[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]



 
                 CONFIDENTIALITY OF HEALTH INFORMATION

=======================================================================

                                HEARING

                               before the

                         SUBCOMMITTEE ON HEALTH

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 20, 1999

                               __________

                             Serial 106-29

                               __________

         Printed for the use of the Committee on Ways and Means



                    U.S. GOVERNMENT PRINTING OFFICE
64-128 CC                   WASHINGTON : 2000



                      COMMITTEE ON WAYS AND MEANS

                      BILL ARCHER, Texas, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
BILL THOMAS, California              FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida           ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut        WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana               JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania      KAREN L. THURMAN, Florida
WES WATKINS, Oklahoma                LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
SCOTT McINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida

                     A.L. Singleton, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                         Subcommittee on Health

                   BILL THOMAS, California, Chairman

NANCY L. JOHNSON, Connecticut        FORTNEY PETE STARK, California
JIM McCRERY, Louisiana               GERALD D. KLECZKA, Wisconsin
PHILIP M. CRANE, Illinois            JOHN LEWIS, Georgia
SAM JOHNSON, Texas                   JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  KAREN L. THURMAN, Florida
JIM RAMSTAD, Minnesota
PHILIP S. ENGLISH, Pennsylvania


Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.



                            C O N T E N T S

                               __________
                                                                   Page
Advisories announcing the hearing................................     2

                               WITNESSES

U.S. Department of Health and Human Services, Mike Hash, Deputy 
  Director, Health Care Financing Administration.................    11
U.S. Department of Health and Human Services. Hon. Margaret 
  Hamburg, M.D., Assistant Secretary for Planning and Evaluation.    16
U.S. General Accounting Office, Leslie G. Aronovitz, Associate 
  Director, Health Financing and Public Health Issues, Health, 
  Education, and Human Services..................................    22

                                 ______

American Hospital Association, and Intermountain Health Care, 
  Paul D. Clayton................................................    53
Association of American Medical Colleges, and University of 
  Arkansas for Medical Sciences, G. Richard Smith, Jr............    59
Blue Cross and Blue Shield of Nebraska, and Blue Cross and Blue 
  Shield Association, Tom Jenkins................................    80
Goldman, Janlori, Institute for Health Care Research and Policy, 
  Georgetown University..........................................    64

                       SUBMISSIONS FOR THE RECORD

American Association of Occupational Health Nurses, Inc., 
  Atlanta, GA, statement.........................................    91
American Psychiatric Association, statement......................    94
American Society of Health-System Pharmacists, Bethesda, MD, 
  statement......................................................    97
Anderson, Joyce E., Minneapolis, MN, letter......................    98
Blevins, Sue A., Institute for Health Freedom, statement.........   104
Burcham, Matthew and Carrie, Jefferson City, MO, letter..........    99
Concerned Parents for Vaccine Safety, Ely, NV, Dawn Winkler, 
  letter.........................................................   100
Elensys, Woburn, MA, and Olsson, Frank and Weeda, P.C., Karen A. 
  Reis, letter...................................................   100
Goldman, Margo P., National Coalition for Patient Rights, 
  Lexington, MA, statement and attachments.......................   117
Greiner, Sandra K., Independence, MO, letter.....................   101
Hannon, Hon. Kemp, National Conference of State Legislatures, 
  letter and attachment..........................................   121
Health Insurance Association of America, statement...............   101
Institute for Health Freedom, Sue A. Belevins, statement.........   104
Johnson, Randel K., U.S. Chamber of Commerce, statement and 
  attachment.....................................................   124
Kane, Peter, National Coalition for Patient Rights, Lexington, 
  MA, statement and attachments..................................   117
LPA, Inc., statement.............................................   104
McDermott, Hon. Jim, a Representative in Congress from the State 
  of Washington..................................................     7
National Association of Health Underwriters, Arlington, VA, 
  statement......................................................   107
National Association of Insurance Commissioners, statement and 
  attachment.....................................................   109
National Coalition for Patient Rights, Lexington, MA, Margo P. 
  Goldman and Peter Kane, statement and attachments..............   117
National Conference of State Legislatures, Hon. Kemp Hannon, 
  letter and attachment..........................................   120
Reis, Karen A., Elensys, Woburn, MA, and Olsson, Frank and Weeda, 
  P.C. letter....................................................   100
Smock, Elizabeth S., Kansas City, MO, letter.....................   124
U.S. Chamber of Commerce, Randel K. Johnson, statement and 
  attachment.....................................................   124
Winkler, Dawn, Concerned Parents for Vaccine Safety, Ely, NV, 
  letter.........................................................   100



                 CONFIDENTIALITY OF HEALTH INFORMATION

                              ----------                              


                         TUESDAY, JULY 20, 1999

                  House of Representatives,
                       Committee on Ways and Means,
                                    Subcommittee on Health,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 3:20 p.m., in 
room 1100, Longworth House Office Building, Hon. Bill Thomas 
(Chairman of the Subcommittee) presiding.
    [The advisories announcing the hearing follow:]



ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                         SUBCOMMITTEE ON HEALTH

                                                CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE

July 13, 1999

No. HL-8

                      Thomas Announces Hearing on

                 Confidentiality of Health Information

    Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of 
the Committee on Ways and Means, today announced that the Subcommittee 
will hold a hearing on proposals to protect the confidentiality of 
patients' health care information. The hearing will take place on 
Tuesday, July 20, 1999, in the main Committee hearing room, 1100 
Longworth House Office Building, beginning at 2:00 p.m.
      
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Committee and for 
inclusion in the printed record of the hearing.
      

BACKGROUND:

      
    Section 264 of the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA) (P.L. 104-191) required the Secretary of Health and 
Human Services to develop policy recommendations with respect to the 
confidentiality of health information by August 1997. Specifically, the 
HIPAA mandate required that this new policy be designed to protect the 
privacy of personal health information that is transmitted 
electronically, in conjunction with one of the standardized health 
transactions established by HIPAA's administrative simplification 
provisions. Secretary Shalala submitted these recommendations to 
Congress in September of 1997. Under HIPAA, Congress has until August 
21, 1999, to enact a privacy law. If Congress fails to enact a medical 
privacy law, the Secretary is then required to issue regulations within 
six months. The law provides that, if regulations are issued, they will 
not supercede stricter State privacy laws. The Subcommittee began its 
exploration of this issue with a hearing on March 24, 1998. At that 
meeting, Subcommittee members heard from a variety of private 
witnesses, as well as Dr. Don Detmer, then Chairman of the National 
Committee on Vital Health Statistics (NCHVS). The NCVHS advised the 
Secretary in the development of her policy recommendations.
      
    In announcing the hearing, Chairman Thomas stated: ``The importance 
of information to America's modern health care delivery system cannot 
be overstated. The rapid exchange of information B much of it personal 
in nature B is critical to the delivery of high quality care, the 
increasingly complex financing of care, and ongoing efforts to improve 
quality. Protecting the confidentiality and security of this 
information is even more important. Only by protecting the 
confidentiality of health information can we give patients the 
confidence they need to seek help, even for the most personal or 
sensitive of health issues. Data integrity and system security measures 
are critical to our ongoing efforts to improve health care outcomes and 
find new cures through the application of information technology to 
medical research. Today, every patient B including 38 million Medicare 
patients B benefits from the extensive use and exchange of information 
in our health system. However, our laws need to be updated to better 
protect the confidentiality and security of this information.

FOCUS OF THE HEARING:

      
    The hearing will focus on various aspects of the patient 
confidentiality issue that have been raised by the Secretary's 
recommendations to Congress and by other laws . The Subcommittee will 
receive testimony from several public agency representatives and from a 
variety of private sector witnesses representing different perspectives 
from within the health care system.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
    Any person or organization wishing to submit a written statement 
for the printed record of the hearing should submit six (6) single-
spaced copies of their statement, along with an IBM compatible 3.5-inch 
diskette in WordPerfect 5.1 format, with their name, address, and 
hearing date noted on a label, by the close of business, Tuesday, 
August 3, 1999, to A.L. Singleton, Chief of Staff, Committee on Ways 
and Means, U.S. House of Representatives, 1102 Longworth House Office 
Building, Washington, D.C. 20515. If those filing written statements 
wish to have their statements distributed to the press and interested 
public at the hearing, they may deliver 200 additional copies for this 
purpose to the Subcommittee on Health office, room 1136 Longworth House 
Office Building, by close of business the day before the hearing.
      

FORMATTING REQUIREMENTS:

      
    Each statement presented for printing to the Committee by a 
witness, any written statement or exhibit submitted for the printed 
record or any written comments in response to a request for written 
comments must conform to the guidelines listed below. Any statement or 
exhibit not in compliance with these guidelines will not be printed, 
but will be maintained in the Committee files for review and use by the 
Committee.
      
    1. All statements and any accompanying exhibits for printing must 
be submitted on an IBM compatible 3.5-inch diskette in WordPerfect 5.1 
format, typed in single space and may not exceed a total of 10 pages 
including attachments. Witnesses are advised that the Committee will 
rely on electronic submissions for printing the official hearing 
record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. A witness appearing at a public hearing, or submitting a 
statement for the record of a public hearing, or submitting written 
comments in response to a published request for comments by the 
Committee, must include on his statement or submission a list of all 
clients, persons, or organizations on whose behalf the witness appears.
      
    4. A supplemental sheet must accompany each statement listing the 
name, company, address, telephone and fax numbers where the witness or 
the designated representative may be reached. This supplemental sheet 
will not be included in the printed record.
      
    The above restrictions and limitations apply only to material being 
submitted for printing. Statements and exhibits or supplementary 
material submitted solely for distribution to the Members, the press 
and the public during the course of a public hearing may be submitted 
in other forms.
      

    Note: All Committee advisories and news releases are available on 
the World Wide Web at `HTTP://WWW.HOUSE.GOV/WAYS__MEANS/'.
      

    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.

                                

                         NOTICE--CHANGE IN TIME

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                         SUBCOMMITTEE ON HEALTH

                                                CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE

July 16, 1999

No. HL-8-Revised

               Change in Time for Subcommittee Hearing on

                 Confidentiality of Health Information

                         Tuesday, July 20, 1999

    Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of 
the Committee on Ways and Means, today announced that the Subcommittee 
hearing on confidentiality of health information, previously scheduled 
for Tuesday, July 20, 1999, at 2:00 p.m., in the main Committee hearing 
room, 1100 Longworth House Office Building, will now begin at 3:00 p.m.
      
    All other details for the hearing remain the same. (See 
Subcommittee press release No. HL-8, dated July 13, 1999.)
      

                                


    Chairman Thomas. The Subcommittee will come to order. Well, 
good afternoon.
    Today, the Subcommittee will be holding its second hearing 
on the confidentiality of health care information. The Ways and 
Means Committee began focusing on this issue directly and 
intently in 1996. That was the year Congress passed the Health 
Insurance Portability and Accountability Act or, as we call it, 
HIPAA.
    Among HIPAA's many provisions was an initiative 
specifically designed to reduce the administrative costs 
associated with the processing of claims, other routine 
transactions, Medicaid, Medicare and the rest of the health 
care system. This initiative now codified in title XI of the 
Social Security Act is known as administrative simplification.
    Part of that administrative simplification effort, in 
addition to standardized health care transactions, was 
acknowledgment that there was a need for re-evaluation and 
enhancement of the confidentiality protections afforded health 
information, particularly in light of stories and knowledge 
dealing with computers and the electronic forms of 
communication that began advancing themselves in the health 
care financing system.
    We did that by including a provision in that administrative 
simplification section requiring the Secretary of Health and 
Human Services to develop and forward to the Ways and Means 
Committee and the Senate Finance Committee recommendations for 
national health care confidentiality legislation. Those 
recommendations were forwarded to us in September 1997, and 
they were a subject of this Subcommittee's hearing last spring.
    Now, there is an aspect of HIPAA that says unless Congress 
acts on the confidentiality legislation on its own by August 21 
that the Secretary has the authority to promulgate regulations 
to protect confidentiality of information transmitted 
electronically. I think all of us hope that this will not be 
necessary. As the administration has often said, and I believe 
is sincere, it would be far better if Congress acted on the 
HIPAA mandate and passed a comprehensive confidentiality 
statute than regulations promulgated by the Secretary in 
accordance with the HIPAA provisions.
    We have all been working on this issue. The Senate has 
labored, other Committees of the House have labored, and many 
of you know I have been working with a number of our 
colleagues, principally Ben Cardin, in the hopes of developing 
a bill that can be widely supported by Members on both sides of 
the aisle, by those who are involved in this issue and, most 
importantly, by providers and patients.
    We believe we are close to presenting the Subcommittee with 
the proposal, but we believe this hearing will be very 
informative and will assist us in understanding some of the 
areas that we still have not been able to finalize. And more 
specifically today, we will be looking at the many different 
ways that personal health information is used in Medicare and 
throughout the private health care system. We will be looking 
at the Secretary's proposed policy under HIPAA, and I do think, 
though, many of the hearings that we have had for background 
and resource information are valuable, this one could be one of 
the most valuable ones that we will hold.
    Our failure to act in this area may, in fact, miss a window 
to protect the confidentiality of patients' personal health 
information in a broad and significant way for individuals but 
just as importantly for health care outcomes research using the 
material that a confidentiality Federal structure would 
provide.
    And so, I look forward to the testimony from our witnesses 
and look forward to Members of this Subcommittee meeting and 
trying to resolve what I think is one of the key issues today 
and that is identify and develop policies that balance truly 
competing needs, almost competing rights. This hearing will be 
central in assisting us in doing that, and I will recognize my 
colleague if he has any statement.
    Mr. Kleczka. Thank you, Mr. Chairman.
    Mr. Chairman, what I would like to do is ask unanimous 
consent to enter into the record the opening statement by the 
Ranking Member, Pete Stark, who is under the weather today.
    Chairman Thomas. Without objection.
    [The opening statements follow:]

Opening Statement of Chairman William M. Thomas, a Representative in 
Congress from the State of California

    Good Afternoon. Today the Subcommittee will be holding its 
second hearing on the confidentiality of health care 
information. The Ways and Means Committee began its focus on 
this issue most recently, in 1996. That was the year Congress 
passed the Health Insurance Portability and Accountability Act, 
or HIPAA. Among HIPAA's many provisions, was an initiative 
specifically designed to reduce the administrative costs 
associated with the processing of claims and other routine 
transactions in Medicare, Medicaid and the rest of the health 
care system. This initiative, now codified in Title XI of the 
Social Security Act, is known as Administrative Simplification.
    As part of the Administrative Simplification effort, 
Congress acknowledged that, in addition to standardized health 
care transactions, there was a need for a reevaluation and 
enhancement of the confidentiality protections afforded health 
information--particularly in light of the increasing use of 
computers and electronic forms of communication in the health 
care financing system. Congress did this by including in the 
Administrative Simplification provisions a requirement that the 
Secretary of Health and Human Services develop and forward to 
the House Ways and Means and Commerce Committees, and the 
Senate Finance and Labor Committees, recommendations for 
national health care confidentiality legislation. The 
Secretary's recommendations were forwarded to us in September 
of 1997 and they were the subject of our last hearing on this 
issue last Spring. Unless Congress acts on confidentiality 
legislation of its own by August 21st of this year, the HIPAA 
law gives the Secretary the authority to promulgate regulations 
to protect the confidentiality of information transmitted 
electronically in connection with one of HIPAA standardized 
transactions.
    I hope that this will not be necessary. As the 
Administration has often said, I believe it would be far better 
if Congress acted on the HIPAA mandate and passed a much, more 
comprehensive confidentiality bill--a bill that would protect 
the confidentiality of all personal health information in the 
system--not just that transmitted in accordance with HIPAA.
    That is why I am intent on bringing legislation before this 
panel shortly that will meet the HIPAA mandate and go beyond, 
and establish protections for all personal health information. 
As many of you know, I have been working with my colleague, 
Representative Cardin, in the hopes of developing a bill that 
can be widely supported by Members on both sides of the aisle. 
While I believe we are close to presenting the subcommittee 
with a proposal, I believe this hearing will be very 
informative and help us greatly as we seek to hammer out the 
final details.
    More specifically, today we will be looking at the many 
different ways that personal health information is used in 
Medicare and throughout our private health care system. 
Moreover, we will be examining the possible effects of the 
Secretary's proposed policy to protect the confidentiality of 
that information. As far as I am concerned, the importance of 
this issue to health policy can not be overstated. 
Confidentiality is a fundamental value of medicine. It is 
essential to the delivery of care. Only by honoring the 
confidences of patients can the system maintain the trust that 
is critical to the patient-caregiver relationship. Only by 
protecting the confidentiality of patient's personal health 
information can we ensure that patients will continue to seek 
out care when needed.
    Similarly though, information about individual patient 
encounters with the health system is of fundamental importance 
to efforts to our improve the public health. The lessons 
learned from one patient's encounter with the system makes it 
possible to improve the care of the next patient. Finding new 
cures for disease and identifying better methods of treatment 
are dependent on information that is learned when patients 
obtain care. Finally, information about individual patient 
encounters is essential to the processing of today's 
increasingly complex and sophisticated payment arrangements--
including those we employ today to finance Medicare and 
Medicaid.
    Our challenge is to identify and develop policies that 
balance these competing needs. My hope is that today's hearing 
will be instrumental in helping us do this.
      

                                


Opening Statement of Hon. Fortney Pete Stark, a Representative in 
Congress from the State of California

    Thank you, Mr. Chairman, for holding this hearing today.
    We have a lot of questions to ask our witnesses. They are 
difficult questions that many committees have struggled to 
answer over the course of numerous hearings during the last 
several years.
    I hope we can make progress today by getting some 
thoughtful answers to some of the toughest issues in the 
medical privacy arena. The most fundamental is this: Does 
federal legislation that establishes uniform rules for all 
health care providers have to preempt state laws?
    I submit that the answer is no--that under the federal 
Supremacy Clause that we will shortly be hearing more about 
from GAO, any confidentiality legislation we enact will become 
a baseline for medical privacy in this country. This means that 
if federal law is more protective than similar state laws, then 
our legislation will become the standard. And the degree of 
public anxiety about eroding medical privacy tells me that any 
federal standard should be as clear and as protective as 
possible.
    But in those cases where a state's law is stronger--as in 
California's requirement that all law enforcement officials 
must have a warrant to access identifiable health information--
then state law should govern.
    If followed, this basic principle would provide meaning and 
shape to a debate that has often sputtered and bogged down over 
definitional squabbles that fail to produce a workable 
agreement.
    We have little enough time left to craft a consensus. And I 
regret that the panel's real expert on medical privacy, Dr. Jim 
McDermott, is not able to be with us today. As yet, we do not 
have legislation under consideration by this Subcommittee. But 
I hope that when we do, we will have plenty of time to discuss 
it and ask further questions before marking it up.
    Thank you.
      

                                


    Mr. Kleczka. And also the statement of another colleague 
from the Subcommittee, Jim McDermott, who has been very active 
in this issue. He is unable to be here. He is recuperating from 
heart surgery back in his home State of Washington.
    I talked to Jim a short time ago, and he is doing quite 
well, and he thanks all the Members of Congress for their 
concern and the friends that he has around the DC area.
    So I would ask unanimous consent that Mr. McDermott's 
statement be entered also in the record.
    Chairman Thomas. Without objection.
    [The opening statement follows:]
      

                                


Statement of Hon. Jim McDermott, a Representative in Congress from the 
State of Washington

    Mr. Chairman, thank you for inserting my statement into the 
record. I had hoped to be here for this hearing, but I am in 
Seattle recuperating from heart surgery.
    As you know, medical privacy is an issue that I have long 
cared about. As a psychiatrist and health care consumer I 
witnessed a need for strong federal privacy law protecting 
patients. It is amazing that we don't have strong privacy 
protections in place for medical records already yet we have 
one for video rental records.
    Why do we need a Federal medical privacy law? Currently, 
privacy protections are weak and vary widely from state to 
state. Only 28 states allow people to even examine their own 
medical records. This lack of strong national standards could 
allow employers, schools, marketing agencies and others access 
to what ought to be confidential files.
    Ensuring privacy in medical care is more important now than 
ever before because of new technologies like genetic testing 
and the computerization of medical records. Genetic research 
and testing has profound implications for our country's health 
care system because genetic information discloses not just our 
current health, but also purports to accurately predict our 
potential future health, and the health of our families.
    The Human Genome Project may have a draft of the entire 
genome by early next year. And, in the near future, tests will 
be available for common genetically affected conditions. These 
tests create opportunities even as they raise serious 
challenges that we need to address immediately.
    The BRCA-1 genetic test for breast cancer illustrates the 
dimensions of this debate. Women have been advised to be 
tested, but only as part of a research protocol.
    Some patients see this as paternalistic, preferring to be 
informed of the results of the test, even if those results are 
not easily interpretable at this moment. Patients are warned 
about the potential risks of whether they will be able to buy 
health insurance or even if they will be able to get a job--
should others learn of their genetic status. Understandably, 
this has discouraged some women from participating in even the 
research, where their identities should be strictly protected.
    Not everyone wants to know his or her genetic status. This 
can cause friction for families in which some members wish to 
be tested, but others do not. Sometimes the tests require 
participation by several family members to determine which 
mutation is common in that particular family. Some mothers have 
opted not to be tested to prevent anticipated discrimination 
against their daughters, while others feel compelled to be 
tested to spare their daughters the anxiety of not knowing if 
they carry the mutation.
    Genetic tests also raise the issue of cost. Many insurance 
plans do not cover genetic tests, or they do not cover the 
counseling that is an integral part of genetic therapy. If a 
woman has no health insurance, frequent mammography screenings 
for breast cancer are a considerable expense, and the results 
of the test may be worse than useless to her.
    Increasing reliance on mass computer databases further 
complicates the problem. Computers have revolutionized the way 
an individual's medical information is collected, stored, and 
disseminated. Without adequate, enforceable controls, this 
information can be used to breach the privacy of patients and 
to discriminate against them.
    In 1995, Harvard and Stanford conducted a study of 200 
people who suffered discrimination in insurance, jobs, 
education, or child adoptions because of their predisposition 
to a genetic disease. What makes their stories particularly 
disturbing is that these people had no symptoms, and perhaps 
would never develop that particular disease. These examples led 
to my concern about what the future holds if we allow 
indiscriminate use of these new technologies.
    I will introduce this year, as I have in the last two 
congresses, a bill called the ``Medical Privacy in the Age of 
New Technologies Act.'' This measure is intended to ensure that 
a patients personal health information will not be disclosed 
without that patients explicit consent, and that patients have 
access to their own records. It puts the individual in charge 
of what happens to his or her medical information, who sees it, 
and why.
    As you may know, the Congress is required to pass privacy 
legislation by this August. If we fail to meet this deadline, 
the Secretary of Health and Human Services will promulgate 
regulations. Even the Secretary agrees that regulations will 
not provide patients with the kind of strong protections that 
can be imposed by law.
    As the Subcommittee considers legislative proposals there 
are two basic principles that should be included in any privacy 
legislation:
     First, people need to be notified of how their 
personal information might be used,
     Second, they must have the opportunity for 
meaningful informed consent. Informed consent in the realm of 
health care is key. If patients fear that their records will be 
used in ways they do not know about, or will be given to third 
parties without their permission, they will not trust the 
health care system, and they will not tell their doctors the 
information necessary to provide them the best care.
    It is likely that the generalizations we use to describe 
competing privacy proposals will make the bills sound very 
similar. But, to use an often-overused phrase, the devil is in 
the details. When you examine the details of these bills you 
will find a number of distinctions. Most notably they differ on 
the issues of the informed consent, research, and the 
preemption of state laws.
    Following the basic principle that an individual has a 
right to privacy of their health information, it is important 
the patient is informed--in writing--of what information is to 
be disclosed, for what purpose, to which entity, and for what 
period of time. There should be two tiers of authorization: one 
for treatment and payment, and another for other purposes, such 
as research. Individuals can not ``opt out'' of using their 
information for treatment and payment. However, in some bills 
including my own, patients can opt out of using their 
information for the second tier ``other purposes.'' The debate 
in Congress has focused around what constitutes ``treatment and 
payment.'' Does treatment and payment include auditing, 
research, marketing, and so on?
    Research is another area of distinction. How will medical 
privacy legislation affect the ability to conduct medical 
research? The legislation I have proposed will not undermine 
research capabilities. It allows researchers to use coded 
information, meaning information that either is anonymous, but 
could be linked to protected health information by authorized 
persons, or is nonidentifiable information, which is anonymous 
and cannot be linked to anyone. Some legislation, such as the 
Bennett bill, has taken the approach that since we have all 
benefited from past medical research we are obligated to 
participate in future research. This is a tremendously 
important and difficult area to legislate. For which reason, I 
am working to find a balance between the two approaches.
    One of the most contentious issues we are grappling with is 
the issue of pre-emption of state law. I believe that the only 
meaningful medical privacy law will be one that is a ``federal 
floor'' that does not pre-empt stronger state laws. There are 
literally thousands of state laws that address the privacy of 
medical records information in non-health related areas. The 
pre-emption of all state law could have significant unintended 
consequences and will be costly to states. For instance, laws 
are on the books in many states regarding the privacy of the 
health information of victims of sexual assault. To broadly 
pre-empt these laws--not knowing what we are pre-empting and 
what the impact will be--is very short sighted.
    To argue the necessity of a ``federal ceiling'' claiming 
that we must preempt state laws to make it easier for the 
interstate health industry is incredible. For a Congress that 
has advocated sending power back to the states, I find it 
ironic that in this case they think the Federal government can 
do it better. Restricting states from passing stronger privacy 
laws would keep them from responding to many new, unique, and 
inherently local challenges in health care and public health. 
Especially, since there is no precedent in federal privacy or 
civil rights law for pre-empting stronger state laws.
    In the coming debate, many people will speak for industries 
that stand to make money from the use and misuse of 
information. For them, medical records are commodities that are 
bought and sold.
    We will hear many claims that any new legislation must not 
interfere with those particular interests. But the group we 
should listen to most will be hardest to hear: patients and 
their families. Think about your own family's medical records 
being available for anyone to look at. What value can we place 
on the confidentiality of the doctor-patient relationship? It 
is essential that we protect the privacy of individuals, 
including their genetic privacy. Good legislation can ensure 
that new technologies are used, not to deny health care or to 
deny medical privacy, but to benefit all of us.
    Thank you.
      

                                


Opening Statement of Hon. Jim Ramstad, a Representative in Congress 
from the State of Minnesota

    Mr. Chairman, thank you for calling this important hearing 
to discuss the confidentiality of medical records.
    Given the sensitive nature of personal health records, I am 
very aware of the importance of crafting appropriate 
legislation, as well as the complexities that surround this 
task. As Americans, we greatly value our personal privacy. As 
the world leaders in innovative and quality health care, we 
also understand the need to use some information in ways that 
promote research and development and quality assessments, as 
well as prevent fraud and abuse.
    Since this Subcommittee is charged with the responsibility 
of overseeing the Medicare program, I especially appreciate 
this hearing's attention to the privacy of personally 
identifiable information for the 39 million Americans enrolled 
in that important health care program.
    The General Accounting Office (GAO) will testify today 
about the importance of using personally identifiable 
information for the proper operation of the Medicare program, 
as well as the effect of state restrictions on HCFA's behavior. 
My constituents and I certainly look forward to learning more 
about HCFA's policies and practices regarding the disclosure of 
information, as well as HCFA's plans to improve the adequacy of 
its confidentiality safeguards and monitoring activities.
    Again, thank you for calling this important hearing. I look 
forward to learning more from our witnesses about the 
confidentiality of all medical records.
      

                                


    Mr. Kleczka. Mr. Chairman, I just want to say a couple of 
things on the issue of privacy.
    It is an area where I have had concerns for years now. This 
is the second session that I have introduced my Personal 
Information Privacy Act which indicates that a person's privacy 
is theirs and should not be waived or given away.
    I know the Chairman would like to have something done by 
the Committee on medical privacy, hopefully by the Congress 
before the August. However, I would caution the Committee 
against rushing and passing a bill that does not truly protect 
the privacy of the individual. Some of the things I have read 
and heard about which concern me are legislation preempting 
States' laws in this area, and provisions where a person who 
doesn't give a blanket waiver for release of their health care 
records could be denied health care services. You know, I am 
hopeful that those rumored provisions won't be in the final 
bill, but they disturb me greatly. I don't think there are 
competing interests with my health care privacy. It is mine. It 
is my medical record. It is my background. It is my past. I 
paid, along with the insurance company, for the medical care 
described in my records. We have gotten to the point in this 
country where we don't recognize these important facts.
    I happened to go to a new dentist in my home district of 
Milwaukee, Wisconsin, and I was filling out the elongated form 
before he looked at my mouth, and on the form he asked for my 
Social Security number. Well, what does my Social Security 
number have to do with my teeth? I think it has a lot more to 
do with my tax liability and the interest I get from my bank, 
so I left that blank.
    Then there was another section of the application where he 
asked whether or not he or the office could release this 
information. It didn't indicate for what purpose, but he wanted 
my blanket authorization to release the status of my teeth or 
my root canals to anyone he deemed appropriate to receive that 
information. There again I left that blank, and I think the 
consumer should have those rights.
    And the upshot, Mr. Chairman, was he treated me. Well, he 
didn't really treat me. He gave me an evaluation. The treatment 
comes this Friday, and $1,300 later I am going to be ``more 
better''. But, nevertheless, whatever is in that office and in 
my file is between my dentist and myself and my mouth. I don't 
think it should be shared on the Internet; it should not be 
shared with the world.
    If, in fact, somebody wants to do a clinical evaluation of 
Kleczka's teeth, they should ask me; and at that point I would 
probably say yes because, you know, I have no special teeth. 
But I think the legislation that we develop in this 
Subcommittee or in this Congress should recognize that the 
ultimate right of privacy is with the patient, is with the 
consumer, and I would not be willing, through my vote, to give 
away that right to any researcher, to any insurance company or 
to anyone else.
    Thank you, Mr. Chairman.
    Chairman Thomas. I thank the gentleman.
    If the first panel would come forward. The panel consists 
of Peggy Hamburg, M.D., Assistant Secretary for Planning and 
Evaluation, U.S. Department of Health and Human Services; 
Michael Hash, Deputy Administrator at HCFA; and Leslie 
Aronovitz, who is the Associate Director of Health Financing 
and Public Health Issues, Health, Education, and Human Services 
Division, United States General Accounting Office.
    Your written testimony will be made a part of the record. 
In the time that you have available you may address us in any 
way you see fit; and between the two of you, Mr. Hash, 
Honorable Hamburg, you can work out which one goes first.
    Mr. Hash. I will be happy to go first.
    Chairman Thomas. So we will start with you and move across 
the panel. Thank you very much.

STATEMENT OF MIKE HASH, DEPUTY DIRECTOR, HEALTH CARE FINANCING 
  ADMINISTRATION, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Mr. Hash. Thank you, Chairman Thomas and Members of the 
Health Subcommittee. We appreciate the opportunity to come and 
testify about our efforts to improve protections for personally 
identified beneficiary information that is in our program's 
possession.
    No administration has been more committed to protecting 
medical privacy. President Clinton and Vice President Gore have 
both spoken about its paramount importance. We provide much 
greater protection for sensitive personal health information in 
our programs than does the private sector. We strive to 
continually enhance our protections, and we greatly appreciate 
the evaluations and the advice of our Office of Inspector 
General at HHS, as well as the General Accounting Office.
    As the GAO has confirmed in its report to you, personally 
identifiable information on Medicare beneficiaries is essential 
to the operation of the program. We need it to make accurate 
payments in the fee-for-service portion of Medicare and to risk 
adjust the Medicare+Choice payments so that they take into 
account individual beneficiary health status information and 
reduce any disincentives for the enrollment of sicker 
beneficiaries.
    We also need personally identifiable information to conduct 
medical reviews and other activities that are essential to 
fighting waste, fraud and abuse in our programs.
    We certainly need it to coordinate benefits and ensure that 
we do not pay for claims that other insurers are liable to pay.
    And of course, we need it to protect--or to project, I 
should say, spending trends to accurately determine premium 
amounts for the Medicare Program, to develop and refine 
policies, including payment policies; to assess and improve 
quality and access; and last but far from least, we need to be 
responsive to individual beneficiary inquiries about coverage 
and payment affecting their interests.
    Medicare data are also an invaluable asset in the efforts 
to improve care and coverage for beneficiaries by our research 
colleagues at the National Institutes of Health, the Agency for 
Health Care Policy and Research, and other scientific 
investigators and policy analysts.
    Equally essential is our obligation to protect sensitive 
beneficiary information and to clearly inform beneficiaries of 
how information about them will be used in accordance with the 
requirements of the Privacy Act. Whenever concerns are raised 
about privacy, we take them seriously and we act on them 
immediately.
    That is what we did earlier this year when Vice President 
Gore and a number of Members of Congress identified potential 
problems with our home health patient Outcome and Assessment 
Information Set known as OASIS. As you may recall, we halted 
implementation of the use of that instrument and conducted a 
thorough review of it. We made some important modifications to 
ensure that only essential information would be collected and 
that it would be properly protected, and we made sure that 
beneficiaries would be fully informed on why it is being 
collected and how it would be used.
    Because protecting beneficiary information is essential to 
our mission, we are taking several new steps to strengthen our 
efforts.
    First, we have established a new Beneficiary 
Confidentiality Board to provide executive leadership in all 
aspects of privacy protection.
    Second, we are reviewing all of our beneficiary notices to 
ensure that they fully disclose in plain language how data 
collected from individual beneficiaries is to be used.
    Third, we are designing new systems that will easily track 
when and where the data are shared.
    Fourth, we are increasing efforts to ensure that 
researchers and Medicare contractors have properly protected 
patient data.
    And, finally, we have introduced a system security 
initiative across HCFA to aggressively address vulnerabilities 
that have been found through the Inspector General's 
investigations and our own reviews.
    The new steps we are taking can only strengthen our solid 
track record of protecting confidential beneficiary 
information. Our new Beneficiary Confidentiality Board in 
particular will provide an overarching executive level focus on 
our obligation to remain vigilant in this area. We encourage 
continuing oversight by the Inspector General's Office and by 
our colleagues at the General Accounting Office and others to 
help us address any new privacy concerns promptly, and we 
remain committed to swiftly addressing any related issue or 
breaches that might occur.
    Mr. Chairman, thank you for this opportunity to discuss 
these issues; and I look forward to answering any questions 
that you or other Members of the Subcommittee may have.
    [The prepared statement follows:]

Statement of Mike Hash, Deputy Director, Health Care Financing 
Administration, U.S. Department of Health and Human Services

    Chairman Thomas, Congressman Stark, distinguished 
Subcommittee members, thank you for inviting us to testify 
about our efforts to improve protections for personally 
identifiable beneficiary information. No Administration has 
been more committed to protecting medical privacy. President 
Clinton and Vice President Gore have both spoken about the 
paramount importance of medical records privacy.
    We provide much greater protection for sensitive 
information than does the private sector. We strive to 
continually enhance our protections. And we greatly appreciate 
the evaluations and advice of the HHS Inspector General (IG) 
and the General Accounting Office (GAO) in this regard.
    As the GAO recently confirmed, personally identifiable 
information on Medicare beneficiaries is essential to the 
operation of the Medicare program. We need it to:
     make accurate payments in fee-for-service and to 
risk adjust Medicare+Choice payments so they take into account 
individual beneficiaries health status and curtail the 
disincentive for plans to enroll sicker beneficiaries;
     conduct medical reviews and conduct other 
activities essential to fighting fraud, waste and abuse;
     coordinate benefits and ensure that we do not pay 
claims for which other insurers are responsible;
     project spending trends and accurately determine 
premium amounts;
     develop and refine policy to ensure proper 
coverage and payment;
     assess and improve quality and access to care, for 
example by monitoring and then working to increase the number 
of beneficiaries receiving an influenza vaccination; and,
     be responsive to individual beneficiary inquiries 
about coverage and payment.
    Medicare data are also an invaluable asset in efforts to 
improve care and coverage for beneficiaries by our research 
colleagues at the National Institutes for Health, the Agency 
for Health Care Policy and Research, and other scientific 
investigators and policy analysts.
    It is equally essential that we protect the sensitive 
beneficiary information with which we are entrusted, and that 
we clearly inform beneficiaries of how information about them 
is used in accordance with the Privacy Act. Whenever concerns 
are raised about privacy, we take immediate action to address 
them.
    For example, when Vice President Gore and members of 
Congress identified potential problems with our home health 
patient Outcome and Assessment Information Set (OASIS) earlier 
this year, we halted implementation, conducted a thorough 
review, and made important modifications to ensure that only 
essential information would be collected, that it would be 
properly protected, that disclosures would be limited to the 
minimum necessary to carry out HCFA's mission, and that 
beneficiaries would be fully informed on why it is being 
collected and how it will be used.
    Because protecting beneficiary information is essential to 
our mission, we are taking several new steps to strengthen our 
efforts.
     We have established a new Beneficiary 
Confidentiality Board to provide executive leadership in all 
aspects of privacy protection.
     We are reviewing all beneficiary notices to ensure 
that they fully disclose in plain language how data are used.
     We are designing new systems that will easily 
track when and where data are shared.
     We are increasing efforts to ensure that 
researchers and Medicare contractors have properly protected 
data.
     And we have introduced a systems security 
initiative to aggressively address vulnerabilities found 
through the Inspector General's and our own reviews.

                         Confidentiality Board

    We have established a new Beneficiary Confidentiality Board 
to coordinate and consolidate privacy policies and ensure that 
we do not collect or disseminate more information than is 
absolutely necessary. The Board is led by the Director of the 
Center for Beneficiary Services and includes senior executives 
from all Agency components that have a direct stake in privacy 
and confidentiality, including the Center for Medicaid and 
State Organizations, the Center for Health Plans and Providers, 
the Office of Clinical Standards and Quality, the Office of 
Strategic Planning, the Program Integrity Group, the Office of 
Information Services, the Office of the Actuary, and Regional 
Office representatives. Core responsibilities include:
     establishing strategic goals, overarching 
policies, and objectives for protecting data;
     establishing, coordinating, and issuing all policy 
decisions on privacy and confidentiality;
     assuring implementation and enforcement of guiding 
principles for Agency-wide strategic goals and objectives;
     providing executive oversight of compliance with 
all privacy and confidentiality statutory and regulatory 
requirements, and assuring that beneficiary protections are 
enforced;
     reviewing all current operations with regard to 
systems of records and beneficiary protections to assure that 
strategic goals and objectives and guiding principles are in 
place and effective at all levels, including contractors to 
sub-contractors;
     evaluating legislative proposals involving the 
collection, use, and disclosure of personal information by any 
entity, public or private, for consistency with legal standards 
and our guiding principles;
     assuring that use of new information technologies 
sustains protections of information that directly identifies an 
individual or from which an individual's identity can be 
deduced;
     assuring that personal information contained in 
our systems of records are handled in full compliance with fair 
information practices as set out in the Privacy Act; and,
     serving as a senior-level forum for the discussion 
and resolution of key strategic issues affecting HCFA's privacy 
and confidentiality policies and implementation strategies.
    This will help ensure a central focal point for privacy 
issues and accountability across all aspects of Agency 
business.

                          Beneficiary Notices

    Beneficiaries need to know and understand why personally 
identifiable information is collected and how it is used. This 
is both a legal requirement and an ethical obligation. There 
are many different notices to beneficiaries about why 
information is collected and how it is used.
    Some, including the newest notice for OASIS, has been 
carefully crafted to ensure that it is clear and comprehensive. 
However, we agree with the GAO that some of the earlier 
beneficiary notices do not meet the Privacy Act requirements to 
inform beneficiaries about:
     the authority under which we are collecting 
information;
     the principal purpose for which it will be used;
     the routine uses for which it may be used; and
     whether the individual is required to supply the 
information and what the consequences are if the individual 
does not supply the information
    Earlier this year, we began a systematic review of all 
beneficiary privacy notices, rewriting them as necessary, to 
ensure that they provide full disclosure in plain language.

                         Tracking Data Releases

    The Privacy Act stipulates that beneficiaries are entitled 
to know, upon request, any and all instances in which 
identifiable information about them has been shared. We have 
never had such a request, but have realized that complying with 
one would be extraordinarily labor intensive with our current 
information systems. It also is currently difficult to provide 
data on our Privacy Act compliance to the Office of Management 
and Budget (OMB) for its oversight responsibilities.
    We are now working to fully define the requirements for 
information systems that will ensure full compliance with OMB 
and Privacy Act requirements. Implementing these systems is a 
top information technology priority once we have cleared the 
Year 2000 hurdle. In the interim, we have increased our 
surveillance of these requests and are improving our existing 
tracking systems to align them more fully with OMB 
requirements.

                           Data Use Oversight

    The data files we maintain are an invaluable asset to 
medical and health policy researchers in their efforts to 
improve beneficiary care and coverage. For example:
     we are able to share the extensive information we 
have on beneficiaries with end-stage renal disease directly 
with National Institute of Health scientists that they can use 
to study and improve treatment;
     the Agency for Health Care Policy and Research 
Patient Outcome Research Teams rely upon this beneficiary 
information to develop new insights on the treatment of the 
most frequent medical conditions affecting the elderly; and,
     the data files are also critical to investigators 
under contract to us for evaluation and development of payment, 
coverage and treatment policies.
    The Privacy Act does allow for sharing data with 
researchers as long as their work promotes the Agency's 
mission, is compatible with the purpose for which the 
information was collected, and proper privacy protections are 
in place.
    Many research needs are met by ``public use files'' that we 
readily make available, and from which any data that could 
identify individual beneficiaries is removed, including 
information that could be used to deduce an individual 
beneficiary's identity. Additional research needs are met by 
encrypted data files in which data elements that explicitly 
identify individuals (such as names, claim numbers, physician 
numbers, service dates, and date of birth) are either removed, 
encrypted, or stated as a range (of dates, for example). Some 
data elements remain in these files that could possibly be 
linked with other information to a deduce specific individual's 
identity. Finally, there are some valid research endeavors for 
which individually identifiable information is essential.
    For all research requests, we conduct a careful review to 
ensure that any disclosure of information is allowed under the 
Privacy Act. For research projects outside of HHS, or not 
funded by HHS, we conduct another careful level of review to 
ensure that the request is for the bare minimum of information 
that is essential to a given research project, and that the 
project has scientific merit and sound research methodology. We 
are also diligent in making clear to researchers how data that 
could be used to identify individual beneficiaries must be 
protected.
    When proper criteria are met, we develop data use 
agreements that contain explicit protections covering the 
release and use of data. These agreements also specify that the 
user must contact us within 30 days of completion of the 
approved project for instructions on whether to return all data 
files to us or to destroy such data and execute an attestation 
to certify the destruction. We have taken swift action to 
address the rare situations that we are aware of in which 
researchers have not fully complied with Privacy Act 
requirements and our data use agreements to clarify their 
responsibilities to protect beneficiary confidentiality.
    We are now increasing efforts to verify that researchers 
have in fact complied with their data use agreements to protect 
data and dispose of it properly once projects are completed. We 
expect to reduce our backlog in half by the end of this fiscal 
year. We also look forward to working with the GAO and other 
experts to develop more systematic ways to proactively assure 
compliance with data use agreements so we can prevent problems 
before potential security breaches occur.

                            Systems Security

    We are also working to improve security in electronic data 
processing. We have introduced a systems security initiative to 
aggressively address vulnerabilities found through the 
Inspector General's and our own reviews. Our goal is to be able 
to maintain the tightest possible security as the business 
environment in which we operate changes, and to integrate 
security into every aspect of our information technology 
management activities.
    One of the first things our new Chief Information Officer, 
Gary Christoph, did when he came on board was to hire outside 
experts to search out security weaknesses in our systems so we 
could proactively address them. We also have acquired new 
technology, beefed up staff training, conducted our own risk 
assessments and internal audits, and enhanced procedures for 
guarding access to sensitive systems. However, there are no 
silver bullets, and vigilance here must be constant given the 
ever changing nature of technology and evolution of new risks.
    As we clear the Year 2000 hurdle and its demand on our 
systems, we will be able to increase our security even more 
through our comprehensive security initiative. We are now in 
the process of developing the protocols to systematically 
monitor the systems security of our claims processing 
contractors. The new evaluation process will specifically 
assess administrative, technical, and physical protection 
measures to protect beneficiary privacy.
    We also have recently restructured our contractor oversight 
operations and initiated a new contractor evaluation process 
which will incorporate the security review findings and improve 
our overall management of the contractors. In addition, the 
Administration has proposed comprehensive contracting reform 
legislation that will bring Medicare contracting authority in 
line with standard Federal government contracting procedures 
and make it easier for us to terminate contractors if we find 
they are not providing adequate privacy protections.
    We will continue to use the annual Inspector General CFO 
audits as an opportunity to identify threats to the integrity 
of our data systems and to ensure that we address 
vulnerabilities in a timely manner. We also are carrying out 
activities required by the Presidential Decision Directive 63, 
as well as security requirements in the Health Insurance 
Portability and Accountability Act, which will further 
strengthen our security protections.

                               Conclusion

    The new steps we are taking can only strengthen our solid 
track record of protecting confidential beneficiary 
information. Our new Beneficiary Confidentiality Board, in 
particular, will provide an overarching executive-level focus 
on our obligation to remain ever vigilant. We encourage the IG, 
GAO, and others to also be vigilant in raising and helping us 
to address any concerns about protections for sensitive 
information. And we remain committed to swiftly and effectively 
addressing any related issues or breaches that might arise. I 
thank you again for holding this hearing, and I am happy to 
answer any questions you might have.
      

                                


    Chairman Thomas. Thank you very much.
    Doctor.
    Dr. Hamburg. Mr. Chairman.
    Chairman Thomas. Let me caution you that these microphones 
are very unidirectional, so you need to speak directly into it. 
Thank you.

    STATEMENT OF HON. MARGARET A. HAMBURG, M.D., ASSISTANT 
   SECRETARY FOR PLANNING AND EVALUATION, U.S. DEPARTMENT OF 
                   HEALTH AND HUMAN SERVICES

    Dr. Hamburg. Thank you for this opportunity to appear 
before you to discuss the Secretary's recommendations for 
privacy legislation.
    I would also like to emphasize the administration's support 
for passage of bipartisan legislation providing comprehensive 
privacy protection for people's health care information. 
Stories abound that raise concern that our sensitive medical 
information can enter the wrong hands and be misused. For 
example, at one HMO, every clinical employee could tap into 
patients' computer records and see notes from psychotherapy 
sessions. The director of a work site health clinic testified 
before the National Committee on Vital and Health Statistics 
that he was frequently pressed to disclose his patients' health 
information to their supervisors.
    These kinds of problems underlie the legitimate fear that 
Americans have about the security of their health care 
information. Almost 75 percent of our citizens say that they 
are at least somewhat concerned that computerized medical 
records will have a negative effect on their privacy. If we 
don't act now, public distrust could deepen and ultimately stop 
citizens from disclosing important information to their doctors 
or from seeking needed medical testing or treatment, especially 
for sensitive concerns like mental illness or genetic 
disorders.
    The problem is not theoretical. Numerous analyses over 
several years by government, industry and professional groups 
have identified serious gaps in protections for health 
information and have recommended Federal legislation to close 
them.
    In September 1997, Secretary Shalala presented her 
recommendations for protecting the ``confidentiality of 
individually identifiable health information.'' In that report 
the Secretary concluded that Federal legislation establishing a 
basic, national floor of confidentiality is necessary to 
provide rights for patients and define responsibilities of 
recordkeepers. She recommended that Federal legislation focus 
on health care payers and providers and the information they 
create and receive in providing and paying for health care.
    The Secretary recommended legislation to implement five key 
principles:
    First, information about a consumer that is obtained for 
delivering and paying for health care should, with very few 
exceptions, be used and disclosed for health purposes and 
health purposes only.
    Second, those who legally receive health information should 
be required to take reasonable steps to safeguard it. They 
should ensure that the information is available only to those 
who should have access to it and only for purposes authorized 
by the patient or authorized by law.
    Third, consumers should have access to their health records 
and should know how their health information is being used and 
who has looked at it. Consumers should be given a clear 
explanation of these rights.
    Fourth, people who violate the confidentiality of our 
personal health information should be accountable. Those who 
use this information improperly should be punished.
    These first four principles must, however, be balanced 
against the fifth principle, public responsibility. Just like 
our free speech rights, privacy rights cannot be absolute. We 
must balance our protection of privacy with our public 
responsibilities to support other critical national goals, 
public health, research, quality care and our fight against 
health care fraud and abuse.
    Our Department is keenly aware of the need to use personal 
health information for each of these national priorities. For 
example, our researchers have used health records to help us 
fight childhood leukemia and to learn that beta blocker therapy 
results in fewer rehospitalizations and improved survival among 
elderly survivors of acute myocardial infarction or heart 
attack. Public health agencies use health records to warn of 
outbreaks of emerging infectious disease threats. And our 
efforts to improve quality in our health care system depend 
upon our ability to review health information.
    As you know, HIPAA requires that if Congress fails to enact 
comprehensive privacy legislation by August of this year, HHS 
must implement final regulations by February of the year 2000. 
We have assembled a team from all of the relevant Federal 
agencies to work on these regulations, and it is our intent to 
have an NPRM, Notice of Proposed Rule Making ready for 
publication by fall. While we are moving ahead to have the 
regulation ready, the President and Secretary Shalala have made 
it clear that their first priority is to see Congress enact a 
comprehensive bill. Our staff have been working closely with 
many of your staff, and staff in the Senate, to assist in 
achieving this goal. We are eager to see legislation and want 
to work with you to make this happen.
    Mr. Chairman, the principles embodied in our 
recommendations should guide a comprehensive law that will 
create substantive Federal standards and provide our citizens 
with real peace of mind. The principles represent a practical, 
comprehensive and balanced strategy to protect health care 
information that is collected, shared and used in an 
increasingly complex world.
    Thank you again for giving me this opportunity to testify. 
I look forward to answering any questions that you may have.
    [The prepared statement follows:]

Statement of the Hon. Margaret A. Hamburg, M.D., Assistant Secretary 
for Planning and Evaluation, U.S. Department of Health and Human 
Services

    Mr. Chairman, Congressman Stark, distinguished members of 
the Committee: I appreciate the opportunity to appear before 
you to discuss the Administration's recommendations for federal 
legislation to protect the privacy of health information.
    As you may remember, Secretary Shalala first presented her 
recommendations, required by the Congress under Section 264 of 
the Health Insurance Portability and Accountability Act 
(HIPAA), in September 1997.\1\ I think it is fair to say that 
the recommendations were well received and have been used to 
assist others in crafting their own legislative proposals.
---------------------------------------------------------------------------
    \1\ ``Confidentiality of Individually-Identifiable Health 
Information, Recommendations of the Secretary of Health and Human 
Services, pursuant to section 264 of the Health Insurance Portability 
and Accountability Act of 1996'' can be found on the HHS web site at: 
.
---------------------------------------------------------------------------
    HIPAA also requires that if Congress fails to enact 
comprehensive privacy legislation by August of this year, HHS 
must implement final regulations by February 2000. We have 
assembled an interagency team to work on the regulations 
including representatives from the Departments of Labor, 
Defense, Commerce, the Social Security Administration, the 
Veterans Administration and the Office of Management and 
Budget. It is our intent to have the regulations prepared in 
time to meet the statutory deadline.
    While we are moving ahead to have the regulation ready, the 
President and Secretary Shalala have made it very clear that 
their first priority is to see Congress enact a comprehensive 
health information privacy bill. Our staff have been working 
closely with many of your staff, and staff in the Senate, to 
assist you in achieving that goal. Again, let me reiterate, we 
want to see legislation, and we want to work with you to make 
that happen.
    The issue of health information privacy is quite complex--
in order to resolve it legislatively, some difficult choices 
will have to be made. We believe that our recommendations 
strike the appropriate balance between the privacy needs of our 
citizens and the critical needs of our health care system and 
our nation. This is an issue that touches every single 
American, and to reach resolution we will need a bipartisan 
effort.

