[House Hearing, 106 Congress]
[From the U.S. Government Printing Office]






                   CONFIDENTIALITY OF PATIENT RECORDS

=======================================================================

                                HEARING

                               before the

                         SUBCOMMITTEE ON HEALTH

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 17, 2000

                               __________

                             Serial 106-89

                               __________

         Printed for the use of the Committee on Ways and Means


                    U.S. GOVERNMENT PRINTING OFFICE
66-897 CC                   WASHINGTON : 2001

_______________________________________________________________________

            For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 
                                 20402




                      COMMITTEE ON WAYS AND MEANS

                      BILL ARCHER, Texas, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
BILL THOMAS, California              FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida           ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut        WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana               JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania      KAREN L. THURMAN, Florida
WES WATKINS, Oklahoma                LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri
SCOTT McINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida

                     A.L. Singleton, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                         Subcommittee on Health

                   BILL THOMAS, California, Chairman

NANCY L. JOHNSON, Connecticut        FORTNEY PETE STARK, California
JIM McCRERY, Louisiana               GERALD D. KLECZKA, Wisconsin
PHILIP M. CRANE, Illinois            JOHN LEWIS, Georgia
SAM JOHNSON, Texas                   JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  KAREN L. THURMAN, Florida
JIM RAMSTAD, Minnesota
PHILIP S. ENGLISH, Pennsylvania


Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.




                            C O N T E N T S

                               __________

                                                                   Page

Advisory of February 11, 2000, announcing the hearing............     2

                               WITNESSES

U.S. Department of Health and Human Services, Hon. Margaret A. 
  Hamburg, M.D., Assistant Secretary for Planning and Evaluation, 
  accompanied by Gary Claxton, Deputy Assistant Secretary for 
  Health Policy..................................................    11

                                 ______

American Medical Association, William G. Plested, III, M.D.......    40
Blue Cross Blue Shield Association, Alissa Fox...................    47
Goldman, Janlori, Institute for Health Care Research and Policy, 
  Georgetown University..........................................    55
Healthcare Leadership Council, Mary R. Grealy....................    63
Synergy Health Care, N. Stephen Ober, M.D........................    73

                       SUBMISSIONS FOR THE RECORD

American Academy of Pediatrics, statement........................    88
American College of Physicians-American Society of Internal 
  Medicine, Whitney W. Addington, letter.........................    89
American College of Surgeons, Thomas R. Russell, letter and 
  attachment.....................................................    98
American Council of Life Insurers, statement and attachment......    99
American Federation of State, County and Municipal Employees, 
  AFL-CIO, Charles M. Loveless, letter...........................   105
American Healthways, Inc., Nashville, TN, statement..............   106
American Psychoanalytic Association, New York, NY, statement.....   109
Association for Healthcare Philanthropy, Falls Church, VA, 
  William C. McGinly, statement and attachments..................   110
Association of American Medical Colleges, statement..............   116
Association of American Physicians and Surgeons, Inc., Tucson, 
  AZ, Jane M. Orient, statement..................................   118
Condit, Hon. Gary A., a Representative in Congress from the State 
  of California; Hon. Henry A. Waxman, a Representative in 
  Congress from the State of California; Hon. Edward J. Markey, a 
  Representative in Congress from the State of Massachusetts; 
  Hon. John D. Dingell, a Representative in Congress from the 
  State of Michigan; Hon. Sherrod Brown, a Representative in 
  Congress from the State of Ohio; Hon. Edolphus Towns, a 
  Representative in Congress from the State of New York; Hon. 
  David E. Bonior, a Representative in Congress from the State of 
  Michigan; Hon. Major R. Owens, a Representative in Congress 
  from the State of New York; Hon. Patsy T. Mink, a 
  Representative in Congress from the State of Hawaii; Hon. Gene 
  Green, a Representative in Congress from the State of Texas; 
  Hon. Barney Frank, a Representative in Congress from the State 
  of Massachusetts; Hon. Lucille Roybal-Allard, a Representative 
  in Congress from the State of California; Hon. Paul E. 
  Kanjorski, a Representative in Congress from the State of 
  Pennsylvania; Hon. Albert Russell Wynn, a Representative in 
  Congress from the State of Maryland; Hon. Fortney Pete Stark, a 
  Representative in Congress from the State of California; Hon. 
  Lynn C. Woolsey, a Representative in Congress from the State of 
  California; Hon. William D. Delahunt, a Representative in 
  Congress from the State of Maryland; Hon. Mike Thompson, a 
  Representative in Congress from the State of California; Hon. 
  John F. Tierney, a Representative in Congress from the State of 
  Massachusetts; Hon. Carlos A. Romero-Barcelo, a Resident 
  Commissioner in Congress from the U.S. Territory of Puerto 
  Rico; Hon. Jim McDermott, a Representative in Congress from the 
  State of Washington; Hon. Janice D. Schakowsky, a 
  Representative in Congress from the State of Illinois; Hon. 
  Neil Abercrombie, a Representative in Congress from the State 
  of Hawaii; Hon. Eleanor Holmes Norton, a Delegate in Congress 
  from the District of Colombia; Hon. Carolyn B. Maloney, a 
  Representative in Congress from the State of New York; Hon. 
  Harold E. Ford, Jr., a Representative in Congress from the 
  State of Tennessee; Hon. John Joseph Moakley, a Representative 
  in Congress from the State of Massachusetts; Hon. James P. 
  McGovern, a Representative in Congress from the State of 
  Massachusetts; Hon. Dennis J. Kucinich, a Representative in 
  Congress from the State of Ohio; Hon. Ellen O. Tauscher, a 
  Representative in Congress from the State of California; Hon. 
  Sam Farr, a Representative in Congress from the State of 
  California; Hon. Bernard Sanders, a Representative in Congress 
  from the State of Vermont; Hon. Gerald D. Kleczka, a 
  Representative in Congress from the State of Wisconsin; Hon. 
  Donna MC Christensen, a Delegate in Congress from the U.S. 
  Virgin Islands; Hon. Tom Lantos, a Representative on Congress 
  from the State of California; and Hon. Louise McIntosh 
  Slaughter, a Representative in Congress from the State of New 
  York, joint letter and attachment..............................   119
Consortium for Citizens with Disabilities, statement.............   125
Family Violence Prevention Fund, San Francisco, CA, statement....   129
Health Industry Manufacturers Association, statement.............   135
Licthman, Judith L., National Partnership for Women & Families, 
  statement......................................................   165
Loveless, Charles M., American Federation of State, County and 
  Municipal Employees, AFL-CIO, letter...........................   105
LPA, Inc., Daniel V. Yager, statement............................   138
McGinly, William C., Association for Healthcare Philanthropy, 
  Falls Church, VA, statement and attachments....................   110
Medical Group Management Association, statement..................   144
National Association of Insurance Commissioners, Kathleen 
  Sebelius, letter and attachment................................   145
National Breast Cancer Coalition, Fran Visco, letter.............   160
National Partnership for Women & Families, Judith L. Licthman, 
  statement......................................................   165
Orient, Jane M., Association of American Physicians and Surgeons, 
  Inc., Tucson, AZ, statement....................................   118
Paul, Hon. Ron, a Representative in Congress from the State of 
  Texas, statement...............................................   167
Physican Insurers Association of America, Rockville, MD, 
  statement......................................................   169
Ramstad, Hon. Jim, a Representative in Congress from the State of 
  Minnesota......................................................   172
Russell, Thomas R., American College of Surgeons, letter and 
  attachment.....................................................    98
Sebelius, Kathleen, National Association of Insurance 
  Commissioners, letter and attachment...........................   145
Slaughter, Hon. Louise McIntosh, a Representative in Congress 
  from the State of New York, statement..........................   172
VHA Inc., statement..............................................   175
Visco, Fran, National Breast Cancer Coalition, letter............   160
Yager, Daniel V., LPA, Inc., statement...........................   138

 
                   CONFIDENTIALITY OF PATIENT RECORDS

                              ----------                              


                      THURSDAY, FEBRUARY 17, 2000

                  House of Representatives,
                       Committee on Ways and Means,
                                    Subcommittee on Health,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 11:37 a.m., in 
room 1100, Longworth House Office Building, Hon. Bill Thomas 
(Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]

ADVISORY

FROM THE COMMITTEE ON WAYS AND MEANS

                         SUBCOMMITTEE ON HEALTH

                                                CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE

February 11, 2000

No. HL-13

                      Thomas Announces Hearing on

                 the Confidentiality of Patient Records

    Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of 
the Committee on Ways and Means, today announced that the Subcommittee 
will hold a hearing on the Administration's proposed regulations 
regarding privacy of individually identifiable health information. The 
hearing will take place on Thursday, February 17, 2000, in the main 
Committee hearing room, 1100 Longworth House Office Building, beginning 
at 10:00 a.m.
      
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. The 
Subcommittee will receive testimony from a representative of the U.S. 
Department of Health and Human Services (HHS), and from a variety of 
private sector witnesses representing different perspectives from 
within the health care system. However, any individual or organization 
not scheduled for an oral appearance may submit a written statement for 
consideration by the Committee and for inclusion in the printed record 
of the hearing.
      

BACKGROUND:

      
    Congress addressed the issue of medical record confidentiality in 
1996 when it passed administrative simplification requirements for 
electronic health transactions as part of the Health Insurance 
Portability and Accountability Act (HIPAA) P.L. 104-191). HIPAA 
required the Secretary of HHS to make recommendations to Congress about 
how to better protect the confidentiality of personal health 
information that is transmitted electronically. The Secretary submitted 
her recommendations to Congress in September of 1997. Additionally, 
Congress granted the Secretary the authority to draft regulations if a 
privacy law was not enacted by August 21, 1999. On November 3, 1999, 
HHS published a Notice of Proposed Rule Making for ``Standards for 
Privacy of Individually Identifiable Health Information.'' The comment 
period for this ruling was extended until February 17, 2000, and a 
final ruling will follow. Generally, covered entities must comply with 
these regulations no later than 24 months following the effective date 
of the final rule.
      
    The proposed rule establishes standards to protect the privacy of 
individually identifiable health information maintained or transmitted 
electronically in connection with one of the mandated electronic 
transaction standards established by HIPAA. Since the release of the 
proposed ruling, many provider groups, health care organizations, and 
privacy advocates have expressed various concerns about different 
interpretations of the regulation, and its potential implications. As a 
result, thousands of comments are expected to be submitted on the 
regulation by the end of the comment period.
      
    In announcing the hearing, Chairman Thomas stated: ``Protecting the 
confidentiality of personal health information is critical to ensuring 
patient confidence in our health care system. The Secretary has taken 
on a monumental task. She has tried to lay out a comprehensive 
framework for regulating the flow of virtually all health care 
information, while still allowing data to be used to further research 
that will improve patient care. This hearing is intended to assist us 
in determining whether the regulation will ultimately prove to be 
workable or whether legislation might be necessary.''
      

FOCUS OF THE HEARING:

      
    The hearing will focus on various aspects of the Department's 
proposed confidentiality regulation, and examine what implications the 
rule presents for Medicare and the private health sector.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
    Any person or organization wishing to submit a written statement 
for the printed record of the hearing should submit six (6) single-
spaced copies of their statement, along with an IBM compatible 3.5-inch 
diskette in WordPerfect or MS Word format, with their name, address, 
and hearing date noted on a label, by the close of business, Thursday, 
March 2, 2000, to A.L. Singleton, Chief of Staff, Committee on Ways and 
Means, U.S. House of Representatives, 1102 Longworth House Office 
Building, Washington, D.C. 20515. If those filing written statements 
wish to have their statements distributed to the press and interested 
public at the hearing, they may deliver 200 additional copies for this 
purpose to the Subcommittee on Health office, room 1136 Longworth House 
Office Building, by close of business the day before the hearing.
      

FORMATTING REQUIREMENTS:

      
    Each statement presented for printing to the Committee by a 
witness, any written statement or exhibit submitted for the printed 
record or any written comments in response to a request for written 
comments must conform to the guidelines listed below. Any statement or 
exhibit not in compliance with these guidelines will not be printed, 
but will be maintained in the Committee files for review and use by the 
Committee.
      
    1. All statements and any accompanying exhibits for printing must 
be submitted on an IBM compatible 3.5-inch diskette in WordPerfect or 
MS Word format, typed in single space and may not exceed a total of 10 
pages including attachments. Witnesses are advised that the Committee 
will rely on electronic submissions for printing the official hearing 
record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. A witness appearing at a public hearing, or submitting a 
statement for the record of a public hearing, or submitting written 
comments in response to a published request for comments by the 
Committee, must include on his statement or submission a list of all 
clients, persons, or organizations on whose behalf the witness appears.
      
    4. A supplemental sheet must accompany each statement listing the 
name, company, address, telephone and fax numbers where the witness or 
the designated representative may be reached. This supplemental sheet 
will not be included in the printed record.
      
    The above restrictions and limitations apply only to material being 
submitted for printing. Statements and exhibits or supplementary 
material submitted solely for distribution to the Members, the press 
and the public during the course of a public hearing may be submitted 
in other forms.
      

    Note: All Committee advisories and news releases are available on 
the World Wide Web at ``http://waysandmeans.house.gov''.
      

    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.
      

                                


    Chairman Thomas. The subcommittee will come to order. When 
I was younger there was a little rhyme that my mother used to 
recite to me and I never really appreciated it as much as I do 
now when the House is not going to meet and vote today, and 
members make choices. We had planned on voting today. We will 
not have as many members at this hearing as we obviously would 
like. There are others that are forced to arrive a little late 
because of other factors.
    But the little rhyme was that man works from sun to sun, a 
woman's work is never done. This committee has a decidedly 
female bent in terms of the workload that we have. But we are 
dealing with a number of issues in which we need to lay a 
hearing record fairly early, and frankly, I believe February is 
a fairly early time period, in looking at issues such as 
medical errors, prescription drug being integrated into 
Medicare.
    Nothing is probably more important since it undergirds many 
of those areas, the question of medical records, 
confidentiality of those records. But more importantly, the 
ability to use those records in a confidential way to continue 
to work on a systematic examination of medical decisions for 
outcomes policy and for making sure that with the limited 
dollars available, to try to stretch as far as we can to 
provide health care to a number of individuals in our society, 
among those the eldest and the most needy, the taxpayers' 
dollars are spent in the wisest possible way.
    Congress addressed the issue of medical record 
confidentiality in 1966, although the whole question of 
confidentiality in the general area of records has been looked 
at since the 1970s. In the legislation, the Health Insurance 
Portability and Accountability Act, there was a positive 
attempt to get at especially the area of electronic health 
transactions. We had a deadline for Congress to act, but with 
some degree of prescience said that if we did not, the 
Secretary of Health and Human Services should go forward with 
the attempt.
    The context in which we examine the Secretary's attempt, 
and indeed look at Congressional attempts, one to meet the 
deadline, and continue to try to produce policy after the 
deadline even today, is one that I think has been an honest 
effort to deal with a very difficult area. There are some I 
think who would like to politicize this area as they are 
attempting to politicize other areas, and use it for whatever 
political advantage they may think.
    As far as serving the society in the areas, for example, 
that we have held committee hearings on and this one today, I 
hope that we will try to tone down the politics. That is, the 
assumption that people who are in opposition to some attempt to 
create confidentiality in some manner have ulterior motives.
    I think when you look at it from the number of different 
perspectives that people look at it, they all see the problem 
from a slightly different perspective and try to examine it 
from how they fit into the proposed scheme. Indeed, I am 
hopeful that with the initial panel of Health Care Financing 
Administration and the other panels it will be clearly 
illustrated that to a very great extent beauty is in the eye of 
the beholder, depending upon how you see yourself within this 
larger structure.
    So we come today with the last day of the extended comment 
period closing, and that is one of the reasons I wanted to make 
sure that we had a hearing today. Now generally, covered 
entities must comply with these regulations no later than 24 
months following the effective date of the final rule. As we 
have seen with other legislation, that may be forever. Our goal 
is not to have that happen. To the degree regulations that seem 
to be generally supported cannot be finalized, then obviously 
legislation is even more critical.
    So let me just preface our discussion by stating that the 
Secretary has undertaken a monumental task. I strongly support 
the overall goals of her proposal. Within the confines of the 
health care legislation the Secretary has tried to lay out a 
comprehensive framework while still allowing the data to be 
used for research, quality improvement, case and disease 
management, and other important purposes that sometimes we fail 
to realize how important they are until someone in one 
particular niche comes to us and says, you did not think about 
me. You did not realize that we do these sorts of things.
    So this hearing is intended to assist us in determining 
whether the regulation will ultimately prove to be workable or 
whether, as I said, we really need to have legislation 
notwithstanding the best efforts. Obviously from the number of 
words on pages with this proposed ruling it is evident this is 
a complicated issue. From all indications, and I think we have 
got--hopefully in the testimony we will get some indication of 
the number of public comments. Since this is nearing the last 
day you may get additional, but you should have a pretty good 
idea of the count.
    Frankly, this is helpful, useful. This kind of scrutiny is 
good. This is a very important area that we get right. Everyone 
agrees that patient records should be kept confidential. The 
difficulties come in determining the best way to accomplish 
that goal. How much, to what degree, in what instance, how 
clear is it? To me, the importance of this issue in health 
policy cannot be overstated. In fact it undergirds our 
attempts, especially in areas such as medical errors, to get it 
right.
    So what we really need to do is listen carefully to all of 
the concerns, and indeed some of the difficulties of the 
Secretary in trying to put together a package, so that in our 
effort to maintain confidentiality we minimally hinder, if at 
all, the flow of information that is essential to the delivery 
of quality health care and improving the quality of care for 
patients in the future.
    The Secretary's effort represents the Administration's 
initial attempt after several false starts at resolving this 
very perplexing policy challenge. Today begins this committee's 
examination of whether or not the effort is minimally 
acceptable or whether we are going to have to enter the 
legislative thicket in dealing with that.
    [The opening statement follows:]

Opening Statement of Chairman William M. Thomas, a Representative in 
Congress from the State of California

    Good morning and welcome. Congress addressed the issue of 
medical record confidentiality in 1996 when it passed 
administrative simplification requirements for electronic 
health transactions. This legislation, the Health Insurance 
Portability and Accountability Act (or HIPAA), required the 
Secretary of Health and Human Services to make recommendations 
to Congress on how to better protect the confidentiality of 
personal health information that is transmitted electronically. 
The Secretary submitted her recommendations to us in September 
of 1997. Additionally, Congress granted the Secretary the 
authority to draft regulations if a confidentiality law was not 
enacted by August 21, 1999. On November 3, 1999, Health and 
Human Services published their proposed regulations for medical 
record confidentiality. The comment period for this ruling was 
extended, upon our urging, until today, February 17, 2000, and 
a final ruling will follow. Generally, covered entities must 
comply with these regulations no later than 24 months following 
the effective date of the final rule.
    Let me just preface our discussion by stating that the 
Secretary has undertaken a monumental task and I strongly 
support the overall goals of her proposal. She has tried to lay 
out a comprehensive framework for regulating the flow of health 
care information, while still allowing data to be used for 
research, quality improvement, case and disease management, and 
other important purposes that will improve patient care. Today 
the Subcommittee will be examining these proposed regulations 
and the possible effects that they may have on the health care 
system. This hearing is intended to assist us in determining 
whether the regulation will ultimately prove to be workable or 
whether additional legislation might be necessary. From the 
length of the proposed ruling, it is quite evident that this is 
a complicated issue. From all indications, HHS will have 
received a deluge of public comments by the end of today 
regarding this issue. This kind of scrutiny is good. For this 
rule will have broad implications. One thing is clear, we need 
to get this one right. Everyone agrees that patient records 
should be kept confidential, the difficulties come in 
determining the best way to accomplish this goal.
    To me, the importance of this issue in health policy cannot 
be overstated. It is imperative that we ensure the 
confidentiality of Medicare beneficiaries' health information. 
Protecting the confidentiality of this information is critical 
to ensuring patient confidence in our health care system. Yet, 
it is equally important that, in the effort to maintain 
confidentiality, we do not hinder the flow of information that 
is essential to the delivery of quality health care, and to 
improving the quality of care for patients in the future. The 
Secretary's regulation represents the Administration's initial 
attempt at resolving this perplexing policy challenge. My hope 
is that today's hearing will be instrumental in helping us 
determine whether this initial attempt strikes the right 
balance.
      

                                


    With that I would yield to my colleague from Washington, 
someone who has a significant interest in this area and has 
attempted on his own in the past to help resolve the 
difficulties in this area. The gentleman from Washington, Mr. 
McDermott.
    Mr. McDermott. Thank you, Mr. Chairman. I want to comment 
you on having this hearing, and I think that as you rightly 
state it is not a partisan issue. It is an issue of extreme 
importance I think for the health care system in this country. 
For that reason I think that it is important that we start as 
early in the session as we come airing the issues so that if we 
are going to write legislation in this session we ought to have 
an opportunity to actually let the public be involved in the 
process.
    I practiced as a psychiatrist for about 20 years so privacy 
and patient's confidence that what he or she said to me would 
remain private has always been a crucial component of my 
personal practice, but it is in all of medicine. It is the 
basis for going to a doctor and saying to a doctor what my 
problem is. If you do not trust the physician, or the nurse or 
whoever the health provider is that this information is going 
to be kept private, you are liable to withhold or tell only 
half the story or whatever. So it is important if you are going 
to get good health care that you have privacy guaranteed.
    But it is more than as an observer of standard medical 
practice that I became convinced we need strong Federal privacy 
laws. Having had surgery I have had already the impacts of 
getting a medication and then getting mailings from people that 
I did not know where they came from. I do not know who let 
these companies know that I was on a particular medication and 
therefore should send me medical device information. It is 
everywhere and everybody is being impacted on it, including 
members of Congress. This is not something that is Democrats or 
Republicans. It is everybody in this country who receives 
health care is a part of this system.
    Now Congress had, as the chairman rightly says, a chance to 
establish standards but up to this point we have not done it. 
So I would like to commend the Administration, especially 
Secretary Shalala, for doing what the Congress so far has been 
unable to do and moving forward with the medical 
confidentiality standards. I want to thank the Secretary and 
the department for working within the constraints placed upon 
them by the Congress and delivering a good regulation.
    Based on the thousands of comments--I understand the figure 
is in excess of 30,000 or 40,000--HHS has been receiving on 
this issue it is safe to say that they must be on the right 
trace, because they are coming from both sides or--there really 
is more than two sides. There are about nine sides to this 
issue.
    But in spite of the good faith efforts by the 
Administration I think we all receive that adequate systemic 
protection of medical privacy cannot be achieved simply by 
regulation. When Congress passed the Health Insurance 
Portability and Accountability Act, the so-called HIPAA, 
Congress gave itself two years to do this. And if we did not 
act we said Donna Shalala, the Secretary, should do it. But we 
imposed severe restrictions--and I want to emphasize that--on 
the Secretary. These constraints are reflected by the narrow 
scope of the regulation that we have before us. In my view it 
is a narrow scope.
    As members of the committee and as the Congress begins to 
think about this I think we have to keep in mind that we 
prevented the Secretary from doing more than is in this 
regulation. The only entities that are directly covered by the 
regulation are health care providers, health care plans, and 
health data clearinghouses. Additionally, the regulation only 
applies to electronic records.
    Now I am the only one on the dais that ever filled out a 
health care record, kept records. Most of it is written, or has 
been for a very long time. The advent of the computer has 
changed it obviously, but for the regulation only to deal with 
electronic data seems to me an unnecessary or an improper 
narrowing of the scope of the regulation.
    In addition, we also said there was a limited enforcement 
mechanism and no right to sue. If your information is used 
against you and you are unable to--if you are damaged in some 
way or feel you are, you have no right to go to the courts.
    Now by restricting the entities covered by the regulation 
we left a huge vacuum of unregulated entities. For instance, 
researchers and oversight agencies that collect, use, and 
disclose protected health information will not be directly 
covered. Clearly, the only way to ensure that all parties to 
sensitive health information are required to maintain privacy 
is through strong and comprehensive legislation. That is why I 
think the chairman is correct in holding this hearing and 
setting us on the road.
    Now I started in 1995 on this issue after I read an article 
in the New York Times Sunday magazine section about a young man 
who had a disease called Marie-Tooth disease. It is a very rare 
upper limb muscular dystrophy which makes weak upper arms. He 
was taken and they did the genetic testing on him and all of 
this, and they did the counseling with the family.
    The family thought that was the end of it until about three 
months later the father lost his auto insurance. Now he lost 
his auto insurance without a moving violation, with an 
accident. Just got a notice, you no longer are covered by our 
company. He started to investigate this and they told him that 
they had discovered that his son's disease was a genetic 
disease and they did not want anybody who had that disease to 
have their automobile insurance.
    Now you ask yourself, how did that get from the doctor's 
office to the auto insurance company that pulled his policy? It 
is because we are all open to this, the entire public at this 
point can be affected by that thing. And I hope that the 
chairman will be willing to work with members of the entire 
committee on this issue. I think we have started well and I 
think it is a good thing to do because this is an issue that 
affects everyone. It is not going to get better. It is going to 
get worse as we go down the road.
    It is increasingly difficult to ensure the privacy of 
sensitive health information because of the tremendous 
technological advances and the more efficient transmittal of 
large quantities of data. Computers have absolutely 
revolutionized the way medical information is collected, 
stored, and disseminated. If you walk through a hospital, 
doctors have computers in their lap and they are typing things 
into them and then dumping them into the larger mainframe and 
away it goes. So without adequate, enforceable controls, this 
information can easily be used to breach the privacy of 
patients and to allow discrimination against them.
    Now rightly, Americans are becoming increasingly concerned 
about this lack of privacy. If we do not step in with strong 
protections we will seriously undermine the credibility of the 
health care system. That is, the doctor-patient relationship 
which we say we want to protect. But there is another issue 
which I want to put on the table and I think in some ways this 
hearing is really a precursor for a much bigger problem down 
the road.
    The United States Government has spent billions of dollars 
in something called the human genome project. Soon we will have 
a map of the entire genetic makeup of the body. But while this 
scientific advance carries with it many promising benefits, it 
also raises significant concerns about privacy.
    One test can determine a woman's potential susceptibility 
to breast cancer. The work was done at the University of 
Washington by a Dr. Mary Claire King and I know intimately what 
went on in that whole thing. But many in this country are 
unwilling to be tested because they are fearful that if it gets 
into their record that they have the gene, or it is in their 
record and their children are also receiving treatment or need 
treatment or are wondering about it, they may lose insurance. 
The fear about having that genetic information known and in the 
computer system is a restraint on the kinds of prevention that 
would be possible if we had good assurance of privacy.
    So we must ensure that our citizens can take advantage of 
medical breakthroughs without the worry that information may be 
used against them.
    To I think we will also hear concerns from companies. Some 
of the information that I read comes from companies that make 
money from marketing of sensitive health information. But I 
believe medical records must not be commodities that are bought 
and sold. I think we may hear many claims that the new 
regulation must not interfere with those particular interests, 
but the group we have to listen to most carefully in my view 
are the patients and their families. Think about your own 
family records being available for anyone to look at and you 
immediately see what the problem is.
    Now the question we have to ask ourselves as we write 
legislation is, what value can you place on the confidentiality 
of a doctor-patient relationship? It is essential that we 
protect the privacy of individuals, including their genetic 
privacy. Good legislation can ensure that the new technologies 
are used not to deny care or to deny medical privacy, but to 
benefit all of us.
    Mr. Chairman, as I close I would like to enter in the 
record the following statements, one from Congresswoman Louise 
Slaughter, one from the American Psychiatric Association, one 
from the American Psychoanalytic Association, one from AFSME, 
one from the Consortium for Citizens for Disabilities, and one 
from the National Breast Cancer Coalition, and finally I would 
like attached a letter signed by a number of members of the 
Congress who are interested in this whole issue. This is a 
beginning of what I think is a very important process and I 
commend you on it.
    Chairman Thomas. Without objection, those will be submitted 
for the record.
    [The opening statement and material follow:]

Opening Statement of Jim McDermott, a Representative in Congress from 
the State of Washington

     want to thank Chairman Thomas and the ranking member, Mr. 
Stark, for yielding me time to talk about medical privacy, an 
issue that I have been concerned about for some time.
    Most of you know that I was a practicing psychiatrist for 
more than 30 years. Privacy, and the patient's confidence that 
what he or she says will remain private, is a crucial component 
of that profession. But more than that, as an observer of 
standard medical practices, I became convinced that we need a 
strong federal privacy law protecting patients.
    Congress had a chance to establish those standards but 
couldn't do it. So I would like to commend the Administration, 
especially Secretary Shalala, for doing what the Congress 
hasn't been able to do and moving forward with medical 
confidentiality standards.
    I thank the Secretary and the Department for working within 
the constraints placed on them by Congress and delivering a 
good regulation. Based on the thousands of comments HHS is 
receiving from all sides of the issue, it is safe to say they 
are on the right track.
    But despite those good-faith efforts by the administration, 
I think we all realize that adequate, systemic protection of 
medical privacy cannot be achieved through regulation.
    When Congress passed The Health Insurance Portability and 
Accountability Act (HIPAA), Congress gave itself two years to 
write comprehensive privacy regulations. If we did not act--and 
we didn't--then Secretary Shalala could issue rules. But we 
imposed some strict constraints on the secretary. These 
constraints are reflected by the narrow scope of the regulation 
before us.
    As the members of the subcommittee listen to the testimony 
today, I urge you to keep in mind what we prevented the 
Secretary from doing. The only entities that are directly 
covered by the regulation are health care providers, health 
plans, and health data clearinghouses. Additionally, the 
regulation only applies to electronic records--not even paper 
records are protected--and there is a limited enforcement 
mechanism, and no right to sue.
    By restricting the entities covered by the regulation, we 
have left a large vacuum of unregulated entities. For instance, 
researchers and oversight agencies that collect, use, and 
disclose protected health information will not be directly 
covered.
    I applaud the Secretary's effort to limit disclosures by 
binding the business partners of cover entities through 
contracts. This intermediary step heads in the right direction 
by ensuring the rights of patients are not violated. 
Unfortunately, it targets the liability on covered entities, 
while failing to prevent re-disclosures by entities that are 
not covered.
    The intent of HIPAA's Administrative Simplification section 
was to move the health care industry toward using electronic 
records--a worthwhile goal.
    Clearly, we must take action to apply the regulation's 
protections to all patient records. Congress' preventing 
Secretary Shalala from covering paper records doesn't pass the 
laugh test. I believe the Secretary has the authority to cover 
both paper and electronic records and encourage her to do so in 
the final rule. Applying this regulation only to electronic 
records will create a disincentive for organizations to convert 
existing records to electronic form--which is contrary to 
Congress' intent.
    Congress also failed to allow the Secretary to include 
adequate enforcement of the regulation. The enforcement 
mechanisms in this regulation are minimal at best. We have 
established rules for the use and disclosure of sensitive 
health information without providing meaningful repercussions 
for breaking them. Compounding the problem is the fact that 
Congress did not provide a right-to-sue provision in HIPAA.
    Clearly, the only way to ensure that all parties to 
sensitive health information are required to maintain privacy 
is through strong, comprehensive legislation. In May 1996, I 
introduced my first medical privacy bill. I hope the Chairman 
will be willing to work with all members of the committee in 
pursuit of a strong, comprehensive, and bipartisan bill.
    If privacy is not maintained, the public will lack 
confidence in our health care system. If individuals doubt 
their information will be kept private, they will either delay 
treatment or be less forthcoming with their physicians. This 
self-monitoring of personal health information will result in 
increased personal and financial costs. We could even see a 
decline in societal health stemming from the increase in 
transmission of communicable diseases.
    Also, it is increasingly difficult to ensure the privacy of 
sensitive health information. Tremendous technological advances 
make it easier and more efficient to transmit large quantities 
of data. Computers have revolutionized the way medical 
information is collected, stored, and disseminated. Without 
adequate, enforceable controls, this information can easily be 
used to breach the privacy of patients and to allow 
discrimination against them.
    Americans are becoming increasingly concerned about their 
lack of privacy. If we don't step in with strong protections, 
we will seriously undermine the credibility of our health care 
system.
    One technological advance which we need to address is the 
Human Genome Project. Soon, we will have a map of the entire 
genetic makeup of the body. But while this scientific advance 
carries with it many promising benefits, it also raises 
significant concerns about privacy.
    One test can determine a woman's potential susceptibility 
to breast cancer. But some women, afraid that they or even 
their daughters will be denied employment or health insurance 
if they carry the gene, won't submit to the test.
    We must ensure that our citizens can take advantage of 
medical breakthroughs without the worry that private 
information may be used against them.
    Today, we will hear concerns about companies that stand to 
make money marketing sensitive medical information. But, 
medical records must not be commodities that are bought and 
sold.
    We may hear many claims that any new legislation must not 
interfere with those particular interests. But the group we 
should listen to most will be hardest to hear: patients and 
their families. Think about your own family's medical records 
being available for anyone to look at. What value can we place 
on the confidentiality of the doctor-patient relationship? It 
is essential that we protect the privacy of individuals, 
including their genetic privacy. Good legislation can ensure 
that new technologies are used, not to deny health care or to 
deny medical privacy, but to benefit all of us.
    Mr. Chairman, I would like to enter the following 
statements into the record:
    1. Congresswoman Louise Slaughter;
    2. American Psychiatric Association;
    3. American Psychoanalytic Association;
    4. AFSME, the American Federation of State, County and 
Municipal Employees;
    5. Consortium of Citizens for Disabilities;
    6. National Breast Cancer Coalition; and
    7. The attached comment letter signed by a number of 
Democratic members of Congress who are leading health privacy 
advocates.
    Thank you.
      

                                


    Chairman Thomas. Now Dr. Hamburg, thank you very much for 
coming before us. Dr. Hamburg is the assistant secretary for 
planning and evaluation, U.S. Department of Health and Human 
Services. She is narrowly responsible, but obviously the 
Secretary is broadly responsible. And as is the case in our 
offices many times, we may be the point person but we are not 
the one that either has a broader command of the particular 
area, and Dr. Hamburg has asked Mr. Claxton to sit at the 
table. Since our goal is to try to understand rather than play 
gotcha, we are more than willing to allow that to occur.
    So Dr. Hamburg, your written testimony will be made a part 
of the record and you can address us in any way you see fit in 
the time that you have available.

    STATEMENT OF HON. MARGARET A. HAMBURG, M.D., ASSISTANT 
   SECRETARY FOR PLANNING AND EVALUATION, U.S. DEPARTMENT OF 
HEALTH AND HUMAN SERVICES; ACCOMPANIED BY GARY CLAXTON, DEPUTY 
             ASSISTANT SECRETARY FOR HEALTH POLICY

    Dr. Hamburg. Thank you very much, Mr. Chairman, and 
distinguished members of the subcommittee. I appreciate the 
opportunity to appear before you to discuss the need for 
Federal legislation to safeguard the privacy of health 
information. As you know, health information privacy is the top 
priority for the department and the Administration and we 
continue to believe that legislation is the only way to achieve 
that goal.
    I am joined by Mr. Gary Claxton, the deputy assistant 
secretary for health policy in my office who has been deeply 
involved with issues of health privacy and the development of 
the proposed reg.
    At the outset, I want to commend the members of the 
subcommittee for their interest in health care privacy and 
efforts to develop this important and complex legislation. In 
addition, we are encouraged by the recent appointment of two 
Congressional task forces to address privacy issues. These 
efforts have the potential to generate the momentum needed to 
enact legislation this year.
    We are here today to emphasize our support for passage of 
bipartisan legislation providing comprehensive privacy 
protection to people's health care information. Stories abound 
that raise concern that our sensitive medical information can 
enter the wrong hands and be misused. Almost 75 percent of our 
citizens say that they are at least somewhat concerned that 
computerized medical records will have a negative effect on 
their privacy.
    Numerous analyses by Government, industry, and professional 
groups have identified serious gaps in protections for health 
information and have recommended Federal legislation to close 
them. And of course, we have already heard your personal 
stories about this concern. If we do not act now, public 
distress could deepen and ultimately stop citizens from 
disclosing important information to their doctors or getting 
needed treatment.
    In September of 1997, Secretary Shalala presented her 
recommendations for protecting the confidentiality of 
individually identifiable health information. In that report 
the Secretary concluded that Federal legislation establishing a 
national floor of confidentiality is necessary to provide 
rights for patients and define responsibilities of 
recordkeepers. She recommended that Federal legislation focus 
on health care payers and providers and the people who receive 
health information from them.
    The Secretary legislation to implement five key principles. 
First, information about a consumer that is obtained for 
delivering and paying for health care should, with very few 
exceptions, be used and disclosed for health purposes and 
health purposes only.
    Second, those who legally receive health information should 
be required to take reasonable steps to safeguard it.
    Third, consumers should have access to their health 
records, should know how their health information is being 
used, and who has looked at it, and should be given clear 
explanations of these rights.
    Fourth, people who violate the confidentiality of our 
personal health information should be accountable.
    These first four principles must be balanced against the 
fifth principle, public responsibility. Just like our free 
speech rights, privacy rights cannot be absolute. We must 
balance our protections of privacy with our public 
responsibility to support other critical national goals: public 
health, research, quality care, and our fight against health 
care fraud and abuse.
    To prepare the proposed privacy regulation we assembled a 
team from all the relevant Federal agencies. We published the 
proposed rule on November 3rd, 1999 and the period for public 
comment, as you noted, closes today. We explained the basis for 
our proposals in detail in the preamble to the proposed rule, 
but also asked for comment on over 150 specific issues. We will 
review all the comments we receive and we will make whatever 
changes are appropriate.
    We are committed to achieving the proper balance between 
ensuring patient privacy and the needs of the health care 
system to function properly and to continue advances in health 
protection and medical treatment. Our commitment to getting it 
right led us to extend the comment period from January 3rd to 
February 17th so the public and stakeholders would have 
adequate time to consider the proposed rule.
    Since we have just begun to review the comments I will not 
be able to speculate on or debate the contents of the final 
rule today. But I can tell you that as of yesterday we had 
received about 40,000 comments by mail or hand-delivery and 
roughly another 10,000 on our web site. Further, we have met 
with dozens of individuals and groups to hear more about their 
concerns and clarify provision of the proposed rule.
    While we are moving ahead to prepare the final regulation 
let me give you a few reasons why we continue to call for 
legislation. First, the HIPAA limits the application of our 
proposed rule to three entities, health plans, clearinghouses, 
and certain providers. But it does not provide authority for 
the rule to reach many people who receive health information 
from these entities. In short, in the rule we cannot put in 
place appropriate restrictions on how such recipients of 
protected health information may use and redisclose that 
information.
    Second, we are concerned that the enforcement provisions in 
the HIPAA are not adequate. The penalty structure is not 
commensurate with the importance of privacy in our lives, and 
there is no statutory authority for a private right of action 
for individuals to enforce their privacy rights.
    There are additional reasons we continue to call for 
legislation. For example, under the HIPAA only those providers 
engaged in electronic transactions can be covered. Any provider 
who maintains a solely paper information system cannot be 
subject to these privacy standards.
    Mr. Chairman, the principles embodied in our 
recommendations and proposed regulation should guide a 
comprehensive law that will create substantive Federal 
standards and provide our citizens with real peace of mind. The 
principles represent a practical, comprehensive and balanced 
strategy to protect health care information that is collected, 
shared, and used in an increasingly complex world.
    Thank you again for giving me this opportunity to testify 
and I look forward to answering any questions that you may have 
and working closely with you as you move forward on this 
important agenda.
    [The prepared statement follows:]

Statement of Hon. Margaret A. Hamburg, M.D., Assistant Secretary for 
Planning and Evaluation, U.S. Department of Health and Human Services

    Mr. Chairman, Congressman Stark, distinguished members of 
the Committee: I appreciate the opportunity to appear before 
you to discuss the need for federal legislation to ensure 
comprehensive privacy safeguards for health information. This 
issue is a top priority for the Department and the 
Administration, and although the regulation that we recently 
proposed serves as a foundation for providing strong privacy 
protections for consumers' health information, we continue to 
believe that legislation is ultimately necessary if we are to 
appropriately protect the privacy of the health information of 
all Americans.
    As the outset, I want to commend the members of this 
Subcommittee Mr. Thomas, Mr. Stark, and Mr. McDermott, as well 
as Mr. Cardin, for their interest in health care privacy and 
efforts to develop this important and complex legislation. In 
addition, we are encouraged by the recent appointment of two 
congressional task forces to address privacy issues. The 
``Congressional Privacy Caucus'' has the potential to generate 
the momentum needed to enact legislation this year.
    As you may remember, Secretary Shalala first presented her 
recommendations, required by the Congress under Section 264 of 
the Heath Insurance Portability and Accountability Act (HIPAA), 
in September 1997.\1\ I think it is fair to say that the 
recommendations were well received and have been used to assist 
others in crafting their own legislative proposals.
---------------------------------------------------------------------------
    \1\ Confidentiality of Individually-Identifiable Health 
Information, Recommendations of the Secretary of Health and Human 
Services, pursuant to section 264 of the Health Insurance Portability 
and Accountability Act of 1996'' can be found on the HHS web site at: 
http://aspe.os.dhhs.gov/admnsimp.
---------------------------------------------------------------------------
    HIPAA also requires that if legislation establishing 
comprehensive privacy protection was not enacted by August of 
last year, HHS must prepare final regulations. We assembled an 
interagency team to assist us in preparing the proposed 
regulation, including representatives from the Departments of 
Labor, Defense, Justice, Commerce, the Social Security 
Administration, the Office of Personnel Management, the 
Department of Veterans Affairs, and the Office of Management 
and Budget. We published the proposed rule on November 3 of 
1999; the period for public comment closes today, February 17, 
2000, and we will call upon a similarly broad team to review 
and respond to the public comments.
    We explained the basis for our proposals in detail in the 
preamble to the proposed rule and asked for comments on over 
150 specific issues. We are committed to reviewing all the 
public comments. Nothing in our proposed rule is set in stone. 
We are committed to achieving the proper balance between 
ensuring patient privacy and the needs of the health care 
system to function properly and continue advances in medical 
treatment. Our commitment to 'getting it right' led us to 
extend the comment period fro January 3 to February 17, so the 
public and stakeholders would have adequate time to consider 
the proposed rule, comment, and suggest alternative proposals.
    Since we have just begun to review the comments, I will not 
speculate on or debate the contents of the final rule today. I 
can tell you that, as of yesterday, we had received over 30,000 
comments by mail or hand delivery, and another 10,000 on our 
web site. Further, we met with dozens of individuals and 
organizations to hear more about their concerns and clarify 
provision of the proposed rule.
    While we are moving ahead to prepare the final regulation, 
the President and Secretary Shalala have made it very clear 
that their first priority is to see Congress enact a health 
information privacy bill that builds upon the progress made by 
our proposed regulation and ensures comprehensive privacy 
protections. We believe our rule will be a very good start in 
providing confidentiality protections, but legislation is 
needed to complete this important task and provide the 
protections envisioned in the Secretary's recommendations. Our 
staff have been working closely with many of your staff, and 
staff in the Senate, to assist you in achieving that goal. 
Again, let me reiterate, we want to see legislation, and we 
want to work with you to make that happen.
    The issue of health information privacy is quite complex--
in order to resolve it legislatively, some difficult choices 
will have to be made. We believe that our recommendations 
strike the appropriate balance between the privacy needs of our 
citizens and the critical needs of our health care system and 
our nation. This is an issue that touches every single 
American, and to reach resolution we will need a bipartisan 
effort.

THE NEED FOR LEGISLATION

    It has been over 25 years since a public advisory committee 
appointed by former HEW Secretary Elliot Richardson set forth 
principles of fair information practices that led to the 
landmark Federal Privacy Act. The Privacy Act is premised on 
the idea that individuals have a right to know what personal 
information the government holds about them, how that 
information will be used, and the right to review that 
information. Those 25 years have brought vast changes in our 
health care system.
    Changes in our health care delivery system mean that we 
must place our trust in entire networks of insurers and health 
care professionals--both public and private. The computer and 
telecommunications revolutions mean that information no longer 
exists in one place--it can travel in real time to many 
hospitals, physicians, insurers, and across state lines.
    In addition, new discoveries in biology mean that a whole 
new world of medical tests have the potential to help prevent 
disease. However, they also reveal the most personal health 
information about an individual and his or her family. Without 
safeguards to assure citizens that getting tested will not 
endanger their families' privacy or health insurance, we could 
endanger one of the most promising areas of research our nation 
has ever seen.
    Health care privacy can be safeguarded. It must be done 
with national legislation, national education, and an on-going 
national conversation.
    Currently, when we give a physician or health insurance 
company precious health information, the level of protection 
will vary widely from state to state. We have no comprehensive 
federal health information privacy standards. Because the 
practice of health care is increasingly becoming interstate 
through mergers, complex contractual relationships and enhanced 
telecommunications, we can no longer rely on the existing 
patchwork of state laws. The patchwork does not provide 
Americans the privacy protections they need or expect. The 
Congress should seize upon this opportunity to create strong 
federal standards and reassure the public that they can trust 
their health care providers and insurers to keep their health 
information secure.
    In developing our recommendations for federal legislation, 
we learned a great deal through consultations with a variety of 
outside groups and from six days of public hearings conducted 
by the National Committee on Vital and Health Statistics, our 
statutory federal advisory committee for health data and 
privacy policy. The hearings involved over 40 witnesses from 
across the health community, including health care 
professionals, plans, insurance companies, the privacy 
community, and the public health and research communities.
    We believe our recommendations provide a balanced framework 
for legislation that can protect the privacy of medical 
records, guarantee consumers the right to inspect their 
records, and punish unauthorized disclosures of personal health 
data by hospitals, insurers, health plans, drug companies or 
others.

THE PRINCIPLES

    The Secretary's recommendations for legislation, and our 
proposed regulation, are grounded in five key principles: 
Boundaries, Security, Consumer Control, Accountability, and 
Public Responsibility.

Boundaries

    The first is the principle of Boundaries: With very few 
exceptions, personally identifiable health care information 
should be disclosed for health purposes and health purposes 
only. It should be easy to use it for those purposes, and very 
difficult to use it for other purposes.
    For example, employers should be able to use the 
information furnished by their employees to provide on-site 
care or to administer a health plan in the best interests of 
those employees. But those same employers should not be able to 
use information obtained for health care purposes to 
discriminate against individuals when making employment 
decisions--such as hiring, firing, training, placements and 
promotions. To enforce these boundaries, we recommend strong 
penalties for the inappropriate use or disclosure of medical 
records.
    We recommend that the legislation apply specifically to 
providers and payers, and to anyone who receives health 
information from a provider or payer, either with the 
authorization of the patient or as authorized explicitly by 
legislation. To the extent allowed under the HIPAA statute, we 
have taken this approach in our proposed regulation. Our 
proposed rule would authorize the use and disclosure of 
personal information by heath plans and providers without the 
person's consent for specified health care and national 
priority purposes, and would require fair and informed consent 
from individuals for all other uses. However, as discussed 
below, the statute limits our authority to ensure that 
information that leaves a health plan or provider remains 
protected.
    Our recommendations also recognize that these providers and 
payers do not act alone. In order for a provider or payer to 
operate efficiently, it may need to enlist a service 
organization to perform an administrative or operational 
function. For example, a hospital may hire an organization to 
encode and process bills, or a managed care organization may 
contract with a pharmaceutical benefit management company to 
provide information to pharmacists about what medications are 
covered and appropriate for their customers.
    The numbers and types of service organizations are 
increasing every day. While most do not have direct 
relationships with the patients, they do have access to their 
personal health care information. Therefore, we recommend that 
they should be bound by the same standards. For example, a 
health plan's contractor should be allowed to have access to 
patient lists in order to do mailings to remind patients to 
schedule appointments for preventive care. But it should not be 
able to sell the patient lists to a pharmaceutical company for 
a direct mailing announcing a new product (without the person's 
consent). With the Business Partner provisions of our proposed 
Privacy Standards, we have taken this approach to the extent 
allowed under the HIPAA statute.

Security

    The second principle is Security. Americans need to feel 
secure that when they give out personal health care 
information, they are leaving it in good hands. Information 
should not be used or given out unless either the patient 
authorizes it or there is a clear legal basis for doing so.
    There are many different ways that private information like 
your blood tests could become public. People who are allowed to 
see it--such as lab technicians--can misuse it either 
carelessly or intentionally. And people who should not be 
seeing it--such as marketers or even hackers--can find a way to 
access it, either because the organization holding the 
information doesn't have proper safeguards or the marketers can 
find an easy way around the safeguards. To give Americans the 
security they expect and deserve, Congress should develop 
legislation that requires those who legally receive health 
information to take reasonable steps to safeguard it or face 
consequences for failure to do so.
    What do we mean by reasonable steps? The organizations 
should be required to have in place protective administrative 
and management techniques, educate their employees about these 
procedures, and impose disciplinary sanctions against employees 
who use information improperly or carelessly.
    We addressed some of these steps in our Security Standards 
regulation, implementing the Administrative Simplification 
mandate under HIPAA.\2\ That NPRM laid out a range of 
approaches for safeguarding the information to which the HIPAA 
mandate applies. In the privacy NPRM we proposed related steps 
for safeguarding health information, and we will coordinate 
these requirements in the final Security and Privacy 
regulations. However, these regulations will not reach all 
health information held by health plans and providers. We need 
legislation to cover all health information that needs this 
kind of protection.
---------------------------------------------------------------------------
    \2\ The notice of proposed rule making for Security and Electronic 
Signature Standards, covering security safeguards for electronic 
information, was published on August 12, 1998.
---------------------------------------------------------------------------
    We don't believe a law can specify the details of these 
protections because each organization must keep pace with the 
new threats to our privacy and the technology that can either 
abate or exacerbate them. But a federal law can require 
everyone who holds health information to have these types of 
safeguards in place and specify the appropriate sanctions if 
the information is improperly disclosed. In our regulations, we 
have proposed such a ``scalable'' approach, to reflect the 
differences in the size and nature of the entities that hold 
health information. The proposed regulations set forth the 
basic principles and general criteria for securing health 
information, and leave the specific steps for meeting these 
principles to each regulated entity. In this way, each entity 
can take the steps most appropriate to its size, the nature of 
the information it holds, and its business practices.

Consumer Control

    The third principle is Consumer Control. The principles of 
fair information practice (formulated in 1973 by a committee 
appointed by Secretary Richardson) included as a basic right: 
``There must be a way for an individual to find out what 
information about him is in a record and how it is used.''
    With very narrow exceptions, consumers should have the 
right to find out what is contained in their records, find out 
who has looked at them, and to inspect, copy and, if necessary, 
correct them. Consumers should be given a clear explanation of 
these rights and they should understand how organizations will 
use their information. Let me give you an example of why this 
is important. According to the Privacy Rights Clearinghouse, a 
California physician in private practice was having trouble 
getting health, disability, and life insurance. She ordered a 
copy of her report from the Medical Information Bureau--an 
information service used by many insurance companies. It 
included information showing that she had a heart condition and 
Alzheimer's disease. There was only one problem. None of it was 
true. Unfortunately, under the current system these types of 
errors occur all too often. Consumers often do not have access 
to their own health records and even those who do are not 
always able to correct some of the most egregious errors.
    With that in mind, our Recommendations set forth a set of 
practices and procedures that would require that insurers and 
health care providers provide consumers with a written 
explanation of who has access to their information and how that 
information will be used, how they can restrict or limit access 
to it, and what their rights are if their information is 
disclosed improperly.
    We also recommend procedures for patients to inspect and 
copy their information, and set out the very limited 
circumstances under which patient inspection should be properly 
denied.
    Finally, we recommend a process for patients to seek 
corrections or amendments to their health information to 
resolve situations in which innocent coding errors cause 
patients to be charged for procedures they never received, or 
to be on record as having conditions or medical histories that 
are inaccurate. The proposed privacy standards follow these 
Recommendations.

Accountability

    The fourth principle is Accountability. If you are using 
information improperly, you should be punished. This flows 
directly from the second principle of security--the requirement 
to safeguard information must be followed by real and severe 
penalties for violations. Congress should send the message that 
protecting the confidentiality of health information is vitally 
important, and that people who violate that confidence will be 
held accountable.
    We recommend that offenders should be subject to criminal 
felony penalties if they knowingly obtain or use health care 
information in violation of the standards outlined in our 
report. The penalties mandated in privacy legislation should be 
higher when violations are for monetary gain. In addition, when 
there is a demonstrated pattern or practice of unauthorized 
disclosure, those committing it should be subject to civil 
monetary penalties.
    In addition to punishing the perpetrators, we must give 
redress to the victims. We believe that any individual whose 
privacy rights have been violated should be permitted to bring 
a legal action for actual damages and equitable relief. The 
standard for such actions should not be set so high as to make 
the right meaningless in practice. Attorney's fees and punitive 
damages should be available when the violation is particularly 
egregious. As described more fully below, the HIPAA legislative 
authority does not allow the regulation to accomplish these 
goals.
    These first four principles--Boundaries, Security, Consumer 
Control and Accountability--must be carefully weighed against 
the fifth principle, Public Responsibility.

Public Responsibility

    Just like our free speech rights, privacy rights can never 
be absolute. We have other critical--yet often competing--
interests and goals. We must balance our protections of privacy 
with our public responsibility to support national priorities--
public health and safety, research, quality care, and our fight 
against health care fraud and abuse and other unlawful 
activities.
    Our Department is acutely aware of the need to use personal 
health information for each of these national priorities. For 
example, researchers have used health records to help us fight 
childhood leukemia and uncover the link between DES and 
reproductive cancers. Public health agencies use health records 
to warn us of outbreaks of emerging infectious diseases. HHS 
auditors use health records to uncover kickbacks, overpayments 
and other fraudulent activity. In addition, our efforts to 
improve quality in our health care system depend on our ability 
to review health information to determine how well health 
institutions and health professionals are caring for patients.
    For public health and safety, research, quality 
evaluations, fraud investigations, and legitimate law 
enforcement purposes, it's not always possible, or desirable, 
to ask for each patient's authorization for access to the 
necessary health information. And, in many cases, doing so 
could create major obstacles in our efforts. While we must be 
able to use identifiable information when necessary for these 
purposes, we should use information that is not identifiable as 
much as possible.
    To demonstrate how access must be balanced against public 
responsibility, let me outline a few of the areas in which we 
recommend that disclosure of health information should be 
permitted without patient authorization.

Public Health and Safety

    Under certain circumstances, we recommend permitting health 
care professionals, payers, and those receiving information 
from them to disclose health information without patient 
authorization to public health authorities for disease 
reporting, adverse event reporting, public health and safety 
investigation, or intervention. This is currently how the 
public health system operates under existing State and federal 
laws.
    For example, consider the outbreak of E. coli in hamburger 
that resulted in the largest recall of meat products in 
history. Public health authorities, working with other 
officials, used personally identifiable information to identify 
quickly the source of the outbreak and thereby prevent 
thousands of other Americans from being exposed to a 
contaminated product.

Research

    An important mission for the Department of Health and Human 
Services is to fund and conduct health research. We understand 
that research is vitally important to our health care and to 
progress in medical care. Legislation should not impede this 
activity.
    Today the Federal Policy for Protection of Human Subjects 
(the Common Rule) and FDA's Human Subject Protection 
Regulations protect participants in research studies that are 
funded or regulated by the federal government. These rules help 
protect the research subjects while not impeding the conduct of 
research. To protect patient privacy, we recommend that similar 
protections should be extended to all research in which 
individually identifiable health information is disclosed 
without patient authorization, and not just federally funded or 
regulated research.
    Researchers should determine whether their research 
requires the retention of personal identifiers. There are 
research studies that can only be conducted if identifiers are 
retained; for example, outcomes studies for heart attack 
victims or the recent study which identified a correlation 
between the incidence of Sudden Infant Death Syndrome and the 
infant's sleep position. In addition, if, and when, personal 
identifiers are no longer needed, the researcher should be 
required to remove them and provide assurances that the 
information will be protected from improper use and 
unauthorized additional disclosures.
    Under the Common Rule, if personal identifiers are 
necessary, an IRB (Institutional Review Board) must review the 
research proposal and determine whether informed consent is 
required or may be waived. In order for informed consent to be 
waived, an IRB must determine that the research involves no 
more than minimal risk to participants, that the absence of 
informed consent will not adversely affect the rights and 
welfare of participants, that conducting the research would be 
impracticable if consent were required, and that whenever 
appropriate, the participants will be provided with additional 
pertinent information after participation. This kind of IRB, 
privacy board, or a similar mechanism of review should be 
applicable for all research using individually identifiable 
health information without a patient authorization, regardless 
of funding source.
    Because the Common Rule was designed for protection of 
human subjects in general, not specifically with privacy 
protection in mind, our Recommendations included additional 
criteria for release of information without the subject's 
consent. We included those criteria in our proposed rule. We 
believe that, before an IRB or privacy board can approve 
disclosure of health information without the subject's consent, 
it should determine that: the research would be impracticable 
to conduct without the identifiable health information; the 
research project is of sufficient importance to outweigh the 
privacy intrusion that would result from the disclosure; there 
is an adequate plan to protect the identifiers from improper 
use and disclosure; and there is an adequate plan to destroy 
the identifiers at the earliest opportunity, unless there is a 
health or research justification for retaining identifiers. We 
have included these additional criteria in the proposed privacy 
regulation.

PREEMPTION

    Our recommendations call for national standards. But, we do 
not recommend outright or overall federal preemption of 
existing State laws that are more protective of health 
information.
    Some protections that we recommend will be stronger than 
some existing State laws. Therefore, we recommend that Federal 
legislation replace State law only when the State law is less 
protective than the Federal law. Thus, the confidentiality 
protections provided would be cumulative and the Federal 
legislation would provide every American with a basic set of 
rights with respect to health information.
    This is consistent with the broader approach taken to 
preemption in the HIPAA statute, both in the insurance reform 
provisions and the administrative simplification and privacy 
provisions. For the most part, State laws that go further than 
the federal law are preserved. We recognize that there are some 
concerns with this approach. In fact, some of these concerns 
are recognized in the privacy provisions of the HIPAA statute, 
which create carve outs from preemptions for state laws 
governing certain public health functions as well as other 
specific activities such as fraud and abuse. At the same time, 
we believe that, if a federal law is sufficiently strong, 
states will not need to enact additional privacy legislation.

HHS PROPOSED PRIVACY STANDARDS

Process and Status

    To assist us in developing the proposed rule, we assembled 
an interagency team including representatives from all parts of 
HHS, as well as the Departments of Labor, Defense, Commerce, 
and Justice, the Social Security Administration, the Department 
of Veterans Affairs, the Office of Personnel Management, and 
the Office of Management and Budget. We published the proposed 
rule on November 3 of 1999; the period for public comment 
closes, today, February 17, 2000 and we will call upon the same 
broad team to review and respond to the public comments.
    We have also continued the consultations with outside 
groups that we began in preparing the Recommendations. Since 
the proposed rule was published, we have meet with over____, 
and many of these were coalitions representing still more 
interested parties. We have learned a great deal from these 
consultations, and will continue fact-finding outreach as 
necessary based on our review of the public comments.
    As of February 15, we had received over 30,000 comments by 
mail or hand delivered, and roughly 10,000 electronically via 
the web. Once we have logged in all the comments, we will make 
them available to the public on our web site. Although we have 
not set a target date for the final rule, largely because we do 
not know how many comments we will receive, we intend to 
continue to make this regulation a top priority and publish a 
final rule as soon as possible, consistent with our 
responsibility to take the public comments into account.
    The proposed rule is based on the five key principles 
outlined above, from the Secretary's recommendations: 
Boundaries, Security, Consumer Control, Accountability, and 
Public Responsibility. To the extent possible under the HIPAA 
statutory authority, it implements these principles as 
discussed in detail in the Recommendations.
    Because the proposed rule is widely available, we will not 
repeat it here. Rather, we will highlight a few areas in which 
we are unable to implement our Recommendation in full due to 
limitations in the Statutory authority provided under the 
HIPAA. A summary of the proposed rule is attached, and is 
available at our web site.

WHY THE REGULATION DOES NOT PROVIDE COMPLETE PROTECTION

Coverage

    The Recommendations call for legislation that applies to 
health care providers and payers who obtain identifiable health 
information from individuals and, significantly, to those who 
receive such information from providers and payers. The 
Recommendations follow health information from initial creation 
by a health plan or health care provider, through various uses 
and disclosures, and would establish protections at each step: 
``We recommend that everyone in this chain of information 
handling be covered by the same rules.''
    However, the HIPAA limits the application of our proposed 
rule to health plans, health care clearinghouses, and to any 
health care provider who transmits health information in 
electronic form in connection with transactions referred to in 
section 1173(a)(1) of the Act (the ``covered entities''). 
Unfortunately, this leaves many entities that receive, use and 
disclose protected health information outside of the system of 
protection that we propose to create.
    In particular, the statute does not directly cover many of 
the persons who obtain identifiable health information from the 
covered entities. In the rule we are, therefore, faced with 
creating new regulatory permissions for covered entities to 
disclose health information, but cannot directly put in place 
appropriate restrictions on how many of the likely recipients 
of such information may use and re-disclose such information. 
For example, the Secretary's Recommendations proposed that 
protected health information obtained by researchers not be 
further disclosed except for emergency circumstances, for a 
research project that meets certain conditions, and for 
oversight of research. In the rule, however, we cannot impose 
such restrictions directly on researchers; instead, we propose 
that plans and providers obtain proof of IRB or privacy board 
approval of the research protocol. Additional examples of 
persons who receive health information but whom we cannot reach 
with the regulation include employers, workers compensation and 
life insurance issuers, and law enforcement officers. We also 
do not have the authority to directly regulate many of the 
persons that covered entities hire to perform administrative, 
legal, accounting, and similar services on their behalf, and 
who would obtain health information in order to perform their 
duties. This inability to directly address the information 
practices of these groups leaves an important gap in the 
protections provided by the proposed rule.
    In addition, only those providers who engage in the 
electronic administrative simplification transactions can be 
covered by this rule. Any provider who maintains a solely paper 
information system would not be subject to these privacy 
standards, thus leaving another gap in the system of protection 
we propose to create.
    The need to match a regulation limited to a narrow range of 
covered entities with the reality of information sharing among 
a wide range of entities led us to consider severe limits on 
the type or scope of the disclosures that would be permitted 
under the proposed regulation. The disclosures we propose to 
allow, however, are necessary for smooth operation of the 
health care system and for promoting key public goals such as 
research, public health, and law enforcement. We decided that, 
on balance, such severe limits on disclosures could do more 
harm than good. The only appropriate way to fill this gap in 
protection is with legislation that regulates not just the 
disclosing plans and providers, but also those receiving health 
information from plans and providers.

Enforcement

    Requirements to protect individually identifiable health 
information must be supported by real and significant penalties 
for violations. We recommend federal legislation that would 
include punishment for those who misuse personal health 
information and redress for people who are harmed by its 
misuse. We believe there should be criminal penalties 
(including fines and imprisonment) for obtaining health 
information under false pretenses, and for knowingly disclosing 
or using protected health information in violation of the 
federal privacy law. We also believe that there should be civil 
monetary penalties for other violations of the law, and that 
any individual whose rights under the law have been violated 
should be permitted to bring an action for actual damages and 
equitable relief. Only if we put the force of law behind our 
rhetoric can we expect people to have confidence that their 
health information is protected, and ensure that those holding 
health information will take their responsibilities seriously.
    In HIPAA, Congress did not provide sufficient enforcement 
authority. There is no private right of action for individuals 
to enforce their rights. In addition, we are concerned that the 
penalty structure does not reflect the importance of these 
privacy protections and the need to maintain public trust in 
the system.
    For these and other reasons, we continue to call for 
federal legislation to ensure that privacy protection for 
health information will be strong and comprehensive.

CONCLUSION

    Mr. Chairman, the five principles embodied in our 
recommendations and proposed regulation--Boundaries, Security, 
Consumer Control, Accountability, and Public Responsibility--
should guide a law that will create comprehensive federal 
standards and provide our citizens with real peace of mind.
    The principles represent a practical, comprehensive and 
balanced strategy to protect health care information that is 
collected, shared, and used in an increasingly complex world.
    In addition to creating new federal standards, we must 
ensure that every single person who comes in contact with 
health care information understands why it is important to keep 
the information safe, how it can be kept safe, and what will be 
the consequences for failing to keep it safe. Most of all, we 
must help consumers understand not just their privacy rights, 
but also their responsibilities to ask questions and demand 
answers--to become active participants in their health care.
    Mr. Chairman, we in the Department and the Administration 
are eager to work with you to enact strong national medical 
privacy legislation.
    Thank you again, for giving me this opportunity to testify. 
I look forward to answering any questions that you may have.

Proposed Standards for Privacy of Individually Identifiable Health 
Information

    Statutory Requirement

    Section 264 of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), Public Law 104-191, enacted 
August 21, 1996, requires that, if legislation establishing 
privacy standards is not enacted ``by the date that is 36 
months after the date of the enactment of this Act, the 
Secretary of Health and Human Services shall promulgate final 
regulations containing such standards not later than the date 
that is 42 months after the date of the enactment of this 
Act.''
    The statutory deadline for Congress to enact legislation 
was August 21, 1999. Absent legislation, HHS has developed its 
proposed rule.

Overview

    The proposed rule would:
     
     allow health information to be used and shared 
easily for the treatment and for payment of health care;
     allow health information to be disclosed without 
an individual's authorization for certain national priority 
purposes (such as research, public health and oversight), but 
only under defined circumstances;
     require written authorization for use and 
disclosure of health information for other purposes, and
     create a set of fair information practices to 
inform people of how their information is used and disclosed, 
ensure that they have access to information about them, and 
require health plans and providers to maintain administrative 
and physical safeguards to protect the confidentiality of 
health information and protect against unauthorized access.

Scope

a. Entities covered by the proposed rule

     Health care providers who transmit health 
information electronically
     Health plans
     Health care clearinghouses

    b. Health information covered by the proposed rule 
(``Protected health information'')

     Protection would start when information becomes 
electronic, and would stay with the information as long as the 
information is in the hands of a covered entity.
     Information becomes electronic either by being 
sent electronically as one of the specified Administrative 
Simplification transactions or by being maintained in a 
computer system.
     The paper progeny of electronic information is 
covered; the information would not lose its protections simply 
because it is printed out of the computer.
     HIPAA protects the information itself, not the 
record in which the information appears.
     The information must be ``identifiable.'' If the 
information has any components that could be used to identify 
the subject, it would be covered.

General rules

    We propose that covered entities be prohibited from using 
or disclosing health information except: as authorized by the 
patient, or as explicitly permitted by the regulation. The 
regulation would permit use and disclosure of health 
information without authorization for purposes of health care 
treatment, payment and operations, and for specified national 
policy activities under conditions tailored for each type of 
such permitted use or disclosure.
     The amount of information to be used or disclosed 
would be restricted to the minimum amount necessary to 
accomplish the relevant purpose, taking into consideration 
practical and technological limitations.
     There would be exceptions for situations in which 
assessment of what is minimally necessary is appropriately made 
by someone other than the covered entity (e.g., such as when an 
individual authorizes a use or disclosure of information, or 
when the disclosure is mandatory under another law).
     We would allow covered entities to rely on 
requests by certain public agencies in determining the minimum 
necessary information for certain disclosures.
     Under the principle of minimum necessary use, if 
an entity consists of several different components, the entity 
would be required to create barriers between components so that 
information is not used or shared inappropriately.
     To encourage covered entities to strip identifiers 
from health information when it is possible to do so, we would 
permit a covered entity to use and disclose such de-identified 
information in any way, provided that:
     it does not disclose the key or other mechanism 
that would enable the information to be re-identified, and
     it has no reason to believe that such use or 
disclosure will result in the use or disclosure of protected 
health information (e.g., because the recipient has the means 
to re-identify the information).
     We would treat the key to coded identifiers the 
same as the information to which it pertains. A covered entity 
could use or disclose a key only as it could use or disclose 
the underlying information.
     We would permit covered entities to disclose 
protected health information to persons they hire to perform 
functions on their behalf, where such information is needed for 
that function. These ``business partners'' would include 
contractors such as lawyers, auditors, consultants, health care 
clearinghouses, and billing firms, but not members of the 
covered entity's workforce.
     Except where the business partner is providing a 
treatment consultation or referral, we would require covered 
entities to enter into contracts with their business partners 
and would require the contracts to include terms to ensure that 
the protected health information disclosed to a business 
partner remains confidential. Business partners would not be 
permitted to use or disclose protected health information in 
ways that would not be permitted of the covered entity itself. 
We use the contract as a tool for protecting information, 
because the HIPAA does not provide legislative authority for 
the rule to reach many such business partners directly.
     The uses and disclosures permitted by this rule 
would be exactly that--permitted, not required. For disclosures 
not compelled by other law, providers and payers would be free 
to disclose or not, according to their own policies and 
principles. At the same time, nothing in this rule would 
provide authority for a covered entity to refuse to make a 
disclosure mandated by other law.
     Only two disclosures would be required by this 
proposed rule: disclosure to the subject individual pursuant to 
the individual's request to inspect and copy health information 
about him or her, and certain disclosures for the purposes of 
enforcing the rule.
     Health information covered by the proposed rule 
generally would remain protected for two years after the death 
of the subject of the information, subject to certain 
exceptions.

Disclosures without authorization for health care treatment, 
payment, and operations

     Covered entities could use and disclose protected 
health information without authorization for treatment, payment 
and health care operations. This would include purposes such as 
quality assurance, utilization review, credentialing, and other 
activities that are part of ensuring appropriate treatment and 
payment.
     Individuals generally could ask a covered entity 
to restrict further use and disclosure of protected health 
information for treatment, payment, or health care operations, 
with the exception of uses or disclosures required by law. The 
covered entity would not be required to agree to such a 
request, but if the covered entity and the individual agree to 
a restriction, the covered entity would be bound by the 
agreement.

Uses and disclosures with individual authorization

     Covered entities could use or disclose protected 
health information with the individual's authorization for 
almost any lawful purpose.
     We would prohibit covered entities from 
conditioning treatment or payment on the individual agreeing to 
disclose information for other purposes, and require the 
authorization form to state this prohibition.
     While the provisions of this proposed rule are 
intended to make authorizations for treatment and payment 
purposes unnecessary, some States may continue to require them. 
Generally, this rule would not supersede such State 
requirements. However:
     the rule would impose a new requirement that such 
State-mandated authorizations must be physically separate from 
an authorization for other purposes described in this rule.
     the authorization would have to meet the rule's 
requirements for the content of such authorizations (although a 
state law could require that an authorization contain 
additional provisions).
     We would require authorizations to specify the 
information to be disclosed, who would get the information, and 
when the authorization would expire. If an authorization is 
sought so that a covered entity may sell or barter the 
information, the covered entity would have to disclose this 
fact on the authorization form.
     Use or disclosure of information by the covered 
entity inconsistent with the authorization would be unlawful.
     Individuals could revoke an authorization.

Permissible uses and disclosures for purposes other than 
treatment, payment and operations

     Covered entities could use and disclose protected 
health information without individual authorization for the 
following national priority activities:
     Oversight of the health care system, including 
quality assurance activities;
     Public health, and in emergencies affecting life 
or safety;
     Research;
     Judicial and administrative proceedings;
     Law enforcement;
     To provide information to next-of-kin;
     For identification of the body of a deceased 
person, or the cause of death;
     For government health data systems;
     For facilities' (hospitals, etc.) directories;
     To financial institutions, for processing payments 
for health care; and
     In other situations where the use or disclosure is 
mandated by other law, consistent with the requirements of the 
other law.
     Specific conditions would have to be met in order 
for the use or disclosure of protected health information to be 
permitted. These conditions are tailored to the need for each 
specific category listed above and to the types of 
organizations involved in such activities.

Individual rights

    The proposed rule would provide several basic rights for 
individuals with respect to protected health information about 
them. Individuals would have:
     The right to receive a written notice of 
information practices from health plans and providers. The 
notice must describe the types of uses and disclosures that the 
plan or provider would make with health information (not just 
those uses and disclosures that could lawfully be made). When 
plans and providers change their information practices, they 
would also have to update the notice. Plans and providers would 
be required to follow the information practices specified in 
their most current notice.
     The right to obtain access to protected health 
information about them, including a right to inspect and obtain 
a copy of the information.
     The right to request amendment or correction of 
protected health information that is inaccurate or incomplete.
     The right to receive an accounting of the 
instances where protected health information about them has 
been disclosed by a covered entity for purposes other than 
treatment, payment, or health care operations (subject to 
certain time-limited exceptions for disclosures to law 
enforcement and oversight agencies)

Administrative requirements and policy development and 
documentation

    This proposed rule would require providers and payers to 
develop and implement basic administrative procedures to 
protect health information and the rights of individuals with 
respect to that information.
     Covered entities would be required to maintain 
documentation of their policies and procedures for complying 
with the requirements of the proposed rule. The documentation 
must include a statement of the entity's practices regarding 
who would have access to protected health information, how that 
information would be used within the entity, and when that 
information would or would not be disclosed to other entities.
     Covered entities would be required to have in 
place administrative systems, appropriate to the nature and 
scope of their business, that enable them to protect health 
information in accordance with this rule. Specifically, covered 
entities would be required to:
     designate a privacy official;
     provide privacy training to members of its 
workforce;
     implement safeguards to protect health information 
from intentional or accidental misuse;
     provide a means for individuals to lodge 
complaints about the entity's information practices, and 
maintain a record of any complaints; and
     develop a system of sanctions for members of the 
workforce and business partners who violate the entity's 
policies.

