<html>
<title> - OVERSIGHT ON MEDICAL PRIVACY</title>
<body><pre>[Senate Hearing 107-]
[From the U.S. Government Printing Office]


                                                            S Hrg 107-421

                      OVERSIGHT ON MEDICAL PRIVACY
=======================================================================

                                HEARING

                               BEFORE THE

                    COMMITTEE ON HEALTH, EDUCATION,
                          LABOR, AND PENSIONS
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                                   ON

EXAMINING MEDICAL PRIVACY ISSUES, FOCUSING ON THE STANDARDS FOR PRIVACY
OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (PRIVATE RULE), AND THE
 PROPOSED MODIFICATION TO THOSE STANDARDS, PUBLISHED BY THE DEPARTMENT
                      OF HEALTH AND HUMAN SERVICES

                               __________

                             APRIL 16, 2002

                               __________

 Printed for the use of the Committee on Health, Education, Labor, and
                                Pensions


                           U.S. GOVERNMENT PRINTING OFFICE
78-950                            WASHINGTON : 2003
___________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


          COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS

               EDWARD M. KENNEDY, Massachusetts, Chairman
CHRISTOPHER J. DODD, Connecticut     JUDD GREGG, New Hampshire
TOM HARKIN, Iowa                     BILL FRIST, Tennessee
BARBARA A. MIKULSKI, Maryland        MICHAEL B. ENZI, Wyoming
JAMES M. JEFFORDS (I), Vermont       TIM HUTCHINSON, Arkansas
JEFF BINGAMAN, New Mexico            JOHN W. WARNER, Virginia
PAUL D. WELLSTONE, Minnesota         CHRISTOPHER S. BOND, Missouri
PATTY MURRAY, Washington             PAT ROBERTS, Kansas
JACK REED, Rhode Island              SUSAN M. COLLINS, Maine
JOHN EDWARDS, North Carolina         JEFF SESSIONS, Alabama
HILLARY RODHAM CLINTON, New York     MIKE DeWINE, Ohio
           J. Michael Myers, Staff Director and Chief Counsel
             Townsend Lange McNitt, Minority Staff Director


                            C O N T E N T S

                              ----------

                               STATEMENTS

                        Tuesday, April 16, 2002

Kennedy, Hon. Edward M., Chairman, Committee on Health,
  Education, Labor, and Pensions, opening statement
Gregg, Hon. Judd, a U.S. Senator from the State of New Hampshire,
  opening statement
Dodd, Hon. Christopher J., a U.S. Senator from the State of
  Connecticut, opening statement
Harkin, Hon. Tom, a U.S. Senator from the State of Iowa, prepared
  statement
Frist, Hon. Bill, a U.S. Senator from the State of Tennessee,
  opening statement
Reed, Hon. Jack, a U.S. Senator from the State of Rhode Island,
  opening statement
Warner, Hon. John W., a U.S. Senator for the State of Virginia,
  opening statement
Murray, Hon. Patty, a U.S. Senator from the State of Washington,
  opening statement
Enzi, Hon. Michael B., a U.S. Senator from the State of Wyoming,
  opening statement
Allen, Claude, Deputy Secretary, Department of Health and Human
  Services, prepared statement
Karp, Sam, Chief Information Officer, California Healthcare
  Foundation, prepared statement
DeWine, Hon. Mike, a U.S. Senator from the State of Ohio, opening
  statement
Goldman, Janlori, Director, Health Privacy Project, Georgetown
  University, prepared statement
Harding, Richard, M.D., President, American Psychiatric
  Association, prepared statement
Clough, John C., M.D., Director, Health Affairs, Cleveland Clinic
  Foundation, prepared statement

                          ADDITIONAL MATERIAL

Articles, publications, letters, etc.:
    Letters signed by physician groups and a consumer
      organization
    Questions of Senator Murray for Panel I
    American Hospital Association
    The Alliance of Medical Societies
    Blevins, Sue A., President, Institute for Health Freedom


                      OVERSIGHT ON MEDICAL PRIVACY

                              ----------


                        TUESDAY, APRIL 16, 2002

                              United States Senate,
       Committee on Health, Education, Labor, and Pensions,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 10:05 a.m. in
Room 206, Hart Senate Office Building, Hon. Edward M. Kennedy
(chairman of the committee) presiding.
    Present: Senators Kennedy, Dodd, Wellstone, Murray, Reed,
Clinton, Gregg, Frist, Enzi, Warner, and DeWine.

  OPENING STATEMENT OF HON. EDWARD M. KENNEDY, A U.S. SENATOR
                FROM THE STATE OF MASSACHUSETTS

    The Chairman. We will come to order. I am pleased to hold
this very important hearing on what is happening with patients'
medical records. The blessing of high technology can also be a
curse to personal privacy. With the click of a mouse our most
personal information can be launched into cyberspace for
millions to see. If we do not take steps forward to protect
privacy in the information age, our most personal information
will be available to every employer, every health insurance
company, and every high-tech peeping Tom in America.
    This is not only unfair to patients; it is bad for their
health. A recent study found that one out of every six patients
withdraws from full participation in their own health care
because they worry their medical information will be used.
    We have worked hard to strengthen privacy protection for
America's patients. In the Health Insurance Portability and
Accountability Act of 1996 we said privacy protections were so
important that if Congress did not pass legislation to
strengthen privacy the administration should put in place real
protections. The Clinton administration did just that when it
adopted a comprehensive set of protections to give all
Americans control of their private medical records. However,
the new rule recently proposed by the Bush administration would
rescind these protections and would make private medical
records an open book.
    This is a serious step backwards. Each time patients see a
doctor or fill out a prescription they are at greater risk that
their most personal medical information will be available to
prying eyes.
The administration has proposed new rules that say
health providers do not have to get consent to determine how
your medical records are used. Requiring consent assures that
the patient plays a role in how their health information is
used. It is the only real way to assure that patients and only
patients control sensitive information. It restores faith in
the health care system.
    Of course, certain narrow and common sense exceptions are
needed. For example, your personal physician should be allowed
to phone in your prescription to your pharmacist. There is no
reason that you should have to make a separate trip to the
hospital before surgery just to consent. We can address these
practical challenges without undermining the core protections
in privacy.
    The Bush administration's proposals say patients simply
have to be notified, not asked, about what is going to happen
with their medical information. We should not throw the baby
out with the bathwater. All Americans should be assured that
their personal medical information is theirs and theirs alone.
    The administration's plan also provides for a new back-door
loophole that allows companies to use private medical records
to market their products. This means, for example, that
patients seeking treatment for mental illness would have that
information shared with companies selling anti-depressants and
other therapies. Those companies would be free to send open
mailings to your work or to your home. The administration
claims the new regulation grants new protections against abuse.
They argue that a new authorization is required before a health
provider or business can market to a patient. But the same
proposal allows doctors and pharmacists to provide, without
permission, the health information of their patients to
businesses that will try to sell them new drugs, therapies,
nursing home placements, and other care. This loophole is a
telemarketer's dream and a patient's nightmare and it must be
closed.
    I look forward to working with my colleagues on legislation
to assure Americans that their medical records will be kept
private and I welcome our distinguished witnesses to today's
hearing.
    Senator Gregg.

 OPENING STATEMENT OF HON. JUDD GREGG, A U.S. SENATOR FROM THE
                     STATE OF NEW HAMPSHIRE

    Senator Gregg. Thank you, Mr. Chairman.
    Medical privacy is an issue that affects every American,
and yet prior to the passage of HIPAA in 1996, there was no
Federal structure or law in place that would ensure that our
medical information remains private. HHS has been working for
several years to develop comprehensive rules that govern the
use and disclosure of protected health information. This is no
easy task, given the complexity and fragmentation of our health
care system, including the fact that our private health care
insurance system is employment-based and dependent upon a
system of third party payers.
    I would like to commend the administration for proposing
significant improvements to the rules. These changes provide
important clarifications that will aid in implementation and
compliance. Moreover, these changes will prevent the
unnecessary and harmful disruption of a patient's care that
would have occurred under the existing rules, a very important
point.
    Although the proposed rule would clarify or improve several
different provisions, the most important proposed modification
pertains to the consent and notice requirements on direct
treatment providers. Under the existing rules, a patient would
have to give prior written notice, prior written notice, to
each and every provider that the patient sees or even schedules
an appointment with.
Not only would this requirement disrupt
and delay care but the protection it would have provided is
merely illusory because a provider could withhold care if the
patient does not provide the consent.
    There are numerous examples of how, if unchanged, this
requirement will harm or delay patient care. For instance, a
patient referred to a specialist by his or her physician may
not even be able to schedule an appointment without first going
to the specialist's office and completing a form. Because only
patients can give consent, a sick or elderly person could not
have a friend or a family member pick up their prescription
unless they first go and sign a consent form with the pharmacy,
resulting in serious delays in starting medication.
    Ordinary physician practices, such as arranging out-patient
surgery or calling in prescriptions, would be in jeopardy. One
hospital stay might result in a sick patient having to fill out
multiple new forms, new consent forms, in addition to all the
forms already required for treatment--one for the hospital, one
for each nurse, one for each doctor, one for each medical
technician that the patient sees under this proposal.
    There are numerous examples of disruption in patient care
that would occur as a result of the prior consent requirement,
and there are likely many more that have not been contemplated.
Thus, the suggestion to keep this requirement in place but
create exceptions for all the various situations in which prior
consent would disrupt care is simply unworkable.
    By changing this provision we avoid a consumer backlash of
major proportions. While consumers rightly seek the strongest
possible privacy protection, they have little tolerance for
bureaucracies and hoops that make it even more difficult to
navigate our complex health care system, especially if the
additional bureaucracy does not provide meaningful protection
or enhance the quality of care.
    Consumers and physicians support the changes in the consent
requirement, and this is an important point. A letter dated
April 10 from a broad range of physician groups, including the
American Academy of Family Physicians, the American College of
Obstetricians and Gynecologists, and the American Medical Group
Association, strongly supports the administration's proposed
changes in the consent requirements. These organizations
represent over 400,000 physicians.
    In an earlier letter dated December 20, 2001, the National
Partnership for Women and Families Consumer Organization and
United Health Care co-signed a letter to Secretary Thompson
raising serious concerns that the existing consent provisions
will seriously jeopardize quality of care. I would like to
submit all those letters for the record.
    Senator Dodd. [presiding]. Without objection, so ordered.
    [The letters follow.]

                                                     April 10, 2002
The Honorable Edward M. Kennedy,
Chairman Health, Education, Labor and Pensions Committee,
Washington, DC.
    Dear Chairman Kennedy: The Department of Health and Human Services
(HHS) recently issued proposed changes to the medical privacy rule
``Standards for Privacy of Individually Identifiable Health
Information.'' The undersigned national health and medical
organizations and specialty societies strongly support the proposed
rule's approach in making prior consent discretionary. Unfortunately,
various press articles and commentary have seemed to suggest that
physicians do not support the proposed change.
It is important for
Members of Congress to know that many physician and provider
organizations do support the proposed modification to make prior
consent discretionary rather than mandatory.
    Physicians and practitioners strongly support meaningful Federal
privacy protections for patients' medical information. Under the
proposed rule, covered entities would not be required to obtain written
consent from patients before using or disclosing protected health
information for such routine purposes as treatment, payment, and health
care operations. However, unlike the proposed regulation issued under
the Clinton Administration, covered entities would not be prohibited
from obtaining written consent if they choose. We believe this approach
strikes the proper balance of protecting the rights and autonomy of
patients, while removing unnecessary barriers that interfere with
patient care and the efficient delivery of health care.
    It is important to note that eliminating the prior consent
requirement does not detrimentally affect patients' privacy rights in
any meaningful fashion. Even privacy advocates called the consent
requirement meaningless because the regulation permitted providers to
deny treatment to individuals who refused to sign the consent form.
Furthermore, we believe that the written notice requirement is the true
backbone behind patients' privacy rights. The written notice, not the
consent form, is the means by which patients are informed of their
rights under the regulation and how and to whom their medical
information may be used or disclosed. The proposed rule actually
strengthens the notice requirement, which we fully support.
    Not only would the prior consent requirement add yet another
mandatory form to the already unmanageable paperwork burden that
physicians and practitioners face on a daily basis, it could pose
serious problems for patient care. HHS outlined many of the potential
problems in the proposed rule.
    The prior consent requirement could confuse patients and increase
patient waiting times. Physicians and practitioners would be prohibited
from treating patients or providing other services for them, until the
form is actually signed. For example, physicians who have privileges at
a number of hospitals would need either to establish multiple organized
health care arrangements or ask each patient in the hospital to sign a
physician consent form in addition to the consent form provided for the
hospital. If a patient were required to sign multiple consent forms to
receive care at a hospital, this would hinder and delay patient care.
    Additionally, the prior consent requirement would potentially
interfere with the ability of physicians and practitioners to continue
many daily practices such as referring patients for treatment,
arranging outpatient surgery, and calling-in prescriptions.
Furthermore, physicians and practitioners might not be able to use
patients' information to send important reminders regarding patient
treatment (i.e., child immunization and mammography reminders).
    HHS faced the difficult challenge of protecting patients' privacy
rights, while at the same time removing unnecessary barriers that
interfere with patient care and the delivery of health care. We
strongly believe that HHS met this challenge in the proposed rule, and
we oppose any efforts to change it.
    Sincerely, American Academy of Dermatology Association; American
Academy of Family Physicians; American Academy of Nurse Practitioners;
American Academy of Physician Assistants; American Association of
Neurological Surgeons/Congress of Neurological Surgeons; American
Association of Orthopaedic Surgeons; American College of Cardiology;
American College of Nurse-Midwives; American College of Obstetricians
and Gynecologists; American Medical Group Association; American
Podiatric Medical Association; American Society of Cataract and
Refractive Surgery; American Urological Association; Medical Group
Management Association
                                 ______

                                                     April 12, 2002
    Dear Member of Congress: As you may know, the Department of Health
and Human Services (HHS) recently issued a Notice of Proposed
Rulemaking (NPRM) proposing modifications to the final privacy rule.
The undersigned organizations are writing to let you know of our strong
support for the proposed modification in the NPRM giving health care
providers the option of obtaining the prior consent of patients to use
or disclose identifiable health information for treatment, payment and
healthcare operations. The Department's proposal to make obtaining
consent optional for providers strikes a workable compromise between
the original proposed regulation from 1999 that prohibited providers
from obtaining written consent and the final regulation from 2000 which
mandated it.
    We strongly support meaningful Federal privacy protections for
patients' medical records. An essential part of that commitment is
ensuring that patients understand their rights and how their medical
information will be used.
However, adding yet another mandatory form to
the burden that physicians, practitioners, pharmacists, hospitals and
other health care providers already face on a daily basis does not
effectively achieve the balance of providing privacy protections and
assuring timely, efficient access to health care. We support the
Department's proposed modification to make consent optional.
    The NPRM documented numerous disruptions and delays in receiving
medical care that patients--particularly the elderly and those in rural
areas--would face if the mandatory prior written consent requirement
were not modified to make it optional for health care providers. For
example, patients could experience significant delays in obtaining
prescriptions because pharmacists could not fill the prescription until
the patient were present to sign the consent. Friends and family
picking up prescriptions for a sick individual would not have legal
authority to sign the consent, and thus could not pick up the
prescription.
    The NPRM described how patients referred to a hospital for
outpatient surgery might have to make an extra trip to sign a consent
form because the hospital could not use information about the patient
to schedule and prepare for surgery. Nurses who staff telephone centers
that provide health care assessment and advice, but never see patients,
would be unable to counsel patients because they would be prohibited
from using identifiable information for treatment and would be unable
to obtain prior written consent. The NPRM also cites emergency medical
providers who were concerned that even if a situation was urgent that
they would have to try to obtain consent, even if inconsistent with
best medical practices. There were also troubling questions about
whether physicians who had privileges at several hospitals would have
to obtain separate consent from patients at those facilities, even if
patients had already signed consents for the hospital.
    These are just some examples of the potentially serious
consequences of the mandatory prior written consent requirement. The
Department wisely chose to correct the underlying problem with the
proposed provision to make consent optional, rather than trying to
address each adverse consequence of a mandatory consent requirement as
it presented itself.
    Sincerely, ACA International; Academy of Managed Care Pharmacy;
Advance PCS; Advanced Medical Technology Association (AdvaMed); Aetna
Inc.; American Academy of Dermatology Association; American Academy of
Family Physicians; American Academy of Physician Assistants; American
Association of Health Plans; American Association of Neurological
Surgeons/Congress of Neurological Surgeons; American Association of
Orthopaedic Surgeons; American Benefits Council; American Clinical
Laboratory Association; American College of Nurse-Midwives; American
Health Care Association; American Managed Behavioral Healthcare
Association; American Medical Group Association; American
Pharmaceutical Association; American Society of Cataract and Refractive
Surgery; American Society of Consultant Pharmacists; Association of
American Medical Colleges; Biotechnology Industry Organization (BIO);
Blue Cross and Blue Shield Association; Cardinal Health; Cleveland
Clinic Foundation; The ERISA Industry Committee; Express Scripts;
Federation of American Hospitals; Food Marketing Institute; Genzyme
Corporation; GlaxoSmithKline; Health Insurance Association of America;
Healthcare Leadership Council; Intermountain Health Care; Kaiser
Permanente; Lahey Clinic; Marshfield Clinic; Mayo Foundation; Medical
Group Management Association; Merck-Medco; National Association of
Chain Drug Stores; National Association of Health Underwriters;
National Association of Manufacturers; National Retail Federation;
Pharmaceutical Care Management Association; Premier, Inc.; Quest
Diagnostics; UnitedHealth Group; US Chamber of Commerce; Vanderbilt
University Medical Center; VHA Inc.; WellPoint Health Networks
                                 ______