                        The Need for Legislation

    It has been 25 years since former HEW Secretary Elliot 
Richardson set forth principles that led to the landmark 
Federal Privacy Act. Those 25 years have brought vast changes 
in our health care system.
    Revolutions in our health care delivery system mean that we 
must place our trust in entire networks of insurers and health 
care professionals--both public and private. The computer and 
telecommunications revolutions mean that information no longer 
exists in one place--it can travel in real time to many 
hospitals, physicians, insurers, and across state lines.
    In addition, revolutions in biology mean that a whole new 
world of genetic tests have the potential to either help 
prevent disease or reveal the most personal health information 
of a family. Without safeguards to assure citizens that getting 
tested will not endanger their families' privacy or health 
insurance, we could endanger one of the most promising areas of 
research our nation has ever seen.
    Health care privacy can be safeguarded. It must be done 
with national legislation, national education, and an on-going 
national conversation.
    Currently, when we give a physician or health insurance 
company precious health information, the level of protection 
will vary widely from state to state. We have no comprehensive 
federal health information privacy standards. Because the 
practice of health care is increasingly becoming interstate 
through mergers, complex contractual relationships and enhanced 
telecommunications, we need strong federal standards. 
Establishing a baseline that provides uniformity will help 
reassure the public that they can trust their providers and 
insurers to keep their health information secure.
    In developing our recommendations for federal legislation, 
we learned a great deal through consultations with a variety of 
outside groups and from six days of public hearings conducted 
by the National Committee on Vital and Health Statistics, our 
statutory federal advisory committee for health data and 
privacy policy. The hearings involved over 40 witnesses from 
across the health community, including health care 
professionals, plans, insurance companies, the privacy 
community, and the public health and research communities.
    We believe our recommendations provide a balanced framework 
for legislation that can protect the privacy of medical 
records, guarantee consumers the right to inspect their 
records, and punish unauthorized disclosures of personal health 
data by hospitals, insurers, health plans, drug companies or 
others.

                             The Principles

    The Secretary's recommendations for legislation are 
grounded in five key principles: Boundaries, Security, Consumer 
Control, Accountability, and Public Responsibility.

Boundaries

    The first is the principle of Boundaries: With very few 
exceptions, personally identifiable health care information 
should be disclosed for health purposes and health purposes 
only. It should be easy to use it for those purposes, and very 
difficult to use it for other purposes.
    For example, employers should be able to use the 
information furnished by their employers to provide on-site 
care or to administer a health plan in the best interests of 
those employees. But those same employers should not be able to 
use information obtained for health care purposes to 
discriminate against individuals when making employment 
decisions--such as hiring, firing, placements and promotions. 
To enforce these boundaries, we recommend strong penalties for 
the inappropriate use or disclosure of medical records.
    We recommend that the legislation apply specifically to 
providers and payers, and to anyone who receives health 
information from a provider or payer, either with the 
authorization of the patient or as authorized explicitly by 
legislation.
    However, our recommendations acknowledge that these 
providers and payers do not act alone. In order for a provider 
or payer to operate efficiently, it may need to enlist a 
service organization to perform an administrative or 
operational function. For example, a hospital may hire an 
organization to encode and process bills, or a managed care 
organization may contract with a pharmaceutical benefit 
management company to provide information to pharmacists about 
what medications are covered and appropriate for their 
customers.
    The numbers and types of service organizations are 
increasing every day. While most do not have direct 
relationships with the patients, they do have access to their 
personal health care information. Therefore, we recommend that 
they should be bound by the same standards. For example, a 
health plan's contractor should be allowed to have access to 
patient lists in order to do mailings to remind patients to 
schedule appointments for preventive care. But it should not be 
able to sell the patient lists to a pharmaceutical company for 
a direct mailing announcing a new product.
    Because we recommend a minimum floor of protection for all 
records, our report does not distinguish among types of health 
care information based on sensitivity. For example, our 
recommendations do not include specific provisions related to 
genetic information in health records. Genetic information 
should be covered by the same rules. However, we recognize that 
the public is especially concerned about the unique properties 
of genetic information--its predictive nature, and its link to 
personal identity and kinship and its ability to reveal our 
family secrets.
    Therefore while you are developing privacy legislation, you 
should also consider how to limit the collection and disclosure 
of genetic information and prohibit health insurers and 
employers from discriminating against individuals on the basis 
of their genetic information. Because of the speedy development 
of genetic technologies and its potential for abuse, we 
recommend that legislation concerning discrimination in 
underwriting by insurers or other improper use of such 
information be considered expeditiously. We look forward to 
continuing our work with you on this issue.

Security

    The second principle is Security. Americans need to feel 
secure that when they give out personal health care 
information, they are leaving it in good hands. Information 
should not be used or given out unless either the patient 
authorizes it or there is a clear legal basis for doing so.
    There are many different ways that private information like 
your blood tests could become public. People who are allowed to 
see it--such as lab technicians--can misuse it either 
carelessly or intentionally. And people who should not be 
seeing it--such as marketers--can find a way to access it, 
either because the organization holding the information doesn't 
have proper safeguards or the marketers can find an easy way 
around the safeguards. To give Americans the security they 
expect and deserve, Congress should develop legislation that 
requires those who legally receive health information to take 
reasonable steps to safeguard it and face consequences for 
failure to do so.
    What do we mean by reasonable steps? The organizations 
should adopt protective administrative and management 
techniques, educate their employees, and impose disciplinary 
sanctions against employees who use information improperly.
    We are addressing some of these steps in our Security 
Standards regulation, implementing the Administrative 
Simplification mandate under HIPAA. Our NPRM laid out a range 
of approaches for safeguarding the information to which the 
HIPAA mandate applies. However, that regulation will only cover 
the security of specific electronically maintained records. We 
need comprehensive privacy legislation to cover all health 
information that needs this kind of protection.
    We don't believe a law can specify the details of these 
protections because each organization must keep pace with the 
new threats to our privacy and the technology that can either 
abate or exacerbate them. But a federal law can require 
everyone who holds health information to have these types of 
safeguards in place and specify the appropriate sanctions if 
the information is improperly disclosed.

Consumer Control

    The third principle is Consumer Control. The principles of 
fair information practice (formulated in 1973 by a committee 
appointed by Secretary Richardson) included as a basic right: 
``There must be a way for an individual to find out what 
information about him is in a record and how it is used.''
    With very narrow exceptions, consumers should have the 
right to find out what is contained in their records, find out 
who has looked at them, and to inspect, copy and, if necessary, 
correct them. Consumers should be given a clear explanation of 
these rights and they should understand how organizations will 
use their information. Let me give you an example of why this 
is important. According to the Privacy Rights Clearinghouse, a 
California physician in private practice was having trouble 
getting health, disability, and life insurance. She ordered a 
copy of her report from the Medical Information Bureau--an 
information service used by many insurance companies. It 
included information showing that she had a heart condition and 
Alzheimer's disease. There was only one problem. None of it was 
true. Unfortunately, under the current system these types of 
errors occur all too often. Consumers often do not have access 
to their own health records and even those who do are not 
always able to correct some of the most egregious errors.
    With that in mind, our recommendations set forth a set of 
practices and procedures that would require that insurers and 
health care providers provide consumers with a written 
explanation detailing who has access to their information and 
how that information will be used, how they can restrict or 
limit access to it, and what their rights are if their 
information is disclosed improperly.
    We also recommend procedures for patients to inspect and 
copy their information, and set out the very limited 
circumstances under which patient inspection should be properly 
denied.
    Finally, we recommend a process for patients to seek 
corrections or amendments to their health information to 
resolve situations in which innocent coding errors cause 
patients to be charged for procedures they never received, or 
to be on record as having conditions or medical histories that 
are inaccurate.

Accountability

    The fourth principle is Accountability. If you are using 
information improperly, you should be punished. This flows 
directly from the second principle of security--the requirement 
to safeguard information must be followed by real and severe 
penalties for violations. Congress should send the message that 
protecting the confidentiality of health information is vitally 
important, and that people who violate that confidence will be 
held accountable.
    We recommend that offenders should be subject to criminal 
felony penalties if they knowingly obtain or use health care 
information in violation of the standards outlined in our 
report. The penalties mandated in privacy legislation should be 
higher when violations are for monetary gain, similar to those 
Congress mandated in the administrative simplification 
provisions of HIPAA. In addition, when there is a demonstrated 
pattern or practice of unauthorized disclosure, those 
committing it should be subject to civil monetary penalties.
    In addition to punishing the perpetrators, we must give 
redress to the victims. We believe that any individual whose 
privacy rights have been violated--whether those rights were 
violated negligently or knowingly--should be permitted to bring 
a legal action for actual damages and equitable relief. When 
the violation is done knowingly, attorney's fees and punitive 
damages should be available.
    These first four principles--Boundaries, Security, Consumer 
Control and Accountability--must be carefully weighed against 
the fifth principle, Public Responsibility.

Public Responsibility

    Just like our free speech rights, privacy rights can never 
be absolute. We have other critical--yet often competing--
interests and goals. We must balance our protections of privacy 
with our public responsibility to support national priorities--
public health and safety, research, quality care, and our fight 
against health care fraud and abuse and other unlawful 
activities.
    Our Department is acutely aware of the need to use personal 
health information for each of these national priorities. For 
example, HHS auditors use health records to uncover kickbacks, 
overpayments and other fraudulent activity. Researchers have 
used health records to help us fight childhood leukemia and 
uncover the link between DES and reproductive cancers. Public 
health agencies use health records to warn us of outbreaks of 
emerging infectious diseases. In addition, our efforts to 
improve quality in our health care system depend on our ability 
to review health information to determine how well health 
institutions and health professionals are caring for patients.
    For public health and safety, research, quality 
evaluations, fraud investigations, and legitimate law 
enforcement purposes, it's not always possible, or desirable, 
to ask for each patient's permission for access to the 
necessary health information. And, in many cases, doing so 
could create major obstacles in our efforts. While we must be 
able to use identifiable information when necessary for these 
purposes, we should use information that is not identifiable as 
much as possible.
    To demonstrate how access must be balanced against public 
responsibility, let me outline a few of the areas in which we 
recommend that disclosure of health information should be 
permitted without patient authorization.

Public Health

    Under certain circumstances, we recommend permitting health 
care professionals, payers, and those receiving information 
from them to disclose health information without patient 
authorization to public health authorities for disease 
reporting, adverse event reporting, public health 
investigation, or intervention. This is currently how the 
public health system operates under existing State and federal 
laws.
    For example, consider the outbreak of E. coli in hamburger 
that resulted in the largest recall of meat products in 
history. Public health authorities, working with other 
officials, used personally identifiable information to identify 
quickly the source of the outbreak and thereby prevent 
thousands of other Americans from being exposed to a 
contaminated product.

Research

    An important mission for the Department of Health and Human 
Services is to fund and conduct health research. We understand 
that research is vitally important to our health care and to 
progress in medical care. Legislation should not impede this 
activity.
    Today the Federal Policy for Protection of Human Subjects 
and FDA's Human Subject Regulations protect participants in 
most research studies that are funded or regulated by the 
federal government. These rules have worked well to protect the 
privacy of individuals while not impeding the conduct of 
research. We recommend that similar privacy protections should 
be extended to all research in which individually identifiable 
health information is disclosed, and not just federally funded 
or regulated research.
    All researchers must determine whether their research 
requires the retention of personal identifiers. There are 
research studies that can only be conducted if identifiers are 
retained; for example, outcomes studies for heart attack 
victims or the recent study which identified a correlation 
between the incidence of Sudden Infant Death Syndrome and the 
infant's sleep position. If, and when, personal identifiers are 
no longer needed, the researcher should be required to remove 
them and provide assurances that the information will be 
protected from improper use and unauthorized additional 
disclosures.
    Under the Common Rule, if personal identifiers are 
necessary, an IRB must review the research proposal and 
determine whether informed consent is required or may be 
waived. In order for informed consent to be waived, an IRB must 
determine that the research involves no more than minimal risk 
to participants, that the absence of informed consent will not 
adversely affect the rights or welfare of participants, and 
that conducting the research would be impracticable if consent 
were required. This or a similar mechanism of review should be 
applicable for all research using individually identifiable 
health information without informed consent regardless of 
funding source.
    This recommendation is consistent with the Federal Policy 
for the Protection of Human Subjects as well as the Privacy 
Act--policies that have protected federal research participants 
and research records for a quarter of a century and that have 
saved lives and fostered countless improvements in medical 
treatment.

                               Preemption

    Our recommendations call for national standards. But, we do 
not recommend outright or overall federal preemption of 
existing State laws that are more protective of health 
information.
    Some protections that we recommend may be stronger than 
some existing State laws. Therefore, we recommend that Federal 
legislation replace State law only when the State law is less 
protective than the Federal law. Thus, the confidentiality 
protections provided would be cumulative and the Federal 
legislation would provide every American with a basic set of 
rights with respect to health information.

                               Conclusion

    Mr. Chairman, the five principles embodied in our 
recommendations--Boundaries, Security, Consumer Control, 
Accountability, and Public Responsibility--should guide a 
comprehensive law that will create substantive federal 
standards and provide our citizens with real peace of mind.
    The principles represent a practical, comprehensive and 
balanced strategy to protect health care information that is 
collected, shared, and used in an increasingly complex world.
    In addition to creating new federal standards, we must 
ensure that every single person who comes in contact with 
health care information understands why it is important to keep 
the information safe, how it can be kept safe, and what will be 
the consequences for failing to keep it safe. Most of all, we 
must help consumers understand not just their privacy rights, 
but also their responsibilities to ask questions and demand 
answers--to become active participants in their health care.
    We cannot expect to solve these problems all at once. With 
changes in medical practices and technology occurring every 
day, we need to be flexible, to change course if our strategy 
isn't working and meet new challenges as they arise.
    Mr. Chairman, we in the Department and the Administration 
are eager to work with you to enact strong national medical 
privacy legislation.
    Thank you again, for giving me this opportunity to testify. 
My colleagues and I look forward to answering any questions 
that you may have.
      

                                


    Chairman Thomas. Thank you very much, Doctor.
    Ms. Aronovitz.

 STATEMENT OF LESLIE G. ARONOVITZ, ASSOCIATE DIRECTOR, HEALTH 
  FINANCING AND PUBLIC HEALTH ISSUES, HEALTH, EDUCATION, AND 
    HUMAN SERVICES DIVISION, U.S. GENERAL ACCOUNTING OFFICE

    Ms. Aronovitz. Mr. Chairman and Members of the 
Subcommittee, we are pleased to be here today as you discuss 
the various issues associated with protecting the privacy of 
personally identifiable information.
    For the last several months, we have been studying the 
manner in which HCFA protects personally identifiable health 
information it collects on Medicare beneficiaries, and we are 
releasing our report today at this hearing.
    Mr. Hash has mentioned some of the initiatives HCFA is 
undertaking. I would like to step back a bit and provide some 
information on our study.
    To carry out its legislative responsibilities, HCFA needs 
to collect and maintain personally identifiable information on 
its 39 million Medicare beneficiaries. For example, it needs 
personally identifiable information about beneficiaries' 
demographics, enrollment and utilization of health care 
services to pay claims, determine the initial and ongoing 
eligibility of beneficiaries and review the care beneficiaries 
receive in terms of access, appropriateness and quality. HCFA 
also uses this information in essential research activities 
that can lead to improvements in rate setting, services 
provided, and quality of care.
    We found that HCFA's policies and practices regarding 
disclosing personally identifiable health information are 
generally consistent with the provisions of the Privacy Act. 
When beneficiaries first sign up for Medicare and then when 
they receive care or participate in a demonstration project, 
for example, they receive notices that to different degrees 
include a discussion about how their information might be used. 
HCFA may disclose information without an individual's consent 
under certain circumstances such as for research purposes or 
authorized civil and criminal law enforcement activities.
    In determining the validity of specific data requests, HCFA 
attempts to balance the needs of the requesters with the need 
to protect a beneficiary's confidentiality. Therefore, the 
agency would screen requests for sensitive information from 
non-HCFA researchers more thoroughly than it would from HCFA 
staff who need the data to conduct the agency's business.
    We did identify, however, some areas where HCFA needs to do 
a better job to assure that personally identifiable information 
is not intentionally or inadvertently shared with those not 
authorized to have it. Specifically, the HHS OIG continues to 
find vulnerabilities in HCFA and its contractors' management of 
electronic information that could lead to individuals reading, 
disclosing or simply tampering with confidential information. 
In addition, because HCFA does not routinely monitor 
contractors and others who obtain such sensitive information, 
it cannot assure that those organizations are maintaining the 
information in a safe manner.
    This being said, we found that HCFA has actually received 
very few complaints about Privacy Act violations to date. 
Nevertheless, HCFA officials told us that they are in the 
process of addressing the OIG's findings, to the extent that 
resources permit, given the need to focus on Y2K computer 
requirements in the short term, and that they are stepping up 
their oversight efforts at their Medicare contractors to assure 
that these organizations have established and are implementing 
a sound security plan.
    In regard to providing beneficiaries an accounting of the 
disclosures it makes, which is a capability called for by the 
Privacy Act, we found that HCFA would be hard pressed to do so 
without a lot of effort. We also believe that HCFA could do a 
better job in informing beneficiaries of the purposes to which 
their information may be disclosed. To address these issues, as 
Mr. Hash has mentioned, HCFA has established a new executive 
Beneficiary Confidentiality Board and initiated a number of 
actions in response to January 1999, OMB guidance to all 
agencies to review information practices for compliance with 
the Privacy Act.
    The last area we looked at was the potential effect on HCFA 
of State laws governing privacy. We found that some States 
prohibit the disclosure of sensitive health-related information 
except for very specific purposes. HCFA's practice has been to 
respect State laws to the extent possible when these laws are 
more restrictive than the Federal law. HCFA officials told us 
that these State laws have not prevented the agency from 
receiving information necessary for paying claims but may 
change its policy as the agency develops and implements payment 
systems that depend on diagnostic information.
    If HCFA had to comply with the myriad of State laws 
governing the receipt and use of health information, its 
ability to set rates, monitor quality and conduct and support 
health-related research could be hampered.
    Currently, unlike the private sector, HCFA can invoke the 
Supremacy Clause of the U.S. Constitution to get information it 
needs to carry out its mission without regard to State 
requirements, although it has not done so to date.
    Mr. Chairman, this concludes my prepared statement, and I 
also would be very happy to answer any questions you or the 
other Members of the Subcommittee might have.
    [The prepared statement follows:]

Statement of Leslie G. Aronovitz, Associate Director, Health Financing 
and Public Health Issues, Health, Education, and Human Services 
Division, U.S. General Accounting Office

    Mr. Chairman and Members of the Subcommittee:
    We are pleased to be here today to discuss how the Health 
Care Financing Administration (HCFA) protects personally 
identifiable health information on Medicare beneficiaries. 
HCFA, an agency of the Department of Health and Human Services 
(HHS), possesses the nation's largest collection of health care 
data, with information on 39 million Medicare beneficiaries. To 
operate the Medicare program, HCFA must collect personally 
identifiable information on Medicare beneficiaries, such as 
their names, addresses, and health insurance claims numbers, as 
well their diagnostic and treatment information. HCFA uses this 
information for a variety of purposes, including paying 
approximately 900 million Medicare claims annually and 
conducting health-related research to improve quality of care. 
When a person signs up for Medicare, he or she might not 
realize the variety of uses HCFA makes of his or her personally 
identifiable information or that this personal information may 
legitimately be disclosed by HCFA outside the agency.
    The personally identifiable information that HCFA collects 
on Medicare beneficiaries is protected by the Privacy Act of 
1974. This law, which governs the collection, maintenance, and 
disclosure of federal agency records, balances the government's 
need to maintain information about individuals with their right 
to be protected against unwarranted invasions of their privacy. 
State laws also protect the privacy of certain personally 
identifiable medical information, and vary significantly in 
their scope and specific provisions. To create a more uniform 
set of protections, the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) requires that, unless 
Congress enacts a health privacy law establishing standards for 
the electronic exchange of health information by August 21, 
1999, HHS must promulgate such standards within the following 6 
months.
    Today, we are releasing a report you requested that focuses 
on four areas related to HCFA's use of personally identifiable 
information.\1\ They are:
---------------------------------------------------------------------------
    \1\ MEDICARE: Improvements Needed to Enhance Protection of 
Confidential Health Information (GAO/HEHS-99-140, July 20, 1999).
---------------------------------------------------------------------------
     HCFA's need for personally identifiable health 
information to manage the Medicare program;
     HCFA's policies and practices regarding disclosure 
of information on Medicare beneficiaries to other 
organizations;
     The adequacy of HCFA's safeguards for protecting 
the confidentiality of electronic information and its 
monitoring of other organizations that obtain information on 
Medicare beneficiaries; and
     The effect on HCFA of state restrictions on the 
disclosure of confidential health information.
    To develop our findings, we interviewed HCFA officials and 
reviewed documents HCFA provided on its confidentiality 
policies and procedures. We also reviewed guidance from the 
Office of Management and Budget (OMB) related to the Privacy 
Act, financial statement audits of HCFA from the HHS Office of 
Inspector General (OIG), and HCFA's plan for addressing 
problems identified in OIG audits. In addition, we examined the 
privacy protections of a number of state laws and obtained 
comments from HCFA officials about the effects of such laws on 
the management of the Medicare program.
    In summary, we found that personally identifiable 
information on Medicare beneficiaries is vital to the operation 
of the Medicare program, and that HCFA can disclose such 
information to other organizations consistent with provisions 
of the Privacy Act. HCFA has policies and procedures for 
evaluating requests for disclosure of personally identifiable 
health information, but HCFA's confidentiality practices have a 
number of weaknesses. These weaknesses include HCFA's inability 
to easily provide beneficiaries with an accounting of 
disclosures made of their personal information and failure to 
always give them clear notification of the purposes for which 
their personal information may be disclosed outside of HCFA as 
required by the Privacy Act. Although few complaints of 
violations have been reported to date, the HHS OIG also 
continues to report vulnerabilities in HCFA's safeguards for 
confidentiality of electronic information. These 
vulnerabilities could lead to unauthorized individuals reading, 
disclosing, or altering confidential information. Finally, 
potential conflicts exist between HCFA and state laws regarding 
the disclosure of sensitive health information. To date, 
conflicts have been minimal and the administration of Medicare 
has not been hindered, according to HCFA officials, because all 
states permit release of information for health care treatment 
and payment. However, if the same data elements were not 
available from all states, it might compromise HCFA's ability 
to conduct research and analysis to improve Medicare policies.

                               Background

    In protecting the confidentiality of beneficiaries' health 
information, HCFA's activities, like those of other federal 
agencies, are governed by the Privacy Act of 1974. The Privacy 
Act requires that agencies limit their maintenance of 
individually identifiable records to those that are relevant 
and necessary to accomplish an agency's mission. Federal 
agencies store personally identifiable information in systems 
of records. A system of records is a group of records under the 
control of a federal agency from which information can be 
retrieved using the name of an individual or an identifier such 
as a number assigned to the individual. The Privacy Act defines 
a record as any item, collection, or grouping of information 
maintained by an agency that contains an individual's name or 
other identifying information. A record, for example, could 
include information on education, financial transactions, or 
medical history. Under the Privacy Act, federal agencies must 
inform the public when they create a new system of records or 
revise an existing system. This is done through publication in 
the Federal Register. A new system of records is announced when 
an agency wishes to collect new data. Sixty-two of HCFA's 81 
systems of records relate directly to Medicare beneficiaries 
and include personally identifiable data on a Medicare 
beneficiary's enrollment and entitlement to benefits; 
demographic information such as age, race, ethnicity, and 
language preference; and diagnostic and treatment information. 
HCFA's systems of records contain information stored in 
electronic and paper forms.
    The Privacy Act generally prohibits the disclosure of 
individuals' records without their consent. However, it allows 
the disclosure of information without an individual's consent 
under 12 circumstances called conditions of disclosure. One 
example is disclosure by a federal agency to its employees 
baseD on their need for the records to perform their duties. 
Another condition of disclosure allows an agency to establish 
routine uses under which information can be disclosed to a data 
requestor. One routine use, for example, could be disclosure to 
an individual or organization for a research project related to 
an agency objective, such as prevention of disease or 
disability in HCFA's case. To establish a routine use, the 
agency must determine that a use is compatible with the 
purposes for which the information was collected and they must 
publish the notice of the routine use in the Federal Register. 
While the Privacy Act permits agencies to disclose information, 
it does not require that they do so; they can, for example, 
determine that in a particular case, the individual's privacy 
interest outweighs the public interest in disclosure.

      HCFA Needs Personally Identifiable Information on Medicare 
                             Beneficiaries

    Personally identifiable information is essential to HCFA's 
day-to-day administration of the Medicare program. Of primary 
importance is the need of the agency and its contractors to use 
personally identifiable information on Medicare patients to pay 
approximately 900 million fee-for-service claims annually. HCFA 
also uses this information to determine the initial and ongoing 
eligibility of Medicare beneficiaries, determine risk-adjusted 
payments, make monthly payments to about 400 Medicare managed 
care plans, and track which managed care plans have been 
selected by over 6 million Medicare beneficiaries. HCFA and its 
contractors use beneficiary claims data containing personally 
identifiable information to prevent fraud and abuse; administer 
the Medicare Secondary Payer program;\2\ develop fee schedules 
and payment rates used in fee-for-service claims processing; 
review the access, appropriateness, and quality of care 
received by beneficiaries; and conduct research and 
demonstrations including the development and implementation of 
new health care payment approaches and financing policies.
---------------------------------------------------------------------------
    \2\ The Medicare Secondary Payer provision limits payment under 
Medicare for otherwise covered items or services if that payment has 
been made or can be reasonably expected to be made from another source 
such as under a workmen's compensation law, automobile or liability 
insurance policy, or certain health plans. In such cases, Medicare 
payments for items or services are conditional payments and Medicare is 
entitled to reimbursement from the other sources for the full amount of 
Medicare payments.
---------------------------------------------------------------------------

 HCFA Discloses Information About Beneficiaries for Authorized Purposes

    In screening requests for identifiable information, HCFA 
determines whether disclosure is authorized by the Privacy Act. 
It also has different levels of review depending upon the type 
of organization making a request for information. HCFA's policy 
and practice is generally to limit disclosures to information 
needed to accomplish the requestor's purposes. However, we 
found weaknesses in its recordkeeping system for tracking and 
reporting on disclosures and its notices to beneficiaries that 
their information could be disclosed.

HCFA Screens Requests for Personally Identifiable Information

    In making decisions about whether to disclose information, 
HCFA's primary criterion is whether the disclosure is permitted 
under a routine use or one of the 11 other Privacy Act 
conditions of disclosure. HCFA can disclose information under 
routine uses to publicly and privately funded researchers and 
to public agencies such as the Agency for Health Care Policy 
and Research for health services research projects; to 
qualified state agencies for the purposes of determining, 
evaluating, or assessing cost effectiveness or quality of 
health care services provided in a state; and to insurers, 
underwriters, employers who self-insure, and others for 
coordination of benefits with the Medicare Secondary Payer 
program.
    When deciding whether to disclose personally identifiable 
information, HCFA has different levels of review depending on 
the type of organization making a request for information. 
According to HCFA policy, HCFA employees and claims 
administration contractors are provided access to personally 
identifiable information only when they require such 
information to perform their official duties. Other federal 
agencies and organizations, such as state governments and law 
enforcement agencies seeking information on Medicare 
beneficiaries, must submit documentation, such as a signed data 
use agreement that indicates their acceptance of the 
confidentiality requirements of the Privacy Act and HCFA's data 
use policies and procedures. These policies and procedures 
include a requirement that the data user will not publish or 
release information that could allow deduction of a 
beneficiary's identity. When reviewing documentation from 
requestors, HCFA determines whether the disclosure, is 
permitted under a routine use for a system of records or other 
condition of disclosure, as allowed by the Privacy Act. In 
screening requests from outside researchers, HCFA also requires 
the submission of a detailed study protocol. Further, 
researchers must receive approval from the HCFA Administrator 
when they request the names and addresses of Medicare 
beneficiaries they intend to contact to collect new data.

HCFA Generally Limits Disclosures to Information Needed to 
Accomplish Purposes

    HCFA officials told us their practice is to disclose the 
least amount of personally identifiable information that will 
accomplish the purpose of the individual or organization making 
the request. HCFA generally provides one of three types of data 
files--public-use files, beneficiary-encrypted files, and files 
which contain explicitly identifiable information. Public-use 
files are stripped of identifying information on beneficiaries 
and usually are summarized data. Beneficiary-encrypted files 
are data sets in which HCFA has encoded or removed the health 
insurance claim number, date of service, beneficiary name, or 
beneficiary zip code. Explicitly identifiable files contain 
such information as beneficiary names, addresses, and health 
insurance claim numbers. HCFA officials said they direct 
requestors whenever possible to either public use files or to 
beneficiary-encrypted files rather than to the files containing 
more identifiable beneficiary information. However, when HCFA 
does disclose data files with personally identifiable 
information, it generally does not customize them for the 
specific purpose of reducing the amount of information 
disclosed. HCFA officials told us that to do so would be a 
resource-intensive process; however, they are now developing 
software that will permit them to more easily customize data 
elements in the future.

HCFA's Recordkeeping System for Tracking and Reporting Has 
Weaknesses

    Although Medicare beneficiaries have the right under the 
Privacy Act to ask for and receive an accounting of disclosures 
of their personally identifiable information and to examine or 
amend their individual records, HCFA's recordkeeping system is 
incapable of readily providing an accounting of disclosures to 
beneficiaries. The Act requires that the accounting include 
information on the nature and purpose of the disclosure and the 
name and address of the person or organization to whom the 
disclosure was made. HCFA officials told us that the agency's 
computerized system for tracking disclosures cannot easily 
generate information for an individual beneficiary on 
disclosures made from HCFA's system of records. Weaknesses in 
HCFA's recordkeeping system also affect its ability to report 
on its Privacy Act activities to oversight agencies such as 
OMB.
    HCFA officials also told us that they are working on 
improving their recordkeeping system to better account for 
disclosures of personally identifiable information made by the 
agency. HCFA officials said that, as directed by OMB, they have 
begun reviewing their recordkeeping for Privacy Act activities. 
In January 1999, OMB released guidance based on a May 14, 1998, 
Presidential memorandum directing each agency to review its 
information practices to ensure compliance with the Privacy 
Act. HCFA has begun to address OMB guidance and officials told 
us that they are reviewing routine uses that allow disclosure 
of Medicare beneficiaries' information. In May 1999, HCFA 
established an executive-level Beneficiary Confidentiality 
Board to review strategic confidentiality issues including 
HCFA's policies and procedures for disclosing personally 
identifiable information.

Weaknesses in Notifications to Beneficiaries That Their 
Information Could be Disclosed

    The Privacy Act requires federal agencies to permit an 
individual to find out what records pertaining to him or her 
are collected, maintained, used, or disseminated by the 
agencies. The Act requires an agency to notify individuals of 
the following when it collects information: (1) the authority 
under which the agency is collecting the information, (2) the 
principal purpose for the information, (3) routine uses that 
may be made of the information, and (4) whether the individual 
is required to supply the information and the effects on the 
individual of not providing it.
    HCFA officials told us they use more than a dozen different 
Privacy Act notifications when collecting information from 
beneficiaries. Individuals' first exposure to a Medicare-
related Privacy Act notice is usually at the time of their 
application for Social Security retirement benefits, when they 
are provided with a multi-page Privacy Act notice. Approved 
Social Security retirement benefit applicants are automatically 
enrolled in Medicare at age 65. Beneficiaries should receive 
other Privacy Act notifications whenever HCFA collects 
information about them--for example, if they separately enroll 
in Supplemental Medical Insurance (Medicare Part B), receive 
medical care, or participate in a survey or a demonstration 
project.\3\
---------------------------------------------------------------------------
    \3\ Medicare Part B helps pay for doctors, outpatient hospital 
care, and other medical services such as physical and occupational 
therapy.
---------------------------------------------------------------------------
    While some of the HCFA Privacy Act notification forms we 
reviewed contain the required information, we found that others 
do not tell beneficiaries the purposes for which their 
information may be disclosed outside of HCFA, or they do so in 
an unclear fashion. For example, a form for beneficiaries 
receiving services in skilled nursing facilities provided the 
required information, but the Privacy Act notice for Medicare 
Part B enrollment did not identify the routine uses that would 
be made of the beneficiary's information and provided only a 
vague reference to the Federal Register as a source for such 
information. We found similar problems in a form used to 
collect information on end-stage renal disease beneficiaries.

      Inadequate HCFA Safeguards Could Compromise Confidentiality

    Although the procedures specified in HCFA's systems 
security manual generally adhere to OMB's guidance for 
safeguarding electronic information, HHS's OIG has identified 
serious control weaknesses with HCFA's safeguarding of 
confidential information.\4\ OIG's audits of fiscal years 1997 
and 1998 financial statements identified a variety of problems 
with HCFA's safeguards for electronic information at HCFA's 
central office and for selected Medicare claims administration 
contractors. The OIG reported the need for HCFA to implement an 
overall security structure and discussed weaknesses in the 
following areas: computer access controls (techniques to ensure 
that only authorized persons access the computer system), 
segregation of duties (the division of steps among different 
individuals to reduce the risk that a single individual could 
compromise security), and service continuity (the ability to 
recover from a security violation and provide service 
sufficient to meet the minimal needs of users of the system). 
The OIG also reported problems with controls over operating 
system software integrity and application development and 
change controls. However, HCFA has reported few complaints of 
potential Privacy Act violations.
---------------------------------------------------------------------------
    \4\ HHS/OIG, Report on the Financial Statement Audit of the Health 
Care Financing Administration for Fiscal Year 1996 (CIN: A-17-95-00096, 
July 17, 1997); HHS/OIG, Report on the Financial Statement Audit of the 
Health Care Financing Administration for Fiscal Year 1997 (CIN: A-17-
97-00097, Apr. 24, 1998); HHS/OIG, Report on the Financial Statement 
Audit of the Health Care Financing Administration for Fiscal Year 1998 
(CIN: A-17-98-00098, Feb. 26, 1999). See also Information Security: 
Serious Weaknesses Place Critical Federal Operations and Assets at Risk 
(GAO/AIMD-98-92, Sept. 23, 1998).
---------------------------------------------------------------------------
    When the OIG conducted work at 12 Medicare contractors for 
its fiscal year 1998 audit, auditors were able to penetrate 
security and obtain access to sensitive Medicare data at 5 of 
them. The auditors' ability to do so without using their formal 
access privileges is of particular concern because unauthorized 
users can exploit this security weakness in several ways, and 
compromise confidential medical data.
    Agency officials told us they are in the process of taking 
action to correct the weaknesses identified by OIG. However, 
HCFA's ability to make progress is currently affected by the 
agency's efforts to address computer requirements for the year 
2000 so that there will be no interruption of services and 
claims payments. HCFA, consistent with priorities established 
by OMB, has a moratorium on software and hardware changes until 
it is compliant with year 2000 computer requirements. OIG will 
evaluate the effectiveness of any corrective actions that HCFA 
is able to implement during its fiscal year 1999 financial 
statement audit.

HCFA Does Not Systematically Monitor How Organizations Protect 
the Confidentiality of Medicare Data

    Although HCFA has a process for monitoring systems security 
at its claims administration contractors, agency officials told 
us that competing demands and resource constraints have 
prevented them from monitoring whether these organizations 
follow OMB guidance for protecting the confidentiality of 
information. HCFA officials told us that, other than OIG 
reviews, there were no explicit on-site reviews of contractor's 
security protections in fiscal years 1997 and 1998 because of 
resource constraints and the assignment of staff to assess 
contractor year 2000 computer requirements. However, HCFA did 
initiate reviews of network security in 1998 for 12 Medicare 
contracts at 4 of its 60 claims processing contractors.
    In addition, HCFA officials told us that they do not have a 
system for monitoring whether organizations outside of HCFA 
have established safeguards for personally identifiable 
information received from the agency. When organizations sign 
data use agreements with HCFA, they agree to establish 
appropriate administrative, technical, and physical safeguards, 
providing a level and scope of security that is not less than 
the level and scope established by OMB. Data use agreements 
also include requirements that those receiving information from 
HCFA use the data only for their HCFA-approved purpose and that 
the data be returned to HCFA or destroyed upon completion of 
the project. HCFA does not systematically monitor how the data 
are being used. Although the agency follows up on expired data 
use agreements, HCFA currently has a backlog of about 1,400 
expired agreements. It expects to reduce the backlog by one-
half by September 30, 1999.
    HCFA's failure to monitor contractors and others who use 
personally identifiable Medicare information hampers HCFA's 
ability to prevent the occurrence of problems and to provide 
timely identification and corrective action for those that have 
occurred.

Few Complaints of Privacy Act Violations Reported

    The agency identified 7 complaints of potential violations 
of the Privacy Act it has received and resolved in the past 4 
years. Six complaints involved contractors conducting research 
for HCFA, health data organizations, and individual 
researchers; the seventh complaint was made by a Medicare 
beneficiary's attorney. The first six complaints were raised by 
similar organizations or other researchers and involved posting 
of potentially identifiable Medicare billing information on an 
Internet website, using and publishing data in a second 
research project without authorization from HCFA, and offering 
to share Medicare files at a national research conference. In 
the first six cases, HCFA provided direction on Privacy Act 
requirements to those involved. In the seventh case, HCFA 
provided the beneficiary's attorney with a letter addressing 
the issues raised.
    HCFA reported only one internal disciplinary action within 
the past 5 years relating to violations of HCFA's 
confidentiality policies. This incident involved an agency 
employee who was accessing beneficiary files more frequently 
than appeared necessary for performing his job. The employee 
admitted to looking at files of famous people. He was placed on 
administrative leave and later signed an affidavit stating that 
the files had not been sold or shared with other persons; 
accordingly, he was allowed to resign.

 Some States Restrict Disclosure of Sensitive Confidential Information

    In its oversight of the Medicare program, HCFA necessarily 
deals with beneficiaries and providers from every state. 
Although states have laws governing the confidentiality of 
health information, these laws vary significantly, resulting in 
what has been called a patchwork system of protections. For 
example, in Florida, mental health records are confidential and 
may be disclosed only under limited circumstances.
    Conflicts between HCFA and the states involving medical 
record disclosures have been minimal, according to HCFA 
officials, and HCFA officials believe its administration of the 
Medicare program has not been hindered because all states 
permit release of information for health care treatment and 
payment. If a state law prohibited disclosure of information to 
HCFA that was critical for these purposes, and a federal 
statute required such disclosure, HCFA officials told us that 
the agency would rely on the Supremacy Clause of the U.S. 
Constitution and its express statutory authority.\5\
---------------------------------------------------------------------------
    \5\ U.S. Const. Art. VI, cl.2. The Supreme Court has construed the 
Supremacy Clause of the U.S. Constitution to hold that federal law 
preempts state law where, for example: (1) the state law directly 
conflicts with federal law, (2) the federal legislative scheme leaves 
no room for state regulation, or (3) the state statute frustrates or 
conflicts with the purposes of the federal law.
---------------------------------------------------------------------------
    HCFA officials told us that if information is not critical 
to HCFA operations, HCFA's policy is to respect and abide by 
state laws that provide greater health records protection than 
would otherwise be required by federal law or regulation. For 
example, when California and Washington notified HCFA that laws 
in their states did not authorize the disclosure of diagnostic 
information related to the human immunodeficiency virus (HIV), 
acquired immunodeficiency syndrome (AIDS) and sexually 
transmitted diseases (STD), HCFA changed the system used to 
collect and analyze certain nursing home information by 
allowing the states to withhold diagnostic information 
collected about HIV/AIDS and STDs for their nursing home 
patients.\6\ HCFA told us that 15 states have exercised this 
option by blanking out identifiable codes for HIV/AIDs or STDs 
before submitting the requisite information to HCFA. According 
to HCFA officials, the deletion of diagnostic information 
collected about HIV/AIDS and STDs for nursing home patients 
generally has not affected its operations. However, HCFA 
officials told us that the agency will require diagnostic 
information as it refines its new prospective payment system 
for skilled nursing facilities as well as its other payment 
systems and may, therefore, need to change its policy of 
allowing states to withhold information.
---------------------------------------------------------------------------
    \6\ The information is used by HCFA to track changes in health and 
functional status of nursing home residents. The information system is 
known as the National Minimum Data Set (Resident Assessment Instrument) 
repository.
---------------------------------------------------------------------------
    Restricting HCFA from receiving uniform health information 
across the country could adversely affect internal operations 
such as rate-setting and monitoring for quality assurance. It 
could also affect the ability of analysts in HCFA, other 
federal agencies, and non-governmental organizations to conduct 
policy analysis and health services research because of the 
difficulty in complying with varying state laws. If the same 
data elements and health information were not available from 
all states, HCFA's ability to conduct research and analysis to 
improve Medicare policies might be compromised.

                    Conclusions and Recommendations

    In its role as administrator and overseer of the nation's 
Medicare program, HCFA must collect and maintain personally 
identifiable information on millions of beneficiaries to 
effectively operate and manage the program. As a steward of 
confidential information, HCFA must balance its need to 
effectively manage the Medicare program with the privacy 
concerns of its beneficiaries. HCFA must protect beneficiaries' 
health information from inappropriate or inadvertent 
disclosures.
    We found that HCFA's policies and practices are generally 
consistent with Privacy Act protections. However, we also found 
that the agency needs to do a better job implementing and 
enforcing certain protections. As the HHS OIG has reported, 
HCFA continues to have vulnerabilities in its information 
management systems. In addition, HCFA has not consistently 
monitored its claims administration contractors' safeguards for 
protecting confidential information. We recognize that HCFA, 
consistent with priorities set forth by OMB, has focused its 
resources on ensuring that the agency and its contractors are 
compliant with year 2000 computer requirements. Nonetheless, we 
believe that reducing the vulnerabilities in its information 
systems and increasing its monitoring of contractors are 
important concerns that HCFA must address in the coming year.
    HCFA also needs to better implement other aspects of its 
confidentiality policies and practices. The agency does not 
always fully and clearly inform beneficiaries that their 
information may be disclosed. It also lacks the ability to 
readily provide beneficiaries with an accounting of 
disclosures. In addition, HCFA does not have a formal system 
for monitoring the confidentiality protections of organizations 
to which it discloses personally identifiable information. As a 
result, HCFA is unable to systematically reduce the likelihood 
of inappropriate use of the data or identify instances of such 
misuse.
    Although few complaints about Privacy Act violations have 
been made to date, we believe that the weaknesses we and others 
have identified potentially compromise the confidentiality of 
health information on Medicare beneficiaries. However, HCFA has 
begun some important initiatives that appear promising and 
could improve its protection of Medicare beneficiary health 
information. These include the creation of a new beneficiary 
confidentiality board and actions taken in response to OMB 
guidance for agencies to reevaluate the circumstances under 
which they disclose information.
    Our report makes recommendations to the HCFA Administrator 
to improve HCFA's protection of the confidentiality of 
personally identifiable information on Medicare beneficiaries. 
In summary, we recommend that HCFA correct the vulnerabilities 
identified in its information management systems by OIG, 
systematically monitor contractors' safeguards for protecting 
confidential information; develop a system to routinely monitor 
other organizations that have received personally identifiable 
information on Medicare beneficiaries; ensure that all agency 
Privacy Act notifications contain the information required by 
the Act in a form that is clear and informative to 
beneficiaries, and implement a system that would permit HCFA to 
respond in a timely fashion to beneficiary inquiries about 
disclosure of their information outside HCFA as well as to 
provide information on Privacy Act activities to OMB and 
others.

                                 -----

    Mr. Chairman, this concludes my prepared statement. I would 
be happy to answer any questions you or the Subcommittee 
Members may have.

                   GAO Contacts and Acknowledgements

    For future contacts regarding this testimony, please call 
Leslie G. Aronovitz at (312) 220-7600 or Bruce D. Layton at 
(202) 512-6837. Key contributors to this testimony include 
Nancy Donovan, Bonnie Brown, Nila Garces-Osorio, Barry Bedrick, 
and Julian Klazkin.

                          Related GAO Products

    Medicare: Improvements Needed to Enhance Protection of 
Confidential Health Information (GAO/HEHS-99-140, July 20, 
1999).
    Year 2000 Computing Challenge: Estimated Costs, Planned 
Uses of Emergency Funding, and Future Implications (GAO/T-AIMD-
99-214, June 22, 1999).
    Year 2000 Computing Crisis: Readiness of Medicare and the 
Health Care Sector (GAO/T-AIMD-99-160, Apr. 27, 1999).
    Financial Audit: 1998 Financial Report of the United States 
Government (GAO/AIMD-99-130, Mar. 31, 1999).
    Auditing the Nation's Finances: Fiscal Year 1998 Results 
Highlight Major Issues Needing Resolution (GAO/T-AIMD-99-131, 
Mar. 31, 1999).
    Medical Records Privacy: Access Needed for Health Research, 
but Oversight of Privacy Protections Is Limited (GAO/HEHS-99-
55, Feb. 24, 1999).
    Year 2000 Computing Crisis: Readiness Improving, But Much 
Work Remains to Avoid
    Major Disruptions (GAO/T-AIMD-50, Jan. 20, 1999).
    Major Management Challenges and Program Risks: Department 
of Health and Human Services (GAO/OGC-99-7, Jan. 1999).
    Medicare Computer Systems: Year 2000 Challenges Put 
Benefits and Services in Jeopardy (GAO/AIMD-98-284, Sept. 28, 
1998).
    Information Security: Serious Weaknesses Place Critical 
Federal Operations and Assets at Risk (GAO/AIMD-98-92, Sept. 
23, 1998).
      

                                


    Chairman Thomas. Thank you very much.
    Dr. Hamburg, it has been a source of frustration for many 
of us that the administration has failed almost in every 
instance to meet a date that was prescribed for it in law and 
to provide information or structure dealing with the BBA in 
terms of prospective payment structures of the rest. So that 
source of frustration may indeed be finally useful in your 
announcing that the administration plans to produce its 
document on a particular timetable, and I feel comfortable that 
that timetable will not be carried out. This is the first time 
I feel good about the Administration not making a timetable.
    Ms. Aronovitz, in the GAO report, on page 6, you indicate 
that HCFA relies on, under current conditions, the disclosure 
structure provided for in the Privacy Act dealing with release 
of information to outside researchers and other entities; and 
you also mentioned in your testimony and on page 14 and 15 you 
note that HCFA's current recordkeeping system makes it almost 
impossible for someone to go back and determine where all 
someone's data was sent. And I know Dr. Hamburg mentioned an 
HMO in terms of disclosing this information, and I appreciate 
your pointing out this problem.
    However, in looking at GAO information the way you have it 
structured, Ms. Aronovitz, I don't see much of an indication of 
the number of these disclosures. You talk about 1,400 expired 
data use agreements. Now, the assumption is that covers a kind 
of an understanding of what information is going to be provided 
and what you are going to do with it, but those are expired 
data use agreements, 1,400 of them. How many are out there that 
are not expired? That would be one of the questions. How many 
over a time period, 1 year, 5 years, has there been in terms of 
agreements in which information has been moved? Do we have any 
indication of the total number of agreements?
    Ms. Aronovitz. No. It is actually quite a complicated 
accounting process. When you think of the Privacy Act, we 
usually think of a system of records, and that is the kind of 
denominator which we use to try to figure out disclosures. We 
could not get an accounting of the total number of times data 
that were in a particular system of records were disclosed to 
an outside requester.
    Chairman Thomas. Is HCFA required to report Privacy Act 
information activity and to whom is it supposed to report this?
    Ms. Aronovitz. HCFA has two obligations. The first is to 
the beneficiary, when the beneficiary asks for an accounting of 
disclosures. We believe that, right now, a beneficiary would 
probably have to wait for a while, because HCFA could not 
readily provide that information. HCFA also must provide 
certain types of information through HHS to OMB the information 
to be provided to OMB concerns the number of beneficiaries who 
have asked to access their own records.
    Chairman Thomas. So the only information under the Privacy 
Act that is kind of held responsible for telling folk you are 
doing it is either to the individuals or the number of 
individuals information? Who are these entities, for example, 
on the 1,400 expired data use? Who would these agreements be 
with, typically? I know they are expired, but it would be an 
indication of who they would be with if they were alive.
    Ms. Aronovitz. Data use agreements are used for a variety 
of requesters of information from HCFA. They would be almost 
everyone outside of HCFA itself.
    Chairman Thomas. Who is everyone? Are these entities?
    Mr. Hash. It would be HCFA, it would be researchers that 
HCFA is sponsoring, research or non-HCFA sponsored researchers. 
It could also be States or other Federal agencies.
    Chairman Thomas. And there is no requirement that they list 
or include who it is that they have transmitted this 
information to on a Privacy Act report to OMB?
    Mr. Hash. No, there is no requirement for disclosures to 
third parties in the OMB. It is only to the number of times a 
beneficiary has asked to access its own information.
    Chairman Thomas. Thank you.
    Do you volunteer this information anyway or do you follow 
strictly the Privacy Act?
    Mr. Hash. Mr. Chairman, we have been trying to follow the 
Privacy Act. We have actually to my knowledge not recorded any 
requests from beneficiaries for the information that Ms. 
Aronovitz----.
    Chairman Thomas. I am asking the question the other way. Do 
you keep track of who it is, the entity that you enter into 
these agreements with and to which you release personally 
identifiable information?
    Mr. Hash. We do.
    Chairman Thomas. Then tell me how many you have entered 
into over the last 1 year, 5 years.
    Mr. Hash. I will have to get you that for the record, Mr. 
Chairman.
    Chairman Thomas. Do you believe you can get it for the 
record?
    Mr. Hash. I believe we can. I believe we could determine 
the number of data use agreements that we have.
    [The following was subsequently received:]

    Within the last year 1,911 data use agreements were initiated. Of 
these, 1,261 involve identifiable data and 650 involve encrypted data. 
Within the last five years 5,167 data use agreements were initiated. Of 
these, 3,950 involve identifiable data and 1,217 involve encrypted 
data.
      

