations is in fact \ninclusive.\n    Most, if not all--and let me say all of them, in my view, \nare well understood in the industry; I think we know what we \nare talking about. Anything that goes beyond those, unless you \nhave patient consent, is going to be prohibited and going to be \nsubject to sanctions. Health care entities\' health plans have \nto do certain operational kinds of things. They can do and they \nshould do the sort of disease management, that has just been \ntestified to, that saves lives. I mean, we are talking about \nenacting kinds of procedures that are going to save lives, that \nare going to enormously improve the health care delivery of \nthis country. We ought not to foreclose the ability to do that \nand even protect people against themselves.\n    Mr. Bilirakis. 
Thank you, sir. My time is up.\n    Mr. Brown.\n    Mr. Brown. Thank you, Mr. Chairman, and I want to follow up \non Mr. Nielsen\'s statement and Ms. Feldblum\'s energized \ntestimony, if you will.\n    First of all, Mr. Chairman, if I could, I would like to ask \nunanimous consent to enter Mr. Dingell\'s statement in the \nrecord and any other members\' statements.\n    Mr. Bilirakis. Without objection, the opening statements of \nall members of the committee are made a part of the record.\n    Mr. Brown. Thank you, Mr. Chairman. Also, a letter to you \nand to me from the National Conference of State Legislatures on \nthe State preemption issue.\n    Mr. Bilirakis. Without objection.\n    [The information referred to follows:]\n\n                  National Conference of State Legislatures\n                                                      July 14, 1999\nThe Honorable Michael Bilirakis\nChairman\nHealth and Environment Subcommittee\nU.S. House of Representatives\nWashington, D.C. 20515\n\nThe Honorable Sherrod Brown\nRanking Member\nHealth and Environment Subcommittee\nU.S. House of Representatives\nWashington, D.C. 20515\n    Dear Representative Bilirakis and Representative Brown: On behalf \nof the National Conference of State Legislatures (NCSL), I would like \nto take this opportunity to comment on proposals regarding medical \nrecords confidentiality.\n    NCSL firmly believes that states should regulate insurance. We \noppose preemption of state law, but we understand the desire to \nestablish a minimum standard in this area given that health information \nis transmitted across state and national boundaries. We also realize \nthat Congress must enact privacy legislation by August 21, 1999, as set \nforth by the Health Insurance Portability and Accountability Act of \n1996 (HIPAA), and we recognize that all of the current approaches set \nsome type of federal standard. 
Given these factors, we believe that the \nprivacy of health information is one of the few areas where it is \nappropriate for the federal government to set a minimum standard. \nFederal medical records confidentiality legislation should provide \nevery American with a basic set of rights regarding their health \ninformation. These federal standards, in concert with state law, should \nbe cumulative, providing the maximum protection for our citizens. Our \nmutual goal should be that not one individual\'s health information \nis more vulnerable under federal law, than it was without it.\nPreemption of State Law\n    Federal legislation should establish basic consumer rights and \nshould only preempt state laws that are less protective than the \nfederal standard. Unfortunately many of the proposals pending before \nCongress take a different approach.\n    NCSL is particularly concerned about proposals that would preempt \nall state laws ``relating to\'\' medical records privacy. The universe of \nstate laws relating to medical records confidentiality is extremely \nlarge and is spread across a state\'s legal code. For example, state \nlaws regarding medical records confidentiality can be found in the \nsections of a state\'s code regarding: health, education, juvenile \njustice, criminal code, civil procedure, family law, labor and \nemployment law. There is currently no compendium of state \nconfidentiality laws. NCSL continues to work with Georgetown University \nwhere a major effort to produce such a compendium is underway. 
A \nblanket preemption of state law is virtually the same as throwing the \nbaby out with the bath water.\n    Should Congress seek to pass federal medical record confidentiality \nlegislation, NCSL firmly believes it should: (1) grandfather existing \nstate confidentiality laws; (2) narrowly and specifically define the \nscope of the preemption, preserving issues not addressed in the federal \nproposal for state action; and (3) permit and encourage states to enact \nlegislation that provides additional protections. If states are \nprecluded in some general way from taking action in specific areas, \nthere must be a mechanism for a state legislature to act if federal \nlegislation adversely impacts the citizens in the state due to a \ntechnical error or to unintended consequences based on state-specific \nconditions.\n    Some proposals attempt to address the preemption issue through the \ninclusion of state legislative ``carve outs.\'\' This approach attempts \nto identify all the areas that states would be permitted to continue to \nenact legislation. While well-intended, there is no way for states to \nknow the full extent and impact of the preemption and carve-outs until \nthe federal law has been implemented. NCSL and the National Association \nof Insurance Commissioners (NAIC) recommend that states be allowed to \ncontinue to legislate and regulate in any area that is not specifically \naddressed in the federal legislation. 
Below is language jointly \nsupported by NCSL and NAIC:\n        Nothing in this Act shall be construed as preempting, \n        superseding, or repealing, explicitly or implicitly, any \n        provision of state law or regulation currently in effect or \n        enacted in the future that establishes, implements, or \n        continues in effect, any standard or requirement relating to \n        the privacy of protected health information, if such laws or \n        regulations provide protections for the rights of individuals \n        to the privacy of, and access to, their health information that \n        are at least as protective of the privacy of protected health \n        information as those protections provided for under this Act. \n        Any state laws or regulations governing the privacy of health \n        information or health-related information that are not \n        contemplated by this Act, shall not be preempted. Federal law \n        shall not occupy the field of privacy protection. The \n        appropriate federal authority shall promulgate regulations \n        whereby states can measure their laws and regulations against \n        the federal standard.\nCurrent State Legislative Activity\n    Since January 1999, 26 states have enacted laws regarding medical \nrecords confidentiality. Montana enacted comprehensive legislation \naddressing the activities of insurers and North Dakota enacted \nlegislation that established comprehensive public health \nconfidentiality standards. After years of debate, Hawaii enacted a \ncomprehensive law that sets standards for the use and disclosure of \nboth public and private health information. Most states enacted \nlegislation building on existing state law or legislation focused on a \nspecific issue. Six laws, addressing a wide variety of medical records \nprivacy concerns, were enacted in Virginia during the 1999 legislative \nsession. 
Other states that enacted legislation this year are: Arkansas, \nColorado, Connecticut, Georgia, Idaho, Indiana, Iowa, Louisiana, Maine, \nMississippi, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, South \nCarolina, South Dakota, Tennessee, Texas, Utah, West Virginia and \nWyoming.\n    Several of these new laws address issues that are not addressed in \nmany of the federal proposals. For example, many states have laws \nestablishing strict confidentiality standards for medical information \nin the possession of employers. These laws would make records from \nemployee assistance programs (EAP) and workplace drug-testing results, \nprotected health care information, subject to strict disclosure and \nreporting requirements. Several states have laws that set limits on how \nmuch a health care provider can charge an individual to make copies of \ntheir medical records. These laws, designed to help assure access, \nregardless of income, would be preempted under some proposals. These \nare but a few examples that illustrate both the breadth and complexity \nof the preemption issue.\n    I thank you for this opportunity to share the perspective of NCSL \non this very important issue and look forward to working with you and \nyour colleagues over the next several months to develop a consensus \napproval that will provide basic medical records privacy protections \nfor all Americans.\n            Sincerely,\n                                              William Pound\n      Executive Director, National Conference of State Legislatures\ncc: Representative Thomas J. Bliley, Jr.,\n   Representative John D. Dingell,\n   Members, House Commerce Subcommittee on Health and Environment\n\n    Mr. Brown. The issue of health care operations, Ms. 
\nFeldblum, in understanding that 2470 allows for disclosure \nwithout a person\'s authorization for those health care \noperations, and I am as concerned as you are about the \ndefinition and activities it includes and that it lists that \nand not the activities that it excludes. Talk to me about some \nof those.\n    It seems that because of the language, marketing \nactivities, do they fall under this definition, insurance \nwriting, insurance underwriting, employer use other than \ntreatment and payment? What other kinds of activities might \nthat include?\n    Ms. Feldblum. Actually, the activities that are listed in \nthe bill would not include sending something to an employer. It \nwould not include sending something from marketing. I mean, Mr. \nNielsen is correct when he says those are words, that he knows \nthat this is what industry does and, if he is correct, that \nthis is all that health care operations should be, then I think \nthis is something that consumers unfortunately may need to live \nwith in a bill. In other words, all of the principles from CCD \nare, if you are going to compel our authorization for \nsomething, it should be for treatment for us and for payment \nfor us, because that is sort of how you are thinking consumer-\nwise.\n    The group that Mr. Nielsen was a part of that the \nGeorgetown Health Privacy Project put together says you also \nneed sometimes to compel authorization for core business \nfunctions, things that consumers may not be thinking about. 
\nWhere we have come to in the terms of the CCD privacy working \ngroup is acknowledging that there are some core business \nfunctions, but that marketing is not one of them, giving \ninformation to employers is not one of them and that the things \nthat are listed here, with the sole exception of health care \neducation, which we have some concerns with, are things which \nif these were the only things that were compelled from the \nauthorization, we could live with in the same way that we are \nliving with it on a Senate bill that we are not opposing.\n    So the whole conversation here about disease management is \nreally, I don\'t think, quite relevant.\n    The only issue really about disease management is about \nmedicine compliance programs. When you have got a disease that \nis more stigmatized, HIV, mental health, do you want to get the \nletter or the phone call about ``Did you take your medicine\'\' \nwithout anyone asking you, ``Did you want to be part of that \nprogram\'\'?\n    So health care operations, the things that are here are not \na problem so long as it becomes truly exclusive, and it is not \nenough to say, ``I read it as inclusive\'\' when the language \nsays otherwise.\n    The bigger problem that H.R. 2470 did--and we have never \nseen this before; this is as of 2 days ago--is create this idea \nof use, create this idea of use, and say that if the health \nplan has some protected health information, it has it, if it \nuses it for treatment, payment, health care operations or \nresearch, that is it. There are no other limitations. All the \nlimitations of the bill that apply to disclosures, accounting \nfor disclosures, notice, safeguards, limit to the minimum \namount necessary to achieve the purpose, all of those good \nrules don\'t apply anymore to use for treatment, payment, health \ncare operations or research.\n    I mean, you already have a problem with how health care \noperations are defined. One can fix that with one word. 
You \nhave to fix this new idea of use. And I understand where he was \ncoming from, but, boy, the result is truly bad.\n    Mr. Brown. So backing off--we are going back to health care \noperations for a moment and then exploring use perhaps later--\nwe can fix that by specifically excluding marketing, excluding \nemployer use beyond payment. We can generally fix that language \nsimilar to the way it is in the Condit bill, and also \nsuggesting, maybe giving authority to HHS to explicitly down \nthe road promulgate regulations so that future activities will \ncontinue to exclude that?\n    Ms. Feldblum. The main thing you need is to strike one word \non line 18 on page 5. Doing that will mean that health care \noperations is only the things that you have listed, and you can \npick up from the Condit-Waxman bill that describes the things \nthat are not to be presumed as including. I don\'t think any \nlawyer would think they would be, but there is no reason not to \nmake that clearer, and then in case there are future activities \nthat might come up, you give the Secretary the authority to add \nthose into his compelled authorization. That is how to fix \nhealth care operations. Then you move to the bigger problem of \nuse.\n    Mr. Nielsen. I think we are dealing with some semantical \nproblems here. The way that I read this is that the list that \nis contained in the bill is in fact inclusive and it does \nprovide those aspects that are permissible. It says nothing \nabout marketing, for instance.\n    Mr. Brown. So why would you not specifically--why would you \nnot specifically then, if it is not so clear, make sure that it \nis clear and specifically exclude marketing and employees \nbeyond that?\n    Mr. Nielsen. I may not have a problem with that. The \ndifficulty with the term ``marketing\'\' is what does it mean. 
Is \nthat where for-profit hospitals or a plan is sending out \nreminders to do things which will clearly benefit them if the \npatient comes back? Is that marketing or are we talking about \nsomething more crass than that, where people are simply trying \nto reap competitive and commercial advantage. I don\'t have any \nsignificant problem with that kind of wordsmithing.\n    Mr. Bilirakis. I thank the gentleman. Mr. Greenwood.\n    Mr. Greenwood. I thank the chairman.\n    I think that Ms. Feldblum is correct, that all of the \nmatters--many of the matters that we have discussed so far are \nmanageable. We will get to the commonality there. The tough \nones include the preemptions. Let me take the action of \npreemption, and I would like to ask Mr. Nielsen to describe for \nus the importance of preemption and then I would like to ask \nMr. Appelbaum, if he would, to describe how he would achieve \nhis goal, which is not to have preemption, and satisfy whatever \nyou think is legitimate about what Mr. Nielsen would describe \nas the needs for preemption.\n    Mr. Nielsen. I have been at this for 3\\1/2\\ years now, and \nwhat we have diligently tried to do is to fill the void that \ncurrently exists in the dearth of privacy protections that \nexist in this country. Granted, there are some States that are \nfar in advance of others, but a lot of States, maybe even the \nmajority of them have no legislation whatever.\n    Mr. Greenwood. And those that do don\'t cover the ERISA.\n    Mr. Nielsen. That is correct. It is beyond the scope of \nState regulation. What we are trying to do is achieve some sort \nof national standard that will guide and direct privacy \nthroughout this country. It doesn\'t seem to me that privacy \nconsiderations in Oregon and California are any different than \nthey are in New York and New Jersey. We are all Americans. 
We \nall share the same heritage and we all ought to have our \nrecords protected uniformly.\n    Now from a pragmatic standpoint, and we are an example but \nnot an extreme example, we serve patients in three States. We \nserve a lot of patients in Utah that come from southeastern \nIdaho and southern portions of Wyoming. We need to deal with \nthose States in a way that is consistent. If the different \nStates have different privacy laws, it will be virtually--it \nwill be extremely difficult, let me put it that way, to develop \nthe kinds of data bases that we are doing unless those laws are \nconsistent. The problem is significantly exacerbated here in \nthe District, in the Northeast where you have a much greater \nconcentration of people, where people live in one State and \nreceive their health care in another.\n    And in the case of the District, you know the example here. \nWe ought not have the patchwork that currently exists and will \nexist if we don\'t have a national standard.\n    One of the problems with some of the early iterations in \nthe Jeffords compromise was that we ought to grandfather in all \nof the State laws, and then give the States an 18-month window \nof opportunity to enact laws. And after that everything is \npreempted by Federal law. That is an invitation for a rush to \nthe State house for every State to enact privacy laws, and we \nare right back where we started. If we don\'t have a national \nstandard, what are we doing here?\n    Mr. Greenwood. You have heard those concerns about the \npracticality of moving data across States and the way that \ncould affect the cost of health care, and every time you raise \nthe cost of health care, you reduce accessibility. If you can \ntell us how we achieve your goal, which is to allow the State \nto not preempt the States, and meet Mr. Nielsen\'s goal, you win \nthe prize.\n    Mr. Appelbaum. You haven\'t told me what the prize is going \nto be.\n    Mr. Greenwood. 
I haven\'t heard your response yet.\n    Mr. Appelbaum. Mr. Greenwood, Federal legislation in any \narea is an awkward and slow-moving way of achieving change, and \nthis area demonstrates that.\n    I think our concerns are not that there might not need to \nbe in some areas, and regulation of ERISA plans is one example, \nsome consistent Federal legislation because it is the only way \nto get at some piece of the problem. Our concerns deal with a \nblanket preemption of State laws in all areas where it is \nunnecessary to achieve that change. Such preemption, it seems \nto us, would decrease or eliminate the ability of States to \nexperiment in this area, would decrease the adaptability to \nlocal needs.\n    Mr. Greenwood. I think you are speaking a little more \ntheoretically than I had hoped for. You referenced the result \nthat safeguards would be unnecessarily removed. Can you give us \nan example of what would be unnecessary, in terms of removing a \nState law, to fulfill Mr. Nielsen\'s articulated needs to move \ninformation across State lines and serve people across State \nlines without a complete mish-mash of regulations?\n    Mr. Appelbaum. Sure. We serve people in central \nMassachusetts from northern Connecticut, from Rhode Island and \nsouthern New Hampshire. Our laws are the Commonwealth of \nMassachusetts. The laws that govern our operations affect the \njurisdiction in which we exist and work. There is no confusion \nabout which laws we have to follow and no problems with moving \ninformation to--in the current system, moving information to \nprimary care physicians in these other States.\n    I have yet to see any clear documentation that these \nproblems that are alluded to actually exist as problems, \nbecause in my day-to-day experience they don\'t. You asked for a \nconcrete example. 
In Ohio, for example, there is a statute that \nsays that the medical records of a patient are the property and \ncreation of the physician or the caregiver and that the \nphysician or caregiver has the discretion to release the \nrecords in whole when a request comes in or to craft some more \nlimited disclosure of information.\n    That legislation was recently relied on in Ohio to reject a \npolicy of managed care companies that were managing workers\' \ncompensation disability benefits for complete copies of \npatients\' psychiatric records, including their psychotherapy \nnotes. That piece of legislation would be wiped out by a total \npreemption in a way that does not affect any of these broader \nneeds which could be addressed by a more finely crafted bill.\n    Mr. Bilirakis. Thank you. Mr. Waxman.\n    Mr. Waxman. It seems one of the problems with States \nadopting different laws is that we do live in one country; but \none of the reasons that States have adopted different laws is \nthat we have no Federal standard. If we adopt a strong Federal \nstandard, it seems to me there is no reason for States to want \nto adopt something that is weaker. They will accept this as a \nFederal standard. But if the States want to adopt something \nstronger, should we preclude them from doing so?\n    Dr. Appelbaum, you talked about the Ohio case. Some States \nhave adopted valuable patient protections like saying there \nshould not be access to verbatim psychiatric notes, and some \nother States are also looking at that. Is losing those kinds of \nprotections the kind of thing that you are worried about?\n    Mr. Appelbaum. Yes. Here in the District of Columbia, for \nexample, there is a local provision exactly along the lines \nthat you are referring to, that prevents the mandatory \ndisclosure to insurers of managed care companies of psychiatric \nrecords for purposes of utilization review. 
That spoke to a \nlocal need, a need that was not and would not be addressed by \nnational legislation and a need that seems entirely legitimate.\n    I think we agree with you completely that were we to be \nadopting or talking about adopting Federal legislation at an \nextremely high standard of protection of confidentiality, there \nwould be no need to allow States to go beyond that, but that is \nnot what we are talking about. We are talking about compromises \nof a variety of sorts, and given that situation, we think that \nit is important to allow the States to protect their citizens \nto a greater extent.\n    Mr. Waxman. So it comes down to the question of whether we \nadopt the legislative compromise process something which would \nbe a ceiling or which would be a floor. And if it is a floor, \nthen I think most States will say that is where they are and \nthey will accept it. But in some limited circumstances, States \nmay feel that they want to go beyond it. The way that we \napproach it in the Condit-Waxman bill is to allow States to \ncontinue to enact stronger confidentiality protections.\n    Ms. Feldblum, did you want to add something?\n    Ms.  Feldblum. I wanted to add, this is an example where \nthe rhetoric is not matching up with the legal language. The \nrhetoric is that we are operating across all State lines and so \nwe need uniformity. If you are in Massachusetts, you will do \nMassachusetts law, and in Vermont you do Vermont law. The only \nproblem right now is if you are operating in 10 different \nStates, you need to have your lawyer know those 10 different \nState laws. If you pass a Federal law, without saying a word \nabout preemption, by the act of supremacy, you have created a \nuniform national standard. So whether you are in Connecticut, \nVermont, Massachusetts, you look at that Federal law and that \nis your uniform standard and so you make it easier.\n    Mr. Waxman. I think you are being very helpful. 
Let\'s get a \nstrong Federal standard. I think that will be the law of the \nland in most circumstances, and rarely will States want to act, \nbut we will give them the ability to act when they feel they \nneed to.\n    Moving to another topic, Mr. Nielsen, you are a member of \nthis health privacy working group which released principles on \nwhich members reached agreement. One principle was that health \ncare organizations should use an objective and balanced process \nto review the use and disclosure of personally identifiable \nhealth information for research. In contrast, the Greenwood \nmedical records bill allows health care organizations to use an \nindividual\'s health information for health research without the \nindividual\'s consent and without any review process at all.\n    Do you believe that the Greenwood approach that allows use \nof personally identifiable health information for health \nresearch without any review meets the health privacy principles \nrequiring an objective and balanced process to review the use \nof information for research?\n    Mr. Nielsen. Let me answer it this way if I might. And I \ncan do that by best explaining to you what we do in our \ninstitution, which we think probably is the correct way. Let me \naddress it first generally. We do not believe that all research \nought to be Federalized, that is all governed by the Federal \ncommon rule concept.\n    We have within our system, and I think the American \nInformatics Association recommends the same thing, a data review \nor access committee which is a committee that is specifically \ndesigned to review that gray area between what is required \nunder the Federal common rule and that which is archival \nresearch or internal research or, for that matter, other kinds \nof health care operations that deal with the dissemination of \nhealth information. 
I think the establishment of those kinds of \ninternal review committees is a very important concept, and \nperhaps one that ought to be included within legislation.\n    But I want to emphasize that I do not believe that we ought \nto require that all kinds of internal operations that have to \ndo with the use and disclosure of information and research \nthat--where we are dealing with records that maybe isn\'t human \nsubject research ought to be covered by a Federal IRB. It is \njust too cumbersome.\n    Mr. Waxman. Is it going to be an independent review? I \nwould like to have Ms. Feldblum comment on that. You in the \nworking group seemed to reach a consensus, but I am worried \nthat Mr. Greenwood\'s approach on this takes us backwards and \nmay lead us to self-interested internal review that may not be \nsufficient protection or even as good as what we now have.\n    Ms. Feldblum. Many of us believe that we should have the \nIRB system. John Nielsen is saying no. But that is not the \nquestion.\n    The question is: Is there an independent equivalent review? \nThere are two problems with H.R. 2470. One, in the research \nsection, it is an internalized review system. It is unclear how \nyou get the objectivity. So there is something that needs to be \nfixed in section 208 of the bill.\n    Second, use for research, it makes it sound like you don\'t \nneed to go through section 208 if you are using it for \nresearch, so there is not even the internal review. I can\'t \nbelieve that you meant to do the latter because why would you \nwant to make section 208 of your bill superfluous, but you have \ndone it with those legal words.\n    Assuming you fix that mistake, section 208, how are you \nbeing consistent with what John Nielsen\'s group came up with, \nwhich is an equivalent--not IRB, they are very clear, they \ndon\'t want it to be Federalized--but how about something that \nis more equivalent in terms of objective and balanced? 