    Senator Gregg. Some have suggested that the proposed change
was driven by large corporate medical interests and thus is not
in the best interest of consumers and patients. This is not the
case. While nearly every sector of the health care system
supports the proposed changes, the modifications in the consent
requirement only apply, only apply, and this is an important
point, to direct care providers.
    Moreover, the proposed rule does not affect the
requirements governing use and disclosure of protected health
information. Authorization would still be required for any
other use of the protected health information.
    The proposed change to the consent requirement strikes the
right balance. The original rule issued by the Clinton
administration would have actually prohibited prior consent. I
think that is an important point we have to stress here.
President Clinton originally proposed that there would be no
prior consent. And that change, the reason they changed it then
was because the American Medical Association, allegedly on
behalf of its constituency, and I cannot believe it, but that
is the allegation, wanted the prior consent to be in place. I
am tempted, quite honestly, very much tempted to say if the
American Medical Association wants prior consent, we will give
it to them, just for them, but we have not heard from the
American Medical Association recently on this point and maybe
their position has been modified.
    Many providers objected to the ban on prior consent and
rightly so.
The final Clinton rule would have mandated prior
consent before any kind of interaction with the health care
provider. This is far too disruptive. The proposed rule before
us would not mandate prior consent. Instead, it would require
providers to give notice of their privacy practices. This would
allow patients to be fully informed of how their information
will be used and would allow them to act accordingly. It is
preferable to the coerced consent provisions contained in the
existing rule.
    Finally, I would like to thank the administration for other
proposed modifications of the rule, including the clarification
to the marketing, parental consent, parental access, business
associations, and the plan sponsors' enrollment provisions. I
look forward obviously to hearing from the administration on
this point. Thank you.
    Senator Dodd. Thank you, Senator.
    Senator Kennedy has temporarily been called away from the
committee and will return shortly. We will get to Mr. Allen
briefly but let me make a brief--I am going to ask unanimous
consent to include the full text of my opening remarks and that
will apply, by the way, for every member of the committee,
those who are here and those who have not shown up yet, to
share their views.

 OPENING STATEMENT OF HON. CHRISTOPHER J. DODD, A U.S. SENATOR
                 FROM THE STATE OF CONNECTICUT

    Senator Dodd. First of all, let me commend our chairman,
Senator Kennedy, for convening this hearing on relatively short
notice but in light of the decisions made just prior to the
departure of the Congress for the Easter-Passover break when
the news came out about the change in policy here, we thought
it was appropriate to try and gather together as quickly as we
could to express ourselves on this issue.
    I do not know of another issue that provokes as quick or as
strong a response from the public as the issue of privacy does,
particularly in light of how the world has changed in the last
decade. I often tell audiences at home in Connecticut that on
the day that President Clinton was sworn into office on January
20, 1993 there were 55 pages on the World Wide Web. To give you
some idea how the world has changed in a decade, today someone
suggested I think the number is maybe almost a million pages an
hour get added to the World Wide Web, or some number like that.
    The point is today the use of the Internet and technology
to expand information and sources of it, as well as people's
access to information has grown exponentially and there is a
growing body of concern within the public about how much
information people have, what they do with that information,
and to the extent people are able to pry into the private lives
and private information.
    We would not allow anyone to come rummaging through our
house, to go through our waste baskets, to go through our
medical cabinets and cases. We would not tolerate that, let
anyone in our homes to do it. In a sense, if you can, in
effect, do that today by rummaging through people's private,
most privately held information, then you can begin to get some
sense of the concerns people have.
    So the ability to control very personal information is an
issue that is deeply felt by people and it crosses all your
traditional ideological and political lines. This is as
strongly held feeling among Democrats, Republicans, liberals,
moderates, conservatives as any issue I am aware of, the issue
of privacy.
    Since 1996 when the Health Insurance Portability and
Accountability Act was passed many of us here have worked to
develop legislation to try to protect medical records, and that
is what we are talking about here today, in a meaningful and
comprehensive fashion. Unfortunately, we have not yet developed
a bipartisan legislative response. Senator Richard Shelby, my
colleague from Alabama, and I chair the Privacy Caucus,
co-chair it with colleagues in the House and the Senate, to give
you some idea of the bipartisanship in trying to work on these
issues.
    But these are complicated questions. None of us are going
to suggest that dealing with this is a simple matter. We have
tried ideas in the past and there are always some unintended
consequences when you deal with this issue, but we have worked
on it.
    Let me, in response to my friend from New Hampshire, point
out that the Clinton Administration did, in my view, a
tremendously admirable job in developing some very important
privacy protections in the medical area. For the very first
time patients were given the right to access their own medical
records. I know that is a radical idea. It is hard to imagine,
but for a long time you did not have any right to see your own
information at all and these rights seem so basic, as I said,
that it is hard to imagine they did not exist before. Imagine
the frustration of being denied a request to see your own
medical information or having a telemarketer contact you at
home based on targeting data derived from those records, and
that is rather commonplace today. In a very real way, this is a
personal violation in the minds of many, many Americans.
    The final medical privacy rule was an immense undertaking.
Upon announcing the regulations in late 2000, the Department of
HHS received over 50,000 comments from health care providers,
insurance companies, doctors, and patients across the country.
The final rule that took effect did so in April of 2001. It was
not thrown together haphazardly. It was created with an
understanding of the difficulties and costs associated with its
implementation. But the determination was made, correctly in my
mind, that medical privacy should not be compromised.
    Yet now the Bush Administration has announced its intention
to do exactly that in the views of many of us up here,
Democrats and Republicans. Their proposals would undermine, in
our minds, some of the most important protections that we have
worked to establish over the last 5 years. The administration,
as we understand it, wants to allow health care providers
enormous discretion in how they use your medical records, your
most personal and private information, something that in my
view you, as a citizen, and you alone should be the one to make
a decision about.
    The Bush Administration proposes to remove the provision in
the medical privacy regulations that requires a health care
provider to obtain a patient's consent in order to share his or
her records for ``treatment, payment, and other routine health
care operations,'' and that is a quotation. Those are not my
words. Instead, they want to make it mandatory for providers to
inform patients that their records have been shared. This can
be done before or after the fact, according to the proposal.
That is very generous. It is like a neighbor calling you to
tell you that he has read your mail and gone through your
medicine cabinet, except, of course, in the example, in that
case you have some legal recourse. Here you would have none.
    The administration claims to be proposing these changes
because privacy threatens the quality and timeliness of care.
This, I think, is unacceptable. There should be no trade-off
between quality, timeliness, and privacy, in my view. All are
necessary and all are obtainable.
    I understand that there are instances where obtaining prior
consent is not possible, such as emergency care, phoned-in
prescriptions to a pharmacy. In those cases the law should
allow the provider some leeway. But in general, privacy should
not be compromised. It is not necessary. It is a phony argument
to suggest it needs to be done. And I believe that we should be
here trying to protect those rights when at all possible.
    Now let me turn to my colleague from Tennessee, who I know
has a deep interest in the subject matter, as well, and my
other colleagues, and then we will get to you, Mr. Allen.
    Let me just say, as well, on the issue here, I understand
the importance of how sharing information for clinical trials
and other areas can be tremendously important, but the idea
that you could do that after the fact or not letting the
patient know about it, that does not make any sense to me and I
think any effort to do that is going to find a wall of
opposition up here in terms of that effort.
    At this time I would like to submit a statement from
Senator Harkin.
    [The prepared statement of Senator Tom Harkin follows:]