Scalability

    We propose privacy standards that covered entities must 
meet, but leave the detailed policies and procedures for 
meeting these standards to the discretion of each covered 
entity.
     We intend that implementation of these standards 
be flexible and scalable, to account for nature of each covered 
entity's business, and the covered entity's size and resources. 
We would require that each covered entity assess its own needs 
and implement privacy policies appropriate to its information 
practices and business requirements.
     The preamble to the proposed rule will include 
examples of how implementation of these standards are scalable.

Preemption

    Pursuant to HIPAA, this rule will preempt state laws that 
are in conflict with the regulatory requirements and that 
provide less stringent privacy protections, with specified 
exceptions for certain public health functions and related 
activities.
Enforcement

     Under HIPAA, the Secretary is granted the 
authority to impose civil monetary penalties against those 
covered entities which fail to comply with the requirements of 
this regulation.
     HIPAA also established criminal penalties for 
certain wrongful disclosures of protected health information. 
These penalties are graduated, increasing if the offense is 
committed under false pretenses, or with intent to sell the 
information or reap other personal gain.
     Civil monetary penalties are capped at $25,000 for 
each calendar year for each standard that is violated.

What this proposed rule does not do

     The HIPAA limits the application of our proposed 
rule to the covered entities. It does not provide the authority 
for the rule to reach many entities that receive health 
information from these covered entities, so the rule cannot put 
in place appropriate restrictions on how such recipients of 
protected health information may use and re-disclose such 
information.
     Any provider who maintains a solely paper 
information system cannot be subject to these privacy 
standards.
     There is no statutory authority for a private 
right of action for individuals to enforce their privacy 
rights.
      

                                


    Chairman Thomas. Thank you, Dr. Hamburg.
    In my opening comments I indicated some concern about the 
timeline for issuing final regulations and it has become 
something of, if not a joke, at least a model for us to be 
concerned about. I am referring to the 1993 legislation that is 
commonly referred to as Stark II in terms of self-referral, 
compensation and ownership. I have long thought that the 
ownership portion made complete sense and that portion has not 
been too difficult to get a handle on. But you have been 
chasing the elusive butterfly of compensation for seven years 
now and you still have not issued final regulations.
    I am guessing, as you indicated with all of the concerns 
and frustrations with the underlying legislation, although I 
think setting up some parameters that you bumped into, some of 
which you seemed to be able to knock over and keep going for 
whatever reasons and decided to stop with the others that were 
in the legislation, it might be ultimately a useful thing so 
that we can at least focus on friction areas or problem areas. 
But in the Stark II legislation, seven years no final 
regulation in the area of compensation.
    I personally believe that if you do issue final regs all 
they will be will be intermediate final regs which will then 
have to be fine-tuned by legislation and in fact I am trying to 
short-circuit that.
    That is by way of a preamble of saying, I do not think we 
can let that history be a model in this particular area. There 
have been attempts, primarily on the Senate side, to move 
forward legislatively. I want to underscore the gratitude from 
myself, and based upon the comments, shared by other members of 
this subcommittee on your willingness to jump in and move 
relatively expeditiously.
    However, you have come up with just a couple of points that 
I would like to highlight in terms of the difficulty and invite 
your response. I do not want to go into an extensive question 
and answer period. I will submit in writing to you so you can 
feel comfortable in commenting on them about two dozen 
additional questions, some of which I might have ordinarily 
asked, so that we can better understanding your thinking in 
particular areas.
    So the questions that I would ask you are kind of general 
but highlight the concerns in particular areas. You indicate 
that you have made a cost estimate of this particular 
legislation of about $3.8 billion. Often times we joke about 
how close something is for Government work. So if you are off 
by a factor of two, that is close enough for Government work. A 
factor of three to five, that is probably sloppy Government.
    But what we are going to hear is testimony that you may be 
off as much as seven, eight, 10 times the amount of money, in 
part because, I believe, of the ripple effect to secondary 
structures otherwise known, for example, as business partners 
who are covered entities and that you require a level of 
knowledge and performance on a ripple out aspect that I have a 
hard time believing was part of your estimate contained in the 
$3.8 billion.
    Do you have a comfort level that the $3.8 billion is a 
pretty complete cost analysis on what will be hopefully, with 
minor adjustments, the final rule? Or are you planning on 
doing, based upon the comments submitted, a more complete cost 
analysis before publishing a final rule?
    Dr. Hamburg. That, of course, is a very important question. 
We had put forward a cost estimate that spanned a range, about 
$1.6 to $6.3 billion, but recognized that there were areas of 
activity contained within the proposed regs where we did not 
have very good data for doing cost analysis, and one of the 
things we asked for in the process of comment was for 
additional data that could help enlighten these concerns.
    There have been cost estimates that have been put out and 
other evaluations that we think are quite inflated, that cost 
out activities that in fact are not contained within our regs. 
Of course, we recognize that we put forward a proposed reg on a 
complex issue for which there are many, as you say, ripple 
effects, many interested parties, and the final regulation will 
be shaped very much by the kinds of comments that are coming 
in.
    We will be looking very closely the cost issues but we do 
believe that the cost estimates that have been put forward by 
some other entities really do not crosswalk with what is in the 
reg as it currently exists. We will look closely at those so 
that we can compare how they got to their numbers, how we got 
to our numbers, and we have been engaged in that. We do need to 
look at some areas where we did not feel we had adequate data 
and see if new data sheds new light.
    Chairman Thomas. I do not want anyone to assume that what 
is driving this is a cost consideration. It is just that I 
would like to have it as accurate as we can because, frankly, 
when you move to these other business partners as covered 
entities--I mean, there are existing relationships--you are 
going on top of, in many instances, State laws. And of course, 
there are preexisting State licensing requirements that deal 
with professional conduct.
    It just seems to me that as you extend this umbrella of a 
partial Federal structure as you do, it is going to require 
necessarily renegotiations of a number of contracts which may 
in fact either impede care that is out there or produce some 
disruption in the structure which will have dollar value to it. 
It may be extremely difficult to put a value on that.
    But one of the questions that I would have and you may want 
to respond briefly now but it will be a part of the written 
question area is, did you consider and why did you reject 
dealing with business partners being required to certify that 
they comply with the regulations, not take one of the covered 
entities and hold them liable for a business partner's failure 
to comply? Some degree of certification would partially shift 
the responsibility.
    Now I know you are limited by the legislative window that 
is available to you. Would this be an area in which clearly 
from a legislative point of view we would want to focus in some 
detail?
    Dr. Hamburg. I think we all share the concern that these 
privacy protections be meaningful, real, and enduring, and our 
desire in addressing the business partners question was to 
ensure that, if we had privacy protections on the covered 
entities, that information that they would be sharing with 
business partners would continue to receive the same 
protections that the consumers would now have the expectation 
of having.
    Because of, as you say, the constraints of the statute, we 
cannot directly regulate those business partners, but we felt 
that we were trying to achieve in the proposed reg just what 
you were asking about: the certification that they would comply 
with the same privacy protections, and through the contractual 
mechanism we thought that could be achieved.
    Chairman Thomas. One of the real concerns I have shared by 
the way by a colleague on this committee, Ben Cardin, as we 
have attempted to move forward in concert in a bipartisan way 
in dealing with this area is that although there is some great 
desire to maintain a State structure and a Federal structure 
and your goal was to build a floor while allowing individual 
States to have ceilings.
    But the very fact that you have got to reconcile this kind 
of crazy quilt of relationships, especially when you throw in a 
number of phrases that deal with minimums, in what way do they 
relate to State structures, that perhaps it just might be a 
better way of looking at this whole area if you do not say that 
given today's world, paper or electronic, that a Federal 
preemption providing a uniform structure across all States, 
one, might not be a better way to afford protection and 
confidentiality. But two, would eliminate this extremely 
difficult job of trying to mesh from a floor to a ceiling, 
different State as well as now, new Federal regulations and 
impositions.
    Do you personally believe that the approach that the 
legislation requires you--that is, you could not offer Federal 
preemption--that structure is in fact the better way to go?
    Dr. Hamburg. This has been the topic of great debate and 
many well-informed thoughtful thinkers weighing in on differing 
sides. I think what we are trying to achieve is, as you say, 
the establishment of a clear set of protections in which the 
consumers can have confidence. If that were to be achieved I 
think States would feel less of a need to fill in the gaps and 
create their own privacy laws.
    There are, however, different concerns in different States. 
There are different issues that emerge. There are new 
technologies that impact different places differently. So to 
allow States to continue to have some flexibility as they see 
fit to tailor the law to suit their needs seems like a 
reasonable approach. But I do think that having comprehensive 
national privacy legislation would go very far in reducing this 
patchwork approach.
    Chairman Thomas. So you have firmly established yourself on 
the one hand, and then on the other. One of the frustrations of 
this job is that I almost always want to inquire if any agency 
that is going to testify has a one-armed member of the agency 
so that when they come they would not be able to be on the one 
hand and on the other.
    For example, you actually propose to preempt State law, do 
you not, in this regulation?
    Dr. Hamburg. We propose that where the regs would be more 
stringent that it would--
    Chairman Thomas. Preempt State law.
    Dr. Hamburg. --override State law.
    Chairman Thomas. Preempt State law.
    Dr. Hamburg. Yes.
    Chairman Thomas. Override State law. Say that a State in 
its wisdom in making a decision in this was not very wise and 
we are going to impose our regulation in this area. So you 
already have what I consider to be taken the first step. You 
believe there are States whose laws should be preempted by this 
Federal standard. But then you say you are going to allow 
States to continue to make regulations in particular areas.
    We are going to enter an area, in large part based upon the 
publicity of data that is somewhat aged at the current time, in 
the area of medical errors with the publication of the 
Institute of Medicine's, To Err is Human. Would not your 
proposal, that is preempt some areas and not preempt others, 
invite States to then go ahead and pass laws in terms of 
restricting the ability to collect information which we might 
consider to be essential in removing what everyone says they 
want to remove, and that is the up to 100,000 deaths a year 
through medical errors?
    I would like you, if you could succinctly as possible, 
explain the Administration's position that in certain areas we 
want uniformity, but in the most sensitive, most extreme areas 
where we have got to gather the data that is most important, 
you think it is best to have a crazy quilt of State laws 
controlling the flow of this information. What is the rationale 
behind that approach?
    Dr. Hamburg. I think that, as I have articulated already, 
the approach that is being put forward is to create a strong 
foundation of privacy protection that would capture what is 
believed to represent a firm foundation, and then allow States 
the flexibility to respond to the issues that arise within 
their States and from their specific constituencies, and 
respond to--
    Chairman Thomas. Including a strong feeling that certain 
information, notwithstanding the fact we believe it is 
necessary by building that floor, should not be allowed to flow 
and therefore we are going to restrict it?
    Dr. Hamburg. I think that States should not be prevented to 
respond to needs that they believe have not been addressed, to 
respond to emerging concerns, and to respond--
    Chairman Thomas. You started off your statement by 
indicating that just like freedom of speech it is not absolute, 
and that in fact in some areas individual rights need to be 
weighed in relationship to the public's right to know and I 
guess public health is one of the better areas. My concern is 
that you begin to get into this thicket very clearly with the 
Administration's approach in which we are going to have to play 
catch-up, and as soon as these regulations become final, if 
they do, there is no question in my mind that a number of State 
legislatures will begin to move.
    They are not moving as rapidly now--Minnesota being one of 
the prime examples in terms of the enormous difficulty that an 
institution with as much as prestige as the Mayo Clinic has, 
has done its darnedest to get the private agreement of 
individuals, which is the requirement of the Minnesota law. And 
the foundation for the excellence of medicine at the Mayo 
Clinic is the epidemiological studies in which they are now 
looking at a 3 percent hole in their information. Somebody 
might say, gee, 97 percent is pretty good. As most of know in 
terms of collecting data or doing research, it is not. It is a 
hole in the data that makes the data sometimes absolutely 
useless.
    Very concerned about the attempt to create a structure 
which in fact will expedite our inability to go where we need 
to go, especially in the area, for example, of medical errors.
    Let me give you just one example in terms of the rule that 
I have some concern about, because the proposed rule prohibits 
the disclosure of research information unrelated to treatment 
without an individual's authorization. Would you at least, 
since obviously you have a medical background and I do not, 
indicate to me that there are sometimes disagreements as to 
what information is or is not related to treatment? That a 
phrase, unrelated to treatment, is at least open to differing 
interpretation?
    Dr. Hamburg. To respond to the broad comment that you made 
about access to information for research, there are within the 
proposed regs clear issues raised about that, and an indication 
that there should be circumstances in which researchers can 
receive data about individual patients, but that there needs to 
be a process that is clearly defined and a set of standards 
that are met in terms of that information being made available 
and then how it is handled. Not all research requires patient 
identifiers with that information. So when you do not need to 
use patient identifiers, that clearly provides more patient 
protection.
    With respect to your question of is there a fuzziness 
around whether the information that would go to a researcher is 
relevant to treatment--
    Chairman Thomas. No, not relevant. Unrelated. Not relevant. 
Unrelated is the term that is used in the proposed reg.
    Dr. Hamburg. I am not completely sure that I understand 
your question. If you are asking whether it will have--
    Chairman Thomas. I will submit it in writing and you can 
have others who were more directly involved in writing it--
    This is the kind of dilemma that I would like to leave with 
you and then I will allow my colleague some questions. What 
would the department do--just as a for instance, what would the 
department do if a State passed a privacy law that enabled 
providers to withhold what you considered to be critical public 
health information? Now again, sometimes this information is in 
the eye of the beholder.
    Or for example, that enabled providers to frustrate a 
Federal anti-fraud investigation. Not related to public health 
but related to an anti-fraud investigation. Is it still the 
Administration's position that in these particular instances 
the sovereign would be able to go in and overturn the State law 
and overturn the State law and get the information they thought 
was important?
    Dr. Hamburg. I think the proposed rule makes clear that 
where there are existing laws that require certain information 
be made available, such as with respect to public health, that 
information would be made available.
    Chairman Thomas. No, the State passed a law saying it was 
not going to be provided. So you would go in and say, 
notwithstanding what you may assume to be a State right, we are 
going to say no in this area; is that what you said?
    Dr. Hamburg. For critical issues such as--
    Chairman Thomas. Who defines the critical issue?
    Dr. Hamburg.--public health would be--
    Chairman Thomas. Who defines the critical issue? Does not 
the sovereign, does not the Federal Government define it, as 
you have done in this regulation in preempting certain State 
laws that you thought did not reach a particular level 
associated with what you considered to be appropriate?
    Dr. Hamburg. We are, as I said, going to be reviewing all 
the comments that come in. The final reg is not established 
yet, but it is the clear intent as we move forward toward 
shaping that final regulation to ensure that such critical 
national security, national health protection needs are not 
inhibited--
    Chairman Thomas. And that is a good position to rally 
around, because national security health needs--but I also 
mentioned anti-fraud. Would you then push your ability to 
overturn State laws if in withholding information it inhibited 
the inspector general or others? Because this majority has 
passed more than 65 specific assistances in going after fraud 
and abuse which the Administration has rightly touted has 
produced more than $10 billion of savings over the last several 
years in using the tools that we have provided you in stopping 
fraud and abuse.
    But if a State passed, based upon the desire to withhold 
personal information, which may in fact conflict with your 
ability to get at anti-fraud, then would you not also want to 
move in that area in terms of preemption?
    Dr. Hamburg. I think it has been very clear that on the 
public responsibility side of this, public health as well as 
the fraud and abuse areas, certain law enforcement needs, et 
cetera, have to balanced against the other protections and we 
feel that is a critical component of what we are trying to 
achieve.
    Chairman Thomas. All I am saying is that clearly I could 
name any number of specific instances in which you would choose 
for the sovereign; that is, preempting the State. My argument 
is, that is a really slippery slope. Set up a structure and 
then have this conflict over a number of years over something 
as sensitive as patient medical records, and how they are 
handled. And the crazy quilt that your basic structure would 
produce across the country.
    Perhaps we ought to just face the issue--now this is a 
Republican talking about Federal preemption. We should just 
face the issue that it ought to be done in a way that gives us 
the maximum opportunity to afford uniform security protection, 
confidentiality. And that it ought to be a Federal preemption 
rather than your Federal floor over where today you think it is 
important to preempt State laws, but where tomorrow there is no 
question you will find you are put in a choice situation in 
which you choose to preempt State laws willy-nilly, which means 
you drive other States to pass laws based upon the reaction to 
the Federal move.
    I just think that direction is fraught with danger in 
providing a uniform appropriate data collection for research, 
for error correction, commensurate with protecting the 
individual's right to confidentiality on their medical records.
    The gentleman from Washington.
    Mr. McDermott. Thank you, Mr. Chairman. I want to address 
my questions both to you, Dr. Hamburg, and also Mr. Claxton, 
because I think you had something to do with the writing. You 
are not sitting there for no reason. So whichever of you feel 
is you are the best to answer the question I think it would be 
helpful.
    In response to--it is interesting to listen to the 
chairman. I do not often hear you suggesting Federal 
preemption, big Government. So it is always interesting to 
hear.
    Chairman Thomas. Uniform Government.
    Mr. McDermott. Yes. I am sorry. It may become big, right?
    Chairman Thomas. Uniform big is better than non-uniform 
big.
    Mr. McDermott. When the bill was written--
    Chairman Thomas. In the protection of individual rights.
    [Laughter.]
    Mr. McDermott. I did not interrupt you at all. I let you 
have your go here.
    The issue of the bill having been written giving you a 
Federal preemption, you wrote your regulation with that in 
mind. The Congress said you are to preempt State laws; is that 
correct?
    Dr. Hamburg. With respect to the--yes.
    Mr. McDermott. To the narrow areas that are covered by this 
regulation.
    I make that point because on the one hand we said, preempt 
State laws and then we tied your hands. We said, you cannot 
look at the whole area of privacy, you just have to look at 
this one little narrow area. Coming from having a background in 
a State legislature, I do not know how many times we had to 
adjust our laws to fit a Federal law. It was a constant part of 
being a State legislator was always making adjustments.
    So I think the chairman raises an issue, but the reason we 
are here on this issue at the national level is because it is 
not being done at the local level in a uniform way. I think 
there are only 28 States that allow patients to actually look 
at their own record. You have a legal right to look at your 
record. In many States you cannot go in and say, I want to see 
what is in my record.
    So it seems to me that is a big part of what you are trying 
to do here is to set a floor. Now the question is, how high you 
set the floor as to how much you are going to get in the State 
legislature. Is that your anticipation?
    Dr. Hamburg. I think that you have framed it exactly right.
    Mr. McDermott. Because I listen to this and I think to 
myself, there is a specific issue that, this business about why 
you went at the business partners the way you did. The law says 
that you can regulate health plans, providers, certain 
providers, and clearinghouses. And anybody who knows anything 
about the health care delivery system realizes there is a whole 
other series of entities out there that can use, have used for 
a variety of reasons, either for research or for marketing 
purposes, this data.
    Your job was--then they tied our hands with only three, how 
do we get at these things? That is the reason why you have the 
business partner section in there; is that correct?
    Dr. Hamburg. Absolutely. I think it also underscores one of 
the reasons why we fundamentally believe that while we have 
made a very good faith effort in trying to achieve privacy 
protections through this reg, that comprehensive national 
legislation will enable a much broader and more protective 
approach.
    Mr. McDermott. If you had not reached out through this 
indirect mechanism of saying that a health care provider or 
whatever, or a clearinghouse has to have a contract with their 
business partners about this issue, it essentially would be a 
loophole big enough to drive--I do not know, anything could fly 
through it, if I understand--
    Dr. Hamburg. I think that is right, and we would not want 
to undermine the public confidence in the protections we are 
trying to put forward for them by allowing surrogates of the 
covered entities to do exactly the kinds of things with their 
health information that we are trying to prohibit through the 
proposed reg.
    Now we certainly have heard a lot of concerns about how 
this concept of reaching to the business partners should be 
structured and we will be going over the comments very 
carefully and trying to think that through, because we 
recognize from important partners that this is an arena that 
raises concerns about additional burden, additional cost, 
additional liability, and we have to look at that carefully and 
take those concerns into consideration.
    But we do feel that we cannot simply put forward 
protections that would address the covered entities and not 
recognize that, as you say, the information goes out in many 
different directions. That we have a very complex health care 
system and many people are involved, and that our reg only 
formally has the power of enforcement and authority over a very 
circumscribed element.
    Mr. McDermott. Can I ask you a question that I was sitting 
here thinking about? If you have an HMO and you have all this 
data about your patients, this regulation would prohibit you 
from selling that in some kind of commercial means to health 
marketing or to wellness whatever or any other entity outside, 
would it not?
    Dr. Hamburg. Without specific patient authorization.
    Mr. McDermott. Now if you have a wholly owned subsidiary 
and you transfer it to them, can they then put it out?
    Dr. Hamburg. If it would be to be used for marketing and 
related activities it would still, even if it was another 
entity that was part of this umbrella covered entity, it would 
still require specific patient authorization for those 
purposes.
    Mr. McDermott. But if you spun off--because of the business 
partners question or is it because it is part of one entity?
    Dr. Hamburg. Any use for marketing would require the 
patient authorization.
    Mr. Claxton. In your case, because it is part of one 
entity.
    Mr. McDermott. I am sorry?
    Mr. Claxton. In your example it is because it is part of 
one entity.
    Mr. McDermott. Part of one entity.
    Mr. Claxton. If they spun it off--
    Mr. McDermott. Now if they spun it off and it is totally 
unrelated, has an arms-length relationship with the HMO, it is 
now our data marketing organization and we have created a new 
entity, Inc., then they have that information and they can do 
whatever they wish with it unless you have this contract 
between the HMO and this arms-length company--
    Dr. Hamburg. Correct.
    Mr. McDermott.--that is marketing the data; is that 
correct?
    Mr. Claxton. Assuming that the entity could have gotten it 
in the first place as a partner. If it is doing something on 
behalf of the HMO it could have gotten the information in the 
first place, and then you need the business partner 
relationship to continue to protect the information.
    Mr. McDermott. So they give this information to a survey 
company and they are doing work for the HMO, and that would be 
the relationship. Then whatever they did with it after that is 
their own business unless you have this contract.
    Dr. Hamburg. Correct.
    Mr. McDermott. That is why I think it is important that the 
way we wrote the law you had no other way to get at that 
relationship, if I understand correctly what you were trying to 
do.
    Dr. Hamburg. That is absolutely correct.
    Mr. McDermott. Now when you look at the whole question of 
assuring--
    Chairman Thomas. The gentleman's time has expired. We will 
move to the other members. If you want to go on for a second 
round, you can do that.
    Mr. McDermott. Thank you.
    Chairman Thomas. The gentleman from Pennsylvania wish to 
inquire?
    Mr. English. I do, Mr. Chairman, and I appreciate the 
opportunity. Secretary Hamburg, reviewing these regulations 
which I think address one of the more challenging issues we in 
Congress have to face this year I wonder, we can all agree on 
the need to prohibit disclosure of patient information as a 
central tenet of protecting confidentiality. It is obviously 
disclosure of information that patients are rightly concerned 
about.
    However, this rule, this proposed rule attempts to limit 
uses of information without individual authorization, even 
within a covered entity such as a hospital. Question, do you 
really believe that you know and have included all of the 
possible current and future appropriate uses of patient 
information? If this rule had been promulgated 15 years ago, 
could you have predicted all of the innovations that the 
delivery system has today?
    Dr. Hamburg. No. I think, first of all in formulating the 
reg we tried to think as carefully through all of the many 
ramifications as well as emerging potential issues. But it is a 
very complex issue, very multi-layered, and we are hoping 
through the comment period to broaden our thinking in the short 
term. In the long term, of course, things are so rapidly 
changing both in terms of how our health care delivery system 
is structured, the technology available to support that, and of 
course the application of new technologies and procedures and 
the implications raised.
    So I think that there is not going to be one set of privacy 
regs or one comprehensive piece of privacy legislation that 
will resolve all the issues now and in the future. But what we 
are trying to do is really put forward a framework for 
addressing the problems. But we are going to have a dynamic 
process.
    Mr. English. I understand, but that is the rub. Would it 
not be more workable to focus the regulation on disclosure of 
patient information and not attempt to regulate use, 
particularly within a covered entity?
    Dr. Hamburg. I think the two are hand in hand. What we are 
trying to define are the circumstances, how information within 
a covered entity can be appropriately used and the protections 
that should apply. Then also there are needs for others outside 
of that covered entity to access that information and then to 
clearly define the circumstances under which that will occur 
and the responsibility on those outside entities or individuals 
in terms of how they appropriately handle the information.
    Mr. English. I would like to get your reaction to some 
general comments that were sent to Secretary Shalala by 
Pennsylvania's department of health. They put forward the 
following recommendation. Even though the intent of the 
regulation is clear concerning what information is allowed to 
be released absent individual authorization, DOH is concerned 
that covered entities may react to the regulations by 
overprotecting information; i.e., not releasing information to 
a public health entity for one of more of the above purposes.
    This would undermine the intent of the regulations as well 
as core public health functions. DOH will engage in public 
education efforts and request that HHS take similar steps to 
make sure the intent of the regulations is conveyed.
    Are you prepared to do that kind of a public education 
effort?
    Dr. Hamburg. I can assure you that the concerns raised by 
the Pennsylvania Department of Health will be looked at very 
seriously. On a very personal basis, I was New York City's 
health commissioner for six years prior to taking this job. 
Many of the issues they raise are very close to my heart and I 
have seen it from the other side. So we will be working 
intensively during this comment review period to look at all of 
the comments that come in and to address the concerns. But I 
can assure you that the issues that surround the issues of 
public health information will get a serious look.
    Mr. English. I take that as a very important commitment.
    One other recommendation they made, they recommend that HHS 
should indicate, perhaps in the preamble to the regulation, 
that agencies receiving information for the above--that is 
public health function purposes--remain bound by existing State 
laws which govern the use of such information. Do you agree 
with that and are you prepared to respond?
    Dr. Hamburg. I would like to be able to look at the comment 
before responding in this forum.
    Mr. English. Very good. My time has expired, Mr. Chairman, 
and I will hopefully get another shot. Thank you.
    Chairman Thomas. Thank the gentleman. Although he is not 
now a member of the subcommittee--his party rules preclude him 
from doing that--I know his heart is always with us, and it is 
a pleasure to see the body and mind attached with the heart 
today. So the gentleman from Maryland, if he wishes to inquire.
    Mr. Cardin. Thank you, Mr. Chairman. I thank you for the 
courtesy of allowing me to sit in on this panel. This is a very 
difficult subject. Secretary Hamburg, I applaud your efforts 
considering the legislative authority that we gave you. It is 
difficult to do. And considering the amount of public comment 
that you have received, you are finding out exactly how much 
interest there is out there and how many people have their own 
ideas on how they could draft privacy legislation as it relates 
to medical records.
    One thing I think is clear, Mr. Chairman, and that is, we 
need a bill. It is wonderful that HHS must go forward with a 
regulation that is required under law. But ultimately, it is 
going to be important I think for Congress to pass the 
framework for medical privacy, and to do it in a more 
comprehensive way then you are allowed to do under the 
regulation that has been submitted to you. Mr. Chairman, I do 
want to applaud your efforts to try to bring out a bill on a 
bipartisan basis because I think the only way we can do this is 
in a bipartisan way. It is a very sensitive issue to all of our 
constituents and it cries out for us to get it done right.
    I also want to talk just one minute, if I might, about this 
idea of a Federal floor and people concerned about preemption, 
or whether we preempt or whatever. I think that is the wrong 
way to really look at this. We need national standards as to 
how medical records should be kept so that we protect the 
identity of individuals. That should be a national standard. 
There should be no question about that.
    The States are clearly going to be involved. There is 
public health issues. There are public safety issues, and we 
need to make sure the States have the ability to protect their 
citizens where it is appropriate. But we also need to have 
national standards as to when identifiable information can be 
made available for research, or when it can be made available 
for payment, or for treatment. I think that is what we are 
trying to get at, the right balance.
    So the question I have for you, Secretary Hamburg, is that 
one of the issues that we are having a great deal of difficulty 
is, how do you enforce whatever standards we come up with? How 
have you done that in your regulations and how do you think is 
the best way for us to make sure that these standards, whatever 
standards are developed, that all parties that are affected by 
it comply with the standards? And how do you go about making 
sure that becomes reality?
    Dr. Hamburg. There are a set of enforcement standards that 
I believe were given to us through the HIPAA statute in terms 
of our opportunities for enforcement. And that is one of our 
concerns, one of the reasons why we feel that in fact national 
legislation would provide benefits that we cannot achieve 
through the reg process. There are both civil and criminal 
penalties that can be applied, but in truth, the enforcement 
teeth we do not feel are fully adequate.
    Mr. Cardin. So will you be coming forward to us with 
recommendations as to legislative changes as it relates to 
enforcement?
    Dr. Hamburg. We are hoping to be working closely with you 
to develop national privacy protection legislation, and within 
that context addressing the issue of enforcement.
    Mr. Cardin. But you have no specific recommendation at this 
time?
    Mr. Claxton. The Secretary's recommendations in 1997 
suggested that we thought there should be civil money penalties 
for violations criminal penalties for knowing and wrongful 
conduct. And that there should also be private right of action 
to address the rights of individual whose privacy rights were 
violated and who suffer damages.
    Mr. Cardin. This should all be Federal, or not?
    Mr. Claxton. We thought Federal law should have that in 
place, yes.
    Mr. Cardin. How does that relate to State enforcement?
    Mr. Claxton. States would have their own penalties if they 
had laws. We have not commented on the level of State penalties 
that should exist as far as I know. We have had some 
discussions with respect to specific issues such as HIV 
reporting, but nothing broad.
    Mr. Cardin. I take it an awful lot depends on the 
standards. I know I am asking a difficult question, but I think 
it is important as we get into this discussion to make sure 
that whatever system we have come up with is one that there is 
effective enforcement on so that we can in fact tell our 
constituents that we are not only telling in law the standards 
that protect their medical privacy but that it can be enforced.
    Thank you, Mr. Chairman.
    Chairman Thomas. Thank the gentleman. I find it ironic that 
your goal for Federal legislation is to make sure that you have 
uniform penalties to go after these people, but the standards, 
the collection of data, the flow of data, the uses of the data 
above whatever minimum structure you are talking about would 
not be afforded the same level of concern. The gentleman uses 
the term standards and I have no quarrel with that as long as 
they are high enough that in essence they produce a preemption 
for uniformity.
    My goal is to get your folks to look at the need for 
standardization on the other side of the ledger as to how you 
deal with this information and not just the side of the ledger 
that makes sure that when people do make mistakes in confusing 
crazy quilt structures of not only all the States and the 
Federal, but that you can wham them with a real good, uniform 
penalty. I think it has to be evenhanded on both sides or you 
do not get the uniform hammer if you do not provide the uniform 
standard codes and procedures.
    Dr. Hamburg. I can assure you we have heard your message 
and we understand the rationale that you are putting forward. I 
think it would be unfair to characterize our position as that 
we only are interested on the enforcement side for national 
standards. We very much support your leadership and that of 
your colleagues in terms of pushing for national legislation 
that will provide a very firm standard both for how data is 
utilized, but also how when there are transgressions in terms 
of appropriate use, we can enforce appropriate behavior.
    Chairman Thomas. My goal is to create a situation in which 
my friend Ben Cardin and I present to you a proposal that you 
cannot refuse.
    The gentleman from Washington.
    Mr. McDermott. Mr. Chairman, thank you. I want to clarify 
something because in listening to the chairman's questions at 
one point it sounded as though States could erect barriers 
against legitimate national purposes, and my understanding is 
that your regulation clearly makes Federal preemption in key 
national priority areas, including oversight and research and 
public health, that these are areas where the Federal 
Government is preeminent in those issues. Is that correct, that 
they can override a lesser State or an obstructive State issue?
    Mr. Claxton. In the case where there is already a 
requirement under Federal law to allow access or make reporting 
there is nothing in the regulation which would resurrect a 
State barrier to a Federal law.
    Mr. McDermott. So the States could not use regulation in 
some way that they could get around the Federal regulation?
    Mr. Claxton. No. For example, there is nothing about our 
regulation that makes a State law applicable to an ERISA plan, 
because they already have Federal preemption.
    Mr. McDermott. So you are saying that the purpose of the 
Congress; that is, looking at fraud and other medical errors 
and so forth, no State could pass a law that would prevent us 
from getting the information to do those kinds of researches?
    Mr. Claxton. As long as the Federal priority was manifested 
through a requirement on a provider. If a provider has a choice 
now, the State law could affect that provider's choice. But the 
provider in that case would not have had to comply with the 
Federal request anyway.
    Mr. McDermott. Now there is another area where it seems to 
me that there is a lot of uncertainty, this whole business of 
the pharmacy benefit managers, and pharmacy programs, and 
disease management. These are programs that are new. I mean, 
they have been going for the last four or five, or maybe eight 
or nine years, and they gather enormous data about what people 
are taking in this country. Therefore, you could extrapolate 
what their disease may be. A lot of people are concerned about 
their ability to have that data and use it in a variety of 
ways.
    Tell me what you did here, and did you consider making it a 
requirement that before these entities could use this 
information they had to have a check-off from the patient that 
they wanted to be given mailings about X, Y, or Z? If you have 
diabetes, the pharmacy knows that you have diabetes. Now you 
then are subject to having that spread all over the place for 
whatever anybody can think of that they ought to be doing for 
you. Did you consider putting a restriction or a requirement 
for a positive, I want to get further information?
    Dr. Hamburg. With respect to the issues you raise, again we 
are getting lots of comments, different interpretations, people 
mean different things when they say disease management 
programs, for example, so that there is going to be a lot of 
sorting out. But as long as within a covered entity information 
is being used as part of the ongoing care and treatment of that 
individual it does not require a specific patient 
authorization. If it is being used to send out mailings to 
market new drugs, et cetera, that would be an inappropriate 
use.
    Mr. McDermott. And that is for medical devices and 
everything else? Anything anybody would use that for a 
marketing tool, it is prevented unless there is a specific--
    Mr. Claxton. What you said is right. I think the difficult 
issue is trying to address a situation where a provider is 
rightfully trying to make his or her patient aware of new 
information or new products that might be beneficial to that 
patient and where they are actually engaged in marketing where 
the provider is relatively indifferent but just saying, here is 
someone who might be interested. Those are hard lines to draw. 
We are going to look at the comments and do our best.
    But the distinction between disease management and 
marketing is not clear every time, but it is I think something 
people feel very strongly about being able to distinguish. It 
might be that the physician has a fairly key role to play in 
that and we have heard from various sides on this and expect to 
hear a lot more.
    Mr. McDermott. If the contract that the HHS wants between 
the covered entities and the contractual ones, the business 
partners, is that possible to handle that by having a standard 
contract that you people would draw up and put out there so 
that each one of the partners or each one of the entities 
covered would have in hand something to hand to a business 
partner and say, sign this?
    Dr. Hamburg. I think that there are so many differing types 
of partners and the requirements in terms of the working 
business relationship involve different kinds of elements--not 
all the business partners are doing the exact same things--that 
it is unlikely that we would develop standard model contract 
language. We could certainly identify the critical elements of 
understanding about how data would be handled, and the 
expectations should be explicit and will be.
    We are certainly open to examining the question, but I 
think model contract language would not be the primary approach 
because they are not cookie cutter kinds of relationships where 
one size fits all. But understanding the elements that need to 
be included should be explicitly defined.
    Mr. McDermott. Thank you, Mr. Chairman.
    Chairman Thomas. The gentleman from Pennsylvania with to 
further inquire?
    Mr. English. Yes, thank you, Mr. Chairman. Secretary 
Hamburg, within your proposed regulation, Section 160.204 
outlines the process for requesting exception determinations, 
and subsection A.1 outlines the process by which a State may 
request an exception for a particular State law. Our State 
department of health has characterized this process as 
particularly burdensome given the multiple confidentiality laws 
that exist in Pennsylvania.
    I am not as familiar with what other States have, but for 
Pennsylvania this section would require multiple requests for 
exception. They argue, the department of health argues that 
request for exception should be required only when a challenge 
is brought against a particular State law. The presumption 
should lie with State laws.
    What was your philosophy in crafting this provision, and 
how do you assess the merits of the department of health's 
argument?
    Dr. Hamburg. I think I will ask Mr. Claxton to address that 
as he was intimately involved--
    Mr. English. Mr. Claxton?
    Mr. Claxton. Thank you. The HIPAA itself sets forth certain 
areas where State law--where the Secretary has to make a 
determination whether or not certain State laws are in 
conflict. We tried to carry out that section as it was in 
HIPAA. We have gotten a fair number of inquiries about this and 
tried to clarify it and we are going to look at the comments. 
To some large extent I think we are constrained by what the 
statute says, which is that the Secretary can make a 
determination with respect to State laws in certain areas.
    Mr. English. I will accept that and I would appreciate any 
further response you might want to provide in writing.
    Mr. Claxton. Certainly.
    Mr. English. Subsection A.4 limits the length of time for 
an exception to three years explicitly. I would question why it 
would be necessary, if there has been no change in State law, 
to require States to reapply for exceptions. Do you have a 
policy reason for doing that?
    Mr. Claxton. I do not recall why that is there. We will be 
happy to respond in writing.
    Mr. English. If you would be willing, I would appreciate a 
response in writing on that point as well.
    Finally, Dr. Hamburg, in HIPAA the Secretary was instructed 
to promulgate regulations that are ``consistent with the goals 
of improving the operation of the health care system and 
reducing administrative costs.'' Several of the department's 
provisions significantly increase the amount of administrative 
procedures for covered entities.
    For example, requiring the review of each protected health 
information request in order to ensure that ``minimum necessary 
standard'', requiring significant allocation of resources to 
contract with and monitor business partners. Do you not think 
that these requirements would significantly increase the 
administrative burden for health care organizations, and is 
there a better way to do this?
    Dr. Hamburg. I think in shaping the proposed reg we have 
tried very hard to balance what systems need to be put in place 
to afford appropriate protection with trying to avoid undue 
burden. As we have looked at some of the elements that you 
referred to, our sense is that while it would add in some cases 
additional administrative activities and some new burden, that 
in fact in terms of overall costs our estimates suggest it 
would be less than one-tenth of 1 percent of overall spending 
for health care when you break it down on a per-patient basis. 
It really is not an overwhelming additional cost.
    You have to think about it in terms of the additional 
benefits that would accrue in terms of improving quality of 
care, reducing the likelihood that individuals would not seek 
appropriate medical evaluation and treatment because of fears 
of their important, sensitive health information being misused. 
So it is a very difficult balancing act.
    One of the things that we are going to look at very 
carefully as we review the comments are the inputs that have 
come in concerning this issue because we want this to be 
workable. It is a balancing act and it is very complicated, as 
we all recognize, but it is an area of major focus and concern 
and it will be reflected in--
    Mr. English. And I very much appreciate that. Let me say, I 
am very sensitive to the enormous paperwork burden we are 
already putting on health care organizations which is 
distorting some of their decisions and having an indirect and 
sometimes hidden insidious effect on the quality of health care 
in this country. So if there is a way of reducing that 
paperwork burden as you put forward these regulations I think 
we should be sensitive to that as well.
    Thank you, Mr. Chairman, and I appreciate the opportunity 
to inquire.
    Chairman Thomas. Thank the gentleman. As I stated earlier, 
any written questions that any members want to submit, we will 
leave it open till the close of business because there may be 
additional questions that need to be asked. In listening to the 
gentleman's questions, a number of individuals would be envious 
of your ability to inquire on behalf of the State of 
Pennsylvania because if this goes into effect I am quite sure 
there are a number of individuals who would love to ask, which 
is stricter, the Federal or the State, and create some degree 
of comfort that they are doing the right thing. When I realized 
that the outer edges of this is ultimately is going to be 
enforced by trial lawyers, it should give us all pause.
    Thank you very much. Good luck in firming it up. I hope we 
see a product prior to the ongoing, and counting, seven years 
of attempting to write a final regulation for Stark II. You are 
going to need all the help you can get. Thank you very much, 
Dr. Hamburg, Mr. Claxton.
    Dr. Hamburg. Thank you.
    Chairman Thomas. The next panel, which I guess on an issue 
like this could extend for row after row after row of witnesses 
who believe they are going to be impacted by this regulation, 
and obviously our inability to accommodate it, I do believe 
that we have got a pretty good cross-section with this panel. 
We have Dr. William Plested who is a member of the board of 
trustees of the American Medical Association, obviously an 
interested party; Ms. Alissa Fox, executive director for 
legislative policy, Blue Cross-Blue Shield; Janlori Goldman, 
director of the health privacy project, Institute for Health 
Care Research and Policy at Georgetown University; Mary Grealy, 
president, Healthcare Leadership Council, a consortium of a 
number of interested partes; and then Dr. Stephen Ober, who is 
president and chief executive officer of Synergy from Waltham, 
Massachusetts who is an active player in the transmission of 
data and who had quite interesting testimony.
    Dr. Plested, we will just start with you and then move 
across the panel. Your written testimony will be made a part of 
the record and you can address us in the time that you have, 
which will be five minutes, to give us any flavor of your 
concern, interest, passion, et cetera.

 STATEMENT OF WILLIAM G. PLESTED, III, M.D., MEMBER, BOARD OF 
             TRUSTEES, AMERICAN MEDICAL ASSOCIATION

    Dr. Plested. Mr. Chairman and members of the committee, my 
name is Dr. Bill Plested. I am a practicing vascular surgeon 
from Santa Monica, California, and a member of the AMA Board of 
Trustees. It is an honor to appear before your committee again.
    Thank you for inviting the AMA to speak to you today on an 
issue of overwhelming importance, not only to physicians, but 
to every person who finds him or herself as a patient. That is, 
protecting the confidence and trust that patients place in us.
    Trust is the foundation of the patient/physician 
relationship. My patients assume that the private information 
they discuss with me will be used to benefit them, not to 
benefit anyone else who may find a way to profit from their 
personal information.
    Frankly, we see signs that patient records are becoming 
items of commerce. With many groups clamoring for unfettered 
access to fulfill some alleged compelling need. But perceived 
need is not a right.
    Let me emphasize that, a need is not a right.
    Every business, every company, every government body that 
wants patients private information must be required to make its 
case to the American people as to why its professed need should 
override people's most basic right to keep their medical 
information private. This is AMA policy, and this is the 
approach that we have adopted in our comment letter to the 
Secretary of Health and Human Services, in response to her 
proposed rule on patient privacy.
    First, we are concerned about access to patient records 
without patient's consent, usually without their knowledge. If 
medical records were stored in our homes, we would have all 
kinds of protections, the Fourth Amendment or civil and 
criminal laws, to keep others from getting and using our 
information without our permission. Today, patients are forced 
to share private medical information in order to get the very 
help that they need. In doing so, they are vulnerable to 
exploitation by unrelated third parties looking simply for 
profit.
    Physicians are unable to stem this tide. We think the 
Secretary's regulation makes this situation worse and this is 
unacceptable.
    The Secretary identifies a series of ``national 
priorities'' where patients' private medical information would 
be used without their consent. In fact, most of these can be 
accomplished using de-identified or aggregate information.
    If some information must be individually identified, the 
first question we should ask should be why not get the 
patient's consent? Are we concerned that a truly informed 
patient would not give his or her consent? This should 
certainly give us pause.
    On the other hand, if it is not feasible to obtain consent, 
there should be an objective, accountable way to make this 
decision for the patient who is unable to do so. If someone 
wanted access to your medical information, would you not want 
to know why do they need to know who I am? Do they truly need 
information linked to my name? What is the alleged benefit and 
who stands to profit by getting personal information? What risk 
am I exposed to if such information is disclosed? What kind of 
security measures are in place to protect my records and make 
sure that people use them in the way they said they would or 
that unauthorized people do not have access?
    Such a system already exists in Federally funded research 
programs. The Secretary's proposed rule would expand such an 
evaluation to all research, regardless of who is funding this, 
and this is good. But it needs to be expanded. So-called health 
care operations that do not benefit a specific patient require 
especially close scrutiny.
    Second, we must comment on the irony that all these new 
administrative burdens and documentation requirements proposed 
by the Secretary are the result of so-called administrative 
simplification. The physicians of America are buried in paper 
with less and less time to spend with our patients. We object 
in the strongest terms to the bureaucratic school of thought 
reflected yet again by the Secretary's proposal that requires 
extensive and repetitive documentation. This kind of redundant 
paperwork requirement is for the ease of bureaucrats, not for 
physicians, and certainly not for patients.
    This burden would be especially difficult for smaller sized 
physicians' offices. These paperwork and administrative 
requirements need to be completely rethought and, if they are 
implemented at all, they should have a more realistic and 
flexible information approach for all physicians' offices.
    Let me sum up by getting back to our basic point. The 
patient/physician relationship is all about trust. It must be 
fiercely protected. Privacy is a precious right. Once it is 
lost, it can never be retrieved. We must remain focused on the 
patient as our first concern in any Federal approach to medical 
records privacy and confidentiality.
    Thank you again for the opportunity to present the AMA's 
viewpoint today.
    [The prepared statement follows:]

Statement of William G. Plested, III, M.D., Member, Board of Trustees, 
American Medical Association

    The American Medical Association (AMA), representing 
approximately 300,000 physicians and medical student members, 
appreciates the opportunity to submit testimony to the Health 
Subcommittee of the Ways and Means Committee regarding an issue 
central to the patient-physician relationship: protecting 
patient confidentiality. We particularly appreciate the chance 
to share with you our concerns regarding the Secretary of 
Health and Human Services' (HHS) proposed rule on patient 
privacy, for which public comments are due today (``Proposed 
Standards for Privacy of Individually Identifiable Health 
Information,'' 45 CFR Parts 160 through 164, 64 Fed. Reg. 59917 
(November 3, 1999)).
    Personal health information is used by various entities in 
the health care delivery system, including hospitals and health 
plans, for purposes beyond direct treatment planning and claims 
payment. Each of these entities argues it needs patient-
identifiable health information to achieve its legitimate 
objective; most believe they do not need explicit patient 
consent to receive and use such information. That philosophy is 
reflected in the Secretary's proposed rule and preamble. It is 
a philosophy rejected by the AMA.
    The AMA has consistently maintained that an expressed 
``need'' for information does not confer a right. Patient 
consent continues to be a critical consideration in the use and 
disclosure of personally identifiable health information. 
Consistent with AMA's baseline philosophy regarding individual 
privacy rights, informed consent should be obtained, where 
possible, before personally identifiable health information is 
used for any purpose. However, this is clearly not practical or 
even possible in some instances. In those situations in which 
patient consent is not feasible, either (a) the information 
should have identifying information stripped from it or (b) an 
objective, publicly-accountable entity must conclude that 
patient consent is not required after weighing the risks and 
benefits of the proposed use. A local review board system has 
already been adopted successfully by several parties to the 
health care system, including physicians, some researchers, a 
few health plans, and others.
    Some parties may reject this principle as too deferential 
to patients' rights at the expense of administrative 
feasibility. The AMA believes that this approach properly 
balances the interests at stake. Furthermore, it is the right 
thing to do. At a time when the American public is looking to 
its leaders for a strong stand on patients' rights, any other 
policy fails patients, their families and their caregivers.
    The AMA cannot support the proposed HHS regulation on 
patient privacy in its current form. The complexity of the 
task, compounded by the inherent restrictions under the Health 
Insurance Portability and Accountability Act's (HIPAA) limited 
grant of regulatory authority, have resulted in a proposed 
regulation that does not adequately protect patient 
confidentiality and privacy and that substantially and 
unacceptably increases administrative burdens for physicians.

    The AMA's overarching concerns are as follows:

     that patients' confidential information could be 
disclosed without their consent for a broad array of purposes 
unrelated to the patient's individual treatment or payment and 
extending far beyond the necessary disclosures and uses 
patients would expect when they seek health care;
     that many holders of patient information who may 
misuse such information would not be held accountable under the 
proposed regulation, despite attempts to bring them within 
regulatory reach by compelling physicians and other covered 
entities to, in effect, ``police'' them;
     that physicians will be held liable for the 
uncontrollable misdeeds of their ``business partners,'' 
although the physicians themselves are in compliance with the 
regulation's provisions;
     that the administrative burden and costs of 
implementing the proposed regulation have not been adequately 
calculated, and would have a disproportionate impact on small 
physician offices; and
     that the proposed rule contradicts the intention 
of its legislative directive under HIPAA to ``simplify'' health 
care administration and reduce costs, and does not improve 
patients' expectation of privacy in the health care system.

Applicability

    The proposed regulation does not cover a broad spectrum of 
entities that are positioned to disclose and misuse 
confidential patient information. The AMA finds unacceptable 
the Secretary's attempt to ``fill the gap'' in its legislative 
authority by requiring physicians and other health care 
practitioners to, in effect, ``police'' others who should be 
held accountable. Such a proposal is not only inherently 
unfair, it is also ineffective insofar as patients may be left 
without any recourse against a party who wrongfully discloses 
or misuses their confidential medical information.

General rules

    The proposed regulation seemingly is more concerned with 
facilitating the ease of information flow for the broadly 
defined purposes of treatment, payment, and health care 
operations than it is with protecting patients' confidentiality 
and privacy interests. AMA's policy states that ``[c]onflicts 
between a patient's right to privacy and a third party's need 
to know should be resolved in favor of patient privacy.'' In 
the AMA's view, the general rule should begin with preserving 
confidentiality and privacy and allowing disclosure only when 
it is ethically and legally justified.
    Scalability--The AMA applauds the Secretary's recognition 
that a ``single approach to implementation of these 
requirements would be neither economically feasible nor 
effective in safeguarding health information privacy.'' Though 
we appreciate the flexibility physicians and other health care 
practitioners will be accorded in implementing this proposed 
regulation, we are concerned that a lack of clear guidance 
inevitably will lead to costly disputes about compliance.
    Minimum necessary use and disclosure--We agree with the 
Secretary's goal of precluding wholesale transfers of complete 
medical records when only a small portion is pertinent to the 
patient's current treatment, but believe the proposed rule's 
solution may be unworkable. In crafting a solution to the 
question of limiting disclosures, we recommend a requirement 
for requesters to make the ``minimum necessary demand.'' While 
physicians could certainly engage the requester in a dialogue 
regarding what specific information might be needed in any 
given instance, the liability would be on the requester for 
seeking prohibited information, rather than on the physician 
for not adequately divining the motivations of the requester.
    Creation of De-Identified Information--The AMA favors any 
provisions of the rule that would have the effect of creating 
incentives to ``de-identify'' medical information. However, we 
believe the proposed rule would actually create a disincentive 
to de-identify information. We recommend revising the list of 
``identifiers'' to be removed from the medical record, combined 
with an explicit prohibition against ``linking'' or re-
identifying without authorization. This will provide entities 
with a greater incentive to de-identify information, while 
holding wrongdoers properly accountable.
    Business partners--The AMA strongly objects to the proposed 
rule's approach of holding physicians and other covered 
entities responsible for certain violations of the rule's 
requirements by their business partners. As a matter of 
fairness, the proposal fails. A physician group, for example, 
could be subject to the full weight of enforcement and 
sanctions under the regulation for prohibited activity by its 
business partners, even if the group had no knowledge or 
control over the practices of its business partner. The AMA 
objects to these provisions because they present the potential 
for significant liability for physicians who, themselves, are 
complying with the regulation's requirements.
    Component entities--We believe the proposed regulation 
should be modified to expressly recognize the necessity of 
firewalls within businesses or entities that provide health 
care as a non-core function. Examples might be school health 
clinics, on-site employee health services offered by businesses 
or, employers who operate self-funded health plans for their 
employees. We are particularly concerned about this last 
category; public polling indicates that people are deeply 
concerned that their employers are inappropriately accessing 
their private medical information. Our key concern in these 
instances is in assuring that firewalls exist between the 
health provider function and all other elements of the entity.

Uses and disclosures with individual authorization

    The AMA strongly supports a requirement for an individual's 
authorization for most uses of his or her identifiable health 
information. The Secretary notes, and the AMA agrees, that 
individuals generally do not recognize that their information 
may be used for a multitude of purposes beyond their individual 
care and payment for that care. This fact underlies the AMA's 
advocacy for a consent requirement for most uses of an 
individual's private health information.
    We strongly object to the provision that would prohibit 
physicians from seeking their patients' authorization for 
treatment, payment or health care operations. This provision 
flies in the face of medical ethics and directly contradicts 
the Secretary's expressed intent in the preamble, and should be 
deleted from the rule.

Uses and disclosures for treatment, payment and health care 
operations without patient authorization

    The AMA questions the Secretary's rationale for choosing to 
construe the terms ``treatment'' and ``payment'' so broadly. 
The definition of ``treatment,'' for example, would include 
cost containment mechanisms such as case and disease management 
that go to managing the costs of populations, rather than the 
health care of an individual.
    Patients reasonably expect that the treatment rendered by 
their physician will be revealed to their health plan or other 
insurer to pay the claim for benefits. However, patients do not 
expect, nor do they welcome, unauthorized access to health 
information disclosed in the context of a confidential 
relationship for the wide range of purposes HHS believes to be 
somehow ``compatible with and directly related'' to treatment 
or payment.
    The AMA strongly opposes any ``disease management'' 
language in the proposed rule that is not qualified by 
requiring the coordination and cooperation of the individual's 
physician. Patients should have the right to consent to-or 
refuse-participation in disease management programs offered by 
providers and plans.
    The diversity of proposed uses for information advocated by 
various groups illustrates the inherent difficulty in 
addressing these evolving functions within any static 
legislative or regulatory definition. We recommend application 
of the controlling rule iterated throughout AMA's comment 
letter: informed consent should be obtained before personally 
identifiable health information is used for any purpose. For 
those many functions or circumstances for which patient consent 
is not feasible, the information would either have to be de-
identified to be used, or the decision regarding its use 
without patient consent would be made by an objective, 
publicly-accountable process that weighs the risks against the 
benefits of the proposed use. This should apply to all 
operational uses of personally identifiable health information 
that do not go directly to the individual's specific care, as 
well as research projects that fall outside the purview of an 
IRB process.
    Right to restrict--We believe the ``right to request 
restriction'' is an unworkable ``consolation prize'' for 
patients who have had their right to consent taken away from 
them by government fiat. In addition to its ethical flaws, we 
believe that offering a right to restrict presents the 
potential to drive a wedge between patients who want to impose 
further restrictions and providers who cannot agree to such 
arrangements due to the overwhelming administrative burdens and 
potential liability that such individual arrangements would 
entail.

Permissible uses and disclosures for purposes other than 
treatment, payment and health care operations

    The preamble notes that certain ``national priority'' 
activities, as well as the ``smooth functioning of the health 
care system,'' require the extensive use of individually 
identifiable health information. The AMA believes that the 
proposed rule weighs far too heavily in favor of those who seek 
access to patients' private medical information (often the 
government), with inadequate deference paid to patients' 
fundamental right of privacy.
    Public health--While mindful that we should not create 
unduly restrictive barriers for public health researchers to 
access information, the AMA believes that epidemiologic 
research on public health and problems should be guided by the 
same principles for, and safeguards on, privacy and 
confidentiality that apply to all other medical research. These 
breaches in confidentiality for a public health purpose are no 
different from any other breach of a patient's confidentiality 
that benefits others beside the patient, barring imminent 
public health emergencies.
    Health oversight agencies--The AMA agrees with the 
Secretary that, generally, oversight activities are important 
to support national priorities; however, we believe that a 
majority of these activities could be conducted in a manner 
that is less intrusive and more sensitive to the need to 
protect confidential patient information. We believe that the 
definition's sweeping inclusion of virtually all government 
agencies that may have any connection, albeit remote, to health 
care may result in widespread fishing expeditions for 
confidential patient information. Even more troubling, is that 
the proposed regulation promotes such access knowing that there 
are few safeguards in place to protect against the government's 
wrongful disclosure or use.
    The AMA strenuously objects to the seemingly unfettered and 
unauthorized access governmental agencies will be accorded 
under the proposed regulation as it is currently drafted. We 
recommend that if identifiable information is used, it should 
be accompanied by a limitation on further uses or access by 
other entities. Our chief concern here is that access by health 
oversight agencies does not become a ``backdoor'' for law 
enforcement access.
    Judicial and Administrative Proceedings--While the AMA 
supports the general provisions of this section, we recommend 
strengthening the language to increase objectivity and to limit 
subsequent unauthorized use and re-disclosure. An order by a 
court or administrative law judge provides some opportunity for 
an objective screening mechanism to balance the interests at 
stake in the proceeding, and should be required for all access 
in judicial and administrative proceedings.
    Law Enforcement--The AMA believes strongly that the 
requesting law enforcement entity should be allowed access to 
medical records only through a court order. Our position is 
that a strong legal standard, accompanied by a set of 
parameters on need and use, is essential to protecting not only 
personal medical information, but the confidence of citizens in 
their government.
    This is not an abstract concern. Physicians and their 
patients have repeatedly experienced the intrusion of law 
enforcement into patients' personal medical information when no 
need for identifiable information is established and no 
protections are provided. The unfortunate result is less -
rather than greater-confidence in the law enforcement and 
judicial systems of this country.
    Governmental Health Data Systems--The AMA strongly objects 
to the troubling premise seemingly underlying the entire 
proposed rule, and particularly evident here, that government 
oversight of the efficiency and effectiveness of the health 
care ``system'' is somehow a more compelling national priority 
than protecting individual citizens' right to privacy. We 
cannot agree with reasoning wherein the federal government 
appears to value even marginal increments of administrative 
efficiency over the basic rights of individuals to protect the 
privacy of their own health information.
    The AMA sees no reason why government's research and policy 
analysis purposes could not be fulfilled using de-identified 
individual or aggregate information. Further, if the government 
believes it requires individually identifiable health 
information for its particular purpose, it should be required 
to obtain the individual's consent for such disclosure and use, 
or to justify the value of the proposed project and the reasons 
why obtaining consent is impracticable or impossible.
    Research--The AMA strongly supports the extension of the 
Common Rule to all entities conducting human subject research, 
regardless of their federal nexus, and applauds the Secretary's 
efforts in this important area. We agree with the Secretary's 
conclusion that the nexus of federal funding is irrelevant in 
deciding the question of whether human research subjects should 
be protected. As a matter of public policy, individuals should 
be protected if they or their information are the subject of 
health-related research. The source of the funding should not 
result in different levels of protection.

Individual rights

    The AMA supports the rights of individual to access their 
medical records, subject to limited exceptions, which is the 
approach adopted by the Secretary. We believe that the physical 
record and notes made in treating the patient belong to the 
physician; however, the information contained in the record is 
the patient's. Thus, certain rights should attach for both the 
patient and the physician.

Administrative requirements and policy development and 
documentation

    This provision sets out an extensive series of 
administrative requirements that physicians and other covered 
entities would have to incorporate into their practice or 
business. The AMA has significant concerns about the 
substantial administrative and financial burdens this might 
place on physician practices, particularly those smaller 
practices whose administrative personnel are already stretched 
to the limit with various governmental and health plan 
requirements.
    The AMA objects in the strongest terms to the school of 
bureaucratic thought that requires documentation that one is 
going to do something, followed by documentation that one is 
doing that same thing, and then requires documentation that the 
same thing has been done. Physicians and their office staffs 
are absolutely overwhelmed by current paperwork requirements 
generated by well-intended, but poorly thought out, 
regulations. Such redundant documentation requirements are for 
the administrative ease of compliance officers--not for 
physicians and certainly not for patients. Masses of 
documentation allow compliance officers to push their familiar 
paper and quibble over parenthetical clauses rather than to 
really investigate to see when a true wrong has been committed.
    The AMA recommends that the paperwork and documentation 
elements of the proposed rule be withdrawn completely and 
rethought with a more realistic and flexible implementation 
approach for smaller physician offices. After all, is the goal 
to actually protect patient privacy, or is it to create paper 
saying that we do?
    Physicians and other licensed health care professionals 
already use an array of administrative tools to honor existing 
ethical and legal obligations to keep patient information 
confidential. We believe that a prudent implementation of the 
proposed rule's administrative requirements would permit these 
covered entities to modify these existing tools, rather than 
requiring them to ``reinvent the wheel.'' The corporate 
entities that currently do little or nothing to protect patient 
privacy are those that the proposed regulation should highlight 
for additional administrative protections. In addition, we 
believe that the Secretary has not adequately calculated the 
costs of implementing the administrative requirements under the 
proposed regulation. We believe the proposed regulation would 
have a disproportionate impact on small business (individual 
and groups of physicians and other health care practitioners).

Preemption and Relationship to State Laws

    The AMA is deeply concerned that, while the proposed rule 
suggests that its preemption provision sets a federal ``floor'' 
for preemption, a raft of subsequent exceptions and qualifiers 
completely undermine the provision, creating a federal 
``basement,'' rather than a federal ``floor.''
    AMA policy supports a preemption provision that preserves 
more stringent state confidentiality laws, so that federal and 
state privacy protections would be cumulative. The proposed 
rule fails to provide due deference to the States.
    This section is also flawed by the fact that entities--
specifically physicians--regulated by the rule would not be 
able to independently ask the Secretary for clarification as to 
which law to abide by. All queries must be presented by the 
States. Two implementation problems are immediately evident:
    (1) physicians who seek to comply with state law, believing 
in good faith that it is more stringent than the federal 
standard, could be in violation of the regulation without ever 
knowing or having an opportunity to directly request guidance 
from the Secretary; and
    (2) State governments could have a conflict of interest, as 
one of the largest health data collectors, in bringing forward 
queries to the Secretary.

Compliance and Enforcement

    Due to the lack of concrete guidance in its current form, 
the proposed regulation may unwittingly expose physicians and 
other covered entities to fines for noncompliance despite good 
faith efforts to comply. The AMA is also troubled by the 
implicit federal overlap created by this rule wherein the 
traditional role of the states' medical licensure boards in 
overseeing physicians' ethical practice is usurped by federal 
enforcement.
    We are encouraged to note the Secretary's philosophy of 
providing ``a cooperative approach to obtaining compliance,'' 
that looks to an educational, rather than punitive, approach to 
resolve disputes. The AMA nevertheless questions the role of 
the Secretary or any federal officer to investigate complaints 
against physicians for breaches of patient confidentiality. 
This is the traditional realm of state medical licensing boards 
and their premier role in pursuing this type of activity is 
clearly articulated in State medical practice acts.

Cost of Compliance

    The AMA notes that the cost to comply with the proposed 
privacy regulations clearly is not a one-time cost but will be 
a perpetual and continuing commitment, and this should be 
reflected in the analysis. These continuing costs are not 
anticipated by the proposed rule. Furthermore, the proposed 
rule could impose significant new costs on physicians' 
practices, with the potential to disproportionately burden 
small physician offices. We believe this runs counter to the 
explicit intent of HIPAA's ``Administrative Simplification'' 
provisions, which require ``any standard adopted under this 
part shall be consistent with the objective of reducing the 
administrative costs of providing and paying for health care.'' 
(Sec. 262. ``Administrative Simplification,'' ``Sec. 1172(b) 
Reduction of Costs.'')

Conclusion

    The Secretary notes that she has attempted to create a 
regulation that strikes a balance between permitting important 
uses of health information while respecting an individual's 
right to privacy. We commend the Secretary for the attempt to 
address these complex issues, particularly within the 
restrictive framework permitted under HIPAA. The AMA does not 
believe, however, that the proposed regulation achieves the 
necessary and proper balance. The proposed regulation would not 
adequately protect patient privacy and confidentiality and it 
would substantially and unacceptably increase administrative 
burdens for physicians. For these reasons, we cannot support 
the proposed regulation in its current form.
    Further, the parameters set under HIPAA for regulatory 
action do not permit the full scope of protections that 
physicians believe patients deserve in any federal privacy law. 
We believe that the first step of any ultimately successful 
proposal, legislative or regulatory, must be to place the 
patient first. Each entity seeking access to patients' most 
confidential medical information must pass the stringent test 
of showing why its professed need should override individuals' 
most basic right in keeping their own information private. 
Moreover, citizens deserve a full and open discussion of 
exactly who wants their private medical information and for 
what purpose. Only then may the true balancing of interests 
take place. These are the ground rules of AMA policy and they 
should be the ground rules for the federal debate regarding 
patient privacy.
      

                                


    Chairman Thomas. Thank you, very much, Doctor. Ms. Fox?

 STATEMENT OF ALISSA FOX, EXECUTIVE DIRECTOR, OFFICE OF POLICY 
     AND REPRESENTATION, BLUE CROSS BLUE SHIELD ASSOCIATION

    Ms. Fox. Mr. Chairman and members of the committee, thank 
you very much for this opportunity to speak to you today.
    Blue Cross and Blue Shield Association agrees that 
standards are necessary to assure all consumers that their 
medical information is kept strictly confidential. For our 
plans, there is absolutely no question as to whether patient 
records should be kept private, but only as to how this should 
be done.
    We have extensive reviewed the proposed HHS rules with our 
plans and have concluded that without substantial changes, the 
proposal is operationally infeasible, extremely costly, and 
would threaten quality improvement efforts throughout the 
health care system.
    Today, we submitted over 50 pages of detailed formal 
comments, as well as recommendations to HHS. I would like to 
highlight our four top issues.
    First, as discussed earlier, this proposal would layer new 
Federal rules on top of existing state laws that will make it 
extremely confusing for everyone. HLC has an excellent chart 
illustrating this.
    For consumers, it will be extremely difficult to know what 
their rights are, and who do you call when you have questions 
or problems? Do you call the state? Which state? How many 
states? Or do you call HHS?
    Second, the new business partner requirement would force 
plans, doctors, and hospitals to assure all of their partners 
comply with these rules. This is simply unworkable and would be 
very expensive because everyone would end up monitoring 
everyone else. Hospitals monitoring doctors, plans monitoring 
hospitals. We have urged HHS to drop this requirement.
    Third, the new minimum necessary rule would require all of 
us to establish new procedures and reorganize and redesign our 
operations, so we are only disclosing the minimum information 
necessary in each and every case. This would undermine all of 
our efforts to assure that patients receive the right care at 
the right time.
    Simply put, this erects road blocks to assuring patients 
receive the best possible care and runs counter to the new 
Institute of Medicine report, which highlights the need for 
complete and timely access to patient medical information to 
prevent the wrong care.
    Fourth, we are concerned that the way the proposal is 
constructed, it may make it difficult and perhaps even 
impossible for plans to continue existing beneficial functions 
such as disease management programs. This is because the list 
of the functions in the health plan definition misses many key 
functions we do today. And we worry that it could limit what we 
do in the future as we evolve to meet consumer demands in the 
21st century, where the pace of technological advances 
continues to amaze us all.
    Finally, we are extremely concerned about the cost of 
implementing such a complicated proposal. We commissioned the 
Nolan Company to estimate the cost of several provisions and 
their estimate is over $40 billion for the entire health care 
system over a five year period. This estimate is multiple times 
higher than the HHS estimate.
    A key reason for this difference is that HHS did not 
estimate many of the provisions we believe will be extremely 
expensive. HHS has said they did not have the information and 
data to do these estimates. We hope that our study will be 
useful to them.
    Mr. Chairman and members of the committee, let me close by 
saying that we must be smart in what we ask of the health care 
system. We must evaluate new requirements very carefully to 
make sure that they are the most cost effective and efficient 
way of protecting patients. We believe that major changes are 
needed to assure we are not unnecessarily adding to the cost of 
insurance coverage or jeopardizing our health care system which 
continues to provide the best care in the world. And most 
importantly, we must avoid redirecting scarce dollars from 
benefits to administrative costs.
    Thank you very much.
    [The prepared statement follows:]

Statement of Alissa Fox, Executive Director, Office of Policy and 
Representation, Blue Cross Blue Shield Association

    Mr. Chairman and Members of the Committee, I am Alissa Fox, 
Executive Director for the Blue Cross and Blue Shield 
Association. The Blue Cross and Blue Shield Association (BCBSA) 
represents 49 independent Blue Cross and Blue Shield Plans 
across the country, covering over 74 million Americans -or one 
in every four individuals.
    Thank you for the opportunity to testify today regarding 
our major concerns with the proposed regulations setting 
privacy standards for individually identifiable health 
information issued by the Department of Health and Human 
Services (HHS) on November 3, 1999.
    BCBSA believes that safeguarding the privacy of medical 
records is of paramount importance. All consumers should be 
confident their medical information is kept confidential. For 
BCBS Plans, there is no question as to whether patient records 
should be kept confidential, but only as to how this should be 
accomplished. We look forward to working with Congress and the 
Department of Health and Human Services (HHS) to implement 
practical privacy protections that:
     allow for the timely delivery of and payment for 
health care services;
     facilitate efforts to deliver safe and high 
quality care; and,
     minimize costs and administrative paperwork for 
consumers, providers and others in fulfillment of the 
objectives of Health Insurance Portability and Accountability 
Act's (HIPAA) Administrative Simplification provisions.
    It is clear from the proposed regulation that HHS sought to 
balance the need to safeguard medical records with the ability 
of the health care system to provide health care services 
efficiently. We recognize that the staff of HHS has worked long 
hours in an attempt to develop regulations that would not 
impede our modern health care system.
    However, despite their efforts, we remain concerned that 
the proposed regulation needs significant revision. Without 
substantial changes, the proposal is operationally infeasible 
and extremely costly. It would slow the delivery and payment of 
care to providers and consumers, threaten the assurance of 
quality, and exacerbate the cost of health care.

    My testimony focuses on five key areas:

    I. Scope of the Regulation
    II. Key Concerns with the Regulation
    III. Positive Aspects of the Regulation
    IV. Cost of the Regulation
    V. Recommendations

I. Scope of the Regulation

    HIPAA provided HHS the authority to promulgate privacy 
standards for consumer health information if Congress did not 
pass legislation by August 1999. The statute directed HHS to 
issue rules governing standards with respect to the privacy of 
individually identifiable health information transmitted in 
connection with the transactions described in section 
1173(a)''--certain standardized transactions for claims payment 
and other functions. This directs the Secretary to develop a 
narrow set of privacy rules for the specific transactions that 
are developed and transmitted under Administrative 
Simplification. However, the proposed rule establishes 
standards that far exceed this mandate. The proposal would 
affect virtually all players in the health care industry as 
well as many other organizations--such as schools, employers, 
and accounting firms -and the vast majority of information.
    The proposal would require covered entities (i.e., health 
plans, providers, and clearinghouses) to:
     Obtain new authorizations from consumers before 
using or disclosing information, except for purposes of 
treatment, payment, health care operations and other limited 
circumstances;
     Allow individuals to inspect, copy and amend much 
of their medical information;
     Track all disclosures made other than for 
treatment, payment and health care operations;
     Recontract with all business partners to require 
them to use and disclose information according to the new 
privacy rules and assure that business partners are complying;
     Institute procedures to assure that only the 
minimum information necessary is used or disclosed for a given 
purpose;
     Designate a privacy official and train staff;
     Follow specific rules before using protected 
health information for research; and,
     Develop a host of new policies, procedures and 
notices.
    In understanding the full scope and implications of the 
regulation, it is important to be aware of the following:
     The Regulation is Not Limited to Electronic 
Records: Many news accounts describe the proposed regulation as 
applying to electronic records only. This is far from accurate. 
The regulation specifically applies to electronic records, as 
well as any format of a record that has ever (or will ever be) 
electronically transmitted or maintained. This broad brush 
covers millions of paper records, oral records and other 
storage formats. In addition, because it would be so difficult 
to distinguish ordinary paper records from paper records that 
had been (or would be) electronically transmitted, the 
practical effect of the regulation would be that doctors, 
health plans and other covered entities would need to apply the 
protections to all of their records, of any format.
     The Regulation Affects Internal Uses of 
Information as well as Disclosures: A common misconception 
regarding the regulation is that it simply regulates the 
disclosure of information to a third party. In fact, the 
regulation actually affects the use of information internally 
within an organization. This means that organizations would be 
required to comply with all the rules even when they use 
information internally for treatment purposes, claims 
management, utilization review and other routine health care 
purposes.
     The Regulation Affects a Broad Array of 
Organizations and Information: The definition of ``covered 
entity'' in the regulation is broad in scope--including not 
only doctors, hospitals and health plans but employers 
operating their own health plans (insured/self-funded), 
laboratories, pharmacists and many others. Many organizations 
that are not included specifically as a ``covered entity'' are 
indirectly subjected to the privacy rule through a new 
requirement that all covered entities must regulate their 
``business partners.'' For instance, lawyers, accountants and 
other non-health oriented organizations could fall into this 
category.
     In addition, the definition of ``protected health 
information'' (PHI) in the regulation is much broader than what 
most individuals consider their health information. The 
definition of PHI goes beyond an individual's medical records 
to include insurance records and status, oral information, 
demographic data, and insurance status.