I don\'t \nthink that it is an insurmountable hurdle, but I think there \nneeds to be some work to get there.\n    Mr. Bilirakis. The gentleman\'s time has expired.\n    Mr. Norwood.\n    Mr. Norwood. Mr. Chairman, we started out understanding \nthat this was complex, and this panel is of great interest to \nme. I have listened to them carefully and unfortunately I agree \nwith all of them, at least on some parts of what they are \nsaying. If I might, I want to find out about who you are a \nlittle better. That may help my understanding.\n    Ms. Feldblum, if I ever need an advocate I want you to come \nwork for me. At Georgetown University Law Center, how many \nlawyers are over there?\n    Ms. Feldblum. We have about 95 faculty.\n    Mr. Norwood. So, 95 lawyers?\n    Ms. Feldblum. And we train about 600 a year.\n    Mr. Norwood. How many are expert in health care policy?\n    Ms. Feldblum. We have about 10. We have actually one of the \nstrongest health faculties in the country.\n    Mr. Norwood. Do you consider that center expert in all \nFederal legislation?\n    Ms. Feldblum. Oh, no. There is a lot of Federal legislation \nthat gets passed--we are the largest law school in the country \nso we probably have the greatest expanse of expertise, but I am \nsure that we still don\'t cover all areas.\n    Mr. Norwood. You have made some very strong statements for \nwhich I tell you with all respect, I want you on my side. The \nproblem with some of that is that if we were to put 100 lawyers \nin here, they would not agree with you at all. They wouldn\'t \nagree on anything, including the world is round, so we have to \ntake what you are saying to us and be very careful with it, \nalthough you are very positive you are right.\n    I am sitting here thinking that I know two or three lawyers \nat the University of Georgia who will not agree and be an \nadvocate against it just as well. 
I appreciate and admire your \nstrong feelings, but from our point of view we have to be \ncareful with what you are saying just in case there is another \nlawyer or two that might disagree with how you phrased with \nwhat is wrong.\n    So one of the things that I have learned up here, and I am \nproud I am not a lawyer, but I guarantee you this wordsmithing \ngame is a game to let lawyers do anything they want to do and \nany bill they want to do it with in order to get done their \nagenda.\n    Mr. Nielsen, are you an attorney?\n    Mr. Nielsen. I am, sir.\n    Mr. Norwood. I thought that probably was the case. Would \nyou tell me a little bit about Intermountain Health Care?\n    Mr. Nielsen. We were founded in 1975 when the Mormon Church \ndivested itself of all of its hospital systems. They were \ndetermined to no longer be central to the mission, so a not-\nfor-profit corporation was founded in 1975 which included the \nessence of that former system, plus others.\n    Mr. Norwood. Did you buy those hospitals?\n    Mr. Nielsen. They were given to us and the company was \nformed with two goals. One, that no one should personally \nprofit; and, second, that we should provide health care to \nanyone who needs it, irrespective of ability to pay.\n    Mr. Norwood. How many physicians do you have?\n    Mr. Nielsen. We employ 400-plus. Plus on the health plan, \nwe have affiliated physicians of about 2,500 others.\n    Mr. Norwood. Are they salaried positions when you say \nemployed?\n    Mr. Nielsen. They are.\n    Mr. Norwood. When they see a patient and document care as \nwell as health care history, who owns that information?\n    Mr. Nielsen. Well, the record itself is the property of the \ninstitution. The information, of course, is the individual\'s. \nWe have always maintained that they are free to access that \ninformation if they need it for any reason.\n    Mr. Norwood. So that the paper it is written on belongs to \nyou?\n    Mr. Nielsen. 
That is correct.\n    Mr. Norwood. But the information in there should belong to \nthe patient?\n    Mr. Nielsen. Sure.\n    Mr. Norwood. With your 400 physicians--that information \ndoes belong to the patient. Why are you seeking that \ninformation in a central room somewhere with a big computer? \nWhy do you want to compile all of that information that belongs \nto the patient, and what are you trying to get at by compiling \nit?\n    Mr. Nielsen. We are attempting to establish a longitudinal \ndata record of a patient\'s medical history that can be \navailable to health care providers when they need it. For \ninstance----\n    Mr. Norwood. About why can\'t health care providers simply \ncall up Dr. Jones and say, Listen, I am treating this patient; \nsend me over the record?\n    Mr. Nielsen. Because Dr. Jones may be out of town. Dr. \nJones may not be able to be immediately contacted. Rather than \nthat kind of archaic kind of process, we have it \ninstantaneously available to the physician. And let me give you \nan instance. A person presents themselves at the emergency room \nwith some unknown malady, maybe a drug reaction, maybe \nsomething more severe than that. The emergency room physician \ncan pull up that medical record instantly, know exactly what \nthe medical history of that person is, what drugs he or she may \nhave been taking to avoid prescribing or treating that \nindividual inappropriately.\n    Mr. Norwood. Is there any other reason you want all of this \ninformation?\n    Mr. Nielsen. You mean in a clinical setting or any setting?\n    Mr. Norwood. In any circumstance? Is there any other reason \nbesides good health care that you want all of this information \non computer? How many patients do you guys see? How many is in \nyour network?\n    Mr. Nielsen. We have almost 1 million covered.\n    Mr. Norwood. Is there any other reason you want that \nmillion patients and the health care information about them in \nyour computer? 
And you are testifying before Congress, so \ncareful here now; is there any other reason you want it?\n    Mr. Nielsen. I can tell you, in all candor and honesty, our \nmission is to provide the very best possible health care to the \npeople we serve and that statement would characterize why we \nare attempting to do what we are doing.\n    Mr. Norwood. You are a lawyer. Try again. Is there any \nother reason why you want that information? Of course you want \ngood health care for your patients. That is a given. Any other \nreason you want it?\n    Mr. Nielsen. There is no other reason other than to provide \noptimal health care. Now, that can be in the context of \nclinical delivery, it can be what health plans do in terms of \ndisease management. But ultimately the goal is to provide the \nvery best health care possible and that is the only reason.\n    Mr. Norwood. Of course. That is a given. Does it have \nanything to do with mathematical science? Do you favor outcomes \nas a way to help treat patients?\n    Mr. Nielsen. Of course we do.\n    Mr. Norwood. Now that is the other reason, isn\'t it?\n    Mr. Nielsen. If what you are getting at in terms of keeping \nan eye on physician practices to determine if in fact \nphysicians are utilizing the best practice protocols and so on, \nas we measure outcomes against practices, yes, we use it for \nthat purpose.\n    Mr. Norwood. I will tell you that is the best thing that \nyou and all of managed care has done in this country today. You \nhave taken a cottage industry and you have been able to put \ntogether mathematical results and outcomes and that is useful. \nThe problem is, for the rest of out there, we worry that you \ndepend on that way too much and less on medical science and the \nart of medicine.\n    Mr. Bilirakis. The gentleman\'s time has expired. Ms. Capps.\n    Ms. Capps. Thank you, Mr. Chairman. I will continue with my \ncolleague\'s going through the panelists to get, you know, \nbetter.\n    Mr. 
Bilirakis. Ms. Capps, forgive me. We would like to get \nthrough this panel to give you the opportunity to go home and \nthen we are going to break for an hour for lunch. I have a \nmarkup. Mr. Greenwood has a markup. And so when we say for \nlunch, it probably means that we won\'t be able to eat lunch, \nbut we are going to break. I want to set a schedule for the \nbenefit of the second panel so they can make their plans \naccordingly. I am sorry to interrupt.\n    Ms. Capps. I know that the American Psychiatric Association \nfeels strongly about privacy protections and I know that the \nHouse of Representatives passed a financial services bill, H.R. \n10, which contained medical records privacy protection. This \nbill was passed out of this very committee, and I would ask you \nto comment as you like on the medical records privacy \nprotections in H.R. 10 and whether or not you believe this bill \nis adequate to protect patients.\n    Mr. Appelbaum. As you know, we and 39 other medically \nrelated groups, including the American Medical Association, \nhave expressed our concern about provisions in H.R. 10. This \nhearing demonstrates the complexity of this issue. To think \nthat in their little more than a page of text, we might be able \nto implement confidentiality legislation that took all of these \nvarying interests into account I think is a wonderful account \nbut proved to be fruitless in its outcome.\n    In its broad sweep, H.R. 10 does away with requirement for \nconsent notification about the use of their information by the \ninsurance industry. It opens those records up in a widespread \nway to access by law enforcement entities. It allows internal \nuse of this information for such tasks as marketing and others \nthat were not envisioned by the people who provided this \ninformation to their insurance companies. There are no \nregulations governing secondary disclosures of this \ninformation. 
Once turned over under the provisions of this law, \nit would be free to be utilized in any way imaginable or \nunimaginable by the recipient. It would also preempt State \nregulation in this area, much of which is much more restrictive \nand more protective of patients\' interests. I think those \nencapsulate our concerns.\n    Ms. Capps. And for me, that gives an urgency about this \nhearing and hopefully others that we will be having on this \nimportant topic.\n    Just to allow your expertise to further enlighten us, I \nunderstand that you over at the University of Massachusetts, \nDepartment of Psychiatry--what kind of safeguards does your \ninstitution put in place to implement for privacy when you \nconduct research that we might learn from that?\n    Mr. Appelbaum.  All of our research is reviewed by our IRB \nunder a general assurance that we provide to HHS regarding our \nresearch practices. We find this to be acceptable and a \nreasonable way of accommodating researchers\' desires to gather \ndata and patients\' interests in privacy and protection of other \nsorts. As far as medical record information is concerned, our \nIRB, as I think most IRBs, uses a fairly straightforward \napproach.\n    To the extent that information is being gathered \nprospectively and patients can be asked for their consent in \nadvance, their consent is solicited. To the extent that we are \ntalking about accessing large medical data bases which have \nalready been collected and for which it would be impossible to \nobtain for secondary utilization, that consent is not required \nas long as researchers build in confidentiality protections of \ntheir data. That has proven very workable.\n    And I might note that Mr. Nielsen\'s comments surprised me \nwith the speed in which the value of a comprehensive Federal \napproach which covers the whole country disappeared as we moved \nfrom confidentiality legislation to protection of human \nsubjects in research.\n    Ms. Capps. 
So that might be an example for us to include in \nour legislation?\n    Mr. Appelbaum.  Absolutely.\n    Ms. Capps. Are there others--would you feel that this would \nbe a matter for preemption? That if we had this standard, that \nwe could expect that this could be followed nationwide?\n    Mr. Appelbaum.  I would believe that this is a standard \nthat could be followed nationwide and built on the existing \ncommon rule to which most research in this country already \nadheres.\n    Ms. Capps. Thank you.\n    Mr. Bilirakis. I thank the gentlelady. Mr. Burr, to \ninquire.\n    Mr. Burr. I thank the chairman. How quickly the chairman \ncleared the room of members with his announcement of lunch.\n    Let me go to another area and I really want to touch on \nwhat Mr. Waxman referred to. He suggested that it should be a \nFederal floor versus ceiling, and I will tell you that HHS \ncouldn\'t define what they were doing as to whether it was a \nfloor or a ceiling, and it has shifted as the debate has gone \non, and so I know how that movement in the water feels, Ms. \nFeldblum.\n    And he questioned should we limit States from having the \nability for stronger standards? Let me suggest to you that the \ndetermining factor in that answer should be, does it affect the \nhealth of patients?\n    I understand the group that you are in and I understand the \ngroup that you represent and I understand where you are coming \nfrom with the CRPs, and I understand from an industry \nstandpoint the challenges that you are faced with. We have not \nconcentrated much on the middle, but that is what the whole \nhealth care decision process should be based on, the human face \nright there.\n    And the question is how do all of the things that each one \nof you have brought up, how does Mr. Greenwood\'s bill and how \ndoes Mr. Markey\'s bill affect Justin? And that is really what I \nwant to deal with because, Mr. 
Appelbaum, you have talked about \nan opt-out, and that sounds very appealing to a patient, and I \nthink you made a great statement that I would say I would do \nthe same thing.\n    If uninformed when you signed up for your health plan, do \nyou want your information released or held? Ninety-nine percent \nof the people in this room would hold it. And we would have \nvery little information to do our clinical research from and \nclearly that would affect the health of the American people.\n    Is there a Federal need to talk about whether preemption is \nimportant? Yes, it is about the health of each individual \npatient, and that is one of the responsibilities for Congress. \nIf not, we don\'t need to debate a patients\' bill of rights or \nhave a HCFA. There are a lot of entities that we can cut out, \nincluding the Food & Drug Administration, and the litany goes \non and on.\n    So let\'s go to the heart of the opt-out, if we could. You \nfeel that individuals should have the ability to opt-out of any \nof their records being used? Is that a correct interpretation \non my part?\n    Mr. Appelbaum.  Yes, we believe that individuals should \nhave control over their medical record information and decide \nwhen it is disseminated and when it is not.\n    Mr. Burr. Let me ask for a legal interpretation from Ms. \nFeldblum. If there is an opt-out like he describes, would a \npatient have the ability to opt-out from any of their records \nbeing shared with the FDA for the post-approval review of \npharmaceuticals or medical devices?\n    Ms. Feldblum. You would have to modify that law to allow \nthe person to opt-out. There is no bill that I know of that is \nallowing patients to opt-out of having their information----\n    Mr. Burr. I realize that. I am not on any of the bills. I \nam on some of the suggestions which have been made and I think \nthe opt-out is one that--you are not the only one, Mr. 
\nAppelbaum, that have raised the individual power of the patient \nto say, I don\'t want my information to be shared, period, with \nanybody. An opt-out is fully opt-out or you opt in. You either \nshare it or you don\'t.\n    My question is, under that from a legal standpoint, would \nthat patient\'s information be illegal to be shared with the FDA \nwho is federally charged with the responsibility to look at \npharmaceuticals and medical devices after the approval period \nto determine whether there are adverse effects on health that \nmay materialize from a larger tested population?\n    Ms. Feldblum. If you wanted that also to be illegal, you \nwould have to amend that.\n    Mr. Burr. We would have to amend it.\n    Ms. Feldblum. You could not repeal the FDA law by \nimplication by allowing someone to opt-out.\n    Mr. Burr. So how many places, if we did an opt-out, would \nwe have to go back and change the bill to allow a valuable \npiece of information to be accessed when a person doesn\'t want \nit, because it is in the public interest and the public health \ninterest versus the individual\'s choice up front?\n    Ms. Feldblum. That is one of the reasons that we are not \nsuggesting that as a matter of policy.\n    I thought your point about preemption, the way to answer \nthe question is to say how does it affect the individual person \nis the best way to think about the question. Not convenience, \nnot what is easier, but what is better for the patient.\n    And it seems to me that the first thing that is good for \nthe patient is for Congress to do what it hasn\'t done for 20 \nyears, which is pass a uniform national standard of privacy so \nthat it doesn\'t matter whether you live in Kentucky or \nMassachusetts as to what your protections are. 
Then the second \nthing you should do if you care about the patient is if a State \nhas decided that there is a particular problem that they have \ndiscovered that they want to legislate on for a particular \nperson----\n    Mr. Burr. What if it is you coming to Congress saying we \nhave determined something that ought to be Federal? Are we \ngoing to start raising the bar? Part of the system is the \nunpredictability of legislation as it relates to health care \npolicy.\n    Ms. Feldblum. Nothing precludes you passing a Federal \nprivacy law now, and 5 years from now somebody saying there is \nsomething else that should be done on a Federal level. The \nwhole point about the States being the laboratories of \nexperiments--it is better if you do it--and over the 5 years \nyou discover that you were not completely brilliant, there is \nsomething you forgot, this way you leave an option for the \nStates to fill in on the gaps, and you may decide 5 years later \nthat you want to do it for the rest of the country.\n    Mr. Bilirakis. The gentleman\'s time has expired.\n    Mr. Burr. Let me just ask this question. Did Maine in their \nlaw get it right or wrong?\n    Ms. Feldblum. They got it wrong on next of kin.\n    Mr. Burr. So we are not the only ones that could get it \nwrong?\n    Ms. Feldblum. That is certainly true. But because of what \nMaine did, we will make sure that next of kin is done right \nhere.\n    Mr. Bilirakis. Dr. Ganske.\n    Mr. Ganske. Mr. Nielsen, you are a member of the health \nprivacy working group?\n    Mr. Nielsen. Yes.\n    Mr. Ganske. And we got a report today in Congress Daily \nthat you have made some progress on a number of issues and that \nyou are releasing a report?\n    Mr. Nielsen. It has been released. We have copies for \neveryone, I think. They are available.\n    Mr. Ganske. According to Congress Daily, you have made some \nprogress. Can you describe the group for the committee?\n    Mr. Nielsen. Sure. 
It was comprised of people who are \ntypically privacy advocates, disability advocates. It was \ncomprised of clinicians, of industry people. I think the folks \nat Georgetown tried to get as broad a cross-section of \nindividuals as they possibly could.\n    Mr. Ganske. Ms. Feldblum, were you involved in this group?\n    Ms. Feldblum. Jeff Crowley, who is the chair of the working \ngroup for whom I am the pro bono counsel, was a member of this \n15-member group. So I was involved in it via him.\n    Mr. Ganske. So you are aware of what this report is?\n    Ms. Feldblum. Yes.\n    Mr. Ganske. What is your assessment of that report?\n    Ms. Feldblum. My assessment is that it was a really good \neffort at trying to figure out best principles, and that in \nsome areas it will be very useful guidance to Congress about \nuse and disclosure, authorizations, research. Even though it \nis--not all of the positions are ones that CCD holds, because \nit was a broad group, but some very useful consensus building \non those issues. Not on all of the issues. They don\'t say \nanything about private right of action because it was not a \ntemplate for Federal legislation, it was best principles for \nindustry to do voluntarily. They can\'t create a private right \nof action so there are some issues that are unique to Congress \nthat are not in this report, but there are a bunch. I think it \nis an awesome amount and an incredible amount of good faith and \ngoodwill that went into this report.\n    Mr. Ganske. And so the Consortium of Citizens with \nDisabilities is looking very favorably on this report?\n    Ms. Feldblum. There are things that are not addressed \nbecause there is not agreement. So preemption, private right of \naction we won\'t. But on other things, yes, we think it is very \ngood.\n    Mr. Ganske. I tend to agree with many statements made by \nmembers of the panel. 
I think that if you do set a strong \nprivacy standard, that it tends to take away the necessity for \nStates which have not already looked at this to come up with \ntheir own, and so it tends to create a national standard.\n    I happen to believe that States--in general, that States \nshould not be preempted for stronger legislation. That is what \nI have looked at in terms of my own managed care protection as \nan example.\n    But that if you look at, for instance, the State of Iowa, \nwe just passed some patient protections in the Iowa \nlegislature, but had we had a pretty strong Federal law already \nin place, I don\'t think that the legislature would have picked \nit up.\n    So I am sympathetic to those who work across State lines in \nterms of having some uniformity. I think if we developed a \nstrong enough privacy bill it would function that way, and at \nthe same time I wouldn\'t want to preempt Texas or California \nfor some of the things that they have done.\n    I have some problems with Mr. Greenwood\'s bill, that is why \nI am not a cosponsor, but I respect the work and effort that he \nhas put into it.\n    Ms. Feldblum, I certainly appreciate how a few words can \nmake a great big difference. We are dealing with a debate in \nthe Senate right now on medical necessity where five little \nwords would make a huge difference, and that is ``not be bound \nby plan guidelines\'\' that makes all of the difference in the \nworld in terms of whether you have a strong bill or weak bill. \nSome of the things that you have pointed out in terms of this \nlegislation are similar.\n    We are going to get down to some really difficult issues in \nterms of the enforcement. And I must admit as I look at the \nenforcement provisions in the bill that we are talking about \ntoday, I have some reservations about who actually would be \nsubject to the criminal provisions. 
And then we are also going \nto have to get into, I think, a debate on the liability issue, \nand I haven\'t come to a decision on that yet either.\n    Ms. Feldblum, I am going to take advantage of the fact that \nI have a professor of law before me.\n    Have you looked at my provision, the Ganske provision in \nH.R. 10?\n    Ms. Feldblum. Yes, I looked at it about a week and a half \nago.\n    Mr. Ganske. I am going to do something that a trial \nattorney should never do, and that is to ask a witness for an \nopinion when you don\'t know exactly what they are going to say. \nBut I want to clear up something about opt in and opt-out. An \nopt-in by my understanding is where you\'ve got a provision that \nthe information cannot be shared unless the patient gives the \nconsent?\n    Ms. Feldblum. Right.\n    Mr. Ganske. I thought we were getting a little bit confused \nwhen we were talking about that before. The provision that I \nhad in H.R. 10 was an opt-in. It says the confidentiality of \nindividually identified customer health, genetic information, \nthe insurer may disclose that information only with the consent \nor at the direction of the customer, either with affiliates or \noutside of that health concern.\n    Then we had some specific provisions in terms of the \nstandard underwriting and some things like that, but we say and \nhere is an important word, at the end of that clause, ``or as \notherwise required and specifically permitted by Federal or \nState law.\'\'\n    Now, as a Georgetown lawyer on the faculty, is that not \nsaying that this information or that this provision does not \npreempt State law as it relates to those exceptions?\n    Ms. Feldblum. Maybe I can write you something because I \ndon\'t have the language in front of me. I will just say \nbriefly, as I understood the problem with that, is the list of \nthings that were exemptions before the ``or\'\' and whether some \nof that could be misinterpreted. 
My gut in reading it was it \nwas intended to be very protective of privacy, and because of \nthe point that Mr. Norwood made that there are some lawyers out \nthere who would read things which is not what your lawyer \nintended it to be, that is the problem. I think this could be \nworkable.\n    And for sake of time, I would want to get the exact \nquestion and I will commit to getting an answer in writing and \norally as to what are the potential ways that language could be \nmisused.\n    Mr. Bilirakis. The gentleman\'s time has expired.\n    Mr. Ganske. One minute?\n    Mr. Bilirakis. We have to break in a few minutes. Thirty \nseconds.\n    Mr. Ganske. It says also in compliance with Federal, State \nor local law. And then it says that this is enforced by the \nchief law enforcement officer of the State, the State insurance \ncommissioner or otherwise, and so----\n    Ms. Feldblum. I will take that into account when I respond \nto your question.\n    Mr. Ganske. Thank you.\n    Mr. Bilirakis. Mr. Markey.\n    Mr. Markey. Thank you very much, Mr. Chairman.\n    I do like the Ganske opt-in language. What I didn\'t like \nwere the loopholes built into his exceptions which included: \nOne, reporting to credit reporting agencies; two, disclosing \ninformation for research; three, disclosing information to \ninsurance underwriters; and, four, disclosing information in \nconnection with a merger or acquisition.\n    In itself it is the correct principle, but it is the \nloopholes that swallow the rule which cause the problem. I very \nquickly will go through the questions that I have.\n    On page 49 of the Greenwood bill, it says the disclosure of \na person\'s protected health information is authorized for the \npurpose of reporting to consumer reporting agencies.\n    Why in the world should Equifax or some other consumer \nreporting agency get access to my most personal medical \nrecords? 