                                


    Chairman Thomas. OK. My problem is, if you can do that, Ms. 
Aronovitz, my understanding is you interviewed HCFA folk, and 
did you ask that question of them?
    Ms. Aronovitz. The data use agreement is between the 
researcher and HCFA. HCFA needs to be able to better account 
for specifically what records they are disclosing on a 
particular beneficiary.
    Chairman Thomas. So we don't even know what information is 
transmitted to these individuals? Or we do, but we can't recall 
it after it is done?
    Ms. Aronovitz. The details are kept in paper records filed 
by the requester's name, not by an individual beneficiary or by 
a system of records.
    Chairman Thomas. Now I also noted in the GAO report that 
HCFA indicated that what they did was follow the tail of the 
comet, that is, they would review on the Internet, read 
materials to see if any of this information was out there. And 
it just kind of concerns me that they don't look at the comet, 
they look at the tail of the comet, so it is already out there 
before their detection structure would function; is that 
correct?
    Ms. Aronovitz. Yes. We think they need to do a much better 
job doing more proactive monitoring of entities that they 
provide information to, making sure that they are following 
their data use agreements and, in fact, complying with the 
provisions of those agreements.
    Chairman Thomas. So, based upon Dr. Hamburg's testimony, I 
could very comfortably ask her who has HCFA released individual 
information out of HCFA to, and she probably wouldn't be able 
to tell me who she released it to. Probably just as important, 
she wouldn't be able to tell me what it was that was released, 
unless of course it appeared on the Internet being misused if 
your monitoring is 100 percent accurate after the fact. Is that 
a reasonable statement of what we have got right now with 
individualized records being sent out of HCFA to researchers 
and other entities?
    Ms. Aronovitz. I think it is reasonable. We would have to 
say that it would take quite a lot of effort, for HCFA to get 
that information.
    Chairman Thomas. Mike, you want to respond?
    Mr. Hash. Mr. Chairman, what I would like to say is that 
we, in fact, do I think have, as I mentioned a moment ago, the 
records, the data use agreements that we have entered into.
    Chairman Thomas. And you know what it is that has been 
transmitted under this agreement? You have a record of that?
    Mr. Hash. We do. We do. What would take a greater effort 
that was referred to was the identification specifically on a 
beneficiary by beneficiary basis, what various systems of 
record information was transmitted. It could be done, but 
because we maintain our records on the basis of the data use 
agreement, you would have to go in and manually identify the 
individuals that were included in that data use agreement, but 
we know what we gave and to whom we gave it.
    Chairman Thomas. You know what you gave.
    Mr. Hash. Correct.
    Chairman Thomas. Including personalized medical record 
information from an individual.
    Mr. Hash. We know the systems of records that include 
personally identified information that we made available to a 
user under a data use agreement.
    Chairman Thomas.  And do you know they honored that use 
agreement?
    Mr. Hash. I believe except for the monitoring activity we 
need to put into place stronger oversight of exactly whether 
all of the users in these data use agreements are complying 
with the requirements of the Privacy Act.
    Chairman Thomas. I appreciate the answer. The question was, 
do you know if they are living up to the agreement?
    Mr. Hash. Not in every case, Mr. Chairman.
    Chairman Thomas. And have you found some since, not in 
every case, there are some who are not?
    Mr. Hash. Very few.
    Chairman Thomas.  OK. What do you do with the few that you 
find?
    Mr. Hash. In the cases where people have violated the 
Privacy Act, we have of course withdrawn, canceled their----.
    Chairman Thomas. Don't you want to modify the statement to 
say that in those instances when we are aware they have 
violated the agreement?
    Mr. Hash. In those instances, where we believe there has 
been a violation of the Privacy Act by one of our----.
    Chairman Thomas. No, that you are able to determine--see, 
what you did was just go from a statement in which you don't do 
a very good job of keeping track of it and you have discovered 
some violations----.
    Mr. Hash. Mr. Chairman, I think we do a good job of keeping 
track of it. What we don't do as good a job of as we should is 
in oversight with these users to make sure that, once they get 
the data, they are in fact actually complying with the 
requirements of the Privacy Act.
    Chairman Thomas.  And how many agreements are there today 
in effect?
    Mr. Hash. I will be happy to try to supply that to you for 
the record. I don't have it with me, Mr. Chairman.
    [The following was subsequently received:]

    As of July 21, 1999, there are 4,377 data use agreements in effect. 
Of these, 2,924 involve identifiable data and 1,453 involve encrypted 
data. The majority are with government agencies and researchers under 
contract to do work for the government; only 515 are not with Federal 
or State agencies or researchers under contract to such agencies.
      

                                


    Chairman Thomas. OK. Now, GAO has identified, you know, 
many uses that HCFA has with the individually identified 
information. You got to do a lot of stuff. You have got payment 
activities that you have to deal with that data, claims 
processing. You do some utilization review. You got secondary 
payment enforcement, eligibility determinations. What else? 
Integrity activities, peer review, quality assurance.
    Mr. Hash. Yes, sir.
    Chairman Thomas.  What else? I mean, some research----.
    Mr. Hash. Yes, sir, for purposes of improving either our 
payment policies or our quality improvement strategies.
    Chairman Thomas. Yes. Would you classify the surveying of 
individual claims files in order to determine something like, 
say, the relative mammography rates of seniors in the 
traditional fee for Medicare service program to be a quality 
assurance activity?
    Mr. Hash. I believe we would, Mr. Chairman.
    Chairman Thomas. How about peer review and credentialing 
activities?
    Mr. Hash. If you mean by that organized systems of care, 
Mr. Chairman?
    Chairman Thomas. Yes, trying to take a look at who does 
what in the credentialing area as a kind of, in my opinion, a 
quality assurance procedure. Would you classify that, the 
credentialing, the review of the ability to live up to the 
agreement that was made for credentialing purposes, quality 
assurance?
    Mr. Hash. The situation that that suggests to me is that 
the--only one area wherein we review applications of private 
health plans and want to contract with Medicare and we look to 
those private health plans to provide us information about 
their credentialing procedures for health care professionals 
who are going to serve our enrollees.
    Chairman Thomas. OK. Let me give you an example. The 
President's recent proposal said that he is interested in 
moving toward a PPO, preferred provider organization structure, 
and my assumption is you are going to have to do some 
additional monitoring and perhaps some credentialing in that 
regard. Would that be a quality assurance activity?
    Mr. Hash. Well, we have been thinking about two approaches 
to that, Mr. Chairman. One would be to contract with existing 
PPO organizations that are already out there; and in that case, 
obviously, we would be interested in assurances that they do 
have some criteria for determining who gets admitted to their 
PPO. We had not really anticipated, at least initially, that we 
would be forming under that proposal our own PPOs.
    Chairman Thomas.  But it doesn't preclude that.
    Mr. Hash. It does not.
    Chairman Thomas.  And this line of questioning was in part 
to establish that, obviously, health information is sensitive, 
it is important, but there are truly legitimate reasons beyond 
treatment and payment that you need to utilize this kind of 
data if for no other reason quality assurance but certainly in 
terms of best practices and other activities I think are 
important.
    My real concern as we move forward in this is that we take 
a look at where we are philosophically, where we may want to be 
for public health purposes and, in fact, providing statistical 
data to be able to assist in improving individual health care 
and look at what is happening at the State level and the 
ability of the Federal Government, notwithstanding the fact it 
is a sovereign, to make sure all legitimate health entities 
have the ability to do the same thing. And I am concerned about 
the administration's position that they are less concerned 
about what is happening at the State level because of the 
sovereign position and HCFA's ability to collect information. 
But the formation of a confidentiality structure which provides 
for research collection needs to be looked at from a Federal 
perspective, not just a government but a national perspective 
for the data. Is there any reaction to that?
    Dr. Hamburg. Well, I think that the Secretary's 
recommendations definitely acknowledge the important point you 
are making and identify research as an important area of 
activity for disclosure of information, public health concerns, 
quality of care and certain emergency situations as well.
    Chairman Thomas. The gentleman from Wisconsin has already 
had his position violated by the Secretary's concerns. So since 
we have blown through his concerns, my concerns are this. I 
understand the concept of a Federal floor and allowing States 
to go beyond that. If we are dealing with things like clean 
water, clean air, it doesn't make sense to me if you are 
dealing with the collection of data to say there could be a 
Federal floor but States can impose more stringent data in 
particular areas. We may want to carve out other areas 
completely.
    I do not understand--and this is kind of a bizarre 
relationship to me--a Republican advocating Federal preemption 
in an area in which that folk at a cocktail party would think 
that would be understanding the importance of the collection of 
data for very fundamental and critical reasons in the private 
sector as well as in the public sector. And this is an area I 
think we need to resolve because I do not understand how, in 
the collection of data for useful purposes, the administration 
can comfortably say we will establish a floor and if the State 
wants to go beyond that, that is OK with us. How ever in the 
world you have an accurate, universally reliable data 
collection system with that basic organizing concept doesn't 
make sense to me, and I look forward to continuing to work with 
you.
    The gentleman from Wisconsin wishes to inquire?
    Mr. Kleczka. Thank you, Chairman Thomas.
    I don't believe the Secretary did violate my preamble for 
privacy, because I never said it was an absolute right. I said 
as the owner of those records I think I should have the right 
to express my desire for privacy. Throughout the discussion of 
the use of these records for research and for collection of 
data I think we should consider, de-identifying the records. I 
think, for billing purposes my name and data might have to be 
attached to it, but for a lot of stuff we can de-identify the 
medical record and let the research or whatever go forward.
    Mr. Hash, first let me ask a question we are all wondering 
and I guess everyone is kind of embarrassed to ask, how is the 
mother to be?
    Mr. Hash. I am glad you asked that. I just talked to her 
today, and she is expected to deliver at any moment, so she is 
very near the end of her odyssey and very excited about the 
next phase of her life.
    Mr. Kleczka. Well, we wish her well and the baby and the 
father.
    Let me ask one question. You indicated that HCFA has just 
approved the creation of a Beneficiary Confidentiality Board, 
which I assume is going to be akin to the Independent Review 
Boards that States have and some individual private 
organizations have. What do you envision the responsibility of 
this confidentiality board to be?
    Mr. Hash. Mr. Kleczka, I am glad you asked, because we felt 
we needed a high-level organization within HCFA that pulled 
together the leadership of the agency to focus on the strategic 
questions about the kind of information that needed to be 
collected to operate our programs, as well as the protections 
that need to be in place to ensure patient and individual 
confidentiality. And the mission of this new Beneficiary 
Confidentiality Board is to develop procedures and policies 
that will govern our decisions about the collection of 
information on the front end, as well as our requirements for 
data users and, in fact, our policies and procedures for 
overseeing, as I mentioned to Chairman Thomas, compliance with 
these procedures by anyone with whom we enter into a data use 
agreement.
    We are also anxious that this board be an opportunity to 
examine the existing systems of records that we have to 
determine whether they are properly secured, whether we in 
fact, in another critical area, are making adequate notices 
available to our beneficiaries so that in plain language they 
know under what authority we are collecting the information and 
specifically to what uses it could be put.
    So these are the range of broad questions that we expect 
this board to address; and, as I say, not only does it involve 
our computer and information systems people, but it is actually 
housed, for staffing purposes, in our Center for Beneficiary 
Services to focus attention that this is all about protecting 
the interests of our beneficiaries.
    Mr. Kleczka. With the thousands of contractors that you 
enter into agreements with across the country, have you seen 
any violations of the beneficiaries' medical records by 
contractors either through unauthorized viewing or sale of 
information?
    Mr. Hash. We are not aware of any serious violations. We 
think there have been instances in which the procedures for 
gaining access to personally identifiable information may have 
been breached because individuals who were not authorized by 
the nature of their work to have access may have been given 
access. When we have learned of that, we have, you know, 
revoked their access privileges and taken steps to tighten up 
on the approval of access, but, to my knowledge, we do not have 
any cases where the information has been sold or publicly 
disclosed.
    Mr. Kleczka. OK. In how many instances do you recall having 
a problem with contractors with regard to unauthorized access?
    Mr. Hash. How many instances?
    Mr. Kleczka. How many instances? Do you have any numbers?
    Mr. Hash. I think it is very few over the last 5 or 6 
years. We looked back, and I think we only found one or two 
altogether.
    Mr. Kleczka. OK. When you deal with a patient's privacy and 
the records that you are responsible for you comply with 
Federal Privacy Act, but you also defer to State law; is that 
accurate?
    Mr. Hash. We generally do respect State laws. For the most 
part, what we have found is that State laws do recognize the 
kinds of needs that we have for personally identified 
information in their own laws, for example, data for payment 
purposes, data for fraud and abuse purposes and law 
enforcement, and data for quality assurance. These are 
typically treatment, payment and health care operations 
exceptions that are found in State privacy laws, and those laws 
have allowed us to continue to have access to the data we need 
to operate our programs.
    Mr. Kleczka. OK. I will get back to Ms. Hamburg on the 
second round with some preemption questions. Thank you.
    Chairman Thomas. Gentlewoman from Connecticut wishes to 
inquire?
    Mrs. Johnson of Connecticut. I thank you for your testimony 
today.
    I want to talk a little bit more about this patient opt-out 
power as well and particularly how it interfaces with the floor 
proposal. If a patient has the right to opt-out, and I am very 
sympathetic to the opt-out provision but I want to understand 
more clearly how it works, could a Medicare beneficiary elect 
to withhold the fact that they had had a certain diagnosis?
    Mr. Hash. I think you are addressing that to me, Mrs. 
Johnson.
    Mrs. Johnson of Connecticut. Well, whoever is best suited 
to answer it.
    In other words, could they elect to withhold this 
information from the carrier, you know, from the payor? I want 
to know how far their election rights go. The doctor knows it 
clearly. Now if they can elect to withhold this information, I 
might want to do exactly what my friend did with his dentist. I 
might like to elect to withhold that I was diagnosed with 
shingles for a fear that people would fear that I was hyper 
responsive to stress-related illnesses. So, you know, how much 
could they withhold actually from the carrier?
    Mr. Hash. Well, the requirements in the Medicare Program 
are really to submit a claim to us that provides sufficient 
information on the claim form for us to determine if the 
individual is eligible, that the service provided was covered, 
and that is the basic information that comes in on a claim 
form. And if a claim form was submitted to us without the 
diagnostic information or without the identification of the 
individual or their health insurance number, then our 
contractor would be unable to process that claim.
    Mrs. Johnson of Connecticut. OK. Then in terms--because I 
want to go through a sort of series of these--in terms of 
program activities that HCFA is responsible for, could an 
individual elect not to let HCFA use specific data in research 
and development of new payment methodologies? In other words, I 
could see that they would have to submit the information so 
there would be payment, but could they prevent you from having 
access to that information for your own internal research and 
policy development?
    Mr. Hash. As I understand it, Mrs. Johnson, under our 
current notices, and the authorizations that we seek from our 
beneficiaries when they enroll in Medicare, allow us to make 
the judgment about the use of their personally identified 
information for purposes that may involve research related to 
the improvement of the payments in the program or to quality 
oversight or to fraud and abuse, those kinds of activities.
    Mrs. Johnson of Connecticut. How specific is your 
requirement to inform consumers and to ask for their 
permission? Because in the next 5 years there are people who 
are going to get much more sensitive to this whole issue and 
are going to be making different decisions. So do you inform 
them they have a right to withhold information and will there 
be subcategories that you have a right to withhold your 
information from researchers, you have a right to withhold 
information from whomever?
    Mr. Hash. That is not the substance of our notices that we 
give under the Privacy Act now. They do not have the option to 
sub-limit the use of the data for the kinds of examples that 
you were using.
    Mrs. Johnson of Connecticut. So when they say disclose or 
not disclose, do they know to whom the information may be 
disclosed and to whom it may not be disclosed?
    Mr. Hash. Of course they don't know specifically to whom it 
may be disclosed, but they do know that it may be disclosed for 
a series of purposes, and those purposes are indicated in the 
notice.
    Mrs. Johnson of Connecticut. And if they indicate they 
don't want disclosure, do you interpret that to mean that you 
simply can't disclose to an outside contractor but you can 
disclose within your agency? Do you say that you can disclose 
to other Federal agencies but not to outside contractors?
    Ms. Aronovitz. My understanding right now is that on a 
notice it is a blanket notification. We actually looked at some 
notices that say, if you do not sign this form, you will not be 
able to get benefits from Medicare.
    Mrs. Johnson of Connecticut. That is not an opt-out to say 
if you don't sign disclosure you don't get benefits under 
Medicare. This is a sledgehammer.
    Ms. Aronovitz. We don't consider that an opt-out.
    Mrs. Johnson of Connecticut. Oh, I see.
    Ms. Aronovitz. If there is an opt-out policy----.
    Chairman Thomas. It may be a literal opt-out, depending 
upon what options you need and medical service.
    Ms. Aronovitz. Currently, we don't see HCFA having an opt-
out policy.
    Mr. Hash. To my knowledge, we do not.
    Mrs. Johnson of Connecticut. I thought you were 
recommending an opt-out policy.
    Mr. Hash. I am not aware of that, Mrs. Johnson.
    Mrs. Johnson of Connecticut. My impression is that in your 
recommendations you are proposing an opt-out policy. So I kind 
of assumed from that, which I did not have the right to assume, 
that if you are recommending an opt-out policy you must already 
have one.
    Mr. Hash. Perhaps this will be helpful, Mrs. Johnson. We do 
have a procedure where if a researcher wants to contact an 
individual about their participation in a survey or some kind 
of a research protocol that we first contact that individual by 
letter and indicate to them that they may elect not to 
participate in such an activity if they do not want to. And 
that is an area of patient choice, if you will, or opt-out that 
we do routinely apply if the research protocol involves 
contacting an individual directly and asking them for 
participation in a research protocol.
    Ms. Aronovitz. There is another example that might be 
useful. Some of the notices that we looked at specifically said 
if you don't sign this form you will not get Medicare benefits. 
The OASIS notification, which we think is an improvement over 
some of the other notices, does have language that specifically 
states there are no Federal requirements for home health 
agencies to refuse you services if you do not provide this 
information. However, it takes a little bit of fortitude to 
really understand what it says.
    Mrs. Johnson of Connecticut. Sort of a backhanded way of 
saying that you can get the services even if you refuse to 
disclose.
    Ms. Aronovitz. Right, in this particular case. So there 
could be instances where you would not lose your benefits.
    Mrs. Johnson of Connecticut. So there is not currently any 
requirement that when you sign up for Medicare you have the 
right to sign a waiver that says you may not release my medical 
information.
    Ms. Aronovitz. As far as we know, that is correct.
    Mr. Hash. I believe that is correct. The authorization that 
beneficiaries sign when they enroll in Medicare is a broad 
authorization.
    Mrs. Johnson of Connecticut. Thank you. I will pursue this 
later, but I think in the new world this is a very big issue. 
Thanks.
    Chairman Thomas. Gentleman from Minnesota wishes to 
inquire?
    Mr. Ramstad. Thank you, Mr. Chairman. Thank you to today's 
witnesses.
    As a former adjunct professor of constitutional law, the 
more I get into this area I am beginning to reach the 
conclusion that health care privacy is an oxymoron given the 
state of technology, and I am real concerned about the right to 
privacy, the zone of privacy as the Supreme Court has talked 
about, that we supposedly have through the first, fourth, fifth 
and 14th amendments to the Constitution.
    And I don't understand, if I may address the first question 
to you, please, Mr. Hash, according to the GAO critique, the 
report, when HCFA discloses data files with personally 
identifiable information it doesn't customize them for the 
specific purpose of reducing the amount of information. Now, I 
thought this was departmental policy pursuant to the 1997 HHS 
recommendations on privacy, and does this mean that they are 
ignoring the issue of customizing the data you disclose?
    Mr. Hash. I think maybe, and I will let Ms. Aronovitz speak 
to that, but I think what we mean by customization is that at 
HCFA when we review a request for personally identified 
information for a research purpose, we actually go through a 
kind of three-stage evaluation. We have what are called public 
use tapes which have a lot of aggregated data which do not 
identify individuals; and we see if, in fact, research can be 
conducted with a public use tape.
    We have a second level of release of data that involves the 
encryption of identifying information. It is obviously 
conceivable that with that data set you could identify 
individuals, but it would be difficult.
    But we then, last, only as a last resort do we actually 
release a data file with person-specific identifiers in it, and 
only then when we have made a determination that there is no 
other way to conduct the research and that the research is 
vital to a purpose of administering our program.
    Ms. Aronovitz. I would agree with that. However, if HCFA 
decided that the only way to fulfill the research purpose was 
to provide personally identifiable information, it does not 
have the capacity to only provide the data elements that are 
absolutely necessary to fulfill the research purpose. At that 
point if HCFA felt that the researcher really only needed, let 
us say, five data elements from that file that is where 
customization would not occur.
    Mr. Ramstad. And it is a question or an issue of capacity 
of the resources?
    Ms. Aronovitz. That is correct.
    Mr. Ramstad. To customize to that degree?
    Ms. Aronovitz. HCFA has said it is developing software that 
in the future will enable it to do a much better job with 
customization, but right now it doesn't have the capability.
    Mr. Ramstad. Just recently I was privy to a demonstration 
by a computer expert who accessed his file at Columbia 
Presbyterian or wherever, revealed psychiatric data, other very 
confidential, sensitive data. All I could think of was this is 
Kafkaesque. I mean it was very, very unnerving, to say the 
least, and it just seems to me that we need to, this session, 
this year, we need to come to a consensus on a bill and get 
this done sooner rather than later. Would all three of you 
agree on that?
    Mr. Hash. Yes.
    Ms. Aronovitz. Yes.
    Mr. Ramstad. And then, finally, I want to ask Ms. Aronovitz 
a question just briefly in the remaining seconds I have. In 
your GAO report, you mention that HCFA has not done much to 
inform Medicare beneficiaries about their rights under the 
Privacy Act. Could you elaborate on your findings? I mean, it 
is disappointing when this Subcommittee did a lot of work 
pursuant to the Balanced Budget amendment to ensure that 
beneficiaries receive clear and complete information about the 
Medicare Program, and I was just disappointed to read that 
finding. I was just wondering if you could elaborate on that.
    Ms. Aronovitz. As I said, the OASIS notification is an 
improvement over prior ones. HCFA said it uses about a dozen or 
so different types of notifications. When somebody signs up for 
Medicare and then when they participate in the demonstration or 
obtain health care, there would be a notification. The Privacy 
Act requires a notification that has four elements, and they 
are very straightforward. You have to tell the beneficiary your 
authority for collecting the information, the principal 
purposes you will use it for, all of the routine uses you will 
make of the information and also the effects on the beneficiary 
of not providing the information.
    Well, first of all, we found that some of the forms HCFA 
uses didn't have all these elements and, therefore, were 
incomplete, in our judgment, in terms of providing information 
to the beneficiary. However, interestingly, the Privacy Act 
does not require HCFA anywhere on these notices to indicate 
that beneficiaries have a right to get an account of the 
disclosures that are made of their information. This type of 
information did not appear on any of these notices.
    Mr. Ramstad. Well, I see my time has expired, but I 
appreciate the explanation. It only makes me wonder that 
perhaps that is the reason so few seniors have ever contacted 
HCFA to see their information or to see HCFA's accounting of 
the disclosures it makes. But I look forward to working with 
all three of you and others on re-establishing the right to 
privacy in this country. A lot of this is truly alarming, and I 
don't say that talking in hyperbolic tones. I am very 
concerned, and I am glad to see you nodding affirmatively you 
share that concern.
    Thank you, Mr. Chairman.
    Chairman Thomas. I thank the gentleman.
    I do believe that it is a contest between public and 
private rights, and there are significant public rights when it 
comes to health and the effect that a single individual may 
have on the public health, and these are sometimes competing 
rights, and society historically has indicated that in certain 
instances the public's right to know to deal with the public 
health problem can even transcend privacy rights. And we are 
going to try to deal with that in balancing it, not only in 
after-the-fact information but hopefully in a successful prior-
to-the-fact management in a world in which it is far more 
complicated with computers but ironically enough also simpler 
in certain instances because of the ability to control the flow 
of data via electronic means.
    Gentlewoman from Florida wishes to inquire?
    Mrs. Thurman. Thank you, Mr. Chairman, and it kind of goes 
to that question.
    Ms. Aronovitz, when I was looking over your report--and, of 
course, it was basically to talk specifically about protecting 
beneficiaries' confidential health information, one of the 
things that struck me was that we talk about the security 
weaknesses but we also talk about the moratorium that OMB has 
placed on HCFA in securing or looking at any other kind of 
computer software. Is that something we should look at 
correcting to give them the tools that would be necessary to 
help them in this job?
    Ms. Aronovitz. Actually, the moratorium seems to be very 
appropriate under the circumstances. We think, in our Y2K work, 
that HCFA is facing quite a high risk in the fact that it is so 
close to the end of the year. We understand that HCFA needs to 
focus its resources on its immediate responsibility continuing 
to be able to pay claims. Unfortunately, the moratorium had to 
occur because it was one way for HCFA to assure itself that its 
resources would be centered on that immediate problem.
    However, we think that fixing the security systems for 
privacy issues is extraordinarily important also and should be 
addressed as soon as HCFA's systems have been tested and 
certified as Y2K compliant.
    Mrs. Thurman. And is that what OMB has indicated that, once 
that is done, that those resources would be immediately 
available for this particular issue, Mr. Hash?
    Mr. Hash. Yes, Ms. Thurman, that is my understanding; and 
it is certainly our intention that, once we pass the Y2K 
period, that this issue of installing the appropriate 
architecture for information technology security is our highest 
priority with our contractors. Because it has been pointed out 
to us by the GAO and by others that there are steps we can put 
into place, new systems, new technology that mitigate the 
possibility of breaches of those systems by unauthorized 
persons, but, you know, this is an area where the technology is 
racing ahead as fast as we can possibly think about keeping up 
with it, and I think our real challenge is to remain vigilant 
to the possibility that just when you think you may have a 
computer system that cannot be hacked into, somebody will 
undoubtedly be able to figure it out. But that doesn't relieve 
us of the responsibility of taking all the steps we can to put 
in the strongest security measures available.
    Mrs. Thurman. So you all are working on this problem 
somewhat consecutively with the Y2K? I mean, you are looking 
for those ways, vendors, people who could in fact put in this 
software?
    Mr. Hash. We are. And, in fact, another aspect of this is 
holding our contractors more accountable to, in our evaluation 
of them, that they, in fact, have put into place the 
appropriate kinds of security protections that are necessary to 
protect this data. So we recognize, as I said to Chairman 
Thomas earlier, that we need to strengthen our oversight of 
those organizations that have access to this kind of 
information to prevent unauthorized disclosures.
    Mrs. Thurman. Thank you.
    Chairman Thomas. I thank the gentlewoman.
    Gentleman from Michigan wishes to inquire?
    Mr. Camp. Thank you, Mr. Chairman.
    I thank all three of you for testifying today.
    Ms. Aronovitz, I have a question for you. In your testimony 
you note that there are different needs that HCFA has for 
individually identifiable information and that there are 
beneficial uses of that information but, also, that there are 
some problems in maintaining the security of that data, you 
know, particularly regarding some of the administrative 
procedures and managing this in the context of an information 
system. What do you think the implications would be for HCFA if 
they had to comply with 50 different State laws?
    Ms. Aronovitz. I think that it would add a tremendous 
complexity to their work and a burden and cost that we can't 
estimate, but it could certainly create quite an additional 
burden for them.
    Mr. Camp. In addition, what if Medicare patients could 
selectively demand that certain criteria were not or data 
elements were not to be used for certain purposes? 
Administratively, what do you think the impact and also that 
that information couldn't be disclosed to certain employers or 
employees or contractors?
    Ms. Aronovitz. I am not an expert on HCFA's or anyone's 
computer systems, but I certainly feel comfortable in saying 
that the point that HCFA is at right now, if somebody were to 
be very specific about the circumstance under which they wanted 
their information to be used, it would be impossible for HCFA 
to comply.
    Mr. Camp. Would you agree that the private sector providers 
would face the same administrative burdens if Federal law 
wasn't preemptive and in fact might even be worse because they 
wouldn't have the supremacy clause to ignore certain laws at 
their discretion like HCFA might have?
    Ms. Aronovitz. It seems as though they would have the same 
burden.
    On the other hand, we didn't really look at how they are 
coping right now, and ostensibly there are companies that work 
in more than one State or all 50 and somehow seem to figure out 
how to get along, but we really don't know enough about how 
they are doing it or the extent to which that burden could 
convince some of them not to do commerce in the States.
    Mr. Camp. Thank you very much.
    Mr. Hash.
    Mr. Hash. May I comment?
    Mr. Camp. Yes.
    Mr. Hash. I think there are a couple of observations I 
would like to make, and that is, they are--first, it is 
difficult to determine in advance exactly how States might in 
the future design privacy laws. And as I mentioned at the 
outset, our experience today has been that States have been 
generally sensitive to the kinds of issues that are necessary 
from our point of view to operate our programs and to meet our 
fiduciary responsibilities as well as our quality oversight 
responsibilities.
    And so I think in that sense that ties into my second 
observation which is that our position is, in the 
administration, that we believe a strong Federal floor will 
actually reduce the incentives for States to want to legislate 
further in this area.
    As an example, I might point out that in the HIPAA law 
itself that Congress passed 3 years ago, it is basically 
predicated on a notion of a very strong Federal floor, and to 
date at least I think States have not been desirous of or felt 
it was necessary to legislate beyond the HIPAA floor, and I 
think that is why we are placing so much emphasis on working 
with you and others to develop a Federal standard for 
confidentiality and protection that will reduce the need for 
additional State legislation.
    Mr. Camp. Thank you. Thank you, Mr. Chairman.
    Chairman Thomas. Well, to point out the absurdity of that 
statement, if I might, Minnesota currently has a provision 
which requires individual release for access to information. As 
a matter of fact, Mayo Clinic built its record on its 
epidemiological records which it now cannot do with any degree 
of confidence because it can only get 97 percent sign-off.
    When you are doing research in key areas, obviously any 
hole in your data causes you problems. Let us take a Medicare 
patient from Minnesota. If Johns Hopkins wants to utilize that 
Medicare patient's medical records and tries to go through the 
State of Minnesota, obviously, they are going to have go 
through a sign-off procedure. I believe it is a three-denial 
effort or get the permission of the individual to do it. If 
Johns Hopkins goes to HCFA, can HCFA under the arrangement that 
we were discussing release the information of that Medicare 
patient who happens to live in Minnesota to Johns Hopkins?
    Mr. Hash. The short answer is yes.
    Chairman Thomas. And John Hopkins being a reputable 
university and research structure would--of course you would be 
pleased to enter into an agreement with them?
    Mr. Hash. We would review their proposal as we do all other 
research proposals to first see----.
    Chairman Thomas. Careful, Ben is here and so you would 
review it very quickly.
    Mr. Hash. We would definitely review it in an expeditious 
manner and ascertain that the proposal, in fact, that the 
research questions being posed are ones that are important to 
our program, that the methodology that the proposal includes is 
one----.
    Chairman Thomas. As young people say, yada, yada, yada. The 
bottom line is, you will release that information to Johns 
Hopkins without the approval of the individual, and if Johns 
Hopkins tried to go through to get it from the State of 
Minnesota, they would have to follow a different procedure.
    Mr. Hash. I have to disagree with one statement you made, 
Mr. Chairman, and that is, we would not release it without the 
permission of the individual. The individual in Medicare has 
already given their authorization for the use of these data to 
advance the program.
    Chairman Thomas. Let me see, I believe the trigger was you 
won't get Medicare benefits if you don't sign this sheet.
    Mr. Hash. I don't believe so, Mr. Chairman. We have a 
variety of notices out there that when people sign up that 
indicates that there is a possibility that we would use 
personally identifiable data.
    Chairman Thomas. What is the turn-down ratio of Medicare 
benefits to people who refuse to receive Medicare benefits 
because they won't sign the release data?
    Mr. Hash. I am not aware that there are refusals, Mr. 
Chairman.
    Chairman Thomas. Well, all right, we can go around all 
night on this if you want to. The answer you have given me, 
once you filter all of the procedure, is Minnesota will not 
release that information to Johns Hopkins unless the individual 
person signs off or it goes through a very elaborate three-
denial check procedure.
    Johns Hopkins can come and get it from HCFA without the 
patient's knowledge, and in fact, although I know Johns Hopkins 
wouldn't do it, based upon my earlier questions, Johns Hopkins 
could provide the information, if they were someone other than 
Johns Hopkins, to somebody else and unless it was done naked, 
high noon in the town square, by the way you detect transfer of 
information, cruising the net, you wouldn't know that it was 
transferred.
    So all I am saying is it makes it very difficult for me to 
sit here and listen to you talk about building a floor and let 
the States go beyond the floor and have a structure that makes 
any sense at all because, as the sovereign, you are looking at 
the world, in my opinion, slightly differently than a private 
sector operation as reputable as Johns Hopkins in terms of its 
ability to get information.
    I understand why you are not concerned, you are the 
sovereign, but this information is essential and I might say in 
fact more valuable in some of the private research activities 
in which the only way they are able to get the information is 
to hide behind you, the sovereign.
    So when you talk about building a floor and letting States 
go beyond it, I think it gets kind of hypocritical when in fact 
that same entity can come to you and get the information they 
couldn't get from a State. It doesn't make a whole lot more 
sense to build a uniform system that protects in a uniform way 
and that lets folks opt-out in areas where there is general 
agreement that it is necessary to allow under the police powers 
of the State protections for those purposes, but otherwise a 
uniform, structured, secure, confidential, preemption 
arrangement is the better way to go.
    Gentleman from Maryland I know wants to inquire, and let me 
say before that, I am sorry he is no longer on the 
Subcommittee. I know he had to make a choice and under 
Democratic rules he became a powerful Ranking Member on another 
Subcommittee, and we don't have him here, but it is a pleasure 
to have him.
    Mr. Cardin. Well, thank you, Mr. Chairman, and let me thank 
you for your publicity on Johns Hopkins. I should point out it 
is my understanding that Johns Hopkins has a request before NIH 
for a research project related to dentistry. So I expect to get 
my friend from Wisconsin and my friend from California 
sponsoring that.
    Let me, if I might, try to follow through on some of these 
questions.
    In regards to individually identified medical records you 
are guided by the Privacy Act of 1974, I assume, and I have 
just tried to quickly read that statute and find that the 
language used there is significantly different than the 
language we are using here.
    I don't see, for example, fraud and abuse or quality 
assurance or research or public health spelled out the same way 
that we generally have used those terms, but I assume you 
believe there is statutory authority within the Privacy Act of 
1974 to release individually identified medical records for 
those particular purposes. And I guess my question to you is, 
we have been sort of dancing around this a bit, but if you were 
to be required to comply with State law and if the States had 
requirements for individual authorization for some of these 
uses, or a requirement that you individually notify the 
beneficiary of a request for information and an opportunity to 
opt-out without any further sanction to their Medicare 
benefits, is that workable for HCFA? Can you implement that? Is 
it costly to implement, and do you think that is good policy?
    Mr. Hash. Well, with regard to the last set of questions, 
Mr. Cardin, we do have a procedure on research protocols that 
involves contacting individual beneficiaries that gives them 
the prior right to indicate that they do not want to 
participate in such research protocols.
    Mr. Cardin. How fast can you implement that? Is that a 
pretty fast procedure?
    Mr. Hash. It is a pretty fast procedure. It usually 
involves a researcher who wants to draw a sample of our 
beneficiaries to contact them for some purpose that is outlined 
in their research proposal, and what we do is once we identify 
a sample, we actually write individual letters to them and give 
them this information about the opportunity to opt out if they 
do not wish to participate in it.
    Mr. Cardin. All right.
    Chairman Thomas. Will the gentleman yield briefly? Even 
Minnesota has a three follow-up kind of self-enacting 
operation. What does HCFA have if you write the letter and 
there is no response to the answer?
    Mr. Hash. We write the letter and then we require the 
researcher to wait a minimum of 10 days before contacting and 
then contact and reinquire as to whether the individual wants 
to participate or not, even though they have not replied to the 
letter they got from us.
    Mr. Cardin. If they don't reply, then that is assumed to be 
you can't release the information?
    Mr. Hash. This is a case again of, Mr. Cardin, when an 
individual beneficiary is contacted by a researcher who wants 
to interview them.
    Mr. Cardin. If you don't get notification, they don't 
reply, can you use the records or not, if the beneficiary 
doesn't respond?
    Mr. Hash. The researcher then may contact them and put the 
question again.
    Mr. Cardin. And there is still no response?
    Mr. Hash. They contact them directly, you know, orally, by 
telephone or by visit.
    Mr. Cardin. So you need to get written authorization before 
you release under that circumstance?
    Mr. Hash. I don't know that it requires a written release, 
but you have to get the authorization of the individual.
    Mr. Cardin. How do you know if you don't have it in 
writing?
    Mr. Hash. I don't have an answer for that, Mr. Cardin, but 
I think--well, except I think in the research protocol we 
actually ask them to document the records about how they 
contacted the sample.
    Mr. Cardin. Mr. Hash, my time is running out. I really want 
to get an answer to this.
    We don't know what the States could enact in this area. 
They could enact restrictions on your ability to use samples 
for fraud and abuse for all we know because of their protection 
on the individual's right of privacy, which is important. My 
question to you is, if the State of Maryland enacts a law that 
says you can't release information for fraud and abuse without 
specific authorization signed by the beneficiary, do you think 
that is a good policy to adhere to whatever the States indicate 
is the right policy on release of medical records?
    Mr. Hash. I would hope that that kind of a policy would be 
built into the Federal floor that we are talking about, and 
therefore, if there were a conflict with Maryland law, that the 
Federal floor would obviously prevail there, but it is a 
question of designing the requirements in a sound way in the 
Federal floor to make sure we speak to those kinds of things.
    Mr. Cardin. We are in complete agreement there, and I 
expect there would be a cost associated, as I think you have 
already responded, to trying to comply with 50 different State 
standards as it relates to notice to the beneficiary and 
authorization and opt-outs or things like that. There has got 
to be a cost associated with that.
    Mr. Hash. As I said, I think we need to address those 
issues in the context of what we require as a kind of uniform 
standard across all States.
    Mr. Cardin. And one last point, if I might, and that is 
that you said you were complying with the States to the extent 
possible. I was just handed the Maryland--someone compiled a 
book of all the different regulations--and in Maryland we have 
a requirement that insurers cannot disclose information except 
under a set of standards on release of information. Do you 
comply with the Maryland rules on disclosure of information 
currently?
    Mr. Hash. I am not familiar with what the Maryland rules 
are, Mr. Cardin, but I would assume they follow the same kind 
of procedures that we follow under the Privacy Act, but I 
think----.
    Mr. Cardin. They are different. I am trying to match them 
up, and they are clearly different standards. There are some 
areas that are covered here that are not covered in the Privacy 
Act. Some in the Privacy Act are not covered here.
    Mr. Hash. We follow the Privacy Act.
    Mr. Cardin. So you don't follow the Maryland general law on 
disclosure of medical information by insurers?
    Mr. Hash. I just would like to reserve the right to review 
the Maryland law and see whether, in fact, we do or don't. But 
without saying that, I am certain that we don't.
    Mr. Cardin. Is there a conscientious effort to review the 
laws of the 50 States to try to comply with their privacy acts?
    Mr. Hash. Not to my knowledge, Mr. Cardin, no. But when it 
is brought to our attention that someone asserts under a State 
law a particular right or privilege, obviously that would 
trigger our look at it and to see if there was a way that we 
could work with the State and the individual to work through 
that in a satisfactory manner. But as the Chairman points out, 
there is always a question of trying to balance the important 
rights of individuals to confidentiality and important rights 
of the State.
    Mr. Cardin. Well, I agree with your point and just 
appreciate your comment. We need to adopt adequate national 
standards in this area. I agree with the gentleman.
    Chairman Thomas. I thank the gentleman. Where is HCFA's 
headquarters?
    Mr. Hash. In Baltimore, Maryland.
    Chairman Thomas. I thank the gentleman.
    Gentlewoman from Connecticut wishes to do a follow up?
    Mrs. Johnson of Connecticut. Thank you, Mr. Chairman.
    I just wanted to go back to the issue of privacy. Under 
current practice at HCFA, do you routinely release individually 
identifiable health information to these contractors? I am 
talking about the payor contractor. I am talking about this 
1,400 or so other people.
    Mr. Hash. Researchers or other government agencies that 
have data use agreements with us, we do not routinely release 
individually identifiable data. It must go through the kinds of 
evaluation that I have outlined that are in our testimony 
before we do it. So we have a set of procedures to go through 
to determine when we will release.
    Mrs. Johnson of Connecticut. When do you ever need to 
release individually identifiable data? I can see why you would 
need to release disease and symptoms and treatment data, but 
why would you have to have the person's name?
    Mr. Hash. Well, for example, if we are engaged in an 
activity of collecting a third party liability, coordinating 
our benefits and trying to identify if the individual has 
another insurance policy that is liable----.
    Mrs. Johnson of Connecticut. I consider that a payment 
problem.
    Mr. Hash. OK. Within the context of research itself, there 
can be research projects--and I would defer to Dr. Hamburg here 
who is much more skilled in the research area than I am, but 
there can be research projects that advance our knowledge in 
terms of payment systems and how to do it more accurately or in 
terms of quality oversight that could require the use of 
personally identified information, but the presumption that we 
use at HCFA is that we start with the notion of trying to 
ascertain whether or not the research can be conducted 
successfully without personally identified information. That is 
where we start from, and only as a last resort do we agree to 
release personally identified information.
    Ms. Aronovitz. I might be able to offer one example. It 
would be a longitudinal study, for instance, where you are 
looking at a particular person over time and looking at their 
health status over time. You might want to be able to identify 
that person and their records.
    Mrs. Johnson of Connecticut. And that person has no right 
not to participate in that study? HCFA does not have to notify 
them that their data are going to be used on a longitudinal 
study?
    Ms. Aronovitz. This is going to sound a bit bureaucratic, 
but in fact the person has been notified through the routine 
use conditions of disclosure that HCFA has in terms of guiding 
whether it can give out information to researchers.
    Mrs. Johnson of Connecticut. I am interested that there are 
routine situations in which you would release somebody's 
personally identifiable information outside of HCFA. I mean, I 
understand for your payment system, but it seems to me that--
and I don't know what percentage of these use agreements 
involve the release of individually identifiable information. 
Do you have any? Any of you have any comment on that? Whether 
it is most of them or--.
    Mr. Hash. No. I think--as I say, I think our presumption is 
either to provide aggregated data whenever we can or at least 
encrypted data that is stripped of any individual----.
    Mrs. Johnson of Connecticut. I appreciate that. The thing 
is, you know, how many of your agreements provide individually 
identifiable and how many provide encrypted data.
    Mr. Hash. I would be happy to try to see if I can provide 
that for the record.
    Mrs. Johnson of Connecticut. I think we need to know that, 
because I think in any bill we need to directly confront this 
issue, and I personally think the burden is on us to make the 
case that we wouldn't have to get permission.
    [The following was subsequently received:]

    As of July 21, 1999, there are 4,377 data use agreements in effect. 
Of these, 2,924 involve identifiable data and 1,453 involve encrypted 
data. The majority are with government agencies and researchers under 
contract to do work for the government; only 515 are not with Federal 
or State agencies or researchers under contract to such agencies.
[GRAPHIC] [TIFF OMITTED] T4128.001

      

                                


    Mr. Hash. Let me say if I may, Mrs. Johnson, that another 
thing that comes to mind in terms of where an individual 
identifier might be necessary in a research project, is when 
someone might be trying to answer questions related to how 
people were treated across different settings where there are 
different data systems with the claims information, and the 
only way to access that data across the different settings, 
whether it is in-patient, hospital or outpatient or home health 
or skilled nursing, is by being able to have the identifier 
that can link the claims for an individual so that you can 
actually see what happens to the patient from a hospital 
episode to an outpatient episode to a home health episode and 
answer some research questions associated with appropriate 
types of care.
    So that is an example of where, in order to access the data 
on services that an individual has actually received, you can't 
get it unless you have an identifier number that links that 
data to a specific individual.
    Mrs. Johnson of Connecticut [presiding]. I think it is very 
concerning that people would not know when these data were 
going to be used, that, you know, agreements that you have 
literally no control over, you just really can't control the 
number of agreements you are going to have, and really this 
gives no privacy protection for Medicare participants when your 
agency has allowed access by a researcher to their files.
    So I think that we are not going to solve this here, but I 
think as we move through this bill--I mean, when I look at the 
battle that went on in H.R. 10 around privacy issues, health 
issues information is just so much more important to people 
individually that I think we are going to have to deal with 
this up front and clean, and we can't sort of mask it behind 
HCFA's judgment. At a certain point, if your information is 
going to be released with your name identified to it----.
    So, anyway, we need to move on to the next panel, but you 
get the gist of my concerns.
    Mr. Kleczka. I was waiting for the second round.
    Mrs. Johnson of Connecticut. Briefly. They want us to move 
on to the next panel because some of them have to leave.
    Mr. Kleczka. I agree with the gentlelady that where to draw 
that line is going to be very difficult for this Subcommittee 
and for this Congress. Ms. Hamburg, in your testimony you 
talked about the public responsibility. I agree with you that 
an individual's privacy and medical privacy can never be 
absolute. From the dialog that we have been listening to, some 
people are stating there is an absolute right for all these 
other entities and I am saying that is clearly wrong. I would 
rather err on the side of personal privacy than going that way.
    The gentlelady just referenced the bill we had before the 
House the other day on banking modernization, H.R. 10. I am 
sure you are aware of the controversy as it pertains to medical 
records in that bill. Do you want to comment on that and also 
briefly comment on this whole question of preemption? I am 
getting very confused here.
    First of all, we are told by the majority party that we 
have to defer to State rights because that is where all the 
knowledge and the power is. As a former legislator in the State 
of Wisconsin, I totally disagree with that. But, nevertheless, 
if they say so, maybe it is true.
    The Senate debated the Patients' Bill of Rights and, they 
argued that the States have to be recognized in their ultimate 
power over the rights of patients in medical care, and so the 
Senate only addressed the ERISA plans that cut down by almost 
two-thirds the number of people covered by that bill.
    Now on the other side of the Capitol, when it comes to 
medical privacy, the arguments is be damned with States' rights 
because we are the all-powerful and knowing.
    And so I am saying, Mrs. Johnson, to you and your 
Republican colleagues, make up your mind so I can get on the 
same script with you. I want to be helpful, but if States 
should have rights, let us do so. If States shouldn't have 
rights, I might buy into that program, but we can't have it 
both ways depending on the issue. The inconsistencies are 
abundant.
    Dr. Hamburg, would you want to respond--not to that last 
point, but to the previous point on the modernization bill?
    Dr. Hamburg. On H.R. 10?
    Mr. Kleczka. H.R. 10 and the preemption issue. Those are 
two big issues here.
    Dr. Hamburg. Starting with the preemption issue, I think 
obviously, as the discussion today has indicated and many other 
discussions in recent months, it is a very complicated issue. 
And as a relative newcomer to Washington and somewhat naive, I 
have to say that I was originally confused about where people 
were lining up on this issue. But I think that what we do all 
agree on is that there is a need for a strong and comprehensive 
set of national protections for privacy of health care 
information and that we need to be very thoughtful about what 
those are. We need to reflect many of the kinds of concerns 
discussed today, but we need a strong and comprehensive set of 
national standards.
    We think that, given how rapidly medical issues and 
technology are changing, how different certain States are in 
terms of the demographics and patterns of disease, and given 
that different States are in different places in terms of 
confidentiality and privacy protection laws at the present 
time, we don't want to put a straitjacket on States so that 
they can't be innovators and so that they cannot adapt to the 
unique needs of their States and their citizens, but I think we 
all absolutely agree on the need for a comprehensive set of 
national standards that have both breadth and depth to address 
the kind of concerns we are talking about today.
    With respect to H.R. 10, we think that the issue of medical 
privacy is sufficiently important and complicated that it 
should really be dealt with in a piece of legislation that is 
targeted to the issue of medical privacy and that it is a 
mistake to try to address it in a piecemeal fashion or as a 
rider to another bill. We would really be best served not to 
try to tinker with that, but instead to strike it all together 
and focus on this important set of issues through a piece of 
legislation that targets directly the issues we are discussing 
today.
    Mr. Kleczka. Thank you very much.
    Mrs. Johnson of Connecticut. I thank the panel for your 
testimony and we appreciate you being here this afternoon and 
let me call the next panel.
    Paul Clayton, Richard Smith, Janlori Goldman and Thomas 
Jenkins. The Chairman will be returning as soon as possible, 
but we will proceed.
    Good afternoon. We will start with Paul Clayton, Ph.D., 
Senior Informaticist, Intermountain Health Care, Salt Lake 
City, on behalf of the American Hospital Association. Please 
proceed, Dr. Clayton.