                Prepared Statement of Senator Tom Harkin

    I want to thank Chairman Kennedy for scheduling this
important hearing.
    As health care practices have evolved over the past several
years, and technology has allowed for the rapid mass transit of
information, it has become critical to protect individual
privacy--especially as it relates to personal medical
information.
    If we are not strong on the protection, and vigilant on the
enforcement, we will be putting ourselves and our loved ones at
risk.
    Wouldn't it be ironic, and certainly tragic, if Americans
are actually harmed when they go to a medical
provider because \ntheir medical records were inappropriately used or shared?\n    Plain and simple, your private medical records should be \njust that--private.\n    Time and time again, I've heard from Iowans who are \nconcerned about the misuse of their private medical \ninformation. Sadly, this Administration has failed to listen to \nthe voices of the people.\n    I have worked hard to pass strong medical privacy \nprotections that make clear that a patient's medical records \nare not for sale. Patients must have a `right to know' how \ntheir medical information is used and they should have the \nright to say 'no' by controlling who has access to this most \nprivate of information.\n    When I talk to the reasonable patients and providers \nthroughout Iowa, they all share the same advice. Create a \nsystem that is not overly burdensome but appropriately protects \nindividuals' medical records.\n    If there were problems with the existing medical privacy \nregulations, then the Administration should work with the \nCongress and the health care industry to fix those problems.\n    But that is not what was done. This reversal by the \nAdministration sacrifices patient privacy to the altar of \nspecial interests.\n    Again, I thank the Chairman for scheduling this important \noversight hearing and I look forward to working with him to \nfind a reasonable and manageable solution that above all else, \nprotects patients.\n    Senator Dodd. With that, Senator Frist?\n\n OPENING STATEMENT OF HON. BILL FRIST, A U.S. SENATOR FROM THE \n                       STATE OF TENNESSEE\n\n    Senator Frist. Thank you. 
And I want to thank the chairman \nand Senator Gregg for the opportunity to hold a hearing today \non an issue that is contentious, as we have seen in some of the \nopening statements, and almost deservedly so because we all \nstruggle, really struggle with this balance with information \nthat is among the most intimate information known to mankind, \nthe information about oneself, one's health, one's past, one's \nphysical, one's emotional being, how much that information \nshould be shared.\n    There are certain advantages of the sharing, there are \ncertain necessities of the sharing, but how we can build \nappropriate protections where the ultimate confidentiality, \nwhich is critical--it is critical to the doctor and the patient \nand that doctor-patient relationship and it is critical to \ndelivering the sort of care which really has made American care \nthe best in the world.\n    But it does boil down to trust, to confidentiality, to \nsecurity, and that much influences openness and how much a \npatient tells a doctor and how much a doctor puts into a \nrecord. And ultimately other people have to access that \nparticular record and it might not be the same doctor. In fact, \nit might not be the same doctor. In fact, in all likelihood, \ngiven the mobility of society today, it will not be that same \ndoctor. 
Yet to demand the standards that are implied with \ncontinuity of care and seamlessness, something that we all \nwant, we have to have an accurate recording of that doctor-\npatient relationship, but in such a way that it is not to be \nabused.\n    I have only been involved in this discussion at a policy \nlevel for the last 7 years, 6 years formally, and that balance \nis tough and we are seeing it play out before our eyes.\n    I do appreciate the opportunity for all of us to examine in \nas objective a way as possible the impact on health information \nconfidentiality regulations that were initially introduced in \nthe shape that we are debating them and talking about them and \ndiscussing them by the Clinton Administration in the closing \ndays, as well as looking at this administration's proposed \nmodifications to those rules. I do applaud Secretary Thompson, \nhis staff at the Department of Health and Human Services, for \ncarefully reviewing these regulations and for proposing \nadjustments that, I believe, will go a long way in safeguarding \nprivacy while, at the same time, ensuring that patients \ncontinue to enjoy access to quality health care.\n    Secretary Allen, I appreciate you being here today to \ndiscuss these proposed modifications in more detail and laying \nthem out in such a way that we can further discuss them in the \nfollowing panel.\n    The protection of the confidentiality of patient \ninformation is critical, but we also need to be extremely \ncareful in this area so that we do not allow overly, \nunnecessarily restrictive rules that might threaten quality of \ncare or the safety of care that patients receive. This, as I \nsaid a few moments ago, is not an easy balance to achieve.\n    We have seen the effect of State legislation in certain \ncases. We will all be pointing to certain anecdotes and certain \ncase studies, but we have seen cases where State legislation \nhas gone too far. 
In Maine, for example, legislation requiring \nthat patients give consent before identifiable information \ncould be used by providers was repealed after only 12 days \nfollowing reports that it interfered with patient access to \nprescription drugs and prevented hospitals from helping clergy \nand family members even locate their loved ones.\n    During the past year, as physicians, nurses, scientists and \nconsumers have received the Federal regulations proposed by the \nprevious administration, it became clear that these rules would \nimpose similar barriers to health care access and quality.\n    There have been serious concerns raised in other areas, as \nwell. Over 140 academic research institutions, medical \nspecialty doctors, hospitals and others wrote to the Department \nof Health and Human Services to warn of potential problems \ncaused by the original regulations' research provisions. They \nwrote that the rule, if implemented, ``will seriously impair \nour ability to conduct clinical trials, clinico-pathological \nstudies of the natural history and therapeutic responsiveness \nof disease, epidemiological and health outcome studies, and \ngenetic research.''\n    While the administration's notice of proposed rulemaking \ndoes acknowledge that the rule's deidentification standard \nraises serious concerns, I strongly urge the administration to \nfully address the concerns raised by the research community in \nits final rule.\n    Finally, I would strongly encourage the administration to \ncarefully review all areas of the rule to make sure that it \ndoes not unintentionally impede the efforts of our public \nhealth officials, as well as our private health professionals, \nto respond to bioterrorist threats and attacks. The original \nrule's prohibition on the sharing of aggregate information \ncould have made it impossible to effectively track and monitor \ndisease outbreaks. 
I am pleased that some changes have been \nproposed in these areas, but because of the importance to \nquickly respond in these situations, I am hopeful that the \nadministration will carefully review the entire regulation \nalong these new lines in this new light.\n    Again, Mr. Chairman and Senator Gregg, thanks for holding \nthe hearing today and I look forward to hearing from our \nwitnesses.\n    Senator Dodd. Thank you very much, Senator.\n    Senator Reed.\n\n OPENING STATEMENT OF HON. JACK REED, A U.S. SENATOR FROM THE \n                     STATE OF RHODE ISLAND\n\n    Senator Reed. Thank you, Mr. Chairman. Just very briefly, \nthank you, Secretary Allen, for joining us today.\n    These are vitally important regulations. There is no issue \nin America that is of more concern to individual Americans from \nevery region of the country, every sector--everyone is \nconcerned about the protection of the privacy of their health \nrecords and there are two particular concerns that these \nregulations raise. One is whether or not there really will be \nan effective at least one-time written consent for the release \nof health care information and second, whether or not the \nmarketing aspects of these regulations invite the commercial \nexploitation of medical information, which I think most \nAmericans would be horrified about. Think of the world of \ntelemarketing with your health care records in hand and that's \na frightening thought.\n    Robert Frost, the New England poet, wrote that ``Good \nfences make good neighbors'' and the real question is whether \nthese regulations are good fences so that we can be good \nneighbors. I will look closely and listen closely to the \nhearing today to see if we have made progress in that regard, \nbut frankly, this is one of those issues that you do not have \nto be an expert to be concerned. You just have to be an \nAmerican citizen. Thank you.\n    Senator Dodd. 
Senator Warner, do you want to make any \nopening comments?\n\n OPENING STATEMENT OF HON. JOHN W. WARNER, A U.S. SENATOR FROM \n                     THE STATE OF VIRGINIA\n\n    Senator Warner. Very briefly. I just wish to welcome \nSecretary Allen, who served the Commonwealth of Virginia with \ngreat distinction as our Secretary of Health and Human \nResources. Now you have come to Washington to get one of the \ntoughest issues that anybody has to solve. I wish you luck.\n    Mr. Chairman, I want to commend my colleague Senator Frist \nfor all the hard work that he does in this and so many areas \nrelated to health care. Thank you, Mr. Chairman.\n    Senator Dodd. With that encouraging note we turn to Senator \nMurray.\n\nOPENING STATEMENT OF HON. PATTY MURRAY, A U.S. SENATOR FROM THE \n                      STATE OF WASHINGTON\n\n    Senator Murray. Thank you very much, Mr. Chairman. I just \nask unanimous consent that my full statement be put into the \nrecord.\n    Senator Dodd. Without objection.\n    Senator Murray. I will just say that this is an extremely \ncomplex issue that this committee has been considering for some \ntime and I think it is very important that we have these \nhearings today and further hearings before the administration's \nrules take effect to truly understand this because, as Senator \nReed said, this affects every single American and we had better \nknow what we are doing and the outcome of that before these \nrules are finalized because the impacts could be considerable.\n    For me, the most important thing is that people do go to \ntheir doctor feeling confident. Otherwise, we may create a \nsituation where individuals would fear seeking health care and \nthat is absolutely the wrong thing that we should be doing.\n    So I really look forward to this hearing and further \nhearings as we clarify what these rules would mean to general, \naverage people. 
Thank you very much.\n    [The prepared statement of Senator Patty Murray follows:]\n\n               Prepared Statement of Senator Patty Murray\n\n    Mr. Chairman, the Administration's decision--announced on \nMarch 23rd--to revise the regulations implementing medical \nrecords privacy has generated a great deal of concern.\n    I think this hearing is an important step in better \nunderstanding the implications of these changes and an \nopportunity for this Committee to again focus on the urgent \nneed to ensure greater medical records privacy.\n    As we learned in 1999, the issue of medical records privacy \nis a complex and emotional one. There are no easy solutions.\n    In addition, because of our fragmented health care delivery \nsystem, there are often numerous individuals who have--and in \nmany cases need--access to medical records.\n    These aren't just health care providers, and the ability to \nprotect medical records privacy becomes further complicated by \nthe number of individuals with access.\n    In 1999, this Committee attempted several times to report \nout legislation implementing HIPAA privacy regulations.\n    Unfortunately, we were not successful and had to default to \nthe regulatory process to implement privacy standards. 
Clearly, \nthis has created many of the problems and concerns.\n    Because of the complexity and expense to providers of \nimplementing these regulations, I supported additional relief \nfor health care providers, especially smaller hospitals or \nphysician practices.\n    I supported an extension of implementation because I \nrecognized the difficulty implementing these regulations.\n    I also wanted to be sure that providers were able to \nimplement them correctly and that patient privacy was the \nfocus.\n    Because there are limited private actions that an \nindividual can take if his or her privacy is violated, it is \ncritical that implementation is accurate.\n    In reviewing the Administration's revised regulations, I \nhave several concerns that I hope can be addressed or corrected \nlegislatively.\n    I am troubled that the Administration's changes in the \nconsent requirements will gut any real protections for \npatients.\n    Simply notifying a patient that their information will be \nreviewed or released is not adequate. 
Patients must have the \nright to consent to this release.\n    While there are some cases that can be exempt from this \nrequirement, I think that weakening the entire consent \nrequirement does little to ensure patients that their medical \nrecords will be kept confidential.\n    I also have some real concerns with the ability of parents \nto have access to a minor's entire health care record.\n    This is one of the issues that derailed legislation in 1999 \nand is nothing more than an attempt to impose a national \nparental consent or notification on all States.\n    It also serves to jeopardize efforts to improve access to \nSTD or reproductive health care and mental health care for \nminors.\n    The language in the regulation does appear to give \nproviders the ``discretion'' at releasing information to \nparents or making it available for review by parents.\n    If a minor has any concerns or doubts the confidentiality \nof their records, they will NOT seek care. The guarantee of \nconfidentiality has to be explicit, not up to a physician's or \nprovider's discretion.\n    It is also not clear how this provision impacts the \nlanguage on State preemption.\n    For example, Washington State guarantees a minor access to \nconfidential reproductive health care and mental health \nservices.\n    This is not a tougher standard than the Federal regulation, \nso there is some concern that this regulation could preempt \nState laws and protections provided to minors in Washington \nState.\n    I hope this Committee will have additional hearings on this \nissue. 
If legislative measures are needed to clarify or correct \nthese regulations, I hope we'll take the necessary action.\n    The failure to implement a national medical records privacy \nalong with a prohibition on genetic discrimination has created \na situation where individuals fear seeking health care and are \nnot providing comprehensive background to their health care \nprovider.\n    The implications of this are staggering and jeopardize \naccess to new break-through screening and prevention.\n\n            Questions from Senator Patty Murray for Panel I:\n\n    Question 1. In developing privacy regulations, the previous \nadministration did not attempt to impose any new parental \nrights.\n    The original regulations simply deferred to the States on \nparental consent or limitations on parental consent and \nnotification.\n    There was an effort in this Committee to impose this new \nnational parental review or consent of the entire minor's \nhealth care records. However, as I mentioned earlier, it was \none of the reasons legislative action stalled in the Senate.\n    <bullet> Why did this administration attempt to modify or \nexpand parental consent or review rights?\n    <bullet> How does this new revision impact States that have \nnot been silent but have acted to ensure a minor's access to \nconfidential health care services?\n    <bullet> Does this provider discretion extend beyond the \nphysician's office?\n    Question 2. One of the major gaps in the current oversight \nis the fact that IRB requirements apply only to federally-\nfunded research.\n    Private research and some off-shore research are exempt. \nHowever, the FDA approval process does provide some mechanism \nfor ensuring the safety of human subjects in clinical trials.\n    <bullet> Can we expand this authority to improve safety or \nshould we expand the jurisdiction of the Office of Human \nResearch Protections at HHS?\n    Question 3. 
It is difficult in today's market-driven \nresearch arena to ensure informed consent.\n    Patients are often facing life threatening illnesses. \nParents may have a child who is facing a devastating diagnosis.\n    Often, patients are almost begging to get into a clinical \ntrial. They will sign anything or agree to anything. They may \nnot pay close attention to any financial link the researcher \nmay have to the treatment.\n    <bullet> How can a research institution ensure that \npatients are fully aware of the risks associated with the trial \nas well as the risk associated with the established treatments?\n    <bullet> How can researchers ensure that patients \nunderstand the financial link that the researcher or \ninstitution may have to the treatment?\n    Question 4. I have found that many patients and families \nare often surprised when they learn that there is a financial \nlink between researcher and treatment.\n    They're surprised when they learn that some physicians or \ndoctors may be receiving some future financial benefit from a \ndrug manufacturer or royalty payments for a patent.\n    Of course, in a market-driven economy, it's difficult to \nseparate what was justifiable compensation and what was \nprovided as a way of inducing a bias on the part of the research.\n    Many outstanding physicians and researchers receive \nfinancial compensation for their discoveries or their \ndevelopments--yet this never impacts their hope at finding the \ncure or treatment.\n    To assume that any financial link presents an inherent bias \nwill jeopardize how research is conducted and eliminate \nincentives for furthering science.\n    <bullet> Would more detailed disclosure requirements be \nenough to remove any conflict of interests doubts or \nallegations?\n    <bullet> How do we provide compensation to those conducting \nresearch or evaluating clinical trials?\n    <bullet> Is there a way to totally remove any bias on the \npart of researchers?\n    
Question 5. We place a great deal of oversight \nresponsibility into the hands of the Institutional Review Board \n(IRB). But it appears there is limited oversight over the IRB \nor even the selection process for a local IRB.\n    We know of cases of IRB shopping--where a researcher will \nsimply apply through different IRBs despite being rejected or \nlimited by another IRB.\n    Once a researcher receives the approval of the IRB, the \nissue of monitoring becomes questionable.\n    <bullet> Would further accreditation of IRBs serve to \nstandardize and improve the process?\n    <bullet> Would established criteria for all IRBs, including \nthe scope and timing of research review ensure greater safety?\n    <bullet> How can we work to guarantee that IRBs have \npediatric expertise or pediatric knowledge?\n    Question 6. Recent press accounts of safety problems and \nviolations in clinical trials have generated a great deal of \nconcern.\n    <bullet> Has the public lost confidence in clinical trials?\n    <bullet> Is the lack of confidence or the issue of safety \nto blame for low participation rates in clinical trials?\n    <bullet> Will addressing some of the safety gaps restore \nconfidence?\n    Clinical trials are a vital part of our health care \nstructure. If we are forced to wait until we eliminate any and \nall risks, we will lose too many patients and too many \nchildren. Greater access to clinical trials can mean the \ndifference between life and death, especially for pediatric \ncancer cases.\n\n    Senator Dodd. Thank you very much, Senator.\n    With that, Mr. Allen, we welcome you to the hearing on \nbehalf of all of us here. Claude Allen is the Deputy Secretary \nof Health and Human Services. He is testifying today on the \nissue of medical privacy. 
He is now taking a leading role at \nHHS on a number of critical issues, including medical privacy.\n    As the former Secretary of Health and Human Services for \nthe State of Virginia, as has already been pointed out by \nSenator Warner, Mr. Allen has a great deal of experience \nworking with health care plans, State welfare, and access to \ncare issues. So we are delighted to have you here with us, Mr. \nAllen. We are looking forward to your testimony.\n    We will include any materials, by the way, and supporting \ndocuments that you think are worthwhile for us to have as we go \nforward. So consider any additional information that you would \nlike to have part of the record to be included. With that, we \nwill accept your testimony.\n\n  STATEMENT OF CLAUDE ALLEN, DEPUTY SECRETARY, DEPARTMENT OF \n                   HEALTH AND HUMAN SERVICES\n\n    Mr. Allen. Thank you. Good morning, Mr. Chairman, Senator \nGregg and the Members of the committee. Mr. Chairman, thank you \nfor your leadership and devotion to health issues. Senator \nKennedy has given much attention to these issues over the years \nand it has been a privilege to work with him over the course of \nthis last year on this and many other issues that affect the \nhealth care of all Americans. We both share a passion for \nensuring the confidence of every American to know his or her \nmedical records remain private, and on behalf of Secretary \nThompson and myself, I want to thank Senator Kennedy for his \nfriendship, his support, and his counsel during this last year.\n    Senator Gregg, I also wanted to extend the Secretary's and \nmy thanks for his wise counsel, his friendship and his support \nduring this last year, as well. 