Once they get it, what safeguards are there from this \ninformation being accessed by others, including any company or \ncreditor that I do business with, Ms. Feldblum?\n    Ms. Feldblum. Well, you know, this section on electronic \npayment cards, they always make a note that says superfluous, \nbecause they didn\'t really need a whole separate section for \nthemselves. And you point out a problem that once you start \nputting in a separate section for someone, the fact is with all \nof these folks it should be done under the authorization. When \nI sign up for my credit card, I should have to file an \nauthorization under section 203 which means that you can\'t \ncondition my health care services----\n    Mr. Markey. It is kind of funny that this whole thing is in \nthere. Why is it in there?\n    Ms. Feldblum. There was a lobbyist who convinced someone.\n    Mr. Markey. Let me move on to page 50.\n    Mr. Greenwood. If you know who that lobbyist is, will you \nlet me know so we can meet?\n    Ms. Feldblum. I think it happened about 4 years ago.\n    Mr. Markey. 
There is an immaculate inclusion of this \nprovision.\n    On page 50 it says banks, credit unions and securities \nfirms are explicitly excluded from the requirements of the bill \nto the extent that they are engaged in transaction processing, \nfunctions described in subsection (b) of section 211 of the \nbill.\n    Furthermore, to the extent that banks or credit unions or \nsecurities firms are engaged in activities that fall outside \nthe permitted activities in subsection (b), the bank \nregulations and the SEC are declared to be the exclusive \nenforcement agencies for such institutions.\n    The problem with that is neither the Federal securities \nlaws nor the banking laws specifically empowers the SEC or the \nbanks or credit union regulators to be health information \nprivacy agencies.\n    I understand that the banking laws may give some kind of \nprotection, the Fed and the credit union regulations may have \nsome general authority to enforce against violations of any \nlaws by banks or credit unions, but policing against such \nviolations is not their primary mission. And the SEC has no \nauthority in this area whatsoever so they couldn\'t take action \nagainst the securities firms that violated that section; is \nthat right, Ms. Feldblum?\n    Ms. Feldblum. Well on page 51 what they say is nothing in \nthe section shall be deemed to exempt the entities from the \nprohibition except (c). Subsection (c) says you can\'t disclose \nprotected health information.\n    So what they have done is say you can\'t disclose protected \nhealth information, but we are not covering you under the bill \nfor everything else, but do not construe that to mean that you \ncan now disclose protected health information. 
It is another \nexample of when you start writing things specifically for \nindividual industries, you really get in trouble because this \nis--this is a good teaching moment but a poor piece--poor \ndrafting on this--is it so horrific, it is confusing.\n    Mr. Markey. But there is a reason that we use banks, credit \nunions and Equifax. All of these very interesting provisions \nbuilt into----\n    Mr. Burr. Would the gentleman yield?\n    Mr. Markey. I will yield.\n    Mr. Burr. When you said for specific industries, would you \nalso include the FDA? If you tried to write caveats for them, \nit might have different results on everybody else as well?\n    Ms. Feldblum. There is a section in here that says you can \nreport to the FDA for the post-marketing problems. I have never \nfelt that was a necessary provision. You could have put that in \nalready by the overall system of when I authorize that \ncompelled authorization, I also authorize for information to be \ngoing to the FDA.\n    You see, in other words there is so much--when you craft a \nbill correctly, you don\'t have to do a lot--all these other \nthings.\n    Mr. Burr. Unless there is a blanket opt-out.\n    Ms. Feldblum. Yes, but we are not trying to do that.\n    Mr. Bilirakis. The gentleman\'s time has expired. Please \nproceed for another minute.\n    Mr. Markey. I thank you, Mr. Chairman.\n    The point that I am trying to make is that this bill has \nsome good things in it. But again, I believe that much like the \nGanske amendment, all of the exceptions swallow all of the good \nthings, and you wind up with a product that is not ultimately \nconsistent with public opinion, which demonstrates the \npassionate concern Americans have about not only their health \ncare and financial and on-line privacy information generally. \nSo it is an integrated kind of conversation here and it is \ndifficult to go in any direction very long before you hit other \nareas, on-line, financial. 
And you have to have a uniform way \nof looking at all of this, so that we are agreeing on a set of \nprinciples, what it is that we want to accomplish, and \nregarding research and other areas, and we want to carve out \nthings in other particular areas, but I don\'t think that we \nhave reached that area on the committee. I think we are still \ngrappling with the larger notion that everybody is entitled to \nthe right to know the information being gathered about them, \nand the right to say no, you don\'t want it shared.\n    You can carve out some very specific and important public \ninterest exceptions. But when banks, credit unions, Equifax, \nclearly are inside legislation, it is going to raise concerns. \nI hope that we can work together on a bipartisan basis because \nI think it is very important to work together on this, but I \ndon\'t think that we have reached that point yet where we agree \non the larger principle.\n    Mr. Bilirakis. The staff will be working very diligently \nstarting at 5 o\'clock this evening.\n    Mrs. Pawlak, because you are the only one here who \nbasically has been directly concerned and involved in this, do \nyou have any final statement that you would like to make, \nhaving heard all of this on both sides?\n    Ms. Pawlak. A lot of what I have been listening to I have \nunderstood. A lot of what I have been listening to has been \nvery confusing.\n    As a basic layperson, I have been involved in health care \nbecause of my son\'s illness. I have learned a little more about \nthe health care industry. You are talking with a basic \nlayperson who has not had the opportunity to learn more about \nit. You are talking to a person with less knowledge than I had \non the subject, and in the case of the opt-out I would need \nsomebody to protect me from me. I would have made a big \nmistake. Knowing a little bit about medicine, I would have made \na big mistake. 
I need people who have more knowledge to protect \nme from me and protect my health from me.\n    Mr. Bilirakis. Well put.\n    The hearing is recessed until 1:45. Thank you very much. \nThis panel is discharged. We ordinarily ask you if you are \nwilling to respond to questions in writing. You all are, are \nyou not? Thank you very much for being here.\n    [Whereupon, at 12:47 p.m., the subcommittee recessed, to \nreconvene at 1:45 p.m. this same day.]\n\n                           afternoon session\n\n    Mr. Norwood [presiding]. Committee will come to order.\n    Let me first thank the witnesses for being here, and I will \nintroduce you in just a second. We are in a very, very busy \ntime right this minute, and many members will be back shortly, \nand I expect that we are going to be called to the floor in \njust a few minutes, but what I would like to do, if I may, is \nMr. Waxman and I will introduce you, and we will at least begin \nthe process so maybe you guys can get home sometime before dark \ntonight.\n    Our first witness is Ms. Carty, Cristin, Vice President of \nthe California Health Institute. Thank you for being here.\n    Randy Johnson, Vice President of Labor and Employee \nBenefits, U.S. Chamber of Commerce; Dr. Andrews, who is \nDirector of Worldwide Epidemiology, Glaxo Wellcome. Ms. \nAndrews, thank you for coming here.\n    Dr. Carolin Frey, Chairman of the Institutional Research \nReview Board. Thank you, ma\'am, for being here.\n    And Dr. Greg Koski, Director of Human Research Affairs, \nPartners Health Care System. And thank you, sir, for coming.\n    We have already had one panel, and this is a most \ninteresting and complex subject, and we appreciate all of you \ntaking time to come and share your views with us. All of you \nhave your information that will be in the record and submitted \nin the record, and Ms. 
Carty, if we could start perhaps with \nyou, and we will try to limit these to 5 minutes, if we can.\n\nSTATEMENTS OF CRISTIN CARTY, VICE PRESIDENT, CALIFORNIA HEALTH \n    INSTITUTE; RANDEL K. JOHNSON, VICE PRESIDENT, LABOR AND \n   EMPLOYEE BENEFITS, U.S. CHAMBER OF COMMERCE; ELIZABETH B. \n  ANDREWS, DIRECTOR OF WORLDWIDE EPIDEMIOLOGY, GLAXO WELLCOME \n  INC.; GREG KOSKI, DIRECTOR, HUMAN RESEARCH AFFAIRS, PARTNER \nHEALTH CARE SYSTEM, MASSACHUSETTS GENERAL HOSPITAL; AND CAROLIN \n    M. FREY, CHAIRMAN, INSTITUTIONAL RESEARCH REVIEW BOARD, \n           PENNSYLVANIA STATE GEISINGER HEALTH SYSTEM\n\n    Ms. Carty. Good morning, Mr. Chairman and members of the \ncommittee. Thank you for the opportunity to present testimony \ntoday on the very important topic of the confidentiality of \npatient medical information. My name is Cristin Carty, and I am \nthe Vice President of Public Policy for the California \nHealthcare Institute. CHI\'s nearly 200 members include \nleading biotechnology, pharmaceutical, medical device companies \nand premier academic life science research institutions. \nWorking on both the State and Federal levels, CHI strives to \ncreate a favorable climate for biomedical discovery and \ninnovation, ensuring that patients have access to breakthrough \ntherapies.\n    CHI supports the enactment of strong, uniform Federal \nstandards, establishing accountability and penalties to protect \nthe confidentiality of patient health information. 
Use of \nmedical data should be restricted to activities that are deemed \nappropriate and necessary to quality health care and to \nresearch dedicated to improving health care outcomes.\n    Today, I will provide a snapshot of the bioscience industry \nin California and discuss the importance of framing one strong \nnational standard that will secure all patient information \nequally.\n    Proposed new Federal regulations for handling medical \ninformation will clearly affect access to patients\' medical \ndata and, in turn, influence scientific progress. The challenge \nwe face is to preserve the confidentiality of medical \ninformation without erecting barriers to the research that is \nour only hope to conquer diseases like Alzheimer\'s and breast \ncancer. In this context, I will touch on key provisions in the \nMedical Information Protection and Research Enhancement Act of \n1999. Above all, I would like to encourage the adoption of a \nset of uniform Federal standards that will preempt conflicting \nState laws and thus safeguard scientists\' ability to conduct \ncrucial medical research.\n    Over the past 20 years, California has become the global \nheadquarters for biomedical innovation. Overall, more than 2500 \nbiomedical companies and 75 university and private research \ninstitutions are actively engaged in biomedical R&D, and health \ncare technology now accounts for more than 200,000 California \njobs.\n    Sound research and clinical testing is the cornerstone of \ninventing safe and effective new therapies. Essential to this \nprocess is a researcher\'s ability to utilize the full scope of \npatient data. 
The flow of medical information in a responsible \nand protected manner has played a vital role in the \nbiotechnology revolution that has transformed medicine and that \nholds tremendous promise for scientific progress.\n    In 1997 alone, California\'s leading medical technology \ncompanies invested nearly $11 billion in research and \ndevelopment. It typically takes more than 10 years and $500 \nmillion to bring a new molecular entity from the laboratory to \nthe bedside. New layers of restrictions on using crucial \nmedical information will simply make what is already a very \ntime-consuming and resource intensive process even more so, \ndelaying new therapies and adding greatly to their already high \ncost.\n    California\'s leading edge biomedical companies are \ncurrently exploring scientific areas that raise important and \ncomplex questions regarding the confidentiality of medical \ninformation. These include basic research on human genome \nsequencing, the capacity to place DNA information in digital \nformat, research into stem cells that will help scientists \nunderstand the causes of cell aging and death, and advanced \ndiagnostics that will clearly target and enhance the use of \ntherapies. In each of these areas, science is driven by patient \nmedical data, including genetic information, ushering in a new \nera of medical promise.\n    Consider this example: Last September, the FDA approved a \nbreakthrough treatment called Herceptin. The treatment was \napproved for use in patients with metastatic breast cancer who \nhave tumors that overexpress the HER2 protein. In this case, \nresearch involving patient information, including genetic \ninformation, and the conduct of broad clinical trials helped \nscientists determine that the treatment was most effective for \na specific population group, those who overexpressed the HER2 \nprotein. 
Establishing uniform Federal standards for the \ntreatment of all patient health information, including genetic \ninformation, will have a tremendous positive impact on future \ntreatment advances. Conversely, if States continue to enact \nlegislation that impedes the responsible flow of medical \ninformation, many potential new therapies will simply not be \ndeveloped.\n    While guidelines to protect the patient\'s confidentiality \nare absolutely essential, the ability of the researcher to \ncompile and access the medical data, governed by uniform and \nworkable rules, will drive the pace and quality of crucial \nresearch.\n    As a State-based organization, CHI is highly attuned to the \nlegislative developments in Sacramento. Recent attempts at the \nState level to legislate medical confidentiality, as well as \nbroader privacy requirements, now threaten the cycle of \nbiomedical innovation that has thrived in California. For \nexample, some State legislators have discussed modeling State \nconfidentiality regulations based on the European Union\'s data \ndirective requiring unambiguous consent each time data is \naccessed and barring many uses of the data. Such a model would \nsimply paralyze the important flow of medical information \nneeded to fuel medical progress.\n    Drug studies depend on research throughout the country, and \ncompanies enter into partnerships with academic institutions \nand research entities in almost every State of the Union. \nAgain, absent a uniform Federal standard as set forth in the \nGreenwood bill, a multitude of State requirements for the \nhandling of patient health information could disrupt patient \ncare and restrict the development and access to advanced \nmedical technologies.\n    Finally, I would like to stress the importance of defining \nprotected health information in precise legislative language. 
\nResearchers must be able to use nonidentifiable information for \noutcomes research, disease management programs, epidemiology \nstudies and disease control.\n    Mr. Chairman, thank you for the opportunity to testify \ntoday. CHI\'s members are committed to the establishment of \nuniform Federal safeguards for the handling of medical \ninformation that promote accountability and are enforced by \npenalties. With these Federal guidelines, patient information \nwill be protected and used responsibly. Also, with one uniform \nset of rules, medical progress in the areas of \nbiopharmaceuticals, medical devices and diagnostics will \ncontinue at the pace we all have come to expect.\n    Thank you.\n    [The prepared statement of Cristin Carty follows:]\n  Prepared Statement of Cristin Carty, Vice President, Public Policy, \n                    California Healthcare Institute\n    Good morning, Mr. Chairman and Members of the Committee. Thank you \nfor the opportunity to present testimony today on the very important \ntopic of the confidentiality of patient medical information. My name is \nCristin Carty, and I am the Vice President of Public Policy for the \nCalifornia Healthcare Institute (CHI). CHI\'s nearly 200 members include \nleading biotechnology, pharmaceutical, medical device companies and \npremier academic life science research institutions. CHI is a non-\nprofit, public policy research and advocacy organization for \nCalifornia\'s extensive health care technology enterprise. 
Working on \nboth the state and federal levels, CHI strives to create a favorable \nclimate for biomedical discovery and innovation, ensuring that patients \nhave access to breakthrough therapies.\n    CHI has been working with key partners in the industry including \nthe Pharmaceutical Research and Manufacturers of America (PhRMA) and \nthe Biotechnology Industry Organization (BIO) on the many legislative \nproposals that have been drafted in response to the requirements \noutlined in the Health Insurance Portability and Accountability Act \n(HIPAA). CHI supports the enactment of strong, uniform federal \nstandards, establishing accountability and penalties to protect the \nconfidentiality of patient health information. Use of medical data \nshould be restricted to activities that are deemed appropriate and \nnecessary to quality health care, and to research dedicated to \nimproving health care outcomes.\n    Today, I will provide a snapshot of the bioscience industry in \nCalifornia and discuss the importance of framing one strong national \nstandard that will secure all patient information equally. Proposed new \nfederal regulations for handling medical information will clearly \naffect access to patients\' medical data and, in turn, influence \nscientific progress. The challenge we face is to preserve the \nconfidentiality of medical information without erecting barriers to the \nresearch that is our only hope to conquer diseases like Alzheimer\'s and \nbreast cancer. In this context, I will touch on key provisions in the \nMedical Information Protection and Research Enhancement Act of 1999. \nAbove all, I would like to encourage the adoption of a set of uniform \nfederal standards that will preempt conflicting state laws and thus \nsafeguard scientists\' ability to conduct crucial medical research.\n    Over the past twenty years, California has become the global \nheadquarters for biomedical innovation. 
Overall, more than 2,500 \nbiomedical companies and 75 university and private research \ninstitutions are actively engaged in biomedical R&D. Healthcare \ntechnology now accounts for more than 200,000 California jobs. More \nthan 160,000 Californians are directly employed by organizations \ndeveloping therapeutics and diagnostics, and manufacturing medical \ndevices. Major universities, federal facilities and private research \ninstitutes employ an additional 44,000 Californians in biomedical and \nclinical research.\n     Basic and clinical research staff at California\'s nine leading \nuniversity medical centers, UCSD, UCSF, UCLA, UC Davis, UC Irvine, \nCharles Drew University, Stanford, USC and City of Hope are involved in \na full spectrum of investigation, from basic genomics to human clinical \ntrials that test the safety and efficacy of new medicines and devices. \nOutstanding private research institutions like The Salk Institute and \nThe Scripps Research Institute further contribute to an environment \nthat fosters medical innovation and discovery. The research and \nclinical trials performed at these state-of-the-art centers are fueling \nthe development of powerful new technologies to treat patients.\n    Sound research and clinical testing is the cornerstone of inventing \nsafe and effective new therapies. Essential to this process is \nresearchers\' ability to access the full scope of patient data. The flow \nof medical information in a responsible and protected manner has played \na vital role in the biotechnology revolution that has transformed \nmedicine and that holds tremendous promise for scientific progress. The \naverage biotechnology company spends half of its operating expenditures \nin the development of new products for unmet needs. In 1997 alone, \nCalifornia\'s leading medical technology companies invested nearly $11 \nbillion in R&D. 
It typically takes more than ten years and $500 million \nto bring a new molecular entity from the laboratory to the bedside. The \nbulk of these resources are invested in the later stages of drug \ndevelopment, when a new medicine is subjected to extensive trials in \nhumans. New layers of restrictions on access to this crucial medical \ninformation will simply make what is already a time-consuming and \nresource-intensive process even more so--delaying new therapies and \nadding greatly to their already high cost.\n     I know that during a previous hearing you heard from at least two \nexpert witnesses who have first-hand knowledge of medical records-based \nresearch--Dr. Steven Jacobsen from The Mayo Foundation and Dr. John \nCurd who is now with VaxGen. Accordingly, my comments will be limited \nto two areas: patient information and its vital contribution to medical \nadvances, and how uniform national standards, as exemplified in the \nGreenwood bill, will help preserve and even expedite the current pace \nof scientific discovery and development.\n    California\'s leading-edge biomedical companies are currently \nexploring scientific areas that raise important and complex questions \nregarding the confidentiality of medical information. These include \nbasic research on human genome sequencing, the capacity to place DNA \ninformation in digital format, research into stem cells that will help \nscientists understand the causes of cell aging and death, and advanced \ndiagnostics that will clearly target and enhance the use of therapies. \nIn each of these areas, science is driven by patient medical data, \nincluding genetic information, ushering in a new era of medical \npromise.\n     Consider this example. Last September, the FDA approved a \nbreakthrough treatment called Herceptin. The treatment was approved for \nuse in patients with metastatic breast cancer who have tumors that \noverexpress the HER2 protein. 
In this case, research involving patient \ninformation, including genetic information, and the conduct of broad \nclinical trials helped scientists determine that the treatment was most \neffective for a specific population group--those who overexpressed the \nHER2 protein. Establishing uniform federal standards for the treatment \nof all patient health information, including genetic information, will \nhave a tremendous positive impact on future treatment advances. \nConversely, if states continue to enact legislation that impedes the \nresponsible flow of medical information, many potential new therapies \nwill simply not be developed.\n    One need look no further than the National Institutes of Health \n(NIH) database to understand the full scope and promise of clinical \ntesting research. With about 900 clinical studies under way at the NIH \nBethesda location covering dozens of diseases and disorders, protocols \nare approved by review boards for ethics, safety, design and \nsignificance. <SUP>1</SUP> While guidelines to protect the patient\'s \nconfidentiality are absolutely essential, the ability of the researcher \nto compile and access the medical data--governed by uniform and \nworkable rules--will drive the pace and quality of crucial research.\n---------------------------------------------------------------------------\n    \\1\\ From the NIH website, The NIH Clinical Center, last best hope, \nwww.cc.nih.gov/ccc/best/hope.html\n---------------------------------------------------------------------------\n     As a state-based organization, CHI is highly attuned to the \nlegislative developments in Sacramento. Recent attempts to legislate \nstate-based medical confidentiality as well as broader privacy \nrequirements now threaten the cycle of biomedical innovation that has \nthrived in California. 
Under the state\'s Confidentiality of Medical \nInformation Act, medical records are considered private, and release of \npatient medical information is restricted absent patient consent. State \nproposals designed to amend this act and other sections of the \nCalifornia Civil Code could establish significant barriers to \nbiomedical research. A bill offered in the state Senate last year would \nhave prohibited ``sharing\'\' of biometric identifier information--\ndefined as any ``biologically based characteristic unique to an \nindividual.\'\' <SUP>2</SUP> The bill was targeted at the financial \nservices industry; however, it would have had the unintended \nconsequence of ending most clinical research in the state. Pending \nbills raise a host of troublesome issues that will directly impact the \nquality of health care a patient receives. Two leading proposals, \nAssembly Bill 62 (Davis) and Senate Bill 19 (Figueroa) are broadly \ndrafted and may again create unintended results. For example, both \nbills may interfere with care coordination, case management and disease \nmanagement models of care for persons with special health care needs \nsuch as the elderly, the disabled and the chronically ill. Senate Bill \n19 would also permit an omnibus category of ``contractors\'\'--whether \ncustodian, data processor or researcher--to disclose medical \ninformation in certain circumstances. In addition, other state \nlegislators have discussed modeling state confidentiality regulations \nbased on the European Union\'s data directive requiring ``unambiguous\'\' \nconsent each time data is accessed and barring many uses of the data. \nSuch a model would simply paralyze the important flow of medical \ninformation needed to fuel medical progress.\n---------------------------------------------------------------------------\n    \\2\\ California State Senate Bill 1622, introduced Feb. 