  STATEMENT OF PAUL D. CLAYTON, PH.D., SENIOR INFORMATICIST, 
 INTERMOUNTAIN HEALTH CARE, SALT LAKE CITY, UTAH, ON BEHALF OF 
               THE AMERICAN HOSPITAL ASSOCIATION

    Mr. Clayton. I am Paul Clayton of Intermountain Health 
Care, and I am also President of the American Medical 
Informatics Association, a member of the health privacy working 
group whose report was released last week, and I chaired the 
National Research Council's 1997 study ``For The Record: 
Protecting Electronic Health Information.''
    I am here today on behalf of the American Hospital 
Association, its 5,000 hospitals, health systems and other 
providers. The AHA supports strong Federal legislation 
establishing uniform national standards for all who use 
protected health information, with strong penalties for 
inappropriate use. Our comments today focus on how hospitals 
use and protect patient information. Our longstanding 
confidentiality principles cover a broader range of critical 
patient privacy issues, and I have attached them to my written 
statement.
    People who make these decisions affecting the health of 
patients must know about the medical and family history, 
allergies to drugs, previous diagnostic results, current 
medications, previous surgeries or therapies and chronic 
problems. Access to this information dramatically affects the 
level of care that can be provided.
    For the past 14 years, IHC has used clinical data systems 
to substantially improve patient care. Here are four examples.
    First, for inpatient prescriptions, a computerized order 
entry system warns physicians of potential allergies and drug-
to-drug interactions and calculates the ideal dose levels. That 
dose system has reduced adverse drug reactions by two-thirds.
    Second, improved management of mechanical respirators for 
patients with acute respiratory distress syndrome. In these 
most seriously ill patients, mortality rates fell from 90 to 60 
percent.
    Third, improved management of outpatient diabetic patients. 
The proportion of patients brought to normal blood sugar levels 
improved from less than 30 percent to more than 70 percent.
    And, fourth, accountability for our performance. IHC 
assembles and reports medical outcomes, patient satisfactions 
and cost outcomes for major clinical processes.
    These examples are all successful because patient 
identifiable information flowed smoothly among the providers 
that needed it.
    Two provisions in various proposals could stem that 
appropriate flow of information. The first is an opt-out where 
patients could pick and choose which health information 
providers could see. This mosaic of access restrictions could 
greatly hinder our ability to render care. For example, when a 
patient seeks care within our system, IHC laboratory analyzers 
feed the patient's blood tests directly into our computers. 
This improves our ability to make accurate results immediately 
available, but it also necessarily eliminates our ability to 
process laboratory tests without using the electronic medical 
record.
    Second, while we strongly support the development of policy 
to restrict access privileges, we are concerned that some 
proposals would require providers to limit the scope of 
disclosures to the minimum, however that is defined, amount 
necessary for the specific purpose at hand. This means 
providers must repeatedly predict the exact present and future 
implications for every piece of information. The intellectual 
effort needed to ensure each person's compliance becomes 
overwhelming.
    I have reviewed how we use patient information to improve 
care, and now I would like to review how we protect the 
information. Every employee, health care professional, 
researcher or volunteer must sign an agreement that they will 
only look at or share information for specific legitimate 
purposes of performing their health care delivery assignment. 
Each new employee undergoes training in IHC confidentiality 
policies which are set forth in a manual of more than 60 pages. 
We impose consequences, including termination, for improper use 
or handling of confidential information. We use audit trails to 
monitor and access the electronic patient records. In the 
electronic format, we are able to separate patient identifiers 
from the rest of the clinical record, and we require formal 
review, approval and oversight of research that uses patient 
data.
    Let me conclude by saying that the technology to protect 
patient information is available, but without a Federal mandate 
there is little incentive to make such an investment. We urge 
Congress to enact legislation that will help hospitals, 
physicians, nurses and others coordinate care and improve 
quality and, at the same time, protect our patients' medical 
information from misuse.
    Thank you.
    [The prepared statement and attachment follow:]

      Statement of Paul D. Clayton, Ph.D., Senior Informaticist, 
   Intermountain Health Care, Salt Lake City, Utah, on behalf of the 
                     American Hospital Association

    Mr. Chairman, I am Paul D. Clayton, PhD, senior 
informaticist at Intermountain Health Care (IHC) in Salt Lake 
City, UT. IHC is an integrated health care delivery system that 
operates in Utah, Idaho and Wyoming. The IHC system includes 23 
hospitals, 78 clinics and physician offices, 23 outpatient 
primary care centers, 16 home health agencies, and 400 employed 
physicians. In addition, our system operates a large Health 
Plans Division with enrollment of 475,000 directly insured, 
plus 430,000 who use our networks through other insurers.
    I am testifying today on behalf of the American Hospital 
Association (AHA), which represents nearly 5,000 hospitals, 
health systems, networks, and other providers of care. We 
appreciate this opportunity to present our views on an issue 
important to hospitals, health systems, and the patients they 
serve: the confidentiality of protected health information.

                       Protecting Patients' Trust

    Every day, thousands of Americans walk through the doors of 
America's hospitals. Each and every one of them provides 
caregivers information of the most intimate nature. They 
provide this information under the assumption that it will 
remain confidential. It is critical that this trust be 
maintained. Otherwise, patients may be less forthcoming with 
information about their conditions and needs-information that 
is essential for physicians and other caregivers to know in 
order to keep people well, ease pain, and treat and cure 
illness.
    If caregivers are not able to obtain and share patients' 
medical histories, test results, physician observations, and 
other important information, patients will not receive the most 
appropriate, high-quality care possible.
    Our members consider themselves guardians of this 
information. That is why AHA has long supported the passage of 
strong federal legislation to establish uniform national 
standards for all who use patients' personal medical 
information-what we refer to as protected health information. 
We have been asked to focus our comments today on how hospitals 
use and protect patient information to enhance the quality of 
the patient care they deliver. Our longstanding principles for 
the confidentiality of health information cover a broader range 
of critical patient privacy issues, and we have attached them 
for your information. We will measure any federal privacy 
legislation against these principles in their entirety.
    Confidentiality of health information is an issue that 
affects all of us personally. We live in a time of rapidly 
advancing technological improvement, when the world seems to 
get smaller as computers get more powerful and databases get 
bigger. This technological change can be positive--it has led 
to significant improvements for both health care providers and 
their patients--but it worries people who are justifiably 
concerned about how information about them will be used.
    In health care, we must take the steps necessary to protect 
that information from those who would misuse it. We need 
strong, uniform federal legislation to do it.
    First and foremost, because we as hospitals and health 
systems put our patients first, we must restore and maintain 
people's trust in the privacy and confidentiality of their 
personal health information. Federal legislation can do this by 
establishing a uniform national standard for the protection of 
this information--including genetic information--a standard 
that balances patient privacy with the need for information to 
flow freely among health care providers.

                   Privacy and Health Care Operations

    Health care is increasingly provided by groups and systems 
of providers, as opposed to individual providers. These new 
systems create opportunities for real improvements, but they 
rely heavily on a free flow of information among providers. 
Patient confidentiality is of the utmost importance. But in 
order to ensure that care can be coordinated and the patient's 
experience is as seamless as possible, information must be 
accessible to all providers who treat the patient.
    There is very little disagreement that access to 
information is important in the delivery of care to patients, 
and in the system of payment for that care. Controversy has 
developed, however, over the definition of ``health care 
operations''--those essential functions performed by providers 
to ensure that they maintain and improve the quality of the 
care they deliver, train current and future caregivers, and 
adhere to the laws and regulations that govern these daily 
activities. AHA believes that protected health information must 
be available to providers so that these functions can be 
performed efficiently and effectively.

             Information Breeds Health Care Success Stories

    At IHC, we believe, as does the AHA, that individuals who 
are making decisions that affect the health of another person 
must know about past medical and family history, allergies to 
drugs, previous diagnostic results, current medications, 
previous surgeries or therapies, and chronic and acute 
problems. Because the primary caregiver is not present all the 
time, because others are asked for consultive opinions, and 
because humans have limited memory, access to medical record 
information dramatically affects the level of care that can be 
provided. In some cases, the absence of information increases 
the cost of diagnosis and treatment by causing tests to be 
repeated because the results of an earlier tests are not 
available.
    Among the benefits of improved access are an enhanced 
ability to generate bills and collect payment, and to transmit 
information to payers and analyze the costs of providing care. 
Care is also improved when a caregiver has access to the 
medical record. A physician or other health care worker who 
knows what drugs a patient is taking, a list of previous 
problems, a history of family predisposition to certain 
illnesses, and current laboratory results, will make better 
decisions about how to diagnose and treat a patient.
    At IHC, we have, for the past 14 years, used clinical data 
systems to substantially improve patient care in a wide range 
of circumstances. Here are a few examples.
     Improved timing of delivery of pre-operative 
antibiotics to prevent serious post-operative wound infections. 
Our wound infection rate fell from 1.8 percent to 0.4 percent, 
representing, at just one of our 23 hospitals, more than 50 
patients per year who now do not suffer serious, potentially 
life-threatening infections. We also saved the cost of treating 
those infections, which, at that hospital, was estimated at 
$750,000.
     Improved support for inpatient prescriptions. A 
computerized order entry system warns physicians, at the time 
they place the order, of potential allergies and drug-to-drug 
interactions. It also calculates ideal dose levels, using the 
patient's age, weight, gender, and estimates of patient-
specific drug-absorption and excretion rates, based on 
laboratory values. That system has reduced allergic reactions 
and overdoses by more than two-thirds.
     Improved management of mechanical respirators for 
patients with acute respiratory distress syndrome. In the most 
seriously ill category of these patients, mortality rates fell 
from more than 90 percent to less than 60 percent.
     Improved management of diabetic patients in an 
outpatient setting. The proportion of patients brought to 
normal blood sugar levels improved from less than 30 percent to 
more than 70 percent. Major studies of diabetes demonstrate 
that this kind of shift in blood sugar translates to 
significantly less blindness, kidney failure, amputation and 
death. Others indicate it should reduce the cost of treatment 
for diabetes patients by about $1,000 per patient per year.
     Improved treatment of community-acquired 
pneumonia. By helping physicians more appropriately identify 
patients who needed hospitalization, choose appropriate initial 
antibiotics, and start antibiotic therapy quickly, we were able 
to reduce inpatient mortality rates by 26 percent. That 
translates into about 20 lives saved at 10 small rural IHC 
hospitals when we first worked on this aspect of care. It also 
reduced costs by more than 12 percent.
     Accountability for health care delivery 
performance. IHC has begun to assemble and report medical 
outcomes, patient satisfaction outcomes, and cost outcomes for 
major clinical care processes that make up more than 90 percent 
of our total care delivery activities. We aggregate and report 
those data at the level of individual physicians; practice 
groups; hospitals; regions; and for our entire system. We use 
the results to hold each health care professional and our 
system accountable for the care we deliver to our patients, and 
to set and achieve care improvement goals. We believe that this 
system will eventually allow IHC to accurately report our 
performance at community, state and national levels, and help 
individuals and groups make better health care choices.
    All of the examples above were successful because patient 
information--not just individual patient information, but also 
information about populations of patients--was available, and 
flowed smoothly among the providers that needed it.

         Potential Disruptions to the Free Flow of Information

    There are two provisions in various patient privacy 
proposals that could have the unintended effect of placing 
enormous barriers in front of providers' ability to 
appropriately use information for these and similar purposes.
    The first is what has been referred to as the ``opt out,'' 
where patients would have the ability to prevent providers from 
sharing the patient's information regardless of how important 
such a disclosure might be.
    The problem with such an opt out is that it sacrifices 
hospitals' ability to deliver high-quality care to the 
individual involved, as well as to other patients. For example, 
IHC's laboratory analyzers feed directly into our computer 
system. When we committed to that link, we not only 
significantly improved our ability to deliver excellent care to 
all of our patients, but also necessarily lost our ability to 
process blood laboratory tests without using the electronic 
medical record.
    In addition, a patient who might decide to prevent his or 
her records from being shared among providers is, effectively, 
reducing the quality of health care he or she may receive in 
the future. This is because, without access to that patient's 
records, providers simply cannot make well-informed decisions. 
At the same time, removing the patient's treatment information 
as a factor in overall health care statistics degrades the 
overall integrity of the health care information flow. In other 
words, if less is known, less can be learned, and the overall 
quality of care could be affected.
    The second potential problem we see being discussed is a 
requirement, included in several patient privacy proposals, 
that providers must limit the scope of medical information 
disclosures to no more than what is necessary for the specific 
purpose of the disclosure. Penalties would be levied, according 
to the proposals, presumably if too much information were to be 
provided.
    Health care providers, who deal with a mountain of 
information every day, simply cannot be expected to determine 
the exact need for every piece of information and the exact 
measurement of information that may be required to meet that 
need. The threat of penalties makes the proposals worse, and is 
sure to inhibit the free flow of important information. In 
addition, proper safeguards should already be in place that 
would prevent the misuse of patient information, so that 
requiring providers to justify each disclosure would be 
unnecessary.
    Proper policies and procedures will ensure that patient 
information is used only where it is needed to benefit the 
health care services provided to an individual patient, or to 
improve the overall health care system through statistics and 
analysis.

                    Safeguarding Patient Information

    IHC and the AHA support strong, uniform federal 
confidentiality standards that buttress our health care 
delivery and clinical research work. IHC has placed appropriate 
protection of patient confidentiality and privacy at the 
forefront of our institutional values. Those values complement 
a parallel mission to provide the best possible health 
maintenance and disease treatment to those who trust their care 
to our hands. Achieving this requires the use of population-
level patient data as well as individual patient data.
    IHC uses enforceable corporate policy to maintain 
confidentiality not just for patients, but for health care 
professionals and employees as well, in those areas that are 
clearly health care delivery operations (such as direct patient 
care delivery; billing for services; quality review of 
individual patient records, including mortality and morbidity 
conferences; resource planning; unit performance evaluation; 
quality improvement and disease management; and retrospective 
epidemiologic evaluations of program performance). The core of 
these policies and enforcement activities include:
     We require every employee, health care 
professional, researcher or volunteer to sign a confidentiality 
agreement stating that they will only look at or share 
information for the specific purpose of performing their health 
care delivery assignment on behalf of our patients. We require 
each new employee to undergo training in IHC confidentiality 
policies, which are set forth in a manual that numbers more 
than 60 pages and represents more than five years of discussion 
and cross-testing.
     We impose consequences--including termination--for 
improper use or handling of confidential information.
     To the extent that we have implemented an 
electronic medical record, we are able to monitor access to 
patient records (an ability not available for paper records). 
We use that system as one important method of monitoring and 
enforcing our confidentiality policy. We utilize software 
controls, including warnings on log-on screens, unique log-on 
passwords, and computerized audit trails. In the near future, 
we hope to bring on-line the ability of all patients to review 
a list of every individual who has accessed their electronic 
medical record for any purpose.
     We segregate our electronic databases, separating 
patient identifiers from the remainder of the clinical record. 
Outside of direct patient care and individual record review for 
quality assurance, most health care delivery operations do not 
require access to identifiable data. IHC's data access policies 
regulate access to patient information using strict ``need to 
know'' criteria by job description. While we afford tight 
access control to all of our information, the identifiable 
portion of the record receives the highest level of protection.
     We are studying ways to segregate the core 
clinical record itself, so that particularly sensitive 
information--for example, HIV status, reproductive history, or 
mental health status--are only available on a strict ``need to 
know'' basis, even to the front-line care delivery team.
    In addition, we require full institutional review board 
(IRB) review, approval and on-going oversight for any research 
project that involves experimental therapy, patient 
randomization among treatment options, or patient contact for 
research purposes. Indeed, the IHC system has 12 IRBs, but we 
do not look to them as our sole--or even our primary--means to 
protect confidentiality. Most of the risks to patient 
confidentiality come in day-to-day care, as physicians and 
nurses routinely access identifiable patient medical records, 
both paper and electronic, to deliver care. Instead, we rely 
upon the extensive array of enforceable policies and procedures 
listed above.
    If IRB review of each of these health care operations were 
required, many--if not most--of the operational care delivery 
and health outcome improvements described earlier could not 
function on a day-to-day basis. The volume of review would be 
staggering, far beyond the capacity of any reasonable system of 
individual review and follow-up oversight.

                               Conclusion

    As an integrated health care delivery system, IHC is 
responsible for the health outcomes of the patients who seek 
care from our system. In order to treat our patients and 
improve the health outcomes of the entire population we serve, 
we must be able to share information among IHC entities--our 
physicians, our hospitals, and our health plans. IHC has 
developed state-of-the-art electronic medical records and 
common databases to facilitate this communication, to make sure 
our physicians have complete information when treating patients 
. We have put in place an extensive array of enforceable 
confidentiality protections that are constantly updated and 
improved.
    We urge this panel to ensure that confidentiality 
legislation does not unintentionally prevent the creation of 
these common internal, operational databases, or limit the 
types of data that can be shared within an integrated delivery 
system. Such action would severely limit a health system's 
ability to measure and improve the health care it delivers.
    The outstanding care that physicians, nurses and others 
deliver at IHC and in hospitals and health systems across 
America relies more and more on coordination of care and on 
effective quality improvement. Individually identifiable health 
information is integral to such operations, and the free flow 
of this information--properly safeguarded from misuse--is 
critical to our ability to continue providing high-quality 
health care for patients and communities.

                     American Hospital Association

Principles for Confidentiality of Health Information

    Every day, thousands of Americans walk through the doors of 
America's hospitals. Each and every one of them provides caregivers 
information of the most intimate nature. They provide this information 
under the assumption that it will remain confidential. It is critical 
that this trust be maintained. Otherwise, patients may be less than 
forthcoming with information about their conditions and needs--
information that is essential for physicians and other caregivers to 
know in order to keep people well, ease pain, and treat and cure 
illness.
    If caregivers were not able to obtain and share patients' medical 
histories, test results, physician observations, and other important 
information, patients would not receive the most appropriate, high-
quality care possible. Our members consider themselves guardians of 
this information, which is why AHA has long supported the passage of 
strong federal legislation to establish uniform national standards for 
all who use health information.
    In health care, we must take the steps necessary to protect 
patients' confidential information from those who would misuse it. We 
need strong, uniform federal legislation to do it. 

AHA goals for legislation 

    First and foremost, because we as hospitals and health systems put 
our patients first, we must restore people's trust in the privacy and 
confidentiality of their personal health information. Federal 
legislation can do this by establishing a uniform national standard for 
the protection of health information--including genetic information--a 
standard that balances patient privacy with the need for information to 
flow freely among health care providers. The AHA believes that federal 
confidentiality legislation must meet the following goals:
     Allow patients and enrollees access to their medical 
information, including the opportunity, if practical, to inspect, copy, 
and, where appropriate, add to the medical record. Patients have a 
right to know what information is in their records. This level of 
accountability encourages accuracy and has the added benefit of 
encouraging patient involvement in their care.
     Preempt state laws that relate to health care 
confidentiality and privacy rights, with the exception of some public 
health laws. Health care today is delivered through providers that are 
linked together across delivery settings, and in organizations that 
cross state boundaries. AHA believes that the best way to set important 
standards for confidentiality of health information is to do so 
uniformly--through a strong federal law. This law must be both a floor 
and a ceiling, preempting all state laws with which it may conflict, 
weaker or stronger. Only through such a uniform law can patients' 
confidential information be equally protected regardless of the state 
in which they live or travel.
     Be broad in its application, covering all who generate, 
store, transmit or use individually identifiable health information, 
including but not limited to providers, payers, vendors, and employers. 
Patient confidentiality cannot be ensured unless standards are applied 
to all who may have access to their health information. Legislation 
should cover all types of individually identifiable health information, 
including sensitive issues such as substance abuse, mental health, and 
genetic information.
     Strike an appropriate balance between patient 
confidentiality and the need to share clinical information among the 
many physicians, hospitals and other caregivers involved in patient 
care. Care is increasingly provided by groups and systems of providers 
as opposed to individual providers. These new systems create 
opportunities for real improvements, but they rely heavily on a free 
flow of information among providers. Patient confidentiality is of the 
utmost importance. But in order to ensure that care can be coordinated 
and the patient's experience is as seamless as possible, information 
must be accessible to all providers who treat the patient.
     Recognize that a hierarchy of need exists among users of 
health information. Access to individually identifiable information is 
essential for patient care. Such access may also be necessary for 
provider and health care system efforts to measure and improve the 
quality of care. All internal and external uses of patient information 
must be evaluated as to whether the use of individually identifiable 
information is justified.
     To limit its potential misuse, all within the health 
system should restrict the availability of individually identifiable 
information. Technology is available to do this, through encryption, 
audit trails, and password protection, for example. Another method for 
restricting the availability of individually identifiable information 
is to aggregate information whenever possible. Patients should be 
assured that unique, identifiable information about them is available 
for their treatment, but that its availability for other uses is 
tightly controlled.
     Include sufficient civil and criminal penalties to deter 
inappropriate disclosure of individually identifiable information. The 
level of such sanctions should vary according to, the severity of the 
violation. At the same time, any penalty imposed must take into account 
good-faith efforts by providers who establish data safeguards, educate 
employees about complying with these safeguards, and attempt to 
maintain secure recordkeeping systems.
      

                                


    Mrs. Johnson of Connecticut. Thank you very much, Dr. 
Clayton.
    Dr. Richard Smith, Professor of Psychiatry at the Centers 
for Mental Health Services Research, University of Arkansas on 
behalf of the American Medical Colleges.
    Dr. Smith.

    STATEMENT OF G. RICHARD SMITH, JR., M.D., PROFESSOR OF 
  PSYCHIATRY AND MEDICINE, UNIVERSITY OF ARKANSAS FOR MEDICAL 
  SCIENCES, ON BEHALF OF THE ASSOCIATION OF AMERICAN MEDICAL 
                            COLLEGES

    Dr. Smith. Thank you, Mrs. Johnson and Members of the 
Subcommittee. I am Dr. G. Richard Smith from the University of 
Arkansas for Medical Sciences, a practicing psychiatrist and 
director of one of the Nation's largest mental health services 
research groups as well as our college of medicine's health 
services research program. I am speaking today on behalf of the 
Association of American Medical Colleges, the AAMC.
    AAMC strongly supports the general intent of current 
congressional efforts to strengthen the protection of 
individual's personally identified health information from 
inappropriate and harmful misuse that can lead to 
discrimination or stigmatization. In the interest of public 
health, this protection should take into account the need for 
health services and biomedical researchers to have ready access 
to archival materials on relevant populations required to 
generate meaningful conclusions regarding the incidents and 
expression of diseases in specified populations, the beneficial 
and adverse outcomes of particular therapies and the medical 
effectiveness and economic efficiency of the health care 
system.
    In attempting to deal with the difficult issues of medical 
information confidentiality, legislative efforts should be 
directed toward requiring the establishment of strong 
administrative, technical and fiscal safeguards to protect the 
confidentiality, security, accuracy and integrity of 
information that directly identifies an individual. Legislation 
should also specify stiff criminal, civil and administrative 
penalties for intentional or recklessly negligent actions that 
violate medical information confidentiality. With such 
stringent security requirements in place, AAMC believes 
legislation should refrain from attempting to construct 
elaborate barriers to the relatively unimpeded flow of medical 
information that is required for the promotion of a 
comprehensive national agenda medical research.
    In particular, the AAMC is concerned about secondary 
research which utilizes patients records as research material 
and does not involve interaction with individual patients. For 
example, mental health services research on patient records has 
established that pediatric patients treated for attention 
deficit disorder, or ADHD, were far less likely to use and 
become dependent upon illegal drugs during young adulthood than 
people with ADHD who did not receive appropriate information.
    Archival data was also critical to establishing the 
postmarketing safety and effectiveness of drugs. Since many 
patients with major mental illness require long-term medication 
treatment, the effects of chronic use of new drugs cannot be 
adequately assessed in conventional premarketing clinical 
trials. The consequences can only be recognized by 
retrospective study of large populations over prolonged periods 
of time. Archival data were essential in establishing the 
safety of a new generation of antidepressant drugs on the 
fetuses of mothers who had been receiving these drugs 
chronically for the treatment of depression.
    In sum, access to archival data is critical to assuring the 
health of patients with mental illness, just as with any other 
medical illness. Archival data also help us to identify the 
relative contribution of genetic, environmental and 
developmental factors related to the risk of specific mental 
disorders in families across generations.
    The uncertainty and predictability of secondary research 
make the applicability and traditional informed consent 
procedures problematic. For secondary research using medical 
information that is individually identified, the AAMC believes 
a statutory requirement of specific authorization would be 
unwise and could seriously bias and therefore undermine the 
integrity of vital research databases. Rather, the Association 
recommends that all such proposed research should be reviewed 
by an institutional review board or equivalent mechanism to 
ensure that research is credible, the need for individually 
identifiable medical information is legitimate and the 
investigators have in place confidentiality policies and 
procedures required by statutes.
    Patients' confidence in the medical research use of their 
personal medical information would be greatly enhanced by the 
inclusion of a statutory assurance of confidentiality as 
provided in S. 881, sponsored by Senator Bennett, and H.R. 
2470, sponsored by Representative Greenwood. Such an assurance 
would prohibit any unauthorized attempts to gain access for 
nonresearch purposes to individually identified health 
information contained in research databases.
    The AAMC strongly supports the position of new Federal 
information privacy legislation preempting State privacy laws. 
There is a compelling Federal interest in ensuring that medical 
research is facilitated and not hindered by this disorganized 
patchwork of State privacy laws. The AAMC commends this 
Subcommittee for convening this hearing to address the need for 
confidentiality legislation and the efforts of Chairman Thomas 
and Representative Cardin in crafting legislation that would 
enhance security of medical records.
    This concludes my statement, and I would be happy to answer 
any questions the Committee has.
    [The prepared statement follows:]

 Statement of G. Richard Smith, Jr., M.D., Professor of Psychiatry and 
Medicine, University of Arkansas for Medical Sciences, on behalf of the 
                Association of American Medical Colleges

    Mr. Chairman and members of the Subcommittee, I am Richard 
Smith, M.D., Professor of Psychiatry and Medicine at the 
University of Arkansas for Medical Sciences. I am a practicing 
psychiatrist and also conduct mental health services research. 
I lead the Centers for Mental Health Services Research at the 
University of Arkansas, which is one of the nation's largest 
mental health and services research groups, as well as our 
College of Medicine's health services research program. I am a 
recent past member of the National Mental Health Advisory 
Council for the National Institute of Mental Health (NIMH). I 
also chaired the NIMH Initial Review Group for mental health 
services research, which reviews virtually all of the mental 
health services research grant applications submitted to NIMH.
    I am speaking today on behalf of the Association of 
American Medical Colleges (AAMC). The AAMC represents the 
nation's 125 accredited medical schools, nearly 400 major 
teaching hospitals and health care systems, more than 87,000 
faculty in 89 professional and scientific societies, and the 
nation's 67,000 medical students and 102,000 residents.
    The AAMC strongly supports the general intent of current 
Congressional efforts to strengthen the protection of 
individuals' personally identified health information from 
inappropriate and harmful misuse that can lead to 
discrimination or stigmatization.
    Confidentiality legislation must acknowledge the compelling 
public interest in continuing to ensure access to patient 
records and other archival materials required to pursue 
biomedical, behavioral, epidemiological and health services 
research. Medicine has always been, and largely remains to this 
day, an empirical discipline, and the history of medical 
progress has been created over many centuries from the careful, 
systematic study of normal and diseased individuals. From those 
studies has emerged our present level of understanding of the 
definition, patterns of expression and natural history of human 
diseases, and their responses to ever improving strategies of 
diagnosis, treatment, and prevention. In particular, health 
services researchers continue to depend upon the ready 
accessibility of archival materials to collect the large and 
appropriately structured and unbiased population samples 
required to generate meaningful conclusions regarding the 
incidence and expression of diseases in specified populations, 
the beneficial and adverse outcomes of particular therapies, 
and the medical effectiveness and economic efficiency of the 
health care system. Indeed, in the present climate of major 
public concern about the costs, quality, and efficiency of our 
rapidly changing health care delivery system, the need to 
support and promote such retrospective epidemiological and 
health services research has become an urgent priority.
    The AAMC strongly believes that in attempting to deal with 
the difficult issues of medical information confidentiality, 
the most feasible and effective approach is not to erect costly 
and burdensome new barriers to accessing medical information 
required to conduct research. Rather, legislative efforts 
should be directed, as most of the current proposals attempt to 
do, toward requiring the establishment of strong 
administrative, technical and physical safeguards to protect 
the confidentiality, security, accuracy and integrity of 
information that directly identifies an individual. Included 
among these safeguards should be strong institutional policies 
of confidentiality, which might appropriately meet federal 
standards to be developed. To complete the ``security 
package,'' legislation should specify stiff criminal, civil, 
and administrative penalties for intentional or recklessly 
negligent actions that violate medical information 
confidentiality. With stringent security requirements of this 
kind in place, the AAMC believes that legislation should 
refrain from attempting to construct elaborate barriers to the 
relatively unimpeded flow of medical information that is 
required for the promotion of a comprehensive national agenda 
of medical research.
    Given the substantial penalties contained in the 
confidentiality bills now in draft or under consideration, it 
is imperative that bills' definitions be crafted with great 
clarity. Of particular importance is the definition of 
``individually identifiable health information,'' the class of 
medical information most in need of protection from 
inappropriate disclosure and harmful misuse, and 
correspondingly of ``non-individually identifiable health 
information,'' the class that would fall outside the purview of 
confidentiality legislation. The AAMC believes that the 
protected class of medical information should be sharply 
circumscribed and limited to ``information that directly 
reveals the identity or provides a direct means of identifying 
an individual.'' Such a definition is least ambiguous and 
incorporates the sum and substance of the information that the 
public is most concerned to protect.
    Correspondingly, the definition of ``nonidentifiable health 
information'' should encompass ``information that does not 
directly reveal the identity of an individual.'' This 
definition should explicitly include coded or encrypted 
information (sometimes called ``anonymized''), whether or not 
the information is linkable to individuals, as long as the 
encryption keys are secured and kept separate from the 
encrypted information itself. The justification for including 
encrypted, linkable information in the definition of 
nonidentifiable health information is significantly 
strengthened by adding additional provisions that make it a 
crime to attempt to use encrypted patient data to discover an 
individual's identity by any means other than the lawful use of 
an encryption key.
    The AAMC believes that a set of properly constructed 
definitions of protected health information and nonidentifiable 
health information will serve both to foster medical research 
and establish an incentive system for using nonidentifiable 
health information in such research to the maximum extent 
practical.
    The AAMC is especially concerned about the conduct of 
secondary research on archival patient materials. These studies 
utilize patient records as primary research materials and do 
not involve interaction with individual patients. In mental 
health services research, for example, secondary research on 
patient records has established that pediatric patients treated 
for attention deficit disorder (ADHD) were far less likely to 
use and become dependent upon illegal drugs during adolescence 
and young adulthood than patients with ADHD who had not 
received appropriate treatment. Archival data were essential in 
recently establishing the safety of the new generation of 
antidepressant drugs (selective serotonin reuptake inhibitors) 
on the fetuses of mothers who had been receiving these drugs 
chronically for the treatment of depression. As these examples 
suggest, archival patient data are critical to establishing the 
post-marketing safety and effectiveness of drugs. Since many 
patients with major mental illness require long-term medication 
treatment, and the effects of chronic use of new drugs cannot 
be adequately assessed in conventional pre-marketing clinical 
trials, the consequences can only be recognized by 
retrospective study of large populations over prolonged periods 
of time. In sum, access to archival data is critical to 
assuring the health of patients with mental illnesses.
    Archival data can also be useful in identifying risk 
factors related to the onset of a mental illness. For example, 
there continues to be strong interest in the role of genetic 
factors in the etiology of major mental illnesses such as 
schizophrenia, bipolar disorder, major depression and obsessive 
compulsive disorder. In seeking clues that could help to direct 
future research in this area, it is critical for researchers to 
be able to access archival patient care records, for example, 
of deceased family members of patients involved in genetic 
studies. It is possible that mental illnesses that are now not 
linked in any way might be found to cluster in families in a 
manner that suggests a common genetic etiology. Archival data 
can also help to clarify the relative contribution of genetic, 
environmental and developmental factors related to risk of 
specific mental disorders in families across generations.
    In contrast to the typical interventional clinical research 
study, in which researchers directly interact with patients in 
well-defined protocols and can provide them with the detailed 
information required for informed consent, the uncertainties 
and unpredictability of secondary research make the 
applicability of traditional informed consent procedures 
problematic. Accordingly, under the provisions of the federal 
Common Rule, such retrospective research has been singled out 
for special attention and, under the criterion that the 
proposed research is commonly deemed to be of no more than 
minimal risk to research subjects, has typically been handled 
by Institutional Review Boards (IRBs) by use of the expedited 
review mechanism, or even on occasion, by wavier of review.
    For secondary research using medical information that is 
individually identified, i.e. that fall within the definition 
of protected health information, the AAMC believes that a 
statutory requirement of specific authorization would be unwise 
and could seriously bias, and thereby undermine the integrity 
of these vital research databases. Rather, the Association 
recommends that all such proposed research must be reviewed by 
an IRB or equivalent mechanism. The reviewing body should be 
required to determine that (1) the organizational setting in 
which the research will be conducted is in conformity with 
statutory requirements for safeguarding medical information 
confidentiality; (2) the research requires the use of 
individually identifiable patient information and could not be 
performed without it; and (3) it would not be practicable or 
feasible for the investigators to attempt to obtain individual 
informed consent from the subject population. Such a review 
procedure would sufficiently protect the privacy interests of 
the research subjects, while at the same time continuing to 
facilitate the conduct of a broad spectrum of beneficial 
secondary research on archival patient materials. Instead of 
mandating specific consent for secondary research, the 
Association recommends that IRBs or other equivalent review 
bodies should continue to review such research and determine 
whether specific consent is necessary on a project by project 
basis.
    In addition, AAMC firmly believes that patients' confidence 
in medical research uses of their personal medical information 
would be greatly enhanced by the inclusion of a ``statutory 
assurance of confidentiality'' as provided by S. 881 sponsored 
by Senator Bennett and H.R. 2470 sponsored by Rep. Greenwood. 
Such an assurance would prohibit any unauthorized attempts to 
gain access for non-research purposes to individually 
identifiable health information contained in research 
databases, including Federal, State, or local civil, criminal, 
administrative, legislative, or other proceedings. 
Consequently, researchers could confidently assure patients 
that all individually identifiable medical information that 
might be used in the course of research would be shielded from 
forced disclosure to anyone, including family members, 
employers, insurers, health care organizations or legal or 
judiciary processes.
    The ``statutory assurance of confidentiality'' provision is 
modeled on the existing Certificate of Confidentiality issued 
by the National Institutes of Health on a project by project 
basis. The origin of the Certificate of Confidentiality dates 
back to the Vietnam War era. Scientists and policy makers were 
very concerned about the extent of heroin use by our soldiers 
in Vietnam--and the danger that they might be permanently 
addicted when they returned to the United States. Since heroin 
possession was then--and is--a crime, it would have been 
impossible to enlist the subjects necessary to conduct a 
follow-up study of heroin use in the US by these ex-GIs. The 
grant of confidentiality enabled scientists to track a cohort 
of former service men, to collect urine to screen for drugs, 
and to conduct detailed interviews. The study documented an 
extremely low percentage of heroin use in the US by former 
users in Vietnam. The Certificate of Confidentiality has been 
applied to other studies in the addictions field, for example, 
to the studies that demonstrated the effectiveness of Methadone 
substitution therapy for heroin addicts, and it continues to be 
crucial to much clinical research in this area.
    The AAMC strongly supports the argument that new federal 
legislation dealing with medical information privacy be 
preemptive of state privacy laws, with the exception of those 
state laws dealing with public health reporting requirements, 
which are well established, time tested and closely integrated 
with the nationwide data collection and evaluation activities 
of the Centers for Disease Control and Prevention. The 
Association recognizes that this recommendation is 
controversial, but argues that the support of medical research 
is a long-established and high priority of the federal 
government, and that there is therefore a compelling federal 
interest in ensuring that medical research is facilitated, and 
not hindered or blocked by a discoordinated patchwork of 
burdensome state privacy legislation. Much contemporary medical 
research, especially epidemiological and health services 
research, requires access to large, unbiased population samples 
encompassing many states. Accordingly, the Association 
recommends that any new federal confidentiality legislation 
should over-ride state laws to ensure consistent nation-wide 
governance of access to archival patient materials for 
research. The Association is troubled by legislation that allow 
states to enact tougher privacy laws or carve-out certain 
disease-specific state statutes from federal pre-emption. While 
acknowledging the sensitivity of this issue, we point out that 
many different diseases are considered especially sensitive by 
those who suffer from them and their advocates, and to single 
out a particular type of information, such as mental health 
records, for special protection opens a loophole in the 
intended federal preemption that the AAMC believes would prove 
very difficult to limit.
    The impact of managed behavioral health care on mental 
health services has been profound. The health insurance 
programs of more than 162 million Americans requires them to 
access mental health services through these carve-out 
companies. The major companies offer services across the 
country. The positive side of managed behavioral health care is 
that it has made parity of health care coverage for mental 
illness a realistic option. In addition, the companies have 
been able to amass a great deal of information on the mental 
health services being provided to the US population. On the 
down side, controversies abound regarding the quality of care 
in some managed behavioral health care programs. Health 
services researchers have a great opportunity and 
responsibility to help the American public to assess the 
quality of mental health services in these programs. This is 
not an issue that can be stopped at a state line. It is 
critical that managed behavioral health care companies be 
encouraged to work with the health services research community 
to assess quality of treatment outcomes, and that federal law 
pre-empt state privacy laws that would make this impossible.
    The AAMC commends this Subcommittee for convening this 
hearing to address the need for confidentiality legislation and 
the efforts of Chairman Thomas and Rep. Cardin in crafting 
legislation that would enhance the security of medical records. 
The Association urges Congress to be mindful of the fact that 
the facilitation of biomedical, epidemiological and health 
services research is a compelling public priority that has 
served this nation well and offers bright promise for the 
future of human health. The AAMC strongly believes that the 
combination of statutory safeguards of the security of 
individually identifiable medical information, stiff penalties 
for violations, and the creation of special protections for 
medical information that is created in research and maintained 
in research databases, as we have suggested, make it 
unnecessary to elaborate new, burdensome and potentially 
chilling restrictions of access to medical information for 
purposes of retrospective non-interventional research.
      

                                


    Mrs. Johnson of Connecticut. Thank you very much.
    Ms. Janlori Goldman, Director of Health Privacy Project for 
the Institute for Health Care Research and Policy. Nice to have 
you.

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, 
   INSTITUTE FOR HEALTH CARE RESEARCH AND POLICY, GEORGETOWN 
                           UNIVERSITY

    Ms. Goldman. Thank you for inviting me to testify here 
today. I appreciate it.
    As you said, I am the Director of the Health Privacy 
Project at Georgetown University. I have been working on 
privacy and medical privacy issues for almost 13 years. What I 
would like to ask is that a revised version of my testimony, a 
neater version and one on disk, be allowed to be submitted for 
the record at a later date.
    Mrs. Johnson of Connecticut. So ordered.
    Ms. Goldman. Thank you.
    When I started the health privacy project a year and a half 
ago, I tried to position health privacy issues in a way that is 
a little bit different than how we tended to look at it in the 
past, to see protecting privacy as a critical goal to improving 
the quality of care in this country and access to care. We have 
tended to view these as values in conflict, and what we have 
found in some of our recent research is that protecting privacy 
is critical to improving health care in this country and in 
opening doors to access.
    In a recent survey that came out in January it was 
documented that one out of every six people in this country 
withdraw from fully participating in their own health care 
because they are afraid that their records will not be 
protected, so they don't fully disclose to their doctors, they 
leave information out. Sometimes they pay out of pocket to 
avoid having to file a claim or they don't seek care at all. So 
the quality of their care is undermined in those circumstances, 
and the information that is available downstream for public 
health and research is also undermined.
    So I truly believe that we need to enact strong privacy 
legislation in order to give the public trust and confidence 
that this Nation's health care system will protect their 
privacy.
    You are all well aware Congress has imposed on itself a 
deadline of August 21 to enact comprehensive legislation or the 
Secretary will issue regulations. When we started the Project, 
we tried to identify what is missing in the debate, what 
contribution can we make, and we decided that we would bring 
together the diverse stakeholders in the debate, the health 
plans, doctors, ethicists, mental health advocates, those 
representing people with AIDS and others, to say can we reach 
outside of the glare of the legislative spotlight, can we reach 
some common ground on a set of best principles for health 
privacy.
    I had the privilege of working with Dr. Paul Clayton on 
that working group, and I included for you a copy of the 
working group's principles. I want to just highlight--we 
released this report last week, so we are just in time for the 
deadline--just a few of the key findings that we made.
    We want to reverse the status quo and encourage people to 
use nonidentifiable data wherever they can, and to put in some 
real protections for individuals by having authorization 
requirements that are more meaningful than we heard about in 
the first panel, and to provide some oversight, some 
accountability for all research that is conducted in this 
country, not just the research that receives Federal funds and 
is covered by the common rule.
    We were able to reach that common ground, and I think we 
have a lot to be proud of, and I hope that Congress will look 
and see if there is some guidance that you can find in this 
report as you move forward.
    The second thing that we did, which we just released this 
morning and which has already been referred to by Congressman 
Cardin, is a report that is a comprehensive survey of the 50 
State health privacy laws. That has never been available until 
today. And so when the question was asked earlier, well, do you 
comply with the 50 State laws, the truth is no one has known 
what they are. So today we released this report.
    We have a summary of every State's law. You can look at 
your State of Connecticut, you can look at your State of 
Wisconsin and say what protections are provided to our 
citizens. And so when you are looking at this issue of 
preemption, which is one of the most controversial issues in 
the debate, you can say, what would be the impact on my State's 
law? What has my State done in moving forward to protect 
privacy?
    Now, one of the things that we found in our State report, 
which I think is very important, the State law in this area is 
not simple, and it is not easy to find, which is why it took us 
so long and so many people to put this together. There is a lot 
of law, and it exists in the nooks and crannies of the States' 
code. There are very few examples, although Wisconsin is a 
shining exception, of comprehensive law. There are very few 
States that have enacted comprehensive health privacy law. They 
tend to legislate by entity. They might have restrictions on 
hospitals, health plans or doctors, but they don't tend to take 
a very comprehensive view. But what the States have done in a 
very, I think, responsive and responsible way, is to enact 
condition-specific rules. So for people, for instance, who want 
to seek genetic testing, for people with mental illness or 
communicable disease, the cancer registries and other kinds of 
disease registries, the States have been very responsive to 
protecting the needs of their citizens in those areas. We need 
to be cautious and look at those laws before we talk about 
creating a Federal ceiling.
    What we also found is that some of the State laws are weak 
and some are strong, but they are for the most part very 
detailed and nuanced. I want to make a final point about the 
State laws. When we talk about uniformity, and this is the big 
discussion we are all having, how do we create uniformity. I 
think we all agreed that in this complex, health care 
environment with managed care and integrated health data 
networks, we all need uniformity to have good quality care in 
this country. The question is if we set the bar high enough at 
the Federal level, in other words, if we enact strong enough 
protections at the Federal level so that we don't have to worry 
about wiping out stronger laws that already exist at the State 
level, we don't have to worry about passing or enacting a 
Federal ceiling, because we will have done the best that we can 
do to create a baseline of protections for people in this 
country.
    I think we want to be very careful and respect what the 
States have already done. The States have been very responsive. 
We don't want to tie the hands of the State in being able to 
respond to future public health threats. Many of the State laws 
on the books were enacted to respond to a particular public 
health threat or a public health concern. Again, the number one 
barrier to people receiving genetic testing is they are afraid 
of how that information will be used by somebody else, in 
employment, in insurance, so the States are moving forward to 
protect, to enact protections, to encourage people to get these 
critical tests that can help improve their care, so they have 
been able to respond to these concerns. We need to be mindful 
of the regulatory powers of the State and the details of the 
State law. So I just suggest some caution. The State report, by 
its title suggests there is an uneven terrain in the States, 
but I don't want to suggest it is an unimportant terrain. The 
States have done a lot of good in this area.
    In conclusion, we should ensure that a Federal law does not 
weaken or erode the critical protections that already exist at 
the State level. Consumers have come to rely on those State 
laws for whatever protections do exist in the absence of a 
Federal law. If we do, we will jeopardize their health care and 
we might undermine their trust in public health and research. 
We should do our best to make that floor as high a level of 
baseline protections as possible.
    Thank you very much.
    [The prepared statement follows:]

    Statement of Janlori Goldman, Director, Health Privacy Project, 
  Institute for Health Care Research and Policy, Georgetown University

    Chairman Thomas and Members of the Subcommittee:
    Thank you for the opportunity to testify before you today 
on the issue of health privacy. I am Janlori Goldman, Director 
of the Health Privacy Project at Georgetown University's 
Institute for Health Care Research and Policy. In the past 
week, the Project has issued two reports on health privacy, 
which we hope will make a significant contribution to the 
ongoing policy initiatives. We include as our testimony today 
the top findings and executive summaries of these reports. The 
full text of both reports is available on our website at 
www.healthprivacy.org.
    Your continued attention to health privacy is greatly 
appreciated, and we look forward to working with you, as you, 
and the rest of the Congress, move forward to meet the August 
deadline for enacting comprehensive health privacy legislation.

                   Best Principles for Health Privacy

Executive Summary

    Privacy and confidentiality have long been recognized as essential 
elements of the doctor-patient relationship. Also essential to optimal 
care is the compilation of a complete medical record. But that same 
record is used for a wide variety of purposes--including insurance 
functions, coordination of care, and research. The long-standing 
friction between these two goals--patient privacy and access to 
information for legitimate purposes--has been heightened by the 
transition to electronic health information and a push toward 
integrated information in support of integrated health care delivery 
and health data networks. While these developments are intended to 
improve health care, they also raise many questions about the role of 
privacy in the health care environment.
    Recent polls demonstrate that the public has significant concern 
about the lack of privacy protection for their medical records and that 
it can impact how they engage with health care providers. In order to 
protect their privacy, some patients lie or withhold information from 
their providers; pay out-of-pocket for care; see multiple providers to 
avoid the creation of a consolidated record; or sometimes avoid care 
altogether. Such ``privacy-protective'' behavior can compromise both 
individual care and public health initiatives.
    The public has some reason to be concerned. Today, there is little 
consistency in approaches to patient confidentiality and no national 
standards or policies on patient confidentiality. The 1996 Health 
Insurance Portability and Accountability Act provides that if Congress 
fails to enact comprehensive health privacy legislation by August 1999, 
the Secretary of Health and Human Services must issue regulations. 
Therefore, either through legislation, government regulation, or self-
regulation, there will be significant developments with regard to 
health privacy in the next two years.
    What has been missing from the debate is a consensus document that 
offers policy recommendations regarding how best to protect patient 
confidentiality. To fill this void, the Health Privacy Project, with 
funding from the Robert Wood Johnson Foundation, created the Health 
Privacy Working Group in June 1998. Its mission was to achieve common 
ground on ``best principles'' for health privacy, while identifying a 
range of options for putting those principles into practice. The 
Working Group is comprised of diverse stakeholders, including: 
disability and mental health advocates; health plans; providers; 
employers; standards and accreditation representatives; and experts in 
public health, medical ethics, information systems, and health policy.
    The Working Group spent the past year crafting a consensus document 
that reflects ``best principles'' for health privacy. This report 
outlines the 11 principles to which the Working Group agreed and 
details the rationale behind the recommendations.
    The principles represent significant compromises between Working 
Group members and should be seen as a framework that aims to 
accommodate the various information needs of diverse interest groups. 
The principles are designed to establish a baseline of protections that 
should be considered when implementing comprehensive patient privacy 
policies and practices.
    The Working Group adopted the following 11 principles. Because 
these principles are intended to establish a comprehensive framework, 
they should be read and implemented as a whole.

1. For all uses and disclosures of health information, health care 
organizations should remove personal identifiers to the fullest extent 
possible, consistent with maintaining the usefulness of the 
information.

    Generally, the use and disclosure of information that does not 
identify individuals does not compromise patient confidentiality. As 
such, the use and disclosure of non-identifiable health information 
should ``fall outside'' the scope of policies that govern personally-
identifiable health information. Health care organizations will need to 
take into consideration the practicality and cost of using and 
disclosing non-identifiable information. Ultimately, through the 
creation and use of non-identifiable health information, more people 
can have more information, without compromising patient 
confidentiality.

2. Privacy protections should follow the data.

    All recipients of health information should be bound by all the 
protections and limitations attached to the data at the initial point 
of collection. Recipients of health information can use or disclose 
personally-identifiable health information only within the limits of 
existing authorizations. Any further uses or disclosures require 
specific, voluntary patient authorization.

3. An individual should have the right to access his or her own health 
information and the right to supplement such information.

    All patients should be allowed to copy their records and to 
supplement them if necessary. But supplementation should not be implied 
to mean ``deletion'' or ``alteration'' of the medical record. 
Furthermore, data holders may charge a reasonable fee for copying the 
records, but they cannot refuse inspection of the records simply 
because they are owed money by the individual requesting inspection.
    In certain cases, patients may be denied access to their medical 
records. Such instances include if the disclosure could endanger the 
life or physical safety of an individual; if the information identifies 
a confidential source; if the information was compiled in connection 
with a fraud or criminal investigation that is not yet complete; or if 
the information was collected as part of a clinical trial that is not 
yet complete and the patient was notified in advance about his or her 
rights to access information.

4. Individuals should be given notice about the use and disclosure of 
their health information and their rights with regard to that 
information.

    The notice should tell the patient how information will be 
collected and compiled, how the collecting organization will use or 
disclose the information, what information the patient can inspect and 
copy, steps the patient can take to limit access, and any consequences 
the patient may face by refusing to authorize disclosure of 
information.

5. Health care organizations should implement security safeguards for 
the storage, use, and disclosure of health information.

    Security safeguards consistent with the Secretary's standards, 
whether technological or administrative, should be developed to protect 
health information from unauthorized use or disclosure and should be 
appropriate for use with electronic and paper records. Any safeguards 
should recognize the trade-off between availability and confidentiality 
and should be tailored to meet needs as organizations adopt more 
sophisticated technologies.

6. Personally identifiable health information should not be disclosed 
without patient authorization, except in limited circumstances. Health 
care organizations should provide patients with certain choices about 
the use and disclosure of their health information.

    Patient authorization should be obtained prior to disclosure of any 
health information. But, at the same time, some patient information 
needs to be shared for treatment, payment, and core business functions. 
With this in mind, the Working Group recommends a two-tiered approach 
to patient authorization.
    The authorization structure allows for a health care organization 
to obtain a single, one-time authorization for core activities that are 
considered necessary or routine. These activities--identified as Tier 
One--are directly tied to treatment, payment and necessary business 
functions in keeping with medical ethics. The health care organization 
may condition the delivery of care, or payment for care upon receiving 
authorization for these activities, which can be obtained at the point 
of enrollment or at the time of treatment.
    Any activities that fall outside this core group (sometimes 
commonly referred to as uses) must be authorized separately by the 
patient and fall under Tier Two authorization. The patient can refuse 
authorization for these activities without facing any adverse 
consequences. Activities in this category include, but are not limited 
to:
     purposes of marketing;
     disclosure of psychotherapy notes;
     disclosure of personally identifiable information to an 
employer, except where necessary to provide or pay for care;
     disclosure of personally identifiable health information 
outside the health care treatment entity that collected the 
information, if other tier one authorizations do not apply; and
     disclosure of personally identifiable health information, 
if adequate notice has not been given at the point of the initial 
authorization.
    The Working Group identified a limited number of circumstances in 
which personally-identifiable health information may be disclosed 
without patient authorization. These include:
     when information is required by law, such as for public 
health reporting;
     for oversight purposes, such as in fraud and abuse 
investigations;
     when compelled by a court order or warrant; and
     for research, as described in Principle 8 below.

7. Health care organizations should establish policies and review 
procedures regarding the collection, use, and disclosure of health 
information.

    An organization's confidentiality policies and procedures should be 
coherent, tying together authorization requirements, notice given to 
patients, safeguards, and procedures for accessing personally 
identifiable health information. Organizations should also establish 
review processes that ensure a degree of accountability for decisions 
about the use and disclosure of personally identifiable health 
information. During such a process organizations might, for example, 
wish to determine routine procedures and special procedures for some 
areas of health care where medical information is considered highly 
sensitive to the patient.

8. Health care organizations should use an objective and balanced 
process to review the use and disclosure of personally identifiable 
health information for research.