II. Key Concerns with Regulation

    Today, BCBSA submitted over 50 pages of detailed formal 
comments to HHS on a whole host of important operational 
issues. This testimony highlights the four most problematic 
provisions in the regulation.
1. Preemption of State Law

    We believe doctors, health plans, and other covered 
entities will be unable to navigate the labyrinth of state and 
federal privacy laws under the complex construct of the HIPAA 
regulatory model. The regulation follows HIPAA regulatory 
construct in that state laws are preempted only if contrary to 
the regulation, and less stringent. In addition, the regulation 
specifically ``saves'' certain state statutes from preemption, 
such as those relating to health surveillance.
    Everyone in the health care system needs a clear 
understanding of the rules that guarantee privacy. We are 
concerned that the lack of a complete preemption over state law 
creates a serious problem for consumers, doctors, health plans 
and other covered entities.
    Doctors, health plans and other covered entities must 
determine, on a provision by provision basis, which parts of 
state law would be retained, and which would be replaced by 
federal law. This is further complicated by the free flow of 
patients and information in today's health care industry. For 
instance, an individual may live in the District of Columbia, 
work in Virginia, and visit a physician located in Maryland. 
Covered entities dealing with this individual must evaluate the 
interplay of three state statutes with the federal law. In 
addition, covered entities also must factor in the interplay of 
other federal laws relating to privacy. Even if each covered 
entity engaged an attorney to prepare a preemption analysis, 
different attorneys would prepare conflicting interpretations--
leading to costly litigation with the states, the federal 
government and consumers.
    This regulatory construct particularly will be confusing 
for consumers. Instead of facilitating an individual's ability 
to know their privacy rights, this complex preemption process 
is sure to confound patients. First, individuals will be hard 
pressed to determine which aspects of the state and federal 
privacy laws apply to them, so it will be impossible for them 
to determine if in fact, they have been wronged. In addition, 
consumers will not know where to direct complaints if they do 
feel that their rights are violated --Maryland? Virginia? The 
District of Columbia? The Secretary of Health and Human 
Services? It is likely that consumers will be bounced from one 
jurisdiction to the next until the consumer locates the one 
which has the law that has been violated -or the consumer 
becomes frustrated and terminates the effort.
    We recognize that a complete preemption of state law is 
outside the statutory authority of the Department of Health and 
Human Services (HHS). Therefore, we recommend HHS prepare a 
detailed privacy guide for each state on how existing state 
laws intersect with the new federal rules. The guide should 
also address whether a privacy provision is triggered by a 
consumer's residence, location of provider or other criteria. 
HHS should prepare the guide in collaboration with state 
government officials. HHS should assure this guide also 
incorporates other federal privacy laws, such as the Federal 
Privacy Act. As part of this process, each individual state 
should certify agreement with HHS' analysis so everyone has a 
clear understanding of the rules.
    It is imperative that this legal guidebook is prepared well 
in advance of the final regulations. Doctors, health plans, and 
other covered entities will need this completed analysis before 
computer systems can be redesigned, forms and notices are 
changed, consumer brochures are modified and updated, and other 
procedures can be brought into compliance. Bringing plan and 
provider operations into compliance with these complex new 
regulations will be expensive, so it is critical that these 
entities only have to modify systems and other items once. 
Therefore, we recommend that the analysis be provided two years 
prior to the effective date of the regulation.

2. Business Partners

    The business partner provisions of the regulation require 
that doctors, health plans and other covered entities enter 
into prescribed contracts with all of their ``business 
partners'' to assure these partners follow specific HHS privacy 
rules. The doctors, health plans and other covered entities 
would be considered to be in noncompliance with the regulations 
and could be subject to penalties and/or litigation if they 
``knew or reasonably should have known'' of certain privacy 
violations of their business partners. We believe these 
provisions are unworkable, as well as outside of the authority 
of HHS.
    The definition of business partner is so broad that 
physicians could be the business partners of independent 
laboratories; health plans could be the business partners of 
their lawyers and accountants; and hospitals could be the 
business partners of independent physicians that practice 
within their walls. Doctors, hospitals, Coordination of Benefit 
(COB) partners, and health plans could all be construed as 
``business partners'' of each other. These provisions also 
could result in unworkable relationships between government 
agencies. For instance, we believe the Social Security 
Administration--who makes eligibility determinations for the 
Medicare program--could be interpreted to be a business partner 
of the Health Care Financing Administration (HCFA). Medicare 
contractors could be business partners of HCFA, subjecting HCFA 
to the fines and penalties under the regulation.
    The potential liability is likely to force all of these 
doctors, health plans, and other covered entities to monitor 
each other (as well as sub-contractors). This would result in 
an enormous amount of duplicative monitoring and auditing, 
making it likely that all members of the health care industry 
would be monitoring each other (including covered entities)--an 
obvious conflict with the efficiency and cost-saving goals of 
the Administrative Simplification provisions of HIPAA. 
Moreover, these costly actions would provide little or no real 
benefit to consumers since most of these entities already would 
be covered by the regulations.
    The contractual specifications included in the regulation 
compound the problems in the unworkable business partner 
framework. For instance, one of the specified contract 
standards in the regulation is that doctors, health plans, and 
other covered entities require business partners to either 
destroy or return all protected health information (PHI) when a 
contract is terminated. But clearinghouses, for example, keep 
health data on file for some time to respond to disputes and 
complaints. Health plans, employers, and other covered entities 
and business partners must maintain PHI in order to provide 
HIPAA certificates of coverage and protect themselves from 
legal disputes, complaints, etc. In addition, some health plans 
are required by state law to keep information for a certain 
period of years for state purposes. This is only one of a 
number of examples demonstrating the operational infeasibility 
of the contract provisions. In our detailed comments, we 
identified a number of other.
    And finally, we believe the business partner provisions are 
outside of the statutory authority of the Department of Health 
and Human Services. HIPAA clearly delineates the covered 
entities subject to HHS oversight: health plans, 
clearinghouses, and providers conducting standard transactions. 
Attempts to indirectly regulate other organizations--through 
doctors, health plans and other covered entities or otherwise--
is an overreach of regulatory authority. We believe recent 
District and Supreme Court cases support this premise as well 
as the viewpoint that inherently federal powers cannot be 
delegated to non-federal authorities.

3. Minimum Necessary

    The proposed regulation instructs doctors, health plans, 
and other covered entities to use or disclose only the minimum 
information necessary to accomplish a given purpose and 
discourages the exchange of the entire medical record. This 
requirement also implies determinations should be made on an 
individual basis. At first blush, this standard seems to be a 
perfectly reasonable, common sense provision.
    However, upon an operational implementation perspective, it 
becomes increasingly clear that it would be impossible to 
implement a legal standard that only the minimum information is 
used or disclosed. First of all, it is important to recognize 
that this standard applies to the use of information as well as 
disclosure, and that the definition of disclosure includes 
broad terms such as ``provision of access to.'' We believe this 
standard would require a massive reorganization of workflow, as 
well as possible redesign of physical office space and would 
jeopardize the quality and timeliness of patient care, benefit 
determinations and other critical elements of the health care 
system. For instance:
     As part of the description regarding the minimum 
necessary standard, the regulation includes a strong 
discouragement regarding the release of entire medical records 
of patients. The complete exchange of medical information is 
absolutely critical to assuring a patient receives the right 
treatment at the right time. The recent Institute of Medicine 
report, ``To Err is Human,'' highlighted the medical mistakes 
that are common in our health care system today. The IOM report 
states that errors are more likely to occur when providers do 
not have timely access to complete patient information. The 
discouragement of complete medical records would make it more 
difficult to guard against these problems. One covered entity 
may determine that a subscriber's prescription is not relevant 
to be released. Further down the line, that lack of information 
may impede clinicians' decisionmaking.
     It is well documented that fraud and abuse is a 
costly element of our health care system. The Medicare program 
as well as private health plans have made combating fraud and 
abuse a priority. However, the minimum necessary standard is 
likely to impede fraud detection, because fraud and abuse units 
may be accused of using more than the minimum information 
necessary. Any impediment to fraud detection would increase the 
cost to consumers.
     Health plans and providers actually may be forced 
to redesign their facilities to comply with the minimum 
necessary standard. For instance, when visiting friends in 
maternity wards, there generally is a white board describing 
all of the patients and their medical needs. Any visitor may 
view the information on the board. Or take an orthopedist's 
office, where a x-ray lightboard is centrally located outside 
of the patients' rooms for easy access by the physician. Anyone 
in the office could view the x-rays, and x-rays are 
identifiable information. Would the regulation require these 
providers to renovate their facilities to comply with the 
regulation?
    These are a few examples of the types of activities that 
could fall awry of the proposed privacy regulations. If 
implemented, this would impose incredible costs on consumers--
not just in dollars and cents--but in lives as well.

4. Health Care Operations

    One of the fundamental building blocks of the regulation is 
its definition of health care operations. Items that are listed 
in this definition are exempt from the requirement to track 
disclosures of protected health information, and do not require 
a separate authorization from an individual. As changes are 
made to the final regulation, we expect the definition to 
continue to play a key role.
    We believe the current definition of health care operations 
misses important functions. As a result, covered entities may 
have to solicit authorizations for certain functions or track 
disclosures as part of routine operations. The end result would 
be that health plans could encounter major obstacles to 
conducting these activities and could be discouraged from 
conducting these important functions. The following is a sample 
of overlooked functions:
     Disease management, case management, risk 
assessment, epidemiological studies and drug interventions. 
Many of our Plans conduct these important programs that benefit 
consumers through improved health care, better outcomes, and 
lower cost. For instance, the Blue Cross and Blue Shield 
Federal Employee Program provides disease management services 
to improve care for patients with respect to congestive heart 
failure and diabetes as part of its benefit plans. When claims 
are processed, the names of enrollees that could benefit from 
disease or case management are compiled. This information also 
may be used to conduct epidemiological studies of particular 
populations within FEP or to implement drug intervention 
programs.
     Private accreditation by organizations such as 
National Committee for Quality Assurance (NCQA), as well as 
auditing, evaluating and accreditation functions performed by 
other private entities, such as associations. The NCQA and 
other private accrediting organizations sometimes require the 
review of information that could be considered as protected 
health information. In addition, other private entities--such 
as associations--sometimes perform auditing and evaluation of 
their members as part of membership or other standards.
     Routine Plan operations such as ``security 
activities,'' data processing activities and general 
maintenance: Some health plans conduct a series of security 
activities designed to assure that employees are complying with 
corporate privacy policies. For instance, they may monitor 
``same name'' look-ups, to guard against employees checking the 
records of family members, or monitor access to celebrity 
files, as well as other initiatives. With regards to computers, 
``live'' data is often used in order to assure that system 
changes and upgrades have correctly been made. Health Plans 
also must conduct a number of routine operations, for instance 
the printing of ID cards, etc.
     Health promotion and other educational activities. 
For instance, FEP has established a 24-hour nurse hotline, Blue 
Health Connection. Enrollees' PHI may be disclosed to the 
vendor responsible for Blue Health. This information is used to 
provide enrollees with health education, treatment options, and 
assistance with questions for enrollees to ask their 
physicians. We also may notify enrollees -or require our 
physicians to notify patients--regarding mammography screenings 
or immunizations.
     Insurance underwriting and other activities: While 
the regulation does specify insurance underwriting, we believe 
the proposed definition may be deficient because it relates 
only to the renewal of a contract, and to the protected health 
information of individuals already enrolled. This could inhibit 
our ability to develop an appropriate premium for group 
coverage as well as the ability of covered entities to obtain 
stop-loss coverage or reinsurance.
    This is only a sample of the types of functions that have 
been overlooked. We believe many more items will be discovered 
as doctors, health plans, and other covered entities begin 
implementing the regulation. In addition, we believe the 
definition is static, and cannot reflect the new roles and 
functions that health plans may develop in the future that 
benefit consumers, improve quality, and reduce costs. For 
instance, if this definition had been developed ten years ago, 
disease management programs would not be as common as they are 
today. We are concerned that such strict definitions could 
limit health plans' roles as they seek to redefine themselves 
to meet consumer demands of the 21st century. We believe a 
static definition of health care operations will squelch 
innovation because health plans will not invest in development 
unless they know the new program would fall under health care 
operations.

III. Positive Aspects of the Proposed Regulation

    Clearly, we believe there are significant issues in the 
proposed regulations. However, the regulations did include 
certain provisions that demonstrated interest in balancing 
operational impacts with the overall goal of privacy. We have 
urged HHS to retain these provisions in the final regulation. 
In particular:
     ``Statutory'' Authorization for Treatment, Payment 
and Health Care Operations: The proposed regulation does not 
require a new authorization for treatment, payment, and health 
care operations. We believe a ``statutory'' authorization, 
meaning that covered entities may use or disclose protected 
health information (PHI) without authorization as matter of 
law, is imperative and would oppose a requirement for new 
authorizations for these vital activities.
    Requiring health plans to obtain a new authorization from 
current subscribers would require numerous mailings and phone 
calls from health plans--a process akin to a ``late bill'' 
collections process--in order to obtain the new authorizations. 
In the interim, subscribers and providers would experience 
delays in payment and other services and confusion in the 
health care system.
     Tracking of Disclosures, Other Than For Treatment, 
Payment and Health Care Operations: The proposed regulation 
requires tracking of disclosures made for purposes other than 
treatment, payment or health care operations. This requirement 
is operationally more feasible than a requirement to track all 
disclosures. We would oppose any expansion of this standard. 
Expanding the tracking standards would result in duplicative 
and unnecessary tracking of millions of routine transactions 
that occur every day (e.g., Coordination of Benefits, lab 
disclosures to physicians, etc.) and a blizzard of paperwork 
for all, especially physicians. However, we remain concerned 
that this more reasonable tracking standard is undermined by 
provisions in the amendment and correction standard that 
requires doctors, health plans and other covered entities to 
notify previous recipients of information. If the amendment and 
correction standard is not modified, we believe it would have 
the operational effect of a ``de facto'' tracking standard for 
all disclosures, even those made for treatment, payment, and 
health care operations.
     Inspection And Copying Of PHI Contained In A 
Designated Record Set: The proposed regulation allows consumers 
to inspect and copy those records retrieved from a designated 
record set used to make substantive decisions. Using a 
designated record set standard is operationally more feasible 
than requiring access to all protected health information. 
Expansion of this standard to all records would result in reams 
of meaningless information being retrieved and copied at a 
great cost to the health care system. We oppose expansion of 
the current standard.

VI. The Cost of the Regulation

    The proposed regulation includes an estimated total cost of 
$3.8 billion over five years. We think this figure greatly 
underestimates the cost of implementation. The regulation 
itself indicates the HHS cost estimates are incomplete. The 
proposed regulation itemizes 10 standards for which HHS was 
unable to complete a cost analysis, noting that ``the cost of 
these provisions may be significant in some cases. . ..'' The 
minimum necessary standard, business partner monitoring, 
designation of privacy officials and privacy boards, and 
creation of de-identified information were all items excluded 
from the HHS cost estimate.
    Due to our concern regarding costs, we engaged the Robert 
E. Nolan Management Consulting Company to provide an 
independent estimate of several key provisions of the proposed 
regulation; the Nolan estimate is over $40 billion over five 
years to health plans, providers and other members of the 
health care community. These costs stem from:
     Business Partner Monitoring: The business partner 
provisions would make doctors, health plans and other covered 
entities liable for the compliance of their business partners, 
including lawyers, schools and other organizations. As a 
result, covered entities would monitor each other as well as 
their non-health business partners. This provision is estimated 
to cost about $4 billion over five years.
     Privacy Officials, System Changes and other 
Infrastructure: Doctors, health plans and other covered 
entities would need to retrain current employees and 
periodically recertify their employees, hire privacy officials, 
upgrade systems, and address other infrastructure issues in 
order to implement the proposed privacy regulations. This is 
estimated to cost about $23 billion over five years.
     Tracking and Disclosure: The amendment and 
correction provision requires covered entities to send amended 
records to previous recipients of the information. This could 
result in a ``de facto'' requirement to track all disclosures 
of information. As a result, this provision could cost as much 
as $9 billion over five years.
     Inspection, Copying and Amendment: Covered 
entities would have to allow individuals to inspect, copy and 
amend all information contained in a designated record set. The 
definition of accessible information extends beyond the 
traditional medical record to other electronic, or written 
information that includes an individual's name, social security 
number or other identifying feature. This provision is 
estimated to cost almost $4 billion over five years.
     Impact on Medical Management: Deficiencies in the 
term health care operations and other definitions could reduce 
the ability of health plans to conduct effective disease 
management programs. These programs improve the quality of care 
of consumers, and decrease overall medical costs. Less 
effective disease management programs is estimated to cost $3 
billion over five years.
    Obviously, estimates will vary depending on the final 
interpretations of the regulation, however we believe an 
estimate of over $40 billion remains conservative. For 
instance, it does not include the new liability costs that will 
arise from this regulation, the impact of underwriting changes, 
or the impact on health research. Ultimately, the additional 
administrative costs faced by providers and health plans will 
increase the cost of insurance coverage.

V. Recommendations

    In general, the proposed regulation require doctors, health 
plans and other covered entities to implement complex new rules 
that require extensive new procedures, documentation processes, 
form specifications and notice standards. These requirements 
would require the re-organization of workflows as well as 
possibly the physical facilities of doctors and hospitals in 
order to comply with the law. We believe the level of 
documentation and procedures is unnecessarily excessive, and 
should be rewritten to reduce the complexity, burden and cost.
    Specifically, we urge the following:
    (1) Detailed Guidance on Preemption of State Law: While we 
recommend a full preemption of state law in the privacy area, 
we understand that it is outside of the statutory authority for 
HHS. In the absence of full preemption, we recommend HHS, 
working with the states, prepare a detailed analysis of state 
and federal law to provide a clear guide on all provisions 
affecting the health care industry.
    It is critical that this guidance is available at least two 
years prior to the effective date of the regulation. Bringing 
operations into compliance with these complex new regulations 
will be expensive so it is critical that doctors, health plans, 
and other covered entities only have to modify systems and 
other items once.
    (2) Removal of Business Partner Provisions. The business 
partner provisions should be removed from the regulation 
because they are:
     Outside of the Secretary's statutory authority
     Unworkable and would create expensive and 
duplicative monitoring between doctors, health plans, and other 
covered entities
     Unnecessary since the vast majority of protected 
health information is maintained by organizations that are 
covered by the regulation.
    (3) Change the Minimum Necessary Standard from Legal 
Standard to Organizational Objective: While we believe the 
minimum necessary standard is a laudable goal, we are concerned 
that it would be impossible to implement this standard 
operationally and comply with a rigid legal standard. 
Therefore, we recommend that organizations include the minimum 
necessary standard concept as an objective, rather than as a 
legal standard.
    (4) Revise Definition of Health Care Operations: The 
current definition of health care operations is static and 
missing key elements. As the building block of the regulation, 
this definition is crucial because it triggers whether or not 
new authorizations are required, disclosures are tracked, and 
other important issues. Instead of using a narrow, prescriptive 
definition, we recommend inclusion of a definition that is 
flexible enough to incorporate the industry's current 
operations as well as new ones that develop as our ability to 
improve quality and other areas increase.
    (5) Additional Funding for Medicare Contractors and other 
Government Programs. We also urge congressional appropriators 
to factor the additional cost of privacy compliance into budget 
development regarding the Medicare fee for service contractors, 
Medicare+Choice plans, the Federal Employees Health Benefit 
Program, and other federal programs.
VI. Conclusion

    Once again, we appreciate the opportunity to testify before 
you on this critical issue.
    We would like to continue working with you, and the 
Department of Health and Human Services, on crafting privacy 
rules that meet our common goals of protecting consumers, 
improving quality, and minimizing costs.
    Thank you again for this opportunity to testify on this 
important issue.
      

                                


    Chairman Thomas. Thank you, Ms. Fox. Ms. Goldman?

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, 
   INSTITUTE FOR HEALTH CARE RESEARCH AND POLICY, GEORGETOWN 
                           UNIVERSITY

    Ms. Goldman. Good morning, Mr. Chairman, Mr. McDermott, 
members of the subcommittee, thank you very much for testifying 
today.
    The Health Privacy Project at Georgetown was created a 
number of years ago to look at the impact of privacy in the 
health care setting. We have since participated in and there 
has since been numerous polls and surveys that have shown that 
the lack of privacy in health care has been a major barrier to 
people seeking care and to the quality of care that people 
receive.
    Congress, of course, acknowledged that concern and, in the 
Health Insurance Portability and Accountability Act, you 
imposed a deadline on yourselves to address this issue in a 
comprehensive way. Of course, after many bills were introduced 
and many hearings, many of which were held by this 
subcommittee, the deadline did pass and that then triggered the 
requirement on the administration to issue regulations.
    They did extend the comment period based on our request and 
a number of requests of those sitting here at this table, so 
that we had a full chance to put our comments in. That comment 
period closes today. This hearing is important because it gives 
us again another opportunity, while we are still in the draft 
stage, to make sure that this is as strong and workable a 
regulation as possible.
    What I want to focus on in my testimony are two areas. One, 
there are gaps in the Secretary's proposed regulation that are 
there because of the legal constraints on her delegation of 
authority from HIPAA. The second is to just go through quickly 
the strengths and weaknesses in the proposed regulation itself.
    There are three major gaps in the regulation, again 
stemming from the delegation of authority in HIPAA. They have 
already been covered, but let me please go through them 
quickly. The issue of electronic versus paper records. We think 
it is really senseless to have a rule that only applies to 
electronic records, because it goes against the intention in 
HIPAA which is to create a uniform standard electronic network. 
And you do not want to create a disincentive for people to put 
information into electronic form as a way of avoiding the 
privacy regulations.
    The second is the issue of covered entities. Some of the 
concerns that many of my colleagues have about how the 
regulation is drafted is based on the fact that the 
administration can only cover three entities directly, the 
plans, the providers, and the clearing houses. So the scope of 
coverage through the business partners language and through 
other prohibitions on disclosure is in there as a way of making 
this a workable regulation. And it is there because the 
screening is limited in what she is able to do in terms of 
scope. So I think that is an important issue to look at.
    The third gap obviously is on enforcement. We are very 
concerned about the weak enforcement and the weak remedies that 
are available under the proposed regulation. Again, HHS was 
constrained because of HIPAA.
    We do think though that, on balance, the regulation is 
vitally important as an intermediary step and I say that 
recognizing that Congress still has a very important role to 
play in both filling the gaps and strengthening certain 
provisions. We look forward to working with you on that. I 
think the regulation will set a baseline of protection, but we 
need to look at some of the major provisions that are being 
proposed.
    One, it gives people the right to see their own records, a 
critical right, one that is not uniformly and comprehensively 
provided for at the state level. The regulation itself creates 
an overall incentive to use de-identified data. Again, if you 
create de-identified data, you are outside the scope of the 
regulation. It provides notice to patients about how their 
information will be used and by whom. It provides for an 
authorization process.
    We are very concerned, however, that in that first tier of 
authorizations, for treatment, payment, and health care 
operations, the lack of any opportunity for individuals to sign 
a form either saying ``I understand how my data is going to be 
used'', or ``I am authorizing the use of that data''--which is 
essentially what the status quo is. We are very concerned that 
people will not truly understand how their information is 
flowing.
    While the business partners proposal, is awkward in many 
ways, it is a necessary way of creating a chain of trust in how 
information flows and to whom. In many ways, it is codifying 
what is already good business practice. You clearly do not 
disclose information to agents or others without entering into 
a written agreement about how that information will be used.
    On research, we are very pleased to see the Secretary's 
proposal to expand either the institutional review board 
structure or a privacy board to cover all research. However, we 
would like to see it be an institutional review board.
    On law enforcement, I think she has fallen short of where 
the regulation needs to be. It appears to be an improvement 
over the initial recommendation, but it allows for a kind of--
excuse the cliche--a Chinese menu of choices in determining 
what kind of legal process law enforcement needs to get. We 
think that must be strengthened.
    On remedies, again a private right of action is necessary 
to make this an effective provision. Clearly that is an 
important area for Congress to explore. All other Federal 
privacy laws include a private right of action.
    On preemption, I want to address some of the comments that 
my colleagues have made about preemption. We did a survey of 
state confidentiality laws to look at what was the state of 
health privacy right now. What we have found is that if you 
read the regulation that is being proposed, you will create 
significant uniformity in how health privacy is handled at the 
state level, because many of the laws are weaker than what is 
being proposed by the Secretary at this stage. And where they 
are more detailed and more protective are in, for the most 
part, condition specific areas, where the states have gone to 
great pains to enact detailed specific provisions dealing with 
HIV, with mental health, with reporting, with abuse and 
neglect.
    And so our state report essentially shows you will have 
substantial uniformity with the passage of a Federal law, even 
one that sets a floor. It will make the operation of the health 
care system much more efficient, more cost effective and, I 
think, more fair.
    In conclusion, Congress set the wheels in motion for where 
we are today with the Secretary's proposal. I think it was an 
important trigger mechanism so that we would have something, 
again as an intermediary step.
    This has been a tough issue for Congress. There are lots of 
different interests. It has been hard to find consensus. But in 
fulfilling the legal duty imposed under HIPAA, the Secretary 
has proposed some regulations that will take us part of the 
way.
    What we urge is for Congress to take us the rest of the 
way, to finish the job, and to fill the gaps and to strengthen 
the weaknesses. In the meantime, we hope that the proposed 
regulation will be strengthened, that the Secretary will have 
an opportunity to respond to many of the concerns that we have 
all raised, and that you have raised this morning, and that the 
regulation should go forward.
    Thank you very much.
    [The prepared statement follows:]

Statement of Janlori Goldman, Director, Health Privacy Project, 
Institute for Health Care Research and Policy, Georgetown University

I. INTRODUCTION AND OVERVIEW

    Mr. Chairman and Members of the House Subcommittee on 
Health of the Committee on Ways and Means: I very much 
appreciate the invitation to testify before you today on the 
Administration's proposed regulations regarding the privacy of 
individually identifiable health information.
    In December 1997, I launched the Health Privacy Project at 
the Institute for Health Care Research and Policy and 
Georgetown University Medical Center. The Project is dedicated 
to raising public awareness of the importance of ensuring 
health privacy in order to improve health care access and 
quality, both on an individual and a community level.
    Congress recognized the importance of protecting health 
privacy when it passed the Health Information Portability and 
Accountability Act of 1996. HIPAA requires that if Congress 
failed to pass comprehensive health privacy legislation by 
August 21, 1999, the Secretary of Health and Human Services 
must issue regulations by February 21, 2000.
    Congress did in fact fail to meet the August deadline. 
Consistent with its legal duty under HIPAA, the Administration 
did issue draft health privacy regulations November 2, 1999. 
The comment period was extended to February 17, 2000. We expect 
the regulations to be finalized in April.
    The proposed federal health privacy regulations constitute 
a significant step towards restoring the public trust and 
confidence in our nation's health care. These rules, however, 
are by no means the final solution. By virtue of the limited 
authority delegated by Congress, the proposed rules have 
limited applicability and cover only health plans, health care 
clearinghouses and health care providers who transmit health 
information (``;covered entities'') in electronic form. We 
appreciate the fact that the Secretary has made a strong effort 
to extend this coverage to a covered entity's business 
partners. But a large segment of those who hold health 
information remains beyond the scope of these regulations.
    Our testimony today focuses on two areas: 1) the 
limitations of the Secretary's authority and the role Congress 
should play to strengthen the final rule and fill remaining 
gaps in protection, and 2) the strengths and weaknesses of the 
proposed regulation.

II. PUBLIC NEED AND DEMAND FOR HEALTH PRIVACY

    A substantial barrier to improving the quality of care and 
access to care in this country has been the absence of 
enforceable privacy rules. People are withdrawing from full 
participation in their own health care because they are afraid 
their health records will fall into the wrong hands, and lead 
to discrimination, loss of benefits, stigma, and unwanted 
exposure. A January 1999 survey by the California Health Care 
Foundation found that one out of every six people engages in 
some form of privacy-protective behavior to shield themselves 
from the misuse of their health information, including lying to 
their doctors, providing inaccurate information, doctor-hopping 
to avoid a consolidated medical record, paying out of pocket 
for care that is covered by insurance, and--in the worst 
cases--avoiding care altogether. (Survey released by the 
California HealthCare Foundation, January 1999)
    Without trust that the personal, sensitive information they 
share with their doctors will be handled with some degree of 
confidentiality, people will not fully participate in their own 
health care. As a result, they risk inadequate care or 
undetected and untreated health conditions. In turn, the 
integrity of research and public health initiatives that rely 
on complete and accurate patient data may also be compromised. 
Thus, protecting privacy and promoting health care quality and 
access are values that must go hand-in-hand.

III. THE ROLE CONGRESS SHOULD PLAY

    The Secretary's authority to promulgate health privacy 
regulations is delegated to her in the Health Insurance 
Portability and Accountability Act. Due to the constraints 
imposed on her authority by HIPAA, the practical impact is that 
the draft regulation falls short in terms of scope of coverage 
and enforcement. Congress should act swiftly to fill these gaps 
to ensure that Americans have strong and comprehensive health 
privacy protections.

    A. Who is Covered: Scope Should be Expanded

    The draft rules issued by HHS only apply to certain 
entities: health care providers, health plans, and 
clearinghouses (entities that process and transmit claims 
data). We recognize that the scope of entities covered by the 
regulations is limited by the terms of HIPAA, and that the 
Secretary has attempted to cover as many entities as possible 
given her limited delegated authority. By limiting the 
regulations to health plans, health care clearinghouses, and 
certain health care providers, however, Congress has left a 
large number of entities unregulated, leaving gaps in the 
protection afforded health information. Many providers, 
researchers, and oversight agencies, for example, will not be 
subject to this regulation even though they collect, use, and 
disclose protected health information that identifies 
individuals.
    The Secretary has chosen to bind some non-covered entities 
to the principles of the draft regulation by requiring covered 
entities to establish contracts with business partners, or by 
prohibiting disclosures. This is a good intermediary step to 
fulfill the intention of the privacy language of HIPAA. 
However, this approach has significant limits, including the 
liability borne by covered entities, and the difficulty in 
prohibiting re-disclosure by non-covered entities.
    The only way to eliminate these gaps is for Congress to 
enact a comprehensive health privacy law. We therefore strongly 
urge Congress to pass a comprehensive health privacy law 
applicable to all those who generate, maintain, or receive 
protected health information.

    B. What is Covered: Paper Records Should be Protected

    The draft regulations only apply to electronic health 
information, but the vast majority of health information is 
currently maintained in paper form. We believe that the 
Secretary has the authority to extend the regulations that 
apply to all health information--whether it is maintained in 
paper or electronic format--and we recommend that she does so.
    In the event that the final regulations do not cover paper 
records, we believe that it is appropriate and necessary for 
Congress to extend the protections to cover all records 
maintained or transmitted by covered entities.
    The vast majority of health information is currently 
maintained in paper form. As proposed, the regulations 
distinguish between health information that at some point has 
been electronically maintained or transmitted and that which 
has not. This distinction is nonsensical, unworkable and 
unenforceable. At some point, some, but not all, of the 
information in the record may be transmitted electronically. 
Under the current proposal, the paper record would then contain 
both protected information (i.e., information that has been 
electronically transmitted), and unprotected information 
(information which has not been so transmitted). It would be 
burdensome and difficult to identify and designate which 
information in any particular record is protected.
    It would be easier for a covered entity to treat all 
information it maintains or transmits in the same fashion. 
Additionally, for enforcement purposes, it may prove difficult, 
if not impossible, to establish that specific health 
information at some point in its existence has been transmitted 
or maintained electronically and, therefore, is subject to the 
regulations. The best way to reduce these implementation and 
enforcement ambiguities is to make the privacy standards 
applicable to all individually identifiable health information 
transmitted or maintained by a covered entity regardless of its 
form.
    Finally, the administrative simplification provisions of 
HIPAA appear to encourage the development of a uniform 
computer-based health information system. This goal is impeded 
by allowing paper records to remain beyond the scope of the 
regulations. There is little incentive for covered entities to 
convert to computer-based health information systems if they 
may avoid regulation by maintaining paper-based systems.

    C. Enforcement: Private Right of Action Needed

    Under HIPAA, the Secretary is unable to confer on 
individuals a private right of action in the event the rules 
are violated. When finalized, the regulation will be difficult 
for HHS to oversee and enforce, and no federal remedy will be 
available to individuals. Only Congress can fill these 
significant gaps.
    In every other federal law that protects the privacy of 
peoples' records--from the Right to Financial Privacy Act to 
the Video Privacy Protection Act--Congress has seen fit to give 
people the legal right to go to court to seek injunctive relief 
and damages when the law has been violated. The remedies 
available under the proposed regulation are inadequate to 
ensure that the law will be fully, and forcefully, enforced. In 
the absence of a set of meaningful remedies, a real danger 
exists that compliance will be weak and spotty. While we 
understand the recent concern over lawsuits, we are unaware of 
significant problems that have resulted from the remedies now 
available to people under existing federal privacy statutes.

IV. STRENGTHS AND WEAKNESSES OF THE PROPOSED REGULATION

    The following is a summary of the major provisions of the 
proposed regulation, with our comments. The Health Privacy 
Project also staffs the Consumer Coalition for Health Privacy, 
whose mission is to educate and empower healthcare consumers to 
have a prominent and informed voice on health privacy issues at 
the federal, state, and local levels. (A copy of the 
principles, Steering Committee, and endorsing organizations is 
attached. Information is also available at http://
www.healthprivacy.org.) Members of the coalition are committed 
to the development and enactment of public policies and private 
standards that guarantee the confidentiality of personal health 
information and promote both access to high quality care and 
the continued viability of medical research. Funding for the 
Consumer Coalition is provided solely by the Open Society 
Institute. Many members of the Coalition are planning to submit 
their own comments on the draft Regulation. Others have 
endorsed the comments submitted by the Health Privacy Project 
and are reflected in the comments themselves.
    The full text of our comments, with the names of endorsing 
organizations, is attached. (The comments are also available at 
http://www.healthprivacy.org.)

    A. Who is Covered

    Again, by statute, the Secretary can directly regulate only 
health care providers, health plans and health care 
clearinghouses, all of which are defined as ``covered 
entities.'' We believe that the most effective way to extend 
the scope of coverage is through a comprehensive health privacy 
law that covers all entities that use and disclose individually 
identifiable health information.
    In the draft regulation, the Secretary attempts to address 
this statutory weakness by requiring covered entities to have 
contracts restricting uses and disclosures with their 
``business partners,'' i.e., certain persons and organizations 
to whom they disclose protected health information. We commend 
the Secretary on her efforts to encompass as broad a field as 
possible under the proposed regulations. In our complete 
comments, we suggest ways in which the contracts between 
business partners might be improved.
    The Secretary also attempts to address the circumstance 
under which an organization provides some health care or has 
created a health plan, but is not primarily engaged in these 
activities (such as a school that has an infirmary). Although 
the Secretary discusses treating only the health care component 
as a ``covered entity,'' the regulations do not expressly carry 
out this intent. We suggest that this intent to designate only 
the health care component of a mixed entity as a ``covered 
entity'' be incorporated in the regulations. Additionally, the 
Secretary's explanation concerning employers and how they fit 
into the regulatory scheme is somewhat confusing. We suggest 
that the Secretary clarify the responsibilities of employers 
that sponsor health plans.

B. What is Covered

    Again, the draft regulation currently only applies to 
health information maintained and transmitted in electronic 
form. We believe that the Secretary currently has the authority 
to promulgate regulations that apply to all health 
information--whether it is maintained in electronic or paper 
format--used and disclosed by covered entities.

C. Patients' Access to their Own Health Records

    The draft regulations give people the right to see and copy 
their own health information, and to request that it be 
corrected or amended. We commend this effort to extend these 
fair information practices to health information.
    We believe, however, that the Secretary has used a somewhat 
minimalist approach towards these rights. In our comments, we 
suggest a number of ways in which the right of access can be 
made more meaningful. Our major suggestions include:
     The decision to deny an individual's request for 
access to his health information should ultimately be made by a 
health care provider who is qualified to treat the patient for 
the condition that is the subject of the health information;
     There should be a meaningful appeals process for 
denials of access to health information; and
     The regulations should expressly state that a 
covered provider may not deny an individual access to his 
protected health information because of an unpaid bill for 
health care services.

D. Notice of Information Practices

    The regulations give individuals the right to receive 
adequate notice of the information practices of covered plans 
and providers. We approve of this approach. We are also pleased 
that the regulation requires the notice to address the entity's 
existing information practices, rather than possible 
information practices, and suggest that this component of the 
regulation be preserved. We recommend changes that strengthen 
the notice provisions, including a requirement that covered 
entities make a reasonable effort to obtain a signed 
acknowledgment that the individual has received and read the 
notice of information practices.

E. Patient Authorization

    The proposed rules would allow health information to be 
used and shared easily for treatment, payment and health care 
operations, without the consent of the patient. While we 
understand the need to strike a balance between individuals' 
privacy rights and the practical necessity of using and 
disclosing health information for certain purposes, we believe 
that the proposed regulations give too little weight to 
individual rights. Under the proposed rules, people have no 
ability to control or even monitor the use and disclosure of 
protected health information for purposes of treatment, payment 
and health care operations. We find this particularly 
disturbing given the Secretary's proposed construction that 
``treatment'' includes the treatment of all individuals, not 
just the individual subject of the information.
     The regulations should require authorization from 
the individual for the use and disclosure of information for 
treatment, payment and health care operations, which should be 
renewed at least once every three years or whenever the patient 
changes insurance companies, whichever occurs first. At an 
absolute minimum, covered entities should have the option to 
require patient authorization for treatment, payment and health 
care operations.
     The terms ``treatment'' and ``payment'' should be 
narrowly interpreted as applying to the individual who is the 
subject of the information.
     The definition of ``treatment'' should be amended 
to ensure that disease management programs are only conducted 
with the authorization of the treating physician.
     The regulation should expressly state that the 
term ``health care operations'' includes only disclosures made 
to the covered entity (or a business partner of such entity) on 
whose behalf the operation is being performed.
     The regulations should limit the definition of 
health care operations to include only those operations that 
cannot be carried on with reasonable effectiveness and 
efficiency without protected health information.
     Health care providers should be subject to the 
verification requirements of the regulations when the request 
for information for treatment purposes originates outside of 
the covered entity.
    We support the regulations' requirement that covered 
entities obtain an authorization from the individual for most 
uses and disclosures that are not directly related to 
treatment, payment or health care operations. We also strongly 
agree that consent must be voluntary, and cannot be tied to the 
delivery of any benefits or services. In addition to these 
requirements, we recommend that covered entities be required to 
obtain individual authorization prior to making certain 
disclosures of information pertaining to an individual's 
request or receipt of sensitive health services.

F. Minimum Necessary

    The proposed regulation requires organizations to ``make 
all reasonable efforts not to use or disclose more than the 
minimum amount of protected health information necessary to 
accomplish the intended purpose of the use or disclosure.'' We 
believe that this is the proper approach but that it does not 
go far enough because it does not apply to a large number of 
uses and disclosures. We urge the Secretary to extend this 
minimization requirement to most uses and disclosures.

G. Patient's Right to Restrict Disclosures

    The proposed regulations give an individual the right to 
request restrictions on the use and disclosure of protected 
health information for purposes of treatment, payment, and 
health care operations. That request can only be made to a 
health care provider, and it must be agreed to by that 
provider. We suggest that the regulations be amended in the 
following ways:
     Allow individuals to have a true right to restrict 
(not just the right to request restrictions on) the use and 
disclosure of their protected health information where the 
disclosure of that information could jeopardize the safety of 
the individual.
     Allow individuals who pay for their own medical 
care (self-pay) to have a true right to restrict the disclosure 
of their protected health information.
     Allow individuals to require or request 
restrictions from all covered entities, not just health care 
providers.
     Require all covered entities that receive health 
care information that are subject to a restriction to comply 
with the restriction.

H. Psychotherapy Notes

    We strongly commend the Secretary for excepting 
psychotherapy notes from the general rule allowing for the free 
flow of information for treatment, payment and health care 
operations purposes. The proposed regulations limit access to 
psychotherapy notes, absent specific consent from the 
individual. We believe, however, additional protections are 
critical for ensuring the level of privacy essential for 
effective mental health care.

I. Law Enforcement

    While we acknowledge the positive shift in the Secretary's 
approach from her 1997 position that law enforcement should 
continue to have unfettered access to medical records, this 
current proposal continues to fall far short of meaningful 
standards. We urge that the final regulation:
     Require that law enforcement officials obtain 
legal process issued by a neutral magistrate, and
     Require that legal process issue only after the 
magistrate has applied a strong legal standard in weighing the 
request.

J. Health Oversight

    We believe it is critical for the Secretary to clearly 
distinguish between law enforcement access and access to 
conduct health oversight activities.
    We are also deeply concerned that the health oversight 
section contains too few limits on access and reuse of 
protected health information. In particular, we believe that 
where health information is used in a health oversight 
investigation, there should be a prohibition on the re-use and 
re-disclosure of protected health information in actions 
against individuals. Such a limit is essential to ensure that 
the relatively easy access afforded to health oversight 
officials does not become the back-door for law enforcement 
access.
    While this prohibition may be beyond the Secretary's 
authority in this regulation, we do believe that the Executive 
Branch is empowered to issue an Executive Order barring the re-
use and re-disclosure of protected health information obtained 
pursuant to oversight. Such an order would establish legally 
enforceable limits directly on the federal employees charged 
with executing health oversight responsibilities.

K. Research

    We support the general approach towards research in the 
regulations. We are pleased that the regulation aims to 
establish uniform rules for researchers regardless of the 
source of funding. The regulation seeks to accomplish this 
goal, however, by allowing covered entities to disclose 
protected health information to researchers without patient 
authorization if the disclosure has been approved by an 
Institutional Review Board (IRB), or a newly created privacy 
board. We believe that the Secretary should eliminate the 
option of using a privacy board.
    If the regulation does not bring all research under the 
Common Rule, the proposed regulation should be revised to 
ensure that there are similar standards and equal oversight and 
accountability for both IRBs and privacy boards.

L. Enforcement

    We recognize that the Secretary is limited in addressing 
enforcement mechanisms by the delegation of authority in HIPAA. 
Thus, it is critical that the Congress act to grant people a 
private right of action to enforce their rights under this 
regulation.

M. Preemption

    We strongly support the approach in HIPAA and the proposed 
regulations that the federal privacy regulations will act as a 
floor, but not a ceiling, on privacy protections afforded by 
the States. Under this approach, weaker State health privacy 
laws are preempted (or overridden) while State laws that offer 
more protection than the federal regulations will remain. 
Furthermore, this approach allows a State, in the future, to 
enact stronger privacy protections to meet the changing needs 
of its citizens.
    We believe that the regulations should provide definitions 
of the terminology used in the preemption provisions for 
general purposes, not just for use in the Secretary's advisory 
opinions. We also believe that the regulation should treat 
state laws pertaining to disclosures about minors the same as 
other state laws generally, preempting state laws that are 
contrary to the proposed rule and less protective of the 
privacy of minors. Lastly, we are very concerned about the 
breadth of the provision under which a State may request a 
waiver that would allow a weaker State health privacy law to 
stand, essentially making the analogous federal regulation 
inapplicable in that State.

V. CONCLUSION

    On balance, we believe that the proposed health privacy 
regulations are a significant and vitally important step 
towards guaranteeing the American public a greater degree of 
privacy protection for their medical records. When finalized, 
the regulation will be the first comprehensive federal rules on 
health privacy, establishing a minimum set of standards by 
which health care providers, health plans, and others, must 
comply. As such, the regulations will not only foster greater 
public trust and confidence in our nation's health care system, 
but they will also bring much-needed uniformity and 
predictability to the privacy rules that must be adhered to 
across the country. Most importantly, the regulation will 
establish greater uniformity while leaving states the 
flexibility to act on behalf of their residents and augment the 
regulation as needed.
    We do believe that it is crucial for Congress to act to 
fill the gaps in the proposed rule: the regulation should be 
extended to cover all medical information, whether paper or 
electronic form; the regulation should cover all of those who 
generate, maintain or receive protected health information; and 
the regulation should include a private right of action.
    [An attachment is being retained in the Committee files.]
      

                                


    Chairman Thomas. Thank you very much, Ms. Goldman. Ms. 
Grealy?

 STATEMENT OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP 
                            COUNCIL

    Ms. Grealy. Mr. Chairman and members of the subcommittee, 
thank you for this opportunity to testify regarding the 
proposed HHS regulations regarding the confidentiality of 
patient information. I am Mary Grealy, President of the 
Healthcare Leadership Council.
    The HLC is an organization of chief executives of the 
Nation's most respected health care companies and institutions. 
The views I express today are those of innovative leaders from 
the full spectrum of American health care, health plans, 
physicians, hospitals, universities, pharmaceutical, 
biotechnology, and medical device manufacturers. Our members 
formed the Healthcare Leadership Council to promote their 
vision of a consumer centered health system that offers 
accessible, affordable health care of the highest quality.
    The HLC has led a broad-based coalition of 90 organizations 
and has sought to apply this vision to the issue of patient 
confidentiality. Our goal has been, and continues to be, 
legislation that establishes strong, uniform, Federal standards 
to protect the confidentiality of patient information.
    We share the desires of the administration and many members 
of Congress in this regard. Our members know firsthand how 
important it is that patients have trust that their medical 
information will be kept confidential and disclosed only when 
appropriate.
    We appreciate and applaud you, Mr. Chairman, and 
Congressman Cardin for your efforts to move us closer to the 
very necessary uniform Federal standards for privacy.
    In the absence of legislation, however, we concentrate on 
the matter at hand, the regulations proposed by Health and 
Human Services. We share the goal of members of this committee 
and of the regulations that they must achieve a critical 
balance. We must give patients confidence that their medical 
information will be kept confidential and that those who 
violate the patient's privacy will be subjected to strong 
penalties.
    At the same time, we must ensure that no regulatory 
barriers will be erected to obstruct the flow of information 
that has led to virtually every health care advance that has 
saved and enhanced lives. Can we achieve confidentiality 
protection without establishing costly regulatory burdens that 
will divert important resources away from patient care? 
Striking that balance is the standard that these regulations 
must meet.
    We have determined that in certain critical aspects they 
fall short of reaching that balance. While there are a number 
of very positive aspects to these regulations that we can 
endorse, there are also some ambiguities, gaps and, in some 
instances, explicit language that will make compliance 
difficult if not impossible and will have a detrimental effect 
on the quality and safety of patient care.
    Let me make clear at the outset that we support the 
Department's approach of permitting patient information to be 
used for payment, treatment, and health care operations without 
requiring individual authorizations. When individual hospitals 
and other providers experience millions of patient encounters 
every day, seeking individual authorizations to disclose 
information for each of those encounters would have a 
catastrophic effect on our health care system and patient care 
delivery.
    Under tab one of my testimony is a chart that illustrates 
the many integrated components of our complex health care 
delivery system. Requiring those separate authorizations would 
impede the flow of information that is needed for the various 
activities, such as lab tests, ordering prescriptions, 
immunization programs, and a variety of other encounters, as 
well.
    HHS has handled this important issue properly, and we 
endorse the approach that they have taken. Now let me address 
some of the aspects of the regulation that we cannot, at this 
time, support. My full written testimony addresses this in much 
more detail, but let me focus on just five areas this morning.
    Number one, these regulations become unworkable by 
attempting to restrict all uses of information as opposed to 
the disclosure of information. We agree that the limits on 
disclosure are necessary and appropriate, but attempting to 
regulate all uses creates a myriad of problems.
    Let me put this into prospective. It is inconceivable that 
regulators in Washington today can predict and define today 
what necessary use of patient information will be six months 
from now, much less six years from now. An attempt to do so 
will really have a chilling effect on the efforts to develop 
beneficial new uses of patient information.
    Number two, these regulations raise questions as to whether 
population data can be used without unreasonable restrictions 
to support patient treatment and important health care 
activities. For example, many health plans today review their 
entire enrollee database and analyze patterns of emergency room 
visits and pharmaceutical usage to identify those patients who 
can benefit from asthma management programs. These are the 
kinds of things that perhaps, if this regulation is not 
implemented appropriately or is not clear enough, would be 
prevented and necessary treatment would not be given.
    Number three, there is a two word phrase in these 
regulations that can have a major detrimental impact on patient 
care. That phrase is minimally necessary. These rules stipulate 
that the covered entity must individually review every 
legitimate request for patient information and provide only 
that information that is minimally necessary. We have heard 
that discussed today in the question and answer period, but I 
think you can detect that this would be a very burdensome 
requirement given the many patient encounters that occur in our 
health care system.
    Really a catch-22 exists here where you perhaps would have 
physicians that might be reviewing that request or nurses that 
are doing the review of those patient records. They would be 
experts, but that would be a real diversion away from patient 
care in using those resources. If we decide not to use a 
physician or a nurse, and we have others do it, there is a real 
chance that critical information would not be transmitted if 
they are trying to apply that minimally necessary rule.
    Number four, it is also troublesome that the regulations 
are requiring the cumbersome use of individual authorization 
for research unrelated to treatment. It is not clear what that 
phrase unrelated to treatment means. Again, you have heard 
earlier today some of the concerns raised about the use of that 
information and the need for having it for medical research 
that is critical to our health care delivery system.
    Finally, Mr. Chairman, it is clear in reviewing these 
regulations, that HHS has tremendously underestimated the cost. 
I think Blue Cross Blue Shield has highlighted that very well 
in their testimony and the study that they had done. The cost 
burden could have a very serious effect on the cost of health 
care and the delivery cost, and also on the access to health 
insurance coverage, about which we are all very concerned.
    In this vein, it needs to be emphasized that the Secretary 
really has, we believe, reached beyond her authority by 
requiring covered entities to apply these regulations in 
contracts with their business partners, and to monitor their 
business partners' activities. We also believe that it is 
outside the Secretary's authority to impose an implied private 
right of action, as we think has been done in these 
regulations.
    It is imperative, we believe, that there be a national 
uniform standard that will provide certainty and clarity to all 
who are involved in the health care delivery system, patients, 
providers, researchers and plans.
    We look forward to working with members of this committee 
and Congress, and also working with HHS as they produce this 
regulation, to see if we can come up with some constructive 
recommendations. And we think we have done that in the comments 
that we have submitted. We look forward to working with you and 
with the Department on this very important issue. Thank you.
    [The prepared statement follows:]

Statement of Mary R. Grealy, President, Healthcare Leadership Council

    Mr. Chairman and members of the Subcommittee, thank you for 
this opportunity to testify regarding the proposed HHS 
regulations governing the confidentiality of patient 
information.
    The Healthcare Leadership Council is the organization of 
chief executives of the nation's most respected health care 
companies and institutions. The views I express today are those 
of the innovative leaders from the full spectrum of American 
health care--health plans, physicians, hospitals, universities, 
pharmaceutical, biotechnology and medical device manufacturers. 
Our members formed the HLC to promote their shared vision of a 
consumer centered system that offers accessible, affordable 
health care of the highest quality.
    The HLC has led a broad-based coalition of 90 organizations 
that has sought to apply this vision to the issue of patient 
confidentiality. My testimony this morning is on behalf of HLC. 
Our goal has been, and continues to be, legislation that 
establishes strong uniform federal standards to protect the 
confidentiality of patient information. We share the desires of 
the Administration and many members of Congress in this regard. 
Our members know first hand how important it is that patients 
have trust that their medical information will be kept 
confidential and disclosed only where appropriate.
    We appreciate and applaud you, Mr. Chairman, and 
Congressman Cardin for your joint efforts to move us closer to 
those very necessary uniform standards.
    In the absence of legislation, however, we concentrate on 
the matter at hand, and apply our consumer-centered health care 
principles to the regulations proposed by HHS. We share the 
goal of members of this Committee that these regulations must 
achieve a critical balance. Are we giving patients confidence 
that their medical information will be kept confidential, and 
that those who violate a patient's privacy will be subjected to 
strong penalties? And, at the same time, are we ensuring that 
no regulatory barriers will be erected to obstruct the flow of 
information that has led to virtually every health care advance 
and breakthrough? Can we achieve confidentiality protections 
without establishing costly regulatory burdens that will divert 
important resources away from patient care?
    Striking that balance is the standard these regulations 
must meet, Mr. Chairman, and we have determined that, in 
certain critical aspects, they fall short. There are a number 
of positive aspects to these regulations that we can endorse. 
There are, however, ambiguities, gaps and, in some cases, 
explicit language that will make compliance difficult, if not 
impossible, and will have a detrimental effect on the quality 
and safety of patient care.
    Let me make it clear at the outset that we support the 
Department's approach of permitting patient information to be 
used for payment, treatment and health care operations without 
requiring the use of individual authorizations. When individual 
hospitals and providers experience millions of patient 
encounters every day, seeking an individual authorization to 
disclose information for each of those encounters -and the 
transactions resulting from them--would have a catastrophic 
effect on our health care system and on patient care.
    Tab one of my testimony is a chart that illustrates the 
many integrated component parts of our health care system. 
Requiring separate authorizations would impede the flow of 
information needed for various activities such as lab tests, 
ordering prescriptions, immunization programs, medical research 
and case and disease management, just to name a few.
    HHS has handled this important issue properly, and we 
endorse their proposed policy in this regard.
    Let me address, though, the aspects of these regulations 
that we cannot, in the name of quality health care, support. My 
full written testimony addresses our comments in greater 
detail, but allow me to highlight this morning five areas of 
particular concern.
    Number one, these regulations become unworkable when they 
attempt to restrict all uses of patient information, as opposed 
to disclosure of information. We agree that limits on 
disclosure are necessary and appropriate. Attempting to 
regulate all uses, however, particularly uses within an entity, 
creates a myriad of problems.
    For example, the regulations create a finite list of 
narrowly-defined activities for which data can be used without 
individual authorization.
    Let's put this into perspective. In the field of health 
care, there have been more new strides, developments and 
breakthroughs, more new ideas, practices and approaches in the 
last five years than in the previous 25 years combined. It is 
inconceivable that regulators in Washington can predict and 
define today what a necessary use of patient information will 
be six months from now, let alone six years. And to attempt to 
do so could have a chilling effect on our efforts to develop 
beneficial new uses of patient data.
    Number two, these regulations raise questions as to whether 
population data can be used, without unreasonable restriction, 
to support patient treatment and important health care 
activities. For example, many health plans today will review 
their entire enrollee database and analyze patterns of 
emergency room visits and pharmaceutical usage to identify 
those patients who can benefit from an asthma management 
program. These regulations are ambiguous, at best, as to 
whether this would continue to be an acceptable use of patient 
information without first obtaining an individual's 
authorization. If it is not, too many Americans will continue 
to suffer needlessly from treatable chronic conditions.
    Number three, there is a two-word phrase in these 
regulations that can have a major detrimental impact on patient 
care. That phrase is ``minimally necessary.'' These rules 
stipulate that the covered entity must individually review 
every legitimate request for patient information and provide 
only that information that is minimally necessary.
    Beyond the burdensome nature of this requirement -and 
imagine, for just one hospital handling hundreds of thousands 
of information transactions a year, how costly and time-
consuming it will be--it creates a problematic catch-22. If 
those reviewing the information are not medical professionals, 
you run the real risk of excising information that can be 
critically important to a physician or a medical researchers. 
If, on the other hand, you assign trained nurses and physicians 
to review data to determine what is minimally necessary, you 
are taking vital resources away from patient care. In either 
case, information critical to treatment and research could be 
withheld. That could expose patients to harm.
    The minimally necessary standard, as proposed, simply will 
not work.
    Number four, it is also troublesome that the regulations 
require the cumbersome task of individual authorizations for 
research unrelated to treatment. What does that phrase mean--
research unrelated to treatment?'' The regulations are not 
clear, and that ambiguity could lead to restrictions down the 
line that undermine vital medical research. What we do know is 
that the great research facilities of this country--the Mayo 
Clinic, Johns Hopkins and so many others--do extensive medical 
research that is not targeted to a particular disease or 
condition but that results in unforseen and unanticipated 
health breakthroughs. No regulation should inhibit or undermine 
this type of research. I have detailed other concerns with the 
rule's research provisions in my written testimony.
    And, finally, Mr. Chairman, it is clear in reviewing these 
regulations that HHS has tremendously underestimated the impact 
of these rules on health care costs. The total estimated 
compliance cost of $3.8 billion over five years fails to 
account for several new requirements found in these pages. The 
cost of personnel to determine the minimally necessary amount 
of information to be disclosed. Requiring health care providers 
to monitor the practices of their business partners. 
Establishing and operating federally-mandated privacy boards. 
The list goes on and on, Mr. Chairman, and the bill to 
patients, providers and the employers who provide health 
coverage will be a high one.
    In this vein, it needs to be emphasized that the Secretary 
has reached beyond her authority by requiring covered entities 
to apply these regulations in contracts with their ``business 
partners'' and to monitor those business partners' activities. 
And, it is outside the Secretary's authority to provide an 
implied private right of action not envisioned by HIPAA.
    Ultimately, as I mentioned earlier, we hope that Congress 
will pass comprehensive confidentiality legislation. As well 
intentioned as these regulations are, the Department cannot, 
under the HIPAA law, preempt state laws that are contrary to or 
stricter than the federal rules. Thus, as illustrated in Tab 
two of my testimony, we will continue to have a situation in 
which the simple act of filling a prescription can involve the 
separate and sometimes contradictory confidentiality laws of 
half a dozen or more states.
    A nationally uniform standard would provide certainty and 
clarity for all involved in the health care delivery system--
patients, providers, researchers and plans.
    We wish to continue to work with you, Mr. Chairman, and the 
members of this committee to advocate a legislative approach 
that will protect confidentiality while, at the same time, 
allow the free flow of information that saves lives and ensures 
quality health care for the American people.
    We will also continue to work with HHS on its regulation 
and have submitted what we hope are constructive comments to 
improve this rule.
    Again, thank you for this opportunity to testify today.

Summary of HLC Comments on the Proposed HHS Regulations

    Since enactment of HIPAA, which set in motion this debate, 
the HLC has supported several general principles: (1) Patient 
information should be protected, safeguards should be provided, 
and patients should have access to their own records; (2) clear 
boundaries should be set around disclosure of patient 
information; (3) penalties for violating these requirements 
should be imposed; (4) patient information should be available 
for research; and, (5) a nationally uniform set of standards 
should replace the ``crazy quilt'' of conflicting, confusing, 
and sometimes harmful, state laws.
    The HLC has thoroughly reviewed the proposed HHS 
regulations and has submitted extensive comments from a broad 
industry-wide perspective on aspects of the rule we support, 
and others that we cannot support without substantial 
modifications. The following will highlight our comments on the 
proposed rule.

Aspects Of The Proposed Rule HLC Supports

Allowing Disclosure/Use Without Authorization For Appropriate 
Activities

    The HLC supports the Department's approach of permitting 
patient information to be used for payment, treatment, and 
healthcare operations without requiring entities to obtain 
individual authorizations. This so-called ``statutory 
authorization'' approach is clearly correct. Alternative 
approaches requiring separate authorizations from the 
individual each time information is disclosed or used for 
appropriate health care activities would seriously disrupt our 
health care system and harm patient care.
    For example, providers routinely order tests and other 
services through unrelated providers (such as laboratories or 
radiology services), not all of which have contact with a 
patient. Family members routinely pick up prescriptions for a 
sick family member at home. Each of these potential exchanges 
of information could be subject to separate authorizations by 
the individual under multiple authorization schemes.
    Health plans often cover spouses, dependents, and even 
children not living with the parent who subscribes to the plan. 
Collecting authorizations from these individuals could create 
serious obstacles for the delivery of health care services.
    The potential harm caused by such multiple authorization 
schemes is not idle speculation. Maine passed such a law that 
was so disruptive it was repealed in an ``emergency'' bill just 
14 days after taking effect.
    Some Americans still view our health care delivery system 
as the relationship between patient, doctor, hospital, and 
pharmacist. The reality, of course, is that our system has 
evolved into a highly integrated, complex, and, as a result, 
better delivery system. Tab one of HLC's testimony illustrates 
the many integrated component parts of our health care system. 
Requiring separate authorizations to allow information to move 
among these components would be highly disruptive and 
compromise patient care.
    We do have concerns with several limitations put on the 
``statutory authorization'' which are discussed later.

Including Important Health Management Activities

    The HLC also supports the inclusion of treatment, payment 
and health care operations in the activities for which no 
individual authorization is needed. We are pleased that the 
Department recognized the importance of such activities as case 
and disease management to patients by including them in their 
definitions. Disease management programs for chronic diseases 
such as asthma, diabetes, heart disease, and others are 
dramatically improving the lives of millions of Americans. We 
do have concerns with some limitations on these programs which 
we discuss later.

Other Allowed Uses and Disclosures

    The HLC supports the need for disclosure to public health 
authorities and is pleased that the rule allows disclosure to 
someone complying with such an authority. We also support the 
need for the disclosure to health oversight agencies to improve
    health care quality and protecting public health, as well 
as for government health data systems.

Research

    Finally, the HLC supports the general direction of the 
research provisions of the rule to the extent it does not 
require individual authorization for disclosure of data to 
research entities. We do have some major concerns about the 
research provisions will be discussed later in our testimony.

Provisions of the Proposed Rule of Concern to HLC

Regulating Use of Information

    While the HLC supports the need for the rule to restrict 
disclosure of patient information outside of appropriate 
entities, we are concerned about the numerous and burdensome 
restrictions on the uses of such information, particularly uses 
within a covered entity. These restrictions on use of 
information create several problems.
     The rule prohibits all internal uses of data that 
do not fall in to a relatively narrowly defined set of 
activities. The Department is, thereby, taking the position 
that it can define all conceivable appropriate uses of patient 
information. We believe that this is not only impossible for 
current uses, but such an approach would have a chilling effect 
on the development of beneficial new uses of patient 
information.
     The HLC is concerned that the rule will unduly 
limit the use of population data that is used to support 
patient treatment and other legitimate activities. This is 
because the allowable uses of patient information are closely 
tied to the provision of health care to an individual patient. 
This raises a question as to whether, for example, a health 
plan could review an entire enrollee database to identify 
specific individuals whose utilization patterns of asthma 
drugs, or emergency room visits, indicate they would benefit 
from being enrolled in an asthma management program.
     Again, because an entity's internal uses of 
patient information are so sharply restricted by the rule, 
several important internal business operations of health care 
providers and plans could be left out. For example, a national 
health plan recently undertook a study to evaluate the cost 
effectiveness of its preauthorization requirements. Audits of 
real cases containing patient information were necessary. The 
audit resulted in the plan dropping some preauthorization 
requirements, a good result for patients and the plan.
     The HLC is concerned that the definitions of 
treatment, payment, and health care operations may be diluted 
by the rule's approach broadly defined as ``marketing.'' If a 
use or disclosure is deemed to be for the purpose of 
marketing--a term not defined--an individual authorization 
would be required. This determination could be made on a 
retrospective basis and could be applied to certain types of 
disease management programs, and also the use of formularies by 
health plans, and providers (most notably hospitals). For 
instance, a candidate for an asthma disease management program 
may receive a more effective drug therapy under a disease 
management program. There is the risk that under the rules such 
activities could be viewed as marketing activity. To the extent 
arrangements fall within the definition of treatment, payment, 
or health care operations, they should not be subject to 
conflicting rules under ``marketing.''
    The HLC recommends that the rule focus on restricting 
disclosure of patient information, not use (particularly use 
within an entity). At a minimum, internal management functions 
of providers and plans that involve only the use, not 
disclosure, of patient information should be broadly included 
under the definition of health care operations.

Minimum Necessary Rule

    The rule requires that entities ``review each request for 
disclosure individually on its own merits [from preamble]'' and 
determine which information is minimally necessary. It is 
neither practical nor consistent with good medical practice to 
promote a rule that would encourage and possibly require 
excision of data in a medical record. The recent Institute of 
Medicine report underscores the potential harm to patients when 
providers have only limited access to information. The HLC 
suggests that, alternatively, entities be allowed to have 
general practices and guidelines and not be required to make 
individual determinations.

Unnecessary Administrative Burdens

     The HLC is concerned that the requirements for 
accounting for the disclosure of patient information, detailed 
provisions governing the practices of ``business partners'' and 
their relationship with covered entities, and the training and 
certification requirements will greatly increase the 
administrative burden borne by covered entities.
     The Department has exceeded the scope of its 
authority under HIPAA in several provisions, most notably in 
those provisions pertaining to the ``business partner'' of a 
covered entity. And, it is outside the Secretary's authority, 
and not envisioned by HIPAA, to provide an implied private 
right of action.

De-identifying Data

    The HLC has serious concerns that the standard for de-
identifying data in the rule sets the bar too high. Requiring 
that 19 identifiers--including even ``account numbers'' and 
``zip codes''--be removed to de-identify data would make data 
anonymized and nearly worthless to most researchers. The 
practical effect of this standard will be to discourage, rather 
than encourage, encryption and other efforts to de-identify 
records. The HLC recommends that these ``identifiers'' be 
limited to a more reasonable list of characteristics that truly 
identify individuals.

Research

     The HLC believes that modifications to the 
Institutional Review Board (IRB) process should be addressed 
separately in a comprehensive review of the IRB process and not 
via this rule. Several of the criteria to be used by an IRB (or 
``privacy board'') exceed the Department's authority by 
regulating the content of research, as opposed to overseeing 
the confidentiality of data in research.
     The requirement that individual authorization be 
obtained to use data in ``research unrelated to treatment'' is 
unworkable and unnecessary.
     The HLC is concerned that the disclosure or use of 
data may be subject to the ``minimum necessary'' requirements 
mentioned earlier.

National Uniformity

    One of the primary reasons HLC supports comprehensive 
legislation to protect confidentiality is the need to provide a 
nationally uniform standard. The confusing and contradictory 
patchwork of state laws is an ineffective -and sometimes 
harmful--approach to regulating a highly integrated and 
decidedly interstate health care delivery system.
    An illustration of why state confidentiality laws are 
inappropriate in health care is included under tab two of my 
testimony. In this example, a college student living in New 
York is prescribed a medication in New Jersey. Before the 
transaction is completed, entities in seven states are 
involved. Which state's confidentiality laws apply? The answer 
is ``all of them!''
    The HLC has examined all of the state confidentiality laws 
on the books, and many more being proposed, and concludes that 
a nationally uniform standard would do more to protect the 
confidentiality of patients' information than any other single 
reform. Such a nationally uniform standard would provide 
certainty and clarity that would at once protect patients and 
not unduly burden health providers, plans, and others.
    Of course, under HIPAA, the Department does not have 
authority to preempt state laws that are contrary or stricter 
than the federal rules. Thus, the need for comprehensive 
legislation. At the very least then, the HLC believes that it 
is incumbent upon the Department to evaluate state laws and 
provide guidance to covered entities regarding which state 
standards covered entities should follow.
[GRAPHIC] [TIFF OMITTED] T6897.001

[GRAPHIC] [TIFF OMITTED] T6897.002

      

                                


    Chairman Thomas. Thank you very much, Ms. Grealy. Dr. Ober?

    STATEMENT OF N. STEPHEN OBER, M.D., PRESIDENT AND CHIEF 
 EXECUTIVE OFFICER, SYNERGY HEALTH CARE, WALTHAM, MASSACHUSETTS

    Dr. Ober. Chairman Thomas, members of the subcommittee, 
thank you for the opportunity to appear before you today. My 
name is Stephen Ober. I am a physician and President and CEO of 
Synergy Health Care, a health research and data analytics 
company headquartered in Waltham, Massachusetts.
    Synergy is a subsidiary of Quintiles Transnational 
Corporation, the largest contract research organization in the 
world and a leader in health care informatics services. As a 
subsidiary of Quintile, Synergy is an affiliate of ENVOY, the 
largest claims clearinghouse in the United States, which 
processes an average of 3.5 million electronic data 
transactions per day, providing connectivity between 270,000 
providers and 800 payers. I have been part of a Quintiles work 
group which has closely analyzed the NPRM in relation to its 
impact on claims clearinghouses and their business partners.
    Let me begin my comments by stating that Synergy and 
Quintiles, in general, believe that the proposed NPRM standard 
to protect the privacy of individually identifiable health 
information are reasonable. However, I would like to offer four 
brief comments.
    First, clearinghouses are defined as covered entities by 
the rule. But because clearinghouses are also business partners 
of providers and health plans and do not have direct 
relationships with patients, several requirements of the rule 
appropriately do not apply to clearinghouses, such as providing 
a notice of information practices, and offering access for 
inspection or copying of records. We applaud this sensible 
approach and fully support the concept that clearinghouses and 
other business partners would not be permitted to use or 
disclose identifiable health data in ways not permitted to the 
covered entity to which such information was initially 
provided.
    We are concerned, however, by the provision that would 
require a covered entity, when acting as a business partner of 
another covered entity--as claims clearinghouses always do--to 
be bound by the health information policies and procedures of 
its partners. Thus, the health care clearinghouse would have to 
establish its own privacy policies and procedures, but then be 
required to attempt to adhere to the privacy policies and 
procedures of the thousands--and I do mean thousands--of other 
covered entities for which it acts as a business partner.
    This approach would needlessly complicate the network of 
existing relationships and be practically impossible to 
administer.
    Second, the NPRM stipulates that covered entities must have 
each business partner sign a contract which details the uses of 
identifiable health information and requires its protection. 
Again, we agree with this principle. However, we suggest that 
HHS should adhere to its stated intention of promoting de-
identification of individual health information whenever 
possible by clarifying that business partners who are in lawful 
possession of identifiable health information may create de-
identified health data and, in fact, should be encouraged to do 
so.
    Third, in the NPRM, the Department proposes to establish a 
safe harbor for the creation of de-identified health 
information if covered entities eliminate 19 potential 
individual identifiers. While we agree with the elimination of 
most of the identifiers mentioned, eliminating others would 
negatively impact the ability to use these data in research 
activity.
    For example, certain geographic identifiers and patient 
date of birth are two of the most important demographic data 
elements required in performing most health care research. The 
rule, as written today, requires elimination or modification of 
these valuable elements.
    Finally, one of the most exciting potential of health care 
clearinghouses, and the one I am personally most passionate 
about, lies in the capacity to create de-identified data on a 
large scale.
    In the NPRM, HHS comments on the ``many instances in which 
such individually identifiable health information is stripped 
of the information that could identify individual subjects and 
is used for analytical, statistical, and other related 
purposes.'' This is, in fact, what we do at Synergy.
    For instance, one study for the Centers for Disease 
Control, we showed that the use of hepatitis B vaccine by 
physicians decreased dramatically following several reports of 
adverse effects of this immunization, something CDC had been 
struggling to monitor for several months. In another, we were 
able to illustrate the positive impact of an education program 
aimed at increasing appropriate physician testing and treatment 
of the bacteria that causes peptic ulcer disease, a curable 
illness today. In working with a major drug manufacturer and 
the FDA, Synergy's timely monitoring of a patient prescription 
usage patterns lead to a withdrawal of a previously used drug.
    And yes, Mr. Chairman, we have also done work looking at 
medical errors. These are just a few examples of what are 
virtually limitless uses of de-identified health care 
information.
    While we are most supportive of the NPRM rule as a covered 
entity and a business partner, we at Synergy and Quintiles want 
to be certain that all parties realize the impact of these 
regulations, if not carefully derived, could have on the status 
of health care research.
    On behalf of Synergy Health Care and Quintiles 
Transnational, thank you for the opportunity to appear before 
you today.
    [The prepared statement follows:]

Statement of N. Stephen Ober, M.D., President and Chief Executive 
Officer, Synergy Health Care, Waltham, Massachusetts

    Chairman Thomas, Members of the Subcommittee: Thank you for 
the opportunity to appear before you today to discuss 
provisions of the proposed regulation relating to the 
operations of health care clearinghouses, the creation and use 
of de-identified health information, and the preemption of 
state laws.
    My name is Stephen Ober. I am a physician and President and 
CEO of Synergy Health Care, a health research and data 
analytics company headquartered in Waltham, Massachusetts. 
Synergy is a subsidiary of Quintiles Transnational Corporation, 
the largest contract research organization (CRO) in the world 
and a leader in healthcare informatics services. As a 
subsidiary of Quintiles, Synergy is an affiliate of ENVOY, the 
largest claims clearinghouse in the United States, which 
processes an average of 3.5 million electronic data 
transactions per day, providing connectivity between 270,000 
providers and 800 payers. Some of you may have read of the 
pending purchase of ENVOY from Quintiles by Healtheon/WebMD. As 
part of this transaction, Synergy will continue to receive de-
identified data from ENVOY, maintaining our historic ties. The 
matters before this Subcommittee regarding data privacy and 
medical research have been of constant interest to our family 
of companies. I have been part of a Quintiles workgroup, which 
has closely analyzed these matters, including the NPRM and its 
relation to the impact on claims clearinghouses and their 
business partners, and I am happy to speak to you on this topic 
today.