12, 1998\n---------------------------------------------------------------------------\n     Drug studies depend on research throughout the country, and \ncompanies enter into partnerships with academic institutions and \nresearch entities in almost every state of the Union. Although the \nCalifornia Legislature has yet to fully approve the proposals mentioned \nabove, it is important to convey the full scope of legislation being \nconsidered on the state level. Legislation passed in Minnesota \nrestricts access to medical records for research purposes. Dr. Curd has \nalready testified on this topic, citing how the Minnesota law ``has \nmade it more difficult for the Mayo Clinic to conduct epidemiologic \nresearch by requiring specific patient authorization for the use of \npatient data.\'\' Aside from the bureaucratic challenge of complying with \nmedical information confidentiality requirements on a state-by-state \nbasis, a patchwork of laws would also influence the types of \npopulations included in clinical research--perhaps dissuading research \ninto certain sub-populations. Again, absent a uniform federal \nstandard--as set forth in the Greenwood bill--a multitude of state \nrequirements for the handling of patient health information could \ndisrupt patient care and restrict the development and access to \nadvanced medical technologies.\n     Finally, I would like to stress the importance of defining \nprotected health information in precise legislative language. It is \nabsolutely essential to understand that nonidentifiable information--\ninformation that is coded or encrypted or otherwise made anonymous (and \nthus cannot be connected with an individual)--is essential to health \nresearch. Legislation should reflect that such data does not raise \nprivacy concerns. Researchers must be able to use nonidentifiable \ninformation for outcomes research, disease management programs, \nepidemiology studies and disease control.\n     Mr. 
Chairman, thank you for the opportunity to testify today. \nCHI\'s members are committed to the establishment of uniform federal \nsafeguards for the handling of medical information that promote \naccountability and are enforced by penalties. With these federal \nguidelines, patient information will be protected and used responsibly. \nAlso, with one uniform set of rules, medical progress in the areas of \nbiopharmaceuticals, medical devices and diagnostics will continue at \nthe pace we all have come to expect.\n\n    Mr. Norwood. Thank you, Ms. Carty.\n    Mr. Johnson\n\n                 STATEMENT OF RANDEL K. JOHNSON\n\n    Mr. Johnson. Thank you, Mr. Chairman.\n    Mr. Chairman, I have been asked to address the narrow, but \ncritical issue of whether or not a private cause of action in \ncourt should be authorized under the legislation before you \ntoday. We believe, representing the U.S. Chamber of Commerce, \nthat the only reasonable answer to this question is no, and the \nChamber would strongly oppose inclusion of a new individual \nright to sue in addition to the severe criminal and civil \npenalties already in the legislation.\n    Contrary to the assumptions of some, it is not true that a \nnew right to sue must or should be created each time Congress \ncreates a new substantive legal right or that such a right is \nnecessary for effective enforcement--although it might be \nnecessary to keep the 600 lawyers that Ms. Feldblum referred to \nwho graduated from Georgetown employed.\n    Furthermore, experience would suggest that given the \ninherent negatives associated with court litigation, Congress \nshould reserve creation of a new, private cause of action in \ncourt for only those situations where there has been a \ndemonstrated and well-documented problem with existing \nenforcement mechanisms. 
This threshold criterion has not been \nmet here, obviously.\n    It should be emphasized that whatever is enacted will be an \nimportant but complicated law as evidenced by the prior panel. \nBefore we subject individuals and organizations to the expense \nand uncertainty of private litigation, we need to allow some \ntime for any uncertainties in the law to be clarified. \nHopefully, much of this will be accomplished through \nadministrative regulations which are provided for in this \nlegislation by HHS that will flesh out the many rights, \nresponsibilities and protections, a far preferable course to \nthe vagaries, expense and inconsistencies of the court system \ndeveloping policy on a case-by-case basis, depending on what \ncircuit you happen to be in.\n    And since the question of whether a private cause of action \nis necessary, I think turns on obviously what deterrence is in \nthe legislation right now, I would urge that the members take a \ncareful look at the actual proposal, starting on page 55. Let \nus take a look at the criminal penalties first.\n    Now, under this section, a person--and a ``person,\'\' by the \nway, is quite broadly defined in this legislation--a person \nthat knowingly and intentionally discloses protected health \ninformation shall--shall, not may--be fined up to $50,000, \nimprisoned not more than 1 year or both, and if the offense is \ncommitted under false pretenses, be fined not more than \n$100,000, imprisoned up to 5 years or both. If the offense is \ncommitted with the intent to sell, transfer, or use protected \nhealth information for monetary gain or malicious harm, the \nperson could be fined up to $250,000 and imprisoned not more \nthan 10 years or both. All of these penalties and prison \nsentences could be dealt with under certain circumstances.\n    Again, I note that the person who was subject to these \nfines and criminal imprisonment is defined quite broadly in the \nact. 
You may want to look at the definition part on page 11. It \napparently includes anybody from a clerical worker up to a top \nguy in the business. Hence, the sweep of the provisions is \nquite encompassing.\n    Now, let us take a look at the civil penalties under 311. \nAny person, again, whom the Secretary of HHS determines has \nsubstantially and materially failed to comply with the act \nshall--not may--shall be subject up to $500 for each violation \nand up to $5,000 for multiple violations under Title I, and \nwhere a violation relates to Title II, a civil penalty of up to \n10,000 for each violation and up to $50,000 in the aggregate \nfor multiple violations. A $100,000 penalty is provided for \nviolations which constitute general business practice. \nInjunctive relief is also provided for.\n    Now, I want to emphasize this point. To state the obvious, \nI can assure you that any entity, any person covered by this \nlegislation is going to take these civil and criminal penalties \nquite seriously, and I have to ask if there is anyone in this \nroom, including on the dais today, who would view these \npossible jail terms and monetary penalties lightly if they were \nsubject to this law? I doubt it, and I would ask you for one \nmoment to put yourself in the place of an individual within a \nbusiness handling health care information of whatever size and \nask yourself that question. Given the complexity of this law, I \nthink some people might say, the regulated community, well, \nbetter you than me and good luck and God bless. And too often \nthat is the problem.\n    Now to help demonstrate the extreme nature of these \ncriminal penalties and civil penalties, it might be useful for \nthe purposes of comparison to look at a few of the labor laws. \nI have run through these in my testimony. I see our time is \nrunning short, but they run from 5,000 to 70,000 under OSHA, \nimprisonment of up to 6 months. 
The Family Medical Leave Act, \nAge Discrimination in Employment Act, all have no criminal \npenalties except for a $100 fine for failure to post penalties; \nthe Fair Labor Standards Act, up to $10,000 and imprisonment of \nup to 6 months.\n    Now, these laws, I think everyone who can see, protect \nimportant rights, but Congress has seen fit to use civil and \ncriminal penalties at a much lower scale than exists in the \nlegislation before you; and again, I emphasize the degree of \nthose penalties to dispel any notion that there is some \nweakness in this bill that would encourage noncompliance.\n    Contrary to what may seem to be a popular conception, many \nlaws rely exclusively on government enforcement mechanisms and \ndo not include private causes of action: Davis-Bacon Act, \nService Contract Act, the Walsh-Healey Act, Executive Order \n11246, 503 of the Rehabilitation Act, perhaps most notably the \nOccupational Safety and Health Act, the Mine Safety and Health \nAct and the National Labor Relations Act.\n    Now, of course, some of these statutes do include private \ncauses of action, and in full disclosure, I am certainly not \ngoing to hide that fact; but in those cases, the remedies are \nlimited typically to economic, out-of-pocket damages, and an \natypical example is that of Title VII, the 1964 Civil Rights \nAct which, as many of you remember, was amended several years \nago after 2 years and numerous hearings, much contentious \ndebate, to include noneconomic damages capped at certain \nlevels. However, it doesn\'t exemplify the situation we are here \ntoday facing because in that case you had 30 years of \nexperience to go on which demonstrated that there was a \nproblem. Here we are working on a clean slate.\n    Finally, I have listed through here many of the problems \nwith private causes of action. There is a lot of studies \nreferenced here. 
I will summarize them by saying they \ninvariably conclude that about 50 percent of the money is lost \nto cure transactional costs, lawyers, other administrative \ncosts, not plaintiffs and not defendants; and I cover that in \nthree or four pages.\n    Now, I would like to close by saying, of course, there are \nthose who would argue that a business need not fear litigation \nso long as it obeys the law. So a provision for a civil court \nlitigation should only trouble those truly bad actors and not \npresent a problem to others. The only problem with this \nargument is that it is patently false. The reality of laws in \nthis country is that they are invariably complex and often \nsimply vague with the lines of compliance uncertain and often \nchanging. The Supreme Court handed down three decisions just a \nmonth ago on the Americans with Disabilities Act. No one knows \nwhen you are in compliance and when you are not. To expose \nemployers to litigation, this sort of situation strikes us as \njust wrong.\n    In closing, our opposition to inclusion of a private right \nof action is premised on the straightforward notions that the \ncivil and criminal penalties now in the legislation are quite \nsevere and provide more than adequate deterrence; many laws are \nadequately enforced without private causes of actions; and \nthree, lawsuits are a rough, blunt and expensive instrument of \njustice with many negative attributes which should only be used \nwhere there is a clear track record demonstrating the law in \nquestion currently has inadequate enforcement mechanisms, a \nrecord which certainly does not exist here. Should the Congress \nfind that after passage of this legislation and a period of \nenforcement the business community is ignoring its \nresponsibilities, it can always revisit the issue and authorize \nnew enforcement mechanisms.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Randel K. Johnson follows:]\n  Prepared Statement of Randel K. 
Johnson, Vice President of Labor & \n              Employee Benefits, U.S. Chamber of Commerce\n    Mr. Chairman and Members of the Committee, good morning. I am \nRandel Johnson, Vice President, Labor and Employee Benefits, U.S. \nChamber of Commerce. The U.S. Chamber of Commerce is the world\'s \nlargest business federation representing more than three million \nbusinesses and organizations of every size, sector and region.\n    Mr. Chairman, I have been asked to address the narrow issue of \nwhether or not a private cause of action in court should be authorized \nunder the legislation before you today, the ``Medical Information and \nResearch Enhancement Act of 1999.\'\' We believe the only reasonable \nanswer to this question is ``no\'\' and the Chamber would strongly oppose \ninclusion of a new individual right to sue in addition to the severe \ncivil and criminal penalties already in the legislation. Contrary to \nthe assumptions of some, it is not true that a new right to sue must, \nor should be, created each time Congress creates a new substantive \nlegal right or that such a right is necessary for effective \nenforcement. Furthermore, experience would suggest that--given the \ninherent negatives associated with court litigation--Congress reserve \ncreation of new private causes of action in court for only those \nsituations where there has been a demonstrated and well-documented \nproblem with existing enforcement mechanisms. This threshold criterion \nhas not been met here.\n    It should be emphasized that whatever is enacted will be an \nimportant, but complicated new federal law. Before we subject \nindividuals and organizations to the expense and uncertainty of private \nlitigation, we need to allow time for any uncertainties in the law to \nbe clarified. 
Hopefully, much of this will be accomplished through \nadministrative regulations that will flesh out the many rights, \nresponsibilities and protections in the legislation, a far preferable \ncourse than the vagaries, expense and inconsistencies of the court \nsystem developing policy on a case by case basis.\n    Since the question of whether a private cause of action is \nnecessary turns on whether or not the existing legislation has adequate \nprovisions to deter violations of its provisions, we need to look \ncarefully at what is in the legislation now. I urge the Members to \nrefer to the actual text of the legislation in this regard because \nthese existing sanctions are actually quite severe. First, let\'s review \nthe criminal penalties under proposed Section 2801 ``Wrongful \nDisclosure of Protected Health Information.\'\' Under this section, a \n``person that knowingly and intentionally\'\' <SUP>1</SUP> discloses \nprotected health information shall be fined up to $50,000, imprisoned \nnot more than one year or both; and if the offense is committed under \n``false pretenses,\'\' be fined not more than $100,000, imprisoned up to \nfive years or both. And if the offense is committed with ``the intent \nto sell, transfer, or use protected health information for monetary \ngain or malicious harm\'\' the person could be fined up to $250,000, and \nimprisoned not more than 10 years or both. All of these penalties and \nprison sentences could be doubled under certain circumstances. 
I also \nnote that the ``person\'\' subject to these sanctions apparently could be \nanybody employed by, or with any connection to, the health \ninformation--from a clerical worker on up; hence the sweep of these \nprovisions is quite broad.\n---------------------------------------------------------------------------\n    \\1\\  We urge the committee to define this concept to encompass only \nknowing and intentional violations of the law in the sense that the \nindividual knew his or her conduct violated the Act and intended harm.\n---------------------------------------------------------------------------\n    Now let\'s turn to the civil penalties under new Section 311. Under \nthis section, ``a person\'\' who the Secretary of Health and Human \nServices determines has ``substantially and materially failed to comply \nwith this Act\'\' shall be subject to up to $500 for each violation and \nup to $5,000 for multiple violations arising from failure to comply \nwith Title I of the act; and, where a violation relates to Title II, a \ncivil penalty of up to $10,000 for each violation, and up to $50,000 in \nthe aggregate for multiple violations, may be imposed. A $100,000 \npenalty is provided for violations which constitute a general business \npractice. This legislation also sets out detailed procedures for \nconsideration of penalties under Section 312. The Secretary is \nempowered to seek injunctive relief.\n    To state the obvious, I can assure you that any entity covered by \nthis legislation will take these civil and criminal penalties quite \nseriously, and I have to ask if there is anyone in this room today who \nwould view these possible jail terms and monetary penalties lightly if \nthey were subject to this law--I doubt it. 
I would ask you for one \nmoment to put yourself in the place of an individual within a business \nhandling health care information--of whatever size--and ask yourself \nthat question.\n    To help demonstrate the extreme nature of these criminal and civil \npenalties, it might be useful to refer, for the purposes of comparison, \nto a few employment laws. Under the Occupational Safety and Health Act \nwillful or repeat violations can be penalized by monetary penalties of \nbetween $5,000 and $70,000; a serious violation up to $7,000; a non-\nserious violation up to $7,000, and for failure to correct a violation, \na civil penalty of not more than $7,000. With regard to criminal \npenalties, a willful violation causing an employee\'s death can be \npunished by a fine of not more than $10,000 and imprisonment for not \nmore than 6 months or both, except that if the violation is committed \nafter a prior conviction, punishment can be doubled.<SUP>2</SUP>\n---------------------------------------------------------------------------\n    \\2\\ By operation of the 1984 Comprehensive Crime Control and \nCriminal Fine Collection Act, which standardized penalties and \nsentences for federal offenses, willful violations of the OSH Act \nresulting in a loss of human life are punishable by fines up to \n$250,000 for individuals and $500,000 for organizations.\n---------------------------------------------------------------------------\n    The Family and Medical Leave Act and Title VII of the 1964 Civil \nRights Act contain no criminal penalties and only a civil fine of $100 \nfor a willful failure to post a notice of FMLA and Title VII rights. \nThe Age Discrimination in Employment Act has a criminal penalty of up \nto $500 or imprisonment of up to 1 year for interfering with an EEOC \nagent. 
Similarly, the National Labor Relations Act, protecting the \nrights of employees to unionize, provides only for a fine of not more \nthan $5,000 or imprisonment for one year for interfering with a Board \nagent. The Fair Labor Standards Act contains fines of not more than \n$10,000 and imprisonment at up to 6 months for certain violations.\n     As you can see, the proposed civil and criminal penalties of the \nlegislation before you are quite severe in comparison to other laws--\nlaws which also protect important rights.\n    I led my testimony with a discussion on civil and criminal \npenalties to dispel any doubt that this legislation somehow provides an \ninvitation for non-compliance or that such penalties are not otherwise \nadequate to deter violation. Nothing could be further from the truth. \nIn this context, I turn to the question of the need for a private cause \nof action.\n    Contrary to what seems to be a popular conception, many laws rely \nexclusively on government enforcement for protection of important \nsubstantive rights, as does this legislation. In the labor area alone \nthese include: The Davis Bacon Act (requires payment of prevailing \nwages on government contracts for construction), the Service Contract \nAct (requires payment of prevailing wages on government services \ncontracts), the Walsh-Healey Act (payment of minimum wages and overtime \nto employees working on government contracts); Executive Order 11246 \n(prohibits discrimination by government contractors); Section 503 of \nthe Rehabilitation Act (prohibits discrimination by government \ncontractors on the basis of disability), and, perhaps most notably, the \nOccupational Safety and Health Act (protects employee safety and \nhealth), the Mine Safety and Health Act (protects safety and health of \nminers), and the National Labor Relations Act (protects the rights of \nemployees to engage in concerted activities, including unionization.) 
\n<SUP>3</SUP>\n---------------------------------------------------------------------------\n    \\3\\  Other examples include the Paperwork Reduction Act, Section \n17(a) of the Securities Exchange Act (see Touche Ross v. Redington, 442 \nU.S. 560 (1979)), and the Federal Service Labor Management Relations \nAct.\n---------------------------------------------------------------------------\n    Of course some labor statutes (in interest of full disclosure) do \nhave a private cause of action, typically with remedies keyed to \neconomic damages, such as lost pay with--in some instances--a doubling \nwhere the violation was willful or without good faith. (But let me \nagain emphasize that these laws do not have the severe criminal and \ncivil penalties contained in the privacy legislation.) An atypical \nexample is Title VII of the 1964 Civil Rights Act, which was amended in \n1991 to include non-economic damages (capped at various levels), but \nonly after two years of much contentious debate encompassing two \nseparate Congresses.\n    These changes were based on a long record of experience amassed \nover some 30 years, which demonstrated that by the 1990\'s changes were \nneeded. Even with this lengthy consideration by Congress, the results \nhave not been pretty. Litigation has exploded--tripling since 1991--\nwith discrimination cases constituting almost one of every ten cases in \nfederal court, the second highest number after prisoner \npetitions.<SUP>4</SUP> That only 5% of cases filed with the Equal \nEmployment Opportunity Commission are found to have ``reasonable \ncause\'\' and 61% ``no reasonable cause\'\', tells us that many of these \ncases are of questionable validity. I\'ve also attached for the Members\' \nreference an article entitled, ``Lawsuits Gone Wild,\'\' February 1998, \ndiscussing the plight of businesses under this surge of litigation. 
\nLitigation expenses alone to defend a case can approach $50,000--\n$150,000 even before trial.\n---------------------------------------------------------------------------\n    \\4\\ See study by Lawyers Committee on Civil Rights under Law, Daily \nLabor Report, March 25, 1999. The Americans with Disabilities Act \nincludes the same remedies as Title VII although it was originally \npassed and enacted with only equitable relief. The ADA was premised on \nlongstanding principles and regulations found under Section 504 of the \n1973 Rehabilitation Act. Nevertheless, it, like Title VII since amended \nby the Civil Rights Act of 1991, has resulted in considerable \nlitigation, much of it frivolous. See ``Helping Employers Comply with \nthe ADA,\'\' Report of the U.S. Commission on Civil Rights, September \n1998, pp. 274-283.\n---------------------------------------------------------------------------\n    Perhaps this isn\'t surprising given the nature of civil litigation, \nbut it does emphasize the importance of Congress carefully deliberating \nbefore it authorizes individual civil litigation as a remedy. Indeed, \nthe fact that private lawsuits are expensive, blunt enforcement \ninstruments with enormous transactional costs can hardly be argued. \nWhile I do not wish to debate tort reform here, it may be worthwhile to \nrefer to a few further facts on this issue:\n    A Tillinghast-Towers Perrin analysis (Nov. 1995) of the U.S. tort \nsystem found that when viewed as a method of compensating claimants, \nthe U.S. tort system is highly inefficient, returning less than 50 \ncents on the dollar to the people it is designed to help--and less than \n25 cents on the dollar to compensate for actual economic losses. \n(Tillinghast-Towers Perrin, ``Tort Cost Trends: An International \nPerspective,\'\' pp. 
4, 8)\n    The study broke down costs as follows:\n    Awards for economic loss 24%\n    Administration 24%\n    Awards for pain and suffering 22%\n    Claimants\' attorney fees 16%\n    Defense costs 14%\nHence, even when non-economic ``pain and suffering\'\' awards are \nincluded, claimants ultimately collected only 46% of the money raised, \nthe balance going for the high transactional costs of the system.\n    These conclusions are consistent with a 1985 RAND study which \nindicated that plaintiffs in tort lawsuits in state and federal courts \nof general jurisdiction received only approximately half of the $29 \nbillion to $36 billion spent in 1985. The cost of litigation consumed \nthe other half with about 37% going to attorney\'s fees (pp. v--xi). A \n1988 RAND study of wrongful discharge cases in California found that \n``total legal fees, including defense billings, sum to over $160,000 \nper case. The defense and plaintiff lawyer fees represent more than \nhalf of the money changing hands in this litigation.\'\' (pp. viii, 39-\n40) (The range of jury verdicts were from $7,000 to $8 million with an \naverage of $646,855. pp. vii, 25-27, excluding defense judgements.) \n(Average award after post-trial settlement and appellate review was \nstill $356,033, p. 
36)\n    A March 1998 study by the Public Policy Institute entitled, ``How \nLawsuit Lottery is Distorting Justice and Costing New Yorkers Billions \nof Dollars a Year,\'\' applied the Tillinghast-Tower\'s analysis for New \nYork\'s tort liability system and calculated that liability expenditures \nbroke out as follows:\n\n<bullet> $6.57 billion in payments to claimants (including $3.1 billion \n        in pain and suffering awards and only $3.4 billion for actual \n        economic damages).\n<bullet> $3.4 billion for administrative overhead.\n<bullet> $2 billion for defense costs.\n<bullet> And nearly $2.3 billion for plaintiffs\' attorneys.\nThe study found: ``In sum, more than half of the money extracted from \nour consumers, our taxpayers, and our economy by New York\'s \nphenomenally expensive liability system doesn\'t go to its supposed \nbeneficiaries\'\' (p. 26).\n    And a May 1995 Hudson Briefing Paper, ``The Case for Fundamental \nTort Reform\'\' noted that:\n\n<bullet> The U.S. tort system needs to be made far more efficient and \n        our society far less litigious and far larger shares of tort \n        payments should go to injured parties rather than to lawyers. \n        Currently, more than fifty cents of every dollar paid out of \n        the tort system goes to cover attorneys\' fees.\n<bullet> Lawyers monopoly of access to the courts allows them to impose \n        a 33.33 to 40 percent toll charge on all damage recoveries, \n        even in cases in which defendants are willing to pay on a rapid \n        no-dispute basis. 