    For some areas of research, it is not always practical to obtain 
informed consent and in some cases, a consent requirement could bias 
results. Recognizing this, the Working Group advises that patient 
authorization should not always be required for research. However, any 
waivers of informed consent should only be granted through an objective 
and balanced process.
    Currently, any federally funded research is subject to the ``Common 
Rule,'' where an Institutional Review Board (IRB) is required to make a 
determination about the need for informed consent. An IRB can choose to 
give a researcher access to personally identifiable health information 
with or without informed consent. But some research falls outside the 
scope of federal regulations. In such circumstances, health care 
organizations should use a balanced and objective process before 
granting researchers access to personally-identifiable health 
information.

9. Health care organizations should not disclose personally 
identifiable health information to law enforcement officials, absent a 
compulsory legal process, such as a warrant or court order.

    Federal privacy laws generally require that some form of compulsory 
legal process, based on a standard of proof, be presented in order to 
disclose to law enforcement officers. Law enforcement access to health 
information should be held to similar standards. In some instances, 
however, government officials may access health information with legal 
process for the purposes of health care oversight. In these instances, 
the information obtained should not be used against the individual in 
an action unrelated to the oversight or enforcement of law nor should 
the information be re-disclosed, including to another law enforcement 
agency, except in conformance with the privacy protections that have 
attached to the data.

10. Health privacy protections should be implemented in such a way as 
to enhance existing laws prohibiting discrimination.

    Currently, there are state and federal laws that prohibit 
discrimination on the basis of a person's health status in areas such 
as employment or insurance underwriting. Confidentiality policies 
should be implemented in such a way as to enhance and complement these 
protections. In effect, privacy can serve as the first line of defense 
against discrimination, creating a more comprehensive framework of 
protection.

11. Strong and effective remedies for violations of privacy protections 
should be established.

    Remedies should be available for internal and external violations 
of confidentiality. Health care organizations should also establish 
appropriate employee training, sanctions, and disciplinary measures for 
employees and contractors who violate confidentiality policies.
    The 11 principles outlined above focus on information gathered in 
the context of providing patient care and are written to establish a 
broad framework for the use and disclosure of health information. 
Although the Working Group recognizes that the need for privacy 
protections in other areas is no less urgent, this consensus document 
does not address the following areas:
     special considerations about the needs of minors;
     information that locates an individual in a particular 
health care organization (sometimes referred to as ``directory 
information'');
     information provided to spouses, dependents and other next 
of kin;
     public health reporting;
     fraud and abuse investigations; and
     the appropriate relationship between state and federal 
law.
    These 11 principles are designed to serve as a baseline for 
establishing patient privacy protections. While we all agree that 
health information, used in the right hands and with the right 
safeguards, can lead to improved health and advances in research, this 
information should not be used with disregard for patient privacy. 
Patients need to know that adequate protections are in place to protect 
their health information. Our hope is that these principles will go a 
long way towards establishing appropriate protections and, in the 
process, help build public trust and confidence in our health care 
system.

             The State of Health Privacy: An Uneven Terrain

Preface

    Eighteen months ago, the Health Privacy Project launched an 
initiative to compile and publish a comprehensive survey of state 
health privacy statutes. As word spread that we had undertaken this 
effort, we heard two distinct messages, often delivered by the same 
people in the same breath: First, ``Nothing like this exists.'' Second, 
``Are you crazy? Do you have any idea what you are getting into?'' Over 
the past year and a half, we have come to appreciate both the 
importance of this effort, and the near impossibility of the task.
    At the outset, it is important to say what this report is, and what 
it is not. The State of Health Privacy includes a summary of each 
state's major statutes related to the confidentiality of personal 
health information. The survey is specifically and exclusively a survey 
of statutes, not laws. This distinction is important: we did not 
research or include regulations, or common law, both of which 
ultimately must be understood in order to appreciate the full range of 
protections at the state level.
    The survey is not exhaustive--there are many more statutes that 
address the confidentiality of health information. The summaries speak 
most directly to the use and disclosure of information gathered and 
shared in the context of providing and paying for health care. In 
particular, the condition-specific requirements are meant to be 
illustrative; we did not do an exhaustive search for mandatory 
reporting requirements or specific conditions.
    Throughout, keep in mind that medical information is used in many 
different settings, and for many different reasons. There are 
innumerable state laws that speak to the confidentiality of health 
information--such as laws on workers compensation, public health 
reporting, adoption records, birth and death records, motor vehicle 
requirements, minor's rights, and so on--that are not generally 
addressed in our summaries. For this reason, we have given four 
states--Florida, Maryland, New York, and Washington--a more exhaustive 
treatment that highlights the breadth and the depth of the state laws 
that relate to the confidentiality of health records.
    To satisfy diligent scholars and the excessively curious, we 
augment the summaries with a comprehensive list of each health privacy-
related law we discovered in the state. (Given the length of these 
lists, they are only available in the online edition at the Health 
Privacy Project's website: http://www.healthprivacy.org/resources.) We 
have also provided a number of overview documents that attempt to pull 
together the findings and provide a snapshot of how the states compare 
to each other.
    This report is not perfect. We may have missed some laws. Laws may 
have been repealed or re-interpreted by the courts. Laws may take on a 
different meaning in their application than they do in the plain 
reading. States may have issued regulations implementing their laws 
that amplify, diminish, or otherwise affect the law's impact. However, 
we determined that you-the reader-would benefit from the timely 
publication of this report, and would not be offended by our asking 
your indulgence for what we did not have the time or the resources to 
accomplish. In fact, we ask your assistance--if you discover a major 
statute we have overlooked, or if you find we mis-characterize a law, 
or if there is anything else you would like to contribute to enhance 
the accuracy and completeness of The State of Health Privacy, contact 
us. Your input is appreciated.
    Finally, and most importantly, this survey is part of a larger body 
of work undertaken by the Health Privacy Project. Throughout, we have 
tried to maintain a sense the ultimate goal: to protect the privacy of 
people's health information.
    In the health care arena, maintaining the confidentiality of 
medical information and communications has been an essential element of 
the relationship between doctors and their patients. Increasingly, 
however, major changes in health care--such as the rise of managed 
care, the development of electronic health information networks, and 
reform efforts to improve individual and community health--all depend 
on accumulation of and access to complete and reliable patient data.
    Protecting privacy and improving health and access to health care 
are values that have long been viewed as in conflict. Consumer 
advocates often view public health and research initiatives as threats 
to individual privacy, whereas public health officials and researchers 
may treat privacy as a barrier to improving health. In fact, the 
converse is true--protecting privacy and promoting health are values 
that must go hand-in-hand.
    Without trust that the personal, sensitive information that they 
share with their doctors will be handled with some degree of 
confidentiality, patients will not fully participate in their own 
health care.
    The consequences of people not fully participating in their own 
care are quite troubling, for individual patients as well as the larger 
community. For instance, incomplete or inaccurate information can 
hamper a doctor's ability to accurately diagnose and treat a patient, 
inadvertently placing a person at risk for undetected and untreated 
conditions. In turn, if doctors are receiving incomplete, inaccurate 
information, the data they disclose for payment, research, public 
health reporting, and outcome analysis will be unreliable. Ultimately, 
information that lacks integrity at the front end will lack integrity 
as it moves through the health care system. Thus, protecting patient 
privacy is integral both to improving individual care and to the 
success of public health initiatives and quality of care.
    There is no doubt that the public is deeply concerned about the 
lack of privacy in the health care environment. A survey released by 
the California Health Care Foundation in January 1999 found that 
``public distrust of private and government health insurers to keep 
personal information confidential is pervasive. No more than about a 
third of U.S. adults say they trust health plans (35%) and government 
programs like Medicare (33%) to maintain confidentiality all or most of 
the time.'' The consequences of such distrust--real or perceived--are 
significant. The Foundation's survey identified that:
     One in every five people believe their health information 
has been used or disclosed inappropriately.
     One of six people engage in some form of ``privacy-
protective'' behavior when they seek, receive, or pay for health care 
in this country. Such behavior includes paying out of pocket for care; 
intentionally seeing multiple providers to avoid the creation of a 
consolidated record; giving inaccurate or incomplete information on a 
medical history; asking a doctor to not write down the health problem 
or record a less serious or embarrassing condition; and even not 
seeking care to avoid disclosure to an employer.
    Currently, there is no comprehensive federal law protecting the 
privacy of people's medical records. Congress has acknowledged that 
such a law should be passed and imposed a deadline on itself to do so 
by August 1999. If Congress fails to meet the deadline, the Secretary 
of Health and Human Services is required to issue regulations by 
February 2000.
    Health privacy is not a new issue to the U.S. Congress. Each year 
over the past decade as debate has resumed over how to best craft a 
health privacy law, the question is inevitably raised, ``What have the 
states done? What are the state health privacy laws? What will be the 
impact on the states of any federal preemption of state law? What 
negative and positive models exist for us to learn from?'' For the most 
part, these questions have gone unanswered. Until now, no comprehensive 
compilation of state health privacy existed.
    Bear in mind as you read this report that, in the absence of a 
comprehensive federal health privacy law, the limited privacy 
protections people currently enjoy have been put in place by state 
legislatures. The terrain of state health privacy law may be uneven, 
but that shaky ground plays a significant role.

Executive Summary

    There is no comprehensive federal law that protects the privacy of 
people's health information. The U.S. Congress is moving ahead to meet 
a self-imposed deadline to enact a broad health privacy statue by 
August 1999. If the deadline is not met, the Secretary of Health and 
Human Services must issue regulations by February 2000. At this time, 
people must rely on whatever health privacy protections are built into 
their state's statutes.
    As the congressional debate over health privacy heats up, there is 
a question that is always asked but--until now--impossible to answer. 
``What state laws exist in this area? How have states responded to the 
health privacy needs of their citizens? ''
    This report is the first-ever comprehensive 50-state survey of 
health privacy statutes. In our experience, the hallmarks of 
researching state health privacy laws have been that: 1) nothing is 
simple; and 2) nothing is predictable. In the process of researching, 
analyzing, and summarizing the statutes, we reached a number of 
conclusions and made a few surprising discoveries. But in many more 
ways, the states defy categorization.
    State laws relating to health privacy have been enacted at 
different points in time, over many years, to address a wide variety of 
uses and public health concerns. One must approach each state on its 
own terms and attempt to understand the protections as a unique whole 
within the state. In striving for precision and nuance, our labels of 
state laws are accompanied by qualifiers and explanations.
    Laws relating to health privacy can be found in nearly every nook 
and cranny of a state's statutes--in obvious and obscure sections of a 
state's code, buried in regulations, developed in case law, and 
detailed in licensing rules. Florida, for example, has more than 60 
statutes that address health privacy, and it is not unique.
    A number of initial observations emerge from the state summaries:
     States legislate and regulate health privacy by entity.
    There is little mystery about why state health privacy laws are so 
extensive, vast, and detailed: the statutes reflect the diverse users 
of health information. Consider the following four types of users: 
physicians, schools, insurers, and state agencies. Each has a specific 
function in the state and a legal and regulatory structure specific to 
their roles. Thus, the statutory requirements for how they handle 
medical information are different.
    To understand what confidentiality protections do exist at the 
state level, one must first begin by examining the laws applying to the 
different entities that collect, use, maintain, and distribute health 
information. Even states that attempt to handle health privacy in a 
comprehensive fashion ultimately establish unique rules for different 
entities. In looking at a state's laws and determining what kind of 
privacy protections exist, one must always ask, ``Who's holding the 
data?'' and ``What is the medical condition at issue?''
    The end result of this legislating by entity is that state laws--
with a few notable exceptions--do not extend comprehensive protections 
to people's medical records. Thus, a state statute may impose privacy 
rules on hospitals but not dentists. The state may restrict the use and 
disclosure of information derived from a genetic test but not 
information obtained in a routine physical. Or just the opposite may be 
true in a neighboring state.
    The cumulative effect of these various statutes might appear 
erratic, but so many of the laws that do exist provide meaningful 
protections for consumers and speak to the specific needs of the 
organizations and citizens of the state. For instance, a nursing home 
may have different information needs than a public hospital, and state 
laws attempt to accommodate these differences.
     The vast majority of state statutes were never intended to 
be comprehensive.
    Virtually every state has some law aimed at the confidentiality of 
patient, but very few states have anything approaching a comprehensive 
health privacy law. Two notable exceptions are Rhode Island and 
Wisconsin, each of which has comprehensive health privacy laws. Many 
states have health privacy laws governing certain health care entities, 
such as hospitals or clinics, but no privacy protections regulating 
health plans and HMOs.
    State confidentiality requirements are part and parcel of larger 
statutes that provide consumer protections or regulate persons or 
entities. Many of the statutes, for example, are imbedded within 
licensing requirements. In this context, the provider is required to 
maintain health information in confidence in order to obtain and 
maintain a license to practice from the state. One must read all of the 
statutes together in order to glean an understanding of how health 
information is protected as it moves between persons and entities.
     An ethical duty to maintain confidentiality is often 
assumed.
    Most states appear to presume an ethical duty on the part of health 
care providers to keep information confidential. Many statutes, for 
instance, do not explicitly impose a duty of confidentiality, but they 
do stipulate a penalty for breaching patient confidentiality. It seems 
that in these instances, the states did not see a need to legislate the 
ethical duty. Unfortunately, the users of health information have 
extended well beyond those who may be bound by a professional codes of 
ethics.
     State laws have not kept pace with changes in health care 
delivery and technology.
    Most state laws do not reflect the dramatic changes in the health 
care environment or the dramatic changes in information technology. 
Today, for instance, the majority of health care is not delivered by 
physicians. Integrated delivery systems (such as HMOs and provider 
networks) and the establishment of statewide health information 
databases have created new demands for data that push well beyond the 
limits originally anticipated by the states. The variety of people and 
entities collecting, receiving and using health information has also 
extended far beyond the health care environment. A physician, for 
example, may be obligated to report a person with epilepsy to the 
Department of Motor Vehicles, which in turn may revoke a driver's 
license.
    Therefore, in many ways, the state laws defy summarization--they 
are detailed, specific, and intricate. Nevertheless, we have attempted 
to bring some coherence to this report. The summaries are arranged in 
four broad categories: Patient Right of Access, Restrictions on 
Disclosure, Privilege and Condition-specific Requirements. Our major 
findings in each category are listed below.

Key Findings

Patient Access

    States vary widely in the rights they grant to patients to receive 
and copy their own medical records. Some states have no statutory right 
of access such as Kansas and North Dakota. Three states--Alabama, 
Idaho, and New Mexico--and the District of Columbia only have a 
statutory right for patients to access their own mental health records.
    On the opposite end of the continuum, a few states--such as 
Connecticut and Minnesota--grant access to records maintained by nearly 
all of the potential sources of patient data, i.e. government agencies 
and entities, hospitals, physicians, insurers, schools, and even non-
traditional health care providers such as natureopaths. Maine and South 
Dakota, for example, have cast a particularly wide net with respect to 
providing access to records maintained by health care providers by 
using broad definitions that anticipate future users and holders of 
medical information, such as those performing in vitro fertilization 
and blood banks.
    Most states fall somewhere in the middle of these two extremes. 
Forty-four states provide some right of access, but this figure is a 
bit misleading. The right of access quickly breaks down:
     33 states provide a right of access to hospital records;
     13 states provide a right of access to HMO records; and
     16 states provide a right of access to insurance records.
    Many additional statutes cover specific providers--such as 
physicians, psychiatrists, and pharmacists. However limited the right, 
the impact of providing the right should not be underestimated. For 
example, in response to the public's desire to utilize alternative 
sources for contact lenses, Colorado and other states require 
optometrists to disclose prescriptions to their patients.
    All state statutes that grant people a right to see and copy their 
own medical records limit that right with a set of exceptions. The most 
common exception is that a patient can be refused access to his or her 
own medical record if the record holder believes that the release of 
the information could endanger the life and safety of the subject of 
the information or another person.
    Many states have also granted patients the right to amend or 
correct their medical information, particularly when the records are 
held by insurance companies. In Illinois, New Jersey and Ohio, for 
example, the statute includes a detailed procedure for resolving a 
patient's challenge to the accuracy or completeness of the record. 
Where the provider and the patient disagree, for example, the patient 
may be able to insert a statement of his or her position in the record.
    Most states allow a person or entity to charge patients for copies 
of their medical record. Some states specify a cost in the statute--in 
Kentucky, for example, a health care provider or hospital must provide 
a patient with a free copy of their medical record. A patient may be 
charged for additional copies, but not more than $1 per page. Other 
states require that the fee be waived if the patient is contesting an 
adverse underwriting decision. The most common approach is to stipulate 
that an entity may charge a ``reasonable'' fee.

Restrictions on Disclosure

    States vary widely in terms of the restrictions or prohibitions 
they impose on disclosures of medical records and medical information. 
The restrictions tend to be triggered in two instances: by the entity 
holding the data, and the kind of information being held.
    For the most part, the state statutes prohibit a person or entity 
from disclosing information unless certain conditions are met. The most 
notable impact of this approach is that it may limit the actual 
protections afforded the data. Once the information is disclosed, it 
may or may not be afforded the same protections by the receiving 
entity. For instance, the state laws may not place limits on the re-
disclosure patient data, or the receiving entity may not be under any 
legal obligation to adhere the privacy rules imposed on the disclosing 
entity.
    In comparison, a few states--such as Wisconsin and Rhode Island--
have statutes that prohibit medical information from being disclosed, 
regardless of the entity holding the record.
    Overall, the most common restriction found in state statute is that 
patient authorization must be secured prior to health information being 
disclosed. Some states specify the format and content of the 
authorization form in statute. Many states allow patients to revoke 
authorizations.
    At the same time, these statutes all specify numerous exceptions to 
this general rule in which a person or entity may disclose information 
without patient authorization. The most common instances include: for 
purposes of treatment; to secure payment for healthcare; for auditing; 
and for quality assurance activities. Most statutes allow access to 
patient data for research purposes, without any patient notification or 
authorization. (See later discussion on research.)
    Also of note is that some states do prohibit the re-disclosure of 
medical information. In such instances, an entity that receives medical 
information is prohibited from re-disclosing the information unless a 
separate authorization is secured, or the disclosure is in keeping with 
the statutory requirements. Montana has stated that although it is 
state public policy that a patient's interest in the proper use of 
health care information survives, the state is not going to statutorily 
regulate disclosures because a person' expectation of privacy changes 
when the information is held by a non-health care provider.

Privileges

    A common myth is that the doctor-patient privilege prohibits health 
care providers from sharing information about their patients. The truth 
is the law of privilege is a rule of evidence and quite limited in 
scope. Privilege applies to a patient's (or provider's) right to keep 
certain communications confidential in a legal proceeding.
    We have included a survey of states' statutory privileges for two 
reasons: 1) to date, all of the proposed federal health privacy 
legislation leaves state privilege law intact; and 2) many states' 
statutes governing the confidentiality of health care information 
maintained by HMOs provide that an HMO is entitled to claim any 
statutory privilege against disclosure that the provider of the 
information is entitled to claim. Thus, in order to understand what 
privilege an HMO might be able to exercise, it is necessary to know 
what statutory privileges exist.
    A common misconception about the physician-patient privilege is 
that it is a general prohibition against a health care provider sharing 
information about his or her patients. However, it is important to 
recognize that in legal terms, there is a distinction between 
``privilege'' and ``confidential.'' The law of privilege is generally 
seen as a rule of evidence which is limited in scope. It allows a 
patient in a legal or quasi legal proceeding to refuse to disclose and 
to prevent others from disclosing certain confidential information 
(usually communications) obtained during the course of diagnosis and 
treatment. In contrast, a health care provider's duty of 
confidentiality to her patients, arising from a code of ethics, by 
regulation, or otherwise, is a broader duty not to disclose to the 
public information obtained in a professional capacity.
    That being said, it must be noted that even legal professionals 
often use the terms interchangeably. We have attempted to note where a 
state has worded its statutory privilege in such a way as to extend it 
beyond a legal or quasi legal proceeding.
    It must be emphasized that this is a summary of statutory rules of 
privilege. Many more providers and entities may be covered by a state's 
common law privilege. The summaries do not include a discussion of when 
privilege may be waived. State law is detailed and voluminous on this 
subject, and we chose simply to indicate to whom the statutory 
privilege applies.

Condition-specific Requirements

    Nearly all states have laws that impose condition-specific privacy 
requirements, most often to shield people with mental illness, 
communicable diseases, cancer, and other sensitive, stigmatized 
illnesses from broad disclosures. Many of these laws were passed to 
respond to public fear that certain health information would be widely 
disclosed and used to deny them benefits or could result in other harm. 
Where this fear acted as a barrier to seeking health care, treatment, 
or counseling, states have moved to bolster public trust and confidence 
in the health care system by enacting heightened privacy rules in these 
specific areas. The protections tend to attach to the information at 
the point of collection, before the information is disclosed. These 
requirements may, for example, direct a provider, hospital, or 
laboratory to obtain a particular kind of authorization from the 
patient or more stringently restrict disclosure.
    In some circumstances, the condition-specific requirements allow 
for greater disclosure of the information. Some mental health statutes, 
for example, explicitly allow family members to access the mental 
health records of a family member who has been committed. Other 
statutes allow employers to share medical information about an employee 
if it affects the performance of her job.
    Most of the condition-specific requirements that exist at the state 
level, however, were enacted hand-in-hand with mandatory reporting 
laws. While the summaries note the protections afforded the data, it is 
important not to lose sight of the fact that these privacy laws were 
enacted on the backend of laws requiring doctors and other health care 
providers to report to state officials identifiable patient data 
related to certain illnesses and conditions. Clearly, state lawmakers 
viewed such privacy protections as a necessary balm to quiet public 
fears of the government developing health information databases on 
vulnerable citizens. Our inclusion of the public health reporting 
requirements and related privacy protections are not comprehensive, but 
we point out that many states' reporting requirements are aimed beyond 
communicable or infectious diseases. Many states collect health 
information to study costs, outcomes, and quality--all of which rely on 
extensive patient data. In turn, there is a great demand--often 
answered in the affirmative--for access to this data.
    All states have laws designed to control the spread of contagious 
diseases, which include requirements that named individuals with 
particular illnesses or conditions be reported to health authorities. 
Again, in the vast majority of these condition-specific requirements, 
the privacy protections are linked to the mandatory reporting 
requirements. In such instances, the confidentiality requirements and 
protections only apply to the agency collecting the data. Many states, 
for example, require providers to report birth defects to the state's 
registry. The statute then limits how the registry can use and disclose 
the information. These protections, however, do not apply to any other 
entity holding the same information--such as a provider, hospital or 
insurance company.

Remedies and Penalties

    Most state health privacy statutes contain some form of remedies 
and penalties that are triggered by violations of the law. Commonly 
found are private right of action provisions granting people the 
ability to bring lawsuits when the statute has been violated, without 
first having to meet any additional standard of proof, i.e. that the 
violation was willful or intentional. It is enough that the law was 
violated. A full range of damages, remedies, and attorney's fees and 
costs are usually available, however the monetary damages are often set 
quite low. In some cases, these statutory remedies may be construed as 
exclusive, thereby barring people from raising other claims, such as 
privacy torts or other common law claims.

Government-maintained Records

    Across the board, records held by government agencies and officials 
are treated differently--and are usually more protected--than the 
medical information collected and held by the private sector. In some 
instances, the medical records held by the government are the only 
records protected in statute. In effect, a state statute may impose 
confidentiality requirements only on public hospitals, leaving people 
who are treated in private hospitals without the same legal safeguards. 
In Oregon, for example, the statutory prohibitions on disclosure, 
including authorizations, apply only to public providers of health 
care. Private health care providers are simply ``encouraged, but not 
required to adopt voluntary guidelines limiting the disclosure of 
medical records...''
    Although this legal distinction--between public and private holders 
of medical information--is rooted in the constitutional principle that 
there must be limits on government action vis-a-vis the individual, it 
may not be particularly meaningful to health care consumers. Therefore, 
privacy protections have been extended in a number of federal and state 
privacy statutes to restrict the private sector's collection and use of 
personal information.

Research

    Again, there is little uniformity in how state statutes regulate 
researcher access to people's medical information. The vast majority of 
laws, however, do allow researchers broad access to patient records. As 
the laws apply to private entities, researcher access is almost always 
built in as an exception to a statute's patient authorization 
requirements. What limits do exist usually speak only to specific 
information--such as genetic information or HIV/AIDS information.
    On the other hand, researcher access to patient data held by 
government entities, i.e., agencies, registries, is in some instances 
more detailed. Some registries, for example, have strict conditions 
that must be met before researchers can access data and may require 
that personal identifiers be removed before a researcher can access 
information. Laws applying to government entities are also more likely 
to prohibit researchers from re-disclosing patient data.

Conclusion

    Again, there is no comprehensive federal law protecting the privacy 
of people's medical records. Congress has acknowledged that such a law 
should be passed and imposed a deadline on itself to do so by August 
1999. If Congress fails to meet the deadline, the Secretary of Health 
and Human Services is required to issue regulations by February 2000. 
We hope these reports are useful to you as you move forward. We are 
available to work with you.
    The Health Privacy Working Group Members: Dr. Bernard Lo, 
University of California-San Francisco; Paul Clayton, Columbia 
Pesbyterian Medical Center; Jeff Crowley, National Association of 
People with AIDS; John Glaser, Partners Health Care System, Inc.; Nan 
Hunter, Brooklyn Law School; Shannah Koss, IBM; Chris Koyanagi, Bazelon 
Center for Mental Health Law; John Nielsen, Intermountain Healthcare; 
Linda Shelton, National Committee for Quality Assurance; and Margaret 
VanAmringe, Joint Commission on Accreditation of Healthcare 
Organizations.
    As this report documents, there is little probability that any 
federal law could match the breadth and scope of the existing state 
laws. As such, any federal law that fully preempted state law would 
eliminate for consumers some of the rights and protections they 
currently enjoy and disrupt current state legal and regulatory 
structures. Here's why----
     States have been the first to respond to concerns about 
health privacy and they have enacted many strong protections.
    State health privacy statutes cover a broad range of entities and, 
not surprisingly, are both weak and strong. In terms of broad consumer 
protections, one can identify many significant gaps and weaknesses in 
most state statutes: such as a limited right for a patient to access 
his or her own medical record; little ability for patients to limit 
disclosure of their medical records; and little recourse when the laws 
are violated.
    On the other hand, state laws enacted in response to a particular 
public concern, or a public health threat--such as in the areas of 
mental illness, communicable disease, cancer, and genetic testing--are 
often strong, detailed, and aimed at the states' unique experiences 
with their citizens.
     State laws address a level of detail not considered in any 
of the federal proposals.
    The importance of the detail in state health privacy law should not 
be underestimated. Because the states legislate by entity, they are 
often able to craft laws that speak to the unique needs of the patient 
population and the information needs of particular entities. An HMO, 
for example, has very different needs than a family planning clinic.
     State law is extensive--it is impossible to predict the 
full impact of full federal preemption.
    Most importantly, it is almost impossible to predict the full 
impact of federal preemption on state laws relating to health privacy. 
Remember that these summaries are only the tip of the iceberg in terms 
of relevant state statutes. Many more laws govern areas such as 
adoption, workers compensation, public health reporting, civil, 
judicial and administrative procedures, fraud and abuse, and law 
enforcement access.
    There is widespread consensus that a federal law could help to 
provide significant new protections and to establish some basic rules 
about the use and disclosure of health information. However, until this 
point, the policy debate about preemption tended to be based on 
rhetoric, not fact. There is a large body of law before us now. While 
many of the facts are reassuring, it does not lend itself to easy 
answers.
    A significant challenge is before us. There is no doubt that such a 
comprehensive federal health privacy law could be beneficial in many 
ways. But while a federal law could substantially benefit people by 
establishing a baseline of consumer protections, a federal law that 
ignored the significant role states have played in protecting health 
information could disrupt the legal and regulatory structures at the 
state level and, in turn, some of the protections currently afforded to 
consumers.
    Our hope is that this report will serve as the factual basis upon 
which to proceed, providing us with a true opportunity to move beyond 
the rhetoric that has so far defined this debate.

                         The Preemption Debate

    At the national level, there is an ongoing debate over how a future 
federal health privacy law should relate to existing and future 
stronger state laws. Passage of any federal law will necessarily 
preempt weaker state laws. But will Congress choose to establish a 
federal ``floor'' above which states would be free to enact greater 
protections? Or will the federal law fully preempt state laws by 
creating a ``ceiling,'' thus eliminating both weaker and stronger state 
laws and preventing the passage of future stronger state laws?
    We must begin with the obvious: there is a large body of state law 
that will be impacted by any federal law. Many of these laws were 
passed over many years, and they cover significant ground. Out of 
necessity, the states have moved forward in recent years to pass health 
privacy laws to fill a vacuum that might otherwise be addressed in a 
federal law--such as in the areas of genetic testing, prescription 
records, HMO records, and integrated databases. A couple of states--
such as Rhode Island and Wisconsin--have even passed fairly 
comprehensive laws.
    Thus far, the preemption debate has played out as follows. 
Proponents of the full preemption of state law argue that a one-size-
fits-all national standard is necessary to conduct health care 
activities across state lines. Advocates for a federal floor argue that 
states must be free to enact stronger protections to shield its most 
vulnerable citizens from stigma and discrimination, and encourage them 
to seek care without fear of reprisals.
    But this debate must be about much more. As our research shows, the 
states' health privacy protections are deeply integrated into powers 
traditionally held by the states: licensing, public health, and police 
powers. As such, it would be unwise--and, in fact, unprecedented--for 
the federal law to fully preempt state law. At a minimum, the states 
must be free to enact greater protections for its citizens, to regulate 
health care entities, and to conduct vital public health functions.

Health Care Organizations Already Comply With 50 State Laws

    Consider the state of affairs today: health care entities that do a 
great deal of business across state lines are currently required to 
comply with fifty different business across state lines are currently 
required to comply with fifty different state laws. The interplay 
between state and federal laws is not unique to the health care 
environment. In the context of other complex, interstate activities, 
Congress has addressed the interplay between state and federal laws, 
such as in the Right to Financial Privacy Act, the Fair Credit 
Reporting Act, and the Electronic Communications Privacy Act, which 
regulate the banking, credit, and communications industries. In 
enacting these laws, Congress left the states free to enact more 
protective laws as they see fit.
    Some preemption supporters have expressed the fear that states will 
pass laws tat are too privacy protective, thereby interfering with 
important health-related activities. Our research documents that states 
have been quick to take corrective action to respond to the concerns of 
health plans, researchers, and others when they have `gone too far.' In 
two instances in which a state health privacy statute was deemed to 
interfere with vital health care functions, states have moved quickly 
to amend their laws. Minnesota, for example, amended its law relating 
to researcher access to medical records after hearing objections from 
health care organizations in the state. More recently, Maine repealed a 
health privacy law after objections on the part of press and family 
members and later enacted a more limited statute.
    Many states are considering pending health privacy bills in an 
attempt to fill the gap created by the absence of a federal health 
privacy law. In other contexts, however, the momentum behind such state 
initiatives drops significantly following the passage of comprehensive 
federal legislation. After passage, state activity is likely to reflect 
the standards set out in the federal law, thereby increasing 
uniformity.
    One of the more surprising--and potentially unifying--findings of 
this report is the most state laws are weaker than the standards 
proposed in many of the federal now under consideration. Therefore, a 
federal law may provide a substantial degree of uniformity simply by 
preempting weaker state laws, However, policymakers should be cautions 
not to interfere with the states' vital and established public health 
and regulatory mechanisms.

State Laws Address a Level of Detail Not Considered in Any of the 
Federal Proposals

    State health privacy laws address a level of detail not found in 
any of the federal proposals. For the most part, state health privacy 
laws are organized by entity, and the statutes include requirements and 
specifications explicitly related to that entity. There may be separate 
statutes governing many different entities: employers, nursing homes, 
health maintenance organizations, health and life insurers, 
psychiatrists, chiropractors, hospitals and insurers.
    In addition, there are numerous policy issues traditionally acted 
on at the state level that include health privacy provisions. There 
include anti-discrimination laws, commitment proceedings for the 
mentally ill, adoption, foster care, mental health treatment, 
reproductive health, parental involvement, partner notification, and 
abuse and neglect.
    In comparison, federal health privacy proposals have on the whole 
treated all health care organizations the same. The federal proposals 
would also establish--with a broad brush--general rules governing the 
use and disclosure of health information. These proposed Rules aim to 
address the vast majority of circumstances in which health information 
is used and disclosed, but they do not begin to approach the level of 
detail that has been imbedded in state law. For instance:
     In South Carolina a physician is expressly prohibited from 
selling medical records to someone other than a hospital or provider 
licensed by the state. Before a physician may sell medical records, he 
must publish a public notice of his intention to sell the records and 
of a patient's right to retrieve their records if they prefer that 
their records not be included in the sale.
     Maryland has an intricate statutory system for dealing 
with mental health records. The disclosure of mental health records is 
governed by the state's Confidentiality of Medical Records Act. One 
provision stipulates that mental health records may not be disclosed 
between health care providers unless a patient has received a current 
list of the participating providers and has signed a written agreement 
to participate in the client information system developed by the 
agency.
     In Florida, a minor may obtain treatment for sexually 
transmissible diseases without the consent to their parents or 
guardians. [Fla. Stat. Ann. Sec. 384.30.] The fact of consultation, 
examination, and treatment of the minor is co0nfidential, not subject 
to the disclosure requirements of other statutes, and cannot be 
divulged in any direct or indirect manner except as authorized by 
statute, including sending a bill to the parent or guardian.
    The level of detail illustrated above is not even contemplated by 
any of the current federal proposals, and regulating these specific and 
unique spheres is clearly not the intent of any of the federal 
proposals. If Congress decides to fully preempt state law, it will most 
likely eliminate significant consumer protections without replacing 
them with an equivalent degree of federal safeguards.

States are the First to Respond to Concerns About Privacy and Have 
Enacted Many Strong Protections

    Based on our research, it appears that many state laws governing 
the broad agrees sought to be covered in the federal law--patient 
access to records, notice of information practices, patient 
authorizations for disclosure, remedies for violations of the law--are 
weaker than many of the federal proposals. Thus, a federal law that 
established a floor could provide uniformity, while raising the overall 
privacy protections for consumers.
    However, it appears that even the strongest federal proposals would 
not set the bar as high as the condition-specific protections in 
certain state laws. Thus, a preemptive federal ceiling could cause the 
citizens of some states to actually forfeit the protections they are 
now guaranteed under their state laws. Again, states have enacted 
condition-specific protections in two main areas: 1) to provide back-
end protection to information collected as part of a mandatory 
reporting requirement; and 2) to encourage people to seek care for 
conditions that are sensitive and for which there is a high risk of 
stigma and discrimination.
     Almost every state has enacted laws specific to HIV/AIDS. 
California, for example, has enacted laws, covering testing, reporting, 
partner notification, and discovery. The results of an HIV/AIDS test 
may not be disclosed in a form that identifies an individual, without 
patient consent for each disclosure, except in very limited 
circumstances. For instance, a physician or local health officer may 
disclose HIV test results to the sex or needle-sharing partner of the 
patient without consent, but only after the patient refused or was 
unable to make the notification. The law also requires patient 
authorization in more circumstances than provided for under the Senate 
proposals. In California, an individual's health care provider may not 
disclose to another provider or health plan without written 
authorization, unless to a provider for the direct purposes of 
diagnosis, care, or treatment of the individual.
     Almost half the states now provide specific and strong 
protection for information derived from genetic information. In Georgia 
this information is considered to be strictly confidential and may be 
released only to the individual tested and to persons specifically 
authorized by such individual to receive the information. Any insurer 
that possesses information derived from genetic testing may not release 
the information to any third party without the explicit written consent 
of the individual tested.
     Every state has laws that establish rules particular to 
mental health information, covering a wide range of activities. In 
Massachusetts, for example, a psychologist needs a patient's written 
consent to disclose any confidential communications about the patient, 
including the fact that the patient is undergoing treatment. An HMO is 
prohibited from acquiring or disclosing any communication by a member 
to a psychotherapist arising out of the outpatient diagnosis or 
treatment of a mental or nervous condition without the express and 
informed written consent of the member. No such written consent may be 
made a condition of the receipt of such benefits or any other benefits 
for which the member is otherwise covered.
     Tennessee law stipulates that the state's Department of 
Health records on sexually transmitted diseases may not be released 
even under subpoena, court order, or other legal process, unless the 
court makes a specific finding concerning each of five criteria 
including: weighting probative value of the evidence against the 
individual's and public's interest in maintaining its confidentiality; 
and determining that the evidence is necessary to avoid substantial 
injustice to the party seeking it and either that the disclosure will 
not significantly harm the person whose records are at issue or that it 
would be substantially unfair as between the requesting party and the 
patient not to require disclosure.
    Many states have laws similar to the ones cited above. Again, none 
of the federal proposals reach these levels of specific protection. 
Wiping out such laws could create a public health crisis, leaving 
people vulnerable by undoing protections that encourage people to seek 
testing, counseling, and treatment for a number of conditions.

It is Impossible to Predict the Full Impact of Full Federal Preemption. 
State Law is Extensive--a Fully Preemptive Federal Law Runs the Risk of 
Significant, Unintended Consequences.

    Even a cursory glance at the state statutes reveals that laws 
relating to the confidentiality of medical information are found 
throughout state codes. Major statutes are found in the Civil Code, the 
Insurance Code, the Health and Safety Code, the Penal Code, and the 
Welfare and Institutions Code. The laws cover a wide range of 
activities including treatment, payment, insurance-related activities, 
peer review, research, and prescribing drugs. Most importantly, states 
have developed bodies of law around discrete issues that touch on the 
use of health information--such as anti-discrimination, worker's 
compensation, parental involvement, adoption, HIV/AIDS partner 
notification, and access by law enforcement, and even real estate.
    It is nearly impossible to predict in advance the full impact of 
total preemption on state law and consumer protections. Some laws, for 
example, may be tied to larger anti-discrimination statutes. A fully 
preemptive federal law may inadvertently nullify the entire statute.
     For instance, A California law that prohibits insurers 
from discriminating on the basis of a person's ``genetic 
characteristics that may, under some circumstances be associated with 
disability in that person or that person's offspring.'' The law 
includes a provision on authorization requirements for the disclosure 
of genetic information, which may open up the entire statute to 
preemption.
    Overall, the states are best equipped to respond to new, unique, 
and inherently local challenges in health care and public health. It is 
impossible to predict what issues will require prompt attention in the 
future, but a preemptive federal law would prevent states from 
responding at all.

Conclusion

    State health privacy statutes are both weak and strong. In terms of 
broad consumer protections, many gaps and weaknesses can be identified 
in most state statutes--such as a limited right for a patient to access 
his or her own medical record; little ability for patients to limit 
disclosure of their medical records; and limited recourse available to 
people when the laws are violated.
    On the other hand, state laws enacted in response to a specific and 
heightened public concern, or a public health treat--such as in the 
areas of mental illness, communicable disease, cancer, and genetic 
testing--are strong, detailed, and aimed at a state's experience with 
its own citizens.
    The level of detail in state health privacy law should not be 
underestimated. Because the states legislate by entity, they are able 
to craft laws that speak to the unique needs of their citizens, both in 
terms of the patient population, and the information needs of 
particular entities. An HMO, for example, has very different 
information needs than a family planning clinic.
    An urgency exists to pass a comprehensive federal law that protects 
the confidentiality of medical information, fueled in part by the 
congressionally-mandated deadline to do so and by escalating public 
anxiety over the lack of enforceable health privacy rules. There is 
widespread consensus that the federal government must act to protect 
the privacy of people's records. However, as this report documents, we 
must proceed with extreme caution in determining the appropriate 
relationship between any future federal law and existing and future 
state laws.
     While a federal health privacy law could significantly benefit 
consumers by establishing a baseline of consumer protections, if not 
handled properly and with an eye to the existing state laws, a federal 
law could also significantly disrupt the regulatory and legal structure 
at the state level, thereby weakening or eliminating crucial consumer 
protections.
    Bear in mind that these summaries are only the tip of the iceberg 
of the state statutes relating to health privacy. It is impossible to 
foresee all of the laws that would be affected by a preemptive federal 
law. This report is intended to be the beginning of a dialogue on 
preemption that is grounded in fact, not rhetoric and conjecture.
    The challenge before us now is to examine the impact of the passage 
of any federal health law on the privacy rights of various state 
citizens. We must also rely on this compilation of state statutes as we 
address the federal proposals' impact on state public health and 
regulatory regimes. The State of Health Privacy takes the first step to 
answering many of these challenges before us by providing the empirical 
basis on which to do so.
      

                                


    Mrs. Johnson of Connecticut. Thank you very much. Mr. 
Thomas Jenkins, the Assistant General Counsel for Blue Cross 
Blue Shield of Nebraska, on behalf of Blue Cross Blue Shield 
Association.

STATEMENT OF TOM JENKINS, ASSISTANT GENERAL COUNSEL, BLUE CROSS 
 AND BLUE SHIELD OF NEBRASKA, ON BEHALF OF THE BLUE CROSS AND 
                    BLUE SHIELD ASSOCIATION

    Mr. Jenkins. I am Thomas J. Jenkins, Assistant General 
Counsel of Blue Cross and Blue Shield in Nebraska, testifying 
today on behalf of the Association. Thank you for the 
opportunity to testify.
    Protection of the confidentiality of subscriber data is of 
paramount importance to us. As part of employee training at 
Blue Cross and Blue Shield in Nebraska, employees must sign a 
policy that stipulates confidentiality breaches may result in 
termination. While we believe that consumers must be assured 
that their records are kept confidential, we believe that 
Federal legislation must balance the need to safeguard medical 
records with the need for health plans to provide health care 
services efficiently.
    Let me highlight four areas where certain proposals on the 
table now fail to achieve this balance.
    Number one, new authorizations. One of the goals of Federal 
legislation is to guard against disclosure of personal data. Of 
course, health plans must disclose personal data in order to 
administer health benefits.
    Some bills accommodate this through a statutory 
authorization for data disclosure for treatment, payment or 
health care operations. Other legislation requires health plans 
to obtain new and multiple authorizations from all of their 
subscribers. This requires mailing authorization forms to each 
of our 550,000 subscribers, as well as developing new systems 
to track whether or not those authorizations have been 
returned.
    Even after multiple mailings, some subscribers will never 
respond. The postage costs alone would be significant, but 
would pale in comparison to the personnel and system costs 
necessary to accommodate this authorization process.
    Because of these proposals, we would be forced to cancel 
the coverage of subscribers who fail to return these 
authorizations because we could not process their claims 
without legal access to their personal data. We urge Members of 
Congress to adopt a statutory authorization as part of 
confidentiality legislation.
    Number two, static definitions. The statutory authorization 
makes it imperative that the definition of health care 
operations include all the functions we now use to administer 
benefits, but most proposals incorporate a static definition. 
They do not allow for innovative services to be added.
    This year another Blues plan adopted a new program called 
SARA, Systematic Analysis Review and Assistance. Every day 
their computer evaluates data to identify files that need 
further review. This program has improved the care of 
subscribers. For instance, a 60-year-old male had claims for 
Viagra as well as for nitrates. The combination of these two 
types of drugs has the potential to be fatal. The SARA program 
worked with his physician to resolve this conflict.
    A 1-year-old child had 15 claims for emergency room visits 
in the past 18 months. The parents were referred to an asthma 
program. No further visits to the emergency room were required 
in the next 6 months after that.
    If a prescriptive definition for health care operations had 
been legislated in, say, 1995, we could never have developed 
this program. I urge you, therefore, to assure any definition 
can accommodate innovation.
    Third, inspection and copying. This problem involves 
provisions that would allow subscribers to inspect, copy and 
amend all information that is individually identifiable. Most 
data we obtain are administrative in nature. For example, the 
claims. We believe it is important to differentiate between 
these data which must be protected from the data which must be 
produced.
    Under some proposals, we would have to produce even 
insignificant paper that may have a subscriber's name or 
identifying item on it, routine claim runs, and so forth. This 
would require us to redesign our computer systems and 
operations to centralize all data, an extremely expensive 
investment that would increase premiums. This absolute approach 
is not necessary. In my State a recent law limits the 
inspection rights to medical records held by providers. We urge 
Congress to limit inspection rights to actual medical records.
    Fourth and final, the preemption of State law. We have had 
a lot of discussion of that today. We believe any Federal 
legislation should preempt State confidentiality rules. The 
patchwork of State privacy laws are especially difficult when 
viewed from the patient-provider perspective. For instance, if 
a patient's insurance is through an employer in New York City, 
but their physician is located in New Jersey and the patient 
lives in Pennsylvania, whose confidentiality laws apply? How 
does the provider know how to comply?
    We urge Congress to provide a full preemption of State 
confidentiality laws.
    Thank you again for the opportunity to testify today.
    [The prepared statement follows:]

Statement of Tom Jenkins, Assistant General Counsel, Blue Cross and 
Blue Shield of Nebraska, on behalf of the Blue Cross and Blue Shield 
Association

    Mr. Chairman and Members of the House Ways and Means 
Subcommittee on Health, I am Tom Jenkins, Assistant General 
Counsel of Blue Cross and Blue Shield of Nebraska, testifying 
today on behalf of the Blue Cross and Blue Shield Association. 
BCBSA represents 51 independent Blue Cross and Blue Shield 
Plans throughout the nation that together provide health 
coverage to 73 million Americans. Thank you for the opportunity 
to testify on efforts to protect the confidentiality of medical 
records. I want to especially thank you Chairman Thomas for 
your work and the extensive efforts of your staff regarding 
confidentiality and other key health care issues over the last 
few years.
    During my testimony, I will discuss:
    (I) the importance of confidentiality of medical records;
    (II) general principles for confidentiality legislation; 
and
    (III) key issues raised by pending confidentiality 
legislation. These include:
     requirements for new authorizations from all 
subscribers;
     a static definition of health care operations;
     provisions mandating inspection, copying and 
amendment of individually identifiable information by 
subscribers; and
     preemption of state law.

        I. The Importance of Confidentiality of Medical Records

    Blue Cross Blue Shield of Nebraska covers 550,000 residents 
in Nebraska--or 1 out of 3 people in the state. We offer the 
choice of products that our customers demand--health 
maintenance organizations, preferred provider organizations, 
point of service products, as well as traditional indemnity 
coverage.
    Protection of the confidentiality of subscriber and patient 
information is of paramount importance to Blue Cross and Blue 
Shield Plans. We believe that health plans should make every 
effort to guard this confidentiality and should put into place 
procedures and policies that facilitate this goal.
    Since its inception, Blue Cross Blue Shield of Nebraska has 
had protections to safeguard the privacy of our subscribers. As 
part of training for all new employees, we emphasize the 
importance of the information with which they are entrusted to 
maintain and safeguard. Dissemination of confidential 
information is absolutely forbidden. Violation of 
confidentiality by an employee is grounds for disciplinary 
action or termination. Employees also are educated that it is 
completely inappropriate to share medical information with 
their fellow workers outside those whose direct function 
necessitates it.
    As a health insurer, we require medical information to pay 
claims, guard against fraud and abuse, and manage health care 
coverage. Our employees must sign a confidentiality policy with 
Blue Cross Blue Shield of Nebraska that includes recognition of 
a disciplinary policy that enforces our code of conduct.

         II. General Principles for Confidentiality Legislation

    While the Blue Cross and Blue Shield Association believes 
that consumers must be assured that their medical records are 
kept confidential, we believe that federal legislation must 
balance the need to safeguard medical records with the need for 
providers and health plans to provide and cover health care 
services efficiently.
    Federal legislation should:
     Protect consumers: All subscribers and patients 
should be confident that their medical records are kept 
confidential.
     Be practical and simple: Federal confidentiality 
rules must be practical and straightforward, so that providers 
and health plans can adopt and implement them. Consumers' 
rights must be easily understood. Complex rules will only 
confuse and frustrate consumers, and could hamper 
implementation throughout the industry.
     Allow for innovation and flexibility: The delivery 
and financing of health care continues to evolve at an 
exponential rate as new technologies and therapies are 
introduced and as e-commerce revolutionizes the way health care 
entities conduct business. Legislation must assure that health 
plans and providers can continue to evolve and provide 
innovative benefits to consumers.
     Have an achievable implementation date: 
Considering the challenges that health plans already face in 
terms of systems changes and backlogs due to Y2K, it is 
imperative that federal confidentiality legislation have a 
workable, achievable effective date. We urge an effective date 
of plan years beginning on or after 2 years after promulgation 
of final regulations.
     Provide for uniformity: Given the complex and 
interstate nature of the way information flows in today's 
health care environment, and the increasingly integrated nature 
of our health care delivery system, we believe consistent rules 
across the country are critical to assuring uniform treatment 
of confidential information.
     Avoid excessive penalties: Congress should not 
impose a new private right of action allowing individuals to 
file lawsuits against health plans, providers, employers, and 
others. Unfortunately, it is subscribers who suffer most 
because premiums would ultimately be increased to cover the 
costs of frivolous lawsuits. Moreover, some employers, 
especially smaller employers, may view the increased liability 
as an unacceptable risk and drop their employer sponsored 
health coverage altogether.

     III. Key Issues Raised By Pending Confidentiality Legislation

    Many federal proposals addressing the issue of 
confidentiality fail to incorporate all of the above 
principles. I would like to highlight several of the key issues 
we have identified with pending legislation.

(a) Requirements For New Authorizations

    One of the general premises of federal confidentiality 
legislation is to prohibit health providers and plans from 
inappropriately disclosing personal data. Of course, health 
plans must disclose personal data to doctors, hospitals, and 
others in order to administer health insurance benefits. Some 
legislators have tried to accommodate this need by including a 
``statutory authorization'' for the disclosure of data for 
treatment, payment or health care operations. That is, personal 
data are legally allowed to be disclosed or used without a 
separate authorization from the individual if it is needed for 
treatment, payment or health plan operations. We support this 
approach because the statutory authorization serves all parties 
well--it allows health plans to provide the services for which 
their subscribers are paying premiums in an efficient manner.
    Unfortunately, other confidentiality legislation requires 
health plans to obtain new and multiple authorizations from all 
of their subscribers and their families before data can be used 
for treatment, payment, and health care operations. This would 
require us to mail new authorization forms to our 550,000 
subscribers as well as develop new computer systems to track 
whether or not authorizations have been returned.
    Many subscribers already are inundated with ``junk'' mail 
and may inadvertently throw these authorization forms away. We 
may have to mail to our subscribers two, three or more times 
before successfully receiving the new signed authorizations. 
Some may never respond. The initial postage cost alone would be 
significant but would pale in comparison to the personnel and 
system costs necessary to accommodate the authorization 
process. Unfortunately, according to various bills, we would be 
forced to cancel the coverage of subscribers who failed to 
return these authorizations because we could not process their 
claims without legal access to their personal data. And this is 
just on the private side of our business.
    Medicare provides another example of the extraordinary 
difficulties of complying with this rule. Medicare enrolls over 
37 million individuals. Over half of the older population 
reports having at least one disability. Over 4.4 million have 
difficulty carrying out activities of daily living such as 
bathing, dressing, eating and getting around the house. And 
yet, many confidentiality bills would require these individuals 
to return a written authorization to Medicare before their 
benefits could continue. If for any reason this authorization 
was not returned, the payment process would have to be 
suspended while further attempts to obtain the needed 
authorization were made. Ultimately, payments to providers 
would be slowed down, anti-fraud and abuse efforts would be 
impeded, and it could be nearly impossible to maintain an 
efficient system.
    Similar issues are raised in the Medicaid program. The 
National Association of State Medicaid Directors recently 
reported to the Blue Cross and Blue Shield Association that the 
following issues complicate the dissemination of materials to 
Medicaid recipients:
     High turnover rates in the Medicaid program;
     Homelessness and frequent residence-changing;
     Illiteracy;
     Nursing home residence; and
     The fact that beneficiaries often overlook the 
numerous notices that they receive in the mail.
    Whether or not our customers enroll with us through our 
private business, Medicare contracts, Medicaid, or other 
government programs (e.g., CHAMPUS, Federal Employees 
Program)--they all share a common expectation: their health 
data will be used to cover their health costs. Requirements for 
new authorizations would only anger customers who already abhor 
paperwork, increase the cost of their coverage, and disrupt the 
payment of claims.
    We urge Members of Congress to adopt a statutory 
authorization as part of confidentiality legislation.