Health Care Clearinghouses

    As you know, one of the objectives of the Health Insurance 
Portability and Accountability Act (HIPAA) was to improve the 
efficiency and effectiveness of the health care system, ``by 
encouraging the development of a health information system 
through the establishment of standards and requirements for the 
electronic transmission of certain health information.'' One 
reason why HIPAA was so crucial is demonstrated by the rapid 
growth in the electronic transfer of health information: today 
62% of all healthcare claims are processed electronically, and 
for hospital and pharmacy claims the percentage is over 80%. In 
1998 some 2.7 billion out of a total of 4.4 billion claims were 
processed electronically, an important factor in ongoing 
efforts to improve the efficiency of our health care system and 
reduce health care costs.
    In a section on ``administrative simplification,'' HIPAA 
directed HHS to adopt a series of standards that would 
encourage uniformity for a range of electronic health 
information transactions. The proposed standards for the 
privacy of individually identifiable health information that is 
maintained or transmitted electronically were also mandated by 
HIPAA in the absence of the passage of comprehensive medical 
records privacy legislation by Congress. The NPRM proposes 
standards to protect the privacy of individually identifiable 
health information, outlines the rights of individuals who are 
the subject of this information, and defines the authorized and 
permitted uses of identifiable health information. In general, 
Synergy and Quintiles believe that the proposed rule 
establishes reasonable standards for security and efficiency of 
the health information infrastructure. We applaud HHS's efforts 
to encourage the de-identification of health care data for 
medical research.
    The ``covered entities'' defined by HIPAA include health 
plans, health care providers that transmit health data 
electronically, and health care clearinghouses. Although 
clearinghouses are indeed covered entities, the proposed rule 
recognizes that they are also ``business partners'' of the 
health care providers or health plans for whom they are 
processing the full range of administrative transactions and 
providing connectivity. Because claims clearinghouses do not 
have any relationship with individual patients, the NPRM 
appropriately does not apply several requirements that must be 
followed by health plans and providers. These include, 
providing a notice of information practices, offering access 
for inspection or copying of records, and accommodating 
requests for amendment or correction.
    We endorse this sensible approach, and support the concept 
that clearinghouses and other business partners would not be 
permitted to use or disclose identifiable health data in ways 
not permitted to the covered entity to which such information 
was initially provided. We are concerned, however, by the 
provision that would require a covered entity, when acting as a 
business partner of another covered entity (as claims 
clearinghouses always do), to be bound by the health 
information policies and procedures of its partners. Thus, a 
health care clearinghouse would have to establish its own 
privacy policies and procedures, which is entirely sensible, 
but then be required to attempt to adhere to the privacy 
policies and procedures of the thousands of other covered 
entities for which it acts as a business partner. Obviously, 
this approach would needlessly complicate the network of 
existing relationships by which health care is delivered and 
paid for today, and potentially thwarts the administrative 
``simplification'' HIPAA meant to foster. In our written 
comment, we have requested that HHS clarify this provision, as 
it appears redundant and more likely to produce confusion than 
improved protection of identifiable health information.

Creation and Use of De-Identified Health Information

    The NPRM stipulates that covered entities must have each 
business partner sign a contract which details the uses of 
identifiable health information and requires its protection. 
Again, we agree with the principles that the use of 
identifiable health information by a business partner can be 
limited by contract and that business partners are not 
permitted uses or disclosures not allowed to the covered 
entity. However, we suggest that HHS should adhere to its 
stated intention to encourage de-identification of individual 
health information whenever possible by clarifying that 
business partners who are in lawful possession of identifiable 
health information may create de-identified health data and, in 
fact, are encouraged to do so.
    In the preamble to the proposed rule, HHS suggests that 
covered entities and business partners would be encouraged to 
create de-identified health data and ``would be permitted to 
further use and disclose such de-identified information in any 
way, provided that they do not disclose the key or other 
mechanism that would enable the information to be re-
identified, and provided that they reasonably believe that such 
use or disclosure of de-identified information will not result 
in the use or disclosure of protected health information.''
    One of the most exciting potentials of health care 
clearinghouses lies in the capacity to create de-identified 
data on a large scale. Certainly, using de-identified data for 
health research affords the greatest security for patient 
privacy, and the Department hopes that de-identified data would 
always be used when it is sufficient for a given research 
purpose. In the NPRM, HHS comments on the ``many instances in 
which such individually identifiable health information is 
stripped of the information that could identify individual 
subjects and is used for analytical, statistical and other 
related purposes'' such as epidemiological studies, comparisons 
of cost, quality or specific outcomes across providers or 
payers, studies of incidence or prevalence of disease across 
populations, areas or time, and studies of access to care or 
differing use patterns across populations, areas or time.'' In 
regard to the activities of claims clearinghouses, the NPRM 
suggests that such covered entities ``could want to use codes 
or identifiers to permit data attributable to the same person 
to be accumulated over time or across different sources of 
data'' and, further, that a ``business partner generally could 
create a database of de-identified health information drawn 
from the protected health information of more than one covered 
entity with which it does business, and could use and disclose 
information and analyses from the database as they see fit, as 
long as there was no attempt to re-identify the data to create 
protected health information.''
    At Synergy we use de-identified, aggregated health 
information to provide real-time data analysis to improve 
pharmaceutical and medical service outcomes. For instance, in 
one study for the Centers for Disease Control (CDC), we showed 
that use of the Hepatitis B vaccine by physicians decreased 
following several reports of adverse effects of this 
immunization--something CDC had been struggling to monitor. In 
another, we were able to illustrate the positive impact of an 
education program aimed at increasing appropriate physician 
testing and treatment of the bacteria that causes peptic ulcer 
disease. In working with a major drug manufacturer and the FDA, 
Synergy's timely monitoring of patient prescription usage 
patterns led to the withdrawal of a previously approved drug. 
These are only three examples of what are virtually limitless 
uses of de-identified health information.
    In the NPRM, the Department proposes to establish a ``safe 
harbor'' for the creation of de-identified health information 
by stipulating that ``[a] covered entity may use protected 
health information to create de-identified information by 
removing, coding, encrypting, or otherwise eliminating or 
concealing'' nineteen potential identifiers. Thus, regardless 
of a large or small population size, anyone removing all of 
these nineteen identifiers to create de-identified information 
could safely conclude that the information is not identifiable. 
As we have posed in our comments to the NPRM, the problem is 
that the anonymized data produced by this ``safe harbor'' 
method and the resulting aggregated database has little value 
for research purposes.
    For example, the list of nineteen identifiers includes 
information such as ``city, county, zip code, and equivalent 
geocodes.'' However, in order for de-identified data to be 
useful as health research, researchers must have a means to 
track information demographically. By excluding all means of 
demographic analysis, i.e., city, county, zip code and 
equivalent geocodes, the value of such health research would be 
diminished greatly. In our written comment we recommend that to 
maintain demographic value of the de-identified data, some 
geographic locators should be excluded from the list of 
nineteen identifiers. We are aware that there is a higher 
probability of identifying an individual if a nine-digit zip 
code is included as an identifier. By retaining city, county 
and five-digit zip code in the de-identified data, however, the 
probability of identifying an individual would be reasonably 
low.
    Similarly, HHS includes ``[b]irth date'' in the list of 
identifiers that must be removed or concealed to qualify for 
the de-identification safe harbor, but would allow age to be 
retained. However, the actual date of birth is of critical 
value for research purposes. For example, without date of birth 
it would be impossible to perform research on neonatal and 
pediatric populations. In these age groups differences in 
health status are measured in weeks and months, not years. 
Access to date of birth also avoids any of the ambiguities in 
assigning patients to age cohorts that can mire research 
efforts and produce erroneous results. For example, it may be 
unclear when a patient labeled as ``35 years old'' was actually 
that age--was it when they joined their health plan, saw their 
physician, or submitted their medical claim. Accordingly, 
retaining the date of birth or, at least, month and year of 
birth would be critical to research and produce higher quality 
results.

    In the NPRM, HHS proposes an alternative method for the 
creation of de-identified data, that is, ``entities with 
appropriate statistical experience and expertise may treat 
information as de-identified'' even if it contains one or more 
of the nineteen ``identifiers.'' We appreciate that HHS has 
provided concrete guidance regarding de-identification for 
entities that need it, but allows a sophisticated entity, using 
a standard of ``reasonableness,'' to make a determination 
whether sufficient information has been removed so that ``the 
result is still a low probability of identification.'' 
Nevertheless, even sophisticated users could decide to utilize 
a reasonable ``safe harbor'' that established a presumption of 
de-identification. Such a universal safe harbor would allow a 
framework that would serve as a benchmark for all, promoting 
uniformity in the health care industry and providing greater 
comfort to individuals with respect to their privacy.
    While I have focused on the potential impact of the 
proposed rule on health care clearinghouses, and the creation 
and use of de-identified data, I must comment briefly on the 
preemption of state laws. The proposed rule would establish a 
floor and preempt only those state laws that provide ``less 
stringent'' privacy protection. However, allowing states to 
create more stringent standards governing particular kinds of 
information or certain entities will create a confusing and 
ineffectual array of requirements. The proposed rule provides a 
logical and reasonable federal standard for ``authorized'' 
uses, but without preemption of state laws there can be no 
uniformity of protections or consistent guidance concerning the 
handling of identifiable health information for health plans, 
providers, researchers or, most importantly, patients.
    On behalf of Synergy Health Care and Quintiles 
Transnational, thank you for the opportunity to appear before 
you today. I will be happy to answer any questions.
      

                                


    Chairman Thomas. Thank you very much for your testimony, 
Doctor, and I do thank all of you for the far more extensive 
written testimony. My assumption that your submission to HCFA 
is also far more extensive.
    Dr. Plested, your position is one which I think is fairly 
recognizable in terms of physicians, the desire to protect that 
relationship between the doctor and the patient. Does the AMA 
or, if they do not have a position do you as a practicing 
physician, have any concern about the fact that the access to 
data, even if we were to restrict it to just the physician and 
the patient, is a two-way street under this structure? That is, 
patients have the right to look at data and, in certain 
instances, ``correct'' the data?
    Does that concern you all about whether or not the 
integrity of the medical record could be compromised, by the 
patient's ability to make changes?
    Dr. Plested. There is no question that in certain instances 
that is true, Mr. Chairman. I am sure Dr. McDermott can tell 
you, from the point of view of a psychiatrist, that there are 
times when it is not in the best interest of a patient that he 
continually review the chart and the notes that are made about 
him. We feel that it is important that the patient be a part of 
the treatment and we have suggested repeatedly that excerpts or 
that summaries should be prepared for all patients. Whether or 
not every patient should look at everything that is written, we 
are afraid, will lead to a practice of omitting sensitive 
material from records that physicians keep.
    Chairman Thomas. One of the reasons it is really hard to 
get this done is that it goes to the heart of who we are and 
how we operate. Whenever you deal with individual rights versus 
public rights, in trying to get that proper balance, especially 
in today's information rich world, it is very difficult. Look 
at the Bill of Rights. It starts out Congress shall make no 
law, and then away we go over the centuries, making laws. So it 
is a very difficult thing.
    Doctor, in trying to reconcile this individual versus the 
public rights relationship, do you believe that it is 
appropriate for us to collect the data, notwithstanding the 
very strong statement you have made, to attempt to get at the 
heart of the accidental deaths, upwards of 100,000, that the 
Institute of Medicine's To Error is Human Report indicates? 
That is, use this data for the public good, attempting to 
collect it in a way to examine practice procedures which might 
be collected in a systemic way to reduce medical errors?
    Is that a public good that you place fairly highly or low?
    Dr. Plested. Well, there is no question that the AMA is 
strongly on record that this is an absolute public need and a 
public good, and that is why we established the National 
Patient Safety Foundation, who I am sure you are quite familiar 
with. The question is how much sensitive, personally identified 
data is necessary for this type of activity to be carried out? 
I think that is debatable. There would be those who say that 
they must have access to all.
    Clearly that is not the case. We can do this type of a job 
that must be done and we support being done without having free 
access to everything in a patient's medical record.
    Chairman Thomas. Of course, if the choice is all or 
nothing, we would not be here and we would all be home already.
    Ms. Fox, you heard the testimony of HCFA, that they felt 
fairly comfortable about their $3.8 billion cost over five 
years. You have indicated that it is somewhere near $40 
billion.
    It is very disconcerting when you get those kinds of 
ranges. My assumption is that the lower the amount, I would put 
to you, the stronger you or Ms. Grealy or others would feel 
about the number being accurate. For example, if I said let us 
just cut it in half, and you go from $40 billion to $20 
billion, and let us take their number and double it from $3.8 
billion to $7 billion, that is still a pretty wide range, in 
terms of what the costs are going to be rippling through the 
system.
    I think that is your concern. Did you submit information 
which might assist HCFA in looking at the final reg, getting a 
better understanding of what your concerns were about where the 
cost centers might be that they had not appropriately looked 
at?
    Ms. Fox. Yes, we did, Mr. Chairman. I think one aspect is 
in their preamble to their proposed rule, they stated that 
there were a number of the areas they just did not have data to 
base the estimate. Three of the 10 areas they mentioned were 
areas that we thought were particularly expensive that we did 
very detailed estimates. We have met with them. We have 
submitted all of our materials, the backup materials. We have 
also met with the General Accounting Office, the Congressional 
Budget Office, and others, because we thought it would be 
really helpful for everybody to really take a look at some of 
these assumptions.
    I will just give you one example of where they did make an 
estimate where our estimates are very different, just to give 
you a sense of perspective. The regulation requires everybody 
to train their employees about these new privacy rules. We 
estimated, we assumed that employees would spend one to two 
hours over the five year period learning about privacy rules. 
We do not know what their hourly estimates were, but I can tell 
you for health plan their preamble says an entire health plan 
would spend $100 training their employees.
    I can tell you, as an employee of Blue Cross Blue Shield 
Association, on virtually any issue we get training on, we 
spend an entire day and it is a mandatory training. I do not 
know that we would do that on this, but $100 a health plan is 
just way underestimating the cost of training your employees.
    Chairman Thomas. Especially if you get caught in the web, 
it could be $250,000. The $100 would not have been well spent. 
What usually occurs in those instances is the dollar amount 
goes up in relation to the potential downside. I agree with 
you, $100 sounds a little short, especially with what $100 can 
buy today.
    Ms. Goldman, how many pages of information did you submit 
to HCFA?
    Ms. Goldman. We submitted nearly 120 pages of comments.
    Chairman Thomas. And yet your testimony indicated you were 
pretty supportive of the direction that they were going, yet 
you found 120 pages worth of areas worthy of commenting on?
    Ms. Goldman. Not to be accused of being verbose, we were 
mindful of the request the Secretary made when she issued the 
draft, that we should comment both on the things that we 
thought should be strengthened, and on the provisions we 
thought should be maintained.
    In addition, we had a number of groups sign on to our 
comments. And so each section of the regulation that we comment 
on also has the sign on of the supportive groups. So not every 
piece of paper is taken up with substantive comments, but there 
are about 120 pages.
    Chairman Thomas. Good, because I know that you were 
instrumental in producing for the this Health Privacy Project, 
the Best Principles for Health Privacy. I just have to tell you 
that I was a little concerned, as this group pulled together, 
that given the cross-section of individuals involved, which 
again was a very representative sample, and the ability to--I 
am sure there were differences--to resolve them and present 
specific examples for principles. One has been very helpful to 
me and I know, too, the gentleman from Maryland, in our looking 
at what we are doing, so I was interested.
    You made a comment and I want people to understand it, 
because you said in the area of law enforcement it fell short. 
What you meant by saying that it fell short was that there were 
not enough individual protections, vis-a-vis the ability of 
Government to get at data for what may or may not be worthwhile 
reasons. That is what you meant by falling short?
    Ms. Goldman. Exactly.
    Chairman Thomas. Because if somebody heard it and said you 
thought law enforcement fell short they might, if they did not 
know you, think it was the other way.
    Ms. Goldman. We hope, and we have not looked obviously at 
all of the comments that have been submitted as of today, all 
of the 40,000, but our hope, based on everything we have heard 
in the last few years, after the Secretary issued her 
recommendations, is that every single group, the consumer 
groups, disability rights groups, the health plans, providers, 
researchers, all think that law enforcement should be required 
to present some kind of legal process that is issued by a 
neutral magistrate and has a strong standard in it.
    I realize internally, within the administration, there is a 
debate over how that should be handled. We are hoping that they 
come down on the right side and strengthen that section.
    Chairman Thomas. But on a continuum, would you say that it 
is fair that, in comparison to the Secretary's first attempt in 
dealing with the records and law enforcement, that this most 
recent attempt is an improvement? Have you seen movement, 
significant movement, modest movement, not enough to really 
count?
    Ms. Goldman. Her initial recommendation said we should 
maintain the status quo, which is essentially unfettered access 
by law enforcement to people's medical records. So in a few 
years they have moved from that to saying here are three 
options that law enforcement can choose from that the covered 
entities can acknowledge, three options.
    Our concern is there is no guidance in the proposal as to 
when law enforcement should choose which option. So if 
information is highly sensitive and there is a serious risk of 
abuse, they could get an investigative demand that issues 
internally and that is just as sufficient as getting a warrant 
or a subpoena.
    So in some ways, it appears to be an improvement, but I 
think that it is a little misleading.
    Chairman Thomas. It may be the appearance, rather than 
actual.
    Ms. Goldman. Exactly.
    Chairman Thomas. Dr. Ober, your background and your 
business is an interesting one. Your description of it and the 
terminology you use is more and more becoming commonplace, 
about these companies that do not make widgets but provide very 
significant services to the society. There was an old ditty 
about big bugs have bigger bugs that jump on them and bite 
them, and bigger bugs have bigger bugs and so on, ad infinitum.
    This business of having entities that you articulated very 
clearly, nevertheless creates this kind of rotational aspect. 
Did you submit information to HCFA to assist in perhaps 
breaking that--if it is not a catch-22, it certainly is a big 
bugs have bigger bugs cycle?
    Dr. Ober. Yes, we did our best.
    Chairman Thomas. Given the way you deal with information, 
are there ways to--
    Dr. Ober. Sir, I think in what we submitted we tried to be 
quite clear in the myriad of business partners that we have and 
who Synergy is and what Synergy's mission is, as distinct from 
the claims clearinghouse partners that we have that submit the 
de-identified data directly to us.
    Chairman Thomas. I am very interested in this business of 
de-identified data, notwithstanding the identifier, since 
especially in dealing with electronics you can flag and do a 
number of things that allows you to deal with de-
identification, but if something comes up you can go back and 
look up a critical or health care nature.
    But most importantly, the absolute desperate need for 
broad-based data for outcomes research and for medical errors 
correction. We simply would not be able to make significant 
progress in those two areas. One, cost saving is very 
important. And the other, lifesaving is very important and we 
appreciate the data that you have and I may want to tap into 
it.
    The gentleman from Washington?
    Mr. McDermott. Thank you, Mr. Chairman.
    I would say that, having done this for a few years, I 
recognize the technique of burying people in paper and giving 
inflated estimates and doing a lot of things to create 
confusion, which stops things. I looked at that cost estimate 
that you put out and I do not want to spend my five minutes 
going through all of it, except to say that one of the things 
that was assumed by your contractor, Ms. Fox, was that there 
would be rules requiring new authorizations from current 
subscribers to use their data for treatment, payment of claims, 
or other health care plan options. And they estimated it for 
you at about $2 billion.
    Now the fact is that the proposal does not require 
providers or health plans to obtain patient authorization to 
use data for treatment, payment, or health care operations. So 
they created a burden and put a $2 billion tag on it. That is 
just one. There are a whole series.
    I think that if we are going to make the decisions here on 
the basis of what privacy is worth, then we ought to be real 
careful about how we estimate what it is going to cost. Because 
maybe we say to the American people we do not care about your 
privacy because it is going to cost too much. If that is the 
way we make the decision here, we will have a serious problem.
    I do not think the Chairman or I, or anybody else, and I 
think when you get these kind of estimates where clearly there 
are other things in here that I can go through, you have to be 
careful about using that because I think you create a problem 
for yourself.
    Dr. Ober, let me ask you a couple of questions, because I 
have a diagram about how your company operates. I was trying to 
figure out what kind of health information do you get and from 
whom do you get it?
    Dr. Ober. Currently, our stream of health care information 
is electronic, de-identified and encrypted data from ENVOY 
Corporation, which is as I mentioned earlier the country's 
largest claims clearinghouse. It is, from Synergy's standpoint, 
a single source, as a go-between between the providers of 
health care and the payers of health care, ENVOY has set up, 
over years and years, very standard formats in encryption 
technology, such that Synergy is the daily recipient of those 
data streams.
    Mr. McDermott. It is not individually identified?
    Dr. Ober. No, sir.
    Mr. McDermott. It is all de-identified?
    Dr. Ober. It is de-identified and encrypted; that is 
correct. At Synergy's end we ``use'' the pharmacy data and the 
medical data to do our work.
    Mr. McDermott. But you use that data, it comes over the 
Internet?
    Dr. Ober. No, sir, it comes through a direct T-1 hookup 
between Nashville and Boston, Massachusetts.
    Mr. McDermott. You have one line that goes all the way?
    Dr. Ober. Yes, sir.
    Mr. McDermott. And nobody can break into that?
    Dr. Ober. No, sir, it is a dedicated, dial-up line, 
security.
    Mr. McDermott. As we have watched recently, there have been 
some privacy breaches in health-related websites. You are 
saying, in public and on the record, that there is no way 
anybody can break into your system?
    Dr. Ober. I would not be that naive, to say that there is 
no way someone could, sir. I think there is probably three or 
four levels, when you think about what we mean by security in 
the technology age today. And there is a major difference 
between Internet technology, as we know it in common parlance, 
and also the dial-up direct networks that we have set up with 
ENVOY. So that the multiple levels of security that we have, 
and certainly the fact that it is not Internet right now, and 
that it is a direct dial-up, which offers one level of 
security.
    Secondly, if someone were to get into our ``network'' as 
does happen every now and then, there are no less than three 
levels of firewall and security checks, passwords and double 
passwords and changing passwords, that one would need to crack 
that.
    But then we are also offered a third level, which I think 
is quite valuable to the business we are in. And that is, if 
somebody were, God forbid, to get into our claims level 
database, it would almost be nonsensical because it is still 
encrypted. Certainly, it is already de-identified. But on top 
of that, most of the data we have in our warehouse, in our 
database, is alpha-numeric codes that to a layperson would mean 
nothing, such as an 11-digit for a particular pharmaceutical. 
They would have to know that digit means a particular drug.
    Not infallible but certainly, we think, offers quite a bit 
of protection.
    Mr. McDermott. When your company sells ENVOY to WebMD, as 
they are in the process, what are they selling to WebMD?
    Dr. Ober. The assets of the transaction business.
    Mr. McDermott. What are you giving them?
    Dr. Ober. It is a company of X numbers, hundreds of 
employees, and the technology that goes into transacting the 
process of those claims from providers to payers.
    Mr. McDermott. But no access to any database?
    Dr. Ober. No, sir.
    Mr. McDermott. You are just selling the people; is that 
what I understand?
    Dr. Ober. Peoples, computers, hard assets.
    Mr. McDermott. Why would WebMD buy that bunch of people and 
not want the database that they have?
    Dr. Ober. You would have to ask Mr. Arnold.
    Mr. McDermott. How did they cut them off?
    Dr. Ober. Well, we still are going to--
    Mr. McDermott. Did they say we will leave this over here, 
you can buy everything but the database?
    Dr. Ober. We were very much arms-length from day one with 
ENVOY because we have set up these very elaborate encryption 
and de-identification processes.
    Mr. McDermott. It does not look like there is much arms-
length when you see this, it says product development and 
commercialization. You are down in the--
    Dr. Ober. Informatics.
    Mr. McDermott. Informatics. You gather the information and 
pass it to the product development, who then commercialize it. 
That is what your diagram, that is what your promo is?
    Dr. Ober. Yes, and that is maybe confusing. I would have to 
look at it. But what Synergy's core business is, again, it is 
medical research and it is analyzing transaction data which we 
receive encrypted and de-identified from ENVOY. It has always 
been our business, even prior to joining Quintiles and that 
organization.
    Mr. McDermott. With your indulgence for just a second, then 
what are you worried about? This is de-identified?
    Dr. Ober. Correct.
    Mr. McDermott. So what are you worried about?
    Dr. Ober. Absolutely nothing.
    Mr. McDermott. You came down here to Washington to 
testify--
    Dr. Ober. I was asked to testify, particularly I think 
based on the value of de-identified health care information for 
the public good, as we have met with Mr. Cardin and others 
throughout the last several months. Quintiles is a very large 
organization, and we have clinical research groups, 
commercialization groups, and of course informatics.
    We wanted to really rest assured that the ability for our 
business partners to do the de-identifying and continue to pass 
that very valuable stream to us, to do our business, would not 
be impeded by the regs. And as near as we can tell, it really 
is not.
    Mr. McDermott. But what is the problem, when the regulation 
simply requires the contract between you and the people who are 
shipping this de-identified information to you, you are a big 
company. Why would you bristle or object to signing a simple 
contract and say we are not going to give away information that 
we do not have anyway? What is the problem with that?
    Dr. Ober. I went over the three or four points that we were 
concerned about in my testimony, and which we have submitted. 
We wanted to really rest assured that our ability to do the de-
identification, receive de-identified data, would not be 
encumbered by the regs. And the early drafts were still 
questionable.
    I think the rule, as we have read it today, we appear to be 
very comfortable with it.
    Mr. McDermott. So you are setting up a false ghost here, 
and you are now clobbering it; right? We do not want that 
ghost? Because it is not in the regs now.
    Dr. Ober. We are certainly glad to hear you say that and we 
agree that most of what we were looking for is not in the regs, 
so we are quite pleased by that. Setting up contracts with 
individual business partners of which for example, wearing my 
ENVOY affiliate hate right now, ENVOY has thousands of business 
partners. And it becomes quite unclear whether or not those 
business partners have to execute contracts with ENVOY, of 
which there are thousands or tens of thousands, providers, 
pharmacies, payers, et cetera, et cetera.
    Mr. McDermott. When you get that data, you guarantee that 
no one can unscramble your encryption and get out names or 
anything else, or mailing lists for anything?
    Dr. Ober. It is as secure as anything that is 
technologically available, is what I can rest assured on.
    Mr. McDermott. I really find it hard to understand why you 
are here, what you are worried about. If you are not exposing 
individuals in the society--
    Dr. Ober. That is correct.
    Mr. McDermott.--in any way, why should these regulations 
bother you? It is very curious to me. Maybe somebody else knows 
what he is worried about. I do not know. Ms. Goldman, do you 
have an idea?
    Ms. Goldman. I am heartened actually to hear that he 
supports essentially the draft regulation, which I think is 
important. Because if the description is accurate, that what 
ENVOY is transmitting is de-identified, it is then not covered 
by the regulation at all. The transmission of that information 
is then not covered because it is de-identified.
    Mr. McDermott. Thank you for your indulgence for an extra 
20 seconds.
    Chairman Thomas. One of the values of this testimony, I 
think, beyond doubt, especially your somewhat incredulous 
belief that there was some value in whatever it was that these 
folks did from a business point of view--I was curious whether 
they were publicly held and how much they were selling this 
stuff for--is just an indication of how much is going on out 
there that even knowledgeable people may not be familiar with, 
but if you say something that sounds innocuous, business 
entities must and therefore in extension with other business 
partners create relationships in which you may have had no 
intention whatsoever of disrupting, but in fact you may very 
well.
    His initial statement, the description of what they do, the 
fact that someone believes there is value in it, and that they 
would have to then comply with everybody else who may or may 
not be identified as business partners, I think he has every 
right to be concerned about how HCFA in the reg does identify 
business partners, notwithstanding the content being de-
identified. I doubt if, in fact, it was going to get into de-
identifying public partners in terms of the data they have 
versus identified public partners in the data that they have, 
versus those that are merely transmitters of that data from 
someone else.
    It is that kind of complexity that is out there today 
producing value that people are willing to spend literally 
millions of dollars for that may, in fact, be significantly 
disrupted. That is the concern we have. I appreciate the 
gentleman taking valuable time out of doing whatever it is you 
do that people think is really valuable, for however much it is 
worth, to sensitize us to the concerns that you have.
    The gentleman from Maryland?
    Mr. Cardin. Thank you, Mr. Chairman.
    Of course, if we had given HHS proper authority or 
delegation or if we had passed a bill, we would not have this 
problem. I think the only reason we have this convoluted 
process is because of the desire of HHS to have an enforceable 
privacy act and under the HIPAA statute they do not have the 
ability to do it. That is why we need to enact a bill.
    Chairman Thomas. I obviously totally agree with the 
gentleman but I do hope that people understand that, by that 
inference, I do not think that you mean that the HIPAA 
legislation was designed to be perverse or to create a 
structure which would, in anticipation, create the problems?
    Mr. Cardin. No, I think we anticipated that Congress was 
going to pass a privacy act, and we have not done that.
    Chairman Thomas. Exactly.
    Mr. Cardin. All these are trade-offs. It is interesting, 
you talk about the trade-offs for privacy for the patient 
versus the need for information to be available for good 
purposes, whether it be law enforcement, whether it be 
research, or whether it be treatment. And there is trade-offs 
on cost. Every time we put additional requirements in to 
protect privacy, there is going to be some sacrifice of 
efficiency. So it is going to be all trade-offs.
    I want to just concentrate on one, which we affectionately 
call the statutory authority, or when the identifiable 
information can be made available without the specific 
authorization of the patient. If I understand Ms. Goldman's 
point, you are concerned that in the regulation the use of that 
information should be signed off by the patient. That is the 
patient gives specific authorization, but must know that 
information can be made available by signing off on a form 
indicating an acknowledgement of that. Is that correct?
    Ms. Goldman. Exactly. It essentially makes the notice 
requirement that is currently in the proposal more meaningful. 
Right now, the way the health care system operates is that 
people do not get care or enroll in a health plan unless they 
sign an authorization form. People sign at the point of care 
and the point of enrollment right now. The Secretary is 
proposing not only eliminating that practice but prohibiting 
that practice for the sharing and collection of information.
    It is not necessarily a meaningful requirement right now in 
current practice, in other words you do not have a real choice 
about withholding your authorization. But it does, I think, 
alert the public to how their information is being used and who 
might get access to it.
    Mr. Cardin. I certainly agree that notice should be given 
to patients. Patients should absolutely know that. My concern 
is what happens if the patient does not sign off on the 
acknowledgement?
    Ms. Goldman. My understanding of the way the current system 
operates is that you can withhold treatment and deny benefits 
if people do not authorize the use and disclosure of 
information for treatment and payment. And right now, they are 
authorized to release the information for a broad category--
    Mr. Cardin. There is broader reasons than just treatment 
and payment. I guess my question is if the patient does not 
sign off on the acknowledgement, or if the user does not have a 
copy of that in the file, what does that mean?
    I think we have to think that ought. Clearly, I agree with 
you, notice is absolutely essential, that the person 
understands what the information can be used for. I just do not 
know whether signing off is the right way to do it, and whether 
that does not just create more problems for Ms. Fox and Ms. 
Grealy on administrative costs.
    Dr. Plested, I want to just follow up, so I understand the 
AMA's position, because you have a narrower interpretation of 
what should be allowed. You want to have more specific 
authorization from the patient. I take it not in regards to 
treatment? Or is it in regard to treatment, also?
    If you get a request from a physician who you have referred 
a patient to, can you make that medical information available 
without a specific authorization, under your position?
    Dr. Plested. Clearly, if we have had a referral from 
another physician and the patient comes to see us, I think 
there is an implied consent that we share the information about 
that patient.
    Mr. Cardin. So you would not need specific authorization 
for that?
    Dr. Plested. No.
    Mr. Cardin. How about paying a bill? Would you require 
specific authorization for that?
    Dr. Plested. This gets a lot tougher. Because what 
information is needed to pay a bill? Today, if I submit a bill 
for a consultation, I have to submit the full consultation to 
the insurer. Why does the insurer need to know your mother's 
family history or what your sexual preference is, or anything 
else, because I saw you because you have a sore foot?
    Mr. Cardin. That is fair enough, I agree with you. It 
should be related to the need for payment.
    Dr. Plested. That is right. But now the insurer has a form 
signed that he gets everything, and I cannot get paid without 
it.
    Mr. Cardin. That is specific authorization in most cases 
today. The problem we have, and I think Ms. Goldman mentioned 
it, routinely when a person signs up for a health care plan 
they sign a lot of forms. In many cases, they do not even know 
what they are signing. And they are giving blanket authority 
right now to release everything.
    At one point we are going to have to talk about the use of 
specific authorization. But I think what HHS is trying to 
achieve, and I know what Mr. Thomas is attempting to do, is to 
have reasonable statutory authority specifically as to what 
information is really needed so that we get away from these 
blanket authorities, so that we get away from people not 
knowing that they have released so much information that is 
unnecessary, because your point is well taken. The doctor 
should not have to submit the whole family history for payment.
    And if we have proper statutory authority, I would submit, 
that would not be happening. But because of the absence of 
statutory authority in this area, we find that there is more 
information being made available through specific authorization 
than is needed.
    Dr. Plested. And if I could continue that, that goes 
directly to the Chairman's question about whether we have a 
floor or a preemptive rule, and it depends on where the bar is. 
If the bar is high like you suggest to protect patient's 
privacy for only that information that is absolutely necessary, 
the AMA says yes, we will look at a Federal preemption.
    But now the Secretary's bar is so low, protecting the 
patient and giving any entity outside all the information that 
they want, that is why we feel that stronger state laws are 
important.
    Mr. Cardin. Thank you, Mr. Chairman.
    Chairman Thomas. Thank the gentleman. I want to thank all 
of the witnesses and the members. Another question? Go ahead.
    Mr. McDermott. I appreciate your letting me ask one more 
question.
    Chairman Thomas. I reserve the right to thank all members.
    Mr. McDermott. I want to go back to Dr. Ober. The Quintiles 
1998 report states that by combining services and connections 
and information ``Quintiles is creating on the Internet a 
unique software bridge of information between pharmaceutical 
products, patients, physicians, payers and regulators.''
    Now, they do clinical trials?
    Dr. Ober. Correct.
    Mr. McDermott. So they have somebody's name then; correct?
    Dr. Ober. I am sorry, sir?
    Mr. McDermott. They have somebody's name then, when they 
are doing a clinical trial?
    Dr. Ober. For clinical trial purposes they certainly, they 
would have the names at the physicians' clinical site, but 
everybody is blinded, to the best of my knowledge, to 
information that is centralized. The clinical trial results in 
many, many sites worldwide. Where an individual would collect, 
through case report forms, a variety of critical information 
about the study at hand.
    Mr. McDermott. So Quintiles never receives anybody's name, 
ever?
    Dr. Ober. No, I cannot make that statement, sir. Actually, 
our informatics group does not work with the clinical trials 
group at all.
    Mr. McDermott. But you are all connected in this business 
relationship in your picture here; right?
    Dr. Ober. Not Synergy, sir. Not ENVOY. The clinical trials 
capability, if you will, which is emerging for administrative 
efficiency to take place over the Internet and other 
interactive connectivities, is not part of the core business of 
the informatics group at all.
    Mr. McDermott. But you are all business partners, by the 
definition of this rule and regulation; correct?
    Dr. Ober. Okay, well, business partners with respect to the 
fact if we were using that information, which we are not. We 
have nothing to do with the clinical trial site of Quintiles. 
It is a separate entity.
    I know the diagrams can be misleading, but there is no 
relationship at all between the clinical trials group and the 
information they collect is completely different information 
for very specific clinical purposes, which I believe is outside 
the reg, as opposed to what we are doing with de-identified 
information at Synergy and the informatics group. Completely 
different datasets.
    Mr. McDermott. We have the wrong guy here. We should have 
the guy from Quintiles, as to whether he lets the information 
go over to the commercialization under Inovex, right?
    Dr. Ober. I can assure you that there is no connection 
between patient names going from clinical trails to Inovex. 
That I can assure you of, sir.
    Mr. McDermott. Thank you, Mr. Chairman.
    Chairman Thomas. As they usually say, this prospectus is 
for information only and it should not be considered to be 
legal. They have a whole lot of papers on file, and you are 
working off of one little picture here.
    It is very complicated and if they have any clinical trials 
worth their salt, they are usually double-blind at the time of 
the clinical trials.
    Dr. Ober. That is exactly correct.
    Chairman Thomas. Let alone with the transmittal of 
information.
    I thank the gentleman very much.
    I also thank all of you and, as I intended to say 
initially, this is a very difficult area. I appreciate 
everybody keeping the politics down to a minimum and, in fact, 
very visible because the policy is tough enough standing on its 
own.
    Thank you very much and I look forward to working with you 
as we move forward. The subcommittee stands adjourned.
    [Whereupon, at 12:43 p.m., the hearing was adjourned.]
    [Submissions for the record follow:]

Statement of the American Academy of Pediatrics

    The American Academy of Pediatrics was pleased to comment 
on the November 3, 1999 Notice of Proposed Rules on Standards 
for Privacy of Individually Identifiable Health Information. 
The Academy and its 55,000 members support the goal of 
protecting the privacy of identifiable health information. 
These proposed regulations are an important first step. 
However, because the Health Insurance Portability and 
Accountability Act of 1996 gives the Department of Health and 
Human Services only limited authority in this area, federal 
legislation protecting the privacy of all identifiable health 
information used by all entities is still necessary.
    Our comments address many provisions of the proposed 
regulations. In particular, we would like to highlight the 
following:
    1) Adolescents have a unique need for privacy concerning 
the many sensitive issues they often face. In many cases 
adolescents will obtain health care only if they are guaranteed 
that their parents will not learn about it. The privacy 
regulations must protect adolescents' rights. Generally, the 
regulations create a ``floor,'' preempting less stringent state 
laws on privacy of health information. However, the regulations 
have a ``hole in the floor'' since minors are not guaranteed 
that the federal regulations will preempt less stringent state 
laws concerning their confidentiality rights. The regulations 
should provide minors with a uniform privacy standard, must 
preserve health care providers' ability to treat adolescents 
confidentially and must ensure that minors and their parents 
are informed of their privacy rights.
    2) Health care providers should not be held accountable if 
protected health information is used for prohibited purposes by 
the entities to which they disclose the information. Once the 
information has been transmitted responsibly to a legitimate 
entity for a specified purpose, its privacy should be the 
responsibility of the receiving party.
    3) Privacy standards should apply to all identifiable 
health information, regardless of whether it has ever been 
electronically transmitted or maintained.
    4) The scalable nature of the regulations is very important 
in preventing an undue burden for physicians and ensuring 
effective provision of health care.
    5) The provisions regarding research require substantial 
revision and clarification to better direct Institutional 
Review Boards and privacy boards and so that responsible 
research into important health concerns is not hampered.
    The full text of the AAP comments will be available shortly 
at ``http://www.aap.org''
    The AAP comments are also endorsed by the Association of 
Medical School Pediatric Department Chairs, the American 
Pediatric Society, and the Society for Pediatric Research
      

                                


                             American College of Phsicians-
                      American Society of Internal Medicine
                                  Washington, DC 20006-1834
                                                  February 17, 2000
Margaret Ann Hamburg, M.D.
Assistant Secretary for Planning and Evaluation
U.S. Department of Health and Human Services
Attention: Privacy-P
Room G-322A, Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

    Re: Comments on the Proposed Standards for Privacy of Individually 
Identifiable Health Information, 45 CFR Parts 160-164, 64 Fed. Reg. 
59917 (November 3, 1999)

    Dear Dr. Hamburg:

    The American College of Physicians-American Society of Internal 
Medicine (ACP-ASIM), representing 116,000 physicians who specialize in 
internal medicine and medical students, is pleased to submit comments 
in response to the Notice of Proposed Rulemaking (NPRM) issued by the 
Department of Health and Human Services (HHS) and published in the 
Federal Register dated November 3, 1999. ACP-ASIM is in a unique 
position to evaluate patient privacy legislation: our members represent 
the gamut of internal medicine, including both general internists and 
subspecialists engaged in the practice of internal medicine as 
individual practitioners, members of group practices, government 
employees, professors of medicine, and medical researchers.

Summary of Comments

     We support the flexibility that would reject a ``one size 
fits all'' approach in implementing the privacy provisions, and the 
``minimum necessary'' standard;
     We support the way the rule deals with disclosure of 
protected health information for research purposes, protecting patient 
privacy without imposing undue burdens that would impede research;
     We support providing patients with the right to inspect, 
copy and amend their patient records, and requiring notice to patients 
of their privacy rights and of how their medical information might be 
used or disclosed;
     We support the provisions regarding public health 
activities, health oversight, and judicial and administrative 
proceedings;
     In general, we oppose allowing the use and disclosure of 
confidential medical records without individual authorization for 
treatment, payment and health care operations (as defined in the NPRM);
     We are very concerned that the provisions on business 
partners would be very difficult to enforce, create open-ended and 
unpredictable liability for physicians and are unduly burdensome;
     We believe the provisions concerning law enforcement are 
too broad and would violate privacy rights;
     The costs of implementing the proposed rule have been 
vastly underestimated and would have a disproportionate impact on small 
business; and
     Physicians, especially those in small practices, will be 
subject to disproportionate administrative burdens as a result of the 
proposed rule, and should be exempted from the most onerous provisions 
of the rule. Physicians, unlike some of the other covered entities, are 
already bound by ethical obligations to uphold confidentiality and 
privacy rights of patients.

General Comments

    Confidentiality is increasingly difficult to maintain in this era 
of computerized record keeping and electronic data processing, faxing 
of patient information, third-party payment for medical services and 
sharing of patient care among numerous medical professionals and 
institutions. ACP-ASIM commends HHS for tackling this difficult and 
complex issue and for attempting to ensure protection of patient 
confidentiality without impeding or preventing access to data that is 
essential to the efficient delivery of quality patient care and for 
medical, public health and health services research. Given the 
limitations on HHS's authority, the approach of trying to protect the 
information itself is understandable. We are concerned, however, that 
the proposal generally sweeps all covered entities together under the 
same complex regulatory framework. Individual physicians, governed by 
ethical codes of conduct and state professional disciplinary codes, are 
being lumped together with large institutional providers, health plans, 
and clearinghouses. Are there data to suggest that individual health 
care professionals are routinely and intentionally breaching 
confidentiality, or that patients fear that they are? Anecdotally, 
patients express concerns about health plans, organizations and 
institutions breaching confidentiality, not their individual 
physicians. Physicians are obligated to protect patient 
confidentiality, especially in light of the increased risk for invasion 
of patients' privacy from the computerization and electronic 
transmission of medical records. We are concerned that the rule, 
proposed as ``a basic set of legal controls,'' might be viewed instead 
as all that is required of physicians, and could undermine the 
traditional ethical and professional obligations to uphold 
confidentiality. Moreover, the proposed rule does not cover entities 
that are more likely to wrongfully disclose and misuse confidential 
information.
    The ACP-ASIM recognizes the need for appropriate safeguards to 
protect patient privacy, because trust and respect are the cornerstones 
of the patient-physician relationship and quality health care. Presence 
of trust, respect, and privacy create an atmosphere in which full 
disclosure of information from patient to physician can occur, 
enhancing treatment. Patients have a basic right to privacy that 
includes the information contained in their medical records. Medical 
personnel who collect health information have a responsibility to 
protect patients from invasion of their privacy. Patients need to be 
treated in an environment in which they feel comfortable disclosing 
sensitive personal information to a physician that they trust. 
Otherwise, they may fail to fully disclose conditions and symptoms, 
thereby reducing the effectiveness of treatment and perhaps seriously 
imperiling their health, or, they may avoid seeking care altogether for 
fear of the negative consequences that could result from a disclosure. 
Physicians have a responsibility to respect patient privacy first, 
except when doing so may result in serious harm to the patient or 
others, or when required by law. See ACP-ASIM Ethics Manual (Fourth 
Edition), Annals of Internal Medicine 1998, 128: 576-594). We are 
concerned that the NPRM goes too far in the direction of disclosure of 
protected health information without individual authorization; our 
concerns in this regard are set forth in more detail under the section 
dealing with ``Treatment, Payment and Health Care Operations.''
    The NPRM is an important step in ensuring federal protection for 
the privacy of medical records and represents significant progress 
toward finding the right balance between the privacy rights of patients 
and the free flow of information that is necessary for the provision of 
effective and efficient health care services. The limited scope of 
HHS's authority pursuant to the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996, however, illustrates that 
comprehensive federal privacy legislation is needed. Because of the 
limitations imposed on HHS, too many burdens for compliance are placed 
on physicians. While we are not suggesting that the medical privacy 
rule should not be applied to physicians, we do think that there should 
be a reexamination of the need for some of the provisions, as they 
would be applied to small physician offices. To the extent that small 
physician practices are not exempted from the provisions, HHS should 
apply them in the least burdensome fashion.

Introduction to General Rules

    ACP-ASIM supports the ``scalability'' approach taken in the NPRM, 
under which a ``one size fits all'' standard would be rejected for the 
implementation of the privacy provisions. It is critical that each 
affected entity be able to assess its own needs and devise, implement 
and maintain appropriate privacy policies, procedures and documentation 
to address its business requirements. Our members range from physicians 
working in solo practitioners' offices to multi-group practices to 
academic health centers, all of which have different needs and business 
practices.
    ACP-ASIM also supports the stated general approach of the rule 
whereby protected health information (PHI) could not be used or 
disclosed by covered entities except as authorized by the individual 
who is the subject of such information or as explicitly provided in 
this rule. We disagree, however, with the actual approach taken by HHS 
whereby most uses and disclosures of an individual's PHI would not 
require explicit individual authorization (see discussion below).
    Since Congress has not yet passed comprehensive confidentiality 
legislation, ACP-ASIM believes that special safeguards are needed to 
cover certain highly sensitive parts of a patient's medical record, 
such as HIV status, mental health disorders, drug and alcohol-related 
problems, sexually transmitted diseases, sickle-cell anemia, sexual 
orientation, and other highly sensitive health information.

    Treatment, Payment and Health Care Operations

    Subject to limited exceptions for psychotherapy notes and research 
information unrelated to treatment, a covered entity would be permitted 
to use or disclose protected health information (PHI) without 
individual authorization for treatment, payment or health care 
operations. The proposal would actually prohibit covered entities from 
seeking individual authorization, unless required by State or other 
applicable law. While ACP-ASIM recognizes that this proposal is 
intended to make the exchange of PHI relatively easy for health care 
purposes and more difficult for other purposes, we are very concerned 
that this approach would allow the use and disclosure of confidential 
medical records without the consent of the patient in extraordinarily 
broad circumstances. The proposed rule allow records to be shared 
without limit throughout the health care system; the confidentiality of 
medical records can be set aside for almost any reason at all. This 
approach undermines the bedrock principle critical to the physician-
patient relationship of informed consent, and will undercut traditional 
codes of medical ethics.
    Confidentiality between the doctor or other health care 
professional and the patient is an essential component of high quality 
health care. Physicians must obtain informed voluntary consent from the 
patient before their medical information is disclosed for any purpose, 
except for appropriately structured medical research (see below) or as 
required by law. (ACP-ASIM Code of Ethics; ``Confidentiality of 
Electronic Medical Records,'' Public Policy Paper 2000). At some point 
in the treatment relationship between the patient and the physician, 
preferably at the first encounter, there should be some type of signed 
written authorization that is a legal, informed consent to the release 
of PHI for treatment and payment purposes. ACP-ASIM supports the 
approach taken in S. 578 (Jeffords-Dodd), e.g., some form of 
consolidated authorization by which health care providers and 
organizations can perform their various functions without having to 
stop and obtain authorization at every point in a patient's treatment. 
Consent is particularly important since the proposal generally would 
not restrict to whom disclosures could be made for treatment, payment 
or operations. When disclosures are made to non-covered entities (other 
than business partners), the protections afforded by this rule would 
not be applicable. While this limitation points to the need for passage 
of more comprehensive privacy legislation, until such legislation is 
passed, individual's health information must be protected more strongly 
than provided under the NPRM.
    Likewise, allowing disclosure of PHI without authorization for 
health care operations is problematic, given the broad definition of 
``health care operations.'' As indicated above, ACP-ASIM supports 
requiring authorization before PHI can be used or disclosed for most 
health care operations. At the very least, the definition of what is 
considered to be health care operations should be narrowed to include 
only those activities that truly are related to treatment or payment.

Minimum Necessary

    ACP-ASIM agrees with HHS that a covered entity must make all 
reasonable efforts not to use or disclose more than the minimum amount 
of PHI necessary to accomplish the intended purpose of the use or 
disclosure. Access should be limited to only those individuals who need 
access to the information to accomplish the use or disclosure. De-
identified patient data should always be used in medical research and 
quality improvement processes, unless the nature of the research 
necessitates identification because coded data would be impracticable.
    We support the use of firewalls to limit the possibility for 
improper data uses within an entity, but note that the proposed 
scalability standard is particularly desirable in creating barriers to 
access and review of PHI. Physicians maintain records in a variety of 
settings, from large academic institutions to private offices with two 
staff members who perform all administrative functions. Current 
conditions in medical offices typically place physical barriers between 
medical records and non-staff, as well as limiting business partners' 
access to records.
    Practice management software and electronic medical record software 
packages are widely used by health care providers. Privately owned 
physician offices have limited access to technology with the capacity 
to create firewalls within their offices. Although software packages 
are available with a wide range of customizable features, they 
typically do not limit access on a field-by-field basis. Many programs 
limit access on a screen-by-screen basis or a function basis (such as 
appointment scheduling, billing, viewing laboratory results), but these 
are not completely customizable. Purchase of custom programming or 
replacement of current computer systems would represent an undue burden 
on providers who currently have as little as $300 or as much as $50,000 
invested in computer software. Encryption technology is not currently 
available to most small businesses.
    Proposed Sec. 164.506(b) generally would place the responsibility 
for determining what is the ``minimum necessary'' disclosure on the 
covered entity making the disclosure. Covered entities would be 
required to make ``reasonable efforts'' and to incur ``reasonable 
expense'' to limit the use and disclosure of PHI. This standard, while 
flexible, when combined with the scalability approach leaves a health 
care provider's staff with a large amount of discretion and complete 
liability. It is not clear what ``reasonable'' means in this context; 
there is much gray area between what is ``necessary'' information for 
medical reasons and what is too much disclosure. In addition, a covered 
entity would be required to review each request for disclosure 
individually on its own merits, rather than institute a policy to 
approve certain types of requests. This provision will require that an 
individual with authority and knowledge to make ``minimum necessary'' 
determinations must review each record request. In small practices, 
page-by-page review of multiple record requests on a daily basis could 
pose excessive administrative time requirements. In many cases, it will 
be cumbersome to determine the exact need for every piece of 
information and exact measurement of information that may be required 
to meet that need.
    We would encourage HHS to reconsider the excessive requirements 
placed upon clinical staff by transferring the burden of responding to 
medical record requests from clinical staff to administrative 
personnel. Each hour of record review is deducted from the limited time 
that physicians and nurses are able to perform their primary functions, 
caring for patients. Covered entities, particularly small businesses, 
should be allowed to create an internal policy to allow clerical staff 
to respond to many routine types of releases, including 1) disclosures 
allowed under any section of this proposed rule without patient 
authorization, and 2) any request accompanied by a written 
authorization signed by the patient. Moreover, the burden should be on 
the requestor of the information to make the ``minimum necessary 
demand.''

Right to Restrict

    ACP-ASIM generally supports the right of an individual to request 
that a covered entity restrict further uses and disclosures of PHI for 
treatment, payment or health care operations. However, administering a 
system in which some information is protected and other information is 
not poses significant challenges. In reality, this right will be 
severely hampered by health care providers' contractual obligations to 
insurers. Managed care organizations normally require that 
participating physicians not enter into private contracts for treatment 
and payment outside the physician's contract with the MCO. Thus, in its 
practical application, this right may be restricted to self-pay 
patients.
    In cases not involving reimbursement, such as release to other 
physicians, providers may make good faith efforts to avoid those 
disclosures, but implementing security systems and tracking those 
limitations will be extremely difficult due to systems limitations. 
Electronic systems do not provide the capacity to exclude transmissions 
to particular providers. Physician office groups may request paper 
records and administrative staff may be unaware of the affiliation of a 
particular provider within that group. Tracking a myriad of 
restrictions may be impractical and could result in denial of all 
requests to avoid disclosure liabilities. We would support providing 
examples in the final rule of appropriate, scalable systems that would 
be in compliance with this proposed provision.

    The Preamble notes that the proposed rule would not require a 
covered entity to agree to a request to restrict, or to treat or 
provide coverage to an individual requesting a restriction. HHS 
correctly recognizes that the medical history and records of a patient, 
particularly information about current medications and other therapies, 
are often very much relevant when new treatment is sought. Physicians 
have an ethical and in many cases legal obligation to treat a patient 
until that patient has been formally transferred to the care of another 
provider and/or discharged. Provisions should be made to accommodate 
provider treatment and disclosure after the covered entity has refused 
a non-disclosure request.

Creation of De-identified Information

    ACP-ASIM supports the approach proposed in Sec.  164.506(d) for de-
identifying identifiable information and the use of restrictions 
designed to ensure that de-identified information is not used 
inappropriately. We believe that health information should be encrypted 
before being transmitted electronically for research purposes. For the 
majority of physicians in private practice, however, development and 
implementation of procedures for stripping identifiers will be 
cumbersome. A typical physician's office has neither the technical 
ability to create de-identified data nor the staff to manually de-
identify data. We support a ``reasonableness'' standard whereby 
entities with sufficient statistical experience and expertise could 
remove or code a different combination of information.

Business Partners

    We have major concerns with and strongly object to the business 
partner provisions. While we recognize the limitations imposed on the 
authority of HHS to directly regulate entities other than health plans, 
health care providers and clearinghouses, we are concerned that under 
the business partner provisions, physicians would become regulators for 
HHS. These provisions would not only be unduly burdensome to 
physicians, but also would be exceedingly difficult to enforce. 
Physicians would be exposed to open-ended, unpredictable liability. 
Each of these concerns is discussed in further detail below.
    Under the proposal, for purposes other than consultation or 
referral for treatment, covered entities would be able to disclose PHI 
to business partners only pursuant to a written contract that would 
limit the business partner's uses and disclosures of PHI. The contract 
between the covered entity and the business partner would be required 
to include certain provisions that are specified in the proposal. Each 
specified contract term would be considered a separate implementation 
specification under the proposal, and a covered entity would be 
responsible for assuring that the business partner meets each such 
implementation standard. These complex contract terms and new 
obligations will necessitate the investment of much more time and 
resources by medical and legal personnel. Business partners may incur 
substantial expenses in meeting privacy requirements, which could 
result in more expensive contracts for health care providers.
    Non-compliance by a business partner or its sub-contractor of the 
terms of the contract could expose the physician to significant civil 
or criminal sanctions. Physicians would be in violation of the rule if 
they knew or ``reasonably'' should have known of a material breach of 
the contract by a business partner and failed to take reasonable steps 
to cure the breach or terminate the contact. Physicians would also be 
responsible for mitigating the harm caused by such violations. It will 
be very difficult, if not impossible, for most physicians to enforce 
the required contracts. No analysis has been done of the number of 
single-source business partners used by health care providers. A 
Medicare carrier acting as a fiscal intermediary, for example, would 
qualify as a business partner. However, HHS awards single-source 
contracts, leaving the physician with no viable alternative if required 
to terminate a contract. These provisions, by making physicians liable 
for disclosures by others not under their control, raise serious 
questions of fairness, and should not be included in the final rule.
    Business partners will be impacted by the need to maintain business 
records for legal and/or financial auditing purposes. This may make the 
destruction or return of all PHI unlikely or impossible in certain 
circumstances. For example, billing services are subject to HHS audit. 
If business partners cannot maintain PHI, they cannot provide 
documentation of coding or submissions material, nor protect themselves 
from claims made against them related to bookkeeping errors. Computer 
back-ups that are maintained by many business partners might include 
PHI. Business partners cannot be expected to destroy all forms of 
electronic back-up just because they have completed work for one 
particular client. Outside entities that provide financial services and 
have access to information included on standard explanation of benefits 
forms will also be required to identify and destroy substantial numbers 
of documents. Such entities could include banking entities providing 
lockbox services, billing services, third-party medical collection 
agencies, third-party coding experts, consulting and auditing services 
and third-party claims processors, such as Medicare carriers.
    Finally, and perhaps of most concern, a requirement included in the 
proposed contractual agreement would create a private right of action. 
Individuals whose PHI is disclosed by a business partner in violation 
of the rule would be considered to be third-party beneficiaries. As a 
third-party beneficiary, a patient would have a right under contract 
law to enforce the terms of the agreement by seeking damages against 
the breaching business partner and against the covered entity for 
failure to select and monitor properly the business partner. Covered 
entities would most likely have to purchase a rider under their 
insurance policies in order to be covered against such claims.
Uses and Disclosures with Individual Authorization

    The regulation would require that covered entities have 
authorization from individuals before using or disclosing their PHI for 
any purpose not otherwise recognized by this regulation. ACP-ASIM 
supports the requirement that individuals must give specific 
authorization before a covered entity could use or disclose PHI for 
purposes unrelated to health care treatment or payment. (As discussed 
earlier, ACP-ASIM opposes disclosure of PHI without patient 
authorization except in limited circumstances).
    We support the provisions in this section. Physicians must release 
information to the patient or a third party at the request of the 
patient. (ACP-ASIM Ethics Manual) Patient-initiated authorizations 
should be specific enough in terms of the information to be disclosed 
and to whom the information is to be disclosed to enable the physician 
to comply with the individual's request. Specific authorization is much 
better than the current practice of using broad disclosure forms. ACP-
ASIM supports requiring an expiration date as well as allowing 
authorization to be revoked by a patient unless action has been taken 
in reliance on the authorization. With respect to authorizations 
initiated by covered entities, we support the requirement that the 
authorization form should identify the purposes for which the 
information is sought as well as the proposed uses and disclosures of 
that information. Patients need to be able to make informed decisions. 
Finally, we support the provision stating that treatment and payment 
should not be conditioned on a patient's authorization.

Public Health Activities

    ACP-ASIM supports the provisions that would permit covered entities 
to disclose PHI without individual authorization to public health 
authorities carrying out public health activities authorized by law, to 
non-governmental entities authorized by law to carry out public health 
activities, and to persons who may be at risk of contacting or 
spreading a disease. Confidentiality may be overridden to protect the 
public health or individuals such as sexual partners at risk, or when 
the law requires it (e.g., mandatory public health reporting). However, 
before breaching confidentiality, physicians should make every effort 
to discuss the issue with the patient. (ACP-ASIM Ethics Manual).

Health Oversight

    ACP-ASIM supports allowing disclosure or use of PHI without 
individual authorization for health oversight activities. However, 
individual identifiers should be coded or encrypted whenever 
practicable.

Judicial and Administrative Proceedings

    ACP-ASIM supports permitting covered entities to disclose PHI in a 
judicial or administrative proceeding if the request for such PHI is 
made through or pursuant to an order by a court or administrative 
tribunal. A court order would not be required if the PHI being 
requested relates to a party to the proceeding whose health condition 
is at issue, and where the disclosure is made pursuant to a discovery 
order or is otherwise authorized by law. In the latter instance, 
however, we are concerned that the burden and possible liability is on 
physicians to determine whether the request relates to the PHI of a 
litigant whose health is at issue. Physicians and their staff are not 
best suited for making such determinations.

Law enforcement

    The proposed rule would permit covered entities to disclose PHI 
without individual authorization to a law enforcement official 
conducting a law enforcement inquiry authorized by law if the request 
for PHI is made pursuant to a judicial or administrative process. We 
think that these provisions are too broad. Access by law enforcement 
officials to individual health records constitutes an inherent privacy 
violation. Health information is collected to provide quality care to 
patients and to help society through use of data in public health 
research. This information is not intended for law enforcement because 
of the potential for abuse. Access by law enforcement agents should be 
restricted to searches that are not open-ended and for which there is a 
just cause. Release of confidential medical records to law enforcement 
officials should be permitted only when sustained by either subpoena or 
court order, except in limited emergency circumstances. Broad-based 
access is not an acceptable option. Law enforcement should be required 
to go through an independent review or neutral magistrate. 
Administrative subpoenas may be issued based on an individual law 
enforcement request, sometimes without any higher review. HHS should 
require that law enforcement officials obtain a judicial order

Research

    It is critical that the provisions dealing with research recognize 
the precarious balance between protecting patient privacy and expanding 
on our knowledge of health and disease. Rules need to be structured so 
that they will not unduly burden health researchers in their quest to 
further public health and other vital medical research.
    We generally support the way the proposed rule deals with research 
and the privacy of patient information. The proposal would permit 
covered entities to use and disclose PHI for research without 
individual authorization, provided that the covered entity receives 
documentation that the research protocol has been reviewed by an 
institutional review board (IRB) or equivalent body, and that the board 
found that the research protocol meets specified criteria designed to 
protect the subject. Absent such documentation, the subject's PHI could 
be disclosed for research only with the individual's authorization.
    IRBs review research requests to ensure adherence to standards of 
patient protection and treatment in medical research. The boards are 
established to ensure that patients have been fully informed and that 
they have consented to their participation in clinical research. Any 
research using patient information--whether the information is 
identified or not, whether consent is obtained or waived--should be 
approved by an IRB. IRBs are an efficient and effective way to protect 
the rights and privacy of patients who consent to sharing their health 
information for the benefit of medical research. The conduct of 
research and the protection of patient confidentiality also must be in 
compliance with professional ethical guidelines and codes of conduct.
    De-identified data should be used in medical research whenever 
possible, unless the nature of the research necessitates identification 
because coded data would be impracticable. All medical research studies 
that use potentially individually identifiable information must contain 
measures to protect the confidentiality of individual patient records 
and should be examined and approved in advance by an IRB or similar 
ethics review board.IRB functions include carefully reviewing the type 
of patient consent needed within the context of each study. Additional 
protection for subjects should be required if the information is 
identified and the waiver of consent in these instances should be 
limited.
    The use of data sets for secondary research studies should be 
allowed for statistical analyses and public health, but the records 
should remain encoded whenever possible. Patients, however, should be 
notified when information is to be used for purposes other than 
originally agreed on, and they should have the option to deny consent. 
These other purposes include billing, organizational research and 
quality improvement programs. Unfortunately, there is no clear line to 
differentiate between a routine use and a research use. Often, primary 
and secondary data uses overlap, and their definitions are dependent on 
the context within the individual studies. Uses of ``de-linked'' 
information require review by an IRB or other similar panel. While we 
recognize the limited authority of HHS over researchers who are not 
covered entities, the ACP-ASIM believes that the burden for information 
requests should be borne by those requesting access to the information; 
we realize the need for stringent review in determining who has access 
to de-identified information.

Notice of Information Practices

    We generally support the provisions in this section that would 
require health plans and providers to give notice of their 
confidentiality practices and procedures to patients. Such notice would 
be intended to inform patients about what is done with their PHI and 
about any rights they may have with respect to that information. Notice 
is an essential component of giving individuals the ability to make 
informed choices about their medical treatment. We support a flexible 
approach in allowing each provider to create a notice that reflects its 
own unique information practices.
    We do have concerns, however, about the administrative burdens and 
costs of such requirements, particularly for small practices. Small 
businesses are required to provide a notice of information practices on 
the patient's date of first service after the effective date of the 
rule. Determining the ``first service'' would place an undue 
administrative burden on many small practices. On a daily basis, staff 
would have to manually review each chart, or, in many cases, access a 
computer system to determine whether the patient has been seen since 
implementation of the rule. Internal medicine physicians average 4,000-
5,000 patient charts; approximately 2,200 charts are considered to be 
``active.'' (``active'' should be defined as those patients who have 
been seen in the last two years) The initial cost to produce, copy and 
mail notices could easily exceed the estimated $375 first year cost per 
provider office. Assuming 50 cents per authorization, the total cost 
could easily reach $1100 per provider in medical offices. Moreover, the 
cost attributed to tracking individual patient receipt of the notice 
would be extensive. These administrative costs would be incurred again 
whenever a notice is updated. Physicians who mail notices to active 
patients, prominently display the notice and provide the notice to all 
new patients should be relieved of any additional notification 
requirements.
    Requiring signed acknowledgment of the notice, which in theory 
sounds like a good practice, in reality will only increase 
administrative burdens and costs. We also suggest a clarification to 
the provisions. The proposal does not clearly define the scope of 
initial notifications required. Will notification be required if the 
patient's last treatment date was prior to the rule's effective date?

Access for Inspection or Copying

    Patients have a legal and ethical right to review information in 
their own medical records. In rare and limited circumstances, health 
information may be withheld from a patient if there is significant 
likelihood of a substantial adverse effect on the physical, mental or 
emotional health of the patient or substantial harm to a third party. 
The onus is on the provider to justify the denial of access.
    The proposed rule would allow, but not require, a researcher/
provider to deny a request for inspection and copying of the clinical 
trial record if the trial is still in progress, and the subject-patient 
had agreed to the denial of access in conjunction with the subject's 
consent to participate in the trial. The IRB or privacy board would 
determine whether such waiver of access to information is appropriate, 
as part of its review of the research protocol. In the rare instances 
in which individuals are enrolled in trials without consent (such as 
those permitted under FDA regulations), the covered entity could deny 
access to information during the course of the trial even without 
advance subject consent. However, access during the trial would be 
appropriate if a participant has a severe adverse reaction and 
disclosure of information during the clinical trial would give the 
participant adequate information for proper treatment decisions. In all 
cases, the subject would have the right to see the record after the 
trial is completed. We agree with these provisions.
    Access to current records within thirty days is reasonable for 
active patients. Medical records of patients last seen more than two 
years previously, however, may have been moved to off-site storage, 
which necessitates a longer recovery period (perhaps 60 days), and 
incurs additional cost. We suggest that a structured extension 
procedure should be included in the final rule. We do not support 
requiring an acknowledgment procedure.

Accounting of Disclosures

    While we support in principle the requirement for an accounting of 
disclosures, we have several concerns about the proposal in its current 
form. First, covered entities would be required to provide an 
accounting of all instances where PHI is disclosed for purposes other 
than treatment, payment and health care operations. However, as 
currently drafted, PHI may be disclosed without individual 
authorization for those purposes. Thus, patients could learn who has 
had access to their PHI only when such information is disclosed with 
their consent, but they do not have such a right when consent has not 
been given. It would seem that it would be more important to provide an 
accounting for disclosures where an individual has not given prior 
authorization.
    Second, we are concerned about the administrative burden and cost 
of complying with the accounting requirements. We agree that accounting 
should not be required for payment, treatment and most health care 
operations, but, as discussed earlier, we recommend that individual 
authorization should be required prior to the disclosure or use of PHI 
for such purposes.
    Finally, we suggest amending section 164.515(c)(1)(v) to clarify 
that ``copies of all requests for disclosure'' refers only to 
individual-initiated requests.

Amendment or Correction

    We support the right of patients to review the information in their 
medical records and to propose corrections. At the same time, however, 
it is critical to keep in mind that medical records provide working 
documentation for physicians and are often referred to in support of 
actions taken on the patient's behalf. The integrity of the medical 
record is critical. Therefore, medical histories should not be re-
written or deleted. Physicians are liable to health plans for providing 
supporting documentation for all information submitted and requests for 
payment. If this information is later determined to be inaccurate, 
corrections can be made and submitted as appropriate. The original 
documentation, however, is still necessary.

Training

    Many health care providers' employee training programs or employee 
handbooks currently incorporate confidentiality policies, so the 
additional burden imposed by the initial training requirement would be 
negligible. Re-certification, however, would impose a new 
administrative burden and is of questionable value when privacy 
policies remain unchanged. Re-certification should be required only 
when a provider's privacy policy significantly changes.

Safeguards

    The proposal would require that a covered entity have appropriate 
technical and physical safeguards to protect the privacy of PHI. 
Medical records intermingle electronically transmitted data, non-
electronically transmitted data, and data that is referenced in both 
formats. Therefore, providers most likely will have to presume that all 
records must be considered PHI and treated as such. Many small 
practices keep records in central areas easily accessible to all staff; 
such areas are not easily adaptable to ``locked storage'' areas. 
Replacement of an open medical chart storage cabinet with a lockable 
unit costs approximately $800 and provides little benefit. A typical 
physician has between three and ten units. A small business should be 
required instead to provide physical barriers (e.g., walls or counters) 
to limit the access of non-authorized personnel to record storage 
areas.

    The proposal also would require a covered entity to verify the 
identity and/or authority of persons requesting PHI. This places an 
unusual burden on health care providers to verify requests that are 
normally received verbally or via fax. Moreover, ascertaining whether a 
requestor has the appropriate legal authority is beyond the scope of 
the training or expertise of most employees in a physician's office. 
Health care providers must be able to reasonably rely on the authority 
of the requestor.

Sanctions

    We support the flexibility in the proposal that would allow covered 
entities to develop the sanctions policies appropriate to their 
businesses and operations. The ACP-ASIM supports holding users of 
electronic medical data accountable for protecting patient privacy. We 
are concerned, however, that a provider would be held liable for 
violations by a business partner and its subcontractors. As discussed 
earlier, we think that there are fundamental fairness issues in holding 
providers accountable for the actions of another entity that they do 
not control.

Small Business Impact

    The NPRM does not propose a specific definition for small 
businesses, but incorporates the U.S. Small Business Administration's 
(SBA) baseline revenue definition for small businesses, which is $5 
million in annual revenue. We do not believe that this proposed 
guideline, as currently defined, will include the projected 90% of 
health care providers. The Medical Group Management Association's Cost 
Survey Report for 1998 indicated that only 52.01% of group practices 
would not exceed the $5M revenue threshold. In addition, the SBA has 
proposed adjusting the revenue requirement for Doctors of Medicine (SIC 
8011), as well as certain other health care-related providers, to $7.5 
million. SBA has proposed this increase to reflect the disadvantage 
that health care providers face in a highly competitive market, even 
though their revenue has increased. We would encourage HHS to reflect 
this amended revenue standard in the final rule.
    Additionally, we encourage HHS to consider establishing an 
alternative test for small businesses, based upon number of employees. 
Health care providers in particular areas of medicine, such as 
cardiology or oncology, would exceed the revenue requirements in a 
practice of four to five physicians. To achieve parity across 
specialties with widely divergent average revenues, we encourage HHS to 
consider extending the definition of small business to any health care 
provider employing less than twenty employees. This definition is 
supported by the report, ``Employer Firms, Employment, and Estimated 
Receipts by Firm Size and Industry, 1996,'' issued by the SBA's Office 
of Advocacy, which indicates that 92% of Doctors of Medicine worked in 
firms with fewer than 20 employees.
Conclusion

    The proposed rule is an important first step in ensuring federal 
protections for the privacy of medical records. The ACP-ASIM 
appreciates your consideration of our comments and looks forward to 
working with you as the rulemaking process continues. If you have any 
questions, please do not hesitate to contact Debra Cohn, Legislative 
Counsel (202/261-4541) or Jack Ginsburg, Director of Policy Analysis 
and Research (202/261-4542).
            Sincerely,
                           Whitney W. Addington, M.D., FACP
                                                          President
      

                                


                               American College of Surgeons
                                       Washington, DC 20007
                                                  February 16, 2000
The Honorable Bill Thomas
Chair, Subcommittee on Health
Committee on Ways and Means
U.S. House of Representatives
1136 Longworth House of Building
Washington, DC 20515

    Dear Chairman Thomas:

    As you and members of your Subcommittee prepare to examine the 
extraordinarily complex issue of medical records confidentiality, the 
enclosed copy of the College's response to the Department of Health and 
Human Services (HHS) proposal on this issue may be useful.
    In its comments, the College recognizes the enormously difficult 
task the HHS Secretary faced when drafting this proposed rule, and we 
commended the Department for its effort to generate regulations that 
are consistent with sensible health information confidentiality 
principles. However, we believe strongly that the proposed rule 
overreaches its mandate in some areas, fails to take into account 
important private-sector activities that contribute to high-quality 
patient care, and imposes unreasonable burdens on physicians and their 
staff. Therefore, the College still believes that strong federal 
legislation is needed to provide a more tightly drawn blueprint for 
federal regulations.
    Some of our key concerns with the proposed rule, described in more 
detail in the enclosed text, can be summarized as follows:
     The list of covered entities included in the proposal does 
not adequately account for the wide range of those that contribute to 
the modern, integrated health care system. As an example, it is 
impossible to determine how the College's own centralized cancer 
registry, the National Cancer Data Base, would be treated and what 
requirements it would need to meet.
     Improvements can be made in the definitions that were 
developed for ``treatment,'' ``payment,'' and ``health care 
operations.'' In particular, we question how much patient identifiable 
information is necessary for fraud and abuse detection and compliance 
programs, or for general evaluation of provider performance.
     The mandate that covered entities adhere to a ``minimally 
necessary'' requirement when disclosing protected health information 
should be modified to provide more explicit guidance. Further, we 
suggest that entities requesting protected information should bear 
greater responsibility for determining the minimum amount necessary to 
complete their efforts.
     The College vigorously objects to provisions that would 
essentially require covered entities to be knowledgeable about and 
adhere to the information policies adopted by the whole assortment of 
businesses with which they are partners. We believe that HHS has 
greatly overstepped its statutory authority in this provision, and 
recommend that the standards be modified to require only that 
physicians and other covered entities make reasonable efforts to 
enforce their contracts; they should not be held responsible for their 
business partners' transgressions.
     The list of data elements that would need to be stripped 
from the medical record to be considered ``de-identified'' is far too 
sweeping and, if implemented, will render the record unusable for many 
types of medical research and disease surveillance registries.
     The definition of health oversight agencies allowed access 
to patient information appears to include only those that are 
government-based. Other key, private sector organizations, such as the 
Joint Commission on Accreditation of Healthcare Organizations, are not 
granted equal privileges. Indeed, the College conducts programs that 
rely on patient data to assess and approve hospital-based cancer, 
trauma, and burn programs--these programs simply could not operate 
under the restrictions being proposed by HHS.
     To increase the odds of patients understanding of the 
notices they receive about a provider's information practices, HHS 
should reconsider its decision to abstain from developing a uniform 
format. The more patients see similar documents, the less likely they 
are to become disoriented when examining a new notice, particularly 
when presented with multiple notices for an episode of care that 
involves more than one provider.
    Finally, as we note in our comments, many of the problems 
encountered with current patient information management practices 
result from the patchwork of state laws that complicate our 
increasingly interstate health care delivery and financing systems. We 
urge Congress to enact legislation preempting all state laws and 
establish a single, national standard for the care and management of 
patient medical records.
    The College welcomes the Subcommittee's interest in addressing this 
remarkably complicated and important issue. We hope that you will call 
on us to assist in your efforts to develop reasonable, workable 
legislation to resolve the many difficult issues involved, including 
those problems that arise from the Secretary's limited regulatory 
authority in this area. Please do not hesitate to contact Christian 
Shalgian in our Washington Office, at (202) 337-2701, if we can be 
helpful.
            Sincerely,
                                Thomas R. Russell, MD, FACS
                                                 Executive Director

    [An attachment is being retained in the Committee files.]
      