Contingency fees, the near-uniform means of \n        compensating tort claim attorneys, can provide risk free \n        windfall profits to lawyers while harming defendants, \n        plaintiffs, and the economy as a whole.\n    The real costs of the nation\'s tort civil litigation system are \nenormous <SUP>5</SUP>, and the broader a civil action is in terms of \ngrounds for liability and damages the more incentive there is for \nfrivolous litigation--as many lawyers and plaintiffs seek to play the \nlitigation lottery in front of juries for huge monetary rewards. \nHowever, my primary point here is that simple logic dictates that a \nsystem with such heavy transactional costs should, by definition, be \nconsidered as an option of last resort.\n---------------------------------------------------------------------------\n    \\5\\ For other overviews of expenses associated with court \nlitigation, see, generally, The Illinois Tort Reform Act: Illinois\' \nLandmark Tort Reform: The Sponsor\'s Explanation, 27 Loy. University of \nChicago L. J. 805, Summer 1996. Also see Symposium: Municipal \nLiability: The Impact of Litigation on Municipalities: Total Cost, \nDriving Factors, and Cost Containment Mechanisms; 44 Syracuse Law \nReview 833, 1993.\n---------------------------------------------------------------------------\n    Of course, I realize that there are those who would argue that a \nbusiness need not fear litigation so long as it obeys the law--so a \nprovision for civil court litigation should only trouble truly bad \nactors and not present a problem to others. The only problem with this \nargument is that it is patently false. The reality of laws in this \ncountry is that they are invariably complex and, often, simply vague, \nwith the lines of compliance uncertain and often changing. 
The Code of \nFederal Regulations governing the workplace arena alone covers over \n4,000 pages of fine print, and hundreds of court and administrative \ndecisions provide their own gloss of what the law is, or is not, on any \ngiven day. The Supreme Court handed down three decisions on the \nAmericans with Disabilities Act just a month ago and two on what \nconstitutes sexual harassment under Title VII and one on the Age \nDiscrimination in Employment Act in the last session. Eleven Circuit \nCourts of Appeal render their own versions of the law. One treatise on \ndiscrimination law stretches over two volumes and two thousand pages of \nanalysis with more footnotes, as does another on the National Labor \nRelations Act. And these are not atypical examples of one area of the \nlaw. Even enforcement agencies, with all their expertise, cannot give \nclear answers as to what is or is not required. (See ``Workplace \nRegulation--Information on Selected Employer and Union Practices,\'\' GAO \nReport #94-138)\n    All of these problems are magnified when it comes to a new law, \nsuch as that before you today, which will, no matter how well drafted, \nbe subject to much interpretation. 
Many times there will not be a right \nor wrong answer and that problem will be heightened if courts across \nthe country, likely combined with jury trials, are immediately faced \nwith cases to sort out every nuance--which may very well differ from \njurisdiction to jurisdiction--while the employer is faced with both \nuncertain requirements and liability.\n    In closing, our opposition to inclusion of a private right of \naction is premised on the straightforward notions that (1) the civil \nand criminal penalties now in the legislation are quite severe and \nprovide more than adequate deterrence, (2) many laws are adequately \nenforced without private causes of actions, and (3) lawsuits are a \nrough, blunt and expensive instrument of justice with many negative \nattributes which should only be used where there is a clear track \nrecord demonstrating that the law in question currently has inadequate \nenforcement mechanisms--a record which certainly does not exist here. \nShould the Congress find that, after passage of this legislation and a \nperiod of enforcement, the business community is ignoring its \nresponsibilities, it can always revisit the issue and authorize new \nenforcement mechanisms.\n    Thank you.\n\n    Mr. Norwood. Thank you, Mr. Johnson, and I will ask all of \nyou to excuse us for a few minutes. We have a few votes, and we \nall want to hear you. We will go into recess, and I will ask \nyou to stay very close by because we will all be back just as \nquickly as we can.\n    [Brief recess.]\n    Mr. Greenwood [presiding]. Welcome back. I am told that in \nmy absence Ms. Carty and Mr. Johnson have testified and we are \nready to hear from Dr. Andrews; is that correct?\n    In that case, if you will please proceed.\n\n                STATEMENT OF ELIZABETH B. ANDREWS\n\n    Ms. Andrews. Thank you. Mr. 
Chairman and members of the \ncommittee, my name is Elizabeth Andrews, and I am Director of \nWorldwide Epidemiology at Glaxo Wellcome, a research-based \npharmaceutical company that is based in Research Triangle Park, \nNorth Carolina.\n    Glaxo Wellcome is committed to the enactment of Federal \nlegislation that would protect patients\' confidentiality while \nassuring the availability of medical information for research \nand for the delivery of quality health care. For this reason, \nwe strongly support Congressman Greenwood\'s H.R. 2470, the \nMedical Information Protection and Research Enhancement Act of \n1999, because we believe this legislation best meets that goal.\n    Today, medical researchers are poised to make countless new \ndiscoveries that will alleviate the burden of disease. That \npromise will only be realized, however, if medical researchers \nare allowed to continue to have access to patient medical \ninformation for research. Both interventional research, \ninvolving collection of information directly from individuals, \nsuch as in a clinical trial, and observational research, the \nanalysis of existing medical records without contact with or \nimpact on individuals, rely on the use of individually \nidentifiable medical data. Not all research can be conducted \nusing strictly anonymized records. Federal legislation must \nfacilitate the positive uses of medical information if we are \nto continue making breakthrough scientific achievements into \nthe future. The Greenwood bill provides a strong, promising \nframework to do so.\n    The Greenwood bill would also establish uniform national \nstandards for organizations that manage health data, including \nresearch institutions, to assure they have strong safeguards \nand internal procedures for protecting that data. 
Moreover, the \nbill would impose penalties on institutions that fail to adopt \nor enforce the safeguards.\n    A recent GAO study on the use of medical data and research \nconcluded that safeguards already exist in many organizations \nconducting research outside the Federal system. In fact, the \nGAO\'s findings are consistent with the widespread belief in the \nresearch community that researchers are doing a thorough job of \nprotecting the confidentiality of patients while conducting \nresearch with extremely valuable public health benefit.\n    We also hope that new legislative requirements will \ncomplement existing research regulation without needlessly \ncomplicating it. We are opposed to expanding the scope of the \nFederal common rule and the approval of institutional review \nboards to all public and private research, even research using \nonly observational existing information as required in some \nlegislative proposals.\n    IRBs play a valuable role in carrying out their mandate to \nensure that research participants are fully informed of the \nrisks they incur when undergoing experimental medical \ntreatment. However, IRBs have neither the expertise nor \ncapacity to review research proposals, and to review studies \nwith respect to confidentiality practices. Requiring IRB review \nof all research in this country would threaten the system that \nis already overburdened. Expanding IRB review would needlessly \ncomplicate the important tasks already faced by IRBs and would \nharm research by subjecting each project, each hypothesis to \nburdensome review and consent requirements. The likely result \nwould be that many important research projects would never be \ninitiated.\n    In Glaxo Wellcome\'s view, the process established by the \nGreenwood bill is more protective of patient confidentiality \ninterests than the expansion of IRB review and informed consent \nrequirements. 
Enforceable, uniform national standards for \nconfidentiality protections would offer more appropriate, more \nconsistent and more rigorous controls than available through an \nexpansion of the IRB function.\n    With respect to patient consent, we support current Federal \nrequirements concerning the informed consent of participants in \ninterventional research. We do not believe, however, that \nobservational research programs using archives of previously \ncollected information should require informed consent. In many \ncases, it is impossible to gain consent. Patients move, they \nchange health plans, they die, and given the extremely minimal \nrisk for patients from this type of research, requiring \ninformed consent increases the burden on researchers and \npatients, but does not serve to protect the patient\'s \nconfidentiality interests. Furthermore, allowing patients to \nopt out of observational medical records research would raise \nserious questions about the scientific validity of conclusions \nreached from incomplete data bases.\n    One critically important issue for any confidentiality \nlegislation is that it must draw clear distinctions between \nprotected health information and nonidentifiable information. \nThe Markey and Condit bills define protected health information \nso broadly that almost no information could be characterized as \nnonidentifiable. As a result, every piece of health care data, \nwhether or not it identifies an individual, would be subject to \nall of the Federal restrictions and requirements applicable \nunder the law, including written consent, recordkeeping, access \nto copying and amendment notification.\n    Mr. Chairman, members of the committee, we urge you to take \nswift action on the Greenwood bill to ensure that Congress \nmeets its HIPAA deadline of August 21st, rather than allowing \nthe Secretary of Health and Human Services to promulgate \nregulations in this area. 
Patients, health care providers and \nresearchers have much to lose if legislators do not strike a \nbalance between protection of patient confidentiality and the \nappropriate use of medical data to enhance the quality of \nhealth care delivery in this country.\n    I look forward to working with you as you continue your \nefforts and stand ready to help the committee in any way. Thank \nyou.\n    [The prepared statement of Elizabeth B. Andrews follows:]\n    Prepared Statement of Elizabeth B. Andrews, Director, Worldwide \n                   Epidemiology, Glaxo Wellcome Inc.\nIntroduction\n    Mr. Chairman and Members of the Committee, my name is Elizabeth \nAndrews, and I am Director of World Wide Epidemiology for Glaxo \nWellcome, a leading research-based pharmaceutical company. This year, \nGlaxo Wellcome will spend nearly $2 billion on research of new \nmedicines for the treatment of cancer, diabetes, obesity, rheumatoid \narthritis, osteoporosis and viral diseases. As an industry, the \nnation\'s research-based pharmaceutical and biotechnology companies \ndiscover and develop the majority of new medicines used in the United \nStates and around the world, investing more than $24 billion this year \nalone on research and development. The industry brought 39 new \nprescription drugs and biologics to market last year to treat many \ndeadly and debilitating diseases.\nMedical Information is Essential for Research\n    Mr. Chairman, I would like to begin by thanking you for the \nopportunity to testify this morning on behalf of Glaxo Wellcome on the \nimportant issue of federal legislation to protect the confidentiality \nof medical information. As a scientist whose work is committed to \ndiscovering and improving health care interventions, I am pleased that \nthis Committee-- which has responsibility for legislation affecting \nAmerican health and health care-- will play a leading role in crafting \nthat legislation. 
I look forward to working with you.\n    Glaxo Wellcome strongly supports new federal legislation that would \nprotect the confidentiality of individuals\' medical records from \nunauthorized or inappropriate use. At the same time, we know that \nappropriate use of medical information is critical to the delivery of \nhigh quality health care and the development of innovative and more \neffective treatments for patients. We hope that the committee will pass \nlegislation that will result in enactment of a new federal law that \nsafeguards patients\' medical privacy while allowing appropriate uses of \nmedical information for research, treatment, payment for services and \nhealth care operations. We feel that legislation introduced by \nCongressman Jim Greenwood, H.R. 2470, ``The Medical Information \nProtection and Research Enhancement Act of 1999,\'\' achieves that \nbalance. Glaxo Wellcome strongly supports H.R. 2470, as well as similar \nlegislation, S. 881, introduced by Senator Robert Bennett. We urge the \nCongress to take action on these bills to meet the August 21, 1999 \ndeadline established by the Health Insurance Portability and \nAccountability Act of 1996 (HIPAA) to enact a medical data \nconfidentiality law.\n    The pharmaceutical and biotechnology industry can help patients \nwith unmet medical needs only if researchers have access to medical \ninformation that enables them to discover new medicines. Today, medical \nresearchers are poised to make countless new discoveries that will \nalleviate human suffering and the burden of disease. Revolutionary new \ntreatments and diagnostic tests promise to extend and enrich our lives \nand the lives of future generations. Realizing this promise depends on \nresearch: interventional research involving the collection of \ninformation directly from individuals such as clinical trials used to \ndevelop new drugs, medical devices and biologics; and observational \nresearch which relies on existing databases. 
Observational research \nallows us to study the prevalence of disease, evaluate medical \ntreatments and measure the cost-effectiveness of therapies. \nObservational research can sometimes be conducted with encoded or \nencrypted data that has been stripped of individual identifiers, while \npreserving the ability to link various databases across treatment \nsettings and over the course of time to capture a comprehensive picture \nof patient care. Having the complete picture of the patient\'s health \nand health care is what is essential for the researcher, not the \nidentity of the patient.\n    As an epidemiologist, I would like to provide to the Committee some \nexamples of research that will explain how we use medical information \nto help improve the health of patients and the quality of health care \ndelivered to them. I have been involved in the study of HIV/AIDS and \nother sexually transmitted diseases, the medicines developed for such \nconditions, and the risk of medicines when used in pregnancy. In these \nareas, we have made significant strides, coupling drug development \nprograms with company-sponsored public health monitoring activities.\n    Through such efforts, we ensure the safe use of products developed \nto treat many serious diseases. There is increasing public attention \ngiven to drug safety monitoring and a need to assess the current \nmechanisms available to evaluate the safety of medicines. Most health \nprofessionals agree we need more, not less, information on the safety \nof medicines in order to better understand the risks compared to the \nbenefits of drugs as they are used in general, not experimental, \ncircumstances. It is through the use of archival medical records that \nwe are able to understand such risks and benefits in large numbers of \npatients in the real world setting. 
Each of the following examples \ninvolves research using archived medical information.\n<bullet> An epidemiologic study in the early 1980s that found a strong \n        association between the potentially fatal Reye\'s syndrome and \n        children\'s use of aspirin. Eventually, this new knowledge led \n        to a decline in cases of Reye\'s syndrome in the United States, \n        improving children\'s health and reducing mortality.\n<bullet> A recent study documented both the under-use of beta-blockers \n        following myocardial infarction in the elderly, and the serious \n        consequences of that under-use. This study linked large \n        pharmacy and medical claims databases. Its finding of \n        unnecessary deaths and hospitalizations from cardiovascular \n        episodes is likely to lead to basic changes in medical practice \n        and greatly improve patient health.\n<bullet> A pharmaceutical company worked with a large managed health-\n        care plan to undertake a study of more than 85,000 children to \n        provide further information on the safety of the chicken pox \n        vaccine in clinical practice. These children received the \n        vaccine, with parental consent, as part of their regular \n        medical care. A computer-based search was performed of the \n        records of the children who received the vaccine and of a \n        historical comparison group of children who had not used the \n        vaccine. The medical records of the children who had not been \n        vaccinated were taken from the plan\'s historical archives of \n        patient records. It would have been extremely difficult, if not \n        impossible, for the health plan to track them down to gain \n        their consent. The information received by the pharmaceutical \n        company was encrypted, so that the company had no patient-\n        identifiable data. 
This research has provided valuable \n        reassurance about vaccine safety under conditions of broad use \n        in clinical practice.\n<bullet> A health plan was able to use medical information about its \n        enrollees to identify women with a deficient gene that is \n        linked to some breast cancers. The health plan contacted these \n        women, many of whom chose to enroll in the federally-regulated \n        and IRB-overseen clinical trial that a pharmaceutical company \n        conducted of a new drug to treat breast cancer. Had the health \n        plan been unable to review these women\'s records and contact \n        them, there would have been significant delays in finding \n        appropriate participants for the clinical trial.\n    Because of the focused and controlled nature of clinical trials, \nmuch of what we learn about drug safety and effectiveness is learned \nthrough the use of observational data after drug approval. In the area \nof HIV, for example, we learned from observational experience that \ndifferences in HIV disease progression seen by gender, race and \nintravenous drug use were not due to those patient characteristics, but \ndue to differences in treatment and access to treatment. Observational \nstudies demonstrated the effectiveness of pneumocystis carinii \npneumonia (PCP) prophylaxis, and quantified the adverse experience \nrates with antiretroviral therapies and various treatments for \nopportunistic infections. All of these findings have contributed to \nmore effective care and better outcomes for patients with HIV.\n    In addition to ongoing safety surveillance studies, health care \npayers in our cost-conscious system demand more focused outcomes \nresearch and economic analysis to select the most efficacious and cost-\neffective treatment options. 
For example, Harvard Medical School \nresearchers found that restrictions on the use of schizophrenia \nmedications in the New Hampshire Medicaid program proved penny-wise but \npound-foolish. The restrictions yielded some savings on prescription \ndrugs, but ultimately increased state and federal government Medicaid \nspending overall by sharply increasing the need for emergency care and \nhospitalization. The Harvard team produced these findings--which can \npromote both better health care for patients and more cost-effective \nuse of health care dollars--by linking prescription drug use databases \nwith mental health center and hospital data.\n    These examples illustrate the useful and important observational \nresearch that is being conducted with existing medical records, while \nusing various methods for safeguarding the confidentiality of patients. \nThese methods include replacing individual identifiers with a case code \nnumber and safeguarding the key from unauthorized use or disclosure, \nrestricting the subset of persons who have access to research \ndatabases, and ensuring that employees are aware of their obligation to \ntreat research data as confidential and to protect it from disclosure \nand unauthorized use.\nMedical Data Confidentiality Legislation\n    Glaxo Wellcome believes that the Greenwood bill, H.R. 2470, \nprovides a workable framework for protecting patient health information \nwhile also recognizing the need to access patient data for legitimate \nhealth care-related purposes--primarily treatment, payment, health care \noperations and medical research. It establishes very clear boundaries \naround the permissible uses and disclosures of patient medical data and \nimposes strong penalties on entities and individuals for its misuse.\n    We feel that strong federal confidentiality protections must \ncomplement existing research regulation without needlessly complicating \nit. For that reason, we are very concerned that H.R. 
1941, introduced \nby Congressman Gary Condit, as well as H.R. 1057, introduced by \nCongressman Edward Markey, would extend Institutional Review Board \n(IRB) and informed consent requirements to all private research that \nhas traditionally not been subject to the federal common rule.\n    Informed consent, which is a cornerstone of the interventional \nresearch that is reviewed by IRBs, does not work in the context of \ndatabase research. In database research, the validity of the scientific \nconclusions depends on how comprehensive the database is. The \nresearcher does not affect the treatment of the individuals, rather he \nor she tries to make inferences based on observed differences in \nordinary health care settings. The validity of those inferences is \nsuspect if the researcher is missing information from some individuals. \nWhat we know based on the experience in Minnesota, which has a law that \nrequires informed consent for medical records research, is that \nindividuals who decline to give consent are not a random sample. This \nmeans that imposing informed consent requirements on research databases \nhas the effect of undermining the generality and validity of the \nconclusions that can be drawn based on research using that database.\n    Moreover, a recent General Accounting Office (GAO) report examined \nthe protection of patient medical data used in medical research. We \nwere encouraged that GAO\'s findings are consistent with the widespread \nbelief in the research community that researchers are doing a thorough \njob of protecting the confidentiality of patients while using medical \ninformation in extremely important research concerning public health \nand health care delivery. 
The GAO report makes some important points \nwhich accurately reflect the current status of research conducted \noutside the federal system.\n    First, the report acknowledges many uses of information and data in \nresearch, and provides examples of important research that required \nsome type of access to identifiable information. Not all research can \nbe conducted strictly using anonymized records. Research based on \narchival records with no medical risk to the patients and rigorous \nsafeguards of personally identifiable data should be encouraged, not \nimpeded.\n    Second, the report provided examples of a variety of safeguards \nthat are in place in different types of organizations that undertake \nresearch outside the federal system. The examples demonstrate clearly \nthat many safeguards already exist to protect the confidentiality of \nidentifiable patient information. Those safeguards are tailored to the \nlocal needs and circumstances within each organization. Institutions \nconducting health research take confidentiality of patient information \nvery seriously. The report aptly notes that the institutions in their \nstudy may not represent all organizations, and those not studied may \nnot meet the same high standards of those in the study. However, the \nGreenwood bill would establish uniform national standards that would be \nrequired for all organizations that manage health data. Moreover, it \nwould provide for penalties for organizations that fail to adopt or \nenforce the safeguards.\n    Third, the report provided a realistic picture of current IRB \noperations. IRBs provide a valuable function in protecting patients \nfrom unnecessary research risks. Their experience and expertise in \nreviewing studies only for review of confidentiality practices is \ninsufficient to warrant such an expansion of their roles. 
Moreover, \nthey do not have the capacity to handle the increased volume that would \nemerge from a new requirement to review all medical records research. \nWe feel it would be counter-productive to institute such a requirement. \nUniform national standards for confidentiality protections would offer \nmore appropriate, more consistent, and more rigorous controls than \navailable through an expansion of the IRB function.\n    In Glaxo Wellcome\'s view, the process established by the Greenwood \nbill is more protective of patient confidentiality interests than the \nexpansion of IRB review and informed consent requirements that would be \nput in place under H.R. 1941 and H.R. 1057. For instead of needlessly \ncomplicating the important tasks already faced by IRBs, the Greenwood \nbill would provide federal enforcement of the safeguards and review \nprocess established by each research institution. In this regard we \nnote that GAO reports that even where they do review projects, IRBs say \nthey rely on the practices and safeguards in effect at the research \ninstitution. This fact is important, because to truly understand and \noversee what an institution does to protect the confidentiality of data \nis far beyond what an IRB can or should be charged with doing in its \nreview of a research project. The Greenwood bill would ensure that what \nGAO found to be true of the institutions it surveyed-- they have \npolicies and safeguards designed to protect confidentiality-- would be \nenforceable as a matter of federal law. The bill would provide the \nfurther assurance that every institution making medical information \navailable for research would be required to establish such federally \nenforceable policies and safeguards.\n    I would like to summarize for the committee the key issues that we \nhave identified in previous legislation that could create impediments \nto our continuing ability to conduct medical research:\n\n<bullet> Definitions. 
It is critically important that any \n        confidentiality legislation draw clear distinctions between \n        ``protected health information\'\' and ``non-identifiable\'\' \n        information. Both H.R. 1917 and H.R. 1057 define protected \n        health information so broadly that almost no information could \n        be characterized as ``non-identifiable.\'\' As a result, many \n        vital activities, including research, that rely on non-\n        identifiable information would be subject to burdensome prior \n        authorization requirements.\n<bullet> IRB oversight of research. Pharmaceutical and biotechnology \n        companies comply with IRB requirements when sponsoring clinical \n        trials in support of new drug or biologic and we believe that \n        IRBs effectively protect the welfare of trial participants. As \n        noted above, we do not believe that IRB oversight should be \n        extended to every analysis of medical information or to \n        research that is not federally regulated, sponsored or funded, \n        or modified to encompass unique confidentiality issues.\n<bullet> Patient consent. We support current federal requirements \n        concerning the informed consent of participants in \n        interventional research. We do not believe, however, that \n        research projects using databases or archives of previously \n        collected information and materials should require informed \n        consent. In many cases, it may be impossible to gain consent--\n        patients move, change health plans, die--and given the \n        extremely minimal risk to patients from research of this type, \n        requiring informed consent increases the burden on researchers \n        but does not serve to protect the patient\'s confidentiality \n        interests.\n<bullet> Retention of data. 