(b) Static Definition of Health Care Operations

    As I mentioned previously, a ``statutory'' authorization 
would allow health plans to use patient data for the purpose of 
health plan operations. This elevates the importance of the 
definition of health plan operations, and makes it imperative 
that it encompass the many functions a health plan now uses to 
assure the quality and cost-effectiveness of benefits for 
subscribers. Our concern is that most legislative approaches 
incorporate a static definition of health care operations--a 
prescriptive list of operations as they currently exist. They 
do not allow for innovative services to be added. This could 
deprive consumers of important--yet to be developed--services 
in the future.
    For instance, this year another Blue Plan adopted a new 
program called the Early Risk Management Program. So far, it 
covers about 100,000 of their enrollees. Every day, their 
computer program evaluates data on those enrollees to identify 
``triggers'' that indicate a need for further review of that 
patient's record. Those triggers may be a certain prescription 
drug or another admission to the hospital. On average, about 60 
patient records per day are pulled for review. If, based upon 
this review, a problem is suspected, the patient's physician is 
contacted. Through this early risk management program, they 
have been able to improve the care of subscribers. For 
instance:
     A 60 year-old male had claims indicating 
prescriptions for Viagra as well as nitrates. The combination 
of these two types of drugs has the potential to be fatal. When 
the treating physician was called, he was unaware that the 
patient had obtained a prescription for Viagra. He agreed to 
contact the patient and no further prescriptions for Viagra 
were filled.
     A one year-old child had 15 claims for emergency 
room visits in the past 18 months as well as office visit 
claims for asthma. The parents were referred to an asthma case 
management program including outreach and education. No further 
emergency room visits occurred in the next six months.
     A 49 year-old male had recent claims for abdominal 
pain with no apparent etiology. Drug claims also indicated the 
patient was taking Naproxen. The treating physician was 
contacted and the physician indicated that a prescription for 
Naproxen had been given some time ago. The physician suspected 
that the patient continued taking this drug after the original 
episode for which it was prescribed had ended--likely leading 
to the abdominal pain.
    New technology has allowed us to provide this quality 
improvement and potentially life-saving service to customers. 
But this type of program was not possible--or even 
contemplated--several years ago. If a prescriptive definition 
for health care operations had been legislated in 1995, we 
could never have developed this program.
    I want to reemphasize that the delivery and financing of 
health care continues to evolve at an exponential rate as new 
technologies and therapies are introduced and as e-commerce 
revolutionizes the way health care entities conduct business. 
We are concerned strict definitions of health care operations 
could limit health plans' roles as they seek to redefine 
themselves to meet consumer demands of the 21st century.
    I urge Members of Congress to assure that any legislative 
definition of health care operations be fluid, and easily 
adjusted over time as innovative programs that benefit 
consumers are further developed.

(c) Inspection, Copying And Amendment Of Individually 
Identifiable Information By Subscribers

    Another example of problematic pending confidentiality 
legislation involves provisions that would allow subscribers to 
inspect, copy and amend all information that is individually 
identifiable. BCBSA believes that patients should be allowed to 
inspect and copy their medical records. However, the vast 
majority of information that health plans maintain is 
administrative in nature (e.g., claims) and does not reflect 
actual patient medical records. We believe it is important to 
differentiate between what information must be protected from 
what information must be produced.
    The way most proposals are currently written, virtually 
every piece of information in a health plan could be copied and 
amended. Moreover, how a health plan would be required to 
produce or provide access to data in an intelligible format is 
a crucial question to consider.
    For example, under some legislative proposals, we would 
have to produce even insignificant paper that may have a 
subscriber's name or identifying feature on it--customer 
service telephone memos, recordings of conversations, internal 
audit memorandum, routine claim runs, etc. We have concerns 
that producing and providing access to all of this data would 
require health plans to redesign their computer systems and 
operations to centralize all Plan data--an extremely expensive 
investment. It is conceivable that we may also have to provide 
the subscriber access to our computer systems. But in order to 
accomplish this, we may have to provide a ``translator'' to 
teach the subscriber how to translate the coded information on 
the computer. And of course, we would have to design new 
systems that would prevent the consumer from accessing other 
subscriber files while reviewing their own.
    All in all, these requirements would pose administrative 
costs that would be passed along to consumers in the form of 
higher premiums. And all to create absolute access to 
information that is unlikely to provide meaningful information 
to the vast majority of subscribers. This absolute approach is 
not necessary. For instance, in my state a recent law limits 
the inspection and copying rights to medical records held by 
providers. These records are those that provide the basis for 
our operations, and are of the most interest to patients.
    We urge Congress to limit inspection, copying, and 
amendment rights to actual medical records when adopting 
federal legislation.

(d) Preemption of State Law

    Finally, we believe any federal confidentiality legislation 
should preempt state confidentiality rules. The intent of the 
Health Insurance Portability and Accountability Act (HIPAA) 
administrative simplification provisions was to simplify health 
insurance claims processes, reduce paperwork, and decrease 
administrative costs through wider use of automation and 
electronic data interchange (EDI). Federal standardization of 
confidentiality rules is essential to the integrity of that 
information. Lack of federal preemption may lead to the 
unintended consequence of a decline in use of EDI since it 
would be extremely difficult to create a computerized system 
that could assure compliance with conflicting state laws. 
Further, lack of federal preemption leads to higher compliance 
costs, which would ultimately be passed onto consumers in the 
form of higher premiums.
    The patchwork of state privacy laws are particularly 
difficult when viewed from the patient and provider 
perspective. For instance, if a patient's insurance is through 
an employer in New York City, but their physician is located in 
New Jersey and the patient lives in Pennsylvania--whose 
confidentiality laws apply to the consumer? And how does the 
provider know how to comply?
    Given the complex and interstate nature of the way 
information flows in today's health care environment, and the 
increasingly integrated nature of our health care delivery 
system, we believe consistent rules across the country are 
critical to assuring uniform treatment of confidential 
information.
    We urge Congress to provide a full preemption of state 
confidentiality laws.

                             IV. Conclusion

    The issues raised by confidentiality legislation are 
complex and fraught with potential unintended consequences. 
During my testimony, I have highlighted only a few of the 
difficult issues with this important subject. This Committee--
and Congress--must successfully navigate through a labyrinth of 
land mines in order to enact confidentiality legislation that 
provides practical, strong protections for consumers without 
disrupting the basic day-to-day services of a health plan and 
raising unnecessary administrative costs.
    On behalf of all Blue Plans, I would like to offer our 
assistance to you as you continue upon this important endeavor.
    Thank you again for the opportunity to testify.
      

                                


    Mrs. Johnson of Connecticut. Thank you very much. I 
appreciate the panel's input. I very much appreciate examples 
of how review of patient records has improved the quality of 
care.
    Ms. Goldman, you said something that was really very 
interesting. First of all, your review of State law would be 
very helpful to us and I thank you for that.
    Ms. Goldman. You are welcome.
    Mrs. Johnson of Connecticut. It is not surprising to me 
that the laws are fragmented and complex.
    Given that fact, if we pass a national comprehensive law, 
it seems to me that we should allow a certain amount of time 
for States to conform to that law. I would not be opposed to 
States then applying for a waiver to have some additional law. 
But I am very concerned about going through all of the 
difficulty of coming to agreement on national standards, which 
I think is going to be very difficult. You can tell from my 
questioning, I am pretty conflicted about it. I don't know as 
much about it as my Chairman. It is not an area on which I 
spent a lot of time, but it is an area in which I have a lot of 
anxiety, and people I represent have a lot of anxiety.
    So it is going to be hard to do this. It does seem to me 
that it is an area in which we do need uniformity. So I think 
everybody needs to sort of think about how do we deal with the 
States on this and if we do this right, there shouldn't be too 
many areas in which there is legitimate need to be different.
    Ms. Goldman. May I give an example of where there might be? 
Some may find that this is oversimplifying, but I want to just 
try to take this massive tome and create a simple conclusion.
    In the broad areas that Congress is seeking to regulate in 
the health privacy area, the right of access, limits on 
disclosure, law enforcement, restrictions on law enforcement 
access, and those broad areas, the State law tends to be weaker 
than what many of the Federal proposals put forth.
    So any Federal law that passes would create a floor. The 
question is where is that floor? The higher the floor, the 
higher the bar; the more State laws that are weaker will be 
eliminated and the greater the uniformity. In many ways there 
is an incentive on Congress if you are looking to develop 
uniformity to set that bar as high as possible because you will 
create significant uniformity given the state of the State 
laws.
    However, in these, as I pointed out, these condition-
specific areas, the protections that are on the back end of the 
cancer registries or other disease registries, where there is 
mandatory reporting requirements, but they are there for 
research purposes and the State has then enacted 
confidentiality protections to prevent redisclosure, or in the 
HIV/AIDS area, in a number of States there are very specific 
and detailed limits on the collection and use of communicable 
disease information, again to encourage people to get testing, 
counseling and treatment.
    The Federal proposals contemplate that level of detail and 
they tend not to be condition-specific. They tend to cover 
broad entities in the health care area and broad information 
that is identifiable health information.
    So I would just suggest a great deal of caution about 
creating a totally preemptive approach at the national level, 
because there will be State laws that I think will be more 
protective than what we are able to come to consensus on here 
at the national level, because there will have to be a great 
deal of consensus and compromise necessary. Also States, 
because of their unique circumstances and needs of their 
citizens, have enacted particular kinds of rules in very, as I 
said, narrow areas.
    Given that many in the industry: and the health plans, 
hospitals, doctors, right now have to comply with 50 different 
laws, that is their obligation now, we will greatly simplify 
that with a floor, with the greater simplification where we set 
that floor.
    Mrs. Johnson of Connecticut. Would you all agree that the 
rules should be the same for HCVA as for private plans and for 
all providers and all State agencies?
    Mr. Clayton. Yes. The problem is now there are no laws in 
many areas. We desperately need some laws. Where I lived in New 
York, we saw people from Connecticut and New Jersey; and if you 
build a computer program that has to look and see whether this 
person is from New Jersey before you can display their 
medication list, and have to look and see if they are from 
Connecticut before you can look at their problem list, people 
will be used to treating someone, and then when they don't see 
problems on the problem list, they may make mistakes in their 
judgments. When they use an information system, it has to be 
uniform.
    As we start going to telemedicine, which will erase all 
political boundaries in terms of where things get done, then 
the preemption issue becomes even more difficult. I would just 
point out, even though Janlori is one of my friends, that her 
opinion on preemption was not one of the conclusions of the 
working group, that that is her personal opinion, and the 
working group did not reach that conclusion.
    Dr. Smith. When you limit research to just within a 
particular State because that is the only place you can get 
permission to do that research, you have a tremendous problem 
with generalizability. In other words, is it generalizable to 
other sections of the country, are there enough patients with 
that disorder or that particular issue within that particular 
State. So the idea of being able to move beyond State 
boundaries is very important. In order to have an informed 
health policy, this not only relates to specific diseases, but 
it relates to the economics of health care, it relates to how 
we improve our health care system, it relates to how we pay for 
it, how we monitor it. It is a very broad issue, and that is 
why we need a strong Federal law.
    Mr. Jenkins. I think the truth may be also that the 
patchwork of laws may appear to be stronger in some instances 
as related there, but that may be a theoretical protection only 
if the laws are such patchwork that it is difficult to discern 
them, and that a strong national framework would, in practice, 
be actually stronger, even though an editor or writer of an 
article like that might find it had been a reduction.
    Mrs. Johnson of Connecticut. My understanding is the 
administration has not recommended overriding State law, just 
creating a floor. Do all of you agree that is the right thing?
    Mr. Jenkins. No, I don't. I think it is an area where we 
are so fluid as a nation now in this health care area, that we 
need a set of rules that is standardized and we need to be able 
to follow them.
    Mr. Clayton. I would, however, agree with Janlori, at least 
one idea, and I am thinking on my feet now. When a State 
mandates a certain data collection they are doing as a State, 
they might be able to have rules that pertain to that database.
    What we are against is the State regulating the use of 
health care information in the normal operation of delivering 
health care; if there were a certain database that was required 
just in one State, there could certainly be a law concerning 
that State-mandated database, but not one that is in the normal 
operation of delivering health care.
    So you might, following up on their suggestion, exempt 
specific types of databases, but not the ones that a physician 
or a nurse would be using in her general practice.
    Mrs. Johnson of Connecticut. Would you differentiate 
between patient-identified information and nonidentified 
information?
    Mr. Clayton. We definitely should differentiate and use, 
according to the need, legitimate need, for when it has to be 
identified.
    Mrs. Johnson of Connecticut. Mr. Kleczka.
    Mr. Kleczka. Mr. Jenkins, does your organization support a 
Patients' Bill of Rights that covers all health consumers in 
the country, or only those consumers that the Federal 
Government has control of or regulation over?
    Mr. Jenkins. We support rules that apply to the private 
plans, as well as the government plans, yes, sir.
    Mr. Kleczka. So you would support a Patients' Bill of 
Rights covering all 150-plus health care consumers, not only 
the ERISA plan consumers?
    Mr. Jenkins. I am not sure of the position of the 
association on that. I better defer in speaking.
    Mr. Kleczka. I am trying to see if you share my problem 
with inconsistency on States rights. That is what I am trying 
to ascertain.
    Mr. Jenkins. I think Mr. Thomas pointed out there are 
situations where, and I agree with his statement, there are 
situations where a full preemption is appropriate.
    Mr. Kleczka. I know your position on privacy legislation. I 
am asking your position on the Patients' Bill of Rights. There 
is a controversy in the Senate over whether or not to have the 
States control plans through their insurance commissioners' 
officers, and only have Congress deal with the federally 
controlled plans for the Patients' Bill of Rights.
    Mr. Jenkins. My Association didn't take a position on that.
    Mr. Kleczka. I think you have a note coming forward on 
that.
    Mr. Jenkins. On the Patients' Bill of Rights, the 
association supported the ERISA plan's approach that the Senate 
took. That is a note from the association staff.
    Mr. Kleczka. That indicates to me that on managed care 
reform you are letting the States govern. When it comes to 
health care privacy, the States don't know what they are doing 
and we should preempt them and the almighty Fed should 
regulate.
    Mr. Jenkins. I don't think it is a matter of them not 
having the knowledge. There are good people who are on 
different sides of this issue at various points and decisions 
can and must be made.
    Mr. Kleczka. As a former State legislator and one from a 
State which has some exemplary protections in the medical 
records area, I think State legislators and the Governor should 
have the right to provide and afford protection to any degree 
for their consumers. I don't think the national interests 
outweigh that to the extent which some of you folks on this 
panel and some on the other panel would dictate.
    Mr. Jenkins. I understand that, sir.
    Mr. Kleczka. Let me ask Dr. Clayton, who do you believe 
owns the medical records? Is it the health care provider or do 
you think that the patient is the owner of those records?
    Mr. Clayton. Most of us in the field don't believe anybody 
owns the record. We are stewards. We act as the steward of that 
information, but nobody has really established who really owns 
it.
    Mr. Kleczka. So I as the health care patient have no direct 
ownership or claim to those records?
    Mr. Clayton. I think what----.
    Mr. Kleczka. Even though I paid for them in part or at 
times in total, if I don't have insurance?
    Mr. Clayton. What most laws that are being proposed say is 
that the patient has the right to look at those records, know 
that those records exist. That is fair information practice. 
Whether they can say they own them and then physically remove 
them from a doctor's office, I don't think anyone would 
maintain that is true.
    Mr. Kleczka. Maybe I don't own them, but I do have some 
control over them?
    Mr. Clayton. If you own them, you can retrieve the 
property. But in this case you cannot retrieve it, which 
indicates to me you don't really have title. It has been a 
sticky issue that has a lot of case law, and most people agree 
that we are stewards of the records.
    Mr. Kleczka. You are the health care provider. I am the 
patient, OK. Do you think I have the right to make judgments as 
to who should see those records? Basically an opt in, not an 
opt out.
    Mr. Clayton. I think if you wish to receive care and have 
someone pay for that care, you need to be able to let the 
people who are providing care have access to the information 
they need to provide that care.
    Mr. Kleczka. For specific purposes, not for any and every 
purpose.
    Mr. Clayton. That is why I said in my statement that we 
strongly want to restrict the scope through policies. For 
example, an x-ray technician should have no information except 
the radiology results. A billing clerk who you call on the 
phone to complain, ``Why is my pharmacy bill so large? '' needs 
to see what medications you are on. They may need to see what 
laboratory tests you took to answer your complaint about how 
large the bill was. But they don't need to see the results of 
those tests.
    So we go through, we have at Columbian Presbyterian, three 
different categories of people and have listed them under what 
circumstances that person is in and what geographic location. 
In other words, if you are in the emergency room, a nurse could 
see more than if the nurse was at the nursing floor. So you 
restrict the scope of access to what is the legitimate need to 
know.
    Mr. Kleczka. That access is all pretty relevant to the 
course of business, and unless somebody is just a snoop, I 
don't see that much of a problem. The problem occurs when 
either the health care provider or some attendant group wants 
to give medical information to a third party or a fourth party, 
or when a doctor is selling patient information for a clinical 
drug trial where the physician receives rather substantial sums 
as payment for disseminating the names of patients.
    Mr. Clayton. I think when you are using it for research, 
then it has to go through an accredited body that will 
determine need--so you don't just give information. Right now 
you can, because there is no law. If you make it law, then you 
will prescribe the ways in which we can divulge knowledge that 
information.
    Mr. Kleczka. Let me ask any of the panelists, what was your 
reaction to the drugstore chain in Washington selling lists of 
customers and the drugs they were prescribed to a competing 
drug manufacturer.
    Mr. Clayton. Absolutely abhorrent.
    Mr. Kleczka. You can say it happened because of the absence 
of any medical privacy laws. What is your reaction to that?
    Mr. Clayton. Should be illegal.
    Mr. Smith. In my opinion, it is immoral, unethical, and 
should be illegal.
    Ms. Goldman. One of the wonderful things about that case is 
right after it became public, that many drugstores were making 
this information available, people around the country went 
crazy. It was a tremendous outcry and uproar. There was article 
after article, and the chain drugstores that were responsible 
for this immediately eliminated the program. They didn't fix 
it, they didn't try to retool it in some way. They were doing 
it without patient knowledge, without their consent, and they 
eliminated the program. There are a couple of lawsuits ongoing 
on this right now.
    Mr. Jenkins. The same feeling here.
    Mr. Kleczka. I don't think it is only a question of privacy 
for medical records, it is the entire question of privacy from 
the dissemination of Social Security numbers and medical 
records. We all know that Social Security number release leads 
to identity fraud. We have a Federal statute on that now. There 
is heightened public awareness in this whole issue. That is why 
when we discussed a banking bill, the big contentious issue on 
the floor of the House was the privacy provision in that bill.
    Someone got up and said, we did this bill 2 years ago. Why 
wasn't privacy a big issue then? Because even though some of us 
were talking about it then, the public is now becoming more 
aware of it. You take any poll and 85 to 95 percent of the 
people say it is a big issue.
    During my last campaign, I did a poll. We asked people 
about Medicare and Social Security. We also asked about 
privacy, because I had an interest in it. That scored the 
highest of constituent interest in my district.
    So, folks, if you think this is going to go away or we are 
going to be able to preempt States, I don't think we will get 
away with it. The public is irritated to the point now where 
politicians like yourselves should be listening.
    I have to agree with the lady from Connecticut. Are we too 
late? Is the horse out of the barn? The Internet is there. I am 
frustrated, nervous and scared. We have to do something. We 
can't let it go on. It is going to get, as they say in some 
parts of the country, worser. We don't want it to get worser. 
We want it to get more better.
    Mr. Clayton. Everybody strongly argued that there needs to 
be strong penalties and strong legislation. Not one of us would 
disagree with that.
    Mr. Kleczka. Thank you.
    Mrs. Johnson of Connecticut. Thank you. I did want to just 
add for the record that the legislation for the patient 
protection that Mr. Thomas helped write and he and I both voted 
for did apply to all health plans, unlike the Senate bill. So I 
wouldn't want to have any misinformation out there on that 
score.
    I do thank you all for your testimony. This is certainly a 
very difficult area and a very important one. We look forward 
to working with you and the administration to see if we can't 
get a bill that we can move through with some agreement on the 
difficult issues it poses.
    Thank you.
    [Whereupon, at 5:45 p.m., the hearing was adjourned.]
    [Submissions for the record follow:]

                              American Association of      
                                 Occupational Health Nurses
                                     Atlanta, GA 30341-4146
                                                      July 27, 1999
Committee on Ways and Means
U.S. House of Representatives
Subcommittee on Health
1102 Longworth House Office Building
Washington, D.C. 20515-6349

    The American Association of Occupational Health Nurses, Inc. 
(``AAOHN'') appreciates the opportunity to submit written testimony to 
the House Ways and Means Committee for the hearing record on the matter 
of confidentiality of personal health care information. Our primary 
purpose in submitting these comments is to urge Congress, in the 
strongest terms, to enact comprehensive medical records confidentiality 
legislation. We believe that for any medical record privacy bill to be 
truly meaningful, Congress must craft legislation that will ensure that 
all medical records are protected under the law regardless of the mode 
of payment or the setting where the health information is obtained or 
maintained.
    AAOHN is the professional association for more than 12,000 
occupational and environmental health nurses who provide on-the-job 
health care for the nation's workers. Occupational health nurses are 
the largest group of health care providers at the worksite. AAOHN has 
had a long-standing involvement in the confidentiality of health 
information debate and continues to work vigorously to ensure that 
employee medical records created and maintained at the worksite or any 
occupational health clinic are protected from improper disclosure.
    Personal health information generated or maintained at the 
workplace or in connection with an individual's employment is as 
personal and sensitive as that collected in more traditionally thought 
of health care settings, and therefore, must be extended the same 
confidentiality protections. AAOHN trusts Congress recognizes the high 
degree of public concern about the very real potential for employment 
discrimination based on health information. Worksite health records 
frequently document medical and/or health surveillance activities, pre-
job placement and fitness-to-work physical examinations, and employee 
assistance program assessments, as well as information collected 
through voluntary worksite wellness programs. Clearly, such 
information, if improperly disclosed, may be used in ways harmful to an 
individual's interests.

     A. Balancing Individual Employee Privacy with Employers Needs

    Indeed, AAOHN maintains that an individual employee's right to 
privacy must be balanced with employers' legitimate need for certain 
personal health information when considering fitness to work, workplace 
safety, workers' compensation benefits, disability job accommodations, 
or some employer-sponsored benefits. Employers must be permitted to 
fulfill their obligations under laws such as the Americans with 
Disabilities Act, the Family Medical Leave Act, and the Occupational 
Safety and Health Act, but employers need not be granted unfettered 
access to an employee's entire medical record to meet these legal 
requirements.
    It is well documented that employers often inappropriately use 
employees' personal health information in making personnel decisions. 
For example, a 1996 research study by the University of Illinois 
revealed that at least one-third of the Fortune 500 company respondents 
admitted using employee medical records in making employment-related 
decisions.\1\ Furthermore, AAOHN members can attest that they are often 
pressured by employers to release a worker's entire medical record or 
to divulge unnecessary personal health information of employees.\2\
---------------------------------------------------------------------------
    \1\ David F. Linowes, Privacy in the Workplace, University of 
Illinois at Urbana-Champaign, April 1996 (copy on file with AAOHN).
    \2\ See, e.g., Health Care Information Confidentiality: Hearings 
Before the Committee on Labor and Human Resources of the United States 
Senate, 105th Cong. (Feb. 26, 1998) (oral and written testimony of 
AAOHN).
---------------------------------------------------------------------------

                B. Goals of Federal Privacy Legislation

    Federal legislation can protect individual privacy and meet 
employers' legitimate needs for some employee protected health 
information (``PHI'') if it includes safeguards that (1) limit the 
scope of individually identifiable PHI disclosed to an employer to that 
information necessary to answer a legitimate workplace health-related 
question and (2) create firewalls restricting access to employees' raw 
medical record by officers, management, and other employees responsible 
for personnel decision-making. It is essential to recognize that it is 
the health care provider, not an employer's administrative, human 
resource, or management personnel, who is the professional qualified to 
interpret medical data and determine what information is relevant for a 
particular health situation and should be disclosed. For example, AAOHN 
unequivocally believes that in cases of fitness-to-work examinations 
(e.g., medical surveillance records, health screening, return-to-work 
physical records) health care professionals should provide the employer 
with a written medical determination of an employee's health status 
based upon the medical record rather than handing the employer the 
actual record itself. Any employer entity would be hard-pressed to 
assert that its administrative, human resource or management personnel 
have the requisite qualifications to render a medical judgement as to 
the health of an employee based on their review of a medical record.
    Limiting the amount of PHI an employer may learn about his or her 
employee is not a novel or untested approach. The ``bloodborne 
pathogens'' regulations issued by the Occupational Safety and Health 
Administration (``OHSA'') explicitly require that such information must 
be kept confidential and ``not disclosed or reported without the 
employee's express written consent to any person within or outside the 
workplace except when required by this section or as may required by 
law.'' \3\ The law also narrows the extent of PHI provided to employers 
to that which is necessary to make a determination regarding work 
fitness. To this end, the regulation states that the ``healthcare 
professional's written opinion . . .shall be limited to whether 
(appropriate treatment) is indicated for an employee, and if the 
employee has received such (appropriate treatment).\4\
---------------------------------------------------------------------------
    \3\ 29 C.F.R. Ch. XVII, Sec.  1910.1030 (1998).
    \4\ Id.
---------------------------------------------------------------------------

                            C. AAOHN Support

    Because of the importance of this issue, AAOHN will only support a 
federal medical records confidentiality bill that ensures worksite 
health records are recognized as PHI and that includes statutory 
language limiting intra-employer use and disclosure of PHI. To date, 
the only House bill including these types of provisions is H.R. 
1941.\5\ The ``Medical Information Protection Act of 1999,'' H.R. 2470, 
introduced by Representative Greenwood does not cover worksite medical 
records. As originally drafted the Greenwood bill contained the same 
protections found in S. 881 introduced by Senator Bennett. 
Nevertheless, Representative Greenwood has stated for the record that 
these safeguards were inadvertently removed in the final version of his 
bill and that it is his intention to do all in his ability to add these 
protections to H.R. 2470.\6\
---------------------------------------------------------------------------
    \5\ Senate bills S. 881 and S. 573 are notable for worksite 
protections.
    \6\ Legislative Hearing Regarding: H.R. 2470--Medical Information 
Protection and Research Enhancement Act of 1999 Before the Subcomm. on 
Health and Environment of the House Committee, 106th Cong. (July 15, 
1999) (opening statement of Rep. Greenwood).
---------------------------------------------------------------------------
    To ensure that worksite health records are recognized as PHI and 
that the special concerns surrounding health information generated or 
maintained at the workplace are covered, AAOHN believes that at a 
minimum the following amendments to H.R. 2470 are critical:
    1. Add the term ``assessment'' to the definition of ``health care'' 
in section 2(6) to ensure that all types of health data generated at 
the worksite are ``protected health information.''
    2. Amend the definition of ``health plan'' to exclude 42 U.S.C. 
Sec.  300gg-91(c)(1)(G), ``coverage for on-site medical clinics,'' from 
the benefits not included within the term ``health plan''
    3. Add new Sec. 201(c):
    (c) APPLICABILITY TO EMPLOYERS.--An employer may use an employee or 
agent to create, receive, or maintain protected health information in 
order to carry out an otherwise lawful activity, provided that

    (i) disclosure of protected employee health information within the 
entity is compatible with the purpose for which the information was 
obtained and limited to the information necessary to accomplish the 
purpose of disclosure and (ii) the employer prohibits the release,

    transfer or communication of the protected health information to 
officers, employees, or agents responsible for making work assignment 
decisions with respect to the subject of the information.
    (1) The determination of what constitutes the information necessary 
to accomplish the purpose for which the information is obtained shall 
be made by a health care provider, except in situations involving 
payment or health plan operations undertaken by the employer.
    AAOHN appreciates the opportunity to offer our comments regarding 
the importance of strong medical records privacy legislation to our 
nation's workers. In summary, effective federal privacy legislation 
must:
    Define PHI broadly enough to include all medical records generated 
or maintained at the worksite or in connection with employment for 
purposes other than for treatment, payment, or health care operations;
    Build barriers designed to restrict intra-entity disclosure in 
order to prevent management misuse of workers' health records without 
jeopardizing a company's ability to operate safely and efficiently; and
    Recognize that the health care professional who creates or 
maintains worksite records is the appropriate person, not employer 
administrative, human resource, or management personnel, to determine 
whether a PHI disclosure is consistent with the purpose for which the 
information was lawfully obtained and limited to the minimum disclosure 
necessary to accomplish the purposes of the disclosure.
    We urge Congress to keep these principles in mind when drafting any 
medical records privacy bill and look forward to working with Members 
of the Committee on Ways and Means on this important issue during the 
days ahead.
      

                                


Statement of American Psychiatric Association

                              Introduction

    APA, a medical specialty society representing 40,000 
psychiatric physicians nationwide, appreciates the opportunity 
to provide a statement for this hearing. We believe patient 
privacy issues are one of the key issues before the Congress, 
and we greatly appreciate the Committee's interest in passing 
medical records privacy legislation.
    As changes in technology and health care delivery have 
outpaced the statutory, common law, and other protections that 
traditionally have ensured patient confidentiality, the level 
of confidentiality enjoyed by patients has eroded dramatically. 
We must seize this valuable opportunity to protect and restore 
needed confidentiality protections.
    But APA also urges you to craft legislation that will avoid 
the unintended consequences of many of the confidentiality 
bills pending before the Congress. Let's give a couple of real 
world examples of the impact of several of these bills on 
patients.
    You go into your doctor's office, and the doctor gives you 
a comprehensive physical. He takes your blood and runs some lab 
tests. Sounds harmless enough. After all you never signed 
anything giving permission for your personal information to be 
broadly used and disclosed. You were never told your medical 
record would be broadly used, and nothing was sent to you. But 
it will be. Your medical records can be used for commercial 
research purposes. Without your consent or knowledge. Your age, 
sex, demographic information, psychiatric status and other 
information can be used for insurance underwriting and other 
broadly and vaguely defined health care operations purposes. 
Again without your consent or knowledge and even though 
aggregate, i.e. non-personally identifiable information would 
suffice. Even the banker reviewing your mortgage application 
can review your medical record without your consent or 
knowledge.
    But certainly you think at least my employer is 
specifically prohibited from gaining access to this 
information. Not true. Several of the major proposals before 
the Congress lack the strong specific protections that are 
needed to insure that supervisory personnel cannot gain 
inappropriate access to your medical record. APA urges 
Committee members to avoid including any provisions in your 
legislation that would allow these disclosures to occur.

                    The Need for Federal Legislation

    APA believes medical records confidentiality is one of the 
most important issues to come before the Committee this year. 
Our medical record, when it relates to conditions as varied as 
high blood pressure, communicable diseases, Alzheimer's 
disease, mental illness and substance abuse, domestic violence, 
sexual assault information, terminal illnesses, HIV/AIDS, 
cancer, eating disorders, sexual function or reproductive 
health issues, as well as many other conditions, is highly 
sensitive.
    But whether or not we are affected by these illnesses, 
medical records privacy issues affect us all. Today's 
comprehensive medical assessments and wellness questionnaires 
can contain questions about patients' sexual behavior, social 
relationships, state of mind, and psychiatric status--even if 
patients are not receiving medical treatment relating to these 
issues. The forms can also contain extensive personal and 
financial information.

     Confidentiality is a Requirement for High Quality Medical Care

    Common sense, the experience of physicians and patients, 
and research data all show that privacy is a critical component 
of quality health care. The sad fact is that the health care 
system has, on occasion, not earned the trust of patients, and 
many patients do not trust the system to keep their information 
confidential. In many cases, the result has been that 
physicians are not able to provide the best possible quality 
care nor reach many individuals in need of care.
    Some patients refrain from seeking medical care or drop out 
of treatment in order to avoid any risk of disclosure. And some 
simply will not provide the full information necessary for 
successful treatment. At other times, physicians are approached 
by patients who ask us not to include certain information in 
their medical record for fear that it will be indiscriminately 
used or disclosed. The result of all these behaviors resulting 
from patients' reasonable concerns is unfortunate. More 
patients do not receive needed care and medical records' data 
that we need for many purposes, such as outcomes research, is 
regrettably tainted in ways that we often cannot measure.
    The solution is not to take short cuts that will further 
deprive patients of their rights. Instead, we must enact into 
law meaningful medical records privacy legislation based on the 
voluntary informed consent of patients and reliance upon the 
fullest possible use of deidentified and aggregate patient 
data. In this way the full advantages of patient privacy as 
well as the benefits of new medical technology can be 
harnessed.
    Informed, voluntary, and non-coerced patient consent prior 
to the use and disclosure of medical records should be the 
foundation of medical records confidentiality legislation. As a 
general principle, we believe that the American Medical 
Association's position--that patient consent should be required 
for disclosure of information in the medical record with 
narrowly drawn and infrequent exceptions permitted for 
overriding public health purposes--is eminently reasonable.

   The Special Sensitivity of Mental Health Information and the U.S. 
                    Supreme Court's Jaffee Decision

    Patients often refrain from entering psychiatric treatment 
because of concerns about confidentiality. Not only do patients 
refrain from telling family members and close friends the 
information they share with their therapist, but some may not 
even tell their family members that they are receiving mental 
health treatment. Often, if the information were disclosed to a 
spouse or an employer it might jeopardize their marriage or 
employment. But even the privacy protection afforded to 
psychotherapy notes has eroded so much in recent years that 
many psychiatrists and other mental health professionals have 
stopped taking notes or take only very abbreviated notes. 
Without the very highest level of confidentiality, patients 
receiving mental health services will be less likely to enter 
treatment and less likely to remain in treatment. Worse yet, if 
confidentiality is not protected, the treatment patients 
receive will be less effective.
    For these and other reasons, the U.S. Supreme Court 
recognized the special status of mental health information in 
its 1996 Jaffee v. Redmond decision and ruled that additional 
protections for mental health information are needed. The Court 
held that ``Effective psychotherapy depends upon an atmosphere 
of confidence and trusta...disclosure of confidential 
communications made during counseling sessions may cause 
embarrassment or disgrace. For this reason the mere possibility 
of disclosure may impede the development of the confidential 
relationship necessary for successful treatment.''
    It is also worth recognizing that the extent of mental 
illness is widespread. According to the World Health 
Organization mental illnesses account for four out of ten of 
the leading causes of disability. APA urges members of this 
committee not only to protect the letter of the Jaffee decision 
but indeed to protect its spirit by including appropriate 
provisions in the legislation.

             Provisions Needed in Congressional Legislation

    It is not our intention to provide a detailed analysis of 
each bill before Congress. Instead, APA would like to recommend 
several key provisions that we believe should guide the 
Committee in its deliberations.
    Preemption. The most important medical records privacy 
issue before the Committee is to insure that stronger state 
medical records privacy laws are preserved and that states' 
ability to enact stronger medical records privacy laws are 
preserved. States have adopted valuable protections for 
patients, including laws limiting the disclosure of pharmacy 
records and laws blocking insurers' access to verbatim 
psychiatric notes. States are also actively considering 
numerous additional medical records proposals. In fact, the 
National Council of State Legislatures estimates that a total 
of 56 medical records confidentiality bills have passed through 
at least one chamber of a state legislature. We must not block 
states' efforts to protect citizens' medical privacy. We 
recommend that the Committee adopt a floor preemption approach, 
allowing stronger state medical records privacy laws to be 
preserved.
    Consent. APA believes three principles should govern 
sections of the legislation concerning authorization and 
consent for disclosure. First, patients themselves should 
decide whether or not personal health information is disclosed. 
Consent before use and disclosure of medical records is 
critically important. This time-tested approach should be 
preserved and strengthened in order to remain meaningful in the 
changing world of health care delivery. In general, whatever 
problems may now exist with confidentiality of health 
information are derived from our failure to observe this 
principle. No one is in a better position than patients 
themselves to identify sensitive information and to determine 
to whom it ought not to be revealed. Those who would alter this 
traditional approach have failed to justify such a radical 
change.
    Second, identifiable personal health information should be 
released only when deidentified data is inadequate for the 
purpose at hand. Third, even when consent has been obtained, 
disclosure should be limited to the least amount of personal 
health information necessary for the purpose at hand. This is 
consistent with our recognition of the importance of protecting 
medical privacy.
    These principles have implications for some of the major 
policy questions regarding authorization of disclosure. For 
patients to retain meaningful control over personal health 
information, prospective consent for routine disclosures of 
identifiable information should be largely limited to 
information needed for treatment and payment purposes. Other 
health care operations can usually be accomplished with 
deidentified data. With such a provision, a strong incentive 
will exist for the use and further enhancement of technology to 
perform a wide array of administrative functions.
    Employee Protections. Millions and millions of Americans 
have great concern about the threat to confidentiality of their 
medical records due to employer access. Whether it is idle 
gossip by individuals with access to medical records, employer 
review of identifiable medical records data, or supervisors' 
inappropriate interest in the personal lives of their employees 
we must protect employees right to medical records privacy. 
Wouldn't most people want to decide if anyone in their company, 
not to mention their supervisor, would know if they obtained 
medical care from a psychiatrist, from a cardiologist, from an 
obstetrician/gynecologist, or from an oncologist? We believe 
that the strong, explicit protections are needed in this area.
    Health Care Operations. APA is very concerned by the 
definition of ``health care operations'' in many of the bills 
before the Congress. Entities providing health care can use and 
disclose this information for ``operations'' purposes, i.e. 
many purposes not directly related to treating a patient or 
performing payment or reimbursement functions. Some of the 
terms that are used to define ``operations'' are quite vague 
and broad and could endanger patient privacy. Do we really want 
to permit patients to be terminated from their health care 
coverage because they don't want their personal records to be 
used for largely commercial functions that can be performed 
with aggregate data?
    Needed Protections for Particularly Sensitive Medical 
Information. As indicated above, especially sensitive 
information, including mental health information needs to 
receive a very high level of protection. Indeed, the U.S. 
Supreme Court itself in its Jaffee decision recognized that 
additional privacy protections, above and beyond those afforded 
to other health information, are needed to insure effective 
psychiatric care. APA believes that in order to promote high 
quality medical care and patient privacy, the Congress should 
pass legislation that provides a level of protection high 
enough so that no class of information needs additional 
protections. However, in the event that the Congress proceeds 
with legislation that does not meet this test, strong 
additional privacy protections will clearly be needed for 
mental health information. Most important among these are 
protections to prevent access by insurers to verbatim 
psychiatric notes.
    Self Pay. If individuals enter into a private contract with 
a physician and pay for those medical services out of their own 
pocket, it is difficult to understand why the government or a 
health plan should compel them to sign a form allowing their 
medical information to be broadly disclosed beyond the 
treatment team. Both liberal members of Congress who support 
personal privacy and members of Congress who support medical 
savings accounts and private contracting under Medicare should 
recognize the importance of strong self-pay provisions in 
medical records confidentiality legislation.
    Protections from Overzealous Actions by Police. APA 
strongly believes that strong protections are required in this 
legislation including a requirement that law enforcement agents 
obtain judicial approval based on a probable cause standard 
before they are granted access to individually identifiable 
medical records. This approach would allow legitimate law 
enforcement investigations to proceed, without unnecessarily 
jeopardizing the privacy of sensitive health information. APA 
further believes that the Committee should incorporate a 
requirement that protected health information obtained pursuant 
to a court order for one investigation should not be used for 
any other investigation, except a secondary investigation 
arising out of or directly related to the original 
investigation. Finally, APA urges that law enforcement agencies 
and officials should be subject to the same requirements for 
protecting individually identifiable health information 
obtained pursuant to a court order as apply to other recipients 
of protected health information, including health providers and 
payers.
    Conclusion
    As physicians, we take an oath first stated by Hippocrates 
that, ``Whatsoever things I see or hear concerning the life of 
men, in my attendance on the sick...I will keep silence 
thereon, counting such things to be as sacred secrets.'' In 
order to make sure that doctor-patient confidentiality 
continues to protect patients in the new millennium, I strongly 
urge the Committee to provide the highest possible level of 
confidentiality in your legislation.
    We thank you for this opportunity and we look forward to 
working with the Committee on these important issues.
      

                                


Statement of American Society of Health-System Pharmacists, Bethesda, 
MD

               Re: Confidentiality of Health Information

    The American Society of Health-System Pharmacists (ASHP) 
supports responsible federal legislation to ensure that 
patients will be comfortable communicating fully with their 
pharmacists, physicians, and other members of the health care 
team, with the knowledge that their sensitive medical 
information will not be disclosed for illegitimate purposes. 
ASHP is the 30,000-member national professional association 
that represents pharmacists who practice in hospitals, health 
maintenance organizations, long-term care facilities, home 
care, and other components of health care systems.
    ASHP believes the patient should have the right to access 
and review his/her medical records, and the ability to correct 
factual errors. Patients should also have the right to know who 
has access to their medical records, and authorize how their 
medical information is or will be used. ASHP recognizes that 
patients view certain medical information to be particularly 
sensitive. Nevertheless, ASHP believes all medical information 
is sensitive and should be treated with the utmost protection.
    ASHP believes that pharmacists must have access to patient 
health records in order to provide quality care and ensure the 
safe use of medications. ASHP also believes that with access to 
the patient's health record comes the pharmacist's professional 
responsibility to safeguard the patient's rights to privacy and 
confidentiality. Within health systems, communication among all 
authorized health care practitioners is to be encouraged and in 
no way restricted, while ensuring patient confidentiality and 
privacy.
    Pharmacists also participate extensively in many clinical 
trials involving drugs. ASHP believes that all clinical trial 
data must be recorded and stored in such a way that the 
subject's rights of privacy and confidentiality are protected. 
Adequate safeguards are already in place to protect a patient's 
health care information during the clinical trial process, 
including the storage and retrieval of data. As part of the 
established process of informed consent, patients receive a 
statement describing who will have access to patient 
identifiable information. This includes personnel from the 
study sponsor or the FDA for compliance purposes as well as 
institutional personnel who audit the information for quality 
or financial integrity.
    ASHP believes that pharmacy residency and other training 
programs must implement policies and procedures to assure the 
confidentiality of patient medical records, while recognizing 
that pharmacy students and residents must have access to 
medical records in the course of their training.
    ASHP believes that in cases where patient information is 
aggregated into a larger population and used for legitimate 
research and statistical measurement, there is no potential for 
a breach of patient confidentiality because it is not uniquely 
identifiable. Therefore, a specific authorization for access to 
this information by individual patients is unnecessary.
    ASHP believes there should be a minimum standard adopted in 
federal law for protection of patient health information.
    ASHP believes that strict governmental protections, with 
appropriate penalties for violations, must be in place to 
preclude the dissemination of patient-identifiable information 
outside of the health system (i.e., to an unauthorized third 
party) for any purposes that do not involve the direct 
provision of patient care or reimbursement. Health systems must 
have written policies and procedures in place to guard against 
the unauthorized collection, use, or disclosure of protected 
health information. Strict governmental penalties including 
criminal sanctions for egregious violations should be 
considered. However, inadvertent infractions with no intent to 
harm should be subject to the health care organization's 
disciplinary process or civil penalties.
    The American Society of Health-System Pharmacists is 
grateful for the opportunity to submit its views in writing on 
the subject of confidentiality of patient medical records. 
Questions regarding ASHP's policy in this area should be 
directed to Ellen C. Evans, Director, Federal Legislative 
Affairs, Government Affairs Division, 301-657-3000 ext. 1326.
      

                                


                                              Minneapolis, MN 55416
                                                     August 1, 1999

A.L. Singleton
Chief of Staff, Committee on Ways and Meams
U.S. House of Representatives
1102 Longworth House Office Building
Washington, DC 20515

    Dear Mr. Singleton:

    Confidentiality of my patient records is so important to me that 
should I feel it is no longer secure, I would think twice before 
receiving medical treatment for a serious illness. Thank you for giving 
me the opportunity to express my concerns to the July 20th hearing on 
medical confidentiality.
    Patients and doctors have a special relationship requiring the 
divulging of confidential information that sometimes even the best of 
friends or family members do not share. There must be trust between the 
doctor and patient to allow for sharing what could be damaging 
information in order to allow timely and appropriate medical care.
    For the integrity of this relationship and the health care system 
in general, it is important that patients have informed, voluntary 
consent prior to the sharing of information. The bills before the House 
and Senate do not protect this right. Rather, they would create a 
federal law allowing researchers, government agencies, law enforcement, 
and managed care organizations to enter my medical records at will. I 
am very uncomfortable with other people reviewing my personal medical 
records without my consent. They would also limit the right of my state 
legislators to enact stronger privacy legislation that Congress enacts.
    As an American, I am entitled to certain rights, including the 
right of protection against unlawful search and seizure by others of my 
personal property. This includes personal information about myself. 
Also, the Nuremberg Code protects me against becoming an unwilling 
research subject.
    Unconsented access to my medical records will not only violate my 
Constitutional rights as a citizen of the United States of America, it 
will leave me vulnerable to employment, insurance, and medical 
discrimination.
    I urge you to truly protect my confidentiality by assuring patient 
consent prior to all medical record access. I also urge you to make the 
research consent form separate from the authorization to treat form and 
that it be made perfectly clear to the patient that their medical care 
is not in jeopardy should they elect NOT to authorize research on there 
medical records.
    The doctor/patient relationship has eroded too much already with 
the induction of managed care into our medical community. As far as I'm 
concerned, medical privacy is the last bastion protecting that 
relationship and guaranteeing quality of care. When you destroy the 
sacred trust between a doctor and her patient, you compromise the 
physician's ability to practice medicine. Further, when patients no 
longer trust their physician, then the whole truth surrounding their 
medical condition will not be forthcoming and your research is tainted 
from the start.
    Please pass REAL medical privacy legislation that is strong on 
protection for the patient, not on protection for the researcher. 
Otherwise, it is guaranteed that PRIVACY will have its day in court.
    Thank you for your time.
            Sincerely,
                                          Joyce E. Anderson
                            Citizen of the United States of America
      

                                


                                           Jefferson City, MO 65109
                                                      July 21, 1999

Mr. A. L. Singleton
Chief of Staff
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, D.C. 20515

    Dear Mr. Singleton:

    Confidentiality of our patient records is very important to us. 
Thank you for giving us the opportunity to lend our comments to the 
July 20th hearing on medical confidentiality.
    We would like to let you know what we, as private law-abiding 
citizens feel it is necessary for you to protect our medical records. 
Really protect it, not just say you tried to protect it, or that you 
thought you protected it.
    First and foremost, no information should be released without our 
informed voluntary consent. There should be no coercion to sign. We 
should not be threatened with denial of care or additional expenses. In 
addition, it should be clearly stated on the consent form who the 
information will go to if we give our consent, and that we can limit 
the list. It should be clearly stated that consent is not required for 
us to receive treatment. It should also be clearly stated that we can 
revoke the consent at any time. The consent should be only for a 
limited period of time. We realize that if the doctor does the billing 
or if we have insurance pay the bill, we have to release information, 
but the information released should be limited to the claim for 
payment. It concerns us that HMOs and insurance companies are creating 
patient profiles with the information they receive. We think that is 
wrong. To get health care should not mean that we must give away all 
the intimate details of our life for someone else to track and sell.
    We also want you to know that we believe that state legislatures 
should not be restricted to whatever law Congress enacts. We want our 
legislators to have the right to protect us to the greatest degree 
possible. Because the federal government's power is limited by the 
Constitution's according to the 10th Amendment, states are given the 
right to make decisions best for their own constituents. The federal 
government and Congress should not try to revoke it.
    We have heard that the federal government and medical researchers 
believe that we should give up our right to privacy for the greater 
good and the public health of all. We also read that officials want us 
to let the police look at our records without our consent. Forcing us 
to display the intimate details of our life to the government and the 
police will not benefit our health. Given our ability to cross match 
data, we're not even sure that our unidentified data is unidentifiable, 
but we would have no problem letting our information be used if it was 
guaranteed that we could not be identified or found.
    If it becomes law for the police, profit hungry researchers, and 
government to get into our records without our consent, we can assure 
you that we no longer will be forthright with our doctors. Just knowing 
the government is going to look willy-nilly through our medical records 
and create databases with our name and information on them will damage 
the relationship we have with our doctor. We're particularly concerned 
that whatever information is collected on us will be used against us. 
Maybe by insurance companies or employers, or regarding certain 
illnesses, by the people who hand out passports and drivers' licenses. 
These are not small issues.
    There are few things more necessary to our freedom than our 
privacy. Imagine having to weigh every word and nuance when we go into 
the doctor. This could bring us into the black market for medical care 
or mental health. We want to trust our doctor, not fear him. He's 
supposed to be there to protect us, not hurt us. Every day, we see 
privacy being taken away. We would like you to help us protect our 
patient and privacy rights when you write this law. We don't care about 
the inconvenience it might make for health plans and researchers. We 
have ourselves to protect. Please keep us in mind.
            Sincerely,
                                 Matthew and Carrie Burcham
      

                                


                       Concerned Parents for Vaccine Safety
                                                    Ely, NV
                                                     August 3, 1999
A.L. Singleton
Chief of Staff
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, DC. 20515

    Dear Members of Congress:

    Please include these written comments as part of the official 
record.
    I am writing to urge all of you to pass legislation which would 
require the written consent of all patients in order to access, share, 
or enter personal medical information into any database. We, Concerned 
Parents for Vaccine Safety, are extremely concerned about the possible 
invasion of medical privacy that is about to take place in the form of 
national databases, etc.
    No one's personal medical information should be entered into ANY 
database without their written permission. Yet this is going on all 
across the country. In Washington state, infants are being entered into 
a database called Child Profile at birth without the parent's 
knowledge, much less consent. This is wrong. The government does not 
have the right to tag and track individuals for any purpose. Medical 
choices are exactly that, choices and are between the individual and 
the physician. These choices as well as other medical information 
should remain between those two parties and no one else without the 
explicit permission of the patient.
    If something is not done soon, we can never go back. Once unique 
personal identifiers are assigned and once we open the flood gates and 
let anyone and everyone have access to private citizens' medical 
information, the sky is the limit for abuse, punishment, and 
discrimination. Please allow the American public to keep what little 
freedom and privacy they have left. Do not allow the creation of unique 
personal identifiers. Do not allow access to personal health 
information to every Tom, Dick and Harry. Do not allow American 
citizens to have their last little bit of privacy violated. Do not 
allow American citizens to be tagged and tracked like a herd of cattle. 
There is no good reason to allow such things to happen. We are all 
individuals with hopes, dreams and lives. We deserve to control our own 
personal health information and we do not deserve to be punished for 
our choices or for heath histories which might leave something to be 
desired. We beg of you, PLEASE PROTECT OUR PRIVACY!!!
            Sincerely,
                                               Dawn Winkler
                                                     Vice President
      

                                

                             Olsson, Frank, and Weeda, P.C.
                                                   Attorneys at Law
                                                     August 3, 1999
The Honorable Bill Thomas
Chairman, Committee on Ways and Means
Subcommittee on Health
United States House of Representatives
Washington, DC. 20515

    Dear Chairman Thomas:

    I am writing to clarify the record of your Subcommittee's July 20, 
1999 hearing regarding confidentiality of health information. At the 
end of the July 20 hearing, a Member of the Subcommittee asked a 
question the premise of which was that last year Washington area drug 
stores sold protected health information to a competing pharmaceutical 
firm. The premise of this question was apparently based on inaccurate 
press reports that were later retracted.
    In a February 15, 1998, front-page story and February 18, 1998 
editorial, the Washington Post asserted that Elensys used patient 
prescription information it received from CVS and Giant for marketing 
purposes and implied that Elensys sold patient prescription information 
to pharmaceutical manufacturers. That is wrong. Elensys does not use 
prescription information for marketing purposes and has never sold, 
given, or provided in any way, private pharmacy customer information to 
any third party.
    Elensys is a small business with 20 employees based out of Woburn, 
Massachusetts. Elensys supports pharmacies in implementing important 
prescription compliance, therapy management, and education programs. By 
contract, all of the services Elensys performs are on behalf of and at 
the direction of the pharmacy. Elensys' contracts with pharmacies 
expressly prohibit Elensys from utilizing confidential prescription 
data for its own internal purposes or sharing the information with 
anyone outside the scope of the agency relationship.
    Elensys is committed to supporting pharmacists in offering 
important healthcare services to their customers. Most importantly, 
Elensys has always protected the privacy of each patient's health 
information.
            Sincerely,
                                     Karen A. Reis, Counsel
                                                      Elensys, Inc.