I also want to thank Senator \nGregg for his leadership on this committee and in the United \nStates Senate on behalf of the people of New Hampshire and \nAmerica.\n    Senator Frist, your service to this country as the Senate's \nonly physician is invaluable to all of us and we thank you for \nthat. It has been a real privilege to work with you, not only \nin the areas focussing on health care, but also in terms of \nlooking beyond the shores of this country, to Africa and your \nwork there on the Foreign Relations Committee and looking at \nhealth issues globally, not just domestically. So thank you for \nyour leadership in that regard.\n    Members of the committee, I am here this morning to \ndescribe and discuss our changes to strengthen the proposed \nprivacy rule. I welcome the opportunity to appear before you \nand the committee today to discuss this important issue.\n    Last April, President Bush stated his desire to provide for \nthe first time strong patient privacy protections at the \nFederal level. Prior to implementation of the proposed privacy \nrule, the President directed Secretary Thompson to review the \nrule and to recommend modifications to it that would identify \nand correct unanticipated consequences that might impede a \npatient's access to care or harm the quality of that care \nwhile, at the same time, ensuring strong privacy protections. \nThe proposed rule achieved this goal.\n    I am pleased to say that beginning next April, for the \nfirst time all Americans will have the right to require written \nauthorization before their personal medical records are shared \nwith employers for employment decisions or given to life, \ndisability or other insurers or for marketing purposes. 
They \nwill have the right up front, the first time they see a doctor \nor a health care provider or enroll in a health plan, to be \nnotified of their privacy rights and how their information may \nbe used or disclosed by the provider or the plan so they may \nunderstand and discuss any concerns with their providers and \nplans and get care that is consistent with their own personal \npreference.\n    Additionally, they will have access to their own medical \nrecord and the right to correct it if it contains incorrect or \nincomplete information.\n    Mr. Chairman, since the release of the proposed \nmodifications to the rule, most of the attention has focussed \non the issue of what is referred to as consent and notice, so I \nwill begin with these provisions. We put ourselves in the shoes \nof the patient and we discovered the rule was not practical for \npatients, their doctors or pharmacists. Therefore, we tried to \nmake changes that made the most sense from the patient's \nperspective. Our proposal gives patients more control over \nwhere their information goes and gives them fair notice of how \ntheir information is used while, at the same time, providing \nthe patient with what matters most--unimpeded access to quality \ncare.\n    The new rule enhances the obligation that covered entities \ngive notice of their privacy practices to their patients by \nrequiring a good faith effort to get patients to acknowledge \nreceipt of their privacy practices. The practitioner can still \nseek voluntary consent from their patients. Nothing in this \nproposed rule prohibits consent to normal treatment documents \nthat doctors and hospitals use today. 
Patient authorization is \nstill required before doctors, hospitals and other direct \ntreatment providers could share personal medical records for \nnon-routine purposes, such as disclosures to employers for \nemployment purposes and marketing.\n    However, patients would expect that their doctor, their \nhospital or other direct treatment provider could share medical \ninformation for those core activities that are essential \nelements to providing health care to the patient. Patients \nwould continue to have the right to request restrictions on \nuses and disclosures of their health information.\n    Real life examples provide the best illustration of why we \nmade this change. Under the previous proposal, if a patient \nwanted or needed to receive care from a doctor he had to choose \nbetween signing a consent form prior to seeing his doctor and \nnot receiving care. This requirement was the same for all \nproviders. Mandating consent is coercive in nature and does not \nprovide meaningful control for the patient.\n    Now imagine that you have a twisted knee or a sore back \nthat limits your mobility. You sign the form. The doctor sees \nyou and recommends that you see a specialist and writes you a \nprescription for pain. The consent you signed only allows that \ndoctor to treat you, but does not allow the specialist and \npharmacist to look at your record or to provide your health \ncare services.\n    Therefore, before you can get that prescription filled you \nhave to hobble to the pharmacist to sign another consent form. \nIt is the same routine for the specialist. You have to go to \nthe office to sign another consent form before you can make an \nappointment. And forget about doing it over the phone.\n    Now, after seeing the specialist a few days later, she \ndetermines that you need surgery. First, she wants to take an \nMRI. 
This requires another trip to sign a consent form before \nthe appointment is made and then you have to do the same for \nthe MRI, and it goes on with each step.\n    This is the impractical reality that we faced as we looked \nat how to implement the December 2000 rule. We viewed the \nmandatory consent as coercive and a fundamental hurdle to \nhealth care for patients and the doctors, hospitals and \npharmacists that serve them.\n    In addition, the previous consent form did not contain any \ninformation about what the patient's rights were and the \nprivacy practices of the provider. That was an additional form. \nSo we combined these into one form that would provide patients \nwith all the information they needed to exercise and understand \ntheir privacy rights and protections.\n    Now, Mr. Chairman, I would like to describe briefly other \nimportant changes. From the comments we received, the area of \nmarketing seemed to satisfy no one due to its complicated \nnature. Therefore we simplified it while strengthening it at \nthe same time. The proposal prohibits explicitly using or \ndisclosing a patient's information for marketing without the \nindividual's expressed authorization. At the same time, the \nproposal would permit doctors, hospitals, pharmacists and \nhealth plans to communicate freely with patients about \nindividual treatment options and other health-related \ninformation, including disease management, case management, and \ncare coordination. We did not to interfere with valuable \ncommunications between patients and doctors over new treatments \nthey feel their patients need to know about. Nor should we \ninterfere with programs that provide important information to \nthose who suffer from chronic diseases, such as diabetes. 
Nor \nshould we stop pharmacists from sending refill reminders to \nthose customers who are on maintenance medications, such as \nblood pressure or cholesterol-lowering drugs.\n    Our goal is to expand the definition of what marketing is \nin the old rule, defining more communications as marketing and \nthus requiring authorization and limiting direct communication \nto those things affecting a patient's immediate health care \nneeds. We believe we have accomplished this goal. However, we \nrecognize that others may see opportunities to expand further \nthe definition and we welcome their input.\n    We also found an unintended consequence in the areas of \nparents and minors. In order to provide clarity to the \nproposal, we made limited changes to clarify that State law \ngoverns disclosures of a minor's health information to a parent \nor guardian. The intent of the current rule was never to \noverride State law. Over the years, States have developed a \nrich and broad legislative and legal history in this area and \nwe wanted to preserve it rather than confuse it. In cases where \nState law is silent or unclear, the revisions would preserve \nState and professional practice by permitting a health care \nprovider to use the discretion afforded by State or other law \nto provide or deny a parent access to such records.\n    Just as State law now determines when a minor may be \ntreated without parental consent, so too would the revisions \neffectively defer to State law on access to and control of the \nminor's information that results from such treatment.\n    In the area of research, we simplify the provisions, \nremoving the burdens on research and covered entities alike so \nthe Nation's well-renowned medical research can continue at a \nvigorous pace, but with renewed confidence in patients that \ntheir personal medical information will be protected. 
The \nproposal would permit researchers to use a single combined form \ninstead of having multiple consent forms. The single form would \ncontain informed consent and privacy rights information. The \nproposal would also simplify provisions on obtaining a waiver \nof individual permission to access records for research \npurposes so as to follow more closely the requirement of the \ncommon rule which governs federally-funded research.\n    We also are seeking comment on the feasibility of making \nhealth information that does not identify directly the \npatients, but is important for research more readily available \nfor researchers. To accomplish this, the department is seeking \na consensus as to the type of information that would identify \ndirectly an individual and continue to be excluded from the \nproposed limited data set. To protect privacy further, we \npropose to condition the disclosure of this limited data set on \na covered entity's obtaining from the recipient an agreement in \nwhich the recipient would agree to limit the use of the data \nset for the purposes for which it was given, to not reidentify \nthe information or use it to contact any individual.\n    Other changes that I would be happy----\n    Senator Wellstone  [presiding]. Mr. Allen, I do not want to \ninterrupt you and thank you so much for being here. If you can, \nI know there are many questions and a whole other panel and I \nmight ask you to eventually summarize. It is very important \ntestimony and I apologize for being impolite. I just want to \nmake sure my colleagues have a chance for questions.\n    Mr. Allen. Senator Wellstone, I am about to finish up right \nnow.\n    Senator Wellstone. Thank you. Then I apologize.\n    Mr. Allen. 
Other changes that I would be happy to discuss \nin further detail during questioning include the clarifying and \nencouraging of public health reporting of adverse events and \nother post-market surveillance of the FDA, clarifying that a \ndoctor can discuss a patient's treatment with other doctors, \nnurses, and health care professionals without fear of violating \nthe rule if they are overheard inadvertently, providing model \nbusiness associate contracts provisions and allowing up to an \nadditional year for most covered entities to make their \nbusiness associate contracts compliant with the rule, and \npermitting the sharing of information among health care \nproviders and health plans for each other's treatment, payment \nand quality-related health care operations.\n    I want to assure you that Secretary Thompson and I are \ncommitted to working with this committee and Congress on a \nbipartisan basis to strengthen the privacy protections while \npreserving access to quality of health care. The need to get \nstrong privacy protections in place now is a commonly held goal \nthat transcends partisan politics. We owe the American people a \nprivacy rule that works and they deserve no less.\n    I want to thank you again for the opportunity to be here \ntoday and I appreciate your interest and commitment and I am \nhappy to answer any questions that you have at this time.\n    Senator Wellstone. Thank you very much. I guess what we \nought to do is maybe go 7 minutes each. Is that okay, Senator \nWarner?\n    I want to thank you again for your testimony. Mr. Allen, I \nwant to ask you about the administration's decision to \neliminate the patient consent from the privacy rule. That is \nobviously, I think, for people in the country a great concern. \nTo me, consent is the centerpiece of patient privacy. 
It is \nwhat gives the patient a real say in health care and I also \nthink helps restore confidence in the health care system.\n    Now we know that there are glitches in the privacy rules \nthat need to be fixed and I accept that. For example, \npharmacists should be able to receive prescription refills over \nthe phone and a patient should be referred to a specialist \nbefore consent is given. But why did not the administration \naddress these problems in a more narrow manner instead of \nthrowing out the underlying consent provision? I want to ask a \nquestion that I think goes to the heart of what I think will be \nthe debate in the Senate and I think the debate in the country.\n    Mr. Allen. Let me start out by first of all saying that we \nhave not thrown out consent altogether. The modifications to \nthe rule simply remove the requirement for mandatory consent \nat the initial meeting. We have allowed that providers can \ncontinue to seek consent and we would encourage that providers \nseek consent from their patients.\n    The primary reason why we have moved from a mandatory \nconsent to require a mandatory notice regime is because of the \ninterference that consent would provide for the patient \nreceiving care. It was very clear under the rule that you had \nan option. If you were a patient and you presented to the \nphysician, if you did not sign the consent form a provider \ncould refuse you care. It is that plain and simple. A provider \ncould refuse you care because you did not sign a consent form.\n    So therefore, consent was not the issue that we were trying \nto fully address here. We are trying to fully address ensuring \nthat patients had adequate access, access to quality care but, \nat the same time, had their privacy rights respected. 
\nTherefore, what we did is after receiving an outpouring of \ncomments--during the 30-day comment period we received \napproximately 11,000 comments--we began to focus on the issues \nthat were being raised and the issues went far beyond simply \nthe pharmacist example.\n    For example, it also impacted emergency care providers that \nrequired an emergency care provider to, once they deliver you \nto the emergency room, they are off going to follow on the next \nemergency, but they still had to somehow double back to try to \nlocate you to get you to sign a written consent form and that \nsimply was unworkable.\n    The issue with specialists, again that is an area that \nraised considerable concerns. We also had issues of those who \ndid not even have direct personal contact with you--in this \narea we are talking about advancing technology, in the area of \ntelemedicine--that we would require someone who you would have \ncontact over the telephone before they can engage you would \nhave to get a written consent. These were all items that were \nunworkable and therefore we sought a mechanism that allowed us \nto go further by requiring notice on your first visit of that \npractitioner's policies in terms of how they would treat your \ninformation and give you a meaningful opportunity to engage \nthem on providing restrictions to the use of that information.\n    Senator Wellstone. I want to ask one other question for the \nrecord to begin to cover some of what I think are the concerns. \nLet me just say I thank you for your answer. In some ways I \nthink what you did was sort of speak to the question I raised \nin that again I think some of the problems you raised could be \naddressed in a more narrow manner. 
But again I think the \nproblem is you just basically eliminate the underlying consent \nprovision and I think that what you are going to hear from some \nof us in the Senate is yes, you are right; it is more than just \npharmacists, but there is a way of addressing these concerns--\nfor the record I want to say this--without undermining the \nentire consent provision, and I think that is going to be the \nnub of the debate.\n    Now one other issue before I run out of my time. It has to \ndo with the marketing of people's private medical information. \nWe have all heard stories where a pharmaceutical company gets \ninformation that a patient has been seeing a counselor and then \nstarts marketing antidepressants.\n    In this regulation you have changed what counts as non-\nmarketing and what is therefore not subject to the protections \nin the rule and they include, and I quote, ``recommending \nalternative treatment therapies, health providers or settings \nof care to that individual.'' This is not counted as marketing.\n    So basically that means that any communication that \nencourages a patient to use a product or a service related to \nhealth is not marketing, even if they are paid to make that \ncommunication. Now if that is not marketing, I do not know what \nit is and I am concerned that we have created a major loophole \nhere that allows people to have their private records used for \nmarketing purposes. And I wonder whether you could help me \nunderstand this change.\n    Mr. Allen. 
I would be glad to try to do that, Senator.\n    What we did in the rule, under the prior rule it prohibited \nthe sale of personal health information without authorization \nor consent and required that it was a much--we thought that we \nhave broadened the restriction or strengthened the privacy \nrights of individuals because what we did is that we more \nnarrowly determined what was going to be marketing and then \nrequired a direct authorization from the individual for \nmarketing purposes.\n    Under the prior rule what would happen is that there was a \nbroader definition of marketing, but what had to happen is \nthere had to be a disclosure of whether you receive \nremuneration or not from that purpose. In doing that, you had a \nsituation that we were concerned about and heard about from the \ncomments and that was if you had, for example, a provider that \ngets reimbursed for participation in continuing medical \neducation conferences--let us say they get travel \nreimbursement--to continue their medical education, if they \nthen later had a client or patient that had a condition and \nthey thought that that treatment regimen, that pharmaceutical \nproduct or that device might benefit them, they would have to \ngo through an issue of determining whether they would be \nmarketing to their client and to their patient.\n    We have great concerns about again interfering with the \ntreatment decisions that would be important to that patient-\nphysician encounter. So therefore we broadened it and said that \nwhat was not marketing were issues that dealt with care \ncoordination, issues that dealt with treatment, issues that \ndealt with disease management. 
These sort of items were not \ndetermined to be marketing.\n    What we did do, though, is that we also limited marketing \nin the sense that where--if it was not related to treatment of \nthe patient, that that patient would have to give prior \nauthorization for someone to send information to them in terms \nof marketing.\n    So we think that we have approached this in a very balanced \nway that once again gives considerable weight to patients \nhaving access to information that affects their health and \ntheir determination of what is in their best interest and their \nphysician's best interest of their health care outcomes.\n    Senator Wellstone. Well, I am going to turn to Senator \nFrist. I mean, we want patients to have access to information \nthat affects their health, but what we do not want is the sort \nof indiscriminate marketing of people's private medical \ninformation.\n    Mr. Allen. Certainly, and we think that we have narrowed \nthis down sufficiently enough that in this regard we will defer \nin many cases to that patient and that physician, first of all, \nin that initial encounter, determine what those practices are, \nparticularly as it relates to marketing, particularly as it \nrelates to that patient's treatment decision-making. But we \nthen narrow the scope and require affirmative disclosure and \nseeking authorization for further marketing of materials that \nmight be unrelated to the treatment of that patient.\n    Senator Wellstone. I thank you. I think we have too much of \na loophole here and I do not think you have narrowed it down \nthe way we need to, but I certainly appreciate your thorough \nanswer, and thank you.\n    Senator Frist.\n    Senator Frist. Thank you, Mr. Chairman. 
Both of those \nissues that were just talked about, consent and care and the \nmarketing provisions, are very important and I think in the \nsecond panel we will be coming back to the marketing provisions \nin the testimony that was sent to us because it is important, I \nthink, to make sure that in this narrowing process that the net \neffect is not to weaken the privacy rule itself.\n    But let me move to another topic, Secretary Allen, and that \nis on the research and public health and deidentification, \nissues that I mentioned in my opening statement. I very much \nagree and applaud the proposed change that would reduce that \nburden, that overly restrictive burden on scientists and \nresearch entities by requiring a single combined consent form \nrather than the multiple consent forms that were initially \nproposed by the previous administration.\n    I note that the department is also considering changes to \nthe proposed rule's so-called deidentification standard so that \ninformation could be used for research or public health \npurposes if it is facially deidentified, but still maintains or \nretains the important information for environmental health \nstudies, infectious disease tracking. That would include things \nlike zip code, date of service.\n    I am very concerned that the previous administration's \ndeidentification standard is much too stringent and could \nsignificantly slow down, hinder or impede efforts to track \ninfectious disease outbreaks or to conduct public health \ninvestigations that again I mentioned in my opening statement \nthat are important to surveillance, detection and response. 