Researchers should not be required to \n        destroy data once the original study for which it has been \n        collected has concluded. In some cases, it is necessary to \n        retain the data in order to comply with existing federal \n        regulations. In other cases, the collected data can be \n        extremely valuable and may be reanalyzed for other purposes \n        beyond the original intent and would be beneficial to patients.\n<bullet> Provide Uniform, National Protection for All Medical \n        Information. The same confidentiality standards for all types \n        of medical information should apply nationwide. Legislative \n        distinctions among types of medical information-- genetic, \n        psychological, or physical-- would conflict with the patient\'s \n        expectation that all health care information shared with a \n        provider to obtain appropriate treatment should be maintained \n        in confidence. Further, to ensure that individuals\' \n        expectations of confidentiality of medical information are \n        valid in every jurisdiction, federal law should provide a \n        uniform set of national requirements that would preempt state \n        laws.\n<bullet> Penalties. Finally, Glaxo Wellcome supports strong penalties \n        for violations of patients\' confidentiality that have been \n        included in most of the legislative drafts. We do not believe, \n        however, that these penalties could or should include \n        enforcement tools such as exclusion from the Medicare and \n        Medicaid programs. 
We believe that strong penalties, including \n        civil monetary penalties, are a more effective deterrent to \n        misuse and a more appropriate punishment for violators.\nPrinciples for Protecting Patient Confidentiality\n    As is the case with other companies, Glaxo Wellcome is an active \nmember of the Pharmaceutical Research and Manufacturers of America \n(PhRMA), the Biotechnology Industry Organization (BIO) and the \nHealthcare Leadership Council (HLC). We have been working closely with \nthese organizations and other members of the health care provider \ncommunity on this important issue. We were particularly involved in \nPhRMA\'s efforts to develop a key set of principles that reflect a \ncommitment to strong protections for individuals\' medical information \nwhile ensuring the availability of medical information for research and \nfor the delivery of quality health care. A copy of these principles is \nattached.\nConclusion\n    Mr. Chairman, Members of the Committee, I again wish to express \nGlaxo Wellcome\'s appreciation for your efforts and your obvious \nattention to protecting the public\'s interest in the fruits of health \nresearch. We look forward to working with you as you continue your \nefforts, and we stand ready to help the committee in any way.\n\n    Mr. Greenwood. Thank you very much, Dr. Andrews, for your \ntestimony.\n    Dr. Koski.\n\n                     STATEMENT OF GREG KOSKI\n\n    Mr. Koski. Thank you very much, Mr. Chairman and members of \nthe committee. My name is Greg Koski, and I am the Director of \nHuman Research Affairs for the Partners Health Care System in \nBoston.\n    In both my professional and personal life, I have had an \nopportunity to consider very directly many of the issues we are \ntalking about today, both as a doctor and as a patient, as a \nscientist, as well as a research subject. 
I also work as a \nmanager, serve on the committees that are charged with \nformulating the confidentiality guidelines and policies and \nprocedures. I have also served for more than 15 years as a \nmember and chair of the IRB, and in my present capacity, am \nresponsible for the overall protection of human subjects in \nresearch for our entire large integrated health care system.\n    In today\'s hearing, we have heard the words ``privacy\'\' and \n``confidentiality\'\' used frequently and often interchangeably, \nand I think for the sake of clarity it is worth expanding on \nthat just a bit little bit. Clearly, the right to privacy is \nthe right that an individual has to actually choose the extent \nto which they wish to share information about themselves and \ntheir activities with other individuals, and when in the course \nof their social activities and interchanges they make the \ndecision to share that information, they are allowing the open \ndoor into their world of privacy, but in doing so, they \nestablish a centralist part of the social contract or \nconfidentiality agreement, the extent to which and the \nexpectations according to which that information is being \nshared.\n    Whenever we try to access private information without \nappropriate authorization or where we have no right to that \ninformation we are clearly invading privacy. When we have been \ngiven private information under certain expectation of \nconfidentiality and have failed to uphold it, we have breached \nconfidentiality. Both of those are egregious, and I believe \nshould have appropriate penalties associated with them.\n    But I think if we look at this realistically, it would \nsimply be impossible in our modern age to expect absolute \nprivacy in any aspect of our lives. 
Certainly the health care \nsystem is no exception to that, and in fact, it is absolutely \nessential in seeking care and in managing care that individual \nprivacy be compromised to a certain degree or there are risks \non both sides, both to the individuals as well as to society \nand the institutions.\n    So I think that it is clear from the discussion that we \nhave had today, that I won\'t reiterate, that we have reached a \nsituation where we have begun to lose public confidence in our \nability to protect them and their private health information; \nand I believe that now is the time to take steps to try and \nestablish appropriate procedures, policies, laws for the \nnecessary protections.\n    A few points that I would emphasize as being essential \ntoward this goal would be, in no particular order, that we \nactually collect only that information that we truly need, that \nis justified for what we need to do. By not having information \nthat you don\'t want, the risks that something might be done \nwith it that is not appropriate are greatly alleviated.\n    Similarly, information that is collected for one purpose \nshould be used for that purpose or that set of purposes and \nshould not be used for secondary purposes without some \nappropriate degree of oversight and authorization. 
At times, \nthat will be from the individual, at times it will be from \nanother body, but that depends upon the nature of the risks \ninvolved and sensitivity of the information.\n    Overall access to personal health information should be \nstrictly available, limited on a need-to-know basis rather than \na want-to-know basis.\n    Unauthorized uses of information should be subject to \nappropriate penalties and clearly any entity or entities that \nare actually collecting or receiving personal health \ninformation should do so under appropriate policies and only \nwith appropriate policies for properly protecting the \nconfidentiality.\n    Clearly, confidentiality in itself is the process that we \nuse to demonstrate our respect for the privacy of individuals, \nand when we accept private information, we also accept that \nmoral and legal obligation to ensure that we carry out the \nconfidentiality process in a robust manner.\n    When an institution produces or publishes its policies for \nconfidentiality, I think it is essential that those be shared \nin a very active and informed way with the individuals whose \ninformation is going to be accessed.\n    And finally, these policies should include specific \nprovisions that would minimize risk of any disclosure by, to \nthe fullest extent practicable, using nonidentifiable \ninformation when it can be used, using deidentified \ninformation, when appropriate, and only relying upon \nidentifiable information as necessary.\n    I think I have a major exception to the language describing \nnonidentifiable in Mr. 
Greenwood\'s bill, and we may come back \nto that later on, but I want to turn my attention specifically \nto the issues of research.\n    In this country, biomedical research is conducted according \nto a variety of codes of ethics and all, the Nuremberg Code, \nthe Declaration of Helsinki and certainly the Belmont Report, \nand three fundamental principles have been identified: respect \nfor persons, justice and beneficence. All three of those \nfundamental principles for the conduct of research require that \nwe respect the privacy of individuals who are participating in \nresearch and that we protect their confidentiality.\n    As a consequence of this and the incorporation of those \nfundamental principles into the laws, the common rule as it is \ncalled, or 45 CFR 46, as amended, all federally funded research \nis currently conducted in a manner that is consistent with \nthose ethical policies; and indeed IRBs that are responsible \nfor review and approval of all research involving human \nsubjects under this Federal law are obligated to consider not \nonly medical risks, but also psychological, social, economic \nrisks as part of their considerations in determining whether or \nnot the research should go forward.\n    With all due respect to Dr. 
Andrews, I think that it is \nvery misleading to suggest that IRBs are neither in possession \nof the expertise or experience to do this because, in fact, it \nis inherent in what they do in the conduct of their business \nevery day.\n    Large institutions with significant Federal funding, like \nour own, operate under an assurance to the Federal Government \nthat we will apply the principles of the laws on the common \nrule to all research that is conducted at our institutions \nregardless of the source of funding; and unfortunately, only \nabout 1,200 of the more or less 5,000 IRBs that currently \nreview research in this country come under that common rule, \nand I think that is a glaring deficiency.\n    I think it is important to note that a common rule \nspecifies when it talks about the definition of human subjects \nresearch not only the use of living human beings, but also \ninformation or specimens derived from living human beings. No \none could misconstrue that to believe that the IRBs are not \nsupposed to be reviewing research that involves identifiable \npatient information and to grant exemptions in the case where \ninformation has been rendered nonidentifiable.\n    Mr. Bilirakis. Please summarize, Doctor.\n    Mr. Koski. Thank you. I will.\n    I think what we should do at this opportunity--rather than \nto establish, as 2470 and 1941 would do, a parallel and \nprobably unequal process for review of a subset of human \nresearch in this country, what we should do would be to take \nthis opportunity, as the Secretary seems to be doing presently \nin the elevation of OPRR from NIH to a higher status at DHHS, \nto actually bring all human research under a common set of \nguidelines. I believe that this would be the highest and most \nappropriate way to actually ensure the protection of human \nsubjects in research. 
There are opportunities to work with \nindustry to define the mechanisms by which we can most \neffectively use deidentified information to meet their needs \nand at the same time respect the privacy of our patients.\n    I will stop there and hope to expand on some of that during \nour discussion.\n    [The prepared statement of Greg Koski follows:]\nPrepared Statement of Greg Koski, Associate Professor of Anesthesia and \n         Critical Care Medicine, Massachusetts General Hospital\n    Dear Mr. Chairman and Members of the Subcommittee: Few would argue \nthat individuals in this country reasonably expect that their privacy \nbe respected, and that sensitive personal information about themselves, \nwhatever the nature of that information might be, should not be \ndisclosed to others without authorization, except in specific \ncircumstances where there is a compelling need, and even then, only \nwith specific provisions for protecting confidentiality of such \ninformation. Health information is arguably among the most sensitive \ntypes of personal information and has always been afforded special \nconsideration when issues of privacy and confidentiality are concerned.\n    The extraordinary scope of social and technological change in our \nhealth care system over the past two decades has unavoidably and \nirrevocably changed the practice of medicine and the business of health \ncare. With this change, the public has become increasingly concerned \nabout the loss of autonomy and loss of privacy, both of which seem now \nto occur too frequently. Concerns regarding unauthorized access to \npersonal medical information arise from, and are substantiated by, \nmisuse and even abuse of information obtained during encounters with \nthe health care system. A climate of mistrust has developed in which \npatients are demanding more control over who has access to their \npersonal information and how that information is to be used. 
Since many \ndo not understand the complexity of our health care system and the \ngrowing need for many different parties to access patient information \nin the course of their jobs, the adverse impact that broad restriction \nof access can have on the system, and the quality of care, is not well \nappreciated.\n    Several detailed and thoughtful analyses and reports have been \npresented addressing the complex issues involved in providing and \nmanaging health care while respecting the privacy of individual persons \nand protecting the confidentiality of personal health information. \nCurrent legislative activity pertaining to these issues at both the \nstate and national levels reflects to a large degree the growing \ninterest among our citizens and the entire health care system and \nrelated industries in finding effective ways to achieve these goals. \nOne such effort is that of the Health Privacy Working Group, an \ninitiative of the Georgetown University Institute of Health Care \nResearch, which recently released its recommendations. These include a \nset of ``best principles\'\' that provide a useful framework for \ndevelopment of specific policies for effective management and use of \npersonal health care information in a manner that is well-reasoned and \nworkable. The members of the Subcommittee will certainly receive copies \nof this report and will find it informative and useful. This statement \nof principles does not, however, obviate the need for effective \nlegislation to effect necessary change and introduce appropriate \nsafeguards for protection of privacy and confidentiality of health \ninformation.\n    Several pieces of legislation are currently under consideration by \nCongress, and the Secretary of the Department of Human Services has \nintroduced a comprehensive set of recommendations as required by law \nthat may take effect if Congress does not itself take action. 
\nRegardless of what legislation may ultimately be enacted, it should \ninclude a requirement that all persons, institutions, agencies or other \nentities which collect personal health care information be required to \ndevelop formal written policies and procedures for use of such \ninformation, and that patients be notified and informed of these \npolicies and their rights.\n    These policies and procedures should limit access and distribution \nof information on a rigorous ``need to know\'\' basis. Information should \nonly be collected and maintained in identifiable form when necessary \nand appropriate, it should be used only for those specific purposes for \nwhich it was intended at the time of collection unless there is \nappropriate notification and authorization of other uses, and when \ninformation is no longer needed, it should be destroyed or rendered \nnonidentifiable after a reasonable period of time unless there is a \ncompelling justification for keeping it. If these general guidelines \nare kept in mind, mistrust and misuse of such information will be \nminimized.\n    I would like to thank Mr. Bilirakis and the members of the \nSubcommittee for this opportunity to offer general comments about the \nbill currently before it, H.R. 2470, otherwise known as the ``Greenwood \nBill\'\'. Those who have crafted this proposed legislation deserve a \ngreat deal of credit for their thoughtful work, as many of its \nprovisions could provide useful solutions to some of the concerns \ndiscussed above. Nevertheless, there are aspects of this bill that \ncould be improved. I will first offer a few remarks regarding the \nbroader aspects of the proposed legislation before focusing on those \nparts of the bill pertaining to appropriate conduct and oversight of \nhealth research, an area in which I can claim some experience.\n    First, for clarity, I would like to call your attention to the \ndefinition of ``nonidentifiable\'\' health information used in this bill. 
\nPersonal health information that can be attributed to the individual \nperson from whom it was obtained is identifiable. Only information that \ncannot be attributed to its source is nonidentifiable. When information \nis linked by a specific code number to an individual, even if all other \nspecific identifying information has been removed, that information is \nstill identifiable and special precautions must be taken to restrict \nthe use of that information in ways that have not been authorized by \nthe individual of origin. The use of this term in the proposed \nlegislation contradicts the definition set forth in the Federal \nRegulations for Protection of Human Subjects in research, is confusing \nand misleading, and will be viewed by many as being deceptive, intended \nor not. Information is either identifiable or not; these are mutually \nexclusive. Identifiable information may be anonymous, encrypted, coded, \nor deidentified in an effort to offer protection of privacy and ensure \nconfidentiality, but it is still identifiable.\n    The description of ``health care operations\'\' is useful, but the \nlist includes certain activities, such as outcome assessments, that \nfrequently overlap the research domain, which I will discuss in greater \ndetail below. Care should be taken to insure that this does not provide \na ``loop hole\'\' for individuals to circumvent review and approval \nprocesses of Institutional Review Boards (IRBs) and the protections \nsuch review can provide.\n    The bill includes provisions for disclosure of information to a \nvariety of third parties for a variety of purposes. As a general rule, \nany and all releases of identifiable health information to third \nparties outside of the health care setting in which it was obtained \nshould be authorized by the individuals from whom the information is \nobtained. 
Secondary ``re-disclosure\'\' to parties further removed from \nthe primary source/custodian should be prohibited and punishable by \nlaw.\n    While there is clearly a need to establish a minimum standard under \nfederal law for protections of privacy and confidentiality of personal \nhealth information, a preemptive law that would undermine or limit the \nability of States choosing to pass more stringent protective laws may \nhave a counter-productive effect, actually reducing protections for \nindividuals. Indeed, some may view such an attempt to preempt \nlegislation at the State level with skepticism and as an attempt to \nprotect special interests that may be in conflict with those of \nindividuals.\n    Turning to the provisions for access to personal health information \nfor research, I would first point out that the benefits of biomedical \nresearch to both society and individuals are widely acknowledged and \nvery highly valued by the American people. In a recent national survey, \nnearly 90% of those polled indicated strong or very strong support for \nbiomedical research activities and a personal interest in participating \nin research, provided they could be assured that their interests and \nwell-being were protected. There is a long and very productive \ntradition of using medical records and other forms of health \ninformation for research purposes in this country, and such uses have \nrarely resulted in breaches of confidentiality. The American people \nhave been very willing to accept this exception to absolute privacy of \ntheir medical information, provided the information is handled in a \nconfidential manner.\n    We are very fortunate to have in place in this country a system for \nprotection of human subjects in research, including federal laws that \nmandate oversight of research by duly constituted Institutional Review \nBoards. 
This system, in which I am a proud and active participant, \nalready reviews and approves most of the biomedical research conducted \nin this country, including research that relies upon the uses of \npersonal health information. The challenges faced by the IRBs are \nconsiderable, but overall, it is clear that since the IRB system was \ndeveloped two decades ago, biomedical research involving human subjects \nhas flourished and reports of serious abuses are infrequent. Even as \nthis Subcommittee considers legislation to enhance protections for \npatients\' privacy and confidentiality of health information, steps are \nbeing taken to strengthen the IRB system to make it even more \neffective. I strongly support these actions, and believe that the IRB \nprocess can and should play an integral role in oversight of all \nresearch involving health information.\n    I further support current efforts to bring all research involving \nhuman subjects, as defined in federal regulations, under the ``Common \nRule\'\' (45 CFR 46, as amended), and to develop a process to credential \nIRBs and health researchers as a further step toward strengthening the \nsystem for protection of human research subjects. While existing rules \nand regulations offer the IRBs and investigators guidance in the use of \npersonal health information, more specific guidance should be \npromulgated to address issues of informed consent, uses of identifiable \nversus nonidentifiable information, and specific mechanisms for \nprotection of confidentiality. 
In some cases, it may be appropriate for \ninstitutional ``confidentiality committees\'\' to oversee access to \npersonal health information at institutions that do not have sufficient \nresearch volume to justify an IRB, but even in those cases, the \nresearch should be reviewed and approved by an IRB constituted under \nthe ``Common Rule\'\' according to specific guidelines for research \naccess.\n    In large institutions and in the growing number of integrated \nhealth care systems, of which the Partners HealthCare System is an \nexample, the co-existence and close association of such confidentiality \ncommittees and IRBs afford completeness and consistency in policies and \nprocedures for access to personal health information that, at least in \nour case, has proven to be very beneficial. As information technology \nand electronic medical records systems play an ever growing and \nimportant role in modern health care and research, every practicable \neffort should be made to take advantage of new tools and methodologies \nof information science to enhance protection of sensitive information \nand patient privacy.\n    In closing, I would like to thank all of the members of the \nSubcommittee for the opportunity to express these views. I wish you all \nwell as you address the challenges that lie ahead.\n\n    Mr. Bilirakis. Thank you, Doctor.\n    Dr. Frey.\n\n                  STATEMENT OF CAROLIN M. FREY\n\n    Ms. Frey. Mr. Chairman and members of the committee, I am \nCarolin Frey, Chair of the Institutional Research Review Board \nfor the Geisinger Medical Center, part of a larger health \nsystem and managed care organization. I appreciate the \nopportunity to speak to you today, specifically about the \ncurrent role of the Institutional Review Board, or IRB, in \nprotecting privacy as it relates to research.\n    Our IRB, like others, has witnessed growth in research made \npossible by large pools of extant and identifiable medical \ninformation. 
We have taken a proactive role in setting \nstandards for conducting this type of research. We do this in \npart because the IRB function has a lot to do with engendering \npublic trust. To that end, the IRB\'s function is a valuable \nmodel, and I stress ``model\'\' with respect to pending privacy \nlegislation, the IRB function is exactly that, a model and not \na ready-to-use resource. The current IRB system works well in \nthe places it has been implemented, but it does not provide \nuniversal oversight for research. Legislation must distinguish \nbetween the existing IRB infrastructure and an IRB-like process \nthat could be designed.\n    I will now identify two limitations to the existing IRB \nfunction which would need to be overcome in legislating a \nprocess for universal review of research involving personal \nmedical information, should that be a goal.\n    Now, first, the existing IRB system was never designed to \nprovide universal protections. Not all institutions conducting \nhuman research have an IRB and not all IRBs review the special \nclass of research involving extant and identifiable medical \ninformation. Institutions constitute IRBs usually because they \nare federally funded for human research or have investigations \nof FDA-regulated products being conducted there. However, these \nsame institutions, such as Dr. Koski\'s and my own, may decide \nto apply the Federal regulations to all of their research. Some \nmay choose to apply it to some.\n    Also, when identifiable medical information travels between \ninstitutions, one with and one without an IRB, it is possible \nfor only a portion of an individual\'s record to be within the \npurview of an IRB. 
Complete, not partial, protection should be \nthe goal of national legislation.\n    So let me now propose adequate protections that an IRB-like \nsystem would include: first, an orderly process for defining \nthe purview of responsible reviewing entities to ensure \ncomplete and nonoverlapping protection; and second, be mandated \nat a sufficiently high Federal level to ensure a review board \nis available to all locations where this kind of research takes \nplace.\n    Now, a second limitation of the IRB role concerns the fact \nthat its role in protecting privacy is not well understood by \nthe public. Where an IRB is used its strength is its authority \nto require strong security measures, sometimes likened to a \nfirewall, to protect the privacy of identifiable medical \ninformation used in research. However, the specific review \nprocedures used, including exempting review altogether, the \nconditions necessary to waive consent but also the societal \nbenefits of such research are not well understood.\n    The IRB function broadly provides protection of human \nsubjects from physical, social, mental, privacy and \nconfidentiality risks. Use of extant personal medical \ninformation is just one special class of research. An IRB may, \nin fact, exempt from review that information which is \nessentially anonymized, but with recorded identifiers, this \nclass of research generally qualifies for an expedited review \ncarried out by a single IRB member.\n    It is important to point out that expedited IRB review does \nnot by itself result in an exception to the requirement to \nobtain the individual\'s consent. First consideration is given \nto whether the merit of the proposed research warrants an \nintrusion, and that potential risk relies to some extent on the \ndata security procedures proposed. 
These protect against \nsubsequent disclosures which are, in fact, the primary risk of \nthis type of research.\n    An IRB can impose security modifications toward this end as \na condition of granting approval to conduct the study. Only \nthen is an IRB waiver of consent considered, and in fact, four \nconditions must be met: the research must be no more than \nminimal risk; the waiver must not otherwise affect the rights \nand welfare of the subjects; there is an impracticability \nrequirement; and the subject must be provided with additional \npertinent information.\n    There is an enormous problem, and I will summarize quickly. \nIt has been my experience that most individuals are not aware \nthat their medical records can legitimately be included in \nresearch without their express consent. This suggests that the \nIRB process, though well conceived, may fail to engender public \ntrust if the communities so served do not fully understand the \nIRB authority to waive consent.\n    In legislation, consider such uses as uses of notices of \ninformation practices and a national educational effort to make \nclear the societal benefits of this class of research.\n    In conclusion, the current IRB function offers a strong \nmodel for protecting research uses of personal medical \ninformation. To be fully effective, however, a future IRB-like \nresearch review process would need to be widely expanded beyond \nthe current IRB infrastructure. This expansion would need to be \ndone in a way so as not to further burden the existence and the \nvital functioning of the existing IRB infrastructure.\n    Thank you.\n    [The prepared statement of Carolin M. Frey follows:]\n   Prepared Statement of Carolin Frey, Chair, Institutional Research \n                 Review Board, Geisinger Medical Center\n    Mr. Chairman and members of the Committee, I am Carolin Frey, PhD, \nChair of the Institutional Research Review Board for the Geisinger \nMedical Center. 