      

                                


                                     Independence, MO 64055
                                                      July 21, 1999
A. L. Singleton, Chief of Staff
Committee on Ways and Means
US House of Representatives
1102 Longworth House Office Bldg
Washington, DC. 20515

    Dear Mr. Singleton:

    I am interested in protecting patient privacy, preventing 
discrimination, and controlling my own health information.
    Confidentiality of my patient records is very important to me. 
Thank you for giving me the opportunity to lend my comments to the July 
20th hearing on medical confidentiality.
    Patients and doctors have a special relationship requiring the 
divulging of confidential information that sometimes even the best of 
friends or family members do not share. There must be trust between the 
doctor and patient to allow for sharing what could be damaging 
information in order to allow timely and appropriate medical care.
    For the integrity of this relationship and the health care system 
in general it is important that patients have informed voluntary 
consent prior to the sharing of information. The bills before the House 
and Senate do not protect this right. Rather they would create a 
federal law allowing researchers, government agencies, law enforcement, 
and managed care organizations to enter my medical records without my 
authorization. They would also limit the right of my state legislators 
to enact stronger privacy legislation that Congress enacts.
    As an American, I am entitled to certain rights, including the 
right of protection against unlawful search and seizure by others of my 
personal property. This includes personal information about myself. 
Also, the Nuremberg Code protects me against becoming an unwilling 
research subject.
    Unconsented access to my medical records will not only violate my 
Constitutional rights as a citizen, it will leave me vulnerable to 
employment, insurance, and medical discrimination. I urge you to truly 
protect my confidentiality by assuring patient consent prior to all 
medical record access.
            Sincerely,
                                          Sandra K. Greiner

      

                                


Statement of Health Insurance Association of America

    Confidentiality of Health Information
    The Health Insurance Association of America (HIAA) 
appreciates the opportunity to submit a written statement for 
the record for the hearing on ``Courier New'' Confidentiality 
of Health Information ``Courier New'' held on July 20, 1999 by 
the Committee on Ways and Means Subcommittee on Health.
    HIAA is the nation leading advocate for the private, 
market-based health care system. Its more than 269 member 
companies provide health, long-term care, and disability income 
insurance coverage to more than 115 million Americans, and 
offer a range of health care financing products, including 
indemnity health insurance, managed care plans, preferred 
provider organization services, Medicare Supplemental 
(``Medigap'') Insurance, Medicare Select, and Medicare+Choice.
    HIAA member companies have had, and will continue to have, 
strict standards in place for protecting patient medical 
records. In addition, HIAA has been a vocal proponent of the 
need to protect individually identifiable health information 
through balanced federal legislation that protects personal 
health information from public disclosure while ensuring that 
information is available to carry out basis insurance and 
health plan functions.
    Both public and private payers require personal health 
information in order to administer health care benefits. As 
noted by the General Accounting Office (GAO), [p]ersonally 
identifiable information is essential to the Health Care 
Financing Administration (HCFA) day-to-day administration of 
the Medicare Program.'' \1\ Of primary importance is the need 
for public and private payers to use personally identifiable 
patient information to pay billions of health care claims 
annually. Other vital activities that require the use of 
personally identifiable patient information by public and 
private payers are:
---------------------------------------------------------------------------
    \1\ MEDICARE: HCFA Needs to Better Protect Beneficiaries 
Confidential Health Information (GAO/T-HEH--99-172, July 20, 1999).
---------------------------------------------------------------------------
     Determination of eligibility for benefits;
     Determination of risk-adjustment mechanisms;
     Detection and prevention of fraud and abuse; and
     Review appropriateness and quality of care 
received by beneficiaries.
    In its July 20, 1999 testimony, the GAO also noted several 
problems faced by HCFA when there are non-uniform state laws 
for confidentiality of health information. First, if HCFA could 
not receive uniform health information from sources in all 
states, there could be an adverse affect on internal operations 
such as rate setting and quality assurance monitoring. Second, 
barriers to information gathering could affect the ability of 
government analysts to perform public policy analysis and 
health services research because of the burden resulting from 
compliance with various, non-uniform state laws.
    Private payers face similar problems when state 
confidentiality laws are not uniform. The current patchwork of 
state laws relating to patient confidentiality leaves consumers 
with fewer protections in some states than in others. Moreover, 
laws and regulations governing the collection, use, 
transmission, and disclosure of health information reach to the 
heart of the insurance transactional process and thus have a 
major impact on insurers' core business and systems functions. 
These critical functions increasingly are carried out across 
state lines by insurance companies and contractors through the 
use of computerized data transaction systems. Therefore, health 
information confidentiality is an area of insurance law in 
which a significant degree of non-uniformity could impede the 
industry's ability to operate efficiently and meet the demands 
of its customers. The resources that must be devoted to 
compliance with differing state laws in this area can be 
significant. Adding a new layer of federal regulation without 
preemption of existing state confidentiality laws would only 
compound the difficulty. As a result, HIAA would support only 
those pieces of federal legislation that preempted most state 
laws.
    Consumers' concerns over the confidentiality of health 
information must be addressed. At the same time, however, we 
must be careful not to adopt overly prescriptive legislation 
that undermines the ability of the health care industry to 
provide these same consumers with the high quality, affordable 
health care services.
    Health information is the lifeblood of the health care 
system. The days of a patient seeing only a single family 
practitioner have ended. Today, patients obtain care from a 
diverse group of health care practitioners, such as specialists 
and allied health care professionals. In this environment, 
effective care can only be provided through cooperation among 
practitioners who must share (and often communicate about) a 
patient's medical information. As our nation has moved 
increasingly toward a system of integrated care and 
computerized transactions, the free flow of medical information 
becomes even more critical. Accurate, readily available health 
information is vital to determining the best course of 
treatment for a patient, and that is clearly its central and 
most important use.
    Also critical is the use of such information to help ensure 
that basic insurance functions are carried out, such as paying 
claims and preventing fraud and abuse. Finally, health 
information is used for many other purposes: to assure health 
care quality, to help measure health outcomes, and to ensure 
that patients receive preventive services, to name only a few. 
Proposed state and federal confidentiality laws generally 
contain rules affecting health insurers' and health plans' 
claims administration, enrollment and disenrollment processes, 
payment and remittance procedures, referrals and authorization 
certifications, quality improvement and research activities, 
and other areas. As such, they can have a significant impact on 
day-to-day business operations. Therefore, it is critical that 
balanced, responsible federal legislation be enacted that 
provides strong protections for consumers while not placing 
undue regulatory burdens on the private health care system.
    In May 1999, the HIAA Board of Directors adopted formal 
policy supporting the enactment of federal confidentiality 
legislation that contains several important principles:
     Federal standards for confidentiality of patient 
health information.
    As noted above, federal standards ensuring the 
confidentiality of patient health information are critical to 
guaranteeing uniform and consistent treatment of such 
information throughout the country. Congress took important 
steps in the right direction with HIPAA by requiring 
standardized electronic transmission of health care information 
with appropriate security protections. HIAA believes strongly 
that a uniform standard is the only way to avoid a dual-
regulatory environment for medical records. State authority 
should remain paramount over areas of confidentiality that do 
not conflict with national uniformity and consistency, such as 
state reporting requirements for public health and safety 
dangers.
     Strong and consistent confidentiality protections 
for all individually identifiable patient health information.
    HIAA believes that all sensitive, personal health 
information should be kept confidential. Certain types of 
health information or information about illnesses should not be 
singled out legislatively for stronger protection, or weaker 
protections.
     Facilitate appropriate use of patient health 
information and recognize that access to health information is 
helpful to patients and often critical to providing quality 
care.
    Today, most health care services are delivered through some 
form of coordinated or organized system of delivery. As health 
plans, providers, hospitals, purchasers, and others in the 
health care industry continue to design and enter into 
innovative health care delivery arrangements, it is important 
to recognize that appropriate information sharing and use must 
occur within that system to ensure patients receive appropriate 
health care. The trend toward the coordinated delivery of care 
provides greater opportunities to protect confidential patient 
health information, and to ensure such information is used 
appropriately to benefit consumers. Such coordinated systems 
enable improved tracking of an individual's health information 
to better monitor appropriate access to and uses of such 
information.
     Do not impede public and private sector efforts to 
combat health care waste, fraud, and abuse.
    Patient medical information is important to anti-fraud 
activities carried out both by the state and federal 
governments, and by insurers. A 1999 audit by the HHS Office of 
the Inspector General found that Medicare made improper 
payments of over $12 billion in fiscal year 1998 alone, and the 
General Accounting Office has estimated that health care fraud 
accounts for up to 10 percent of national health care spending 
each year.
    Insurance information and patient information are the 
vehicles through which health care fraud is committed. 
Providers cannot falsify claims and medical equipment suppliers 
cannot submit inflated bills without access to patient 
information. At the same time, this information is critical to 
combating fraud, as investigators must depend heavily upon the 
use of medical records to document fraud cases. This does not 
necessarily mean that individually identifiable patient 
information must be publicly disclosed in order to successfully 
investigate and prosecute fraud. But it does mean that fraud 
investigators in both the public and private sectors must 
continue to have access to such information. Thus, when 
developing federal legislation for confidentiality of health 
information, Congress should be mindful that overly 
prescriptive privacy protections might adversely affect health 
care fraud enforcement and ultimately be detrimental to 
consumers.
     Provide fair penalties as a strong deterrent to 
misuse of individually identifiable health information, rather 
than imposing process-oriented regulatory requirements.
    HIAA believes that strong administrative penalties should 
be put in place for those who inappropriately use or disclose 
sensitive, individually identifiable health information. New 
penalties should not be authorized for administrative mistakes 
or errors, but only for material violations that lead to 
demonstrated harm to consumers.
      

                                


Statement of Sue A. Blevins, President, Institute for Health Freedom

    Chairman Thomas and members of the Ways and Means 
Subcommittee on Health:
    Thank you for holding the important hearing on July 20, 
1999 to discuss confidentiality of health information. My name 
is Sue Blevins. I am founder and president of the Institute for 
Health Freedom (IHF), a nonpartisan, nonprofit research center 
dedicated to promoting individual freedom to choose health 
care.
    For nearly three years, Congressional leaders have known 
that they must pass a medical privacy law by August 21, 1999 or 
the Clinton Administration will be handed the authority to 
regulate Americans' medical privacy. The Health Insurance 
Portability and Accountability Act of 1996 mandates that if 
Congress fails to act by the August 21 deadline, then 
regulations governing medical privacy must be promulgated by 
February 2000. The regulations will affect millions of 
individuals across the nation, including patients, doctors, law 
enforcement officials, health insurers, researchers, and 
government agencies.
    Current proposals claiming to make medical information as 
``non-identifiable as possible'' are no guarantee for true 
medical privacy. Can such vague legislation really guarantee 
that researchers won't be able to trace back patients' personal 
information--including genetic and cellular information? With 
efforts to double the current $15 billion federal budget for 
biomedical research, it is apparent that scientists are going 
to need more data to complete research projects. But government 
has no right to allow researchers access to private-paying 
patients' medical information without first obtaining their 
consent.
    The Clinton Administration recently announced that its 
National Bioethics Advisory Commission (NBAC) completed a 
review of the ethical and medical considerations associated 
with human stem cell research. The Administration reports that 
it ``recognizes that human stem cell technology's potential 
medical benefits are compelling and worthy of pursuit, so long 
as the research is conducted according to the highest ethical 
standards. NIH is putting in place guidelines and an oversight 
system that will ensure that the cells are obtained in an 
ethically sound manner.''
    The Institute for Health Freedom urges Congress, the 
Clinton Administration, and the NIH to maintain and enforce 
strong informed consent principles. Research without consent is 
unethical.
      

                                


Statement of LPA, Inc.

    Mr. Chairman and Members of the Subcommittee:
    Thank you for allowing us to present our views to your 
Subcommittee regarding medical privacy legislation. LPA, Inc., 
formerly the Labor Policy Association, is a public policy 
advocacy organization representing senior human resource 
executives of more than 250 of the largest corporations doing 
business in the United States. LPA's purpose is to ensure that 
U.S. employment policy supports the competitive goals of its 
member companies and their employees. LPA member companies 
employ more than 12 million employees, or 12 percent of the 
private sector workforce.
    While there are numerous issues in the medical privacy area 
where we share the concerns of others within the business 
community, LPA's primary concern deals with the ability of 
employers to make critical human resource decisions that serve 
the interests of employees and the public at large. The 
principle at stake is whether employers, primarily through 
fitness-for-duty testing and drug testing, may ensure that 
employees are not only capable of performing the functions of 
their position but also that, in doing so, they do not pose a 
threat to themselves, their co-employees, or the public at 
large. This concern goes well beyond the bottom-line interests 
of the employer.
    Moreover, we urge the Subcommittee not to overlook the 
substantial protections that already exist under current law to 
ensure that employers do not abuse this responsibility. First 
and foremost, almost ten years ago, the Congress enacted 
sweeping legislation--the Americans With Disabilities Act 
(ADA)--that establishes substantial protections for employees 
regarding employment decisions based on their physical and 
mental capabilities. As part of those protections, the law 
imposes carefully crafted restrictions on what employers can 
ask and how they can use medical information about applicants 
and employees.
    Mr. Chairman, we appreciate the work your staff has done to 
learn about these issues as it drafted your version of medical 
privacy legislation. We look forward to working with them 
further to ensure that final legislation allows employers to 
meet their obligations to employees and others under current 
labor and employment laws.
    The Executive Branch has not been as responsive. In her 
September 1996 testimony before Congress, Secretary of Health 
and Human Services Donna Shalala spoke at great length about 
the need for specific and far-reaching protections for the 
personal health information of patients. However, the 
Secretary's testimony gave far less attention to the very 
legitimate need of employers for health information for the 
purposes of ensuring a safe and efficient workplace and 
complying with existing law.
    Under legislation previously introduced in the House--H.R. 
1057 and S. 573, the ``Medical Information Privacy and Security 
Act,'' H.R. 1941, the ``Health Information Privacy Act,'' H.R. 
2404, the ``Personal Medical Information Protection Act of 
1999,'' and H.R. 2470, the ``Medical Information Protection and 
Research Enhancement Act of 1999''--and in the Senate--S. 578, 
the ``Health Care Personal Information and Nondisclosure Act of 
1999'' and S. 881, the ``Medical Information Protection Act of 
1999''--the impact on these restrictions would be, at best, 
unclear. At worst, the careful balance in the ADA between the 
individual employee's interests and those of his or her co-
employees, the employer and the public would be completely 
undermined. A similar analysis applies to drug testing which, 
in many instances, employers are required or encouraged to 
perform by law.
    Since these employer activities have never been the focus 
of the medical privacy debate, we do not believe the supporters 
of medical privacy legislation would intend to disrupt them. 
Instead, it is our sense that, in the rush to enact legislation 
by the August 1999 deadline, the Congress is still gathering 
information about all the various endeavors that could be 
affected, and this is an impact that has not been fully 
considered. Indeed, after raising these concerns with the 
Senate Committee on Health, Education, Labor and Pensions, the 
medical privacy legislation currently under consideration by 
the Committee now protects these employer activities.
    Therefore, it is our purpose today to provide you with the 
necessary information to assist you in crafting legislation 
that does not pose a threat to the ability of employers to 
protect their own employees as well as the public at large.

                    Drug and Fitness for Duty Tests

    Many jobs require certain levels of physical and/or mental 
competencies. Fitness for duty examinations allow employers to 
determine whether an individual can perform the essential 
functions of the job and, if they are not able to because of a 
disability, whether a reasonable accommodation can be made to 
enable them to perform those functions.
    The Equal Employment Opportunity Commission, in its January 
1992 ``Technical Assistance Manual on the Employment Provisions 
(Title I) of the Americans With Disabilities Act,'' provides 
several examples of fitness tests, all of which are consistent 
with the ADA's protections:
     ensuring that ``prospective construction crane 
operators do not have disabilities such as uncontrolled 
seizures that would pose a significant risk to other workers;''
     testing of workers in certain health care jobs 
``to ensure they do not have a current contagious disease or 
infection that would pose a significant risk of transmission to 
others;'' and
     ensuring that an individual considered for a 
position operating power saws or other dangerous equipment is 
not someone ``disabled by narcolepsy who frequently and 
unexpectedly loses consciousness.''
    In addition to fitness for duty tests, many employers 
implement drug testing of prospective and current employees. 
Workplace drug testing, as part of a drug-free workplace 
policy, has proven extremely effective in reducing work-related 
accidents. In the 1980s, many companies implemented these 
programs and began experiencing immediate positive results in 
their health and safety records. Many of these were described 
in a 1989 study by the Employment Policy Foundation entitled 
``Winning the War on Drugs: The Role of Workplace Testing'':
     Southern Pacific Transportation Co. first 
implemented its drug testing program in 1984. According to the 
company, personal injuries per 200,000 employee hours worked 
dropped from 15.6 in 1983 to 6.5 in 1988. Train accidents 
attributable to human failure dropped from 911 incidents in 
1983 to 96 in 1988.
     Pacific Gas and Electric Co. enjoyed a 25% 
reduction in accidents and a 40% decrease in serious injuries 
after it implemented its pre-employment screening program, 
designed to alert the company to drug-using job applicants.
     Illinois Bell reported saving $459,000 in reduced 
absences, accidents and medical disability resulting from a 
rehabilitation program in which drug-using employees were 
enrolled.
    Because of the success of programs like these, testing in 
some industries is now even required by law, such as the 
mandatory drug testing programs for commercial drivers required 
by the Omnibus Transportation Employee Testing Act of 1991. 
Even where drug testing is not required, it is often 
encouraged. Thus, the Drug-Free Workplace Act of 1988 requires 
all federal contractors with contracts of at least $25,000 to 
certify that they are providing a drug-free workplace, at the 
risk of contract debarment if they fail to do so. Many 
contractors are able to provide this certification as a result 
of their drug testing programs.

                   Application of Pending Legislation

    None of the bills introduced so far in the 106th Congress 
contain specific provisions dealing with fitness for duty tests 
or drug testing. However, it seems clear that the broad 
definitions of ``protected health information'' (PHI) under the 
various bills would encompass the data obtained from those 
tests, since PHI includes all information that relates to the 
``past, present or future physical or mental health or 
condition of an individual'' that is ``created or received 
by,'' among others, an employer.
    The bills require that employers obtain a separate 
authorization from an employee before receiving such protected 
health information. If the employee refuses to provide the 
authorization, the employer is forbidden from viewing the 
results of those tests. This is specifically stated in Section 
203 of H.R. 1057 and S. 573 which provides that an employer, 
health plan, health or life insurers, or providers ``may not 
disclose protected health information to any employees or 
agents who are responsible for making employment, work 
assignment, or other personnel decisions with respect to the 
subject of the information without a separate authorization 
permitting such disclosure.'' Section 103 of H.R. 1941 provides 
that employers may not require an authorization of disclosure 
of protected health information as a condition of providing or 
paying for health care.
    The requirement for an authorization in these instances is, 
of itself, not problematic, as long as the employer may take 
appropriate action where the employee or applicant fails to 
provide the authorization. Thus, if a job applicant takes a 
mandatory fitness for duty test, but refuses to authorize 
disclosure of the results to the employer, the employer should 
be able to refuse to hire the individual on that basis, or else 
the test is no longer mandatory.
    Two of the bills--H.R. 1057 and S. 573--generally require 
employers to provide written notice to their employees of, 
among other things: ``The right of an individual not to have 
employment or the receipt of services conditioned upon the 
execution by the individual of an authorization for 
disclosure.'' This is the only place in the bills where this 
right is mentioned, but if the bills do indeed create such a 
right and become law, then an employer would violate the law by 
refusing to hire an individual who failed to authorize the 
release of the results of a drug or fitness for duty test.
    We believe that Congress has no inclination to prevent 
employer practices designed to protect the health and safety 
interests of their employees and the public, particularly in 
view of the history of strong congressional support for drug 
testing programs. Thus, we strongly urge this Subcommittee to 
clarify any medical privacy legislation that it considers to 
ensure that mandatory fitness and drug testing can continue to 
exist.

              Relationship of Legislation to Existing Laws

    A broader unintended problem is the failure to contemplate 
the interaction with other laws which may not comprehensively 
regulate disclosure of individual medical information, but 
where that information is implicated in the compliance with 
those laws. In particular, the ability of employers to comply 
with both the Americans with Disabilities Act (ADA) and the 
Family and Medical Leave Act (FMLA) could be substantially 
impaired. 
    Americans with Disabilities Act. Under the Americans with 
Disabilities Act, employers are already substantially regulated 
as to when they can require medical exams of, or request 
medical information from individuals; what they can examine or 
ask them for; and what employment decisions are permissible 
once medical information concerning the individual is acquired. 
An employer is generally prohibited from discriminating against 
a ``qualified individual with a disability,'' which means a 
disabled individual who can perform the ``essential functions 
of the job'' with or without a ``reasonable accommodation.''
    The ADA rightfully recognizes that the employer must have 
access to a certain amount of medical information about 
employees and prospective employees. Under Section 102 of the 
ADA, employers have the right to require a medical examination 
after an offer of employment has been made and prior to the 
commencement of employment. If, during the medical examination, 
the doctor discovers a condition that may affect the person's 
ability to do the job, the employer still must go through the 
``reasonable accommodation process'' to determine whether the 
individual could do the essential functions of the job with 
reasonable accommodation. Once the individual has been hired, 
the employer may not require medical examinations unless they 
are ``job-related and consistent with business necessity.''
    Meanwhile, the ADA limits the amount of medical information 
that can be obtained during employment to that information 
which is job-related and consistent with business necessity. 
Strict confidentiality requirements apply to the information. 
During the hiring process, the employer may share medical 
information only with decision makers with a ``need to know'' 
the information. Even an employee's supervisor and manager are 
not entitled to any medical information beyond what limitations 
the employee has to do the particular job. Thus, the ADA 
already protects against any improper use of critical medical 
data by the employer.
    Yet, the data obtained consistent with ADA requirements 
would clearly constitute protected health information under 
legislation introduced so far. Thus, even though the employer 
would have a right to access the data under the ADA, a new 
authorization requirement would be superimposed and employers 
could be forbidden from viewing the results of medical exams 
taken to detect or confirm the existence of a disability that 
could affect the ability of an employee to do his or her job 
competently and safely. While H.R. 1941 provides explicitly 
that it shall not preempt the Americans with Disabilities Act, 
the disclosure requirements in the bill make compliance with 
the ADA potentially problematic.
    Family and Medical Leave Act. Under the Family and Medical 
Leave Act (FMLA), employees are guaranteed a right to up to 
twelve weeks of leave annually for a serious medical condition. 
Under Section 103 of the FMLA, employees who wish to use FMLA 
medical leave can be required by their employer to provide a 
certification issued by a health care provider that discloses, 
in part:
     the date on which the employee's ``serious medical 
condition'' began;
     the probable duration of the condition;
     the ``appropriate medical facts within the 
knowledge of the health care provider'' regarding the 
condition; and
     a statement that the employee is unable to 
``perform the functions of the position.''
    Clearly, most or all of the information contained in the 
medical certification would meet the definition of protected 
health information under all the proposed bills, and would 
therefore be covered by the requirements of those bills. Thus, 
for the employer to receive the certification, the employee 
would have to provide the requisite authorization. Since the 
employer may, under the FMLA, deny leave for an alleged serious 
medical condition where no certification is provided, could an 
employee argue that his or her consent was coerced in this 
situation and thus not valid? This issue must be clarified in 
the legislation.

                               Conclusion

    In conclusion, we believe it is extremely important that 
any legislation crafted by your Subcommittee in this area 
recognize the critical role played by medical information in 
enabling employers to provide necessary protections to their 
employees as well as the general public. These protections are 
provided within a framework of existing laws that were 
carefully crafted to achieve a balance between the competing 
interests of the individual employee, his or her co-employees, 
the employer and the public. A dismantling of this framework, 
whether intended or not, would be disastrous.
      

                                


Statement of National Association of Health Underwriters, Arlington, VA

    The National Association of Health Underwriters is an 
association of insurance professionals involved in the sale and 
service of health insurance, long-term care insurance, and 
related products, serving the insurance needs of over 100 
million Americans. We have almost 16,000 members around the 
country. We appreciate this opportunity to present our comments 
regarding confidentiality of health information.
    THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 
1996 (HIPAA), called for Congress to pass legislation to 
protect the confidentiality of patient medical records no later 
than August 1, 1999. Should Congress fail to act, HIPAA 
requires the Department of Health and Human Services to write 
regulations by February 2000. While there is general agreement 
on the need for such legislation, it is clear that absolute 
confidentiality may be unobtainable, and that a balance must be 
achieved between a person's reasonable desire and expectation 
of confidentiality, and a payer's right and duty to know what 
they are paying for.
    Technological advances have vastly improved the ability of 
providers to track patient care and outcomes, develop disease 
management programs, and exchange information with other 
providers to improve patient care. These same advances have 
enabled payers and providers to exchange information quickly to 
improve the speed and accuracy of claims payment. These 
technological advances combined with new medical advances in 
the treatment, and prevention of disease have changed and 
improved the way medical care is delivered in the United 
States. When these changes are combined with a now highly 
mobile society, it becomes clear that the picture of a person's 
medical records being stored only in the family physician's 
locked filing cabinet is a thing of the past.
    In spite of these changes, NAHU believes that individuals 
should have an expectation of confidentiality with respect to 
their personal health information and records. A patient who is 
fearful that his or her medical records might be disclosed 
without authorization to a third party may withhold medical 
information, give false information, or simply not seek 
treatment for his or her medical condition, resulting in a lack 
of proper medical treatment, the wrong treatment or no 
treatment at all.
    NAHU believes that individuals have certain rights with 
respect to their medical records. Individuals should be able to 
inspect or copy their medical records, to request an amendment 
to their medical records, and to have a written copy of any 
disagreement they have with the content of their medical 
records be listed as a permanent part of their medical file, if 
their request for amendment is denied.
    Health plans, health care providers, public health 
agencies, researchers, schools, and others who must collect 
certain medical information should retain on file an 
authorization for the release of medical information. This 
authorization allows disclosure of only the medical information 
necessary to accomplish the purpose for which it is disclosed.
    Some groups have called for specialized confidentiality 
standards on certain ``specially protected'' portions of a 
person's medical records, such as information on genetic 
testing, mental health history, or HIV status. NAHU is opposed 
to this separation of records for two reasons. First, this 
approach focuses attention away from the importance of 
protecting the entire medical record. It is important to note 
that different individuals have differing ideas about which 
parts of their medical records are most sensitive. One person 
may be most sensitive about the results of a genetic test, 
while another may be concerned about a record of cosmetic 
surgery. It is impossible for us to know what each person would 
choose to keep in a ``super secret'' file, if they had the 
choice.
    Our second concern relates to the practical aspect of 
keeping two sets of files. For NAHU's members, for example, 
copies of applications are retained for individuals as well as 
employer groups that apply for coverage. On small employer 
plans, individual employees also complete medical 
questionnaires. So agents may actually have these records on 
each of 50 employees for each of the employer groups they 
service, in addition to those of all of the individuals who 
apply for coverage. Depending on what Congress decided would be 
kept in which file, not only would our members have to 
duplicate each file, but they would have to re-screen each 
application and block out information which could not be 
retained in the standard file. This merely describes the 
process for insurance agents, which handle the initial 
paperwork on an insurance application. Insurance companies 
would be required to do the same thing. Doctors would have to 
complete two different medical records, and shift back and 
forth between both records. All other providers would be 
required to do the same thing. Not only would the chance for 
errors in the delivery of medical care increase dramatically, 
it would greatly increase the cost of delivery of health care. 
For these reasons, NAHU cannot support a confidentiality 
proposal that calls for dual record keeping and disclosure 
requirements.
    Thirty-four states currently have some form of 
confidentiality standards that have been enacted at the state 
level. Secretary Shalala and some others have suggested that 
new federal standards should be a ``floor,'' allowing the 
states to adopt more stringent standards. Many others believe 
that the interstate way medical care is delivered in today's 
society, the cost implications of fifty separate sets of 
standards, and the potential confusion for providers and 
payers, especially those which operate on or near state lines, 
call for a uniform system nationwide. Confidentiality standards 
are different from insurance regulations, in that they impact 
doctors, labs, clinics, hospitals, ambulatory facilities, 
nursing homes, researchers, and law enforcement officials, in 
addition to insurance companies, insurance agents, HMOs, and 
other health plans. In order to truly protect patients, it is 
important to be absolutely certain that there is no 
misunderstanding as to the provisions of new confidentiality 
standards. NAHU believes that a uniform national system would 
be more easily understood by patients, providers, and payers, 
and that a single uniform system would be more cost effective. 
NAHU supports state enforcement authority of these uniform 
standards.
    NAHU has serious concerns about initiatives that would call 
for a private right of action for breaches of confidentiality. 
Particularly if state laws are not preempted, the complexities 
of confidentiality legislation, and the different rules in 
states that already exist for different types of medical 
information greatly enhance the opportunity for accidental non-
compliance. Legal action is expensive, and the cost will 
directly affect the cost of health care plans and the premiums 
people pay for their insurance. If plans become unaffordable, 
the ranks of the uninsured will increase.
    NAHU recognizes that, while medical researchers may 
generally not require individually identifiable health 
information, there have been many occasions where it served the 
public health interest to be able to access individual 
information, for example, when discoveries have been made 
relative to dangers associated with certain medications. NAHU 
believes that researchers subject to peer review should 
continue to have the opportunity to advise participants in 
clinical trials or their physicians of these types of negative 
findings.
    Finally, NAHU acknowledges that law enforcement may have a 
legitimate use for medical records where an authorization for 
disclosure has not been made, for example, in the lawful 
interest of public safety when investigating a felony. NAHU 
believes, however, that these uses should be the exception and 
not the rule, and that specific requirements for their use 
should be laid out in legislation, to ensure only appropriate 
release of information.
    NAHU believes that the American consumer will benefit 
greatly from reasonable and understandable standards for the 
protection of the confidentiality of medical records. These 
important protections will make for a healthier America by 
restoring confidence and trust in the confidentiality of the 
patient/provider relationship. NAHU looks forward to working 
with Congress on the passage and implementation of this very 
important legislation.
    We thank you for this opportunity to present testimony to 
the committee. Should you have any questions, please contact 
NAHU's Director of Federal Policy Analysis, Janet Trautwein at 
(703) 276-3806, [email protected].
      

                                


Statement of National Association of Insurance Commissioners, Special 
Committee on Health Insurance

                            I. Introduction

    This testimony is submitted by the National Association of 
Insurance Commissioners' (NAIC) (EX) Special Committee on 
Health Insurance. The NAIC requests that this written testimony 
be submitted as part of the record for the hearing on 
``Confidentiality of Health Information'' held by the Health 
Subcommittee of the House Ways and Means Committee.
    The NAIC, founded in 1871, is the organization of the chief 
insurance regulators from the 50 states, the District of 
Columbia, and four of the U.S. territories. The NAIC's 
objective is to serve the public by assisting state insurance 
regulators in fulfilling their regulatory responsibilities. 
Protection of consumers is the fundamental purpose of insurance 
regulation.
    The NAIC Special Committee on Health Insurance (``Special 
Committee'') is comprised of 46 state insurance regulators. The 
Special Committee was established as a forum to discuss federal 
proposals related to health insurance and to provide technical 
assistance to Congress and the Administration on a nonpartisan 
basis.
    Our testimony focuses on four aspects of the preemption 
issue raised by the current federal health information privacy 
legislation. First, we will discuss the states' recognition of 
the desire for a minimum standard to protect the privacy of 
health information. Second, we will give some examples of what 
the states have done to ensure that health information is kept 
confidential, and discuss the concerns we have about the 
preemption language in the proposed federal legislation and how 
Congress can develop a minimum standard without eliminating 
existing state protections. Third, we will address the need for 
Congress to clarify the scope of any federal health information 
privacy legislation and to develop a way for states to measure 
their laws against any federal standard for compliance. 
Finally, we will discuss the enforcement of privacy laws, which 
may seem to go beyond the issue of preemption, but actually 
gets to the heart of whether Congress should adopt a floor in 
this area or completely preempt the states.

       II. Recognizing the Desire for a Federal Minimum Standard

    As required by the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), Congress must enact privacy 
legislation by August 21, 1999. Should Congress fail to act, 
HIPAA requires the Secretary of Health and Human Services to 
promulgate regulations by February 2000.
    The states, acting through the NAIC, understand the desire 
for minimum standards to protect the privacy of health 
information. A minimum standard in this area is considered 
necessary given that health information is transmitted across 
state and national boundaries. The transmission of health 
information, as opposed to the delivery of health care 
services, is not a local activity. This was one of our main 
reasons for developing a model on this issue--The Health 
Information Privacy Model Act (attached).
    The NAIC adopted the Health Information Privacy Model Act 
in September 1998.\1\ This model addresses many of the same 
issues that the federal legislation does, such as: (1) 
providing an individual the right to access and to amend the 
individual's protected health information; (2) requiring an 
entity to obtain an authorization from the individual to 
collect, use or disclose information; and (3) establishing 
exceptions to the authorization requirement. Our model was 
developed to assist the states in drafting uniform standards 
for ensuring the privacy of health information.\2\ However, 
because our jurisdiction is limited to insurance, and health 
information privacy encompasses more issues than insurance and 
more entities than insurers, we understand the desire for 
broader federal legislation.\3\
---------------------------------------------------------------------------
    \1\ This model was developed with state regulators, representatives 
of the insurance and managed care industries, and representatives from 
the provider and consumer communities. The NAIC model reflects the 
excellent work that has been done by a number of states on this 
difficult topic. The NAIC recognized the need to update the provisions 
of its existing ``NAIC Insurance Information and Privacy Protection 
Model Act,'' which was adopted by the NAIC in 1980, to reflect the 
rapidly evolving marketplace for health care and health insurance and 
the dramatic changes that have occurred over the past 19 years in 
information technology.
    \2\ The NAIC model requires carriers to establish procedures for 
the treatment of all health information, whether or not it is protected 
health information. The model then establishes additional rules for 
protected health information. In contrast, the federal bills require 
that named entities establish and maintain safeguards to protect the 
confidentiality of protected health information, which is more limited. 
The NAIC believes that Congress should establish procedures to assure 
the accuracy and integrity of all health information, not just 
protected health information.
    \3\ The most obvious difference between the NAIC model and the 
federal bills is in the scope of the entities to which the respective 
proposals would apply. The NAIC model applies to all insurance 
carriers. The federal bills are much broader and apply to health care 
providers, health plans, public health authorities, health oversight 
agencies, health researchers, health or life insurers, employers, 
schools, universities, law enforcement officials, and agents. Different 
sections of the federal bills apply to different combinations of these 
named entities. However, we are concerned that the federal bills only 
apply to health and life insurers and not to all insurers.
    With respect to insurers, we recommend the approach of the NAIC 
model, which applies to all insurance carriers and is not limited to 
health and life insurers. The NAIC had an extensive public discussion 
about whether the NAIC model should apply only to health insurance 
carriers, or instead, to all carriers. Health and life insurance 
carriers are not the only types of carriers that use health information 
to transact their business. Health information is often essential to 
property and casualty insurers in settling workers' compensation claims 
and automobile claims involving personal injury, for example. 
Reinsurers also use protected health information to write reinsurance. 
The NAIC concluded that it was illogical to apply one set of rules to 
health insurance carriers but different rules, or no rules, to other 
carriers that were using the same type of information. Consumers 
deserve the same protection with respect to their health information, 
regardless of the entity using it. Nor is it equitable to subject life 
and health insurance carriers to more stringent rules than those 
applied to other insurers. Our model applies to all insurance carriers 
and establishes uniform rules to the greatest extent possible.
---------------------------------------------------------------------------
    Recognizing all of the above factors, along with the fact 
that all of the health information privacy bills currently 
before Congress preempt state law in one fashion or another, 
the members of the NAIC have concluded that the privacy of 
health information is one of the few areas where it may be 
appropriate for the federal government to set a minimum 
standard. However, it should be noted that up until this point 
there has been no federal standard in place. Rather, states 
have been the protector of consumers in this area. Any federal 
legislation must recognize this fact and make allowances for 
it.

                            III. Preemption


A. Existing State Laws

    As this Subcommittee is well aware, the drafting of 
legislation to establish standards that protect the privacy 
rights of individuals with respect to highly personal health 
information is a very difficult task. Like you, the members of 
the NAIC sought to write standards into the NAIC Model that 
would not cripple the flow of useful information, that would 
not impose prohibitive costs on entities affected by the 
legislation, and that would not prove impossible to implement 
in a world that is rapidly changing from paper to electronic 
records. At the same time, the members of the NAIC recognized 
the need to assure consumers that their health information is 
used only for the legitimate purposes for which it was 
obtained, and that this information is not disclosed without 
the consumer's consent or knowledge for purposes that may harm 
or offend the individual.
    When developing protections for health information, 
Congress must recognize the impact of any federal privacy 
legislation on existing federal and state laws. Although we 
cannot fully address the impact on federal law, we do know that 
many state laws touch on protected health information and 
appear in many locations within the states' statutes and 
regulations. These laws do not neatly fit into a federal bill's 
list of exceptions. For example, privacy laws can be found in 
the insurance code, probate code, and the code of civil 
procedure. Numerous privacy laws relating to health information 
are also contained in the states' public health laws, which 
address such topics as child immunization, laboratory testing, 
and the licensure of health professionals. Other potential 
areas involve workers compensation laws, automobile insurance 
laws, and laws regulating state agencies and institutions. In 
addition, many state privacy laws only address health programs 
or health-related information that are unique to a particular 
state.
    Let us give you some examples of the existing state laws 
that protect health information.

California 

    California's Business and Professions Code provides 
protections for health information used in telemedicine, which 
is the practice of health care delivery, diagnosis, 
consultation, treatment, transfer of medical data and education 
using interactive audio, video or data communications (Cal. 
Bus. & Prof.. Code Sec.  2290.5). These protections are in 
addition to other existing confidentiality protections provided 
by law, including the ``Confidentiality of Medical 
Information'' statute in California's Civil Code (Cal. Civ. 
Code Sec.  56 et seq.). Under the telemedicine law, the health 
care practitioner must obtain verbal and written informed 
consent from the patient prior to the delivery of health care 
via telemedicine. The individual retains the option to withhold 
or withdraw consent at any time without affecting the right to 
future care or treatment or without risking the loss or 
withdrawal of any program benefits to which the individual 
would otherwise be entitled. The patient is guaranteed access 
to all medical information transmitted during a telemedicine 
consultation, and copies of this information are available for 
a reasonable fee. Dissemination of any patient-identifiable 
images or information from the telemedicine interaction to 
researchers or other entities is prohibited without the consent 
of the patient. This statute provides only three exceptions to 
the requirement of patient consent for disclosure of health 
information: (1) when a patient is not directly involved in the 
telemedicine interaction, such as when one health care 
practitioner consults with another health care practitioner; 
(2) in an emergency situation in which a patient or 
representative is unable to give informed consent; and (3) to a 
patient under the jurisdiction of the Department of 
Corrections.
    California's telemedicine statute could arguably be 
preempted by federal legislation that uses a total preemption 
approach. This statute is one example of states responding to 
changes in technology and addressing issues beyond those 
addressed in any of the federal bills. California not only 
protects the confidentiality of medical records but it protects 
health information in telemedicine. The telemedicine statute 
also requires consent for disclosing health information and has 
far fewer exceptions for disclosure without consent than any of 
the federal bills. The state law also guarantees patients the 
right to access all medical information without exception, 
whereas the federal bills have exceptions to patient access. 
Finally, the state law allows the patient to revoke consent at 
any time without affecting the right to future care or program 
benefits; however, this right is not included in the federal 
legislation. If a federal privacy bill using a total preemption 
approach is enacted, California's telemedicine protections, 
which are stronger than those in the pending federal 
legislation, would arguably be preempted.

Connecticut

    Connecticut has already enacted a privacy protection law 
for insurance information. (Conn. Gen. Stat. 38a-975 et seq.). 
This law applies to insurance institutions, agents and 
insurance-support organizations, and it protects health 
information that is collected, received or maintained in 
connection with insurance transactions that pertain to 
individuals who are residents of the state or who engage in 
insurance transactions with applicants, individuals or 
policyholders who are residents of the state. It also applies 
to insurance transactions involving policies, contracts or 
certificates of insurance delivered, issued for delivery, or 
renewed in the state. This law applies to life, health, 
disability, and property and casualty insurance, and therefore 
to issuers of these products. This state law would be preempted 
under a federal bill that used a total preemption approach. 
Arguably any health information held by life or health insurers 
may still be protected under the federal legislation; however, 
health information held by disability or property and casualty 
insurers, which is currently protected under this state law, 
would become unprotected under the current federal legislation. 
Without the opportunity for the state to implement its own laws 
to address these types of insurers, the health information they 
hold would be vulnerable to potential misuse or disclosure by 
those who hold it. In addition, if the federal standard were to 
fall short of Connecticut law in some way, the level of 
protection for information held by life and health insurers 
would be diminished.

Florida

    Florida's Civil Rights law requires confidentiality and 
informed consent for genetic testing. (Fla. Stat. Ann. 
Sec. 760.40). The law provides that except for purposes of 
criminal prosecution, determining paternity, or acquiring 
specimens from persons convicted of certain offenses, DNA 
analysis may be performed only with the informed consent of the 
person to be tested, and the results of such DNA analysis, 
whether held by a public or private entity, are the exclusive 
property of the person tested, are confidential, and may not be 
disclosed without the consent of the person tested. This law 
arguably would be preempted by a total preemption approach that 
uses the ``related to'' standard. Civil rights laws and genetic 
testing laws do not fall within any of the federal bills' 
exceptions, so presumably DNA tests would be governed by the 
provisions of federal bills. However, the federal legislation 
would arguably allow DNA test results and the identity of the 
individual to be disclosed without the individual's 
authorization under some of the federal bills' provisions, 
including the research provisions.

Massachusetts 

    Under Massachusetts' education statutes, provisions are 
established for the testing, treatment and care of persons 
susceptible to genetically-linked diseases. (Mass. Ann. Laws 
ch.76, Sec. 15B). The law requires the Department of Public 
Health to furnish necessary laboratory and testing facilities 
for a voluntary screening program for sickle cell anemia or for 
the sickle cell trait and for such genetically-linked diseases 
as may be determined by the Commissioner of Public Health. 
Records maintained as part of any screening program must be 
kept confidential and will not be accessible to anyone other 
than the Commissioner of Public Health or to the local health 
department which is conducting the screening program, except by 
permission of the parents or guardian of any child or 
adolescent who has been screened. Information on the results of 
any particular screening program shall be limited to 
notification of the parent or guardian of the result if the 
person screened is under the age of 18 or to the person himself 
if he is over the age of 18. The results may be used otherwise 
only for collective statistical purposes. Again, this state 
program may be preempted by a federal privacy law because it 
does not fall under the federal bills' preemption exceptions. 
Under the federal bills this health information would be at 
risk of disclosure without authorization under the public 
health or research provisions.

Michigan 

    Michigan's Public Health Code mandates confidentiality of 
HIV testing and requires written, informed consent (Mich. Comp. 
Laws. Sec.  333.5114, 333.5133). A physician or the physician's 
agent shall not order an HIV test for the purpose of diagnosing 
HIV infection without first receiving the written, informed 
consent of the test subject. Written, informed consent must 
contain at a minimum all of the following: (1) an explanation 
of the test, including the purpose of the test, the potential 
uses and limitations of the test, and the meaning of the test 
results; (2) an explanation of the rights of the test subject, 
including the right to withdraw consent prior to the 
administration of the test, the right to confidentiality of the 
test and the results, and the right to participate in the test 
on an anonymous basis; and (3) the persons or class of persons 
to who the test results may be disclosed. In addition, an 
individual who undergoes an HIV test at a department-approved 
testing site may request that the HIV test be performed on an 
anonymous basis. Staff shall administer the HIV test 
anonymously and shall obtain consent to the test using a coded 
system that does not link the individual's identity with the 
request for the HIV test or the results. The Michigan law 
states that consent is not required for an HIV test performed 
for the purpose of research, if the test is performed in such a 
manner that the identity of the test subject is not revealed to 
the researcher and the test results are not made known to the 
test subject. This state law risks being preempted by the 
federal legislation depending on the preemption approach and 
the exceptions. If state public health laws are exempt from 
federal law, this state law could be left in place depending on 
how the federal legislation classifies public health laws. If 
state public health laws are not excepted, this state law would 
arguably be preempted by federal legislation that uses a total 
preemption approach, but the protection the state law offers 
would not be replaced with a federal equivalent. Some of the 
federal bills would allow the identity of the individual to be 
disclosed without the individual's consent under the public 
health or research provisions.

Montana

    Under Montana's laws governing health maintenance 
organizations, any data or information pertaining to the 
diagnosis, treatment, or health of an enrollee or applicant 
obtained from the enrollee, applicant or a provider by a health 
maintenance organization must be held in confidence and may not 
be disclosed to any person, except upon express consent of the 
enrollee or applicant, pursuant to statute or court order for 
the production of evidence or discovery, in the event of a 
claim or litigation between the enrollee or applicant and the 
health maintenance organization where in the data or 
information is pertinent, or to the extent necessary to carry 
out the purposes of this chapter. (Mont. Code Ann. Sec.  33-31-
113). The provisions of the state law would presumably be 
preempted by a total preemption approach and would not be saved 
under any current exception in the federal bills. The state law 
prohibits disclosure except in a few limited cases, mostly 
pertaining to litigation, whereas the federal legislation would 
allow health maintenance organizations (health plans) to 
disclose this protected information without authorization under 
many more instances.
    In addition, Montana just enacted a comprehensive medical 
records privacy bill targeted at insurers. This new law was 
modeled after the NAIC Health Information Privacy Model Act, 
and it builds upon Montana's Insurance Information and Privacy 
Protection Act (Mont. Code Ann. Sec.  33-19-101 et seq.), which 
is very similar to Connecticut's law (see above). The efforts 
and careful consideration of the state legislature to adopt 
privacy legislation would be lost, if the federal privacy 
legislation preempts all state laws relating to confidentiality 
of health information.

Ohio

    Under Ohio law, information collected by the Ohio Health 
Care Data Center must be kept confidential, and may only be 
released in aggregate statistical form. (Ohio Rev. Code Ann. 
Sec.  3729.46(B)). The Director of Health, employees of the 
Department of Health including employees of the data center, 
and any person or governmental entity under contract with the 
director shall keep confidential any information collected that 
identifies an individual, including information pertaining to 
medical history, genetic information, and medical or 
psychological diagnosis, prognosis, and treatment. Theses 
persons and entities shall not release such information without 
the individual's consent, except in summary or statistical form 
with the prior written permission of the Director or as 
necessary for the Director to perform his duties. This state 
law would be preempted by a federal privacy law that totally 
preempted state law or did not include this type of law as an 
exception to federal preemption. The state law only allows 
release of information in summary form without identification 
of the individual, but this same information risks being 
released as personally identifiable information under the 
federal legislation. The federal legislation would end up 
unprotecting this information that is currently protected under 
state law.

Vermont

    Vermont, like some other states, has a cancer registry. (18 
V.S.A. Sec. Sec. 154, 155, 156). The Vermont statutes require 
the Vermont Health Commissioner to keep confidential all 
information reported to the cancer registry, with exceptions 
for the exchange of confidential information with other states' 
cancer registries, federal cancer control agencies and health 
researchers under specified conditions. The provisions of these 
state laws would arguably be preempted by a federal privacy law 
that totally preempted state law or did not include state 
cancer registry laws as an exception to federal preemption. 
Presumably, a federal privacy law would allow the Vermont 
Health Commissioner to disclose protected health information in 
situations not authorized by the state's statutes, but allowed 
to be disclosed without authorization under the federal bills' 
public health or research provisions.
    These examples should not be construed as a definitive 
legal analysis of the relationship between these state laws and 
the federal bills. The comments are not based on an extensive 
review of all relevant state laws that might affect the 
ultimate conclusion about the interaction of the federal bills 
and the states' laws. However, the range of state laws relating 
to protected health information, and the diversity of their 
purposes and of the entities that they affect, are critical 
factors for assessing the impact of any federal preemption 
language.