                                


Statement of the American Council of Life Insurers

I. INTRODUCTION

    The American Council of Life Insurers (ACLI) is a national 
trade association whose 435 member companies represent 73 
percent of the life insurance and 86.9 percent of the long term 
care insurance in force in the United States. The ACLI also 
represents 71 percent of the companies that provide disability 
income insurance. The ACLI is please to submit a summary of its 
comments on the proposed Standards for Privacy of Individually 
Identifiable Health Information, 45 CFR Parts 160 through 164, 
(the proposed rule) promulgated by the Department of Health and 
Human Services (Department). The entire text of the ACLI's 
comments can be found on our public web site at ACLI.com.
    The ACLI supports the goal of the Department of Health and 
Human Services (Department) to protect the privacy of 
individually identifiable health information and supports 
implementation of the privacy requirements of the 
Administrative Simplification subtitle of the Health Insurance 
Portability and Accountability Act of 1996 (P.L. 104 -191) 
(HIPAA). Life, disability income, and long term care insurers 
understand their responsibility to protect individually 
identifiable health information. ACLI member companies are 
strongly committed to the principle that individuals have a 
legitimate interest in the proper collection and handling of 
their medical information and that insurers have an obligation 
to assure individuals of the confidentiality of that 
information.
    Two years ago, the ACLI Board of Directors adopted the 
``Confidentiality of Medical Information Principles of 
Support.'' The ACLI has just amended these Principles to 
strengthen them even further to provide for support for 
prohibitions on the sharing of medical information for 
marketing and for determining eligibility for credit. A copy of 
the Principles is attached to this statement. Life, disability 
income, and long term care insurers have a long history of 
handling individually identifiable health information in a 
confidential and appropriate manner and are proud of their 
record as responsible custodians of that information.
    The ACLI strongly supports the Department's fundamental 
goal of protecting individually identifiable health 
information. We believe that the Department can pursue this 
goal in a manner consistent with the public interest in 
maintaining life, disability income, and long term care 
insurance markets which meet the private insurance needs of 
American consumers. By their very nature, the businesses of 
life, disability income, and long term care insurance involve 
personal and confidential relationships. However, insurers 
selling these lines of coverage must be able to obtain and use 
their customers' individually identifiable health information 
to perform legitimate insurance business functions, essential 
to insurers' ability to serve and fulfill their contractual 
obligations to their existing and prospective customers. We 
have analyzed the proposed rule with a view to balancing the 
goal of protecting the confidentiality of individuals' 
individually identifiable health information with life, 
disability income, and long term care insurers' need to obtain 
and use that information in order to issue, service, and 
administer insurance policies sought by individuals.
    We were pleased that Secretary Donna Shalala, as the 
Keynote Speaker at the ACLI's Annual Meeting in November of 
1997, acknowledged the importance of access to individually 
identifiable health information to the ability of insurance 
companies to provide the essential protection that only private 
insurance affords. Secretary Shalala stated: ``I know that you 
support confidentiality legislation as long as it doesn't 
jeopardize your ability to underwrite in a fair and fiscally 
prudent manner and to evaluate claims.'' This statement by the 
Secretary is a trenchant declaration of the fundamental point 
of this letter.
    It is important that the Department understand and consider 
all of the possible results of the proposed rule on covered 
entities and other entities that will be impacted by it. We are 
concerned that the proposed rule fails to take into account its 
impact on entities that are not covered entities, but which 
would be significantly impacted by the rule, particularly life 
and disability income insurers. We are also concerned that the 
proposed rule does not adequately take into account its impact 
on insurers which sell long term care insurance which are 
currently directly subject to the proposed rule.
    Appropriately, insurers selling life insurance are not 
covered entities subject to direct regulation under the 
proposed rule. However, life insurers must obtain protected 
health information, essential to underwriting and claims 
evaluation, from doctors, hospitals, and others who may only 
disclose protected health information as permitted under the 
rule.
    While it appears that disability income insurance policies 
are not intended to be health plans and that insurers which 
sell disability income insurance policies are not intended to 
be covered entities, this is not entirely clear. We believe 
that disability income insurance policies are not health plans, 
that disability income insurers are not covered entities, and 
that the proposed rule should make this clear. Also, as with 
life insurers, we are concerned with the proposed rule's impact 
on disability income insurers' ability to obtain from covered 
entities health information essential to underwriting and 
claims evaluation activities.
    We are concerned by the proposed rule's inconsistency with 
HIPAA by virtue of its inclusion of a number of HIPAA 
``excepted benefits'' within the definition of health plan, 
making insurers which sell these lines of coverage ``covered 
entities.'' This appears to be contrary to Congressional intent 
to have the rule address comprehensive medical coverages only. 
It also appears contrary to the Department's intent as 
expressed in the preamble section ``Definitions,'' in 
connection with the definition of health plan.
    We are particularly concerned by the proposed rule's 
characterization of long term care insurance policies as health 
plans, making long term care insurers covered entities. For the 
reasons explained below, we strongly believe that this is 
inappropriate. Long term care insurance policies should be 
deleted from the list of coverages defined as health plans. If 
insurers which sell long term care insurance continue to be 
covered entities in the final rule, we would be very much 
concerned by the proposed rule's impact on their activities, as 
explained below.
    There is also troublesome ambiguity in the proposed rule 
with respect to the obligations of an entity which is a covered 
entity for purposes of some of its activities and not a covered 
entity for purposes of other activities. A life insurer is not 
subject to the proposed rule as a covered entity. As the rule 
is currently drafted, a long term care insurer would be a 
covered entity. In fact, many life insurers are also long term 
care insurers. It does not appear to be the intent of the 
proposed rule to make the insurer a covered entity with respect 
to its use of protected health information in connection with 
life insurance, nor is there statutory authority to extend the 
rule in this manner. However, neither the rule nor the 
explanation in the preamble make this clear. The rule and the 
preamble should make clear that an entity involved in several 
lines of business, one of which is subject to the rule, will 
not be subject to the rule with regard to its other businesses.

II. INSURANCE AND THE ROLE OF INDIVIDUALLY IDENTIFIABLE HEALTH 
INFORMATION

    The system of classifying proposed insureds by level of 
risk is called risk classification. It enables insurers to 
group together people with similar characteristics and to 
calculate a premium based on that group's level of risk. Those 
with similar risk pay the same premiums. The process of risk 
classification provides the fundamental framework for the 
current private insurance system in the United States. It is 
essential to insurers' ability to determine premiums which are: 
(1) adequate to pay their customers' future claims; and (2) 
fair relative to the risk posed by proposed insureds.
    The price of life, disability income and long term care 
insurance is generally based on the proposed insured's gender, 
age, present and past state of health, possibly his or her job 
or hobby, and the type and amount of coverage sought. Much of 
this information is provided directly by the proposed insured.
    Depending on the proposed insured's age, medical history, 
and the amount of insurance applied for, the insurer may also 
need information from the individual's medical records. In this 
event, when the insurer's sales representative takes the 
consumer's application for insurance, he will request that the 
applicant sign an authorization, provided by the insurer, 
authorizing the insurance company to: (1) obtain his health 
information from his doctor or from a hospital where he has 
been treated; and (2) use that information to, among other 
things, underwrite that individual's application for coverage. 
Based on this information, the insurer groups insureds into 
pools so that they can share the financial risk presented by 
dying prematurely, becoming disabled, or needing long term 
care.
    If a company is unable to gather accurate information or 
have access to information already known to the proposed 
insured, an individual with a serious health condition, with a 
greater than average risk, could knowingly purchase a policy 
for standard premium rates. This is known as ``adverse 
selection.'' While a few cases of adverse selection might not 
have a significant negative impact on the life, disability 
income, or long term care insurance markets, multiple cases 
industry-wide would likely have such an effect. This would be 
particularly true if individuals were to be legally permitted 
to withhold or restrict access to medical information 
significant to their likelihood of dying prematurely, becoming 
disabled or requiring long term care. The major negative 
consequence of adverse selection would be to drive up costs for 
future customers which could price many American families out 
of the life, disability income, and long term care insurance 
markets.
    Most life and long term care insurance and much disability 
income insurance is individually underwritten. As part of the 
underwriting process, insurers selling life, disability income, 
and long term care insurance rely on an applicant's 
individually identifiable health information to determine the 
risk that he or she represents. Therefore, medical information 
is a key and essential component in the process of risk 
classification.
    Once a life, disability income, or long term care insurer 
has an individual's health information, the insurer controls 
and limits who sees it. At the same time, insurers must use and 
disclose individually identifiable health information to 
perform legitimate, core insurance business functions.
    Insurers that sell life, disability income, and long term 
care insurance must use individually identifiable health 
information to perform essential functions associated with an 
insurance contract. These basic functions include, in addition 
to underwriting, key activities such as claims evaluation and 
policy administration. In addition, insurers must also use 
individually identifiable health information to perform 
important business functions not necessarily directly related 
to a particular insurance contract, but essential to the 
administration or servicing of insurance policies generally, 
such as, for example, development and maintenance of computer 
systems.
    Also, life, disability income, and long term care insurers 
must disclose individually identifiable health information in 
order to comply with various regulatory/legal mandates and in 
furtherance of certain public policy goals such as the 
detection and deterrence of fraud. Activities in connection 
with ordinary proposed and consummated business transactions, 
such as reinsurance treaties and mergers and acquisitions, also 
necessitate insurers' use and disclosure of such information. 
Life, disability income, and long term care insurers must 
disclose individually identifiable health to: (1) state 
insurance departments in connection with general regulatory 
oversight of insurers (including regular market conduct and 
financial examinations of insurers); (2) self-regulatory 
organizations, such as the Insurance Marketplace Standards 
Association (IMSA), concerned with insurers' market conduct; 
and (3) state insurance guaranty funds, which seek to satisfy 
policyholder claims in the event of impairment or insolvency of 
an insurer or to facilitate rehabilitations or liquidations. 
Limitations on these disclosures would operate counter to the 
consumer protection purpose of these disclosure requirements.
    Life, disability income, and long term care insurers need 
to (and, in fact, in some states are required to) disclose 
individually identifiable health information in order to 
protect against or to prevent actual or potential fraud. Such 
disclosures are made to law enforcement agencies, state 
insurance departments, the Medical Information Bureau (MIB), or 
outside attorneys or investigators who work for the insurer. 
Again, any limitation on an insurer's ability to make these 
disclosures would undermine the public policy goal of reducing 
fraud, the costs of which are ultimately borne by consumers.

III. SUMMARY OF ACLI COMMENTS ON THE PROPOSED RULE

A. Comments Concerning Life and Disability Income Insurers

    The impact of the proposed rule on insurers selling life 
insurance and on insurers selling disability income insurance 
would be significant and adverse. The proposed rule generally 
encourages and, in many cases, requires limitation on 
disclosure of individually identifiable health information. As 
discussed above, such information is essential to the business 
of insurance. We are concerned that in an effort to protect 
confidentiality, the rule will jeopardize insurers' ability to 
issue, administer and service life and disability income 
insurance policies.
    It appears that the Department does not intend disability 
income insurance policies to be health plans under the rule. We 
strongly believe that this is appropriate. However, the 
proposed rule is not clear on this point. We urge the 
Department to amend the rule to specify that disability income 
insurance policies are not health plans.
    Section 164.508 requires either an authorization requested 
by the individual or by a covered entity. The authorization 
forms submitted by life and disability income insurers to 
covered entities on behalf of or as authorized by applicants 
apparently fall within the scope of Section 164.508(a), 
authorizations requested by individuals. Given the critical 
importance of protected health information to life and 
disability income insurers' ability to serve their customers, 
we believe that this section requires clarification. Section 
164.508(a)(1) should provide for the release of protected 
health information requested by the individual or authorized by 
the individual.
    Subject to limited exceptions, the proposed rule requires 
that a covered entity must make all reasonable efforts not to 
use or disclose more than the minimum amount of protected 
health information necessary to accomplish the purpose of the 
use or disclosure. If Section 164.508(a)(1) is not amended to 
accommodate authorizations submitted as authorized by the 
individual, covered entities--third parties such as doctors and 
hospitals--will be charged with determining how much protected 
health information is the ``minimum necessary'' for an insurer 
to underwrite or pay a claim. This result would appear to be 
contrary to the Department's intent as set forth in the 
preamble. It would also be inappropriate because it is the 
insurer, not the covered entity, which will bear the financial 
risk of the insurance transaction.
    We are very much concerned by the standard articulated in 
Section 164.506(c)(i) giving individuals the right to enter 
into agreements with health care provider covered entities to 
restrict the use or disclosure of specified health information. 
Although this subsection clearly provides that ``a covered 
entity that is a health care provider must permit individuals 
to request that uses or disclosures of protected health 
information for treatment, payment, or health care operations 
be restricted'' (emphasis added), the reference to this 
standard in Section 164.506(c)(2) does not similarly make it 
clear that: (1) only health care provider covered entities are 
subject to this standard; and (2) the right to restrict only 
extends to use or disclosure of protected health information 
for treatment, payment, or health care operations. We are 
gravely concerned that if Section164.506(c)(2) is not 
clarified, it may be read to permit agreements to restrict 
disclosure of information which could cause material 
information to be withheld from an insurer underwriting an 
application or evaluating a claim under a life or disability 
income insurance policy, without the insurer even knowing that 
information existed at all. This could result in serious 
adverse selection, jeopardizing the current private systems of 
life and disability income insurance. It would legalize actions 
which constitute fraud and material misrepresentation under 
current law.
    We suggest more reasonable treatment of psychotherapy notes 
and research information unrelated to treatment. We believe 
that all individually identifiable health information should be 
treated confidentially and in the same manner. We are concerned 
by discussion in the preamble that seems to sanction 
segregation of psychotherapy notes. We are concerned by the 
definition of psychotherapy notes as currently proposed which 
may bar legitimate access to anything more than ``summaries 
of'' diagnosis, functional status, etc.
    The level of specificity required in the authorization form 
and the requirement of multiple authorizations are 
impracticable. Furthermore, we are concerned that giving 
individuals an opportunity to revoke their authorization for 
disclosure of protected health information could jeopardize 
life and disability income insurers' ability to investigate 
material misrepresentation, fraud, and claims. We have provided 
the Department with specific recommendations for amendments to 
these sections.

B. Comments Concerning Long Term Care Insurance

    We believe strongly that long term insurance policies are 
inappropriately characterized as health plans, making long term 
care insurers covered entities. We believe that long term care 
insurance policies should be stricken from the list of 
coverages defined as health plans. Whether or not long term 
care insurance policies are health plans, we have the same 
concerns, as we have with respect to life and disability income 
insurers, about the proposed rule's impact on long term care 
insurers' ability to obtain from other covered entities 
protected health information essential to underwrite and pay 
claims.
    We believe Section 164.508(a) should be amended to clarify 
that authorizations may be submitted on behalf of or authorized 
by an individual. If Section 164.508(a) is not amended in this 
manner, covered entities inappropriately will be charged with 
determining the minimum amount of protected information 
necessary for long term care insurers to underwrite 
applications for long term care insurance coverage and to pay 
claims.
    We are particularly concerned about the impact on long term 
care insurers of the right to restrict use and disclosure of 
certain protected health information granted under Section 
164.506(c)(1). This provision could have a devastating effect 
on long term care insurers by virtue of the fact that it would 
permit an agreement to restrict disclosure of information 
material to ``payment'' of a long term care insurance claim 
without a long term care insurer even knowing any information 
is being withheld. Moreover, the failure of Sections 
164.506(c)(2) and 164.512(d)(ii)(B) to clarify that the right 
to restrict use and disclosure of protected health information 
is only applicable to treatment, payment, and health care 
operations could result in interpretation of these subsections 
to permit agreements to withhold information material to the 
underwriting of long term care insurance policies. On a 
widespread basis, this could jeopardize the process of risk 
classification in relation to long term care insurance.
    The special treatment of psychotherapy notes and research 
information unrelated to treatment, as well as the definition 
of psychotherapy notes also give rise to concern as they relate 
to long term care insurance. Again, we believe that all 
individually identifiable health information should be treated 
confidentially and in the same manner. We are concerned by 
discussion in the preamble that seems to sanction segregation 
of psychotherapy notes. We are concerned by the definition of 
psychotherapy notes as currently proposed which may bar 
legitimate access to anything more than ``summaries of'' 
diagnosis, functional status, etc.
    The requirements for authorizations are particularly 
troublesome as applied to long term care insurer covered 
entities. This is especially true with respect to the right to 
revoke. Given the fact that the definitions of health care 
operations and payment fail to include a number of essential 
ordinary insurance business functions of long term care 
insurers, individuals are given the right to revoke long term 
care insurers' right to use protected health information for 
some activities which are critical to the issuance, servicing 
and administration of long term care insurance policies. The 
level of specificity required in the authorizations is also 
problematic as applied to long term care insurers.
    If long term care insurers continue to be covered entities 
in the final rule, we suggest a number of amendments to 
accommodate the administrative needs of long term care insurer 
covered entities, just as an apparent attempt was made to 
accommodate the administrative needs of other covered entities. 
If long term care insurers are to be covered entities, they 
should not be treated as ``second class'' covered entities.
    As mentioned above, we are very concerned that the proposed 
definitions of health care operations and payment do not 
adequately address key activities of long term care insurers 
necessary for support of payment. As a result, Section 
164.506(a)(1)(i) does not permit long term care insurers to use 
and disclose protected health information without authorization 
to perform functions which are ``compatible with and directly 
related to . . . payment'' of claims submitted under long term 
care insurance policies. This would seem to be counter to the 
stated intent of the proposed rule'' to make the exchange of 
protected health information relatively easy for health care 
purposes.''
    We oppose the extension of the proposed rule to business 
partners of covered entity long term care insurers. We are 
particularly concerned that long term care insurers are made 
liable for violations of the proposed rule by their business 
partners. We are also opposed to the creation of a private 
right of action by making subjects of protected health 
information third party beneficiaries of contracts between long 
term care insurers and their business partners.
    We have a number of important technical concerns with the 
provisions in Section 164.510 providing for disclosures without 
an individual's authorization. We include suggestions as to how 
these matters can be resolved.
    While the ACLI supports providing individuals rights of 
notice, access, accounting for disclosures, and the opportunity 
to request amendment/correction of inaccurate information, we 
are very concerned by the burdensome nature of several of these 
requirements. For example, required and permissible disclosures 
must be distinguished in the proposed notice. This is in 
addition to a separate requirement that the notice contain a 
description of the types of disclosures that may occur. 
Moreover, the authorization section contains similar disclosure 
requirements. We suggest several ways in which these 
overlapping requirements can be simplified without compromising 
the goal of providing consumers with meaningful information 
about how a covered entity handles and protects the consumer's 
protected health information.
    The ACLI looks forward to working with the Chairman and 
members of this committee as Congress addresses the critical 
issue of protecting the confidentiality of health information.

Confidentiality of Medical Information

Principles of Support

    Life, disability income, and long-term care insurers have a 
long history of dealing with highly sensitive personal 
information, including medical information, in a professional 
and appropriate manner. The life insurance industry is proud of 
its record of protecting the confidentiality of this 
information. The industry believes that individuals have a 
legitimate interest in the proper collection and use of 
individually identifiable medical information about them and 
that insurers must continue to handle such medical information 
in a confidential manner. The industry supports the following 
principles:
    1. Medical information to be collected from third parties 
for underwriting life, disability income and long-term care 
insurance coverages should be collected only with the 
authorization of the individual.
    2. In general, any redisclosure of medical information to 
third parties should only be made with the authorization of the 
individual.
    3. Any redisclosure of medical information made without the 
individual's authorization should only be made in limited 
circumstances, such as when required by law.
    4. Medical information will not be shared for marketing 
purposes.
    5. Under no circumstances will an insurance company share 
an individual's medical information with a financial company, 
such as a bank, in determining eligibility for a loan or other 
credit--even if the insurance company and the financial company 
are commonly owned.
    6. Upon request, individuals should be entitled to learn of 
any redisclosures of medical information pertaining to them 
which may have been made to third parties.
    7. All permissible redisclosures should contain only such 
medical information as was authorized by the individual to be 
disclosed or which was otherwise permitted or required by law 
to be disclosed. Similarly, the recipient of the medical 
information should generally be prohibited from making further 
redisclosures without the authorization of the individual.
    8. Upon request, individuals should be entitled to have 
access and correction rights regarding medical information 
collected about them from third parties in connection with any 
application they make for life, disability income or long-term 
care insurance coverage.
    9. Individuals should be entitled to receive, upon request, 
a notice which describes the insurer's medical information 
confidentiality practices.
    10. Insurance companies providing life, disability income 
and long-term care coverages should document their medical 
information confidentiality policies and adopt internal 
operating procedures to restrict access to medical information 
to only those who are aware of these internal policies and who 
have a legitimate business reason to have access to such 
information.
    11. If an insurer improperly discloses medical information 
about an individual, it could be subject to a civil action for 
actual damages in a court of law.
    12. State legislation seeking to implement these principles 
should be uniform. Any federal legislation to implement the 
foregoing principles should preempt all other state 
requirements.
      

                                


                              American Federation of State,
                    County and Municipal Employees, AFL-CIO
                                  Washington, DC 20036-5687
                                                  February 16, 2000
The Honorable William Thomas
Ways and Means Committee
Health Subcommittee
U.S. House of Representatives
Washington, DC 20515

    Dear Chairman Thomas:

    The American Federation of State, County and Municipal Employees 
(AFSCME) appreciates the opportunity to submit a statement for the 
record for the February 17, 2000 hearing on the confidentiality of 
patient records. AFSCME represents over 1.3 million workers. Among 
these are 360,000 health care workers including registered and licensed 
nurses, pharmacists, physicians and nursing assistants. Therefore, we 
approach privacy regulations from the perspective of consumers of 
health care services as well as workers in the health care system.
    We commend the Department of Health and Human Services for 
addressing the crucial issue of medical record confidentiality in such 
a comprehensive proposal. The need to develop regulations that will 
serve as standard protections for the users of health care services is 
urgently needed in the rapidly changing world of health care delivery.
    AFSCME strongly supports the approach in the Health Insurance 
Portability Accountability Act (HIPAA) and the Department's proposal 
that federal regulations will serve as a floor, rather than a ceiling, 
on privacy protections afforded by states. Under this approach, a 
minimum federal standard would extend important protections to all 
consumers, but state laws providing greater protections would remain in 
place or could be enacted in the future to meet new needs.
    While the regulations create important new protections, there are 
areas where the Department stopped short of fully exercising its 
authority under HIPAA or did not provide adequate clarification in the 
regulations. We are submitting comments to the Secretary which detail 
these issues. Many of these issues are summarized below.
    The regulations should apply to both electronic and non-electronic 
health information. Consistent treatment of health information provides 
a much more workable framework for covered entities. Otherwise, covered 
entities would need to keep track of the method of transmittal of 
information from all paper records in order to determine which 
information in an individual's file is protected. Further, because most 
information is not maintained in electronic form, the failure to cover 
paper records provides a gaping hole through which much confidential 
information can be transmitted despite Congress' desire to protect the 
privacy of an individual's health records.
    The regulations must clarify that protected health information 
obtained by an employer sponsored self-funded or insured plan cannot be 
shared with other parts of the employer's organization. If it is not 
made clear that private health information cannot be shared, it will be 
used improperly by some employers to make such employment decisions as 
promotions, job assignments and firings.
    The regulations must extend privacy protections to medical records 
connected to workers' compensation claims. There is a serious problem 
of unlimited access to and misuse by employers and insurers of 
individually identifiable health information of workers who have filed 
such claims. Medical records have been used to discriminate, harass, 
blacklist and deny workers their rights under the law. We do not 
believe that Congress intended to exempt workers' compensation insurers 
from the scope of coverage and believe that the Department should 
address this subject.
    Thank you for the opportunity to submit a statement for the record 
for this important hearing.
            Sincerely,
                                        Charles M. Loveless
                                            Director of Legislation

CML:bcc
cc: Rep. Pete Stark, Ranking Member
      

                                


Statement of American Healthways, Inc., Nashville, TN

    American Healthways, Inc. (``AMHC''), the successor 
corporate name of American Healthcorp, Inc., appreciates the 
opportunity to submit the following comments for inclusion in 
the record of the House Ways and Means Health Subcommittee 
Hearing on Patient Record Confidentiality on February 17, 2000.
    Overall AMHC strongly supports the proposed privacy 
regulations published at 64 Fed. Reg. 59,918 (Nov. 3, 1998), 
particularly the inclusion of disease management in the 
definition of treatment. It is imperative to legitimate disease 
management organizations that the use and disclosure of 
identifiable health information for disease management be 
permitted without individual authorizations. This is currently 
permitted in the proposed regulations and is essential to the 
continued operation and success of disease management programs. 
AMHC and similar disease management organizations, however, are 
extremely concerned about the lack of a uniform standard. 
Accordingly, AMHC believes that complete federal preemption of 
all state medical privacy laws is imperative
    AMHC, headquartered in Nashville, Tennessee, is the 
nation's leading operator of care and disease management 
services with 160,000 lives under management. AMHC's Diabetes 
HealthwaysSM, Cardiac HealthwaysSM, and 
Respiratory HealthwaysSM programs have proved effective at 
significantly improving health status and decreasing overall 
cost for these disease populations.
    The privacy of individually identifiable health information 
is of utmost importance to AMHC. AMHC has extensive policies 
and procedures to protect patient confidentiality. As a result, 
neither AMHC nor its clients have received a single 
confidentiality or privacy complaint regarding AMHC's disease 
management programs. AMHC provides these comments to the 
Subcommittee from this perspective.

DISEASE MANAGEMENT IN THE PROPOSED REGULATIONS

    The proposed regulations allow a covered entity to use or 
disclose protected health information without individual 
authorization ``to carry out treatment, payment, or health care 
operations.'' \1\ ``Treatment'' is defined as ``the provision 
of health care by, or the coordination of health care 
(including health care management of the individual through 
risk assessment, case management, and disease management) 
among, health care providers; the referral of a patient from 
one provider to another; or the coordination of health care or 
other services among health care providers and third parties 
authorized by the health plan or the individual.'' \2\ Under 
this definition, use and disclosure of protected health 
information for disease management is permissible without 
individual authorization.
---------------------------------------------------------------------------
    \1\ 64 Fed. Reg. 59,918, 60,053 (Nov. 3, 1998).
    \2\ Id. (emphasis added).
---------------------------------------------------------------------------
    It is imperative that this be maintained. The use of 
identifiable health information without patient authorization 
is essential to the ability of disease managers such as AMHC to 
provide and obtain the greatest benefits for patients from its 
disease management services.
    AMHC has utilized both an enrollment or ``opt-in'' model 
and an engagement or ``opt-out'' model for its disease 
management programs. Under the enrollment model, individuals 
choose whether to participate in the disease management 
program. In an engagement model, plan members are automatically 
provided the benefit of the disease management program, but may 
choose to ``opt-out'' of participation. Although an argument 
might be made that the enrollment model provides greater 
privacy protection, it unnecessarily intrudes upon the existing 
coordination of care, producing vastly inferior health care 
outcomes to the engagement or ``opt-out'' model.
    By way of direct comparison, AMHC documented that with the 
engagement model AMHC's programs achieve 98 percent 
participation, compared to less than 30 percent for a typical 
enrollment model. Additionally, cost savings are dramatically 
less for an enrollment model. For example, annualized diabetes 
health care cost savings for an average 100,000 member plan 
under the engagement model is $1,738,716 as compared to only 
$443,550 for an enrollment model.
    The reason for the difference in participation rates and 
cost savings is that people with chronic diseases often suffer 
from inertia and denial about their disease. The engagement 
process circumvents this avoidance tendency. Typically, the 
individuals who opt-in are the healthier patients who are 
already highly motivated to manage their disease. These people 
are less in need of the extensive disease management programs 
and, therefore, the clinical improvements in these patients 
(with their concomitant cost savings), while still present, are 
less significant.
    An engagement model strikes the right balance between the 
competing interests of individual privacy rights on the one 
hand and the tremendous clinical and financial benefits of 
disease management on the other. Allowing individuals to opt-
out still provides individuals a choice and yet retains the 
tremendous clinical and financial benefits of disease 
management for the largest number of individuals. Moreover, 
because disease managers are business partners, confidentiality 
of protected health information remains protected from 
secondary use or disclosure. Accordingly, disease management 
programs must be allowed to continue to use and receive 
protected health information for disease management without 
patient authorization.

COMPLETE FEDERAL PREEMPTION

    In the proposed regulations, HHS states ``HIPAA provides 
that the rule promulgated by [HHS] may not preempt state laws 
that are in conflict with the regulatory requirements and that 
provide greater privacy protections.'' \3\ Although HHS may 
lack the authority to preempt state privacy laws, complete 
preemption of state laws is imperative. AMHC thus far has 
managed to operate in compliance with all applicable state 
laws. However, maneuvering around the varying and often 
incompatible requirements of so many state laws has been 
difficult. Soon, the task may be impossible. Since the nation's 
attention has been focused on medical records privacy issues, 
many states have enacted new privacy laws and almost all states 
have significant privacy legislation pending.
---------------------------------------------------------------------------
    \3\ Id. at 59,926.
---------------------------------------------------------------------------
    California recently enacted a new privacy statute which 
only allows disclosure of identifiable health information for 
disease management if the services are approved by the 
patient's primary care provider.\4\ The health plans, more 
often than providers, contract with AMHC for the provision of 
disease management services. Individuals, therefore, are 
entitled to disease management services by virtue of their 
membership in the plan, not as a function of their relationship 
with a physician. Individuals should be able to decide whether 
to ``opt-out'' of participation in the disease management 
program offered. Physicians should not be permitted to impede 
the provision of these services to their patients. The 
requirement that the physician authorize disease management 
services imposes an additional administrative burden that will 
substantially diminish the number of Californians who may 
benefit from disease management services.
---------------------------------------------------------------------------
    \4\ See Cal. Civil Code Sec.  56.10(17) (West 1999).
---------------------------------------------------------------------------
    Some state privacy laws directly conflict with others, 
making it impossible to provide the same, consistent services 
to residents of different states. Health plans that contract 
with national employers (e.g., Federal Express) want and need 
to provide a uniform set of benefits to all their employees. 
This is impossible with the varying and often conflicting state 
laws and requirements. In addition, a health plan which is 
national in scope (e.g., Cigna) needs the ability to sell and 
deliver uniform products, again extremely onerous, if not 
impossible, without one uniform standard.
    Furthermore, disease managers such as AMHC must keep 
abreast of all state laws and ensure compliance with each 
state's nuances, requirements and prohibitions. This is 
becoming extremely difficult and significantly adds to the cost 
and burdens on the delivery of health care, generally, and 
disease management services, specifically.
    Finally, it is often difficult to know which state's laws 
apply. It is conceivable that for one transfer of protected 
health information, several states' laws could be applicable. 
For example, in the disclosure of protected health information 
from a health plan to a disease management organization, the 
following state laws could apply: (1) the state in which the 
health plan (the disclosing entity) is based, (2) the state in 
which the business partner (the receiving entity) is based, (3) 
the state in which the health care services contained in the 
protected health information were rendered, (4) the state in 
which the disease management services are provided and (5) the 
state in which the individual patient resides. Thus, it is 
entirely possible that inconsistent standards and requirements 
could apply to one disclosure or use of protected health 
information. The uncertainty of which laws apply as well as the 
complexity and difficulty in complying with the various state 
laws will likely cripple the delivery of health care and 
disease management services, especially as states continue to 
enact more sophisticated, complicated and extensive health care 
privacy legislation.
    Accordingly, to preserve the continued provision of high 
quality, affordable health care including disease management 
services, complete federal preemption of state privacy laws is 
imperative. Without preemption, the processes associated with 
the delivery of health care could come to a screeching halt as 
they did in Maine when that State enacted an over-zealous 
privacy law.\5\
---------------------------------------------------------------------------
    \5\ The law was swiftly repealed.
---------------------------------------------------------------------------
    Congress should either provide HHS with such preemption 
authority or themselves exercise congressional authority to 
provide complete federal preemption of state medical privacy 
laws. One consistent, uniform standard, especially given the 
electronic world in which we now find ourselves, is absolutely 
imperative and urgently needed. Congress has the authority to 
preempt state laws in this area as the electronic exchange of 
identifiable health information involves interstate commerce as 
it is an interstate activity. Health plans, employers, 
providers and disease managers often provide services to 
individuals in multiple states. Accordingly, Congress must 
exercise its preemption authority to ensure uniformity and 
clarity in the use, disclosure and protection of identifiable 
health information.

ABOUT AMHC

    AMHC uses identifiable health information provided by its 
contractors--typically health insurance companies--in its 
Diabetes HealthwaysSM, Cardiac 
HealthwaysSM and Respiratory HealthwaysSM 
programs to identify individuals with the targeted disease, 
determine what level of intervention is required, and monitor, 
coordinate, and integrate the care of those individuals. 
Release of identifiable health information to AMHC without 
individual authorization is essential to the continued 
operation of AMHC's disease management programs. If 
authorizations were required before each use or disclosure, 
disease management programs would be impeded, if not halted, 
and their tremendous clinical and financial benefits 
diminished.\6\
---------------------------------------------------------------------------
    \6\ See Robert J. Rubin et al., Clinical and Economic Impact of 
Implementing a Comprehensive Diabetes Management Program in Managed 
Care, 83 J. Clin. Endocrinol. and Metab. 2635, 2640 (1998) for a 
discussion of the benefits of disease management.
---------------------------------------------------------------------------
    AMHC's population management programs are comprehensive 
health management systems driven by proactive interventions to 
identify, manage and coordinate the care of populations 
affected by cardiac or respiratory disease or diabetes. AMHC 
works with physicians, inpatient caretakers and other medical 
professionals to develop the best possible care plans for 
patients. AMHC's services are in the direct chain of care, 
providing extensive patient services, including health risk 
assessment, education, care plan development and management, 
concurrent care review, one-on-one self-care counseling, and 
primary care physician support and education.
    Population-based disease management programs produce 
significant clinical improvements and financial savings. AMHC's 
programs are a primary example. A peer-reviewed study of 
Diabetes Healthways' Diabetes NetCareSM program 
concluded that the program ``generated substantial gross cost 
savings'' and resulted in ``substantial improvement in all of 
the clinical measures collected.'' \7\ Specifically, 
``[m]embers were more likely to receive HbA1c tests, foot 
exams, eye exams, and cholesterol screenings while enrolled in 
the program . . . [and h]ospital utilization decreased 
dramatically for each plan's diabetic population.'' \8\ 
Hemoglobin A1c testing, a signal measure of health status among 
people with diabetes, increased 127 percent during the first 
year of the program. Cardiac HealthwaysSM also 
produces impressive clinical improvements. The ACE inhibitor, 
cholesterol testing, and beta blocker compliance, the benchmark 
cardiac care protocols, improved 23 percent, 61 percent, and 62 
percent, respectively, during year one for AMHC's cardiac 
populations.
---------------------------------------------------------------------------
    \7\ Id. at 2640.
    \8\ Id. at 2640-41.
---------------------------------------------------------------------------
    AMHC's programs also produce significant financial 
benefits. The Diabetes HealthwaysSM program resulted 
in a 12.3 percent gross financial savings during the first 
year, and increased savings each year thereafter. ``Hospital 
costs decreased by $47 per diabetic plan member per month, or 
$564 per year.'' \9\ Patients in the Cardiac 
HealthwaysSM program achieve even more dramatic 
first-year savings, an average of 62 percent for patients 
suffering from congestive heart failure. These savings also 
increase year after year as a result of AMHC's aggressive 
preventative measures for less severely ill patients that delay 
or prevent the otherwise inevitable onset of complications 
associated with diabetes and cardiac disease. Other disease 
management programs have achieved noticeable results as well.
---------------------------------------------------------------------------
    \9\ Id. at 2641.
---------------------------------------------------------------------------
    AMHC contracts with and provides disease management 
services on behalf of health plans and obtains identifiable 
health information directly from the plans. AMHC runs the 
information through an AMHC developed algorithm to determine 
which individuals likely have diabetes, cardiac or respiratory 
disease and what level of intervention is required. AMHC 
attempts to extract all individuals with diabetes, coronary or 
respiratory disease. AMHC's population management approach is 
unique in that it manages the health care of the entire 
population with certain chronic conditions, regardless of the 
severity of the illness, historical cost, co-morbid 
complications or preexisting conditions.
    The algorithm does result in some false positives. To 
ensure that an individual is not falsely identified as having 
diabetes or cardiac disease, AMHC contacts the individual's 
physician to verify the diagnosis. Any false positives are 
removed from the population and some unidentified individuals, 
missed by the algorithm, are added. If the false positives are 
not caught through this method, individuals still have the 
opportunity to opt-out of the program if they do not have the 
targeted disease (or for any reason). In addition, under the 
proposed regulations, individuals are always afforded the 
opportunity to amend any incorrect health information in their 
records. Regardless, AMHC never discloses identifiable health 
information other than to its employees or agents implementing 
the disease management program or to individuals' physicians.
    Once AMHC has the targeted disease population extracted, 
identified individuals are sent a letter, on health plan 
letterhead, describing the program. Individuals have the 
opportunity to opt-out of participation. As discussed more 
fully, infra, Diabetes HealthwaysSM has used both an 
engagement (opt-out) and enrollment (opt-in) model of 
participation. The engagement model achieves a 98 percent 
participation rate while an enrollment model results in less 
than 30 percent participation.
    Once an individual is part of the disease management 
program, AMHC assumes responsibility for all the health care of 
affected populations, whether or not related to the named 
chronic disease, and coordinates the care wherever it is 
delivered: at home, in the hospital, in the physician's office, 
or in any other outpatient or inpatient setting. Both Diabetes 
HealthwaysSM and Cardiac HealthwaysSM do, 
and Respiratory HealthwaysSM will, provide disease 
management for all individuals in the targeted disease 
population and monitor and coordinate all their health care in 
all health care settings. These comprehensive programs have 
achieved great success.
    Overall, AMHC strongly supports the proposed privacy 
regulations as drafted. AMHC appreciates the Department of 
Health and Human Services' (``HHS'') recognition of the 
importance of legitimate disease management through its 
inclusion in the definition of treatment. Disease management 
programs such as AMHC's Diabetes HealthwaysSM, 
Cardiac HealthwaysSM and Respiratory HealthwaysSM 
produce tremendous clinical benefits to the patient public (not 
to mention concomitant financial savings) and, therefore, 
should be encouraged, not hindered by the privacy regulations.
      

                                


Statement of American Psychoanalytic Association, New York, NY

    The Health Information Privacy Regulations proposed by the 
Administration on November 3, 1999 represent one of the most 
thoughtful efforts to date to address the growing threat to the 
privacy of identifiable health information. The preamble to the 
regulations sets forth the most thorough analysis of the 
importance of medical information privacy to quality health 
care and the public's confidence in the health delivery system. 
With the exception of the protection for ``psychotherapy 
notes,'' however, the privacy protections in the proposed 
regulations do not fulfill the promise of the preamble.
    As the preamble notes, the preservation of health 
information privacy is a ``major concern'' of citizens. Health 
information privacy is also essential for quality health care 
because without an assurance of privacy, individuals will not 
make the disclosures to physicians and other caregivers 
necessary for treatment and diagnosis, caregivers will not 
accurately record information in the medical record and 
individuals will refrain from seeking the care they need.
    The preamble correctly notes that an assurance of ``strict 
confidentiality'' is essential for patients to receive 
effective psychotherapy. That conclusion is supported by the 
``reason and experience'' reflected in the therapist-patient 
privilege which is recognized by the statutory laws in all 50 
states and the District of Columbia, both federal and state 
common law, the ethical standards of every mental health 
professional association, and the recently released Surgeon 
General's Report on Mental Health. The common thread of all of 
these laws and standards is that therapist-patient 
communications cannot be disclosed beyond the therapist without 
the patient's consent.
    The underlying statute directs the Secretary to issue 
regulations that address at least the rights that individuals 
``should have'' with respect to their identifiable health 
information. The preamble notes that privacy is a fundamental 
right which is an element of the constitutional right to 
liberty, but the regulations make no mention of an individual's 
right to privacy for identifiable health information.
    The regulations also eliminate the traditional requirement 
of obtaining patient consent before disclosing identifiable 
health information except for marketing and certain other 
``non-health'' related uses. Accordingly, these regulations 
would permit disclosure of most identifiable health information 
for most uses without patient notice or consent.
    In an exception to the general rule, the regulations 
require consent for the disclosure of ``psychotherapy notes'' 
for the purposes of treatment, payment and health care 
operations. The regulations, however, permit the disclosure of 
psychotherapy communications that do not come within the narrow 
definition of ``psychotherapy notes'' and do not recognize even 
that narrow exception for 13 other uses characterized as 
``national priorities.'' Accordingly, the regulations do not 
afford the protection for psychotherapy communications that is 
generally accepted as being essential for effective 
psychotherapy services.
    The preamble to the regulations recognizes that statutory 
authority has not been granted to permit effective enforcement 
of the privacy protections contained in the regulations. 
Further, the protections in the regulations are unenforceable 
because, in the absence of notice of specific disclosures or 
consent, individuals will have no way of knowing when, where 
and to whom their information was disclosed. Two of the 
principal privacy protections in the regulations--the 
limitation on disclosures to the minimum information necessary 
for the intended use and the ``right to restrict'' disclosures 
that are otherwise allowable--are particularly unenforceable. 
The information necessary for an intended use varies with the 
size and technical capability of the disclosing entity, and 
providers have a right to refuse any request to restrict 
disclosures.
    The regulations appropriately do not preempt state privacy 
laws, including state common laws, which furnish ``more 
stringent'' privacy protections. The recognition of state 
common laws is particularly appropriate because most privacy 
protections are found in state common laws, and those court 
rulings reflect the history of ``reason and experience'' in 
those states.
    The American Psychoanalytic Association believes that the 
following changes must be made in the regulations if the 
public's confidence in the health delivery system is to be 
preserved:
    1. Individuals' right to privacy for identifiable health 
information should be expressly recognized.
    2. The right of patients to give or withhold consent for 
most disclosures should be preserved.
    3. The regulations should establish ``strict 
confidentiality'' protections for mental health information and 
specify the information that may be disclosed with patient 
consent to third party payors. This approach is consistent with 
federal and state common law and has been in effect for 15-20 
years in New Jersey and the District of Columbia.
    4. The privilege recognized for psychotherapist-patient 
communications in the 1996 Supreme Court decision in Jaffee v. 
Redmond should be recognized in the regulations. They also 
should provide that any disclosure for a purpose under the 
regulations will not constitute a waiver of the federal or 
state privilege.
    5. Patients should be permitted to preserve the privacy of 
their health information by paying for services with their own 
funds.
    Privacy is essential for quality health care, but it is 
also an indispensable element of the right to liberty--one of 
the core principles of our Constitution. These principles have 
been forged and preserved through the sacrifices of prior 
generations. With the consideration of the right to medical 
privacy, we reach one of those critical points in our nation's 
history when we must decide whether we remain committed to 
those principles.
      

                                


Statement of William C. McGinly, Ph.D., CAE, President, Association for 
Healthcare Philanthropy, Falls Church, VA

    The Association for Healthcare Philanthropy (AHP) is 
pleased to present its comments for the written record on the 
proposed rules concerning the standards for privacy of 
individually identifiable health information. (At your request, 
please be advised that our comments also are submitted on an 
IBM compatible 3.5-inch diskette in MS Word format.)
    Summary and Introduction

    Established in 1967, the Association for Healthcare 
Philanthropy (AHP) is a not-for-profit organization whose 2,850 
members manage philanthropic programs in 1,700 of the nation's 
3,400 not-for-profit health care providers. As AHP's president 
and chief executive officer, I can tell you that an estimated 
75% to 80% of the U.S. population resides in the areas served 
by these providers, which include community hospitals and 
medical centers (59%), multihospital systems (14%), specialty 
institutions (8%), academic institutions (5%), long-term care 
facilities (5%), and other not-for-profit facilities (9%).
    AHP's members raised more than $5.7 billion in FY1998-$1.92 
billion more than was raised by all of United Way of America 
during the same time period.
    Funds raised by AHP's members directly support health care 
programs and services that are unfunded or underfunded by other 
sources. These include:
     programs to promote healthy behaviors;
     a vast array of community wellness programs, from 
mobile health vans to mammography screenings and hearing and 
eye exams; and
     much needed facility improvements and essential 
equipment upgrades.
    Such programs are central to the not-for-profit mission of 
AHP members' institutions and organizations. They are an 
integral part of their business. For such programs to continue, 
AHP's members must have access to their health care provider's 
database. The reason: More than 60% of funds raised each year 
come from individuals-most of whom are grateful patients.
    In approaching prospective patient donors, AHP members are 
sworn to respect the confidentiality of patient information 
through the AHP Statement of Professional Standards and Conduct 
and its companion Bill of Donor Rights. Further, AHP members 
are committed to upholding the spirit and intent of state and 
federal laws governing use of patient information. The way in 
which AHP members' institutions and organizations handle 
confidential information might be likened to how colleges 
handle student records. That is, academic records are not 
released without authorization, even to tuition-paying parents, 
yet demographic data routinely is given to the alumni office 
for fund-raising efforts that ensure the support of the 
college's long-range educational mission.
    AHP respectfully requests that the proposed regulations be 
amended so that they neither block nor reduce our members' 
ability to raise funds for not-for-profit public health care 
programs.
    More specific comments and related amendatory language 
follow.

    Background: Need for Privacy Standards
    AHP fully supports the development of standards that 
protect the confidentiality of individually identifiable health 
information. However, those standards should be moderated so 
that they also protect the public health care benefits 
generated by philanthropic gifts to not-for-profit providers.
    This balance of private need and public good is the essence 
of an underlying tenet of a democratic society, and it is one 
that AHP believes should be written into these regulations.

    Statutory Background
    AHP contends that the regulations as proposed would not 
meet the statutory requirements for the privacy standards, 
which require that any privacy standard adopted to implement 
the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) ``shall be consistent with the objective of reducing 
the administrative costs of providing and paying for health 
care [emphasis added].''
    By restricting AHP members' access to patient databases, 
the proposed regulations threaten to destroy a major funding 
source for public health care, that is, grateful patients. More 
than 60% of all philanthropic gifts to not-for-profit health 
care providers come from individuals, most of whom are grateful 
patients. If access to grateful patients had been restricted in 
FY1998, when AHP members raised more than $5.7 billion for 
public health care programs, those programs might have lost as 
much as $3.42 billion.
    Thus, the proposed regulations include a substantial hidden 
cost.

    Consultations
    AHP appreciates the opportunity to increase awareness of 
health care philanthropy and its role in paying for health 
care, and to propose alternate language in a number of sections 
in the proposed regulations.
    Summary and Purpose of the Proposed Rule
    AHP supports the Secretary's recommendation for 
comprehensive rules that would, among other goals, ``(a)llow 
for the smooth flow of identifiable health information for 
treatment, payment, and related operations, and for specified 
additional purposes related to health care that are in the 
public interest [emphasis added].''
    AHP proposes that the final regulations can only meet this 
goal if they specify that not-for-profit health care providers' 
fund-raising programs are operated in the public's interest as 
an integral part of the providers' business operations; 
therefore, these programs should be included in the smooth flow 
of identifiable health information.
    Specifically, in Paragraph 5, AHP would have the fund-
raising
    activities of not-for-profit health care providers included 
under ``health care operations'' that do not require individual 
authorization.

    Applicability
    AHP endorses the applicability of the privacy standards to 
the entities that include the health care providers that employ 
AHP members, but again urges the Secretary to make philanthropy 
programs a permissible use of individually identifiable health 
information, without authorization, as part of a provider's 
``health care operations.''

    Definitions
    Health information: AHP generally supports the definition 
of ``health information'' and the applicability of the privacy 
standards to health information. However, a minimum amount of 
health information is often helpful to the professional 
development officer-if only to exclude certain constituent 
groups from messages likely to be deemed offensive. For 
instance, the following tenets usually guide AHP members when 
they handle sensitive health information:
     ``Donor acquisition'' mailings that go to former 
patients or their families simply do not refer to patients' 
recent hospitalizations or their illnesses.
     In cases where a patient has freely shared 
personal information regarding medical conditions, or has 
expressed an interest or made previous donations to a specified 
program or department, segmented appeals for related medical 
causes may occur, but these, too, do not expressly refer to 
patients' illnesses.
     Patients hospitalized or treated for psychiatric 
and substance abuse treatment are routinely omitted from donor 
acquisition approaches because of the heightened sensitivity 
commonly associated with these diagnostic groups. Also excluded 
are all minors.
     In general, philanthropy programs give careful 
thought to the audience and message of all fund-raising 
appeals, and where appropriate eliminate any constituent groups 
and/or messages deemed likely to be offensive to recipients.
    T3Business partner: AHP supports the definition of 
``business partner,'' but would like to establish an 
understanding about how the definition relates to the ways that 
health care philanthropy programs are structured.
     Nearly 70% of AHP members work not for the health 
care provider but for separately incorporated foundations, 
which are recognized as charitable entities under 501(c)(3) of 
the federal tax code. It is imperative that the proposed 
privacy standards not inadvertently close the door to 
charitable gifts that support public health programs-and 
provide donors with a valued income tax deduction.
     About 25% of AHP members work for stand-alone 
departments within the health care provider institution.
     The other 5% work in offices with some other 
structure. Whether the privacy standards apply to these various 
structures as ``covered entities'' or ``business partners,'' it 
is critical that the standards not limit the effectiveness of 
health care philanthropy programs to raise money from the 
people most likely to give, that is, grateful patients.
    Individually identifiable health information: A minimum of 
patient demographic information is essential so that health 
care philanthropy programs can carry out their not-for-profit 
mission. Age is needed to exclude minors from appeals.

    Introduction to General Rules
    The health care philanthropy programs managed by AHP 
members would not appear in conflict with this broadly stated 
intent, if ``health care'' is broadly construed to include 
public health.

    Use and Disclosure for Treatment, Payment, and Health Care 
Operations
    AHP supports the uses and disclosures permitted without 
authorization in this section, but adamantly opposes the 
exclusion of certain activities from the definition of ``health 
care operations.'' The very ability of not-for-profit health 
care providers to fulfill their altruistic mission is 
threatened by the proposed requirement that advance 
authorization is necessary for the following activities:
     marketing of health . . . services;
     marketing by a non-health related division of the 
same corporation; and
     fund raising.
    With buy-outs by for-profit health care providers 
threatening the existence of not-for-profits, marketing is 
critical to the future viability of these altruistic providers. 
Much of what is marketed by AHP members-from departments or 
divisions within a provider's corporation or from its related 
foundation (see ``definitions'' above)-has tremendous benefit 
for community health. Wellness programs, mammography screening, 
ear and eye exams, etc., are marketed by AHP members. Many of 
these programs are funded by the philanthropic programs that 
AHP members manage.
    One only need look at the hospital wings donated by 
grateful patients, or the donor recognition plaques that line 
hospital corridors, to realize that patients are grateful for 
hospital services and do not mind showing their appreciation 
with tangible gifts. AHP contends that these gifts are 
willingly made because they are asked for after services have 
been received. To ask for them in advance-which would be the 
effect of the proposed privacy standards-would easily alienate 
the largest prospect pool for philanthropic gifts to not-for-
profit health care providers.
    Finally, the kind of marketing carried out by AHP members 
is not the kind of marketing of commercial products that seems 
to be the real target of this regulation's restriction. It is 
important that the final version of the privacy standards 
distinguish between for-profit and not-for-profit ventures.
    In short, AHP would strike these activities from the list 
of activities that require prior authorization:
     marketing of health . . . services;
     marketing by a non-health related division of the 
same corporation; and
     fund raising.
    Further, AHP would expressly permit not-for-profit health 
care providers and their business partners to use and disclose 
protected information without authorization for the following 
activities that are central to their altruistic mission:
     marketing programs that promote the health of the 
community; and
     raising funds that support charitable, 
educational, or research purposes and capital improvements.

    Minimum Necessary Use and Disclosure
    AHP members already adhere to the practice of minimal use 
and disclosure. On becoming members, they pledge to uphold the 
AHP Statement of Professional Standards and Conduct, which 
requires that an individual's right to privacy be respected and 
that information gained in the pursuit of professional duties 
remain confidential. A copy of the AHP Standards is enclosed.
    To manage effective philanthropic programs, AHP members 
minimally need the names of patients and relatives, their 
addresses and telephone numbers, and their age (to eliminate 
minors). A minimum of health information is helpful (to 
eliminate patients with sensitive diagnoses).

    Right to Restrict Uses and Disclosures
    AHP members already restrict use and disclosure of 
information gained in pursuit of their professional duties, as 
part of the AHP Statement of Professional Standards and Conduct 
(copy enclosed).

    Creation of De-Identified Information
    AHP supports the use of protected health information for 
statistical and analytical reports. In fact, AHP annually 
conducts its Survey on Giving, through which members share 
information about health care philanthropy. AHP is the only 
source of this data in the country, which each year is given to 
the American Association for Fund Raising Counsel for its 
comprehensive report, Giving USA.

    Application to Business Partners
    The philanthropy efforts of AHP members are structured in 
several ways-as foundations, as stand-alone departments or 
divisions, or in other ways. However efforts are structured, 
whether they are construed as ``covered entities'' or 
``business partners,'' it is paramount that these regulations 
permit access to protected data without authorization.

    Application to Information About Deceased Persons
    AHP supports this regulation's intent to be sensitive to 
the families of the deceased. However, AHP respectfully 
suggests that providing its members with protected information 
is more likely to achieve this goal than the converse. After 
all, AHP members cannot exclude families of the deceased from 
general appeals for philanthropic gifts if the fact of death is 
not known.
    Furthermore, when friends or family of the deceased wish to 
make a memorial gift, AHP members must have the minimum 
demographic information to accommodate this wish.

    Adherence to the Notice of Information Practices
    AHP supports the intent of this section, which requires 
that information uses and disclosures reflect the actual notice 
of such use and disclosure. Again, however, AHP urges that the 
philanthropic programs managed by its members be included under 
``health operations'' that do not require advance authorization 
for what is a central component of the mission and business of 
not-for-profit providers.

    Uses and Disclosures with Individual Authorization
    This section contains one phrase that reveals the intent of 
its authors: commercial gain. AHP could not agree more that 
individuals have the right to refuse the release of protected 
information that will result in commercial gain to the 
requesting entity. No commercial gain is possible for not-for-
profit health care providers, and privacy standards must 
distinguish between for-profit and not-for-profit entities.
    The philanthropic programs of AHP members should be 
considered an integral part of the provider's ``health 
operations'' and thus be exempt from individual authorization. 
That is the current practice, and AHP can attest to the fact 
that its members hear only rare concerns which are quickly 
resolved after they explain the health services, research, and 
educational programs that are supported by philanthropy.
    Aside from the inappropriateness of applying this standard 
to not-for-profit health care providers, the proposed 
authorization form is onerous and counterproductive. Picture a 
patient in serious condition, being admitted to a hospital, 
being handed all the usual forms and one asking for permission 
to solicit contributions at a later date. A hospital with a 
form like this would be showing very little sensitivity to the 
patient and would likely receive no gift at a later date, even 
if the patient were grateful for the medical treatment 
received.

    Introduction to Rights of Individuals
    AHP supports the rights of individuals as delineated in the 
proposed regulations and assures the Secretary that its members 
swear to respect those rights through the AHP Statement of 
Professional Standards and Conduct.

    Rights and Procedures for a Written Notice of Information 
Practices
    AHP believes that the health services, research, and 
educational programs supported by the philanthropy programs of 
not-for-profit health care providers are an integral part of 
``health operations'' and should be treated as such in this and 
other sections of the final regulations.

    Rights and Procedures for Access for Inspection and Copying
    AHP believes that the health services, research, and 
educational programs supported by the philanthropy programs of 
not-for-profit health care providers are an integral part of 
``health operations'' and should be treated as such in this and 
other sections of the final regulations.
    All of AHP's comments are offered with the sincere appeal 
that the new regulations should be structured so as to take 
into account the professional ethical standards already in 
place. These regulations must allow for the continued work of 
hospitals and health-related foundations in philanthropic 
programs that benefit individuals and communities . . . 
benefits which, if lost, would be severely detrimental to the 
quality of life. AHP looks forward to working with the 
Department in order to preserve the charitable fund-raising 
activities of not-for-profit health providers while respecting 
an individual's appropriately limited individually identifiable 
health information.
    We appreciate the opportunity to comment on the proposed 
standards. More importantly, we look forward to actively 
assisting the Department in developing protective patient 
medical record regulations while safeguarding our non-profit 
providers' obligation to meet their charitable purposes and 
fully serve their patients.
      

                                


Professional Standards and Conduct from Association for Healthcare 
Philanthropy

    Association for Healthcare Philanthropy members represent 
to the public, by personal example and conduct, both their 
employer and their profession. They have, therefore, a duty to 
faithfully adhere to the highest standards and conduct in:
    I. Their promotion of the merits of their institutions and 
of excellence in health care generally, providing community 
leadership in cooperation with health, educational, cultural, 
and other organizations;
    II. Their words and actions, embodying respect for truth, 
honesty, fairness, free inquiry, and the opinions of others, 
treating all with equality and dignity;
    III. Their respect for all individuals without regard to 
race, color, sex, creed, ethnic or national identity, handicap, 
or age;
    IV. Their commitment to strive to increase professional and 
personal skills for improved service to their donors and 
institutions, to encourage and actively participate in career 
development for themselves and others whose roles include 
support for resource development functions, and to share freely 
their knowledge and experience with others as appropriate;
    V. Their continuing effort and energy to pursue new ideas 
and modifications to improve conditions for, and benefits to, 
donors and their institution;
    VI. Their avoidance of activities that might damage the 
reputation of any donor, their institution, any other resource 
development professional or the profession as a whole, or 
themselves, and to give full credit for the ideas, words, or 
images originated by others;
    VII. Their respect for the rights of privacy of others and 
the confidentiality of information gained in the pursuit of 
their professional duties;
    VIII. Their acceptance of a compensation method freely 
agreed upon and based on their institution's usual and 
customary compensation guidelines which have been established 
and approved for general institutional use while always 
remembering that: any compensation agreement should fully 
reflect the standards of professional conduct; and, antitrust 
laws in the United States prohibit limitation on compensation 
methods;
    IX. Their respect for the law and professional ethics as a 
standard of personal conduct, with full adherence to the 
policies and procedures of their institution;
    X. Their pledge to adhere to this Statement of Professional 
Standards and Conduct, and to encourage others to join them in 
observance of its guidelines.

A Donor Bill of Rights

    Philanthropy is based on voluntary action for the common 
good. It is a tradition of giving and sharing that is primary 
to the quality of life. To assure that philanthropy merits the 
respect and trust of the general public, and that donors and 
prospective donors can have full confidence in the not-for-
profit organizations and causes they are asked to support, we 
declare that all donors have these rights:

    I. To be informed of the organization's mission, of the way 
the organization intends to use donated resources, and of its 
capacity to use donations effectively for their intended 
purposes.
    II. To be informed of the identify of those serving on the 
organization's governing board, and to expect the board to 
exercise prudent judgment in its stewardship responsibilities.
    III. To have access to the organization's most recent 
financial statements.
    IV. To be assured their gifts will be used for the purposes 
for which they were given.
    V. To receive appropriate acknowledgment and recognition.
    VI. To be assured that information about their donations is 
handled with respect and with confidentiality to the extent 
provided by law.
    VII. To expect that all relationships with individuals 
representing organizations of interest to the donor will be 
professional in nature.
    VIII. To be informed whether those seeking donations are 
volunteers, employees of the organization or hired solicitors.
    IX. To have the opportunity for their names to be deleted 
from mailing lists that an organization may intend to share.
    X. To feel free to ask questions when making a donation and 
to receive prompt, truthful and forthright answers.

    Developed by American Association of Fund Raising Counsel 
(AAFRC) Association for Healthcare Philanthropy (AHP) Council 
for Advancement and Support of Education (CASE) National 
Society of Fund Raising Executives (NSFRE). Endorsed by (in 
formation) Independent Sector National Catholic Development 
Conference (NCDC) National Committee on Planned Giving (NCPG) 
National Council for Resource Development (NCRD) United Way of 
America
      

                                


Statement of Association of American Medical Colleges

    The Association of American Medical Colleges (AAMC) is 
pleased to submit its views on the Department of Health and 
Human Services Notice of Proposed Rulemaking (NPRM) ``Standards 
for Privacy of Individually Identifiable Health Information.'' 
The AAMC represents this nation's 125 accredited medical 
schools, approximately 400 major teaching hospitals and health 
care systems, and 91 academic and professional societies 
representing over 75,000 faculty members. Our members and 
institutions provide basic and specialized healthcare services, 
conduct research leading to the discovery of medical knowledge 
and the development of innovative treatments and therapies, and 
educate and prepare physicians to meet evolving health care 
needs. Whether in utilizing health information in treating 
patients, educating future physicians, or conducting clinical 
research ranging from the etiopathogenesis of disease, 
translation and clinical trials to studies in epidemiology, 
prevention and health services, the AAMC is keenly aware of the 
need to protect the privacy of individuals and the 
confidentiality of individually identifiable health 
information.
    The AAMC strongly believes that the only comprehensive and 
nationally coherent solution to the complex and emotionally 
charged problems of ``medical information privacy'' lies in 
federal legislation, and we have steadfastly supported the 
enactment of such to strengthen the protection of individuals' 
personally identifiable health information from inappropriate 
disclosure and harmful misuse. Any legislation will require a 
balancing between protecting individuals' health information 
and allowing health care entities and providers reasonable 
access to information that can be shared for purposes of 
treatment, research, and education.
    The NPRM's preamble articulates the department's concern 
with its limited authority under the Health Insurance 
Portability and Accountability Act (HIPAA) of 1996 and the 
rationale for the stratagems it devised to craft regulations 
with the broadest possible reach in the face of those 
limitations, and it is punctuated with repeated calls for 
federal legislation as the much preferred approach. These 
points are important to understanding the structure, complexity 
and potential impact of the regulations that have been 
proposed. The preamble seeks frequent refuge in the principles 
articulated in Secretary Shalala's thoughtful report to the 
Congress in September 1997, entitled ``Confidentiality of 
Individually Identifiable Health Information.'' At the time, 
the AAMC expressed its strong general support of the 
principles, while noting their ultimate acceptability would 
turn on the details of their implementation, which the report 
did not address. Given the complexity of the proposed 
regulations, their substantial financial and administrative 
costs, and the profound operational and behavioral changes that 
they would impose at every level of the health care delivery 
system, it is ironic to note that the relevant HIPAA authority 
derives from the Administrative Simplification provisions of 
the Act (Sections 261-264).
    Although the AAMC appreciates the work the department has 
invested in this NRPM, we have very serious reservations about 
certain of the approaches and implementation steps. We fear 
that they would impose unreasonable burdens and unwise 
constraints on the day-to-day functioning of the health care 
delivery system and the conduct of medical research. While 
fully supporting the individual's right to privacy and 
respecting the need for effective, systemic protections of the 
confidentiality of individually identifiable health 
information, we believe that some of the standards, 
implementation requirements, and procedures imposed by this 
NPRM would have real costs that far outweigh their theoretical 
benefits. We believe that the NPRM requires major changes so 
that it will reasonably protect the privacy of individually 
identifiable health information without impeding the flows of 
health information required for the care of patients, the 
operations of the health care delivery system, or the conduct 
of health research. In particular, the AAMC draws attention to 
the following salient concerns:

     Impact on Delivery of Health Care: The enactment 
and implementation of any standards for medical information 
privacy will impose enormous costs and administrative burdens 
on the U.S. health care system. In this regard, any federal 
regulations must be crafted with precision and with 
understanding of and sensitivity to the complexity and 
magnitude of the flows of individually identifiable health 
information involved in the health care of patients. 
Unfortunately, the AAMC finds that many of the proposed 
provisions in the NPRM impose unreasonable burdens and unwise 
constraints on the day to day functioning of the health care 
delivery system. In particular, the AAMC believes the concepts 
and applications of ``business partners,'' ``minimum 
necessary,'' and ``de-identified protected health information'' 
are poorly devised and ill-conceived. In addition, the language 
establishing a ``code of fair information practices'' with 
respect to individual access, amendment, and correction of 
protected health information (PHI) needs to be more carefully 
tailored to the realities of the complex patterns and enormous 
volumes of continuous health information traffic that are 
necessary for the health care delivery system to function. We 
urge the department to reconsider the proposed regulations in 
the NPRM, which would unjustifiably and unnecessarily impede 
the critical functions of the day-to-day operations of the 
entire U.S. health care system.

     Intrusion on Research: The AAMC strongly opposes 
the approach taken in the NPRM to divide medical research 
information into two broad classes, one ``related,'' the other 
``unrelated,'' to treatment. HIPAA gives the HHS no authority 
to regulate researchers. However, the NPRM attempts to do so by 
regulating covered health care providers who are also 
researchers. The AAMC finds this approach unnecessary and 
poorly conceived. The distinction of research information 
categories as described by the NPRM, in fact, would serve to 
weaken the protections of confidentiality of research data that 
are currently available, while imposing heavy burdens on 
medical researchers, and would be of little or no benefit to 
the safeguarding of individually identifiable health 
information. Rather than separating research information that 
is ``related or unrelated to treatment,'' the AAMC believes 
that information obtained from research that is clinically 
relevant to the care of the subject should be entered into the 
individual's medical record. Thereby, the formal ``research 
record'' would remain separate from the medical record. It is 
the Association's strong position that research information and 
clinical information can and should be maintained separately, 
primarily to afford the research information a much higher 
degree of security than can be afforded to clinical information 
and medical records.

     Impact on Common Rule: The attempt by the 
department to regulate issues related to ``protected health 
information'' (PHI) in research is problematic. In the NPRM's 
preamble, the department notes that HIPAA gives HHS no 
authority to regulate health researchers. Research involving 
human subjects is already subject to the Common Rule. However, 
the NPRM attempts to amend the Common Rule by adding four new 
criteria to those already required of IRBs in consideration of 
waiver of individual authorization. The AAMC strongly opposes 
this effort at piece-meal modification of the Common Rule. The 
Association is unaware of any credible evidence indicating that 
protection of the confidentiality of PHI used in research is 
not being adequately respected and protected by IRBs and 
researchers working under the requirements of the existing 
Common Rule. Moreover, with the imminent relocation and 
reorganization of the OPRR in the Office of the Secretary and 
formation of a new National Advisory Council for the new 
Office, the scrutiny of human research subjects protections 
underway by the NBAC, and similar studies being conducted by 
the IOM, the department's approach is particularly untimely. 
The AAMC strongly urges the department to abandon this ill-
advised approach and continue to regulate all research and 
researchers identically under the provisions of the Common 
Rule.
     Preemption of State Law: The AAMC strongly 
believes, and has consistently argued, that the workings of the 
contemporary health care delivery system, the mobility of 
American citizens, and the needs of medical research, 
especially population-based research, all call for federal 
legislation that would strongly preempt state law (with only 
few limited exceptions for such things as public health 
reporting) and establish a single, uniform national standard of 
medical information privacy protection. The department does not 
favor such ``strong'' preemption, and in any event asserts 
correctly that it does not have authority under HIPAA to impose 
it by regulation. The NPRM would establish a federal floor of 
protections and would preempt only contrary provisions of state 
laws that are less stringent than those imposed by the 
regulation. It would thereby permit what is often described as 
a patchwork of discordant state privacy laws of variable 
effectiveness to remain in place. The NPRM's lengthy 
disquisition on the interpretations of ``contrary to,'' ``less 
stringent'' and ``more stringent'' underscores the confusion 
and significant burdens that the lack of a single, preemptive 
federal standard will place on covered entities whose 
professional activities and business transactions increasingly 
span state lines. The entities would have to comply not only 
with the federal rule but with the more stringent provisions of 
state law in every state in which they operated. The AAMC is 
deeply concerned about the chaotic business climate and 
extraordinary legal expenses that would result from the 
imposition of this regulation, and fears that as it is 
proposed, it will be unworkable. The AAMC would urge the 
Secretary to conduct a state-by-state examination and certify 
those state laws that she deems ``contary and more stringent 
than'' the federal rules. All other state laws bearing on 
medical information privacy would thereby be deemed to be 
preempted by the new rule.
    Although the AAMC appreciates the effort that the HHS has 
invested in developing this proposal, the AAMC feels that many 
of the standards in the NPRM would not in actual practice serve 
to enhance protections of the privacy and confidentiality of 
individuals proportionately to the burdens and complications 
that they would impose on critical functions of the affected 
entities. In several instances, the department has exceeded the 
authority granted to it under HIPAA, a fact that underscores 
the need for Congress to revisit this complex issue to ensure 
that a system of protection of individually identifiable health 
information is logical, coherent and nationally uniform, not 
needlessly burdensome and costly, and will neither impede 
health care delivery nor vital health research. While fully 
supporting the individual's right to privacy and respecting the 
need for effective, systemic protections of the confidentiality 
of individually identifiable health information, the 
implementation of the standards and procedures imposed by this 
NPRM would have real costs that far outweigh their theoretical 
benefits and would serve to deter legitimate and useful sharing 
of information that may be vital for treatment, research and 
medical education.
      

                                


Statement of Jane M. Orient, M.D., Association of American Physicians 
and Surgeons, Inc., Tucson, AZ

    The Association of American Physicians and Surgeons (AAPS), 
founded in 1943 to protect private medicine and the patient-
physician relationship, represents physicians in all 
specialties nationwide.
    Both Congress and the White House have expressed well-
founded concerns about the privacy of medical records. However, 
proposed legislation, as well as the standards on ``the privacy 
of individually identifiable health information'' recently 
promulgated by the Department of Health and Human Services as 
mandated by the Health Insurance Portability and Accountability 
Act, would have an effect opposite to the stated intention of 
protecting patient confidentiality. Both the proposed 
regulations and various legislative proposals establish 
procedures permitting and facilitating the disclosure of 
information for which disclosure is now either prohibited or 
practically impossible.
    The objective of writing standards for the electronic 
transmission of data has been subverted into a pretext for 
changing the fundamental ethics of the patient-physician 
relationship and the purpose of medical records.
    In the tradition of Hippocrates, the physician serves the 
patient, who trusts him to abide by the precept that ``All that 
may come to my knowledge in the exercise of my profession or 
outside of my profession or in daily commerce with men, which 
ought not to be spread abroad, I will keep secret and never 
reveal.'' The traditional medical record consists of the 
physicians' notes and other data, such as laboratory reports, 
related to the specific, narrow purpose of providing optimal 
care to the individual patient. The actual information in the 
record belongs to the patient, who traditionally has had 
control over the dissemination of that information.
    The proposed regulations overturn these basic principles. 
The patient's right to refuse consent to release his records is 
abrogated. All patients (or at least those who have any medical 
records in electronic format) are thus required to serve 
administratively determined societal objectives: ``health 
services research'' as well as medical research; the detection 
and prosecution of violations of any law, rule, or regulation; 
monitoring physician compliance with practice ``guidelines--and 
central allocation of resources. All of these are generally 
irrelevant to and may actually be contrary to the best 
interests of the patient. ``National priorities,'' undefined or 
vaguely defined, are held, at the discretion of an 
administrative agency, to override the individual's right to 
liberty (as the liberty to seek care from a physician who 
guards patients' privacy). Individual Fourth Amendment rights 
are easily swept aside by assertion of a collective ``need.'' 
Vastly expanded administrative powers trump the requirement for 
judicial procedure to obtain a search warrant.
    While medical professionals will be placed in the dilemma 
of violating their professional ethics or committing a federal 
crime by not releasing data, they will also be held 
responsible, under pain of prison and enormous fines, for 
monitoring behavior of other entities with which they contract 
but over which they have little control. Additionally, they 
will be required to implement costly and onerous notification 
and other paperwork requirements that actually provide no 
meaningful patient protection.
    In short, proposed rules and laws serve the interest of 
expanded use rather than real protections. The expanded use may 
serve some narrow special interests as well as regulators and 
prosecutors but will be of very questionable medical or 
scientific value, especially since accuracy will be compromised 
by the withholding of sensitive information.
    We recommend the following:
    1. A moratorium on the proposed regulations. (Comments 
submitted to HHS are appended.)
    2. Legislation that embodies the following basic 
principles:
    a. The right of all Americans to seek medical treatment 
outside of any medical insurance plan in which they may be 
enrolled should be explicitly guaranteed especially (but not 
exclusively) if the plan requires electronic data storage or 
transmission as a condition of coverage.
    2. Electronic data storage or transmission should require 
the patient's explicit, fully informed consent before the data 
are entered.
    3. No medical professional may be required to perform any 
act that violates his conscience as a condition of being 
permitted to practice his profession or specialty.
    4. Patients should have a cause of civil action against any 
individual, including an agent of the government, who causes 
him harm by the misuse of computerized data. To this end, any 
electronic data processing system established under this Act 
should include a mechanism for tracking all individuals who 
access identifiable records.
      