I appreciate the opportunity to speak to you today \nspecifically about the current role of the Institutional Review Board \n(or IRB) in protecting privacy as it relates to research.\nIntroduction and IRB as ``model\'\' for research review\n    The IRB I Chair reviews research originating from diverse parts of \nour multi-faceted health system which includes a distributed network of \nproviders and a health maintenance organization. The health system \nrelies on the free flow of medical information to ensure it travels \nwith each patient at possibly distant geographic points of service. Our \nIRB, like others, has witnessed growth in research made possible by \nlarge pools of extant and identifiable medical information. We have \ntaken a proactive role in setting standards for conducting this type of \nresearch. We do this, in part, because the IRB function has a lot to do \nwith engendering public trust. To that end, the IRB function is a \nvaluable model for independent review of research uses of personal \nmedical information. With respect to pending privacy legislation, the \nIRB function is, however, only a model. It is not a ready-to-use \nresource. The current IRB system works well in the places it has been \nimplemented but it does not provide universal oversight for research. \nThere is also much latitude by institutions and IRB\'s in choosing how \nand when to review research based solely on extant and identifiable \nmedical information. Legislation must distinguish between the existing \nIRB infrastructure and an ``IRB-like\'\' process that could be designed, \nalbeit at substantial cost.\n    I will identify two limitations to the existing IRB function which \nwould need to be overcome in legislating a process for universal review \nof research involving personal medical information.\nIRB\'s currently oversee only a portion of human research\n    The existing IRB system was not designed to provide universal \nprotections. 
Not all institutions conducting human research have an IRB \nand not all IRB\'s review the special class of research involving extant \nand identifiable medical information. Institutions constitute IRB\'s \nusually because federally funded human research or investigations of \nFDA regulated products are done there. However, institutions may decide \nwhether or not to apply the federal regulations to all research at that \nsite or to just those studies required to meet the federal minimum. \nMany institutions extend the common rule to all research. However, when \nidentifiable medical information travels between institutions it is \npossible for only a portion of an individual\'s record to be within the \npurview of an IRB. For example, paper or electronic medical records in \na hospital may be protected from privacy risks in research by virtue of \nthe hospital IRB. However, when much of this same information travels \nto a third-party payor without an IRB it may no longer be protected \nshould it become part of a research study. Complete, not partial, \nprotection should be the goal of national legislation. To provide \nadequate protections, an ``IRB-like\'\' system would:\n\n1) have an orderly process for defining the purview of responsible \n        reviewing entities to ensure complete and non-overlapping \n        protections; and\n2) be mandated at a sufficiently high federal level to ensure a review \n        board is available at all locations where research on personal \n        medical information takes place.\nThe IRB role in protecting privacy is not well understood by the public\n    Where an IRB is used, its strength is in its authority to require \nstrong security measures (sometimes likened to a ``firewall\'\') to \nprotect the privacy of identifiable medical information used in \nresearch. 
However, the specific review procedures used, including \nexempting review altogether, the conditions necessary to waive consent \nand the societal benefits of research on personal medical information \nare not well understood. All of this amounts to inadequate \nunderstanding by the public of the risks (generally estimated to be \nsmall) and benefits (which can be quite great) of research on extant \nmedical information.\n    The IRB function broadly provides protection of human subjects from \nphysical, social, mental, privacy and confidentiality risks which might \noccur through participation in research. Much review is done during \nfully convened meetings attended by scientific and lay members both \nfrom within the institution and unaffiliated with it. Use of extant \npersonal medical information is just one special class of research \noverseen by IRB\'s. An IRB may exempt from review, and hence any \nrequirement for informed consent, some of this research if it involves \n``the collection or study of existing data, documents, records, if the \ninformation is recorded in such a manner that subjects cannot be \nidentified, directly or through identifiers linked to the subjects.\'\' \n[46.101(b)(4)]. Again, some institutions have policies that go beyond \nthe minimum regulation and require IRB review. For a variety of \nreasons, identifiers often must be retained. With recorded identifiers, \nsuch research generally qualifies for an ``expedited\'\' IRB review \ncarried out by a single IRB member--usually the IRB Chair and sometimes \na designate.\n    Expedited IRB review is a two step process. It is important to \npoint out that ``expedited\'\' IRB review of research involving extant \nand identifiable medical information does not, by itself, result in an \nexception to the requirement to obtain the individual\'s consent for \nsuch use. First, consideration is given to whether the merit of the \nproposed research potential warrants an intrusion. 
The potential risk \nof that intrusion relies, to some extent, on the procedures proposed to \nensure the security of the information. Security of research data \nprotects against subsequent disclosures which are the primary risk of \nthis type of research. In essence, a firewall can be built around \nresearch data and an IRB can impose security modifications towards this \nend as a condition of granting approval to conduct the study. There is \nsome discretion concerning recommended security measures. Typically \nthese include removal of personal identifiers from research records, \nuse of coded study identifiers and separate safekeeping of a key which \nlinks the two. Restrictions to the sharing of research data with off-\nsite investigators or potential future uses may also be made a \ncondition of the IRB approval.\n    In a second step, the IRB may waive the requirement to obtain \ninformed consent. This waiver is granted under the common rule only if \nthe IRB finds and documents that ``1) the research involves no more \nthan minimal risk to the subjects; 2) the waiver . . . will not \nadversely affect the rights and welfare of the subjects; 3) the \nresearch could not practicably be carried out without the waiver . . .; \nand 4) whenever appropriate, the subjects will be provided with \nadditional pertinent information after participation.\'\' [46.116(d)]\n    It has been my experience that most individuals are not aware that \ntheir medical records can legitimately be included in research without \ntheir expressed consent. This suggests that the IRB process, though \nwell conceived, may fail to engender public trust if the communities so \nserved do not fully understand this exception to gaining consent. The \nIRB review process, because it is not well understood, is not likely to \nbe seen as providing acceptable privacy protections. 
Legislation aimed \nat designing an ``IRB-like\'\' process should include additional \nprovisions:\n\n1) use of notices of information practices including a statement about \n        disclosures for research purposes; and\n2) a national educational effort to make clear the societal benefits of \n        research involving personal medical information without \n        consent.\nSummary\n    Coordinated implementation of recommended privacy protections will \nbe required to make these transparent to healthcare consumers. Without \ntransparency, false consumer expectations may further erode public \ntrust. Trust is key and trust will be hard to legislate. In addition to \ntransparency, uniformity through preemption of state law to provide a \n``floor\'\' (preserving greater protections by some state law) would help \nengender public trust. And finally, accountability in the form of audit \ntrails for disclosures and the right to pursue actions against \nunauthorized uses of personal medical information are needed.\n    In conclusion, the current IRB function offers a strong model for \nprotecting research uses of personal medical information. To be fully \neffective, however, a future ``IRB-like\'\' research review process would \nneed to be widely expanded beyond the current IRB infrastructure. This \nexpansion would need to be done in such a way as to not further burden \nthe existing and vital IRB function. Institutional reviewing bodies \nwould need to function with the complete support and cooperation of the \ninstitutions they represent. Most importantly, this would require, as \npart of communicating institutional information practices, complete \ndisclosure of research activities to include a statement on how and \nwhen individual consent may be waived.\n    Thank you again for the opportunity to share information about the \nIRB function as it relates to privacy of identifiable medical \ninformation. 
I would be glad to answer any questions you may have.\n\n    Mr. Bilirakis. Thank you very much, Dr. Frey.\n    Before I yield to open the questioning by Mr. Greenwood, I \nwould just like to remind you that the five of you are here \nbecause you are experts, because you have so much to offer to \nus, and this goes along obviously with the panel prior to \nyours. We don\'t have very much time to craft a piece of \nlegislation. We are going to try to do everything we possibly \ncan.\n    In fact, we have a meeting scheduled as early as 5 o\'clock \nthis afternoon to work with the minority to try to get \nsomething worked out. I am just inviting you to please keep \nthat in mind. Any inputs you may have from a specific sort of \nstandpoint in terms of legislation, don\'t hesitate. It will be \nvery difficult for us to be able to contact every member of \nthis panel and the other panel and get their inputs and crank \nthem into what we are doing without your taking the initiative.\n    And the Chair at this point would yield to Mr. Greenwood.\n    Mr. Greenwood. Thank you, Mr. Chairman. Let me turn to Dr. \nAndrews.\n    Dr. Koski, respectfully, I differ with you in terms of your \ninterpretation of the IRB aspects of the legislation, and Dr. \nFrey and others today have expressed differing views. I would \nlike to give you an opportunity to comment on their comments or \nrebut anything that you think needs to be rebutted.\n    Ms. Andrews. Thanks very much.\n    I would first of all say I think the IRB mechanism is an \ninvaluable one, and we depend on it heavily; and I would hate \nto overburden it because we need it desperately in cases of \nclinical research and any research that involves intervention \nor direct interaction with patients. 
And I think they do a \nmarvelous job of safeguarding patients\' well-being; and in many \ncases, they do look at data confidentiality issues.\n    My main concern is with the use of safeguards for \nobservational research for which there is no medical risk to \nthe patient and which relies purely on existing medical \nrecords. The existing structure--and I think one of the other \nspeakers may have pointed out that a fairly small proportion of \nresearch that is currently being reviewed by IRBs is this type \nof information, so IRBs typically have less experience \nreviewing this kind of research. The typical procedure for \nreviewing this observational research using existing records is \nfor it to be automatically assumed to be in the category of \nminimal risk, which then allows for an expedited review of only \none member of the IRB.\n    And under the Greenwood bill, there are many more \nsafeguards that we feel would provide greater safeguards for \nthe handling of records and systematic review and procedures \nfor the evaluation of research within the institution; and we \nfeel that is much stronger, and having those safeguards in \nplace would cover not only research where most researchers and \nothers would agree there have been very few breaches of \nconfidentiality, but would apply across the health care system \nin the cases where there have been breaches.\n    Mr. Greenwood. Thank you. 
Earlier, in the opening \nstatements, some of the members on the other side of the aisle \nraised a legitimate point, and that is, why are we having this \nhearing just on my bill as opposed to other legislation?\n    I want to just give each of the panel members, in the time \nthat I have left, an opportunity, if they choose, to either \ncomment on, A, an aspect of--well, let us do it this way--to \ncomment on any aspect or aspects of some of the other bills \nthat have been introduced by members of this committee that you \nthink either would be problematic and we would not want to \nincorporate, for a variety of reasons, into the final package; \nor where you think they are absent from the legislation under \nconsideration today and ought to be incorporated. I won\'t put \nanybody on the spot, but if anyone would like to take that \ntack, it is an opportunity.\n    Ms. Carty. I will speak specifically to the issue that I \nraised in my earlier testimony, which is the preemption of \nState law, and I think that is a major issue because I know \nyour bill, Congressman Greenwood, very responsibly establishes \nthat ceiling that would allow the really critical research to \ncontinue uninterrupted throughout the 50 States. By \nestablishing a floor, as reflected in H.R. 1941, we would see a \nmultitude of States enacting legislation really making some \ncritical research areas completely unworkable, and it would \ncertainly, the degree--I am sorry.\n    Mr. Greenwood. If I could interrupt you, because that point \nhas been disputed by, particularly, other members of the first \npanel. Could you try to illustrate that in some way with \nsomething specific?\n    Ms. Carty. Sure, a specific example--and actually I will \nmove outside of the State of California, because we are in sort \nof a strange period right now where the State legislature is \nreviewing at least 4 or 5 bills that will probably make it \nthrough the legislature. 
But I know that the committee has \nalready received testimony from Dr. Steven Jacobson from the \nMayo Clinic, and I think the point that he brought in terms of \nMinnesota enacting specific requirements, consent requirements, \nand the effect that those requirements actually had on the data \nthat the researchers eventually had compiled, was quite \ntroubling. For example, women were more reluctant to go the \nextra mile in terms of giving that actual consent. People who \nare younger were more reluctant to give that consent. People \nwith history of mental health issues were more reluctant to \ngive that consent.\n    So would that skew the research? Absolutely. And compound \nthat times whatever, how many other States would enact that \ntype of legislation? Would it skew the research? Absolutely, \nand certainly the research would be carried out in a much \nslower fashion; and there are certainly some research areas \nthat would just not be explored because it would be unworkable.\n    Mr. Greenwood. At the chairman\'s discretion, are there any \nother members of the panel that want to respond?\n    Mr. Bilirakis. Any very quick responses or short responses?\n    Mr. Koski. I will try to be very quick.\n    I think that 2470, as it now stands, is the right start, \nbut it is deficient in a number of perspectives. One is, it \ncould allow release of information to third parties that is \nidentifiable information for which it may not have been \noriginally intended. I think those provisions need be tightened \nup quite extensively.\n    Also, the provision of penalties for inappropriate uses of \ninformation I think needs to be strengthened as well. There \nshould be a requirement for active information, delivered to \npatients regarding policies for how their information is going \nto be used and protected at every entity where it is going to \nbe collected; the bill is deficient there. 
In terms of--well, I \nwon\'t--I already covered the issue of using different classes \nof information.\n    But in this particular--this bill\'s description of \nnonidentifiable is totally inadequate. Coded information that \ncan be directly linked back to an individual is identifiable. \nIt may be coded deidentified, but it is nonetheless \nidentifiable, and if you are going to ask someone to give up \ntheir rights to determine what is done with information, \ntissues and all that can be linked back to them, you have got a \nproblem. They have to authorize that.\n    I think we need to be very explicit. Nonidentifiable and \nidentifiable are mutually exclusive. You can either tell who it \ncame from or you can\'t. So I think we need to avoid that term, \nchange that definition so that we make what is nonidentifiable. \nThat would serve a great deal of research purposes and have \nessentially no risk associated with it whatsoever and would be \nvery helpful.\n    Mr. Bilirakis. The gentleman\'s time has long expired, but \nof course, that is the sort of thing we would like to get from \nyou in writing to help us out here.\n    Mr. Koski. It is in my written testimony.\n    Mr. Bilirakis. I am not sure it is in response to the \nquestion. I think he was looking for something to the opposite.\n    Mr. Brown.\n    Mr. Brown. Thank you, Mr. Chairman.\n    Mr. Johnson, you argue in your testimony that uncertainties \nin the laws should be clarified not through private right of \naction but, quote, ``through administrative regulations that \nwill flesh out the many rights, responsibilities and \nprotections in the legislation,\'\' an interesting approach from \nthe Chamber of Commerce, asking for more government \nregulations, I might point out. But along these lines, compare \nif you would, administrative authority, if this is what you are \nreally asking for, some fleshing out through rules and \nregulations. 
The administrative authority in the Greenwood \nbill, what the administrative authority--language found \nthroughout the Condit bill, which is preferable, to get us to \nthe point where we really know more about private course of \naction and whether we, in fact, really need that private right \nof action?\n    Mr. Johnson. Well, Congressman, I have to admit I am not \nfamiliar with the Condit bill. I haven\'t looked at how they \nflesh out the administrative obligations there. My reference to \nthe obligation of HHS to flesh out responsibility was simply \nbased on the fact that the Greenwood bill has the kind of \ngeneral authority provision given to HHS to issue regulations. \nBut it is not inconsistent with the typical position of the \nChamber of Commerce, I don\'t think; and here we are looking \nat--we are not necessarily happy about a new law that is going \nto impose new mandates on our members. We are trying to get to \na point where it is the least objectionable possible.\n    There is no question about the fact that between an \nadministrative regulation that tries to set some guidance--and \nwe hope the rulemaking is a good one--and a private cause of \naction across the Federal courts, my members would prefer the \nformer. So we are trying to pick sort of what is the line of \nleast resistance, I believe, here. And I am not saying we are \nhappy with either one, Congressman, and I do apologize about \nthe Condit bill. I am just not familiar with that.\n    Mr. Brown. I think that sort of illustrates how important \nit is--I know the chairman actually agrees on this--in the \nfuture, when we are considering legislation like this, we need \nto look at all the pieces of legislation that have been \noffered. 
The numerous Federal privacy laws relating to other \ntypes of information include a private right of action: The \nFair Credit Reporting Act, which sets forth confidentiality \nprotections on a consumer\'s credit report; the Video Privacy \nProtection Act, which sets forth confidentiality protections on \nconsumer\'s video rental records; the Cable Communications \nPolicy Act, which sets forth privacy protections related to \ninformation about cable service subscribers.\n    How can we have laws protecting allowing an individual \nright of action on cable subscribers, video rental records, Mr. \nJohnson, and not do that with something as important as medical \nprivacy, the most important, intimately important, information \nalmost and maybe, perhaps, the most intimate information \nattached to an individual?\n    Mr. Johnson. Well, Congressman, I would ask that when those \ncomparisons are made that your staff and you take a real close \nlook at those statutes and ask--they may have a private cause \nof action, do they have the same kind of very severe criminal \nand civil sanctions that the Greenwood bill does? My guess is \nno. They have one or the other, or some very moderate types of \npenalties and a private cause of action. I would also ask that \nyou look at what is the obligation that is being addressed in \nthose laws.\n    You mentioned the video rental law. Let me read the \ndefinition of what is the protected information there. The term \n``personally identifiable information\'\' includes information \nwhich identifies a person as having requested or obtained \nspecific video materials or services from a videotape service \nprovider. The defendant in that kind of case knows what their \nobligation is. The law is very narrow, what they are trying to \nregulate, which is disclosure of, did you rent or buy a \nvideotape? 
The law is very understandable in that case.\n    I think if you compare that definition to what is in the \nGreenwood bill or any of these bills that go to health \nconfidentiality, you will see that one is a very small, \nunderstandable legal obligation as compared to a very amorphous \nobligation. Therefore, the more amorphous an obligation is, the \nmore difficult it is to understand, the more exposure there is \nto an employer or a business in court and a vague reason, jury \ntrials. So you have to look at the whole combination of the law \nis what I am saying.\n    And third I guess I would just say that every law is \ndifferent. Every law goes through its own negotiations as it \ngoes through the congressional process. Sometimes some \nprovisions get more attention than others. I have seen that. I \nhave spent 9 years on the Hill. Sometimes provisions such as \nenforcement didn\'t get the close scrub they should have. So \nparallels sometimes I think just have to be looked at \ncarefully.\n    Last, I would say there are many important rights as \nidentified in my testimony, such as safety and health in the \nworkplace, that don\'t have private causes of action; and I \ndon\'t think any of us will argue that OSHA is a slouch in \nenforcement or the National Labor Relations Board is a slouch \nin enforcement, and yet these are very important rights that \nCongress has chosen not to protect through a private cause of \naction.\n    Mr. Brown. Some might argue that OSHA doesn\'t have the \nauthority it needs in protecting workers. Not too many of our \nmembers would argue that I am sure.\n    Mr. Bilirakis. I thank the gentleman. I am going to \nhitchhike on Mr. Brown\'s questions.\n    Mr. Johnson, are there remedies in tort law today that \nwould be available in the event an individual wanted to bring a \ncause of action as a result of breach of confidentiality?\n    Mr. Johnson. 
Well, it is my view, and I think it is the \nview of other people who have looked at this bill, that the \nGreenwood bill does not preempt tort laws such as intentional \ninfliction of mental distress, which would apply therefore to \nyour worst kinds of situations.\n    Mr. Bilirakis. So there are remedies in tort law existing \ntoday?\n    Mr. Johnson. It is not going to cover every single legal \nobligation.\n    Mr. Bilirakis. No law does.\n    Mr. Johnson. No law does.\n    Mr. Bilirakis. Are you aware of any cases where an \nindividual had the confidentiality of their medical records \ncompromised and yet they were unable to bring a court action?\n    Mr. Johnson. I personally have not.\n    Mr. Bilirakis. Are any of you aware of any similar case \nwhere they just weren\'t able to bring a court action because a \nremedy was not available?\n    Ms. Carty, you touched on this and, in a sense, I suppose \nmaybe you answered it. Currently 34 States, as I understand it, \nhave laws governing access to medical records. A major clinical \ntrial would be administered in possibly dozens of States, one \ntrial in possibly dozens of States. Won\'t the complexity and \ncost of research be driven up? It may even be impossible to be \nadequately conducted, if you will, if researchers instead of \nmeeting a single uniform standard must tailor their programs in \nmultiple ways in order to gain access to data in a number of \nStates?\n    Ms. Carty. Yes, Mr. Chairman. I think it is important to \nrecognize that when a biomedical company decides to pursue a \nline of medical research, there are many factors that are \ninvolved--cost, of course. If that were the case and that \ncontinues to move on in terms of the State legislation and a \nmultitude of State laws, would it increase costs? Absolutely.\n    Would it also result in some treatment simply--some lines \nof science and some treatments not being explored? 
Yes, \nabsolutely, it would certainly have a major impact.\n    Mr. Bilirakis. You were in the audience when Dr. Appelbaum \ntestified and used the illustration of people come from \nVermont, New Hampshire travel into Massachusetts and therefore \nit is Massachusetts law which applies, but if the research \ntouched upon people in every one of those locales, you will \nhave actually different laws that would apply. It wouldn\'t be \njust Massachusetts law; it would be Massachusetts, Vermont, New \nHampshire, Rhode Island, et cetera, right?\n    Ms. Carty. That is correct.\n    Mr. Koski. May I respond to that, Mr. Chairman?\n    Mr. Bilirakis. If you do it quickly. We have a vote on the \nfloor, unfortunately. I apologize, but that is the way things \nare up here.\n    Mr. Koski. I think that Ms. Carty\'s response there is \nreally somewhat self-serving.\n    Mr. Bilirakis. Self-serving?\n    Mr. Koski. Yes, self-serving in terms of the industry.\n    Mr. Bilirakis. You guys are tougher on each other than we \nare.\n    Mr. Koski. I think, in fact, for a clinical trial, the \nexample that you cited, in every one of those cases, a patient \nis going to be giving written informed consent. Currently, \ninstitutions all have their own requirements for access to \nmedical records. The situation that would be imposed by \nindividual legislation in different States is probably not \ngoing to be any more cumbersome with respect to doing \nmulticenter clinical trials than the current situation. Having \nsaid that, though, I would say that the concerns about \npreemption to a large extent, I think, are separated with where \none sets the floor. If you have a national standard that was \nset as a platform rather than a floor, and people were \ncomfortable with that, I suspect that, you know, a few States \nwould feel obligated to go beyond those provisions, and the \nconcerns about preemption would not----\n    Mr. Bilirakis. 