It \ncould also significantly skew the results of epidemiological \nresearch studies, which routinely use admission dates and \ndischarge dates and dates of death to track and help us more \nfully understand disease.\n    In this area why is the administration seeking additional \ncomment rather than proposing a rule up front, as it has with \nother areas in this proposed rulemaking process?\n    Mr. Allen. We believe that research in the United States is \nby far the very best in the world. We believe that we want to \nmake sure that that research is able to continue and exactly \nfor what you have cited, Senator, and that is that we not only \nneed to be able to track infectious diseases and gather \npopulation-based information so that we can plan; for example, \ntrying to address chronic disease. We are working very \naggressively within the department, working with the National \nInstitutes of Health and with the universities around the \ncountry who are looking into these issues and we were very \nconcerned that by, up front, us proposing what we do not have \nall the answers to, and that is how significant and what is the \nbest method of deidentifying data so that you protect the \nprivacy rights of the individual, but we do not impede the \nadvancement of research. So those were the balancing issues \nthat we had to look at.\n    Under the proposal we have laid out as an option for \ndeidentification two alternative methods. One was to use what \nis known as basically an appropriate person who has knowledge \nand experience in statistical data and being able to say \nwhether they thought that there was a greater risk or less risk \nof identifying the individual based upon the release of that \ninformation. 
You can get basically somewhat of a certification \nthat that individual has made that decision or you had an \nalternative method where covered entities would have to remove \nall 18 identifiers.\n    We were concerned about both of those and therefore we felt \nit probably was best to allow the research community to offer \ncomment on that, rather than us try to--\n    Senator Frist. Have you gotten feedback from the research \ncommunity? Their initial letters we have shared with each other \nand shared with you from the research community. Has it been \nlong enough to get a feel for their response?\n    Mr. Allen. We have gotten a few and because the comment \nperiod is still open I cannot close out the options for more \ncoming in, but yes, we have begun to hear from the research \ncommunity and we think that we are getting information to \nassist us in terms of how best to approach creating a limited \ndata set, and that is really what the ultimate goal is, is what \nis the limited data set? That is, what are the limited number \nof identifiers that would be necessary to one, provide the \ninformation that we need for epidemiological research, et \ncetera, but, at the same time, to maximize the privacy \nprotections of the individual so that their identity is not \ndisclosed inadvertently or intentionally.\n    Senator Frist. 
Let me return to this whole concept of \nconsent and care, because as a physician, the previous \nadministration's proposed consent rules would have placed me as \na physician or physicians generally in a very difficult \nposition with respect to their patients in terms of care \ndelivery, but also from an ethical standpoint.\n    It seems to me that it would have required me not only to \nprovide notice of my privacy practices, the standards and the \nguidelines that would govern my own practice, but also would \nexpressly allow me--in fact, it would have required me to \nwithhold or deny treatment to those patients who failed or \nrefused to provide me with a written consent. That is my \ninterpretation just from reading it. It also seems to place \npatients in a difficult and an untenable position of signing a \nconsent form or not receiving that care.\n    You said in response to Senator Wellstone's questions that \nthis is one of the key areas in which the administration is \nmaking modifications to the rule. And again I know we are in \nthis comment period. Are patients and physicians responding to \nthat objection and to the proposals that have been made?\n    Mr. Allen. That is certainly what precipitated us making \nthe proposed change initially, is that we had heard from \npatients, physicians and practitioners, all within the health \ncare continuum. That would be providers, hospitals, plans, and \npatients.\n    The problem with it was, as we have identified, it was \nunworkable because what you were putting the patient in the \nposition of having to do is having to choose between signing a \nform that you may or may not understand or agree with and \ngetting care that you need immediately. 
It put you in that \nconundrum, but also it put the practitioner in an even more \ndifficult position in that if you see that client more than \nonce, you were almost put in the position of requiring a \nconsent form be signed every time that patient came in because \nof the revocation requirement. You would have to track whether \nthat patient revoked his or her consent.\n    So it was very difficult to do that and from an \nadministration position it was very difficult for us to be able \nto address it because we can only address these issues once a \nyear, so we would be put in a very difficult position that if \nthere were a problem identified, if we had made changes already \nthat year, we could not take action to make another change in \nthat area, whether it was consent or somewhere else, for \nanother year, and that raises serious concerns for health and \nsafety.\n    Senator Frist. I see my time has expired. Let me just add \nthat physicians and patients and others would ask me about \nemergency rooms in response to acute care, as well as the \nproblems with pharmacies themselves.\n    Thank you, Mr. Chairman. My time has expired.\n    The Chairman. Thank you very much.\n    Mr. Allen, thank you again. I know that you are very much \naware that these consent requirements were not part of the \noriginal Clinton proposal and then after they had a great many \nhearings, public hearings, really the American people spoke and \nthey spoke with such a sense of urgency about the importance of \nmedical privacy that they made these alterations and changes.\n    Now you have made a different recommendation on the way to \nproceed on this. 
When you were considering what other changes \nshould be there did you consider maintaining the proposal on \nconsent and trying to deal with some of the principal areas--\nfor example, the prescription drugs, the scheduling of doctors \nvisits, which were really the primary kinds of areas, as I \nunderstand on the basis of public hearings, where they would \nhave to be altered or changed?\n    My question is why not maintain the consent form and adjust \nit to take into consideration some of the legitimate issues \nand questions, rather than going in a different direction, \ninstead of going to a situation where they will be notified and \nthey will be then on sufficient notice about what is happening \nto their medical records?\n    Mr. Allen. Mr. Chairman, I think it is very important, as \nyou point out, that with the prior administration they went \nfrom one position to a totally opposite position and we were--\n    The Chairman. Granting greater privacy. You would not \nquestion that.\n    Mr. Allen. I think what we would question is whether that \neffected greater privacy in reality for the patient, from the \npatient's perspective.\n    The Chairman. Wait a minute now. You do not think an \nindividual having control over their medical records is greater \nprivacy for that individual than the recommendation that you \nmade?\n    Mr. Allen. I think certainly an individual having greater \ncontrol over the information about them is significant, \nbalanced against them making sure--their primary reason for \ngoing to a physician is not privacy. Their primary reason for \ngoing to a physician is care. And if we put paperwork in the \nway of them accessing care, period, regardless of whether it is \nquality of care, the first idea is getting care. 
And the \nconsent provisions as they were proposed, from the pendulum \nswinging from no consent provision under the prior \nadministration to an absolutely mandatory written response, \nthat pendulum swinging created the conundrum of putting \npatients at risk of not receiving any care at all.\n    The Chairman. This is the committee that wrote that \nrequirement in, Mr. Allen. It is because this committee was \nconcerned about the issues of privacy that we put it in. So we \ndo not have to be reminded about the requirements because we \nsaid that unless we were going to take action, that the \nadministration was going to because it was such a sense of \nurgency.\n    And what you are talking about now is the question of the \nprivacy of the records versus care. Of course, we probably have \na difference on this. We have taken notice of what has happened \nin the types of discrimination against individuals on the basis \nof genetic information and how that can be abused by insurance \ncompanies.\n    Mr. Allen. Certainly.\n    The Chairman. And we have taken notice, as well, in terms \nof particularly in the areas of mental health, as well as the \nmarketing of various prescription drugs.\n    Now I know, as I understand, you have made a response, I \nbelieve to Senator Wellstone, about the kind of protections \nthat you believe are going to be adequate to effectively \nprotect patients from the abuses that can take place from \nmarketing private information. Am I basically correct, that you \nbelieve that the provisions that you have, the new regulations, \nare going to protect people's privacy from the marketing of \nsensitive information--for example, the needs that a person \nwould have with regard to mental health or whether someone is \nan AIDS patient?\n    Mr. Allen. 
We believe that we have, under this proposed \nrule, we have strengthened the marketing provisions to protect \npatients from the nonhealth disclosures of information that \nthey would reasonably expect not to occur, whether it be in the \ncase of HIV-AIDS status or the other inadvertent or intentional \nuses and misuses of that information. So we believe these \nproposed changes do effectuate that.\n    In terms of what you cited, Mr. Chairman, you talked about \ngenetics and mental health. I think it is important to note \nthat as Senator Warner has already pointed out, as the \nsecretary of Health and Human Resources of Virginia, Virginia \nis a State that protects its information, genetic information, \nfrom being used to discriminate in employment. We think that \nthat also is an area of high importance at the Federal level, \nthat this rule does not deal specifically with genetic \ninformation except for in terms of it prohibits an employer \nfrom using health-related information for employment decisions, \nperiod. It puts it as a prohibition with two very minor \nexceptions that we have to recognize, and that is in the case \nof ERISA, where an employer is a group plan. But that employer \nmust also take precautions not to use that information \ninappropriately for employment-related decisions.\n    So we believe that we have struck the appropriate balance, \nwhich would weigh in favor of the patient getting care, and \nweigh also in favor of strengthening and giving the patient the \nmaximum protection of privacy of their information, but also \nnot preclude them from having the ability to authorize, if they \nchoose to, that information going other places, whether it is \nfor marketing or other purposes.\n    The Chairman. Well, I like what you say. The question is \nwhether this language does exactly what you say. 
Now I have the \nregulations right here and this, as I understand, will still \nmake permissible recommended alternative treatments--this is \none of the exceptions--therapies, health care providers, or \nsettings of care to that individual. This is on page 14,790.\n    Now that seems to me, you say that this is not marketing, \neven if someone actually is involved in those kinds of \nactivities, as I understand it.\n    Mr. Allen. Senator, I do not have that paper in front of \nme.\n    The Chairman. I apologize.\n    Mr. Allen. If I understand what your question is----\n    The Chairman. Because this is not an enormously new \nsection. As you are very much aware, there have been questions \nabout the administration's proposal and there have been serious \nquestions about the rule about how sensitive information could \nbe used and those that have been critical have referred to this \nlanguage that says, in the particular regulations, the basic \ndefinition. The point is that the definition means any \ncommunication that encourages a patient to use a product or a \nservice related to health is not marketing, even if they are \npaid to make that communication. If that is not marketing, I am \nnot sure what is and I am concerned that we have created a \nmajor loophole here that allows people----\n    Mr. Allen. Not at all, Senator. We do not believe that this \nis a loophole. Again we approached this from the perspective of \nthe patient. If a patient has a particular condition, whether \nit be hypertension or allergies, for example, and the provider \nwho is working with that patient has access to the latest and \ngreatest information and product that that patient should know \nabout, that that physician believes that it is in the best \ninterest of that patient to have an opportunity to choose to \nchange from, we have made this language allow for that to \noccur. 
It does not interfere with the patient-physician \nencounter.\n    What it does narrow it to is it has to be related to \ntreatment for that individual and therefore that is what we \nhave said is not marketing. We believe a patient should have \naccess to that information.\n    The Chairman. The fact remains that under this language, as \nI understand it, individuals may very well receive a \npublication from a drug company about alternative AIDS \ntreatments or alternative AIDS care centers or alternative \nmental health advertising and it could be received in their \nhome or in their place of business.\n    Mr. Allen. First of all, I think I need to approach it that \nthe patient, stepping back, the patient has an opportunity to \ndetermine where that information will be received if it is \ngoing to be received.\n    The Chairman. If they have gotten notice.\n    Mr. Allen. Let me walk through it if I may, Senator.\n    The Chairman. If they have gotten notice.\n    Mr. Allen. Mr. Chairman, let me walk through if I can. At \nthe very first encounter with that patient's physician, that \npatient will have discussed or have the opportunity to know \nwhat those practices are of that provider in terms of how they \nwill use that information. Once that is determined and they \nagree with that--if they do not agree with it they can \nnegotiate with that provider that that information not be used \nat all. 
If the provider says ``No, we will use this \ninformation,'' the patient has the choice to say ``I will seek \nother care elsewhere.''\n    Once that is done, that information that you have described \nis information, if it is consistent with treatment, it can only \nbe approved for being sent to that patient by the covered \nentity, by the entity that has a relationship with that patient \nin terms of his or her treatment.\n    Therefore, the idea that some unrelated company out there \nis willy-nilly getting access to that patient's information, we \nbelieve that we have addressed that in this rule, that it would \nbe inappropriate, it would be a violation for information to \nend up in the hands of a third party that has no connection \nwhatsoever either to the patient or to the patient's provider \nand thereby we believe that we have narrowed and limited that \ntype of unsolicited or unrelated solicitations to that patient.\n    Where it can occur that a covered entity--let us assume it \nis a pharmacy that is working with a patient and in the case of \ndisease management or in terms of a prescription being \nrefilled--that pharmacist, the covered entity, can have a \nbusiness association with a company that they have relegated or \ndelegated that responsibility for notifying that patient that \nyour prescription has come due and we think that that is an \nappropriate use of the information to serve the patient in \nterms of his or her treatment.\n    The Chairman. Well, I think we need strong language that \nmakes very clear the protections of the privacy of the patient \nin this area and we will have an opportunity to consider that. \nThank you very much. My time is up.\n    Mr. Allen. Thank you, Mr. Chairman.\n    The Chairman. Senator Warner?\n    Senator Warner. Thank you, Mr. Chairman. I think we have \nhad a very constructive hearing this morning. 
It is not over \nyet, but the point I wish to make is that Congress really has \nnot been able to resolve these tough issues since 1996 and \nbasically we have just forfeited this to the successive \nadministrations of two Presidents to try to solve it.\n    I have to assume that this administration, as did the \nprevious, in a very conscientious and nonpolitical way--there \nshould not be any politics, in my judgment, involved in this \nthing if we can avoid it--is trying to do what is best for the \nhealth care industry and patients. But these issues are at the \nvery heart of our health care system and as I sat and listened \nI have one question and then one observation.\n    The second panel will come forward hopefully with good \nconstructive viewpoints on how things can be changed. You still \nhave an open mind, do you not?\n    Mr. Allen. We are required to by law.\n    Senator Warner. Well, what about just following the law to \nthe T? Keep that open mind because I think a lot of \nconscientious people are working on this. And I guess my \nquestion would be many have stated that a much more targeted \nmodification could have been made that would have improved \naccess to care while maintaining stronger privacy protections. \nDid you consider a less restrictive alternative in your \ndeliberations?\n    Mr. Allen. Senator Warner, yes, we did. We went through \nthis and tried to find ways to make the consent provision work, \nbut the bottom line, as we have already stated again, is that \nthe issue was not--the consent did not give a patient control \nover the information. It actually took control out of that \npatient's hands and put it into the hands of the provider, who \nwas forced to make a determination of whether you sign a piece \nof paper or not and determine whether you got treatment.\n    When we looked at it we tried to address the issues of the \npharmacist. We tried to address the issue relating to \nspecialists. 
We tried to address the issues related to \nemergency care. And we went down the list and again and again \nit came to a place where we either were going to have a rule \nthat applied broadly or we would have a narrow exception that \naddressed every specialty group that existed out there.\n    I think the goal that we were trying to achieve was one \nthat had a flexible approach, but a consistent approach across \nthe board, that took into consideration that we want to \nmaximize two things. We wanted to maximize the patient's \nability to get care, but also wanted to maximize the patient's \nability to control their ability to have their public health \ninformation shared outside of treatment, payment and operations \nthat reasonably a patient would assume that their information \nwould be used for.\n    Senator Warner. If all the best intentions that you and \nyour colleagues have manifested thus far simply prove in \npractice not to be workable, particularly the enormous costs \nthat the hospitals and other health care deliverers, physicians \nare going to have to bear, you would be willing in the future \nto reopen this thing under the process prescribed by law?\n    Mr. Allen. Yes, Senator. Under the law we would be allowed \nto revisit this issue once a year and that is why, that one \npoint, under the rule, under the statute, we were only allowed \none time a year to make changes. 
We were concerned that we \nwould be put into a position that we would have made a change \nand then have other issues, unanticipated issues arise that \nwere a detriment to the furtherance of either access to care or \ntook away from the privacy rights of the individual and would \nnot be allowed to address them, and that was an issue that we \nfelt very strongly that we needed to weigh in on the side of \nmaximum flexibility so that we can work it throughout the year \nwithout having to use that one-time-a-year exercise to try to \naddress every problem that arose in the interim.\n    Senator Warner. Well, I think you have delivered the \nadministration's care very professionally and quite well.\n    Mr. Allen. Thank you, Senator.\n    Senator Warner. Time will tell. Thank you very much. Thank \nyou, Mr. Chairman.\n    The Chairman. Senator Clinton?\n    Senator Clinton. Thank you, Mr. Chairman. I very much \nappreciate Senator Warner's comments because I think all of us \nare looking for an appropriate way to handle this new world of \ninformation that is out there and to protect people's right to \nprivacy, especially the most personal and intimate information \nand details about them. So I am grateful for the recognition \nthat this is probably a moving target to some extent that we \nwill evolve a response to because I feel very strongly about \nthe right to privacy and I also understand the need for health-\nrelated organizations to have access to good information.\n    But I must confess, Mr. Allen, I am confused and it may be \nthat this is such a complicated, difficult area that it is hard \nto follow, but I just wanted to run through a couple of issues.\n    As I understand what the administration is proposing, we no \nlonger will require affirmative consent, but instead, an \nacknowledgement that information about privacy rights has been \nprovided. Is that correct?\n    Mr. Allen. 
It is correct in the sense that we do not \nrequire that a written consent be given.\n    Senator Clinton. Right.\n    Mr. Allen. It does not preclude an entity from seeking \nconsent.\n    Senator Clinton. Well, that is what is interesting to me \nbecause as I study what you are proposing, on the one hand we \nno longer have an affirmative consent process, but you do \npermit entities to go ahead and voluntarily seek consent.\n    Mr. Allen. And there is a good reason for that. The reason \nis this, that in some cases you may have, for example, a \nhospital that already has consent for treatment, which is what \nwe call informed consent. They may want to go ahead and still \nhave consent for using that information that will be consistent \nwith treatment. Therefore some entities may choose to seek a \nwritten consent from a patient, but what we have not done is we \nhave not required everyone to do that.\n    Senator Clinton. But what you have done is when an entity \ndoes choose to require consent you have eliminated many of the \nconsent requirements that would apply to the voluntary request \nfor consent.\n    Mr. Allen. And again the reason for that is because we are \ntrying to maintain flexibility----\n    Senator Clinton. But you are trying to have it both ways.\n    Mr. Allen. If you would let me answer my question?\n    Senator Clinton. Mr. Allen, let me finish because I am \ntrying to----\n    Mr. Allen. You asked me a question and let me answer the \nquestion.\n    Senator Clinton. No, but let me pose the question.\n    Mr. Allen. I thought you already did.\n    Senator Clinton. No, I did not, Mr. Allen.\n    Mr. Allen. Well, go for it.\n    Senator Clinton. Thank you, dear.\n    Now if you are on the one hand not requiring consent and \nthen on the other hand when someone voluntarily pursues \nconsent, you eliminate what the original rule had in for the \nprovisions of consent, it seems to me you are going after \nconsent from both ends. 