                                


                              Congress of the United States
                                   House of Representatives
                                                  February 14, 2000
The Honorable Donna E. Shalala
Secretary of Health and Human Services
200 Independence Ave. SW
Washington, D.C. 20201

    Dear Secretary Shalala:

    We are writing to comment on the proposed rule on standards for 
privacy of individually identifiable health information that was 
published in the Federal Register on November 3, 1999.
    We commend you for moving forward swiftly with this effort and for 
the thorough and thoughtful discussion contained in the proposed rule. 
Because Congress did not meet its self-imposed August 21, 1999, 
deadline for passing medical privacy legislation, the proposed rule is 
an important and necessary step toward addressing the pressing need for 
health information privacy protections.
    We believe that the proposed rule as a whole provides a solid 
foundation of privacy protections that will improve our health care 
system. It establishes strong privacy requirements while ensuring 
access to health information for important public interest purposes 
such as health research. However, several significant gaps in privacy 
protection remain. Some gaps relate to statutory constraints on your 
authority to regulate, including the lack of privacy restrictions 
applicable to entities that receive individually identifiable health 
information but are not covered by the rule and the lack of a private 
right of action that would enable individuals to seek redress for 
privacy violations. Other gaps include the exclusion from coverage of 
certain entities that provide insurance coverage for health care 
services, and the lack of sufficient restrictions on law enforcement 
access to individuals' health information.
    Congress should work to pass legislation that builds on the 
proposed rule and addresses issues the proposed rule does not cover. We 
have sponsored comprehensive medical privacy legislation that we 
believe would accomplish these goals. We hope to continue to work with 
you and other interested parties to promote the passage of meaningful 
medical privacy legislation. In the meantime, we urge you to issue 
final medical privacy regulations expeditiously, so that the public's 
medical records are protected as soon as possible.
    The following are our comments on specific aspects of the proposed 
rule.

    I. SCOPE

    We agree with the approach discussed in the proposed rule's 
``Applicability'' section to apply privacy protections to individually 
identifiable health information that has been transmitted or maintained 
electronically regardless of whether the information remains in 
electronic form. One of the goals of Congress in enacting the 1996 
Health Insurance Portability and Accountability Act (HIPAA) was to 
provide for the establishment of an effective privacy protection system 
for health information. A privacy protection policy that would deny 
access to health information when it is on a computer, but allow access 
once the information is printed off the computer onto paper or 
discussed orally by those viewing the computer screen would leave 
gaping holes in protection. To ensure a meaningful system of privacy 
protection that is consistent with congressional intent, it is 
appropriate and necessary to protect health information that has been 
transmitted or maintained in electronic form even where the information 
does not remain in electronic form.
    Nevertheless, we are concerned that the protections set forth in 
the proposed rule do not apply to health information that has never 
been maintained or transmitted electronically. We agree with your 
analysis that a primary concern of HIPAA was that computerization of 
the health care system was increasing apprehension about electronic 
dissemination of health information. Any comprehensive medical privacy 
protection system, however, should ensure that individuals' 
identifiable health information in any form will receive appropriate 
privacy protections. It should not be legal to sell an individual's 
health record for marketing purposes just because the record happens to 
have been maintained only in paper form. We have reviewed your analysis 
concluding that you have authority to apply your proposed rule to 
records maintained solely in paper form and agree that you do have such 
authority. We urge you to exercise your full authority and apply the 
proposed rule to records maintained solely in paper form.
    With respect to the scope of entities covered by the proposed rule, 
we are concerned that, in the ``Definitions'' section, the proposed 
rule excludes certain insurance entities such as auto insurers from the 
definition of ``health plan'' (referencing 29 U.S.C. 1186(c), which has 
been renumbered 29 U.S.C. 1191b(c)). Under the proposed rule, an auto 
insurer that pays health care costs associated with an individual's 
broken arm would not be subject to federal privacy restrictions 
regarding the health records used in the payment transaction. At the 
same time, a health plan that pays for treating the broken arm would be 
subject to federal privacy restrictions regarding the records used in 
the payment transaction. It does not make sense to make such a 
distinction among insurers who are paying for health care, and we do 
not believe that HIPAA mandates this distinction between insurers with 
respect to medical privacy regulations. We urge you not to exclude the 
types of insurance coverage listed in 29 U.S.C. 1191b(c) from the rule 
when such coverage pays the cost of medical care.
    Further, any comprehensive medical privacy law should apply privacy 
protection requirements to all entities that obtain protected health 
information. As you know, because statutory constraints limited the 
proposed rule's applicability only to health plans, health care 
providers, and health care clearinghouses, the proposed rule does not 
reach a number of entities that obtain individuals' health information. 
This means that, under the proposed rule, a health researcher could 
obtain health information from a health care provider for health 
research, and then disclose it to marketers or the individual's 
employer with no restrictions. We will continue to press for the 
passage of legislation which applies privacy protection requirements to 
all appropriate entities.

    II. GENERAL RULES

    The proposed rule's sections entitled ``Introduction to General 
Rules'' and ``Minimum Necessary'' set forth basic rules that are 
essential to medical privacy protection. Any comprehensive medical 
privacy law should prohibit the use or disclosure of individually 
identifiable health information without the individual's authorization 
or specific authorization by law. Medical privacy law should also 
ensure that, where use or disclosure of such information is authorized, 
entities take all reasonable steps to use non-identifiable (or de-
identified) health information instead of identifiable health 
information. Further, medical privacy law should require that 
identifiable information will be used and disclosed only to the minimum 
extent necessary to accomplish the legitimate purpose for which it was 
obtained. These ground rules establish clear presumptions that use and 
disclosure of individually identifiable health information will be 
limited and narrowly tailored to legitimate purposes. We are pleased 
that the proposed rule includes provisions that reflect these 
principles.

    III. CONTENT OF AUTHORIZATION FORM

    The proposed rule's section entitled ``Individual Authorization'' 
establishes necessary requirements for the content of authorization 
forms. Authorization forms should contain sufficient information to 
ensure that individuals can make informed authorization decisions. We 
are concerned that individuals seeking health treatment are vulnerable 
to requests from health care providers and others to authorize uses and 
disclosures of their health information for purposes beyond treatment, 
payment, and health care operations. Individuals in such a situation 
should have a clear understanding that their treatment and payment are 
not conditioned on providing authorizations to allow their health 
information to be used for marketing, by their employers, or for other 
purposes. Individuals also should be informed to the maximum extent 
practicable about how their information would be used and disclosed 
under the authorization.
    It would be insufficient, for example, to seek an authorization 
from an individual but to only describe to the individual generally 
what uses and disclosures are legal. Rather, individuals should be 
informed of the purposes for which the information is sought as well as 
the proposed uses and disclosures of the information. In addition, the 
authorization form itself should state that treatment and payment are 
not conditioned on agreeing to the authorization. The proposed rule 
includes such content requirements, and therefore we believe that the 
authorization content required by the proposed rule will facilitate 
informed consent.

    IV. INDIVIDUAL RIGHTS

    The proposed rule provides individuals with rights that are 
integral to ensuring that they have appropriate information about and 
involvement with their own health records. In the sections entitled 
``Access for Inspection or Copying'' and ``Amendment or Correction,'' 
the proposed rule providesimportant rights that enable individuals to 
access, copy, and correct their own records, so that individuals can 
have a remedy when inaccurate information in their records is being 
used in transactions that affect them. Further, the requirements in the 
``Accounting of Disclosures'' and ``Notice of Information Practices'' 
sections that covered entities must provide individuals with a notice 
of their information practices and the opportunity to review accounting 
of certain disclosures are necessary to ensure that individuals have 
appropriate information about the uses and disclosures that occur 
regarding their own health records.
    We request, however, that you review your decision not to include a 
requirement that covered entities obtain a signed acknowledgment from 
individuals stating that the individuals have received the notice and 
been informed of their rights. Such a requirement, which is included in 
H.R. 1941, legislation introduced by Mr. Condit, would enhance the 
right to notice set forth in the proposed rule by encouraging 
individuals to consider carefully their rights and the information 
practices that affect them before providing their health information to 
a covered entity. An alternative approach to encouraging individuals to 
review and reflect on their medical privacy rights is to require that 
individuals sign an authorization form before a covered entity may 
disclose their health information for any purpose. This approach is 
taken in H.R. 1057, legislation introduced by Mr. Markey.
    We recognize the logistical questions you have raised regarding 
exactly how signed acknowledgments should be provided, and the concerns 
you discuss regarding requiring authorizations for treatment, payment, 
and health care operations purposes. We are interested in and look 
forward to reviewing the comments of relevant parties on these issues. 
We urge you to continue to work to create optimal conditions for 
ensuring that individuals engage in meaningful review of their privacy 
rights and the information practices of covered entities, without 
imposing inappropriate burdens on covered entities.
    With respect to the section entitled ``Accounting of Disclosures,'' 
we believe that it is important to provide individuals with a means of 
learning about disclosures that an entity has made of their health 
information without imposing unnecessarily burdensome accounting 
requirements on the entity. As you know, the proposed rule attempts to 
balance these concerns by excluding treatment, payment, and health care 
operations disclosures from the accounting requirements. The rationale 
behind the proposed rule's effort to balance these concerns is 
reasonable. We agree with the proposed rule's analysis that individuals 
generally have the most interest in disclosures that they cannot easily 
anticipate will be made with their health information.
    However, the definitions of treatment, payment, and health care 
operations cover a broad range of activities, from determination of 
coverage, to billing, to utilization review, to disease management, to 
reviewing the competence of health care professionals, among many other 
activities. Given this breadth, individuals will not necessarily easily 
anticipate that their health information will be shared for each type 
of treatment, payment, and health care operations activity. Therefore, 
we are concerned that the proposed rule may not provide individuals 
with adequate means to learn about the disclosures that have been made 
with their health information. Accordingly, we request that you 
carefully review whether exclusion of all treatment, payment, and 
health care operations disclosures from accounting requirements is 
appropriate.
    V. UNDERWRITING

    It is our understanding that under current practice, insurers that 
seek an individual's identifiable health information to conduct 
underwriting generally first obtain an authorization from the 
individual that delineates the uses and disclosures that the insurer 
may make with the information, unless the underwriting activity 
concerns an existing insurance contract. Several congressional medical 
privacy proposals, however, contain broad language that would allow 
insurers to obtain an individual's health information for 
``underwriting'' without obtaining an individual's authorization. We 
are aware of no good policy reason to encourage in a federal law a 
change in current practice by allowing underwriting without the 
patient's permission.
    We therefore are pleased that the proposed rule makes clear, in the 
section entitled ``Definitions,'' that insurers may obtain and use an 
individual's identifiable health information for underwriting 
activities without the individual's permission only> when the 
individual is enrolled in the plan conducting the activities and the 
activities concern an existing contract. We ask that you provide 
clarification, however, on whether under the proposed rule, 
authorization from the individual is required for underwriting activity 
relating to a change in contract within the same health plan, and 
whether the proposed rule diverges from current practice on this 
specific issue.

    VI. DISCLOSURES FOR HEALTH RESEARCH PURPOSES

    Health research is critical to the effective operation of our 
health care system. Medical privacy law should ensure both access to 
data necessary for conducting health research and patient confidence in 
the confidentiality of their health information. Accordingly, we 
believe that, before individually identifiable health information is 
disclosed for health research, a board independent from the entities 
seeking or disclosing individually identifiable health information for 
health research should review the research and determine that 
appropriate privacy protections are in place. At the same time, there 
should be a means of ensuring expedited review where research poses 
minimal privacy threats. In the section entitled ``Research,'' the 
proposed rule takes a significant step forward toward accomplishing 
these goals by including requirements that incorporate elements of the 
``Common Rule'' standards that currently apply to review of federally 
funded research conducted by institutional review boards (IRBs).
    With increased federal restrictions on access to medical records, 
more and more entities seeking medical records are likely to claim that 
they are engaged in research. Therefore, review committees internal to 
such entities would likely face pressures to authorize disclosures that 
will advance the entity's financial interests. The proposed rule's 
requirements that no individual on the board reviewing the research can 
have a conflict of interest with the research and that at least one 
member of the board cannot be affiliated with the institution 
conducting the research help address this concern. We believe, however, 
that the proposed rule would be improved by also including a 
requirement that the Secretary certify that such boards meet the rule's 
criteria. This requirement, which is contained in H.R. 1941, 
establishes a third party mechanism to ensure that board are capable of 
exercising independent judgment. We urge you to incorporate this 
requirement into the final rule.
    It is worth noting that applying Common Rule standards to review of 
privately funded research is consistent with the approach advocated in 
recent testimony before the House Subcommittee on Health and 
Environment of the Committee on Commerce by both members and chairs of 
IRBs and representatives of individuals with serious health conditions 
who have a tremendous personal stake in health research, such as the 
National Breast Cancer Coalition and the National Organization for Rare 
Disorders. These witnesses underscored that extending Common Rule 
protections to all health research not only would be practicable but 
would benefit health research. For example, Dr. Greg Koski, Director of 
Human Research Affairs for Partners Health Care System in Boston, who 
has served over 15 years as a member and chair of an IRB, stated that 
applying Common Rule protections to privately funded research would 
improve health research because ``by protecting human subjects and by 
letting them know that we are putting their interests in the 
appropriate priority, there will be a greater willingness to 
participate in research.'' He also noted that additional guidance 
regarding specific mechanisms for confidentiality protection should be 
set forth for IRBs.

    VII. LAW ENFORCEMENT

    The provisions in the proposed rule's section entitled ``Law 
Enforcement'' do not establish sufficient privacy assurances to 
individuals. We believe that, except in emergency circumstances, 
disclosure of an individual's health records to law enforcement 
officials should only occur pursuant to a warrant, or if the individual 
has received notice of the proposed disclosure and has had an 
opportunity to challenge the disclosure. Such an approach, which is set 
forth in H.R. 1941, ensures that law enforcement officials do not have 
unchecked discretion to determine the necessity of obtaining 
individuals' health records. The proposed rule does not meet this 
standard, as it allows for disclosure of an individual's personal 
information to law enforcement officials pursuant to a range of 
procedures, including a grand jury subpoena, without any neutral third 
party review or notice to the individual.

    VIII. JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

    We are concerned that the proposed rule, in the provisions entitled 
``Judicial and Administrative Proceedings,'' would allow the disclosure 
of an individual's health information for a judicial or administrative 
proceeding simply on the basis of a request from an agency or a counsel 
representing a party in the proceeding, if the individual's health is 
at issue in the proceeding. Individuals whose information is the 
subject of such a request should have notice of the request and an 
opportunity to challenge the request. We ask that you revise the 
proposed rule to include this requirement.

    IX. ENFORCEMENT

    No matter how strong federal privacy protections may be, they will 
be difficult to enforce unless individuals have the right to seek 
redress for privacy violations. A private right of action is an 
essential enforcement tool because the government is not likely to 
pursue civil sanctions for individual violations. Enforcement through 
criminal sanctions is also insufficient since prosecutions are brought 
selectively and face a high standard of proof. Every major privacy bill 
Congress has enacted, including the Fair Credit Reporting Act, the 
Cable Communications Policy Act, the Electronic Communications Privacy 
Act, the Video Privacy Protection Act, and the Right to Financial 
Privacy Act, has contained a private right of action. We understand 
that you did not have the authority to provide for a private right of 
action, and we will continue to press to ensure that Congress passes 
medical privacy legislation that contains this crucial enforcement 
tool.

    X. PREEMPTION

    We are pleased that, consistent with the framework set forth in 
HIPAA, the proposed rule would not preempt state laws that provide 
greater privacy protections than those in the proposed rule. Setting a 
federal floor is important because it gives states the ability to enact 
stronger state privacy laws in those circumstances where they want to 
address issues of particular concern to their citizens. For example, 
some states have enacted privacy laws to encourage individuals to get 
tested or treated for communicable diseases, alcohol and drug abuse, 
and other conditions. The ``floor'' approach also allows states the 
flexibility to protect their citizens regarding specific health crises 
or concerns that we cannot predict at this time. We will continue to 
work to ensure that any medical privacy legislation enacted by Congress 
establishes a federal floor.
    We recognize that there may be questions in some instances as to 
whether an individual state law is more protective than the federal 
law. H.R. 1941 provides a mechanism for addressing such questions by 
requiring the Secretary to give advisory opinions as to whether a state 
law is more protective. We are pleased that, in the section entitled 
``Relationship to State Laws,'' the proposed rule provides a similar 
mechanism by allowing states to request an advisory opinion. We 
believe, however, that any person, not just states, should be able to 
seek such an opinion, and urge you to revise the proposed advisory 
opinion process to allow for such requests.
    We strongly believe that state laws that provide greater 
protections than the proposed rule should not be preempted. We are 
concerned, however, about the provision in the proposed rule which 
states that the Secretary may determine that the proposed rule will not 
preempt a state law if that state law is necessary for ``the efficiency 
and effectiveness of the health care system.'' Depending on how it is 
interpreted, this vaguely worded provision could allow a broad range of 
state laws that are less protective than the proposed rule to stand. We 
request that you revise this provision to ensure that it does not 
become a wide loophole for avoiding the proposed rule's requirements.

    XI. CESSATION OF OPERATIONS

    We are concerned that the proposed rule does not clearly address 
whether privacy protections would apply to health records maintained by 
a covered entity once that entity has ceased to do business. We urge 
you to ensure that health records have appropriate protections in such 
circumstances, as suggested in H.R. 1941 and as envisioned in H.R. 307, 
legislation introduced by Mr. Towns.

    XII. CONCLUSION

    The proposed rule not only establishes a strong foundation of 
privacy protections, but it presents ideas and arguments that enhance 
the debate among parties interested in medical privacy policy. We look 
forward to reviewing the comments of others on the proposed rule and 
your response to our comments. We will work to ensure that Congress 
acts to pass legislation that incorporates the important privacy 
protections included in the proposed rule and addresses areas that 
require further protection.
            Sincerely,

                          Members of Congress

Gary A. Condit
Henry A. Waxman
Edward J. Markey
John D. Dingell
Sherrod Brown
Edolphus Towns
David E. Bonior
Major R. Owens
Patsy T. Mink
Gene Green
Barney Frank
Lucille Roybal-Allard
Paul E. Kanjorski
Albert Russell Wynn
Fortney Pete Stark
Lynn C. Woolsey
William D. Delahunt
Mike Thompson
John F. Tierney
Carlos A. Romero-Barcelo
Jim McDermott
Janice D. Schakowsky
Neil Abercrombie
Eleanor Holmes Norton
Carolyn B. Maloney
Harold E. Ford, Jr.
John Joseph Moakley
James P. McGovern
Dennis J. Kucinich
Ellen O. Tauscher
Sam Farr
Benard Sanders

cc: U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
Hubert Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
      

                                


                                                  February 16, 2000
The Honorable Secretary Donna E. Shalala
Secretary of Health and Human Services
200 Independence Avenue, SW
Washington, D.C. 20201

    Dear Secretary Shalala:

    We are writing regarding the proposed rule on standards for privacy 
of individually identifiable health information that was published in 
the Federal Register on November 3, 1999. We want to associate 
ourselves with the comments on the proposed rule that were set forth in 
the February 14, 2000 letter to you from Representatives Gary A. 
Condit, Henry A. Waxman, Edward J. Markey, John D. Dingell, and 28 
other colleagues.
    Protecting the privacy of medical records is integral to the 
effective operation of our health care system. We appreciate your 
efforts on this important issue and we look forward to continuing to 
work with you, our colleagues, and others to advance appropriate and 
comprehensive medical privacy protections.
    Sincerely,

                          Members of Congress

Gerald D. Kleczka
Donna Christian-Christensen
Tom Lantos
Louise Slaughter

cc: U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
Hubert Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
      

                                


Statement of the Consortium for Citizens with Disabilities

I. General Privacy Concerns

    The Consortium for Citizens with Disabilities (CCD) is a 
Washington-based coalition of approximately 100 national 
disability, consumer, advocacy, provider and professional 
organizations that advocate on behalf of 54 million children 
and adults with disabilities and their families in the United 
States. As advocates for people with disabilities, CCD supports 
strong privacy protections that give health care consumers 
confidence that their information will be used appropriately 
and that permit the continued viability of medical research and 
delivery of quality health care.
    All persons who receive health care services have reason to 
be concerned with the inappropriate use of highly personal 
information that is collected about them within the health care 
system. As a coalition representing people living with 
disabilities, however, CCD's views on this issue are somewhat 
unique. Because people with disabilities have extensive medical 
records and sometimes stigmatizing conditions, such individuals 
feel a particular urgency to ensure that proper privacy 
protections are in place. At the same time, many people with 
disabilities interact almost daily with the medical 
establishment and thus benefit from a well-run, effective 
health care system. Such individuals do not want privacy 
protection to reduce the effectiveness of the health care 
system they must navigate.
    CCD has been actively involved in the medical privacy 
debate, and believes that the desire for medical privacy and 
the desire for an effective health care system are neither in 
conflict with each other, nor do they require ``balancing'' of 
one interest against another. Rather, establishing privacy 
protection can enhance the operation of the health care system, 
by increasing individuals' trust and confidence in that system. 
A national survey released in January 1999 found that one in 
six Americans engages in some form of ``privacy protective 
behavior'' because he or she is afraid of confidentiality 
breaches regarding sensitive medical information. These 
activities include withholding information from health care 
providers, providing inaccurate information, doctor-hopping to 
avoid a consolidated medical record, paying out of pocket for 
care that is covered by insurance, and-in some cases-avoiding 
care altogether.\1\ None of this is good for either consumers 
or the health care system.
---------------------------------------------------------------------------
    1  California Healthcare Foundation, National Survey: 
Confidentiality of Medical Records (January 1999). The survey was 
conducted by Princeton Survey Research Associates. Results are 
available at www.chcf.org/conference/survey.crfm.

II. General Approach of the Proposed Regulations

    CCD applauded the President and the Secretary's action to 
release the proposed rule. After reviewing the proposal, we 
continue to believe that the Department of Health and Human 
Services' efforts hold the potential to significantly increase 
privacy protections, and equally important, provide people new 
assurances that their deeply personal medical information will 
be used appropriately. We also believe that the proposal 
provides an important foundation for Congress to build upon in 
protecting privacy and maintaining quality health care. We are 
particularly pleased that the proposed rule would not pre-empt 
more protective state laws and acknowledges that people with 
disabilities and other sensitive conditions may need special 
protections (such as through the handling of psychotherapy 
notes). We are also pleased that the proposed rule requires 
covered entities to contract with business partners and name as 
third party beneficiaries individuals whose protected health 
information is used or disclosed. We commend the Secretary for 
proposing that individuals be permitted to access and copy 
their health information. We are also pleased that the 
Secretary acknowledges the continued need for federal 
legislation to fill gaps the Secretary did not have authority 
to cover under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA).
    While we acknowledge the leadership of the President and 
Secretary in moving the process forward, we have found areas in 
the proposed rule that we find unworkable or that need 
bolstering.

III. The Secretary's Authority Under HIPAA

    The delegation under HIPAA limited the Secretary's 
authority in three important areas. The Secretary only had 
authority to cover health plans, health clearinghouses and 
certain health care providers, and information transmitted or 
maintained electronically. HIPAA also did not provide a private 
right of action for individuals whose health information has 
been improperly used or disclosed. We encourage Congress to 
enact legislation to fill these gaps.

    A. Covered Entities

    While the Secretary covered entities permitted under HIPAA, 
unfortunately, many entities (such as life insurers, employers 
and marketing firms) that receive, use and disclose protected 
health information are not required to comply with the 
regulations. We believe that directly covering these entities 
is necessary to adequately protect patient privacy. While we 
believe that entities who receive information should be 
directly covered at the federal level, we commend the Secretary 
for acting within the limits of HIPAA and constructing the 
business partner rules to cover entities who regularly use and 
disclose protected health information.

    B. Covered Information

    As part of administrative simplification, HIPAA limited the 
Secretary's authority to protect only information transmitted 
or maintained electronically. While the Secretary discusses her 
authority at length, we are concerned that people with 
disabilities may be reluctant to seek care or to honestly 
discuss sensitive health conditions if all of their health 
information is not confidential. Privacy is especially 
important to people with disabilities because they may have 
stigmatizing conditions which, if disclosed, could result in 
discrimination and embarrassment. Because of the complexity of 
the health care system, most patients will never know what 
information, if any, is stored electronically. Even if patients 
are able to determine what information is maintained 
electronically, they will likely fear that some portion is in 
paper format. Without privacy protection for all health 
information, people with disabilities will be reluctant to 
discuss their condition. We know that this leads to bad health 
outcomes and, in some cases, would cause people to forego 
medical care entirely. The only way to ensure patient 
confidence in the health care system is to make the proposed 
rule applicable to all information.

    C. Private Right of Action

    Under the proposed rule, individuals whose protected health 
information has been improperly used or disclosed will have no 
recourse. While we recognize that the Secretary did not have 
authority under HIPAA to create a private right of action, we 
strongly believe that Congress should enact legislation to fill 
this important gap. Many federal privacy statutes have private 
right of action provisions including the Privacy Act of 1974 (5 
U.S.C. 552a), Electronic Communications Privacy Act (18 U.S.C. 
2701 et seq.), Right to Financial Privacy Act (12 U.S.C. 3401 
et seq.), Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), 
Cable Communications Act (47 U.S.C. 551), Videotape Privacy 
Protection Act (18 U.S.C. 2710) and the Driver's Privacy 
Protection Act (18 U.S.C. 2721 et seq.).

IV. Important Areas Where the Regulation Could Be Improved

    While we have many concerns with the proposed rule, we 
believe that the rule provides greater protections than exist 
today and is an important foundation upon which to build. While 
we have submitted comprehensive comments to the Secretary, we 
have highlighted five important areas for people with 
disabilities, and believe, at a minimum, the following changes 
are necessary: (1) require covered entities to obtain a written 
authorization prior to using or disclosing protected health 
information for treatment, payment and health care operations, 
(2) require entities to obtain authorization prior to 
communicating with the individual about sensitive health 
conditions, (3) require covered entities to first determine 
whether de-identified information can be used to accomplish the 
purpose of the use or disclosure, (4) prohibit disclosure of 
protected health information for law enforcement purposes 
without a warrant from a neutral judicial officer, and (5) 
extend protections of the regulations to all individually 
identifiable health information.

    A. Signed Authorization for Treatment, Payment and Health 
Care Operations
    (Section 164.506 Uses and disclosures of protected health 
information: general rules)

    The proposed rule permits covered entities to use and 
disclose protected health information for treatment, payment 
and health care operations without individual authorization. A 
signed authorization from the individual is extremely 
important. This issue was addressed at length by the Health 
Privacy Working Group, a panel comprised of diverse 
stakeholders including disability and mental health advocates, 
health plans, providers, employers, standards and accreditation 
representatives, and experts in public health, medical ethics, 
information systems and health policy. See Best Principles for 
Health Privacy, a Report of the Health Privacy Working Group 
(July 1999). This diverse group noted that, as a general rule, 
requiring patient authorization prior to disclosure can:
     bolster patient trust in providers and health care 
organizations by acknowledging the patient's role in health 
care decisions;
     serve as recognition that notice was given and the 
patient was aware of the risks and benefits of disclosure; and
     define an ``initial moment'' in which patients can 
raise questions about privacy concerns and learn more about 
options available to them.
    We find the Secretary's proposed rule extremely troublesome 
because it does not require patient authorization, and in fact, 
prohibits covered entities from obtaining authorizations unless 
required by State law. Unless the current regulatory 
authorization for treatment, payment and health care operations 
is modified, CCD would oppose implementation of this rule. In a 
world of managed care, the Administration and many health and 
consumer interests have been dedicated to shifting popular 
culture to embrace the concept of the ``empowered patient.'' 
Many observers believe that the best way to make managed care 
work is for patients to become self-advocates, active in 
working the system so they get the care they need. Dismantling 
the current authorization system runs counter to this approach. 
The Secretary's approach disempowers patients by taking away 
their ability to actively control access to their own protected 
health information.
    Patients should be encouraged to be active participants in 
their own health care-and the authorization process should be 
an integral piece of that picture. A signed authorization 
provides a unique opportunity for the individual to understand 
the uses and disclosures of her health information. This 
process will increase individual awareness of the risks and 
benefits of such uses and disclosures. While the Secretary 
states that individuals are not likely to know ``all the 
possible uses, disclosures, and re-disclosures to which their 
information will be subject,'' individuals should be informed, 
to the extent practicable, of how information will be used and 
to whom it may be disclosed. See 64 Fed. Reg. 59918, 59940 
(Nov. 3, 1999). A signed authorization will give individuals an 
opportunity to review the authorization and create an ``initial 
moment'' in which the patient can address her privacy concerns. 
When discrepancies between an individual's privacy concerns and 
the covered entity's use and disclosure of information arise, 
the signed authorization will provide an opportunity for the 
individual to ask questions about how her information will be 
used and disclosed.
    The Secretary states three reasons for not adopting a 
signed authorization approach: (1) authorizations provide 
individuals with little actual control over their health 
information, (2) consent is often not voluntary because the 
individual must sign the form as a condition of treatment or 
payment, and (3) individuals are often asked to sign broad 
authorizations but are provided little or no information about 
how their health information will be used. 64 Fed. Reg. 59918, 
59940 (1999).
    We find the Secretary's rationale troubling. The Secretary 
has the authority to improve the current authorization process 
but states current problems as the reason not to empower 
patients. Even if the Secretary chooses not to empower 
patients, her rationale that authorizations provide individuals 
with little actual control and consent is often not voluntary 
does not consider the importance of the ``initial moment.'' As 
discussed above, this moment gives individuals the chance to 
learn about the use and disclosure of her information and ask 
questions, voice concerns or negotiate, if possible. The 
Secretary's rationale also fails to consider the reality of 
receiving medical treatment for sensitive conditions. We know 
that for stigmatizing conditions, such as HIV or sexually 
transmitted diseases, individuals exercise control by foregoing 
treatment or choosing to self-pay for specific services under 
an assumed name. Authorizations would help these individuals 
learn more about the use and disclosure of their information so 
they can feel comfortable receiving treatment and providing 
accurate information to providers.
    Because many covered entities currently obtain signed 
authorizations, there would be little, if any, additional 
administrative burden. See 64 Fed. Reg. 59918, 59940 (1999). We 
see no reason to reduce current protections afforded to 
consumers. As covered entities increase communications with 
individuals, provide individuals with opportunities to 
understand how their information is being used and disclosed, 
and allow individuals to negotiate, individuals will feel that 
they have more control over their health care decisions. These 
simple but important changes will likely improve the public's 
perception of the health care system.

    B. Individual Authorization for Sensitive Health Conditions
    (Section 164.508 Uses and disclosures for which individual 
authorization is required)

    Requiring entities to obtain authorization from an 
individual before communicating with the individual about 
sensitive health conditions is also very important. People with 
disabilities who seek sensitive health care services have 
heightened concern that their medical condition or treatment 
may be inadvertently disclosed to others such as roommates, 
house mates, family members, neighbors, employers or others who 
may want to cause harm.
    Covered entities should be required to protect against 
inadvertent disclosures of protected health information 
concerning sensitive health care services [defined as services 
relating to reproductive health, sexually transmissible 
diseases (whether or not transmitted in any particular case), 
substance abuse, or mental health] by obtaining the 
individual's authorization prior to communicating with the 
individual (or the policyholder).
    Sensitive health care services often involve the most 
personal health care decisions. Individuals with sensitive 
health conditions face unique confidentiality concerns because 
they are the most likely to suffer discrimination or 
stigmatization associated with such conditions. It is very 
important that people with disabilities who have sensitive 
conditions be able to control where and how information about 
sensitive conditions is communicated to them. For example, a 
person living with HIV may want to ensure that a covered entity 
does not send any information about health services to her work 
address because she fears her employer or co-worker may 
discriminate against her.
    We believe that covered entities should be required to 
obtain authorization from the individual prior to all 
communications with the individual regarding sensitive health 
care services. All communications with the individual should be 
protected because it is very difficult to determine exactly 
where in the chain of communication an individual's information 
could result in stigmatization, discrimination, retaliation or 
other harm.
    The Secretary acknowledged in her prefatory language that 
covered entities already have the ability to implement and 
track patient authorizations. 64 Fed. Reg. 59918, 59946 (1999). 
Furthermore, the regulations require authorizations for (1) 
uses and disclosures other than treatment, payment and health 
care operations, (2) uses and disclosures of psychotherapy 
notes, and (3) uses and disclosures for research unrelated to 
treatment. Because an authorization framework is in place, we 
do not believe that an authorization for sensitive health 
conditions would be a significant burden.

    C. De-identified Information
    (Section 164.506(b)(1) Standard: minimum necessary)
    We strongly believe that entities should first be required 
to determine whether de-identified information can be used or 
disclosed to accomplish the intended purpose. While we agree 
with the Secretary's general approach that entities use or 
disclose only the minimum amount necessary, we believe that a 
clear statement that entities must first consider de-identified 
information is the only way to ensure that the minimum amount 
standard is adequately implemented.
    Requiring entities to use and disclose de-identified 
information will help ensure that only the minimum amount will 
be used. Presumably, de-identified information is part of the 
minimum amount necessary evaluation. While proposed section 
164.506(d) defines de-identified protected health information, 
it is unclear when, if at all, an entity must use de-identified 
information.
    We believe that a de-identified requirement is consistent 
with the Secretary's proposed minimum amount requirement. In 
fact, in the prefatory language to the minimum amount 
requirement, the Secretary notes that stripping individually 
indentifiable information of identifiers is currently used for 
analytical, statistical and research purposes. 64 Fed. Reg. 
59918, 59946 (1999).
    While the Secretary states that section 164.506(d) is 
intended to permit important research to continue, certainly 
there are benefits to requiring all covered entities to 
consider de-identified information. Requiring entities to 
consider de-identified information will limit the ability of 
all recipients to link the information to individuals.

    D. Law Enforcement
    (Section 164.510(f) Disclosures for law enforcement 
purposes)
    We are also very concerned about the Secretary's proposed 
section 164.510(f). Under the proposed rule, people with 
disabilities may have their health information disclosed to law 
enforcement officials without any legal process. We urge the 
final regulation require law enforcement to obtain legal 
process-such as a warrant or court order-that is judicially-
approved after application for a Fourth Amendment probable 
cause standard.
    These same requirements exist in other federal privacy 
statutes protecting peoples' communications, cable subscriber 
records and even video rental lists. None of these laws are 
absolute bars to law enforcement access. The procedural 
safeguards ensure that accountability and oversight prevent 
unwarranted and unjustified abuse of authority.

    E. Paper Records
    (Section 164.502 Applicability)
    As discussed above, as part of administrative 
simplification, the Secretary's authority was limited to 
information electronically maintained or transmitted. We are 
concerned that people with disabilities may be reluctant to 
seek care or honestly discuss their health condition if all of 
their health information is not confidential. Privacy is 
especially important to those with disabilities because if 
information about their disability or condition is disclosed 
they may suffer discrimination, embarrassment or 
stigmatization. Because of the complexity of the health care 
system, most patients will never know what information, if any, 
is stored electronically. Even if patients are able to 
determine what information is maintained electronically, they 
will likely fear that some portion is in paper format. Without 
privacy protection for all health information, persons with 
disabilities may not disclose their health condition. The only 
way to ensure patient confidence in the health care system is 
to make the proposed rule applicable to all information.

IV. Conclusion

    We believe that the proposed rule provides an important 
foundation to protect patient privacy and maintain quality 
health care. We commend the Secretary for not preempting more 
protective state laws, acknowledging that sensitive information 
needs special protection, constructing business partner rules 
and permitting individuals to inspect and copy their health 
information. We encourage Congress to enact legislation to 
build upon these important regulations and to fill gaps left by 
HIPAA.
      

                                


Statement of the Family Violence Prevention Fund, San Francisco, CA

I. General Privacy Concerns

    The Family Violence Prevention Fund (FVPF) is a leading 
national organization that advocates on behalf of the millions 
of women and children who are victims of domestic violence each 
year. The FVPF runs several major programs that deal 
specifically with health care and its response to domestic 
violence, including the national resource center on health care 
and domestic violence. As advocates for domestic violence 
victims, the FVPF supports strong privacy protections that will 
give victims confidence that their personal information will be 
used appropriately.
    Almost onethird of American women report being a victim of 
domestic violence at some point in their lives. The health care 
system is playing an increasingly important role in responding 
to battered women by identifying and documenting abuse and 
connecting victims with domestic violence advocates and 
services. Privacy of health information is critical to the 
safety and wellbeing of millions of women and children who 
suffer harm from domestic violence and abuse each year. Strong 
privacy protections that take into consideration the concerns 
of domestic violence victims will encourage victims to discuss 
their injuries and feel safe knowing that their information 
will remain confidential.
    A victim is often concerned about privacy because she fears 
that her perpetrator will discover that she has discussed the 
abuse with her provider. A perpetrator who learns that his 
victim has told her provider about the domestic violence could 
resort to further abuse. Because victims fear that their health 
information will not remain confidential, many may be reluctant 
to discuss the violence openly and honestly.
    In order to protect victims, many providers do not document 
domestic violence because they also fear the perpetrator could 
access the victim's health information and cause additional 
harm. Providers who discover but do not document domestic 
violence run the risk that later treating providers will not 
know the history of violence and misdiagnose the victim. 
Providers who do not document violence could also reduce the 
victim's chance of success in legal proceedings against her 
perpetrator. A complete medical record that fully documents 
injuries and subsequent health complications from the abuse can 
be introduced as compelling evidence to corroborate the 
victim's testimony. Without this corroborative evidence, 
victims would need to introduce other, less persuasive evidence 
which could hinder the victim's chance of success. Providers 
who know that information will remain confidential are more 
likely to engage the patient, encourage the patient to discuss 
violence openly and feel comfortable providing a complete 
record.
    For a victim who chooses to be open and honest, privacy 
concerns only begin when she discusses the violence with her 
provider. Any communication with the victim at home, including 
a bill, email or telephone call to confirm an appointment, 
increases the likelihood that the perpetrator will intercept 
the information. Individuals who are concerned about their 
safety should be permitted to give providers a telephone number 
and address where the victim feels comfortable that the 
perpetrator will not discover that she has sought treatment.
    While the Secretary's proposed regulations are an important 
foundation and include some measures of protection for victims 
of domestic violence they fall short of providing the level of 
privacy safeguards that are necessary to protect victims. We 
have submitted comprehensive recommendations to the Secretary 
which we believe are essential for improving the health care, 
safety and well-being of domestic violence victims. Without 
these protections, victims of domestic violence will receive 
inadequate health care services, be less able to pursue 
effective legal recourse, and potentially be exposed to further 
violence.

II. The Proposed Regulations

    The FVPF believes that the Secretary's proposed regulations 
have the potential to improve the quality of care for victims 
of domestic violence by establishing an important foundation 
that personal medical information will remain confidential. 
This assurance of confidentiality will likely encourage victims 
to seek treatment and promote open and honest communication 
between doctor and patient.
    We are particularly pleased that the proposed regulations 
provide individuals access to their own health information, 
require notice to patients of confidentiality practices and do 
not preempt more protective state laws. We commend the 
Secretary for constructing business partner rules which require 
covered entities to contract with business partners to whom 
protected health information is disclosed. We also commend the 
Secretary for acknowledging the continuing need and importance 
of comprehensive federal legislation.

III. The Secretary's Authority Under HIPAA

    Under HIPAA, the Secretary only had authority to cover 
health plans, health clearinghouses and certain health 
providers. The Secretary's authority as part of administrative 
simplification was also arguably limited to electronically 
stored or transmitted information and did not include the 
authority to establish a private right of action. While we 
believe that the regulations provide an important foundation 
for privacy protections, we strongly encourage Congress to fill 
the gaps left by HIPAA.

    A. Covered Entities

    Acting under the delegation in HIPAA, the Secretary's 
regulations fall short of covering all entities that receive, 
use and disclose protected health information. Legislation is 
needed to protect information received by all entities such as 
insurance companies, marketing firms and employers. Without 
covering these entities, victims of domestic violence could be 
subject to discrimination if an insurance company or employer 
were to use the information improperly.

    B. Covered Information

    While administrative simplification under HIPAA arguably 
limited the Secretary's authority to cover only electronic 
information, we believe that privacy protections should include 
all protected health information. By protecting only electronic 
information, the same concerns about patient confidence that 
exist today will continue, and many patients will remain 
reluctant to discuss sensitive health information, even for 
treatment. Because of the complexity of the health care system, 
most patients will never know what information if any, is 
stored electronically. We are especially concerned that many 
domestic violence victims will continue to hide the real cause 
of their injuries because they fear for their safety. Even if 
patients are able to determine what information is maintained 
electronically, they will likely fear that some portion of the 
information is in paper format.
    C. Enforcement and Private Right of Action

    HIPAA only permitted the Secretary to impose civil and 
criminal penalties for violating privacy standards. In order to 
provide basic privacy protections afforded to individuals under 
other federal privacy statutes, Congress should enact 
legislation that permits individuals to bring a private right 
of action.
    The civil and criminal penalties in HIPAA are not 
sufficient to ensure that those who inappropriately use or 
disclose information or fail to adopt adequate safeguards 
comply with the regulation. We are concerned that Congress has 
not recognized the need for a private right of action with 
regard to medical information. Many other federal privacy laws 
have private right of action provisions such as the Privacy Act 
of 1974 (5 U.S.C. 552a), Electronic Communications Privacy Act 
(18 U.S.C. 2701 et seq.), Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), Cable Communications Act (47 U.S.C. 551), 
Videotape Privacy Protection Act (18 U.S.C. 2710) and the 
Driver's Privacy Protection Act (18 U.S.C 2721 et seq.). 
Certainly, highly personal health information deserves the same 
protections afforded to other information.

IV. Brief Summary of Recommended Changes to the Proposed Rule

    Although we have many concerns with the proposed rule, we 
believe that the rule provides greater protections than exist 
toady and provides an important foundation upon which to build. 
While we have submitted comprehensive comments to the 
Secretary, the following is a brief summary of our recommended 
changes to the proposed rule.

    A. Applicability

    We believe that the regulation should apply to health 
information in both electronic and paper format. By only 
covering electronic information, the same concerns about 
patient confidence that exist today will continue, and many 
patients will remain reluctant to discuss, even for treatment, 
sensitive health information. Because of the complexity of the 
health care system, most patients will never know what 
information, if any, is stored electronically. We are 
especially concerned that many domestic violence victims will 
continue to hide the real cause of their injuries because they 
fear for their safety. Even if patients are able to determine 
what information is maintained electronically, they will likely 
fear that some portion of the information is in paper format. 
The only way to ensure patient confidence in the health care 
system is to make the proposed rules applicable to all 
information.

    B. Definitions

    We agree with the Secretary's proposed rule that a minor 
who lawfully obtains health care services on his or her own 
exercises the rights of an individual under the proposed rule. 
For victims of domestic violence or abuse who are minors, this 
provision would guarantee that family members who are 
perpetrators could not access information (see also comments 
for Directory Information and Next of Kin). We are also 
concerned about minors who may suffer due to well-meaning but 
inappropriate parental intervention. For example, a daughter 
who is abused by her boyfriend may fear that if her parents 
discover the abuse, they will confront her abusive boyfriend in 
a cursory or inappropriate manner. As a result, the boyfriend 
could resort to retaliation and further violence.

    C. Treatment, Payment and Health Care Operations

    We strongly believe that covered entities should be 
required to get individual authorization in order to use or 
disclose protected health information for treatment, payment 
and health care operations. While the Secretary states that 
such an authorization is meaningless because individuals must 
sign the authorization in order to receive treatment, 
authorizations themselves are very important because they are 
an ``initial moment'' in which patients can raise questions 
about privacy concerns and learn more about options available 
to them. For many domestic violence victims who are concerned 
about further violence, this initial moment will help create 
confidence that their information will be used only for 
specified purposes.
    Providers disclosing information for consultation or 
referral should be required to verify who is requesting 
protected health information. We are concerned that victims of 
domestic violence who receive specialized care (such as 
reproductive or mental health services) may have their 
information improperly disclosed to the perpetrator. Under the 
proposed regulations, a provider who renders specialized 
services would not be required to consult the patient before 
disclosing information or even verify who has requested the 
information. We are concerned that perpetrators could 
successfully obtain information by using the proposed rule 
under false pretenses.
    The regulations should require a covered entity to protect 
against inadvertent disclosures of protected health information 
concerning sensitive health care services (defined as services 
relating to reproductive health, sexually transmitted diseases, 
substance abuse, and mental health) by obtaining an 
individual's authorization prior to communicating with the 
individual at the individual's home (whether by phone or mail). 
Individuals seeking sensitive health care services have a 
heightened concern that information about their medical 
condition or treatment may be inadvertently disclosed to others 
in their household, such as roommates, housemates, or family 
members. The authorization should specifically ask whether the 
provider or plan can call the individual at home, send 
communications via email to the individual's home, or send 
bills to the individual's home. If the individual does not 
authorize these communications, the individual should provide 
on the authorization form a phone number or an address for such 
communications and must indicate how payment will be arranged 
if payment is due.

    D. Minimum Necessary

    We strongly believe that entities should first be required 
to determine whether de-identified information can be used or 
disclosed to accomplish the intended purpose. While the 
proposed rule requires that entities use only the minimum 
amount of information necessary, the rule does not require the 
use of de-identified information. We believe that a clear 
statement that entities must first consider de-identified 
information is the only way to ensure that the minimum amount 
necessary standard is adequately implemented.
    We also strongly believe that when an entity discloses 
information at the individual's request, only the minimum 
amount necessary should be disclosed, unless the individual has 
indicated otherwise. A victim may authorize a provider to 
disclose information to a friend or family member in order to 
discuss her present course of treatment. Under the proposed 
rule, a provider could disclose the victim's entire medical 
history including information about domestic violence the 
victim may have intended to remain confidential.
    Where disclosure is not pursuant to a court order, we 
strongly recommend that only the minimum amount of information 
necessary to respond to the request be disclosed in judicial 
and administrative proceedings. While we recognize that 
litigants may need to access information, we are concerned that 
covered entities who disclose information would prefer to 
disclose all information rather than redact sensitive 
information. Unnecessary disclosure could occur under a number 
of scenarios, including a subpoena in a personal injury lawsuit 
where the victim gave a history of prior abuse at the 
provider's request. While some providers, plans or parties may 
choose to redact the information, some may not--thereby 
disclosing sensitive personal information. If the holder of 
information is unclear what information is being requested, the 
entity should request clarification and should only disclose 
that information which is necessary. While the Secretary's 
preamble raises practical concerns about applying the minimum 
amount necessary standard requirement in judicial and 
administrative proceedings, we believe that, at a minimum, only 
information reasonably necessary to respond to a subpoena 
should be disclosed (see Judicial and Administrative 
Proceedings).
    We also strongly believe that law enforcement access to 
protected health information about victims of crime or abuse 
should be limited to the minimum amount necessary requirement. 
Providers who disclose too much information to law enforcement 
without adequate consideration of the victim's safety increases 
the likelihood that a perpetrator will discover that the victim 
was treated for her injuries (see Law Enforcement). We are also 
concerned about victims in small communities who can be easily 
linked to the information even if the victim's name or address 
is not disclosed. We believe that the minimum necessary 
requirement would help prevent these types of inappropriate and 
unnecessary disclosures.

    E. Right to Request Restrictions

    An individual should have a true right to restrict the use 
and disclosure of information that could jeopardize the 
individual's safety. Women who know that they will suffer 
further violence from a perpetrator must be able to access 
health care without fearing such communications will reach him. 
A victim of domestic violence needs to be able to place 
restrictions on the use and disclosure of their information 
even for treatment, payment and health care operations. A 
victim also needs to know that a perpetrator who requests 
information will not be able to locate her. It is essential 
that a victim who has fled a perpetrator not be found because a 
provider or insurer gave the perpetrator the victim's new 
address, either directly or through mailing of an explanation 
of benefits form. A victim's right to restrict the disclosure 
of her protected health information should not be dependent on 
an agreement of a health care provider, who may underestimate 
the severity of danger. Failing to give a victim of abuse a 
true right to limit disclosures of such information where the 
disclosure would endanger her safety will undermine the efforts 
of the health care community to serve victims and deprive them 
of necessary care and assistance.
    We also believe that third parties who provide health care 
services or issue bills independent of the primary provider, 
insurer, or institution should comply with use and disclosure 
restrictions requested by an individual. If an individual 
restricts the use and disclosure of information, a provider who 
agrees to or is aware of a restriction must inform third 
parties that the information can only be used and disclosed for 
purposes that do not violate the restrictions. For example, an 
individual who is referred to an out-of-plan radiologist may be 
billed separately for the radiology treatment. So, even if the 
primary provider's bill goes to an alternate address, the 
radiologist's bill could be sent to the victim's house, 
inadvertently notifying the perpetrator and endangering her. If 
an individual has requested that the original, referring 
provider only communicate with the individual at an address 
other than the individual's home, the radiologist should also 
be required to comply with the restrictions originally 
requested by the individual. It should always be the primary 
provider/institution's responsibility to communicate the 
restriction to all third parties as a patient often does not 
know which referrals are billed separately.

    F. Component Entities

    We strongly believe that the Secretary should expressly 
state that personnel and benefit administration employees 
responsible for benefits or managing the day-to-day operation 
of the health plan are covered by the regulation. The 
Secretary's preamble appears to cover these employees but we 
believe this should be made clear in the regulation. We also 
recommend that the Secretary require personnel departments and 
employees who handle health care administration to have 
safeguards to ensure that information is not disclosed to the 
larger organization. We are very concerned about employers who 
may improperly obtain information from benefit administrators 
and use the information inappropriately to make employment 
decisions (such as promotions, job assignments, and even 
firing). Victims of domestic violence would be likely targets 
even when they perform well on the job. Employees who work 
within the health care component must be empowered to deny 
release of the information to corporate executives and managers 
outside the health care component unless disclosure is required 
for health plan administration.

    G. Judicial and Administrative Proceedings

    We strongly believe that the regulations should specify 
minimum information that must be included in court and 
administrative orders in order to guide those disclosing 
protected health information and to notify those receiving 
information that the information cannot be used or disclosed 
for other purposes. At a minimum, court and administrative 
orders should: (1) provide that the protected health 
information is subject to court protection; (2) state the 
nature of the information to be disclosed, and to the extent 
practicable, identify specific information to be disclosed; (3) 
specify to whom the information may be disclosed; (4) specify 
that such information may not otherwise be used or disclosed; 
and (5) meet any other requirements that the court or tribunal 
determines are needed to protect confidentiality. These 
requirements are necessary to ensure that sensitive information 
is not released outside of the proceedings in a way that could 
jeopardize the safety of the victim.
    We believe that only the minimum amount of information 
necessary to respond to a subpoena should be disclosed. If the 
holder of information is unclear what information is being 
requested, the entity should request clarification and should 
only disclose that information which is necessary. While the 
Secretary's preamble raises practical concerns about applying 
the minimum amount necessary requirement in judicial and 
administrative proceedings, we believe that, at a minimum, the 
Secretary should require that only information reasonably 
necessary to respond to a subpoena should be disclosed. While 
we recognize that it may sometimes be difficult for parties 
responding to requests to determine exactly what information 
the requesting party seeks, the holder of the protected health 
information should not have blanket authority to disclose all 
protected health information--only information that is directly 
responsive to a subpoena should be disclosed. While a victim 
may have a long history of domestic violence and other 
conditions, if the information is not directly responsive then 
it should not be disclosed.
    We also strongly believe that the Secretary should include 
a provision prohibiting disclosure of protected health 
information unless the individual who is the subject of the 
information has had (1) reasonable notice of the subpoena and 
(2) reasonable opportunity to move the court, or other 
presiding official, to quash the subpoena on the basis that the 
individual's privacy interest outweighs the interest of the 
person seeking the information. Under the proposed rule, a 
domestic violence victim may not know about a request for 
disclosure of her personal information that could seriously 
endanger her. A notice requirement would ensure that a victim 
could take the necessary precautions to make sure that domestic 
violence information does not reach the perpetrator.

    H. Law Enforcement

    We are very concerned that domestic violence information 
may be disclosed to law enforcement officials without any 
consideration or notice about safety concerns of domestic 
violence victims. The only way to safeguard the privacy of 
domestic violence victims is to require a warrant from a 
neutral judicial officer prior to every law enforcement 
disclosure. A warrant requirement is a familiar standard in 
other federal privacy laws and has not been shown to interfere 
with legitimate law enforcement activity. We are also concerned 
that without a warrant requirement a victim could be deterred 
from reporting violence if she knows that the police could 
access all of her medical records.
    A covered entity should be required to provide notice to a 
victim about any requests or disclosures of information to law 
enforcement officials. Information released to law enforcement 
officials will likely be used to make an arrest or conduct 
follow up investigation. We are concerned that during this 
process a perpetrator may discover, either directly through 
police interrogation or indirectly from witnesses who have been 
contacted, that the victim has discussed the abuse with law 
enforcement officials or her provider. Providing notice to the 
victim will allow the victim to take necessary safety 
precautions. Because providers are already required to account 
for disclosures we believe that any administrative burden would 
be insignificant.
    When a victim has requested restrictions on uses and 
disclosures of her health information, the covered entity 
should communicate those restrictions to law enforcement 
officials. Informing law enforcement of the restrictions would 
help investigators understand a victim's safety concerns. Law 
enforcement officials would then be better prepared to help the 
victim seek protection during the investigation.

    I. Directory Information

    Because directory information includes the name, location 
and condition of the patient, a perpetrator could easily locate 
a victim to commit further violent acts. While individuals who 
are not incapacitated would have an opportunity to opt out or 
limit the amount of information to be disclosed, incapacitated 
individuals would have no protection. A provider who reasonably 
believes that the injuries of an incapacitated individual could 
be the result of domestic violence should be prohibited from 
disclosing the location of the individual. We believe that such 
a limitation is essential for the safety of domestic violence 
victims. Providers should be given discretion to disclose the 
location of the individual to immediate family members who 
qualify as next of kin and when the provider does not believe 
the injuries could be a result of domestic violence.

    J. Notice of Information Practices

    We encourage the Secretary to require entities to make 
reasonable efforts to obtain a signed acknowledgment that the 
individual has received and read the notice of information 
practices. While we believe that a signed authorization is the 
best policy, we also believe that a signed acknowledgment could 
also serve as an ``initial moment.'' (See Treatment, Payment 
and Health Care Operations)

    K. Next of Kin

    We are very concerned about situations where a perpetrator 
who is a next of kin attempts to obtain information about his 
victim's treatment for her injuries. If the perpetrator 
discovers that the victim discussed her injuries and identified 
the perpetrator by name, he could confront the victim. This 
confrontation may be another violent episode. We strongly 
believe that where verbal agreement cannot be obtained any 
disclosure must take into consideration whether the information 
could jeopardize the safety of the victim.
    We are also concerned that the proposed rule does not have 
adequate verification procedures to identify those who are 
requesting information. If verbal agreement is not possible, 
the perpetrator could easily obtain domestic violence 
information. In the Secretary's preamble (p. 59972), she states 
that when there is no verbal agreement, a verbal inquiry into 
the identity of the person requesting the information is 
sufficient. We strongly disagree and believe that an entity 
should verify the identity of the next of kin who has requested 
the information. A perpetrator could attempt to obtain 
information as next of kin while the victim is unconscious in 
order to find out whether she previously identified him as the 
perpetrator. By verifying the identity of the person requesting 
the information, a provider could then make an informed 
decision as to whether the safety of the victim may be 
jeopardized.

    L. Right to Restrict

    We recommend that the Secretary's proposed right to request 
restrictions on all information be retained. However, a mere 
right to request restrictions does not adequately address the 
safety concerns of victims of domestic violence or the 
discrimination and safety concerns of others with sensitive 
health conditions. Victims of domestic violence have immediate 
safety concerns when information about their treatment is 
disclosed to the perpetrator. Often perpetrators are angered if 
they find out that their victims have told a provider about the 
abuse. As a result, the victim may be in more serious danger of 
personal harm. There are many ways for perpetrators to discover 
that the victim has had or is seeking medical attention, or 
discover the whereabouts of the victim (i.e. by finding a bill 
or explanation of benefits or notice of appointment in the 
mail, answering medical history questions posed by an attending 
health care worker or an insurer, directly asking a provider or 
insurer, or by false pretenses). The victim should be able to 
request that, to the extent possible, covered entities not use 
or disclose protected health information in ways that would 
alert the perpetrator. Thus, the victim should be able to 
request that a bill be sent to a different address, or that the 
perpetrator (if identified) not be given particular health 
information about the victim, or that only specified persons be 
given full access to the patient's health information. Not 
requiring that entities restrict use of information has broad 
effects. If victims of domestic violence are not adequately 
assured of the confidentiality of their information, they will 
be less likely to seek medical attention and counseling. 
Failing to give victims a true right to limit disclosures of 
their health information where the disclosure would endanger 
their safety undermines the efforts of the health care 
community to serve victims and deprives victims of necessary 
care and assistance.
    We appreciate the Secretary's concern about the 
unworkability of an absolute right to restrict, but when 
restrictions concern information that could jeopardize the 
patient's safety, the safety of the individual outweighs any 
administrative burden. While restrictions may be ignored or 
overlooked because the person handling the information is 
unaware of the restrictions, we believe that entities could 
minimize any oversight by flagging restricted information in a 
noticeable place and manner on the information itself. All 
entities who receive sensitive information subject to 
restrictions by the individual should be informed of and comply 
with the restrictions.
    We are very concerned that the Secretary's proposed rule 
does not permit individuals to request restrictions on the use 
and disclosure of information in emergency situations. We 
strongly believe that the right to restrict should apply in 
emergency situations. A victim who has been harmed by violence 
may first turn to emergency services for aid, and the victim 
should be able to request that the perpetrator not be told of 
her condition or whereabouts.

    M. Inspection and Copying

    We recommend that the rule grant covered entities broader 
discretion to deny access to protected health information in 
certain circumstances where necessary to protect minors and 
other vulnerable people (elders, or those who are incapacitated 
or incompetent) from abuse by their parents, guardians, persons 
acting in loco parentis, or legal representatives who seek 
information under section 164.514. Extra protection is 
necessary for vulnerable people who depend on others to 
exercise their rights under the regulations, but who must be 
shielded from those empowered to act in their stead. Health 
care professionals who treat victims of child abuse, elder 
abuse, and other forms of domestic violence should have the 
discretion to withhold information about their patients from 
those whom the professional reasonably believes may harm the 
patient. Such discretion is critical when the patient has 
revealed the abuse and physical or emotional retaliation by the 
abuser is a real possibility.

                             V. Conclusion

    While we have many concerns with the proposed regulation, 
we believe that the rule provides greater privacy protections 
than exist today. We strongly encourage Congress to take the 
important next step by filling the gaps left by HIPAA.
      

                                


Statement of Health Industry Manufacturers Association

    This testimony is submitted on behalf of the Health 
Industry Manufacturers Association (HIMA) and its 800 member 
companies. HIMA is the largest medical technology trade 
association in the world, representing manufacturers of medical 
devices, in vitro diagnostic products and health information 
systems. HIMA member companies supply nearly 90 percent of the 
$68 billion of health care technology products purchased 
annually in the United States and more than 50 percent of the 
$159 billion purchased annually worldwide. We welcome the 
opportunity to submit testimony for the record on issues 
surrounding the privacy of individually identifiable health 
information.

    Comments on the Proposed Privacy Regulation

    Medical technology encompasses thousands of life-saving and 
life-enhancing products used by more than 50 medical 
specialties in numerous procedures and applications. Through 
advances in medical technology, more lives are saved, illnesses 
are prevented and recovery times are shorter.
    Medical device innovation differs significantly from 
pharmaceutical development in that most devices on the market 
today result from a series of incremental improvements to 
preexisting devices. These improvements result from continued 
vigilance by the manufacturer and substantial input from the 
provider community. Although well-designed research plays a 
significant role, formal research projects must be complemented 
by one-to-one interaction between the researchers tasked with 
developing and improving a technology and the clinical 
personnel who use it in their therapeutic and diagnostic 
interactions with patients. Continuity and perseverance in 
research and the ability to communicate freely with caregivers 
and patients are key drivers of innovation.
    HIMA strongly supports the development of reasonable 
patient confidentiality standards. We recognize the 
difficulties associated with developing privacy standards as 
highlighted by the Department of Health and Human Services 
(HHS) in the Background section of the preamble to the proposed 
rule. HHS has made a considerable effort toward ensuring that 
patient safety, the quality of care and medical research are 
not adversely affected by this regulation. Nevertheless, we 
believe the proposed rule still has many shortcomings. There 
are numerous requirements that are unrealistic and will not 
meet the needs of a health care system that is far more complex 
than that contemplated by the proposed regulation or the 
statute. Many items are ambiguous or require much more 
explanation and clarification.
    Taken together, these factors create concern from our 
perspective about the safety and quality of patient care, and 
our ability to collect data to support medical research. We 
believe these problems must be addressed in a satisfactory 
manner before any final regulatory framework is implemented.
    We are pleased to share with the Subcommittee our concerns 
about the proposed HHS privacy regulation. These are:

    The Definition of Covered Entity Should Exclude Most Device 
Manufacturers

    We are extremely troubled that the proposed rule does not 
clarify that the vast majority of device manufacturers are not 
covered entities. As currently drafted, the definition of 
covered entity includes device manufacturers who act as 
Medicare suppliers. These types of companies comprise a very 
small portion of the medical device industry. Because the 
definition of a covered entity does not distinguish between the 
majority of device manufacturers and the ``supplier 
manufacturers,'' it has the potential to be misinterpreted by 
implying that device manufacturers, in general, are covered 
entities.
    The rule is also vague in cases where a ``supplier 
manufacturer'' has only one part of its business that acts as 
the ``supplier.'' Thus, in addition to urging HHS to clarify 
that the vast majority of device manufacturers are not intended 
to be covered entities under the rule, we have urged more 
detail regarding the scope of the supplier component and its 
relationship to the rest of the company's business.

    Requirements to ``Deidentify'' Individual Health 
Information are Unworkable

    We believe the rule's requirement that 19 identifiers be 
removed before protected health information can be considered 
``deidentified'' is unworkable and will yield information which 
in most cases is useless for research purposes. Additionally, 
the proposed rule deviates from the ``reasonable basis'' 
standard promulgated by the Health Insurance Portability and 
Accountability Act (HIPAA) and instead adopts a standard which 
will be very difficult to meet, where one must, in effect, 
demonstrate that there is ``no reason to believe'' that a 
recipient of protected health information could ``reidentify'' 
the recipient.
    In light of HIPAA's civil and criminal provisions, it is 
likely these requirements, if adopted, will severely impede 
medical research by creating an atmosphere of extreme 
uncertainty surrounding what data can be legitimately released 
by a covered entity. We have urged HHS to adopt the HIPAA 
standard regarding individually identifiable health 
information. This will allow health information to be used 
unless there is a reasonable basis to believe that the 
information can be used to identify the individual.

    The Definition of Public Health Authority Must Be Expanded

    The proposed rule has a severely limited definition of 
public health authority. Medical device manufacturers operate 
in a global environment. As such, device manufacturers must 
provide protected health information not only to U.S. 
government entities, but also to government entities in other 
countries as well as private organizations. It is critical, 
therefore, that the definition of public health authority be 
expanded to allow disclosures to foreign governments and 
private sector organizations.

    Device Manufacturers Should Be Permitted to Support 
Treatment and Diagnosis

    The proposed rule does not permit manufacturers to support 
providers with treatment or diagnosis where protected health 
information may be disclosed. As a result, patient care may be 
jeopardized and access to life-saving and life-enhancing 
technologies may be seriously delayed.
    Device manufacturers frequently assist providers with the 
operation and use of a particular device or customize devices 
for particular patients. In many cases, the Food and Drug 
Administration (FDA) requires these activities and thus would 
be permitted by the proposed rule. Occasionally, however, a 
provider may ask a manufacturer for support that is not 
required by FDA, an activity not permitted by the proposed 
rule. In these instances, and in order to assure appropriate 
patient care or speedy patient access to needed devices, the 
regulation should allow a provider to disclose protected health 
information without individual authorization to the 
manufacturer.

    Device Manufacturers Should Be Permitted to Train Providers

    Frequently, device manufacturers are the only entities with 
the knowledge and experience to train providers on the use of a 
device. In addition to written instructional materials, such 
training frequently includes one-on-one tutorials in which the 
needs of individual patients are necessarily addressed. As 
currently written, the proposed regulation prohibits this type 
of provider training unless patient authorization is obtained, 
although the rule permits similar types of training if it is 
provided by health care professionals.
    To ensure the continued safe and proper use of medical 
devices, we have urged HHS to change the proposed rule to 
reflect that effective medical education results from a variety 
of sources including medical device companies and that this 
type of training should be permissible without patient 
authorization.

    The Proposed Rule Will Discourage the Collection of Needed 
Public Health Information

    The proposed rule permits disclosure of protected health 
information to device manufacturers when the information is 
needed to comply with rules or other directions of a 
governmental authority. However, the proposed rule lists only 
one requirement, device tracking, as an example. The device 
industry must comply with hundreds of FDA requirements that 
require the disclosure of protected health information.
    Given the severe civil and criminal penalties which will 
apply to entities violating the confidentiality standards 
established by the rule, we are gravely concerned that an 
atmosphere may develop where hospitals and other providers who 
now freely provide needed information to device manufacturers, 
will be reluctant to provide that same information in the 
future.
    To ensure that medical device manufacturers can carry out 
the activities mandated by FDA and other government agencies 
that require protected health information without individual 
authorization, it is essential that the final rule enumerate 
the many requirements with which device manufacturers must 
comply.

    Device Manufacturers Should Be Permitted to Support Data 
Collection Activities of Governmental and Private Entities

    The proposed rule permits disclosure of protected health 
information to a government health data system used to collect 
data for analysis in support of policy, planning, regulatory or 
management functions authorized by law. Government 
(specifically the Health Care Financing Administration (HCFA)) 
as well as private payers often rely on device manufacturers to 
supply this information specifically to support reimbursement 
and coverage policies.
    We believe the rule should allow device manufacturers to 
collect protected health information that will be used to 
support HFCA's reimbursement policies and other related 
decisions. The rule should also allow device manufacturers to 
collect the same information for third party payers who, in 
turn, must supply device reimbursement information to HCFA.

    The Proposed Requirements for Research Invalidate the 
Common Rule

    Finally, the proposed rule establishes new criteria to be 
included in patient consent forms for participation in medical 
research which conflict with current law governing human 
participation in clinical trials and which are inappropriate 
for medical device trials.
    Currently, the form and content of patient authorizations 
to participate in medical device trials are established by 
Institutional Review Boards acting in accord with the federal 
regulatory framework for the protection of human subjects 
(known as the Common Rule). The proposed rule invalidates a 
number of the elements required by the Common Rule. 
Additionally, a number of the elements in the proposed form are 
confusing and inappropriate for medical device clinical trials 
and the volunteers who participate in them.

    Conclusion

    In conclusion, HIMA strongly supports measures that will 
ensure that individual health information is appropriately 
protected while maintaining the safety and quality of care 
through necessary communications and procedures. We believe the 
proposed privacy rule has a number of shortcomings that will 
impede important research needed to support device innovation 
and patient access to new and improved medical technologies. We 
look forward to workable solutions that will guarantee safe 
patient access to innovative technologies through mechanisms 
that promote medical research and quality of care.
      

                                


Statement of Daniel V. Yager, LPA, Inc.

Mr. Chairman and Members of the Subcommittee:

    Thank you for allowing us to present our views to your 
Subcommittee regarding the proposed medical privacy regulations 
issued by the Department of Health and Human Services on 
November 3, 1999, ``Standards for Privacy of Individually 
Identifiable Health Information.'' LPA, is a public policy 
advocacy organization representing senior human resource 
executives of more than 250 of the largest corporations doing 
business in the United States. LPA's purpose is to ensure that 
U.S. employment policy supports the competitive goals of its 
member companies and their employees. Collectively, LPA member 
companies employ more than 12 million employees, or 12 percent 
of the private sector workforce.
    Although perhaps not intended by the Department of Health 
and Human Services (HHS), LPA believes that the proposed 
medical privacy regulations could arguably prevent employers 
from conducting drug testing and fitness for duty testing and 
from requiring employees to provide Family and Medical Leave 
Act certifications as permitted under current law. On February 
15, 2000, LPA filed comments with HHS detailing our concerns, 
based upon based upon extensive discussions with LPA member 
companies.
    LPA's comments underscore the critical role played by drug 
testing in promoting workplace safety and reducing medical and 
workers' compensation costs. The comments note that 70% of all 
employers conduct drug testing. Even HHS conducts drug testing 
before hiring its criminal investigators. LPA believes that it 
is important that the final medical records confidentiality 
regulations encourage, rather than discourage, employers to 
engage in drug testing, even if the testing is not required by 
federal law.
    The comments also point out that fitness for duty tests are 
already subjected to extensive restrictions under the Americans 
with Disabilities Act (ADA), which requires employers to keep 
all employee medical records confidential. The ADA also 
regulates when an employer may require an employee or 
prospective employee to take a fitness for duty test and which 
supervisors may view the results of the test. Because such 
tests confirm whether an employee is physically and mentally 
capable of handling dangerous tasks, they have the added 
benefit of ensuring that employers are providing a workplace 
free from recognized hazards under the Occupational Safety and 
Health Act. LPA believes that the regulations should clearly 
exclude fitness for duty tests.
    Similarly, employers may require employees to provide 
medical certifications under the Family and Medical Leave Act 
(FMLA) to ensure that the employees use the federally-mandated 
leave for proper purposes. Although the regulations may impact 
an employer's administration of the FMLA less severely than 
drug testing programs and fitness-for-duty testing under the 
ADA, LPA has urged the Department of Health and Human Services 
to clarify that these certifications would not be impacted by 
the final regulations.
    Mr. Chairman, LPA believes that medical records used for 
human resources purposes are already substantially protected by 
employment laws. We urge the subcommittee to voice its strong 
opposition to the additional restrictions in the regulations 
that would only serve to make an employer's compliance with 
existing laws more difficult without bolstering employee 
protection. A complete copy of our comments is attached for 
your information.
      

                                


                                                  February 15, 2000
U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attn: Privacy-P, Room G-322A
Hubert H. Humphrey Building
200 Independence Ave., SW
Washington, DC 20201

    RE: Standards for Privacy of Individually Identifiable Health 
Information

    To Whom It May Concern:

    We are writing to express our strong concerns regarding the 
application of the medical privacy regulations proposed on November 3, 
1999,\1\ to the ability of employers to maintain mandatory drug testing 
programs and to make critical employment decisions which are currently 
already subject to restrictions under numerous federal and state laws, 
including the Americans with Disabilities Act, the Family and Medical 
Leave Act, and the Occupational Safety and Health Act.
---------------------------------------------------------------------------
    \1\ Standard for Privacy of Individually Identifiable Health 
Information, 64 Fed. Reg. 59,918 (proposed Nov. 3, 1999).
---------------------------------------------------------------------------
    LPA, Inc. is a public policy advocacy organization representing 
senior human resource executives of more than 250 of the largest 
corporations doing business in the United States. LPA's purpose is to 
ensure that U.S. employment policy supports the competitive goals of 
its member companies and their employees. LPA member companies employ 
more than 12 million employees, or 12 percent of the private sector 
workforce. Because of the broad scope of the regulations as discussed 
below, we believe every LPA member company would be affected in a 
significant manner.
    LPA's member companies have numerous concerns with regard to the 
regulations which will be expressed through their own individual 
comments as well as those of other organizations to which they belong. 
LPA does not believe the agency intended the regulations to cover an 
employer's use of employment-related medical information within the 
bounds of current law. However, the regulations are sufficiently vague 
that it is possible that they cover drug testing and other areas 
involving critical employment decisions where Congress and various 
state legislatures have already chosen to regulate the disclosure of 
health information.\2\
---------------------------------------------------------------------------
    \2\ LPA agrees with the statement in the Preamble that the 
Secretary does not have the authority under the Health Insurance 
Portability and Accountability Act to regulate the use of protected 
health information once it is disclosed to employers. See id. at 
59,923. As is detailed in this letter, employer use of such information 
is already substantially regulated by existing law.
---------------------------------------------------------------------------
    Our concern centers upon the broad definition of ``health 
information'' in Sec. 160.103 to include ``any information . . . that 
(1) Is created or received by a health provider . . . [or] . . . 
employer . . .; and (2) Relates to the past, present, or future 
physical or mental health or condition of an individual. . ..'' This 
definition arguably could be broad enough to include:
      data compiled pursuant to a mandatory drug testing 
program maintained by an employer as a condition of employment for its 
employees;
     data compiled pursuant to a fitness for duty test 
conducted in accordance with the Americans with Disabilities Act to 
provide a reasonable accommodation or to ensure that an individual is 
capable of performing strenuous or difficult work; and
     information contained in a certification provided by an 
employee as a condition to his or her entitlement to medical leave 
pursuant to the Family and Medical Leave Act.
    LPA does not believe the agency intended to limit these activities. 
However, because the proposed regulations cover ``protected health 
information,'' which essentially means electronically transmitted 
health information that identifies a particular individual, the 
regulations would appear to govern electronically transmitted 
information used for the purposes listed above. LPA believes that the 
final regulations should clearly exempt these uses from their scope, 
both for compelling public policy reasons and because they are 
adequately regulated by existing employment laws. Each of these 
concerns will be discussed separately below.