Not very many, in other words, would be \nobligated. A response, Ms. Carty?\n    Ms. Carty. Mr. Chairman--and I know you have to get to your \nvote, but I just want to respond by bringing up the issue of \ngenetic research.\n    If States crack down on the use of genetic information, \nforbid the use of genetic information in research studies, \nthere are whole lines of research that will not be explored; \nand not really considering this self-serving, I mean, really \ntalking about, I think, the patients, the Alzheimer\'s patients \nand the breast cancer patients would probably be happy with \nthat kind of self-serving statement because it is those lines \nof research we can hope to explore through a responsible flow \nof genetic information.\n    Mr. Bilirakis. The clock wasn\'t turned on, but I think \nprobably my time is up.\n    Mr. Waxman. I want 5 minutes but I don\'t think I have 5 \nminutes now. May we vote and then return?\n    Mr. Bilirakis. I guess we are going to have to do that.\n    Mr. Hall. I can take my 1 minute now if you would like me \nto.\n    Mr. Bilirakis. All right. The gentleman is recognized.\n    Mr. Hall. Just to respond to Mr. Johnson that I agree with \nhis ideas about OSHA, and I think they have way too much \nauthority and don\'t use it very wisely.\n    I yield back my time. That is all of it.\n    Mr. Bilirakis. Well, all right. Mr. Burr was on his way \nback, but I understand there are two votes, so he probably is \nheld up. So we are going to have to recess for just a few \nminutes until we can get back. I am sorry. Thank you.\n    [Brief recess.]\n    Mr. Bilirakis. The hearing will come to order.\n    Where were we? Mr. Waxman.\n    Mr. Waxman. Thank you, Mr. Chairman.\n    Dr. 
Andrews, I understand that you were the Chair of the \nInternational Society for Pharmacoepidemiology when it issued \nits 1997 recommendations on medical record confidentiality, and \nthat report stated that all pharmacoepidemiologic studies that \nuse personally identifiable data should be subject to IRB \napproval before a study commences. It noted that the IRB \nmechanism has been and should continue to be the keystone for \nprotecting patient confidentiality by evaluating the use of \npotentially identifiable data, considering such use in the \nlight of privacy and confidentiality, and further legislation \nshould protect and strengthen IRB\'s ability to waive individual \ninformed consent under these circumstances.\n    This seems different than the views you expressed today.\n    Mr. Andrews.  Let me expand on that. Our committee \ncontinues to look at this in a great deal of detail. We were \naddressing mainly the issue of studies that require review of \nvery identifiable records in medical institutions to identify \npatients to whom--who would be approached to consent to \nparticipate, for example, in a case control study of birth \ndefects. We wanted to make it very clear that there is a role \nfor IRBs to review this kind of research which would fall under \nthe category that I mentioned earlier of interventional \nresearch in which a patient will ultimately be contacted.\n    Mr. Waxman. It says to balance the individual privacy \ninterest with society\'s need for sound information based on \nmedical and public health issues, we should build on current \nlaws and ethical guidelines, including the use of institutional \nreview, ethics committees or their equivalent, that have served \nwell in the past.\n    Among their specific recommendations were the following: \nAll pharmacoepidemiologic studies which use personal, \nidentifiable data should be subject to IRB approval before \nstudy commences. 
The IRB mechanism has been and should continue \nto be the keystone for protecting patient confidentiality by \nevaluating the use of potentially identifiable data and \nconsidering such use in the light of privacy and \nconfidentiality.\n    Mr. Andrews.  Absolutely, and let me clarify it. I think \nthat everything revolves around the definition of what is \nconsidered identifiable or nonidentifiable. The way most \nepidemiologists and researchers would define nonidentifiable \ndata would be information which is maintained in a form in \nwhich direct patient identifiers have been stripped and \nreplaced with a code which could potentially be linked back but \nwhich are not, on the face of it, identifiable to the \nresearcher. And that information--the kinds of studies that we \nuse that kind of key coded information would be considered in \nour profession to be nonidentifiable data.\n    Mr. Waxman. Isn\'t that a common rule and wouldn\'t--let me \nput it this way, because I don\'t want to argue with you. It \nseems hard for me to reconcile your testimony here with the \nstatements which take such strong positions for IRBs when the \npatients are going to be identified. Maybe you can elaborate, \nand I would want the chairman to hold the record open if you \nwant.\n    Let me continue on because I only have 5 minutes. Dr. \nKoski, you believe IRB oversight should be extended to all \nhealth researchers. Could you elaborate on this view and \ncomment on the guidelines for health researchers\' review that \nare in the Condit-Waxman bill and the Greenwood bill?\n    Mr. Koski. I don\'t think that there is a need to extend it \nso much with respect to the common rule, but rather to make \nsure that the common rule is extended to all of the IRBs.\n    Mr. Waxman. That is what I meant. You would have it apply \nnot just to government funded studies, but all private studies?\n    Mr. Koski. Exactly. I would support that strongly. 
I think \nthat would provide the most robust system for protection of \nhuman subjects in research, and I think there needs to be \nappropriate resourcing to get that done.\n    I do think that 1941 has a useful section in its research \nsections that provides some beginning guidance for developing \nspecific policies, guidelines for the use of identifiable \nhealth information, and those might be valuable to consider as \nwe work toward a final type of legislation that would emerge in \nthis process.\n    Mr. Waxman. You would want to see IRBs and not something \nequivalent to IRBs?\n    Mr. Koski. Absolutely, Mr. Waxman. I believe that having a \nseparate process that causes a segregation in the whole process \nfor review and approval of research would not only undermine \nthe process that is there, it would tend to dilute the process \nfor protection of human subjects and I think that would be a \nserious error.\n    Mr. Waxman. You don\'t think that will hinder research?\n    Mr. Koski. No, it will make it better because by protecting \nhuman subjects and by letting them know that we are putting \ntheir interests in the appropriate priority, there will be a \ngreater willingness to participate in research, and I think I \nwould like to make very clear to my colleagues here that in no \nway are the IRBs opposed to research. Our institutions live on \nresearch. That is what we do. Our goal is to make sure that \nresearch is not only done, and the best research is done, but \nthat it is done right.\n    Mr. Waxman. I think I heard the bell, Mr. Chairman.\n    Mr. Bilirakis. Yes, some time ago.\n    Mr. Waxman. Well, I yield back the balance of my time.\n    Mr. Bilirakis. Mr. Burr, to inquire.\n    Mr. Burr. Thank you, Mr. Chairman. Ms. Carty, it has been \nquite awhile since you testified. I want to take the \nopportunity to restate something that I heard you say. 
You said \nthere are significant health benefits to national uniformity \nproviding access to medical records. Did I understand you \ncorrectly?\n    Ms. Carty. That is correct.\n    Mr. Burr. There are significant health benefits to \nuniformity?\n    Ms. Carty. Yes, within a scope of potential therapies that \ncan be researched and developed through responsible areas of \nclinical testing research.\n    Mr. Burr. Again, like I did with the last panel, I want to \ntry to bring this whole question back to the quality-of-health \nfocus on the patient. I understand, Mr. Koski, you have got a \nvery specific area that you have proposed, not even flexing \nover to a modified IRB, and I want to make sure that we all \nconcentrate on the patient for a minute when we are talking \nabout--is the IRB the best way, when we discard some potential \nresearch that might be done, let us understand who is affected. \nIt is a patient. It is somebody we don\'t know. It is somebody \nthat potentially is sick, somebody potentially that is \nterminal. And the question is: Are we going to do everything we \ncan to encourage the development? Let me ask you, if you had 50 \ndifferent State rules, what would that do to the development of \ntechnology in medicine?\n    Ms. Carty. It would slow it in some areas. It would stop it \nin some areas. And that is the range. And that means very \npractical implications for the patients and their families. Let \nme give you a very practical example.\n    The magazine Nature came out with a wonderful article \ndescribing some areas of research in Alzheimer\'s disease, the \npotential development of a vaccine. 
This research is moving \nfrom conduct in mice in the labs and is just about to move into \nhuman clinical trials.\n    I would absolutely submit today that if uniform standards \nare not adopted, that that will directly impact the quality of \nthat research, those clinical trials and that observational \nresearch that will be conducted over the next phase in \ndeveloping this vaccine.\n    Mr. Burr. Let me ask, because Mr. Koski talked about--you \nsuggested that the definition of nonidentifiable information in \nthe Greenwood bill is too broad and that any ability to link \nback information should render it then by definition \nidentifiable.\n    I remember meeting with a company that does research and \nthey told me about one specific study of a drug that was out, \nand the specific instructions from the manufacturer to the \nphysician was no more than one prescription because of a \npotential risk with multiple prescriptions of liver problems. \nAnd the company was so concerned that doctors didn\'t read their \ndirections that they had this company in an identifiable way go \nand research. And they found that doctors were prescribing \nmultiple prescriptions, at which time the company pulled the \nproduct off the shelf because of potential liver damage.\n    Let me ask you to talk about the nonidentifiable and \nidentifiable situation that we run into and what significant \nproblem that will create when we talk about public health.\n    Mr. Andrews.  Well, I am very concerned about the possible \nimplications for public health, because in the area \nspecifically of drug safety monitoring, we rely on large data \nbases of existing records that cross State lines and come from \nhealth maintenance organizations and other places. We simply \nmust be able to have access to that kind of information to \nrapidly address important public health questions. 
If that \ninformation is key-coded but the researcher has no way of \nidentifying the individual patient, the researcher does not \nwant to know who the individual patients are, but it is \nimportant to maintain the link back to the original medical \nrecord.\n    Mr. Burr. Let me ask, the company that I met with, they \nmaintain the key. Now, it is up to them to maintain the privacy \nof the key to protect its integrity. What is wrong with them \nmaintaining the key if, in fact, somebody had to for health \nreasons trace back to a particular person for public health \nreasons? Is there any problem with that?\n    Mr. Andrews.  Who would be maintaining the key?\n    Mr. Burr. Whoever we put in charge. In this particular case \nit was the company that I met with, they control the key to the \nidentifier. Things go out unidentified. What you said, even if \nit went out nonidentified, the fact that there was a key and \nthe company had the key, you could not trust the integrity of \ntheir maintaining the privacy of the key, therefore it should \nbe identifiable; is that correct, Mr. Koski?\n    Mr. Koski. More or less.\n    Mr. Burr. Without some ID capabilities, how could you ever \ntrace back a public health problem?\n    Mr. Andrews.  You probably couldn\'t. It is important to be \nable to validly evaluate public health problems. If you have \nstrictly nonidentifiable data and look through very large data \nsets, you may find a medication that is associated with several \ncases of very serious medical problems, life threatening fatal \nproblems. 
You would hate to take a drug off the market because \nof those problems, if you assumed the drug caused it, without \ngoing back through the appropriate channels and finding out \nmore information about those specific cases to find out if \nthere were other explanations, which inevitably there might be.\n    And that is one of the reasons that it is important to \nmaintain the key for--to validate the study, to collect \nadditional data, to supplement the study that has been done \nusing identifiable data, and those are the circumstances in \nwhich a study would normally go to an IRB or some mechanism \nthat is created to evaluate under what circumstances is it \nappropriate to go back to contact the patient.\n    Mr. Burr. If you open this process up to an IRB or modified \nIRB, let me ask you, an extended liability to the degree that \nsome have suggested, what would be the willingness of \nparticipants to participate as part of the IRB, knowing that if \nthere was a breach of the responsibility of confidentiality of \nthe IRB that they were personally liable?\n    Ms. Frey. I can\'t speak for all IRBs but in ours we are a \nfunction of the institution so our IRB members are covered with \nliability insurance on the part of the institution.\n    Mr. Burr. What would the institution\'s position be?\n    Ms. Frey. That brings up who the owner of the data is. IRBs \nserve a vital function but they are not data custodians and \nthey are not owners and they are still charged by the \ninstitutions that host the data.\n    Mr. Burr. But the individuals who make up the IRB would be \nthe people who determine whether it is appropriate to move \nforward?\n    Mr. Waxman. Will the gentleman yield?\n    Mr. Burr. I don\'t have any time, but I will be happy to \nyield.\n    Mr. Waxman. 
All of these questions about the dangers of \nhaving an IRB go through and look at identifiable information \nabout a patient, this is what is done now, and so much of the \nresearch----\n    Mr. Burr. I didn\'t raise a question about IRBs going in as \ncurrently written. My question to Dr. Koski and Dr. Frey was if \nwe increased--which some have suggested even today the exposure \nto liability by individuals who make decisions about whether \nprivacy should be maintained--if that privacy were breached and \nindividuals who make up the IRBs were liable individually or as \na group, my question is: Would that affect the willingness of \npeople to participate in IRBs?\n    Ms. Frey. The obvious answer is yes. I would not propose, \nhowever, that that be the chain of liability. In fact, the very \ntitle of an institutional review board is just that. It is an \ninstitutional function. And in fact, there are cases where \ninstitutional review boards are found deficient because of \ninstitutional problems, not because of any deficiencies or lack \nof knowledge on the part of the members.\n    I think it is important to keep in mind and distinguish \ndata ownership and charge of responsibility with the people who \nactually carry out the charge. The reality is that in carrying \nout that charge, there is a very extensive process of \ndocumentation, the Federal code is very clear, and I don\'t \nthink that any audit would point easily to an individual having \nmade a mistake. It would be difficult, I will not say \ninconceivable.\n    Mr. Bilirakis. The gentleman\'s time has expired.\n    Mr. Waxman. I wanted to jump in on this, but I don\'t know \nhow you want to proceed.\n    Mr. Andrews. I would like to make a comment about IRB \nparticipation if that is okay.\n    Mr. Bilirakis. Make your comment.\n    Mr. Andrews.  I think it is vital that we have people \nwilling to serve on IRBs. IRBs serve an incredibly important \nfunction in this country. 
I think people would be more willing \nto serve on IRBs if there were adequate protections on the \nmovement and processing of information within the institution. \nI think in the Greenwood bill there are internal processes and \nsafeguards that are set up, which IRBs tend to rely on, and \nthose safeguards are stronger than what exists now and those \nare Federal--they would be uniform and federally enforceable, \nand I think that would provide a level of safeguards higher \nthan what we have now.\n    Mr. Waxman. But that is only an accurate statement as to \nresearch that is not now touched by the common rule, because if \nit is research touched by the common rule, which means there is \nFederal nexus to that research, then there is a stricter \nrequirement that if there is use of information that is \nidentifiable to a particular patient, then either they have to \nget consent or go to an IRB to get the IRB to agree that \nconsent is not going to be necessary for this public purpose.\n    Since it is being done in so much research now, I have not \nheard why that is a problem if we applied it to research being \ndone that is strictly private. The Greenwood bill has a \nprovision for something akin to an IRB for that private \nresearch. You can say that it is better than what we have now \nbecause now there is nothing there; but it has deficiencies, as \nmany of us see it, particularly since that internal review \nprocess could involve a conflict of interest with those people \nwho are sitting on that IRB. Am I misreading that?\n    Mr. Bilirakis. We don\'t want to go on indefinitely here. \nMaybe a pro-and-con response and then we will finish up.\n    Mr. Andrews. Two quick points. 
You are correct, the studies \nare covered by the IRB regs, but what typically happens because \ndata studies based on existing data are considered to have \nminimal risk, they are reviewed through the expedited review \nmechanism, which means that one member, generally an employee \nof the institution, does that review.\n    The other comment is that most IRBs typically, according to \nthe GAO report, rely on the policies that are in existence in \nthe institution for the handling of archival medical records.\n    Mr. Waxman. In other words, it has worked reasonably well?\n    Mr. Andrews.  We are suggesting----\n    Mr. Waxman. Because they have these expedited procedures, \nwhy would you object to having this same procedure used for \nprivate research?\n    Mr. Andrews.  We are suggesting that it is not working \nterribly well. Not much of the observational research is going \nto IRBs. We feel that we can have greater safeguards which \nwould encourage more research to be done if we had the \nsafeguards with federally enforceable national standards that \nwould be in place.\n    Mr. Koski. I think, in fact, the answer is to be sure that \nresearch that is not currently going to IRBs does go to IRBs \nunder a reasonable set of guidelines for review of this kind of \ninformation. In fact our own policies for confidentiality and \nprivacy are far stricter than what is in the Greenwood bill. So \nif we subscribe to that, it would definitely undermine the \nprotections we already have in place. It would be a mistake.\n    Ms. Frey. I heard conflict of interest. Yes, an expedited \nreview may be carried out by one member. Institutions generally \nhave written policy concerning conflict of interest and in that \ncase the review would necessarily go to someone without a \nconflict of interest.\n    Mr. Waxman. Do you read the Greenwood bill as permitting a \npossible conflict of interest?\n    Ms. Frey. I am not familiar with the exact language of the \nbill.\n    Mr. 
Burr. I ask that the staff on both sides, majority and \nminority, as well as Mr. Greenwood, if they are meeting with \nDr. Feldblum tonight, since she is a lawyer from a reputable \nschool and also familiar with this situation, just ask about \nthe liability issue; because one of the further concerns would \nbe could, if the institution were liable, could it then \ninfluence the decision of the members of the IRB because of \npressure from the institution?\n    Mr. Waxman. An issue that I have not heard raised except by \nyou today.\n    Mr. Burr. I have been accused of raising things never \nraised before.\n    Mr. Greenwood. Always on the cutting edge.\n    I thank the chairman and the panel who stayed for 6 hours \nfor this hearing, and to reiterate the commitment that I made \nin my opening remarks that this is important and we all share \nthe same interest.\n    Mr. Bilirakis. It is important and we can work together \noutside of politics.\n    There are always written questions that the committee has \nof the panelists, and we would appreciate, obviously, quick \nresponses to them because we don\'t have that much time. Thank \nyou very much. It has been a good hearing and you have helped \nto make it so. The hearing is adjourned.\n    [Whereupon, at 4 p.m., the subcommittee was adjourned.]\n    [Additional material submitted for the record follows:]\n   Prepared Statement of Hon. Christopher Shays, a Representative in \n                 Congress from the State of Connecticut\n    Chairman Bilirakis, Ranking Member Brown and members of the \nSubcommittee:\n    Thank you for the opportunity to provide you with my thoughts on \nmedical records confidentiality as you consider H.R. 2470, the \nBipartisan Medical Information Protection and Research Enhancement \n(MIPRE) Act, which was introduced by Representative Jim Greenwood to \nprotect the security of patients\' medical information.\n    As an original cosponsor of H.R. 2470 and a sponsor of H.R. 
2455, \nthe Consumer Health and Research Technology (CHART) Protection Act, I \nfirmly believe this Congress must enact comprehensive medical records \nprivacy legislation.\n    There is currently no comprehensive, uniform standard to protect \nthe privacy of a patient\'s medical records and there have been several \nstartling examples of the potential effects of this void over the past \nseveral years. For example, USA Today reported in 1996 that a public \nhealth worker in Tampa, Florida walked away with a computer disk \ncontaining the names of 4,000 people who tested positive for HIV. The \ndisks were sent to two newspapers.\n    In addition, The National Law Journal reported in 1994 that a \nbanker who also served on his county\'s health board cross referenced \ncustomer accounts with patient information and subsequently called due \nthe mortgages of anyone suffering from cancer.\n    Under the Health Insurance Portability and Accountability Act \n(HIPAA), should Congress fail to enact comprehensive legislation to \nprotect the confidentiality of medical records by August 21 of this \nyear, the Secretary of Health and Human Services will be required to \npromulgate regulations.\n    I believe our colleagues on both sides of the aisle have come to \nrecognize the need for Congress to act before the Secretary steps in. I \nwas encouraged by the inclusion of medical records confidentiality \nprovisions in the Financial Services Act which the House recently \npassed. 
The provisions were an important first step toward recognizing \nthe need for legislation to ensure the confidentiality of medical \nrecords but alone they are not sufficiently comprehensive to guarantee \nthe privacy of individual patient records.\n    In my opinion, the question is no longer ``Will Congress act before \nthe August deadline?\'\' but ``How will Congress act before the August \ndeadline?\'\'\n    While this hearing is focused on the consideration of the MIPRE \nAct, I wanted to take the opportunity to bring to the Committee\'s \nattention the CHART Protection Act, which I recently reintroduced, and \nhighlight several important similarities and differences between the \ntwo pieces of legislation.\n    The CHART Protection Act shares a number of important provisions \nwith the MIPRE Act. Both bills allow patients to inspect, copy and \nwhere appropriate, amend their medical records.\n    In addition, both bills impose strong criminal and civil penalties \nto deter abuse and increase incentives to use non-identifiable \ninformation.\n    Finally, both CHART and MIPRE allow for the use of protected \ninformation for research purposes when reviewed by an Institutional \nReview Board or where the individual has provided specific \nauthorization.\n    Focusing on the differences between the two bills, I would like to \nbriefly outline the unique approach the CHART Protection Act takes to \nensure the confidentiality of medical records, and touch on how the \nlegislation differs from the MIPRE Act in two crucial areas--\nauthorization for use of individually identifiable health information \nand preemption of state law.\n    The MIPRE Act and other bills restrict the use of health \ninformation unless it is specifically authorized for disclosure. 
Rather \nthan spelling out the individually identifiable information which can \nbe disclosed, the CHART Protection Act sets forth the inappropriate \nuses of protected information and allows for disclosure of individually \nidentifiable information unless it is specifically prohibited in the \nbill.\n    Use of anonymous information will not be affected by the CHART \nProtection Act unless the information is intentionally decoded and used \nto identify an individual.\n    The MIPRE Act creates a statutory authorization which permits the \ndisclosure of protected information if it is permitted in statute. The \nbill sets out permissible uses of individually identifiable information \nand prohibits all other uses unless they are specifically authorized by \nan individual.\n    In my opinion, a shortcoming of this approach is that it permits \nthe disclosure of health information for a variety of activities \nwithout patient consent. In fact, there is nothing in the act requiring \nan authorization from the patient to use information if it falls within \nthe statutory authorization.\n    The approach taken in the CHART Protection Act gives patients more \ncontrol over their medical records by requiring authorization for a \nmajority of uses of individually identifiable information.\n    The CHART Protection Act creates a consolidated authorization \nprocess for the use of individually identifiable information by \nproviding the authorization up front, but allows individuals to revoke \ntheir permission for health research purposes at any time.\n    The CHART Protection Act generally preempts state law except mental \nhealth and communicable disease protections enacted by states and \nlocalities, as well as public health laws such as birth and death \nreporting.\n    In contrast, the MIPRE Act preempts state mental health and \ncommunicable disease laws, and may serve to weaken state laws which are \nmore stringent than federal statute.\n    Mr. 
Chairman, despite their differences, and despite my belief that \nthe overall approach taken in the CHART Protection Act offers more \nstringent protections to consumers, the MIPRE Act represents a \ncomprehensive approach to protecting the confidentiality of medical \nrecords while protecting legitimate uses of medical information.\n    It is my hope that my colleagues will work toward passing a uniform \nand comprehensive confidentiality law which serves to balance the \ninterests of patients, health care providers, data processors, law \nenforcement agencies and researchers.\n    Thank you for the opportunity to submit my testimony.\n\n\n</pre></body></html>\n'