B. The Best Approach to Developing a Federal Standard

    An argument will be made that the only solution to this 
collection of state privacy laws is a total preemption of state 
law. However, this ``solution'' is a deceptively easy response 
to the various state privacy laws and will most certainly 
result in adverse, unintended consequences. The language ``any 
State law that relates to matters covered by this Act'' could 
preempt literally hundreds of state laws that affect protected 
health information.\4\ Many state laws that are seemingly 
unrelated to health information on their face affect health 
information privacy and could be eliminated by a total 
preemption approach without any equivalent federal protection. 
Health information or health-related information that is 
currently protected will end up unprotected, and states will 
not be able to remedy the problem or ``re-protect'' the 
information. We offer this perspective not to ``protect our 
turf,'' but rather as a caution against unintended consequences 
to the consumer. Because of the number and scope of the laws 
involved, our concerns are not limited to insurance law. We do 
not want Congress to reduce or eliminate any protections 
already in place. Preemption of state law is not a workable 
solution.
---------------------------------------------------------------------------
    \4\ This language is very similar to the preemption language 
contained in the Employee Retirement Income Security Act of 1974 
(ERISA), which states: ``[T]he provisions of this title...shall 
supersede any and all State laws insofar as they may now or hereafter 
relate to any employee benefit plana....'' (emphasis added). As this 
Committee is well aware, twenty-five years of litigation and numerous 
Supreme Court decisions have yet to clarify the scope of the ERISA 
preemption language. We would respectfully suggest that a ``relate to'' 
standard is not a good standard to adopt in federal legislation 
regulating the use of health information. Total preemption language 
will unintentionally erase important state laws but not provide 
equivalent federal protections. This is the unfortunate situation that 
has occurred as the result of the preemption language contained in 
ERISA.
---------------------------------------------------------------------------
    We believe the best approach would be to set a federal 
standard that does not preempt state laws that have been 
protecting health information for so many years. Up until now, 
there has been no federal standard in place, and the states 
have been protecting consumers. We understand the desire to 
establish a federal floor in this area, but it is not 
appropriate to preempt stronger state laws or preempt state 
laws that are outside the scope of the federal privacy 
legislation. As discussed earlier, the states have enacted 
privacy protections for their citizens in a variety of areas. 
These citizens should not lose stronger protections for their 
health information or lose protections granted by the states in 
areas not contemplated by the federal legislation.
    In addition, we believe that states should be allowed to 
enact stronger privacy protections in the future in response to 
innovation in technology and changes in the use of health 
information. We believe the best approach would balance the 
desire for uniformity with the recognition of the states' 
ability to respond quickly and to provide additional 
protections to their citizens. States can quickly identify the 
impact of any federal privacy law or any changes in technology 
or in the use of health information and can efficiently remedy 
any adverse situation. We urge Congress not to take a ``broad-
brush'' approach to preemption that would unintentionally take 
away protections at the state level, eliminate the states' 
ability to remedy unintended consequences that result from 
federal privacy legislation, or prevent states from responding 
in the future.
    Since Congress is certain to set some type of federal 
standard, we offer the following language as a suggestion of 
how federal privacy legislation may be drafted. This language 
sets a federal minimum standard that leaves in place existing 
state laws that are at least as protective as the federal 
legislation and allows states to enact stronger laws in the 
future.
    Nothing in this Act shall be construed as preempting, 
superseding, or repealing, explicitly or implicitly, any 
provision of State law or regulation currently in effect or 
enacted in the future that establishes, implements, or 
continues in effect any standard or requirement relating to the 
privacy of protected health information, if such state laws or 
regulations provide protections for the rights of individuals 
to the privacy of, and access to, their health information that 
are at least as protective of the privacy of protected health 
information as those protections provided for under this Act. 
Any state laws or regulations governing the privacy of health 
information or health-related information that are not 
contemplated by this Act, not addressed by this Act, or which 
do not directly conflict with this Act, shall not be preempted. 
Federal law shall not occupy the field of privacy protection. 
The appropriate federal authority shall promulgate regulations 
whereby states can measure their laws and regulations against 
the federal standard.
    We believe this language recognizes the desire for a 
federal standard while respecting what the states have already 
done.

                      IV. Scope of the Legislation

    In addition to adopting an approach that recognizes the privacy 
protections already enacted by the states and that allows states the 
flexibility to enact stronger privacy laws in the future, we urge 
Congress to draft legislation that specifically outlines the areas that 
Congress intends to address. Congress needs to be very specific about 
the scope of any federal privacy legislation. This is of particular 
concern since the current privacy legislation is silent on many issues 
affecting federal and state law. The scope should not be left ambiguous 
or left to the courts to decide. We believe it would be better for the 
protection of consumers' health information if Congress would specify 
what is addressed by the federal legislation as opposed to attempting 
to list all of the state laws that are exempt from the federal 
legislation.
    All of the current federal bills contain specific exceptions to the 
federal preemption language for certain state laws. Reviewing all of 
the bills, these exceptions include state laws that: (1) provide for 
the reporting of vital statistics such as birth or death information; 
(2) require the reporting of abuse or neglect information about any 
individual; (3) regulate the disclosure or reporting of information 
concerning an individual's mental health; (4) relate to public or 
mental health and prevent or otherwise restrict disclosure of 
information otherwise permissible under the federal legislation; (5) 
govern a minor's rights to access protected health information or 
health care services; (6) relate to the disclosure of protected health 
information or any other information about a minor to a parent or 
guardian of such minor; (7) authorize the collecting, analysis, or 
dissemination of information from an entity for the purpose of 
developing use, cost effectiveness, performance, or quality data; and 
(8) concern a privilege of a witness or person in state court.
    Although each of the exceptions is appropriate and the list 
represents a good start at enumerating the specific categories of state 
laws that should not be preempted, these specific exceptions to the 
preemption language do not alleviate our concerns. There are other 
state laws that do not fit into any of the explicit categories and that 
would therefore be preempted by the broad scope of the general 
preemption language. In addition, not all of these specified exceptions 
are included in each of the bills. We mention this to underscore the 
critical importance of clearly defining the scope of what the federal 
legislation is addressing and the applicability of any specific privacy 
standard or exception. We believe it wiser and easier to define what 
types of health information and what state laws are within the scope of 
the federal legislation, rather than what types of health information 
and what state laws are outside of the scope of the federal 
legislation.
    In addition, we urge Congress to outline a way in the federal 
privacy legislation for the states to measure their laws against any 
federal standard and to provide options for states to meet those 
requirements. In HIPAA, Congress gave the states three options in 
meeting the requirements of that legislation. Similar guidelines are 
needed in the privacy legislation. States need to be able to judge 
whether their state laws are stronger than the federal law in order to 
determine whether they need to take further action to revise their 
laws.

                             V. Enforcement

    Finally, we strongly caution Congress against enacting legislation 
that would preempt state laws, because we have several concerns about 
the enforcement of any federal privacy law. First, while all of the 
federal bills include criminal and civil sanctions and some of the 
bills allow a private right of action, we are concerned about the level 
of penalties. All of the federal bills include criminal sanctions for 
those who ``knowingly and intentionally'' disclose protected health 
information; however, under such a strict standard, it is unlikely that 
very many prosecutions will take place at the federal level. The 
federal bills also impose civil sanctions, but the maximum penalty is 
only $100,000 for violations occurring so frequently as to be 
considered a business practice. For a multi-million dollar company, 
$100,000 can be written off as a business expense. Given the lucrative 
market for the sale of individually identifiable health information, 
such an expense could be considered a minor inconvenience.
    The states possess a more effective enforcement tool than just 
monetary penalties. Insurers and other entities, such as hospitals and 
providers who hold protected health information, are licensed by the 
state. For repeated violations, the appropriate state agency can revoke 
the entity's license to do business in the state. This type of penalty 
forces the entity involved to change its business practices to conform 
to the law. Total preemption of state law could eliminate this 
enforcement mechanism.
    Second, we also have concerns regarding the federal government's 
ability to conduct day-to-day oversight and enforcement of these laws. 
Our internal and informal surveys have shown that states get very few 
complaints from individuals about inappropriate disclosures of their 
protected health information. Consumers generally are not aware when a 
company releases their information. Instead the state agency overseeing 
that entity uncovers the violation. State insurance departments employ 
examiners who conduct on-site reviews of insurance companies' files. 
When a violation is found, it can be corrected immediately. Unless the 
federal government is prepared to duplicate this system, states should 
not be preempted from enforcing their own laws.
    In addition, state insurance departments offer consumers a place to 
register their complaints. Those consumers who believe their rights may 
have been violated can call their state insurance departments and talk 
with someone about their concerns and have their concerns investigated. 
We do not believe that this degree of interaction and involvement will 
exist at the federal level. When a consumer believes his or her rights 
may have been violated under the new federal law, who in the federal 
government will that individual call? States already have an 
enforcement structure in place. This is a structure that should be 
built upon not preempted.

                             VI. Conclusion

    Establishing standards to protect the collection, use, and 
disclosure of health information is a very important undertaking. The 
growth of managed care, the increasing use of electronic information, 
and the advances in medical science and communications technology have 
dramatically increased both the availability and the importance of 
health information. The efficient exchange of health information will 
save thousands of lives. The information is critical for measuring and 
analyzing the quality and cost effectiveness of the health care 
provided to consumers. Consumer benefits from advances in health 
information are vast. However, the potential for misuse of this 
information is also vast. The information itself has become a valuable 
product that can be sold for significant amounts of money, and the 
consequences of unauthorized disclosure of health information can be 
potentially damaging to individuals' lives. The opportunities to 
exploit available health information will grow in number and value as 
technology and medical science advance.
    As Members of Congress address this critical topic, we would urge 
you to recognize the importance of existing state laws addressing the 
use of health information in many contexts. Congress should be aware of 
the complexity of implementing federal standards without inadvertently 
displacing important provisions of state law. We urge Congress not to 
take a ``broad-brush'' approach to preemption that would 
unintentionally take away protections at the state level, eliminate 
states' ability to remedy unintended consequences that result from 
federal privacy legislation, or prevent states from responding to 
future changes in technology or changes in the use of health 
information. The scope of the preemption is a critical issue, and if 
not carefully constructed it could lead to unintended consequences. We 
urge you to recognize the impact of any privacy legislation on federal 
and state laws as you debate this issue. The members of the NAIC would 
be happy to work with the Members of Congress in this area. Thank you.
    [An attachment is being retained in the Committee files.]

Statement of Margo P. Goldman, MD, and Peter Kane, MSW, LCSW, BCD, 
National Coalition for Patient Rights, Lexington, MA

    Chairman Thomas and members of the Committee. Thank you for 
the opportunity to submit written testimony on behalf of the 
National Coalition for Patient Rights (National CPR) about 
protecting the privacy and confidentiality of health 
information.
    First, we appreciate the Chair's stated commitment to 
protecting the confidentiality and security of our health 
information. We agree that these principles are critical to the 
delivery of quality health care. A patient knowing that his 
clinician will preserve his privacy and maintain the 
confidentiality of his medical records is the first pillar to 
constructing a reliable, efficient, and first-rate health care 
system. As stated in National CPR's recently published White 
Paper (included as an attachment), ``the primary purpose for 
collecting personal medical information from a patient is for 
clinical diagnosis and treatment of that patient. 
Fundamentally, this is the reason a patient confides 
information to a physician or other health care provider in the 
first place.'' (P2) Such communication frequently occurs when a 
patient is sick, and therefore, vulnerable. It is done with the 
expectation originally set forth hundreds of years ago in the 
Hippocratic Oath--that one's health care provider will not 
disclose what they have learned about the patient unless the 
patient agrees for them to do so. This is the basis of trust in 
the doctor patient relationship.
    Unfortunately, patients can no longer trust that their most 
personal information will remain private. The state of affairs 
is in critical condition. First, rapidly advancing information 
technology has created a literal gold mine of medical records. 
And the feeding frenzy is intensifying. In 1998, CVS and Giant 
Foods sold prescription data to a Woburn Massachusetts 
marketing firm in order to promote products. Patients learned 
of this when they received mail solicitations, specific for 
their medical conditions. Second, the war against fraud and 
abuse has led to a virtual assault of patients' privacy. 
Because HCFA mandated random audits to detect fraud, local 
Medicare carriers were demanding copies of patient records, 
including psychotherapy notes, as a condition of processing 
claims. Finally, as health insurers garner their efforts to 
contain costs by managing care, more and more sensitive 
information is demanded and collected. A case in point is the 
``Erectile Dysfunction Medical Necessity Treatment'' form that 
a local health insurer required from all physicians prescribing 
medication for impotence. (Copy enclosed) This is but one 
particularly glaring example where patients are asked to choose 
between receiving treatments for the most personal of issues 
and their privacy.
    And citizens are reacting to this: A survey recently 
conducted by the California Healthcare Foundation found 15% of 
adults said they have done something ``out of the ordinary'' to 
keep medical information confidential. This includes self-
paying instead of using one's health insurance, avoiding or 
delaying needed care, giving inaccurate or partial information 
about medical histories, and asking doctors to not write 
something down in the record. (California HealthCare 
Foundation, 1999)
    If this trend is allowed to continue, quality health care 
will be impossible and we will all suffer. Physicians and other 
health care providers will diagnose and treat patients based on 
inaccurate or incomplete data. If patients delay or avoid 
needed care, they will ultimately present for treatment when 
they are sicker, and less readily (and more expensively) 
treated. Doctors will increasingly be forced to rely on their 
memories, rather than the medical record, because of patients' 
or their own reluctance to record information that may come 
back to haunt the patient. And sorely necessary biomedical 
research will be based on tainted data, unless we can ensure 
that patients trust the system enough to communicate honestly 
and openly with caregivers.
    National CPR was founded over five years ago in response to 
this grave health care crisis. As an organization whose sole 
mission has been the patient-centered protection of medical 
privacy and confidentiality, we have developed policy 
recommendations. Congress is quickly approaching the August 21 
HIPAA deadline to enact legislation; we urge you to use our 
recommendations (contained in the White Paper) as a basis for 
sound medical privacy policy. The full White Paper is included 
as an attachment to our testimony. The recommendations are as 
follows:
    Recommendation 1: Medical records should be maintained as 
confidential and private for the purpose of the clinical 
benefits of the patient. Disclosure of medical records outside 
the context of clinical care requires the consent of the 
patient.
    Recommendation 2: The right of patients to determine what 
information in their medical records is shared with other 
providers and other institutions and agencies should be 
recognized both by law and by institutional policy. Patients 
who wish not to disclose medical information to other health 
care providers that may be important in their medical care 
should be counseled about the risks of nondisclosure and sign 
an acknowledgment of their being warned.
    Recommendation 3: Patients should have the legal right to 
review and copy their medical records. Patient access to 
medical records should be facilitated by providers, and charges 
to patients limited to the cost of copying. Institutions should 
develop clear policies and procedures for patients to correct 
and amend errors in the medical record. Patients should have 
the right to review the audit trails of who have accessed their 
medical records and for what purposes.
    Recommendation 4: Third party payers of medical services 
should be required to specify in advance the medical 
information they require to assess claims and manage medical 
care. Public notice should be made to patients of the kinds of 
medical information that will be requested from their 
providers. Physician notes should not routinely be disclosed to 
third party payers, and, consistent with the Supreme Court's 
decision in Jaffe v. Redmond, psychotherapist notes should 
never be disclosed to third party payers. Patient consent 
should be required before medical records are transferred to or 
patients are enrolled in disease management programs. Disease 
management programs should be based on sound clinical research 
and arranged through the patient's own health care provider.
    Recommendation 5: Third party payers should be held 
accountable to the same standards of privacy and 
confidentiality as are medical care providers. Third party 
payers should be limited in their use of medical records to the 
terms specified in the patient consent to release medical 
records. No disclosure by third party payers to any other party 
may be made without the written freely given consent of the 
patient, i.e., participation in the health plan or other 
benefits should not be contingent upon patient consent to 
further disclosures. Patients of third party medical payers 
should have the right to review and copy the medical records 
held by these organizations, and to review the logs of whom has 
had access to their records and for what purposes. Third party 
payers should establish procedures for patients to correct 
errors in their medical information.
    Recommendation 6: The psychotherapeutic relationship is of 
such sensitivity as to require special recognition as a domain 
of absolute privacy. Records and notes of psychotherapy 
sessions should always remain confidential and third parties 
should be prohibited by law from demanding their disclosure for 
any reason. For reimbursement purposes, only the minimal amount 
of information should be disclosed to process claims.
    Recommendation 7: Research involving medical records must 
either be conducted with the freely given informed consent of 
patients, or with blanket consent which delegates to a Medical 
Records Review Board (MRRB) the authority to waive further 
consent. The MRRB should be constituted by at least a majority 
of community members (individuals not employed by or otherwise 
affiliated with the institution) in addition to appropriate 
scientific, medical and allied health personnel and 
administered by the Medical Records Trustee. MRRB decisions not 
to grant a waiver of informed consent should be final. The MRRB 
should insure that the confidentiality of patient information 
is protected as it passes through a research protocol, that the 
information is not used for other purposes without explicit 
MRRB approval, and that the purposes of research will not be 
reasonably objectionable to the patient populations involved.
    Recommendation 8: All health services research that relies 
on personal medical information should be reviewed, approved, 
and overseen by an institutional Medical Records Review Board, 
with the Medical Records Trustee being the main point of 
contact for both patients seeking information about these 
research/evaluation projects, and for those people conducting 
the research and/or evaluation projects.
    Recommendation 9: Each clinical institution maintaining 
medical records has the responsibility to safeguard their 
confidentiality by minimizing access to medical records to 
those individuals whose ``need to know'' is of clinical benefit 
to the patient or is otherwise consented to by the patient. 
Institutions should employ encryption schemes and password 
protection, and log each access to or modification of the 
medical record (e.g., computerized audit trails). Institutions 
should develop auditing programs to ensure that access to and 
use of medical records is appropriate and take appropriate 
punitive measures when it is not. Patients should have the 
right to limit access to particularly sensitive information.
    Recommendation 10: Each health care institution maintaining 
medical records or medical information should designate a 
``Medical Records Trustee'' responsible for promulgating and 
enforcing institutional confidentiality and privacy policies, 
and ensuring compliance with the law. The Medical Records 
Trustee shall be the final responsible authority for granting 
any and all access to medical records and information within 
the institution. The Medical Records Trustee should also be 
responsible for making notification to patients and the general 
public of the institution's policies for protecting patient 
privacy and confidentiality of their medical records.
    Recommendation 11: Public health investigations in which an 
imminent danger to the health of individuals or communities is 
at stake, should be permitted to access private medical records 
as necessary and as provided for under current law. The consent 
of patients is not necessary, but patients should be notified 
by their providers that their records may be opened to public 
health authorities. When providers make legally mandated 
disclosures to public health authorities they should be 
required to inform the patient of this requirement at the time 
the condition is discovered.
    Recommendation 12: In general, employers should not have 
access to clinical medical records. These records should be 
segregated from all other personnel-related information, and be 
used only in the benefits determination process (and only where 
the employer is a self-insurer). Employers should be barred 
from using this information for employment, promotion and other 
personnel decisions, and provide notification to all employees 
and prospective employees of what information they collect and 
for what purposes. Employers with access to medical records 
should be barred from disclosing this information to other 
parties, and should maintain audit trails of who has accessed 
the records and for what purposes, and made available to the 
employees.
    Recommendation 13: Health care institutions maintaining 
medical records should notify the public and patients 
individually of the offices and functions which have access to 
their medical records. Institutions should also prominently 
display their policies on maintaining confidentiality of 
medical records. The name, address, and phone number of the 
Medical Records Trustee should be provided to all patients.
    Recommendation 14: Proposals to create systems designed to 
link private medical information or otherwise collate medical 
record information, such as the Unique Patient Identifier or 
the Master Patient Index, should not be implemented without 
explicit patient informed consent. Patients should always have 
the freedom to determine for themselves what medical 
information may be collated together and for what purposes.
    Recommendation 15: Law enforcement access to medical 
records should be limited to court order. When records are thus 
obtained, they should contain only the minimal amount of 
information necessary to fulfill the purpose for which they 
were sought. Moreover, law enforcement officials should 
maintain the confidentiality of the information they obtain, 
and should only allow the least number of people access as is 
absolutely necessary. Under no circumstances should personal 
medical records become part of an open court record, where the 
patients are not parties to the court proceeding. In the 
limited case of health care fraud investigations, anonymous 
records should be used to assess patterns of fraudulent 
billing, with identified information used only where specific 
instances of fraud are suspected.
    Recommendation 16: The buying and selling of medical 
records or information derived from them, and the use of these 
records for any marketing purposes, including disease 
management programs, without the freely given informed consent 
of the patient, should be prohibited by law and institutional 
policy.
    Before we conclude, we will also comment about Federal pre-
emption of state and common law privacy protection. As noted in 
the White paper and elsewhere, a number of states have passed 
(or are considering) medical privacy legislation that is 
stronger than some of the Federal proposals. In addition, there 
exist a host of state common law protections and condition-
specific statutes (i.e. HIV, mental health, substance abuse, 
etc.) to ensure information privacy. The convenience of inter-
state information sharing that would be aided by a Federal 
ceiling of protection does not justify trumping individual and 
states' rights. Furthermore, ``there is no precedent federally 
for pre-empting state statutory and/or common laws for 
information-based industries on this sort of scale.''(White 
Paper, p7) National CPR recognizes this is a complicated issue 
due to the rapidly changing technologies. Because of this, it 
is critical for states to have legislative flexibility and 
leeway to search out the best methods of safeguarding their own 
citizens. Finally, the HIPAA mandate for medical privacy 
legislation specified that Federal legislation NOT be 
preemptive. In keeping with Congress' 1996 requirement for 
Federal law protecting medical information, National CPR 
strongly urges you to create a Federal floor, not a ceiling, of 
protection.
    Once again, we want to thank Chairman Thomas and the 
Committee for the opportunity to submit testimony. After over 
five years of working on medical information privacy, we at 
National CPR are keenly aware of the complicated nature of the 
issue and the debate. We gladly offer all possible assistance 
to the Committee and your staff as you work through this bill.
    In conclusion, if Congress fails to enact true, patient-
centered medical privacy protection, the quality and integrity 
of our entire health care system will be in danger. Ann 
Cavoukian, the Privacy and Information Commissioner in Canada 
captured this:
    ``Confidentiality is to medical records, what sterile 
procedures are to surgery. Having one without the other is not 
only undesirable, but potentially bad for your health.'' (May 
1996, Ontario, Canada)
    [Attachments are being retained in the Committee files.]
      

                                


                                 National Conference of    
                                         State Legislatures
                                                      July 19, 1999
The Honorable William M. Thomas
Chairman, Health Subcommittee
Committee on Ways and Means
U.S. House of Representatives
Washington, DC. 20515

The Honorable Fortney Stark
Ranking Member, Health Subcommittee
Committee on Ways and Means
U.S. House of Representatives
Washington, DC. 20515

    Dear Representative Thomas and Representative Stark:
    On behalf on the National Conference of State Legislatures (NCSL), 
I would like to take this opportunity to comment on proposals regarding 
medical records confidentiality.
    NCSL firmly believes that states should regulate insurance. We 
oppose preemption of state law, but we understand the desire to 
establish a minimum standard in this area given that health information 
is transmitted across state and national boundaries. We also realize 
that Congress must enact privacy legislation by August 21, 1999, as set 
forth by the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), and we recognize that all of the current approaches set 
some type of federal standard. Given these factors, we believe that the 
privacy of health information is one of the few areas where it is 
appropriate for the federal government to set a minimum standard. 
Federal medical records confidentiality legislation should provide 
every American with a basic set or rights regarding their health 
information. These federal standards, in concert with state law, should 
be cumulative, providing the maximum protection for our citizens. Our 
mutual goal should be to assure that not one individual's health 
information is more vulnerable under federal law, than it was without 
it.

                        Preemption of State Law

    Federal legislation should establish basic consumer rights and 
should only preempt state laws that are less protective than the 
federal standard. Unfortunately many of the proposals pending before 
Congress take a different approach.
    NCSL is particularly concerned about proposals that would preempt 
all state laws ``relating to'' medical records privacy. The universe of 
state laws relating to medical records confidentiality is extremely 
large and is spread across a state's legal code. For example, state 
laws regarding medical records confidentiality can be found in the 
sections of a state's code regarding: health, mental health, education, 
juvenile justice, criminal code, civil procedure, family law, labor and 
employment law.
    While no compendium of state confidentiality laws exists, The 
Health Privacy Project at Georgetown University, part of the Institute 
for Health Care Research and Policy has just completed a summary of 
major state statutes related to medical records privacy. It shows that 
state law in this area is extensive and at a level of detail that is 
not contemplated in most of the federal proposals. A blanket preemption 
of state law is virtually the same as throwing the baby out with the 
bath water.
    Should Congress seek to pass federal medical record confidentiality 
legislation, NCSL firmly believes it should: (1) grandfather existing 
state confidentiality laws; (2) narrowly and specifically define the 
scope of the preemption, preserving issues not addressed in the federal 
proposal for state action; and (3) permit and encourage states to enact 
legislation that provides additional protections. If states are 
precluded in some general way from taking action in specific areas, 
there must be a mechanism for a state legislature to act if federal 
legislation adversely impacts the citizens in the state.
    Some proposals attempt to address the preemption issue through the 
inclusion of state legislative ``carve outs.'' This approach attempts 
to identify all the areas that states would be permitted to continue to 
enact legislation. While well-intended, there is no way for states to 
know the full extent and impact of the preemption and carve-outs until 
the federal law has been implemented. NCSL and the National Association 
of Insurance Commissioners (NAIC) recommend that states be allowed to 
continue to legislate and regulate in any area that is not specifically 
addressed in the federal legislation. Below is language jointly 
supported by NCSL and NAIC:
    Nothing in this Act shall be construed as preempting, superseding, 
or repealing, explicitly or implicitly, any provision of state law or 
regulation currently in effect or enacted in the future that 
establishes, implements, or continues in effect, any standard or 
requirement relating to the privacy of protected health information., 
if such laws or regulations provide protections for the rights of 
individuals to the privacy of, and access to, their health information 
that are at least as protective of the privacy of protected health 
information as those protections provided for under this Act. Any state 
laws or regulations governing the privacy of health information or 
health-related information that are not contemplated by this Act, shall 
not be preempted. Federal law shall not occupy the field of privacy 
protection. The appropriate federal authority shall promulgate 
regulations whereby states can measure their laws and regulations 
against the federal standard.

                   Current State Legislative Activity

    Since January 1999, 26 states have enacted laws regarding medical 
records confidentiality. Montana enacted comprehensive legislation 
addressing the activities of insurers and North Dakota enacted 
legislation that established comprehensive public health 
confidentiality standards. After years of debate, Hawaii enacted a 
comprehensive law that sets standards for the use and disclosure of 
both public and private health information. Most states enacted 
legislation building on existing state law or legislation focused on a 
specific issue. Six laws, addressing a wide variety of medical records 
privacy concerns, were enacted in Virginia during the 1999 legislative 
session. Other states that enacted legislation this year are: Arkansas, 
Colorado, Connecticut, Georgia, Idaho, Indiana, Iowa, Louisiana, Maine, 
Mississippi, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, South 
Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia and 
Wyoming.
    Several of these new laws address issues that are not addressed in 
many of the federal proposals. For example, many states have laws 
establishing strict confidentiality standards for medical information
    in the possession of employers. These laws would make records from 
employee assistance programs (EAP) and workplace drug-testing results, 
protected health care information, subject to strict disclosure and 
reporting requirements. Several states have laws that set limits on how 
much a health care provider can charge an individual to make copies of 
their medical records. These laws, designed to help assure access, 
regardless of income, would be preempted under some proposals. These 
are but a few examples that illustrate both the breadth and complexity 
of the preemption issue.
    I thank you for this opportunity to share the perspective of NCSL 
on this very important issue. Enclosed for your information is a copy 
of the NCSL policy, ``Principles for Federal Health Insurance Reform.'' 
I look forward to working with you and your colleagues over the next 
several months to develop a consensus proposal that will provide basic 
medical records privacy protections for all.
            Sincerely,
                                                Kemp Hannon
                                                    New York Senate
                                       Chair, NCSL Health Committee

    cc: Representative Bill Archer
    Representative Charles B. Rangel
    Members, House Ways and Means Subcommittee on Health

OFFICIAL POLICY

                          Insurance Regulation


     States should regulate insurance and should 
continue to set and enforce solvency standards and to provide 
oversight on insurance matters.
     Modifications to the Employee Retirement Income 
Security Act of 1974 (ERISA) that would eliminate states' 
preemption or strengthen the regulatory authority of the 
states, including consumer access to state remedies, should be 
adopted. Conversely, NCSL opposes initiatives that would expand 
the reach of ERISA.
     Absent changes that would permit states to 
regulate ERISA plans, Congress should impose requirements on 
ERISA plans that closely track state legislative and regulatory 
initiatives. In addition, federal remedies, that more closely 
resemble remedies available at the state level, should be 
adopted for consumers in ERISA plans.
     Federal legislation that establishes uniform 
standards, should establish a floor, but not a ceiling.
     When federal insurance reforms are adopted, the 
consumer should easily understand the implementation process 
and a massive community education effort should be an integral 
part of program implementation.
     Federal reforms, that require state enforcement, 
should be funded by the federal government.
     Any federal legislation requiring state action to 
comply with the law should allow a reasonable period of time 
for state legislatures to adequately debate and enact 
legislation. Where states already have similar legislation in 
place, a process for declaring ``substantial compliance'' 
should be developed.

                        Medical Records Privacy


Scope of Law

     No patient identifiable medical information may be 
released without written and oral informed consent of the 
patient, unless otherwise exempted.
     A federal privacy statute should define a range of 
health care conditions and services and protect patient 
identifiable information, including demographic information, 
collected during the health care process.
     A federal privacy statute also should define 
``information'' to include records held in whatever form 
possible--paper, electronic, or otherwise.
     Strong protections for individuals from the 
inappropriate disclosure of their medical records should be 
established.
     Anyone who provides or pays for healthcare or who 
receives health information from a provider, payer, or an 
individual should be required to conform to the provisions of 
the law.
     Health care providers that do not have direct 
relationships with the patient must also abide by the same 
standards.
    A payer should not be required to provide a benefit or 
commence or continue payment of a claim in the absence of 
protected health information, as set forth in each state's 
statutes, to support or deny the benefit or claim.

Security

     Information should not be used or given out unless 
either the patient authorizes it or there is a clear legal 
basis, under state or federal law, for doing so.

Consumer Rights

     Individuals should have the right to:
     Find out what information is in their medical 
record; and
     How the information is used.
     Practices and procedures must be established that 
would:
     Require a written explanation from insurers or 
health care professionals detailing who has access to an 
individual's information;
     Require insurers or health care professionals to 
tell individuals how that information is kept;
     Inform individuals how they can restrict or limit 
access to their medical records;
     Inform individuals how they can authorize 
disclosures or revoke such authorizations; and
     Inform individuals of their rights should an 
improper disclosure occur.
     In general, individuals should be permitted to 
inspect and copy information from their medical record.
     Finally, a process should be developed for 
patients to seek corrections or amendments to their health 
information to resolve situations in which coding errors cause 
patients to be charged for procedures they never receive or to 
be on record as having conditions or medical histories that are 
inaccurate.

Accountability

     Severe penalties should be imposed on individuals 
who knowingly disclose medical records improperly, or who 
misrepresent themselves to obtain health information.
     Civil monetary and/or criminal penalties should be 
imposed on individuals who have a demonstrated pattern or 
practice of unauthorized disclosure.
     Any individual whose rights under the federal 
privacy law have been violated should be permitted to bring a 
legal action for actual damages and equitable relief. If the 
violation was done knowingly, attorney's fees and punitive 
damages should be available.

Public Health

     Under certain limited circumstances, health care 
professionals, payers, and those receiving information from 
them should be permitted to disclose health information without 
patient authorization to public health authorities for disease 
reporting, public health investigation, or intervention, as 
required by state or federal law.

Research

     Research protocols and confidentiality standards 
should be continued and strengthened.

Law Enforcement

     Law enforcement representatives should be required 
to have a court order to obtain information from an 
individual's medical record.

Preemption

     Federal legislation should provide every American 
with a basic set of rights with respect to health information; 
however, confidentiality protections provided in state and 
federal law should be cumulative, and the federal legislation 
should provide a floor.
     Federal law should only preempt state laws that 
are less protective.

                     Administrative Simplification 

     Administrative simplification is a key component in 
efforts to reduce health care costs and to improve quality of care. 
Simplification initiatives should include:
     the development of uniform claims forms;
     the establishment and continued refinement of uniform 
codes;
     electronic claims processing and billing; and
     computerized medical records and ``smart cards'' for 
medical records and medical history.
     Federal and state governments should share information; 
however, confidentiality of medical records and information must be 
protected.
     Under the provisions of the Health Insurance Portability 
and Accountability Act of 1996, federal law supercedes state law, 
except when the Secretary determines that the state law is necessary:
     To prevent fraud and abuse,
     To ensure the appropriate state regulation of insurance or 
health plans,
     For addressing controlled substances, or for other 
purposes.
    NCSL supports a broad interpretation of this provision that would 
result in limited preemption of state laws.
    July 1998
      

                                


                                      Kansas City, MO 64111
                                                       22 July 1999

A.L. Singleton
Chief of Staff
Committee on Ways and Means
U.S. House of Representatives
1102 Longworth House Office Building
Washington, DC. 20515

    Dear Mr. Singleton:

    Confidentiality of my patient records is very important to me. 
Thank you for giving me the opportunity to lend my comments to the July 
20th hearing on medical confidentiality.
    Patients and doctors have a special relationship requiring the 
divulging of confidential information that sometimes even the best of 
friends or family members do not share. There must be trust between the 
doctor and patient to allow for sharing what could be damaging 
information in order to allow timely and appropriate medical care.
    For the integrity of this relationship and the health care system 
in general it is important that patients have informed voluntary 
consent prior to the sharing of information. The bills before the House 
and Senate do not protect this right. Rather they would create a 
federal law allowing researchers, government agencies, law enforcement, 
and managed care organizations to enter my medical records at will. 
They would also limit the right of my state legislators to enact 
stronger privacy legislation than Congress enacts.
    As an American, I am entitled to certain rights, including the 
right of protection against unlawful search and seizure by others of my 
personal property. This includes personal information about myself. 
Also, the Nuremberg Code protects me against becoming an unwilling 
research subject.
    Unconsented access to my medical records will not only violate my 
Constitutional rights as a citizen, it will leave me vulnerable to 
employment, insurance, and medical discrimination. I urge you to truly 
protect my confidentiality by assuring patient consent prior to all 
medical record access.
            Sincerely,
                                   Elizabeth S. Smock, M.A.
      

                                


Statement of Randel K. Johnson, Vice President of Labor and Employee 
Benefits, U.S. Chamber of Commerce

    Mr. Chairman and Members of the Committee, good morning. I 
am Randel Johnson, Vice President, Labor and Employee Benefits, 
U.S. Chamber of Commerce. The U.S. Chamber of Commerce is the 
world's largest business federation representing more than 
three million businesses and organizations of every size, 
sector and region.
    Mr. Chairman, I have been asked to address the narrow issue 
of whether or not a private cause of action in court should be 
authorized under the legislation before you today, the 
``Medical Information and Research Enhancement Act of 1999.'' 
We believe the only reasonable answer to this question is 
``no'' and the Chamber would strongly oppose inclusion of a new 
individual right to sue in addition to the severe civil and 
criminal penalties already in the legislation. Contrary to the 
assumptions of some, it is not true that a new right to sue 
must, or should be, created each time Congress creates a new 
substantive legal right or that such a right is necessary for 
effective enforcement. Furthermore, experience would suggest 
that--given the inherent negatives associated with court 
litigation--Congress reserve creation of new private causes of 
action in court for only those situations where there has been 
a demonstrated and well-documented problem with existing 
enforcement mechanisms. This threshold criteria has not been 
met here.
    It should be emphasized that whatever is enacted will be an 
important, but complicated new federal law. Before we subject 
individuals and organizations to the expense and uncertainty of 
private litigation, we need to allow time for any uncertainties 
in the law to be clarified. Hopefully, much of this will be 
accomplished through administrative regulations that will flesh 
out the many rights, responsibilities and protections in the 
legislation, a far preferable course than the vagaries, expense 
and inconsistencies of the court system developing policy on a 
case by case basis.
    Since the question of whether a private cause of action is 
necessary turns on whether or not the existing legislation has 
adequate provisions to deter violations of its provisions, we 
need to look carefully at what is in the legislation now. I 
urge the Members to refer to the actual text of the legislation 
in this regard because these existing sanctions are actually 
quite severe. First, let's review the criminal penalties under 
proposed Section 2801 ``Wrongful Disclosure of Protected Health 
Information.'' Under this section, a ``person that knowingly 
and intentionally'' \1\ discloses protected health information 
shall be fined up to $50,000, imprisoned not more than one year 
or both; and if the offense is committed under ``false 
pretenses,'' be fined not more than $100,000, imprisoned up to 
five years or both. And if the offense is committed with ``the 
intent to sell, transfer, or use protected health information 
for monetary gain or malicious harm'' the person could be fined 
up to $250,000, and imprisoned not more than 10 years or both. 
All of these penalties and prison sentences could be doubled 
under certain circumstances. I also note that the ``person'' 
subject to these sanctions apparently could be anybody employed 
by, or with any connection to, the health information--from a 
clerical worker on up; hence the sweep of these provisions is 
quite broad.
---------------------------------------------------------------------------
    \1\ We urge the committee to define this concept to encompass only 
knowing and intentional violations of the law in the sense that the 
individual knew his or her conduct violated the Act and intended harm.
---------------------------------------------------------------------------
    Now let's turn to the civil penalties under new Section 
311. Under this section, ``a person'' who the Secretary of 
Health and Human Services determines has ``substantially and 
materially failed to comply with this Act'' shall be subject to 
up to $500 for each violation and up to $5,000 for multiple 
violations arising from failure to comply with Title I of the 
act; and, where a violation relates to Title II, a civil 
penalty of up to $10,000 for each violation, and up to $50,000 
in the aggregate for multiple violations, may be imposed. A 
$100,000 penalty is provided for violations which constitute a 
general business practice. This legislation also sets out 
detailed procedures for consideration of penalties under 
Section 312. The Secretary is empowered to seek injunctive 
relief.
    To state the obvious, I can assure you that any entity 
covered by this legislation will take these civil and criminal 
penalties quite seriously, and I have to ask if there is anyone 
in this room today who would view these possible jail terms and 
monetary penalties lightly if they were subject to this law--I 
doubt it. I would ask you for one moment to put yourself in the 
place of an individual within a business handling health care 
information--of whatever size--and ask yourself that question.
    To help demonstrate the extreme nature of these criminal 
and civil penalties, it might be useful to refer, for the 
purposes of comparison, to a few employment laws. Under the 
Occupational Safety and Health Act willful or repeat violations 
can be penalized by monetary penalties of between $5,000 and 
$70,000; a serious violation up to $7,000; a non-serious 
violation up to $7,000, and for failure to correct a violation, 
a civil penalty of not more than $7,000. With regard to 
criminal penalties, a willful violation causing an employee's 
death can be punished by a fine of not more than $10,000 and 
imprisonment for not more than 6 months or both, except that if 
the violation is committed after a prior conviction, punishment 
can be doubled.\2\
---------------------------------------------------------------------------
    \2\ By operation of the 1984 Comprehensive Crime Control and 
Criminal Fine Collection Act, which standardized penalties and 
sentences for federal offenses, willful violations of the OSH Act 
resulting in a loss of human life are punishable by fines up to 
$250,000 for individuals and $500,000 for organizations.
---------------------------------------------------------------------------
    The Family and Medical Leave Act and Title VII of the 1964 
Civil Rights Act contain no criminal penalties and only a civil 
fine of $100 for a willful failure to post a notice of FMLA and 
Title VII rights. The Age Discrimination in Employment Act has 
a criminal penalty of up to $500 or imprisonment of up to 1 
year for interfering with an EEOC agent. Similarly, the 
National Labor Relations Act, protecting the rights of 
employees to unionize, provides only for a fine of not more 
than $5,000 or imprisonment for one year for interfering with a 
Board agent. The Fair Labor Standards Act contains fines of not 
more than $10,000 and imprisonment at up to 6 months for 
certain violations.
    As you can see, the proposed civil and criminal penalties 
of the legislation before you are quite severe in comparison to 
other laws--laws which also protect important rights.
    I led my testimony with a discussion on civil and criminal 
penalties to dispel any doubt that this legislation somehow 
provides an invitation for non-compliance or that such 
penalties are not otherwise adequate to deter violation. 
Nothing could be further from the truth. In this context, I 
turn to the question of the need for a private cause of action.
    Contrary to what seems to be a popular conception, many 
laws rely exclusively on government enforcement for protection 
of important substantive rights, as does this legislation. In 
the labor area alone these include: The Davis Bacon Act 
(requires payment of prevailing wages on government contracts 
for construction), the Service Contract Act (requires payment 
of prevailing wages on government services contracts), the 
Walsh-Healey Act (payment of minimum wages and overtime to 
employees working on government contracts); Executive Order 
11246 (prohibits discrimination by government contractors); 
Section 503 of the Rehabilitation Act (prohibits discrimination 
by government contractors on the basis of disability), and, 
perhaps most notably, the Occupational Safety and Health Act 
(protects employee safety and health), the Mine Safety and 
Health Act (protects safety and health of miners), and the 
National Labor Relations Act (protects the rights of employees 
to engage in concerted activities, including unionization.) \3\
---------------------------------------------------------------------------
    \3\ Other examples include the Paperwork Reduction Act, Section 
17(a) of the Securities Exchange Act (see Touche Ross v. Redington, 442 
U.S. 560 (1979)), and the Federal Service Labor Management Relations 
Act.
---------------------------------------------------------------------------
    Of course some labor statutes (in interest of full 
disclosure) do have a private cause of action, typically with 
remedies keyed to economic damages, such as lost pay with--in 
some instances--a doubling where the violation was willful or 
without good faith. (But let me again emphasize that these laws 
do not have the severe criminal and civil penalties contained 
in the privacy legislation.) An atypical example is Title VII 
of the 1964 Civil Rights Act, which was amended in 1991 to 
include non-economic damages (capped at various levels), but 
only after two years of much contentious debate encompassing 
two separate Congresses.
    These changes were based on a long record of experience 
amassed over some 30 years, which demonstrated that by the 
1990's changes were needed. Even with this lengthy 
consideration by Congress, the results have not been pretty. 
Litigation has exploded--tripling since 1991--with 
discrimination cases constituting almost one of every ten cases 
in federal court, the second highest number after prisoner 
petitions.\4\ That only 5% of cases filed with the Equal 
Employment Opportunity Commission are found to have 
``reasonable cause'' and 61% ``no reasonable cause,'' tells us 
that many of these cases are of questionable validity. I've 
also attached for the Members' reference an article entitled, 
``Lawsuits Gone Wild,'' February 1998, discussing the plight of 
businesses under this surge of litigation. Litigation expenses 
alone to defend a case can approach $50,000-$150,000 even 
before trial.
---------------------------------------------------------------------------
    \4\ See study by Lawyers Committee on Civil Rights under Law, Daily 
Labor Report, March 25, 1999. The Americans with Disabilities Act 
includes the same remedies as Title VII although it was originally 
passed and enacted with only equitable relief. The ADA was premised on 
longstanding principles and regulations found under Section 504 of the 
1973 Rehabilitation Act. Nevertheless, it, like Title VII since amended 
by the Civil Rights Act of 1991, has resulted in considerable 
litigation, much of it frivolous. See ``Helping Employers Comply with 
the ADA,'' Report of the U.S. Commission on Civil Rights, September 
1998, pp. 274-283.
---------------------------------------------------------------------------
    Perhaps this isn't surprising given the nature of civil 
litigation, but it does emphasize the importance of Congress 
carefully deliberating before it authorizes individual civil 
litigation as a remedy. Indeed, the fact that private lawsuits 
are expensive, blunt enforcement instruments with enormous 
transactional costs can hardly be argued. While I do not wish 
to debate tort reform here, it may be worthwhile to refer to a 
few further facts on this issue:
    A Tillinghast-Towers Perrin analysis (Nov. 1995) of the 
U.S. tort system found that when viewed as a method of 
compensating claimants, the U.S. tort system is highly 
inefficient, returning less than 50 cents on the dollar to the 
people it is designed to help--and less than 25 cents on the 
dollar to compensate for actual economic losses. (Tillinghast-
Towers Perrin, ``Tort Cost Trends: An International 
Perspective,'' pp. 4, 8)

The study broke down costs as follows:

              Awards for economic loss       24%
              Administration                24%
              Awards for pain and suffering  22%
              Claimants' attorney fees       16%
              Defense costs                  14%

    Hence, even when non-economic ``pain and suffering'' awards are 
included, claimants ultimately collected only 46% of the money raised, 
the balance going for the high transactional costs of the system.
    These conclusions are consistent with a 1985 RAND study which 
indicated that plaintiffs in tort lawsuits in state and federal courts 
of general jurisdiction received only approximately half of the $29 
billion to $36 billion spent in 1985. The cost of litigation consumed 
the other half with about 37% going to attorney's fees (pp. v-xi). A 
1988 RAND study of wrongful discharge cases in California found that 
``total legal fees, including defense billings, sum to over $160,000 
per case. The defense and plaintiff lawyer fees represent more than 
half of the money changing hands in this litigation.'' (pp. viii, 39-
40) (The range of jury verdicts were from $7,000 to $8 million with an 
average of $646,855. pp. vii, 25-27, excluding defense judgements.) 
(Average award after post-trial settlement and appellate review was 
still $356,033, p. 36)
    A March 1998 study by the Public Policy Institute entitled, ``How 
Lawsuit Lottery is Distorting Justice and Costing New Yorkers Billions 
of Dollars a Year,'' applied the Tillinghast-Tower's analysis for New 
York's tort liability system and calculated that liability expenditures 
broke out as follows:
     $6.57 billion in payments to claimants (including $3.1 
billion in pain and suffering awards and only $3.4 billion for actual 
economic damages).
     $3.4 billion for administrative overhead.
     $2 billion for defense costs.
     And nearly $2.3 billion for plaintiffs' attorneys.
    The study found: ``In sum, more than half of the money extracted 
from our consumers, our taxpayers, and our economy by New York's 
phenomenally expensive liability system doesn't go to its supposed 
beneficiaries'' (p. 26).
    And a May 1995 Hudson Briefing Paper, ``The Case for Fundamental 
Tort Reform'' noted that:
     The U.S. tort system needs to be made far more efficient 
and our society far less litigious and far larger shares of tort 
payments should go to injured parties rather than to lawyers. 
Currently, more than fifty cents of every dollar paid out of the tort 
system goes to cover attorneys' fees.
     Lawyers monopoly of access to the courts allows them to 
impose a 33.33 to 40 percent toll charge on all damage recoveries, even 
in cases in which defendants are willing to pay on a rapid no-dispute 
basis. Contingency fees, the near-uniform means of compensating tort 
claim attorneys, can provide risk free windfall profits to lawyers 
while harming defendants, plaintiffs, and the economy as a whole.
    The real costs of the nation's tort civil litigation system is 
enormous \5\ , and the broader a civil action is in terms of grounds 
for liability and damages the more incentive there is for frivolous 
litigation--as many lawyers and plaintiffs seek to play the litigation 
lottery in front of juries for huge monetary rewards. However, my 
primary point here is that simple logic dictates that a system with 
such heavy transactional costs should, by definition, be considered as 
an option of last resort.
---------------------------------------------------------------------------
    \5\ For other overviews of expenses associated with court 
litigation, see, generally, The Illinois Tort Reform Act: Illinois' 
Landmark Tort Reform: The Sponsor's Explanation, 27 Loy. University of 
Chicago L. J. 805, Summer 1996. Also see Symposium: Municipal 
Liability: The Impact of Litigation on Municipalities: Total Cost, 
Driving Factors, and Cost Containment Mechanisms; 44 Syracuse Law 
Review 833, 1993.
---------------------------------------------------------------------------
    Of course, I realize that there are those who would argue that a 
business need not fear litigation so long as it obeys the law--so a 
provision for civil court litigation should only trouble truly bad 
actors and not present a problem to others. The only problem with this 
argument is that it is patently false. The reality of laws in this 
country is that they are invariably complex and, often, simply vague, 
with the lines of compliance uncertain and often changing. The Code of 
Federal Regulations governing the workplace arena alone covers over 
4,000 pages of fine print, and hundreds of court and administrative 
decisions provide their own gloss of what the law is, or is not, on any 
given day. The Supreme Court handed down three decisions on the 
Americans with Disabilities Act just a month ago and two on what 
constitutes sexual harassment under Title VII and one on the Age 
Discrimination in Employment Act in the last session. Eleven Circuit 
Courts of Appeal render their own versions of the law. One treatise on 
discrimination law stretches over two volumes and two thousand pages of 
analysis with more footnotes, as does another on the National Labor 
Relations Act. And these are not atypical examples of one area of the 
law. Even enforcement agencies, with all their expertise, cannot give 
clear answers as to what is or is not required. (See ``Workplace 
Regulation--Information on Selected Employer and Union Practices,'' GAO 
Report #94-138)
    All of these problems are magnified when it comes to a new law, 
such as that before you today, which will, no matter how well drafted, 
be subject to much interpretation. Many times there will not be right 
or wrong answer and that problem will be heightened if courts across 
the country, likely combined with jury trials, are immediately faced 
with cases to sort out every nuance--which may very well differ from 
jurisdiction to jurisdiction--while the employer is faced with both 
uncertain requirements and liability.
    In closing, our opposition to inclusion of a private right of 
action is premised on the straightforward notions that (1) the civil 
and criminal penalties now in the legislation are quite severe and 
provide more than adequate deterrence, (2) many laws are adequately 
enforced without private causes of actions, and (3) law suits are a 
rough, blunt and expensive instrument of justice with many negative 
attributes which should only be used where there is a clear track 
record demonstrating that the law in question currently has inadequate 
enforcement mechanisms--a record which certainly does not exist here. 
Should the Congress find that, after passage of this legislation and a 
period of enforcement, the business community is ignoring its 
responsibilities, it can always revisit the issue and authorize new 
enforcement mechanisms.
    Thank you.
    [Attachments are being retained in Committee files.]

                                   - 