    I. Mandatory Drug Testing Programs 

    Many employers implement drug testing of prospective and current 
employees to ensure that their employees do not pose a threat to 
themselves, their co-employees, or the public at large. Indeed, federal 
agencies are required to test applicants and employees in sensitive 
positions for drugs under Executive Order 12,564,\3\ which implements a 
drug-free federal workplace. A review of federal agency web site job 
postings reveals that drug testing is a prerequisite for individuals 
seeking certain federal jobs, such as those who apply as criminal 
investigators in the Department of Health and Human Services \4\ and 
communications equipment specialists for the Federal Aviation 
Administration.\5\
---------------------------------------------------------------------------
    \3\ Exec. Order No. 12,564, 51 Fed. Reg. 32,889 (Sept. 15, 1986) 
reprinted in  5 U.S.C.A Sec. 7301 (note) at 166-70 (1996).
    \4\ Department of Health and Human Services, Job Announcement for a 
Supervisory Criminal Investigator, announcement number OIG-00-001, 
available at http://www.psc.gov/spo/oig0001.shtm1.
    \5\ Department of Transportation, Federal Available Administration, 
Airway Transportation System Specialist announcement, available at 
http://jobs.faa.gov/anndetail.sap?vac__id=47575.
---------------------------------------------------------------------------
    Likewise, private sector employers have used drug testing programs 
for years to enhance workplace safety, particularly when the jobs 
involve hazardous activities such as manufacturing or transportation. 
The most recent statistics indicate that 70 percent of all employers 
test their employees for drugs.\6\ Employers have implemented workplace 
drug testing for a variety of reasons, including to enhance workplace 
safety, maintain product quality, productivity and employee morale, and 
reduce medical and workers' compensation costs.\7\
---------------------------------------------------------------------------
    \6\ American Management Association, 1999 AMA Survey on Workplace 
Testing, at 2.
    \7\ See e.g., G. John Tysse and Garen E. Dodge, WINNING THE WAR ON 
DRUGS: THE ROLE OF WORKPLACE TESTING, 147(1989)
---------------------------------------------------------------------------
    Overall, workplace drug use is estimated to cost employers over 
$100 million annually.\8\ The anecdotal evidence of the effectiveness 
of workplace drug testing programs is ``compelling'' according to the 
U.S. Department of Labor's Internet site. For example:
---------------------------------------------------------------------------
    \8\ Department of Labor Internet Site: ``Working Partners for an 
Alcohol and Drug-free Workplace, Background Information: Workplace 
Substance Abuse,'' available at http://www.dol.gov/dol/asp/public/
problems/drugs/backgrnd.htm.
---------------------------------------------------------------------------
     drug-using employees at GM average 40 days sick leave each 
year compared with 4.5 days for non-users;
     employees testing positive on pre-employment drug tests at 
Utah Power & Light were 5 times more likely to be involved with a 
workplace accident than those who tested negative;
     in Ohio, the establishment of drug-testing and treatment 
programs reduced on-the-job injuries by 97 percent;
     Southern Pacific Railroad experienced a 71 percent 
decrease in injuries;
     a manufacturer with 560 employees reduced industrial 
accidents over thirty percent.\9\
---------------------------------------------------------------------------
    \9\ Id.
---------------------------------------------------------------------------
    Thus, there is ample evidence that drug testing helps achieve vital 
workplace goals.
    Because of the success of programs like these, testing in some 
industries is now even required by law, such as the mandatory drug 
testing programs for commercial drivers required by the Omnibus 
Transportation Employee Testing Act of 1991.\10\ Even where drug 
testing is not required, it is often encouraged. Thus, the Drug-Free 
Workplace Act of 1988 \11\ requires all federal contractors with 
contracts of at least $25,000 to certify that they are providing a 
drug-free workplace, at the risk of contract debarment if they fail to 
do so. Many contractors are able to provide this certification as a 
result of their drug testing programs.
---------------------------------------------------------------------------
    \10\ 49 U.S.C.A. Sec. 20103.
    \11\ 41 U.S.C.A. Sec.  et seq. (West 1987 & Supp. 1999).
---------------------------------------------------------------------------
    The regulations effectively appear to encompass information 
generated by mandatory drug testing. The medical profession holds a 
longstanding belief that drug dependency is a disease to be treated, 
rather than a disability to be accommodated.\12\ However, if that is 
the case, then workplace drug testing, despite an employer's desire to 
maintain a safe workplace, is covered under the proposed regulations' 
definition of health care, which includes ``preventive, diagnostic . . 
. rehabilitative . . . care, counseling, service or procedure with 
respect to the physical or mental condition, or functional status of a 
patient.'' \13\
---------------------------------------------------------------------------
    \12\ See, e.g., American Medical Assn., Drug Dependencies As 
Diseases, House of Delegates Resolution H-95.983 (Jan. 1998) available 
at http://www.ama-assn.org/apps/pf__online/pf__online.
    \13\ 64 Fed Reg. 60,049 (to be codified at 45 C.F.R. Sec. 160.103).
---------------------------------------------------------------------------
    Because it is important that employers be able to continue to 
maintain mandatory drug testing programs, Congress excluded them 
altogether from the strict requirements of the Americans with 
Disabilities Act governing medical examinations.\14\ The exclusion of 
mandatory drug testing programs from the ADA requirements made sound 
policy sense--to encourage workplace drug testing. However, the 
exclusion also logically flowed from the fact that such programs seek 
to obtain information about the deliberate illegal activities of 
individuals that could have serious work consequences, even if those 
activities were the result of a disease that is beyond their control.
---------------------------------------------------------------------------
    \14\ ``For purpose of this subchapter, a test to determine the 
illegal use of drugs shall not be considered a medical examination.'' 
29 U.S.C.A. Sec. 12114(d)(1) (West 1999).
---------------------------------------------------------------------------
    The same considerations that led Congress to exclude testing for 
the illegal use of drugs from the strict regulation of medical 
examinations under the Americans with Disabilities Act should lead to 
the same exclusion from the proposed regulations.

    II. Fitness for Duty Testing 

    Many jobs require certain levels of physical and/or mental 
competencies. Fitness for duty examinations allow employers to 
determine whether an individual can perform the essential functions of 
the job and, if they are not able to because of a disability, whether a 
reasonable accommodation can be made to enable them to perform those 
functions. Likewise, fitness tests for safety purposes confirm that an 
employee is physically and mentally capable of handing dangerous tasks. 
Each of these similar but distinct situations is dealt with below.
    The Equal Employment Opportunity Commission, in its January 1992 
``Technical Assistance Manual on the Employment Provisions (Title I) of 
the Americans With Disabilities Act,'' provides several examples of 
fitness tests, all of which are consistent with the ADA's protections:
     ensuring that ``prospective construction crane operators 
do not have disabilities such as uncontrolled seizures that would pose 
a significant risk to other workers;'' \15\
---------------------------------------------------------------------------
    \15\ U.S. Equal Employment Opportunity Commission, Technical 
Assistance Man., Title I, Americans with Disabilities Act, reprinted in 
Americans With Disabilities Act Man. 90:0556 (BNA)(1992).
---------------------------------------------------------------------------
     testing of workers in certain health care jobs ``to ensure 
they do not have a current contagious disease or infection that would 
pose a significant risk of transmission to others;'' \16\ and
---------------------------------------------------------------------------
    \16\ Id.
---------------------------------------------------------------------------
     ensuring that an individual considered for a position 
operating power saws or other dangerous equipment is not someone 
``disabled by narcolepsy who frequently and unexpectedly loses 
consciousness.'' \17\
---------------------------------------------------------------------------
    \17\ Id. at 90:0543.
---------------------------------------------------------------------------
    Under the Americans with Disabilities Act, employers are already 
substantially regulated as to when they can require medical exams of, 
or request medical information from individuals; what they can examine 
or ask them for; and what employment decisions are permissible once 
medical information concerning the individual is acquired. An employer 
is generally prohibited from discriminating against a ``qualified 
individual with a disability,'' which means a disabled individual who 
can perform the ``essential functions of the job'' with or without a 
``reasonable accommodation.''
    The ADA correctly recognizes that the employer must have access to 
a certain amount of medical information about employees and prospective 
employees to comply with the law. Under Section 102 of the ADA, 
employers have the right to require a medical examination after an 
offer of employment has been made and prior to the commencement of 
employment.\18\ If, during the medical examination, the doctor 
discovers a condition that may affect the person's ability to do the 
job, the employer still must go through the ``reasonable accommodation 
process'' to determine whether the individual could do the essential 
functions of the job with a reasonable accommodation.\19\ Once the 
individual has been hired, the employer may not require medical 
examinations unless they are ``job-related and consistent with business 
necessity.'' \20\
---------------------------------------------------------------------------
    \18\ 42 U.S.C.A. Sec. 12112(d).
    \19\ 42 U.S.C.A. Sec. 12111(9).
    \20\ 42 U.S.C.A. Sec. 12112(d)(4)(A).
---------------------------------------------------------------------------
    Meanwhile, the ADA limits the amount of medical information that 
can be obtained during employment to that information which is job-
related and consistent with business necessity. Strict confidentiality 
requirements apply to the information, and several courts have held, 
with agreement from the Equal Employment Opportunity Commission, that 
these requirements apply regardless of whether an individual has a 
disability.\21\ During the hiring process, the employer may share 
medical information only with decision-makers with a ``need to know'' 
the information. Even an employee's supervisor and manager are not 
entitled to any medical information beyond what limitations the 
employee has to do the particular job. Thus, the ADA already protects 
against any improper use of critical medical data by the employer.
---------------------------------------------------------------------------
    \21\ See Roe v. Cheyenne Mt. Conf. Resort, 124 F.3d 1221 (10th Cir. 
1997), cert. denied--U.S.--, 119 S. Ct. 1455 (1999); Criffen v. 
Steeltek, Inc., 160 F.3d 591 (10th Cir. 1998); Cossette v. Minnesota 
Power & Light, 188 F.3d 964 (8th Cir. 1999); Fredenberg v. Contra Costa 
County Dept. of Health Services, 172 F.3d 1176 (9th Cir. 1999).
---------------------------------------------------------------------------
    Yet, the data obtained consistent with ADA requirements would 
appear to constitute ``health information'' under the proposed 
regulations, even though HHS probably did not intend this result. Thus, 
even though the employer would have a narrow right to access the data 
under the ADA, a new authorization requirement would be superimposed by 
the proposed regulations. As a result, employers could be forbidden 
from viewing the results of medical exams taken to detect or confirm 
the existence of a disability that could affect the ability of an 
employee to do his or her job competently and safely.
    This restriction has implications beyond the ADA. Results of 
fitness for duty tests performed in accordance with the ADA may also be 
used to ensure an employer is complying with the Occupational Safety 
and Health Act (OSH Act). Although fitness for duty tests are not 
required by the OSH Act,\22\ employers may reduce unnecessary workplace 
accidents by implementing these tests because they will identify 
employees who are impaired, physically incapable, or not properly 
trained and ensure that they are not placed in jobs involving hazardous 
work.\23\ However, the medical regulations are probably sufficiently 
vague that the information gathered under these tests would not be 
exempted under them, even though fitness testing is consistent with the 
purpose of the OSH Act.
---------------------------------------------------------------------------
    \22\ The OSH Act requires employers to provide employees 
``employment and a place of employment that is free from recognized 
hazards which. . .are likely to cause death or serious physical harm to 
his employees.'' 29 U.S.
    \23\ Although hazard avoidance is often employer-driven ``[i]n many 
workplace situations, avoidance of hazards depends on proper employee 
conduct. Many citations have been issued under the general duty clause 
either because actions of employees created hazards or because 
employees did not take precautions to avoid hazards.'' Stephen A. Bokat 
and Horace A. Thompson III, Eds., OCCUPATIONAL SAFETY AND HEALTH LAW, 
136 (1988).C.A. Sec. 654(a) (West 1999).
---------------------------------------------------------------------------
    In addition, the OSH Act specifically requires employers to provide 
voluntary medical testing for its employees. An employer could use the 
information received to comply with its general obligation under OSHA 
to provide a place of employment that is free from hazards. However, it 
would appear that the information gathered under these tests would not 
be exempt from the medical privacy regulations and therefore it could 
be subjected to numerous restrictions that would prevent the use of the 
data for the very purpose that it was intended.
    For the foregoing reasons, we recommend that the final regulations 
make clear that they will not apply to information regarding fitness 
tests that an employer or its agents may lawfully obtain, use or 
disclose under the ADA, state and local laws relating to discrimination 
on the basis of disability, the OSH Act, and state safety and health 
laws. Use of such information is already adequately protected under the 
ADA, and additional consent and disclosure requirements would serve to 
impede the administration of federal antidiscrimination policy.

    III. Family and Medical Leave Act 

    Under the Family and Medical Leave Act (FMLA), employees are 
guaranteed a right to up to twelve weeks of leave annually for a 
serious medical condition. Under Section 103 of the FMLA, employees who 
wish to use FMLA medical leave can be required by their employer to 
provide a certification issued by a health care provider that 
discloses, in part:
     the date on which the employee's ``serious medical 
condition'' began;
     the probable duration of the condition;
     the ``appropriate medical facts within the knowledge of 
the health care provider'' regarding the condition; and
     a statement that the employee is unable to ``perform the 
functions of the position.'' \24\
---------------------------------------------------------------------------
    \24\ 29 U.S.C.A. Sec. 2613(b)(1-4) (West 1999).
---------------------------------------------------------------------------
    Medical certifications provided by employees returning from leave 
under the Family and Medical Leave Act allow employers to ensure that 
the employee is ready to undertake the duties required in the 
employee's position. Similar issues exist with respect to the 
information included in the opinion of a second health care provider 
requested by an employer who doubts the validity of the employee's 
initial certification \25\ or in the opinion of a third health care 
provider called upon to resolve a conflict between the opinions of the 
first and second health care providers.\26\
---------------------------------------------------------------------------
    \25\ Id. at Sec. 2613(c) & (d).
    \26\ Id. at Sec. 2613(e).
---------------------------------------------------------------------------
    Much of the information contained in the medical certification 
would appear to meet the definition of protected health information 
under all the proposed bills, and would therefore be covered by the 
requirements of those bills. However, under the FMLA, the employer may 
require the employee to provide a medical certification before 
returning the employee to his or her job. Thus, there is an implicit 
requirement that the employee provide consent for the employer to see 
the medical certification.
    To avoid any inadvertent conflicts between employment law and the 
medical privacy regulations, we recommend that the final regulations 
exclude protected health information contained in certifications that 
an employer or its agents may use or disclose when exercising their 
rights or responsibilities under the FMLA.

    IV. Consequences of an Employee's Refusal to Provide Authorization 

    In addition to recognizing that an employee authorization is not 
required where employers are currently permitted to use protected 
health information, the regulations should state that an employer is 
permitted to make an employment decision based on an employee's refusal 
to provide the results of a drug or a fitness-for-duty test under the 
ADA, FMLA, and similar laws. This would make the regulations consistent 
with the existing application of these laws and eliminate potential 
confusion regarding application of the exclusion.
    A few examples illustrate the need for such a provision. The ADA 
acknowledges that an employer is not obligated to hire an employee with 
or without a disability who is not able to perform the essential 
functions of the job. If an employee refuses to submit to a post-offer 
fitness for duty test, or refuses to disclose the results of such a 
test, the ADA allows the employer to refuse to hire the employee 
because the employer cannot assess whether the employee can perform the 
job's essential functions.
    An employer faced with the potential that an unskilled or untrained 
employee could be placed in a safety sensitive position and could cause 
substantial safety problems, must determine the employee's fitness 
before they are assigned such a position. Thus, an employer should be 
allowed to take appropriate action against an employee who refuses to 
take or disclose the results of a drug or fitness test that could 
result in safety implications.
    Similar reasoning applies under the FMLA and more generous 
employer-provided leave policies. As noted above, an employer may 
require an employee to provide a medical certification and is not 
required to restore the employee to his or her position until the 
certification is provided. Thus, if an employee refused to provide the 
disclosure, the employer could refuse to reinstate the employee.
    Moreover, employers often provide benefits beyond those required by 
the federal employment law. For example, in addition to providing 
unpaid leave under the FMLA, many employers also provide sick leave for 
short absences and temporary disability benefits for longer-term 
medical absences. For this reason, LPA also recommends that the 
regulations should permit employers to require employees to provide 
certifications of their conditions to demonstrate eligibility for these 
employer-provided benefits. The same rationale applies to both 
situations--in order to receive the protection of the law or voluntary 
benefits provided by the employer, the employee must demonstrate that 
he or she had a bona fide condition that triggered the protection or 
the benefits.
    By acknowledging that employers may make employment decisions based 
on an employee's refusal to take or disclose the results of a mandatory 
drug or fitness for duty test, a certification for FMLA or employer-
provided paid leave, the regulations would protect the ability of 
employers to comply with existing labor and employment laws, maintain 
the safety of their workplaces, and offer generous leave packages.
    V. Limitation to Electronic Data 

    As proposed, the medical privacy regulations only apply to 
electronically transmitted protected health information. However, the 
Secretary argues in the Preamble that she has the authority to regulate 
paper records under several authorities.\27\ LPA takes exception to 
this statement. The Health Insurance Portability and Accountability Act 
(HIPAA), which authorized the regulations, clearly does not authorize 
the Secretary to regulate anything but electronically transmitted 
information. This is made clear in the legislative history as well.\28\ 
LPA opposes the Secretary's stretched attempt to expand her authority 
beyond that which she is expressly granted in HIPAA.
---------------------------------------------------------------------------
    \27\ Although we are concerned that extending our regulatory 
coverage to all records might be inconsistent wit the intent of the 
provisions of HIPAA, we believe that we do have the authority to do so 
and that there are sound rationale for providing a consistent level of 
protection to all individually identifiable health information held by 
covered entities.'' Id. at 59,924.
    \28\ U.S.C.A. Sec. 1320d-2 (West Supp. 1999), ``The Committee 
recognizes the role of the private sector in establishing innovative 
data transactions systems relating to electronic exchange. . .privacy 
standards, and electronic signatures. The standards adopted would 
protect the privacy and confidentiality of health information. Health 
information is considered relatively `safe' today, and because it is 
secure, but because it is difficult to access. These standards improve 
access and establish strict privacy protections.'' Conference Report on 
the Health Insurance Portability and Accountability Act of 1996, H. 
Rep. No. 104-406 at 99 (1996), reprinted in 5 U.S.C.C.A.N. 1,900 
(1996).

---------------------------------------------------------------------------
    Thank you for this opportunity to submit our views.

            Sincerely yours,
                                            Daniel V. Yager
                          Senior Vice President and General Counsel
      

                                


Statement of Medical Group Management Association

    Medical Group Management Association (MGMA) urges the 
Department of Health and Human Services (HHS) to re-issue the 
proposed privacy rule. ``MGMA appreciates the enormous 
complexities that HHS was confronted with in drafting the 
proposed rule to protect the confidentiality of medical 
information. In light of the extensive revisions that HHS 
should incorporate into a final rule, MGMA urges HHS to issue a 
new proposed rule reflecting the revisions before it drafts a 
final rule. Due to the importance and overarching impact of 
this issue, all interested parties should have an adequate 
opportunity to review and comment on the changes to the 
original proposed rule,'' according to MGMA President and CEO 
William F. Jessee, M.D.
    The privacy of an individual's personal health information 
should never be inappropriately compromised. However, MGMA 
contends that protecting the privacy of medical information 
must be balanced against the unnecessary burdens privacy 
protections place upon group practice administrators and all 
health care providers. Furthermore, it is essential that 
privacy protections do not interfere with vital activities such 
as medical treatment and research.
    ``MGMA commends the efforts of HHS to protect the 
confidentiality of medical information. MGMA believes HHS took 
several positive steps in addressing a very difficult issue. 
However, we also believe there are several significant flaws in 
the proposed rule, which would place tremendous burdens on 
medical group practices and interfere with the delivery of 
efficient and high quality health care,'' said Jessee.
    In light of the limited applicability of the proposed rule 
mandated by the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA), MGMA maintains that the best avenue for 
protecting health information is through comprehensive 
legislation. MGMA is concerned that the proposed rule would not 
apply to many entities that use and disclose medical 
information on a daily basis (e.g., life insurance issuers, 
third-party administrators, and employers). Furthermore, the 
protections provided in the proposed rule would not cover 
purely paper records.
    In its formal submission to HHS, MGMA emphasized the 
following:

     Provided HHS has the authority, MGMA urges HHS to 
expand the rule to cover all information, even information that 
has never been electronically maintained or transmitted. There 
are many medical organizations, especially small physician 
practices, that still maintain and transmit information in 
paper form. In order to protect fully the confidentiality of 
health information, HHS should apply its standards to all 
information, regardless of how it is stored or transmitted. In 
addition, the proposed approach would create an undesirable and 
confusing scenario involving ``mixed'' records with certain 
records potentially containing both protected and unprotected 
information. This would place administrative burdens upon 
providers and administrators to ensure that protected health 
information is handled appropriately.
     MGMA supports the approach adopted by HHS in the 
proposed rule that would not require a patient's authorization 
to use or disclose protected health information (PHI) for 
treatment, payment, and ``health care operations.'' Patients 
expect that their health information will be used for treatment 
and payment when they seek medical care. Requiring an 
authorization would be a mere formality and not serve a 
legitimate purpose, since an authorization often is obtained 
prior to a patient receiving medical care. MGMA strongly 
believes that a separate authorization should not be required 
for health care operations, since these activities are directly 
related to and often times inseparable from treatment and 
payment.
     HHS proposes that a covered entity must make all 
reasonable efforts not to use or disclose more than the minimum 
amount of protected health information necessary to accomplish 
the intended purpose of the use or disclosure. While the intent 
behind ``minimum necessary'' is commendable, MGMA believes this 
standard places an unfair burden on the entity making a 
disclosure and may interfere with patient care as well as 
patient safety initiatives.
     While MGMA recognizes the importance of protecting 
the privacy of health information in all hands, we strongly 
object to the ``business partner'' proposal and recommend that 
HHS completely remove the liability provision of the proposed 
rule. It is impractical and unrealistic to expect a covered 
entity to monitor and determine if a business partner is 
complying with the requirements of the regulation. In addition, 
as outlined in the rule, an individual could sue a covered 
entity if a business partner inappropriately discloses 
information. However, HIPAA does not extend to HHS the 
authority to include a ``private right of action,'' and MGMA 
believes HHS is attempting to circumvent the statute through 
the business partner proposal.
     MGMA strongly supports the principle of 
``scalability,'' which provides practices flexibility in 
complying with the proposed rule's requirements. MGMA applauds 
HHS for recognizing the fact that the magnitude and complexity 
of the proposed rule will create significant monetary and 
administrative burdens.
    The full text of MGMA's formal comments on the proposed 
rule is posted on the Public Policy section of MGMA's website 
at ``http://www.mgma.com/legislation/. For specific questions 
regarding MGMA's comments, please contact Aaron N. Krupp, MGMA 
Government Affairs Representative, at (202) 293-3450.
    Founded in 1926, MGMA's membership includes more than 7,100 
organizations, representing more than 185,000 physicians. MGMA 
executive offices are in Englewood, Colo. 
      

                                


                                    National Association of
                                    Insurance Commissioners
                                       Washington, DC 20001
                                                      March 1, 2000
The Honorable William Thomas
Chair
Subcommittee on Health
Committee on Ways and Means
1136 Longworth House Office Building
Washington, DC 20515-6349

    Dear Chairman Thomas:

    The National Association of Insurance Commissioners (NAIC), 
representing the nation's fifty-five chief insurance regulators, 
submits the enclosed document and asks that it be included in the 
record for the hearing on health information privacy held by your 
subcommittee on February 17, 2000.
    The enclosed document is the comment letter the NAIC sent to the 
United States Department of Health and Human Services regarding its 
proposed health information privacy regulation. The letter raises many 
concerns including the following:

 Limited Applicability and Scope:
    The regulation only applies to a limited group of entities (health 
plans, health care providers and health care clearinghouses) and only 
applies to paper records. While we recognize that HHS is limited in its 
authority and jurisdiction to apply the standards established in the 
regulation, we think the regulation should apply to a broader group of 
entities that use and disclose protected health information and should 
apply to all insurers, not just health insurers. We think the 
regulation should protect all forms of individually identifiable health 
information, both paper and electronic.

 Preemption of State Laws:
    While we appreciate HHS' intent to create federal minimum 
standards, to preserve stronger state laws, and to protect certain 
state laws from any preemption, the NAIC membership has serious 
reservations about how the preemption standard used in the proposed 
regulation is to be implemented. The general rule is that 
``provisions'' of state law are preempted to the extent that they are 
``contrary'' to the federal statutory and regulatory scheme. We have 
found similar standards not to be very helpful in comparing state laws 
to federal requirements. A state must examine all its laws relating to 
health information privacy to determine whether or not its laws are 
contrary to the requirements in the proposed regulation. This in and of 
itself is a major project for states to undertake.
    We offer a suggestion to help the operation of and to ease the 
administrative burden of implementing this standard. We propose that 
the states be given the greatest amount of flexibility in determining 
what the necessary scope of ``provision'' is when applying the general 
rule's contrary standard. In the regulation, HHS has recognized that 
states know their laws best and are best informed about how to apply 
their laws. The NAIC membership believes that the definition should 
preserve to the maximum extent possible state privacy initiatives that 
extend beyond the covered subject matter of the proposed regulation.

 Determination Process:
    There are several serious flaws with this proposed process:
     First, the determination process is overly burdensome for 
states. Not only do states have to conduct a ``contrary analysis'' for 
all of their laws that protect health information and then submit 
requests for exceptions to HHS, but they also have to wait for HHS to 
make a determination in order for the states to enforce their laws.
     Second, the proposed regulation states that the federal 
standard applies until a determination is made. Cessation of state 
regulation in the interim will essentially leave plans unregulated 
until HHS makes a determination. We believe the current assumption in 
the proposed regulation that the federal standard applies until a 
determination is made should be reversed. State laws should stand until 
and unless HHS has determined otherwise.
     Third, the proposed regulation does not establish a time 
frame or deadline by which HHS has to issue a determination. We suggest 
that HHS revise its regulation to include a time period by which HHS 
has to make a determination. We also suggest that if HHS does not make 
a determination after a specified amount of time, then a default 
determination should be issued in favor of the state.
     Finally, even if states are granted an exemption from 
preemption through the HHS determination process, there is a three-year 
time limit on how long a state law is exempt pursuant to this 
determination. The process is quite burdensome for the states, so we 
question the provision requiring states to ask for a re-determination 
on the same laws every three years as a waste of time and resources for 
the states and for HHS. The time limit should be eliminated.

 Lack of Guidance in Classifying State Insurance Laws:
    There is lack of guidance regarding state laws that are contrary to 
the proposed regulation but that could fall into more than one category 
of state laws that are exempt from preemption. State insurance laws 
easily could fall into several of the categories of exceptions. An 
example is a state law regulating health insurance plans (category one) 
that is more stringent than the federal regulation (category two) and 
requires health insurance plans to report information (category 3). We 
request that a clarification be included in the regulation stating that 
if a state law falls within several different exceptions, the state 
chooses which exception shall apply. The presumption should be that the 
state has the best knowledge of its laws and it has correctly 
classified its laws in the appropriate category of exceptions. We think 
this simple clarification statement will avert much litigation and 
prevent state insurance departments from having to defend endless 
challenges to their classification of their laws.

 Lack of Clarity in Classifying State Insurance Department 
Activities:
    The proposed regulation establishes a list of exceptions to the 
authorization requirement, such that protected health information may 
be used or disclosed without authorization in certain circumstances. 
However, under the HHS proposed regulation, the activities of state 
insurance departments fit under any one or more of the following three 
exceptions: (1) for disclosure to health oversight agencies for health 
oversight activities; (2) for disclosure for law enforcement purposes; 
and (3) for use and disclosure for judicial and administrative 
proceedings. The regulation is unclear about the role of insurance 
departments relative to these exceptions, and each of these exceptions 
has its own requirements and processes. We ask HHS to include language 
in the text of the proposed regulation stating that if a state 
insurance activity falls within several different exceptions, the state 
chooses which exception shall apply. In addition, we ask HHS to 
recognize the broad scope of legally authorized activities performed by 
insurance departments and to reflect those activities in the 
regulation.

 Permitted Versus Required Disclosure:
    Under the proposed regulation covered entities are ``permitted'' 
but not ``required'' to disclose necessary protected health information 
to health oversight and law enforcement agencies. We believe that 
covered entities under investigation by a state agency should be 
required to provide that state agency with access to necessary health 
information when performing its legally mandated duties. This 
disclosure should not be optional. By not requiring insurers to provide 
state insurance departments with access to records, filings and other 
documents that may contain individually identifiable information, state 
insurance departments' ability and authority to perform their 
regulatory responsibilities is undermined. In addition, obtaining 
authorization from all of an insurer's clients for investigation of an 
insurer's business practices is not feasible or practical.
    In addition to these concerns, the members of the NAIC would 
appreciate further discussions with the witnesses regarding the 
interaction between the HHS regulation and the privacy requirements 
found in the newly enacted Gramm-Leach-Bliley Act.
    For insights into the NAIC's position regarding the issues 
surrounding proposed federal health information privacy legislation, I 
refer you to the testimony the NAIC submitted to your subcommittee on 
July 20, 1999. That testimony may be found on our website at http://
www.naic.org/1news/testimonies/index.htm.
    If you have any questions please contact Mary Beth Senkewicz at 
(202) 624-7790.
            Sincerely,
                                         Kathleen Sebelius,
                                                Vice-President NAIC
                                 Chair, Health Insurance Task Force
                         Commissioner of Insurance, State of Kansas
Enclosure
      

                                


                                                  February 15, 2000
Margaret Ann Hamburg
Assistant Secretary for Planning and Evaluation
United States Department of Health and Human Services
Hubert H. Humphrey Building
Room G-322A
200 Independence Avenue, S.W.
Washington, DC 20201
Attention: Privacy-P

    Dear Assistant Secretary Hamburg:

    On behalf of the National Association of Insurance Commissioners 
(NAIC) Health Insurance Task Force, I hereby submit these comments on 
the proposed rules entitled, ``Standards for Privacy of Individually 
Identifiable Health Information,'' published in the Federal Register on 
November 3, 1999 (64 Fed. Reg. 59918-60065).
    The NAIC appreciates the Department of Health and Human Services' 
(HHS) efforts to establish standards to protect the privacy of 
individually identifiable health information maintained or transmitted 
in connection with certain administrative and financial transactions 
and to provide a basic level of protection to consumers. We too 
understand the necessity of protecting individuals' health information, 
and as such, we have adopted stand-alone model privacy legislation \1\ 
and have incorporated privacy protections in other health-related 
models. In general, we appreciate the flexibility afforded the states 
in the HHS proposed regulation.
---------------------------------------------------------------------------
    \1\ The ``Health Information Privacy Model Act'' and the 
``Insurance Information and Privacy Protection Model Act.''
---------------------------------------------------------------------------
    Drafting standards that protect the privacy rights of individuals 
with respect to highly personal health information is a difficult task. 
Like you, the members of the NAIC sought to write standards that would 
not cripple the flow of useful information, that would not impose 
prohibitive costs on entities affected by the legislation, and that 
would not prove impossible to implement in a world that is rapidly 
changing from paper to electronic records. At the same time, the 
members of the NAIC recognized the need to assure consumers that their 
health information is used only for the legitimate purposes for which 
it was obtained, and that this information is not disclosed without the 
consumer's consent or knowledge for purposes that are likely to harm or 
offend the individual.
    While there are many similarities between the NAIC Health 
Information Privacy Model Act and the proposed regulation, the members 
of the NAIC have serious concerns about the proposed regulation's 
impact on the ability of state insurance departments to perform their 
jobs and handle their responsibilities, which include protecting 
consumers and eliminating fraud.

I. NAIC Model in Relation to the Proposed Regulation

    A. Background

    The NAIC adopted its ``Health Information Privacy Model Act'' 
(``NAIC Model Act'') in September 1998 (Attachment A). This model has a 
more narrow focus than the NAIC's ``Insurance Information and Privacy 
Protection Model Act,'' which was adopted in 1980. The model act 
adopted in 1980 addresses the privacy of all individually identifiable 
information, whereas the NAIC Model Act adopted in 1998 establishes 
protections for all health information and for protected health 
information. The NAIC Model Act was developed with state regulators, 
representatives of the insurance and managed care industries, and 
representatives from the provider and consumer communities. Our model 
was developed to assist the states in drafting uniform standards for 
ensuring the privacy of health information.

    B. Similarities

    The HHS proposed privacy regulation addresses many of the same 
issues as the NAIC Model Act. Both the NAIC Model Act and the proposed 
regulation establish procedures for the treatment of all health 
information and additional specific rules for protected health 
information. They are similar in their basic structures and the rights 
conveyed to individuals regarding their health information.
    In terms of structure, the NAIC Model Act and the regulation 
prohibit entities from using or disclosing health information except as 
authorized by the patient or as specifically permitted by the Act or 
regulation. (HHS Proposed Regulation Sec. 164.506(a); NAIC Model Act 
Sec. 10A). When protected health information is used or disclosed, both 
limit the amount of information used or disclosed to that amount which 
is necessary for the stated purpose. (HHS Sec. 164.506(b)(1); NAIC 
Sec. 10). They both establish exceptions to the authorization 
requirement, and many of the exceptions to the authorization 
requirement in the NAIC Model Act fall under what the HHS proposed 
regulation defines as treatment, payment or health care operations. 
(HHS Sec. 164.510; NAIC Sec. 11). The NAIC Model Act and the proposed 
regulation place administrative requirements on their applicable 
entities (HHS Sec. 164.518, 164.520; NAIC Sec. 5), and both establish 
civil and criminal penalties for violations (HHS Sec. 164.522; NAIC 
Sec. 15).
    In terms of individuals' rights regarding their protected health 
information, the NAIC Model Act and the proposed regulation guarantee 
similar rights. These rights include: (1) the right to inspect and copy 
the individual's protected health information (HHS Sec. 164.514; NAIC 
Sec. 7); (2) the right to amend and correct the individual's protected 
health information (HHS Sec. 164.516; NAIC Sec. 8); (3) the right to 
receive notice of an entity's privacy practices (HHS Sec. 164.512; NAIC 
Sec. 6); (4) the right to receive an accounting of everyone to whom 
protected health information was disclosed (HHS Sec. 164.515; NAIC 
Sec. 9); and (5) the right to revoke authorization to use or disclose 
protected health information (HHS Sec. 164.508(e); NAIC Sec. 10).

    C. Differences

    Even though the NAIC Model Act and the proposed regulation have 
quite a few similarities, there are significant differences that 
concern the state insurance departments and the NAIC. As we witnessed 
in the legislative proposals offered by Congress, the smallest details 
can have a huge impact on how the privacy standards effect consumers 
and the states. Key differences are in scope and in the applicable 
entities impacted by the regulation.
    HHS has expressed concern that because of its limited jurisdiction, 
the proposed regulation only applies to electronic health information 
and only applies to certain entities (64 Fed. Reg. 59923). We too are 
concerned about the limited reach of the proposed regulation.

    1. Scope (``Summary and Purpose'')

    Both the NAIC Model Act and the proposed regulation establish 
standards to protect the privacy of protected health information. 
However, the proposed regulation defines protected health information 
to include only individually identifiable health information that is or 
has been transmitted electronically (HHS Sec.  164.504). The regulation 
does not cover paper records. On the other hand, the NAIC Model Act 
does not distinguish between health information in paper format and 
health information that is electronically transmitted and maintained. 
The NAIC Model Act protects all forms of individually identifiable 
health information, both paper and electronic. We believe the NAIC 
Model Act's broader scope serves to better protect individuals' health 
information. (NAIC Sec. 4).
    HHS requested comment on whether it has the authority to extend 
protections to paper as well as electronic information, although to 
this point, HHS has limited its regulations to electronic information. 
(64 Fed. Reg. 59927). We suggest that since HHS believes it has the 
authority under HIPAA to extend these regulatory requirements to paper 
and electronic records, it should do so. Rather than wait to publish 
proposed rules that will govern paper records in the near future, we 
suggest that HHS address paper records in this current proposed 
regulation. The protections established in the proposed regulation 
should extend to both paper and electronic information.

    2. Applicable Entities (``Applicability'')

    One of the most obvious differences between the NAIC Model Act and 
the proposed regulation is in the scope of the entities to which the 
respective proposals would apply. The NAIC Model Act only applies to 
insurance carriers. The proposed regulation is broader and applies to 
health plans, health care clearinghouses, and health care providers who 
transmit health information electronically. (HHS Sec. 160.102). These 
entities are referred to in the proposed regulation as ``covered 
entities.'' (HHS Sec. 160.103).
    Although the proposed regulation generally applies to a broader 
range of entities than the NAIC Model Act, we are concerned that 
``health plan'' is defined in the proposed regulation to exclude 
certain insurers. The proposed regulation clarifies the definition of 
``health plan'' established under HIPAA to include a health insurance 
issuer, a health maintenance organization, a Medicare supplement 
policy, and a long term care policy. (HHS Sec. 160.103) As such, the 
proposed regulation would not apply to certain types of insurance 
entities, even if they provide coverage for health care services or use 
information found in an individual's medical record (i.e., life 
insurers, workers' compensation insurers, automobile insurers, other 
property-casualty insurers, and insurers offering certain limited 
benefits) (64 Fed. Reg. 59923, 59932). The NAIC Model Act applies to 
all insurers, regardless of the products that they sell.
    While we recognize the limited jurisdiction of HHS under HIPAA with 
respect to insurers, we recommend the approach of the NAIC Model Act, 
which applies to all insurance carriers and is not limited to health 
insurers. (NAIC Sec. 4). The NAIC had an extensive public discussion 
about whether the NAIC Model Act should apply only to health insurance 
carriers, or instead, to all carriers. Health insurance carriers are 
not the only types of carriers that use health information to transact 
their business. Health information is often essential to life insurers 
in issuing policies and to property and casualty insurers in settling 
workers' compensation claims and automobile claims involving personal 
injury, for example. Reinsurers also use protected health information 
to write reinsurance. The NAIC concluded that it was illogical to apply 
one set of rules to health insurance carriers but different rules, or 
no rules, to other carriers that were using the same type of 
information.\2\ Consumers deserve the same protection with respect to 
their health information, regardless of the entity using it. Nor is it 
equitable to subject health insurance carriers to more stringent rules 
than those applied to other insurers. Our model applies to all 
insurance carriers and establishes uniform rules to the greatest extent 
possible. The NAIC supports privacy protections that apply to 
individually identifiable health information wherever it resides.
---------------------------------------------------------------------------
    \2\ The NAIC Model Act does allow exceptions from the authorization 
requirement for certain insurers to conduct certain activities. These 
include: (a) when the protected health information is necessary to the 
performance of the carrier's obligations under any workers' 
compensation law or contract; and (b) when collecting protected health 
information from or disclosing protected health information to a 
reinsurer, stop loss or excess loss carrier for the purpose of 
underwriting, claims adjudication and conducting claim file audits. 
However, these entities are subject to the rest of the model's 
provisions.

---------------------------------------------------------------------------
II. Comments on Preemption (``Relationship to State Laws'')

    A. General Comments on Preemption

    Preemption of state law is a key issue for the states and the NAIC 
membership. As we stated in our May 4, 1999 letter to Congress 
(Attachment B) and in Congressional testimony (Attachment C) \3\, the 
federal government must recognize the impact of any privacy legislation 
or regulations on existing state laws. States have enacted many laws 
designed to protect an individual's health information in a variety of 
areas. These state protections appear in many locations within a 
state's statutes and regulations, and many times address programs or 
uses of health-related information that are unique to a particular 
state. In addition, states have carefully considered when to allow use 
and disclosure of health information without authorization, such as in 
cases of investigations and audits of health insurers by state 
insurance departments. States have enacted legislation and regulations 
after balancing the individual's right to keep health information 
confidential against the legitimate purposes for disclosure.
---------------------------------------------------------------------------
    \3\ Latest testimony dated July 20, 1999, before the House Ways and 
Means Committee, Subcommittee on Health is attached (Attachment C). The 
NAIC also testified two other times in 1999 on this issue: May 27, 1999 
before the House Commerce Committee, Subcommittee on Health and the 
Environment; and April 27, 1999 before the Senate Health, Education, 
Labor and Pensions Committee.
---------------------------------------------------------------------------
    While we oppose the preemption of state law, we understand the 
desire to establish a minimum standard in this area due to several 
factors. First, the transmission of health information, as opposed to 
the delivery of health care services, is not always a local activity. 
Health information is transmitted across state and national boundaries. 
Second, while the NAIC has developed model legislation for the states 
to enact to protect individuals' health information that is collected, 
used and disclosed by insurance carriers, the reality is that our 
jurisdiction is limited to insurance. Because health information 
privacy encompasses more issues than insurance and more entities than 
insurers, we understand the desire for broader regulations. As a 
result, the members of the NAIC have concluded that the privacy of 
health information is an area where it may be appropriate for the 
federal government to set a minimum standard.
    However, it should be noted that up until this point there has been 
no federal standard in place. Rather, states have been the protector of 
consumers in this area. Any federal action must recognize this fact and 
make allowances for it. The NAIC supports establishing a minimum 
federal level of protection for health information, as long as stronger 
state laws are preserved. We do not want to see health information that 
currently enjoys a high level of protection under state law end up with 
less protection under the proposed regulation.
    For these reasons, we appreciate HHS' intent to create minimum 
standards, to preserve stronger state laws, and to protect certain 
state laws from any preemption. However, it is critical that the 
proposed regulation not undermine the progress of the states in 
implementing legislation that protects health information privacy and 
not undermine states' abilities to regulate entities over which they 
have jurisdiction. It is also critical that the proposed regulation, in 
its attempt to preserve state privacy laws, not make the process for 
states to enforce their laws so burdensome that the process only works 
in theory and not in reality.

    B. Preemption Standard in the Proposed Regulation

    In the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), Congress directed HHS to implement privacy regulations if 
Congress failed to meet the statutory August 21, 1999 deadline to enact 
legislation. Congress also directed HHS to implement regulations that 
would not supercede a contrary provision of state law if the state law 
is more stringent than the regulation (HIPAA Sec. 264). While we 
appreciate the expressed intent of HHS in the preamble to preserve 
stronger state privacy laws and to protect other specific state privacy 
laws from preemption (64 Fed. Reg. 59994-59999), we have concerns about 
the language and structure used in the proposed regulation's general 
rule and the three categories of exceptions to the general rule. The 
preemption analysis used in the regulation is confusing and leaves many 
questions unanswered. Although the general rule and the exceptions were 
established in HIPAA by Congress, not by HHS, we believe HHS needs to 
make some clarifications in the proposed regulation in order to 
effectively and efficiently implement these standards.
    C. The Proposed Regulation's General Rule and Exceptions (HHS Sec.  
160.203, 160.204)

    1. General Rule

    The NAIC membership has serious reservations about how the 
preemption standard used in the proposed regulation is to be 
implemented. The general rule established in HIPAA Section 262 and used 
in the current proposed regulation states that provisions of state law 
are preempted to the extent that they are contrary to the federal 
statutory and regulatory scheme. ``Contrary'' is defined in the 
proposed regulation such that: (1) complying with both state and 
federal requirements would be impossible; or (2) obeying state law 
prevents the accomplishment and execution of the full purposes and 
objectives of the regulation (HHS Sec.  160.202). HHS has specifically 
requested comment on how these proposed criteria would be likely to 
operate with respect to particular state privacy laws (64 Fed. Reg. 
59997).
    While we recognize that HHS, in defining contrary, has used the 
standards developed by the courts for conflict preemption (64 Fed. Reg. 
59997), we would note that in the past we have found similar 
definitions not to be very helpful in comparing state laws to federal 
requirements. We encounter a similar difficulty when conducting a 
conflict analysis for ERISA preemption using the ``relates to'' 
standard. Using the conflict analysis, a state must examine all its 
laws relating to health information privacy to determine whether or not 
its laws are contrary to the requirements in the proposed regulation. 
This in and of itself is a major project for states to undertake. Just 
identifying all of the laws, let alone comparing them to the federal 
regulation, is time-consuming and confusing for states. However, in 
response to HHS' request for comment, we offer a suggestion to help the 
operation of and to ease the administrative burden of implementing this 
standard.
    We believe that how the term ``provision'' is defined will effect 
the practical implementation of the general rule. We propose that the 
states be given the greatest amount of flexibility in determining what 
the necessary scope of ``provision'' is when applying the general 
rule's contrary standard.\4\ HHS has recognized that states know their 
laws best and are best informed about how to apply their laws. (64 Fed. 
Reg. 59998). The NAIC membership believes that the definition should 
preserve to the maximum extent possible state privacy initiatives that 
extend beyond the covered subject matter of the proposed regulation.
---------------------------------------------------------------------------
    \4\ Our suggestion addresses HHS' request for comment on how the 
term ``provision'' might be defined (64 Fed. Reg. 59995).
---------------------------------------------------------------------------
    According to the preamble, when applying the general rule, what 
will be compared are state and federal requirements that are analogous, 
i.e., that address the same subject matter. If there is a state 
provision and no analogous provision in federal law, there is nothing 
to compare and no issue of a contrary requirement. (64 Fed. Reg. 
59995). Consequently, if the state law is not contrary, the state law 
stands. If the state law is contrary, the state must go to the next 
step in the analysis to see if a contrary state law can still be saved 
from preemption by qualifying as one (or more) of the three categories 
of exemptions. We believe these are important statements and should be 
included as guidance in the regulation itself, not just in the 
preamble.

    2. Exceptions to Preemption of Contrary State Laws

    The exceptions to preemption for state laws that are contrary to 
the proposed regulation fall into three categories: (1) those state 
laws that require a determination by the Secretary that they are 
necessary for certain purposes as set out in HIPAA (HHS 
Sec. 160.203(a); (2) those state laws that relate to the privacy of 
individually identifiable health information that are contrary to but 
more stringent than the federal requirements (HHS Sec. 160.203(b)); and 
(3) those state laws that are explicitly carved out or exempted from 
the general rule of preemption (HHS Sec.  160.203 (c), (d)).
    These exceptions are established in the HIPAA statute, so we 
understand that HHS is prevented from adding or deleting any exceptions 
and is limited in how these exceptions are used. However, we have 
comments and concerns regarding each category of exceptions. Our most 
serious concerns lie with the exceptions that require a determination 
by the Secretary. We also seek clarification regarding how these 
exceptions work on a practical level if a state law falls into more 
than one category of exception.

    a. Exceptions Requiring a Determination by the Secretary (Category 
One)

    Under this exception, a state may continue to enforce a contrary 
provision of state law that falls into one of five categories,\5\ but 
only after obtaining a favorable determination from the Secretary of 
HHS. As set forth in the proposed regulation, if a state wants to 
continue to enforce a contrary provision of state law that falls under 
one of the listed categories, the state must submit a written request 
with detailed information to the Secretary seeking an exception to the 
preemption. Until the Secretary's determination is made, the federal 
requirement remains in effect. The Secretary will deny a request if it 
determines that the federal requirement accomplishes the law's purpose 
as well as or better than the state law for which the request is made. 
If an exception is granted, it is effective for three years or for such 
lesser time as is specified in the determination granting the request. 
(HHS Sec. 160.204(a)).
---------------------------------------------------------------------------
    \5\ The five categories are: (1) the provision of state law is 
necessary to prevent fraud and abuse (emphasis added); (2) the 
provision of state law is necessary to ensure appropriate state 
regulation of insurance health plans (emphasis added); (3) the 
provision of state law is necessary for state reporting on health care 
delivery or costs; (4) the provision of state law is necessary for 
other purposes related to improving the Medicare program, the Medicaid 
program, or the efficiency and effectiveness of the health care system; 
and (5) the provision of state law addresses controlled substances. The 
italicized exceptions are of particular interest to the state insurance 
departments as the regulators of the insurance industry. (HHS Sec.  
160.203(a)).
---------------------------------------------------------------------------
    We believe there are several serious flaws with this proposed 
process. Our primary concern is that the determination process is 
overly burdensome for states. Not only do states have to conduct a 
``contrary analysis'' for all of their laws that protect health 
information and then submit requests for exceptions to HHS, but they 
also have to wait for HHS to make a determination in order for the 
states to enforce their laws.
    We are very concerned about the provision in the proposed 
regulation that states that the federal standard applies until a 
determination is made (the statute is silent on this issue) (HHS Sec.  
160.204(a)(2)). This provision is unacceptable for insurance 
departments that are charged with protecting the citizens of the state 
and enforcing state laws regulating health plans. Cessation of state 
regulation in the interim will essentially leave plans unregulated 
until HHS makes a determination. The NAIC membership does not believe 
that the states should be hampered in their legal duties by having 
their laws preempted until they can prove to HHS that their laws are 
``necessary'' for their states. States have passed privacy laws after 
careful consideration and debate, and they should not have to ask HHS 
for permission to enforce their own laws.
    We offer a simple solution to this problem that would work within 
the confines of HIPAA and HHS' jurisdiction. The current assumption in 
the proposed regulation that the federal standard applies until a 
determination is made should be reversed. We believe there is enough 
latitude in the statute (i.e. the statute is silent) to reverse the 
presumption, so that a state law stands until and unless HHS has 
determined otherwise. The presumption should be in favor of the state's 
interpretation of its law. This reversal is necessary to avoid a 
regulatory vacuum, especially considering that the regulation does not 
establish a time frame within which the Secretary must make a decision. 
As a result, we believe state law should stand while HHS is making a 
determination.
    On a related note, the NAIC membership questions whether HHS is 
prepared to conduct determinations for all 50 states' laws. After 
states complete their ``contrary analysis,'' they will submit their 
state laws to HHS to make a determination. State privacy laws are found 
in many different areas of a state's statutes and regulations, so the 
Secretary may receive a number of requests per state. Without an 
increase in funding for HHS and the development of HHS' infrastructure, 
HHS will not be able to handle the volume of preemption determination 
requests from the states.
    Another problem with the proposed regulation is the lack of details 
about the determination process. The proposed regulation does not 
establish a time frame or deadline by which HHS has to issue a 
determination. States could be waiting for years or indefinitely to 
find out whether HHS will grant an exemption. Such indecision could 
have a dampening effect on a state's ability to pass further legitimate 
legislation. We suggest that HHS revise its regulation to include a 
time period by which HHS has to make a determination. We also suggest 
that if HHS does not make a determination after a specified amount of 
time, then a default determination should be issued in favor of the 
state.
    We also are bothered by the fact that even if states are granted an 
exemption from preemption through the HHS determination process, there 
is a time limit on how long a state law is exempt pursuant to this 
determination (HHS Sec.  160.203(a)(4). The process is quite burdensome 
for the states, so we question the provision requiring states to ask 
for a re-determination on the same laws every three years as a waste of 
time and resources for the states and for HHS. HHS should eliminate the 
three-year limit on how long the exemption is effective.
    We are also concerned that there is no requirement in the 
regulation regarding giving notice to the states and others that HHS 
has made a determination, other than an annual publication in the 
Federal Register of all determinations made by HHS. (HHS 
Sec. 160.203(a)(8). More frequent notices, such as quarterly, should be 
made. We also suggest that HHS provide more details in the proposed 
regulation about the factors it will consider in its determination 
process and if there is a formula HHS will use to decide whether a 
state will be granted an exemption.

    b. Exception for State Laws that are More Stringent than the 
Regulation (Category Two)

    The second exception allows a state to continue to enforce a 
contrary provision of state law that relates to the privacy of health 
information if it is more stringent than a standard, requirement, or 
implementation specification adopted under the proposed regulation. 
More stringent is broadly defined in the proposed regulation as 
providing greater privacy protections for the individual. A state is 
not required to obtain a determination about whether a provision of its 
law meets this exception. However, the Secretary on her own, or at the 
request of a state, may issue an advisory opinion as to whether a 
provision of state law meets this exception. (HHS Sec.  160.204(b)).
    In the NAIC's Congressional testimony (see attached), we supported 
the establishment of minimum standards in the area of health 
information privacy, and we urged Congress to outline a way in its 
legislation for the states to measure their laws against any federal 
standard. We appreciate that HHS has chosen to establish minimum 
federal standards and has included guidelines for states to measure 
their laws against the proposed regulation (i.e., less disclosure to 
others; greater right of access to health information by the 
individual; greater penalties; narrower scope of authorization; longer 
record-keeping requirements and accounting requirements.). States need 
to be able to judge whether their state laws are stronger than any 
federal standard in order to determine whether they need to take 
further action to revise their laws. By defining ``more stringent'' in 
the proposed regulation, HHS has offered several different examples of 
what qualifies as more stringent as guidance to the states, with the 
overriding principle of more protection to the individual whose 
information is being used or disclosed. (HHS Sec.  160.202).
    Additionally, we support HHS' decision to limit the parties who may 
request advisory opinions to the states and the Secretary of HHS. (HHS 
Sec.  160.204(b)(1); 64 Fed. Reg. 59998). We do not believe that 
insurers should be allowed to request an advisory opinion and open 
every state law up to challenge and to review by HHS.
    We do have one concern regarding this exception that we believe 
could be resolved with explicit clarification. Since the federal 
regulation only applies to individually identifiable health information 
that is electronically maintained and transferred and it only applies 
to health insurers, not all insurers, we would like assurance that the 
NAIC Model Act and similar state laws, which have a much broader scope 
(apply to all forms of transmission and to all insurers), would be 
viewed as more stringent and would be allowed to stand under the 
proposed regulation. We believe that these broader state laws would 
fall under the category of ``providing greater privacy protection for 
the individual,'' but explicit clarification in the preamble or text or 
even inclusion in the list of examples would be appreciated. The 
regulation should preserve state laws to the maximum extent possible 
and allow states to enforce their laws as they apply to entities and 
situations that are beyond the scope of the regulation.
    Overall, we are supportive of this exception and how HHS has 
addressed the issue in the regulation. This federal floor exception 
will still require the states to analyze their laws regarding whether 
the laws are contrary and more stringent than the proposed regulation. 
However, the states will not have to go through the burdensome process 
as required by the category one exceptions, and they will not be 
prevented from enforcing their laws waiting for a determination. In 
addition, this exception allows states to enact stronger laws where and 
when they are needed and to enact laws in the future to address changes 
in technology and in the use of health information and to address 
state-specific issues.
    c. Exceptions that are State Law Carve-Outs (Category Three)

    Under the third category of exceptions, a state may continue to 
enforce a contrary provision of state law that the meets one of the two 
specified exceptions: (1) provisions of state law requiring the 
reporting of disease or injury, child abuse, birth or death, or for the 
conduct of public health surveillance, investigation or intervention; 
and (2) provisions of state law requiring a health plan to report, or 
to provide access to, information for the purpose of management audits, 
financial audits, program monitoring and evaluation, facility licensure 
or certification, or individual licensure or certification (emphasis 
added). (HHS Sec. 160.203(c), (d)). No mechanism is required or 
available under the proposed regulation for determining whether a state 
law meets one of these complete carve out exceptions. It appears to be 
left up to the discretion of the states, although the NAIC membership 
requests that HHS affirmatively state this fact.
    The second carve out above is of interest to us. Although state 
insurance laws would qualify for this exception, we are concerned with 
the scope of the exemption regarding oversight of health plans. We 
realize this list of activities related to state insurance department 
oversight is set forth in HIPAA Sec. 262 (Social Security Act 
Sec. 1178); however, the preamble of the proposed regulation explains 
that Sec. 1178 carves out an area which the states traditionally have 
regulated and which the statute intends to preserve for the states (64 
Fed. Reg. 59999). We are concerned because the list has omitted some 
very important activities that are traditionally regulated by the 
states in the area of health care, specifically such activities as 
market conduct examinations, enforcement investigations or consumer 
complaint handling. While it is possible that these functions may be 
included within other categories that are itemized, it is certainly not 
clear that these functions would fall within the exemption. The NAIC 
membership thinks that the proposed regulation should recognize that 
these and other state insurance department activities are covered under 
this exception. The stated intent is to preserve an area of law 
traditionally regulated by the states, therefore we request that the 
regulation clarify, either in the preamble or the text, that a broad 
scope of state insurance department activities fall within this carve 
out.

    3. Interaction Among the Three Categories of Exceptions

    We request a clarification regarding state laws that are contrary 
to the proposed regulation but that could fall into more than one 
category of exception. Clearly the proposed regulation contemplates a 
state law falling into more than one exception (HHS Sec. 160.203), 
especially since the three categories of exceptions are drawn broadly. 
We believe state insurance laws easily could fall into several 
categories of exceptions. An example is state laws regulating health 
insurance plans (category one) that are more stringent than the federal 
regulation (category two) and require health insurance plans to report 
information (category 3). However, this language raises several 
questions: (1) If a state law falls into more than one exception, do 
states get to choose which category of exception applies? (2) Will 
insurers, consumers or others be allowed to sue state insurance 
departments if they do not agree with the departments' classifications 
of the laws? (3) Will this issue result in litigation in order to 
resolve which category of exception any particular state law falls 
into? We think a simple clarification statement in the regulation will 
answer these questions.
    We ask HHS to include language in the text of the proposed 
regulation stating that if a state law falls within several different 
exceptions, the state chooses which exception shall apply. Clearly, the 
states would prefer a category three exception (complete carve-out) 
over a category two exception (optional advisory opinion), and a 
category two exception over a category one exception (required prior 
determination). The presumption should be that the state has the best 
knowledge of its laws and it has correctly classified its laws in the 
appropriate category of exceptions. HHS even recognized in the preamble 
that states are the most knowledgeable about their own laws. (64 Fed. 
Reg. 59998). We think this simple clarification statement will avert 
much litigation and prevent state insurance departments from having to 
defend endless challenges to their classification of their laws.

III. Comments on Exceptions from the Authorization Requirement for 
Disclosure to Health Oversight Agencies for Health Oversight Activities 
(HHS Sec. 164.510(c)); for Disclosure for Law Enforcement Purposes (HHS 
Sec. 164.510(f)); and for Use and Disclosure for Judicial and 
Administrative Proceedings (HHS Sec. 164.510(d)). (``Health 
Oversight,'' ``Law Enforcement,'' and ``Judicial and Administrative 
Proceedings'')

    A. Classification of State Insurance Departments

    Similar to the NAIC Model Act, the proposed regulation establishes 
a list of exceptions to the authorization requirement, such that 
protected health information may be used or disclosed without 
authorization in certain circumstances. However, under the HHS proposed 
regulation, the activities of state insurance departments fit under any 
one or more of the following three exceptions: (1) for disclosure to 
health oversight agencies for health oversight activities; (2) for 
disclosure for law enforcement purposes; and (3) for use and disclosure 
for judicial and administrative proceedings. The regulation is unclear 
about the role of insurance departments relative to these exceptions.

    1. Health Oversight Agencies and Their Activities (HHS 
Sec. 164.510(c))

    The definition of ``health oversight agency'' \6\ most clearly 
encompasses and applies to state insurance departments. Although the 
preamble specifically lists state insurance departments as included in 
this category, we suggest including this statement in the text of the 
regulation, not just the preamble (64 Fed. Reg. 59958).
---------------------------------------------------------------------------
    \6\ ``Health oversight agency'' is defined as an agency, person or 
entity, including the employees or agents, that is a public agency (or 
acting under a grant of authority from or contract with a public 
agency) and which performs or oversees the performance of any audit; 
investigation; inspection; licensure or discipline; civil or criminal 
or administrative proceeding or action; or other activity necessary for 
appropriate oversight the health care system. (HHS Sec. 164.504).
---------------------------------------------------------------------------
    The proposed regulation provides an exception to the authorization 
requirement for disclosure to health oversight agencies for conducting 
health oversight activities. According to the proposed regulation, 
these health oversight activities authorized by law include audits; 
investigations; inspections; civil, criminal or administrative 
proceedings or actions; and other activities necessary for appropriate 
oversight of: i) the health care system; ii) government benefit 
programs for which health information is relevant to beneficiary 
eligibility; or iii) government regulatory programs for which health 
information is necessary for determining compliance with program 
standards (HHS Sec. 164.510(c)(1)).
    We are particularly concerned about the scope of the exemption in 
terms of the listed activities that are included for state oversight of 
health plans. While the list includes a large catch-all category for 
``other activities necessary for appropriate oversight of the health 
care system, government benefit programs, or of government regulatory 
programs,'' the list fails to include other oversight activities that 
are of such importance to state insurance departments that they should 
be specifically listed. Some of these oversight activities that are 
traditionally conducted by the states are: market conduct examinations; 
consumer complaint handling; solvency and financial examinations; 
rehabilitation and liquidation; investigations; audits; fraud 
activities; establishing and enforcing legal or fiscal standards 
relating to the regulation of the business of insurance, including 
claims, underwriting, sales, and managed care; assessments, 
evaluations, determinations; initiation of administrative, civil or 
criminal proceedings; compliance and enforcement of laws or 
regulations.
    While it could be argued that some of these functions are included 
within other categories that are itemized, it is certainly not clear 
that these functions would fall within the exemption. In order to 
ensure that every insurance department can fulfill its obligations to 
the citizens in its state, we request that HHS add these additional 
oversight activities to the list of specific examples. We also request 
that HHS clarify that the catch-all exemption to the authorization 
requirement for activities necessary for the appropriate oversight of 
the health care system is intended to include all legally authorized 
activities performed by insurance departments.

    2. Health Oversight Activities by Two or More Agencies.

    On a related note, the preamble states that in cases where health 
oversight agencies are working in tandem with other agencies overseeing 
public benefit programs to address compliance, fraud or other integrity 
issues that could span across programs, the oversight activities of the 
team would be considered health oversight and disclosure to and among 
team members would be permitted under the proposed rule to the extent 
permitted under other law. (64 Fed. Reg. 59958). We appreciate that 
state agencies will be able to work together and share protected health 
information among agencies in order to conduct oversight activities and 
share information, without being considered as business partners or 
needing a contract to share information among state agencies.
    However, we would like to see this ability to share information 
with other agencies for oversight purposes expanded from just 
overseeing public benefit programs (i.e. Medicaid) to overseeing health 
programs and activities as a whole. For example, an insurance 
department may not be the sole agency in a state that regulates health 
insurers and plans. In some states, the Department of Health, the 
Department of Corporations or the Department of Managed Care is 
responsible for regulating managed care entities. This results in an 
overlap in jurisdiction or in delegation of responsibilities among 
agencies for regulating the health insurance entities. Sharing of 
information among agencies for these oversight activities is just as 
important as oversight of public benefit programs. Consequently, we 
would like to see the regulation recognize the need for information-
sharing among agencies for the oversight of health programs and 
activities as a whole.

    3. Law Enforcement and Judicial and Administrative Proceedings (HHS 
Sec.  164.510(f), (d))

    In addition to falling into the health oversight exception, it 
could be argued that certain state insurance department activities fall 
under the law enforcement and judicial and administrative proceeding 
exceptions. The definition of ``law enforcement official'' is very 
broad and includes an officer of an agency or authority of a state who 
is empowered by law to conduct: 1) an investigation into a violation 
of, or failure to comply with any law; or 2) a criminal, civil or 
administrative proceeding arising from a violation of, or failure to 
comply with, any law. (HHS Sec.  164.510(f)(1)(ii); 64 Fed. Reg. 
59937). Because of their job responsibilities, state insurance 
commissioners would fall into this definition. As drafted, state 
insurance department efforts to combat health care fraud could be 
considered law enforcement activity.
    Judicial and administrative proceedings are not defined in the 
proposed regulation but are considered an exception to the 
authorization requirement. Under this exception, persons are permitted 
to disclose information in the course of any judicial or administrative 
proceeding, but only in response to an order of a court or 
administrative tribunal, or where the individual is a party to the 
proceeding and his or her medical condition or history is at issue and 
the disclosure is pursuant to lawful process or otherwise authorized by 
law. (HHS Sec. 164.510(d)(1)). State insurance departments conduct 
administrative proceedings and are often involved in judicial and 
administrative proceedings.
    Potentially, one single activity could be construed as falling into 
all three exceptions. An example could be a joint investigation by an 
insurance department's investigation team, which is investigating a 
licensee for purposes of determine if administrative action should be 
taken against the licensee, and the department's fraud unit, which may 
prosecute the individual for insurance fraud. This issue raises 
procedural questions, especially if one exception requires a court 
order (judicial and administrative proceedings), one does not (health 
care oversight), and another exception may require a court order in 
certain situations (law enforcement, although not for health care 
fraud). The preamble states that agencies that conduct both oversight 
and law enforcement activities would be subject to the provision on use 
and disclosure for health oversight activities when conducting 
oversight activities (64 Fed. Reg. 59958). However, what standards 
apply when conducting other activities. It is difficult to have several 
different applicable rules based on the activities the states are 
performing. This is especially true if states are conducting activities 
that fall into more than one category of exception and the activities 
are not so easily divided into parts that need authorization and those 
that do not.
    The regulation should state that either insurance departments 
decide which exception applies, or that all insurance department 
activities are health oversight activities. Otherwise, state insurance 
departments may face endless litigation over their classifications. We 
ask HHS to include language in the text of the proposed regulation 
stating that if a state insurance activity falls within several 
different exceptions, the state chooses which exception shall apply. 
The presumption should be that the state has the best knowledge of its 
laws and activities and has correctly classified them in the 
appropriate category of exceptions. HHS even recognized in the preamble 
that states are the most knowledgeable about their own laws (64 Fed. 
Reg. 59998). We think this simple clarification statement will avert 
much litigation and prevent a state insurance department from having to 
defend endless challenges to its classification of the exception that 
applies.

    B. Permitted Disclosures Versus Required Disclosures to State 
Insurance Departments

    We are concerned that under the proposed regulation covered 
entities are ``permitted'' but not ``required'' to disclose necessary 
protected health information to health oversight and law enforcement 
agencies (HHS Sec. 164.510(c), (f); 64 Fed. Reg. 59955). Under the 
proposed regulation, disclosure is required in only two instances--to 
permit an individual to inspect or copy their information, or when 
required by the Secretary. (HHS Sec. 164.506)
    We believe that covered entities under investigation by a state 
agency should be required to provide that state agency with access to 
necessary health information when performing its legally mandated 
duties. This disclosure should not be optional. By not requiring 
insurers to provide state insurance departments with access to records, 
filings and other documents that may contain individually identifiable 
information, state insurance departments' ability and authority to 
perform their regulatory responsibilities is undermined. In addition, 
obtaining authorization from all of an insurer's clients for 
investigation of an insurer's business practices is not feasible or 
practical.
    The NAIC requests that disclosure be required under the proposed 
regulation in additional instances, including disclosure to health 
oversight agencies for health oversight activities consistent with 
state law. The NAIC Model Act lists circumstances where an insurer is 
required to disclose protected health information without an 
authorization. Three of these situations are: (1) disclosure to 
federal, state or local authorities to the extent the carrier is 
required by law to report protected health information or for fraud 
reporting purposes; (2) disclosure to a state insurance department 
performing an examination, investigation, audit; or (3) pursuant to a 
court order. (NAIC Model Act Sec. 11). By not requiring insurers to 
disclose needed records that may contain individually identifiable 
health information, state insurance departments will be forced to 
obtain court orders for every request of information needed for a 
legitimate and lawful purpose.
    However, even court orders will not remedy the problem, since under 
the proposed regulation's judicial and administrative proceeding 
exception, covered entities are permitted to disclose protected health 
information in a judicial or administrative proceeding if the request 
for such protected health information is made through or pursuant to an 
order by the court or administrative tribunal. (HHS Sec. 164.510(d)). 
This use of ``permitted'' in the proposed regulation instead of 
``required'' will severely hamper state insurance departments from 
doing their jobs.
    The preamble states that protected health information is often 
needed as part of an administrative or judicial proceeding, and it even 
lists examples. The preamble states that these ``uses of health 
information are clearly necessary to allow the smooth functioning of 
the legal system.'' (64 Fed. Reg. 59958-59959). If the uses are 
necessary, it logically follows that the language in the text of the 
proposed regulation should use the word ``required'' instead of 
``permitted.''

IV. Comments on Accounting for Disclosures Requirement (HHS 
Sec. 164.515)

    Both the proposed regulation and the NAIC Model Act grant 
individuals the right to an accounting of the disclosures of their 
protected health information from covered entities (HHS Sec. 164.515; 
NAIC Sec. 9), and both establish exceptions to this right. The proposed 
regulation establishes an exception so that accounting for disclosure 
to an oversight agency or law enforcement agency is not required to be 
given to an individual if the agency provides a written request stating 
that the exclusion is necessary for a specified period of time. (HHS 
Sec. 164.515(a)(2)). The NAIC Model Act's exception states that the 
carrier is not required to include in the accounting any disclosures of 
protected health information that were compiled in preparation for 
litigation, law enforcement or fraud investigation. There is no date-
specific deadline on this exception.
    Both the proposed regulation and the NAIC Model Act create 
exceptions to the accounting requirement for oversight agencies and law 
enforcement agencies conducting investigations. The problem with the 
proposed regulation is that it is nearly impossible to accurately 
project the length of an investigation, especially during its early 
stages. Rather than designating a specific date or a specific amount of 
time for no accounting of disclosures to oversight or law enforcement 
agencies, the NAIC suggests a deadline based on the end of an event, 
such as conclusion of an investigation. This ensures that an individual 
will receive a full accounting of disclosures at a certain point but 
also allows an oversight or law enforcement agency to complete its 
investigation without having to set some arbitrary date of disclosure.

V. Comments on Banking Activities and Financial Services Modernization 
(HHS Sec. 164.510(i)) (``Banking and Payment Processes'')

    HHS attempts to address banks and banking activities within the 
scope of the proposed regulation. We believe this is a very important 
issue in light of the passage of financial services modernization 
legislation, The Gramm-Leach-Bliley Act, Public Law 106-102 (the ``GLB 
Act''), and with the changes in the entities that are considered 
``payers.'' However, we have some concerns about how banks and their 
activities are handled under the proposed regulation.