Either you offer it or you do not offer \nit, but when it is voluntarily chosen you undermine it. And I \nthink if you look at what you have done to eliminate that in \nthe name of flexibility, you have essentially vitiated consent \neven if someone voluntarily chooses to pursue consent.\n    Mr. Allen. And your question is?\n    Senator Clinton. Why have you done that?\n    Mr. Allen. First of all, I would beg the question that we \nhave not done that. I think what we have done is we have \nstrengthened the process by one, when we remove mandatory \nwritten consent in terms of the rule we have now enabled a \npatient to get care, plain and simple. But, at the same time, \nwe have enabled a patient for the very first time under this \nrule to have information about the practices of the provider, \nto have opportunity to review those practices and engage in a \ndiscussion about those practices and seek to restrict the uses \nof that information. That is all essential for protecting and \nproviding protections for an individual in terms of how that \ninformation is used. That does not happen. That will now happen \nunder this proposed rule that did not happen under the former \nrule.\n    Beyond that, we have also provided again--we have not \nprecluded entities from seeking to get a written consent and \nthat written consent, we are not dictating the confines of that \nbecause again it is voluntary. It is something that some \nproviders may seek; others may not. But what we can guarantee \nis that that patient will get information and notice of the \npractices and procedures of that entity, and that is what we \nthink is essential to the decision-making of the patient, but \nalso to the continuity of the care that that patient will \nreceive from that provider.\n    Senator Clinton. 
But you are also eliminating the \nrequirements that the covered entity inform the patient it is \nreceiving remuneration for making the communication, you are \neliminating the much more restrictive definition of marketing \nso that very often a poor patient will receive information and \nwill not know that there is a financial interest in the entity \nproviding it.\n    Mr. Allen. What we have done is a couple of things, again, \nSenator. One, in terms of consent, it only relates to what we \nhave eliminated the consent for, is for treatment, payment and \noperations. Anything beyond that, you must get the patient's \nconsent for the use of that information.\n    In terms of remuneration, what you are discussing is how we \naddress the issue of practices that, for example, I cited the \nexample earlier. What we were concerned with is we have \ncircumstances in which providers participate in continuing \nmedical education conferences. Those conferences may be paid \nfor by X company. What we do not want to have happen is having \nto have providers having to toil over whether or not they \nreceive remuneration from a company simply because later on \nthey prescribe a product that they think is in the best \ninterest of their patient, but because they had been given the \nopportunity to participate in this conference we did not want \nthat to have to be considered as marketing because that is \nconsistent with that provider's treatment of the individual.\n    So therefore we have broadened what we look for in terms of \nthe definition of marketing, but we have limited it to that \nwhich is outside of the treatment-payment continuum.\n    Senator Clinton. Well, Mr. Allen, I have to confess that I \nam very disturbed by some of these changes because I think the \npractical effect is to substantially weaken the privacy rule. 
I \nappreciate some of the difficulties that were brought to our \nattention in a hearing that we held last year and I certainly \nbelieve we should have targeted effective measures for dealing \nwith some of those issues, like the ones that the pharmacists \nraise, but you have thrown the baby out with the bath, the best \nI can tell, and opened up a huge loophole for nearly any use of \ninformation without any effective check on it because we will \nnot have any proof that the patient has ever been adequately \ninformed.\n    I think it is unrealistic to believe that many patients are \ngoing to be that well skilled in the nuance of these rules to \neven know the questions that they are supposed to be asking and \nI think we have an obligation to err on the side of privacy. \nAnd I think that this rule, the recommended changes to the rule \nreally go in the opposite direction.\n    So I will be very interested in following what you are \nproposing on this, but I think that the witnesses who will be \ncoming to appear before us in the next panel have some very \nspecific issues and I hope that you and your colleagues will \nlisten very carefully because I think it would be quite useful \nto take another stab at trying to figure out how to do what you \nare trying to do in the name of flexibility without undermining \nprivacy.\n    Mr. Allen. Senator, I take your point very seriously. We \nare here to listen. We are in a comment period and we expect to \nget many comments. In fact, we probably will get, particularly \nafter this hearing, a lot more comments and we welcome that. \nBut I think from the perspective that we have taken, we tried \nto approach this from the patient's perspective. 
While you may \nthink privacy rights are the most overriding issue, we stepped \nback and thought that it was far more important that in seeking \nto maximize an individual's right of privacy that it was far \nmore important that we ensure that we do nothing, that we do \nabsolutely nothing to impede their access to care because \nhaving a right to privacy means very little to a person who is \ndesperately needing care, whether it be the mother who is----\n    Senator Clinton. You are not going to get any argument from \nany of us about that, Mr. Allen. We are all in favor of care. \nIt is just that we are concerned that in the name of care, \nprofit has a very big role in a lot of the efforts to use \ninformation available to health entities. There has to be a \nline drawn and you have ended up on one side of the line, and I \nthink some of us are more comfortable on the other side of the \nline, but that is to be worked out and discussed and I \nappreciate your willingness to listen to the comments that will \nbe coming to you. Thank you.\n    Mr. Allen. Certainly.\n    The Chairman. Senator Enzi.\n\n OPENING STATEMENT OF HON. MICHAEL B. ENZI, U.S. SENATOR FROM \n                      THE STATE OF WYOMING\n\n    Senator Enzi. Thank you, Mr. Chairman. I would ask consent \nthat a statement that I prepared be placed in the record.\n    The Chairman. Without objection.\n    Senator Enzi. Thank you. I appreciate your holding this \nhearing. This is an issue of tremendous concern to everyone \nthat I know. I know that we as a committee deferred to the \nagency to go ahead and do the rules. They did those; they \noccurred at the end of the last administration and from \ncomments that I am receiving, I am quite sure that that \nadministration would have reviewed these, as well, and I am so \npleased that they have been reviewed and revised by the current \nadministration.\n    Now I know that privacy is of extreme importance to \neverybody. 
I saw a survey when we were doing banking privacy \nand it said that 94 percent of the people in the United States \nwere concerned about their privacy--and I was wondering what \nwas the matter with the other 6 percent.\n    But on the medical privacy rule I have had a lot of \ncomments when I've been in Wyoming. My prime concerns with the \nrule that we had, I heard from pharmacists. They are very \nconcerned about elderly people having to come in and sign a \nform so that somebody can pick up their prescriptions for them, \nyet they are not even able to come in and sign the darn form.\n    But we have some areas of Wyoming that have even bigger \nproblems than that and I suspect that we are not alone in the \ncountry, although we may be. Cell phones have not gotten to all \nof Wyoming yet. I have people that rely not on telephones that \nare party lines, but on radios that are very definitely party \nlines because anybody can pick up the transmission. In fact, \nthey rely on that feature. Everybody leaves their radio on and \nif somebody in that vast area of the back country is headed to \ntown, they put out the word that they have a couple of things \nthey need them to pick up when they are in town. They have \nrelied on that for years and it creates a tremendous sense of \ncommunity.\n    But the privacy rule does not allow that sense of \ncommunity. They are not even sure whether they are violating \nthe law by letting somebody know that they need a prescription \npicked up.\n    I hear from the doctors, as well. 
When the final rule first \ncame out I had a number of them that said, ``to me it looks \nlike I have to violate the law,'' again, because of our \ndistances and our communication, so ``Senator, what can you do \nto protect me when I violate this rule that you allowed to go \ninto place?'' When they put it that way I have a lot of \nsympathy for them.\n    I also understand what the people are talking about when \nthey talk to me and it has primarily been pharmacists and some \ndoctors and hospitals.\n    I appreciate very much your comments about the comment \nperiod not being up. One of the difficulties I have had with \nagencies has been when they have obviously failed to read the \ninformation that they were presented with and had already \nclosed their mind--before they wrote their rule--about how the \nrule was going to come out. So however it comes out, I commend \nyou on your openness on the rulemaking process.\n    [The prepared statement of Senator Michael Enzi follows:]\n\n             Prepared Statement of Senator Michael B. Enzi\n\n    Mr. Chairman. I want to thank you for promptly holding this \nhearing on the new proposed rule to protect the privacy of \nmedical records.\n    This Committee mounted a serious bipartisan effort in the \nlast Congress to advance privacy legislation. While we were not \nable to come to agreement on a handful of provisions, there was \nsignificant agreement on the details of the right policy for \nprotecting people's medical information. I believe such \nprotection is achievable while also allowing the appropriate \nuse of medical information to improve the health status of all \nAmericans through research and the development of better \nmedical management protocols.\n    The Clinton Administration took our legislative draft and \nused it as a foundation for a rule-making on medical records \nprivacy. 
Having been issued in the final days of that \nAdministration, President Bush was placed in the position of \nhaving to review the rule when he took office.\n    Under Secretary Thompson's leadership, the rule underwent \nadditional modifications. Which brings us to today. With that, \nI'd like to welcome Deputy Secretary Claude Allen, who will be \nexplaining the latest iteration of the rule. I also welcome the \nother witnesses whose expertise in medical privacy has helped \nshape this policy over the last 4 years.\n    I will comment very briefly on the new proposed rule. \nFirst, let me say that I support the new rule and believe it \nwill afford strong privacy protections for medical information. \nI applaud the Administration's effort to carefully balance \n``protections'' with ``progress'' in medicine. I look forward \nto the comments solicited in the preamble with respect to de-\nidentified health information.\n    The new rule was modified to correct the old rule's \nunintended consequence of threatening access to care and \nreducing the quality of care patients enjoy today. The goal of \na privacy rule should be to enhance access and quality, not \nundermine these basics of good health care.\n    Several other important modifications to the rule can be \nsummarized by the phrase ``administrative simplification.'' \nChanges to make the privacy rule patient-friendly by making it \nuser-friendly should be supported by this Committee. After all, \nthe statutory mandate to develop a medical records privacy rule \nwas included in the Health Insurance Portability and \nAccountability Act (HIPAA). HIPAA also included requirements on \nboth the private health care market and certain public programs \nto administratively simplify health care transactions. 
Since \nHIPAA was drafted by this Committee, it's only logical that we \nshould support all efforts to make the privacy rule consistent \nwith our intent to simplify administrative burdens within \nthe health care system.\n    Mr. Chairman. I look forward to the testimony and again \nthank you for calling this hearing.\n    Senator Enzi. Could you give me some of the factors that \nwere motivating factors behind the changes that you made to the \nprivacy rules and the more general comments you may not have \nbeen able to make?\n    Mr. Allen. Certainly. When we received the comments--we \nreceived over 11,000 comments in about a 30-day period when we \nput these particular sections of the rule back out for \nadditional comment and we had various--we have addressed \nsomewhat earlier some of the issues that we are addressing. The \none example that continued to come up was pharmacists not being \nable to fill prescriptions without having the patient to come \nin prior to the information being transmitted to the pharmacy \nand signing a consent form. That clearly was an impediment to \ncare, to access to care.\n    We then heard from specialists who were concerned about \ntheir practices and being impeded in providing care to the \npatient. Those were the sorts of examples that we had, also. \nThen we went down the list from there. We had emergency care \nproviders who not only would have the burden of having to get a \nconsent form, but the nature of their work precludes them from \ngetting the consent when they first pick up the patient, but \nthen would require them to disrupt their normal practices by \nhaving to double back to try to seek that access.\n    The area that we heard a lot of comments about was in this \narea that we all have great concerns about, and that is \nmarketing, particularly when the marketing is using your \nhealth-related information for nonhealth purposes. 
Nobody wants \nto receive an unsolicited advertisement or offer that discloses \nyour public health condition or your health condition when you \ndid not consent to that or were not aware that that was going \nto occur. So we began to look at ways of strengthening the \nmarketing rule and we did that.\n    We also had concerns raised about the role and the rights \nof minors vis-a-vis their parents in terms of access to \ninformation. In that area what we did there is that we made \nvery clear that the Federal law defers to what the State law \nis. So whatever the State law is in this area, we defer to \nthat. If there is no law in that regard or if the law is \nunclear, we defer to the practice of that State that looks to \nthe health professional in exercising his or her discretion and \naccess. But we also made sure, just as most States, to provide \nthat, in cases of emergencies, physicians, and providers can \nprovide information on a minor in the case of an emergency and \nwe wanted to reflect that.\n    So we tried to approach all of these issues. Research was \nanother area where there were comments that came in and in that \narea we saw that we did not have all the answers. So what we \nhave done is we have made an approach to how to address the \nissue of research so that we do not impede research going \nforward but, at the same time, finding out how do we get the \ninformation that is needed for the research to go forward, but \nalso protecting the privacy rights of the individual so that \nthey are not identified and their information is not disclosed.\n    Senator Enzi. I certainly appreciate the thorough job that \nyou are doing on it, particularly on revisiting things that you \nrevised before it all becomes final. It is a breath of fresh \nair and will help take care of some of the people in our State. 
\nYour explanations today have been clear enough that people will \nunderstand this conflict between privacy and getting care and I \nknow in all those cases they would opt for the care. Thank you.\n    Mr. Allen. Thank you, Senator.\n    The Chairman. Senator Gregg.\n    Senator Gregg. Mr. Chairman, thank you.\n    Mr. Allen, I unfortunately had to depart for a while, but I \ndid have a chance at my other meeting to listen to you and I \nthought your presentation was excellent.\n    Going back to this consent issue, I just wanted to talk \nabout the unintended consequences of this mandatory consent \nlanguage. It seems to me that I can think of three instances \nwhich would create really inappropriate events as a result of \nmandatory consent. One would be my situation, where if I went \nto a doctor, the only time I would ever go to a doctor is if I \nreally had to go to the doctor. I cannot think of anything \nworse than sitting, other than maybe going to BWI and waiting \nto get through security. But when I walk into that doctor's \noffice I have one thing on my mind and that is getting better. \nAnd the odds are he could put anything in front of me if it's \nreasonable. He could even ask that I sign off that the Red Sox \nwould never win the World Series ever and I would probably sign \nit.\n    I think that therefore the relevance of a mandatory consent \nis probably limited because your reason for going to a doctor \nis not to sign a form, but to get better.\n    Second, I am concerned about the position it puts the \ndoctor in. You have alluded to this, but it seems to me that \nthere are certain laws that say a doctor must treat you, \nstarting with his Hippocratic Oath, but also specific Federal \nlaws in the area of emergency care, for example, and State \nlaws. The doctors could find themselves in the untenable \nposition of having a patient come in who may be one of these \nWyoming types, you know, independent, who just refused to sign \nanything. 
The patient needs to be treated, and the doctor \ntreats because they are a good doctor and they have to treat \nunder the law if it is an emergency and they have to treat \nunder their oath if it is not. What then does the doctor do? \nWhat does the doctor do with the information? He may not even \nbe able to send the patients' information to a lab.\n    Mr. Allen. That is right.\n    Senator Gregg. And physicians certainly have opened \nthemselves up to all sorts of liability in these situations.\n    So this mandatory consent creates the unintended \nconsequence of putting the doctor in an improbable and \ninappropriate position.\n    And third, I am concerned that it may create an atmosphere \nwhere people could use the mandatory consent to harm the \npatient's rights. I mean, mandatory consent could end up with \nlanguage in it, although there are limitations on this, but it \ncould end up with language in it which contractually would \nsignificantly proscribe what a patient's rights are and what \nthey are permitted to do. And, as I said, if you are going in \nto get care, you are going to sign that consent unless it is \ntruly outrageous on its face, or unless you happen to be an \nattorney.\n    So I see those three instances as examples of why mandatory \nconsent probably makes no sense and why your approach is much \nmore logical to this effort. But we do have the anomaly, I \nthink, of the American Medical Association having been the ones \nwho, I think, forced the Clinton Administration to back off \nfrom its original proposal, which was no mandatory consent, \nwhich was probably a more logical position.\n    So I'm wondering if it would be appropriate for this \ncommittee to pass a regulation or rule or law, if the Chairman \nbrings this forward, that says that if you are a member of the \nAmerican Medical Association, then you shall be subjected to \nmandatory consent. Is that reasonable?\n    Mr. Allen. 
I would say for those individuals who are \nmembers of the American Medical Association who might otherwise \nhave commented or maybe members of other associations that \nsupport the notice provisions that we have, if we could exclude \nthem you might want to find those members who would solely want \nto----\n    Senator Gregg. My question was fairly rhetorical.\n    Mr. Allen. Mine was, as well, my comment.\n    I think the issue there, Senator, if I may, in all \nseriousness, I think the issue there is I believe that with \nproper education, understanding of the rule and the way the \nrule works and brings an appropriate levity to the issue of \nprivacy, but also the significant importance of access to care, \nI think that we can work with the American Medical Association \nand other organizations by educating them on how this rule \nultimately will work to the benefit of the patient in both \nareas and making sure that they have the ability to have the \nprior consent, prior notification, prior authorization for use \nof their information when it is not related to treatment, \npayment or operations but, at the same time, to not be \nprecluded from getting that care when it does relate to those \nareas.\n    So I think in all seriousness I think we have an \nopportunity to educate, as well.\n    Senator Gregg. I appreciate your presentation. I think it \nwas a very effective representation of the administration's \nposition. Thank you.\n    Mr. Allen. Thank you, Senator.\n    The Chairman. Thank you very much.\n    [The prepared statement of Claude Allen follows:]\n                 Prepared Statement of Claude A. Allen\n    Chairman Kennedy, Senator Gregg, distinguished Members of the \nCommittee, it's a pleasure to be with you. 