    A. Payment Activities Versus Non-Payment Activities

    The first issue concerns the exception for banking and payment 
processes (HHS Sec. 164.510(i)). This exception is confusing because 
HHS attempts to address two separate issues within the context of this 
one exception--payment activities and non-payment banking activities. 
We believe these two issues should be handled separately.
    Under the statute (Sec. 1179 of the Social Security Act/Sec. 262 of 
HIPAA), banks can use or disclose protected health information for 
certain listed purposes (all involving payment), and HHS repeats these 
approved activities in the regulation.\7\ billing, transferring, 
reconciling or collecting payments'' for health care or health plan 
premiums.
---------------------------------------------------------------------------
    \7\ These activities are ``authorizing, processing, clearing, 
settling, billing, transferring, reconciling or collecting payments'' 
for health care or health plan premiums.
---------------------------------------------------------------------------
    Under Sec. 164.510(i), ``disclosure for banking and payment 
processes,'' covered entities are allowed to disclose protected health 
information to financial institutions without an individual's 
authorization for processing payment for health care and health care 
premiums, including the processing of checks or credit card 
transactions as payment for health care services.\8\ However, covered 
entities would not be allowed under the proposed regulation to include 
any diagnostic or treatment information in the data transmitted to 
financial institutions. (64 Fed. Reg. 59966).
---------------------------------------------------------------------------
    \8\ We question the need for the exception for disclosure for 
banking and payment processes. Under the general rule, authorization is 
not required for payment purposes. Presumably a covered entity would 
not need an authorization to disclose protected health information to a 
bank for payment purposes. However, one of the additional listed 
exceptions is for disclosure for banking and payment processes. This 
exception appears to be duplicative of the general rule, which raises 
the question of why this is an exception. It appears HHS wants to limit 
the amount of information that a bank can receive to process a payment, 
specifically a check or a credit card transaction. This is less of an 
exception to the general rule and more of a clarification of the rule, 
since the rule already excepts payment activities.
---------------------------------------------------------------------------
    We agree with HHS' assessment of a bank's role in payment 
activities. We too recognize that a certain amount of information is 
needed to process payments, but we agree that a bank would not need 
diagnostic or treatment information in order to process a payment and 
that in most cases, if not all, only the specified information would be 
necessary for a bank to conduct payment activities.\9\ (64 Fed. Reg. 
59966).
---------------------------------------------------------------------------
    \9\ Limited list would include only: (1) the name and address of 
the account holder; (2) the name and address of the payer or provider; 
(3) the amount of the charge for health services; (4) the date on which 
health services were rendered; (5) the expiration date for the payment 
mechanism, if applicable (i.e., credit card expiration date); and (6) 
the individual's signature.
---------------------------------------------------------------------------
    HHS also raises the issue of non-payment banking activities in the 
preamble of this exception (not in the text of the proposed 
regulation). HHS theorizes about activities banks may be providing now 
and in the future for plans and providers, and HHS recognizes that 
banks, in addition to offering traditional banking services, may be 
interested in offering additional services to covered entities such as 
tracking services, and diagnostic and treatment information, claims 
management and billing support. (64 Fed. Reg. 59966). With the passage 
of the GLB Act, this is a very real scenario.
    Currently, banks are not considered covered entities under this 
proposed regulation. HHS tries to address its lack of jurisdiction over 
banks by classifying banks as ``business partners'' of covered entities 
when receiving protected health information for non-payment 
activities.\10\ (64 Fed. Reg. 59966). For example, if a bank offers an 
integrated package of traditional banking services and health claims 
and billing services, it could do so through a business partner 
arrangement that meets the proposed requirements. (64 Fed. Reg. 59966-
59967).
---------------------------------------------------------------------------
    \10\ A covered entity may disclose protected health information to 
persons it hires to perform functions on its behalf (``business 
partners''), where such information is needed for that function. 
However, a covered entity and its business partners would be required 
to enter into a contract that establish the permitted and required uses 
and disclosures of such information by the partners.
---------------------------------------------------------------------------
    We agree with HHS' assessment that nothing in the regulation would 
prohibit banks from becoming business partners of covered entities 
under the conditions established in the proposed regulation (HHS 
Sec. 164.506(e)), and that any services offered by a bank that are not 
on the list of exempt services in the statute (Social Security Act 
Sec. 1179) should be subject to the business partner rule. We also 
agree that disclosing protected health information to a financial 
institution for non-payment activities without authorization or without 
a business partner contract would violate the provisions of the 
proposed regulation. (64 Fed. Reg. 59966).
    As demonstrated by our comments, our concerns do not involve how 
HHS has addressed payment activities or non-payment activities of 
banks, but rather that HHS has addressed these two issues together as 
if there were no differences in the need for protected health 
information in these two sets of activities. We think that bank 
activities that do not involve processing payments should be handled 
separately from payment activities. The exception (HHS Sec.  
164.510(i)) should be narrowed to be just ``payment processes'' and 
should not be ``payment and banking processes'' or any other activities 
outside the scope of payment. All other non-payment activities should 
be governed by the business partners rule.
    In addition, there are discrepancies between the preamble and the 
actual text of the regulation setting forth this exception (HHS Sec.  
164.510(i)). Notwithstanding the discussion on banks as business 
partners, the intent of the preamble seems fairly focused and is 
narrower in scope than the actual text. The text of the regulation as 
it is currently written is overly broad and could lead to unintended 
consequences. The preamble addresses payment processes, but the text of 
the regulation addresses ``routine banking activities or payment.'' (64 
Fed. Reg. 59966; Sec.  164.510(i). ``Routine banking activities'' is 
very broad and could include approving loans and offering mortgages--
activities that do not necessitate disclosure of protected health 
information for payment, but would be allowed under the text of the 
regulation. Banks should not have access to individuals' protected 
health information in deciding whether to offer a loan or mortgage. We 
suggest that the text of the regulation be re-drafted to reflect the 
narrower scope and intent of the preamble.
    In short, if covered entities disclose protected health information 
to banks strictly for payment processing, we agree that no 
authorization is needed, but the information banks receive should be 
minimal. If protected health information is used for any other reason, 
authorization from the individual would be required or a business 
contract with a covered entity would be required.

    B. Banks as ``Covered Entities''
    Currently banks are not included under the definition of ``covered 
entities'' in the HHS proposed regulation; however, with the enactment 
of the GLB Act, banks are able to form holding companies that will 
include insurance companies (covered entities) and their 
activities.\11\ As a result, banks may soon have access to protected 
health information once the GLB Act is implemented and banks start 
buying insurance companies. When (not if) this happens, we believe 
banks should be classified as covered entities under the proposed 
regulation. Banks should be held to the requirements of the HHS 
proposed regulation and should be required to obtain authorization from 
an individual to conduct non-payment activities. As listed in the 
preamble, these activities requiring authorization would include: use 
for marketing of health and non-health items and services; and use and 
disclosure to non-health related divisions of the covered entity (e.g., 
for use in marketing life or casualty insurance or banking services). 
(64 Fed. Reg. 59941-59942). HHS should clarify that if financial 
institutions act as payers, they should be governed by the HHS privacy 
regulation as covered entities.
---------------------------------------------------------------------------
    \11\ We are concerned about the relationship between the GLB Act 
and its proposed privacy regulations and HHS' proposed health 
information privacy regulation. Under the GLB Act, a bank holding 
company has affiliates that may be insurance companies, securities 
firms, or thrifts. These affiliates are allowed to exchange personally 
identifiable financial information with each other and with the bank 
holding company without authorization from the individual. The only 
restrictions on sharing this information under the GLB Act is with non-
affiliated third parties. Under the HHS proposed regulation, an 
insurance company could not share protected health information with an 
affiliate without a business partner contract. Clearly, the GLB Act is 
less restrictive in the use and disclosure of protected health 
information and is less protective of individuals' rights than the HHS 
proposed regulation.
    Consideration needs to be given to the interaction between the HHS 
proposed privacy regulation, the financial services modernization 
legislation and proposed regulations, and state laws. In addition to 
the impact on state laws, we are concerned about the interaction and 
potential conflict between the two federal laws and their regulations. 
In general, the relationship between the preemption standards of HIPAA 
and the GLB Act, as they relate to financial institutions, is not clear 
and is still being analyzed and interpreted by many interested parties 
including the NAIC. We ask that HHS work with the federal agencies 
(Federal Reserve, Treasury, Office Thrift Supervision, etc.) that are 
involved in promulgating regulations to implement the GLB Act to 
discuss the potential conflicts between the competing privacy 
regulations.

---------------------------------------------------------------------------
    VI. Conclusion

    In summary, we support HHS' efforts to implement privacy 
regulations that leave intact as many state laws as possible. However, 
we do have serious concerns about the scope, the applicable entities 
effected by the proposed regulation, the preemption of state law, the 
determination process for preemption exceptions, and how state 
insurance departments and the broad scope of activities for which they 
are responsible are classified. We believe that the regulation in its 
current form has the potential to significantly impair the states' 
ability to regulate the health insurance industry. We do believe that 
the proposed regulation may be workable if HHS implements our suggested 
changes.
    The NAIC appreciates the opportunity to offer these comments 
regarding the proposed regulation. The NAIC intends to continue working 
closely with HHS on these and other issues. If HHS has any questions 
with respect to these comments or any other element of the proposed 
regulation, it should feel free to contact myself or Mary Beth 
Senkewicz at (202) 624-7790.
            Sincerely,
                                          Kathleen Sebelius
                                                    Vice President,
                                 Chair, Health Insurance Task Force
                                  Commissioner of Insurance, Kansas
Attachments
National Association of Insurance Commissioners
Federal and International Relations Office
Hall of the States
444 N. Capitol Street, N.W.
Suite 701
Washington, D.C. 20001
(202) 624-7790
      

                                


                           National Breast Cancer Coalition
                                       Washington, DC 20036
                                                  February 15, 2000
U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
Hubert Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

    Dear Assistant Secretary for Planning and Evaluation:

    I am writing to you on behalf of the National Breast Cancer 
Coalition (NBCC), and the 2.6 million women living with breast cancer. 
NBCC, a grassroots advocacy organization made up of over 500 
organizations and tens of thousands of individuals, has been working 
since l99l to eradicate breast cancer through increased funding and new 
strategies for breast cancer research, access to quality health care 
for all women, and expanded influence of breast cancer activists at 
every table where decisions regarding breast cancer are made.
    NBCC strongly believes that we must establish a national policy 
that ensures an individual's right to privacy with respect to 
individually identifiable health information. Individuals own their 
health information. The issue here is under what circumstances other 
people should be able to use an individual's health information. As 
breast cancer survivors, we believe that our illness, diagnosis, 
treatment and prognosis is very personal information. We also know that 
the misuse of our health information can harm us and our families. For 
example, unauthorized or inadvertent disclosure of our health status, 
genetic or family history can make it difficult if not impossible for 
some women and their daughters to obtain health insurance. This danger 
becomes an increasing reality as the number of entities maintaining and 
transmitting individually identifiable health information and the use 
of integrated health information systems generally continues to grow. 
Without any national privacy standards to protect consumer's rights, 
consumers risk misuse of health information within an uneven system of 
state protection.
    At the same time, NBCC believes that federal standards for 
protecting privacy rights should not impede the progress of biomedical, 
behavioral, epidemiological and health services research. Research 
offers women diagnosed with breast cancer the best hope for finding a 
cure and improving treatment, and someday preventing breast cancer. 
NBCC believes that a federal standard should protect the privacy of 
individuals and enhance public trust in medical research, and 
simultaneously protect the ability of researchers to conduct vital 
biomedical research.
    The following comments are in response to the Department of Health 
and Human Services' (HHS) proposed rule (45 CFR Parts 160 through 164). 
NBCC commends HHS for developing significant regulatory standards that 
aim to fill the gap in federal health privacy protection. While the 
draft regulations properly address several of NBCC's key concerns--such 
as access to medical records; notice of information policies; informed 
consent; minimum necessary use; and the use and disclosure of personal 
health information with regard to research--we remain concerned about 
the areas that HHS did not have the authority to cover. It is for that 
reason that we continue to urge Congress to enact comprehensive federal 
privacy legislation.
    We appreciate the opportunity to comment on the health privacy 
regulations, and look forward to working with HHS and Congress to 
improve health information privacy.

The Regulations are not sufficiently broad in scope.

    1. The Regulations cover a limited number of entities. 
(Section 164.502)

    NBCC recognizes that HIPPA specifically limited the 
entities that HHS could cover--so that the regulations could 
only apply to health plans, health care providers and health 
care clearinghouses. These three categories exclude a number of 
entities that receive health information, such as contractors, 
third party-administrators, researchers, public health 
officials, life insurance insurers, employers and marketing 
firms. The regulation's limited coverage of entities is a 
serious flaw. Congress must continue to work towards enacting a 
comprehensive federal privacy law that would apply to all of 
those who generate, maintain or receive protected health 
information.

    2. The Regulations only cover protected health information 
that is electronically transmitted. (Section 164.504)

    Another limitation of the draft regulations is that they 
only apply to ``protected health information'' which is defined 
as individually identifiable health information that has been 
transmitted or maintained electronically by a covered entity. 
This means that all private health information that remains in 
paper form would be unprotected.

    Privacy standards must apply to all individually 
identifiable health information in any form maintained or 
transmitted by a covered entity. It does not make any sense to 
draw a distinction based on form rather than content. A covered 
entity should be required to treat all information it maintains 
or transmits in the same fashion. Covered entities currently 
maintain and transmit health information in both electronic and 
paper form. In fact, many health care providers maintain solely 
paper systems and a majority of health information remains in 
paper form. If the regulations do not apply to this information 
in any form, they will not accomplish the goal of protecting 
individuals' medical privacy. People or organizations that hold 
health information that would otherwise be protected could 
escape compliance with privacy protections by maintaining the 
records on paper. Additionally, for enforcement purposes, it 
may prove difficult, if not impossible, to establish that 
specific health information at some point in its existence has 
been transmitted or maintained electronically and, therefore, 
is subject to the regulations. The best way to reduce these 
implementation and enforcement ambiguities is to make the 
privacy standards applicable to all individually identifiable 
health information transmitted or maintained by a covered 
entity regardless of its form.

    3. The Regulations should explicitly include genetic 
information in the definition of individually identifiable 
health information. (Section 164.504)

    NBCC strongly believes that the definition of individually 
identifiable health information is also flawed. While 
``individually identifiable health information'' is defined as 
information that ``relates to the past, present or future 
physical or mental health or condition of an individual,'' this 
definition does not explicitly include genetic information. 
NBCC urges the Secretary to amend the definition of 
individually identifiable health information so that genetic 
information is afforded the same protection as other medical 
information.

Individuals must have rights

regarding their health information.

    1. Individuals must have the right to access, amend and 
correct protected health information. (Sections 164.514, 
164.516)

    NBCC strongly believes that individuals should have certain 
rights with regard to their medical records and information in 
order to understand how they are being used and maintained. 
Individuals should have reasonable access to their records to 
inspect, copy, supplement or amend their medical records so 
that they can make informed health care decisions and correct 
errors where appropriate. The regulations appropriately provide 
for these individual rights. Any exceptions that would deny an 
individual's access must be extremely limited and narrowly 
construed.
    2. Individuals must have the right to restrict uses and 
disclosures of their health information. (Section 164.506(c)) 

    NBCC also believes that individuals should have the right 
to restrict a covered entity from continuing to use and 
disclose protected health information. Patients have legitimate 
concerns that ongoing disclosures could result in personal harm 
or discrimination. Individuals should be able to seek special 
protection for certain sensitive information that they do not 
wish to be disclosed. For example, many women may wish to 
prevent a health care provider from disclosing BRCA1 and BRCA2 
test results. Accordingly, NBCC supports the general idea 
behind the regulations' granting individuals the right to 
request restrictions on the uses and disclosures of protected 
health information. However, the regulations must provide 
stronger protections by binding all covered entities to any 
restriction requested by an individual (except in emergency 
situations or when it would harm the individual) and requiring 
them to comply or face consequences.

Individuals must be given notice of 

information practices. (Sections 164.512, 164.520)

    It is important that individuals understand how their 
medical records are to be used and when and under what 
circumstances that information will be disclosed to a third 
party. Individuals should be given easy-to-understand written 
notice of how their health information will be used and by 
whom. Only with such notice can people make informed, 
meaningful choices about uses and disclosures of their health 
information. Adequate notice can also help to build trust 
between patients and health care provider organizations in so 
far as it removes any element of surprise about the use and 
disclosure of health information. NBCC believes that the 
proposed regulation properly gives individuals the right to 
adequate notice of the disclosure policies of covered plans and 
providers.

Individuals' informed consent should

be obtained in most instances.

    1. Informed consent must be obtained for uses and 
disclosures unrelated to health care. (Section 164.508)

    NBCC believes that a covered entity must obtain an 
individual's specific authorization if it intends to use or 
disclose protected health information for any purpose other 
than treatment, payment or health care operations. Consumers 
regularly sign a general authorization that allows providers 
and plans to use their personal health information for 
treatment, payment or health care operations. However, there 
are many other uses that they might not anticipate and would 
want to know about. For example, breast cancer patients do not 
expect that information concerning their individual treatment 
will be released for targeted marketing of new products based 
on their health status. Nor would they necessarily want non-
health related divisions of an employer who provides health 
insurance to obtain protected health information for 
eligibility or enrollment determinations, underwriting risk 
determinations, or employment determinations. Another 
unforeseen use is research unrelated to health care, for which 
there is insufficient scientific and medical evidence regarding 
the validity or utility of the information. Such research might 
utilize their health information to discover genetic markers 
that could later be used to discriminate against women with a 
genetic predisposition for breast cancer. For uses such as 
these that are not directly related to treatment, payment, or 
health care operations, NBCC encourages the Secretary to retain 
provisions of the proposed regulations that require covered 
entities to obtain separate and specific authorization from 
individuals.

    Requiring individuals' explicit authorization for these 
uses would enhance individuals' control over their protected 
health information, if and only if, the authorizations are 
specific about the information to be disclosed and where the 
information will go. Furthermore, in order for individuals to 
voluntarily authorize such disclosures, their authorization 
must not be coerced, as a condition of payment. NBCC suggests 
that the regulations be revised to expressly provide that a 
covered entity and its business partners may use or disclose 
protected health information only for the purpose specified in 
the authorization. This would help ensure that the information 
does not fall into the hands of non-covered entities that are 
not subject to the protections afforded by the regulations.
    2. Circumstances under which informed consent is not 
required should be strictly limited.

    Federal privacy standards should strictly limit the 
circumstances under which individuals' identifiable health 
information can be used without their informed consent. The 
Secretary has proposed that covered entities could use and 
disclose protected health information without authorization 
for: (1) treatment, payment, and health care operations; and 
(2) national priority activities.

    (a) Informed consent is not necessary for uses and 
disclosures related to treatment, payment and health care 
operations if the meaning of these terms is narrowly 
interpreted. (Section 164.506) 

    Uses and disclosures related to treatment, payment and 
health care operations include purposes such as quality 
assurance, utilization review, credentialing, and other 
activities that are part of ensuring appropriate treatment and 
payment. While NBCC generally agrees that informed consent is 
not necessary for these purposes, the provisions addressing the 
meaning of treatment, payment, and health care operations 
should be amended. For example, the terms ``treatment'' and 
``payment'' should be narrowly interpreted as applying to the 
individual who is the subject of the information. In addition, 
the definition of ``treatment'' should be amended to ensure 
that disease management programs are only conducted with the 
authorization of the treating physician. The regulation should 
also expressly state that the term ``health care operations'' 
includes only disclosures made to the covered entity (or a 
business partner of such entity) on whose behalf the operation 
is being performed. Furthermore, the regulations should limit 
the definition of health care operations to include only those 
operations that cannot be carried on with reasonable 
effectiveness and efficiency without protected health 
information.

    (b) Generally, informed consent is not necessary for uses 
and disclosures related to national priority activities. 
(Section 164.510 (b) through (n)

    The regulations also provide that individually identifiable 
information could be disclosed without informed consent for the 
following national priority activities: health care oversight, 
public health, emergency purposes, research, judicial and 
administrative proceedings, law enforcement, and to provide 
information to next-of-kin. While NBCC notes the importance of 
these activities, we urge that the final regulation include 
certain safeguards to protect individuals against arbitrary 
disclosures for law enforcement purposes.

    Law enforcement should not have unfettered access to 
medical records. (Section 164.510(f))

    We believe that the federal law protecting the privacy of 
health information should be just as strong, if not stronger, 
than the protections for cable and video records. Medical 
records contain personal and sensitive information, and the 
misuse of peoples' medical information can lead to loss of jobs 
and benefits, discrimination, embarrassment, and other harms. 
However, under the regulations, medical records are not 
afforded the same protections with regard to disclosures for 
law enforcement purposes. In light of the importance of medical 
records, we recommend that law enforcement be required to 
obtain legal process--such as a warrant or court order--that is 
judicially-approved after application of a Fourth Amendment 
probable cause standard.

        Privacy Standards Should not Impedede Medical Research. 

    1. All research information related to health care should 
be reviewed under privacy standards before waiver of individual 
authorization can occur. (Section 164.510(j))

    There has been much debate about what are appropriate 
safeguards for personally identifiable information with regard 
to research. Increasingly, health services, epidemiological, 
biological and statistical research utilizes medical or health 
records and does not involve any interaction between the 
researcher and the patients. Researchers have legitimately 
raised serious questions about the feasibility of seeking 
authorizations from thousands or possibly millions of 
individuals. Other research such as retrospective or secondary 
research also utilizes archival patient materials, including 
medical records and tissue specimens, and does not involve 
direct interaction with individuals. While the data can be 
encrypted, researchers and epidemiologists need to link this 
data back to individuals in order to generate meaningful 
conclusions regarding the benefits and adverse outcomes of 
particular treatments, as well as medical effectiveness. The 
question for breast cancer advocates is under what situations 
would it be appropriate to allow the disclosure of health 
information for research purposes without patient 
authorization.
    Currently, under the Common Rule, research organizations 
conducting federally funded or regulated research projects must 
establish and operate institutional review boards (IRBs), which 
are responsible for reviewing research protocols and for 
implementing federal requirements designed to protect the 
rights and safety of human subjects. No human-subjects research 
may be initiated, and no ongoing research may continue, in the 
absence of IRB approval. Integral to conducting research under 
the Common Rule is a requirement that there is proper informed 
consent and documentation of that consent. There are, however, 
circumstances when the IRB can waive informed consent (the 
Common Rule). These circumstances are when the IRB finds and 
documents that the research: (1) involves no more than minimal 
risk to subject; (2) won't adversely affect the rights and 
welfare of subjects; (3) research can't be carried out without 
the waiver; and (4) whenever appropriate, subjects will be 
given more information after participation. Much of the 
research relying on medical records would meet this test. In 
fact, research that relies solely on medical records databases 
or pathology specimens may be reviewed in an expedited fashion 
by the IRB.
    While the IRBs are not without problems and the informed 
consent process is far from perfect, NBCC believes this is an 
appropriate paradigm to build upon. IRBs have also been given 
the responsibility to ensure there are adequate provisions to 
protect the privacy of subjects and to maintain the 
confidentiality of data and ensure protections for individuals 
involved in research. We believe that it would be appropriate 
to disclose protected health information for health research 
without obtaining authorization if the Secretary requires that 
all health research be reviewed by an IRB or an IRB-like entity 
(``internal privacy board''). In addition, we would like to see 
that all internal privacy boards meet current requirements for 
an IRB with respect to information protection, use, and 
disclosure, and are determined to be qualified to assess and 
protect the confidentiality of protected health information. 
Also, the regulations should provide that there be equal 
oversight and accountability for both IRBs and privacy boards.
    Only under these circumstances would it be appropriate to 
waive authorization. NBCC acknowledges that internal privacy 
boards have drawbacks -but they appear to be an acceptable 
alternative to an IRB.
    Generally, we support the intention with regard to research 
in the draft regulation. The regulation reflects NBCC's 
position that there should be uniform rules for researchers 
regardless of the source of funding. We also support the four 
proposed additional waiver criteria that IRBs and privacy 
boards must consider: (1) the research would be impracticable 
to conduct without the individually identifiable health 
information; (2) the research project is of sufficient 
importance to outweigh the intrusion into the privacy of the 
individual whose information would be disclosed; (3) there is 
an adequate plan to protect the identifiers from improper use 
and disclosure; and (4) there is an adequate plan to destroy 
the identifies at the earliest opportunity consistent with the 
conduct if the research, unless there is a health or research 
justification for retaining identifiers. These additional 
criteria emphasize the need for protecting privacy.
    While NBCC believes that the Secretary's proposed rules 
attempt to create a balance between privacy and research, there 
are certain limitations with regard to researchers. Mainly, the 
draft regulation only addresses the use and disclosure of 
``protected health information'' by covered entities. 
Researchers who generate their own health information fall 
outside the scope of the regulations if they are not based 
within a covered entity, and do not provide health care. We 
understand that this reflects the legal constraint imposed on 
HHS by the HIPAA. Since a great deal of research will continue 
to fall outside the scope of federal regulation, we believe 
that there is still an important role to be played by Congress 
to fill this gap.

    2. Individually identifiable health information must be 
afforded greater privacy protection when it is used or 
disclosed for research that is unrelated to health care.  
(Section 164.508 (a) (3) (iv) (B))

    NBCC recognizes the importance of allowing researchers to 
conduct vital biomedical research. The proposed regulations 
draw a distinction between research information that is related 
to the delivery of care, such as information handled in 
therapeutic clinical trials, and that which is not related to 
treatment, such as early gene sequence analysis. Research 
information that is unrelated to health care is: (1) received 
or created by a covered entity in the course of conducting 
research; (2) information for which there is insufficient 
scientific and medical evidence regarding the validity or 
utility of the information such that it should not be used for 
the purpose of providing health care; and (3) payment is not, 
or has not, been requested from a health plan. The distinction 
has been drawn so that individually identifiable health 
information is afforded greater privacy protection when it is 
used or disclosed for purposes that are unrelated to health 
care. Under the proposed rule, research information unrelated 
to health care generally may only be used or disclosed with 
authorization.
    We believe that the Secretary has properly drawn this 
distinction. However, the definition of ``research information 
unrelated to treatment'' should be revised to ensure that once 
information is classified as such, it cannot be re-classified 
as something else at a later date. We believe that without 
qualifying language this information would be vulnerable to 
disclosure in the future, if the information were later to 
become of scientific validity. The regulation should be clear 
that once information is considered ``research information 
unrelated to treatment'' it remains that way. This is 
especially important given that ``research information 
unrelated to treatment'' is afforded a higher degree of 
protection under the proposed regulation. Individuals may rely 
on this higher degree of confidentiality when consenting to the 
collection of the information in the first instance. This 
confidentiality should not be betrayed in the future just 
because the utility of the information has changed.

The regulations should preempt state privacy laws 

that provide less stringent protections and 

should not preempt strong state privacy laws. (Section 160.203)

    NBCC supports preemption if it sets a floor for the states 
and not a ceiling. We should not force states that have 
established strong privacy laws to adopt a lower standard. The 
proposed regulations reflect this position. The rule will 
preempt state laws that are in conflict with the regulatory 
requirements and that provide less stringent privacy 
protections, but will not preempt state laws that are more 
stringent.

Enforcement of Medical Privacy Standards must include 

a private right of action for individuals.

    Most importantly, we believe that there should be strong 
criminal and civil penalties for intentionally or negligently 
using individually identifiable health information. While HIPPA 
granted the Secretary the authority to impose civil monetary 
penalties and criminal penalties pursuant to the proposed 
regulations, it did not provide for a private right of action 
for individuals. NBCC's position is that the key to 
enforceability is a meaningful private right of action -
individuals must have the right to sue if their privacy rights 
are violated. Only strong enforcement will give people 
confidence that their health information is protected and 
ensure that those holding health information take their 
responsibilities seriously.
    Appropriate safeguards against misuse are necessary to help 
build public trust. Only if women trust that their individual 
health information will be kept private, will they be willing 
to participate in research efforts. At a time when new advances 
in science depend heavily on participation in clinical 
research, we cannot let the opportunity to build public trust 
go by. Knowledge about how to prevent and cure breast cancer 
will only come if real federal standards for medical privacy 
are enacted.
    We respectfully request that HHS reexamine and redefine its 
current proposal, and hope to have the opportunity to work with 
HHS and Congress on improving federal medical privacy 
standards.
            Sincerely,
                                                 Fran Visco
                                                          President
      

                                


Statement of Judith L. Lichtman, President, National Partnership for 
Women & Families

    The National Partnership for Women & Families is a national 
advocacy organization dedicated to improving the lives of women 
and families. Improving access to high quality health care is 
an integral part of our mission. Privacy of medical information 
is an essential component of high quality care. Medical privacy 
is especially important to women because they are the greatest 
users of health care services and because of their need for 
sensitive services like reproductive health and mental health 
services. Medical privacy is also especially important to women 
who are victims of domestic violence because inappropriate 
disclosures can threaten their personal safety and that of 
their children.
    Without confidence that private information will remain 
just that--private--women are reluctant to share information 
with their health care professionals--to the detriment of their 
own health. Fear that medical information is not kept 
confidential also keeps women from obtaining health care 
services in the first place or forces them to go outside their 
health plan and incur significant out-of-pocket expenses.
    In recognition of our leadership on women's health issues 
and keen interest in medical privacy, the National Partnership 
was asked to become a member of the steering committee of the 
Georgetown University Medical Center, Health Privacy Project's 
Consumer Coalition. As an active member of the steering 
committee, we helped develop the coalition's privacy 
principles. We applied these principles in our analysis of the 
proposed rule on medical privacy issued by the Department of 
Health and Human Services on November 3, 1999.
    Strong and enforceable privacy protections are needed now 
more than ever thanks to the recent changes in our health care 
system. The rise of managed care means that more people have 
access to a person's medical information. The computer 
revolution makes immediate transfer and disclosure of such 
information possible, but also brings with it the possibility 
of strong safeguards against inappropriate use and disclosure 
(e.g., the need for passwords to access files).
    We had hoped that Congress would meet its own self-imposed 
deadline of August, 21, 1999, and enact comprehensive privacy 
legislation. Unfortunately, Congress failed to meet that 
deadline.
    We applaud the Department of Health and Human Services 
(HHS) for stepping up to the plate and promulgating this 
proposed rule. The promulgation of this proposed rule 
represents an extremely important step in restoring confidence 
in the privacy of health information. There are many positive 
features of this proposed rule that we discuss in our formal 
comments to HHS, as well as areas where we urge the Department 
to revise its approach. But even if the Department adopted all 
of our recommendations, Congress would still need to act. For 
example, the proposed rule cannot, and does not, reach all of 
the people or entities that use or transfer medical 
information. Nor does it provide meaningful enough remedies for 
people whose privacy rights are violated. These holes can only 
be fixed by Congress, and we call upon Congress to enact 
legislation to fill in these holes.
    Some of the features of the proposed rule that we believe 
are especially important are the following:
     that individuals will have the right to see and 
copy (and supplement) their own health information;
     that individual authorization will be required for 
many uses and disclosures of protected health information;
     that psychotherapy notes will get the benefit of 
special protections;
     that only the ``minimum necessary'' to accomplish 
the intended purpose of the use or disclosure will be used or 
disclosed;
     that individuals will be considered ``intended 
third party beneficiaries'' of any contract between a covered 
entity and its business partners, thus able to enforce their 
own privacy rights if this contract is breached;
     that the Department has attempted to establish 
uniform rules for researchers, regardless of the source of the 
funding for the research; and
     that, in most instances, the federal rules will 
operate as a ``floor,'' not a ``ceiling,'' leaving states with 
the authority to provide greater protection for privacy.
    There are many areas where we believe the Department can, 
and should, more fully protect privacy. One primary improvement 
would be to clarify the responsibilities of employers that 
sponsor covered health plans. Since most women and families get 
their insurance through employment, they fear that employers 
know more than they should about their private medical 
information and may use that information inappropriately to 
make employment decisions. Unless the Department's rule reaches 
employers to the fullest extent possible, America's women and 
families will not believe their privacy has truly been 
protected. In addition, a few of our other recommendations 
include the following:
     requiring individual authorization for treatment, 
payment, and health care operations purposes;
     creating a special authorization process for 
certain disclosures about sensitive services;
     better protecting the personal safety of victims 
of domestic violence, including children who are victims of 
abuse; and
     improving the way the proposed rule handles the 
rights of minors.
    We look forward to working with the Administration and 
Congress to improve the quality of health care and to protect 
the privacy of medical information.
      

                                


Statement of Hon. Ron Paul, a Representative in Congress from the State 
of Texas

    Mr. Chairman, I wish to thank you for having this timely 
hearing on the Department of Health and Human Services' medical 
privacy proposal. I also appreciate the opportunity to share my 
reasons for opposing HHS' proposal with the Committee.
    While I have several serious objections to certain parts of 
HHS' proposal, Mr. Chairman, my main objection to these rules 
is with the underlying principle of allowing a federal agency 
to establish one uniform medial privacy rule for all Americans. 
Protecting medical privacy is a noble goal, however, the 
federal government is not constitutionally authorized to 
mandate a uniform standard of privacy protections for every 
citizen in the nation. Rather, the question of who should have 
access to a person's medical records should be determined by 
private contracts between that person and their health care 
provider.
    Unfortunately, government policies encouraging citizens to 
rely on third-party payors for even routine heath care expenses 
has undermined the individual's ability to control any aspect 
of their own health care, including questions regarding access 
to their medical records. All too often, third-party payors use 
their control over the health care dollar to gain access to 
even the most personal details of an individual's health care, 
using the justification that because they are paying for the 
treatments they must have access to the patient's medical 
records to protect against fraud or other malfeasance. Because 
most of the concerns about medical privacy are rooted in the 
loss of individual control over the health care dollar, the 
solution to the loss of medical privacy is to empower the 
individual by giving them back control of their health care 
dollar. The best way to do this is through means such as 
Medical Savings Accounts and individual tax credits for health 
care. When the individual has control over their health care 
dollar, they can control all aspects of their health care--
including who should have access to their medical records.
    Rather than support efforts to place the individual back in 
control of health care, this administration and many in 
Congress have pursued an agenda that would enhance the power of 
the federal government over health care. HHS' proposed medical 
privacy regulations continue in that sad tradition.
    In the name of protecting privacy, HHS has reduced the 
individual's control over their medical records. HHS' proposal, 
if enacted, would deny, as a matter of federal law, individuals 
the ability to contract with the providers or payors to 
establish limitations on who should have access to their 
medical records. Instead, every American will be forced to 
accept the privacy standard decided upon by Washington-based 
bureaucrats and politicians.
    Individual citizens would not only have to accept the 
privacy standards dictated to them by Washington bureaucrats, 
they would even be deprived the ability to hold those who 
violated their privacy accountable in a court of law. Instead, 
the regulations give the Federal Government the power to punish 
those who violate these federal standards. Thus, in a 
remarkable example of government paternalism, individuals are 
forced to rely on the good graces of government bureaucrats for 
protection of their medical privacy. These regulations also 
create yet another unconstitutional federal crime, at a time 
when voices from across the political spectrum are decrying the 
nationalization of law enforcement.
    HHS appears to believe that the American people should 
accept the privacy protections designed by the ``experts'' in 
Washington. There is no other explanation for the obstacles 
placed in the path of those seeking to comment on this 
regulation. For example, HHS is refusing to accept faxed 
comments. Furthermore, the web site that HHS has established to 
accept comments is very difficult to use and does not even let 
the user know whether or not HHS has received his comments! Mr. 
Chairman, should we trust an agency that shows such a 
reluctance to hear the voice of the people with the power to 
determine medical privacy rules for all Americans?
    These so-called ``privacy protection'' regulations not only 
strip individuals of any ability to determine for themselves 
how best to protect their medical privacy, they also create a 
privileged class of people with a federally-guaranteed right to 
see an individual's medical records without the individual's 
consent. For example, medical researchers may access a person's 
private medical records even if an individual does not want 
their private records used for medical research. Although 
individuals will be told that their identity will be protected 
the fact is that no system is fail-safe. I am aware of at least 
one incident where a man had his medical records used without 
his consent and the records inadvertently revealed his 
identity. As a result, many people in his community discovered 
details of his medical history that he wished to keep private!
    Forcing individuals to divulge medical information without 
their consent also runs afoul of the Fifth Amendment's 
prohibition on taking private property for public use without 
just compensation. After all, people do have a legitimate 
property interest in their private information; therefore 
restrictions on an individuals ability to control the 
dissemination of their private information represents a massive 
regulatory taking. The takings clause is designed to prevent 
this type of sacrifice of individual property rights for the 
``greater good.''
    In a free society such as the one envisioned by those who 
drafted the Constitution, the federal government should never 
force a citizen to divulge personal information to advance 
``important social goals.'' Rather, it should be up to the 
individuals, not the government, to determine what social goals 
are important enough to warrant allowing others access to their 
personal property, including their personal information. To the 
extent these regulations sacrifice individual rights in the 
name of a bureaucratically-determined ``common good,'' they are 
incompatible with a free society and a constitutional 
government.
    HHS' ``medical privacy'' proposals also endangers the 
privacy of Americans by allowing law enforcement and other 
government officials access to a citizen's private medical 
record without having to obtain a search warrant. This is a 
blatant violation of the Fourth Amendment to the United States 
Constitution, which protects American citizens from warrantless 
searches by government officials. The requirement that law 
enforcement officials obtain a warrant from a judge before 
searching private documents is one of the fundamental 
protections against abuse of the government's power to seize an 
individual's private documents. While the fourth amendment has 
been interpreted to allow warrantless searches in emergency 
situations, it is hard to conceive of a situation where law 
enforcement officials would be unable to obtain a warrant 
before electronic medical records would be destroyed.
    The proposal's requirement that law enforcement officials 
submit a written request to doctors, hospital and insurance 
companies before they can access private medical records is a 
poor substitute for a judicially-issued warrant. Private 
citizens are more likely to want to cooperate with law 
enforcement officials than are members of the judiciary, if for 
no other reason than because hospital administrators, insurance 
company personnel, and health care providers will lack the time 
and expertise to properly determine if a government officials' 
request is legitimate. Furthermore, private citizens are more 
likely to succumb to pressure to ``do their civic duty'' and 
cooperate with law enforcement--no matter how unjustified the 
request--than members of the judiciary.
    I also object to the fact that these proposed regulations 
``permit'' health care providers (many of whom are beholden to 
government funding) to give medical records to the government 
for inclusion in a federal health care data system. Such a 
system would contain all citizens' personal health care 
information. History shows that when the government collects 
this type of personal information the inevitable result is the 
abuse of citizens' privacy and liberty by unscrupulous 
government officials. The only fail-safe privacy protection is 
for the government not to collect and store this type of 
personal information.
    The collection and storing of personal medical information 
authorized by these regulations may also revive an effort to 
establish a ``unique health identifier'' for all Americans. As 
you are no doubt aware, Mr. Chairman, a moratorium on funds for 
developing such an identifier was included in the HHS' budget 
for fiscal years 1998 and 1999. This was because of a massive 
public outcry against having one's medical records easily 
accessible to anyone who knows their ``unique health 
identifier.'' The American people do not want their health 
information recorded on a database and they do not wish to be 
assigned a unique health identifier. Congress must head the 
wishes of the American people and repeal the statutory 
authority for HHS to establish a ``unique health identifier'' 
for all Americans.
    As an OB-GYN with more than 30 years experience in private 
practice, I am very concerned by the threat to good medical 
practice posed by these regulations. The confidential 
physician-patient relationship is the basis of good health 
care; oftentimes effective treatment depends on patients' 
ability to place absolute trust in his or her doctor. The legal 
system has acknowledged the importance of maintaining 
physician-patient confidentiality by granting physicians a 
privilege not to divulge information confided to them by their 
patients.
    Before implementing these rules or passing any legislation 
related to medical privacy, HHS and Congress should consider 
what will happen to that trust between patients and physicians 
when patients know that any and all information given their 
doctor may be placed in a government database or seen by 
medical researchers or handed over to government agents without 
a warrant?
    Questions of who should or should not have access to one's 
medical privacy are best settled via contract between a 
patients and a provider. However, the government-insurance 
company complex that governs today's health care industry has 
deprived the individual patients of control over their health 
care records, as well as over numerous other aspects of their 
health care. Rather then put the individual back in charge of 
his or her medical records, the Department of Health and Human 
Services proposed privacy regulations give the federal 
government the authority to decide who will have access to 
individual medical records. These regulations thus reduce 
individuals' ability to protect their own medical privacy.
    These regulations violate the fundamental principles of a 
free society by placing the perceived ``societal'' need to 
advance medical research over the individuals right to privacy. 
They also violate the Fourth and Fifth Amendments by allowing 
law enforcement officials and government -favored special 
interests to seize medical records without an individual's 
consent or a warrant and could facilitate the creation of a 
federal database containing the health care data of every 
American citizen. These developments could undermine the 
doctor-patient relationship and thus worsen the health care of 
millions of Americans.
    In conclusion, Mr. Chairman, I recommend that Congress 
embrace meaningful protection for medical privacy by empowering 
individuals to protect their medical records by repealing the 
statutory authorization for the Department of Health and Human 
Services to impose a one-size-fits all ``privacy''standard on 
all Americans and passing legislation placing patients back in 
control of the health care system.
      

                                


Statement of the Physician Insurers Association of America, Rockville, 
MD

    Thank you for the opportunity to comment on the proposed 
regulations to implement standards governing the privacy of 
individually identifiable health information as directed under 
section 262 of the Health Insurance Portability and 
Accountability Act of 1996 (``HIPAA'' or the ``Act''). The 
proposed rule appears to be drafted to address considerations 
involving health care providers and other ``covered entities'' 
that are the primary repositories of individually identifiable 
health information. However, the proposed rule would also 
impact professional liability insurers primarily due to the 
contractual restrictions placed on ``business partners.''

Interest of the Physician Insurers Association of America 
(PIAA)

    The PIAA is a trade association of more than 55 
professional liability insurance companies owned and/or 
operated by doctors and dentists. Collectively, these companies 
insure approximately 60 percent of America's practicing 
physicians, as well as dentists, hospitals, and other health 
care providers. As such, PIAA member insurance companies 
routinely receive reports from providers when adverse outcomes 
occur where no claim for recompense has yet been made. These 
``event or incident reports,'' as they are known, usually 
contain individually identifiable health information. Such 
important information is treated with the strictest 
confidentiality, and is rarely transmitted to anyone outside of 
the insurance company.
    While the PIAA and its members strongly support appropriate 
privacy protections for individually identifiable health 
information, we have several significant concerns regarding the 
scope of the proposed rule, its liability implications and the 
significant costs and burdens of complying with the proposed 
regulations.

Application to Business Partners

    The provisions contained at section 164.506(e) of the 
proposed rule governing the rule's application to business 
partners of covered entities are the source of concern for the 
PIAA in two significant respects.\1\ First, this section of the 
proposed rule purports to regulate indirectly business partners 
that the agency has acknowledged it lacks the authority to 
regulate directly. Second, section 164.506(e)(2)(ii)(A)'s 
requirement that these contracts designate ``individuals whose 
protected health information is disclosed'' pursuant to the 
contract as explicit third party beneficiaries, thereby creates 
potential liability under state law.
---------------------------------------------------------------------------
    \1\  Section 164.504 defines ``business partner'' as ``a person to 
whom the covered entity discloses protected health information so that 
the person can carry out, assist with the performance of, or perform on 
behalf of, a function or activity for the covered entity.'' The 
proposed rule identifies ``lawyers, auditors, consultants, third-party 
administrators, health care clearinghouses, data processing firms, 
billing firms, and other covered entities'' as examples of business 
partners for purposes of the proposed rule. Although not specifically 
mentioned, the PIAA believes that professional liability insurers would 
meet the definition of ``business partner'' for purposes of the rule, 
and assumes that professional liability insurers are so classified for 
purposes of these comments.
---------------------------------------------------------------------------
    Turning to the first concern, Congress expressly set forth 
those entities to be covered by the regulation in section 
1172(a)(1) of the Act. Indeed, the preamble to the proposed 
rule acknowledges that ``we do not have the authority to apply 
these standards directly to any entity that is not a covered 
entity...[w]e would attempt to fill this gap in our legislative 
authority in part by requiring covered entities to apply many 
of the provisions of the rule to the entities with whom they 
contract for administrative and other services.'' \2\ Using 
mandated contractual arrangements to extend the reach of the 
regulation to parties not contemplated by Congress exceeds the 
authority delegated to the agency by statute. The PIAA believes 
that the agency should reconsider this course and allow covered 
entities to determine for themselves how best to fulfill their 
responsibilities under the Act in their relations with business 
partners and others. The agency should not attempt to usurp 
Congressional authority through the use of the contractual 
artifice included in the proposed rule.
---------------------------------------------------------------------------
    \2\ See 64 Fed. Reg. p.59924, (Nov. 3, 1999)
---------------------------------------------------------------------------
    For instance, section 164.506(e)(2)(i)(H) of the proposed 
rule would specify that, ``At the termination of the contract, 
the business partner must return or destroy all protected 
health information received from the covered entity.'' \3\ This 
proposed requirement fails to recognize that many professional 
liability contracts terminate every 12 months at which time a 
new contract may be offered to a provider. A decision to offer 
the provider a new insurance contract would certainly involve a 
review of past claims and adverse event experience beyond the 
previous 12 months. Likewise, a claim may be filed against that 
provider long after the contract has terminated. In this case, 
information about the provider's claims history or the adverse 
event in question may be impossible to recreate, yet would be 
extremely important to a prompt resolution of the claim. Under 
a ``claims-made'' policy, the notice of an event often triggers 
the attachment of insurance coverage for the claim should it be 
reported in the future. For this reason and others, covered 
entities and their business partners should define the terms 
and conditions of their contracts instead of having them 
dictated in regulations.
---------------------------------------------------------------------------
    3 See 64 Fed. Reg. p.59924, (Nov. 3, 1999)
---------------------------------------------------------------------------
    Additionally, the PIAA is concerned that the proposed rule 
contains a requirement that covered entities and their business 
partners designate individuals whose protected health 
information is disclosed as express third party beneficiaries 
by contract. While the agency proffers no reason for the 
inclusion of this requirement in its discussion of the proposed 
rule, several experts in the area of health law have suggested 
that this provision creates the potential for private rights of 
action utilizing a third party beneficiary theory under state 
law.
    As the agency has itself acknowledged, HIPAA (passed by the 
104th Congress) makes no provision for a private right of 
action by individuals for violations of the statute.\4\ This 
should be regarded as an affirmation that civil and criminal 
penalties are the sole remedy for the unauthorized release of a 
patient's confidential health information. Moreover, the 
question of whether to include such a private right of action 
has been bitterly contested in deliberations by the 106th 
Congress over legislation that would provide broader privacy 
protections of individually identifiable health information. 
Given the absence of any congressional establishment of a 
federal cause of action for the violation of rights created 
under the statute, the Agency should not attempt to create a 
potential private right of action. The PIAA is gravely 
concerned that the agency would see fit to require the 
inclusion of provisions creating liability under state law in 
these contracts, particularly without any discussion of the 
potential liability ramifications of the third party 
beneficiary designation.
---------------------------------------------------------------------------
    4  See 64 Fed. Reg. p.59918, p.59923 (Nov. 3, 1999) [``In HIPAA, 
Congress did not provide such enforcement authority. There is no 
private right of action for individuals to enforce their rights. . .'']
---------------------------------------------------------------------------
    In addition to these specific concerns, we believe that the 
application of this rule to business partners will result in 
expenditures of significant resources for marginal additional 
improvements in privacy protection. This would occur at a time 
when health care expenditures continue to rise and there is a 
serious interest in decreasing the incidence of medical errors 
and improving patient care. Devoting resources to the 
establishment of appropriate privacy protections for 
individually identifiable health information must not be 
considered in isolation, but rather as one element in improving 
the current health care system.
    We are similarly concerned with the prospect of an 
increasingly confusing and possibly conflicting array of 
responsibilities for liability insurers in the area of privacy. 
Has the Agency considered in detail the interaction of the 
``business partner'' rule with privacy obligations that may 
arise under other proposed regulations and recently enacted 
legislation such as the Financial Services Modernization Act. 
We believe that minimizing cost and confusion, as well as 
eliminating any potentially conflicting obligations is central 
to effectively protecting patient privacy.
    The PIAA urges the agency not to utilize mandated 
contractual arrangements to improperly enlarge on the narrower 
authority granted by Congress, and in particular to withdraw 
the requirement that the third party beneficiary designation be 
included in such contracts.

Customary Business Relationships in the Health Care Industry

    During our review of the proposed rule, PIAA members raised 
concern regarding the potential impact of the proposed rule on 
liability insurers' access to individual health information 
related to the activities of their insureds. The preamble to 
the rule indicates that the Agency intends ``to allow customary 
business relationships in the health care industry to 
continue.'' As part of current normal business practice, 
professional liability insurers typically receive individually 
identifiable health information related to adverse incidents 
that may give rise to claims against an insured. Indeed, 
reporting requirements are typically stipulated as part of the 
claims made policy in an insurance contract. Sharing of such 
information also allows the liability insurer to conduct 
underwriting reviews to determine insurability. Finally, such 
an open business relationship promotes consideration of how 
health care systems can be improved to prevent recurrent 
adverse events. Under the proposed rule, it is unclear under 
what conditions this transfer of information could take place 
without individual authorization.
    Under section 164.506(a) as proposed, a covered entity 
would be permitted to use or disclose protected health 
information without individual authorization for treatment, 
payment or health care operations. ``Health care operations'' 
as defined under proposed section 164.504 includes:
    ``(3) Insurance rating and other insurance activities 
relating to the renewal of a contract for insurance including 
underwriting, experience rating and reinsurance, but only when 
the individuals are already enrolled in the health plan 
conducting such activities and the use or disclosures of the 
protected health information relates to an existing contract of 
insurance (including the renewal of such contract);
    (5) Compiling and analyzing information in anticipation of 
or for use in a civil or criminal legal proceeding.''
    The PIAA is concerned that the proposed definition of 
``health care operations'' fails to include the sharing of 
information with professional liability insurers that is both 
current business practice and necessary for risk management, 
error prevention, improving patient care, underwriting and 
other insurance purposes. The discussion of insurance under the 
proposed definition (above) appears to be limited to insurance 
provided by health plans and does not expressly contemplate 
other types of insurance, such as professional liability 
insurance.
    The aspect of the definition including information compiled 
``in anticipation of litigation,'' similarly provides little 
comfort as it fails to embrace the full array of situations in 
which individual health information must be exchanged between 
an insured and a professional liability insurer. This exchange 
of information often occurs long before a civil or criminal 
action is indicated, and indeed is necessary to allow the 
insurer to investigate the incident and determine whether 
compensation should be paid before any demand letter is 
received or civil action initiated. This exchange of 
information is additionally necessary even when no claim is 
made to aid in underwriting and risk management/evaluation 
activities.
    Moreover, the ``in anticipation of or for use in a civil or 
criminal proceeding'' standard is quite similar to, and equally 
as vague as, the ``anticipation of litigation'' standard for 
the work product rule under Federal Rule of Civil Procedure 
26(b)(3) which has spawned reams of case law attempting to 
define under what circumstances this standard has been met.
    The ramifications of failing to clarify the definition of 
``health care operations'' to include information shared with 
professional liability insurers are serious as it would appear 
that professional liability insurers would then be relegated to 
the exception for protected health information obtained for 
judicial and administrative proceedings. As proposed, the rule 
would impose the burdensome requirement that any transfer of 
protected health information could only occur pursuant to court 
order or by request from legal counsel in litigation. This 
result would be counterproductive for all concerned, including 
patients, as it would essentially require litigation in order 
for the claim to be evaluated. The current practice of sharing 
information with the professional liability insurer as soon as 
an adverse incident occurs facilitates compensation without 
litigation in many instances and results in lower costs per 
claim.
    In light of the foregoing, the PIAA would respectfully 
request that the agency modify the definition of ``health care 
operations'' to make clear that protected health information 
could be shared with a provider or other covered entity's 
professional liability insurer without prior authorization.
    Finally, we would like to commend the Agency for a well-
detailed and thoughtful approach to creating protections in a 
new and difficult area. We hope that our comments will be 
addressed in any further actions the Agency takes regarding 
this matter.
      

                                


Statement of Jim Ramstad, a Representative in Congress from the State 
of Minnesota

    Mr. Chairman, thank you for calling this important hearing 
to review the Administration's proposal to protect the 
confidentiality of medical records.
    Given the sensitive nature of personal health records, I am 
very aware of the importance of crafting appropriate rules and 
regulations, as well as the complexities that surround this 
task.
    I applaud the efforts of the Secretary to tackle this 
important issue with a comprehensive framework to protect 
patient information without inhibiting the use of data to 
continue research into life-saving and life-enhancing 
treatments, drugs, technologies and procedures. Ensuring 
regulations are balanced and do not stifle research, while 
protecting privacy, is one of my top priorities.
    Given the vast expanse of the regulations and the number of 
health care providers impacted by them, this hearing is 
important to closely examine the rules and determine if changes 
are necessary or more work needs to be done legislatively.
    I welcome this opportunity to learn more from today's 
witnesses on this significant health care issue, and I thank 
you again, Mr. Chairman, for calling this important hearing.
      

                                


Testimony of the Hon. Louise McIntosh Slaughter, a Representative in 
Congress from the State of New York

    I thank you, Chairman Thomas and Representative Stark, for 
this opportunity to testify on one of the most critical issues 
in Congress: medical records privacy. I cannot tell you how 
pleased I am that Congress is finally taking up this matter in 
earnest.
    It is truly gratifying for me to see a national consensus 
emerging on the need to protect the privacy of medical records. 
Privacy is one of the bedrock principles of our Constitution 
and a pillar of our democracy. Our Founders considered privacy 
so important that they included it in the Constitution in 
several different forms. The First Amendment protects our right 
to express our private thoughts, and our right to associate in 
private or public with whomever we choose. It protects the 
privacy of one's home, possessions and person against 
unreasonable search and seizure. It therefore seems natural 
that the privacy of medical records--which contain the most 
personal of information about an individual--should also be 
protected.
    Unfortunately, Americans' medical records are anything but 
private. While many people believe their medical records are 
closed to everyone except their health care provider and 
insurer, the truth is very different. On February 4, 1997, a 
New York Times article recounted how one doctor started 
investigating how many people had access to his patients' 
records after being confronted with one patient's fear of 
disclosure. He said, and I quote, ``I stopped counting at 75.'' 
This incident happened a decade ago. The situation is even more 
extreme today.
    Doctors, nurses, therapists, and secretaries are only a few 
of the people who have access to an individual's medical 
charts. Today our medical records may also be viewed by 
consultants, billing clerks, insurance ``coders,'' and many 
others. An employer may have free access to workers' records, 
especially if the company is self-insured. Medicare sees the 
records of elderly and disabled patients, while Medicaid 
workers may view medical charts for the poor. The potential for 
genetic discrimination and other misuse of this information is 
staggering.
    The computerization of medical records has exacerbated this 
situation. Many insurers pool medical information in the 
Medical Information Bureau, which may distribute it to any 
number of sources. Marketers buy sophisticated lists of health 
and demographic information to help them target their products. 
Lawyers look at records in the context of rape, domestic 
violence, and medical injury cases. Equifax and other credit 
reporting services can also get access. The list goes on and 
on.
    The computerization of medical records has added a new 
urgency to the need for regulations to protect consumers. In 
the past, the practical limitations of paper records made 
access more difficult. Computerization of records means that 
large numbers of medical records can be screened, collated, and 
distributed in the blink of an eye. Information can be made 
available to almost unlimited numbers of people via the 
Internet. The market for medical records information is 
booming, and there is reputed to be a vigorous black market for 
it as well.
    With the advent of computerized records, the potential for 
malicious misuse of this information is truly appalling. In a 
widely publicized case, a Florida public health official was 
fired after allegedly mailing computer disks with the names of 
thousands of Florida patients with HIV and AIDS anonymously to 
Tampa-area newspapers. This individual also reputedly took a 
list of the patients into a local bar and offered to help 
friends screen potential dates. In 1996, the Baltimore Sun 
reported that in Maryland there had been examples of state 
employees accepting bribes from HMOs for information on 
Medicaid recipients. One Delaware banker obtained a list of 
cancer patients, cross-referenced it with loan customers at his 
bank and called in those loans.
    There is a clear and pressing need for federal legislation 
to protect the privacy of our medical records. In a 1997 review 
of state medical privacy and confidentiality laws prepared for 
the Centers for Disease Control and Prevention, the Electronic 
Privacy and Information Center (EPIC) called federal privacy 
laws ``fragmented and uncertain.'' As long ago as 1994, the 
Institute of Medicine endorsed passage of comprehensive federal 
legislation to replace the patchwork of laws that cover medical 
records. According to the EPIC report,
    Thirty-seven states impose on physicians the duty to 
maintain the confidentiality of medical records. Twenty-six 
extend this duty to other health care providers. Thirty-three 
states and territories require health care institutions to 
maintain the confidentiality of medical records they hold. The 
survey found that only four states have specific legislation 
imposing this duty on insurers, despite the vast amount of 
information held by insurance companies. Nine states impose a 
similar duty on employers or other non-health care 
institutions.
    Only twenty-two states have legislative provisions that 
protect computerized or electronically transferred data. Forty-
two states protect information received during the course of a 
physician-patient relationship from disclosure in court 
proceedings, with certain exceptions. Twenty-eight states 
provide statutory penalties for unauthorized disclosure of 
health care information. Twelve impose criminal penalties, 
nineteen create civil penalties and three allow for both civil 
and criminal penalties. Legislative Survey of State 
Confidentiality Laws, with Specific Emphasis on HIV and 
Immunization, EPIC, February 1997.
    The report concludes by endorsing passage of federal 
privacy legislation, stating, ``Uniform standards nationwide 
will result in more effective protection of health information 
privacy.''
    The situation has changed little since that 1997 report. 
State laws are fragmented and inconsistent. People living on 
opposite sides of a state line have widely divergent privacy 
protections and recourse against violations.
    In attempting to fulfill the Health Insurance Portability 
and Accountability Act of 1996's (HIPAA) requirement that 
Congress pass medical records privacy legislation, we all 
learned a difficult lesson about the many competing interests 
on this issue. The medical records privacy debate draws in 
virtually every fact of the health care industry -doctors, 
nurses, hospitals, nursing homes, insurance companies, blood 
banks, tissue banks, laboratories, information processing 
firms, pharmaceutical companies, private and university-based 
researchers, disease advocacy groups, medical schools, and 
more. Many of these entities have very different ideas about 
the appropriate level of privacy that should be afforded to 
medical records. And first and foremost, we must consider the 
concerns of individual Americans.
    Today's hearing seeks to examine the recent regulations 
promulgated by the Department of Health and Human Services on 
the privacy of computerized medical records. In the broadest 
sense, these regulations are a major step forward. They 
represent the first concerted federal effort to ensure that 
Americans' medical information is not treated lightly. I 
commend Secretary Shalala and the HHS officials responsible for 
producing these regulations for their extremely hard work. I 
would like to highlight three concerns raised on the 
regulations:
    Research Must Not Be Inhibited. As a former microbiologist, 
I am keenly aware of the challenges faced by researchers in 
obtaining, analyzing, and interpreting medical information. 
Legitimate scientific studies should not be hampered by overly 
burdensome requirements or regulations. It is my firm belief 
that the majority of research can and should be conducted with 
medical information that is not individually identifiable. 
Further, I am deeply concerned that some industries may attempt 
to obtain medical records for marketing purposes under the 
guise of ``research.'' The regulations must ensure that science 
can move forward without compromising the privacy of 
individuals.
    Authorization and Consent Forms Must Be Meaningful. Today, 
most insurance forms contain a blanket consent paragraph that 
the individual must sign or risk being denied coverage for 
treatment. I am pleased that the regulations are designed to 
end these meaningless, coercive authorizations and replace them 
with a more targeted, informative system. The authorization 
form content requirements in the HHS regulations are a major 
step in the right direction. We must, however, ensure that 
consumers are not presented with endless paperwork, printed in 
small type and written in bureaucratic jargon. Such a case 
would only result again in consumers signing forms without 
reading them or reviewing their private rights in a meaningful 
fashion.
    Effectiveness of the Regulations Should Be Studied. I would 
strongly encourage HHS to include explicitly with the 
regulations one or more studies of their effectiveness. Which 
consent forms are the most useful for consumers? Are 
individuals indeed reading authorizations and considering their 
privacy rights? Are entities which hold medical records 
complying with the spirit as well as the letter of the law? 
Where are the remaining loopholes that may not have been 
anticipated? Is research being impacted adversely? Are certain 
requirements too burdensome? These regulations are complex; we 
cannot allow them to be issued without thoughtful oversight of 
their impact.
    Finally, I would like to raise a related issue that must 
not be ignored. While medical records privacy is critically 
important, it is only one side of the coin. The other side of 
the coin is nondiscrimination. Individuals' private medical 
information, and in particular their genetic information, 
should not be used to harm them. Without nondiscrimination 
laws, privacy is an empty protection. Without privacy 
protection, nondiscrimination laws are unenforceable.
    I am proud to be a leader in Congress in the effort to ban 
genetic discrimination. In 1995, I introduced legislation to 
ban genetic discrimination when few Members were even aware of 
the Human Genome Project. Today genetic research and 
discoveries are the subject of seemingly daily press reports. A 
``rough draft'' of the entire human genome will be completed 
this spring. Over the past five years, I have worked 
consistently to keep these issue before Members of Congress, 
educating them and their staffs about the many ethical, legal 
and social implications of genetic research.
    H.R. 306, the Genetic Information Nondiscrimination in 
Health Insurance Act, would prohibit insurers from denying, 
canceling, refusing to renew, or changing the rates, terms, or 
conditions of coverage based on genetic information. This bill 
has the overwhelming support of 212 bipartisan cosponsors and 
over 100 health-related organizations. I am proud to count as 
cosponsors all of the Health Subcommittee Democrats, as well as 
Rep. Nancy Johnson.
    More recently, I have introduced H.R. 2457, the Genetic 
Nondiscrimination in Health Insurance and Employment Act. As 
its title suggests, this bill would ban discrimination in both 
health insurance and employment. Just last week, President 
Clinton endorsed this legislation in a major Administration 
event and signed an executive order banning genetic 
discrimination in federal employment.
    Unfortunately, the new HHS medical records privacy 
regulations do not ban genetic discrimination. Doing so would 
have exceeded the scope of the HIPAA mandate. It is therefore 
up to Congress to act on this critical issue.
    We owe it to the American people to ban genetic 
discrimination. Throughout the course of my work on this issue, 
I have received heartbreaking letters from people who want to 
take a genetic test, but have decided not to do so because they 
are afraid the results might be obtained by their health 
insurer or employer. Whenever I speak to groups about genetics, 
I am inevitably approached by people afterwards who describe 
their own family history of illness and their fears that this 
information will be used against them. It is absolutely 
reproachable that Congress is allowing this situation to 
persist for millions of Americans simply because the leadership 
will not act upon this issue.
    Medical records privacy is long overdue. Again, I commend 
Secretary Shalala and her staff for producing excellent draft 
regulations. With some changes, these regulations will provide 
a solid basis for protecting the privacy of medical information 
in this nation. The next step must be to protect Americans 
against genetic discrimination. Unless we ensure that this 
information cannot be used to undermine individuals' best 
interests, the public will rightly stop supporting genetic 
research. The enormous promise of genetic technology will then 
go unfulfilled.
    I appreciate having this opportunity to offer my comments 
on medical records privacy issues, and I look forward to 
working with the members of the subcommittee to ban genetic 
discrimination.
      

                                


Statement of VHA Inc.

    On behalf of the membership of VHA, we submit these 
comments on the Administration's proposed regulations regarding 
privacy of individually identifiable health information. VHA 
supports the idea that an individual's medical information 
should remain confidential. However, this confidentiality 
should not operate as a barrier to quality and efficient care. 
With this goal in mind, VHA offers the following comments on 
the proposed regulations that will have an enormous impact on 
all of America's hospitals.
    VHA is a nationwide network of community-owned health care 
systems and physicians. Through shared knowledge and 
commitment, we build strength to improve community health and 
achieve market success. VHA has more than 1,800 members, 
representing many of America's leading community-owed health 
care providers, in forty-eight states and the District of 
Columbia. That number represents twenty-four percent of the 
nation's community-owned hospitals.
    Patients and consumers must be assured that any use of 
their medical information will be appropriate and maintained as 
strictly confidential in the course of providing care, 
performing essential quality assurance activities, conducting 
bona fide research, complying with legal requirements, and 
performing specific public health activities.
    VHA believes that any regulation should avoid imposing 
undue administrative burdens and costs on health care providers 
and others, or unnecessarily impeding the exchange of 
information used in patient care, quality, and payment. Neither 
should any regulation adversely impact clinical research or 
prudent access to research databases essential for the 
advancement of patient care.
    It is important for health care organizations operating in 
multiple states to have a consistent guide for maintaining the 
confidentiality of patient medical information. Therefore, any 
federal regulation should preempt existing state laws to ensure 
a unified law for multi-state operating health care 
organizations.
    Patient-identifiable health information is currently used 
in a variety of activities to improve health care quality. 
These activities include health promotion and disease 
prevention, disease management, outcomes research, and 
utilization management. Computers, electronic communication and 
the rapidly increasing knowledge about human genetics are 
vastly improving quality of care. However, the widespread use 
of electronic technology to store, transmit, and use health 
record information has raised questions about the safety and 
security of confidential health information. It is important 
that patients and consumers be assured that any use of their 
personal medical information is appropriately maintained as 
confidential.
    VHA aids its members in the development of sound 
operational efficiencies that result in both clinical and 
economic benefits. The federal government has long recognized 
the need for such efficiencies and has exhibited its commitment 
to encouraging them through the implementation of various 
prospective payment systems in the Medicare program. VHA's 
activities are consistent with the federal priority to require 
operational efficiencies at all levels in the health care 
industry.
    To achieve its goals, VHA believes that HHS should clarify 
the definition of ``health care operations'' and include a 
definition of ``marketing.''
    First, the definition of ``health care operations'' needs 
to be expanded. Under the proposed regulations, covered 
entities, such as VHA members, would not need to seek 
authorizations for uses or disclosures of protected health 
information (``PHI'') that relate to ``health care 
operations.'' As currently written, the definition of ``health 
care operations'' includes specific activities ``for the 
purpose of carrying out the management functions of [covered 
entities] necessary for the support of treatment or payment.'' 
VHA applauds HHS for its recognition that uses of PHI for 
purposes that are ``compatible with and directly related to'' 
treatment and payment should be exempt from a general 
authorization requirement. While the definition of ``health 
care operations'' acknowledges this fact, some activities have 
been overlooked, creating ambiguities that could inhibit the 
nation's hospitals' ability to provide high-quality patient 
care and hospital efficiency.
    VHA is concerned about the status of activities related to 
sound clinical and operational efficiencies under these 
regulations. One critical aspect of patient care is the ability 
of hospital clinicians to work together to ensure that each 
physician has met the hospital's goal of clinical and 
operational efficiency. One aspect of this team approach 
involves the review of the provisions of medical drugs and 
devices by providers. These reviews require that other members 
of the hospital staff have access to medical records, which 
include PHI. The staff members must work together with 
physicians to review relevant medical records to determine the 
most efficacious and economic drug or device for patients.
    The definition of ``health care operations'' needs to be 
clarified to ensure that these types of reviews come within the 
tier of activities for which patient authorizations are not 
required.
    While these reviews most likely fall within ``health care 
operations'' as one aspect of ``evaluating practitioner and 
provider performance'' or as part of internal quality 
oversight, the fit is not absolutely clear from the text of the 
proposed regulations. As the preamble notes, the intent of the 
regulations is ``to make the exchange of [PHI] relatively easy 
for health care purposes.'' These reviews are an important 
health care purpose.
    While VHA does not believe HHS intended to exclude these 
types of reviews from the definition of ``health care 
operations,'' we seek clarification as to their status. 
Therefore, we suggest that HHS augment the definition of 
``health care operations'' by including in the text of the 
regulation itself ``engaging in activities related to achieving 
clinical and operational efficiencies'' in subparagraph two of 
the definition. This clarification should be extended to the 
preamble as well.
    The financial gain notice requirement should be narrowed. 
Under the proposed regulations, a covered entity must include a 
statement regarding the financial gain associated with a use or 
disclosure of PHI when the covered entity requests an 
authorization for the use or disclosure that will result in 
financial gain to the entity. In the preamble, HHS clearly 
describes its concerns about financial gains resulting from 
marketing activities.
    VHA understands the concerns regarding the use of PHI for 
inappropriate marketing activities, but the proposed language 
of the regulation is too broad and restricts other necessary 
activities that may also result in financial gain to a covered 
entity. For example, when a hospital reviews a physician's 
prescription of drugs or use of devices for his/her patients to 
achieve sound clinical and operational efficiencies, the 
hospital, as well as the patient, the community, the federal 
government in its role as a payer for health care, and indeed 
the entire health care system receive economic gain. This goal 
of providing high quality clinical care that is also 
operationally sound is the same as that embraced by the 
Congress and the Administration through its creation of the 
prospective payment systems.
    VHA does not believe HHS intended to create such an 
impediment to the use of sound operational efficiencies. Thus, 
VHA suggests that the financial gain statement requirement at 
45 C.F.R. Sec. 164.508(d)(iv) be narrowed to read: ``(iv) Where 
use or disclosure of the requested information will result in 
financial gain to the entity that is unrelated to the care of 
the individual or the sound clinical or operational 
efficiencies of the covered entity, a statement that such gain 
will result.'' The preamble should also be modified to reflect 
this modification.
    The ``minimum necessary'' standard must be tightened so as 
not to divert necessary resources from patients and to address, 
in a practical manner, the uses and disclosures of PHI in day-
to-day patient care.VHA is concerned that, as currently 
described, the ``minimum necessary'' standard will inhibit the 
delivery of high quality, cost-effective health care. While it 
is clear that some uses or disclosures of PHI may not require 
all of the PHI located in a medical record, other uses will 
require this complete set of information. Because a vast number 
of medical records remain on paper, abstracting can be an 
enormous impediment to accomplishing the minimum necessary 
goal. Although well-intentioned, this standard will divert even 
more scarce resources from patient care to administrative 
functions.
    Secondly, it is unreasonable to expect that an appointed 
person or group will always be able to discern the ``correct'' 
amount of information necessary for a particular purpose, 
especially as related to treatment and certain aspects of 
health care operations. For example, what might not seem 
important to the appointed person may become vitally important 
at a later date in the patient's treatment. If the information 
is missing, the patient's medical needs would not be met. The 
provider might not even realize until too late that the record 
he/she had received had been redacted.
    VHA members involved in reviewing the provision of drugs 
and devices by providers could also be severely hampered. On 
the surface the individual determining the ``minimum 
necessary'' amount might believe that only the diagnosis and 
medicine prescribed is required reviewing a provider's 
prescription practices. For the review to meet its goals of 
improving clinical and operational efficiencies, however, it is 
often necessary to know the patients' entire histories so that 
reviewers can determine why a physician might have selected 
certain drugs or devices. Redacting records, even with the best 
of intentions, may make quality reviews inefficient or 
completely impossible.
    Thus, VHA suggests that the standard be tightened. First, 
it should be clear that in the case of treatment and health 
care operations, the minimum necessary standard should be 
modified. In the case of uses or disclosures for treatment, the 
minimum necessary standard should apply only to the number of 
individuals who obtain the PHI, not the amount of information 
because the vast majority of cases will need a full record. To 
do otherwise threatens patient care. For health care 
operations, the text already creates an exception for ``audits 
and related purposes.'' This exception should be clarified so 
that important health management reviews of provider practices 
are also not subject to the standard in terms of amounts of 
data, but only in terms of the number of people with access to 
the information.
    Second, the explanation of the standards describing the 
factors that the Secretary expects to be used in making the 
minimum necessary determinations should be made part of the 
text of the regulation. Otherwise, the standard is too vague to 
be workable and creates the risk that the courts who will 
ultimately determine the meaning of ``reasonable,'' will rely 
on a different analysis.
    Whistleblowers should be held to a ``reasonableness'' 
standard or not be exempt from the ``minimum necessary'' 
requirement entirely. As HHS recognizes, the role of 
whistleblowers has been etched into efforts to curb fraudulent 
behavior. VHA understands the need to allow these individuals 
to report abuses to health oversight agencies, law enforcement 
officials, or attorneys. The broad protection afforded 
whistleblowers in these regulations, however, erodes the 
protection of an individual's confidentiality, which 
constitutes the heart of the regulations.
    VHA is troubled by this provision generally. At a minimum, 
we suggest that addressing three basic problems with the 
provision would aid in ameliorating these concerns. First, the 
provision currently permits an individual to disclose PHI on a 
``belief.'' This standard is too broad and unenforceable. Other 
areas of law traditionally focus on a ``reasonableness'' 
standard, which is stronger than that of a ``belief.'' Under a 
reasonableness standard, a whistleblower would not be liable 
for the disclosure if a reasonable person would have evaluated 
the particular act as a violation of the laws. Thus, he/she is 
held to a societal standard that can be objectively evaluated 
and provides some level of protection for those whose 
information is disclosed. A ``belief'' standard, however, is 
subjective, making it almost impossible to find that the 
whistleblower erred. As noted in the preamble, a balance must 
be achieved so that whistleblowers are not completely 
discouraged from playing their vital role. This provision is 
not balanced, but rather lopsided and provides no check on 
disclosures of this type. Thus, HHS should adopt the widely 
accepted reasonableness standard of tort law, as the standard 
which provides protection for both individuals and 
whistleblowers, by which to judge these disclosures.
    Secondly, the provision provides whistleblowers with carte 
blanche to disclose any amount of PHI they desire. This 
allowance rips away the very protection at the center of the 
regulations. Thus, while covered entities work diligently to 
protect each individual's confidentiality, their employees, 
without any limitations, can breach that confidentiality in the 
name of a ``believed'' abuse. VHA suggests that this provision 
be limited by requiring whistleblowers to apply the ``minimum 
necessary'' standard applicable to covered entities and their 
business partners. Whistleblowers will not be deterred because 
the reasonableness standard will protect them. If their 
calculation of the amount of PHI they disclosed was reasonable, 
they will not be subject to sanctions. If not, however, the 
employee can be reprimanded. This approach strikes the right 
balance that permits good faith attempts to report abuses and 
creates an incentive not to disclose PHI maliciously or without 
reason.
    Third, as drafted the provision allows whistleblowers to 
disclose PHI to any attorney for the purpose of determining 
whether a violation of law has occurred. Permitting disclosures 
to any is extremely problematic. In addition to vastly 
increasing the number of individuals to whom PHI can be 
disclosed, it establishes no restrictions on how these 
attorneys can further use or disclose the PHI in the future 
because they are neither covered entities nor business partners 
and, therefore, not subject to the regulations. Thus, the 
protection of patient confidentiality, which is the point of 
this entire regulatory scheme, is severely hampered by this 
aspect of the whistleblower provision. VHA suggests that HHS 
clarify this provision to limit the entities to whom PHI can be 
disclosed for purposes of whistleblower activities to law 
enforcement officials and oversight agencies or individuals 
designated by the covered entity to deal with such concerns.
    Taken together, these broad, subjective aspects of the 
whistleblower provision work to destroy the right to 
confidentiality HHS has attempted to craft. Thus, if 
maintained, this provision should be significantly revised.

Conclusion

    VHA appreciates the opportunity to present its views on 
this important issue. We agree that ``a clear and consistent 
set of privacy standards'' are needed ``to improve the 
effectiveness and the efficiency of the health care system.'' 
Because of the vast nature of the proposed regulations, the 
final regulations must present both the health care community 
and the individual whose PHI is being used and disclosed with a 
clear picture of what is required. However, these requirements 
should not sacrifice America's high standard of health care. 
Thus, VHA offers these comments as an important step in the 
national conversation about this issue.

                                   -