I welcome the opportunity of \nappearing before you to talk about what we're doing at the Department \nof Health and Human Services to fulfill President Bush's goals of \nprotecting both vital health care services and the confidence of every \nAmerican to know that his or her personal medical records will remain \nprivate. Today, I'm going to discuss the Standards for Privacy of \nIndividually Identifiable Health Information (the Privacy Rule) and the \nproposed modifications to those standards that the Department published \nin the Federal Register for public comment on March 27, 2002.\n    President Bush, Secretary Thompson and I believe strongly in the \nneed for workable and effective federal protections to ensure patients' \nprivacy. Americans have become increasingly concerned about the privacy \nof their health care information. Fear of misuse or abuse of sensitive \nmedical information has deterred some patients from fully utilizing the \nnecessary health care services available to them. When the Privacy Rule \nis fully implemented, we will have successfully completed our goal of \ngiving American patients what they want: confidence that the privacy of \ntheir medical records will be protected and that our providers and \nhealth system will be able to deliver them the most advanced, and \nefficient quality care available. 
Because of the Privacy Rule, all \nAmericans will, for the first time:\n    * Have the right up front the first time they see a doctor \nor health care provider or enroll in a health plan to be notified of \ntheir privacy rights and how their information may be used or disclosed \nby the provider or the plan, so they may understand and discuss \nconcerns with these providers and plans and get care that is consistent \nwith their own personal preferences;\n    * Have the right to access their own medical record and to \nhave their record corrected, if it contains incorrect or incomplete \ninformation; and\n    * Have control over most non-routine uses or disclosures of \ntheir information, including requiring written permission before their \ninformation is shared with employers for employment decisions, shared \nwith life, disability or other insurers, or used for marketing.\n    In April 2001, President Bush acted boldly to put into place these \nstrong patient privacy protections. With laws already in effect to \nprotect personal information contained in bank, credit card, and other \nfinancial records, and to require notification of Americans about how \ntheir electronic data are used for providing these financial services, \nthe American public should not be made to wait any longer for \nprotection of the most personal of all information--their health \nrecords. At the same time, legitimate concerns were raised about \nwhether parts of the Privacy Rule would compromise patients' access to \ncare or the quality of that care. 
To address these concerns, the \nPresident directed Secretary Thompson to recommend appropriate \nmodifications to the Rule that would identify and correct any \nunanticipated consequences that might harm patients' access to care or \nthe quality of that care while still protecting patient \nconfidentiality.\n    The notice of proposed rulemaking published on March 27, 2002 \nrepresents the results of the Department's review of thousands of \npublic comments, recommendations from public hearings on the Privacy \nRule, as well as the letters and input from a broad and diverse group \nof lawmakers, interest groups, health care leaders, and individual \ncitizens regarding the Rule. The changes that we have proposed will \nallow us to ensure strong protections for personal medical information \nwithout negatively affecting access to care. These recommendations were \ndecided upon only after seriously examining the feasibility of all \npossible options. They are common-sense revisions that are intended to \neliminate serious obstacles to patients getting needed care while, for \nthe first time, providing federal privacy protections for patients' \nmedical records.\n    I would like to review briefly the major areas of the Privacy Rule \nwhere changes are being proposed and explain the Department's reasons \nfor proposing these actions. At the end, I will be happy to answer any \nquestions from the Committee Members on these or any other of the \nproposed changes.\nConsent and Notice\n    First, the Department has proposed a workable solution to the \nconsent and notice provision that achieves strong privacy protections \nand ensures access to care. 
The original regulatory proposal published \nin November 1999, prohibiting a covered health care provider from \nobtaining consent for uses and disclosures for treatment, payment and \nhealth care operations, lacked a workable process to engage the patient \nto consider the providers' privacy practices, an essential part of \nadequately protecting privacy. The final regulation published in \nDecember 2000, mandating consent for these routine uses and disclosures \ncreated barriers to timely access to care.\n    The Department's proposal is two-fold: it would enhance the \nobligation that covered entities give notice of their privacy practices \nto their patients, by requiring a good faith effort to get patients to \nacknowledge, in writing, receipt of the notice of privacy practices, \nand it would allow providers to obtain consent for these routine uses. \nThis change means only that under the Privacy Rule, patients are no \nlonger required to provide consent for their doctors, hospitals, and \nother direct treatment providers to use and disclose information for \nthose core activities that are essential elements of providing health \ncare. Patient authorization is still required for most other purposes, \nsuch as marketing and disclosures to employers for employment purposes. \nPatients also would continue to have the right to request restrictions \non uses and disclosures of their health information and would be able \nto enter into agreements with providers and health plans to further \nprotect the privacy of their health information or to further limit the \nuse of that information.\n    We believe this approach provides new, meaningful patient privacy \nprotection without impeding the delivery of high-quality care that \npatients need. The President and Secretary Thompson are dedicated to \nimproving the delivery of quality care to patients, and the December \n2000 privacy rule posed serious problems for patient access to care. 
\nIndeed, the comments received in March 2001 revealed a multitude of \nunintended consequences threatening patient safety and quality care. We \nalso heard from many of you on this committee, Mr. Chairman, and other \nMembers of Congress, all asking that we address these unintended \nconsequences. Most importantly, we heard from health professionals that \nthe proposed regulations would have serious consequences for the \nquality of patient care.\n    I believe it was widely recognized that the consent requirements \ninterfered with patients getting prescriptions filled in a timely \nmanner; the ability of hospitals, specialists, or other practitioners \nto act timely to start care for patients referred from other providers; \nthe ability to provide treatment over the telephone; and emergency \nmedical providers.\n    Potentially, the Department would have to repeatedly modify the \nprivacy rule as each new barrier was identified. As many of you may \nrecall, HIPAA allows modifications to the privacy rule standards only \nonce yearly, thus the Department would be in the untenable position of \nknowing of serious problems that threatened patient care, but being \nunable under the law to correct these threats to patient care on a \ntimely basis.\n    Ultimately, we tried to put ourselves in the shoes of the patient \nand do what made the most sense from his or her perspective. And, we \nbelieve that the patient most values unimpeded access to quality care, \ngenerally limiting the use of his or her information to what is \nnecessary to provide quality care, fair notice of how his or her \ninformation will be used, and more control over where other than to his \nhealth care providers and health plans his information goes.\n    Indeed, requiring individual written consent for the routine uses \nnecessary to provide care gives the patient little actual control over \nthat information. 
When coupled with the provider's ability--and even \nnecessity--to condition treatment on the signing of a general consent \nform, the patient is forced to choose between signing the consent form \nand not receiving care. In the end, we determined that the risk of \ncompromising patient care and safety outweighed any benefit of a \nmandatory consent process. We believe the backbone of patient privacy \nrights is preserved and strengthened and the spirit and intent of the \nmandatory consent is fulfilled by the written notice requirement. \nDuring each patient's first meeting with a provider, they will receive \na notice of their privacy rights, as well as the providers' privacy \npolicies, and how their information will be used. This notice \nrequirement creates for the first time, a formalized process where the \npatient will pause and reflect on the value of the privacy of their \nmedical records and be able to discuss any concerns that they have with \nthe provider.\nHealth Care Communications and Practices\n    Second, the proposal ensures the strong protections for all forms \nof health information, including oral communications. Plans and \nproviders will be obligated to make reasonable efforts to limit the use \nand disclosure of protected health information to the appropriate \nminimum necessary to accomplish the intended purpose. We have, however, \nmade clear that a doctor could discuss a patient's treatment with other \ndoctors and health care professionals without fear of violating the \nrule if they are overheard if reasonable safeguards are in place. As \nlong as a covered entity met the minimum necessary standards and made \nan effort to protect personal health information, incidental \ndisclosures--such as another patient overhearing a fragment of \nconversation--would not be an impermissible disclosure. 
This proposed \nchange does not in any way permit gossiping or other careless use of \npatient information.\nResearch\n    Third, the proposals would simplify the research provisions, \nremoving many of the burdens on research and covered entities alike, \nthereby continuing to promote the highest quality of care that \nAmericans have come to expect and have a right to demand and so that \nthe nation's world-renowned medical research can continue at a vigorous \npace, but with renewed confidence in patients that their personal \nmedical information will be protected. The proposal would make it \neasier for patients who participate in research to understand all \ndimensions of the study, including privacy dimensions, through the use \nof a single combined form, instead of having multiple consent forms--\none for informed consent to the research and one or more related to \ninformation privacy rights. It streamlines requirements for obtaining a \nwaiver of individual permission to access records for research \npurposes, so as to more closely follow the requirements of the ``Common \nRule,'' which governs federally funded research. These simplified \nprovisions would, nonetheless, continue to include privacy-specific \ncriteria and would apply equally to publicly- and privately-funded \nresearch.\n    The Department is also seeking comment on the feasibility of making \nhealth information that does not directly identify the patient more \nreadily available for research and limited other purposes. For example, \nmany researchers and others who study the quality or accessibility of \ncare have indicated a need for information that does not facially \nidentify the patient, but nonetheless contains certain identifiers such \nas zip code or dates of admission and discharge. Under the Privacy \nRule, the information would not be ``de-identified.'' In environmental \ncancer studies, zipcodes are often important for environmental health \nresearch. 
Duration of illness is important for infectious disease \nstudies. Through the comment process, the Department is seeking a \nconsensus as to how to construct a ``limited data set'' that could be \ndisclosed for such purposes, and as to what type of information should \ncontinue to be excluded from the proposed ``limited data set'' because \nit would directly identify an individual. In addition, to further \nprotect privacy, we propose to condition the disclosure of the limited \ndata set on a covered entity's obtaining from the recipient a data use \nor similar agreement, in which the recipient would agree to limit the \nuse of the data set for the purposes for which it was given, as well as \nnot to re-identify the information or use it to contact any individual.\nParents and Minors\n    Fourth, we have made limited changes to clarify that State law \ngoverns disclosures of a minor's health information to a parent or \nguardian. The rule and the proposed modification only address the \nrights related to a minor's medical records; neither has any impact on \na minor's ability to obtain certain medical services under State law \nwithout parental consent. The intent of the current rule was never to \noverride State laws that set standards for parental access to their \nchildren's medical records. In cases where State law is silent or \nunclear, the revisions would preserve physician flexibility and \nstandards of professional practice by permitting a health care provider \nto use the discretion afforded by the State or other law to provide or \ndeny a parent access to such records. 
Just as State law now determines \nwhen a minor may be treated without parental consent, so too would the \nrevisions effectively defer to State law on access to and control of \nthe minor's information that results from such treatment.\nMarketing\n    Fifth, the proposal explicitly prohibits using or disclosing a \npatient's information for any marketing purposes without the \nindividual's express authorization. At the same time, the proposal \nwould ensure that doctors and other covered entities could continue to \ncommunicate freely with patients about treatment options and other \nhealth-related information, related to their treatment, including \ndisease-management programs sponsored by the entity. The doctor may or \nmay not receive remuneration. This proposal would strengthen the \nmarketing provisions by requiring an individual to specifically \nauthorize certain disclosures of health information that otherwise \nwould be permitted without such authorization under the privacy rule. \nFor example, a health plan would be prohibited from giving a \npharmaceutical company its list of all enrollees for the company to \nsend all patients information about their products without obtaining \neach individual's authorization even if that company is a business \nassociate of the health plan. However, the proposal would continue to \nallow use of information for the health plan to send enrollees with \ndiabetes information about a diabetes disease management program that \nmay help them manage their illness. Patients want information about \ntheir treatment and treatment alternatives and the benefits and \nservices offered by their plans and health care providers. Patients do \nnot want their personal information used for unsolicited marketing \npitches that have nothing to do with their care. 
This is the same \ncommon sense approach that governs all other revisions to the Rule: \npatients should have the right to get the best care possible, and to \nhave their sensitive medical information protected while doing so. \nOther Provisions\n    We have also proposed changes that would:\n    <bullet> Clarify and encourage public health reporting of adverse \nevents and other post-marketing surveillance of FDA-regulated products \nor services;\n    <bullet> Provide model business associate contract provisions and \nallow up to one additional year for most covered entities to make their \nbusiness associate contracts compliant with the Rule; and\n    <bullet> Permit the sharing of information among health care \nproviders and health plans for each others' treatment, payment, and \nquality-related health care operations.\nConclusion\n    I want to assure you that Secretary Thompson and I are committed to \nworking with this Committee and Congress, and with experts and the \npublic, to provide the strongest possible protections for medical \ninformation while preserving access to and quality of health care. We \nlook forward to specific comments on the proposed modifications to the \nPrivacy Rule and we remain open to additional ideas for strengthening \nprivacy protections while encouraging high quality care. But it is past \ntime to move forward. Privacy rules have been drafted for many years, \nand inaction prevents needed medical privacy protections from being put \ninto place. The need to get strong privacy protections in place now is \na commonly held goal that transcends partisan politics. We owe the \nAmerican people a privacy rule that works to allow them to continue to \nget the high-quality care that they expect they deserve no less. Thank \nyou again for the opportunity to be here today. I appreciate your \ninterest and commitment and I am happy to answer any questions.\n\n    The Chairman. We have a panel now that we will hear from. 
\nJanlori Goldman devoted her career to privacy and civil \nliberties issues, founder and director of Health Policy \nProject, Georgetown University Institute of Health Care \nResearch, also cofounded Center for Democracy and Technology, a \ncivil liberties organization committed to preserving free \nspeech and privacy on the Internet. Janlori has been a leader \non the privacy regulations since day one and we look forward to \nthe testimony.\n    Sam Karp, chief information officer, California Health Care \nFoundation, coordinates the foundation's initiatives in health \ncare privacy, worked on new business models, technology-based \napproaches for sharing health information. Mr. Karp is working \nto understand how providers are working to implement this \nregulation.\n    John Clough currently is the chairman of the Division of \nHealth Affairs, Cleveland Clinic Foundation. Previously the \ndoctor served as chairman of the Department of Rheumatic and \nImmunologic Disease and we are pleased to get his input on this \nimportant issue. Senator DeWine will be here just momentarily \nto give us an additional introduction.\n    Dr. Richard Harding, president of the American Psychiatric \nAssociation. Serves on the Subcommittee on Privacy, \nConfidentiality and the National Committee on Vital Health \nStatistics in the Department of Health and Human Services and \nhe will be sharing his thoughts on the impact of privacy on \nhealth care providers.\n    Mr. Karp.\n\n STATEMENT OF SAM KARP, CHIEF INFORMATION OFFICER, CALIFORNIA \n                     HEALTHCARE FOUNDATION\n\n    Mr. Karp. Good morning, Mr. Chairman, Senator Gregg and \nMembers of the committee. My name is Sam Karp. I am the chief \ninformation officer of the California Healthcare Foundation. \nThe foundation is an independent philanthropy committed to \nimproving California's health care delivery and financing \nsystems. 
Thank you for the opportunity to testify today on an \nissue we believe is fundamental to improving the quality of \nhealth care.\n    Over the past 5 years, the California Healthcare Foundation \nhas supported a range of activities to heighten awareness and \nunderstanding of the need to establish strong rules to \nsafeguard the confidentiality and security of personal health \ninformation both on and off-line.\n    In December of last year the foundation commissioned an \nindependent survey of health care organizations operating in \nCalifornia to see how implementation efforts are proceeding \nunder the HIPAA privacy rule. The survey was intended to \ndistinguish between the real and perceived barriers to \ncompliance and to use the results to inform policy-makers and \nthe general public debate. While I have submitted written \ntestimony that details the survey findings, I would like to \nhighlight two of the key findings here this morning.\n    First a few words about the survey. The survey was \nconducted for the foundation by the National Committee for \nQuality Assurance, NCQA, and the Georgetown University Health \nPrivacy Project. It was fielded in January and February of this \nyear just prior to the March 27 proposed rule modifications \nissued by HHS. The survey represents the views of 100 health \ncare organizations that do business in California, including 29 \nhospitals, 19 physician organizations, 26 health plans, and 26 \nother organizations, including disease management, behavioral \nhealth organizations, medical management groups, clearinghouses \nand large research organizations. 
The organizations that took \npart in the survey are fairly representative of entities \ncovered by the privacy rule and some of the organizations \noperate in States other than California.\n    With respect to implementation progress, if you refer to \nTable 1 in my testimony or the chart to your right, you will \nsee the progress being made in implementing the privacy rule in \nCalifornia. Ten months into the 2-year compliance period, when \nasked about specific actions taken toward implementation, 81 \npercent of the respondents reported having developed a \nstrategic plan. Sixty-seven percent indicated they have already \nconducted a gap analysis. Fifty-two percent have developed a \nreadiness initiative and 12 percent of the respondents reported \nalready completing their readiness activities.\n    As the chart indicates, hospitals report having made the \nmost progress to date, with 96 percent having developed \nstrategic plans, 75 percent having conducted gap analyses, and \n67 percent developing readiness initiatives. Physician groups \nreport having made the least progress.\n    Also with respect to implementation progress, 77 percent of \nthe respondents to the survey indicated that they had \ndesignated a privacy official, as defined by the rule. Eighty-\nseven percent of those that had designated a privacy official \nalso report they had identified the human resources within \ntheir organizations needed to prepare for HIPAA compliance.\n    Now let me turn for a moment to the consent requirement. If \nyou will refer to Figure 1 in the testimony, which is also in \nthe chart on your right, this chart indicates that a majority \nof respondents, 51 percent, report that the consent \nrequirements are somewhat workable. Another 29 percent reported \nthat they were either workable or very workable, while 20 \npercent reported that they were less than workable or not \nworkable at all. 
Hospitals and physician groups, those \norganizations directly affected by the consent requirements, \nwere more likely than their counterparts to report that the \nrequirements were somewhat to very workable, 90 percent and 79 \npercent respectively.\n    If you refer now to Figure 3, also on the chart to your \nright, the survey found that those respondents that report \nhaving developed a strategic plan, conducted a gap assessment \nor completed their readiness initiative--in other words, those \norganizations that were further along in their compliance \neffort--were also more likely than their counterparts to report \nthat the consent requirements were workable.\n    There were a variety of open-ended comments about the \nconsent requirements. Let me just mention a couple. Although \nthe final rule required consent to be obtained only one time, \nmany respondents expressed confusion and concern about their \nability to track revocations and limitations of consent. There \nwas also concern as a result that some covered entities would \nrequire patients to sign a consent form every time they sought \ntreatment and that patients would be overwhelmed and confused \nas a result.\n    There was also confusion expressed about whether one \ncovered entity could share quality assessment information with \nanother covered entity, but HHS provided modifications that \nhave now made that clear, that as long as those two entities \nhave an individual relationship with the patient, they can \nshare that information.\n    There are two take-aways from this survey. First, there is \nstill considerable work to be done, as we have heard this \nmorning, to address areas of confusion, misinterpretation, and \nto make the rules generally more workable. On the other hand, \nthe survey provides clear evidence, some 14 months before the \ncompliance date, that progress is being made in implementation. 
\nIn fact, those organizations that I mentioned a moment ago that \nare further along in their compliance efforts are finding the \nrules more workable.\n    The Chairman. I will give you another minute or two.\n    Mr. Karp. So to remove a key provision of the rule at this \ntime does not seem justified.\n    Again, thank you for this opportunity to testify today. I \nam happy to answer any questions you may have.\n    The Chairman. Enormously interesting study.\n    [The prepared statement of Mr. Sam Karp follows:]\n       Prepared Statement of Sam Karp, Chief Information Officer\n    Good morning. Mr. Chairman, Senator Gregg, and members of the \ncommittee, my name is Sam Karp. I am the Chief Information Officer of \nthe California HealthCare Foundation. The Foundation is an independent \nphilanthropy, committed to improving California's health care delivery \nand financing systems. Thank you for the opportunity to testify today \non an issue we believe is fundamental to improving the quality of \nhealth care.\n    Over the past 5 years the Foundation has supported a range of \nactivities--from research studies, surveys, educational publications, \nguides, workshops and conferences--to heighten awareness and \nunderstanding of the need to establish strong safeguards to protect the \nconfidentiality and security of personal health information, both on- \nand offline. Our work is motivated by the belief that unless patients, \nand consumers generally, have confidence that the confidentiality of \ntheir health information is guaranteed, progress being made to develop \nbetter information systems to improve care and monitor and assess the \nquality of care will be thwarted. 
[The Foundation's work on health \nprivacy can be found on our Web site at www.chcf.org.]\n    California HIPAA Privacy Implementation Survey\n    In December 2001, the Foundation commissioned the National \nCommittee for Quality Assurance (NCQA) and the Georgetown University \nHealth Privacy Project to survey health care organizations operating in \nCalifornia to see how implementation efforts are proceeding under the \nHIPAA Privacy Rule. The survey was intended to distinguish between the \nreal and perceived barriers to compliance and to use the results of the \nsurvey to inform policymakers and the public debate.\n    The survey represents the views of 100 health care organizations \nthat do business in California, including 29 hospitals, 19 physician \ngroups, 26 health plans, and 26 other organizations, such as disease \nmanagement organizations, clearinghouses, medical management groups, \nbehavior health care organizations and researchers. The organizations \nthat took part in this survey are fairly representative of entities \npotentially affected by the Privacy Rule. Some of the organizations \nsurveyed also operate in states other than California.\n    The survey was conducted in January and February 2002, prior to the \nMarch 27, 2002 release by Department of Health and Human Services (HHS) \nof the proposed rule modifications (NPRM).\n    When reviewing the findings of the survey it is important to note \nthat the State of California has a history of strong patient \nconfidentiality laws. Health care organizations operating in California \ngenerally have more experience operationalizing privacy protections \nthan most of the rest of the nation.\n    The Survey Findings\n    The survey identified the following key findings:\n    1. Planning is proceeding; implementation progress varies.\n    2. The consent requirements are somewhat workable.\n    3. Minimum necessary requirements are somewhat workable.\n    4. 
Information needed for quality assessment thought to be limited \nby the consent and minimum necessary requirements.\n    5. The business associate requirements are viewed as burdensome.\n    6. Resources are needed to assist preemption analysis.\n    7. Compliance efforts are not fully funded.\n    8. There is a general need for clarifications and/or modifications.\n1. Planning Is Proceeding; Implementation Progress Varies\n    Ten months into a 2-year compliance period, when asked about \nspecific actions taken toward implementation, 81 percent of respondents \nhave developed a strategic plan, 67 percent indicated they have \nconducted a gap assessment, and 52 percent have started to develop and \nimplement readiness initiatives. Twelve percent of respondents reported \ncompletion of their readiness initiatives. Hospitals report having made \nthe most progress to date, with Physician Groups having made the least \nprogress. (See Table 1.) Payors with a Medicaid product were less \nlikely than Payors with commercial products to have developed a \nstrategic plan (64 percent to 92 percent), conducted a gap assessment \n(50 percent to 92 percent), or developed a readiness initiative (29 \npercent to 67 percent).\n    Seventy-seven percent of respondents indicated they had designated \na Privacy Official, as defined by HIPAA. Eighty-seven percent of those \nthat had designated a Privacy Official also report they had identified \nthe human resources within their organization needed to prepare for \nHIPAA compliance. Again, Payors with a Medicaid product were less \nlikely (50 percent to 92 percent) than Payors with commercial products \nto have designated a Privacy Official and also less likely (63 percent \nto 91 percent) to have identified the human resources needed to prepare \nfor HIPAA.\n    Organizational challenges frequently identified by respondents \nincluded implementation, staff education, cost, time, and information \ntechnology.\n2. 
The Consent Requirements Are Somewhat Workable\n    Overall, 51 percent of total respondents felt that the consent \nrequirements were somewhat workable. Twenty-nine percent felt they were \neither workable (19 percent) or very workable (10 percent), while 20 \npercent felt they were less than workable (13 percent) or not workable \nat all (7 percent). (See Figure 1.)\n    Hospitals, Others and Physician Groups were more likely to feel the \nconsent requirements were somewhat to very workable (90 percent, 81 \npercent, and 79 percent respectively) than Payors (68 percent). \nRespondents who had developed/completed a readiness initiative, \ndeveloped a strategic plan or conducted a gap assessment were more \nlikely than their counterparts to feel that the consent requirements \nwere workable.\n    Forty-six percent of survey respondents believe that the Privacy \nRule will be useful in assuring patient confidentiality rights and \nachieving consistent national standards for confidentiality, however, \n47 percent of respondents expressed concern about the paperwork burden.\n    Although the final rule required consent to be obtained only one \ntime, many respondents expressed confusion or concern about the \npracticability of tracking revocations and limitations on consent. \nThere was concern that as a result, some covered entities would require \npatients to sign a consent form every time they sought treatment and \nthat patients would be overwhelmed and confused as a result.\n    Many respondents expressed concern that the burden of implementing \nconsent would take time and money away from patient care. Respondents \nalso expressed concern that covered entities would err on the side of \ncaution and refuse to release information for fear of violating HIPAA.\n    All respondents were asked to indicate what they deemed useful \nabout the consent requirements, and what areas of the consent \nrequirements caused them concern. 
Regarding aspects of the consent \nrequirements that were useful:\n    <bullet> 30 percent said that the requirements were useful in \nassuring patient rights.\n    <bullet> 16 percent felt the requirements would provide national \nstandards and increase consistency among providers.\n    <bullet> 16 percent said that there was nothing useful about the \nrequirements.\n    Regarding areas of concern related to the consent requirements:\n    <bullet> 19 percent of respondents cited continuity of care.\n    <bullet> 14 percent cited confusion about consent among patients, \nemployees, and physicians.\n    <bullet> 9 percent cited cost.\n    Payors were more likely to cite confusion about consent as an area \nof concern.\n    Respondents were asked whether available tools and technologies \ncould be used to implement four areas: 1) initial consent, 2) \nrevocations of consent, 3) limitations on consent, and 4) accounting of \ndisclosures. Implementing initial consent was thought to be the easiest \nand tracking limitations to consent the most difficult. It should be \nnoted that between 17 and 25 percent of respondents did not know how to \nrespond and were excluded from the results.\n    Physician Groups were more likely than Hospitals, Payors, and \nOthers to feel that available technologies could not be used for \ntracking initial consent. Of those who did know, 53 percent of \nrespondents felt that initial consent could definitely be tracked.\n    For revocations of consent, more than a quarter (28 percent) of \nrespondents felt that they could not be tracked with available tools \nand technologies. Forty-five percent thought they could be tracked with \navailable tools and technologies.\n    Overall 37 percent of respondents thought that limitations on \nconsent could be tracked, while 35 percent of respondents thought they \ncould not be tracked with existing tools. 
Only 30 percent of Hospitals \nand 32 percent of Payors felt that limitations on consent could be \ntracked with existing tools.\n    Twenty-nine percent of respondents thought that accounting of \ndisclosure could not be tracked with existing tools, while 43 percent \nthought that they could be tracked. Physician Groups (33 percent) and \nPayors (33 percent) were more likely to say that they could not be \ntracked.\n3. Minimum Necessary Requirements Are Somewhat Workable\n    Overall, 58 percent of respondents felt that the minimum necessary \nrequirements are somewhat workable. Twenty-three percent felt they were \nworkable (18 percent) or very workable (5 percent), while 19 percent \nfelt they were either less than workable (15 percent) or not workable \nat all (4 percent). Physician Groups were slightly more likely to see \nthe minimum necessary requirements as workable, with Payors and Others \nslightly less likely to see them as workable. As with the consent \nrequirements, respondents who had developed a readiness initiative or \nstrategic plan or had conducted a gap assessment were more likely than \ntheir counterparts to feel that the minimum necessary requirements were \nworkable.\n4. Information Needed For Quality Assessment Thought To Be Limited By \n        The Consent And Minimum-Necessary Requirements\n    When asked if they thought the consent requirements would enhance \nor limit the flow of information needed to assess health care quality, \n58 percent of respondents thought that the consent requirements would \nsomewhat limit (51 percent) or greatly limit (7 percent) the flow of \ninformation needed to assess quality of care. Thirty-two percent of \nrespondents felt the consent requirements would have no effect on the \nflow of information, while 10 percent felt the consent \nrequirements would enhance (9 percent) or greatly enhance (1 percent) \nthe flow of information. 
Sixty-five percent of Hospitals and 65 percent \nof Others felt that the consent requirements would somewhat or greatly \nlimit the flow of information, while 42 percent of Physician Groups and \n44 percent of Payors felt that the consent requirements would have no \neffect on the flow of information.\n    Those respondents that felt the consent requirements would somewhat \nor greatly impact the flow of information needed to assess health care \nquality were asked to indicate in what way the consent requirements \nwould impact assessment of health care quality. There were 60 open-\nended responses to this question:\n    <bullet> 30 percent of respondents answering the questions felt \nthat there would be process complications or additional burden \nassociated with paperwork.\n    <bullet> 17 percent felt there would be confusion over \nrequirements; 15 percent felt patient factors, such as revoking \nconsent, would limit the flow of information and interrupt the \ncontinuity of care.\n    <bullet> 6 percent felt that there would be inadequate transfer/\nflow of information needed for patient assessment.\n    Inadequate time was a common theme in the responses. Hospitals were \nmore likely to cite process complications, paperwork burden, and \npatient factors as limiting the flow of information, while Payors \ntended to cite confusion over requirements as limiting the flow of \ninformation.\n    With respect to the minimum necessary requirements, the findings \nwere less clear. While 45 percent of respondents thought this \nrequirement would greatly limit or somewhat limit the flow of \ninformation needed to assess the quality of health care, another 45 \npercent thought that the minimum necessary requirements would have no \nimpact. 
Ten percent of respondents thought the requirements would \nsomewhat enhance (9 percent) or greatly enhance (1 percent) the flow of \ninformation.\n    Physicians and Payors expressed similar concerns that the minimum \nnecessary requirement would negatively affect the flow of information \nfor payment, delivery, and assessment of care. It appears that the \nbelief that quality would be affected is related to the fact that the \nconsent requirements in the final rule would not permit providers to \nshare Personal Health Information (PHI) with health plans for the \nplans' quality assurance activities.\n    There was generally a lack of clarity about the permissibility of \ndisclosures for quality assessment purposes. Respondents did not seem \nto understand the permitted uses and limitations of PHI within and \nbetween covered entities.\n5. The Business Associate Requirements Are Viewed As Burdensome\n    The time and cost associated with contracting with business \nassociates was a significant issue for respondents. Seventy-two percent \nfelt there would be a substantial to large time burden to implement the \nbusiness associate requirements; more than half of respondents said the \ncost of implementing these requirements was substantial to large.\n    When asked if they believe that the regulations clearly define who \nconstitutes a business associate, 65 percent of all respondents thought \nthe regulations were clear. While 81 percent of Physician Groups \nthought the regulations were clear, only 50 percent of Payors agreed. \nWhile most respondents likely have existing contractual relations, the \ninitial burden of recontracting is believed to be high. There is also \ndisagreement and lack of understanding about the level of oversight and \ndue diligence required by covered entities over their business \nassociates.\n6. 
Resources Are Needed To Assist Preemption Analysis\n    Fourteen percent of respondents did not know whether they had \nconducted any preemption analysis. Of those who did know, more than \nhalf have not identified the laws in the states in which they do \nbusiness that either are or are not preempted by HIPAA. When asked how \nthey were planning to identify and track these laws, most respondents \nindicated that they hoped outside sources would develop and track \npreemption issues or that they were expending significant resources \nhiring outside legal assistance. Assistance provided by HHS with regard \nto preemption analyses would ease the burden on covered entities.\n7. Compliance Efforts Are Not Fully Funded\n    With respect to funding, only 21 percent of respondents said that \ntheir compliance efforts were fully funded. More than half of \nrespondents indicated that their HIPAA compliance efforts were only \npartially funded or not funded at all. When asked whether they think \nthe anticipated costs of complying with the Privacy Rule will \neventually be offset by savings expected from implementing other \ncomponents of HIPAA (e.g., the Transaction and Code Set regulations), \n31 percent to 32 percent of respondents said they did not know. Of \nthose that said they did know, 48 percent expect no savings, 22 percent \nexpect some savings but not within the next 5 years, and 26 percent \nexpect some savings within 3 to 5 years.\n    While 51 percent of respondents reported a lack of funding, it is \nalso important to keep in mind that many respondents have not developed \na strategy or conducted a gap analysis of their organizations and this \nmay have an impact on their knowledge of the funding requirements. The \nsurvey results also indicated there is a great deal of money being \nspent on redundant legal and outside consultant analysis of the \nregulations and compliance efforts.\n8. 
There Is A General Need for Modifications And/Or Clarifications\n    Seventy-eight percent of respondents felt that HHS needed to \nprovide clarifications or make modifications to the final Privacy Rule. \nMany responders requested clarifications with respect to consent, \nminimum necessary, the definition and rules concerning business \nassociates, the rules concerning communications, marketing and funding, \nand preemption. Others wanted clarification around research rules and \nhow the regulations apply to disease management organizations.\nConclusion\n    The clear message from this survey is that there is a lot of work \nstill to be done to address areas of confusion, misinterpretation and \nto make the rules generally more workable.\n    1. If you are a supporter of the Privacy Rule, the survey suggests \nit cannot be fully or successfully implemented, without clarifications \nand possible modifications.\n    2. On the other hand, there is substantial evidence that progress \nis being made in implementation, so that removing key provisions of the \nrule does not seem justified.\n    Today, nearly 20 percent of Americans practice some form of \nprivacy-protective behavior that puts their own health at risk or \ncreates financial hardships. These behaviors include: paying out-of-\npocket when insured to avoid disclosure; not seeking care to avoid \ndisclosure to an employer; giving inaccurate or incomplete information \non a medical history; asking a doctor to not write down the health \nproblem or to record a less serious or embarrassing condition; or, \nsimply not seeking care at all.\n    It is in everyone's best interest to see that these rules are \nimplemented.\n    Again, thank you for this opportunity to testify today. I am happy \nto answer any questions you may have.\n\n    The Chairman. I see my friend Senator DeWine here and I \nknow that he wanted to----\n\n OPENING STATEMENT OF HON. MIKE DeWINE, U.S. 
SENATOR FROM THE \n                         STATE OF OHIO\n\n    Senator DeWine. Thank you, Mr. Chairman. I am just \ndelighted to welcome Dr. John Clough, who is from the Cleveland \nClinic Foundation in my home State of Ohio. Doctor, we welcome \nyou here and we look forward to your testimony.\n    He will shed some light, Mr. Chairman, on really the \ncomplexities involved with the implementation of these rules \nand the burdens that could fall on health care institutions. He \nhas been with the Cleveland Clinic for a total of nearly 35 \nyears and is currently chairman of the Division of Health \nAffairs at the Cleveland Clinic. In this capacity the doctor \noversees the Departments of Government Affairs, Community \nRelations, and the Ambassador's Program.\n    Last month he testified on the House side regarding the \nissue of medical privacy rights and has spent considerable time \nstudying the impact of the proposed rules.\n    Dr. Clough, we welcome you to the committee. We thank you \nvery much for being here and look forward to your testimony.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you very much.\n    Ms. Goldman.\n\nSTATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, \n                     GEORGETOWN UNIVERSITY\n\n    Ms. Goldman. Thank you. Thank you, Mr. Chairman and Senator \nDeWine for inviting me to testify and thank you also for \nholding this oversight hearing and for your commitment to \nprivacy.\n    The mission of the Health Privacy Project is also to \nbroaden access to care and to ensure that people get the \nquality of care that they need, but we know that people are \nafraid. People are afraid to go to the doctor. They are afraid \nto be honest with their doctor. They are afraid to fully share \nwith their doctor because of what could happen to them, and \ntheir fears are real. We hear stories every day and we collect \nthese stories about how people are hurt in the workplace; their \nbenefits are denied. 
We know that, for instance, 40 percent of \nall people diagnosed with multiple sclerosis are afraid to tell \ncolleagues and friends because of what could happen to them. \nPeople are afraid to get genetic tests. The number one barrier \nto people getting genetic testing and counseling is fear that \ntheir privacy will be violated.\n    So in response to these concerns, the administration issued \nthis landmark regulation in December of 2000, the privacy \nregulation, and the Bush Administration did allow it to go into \neffect. We realize that it has limits and weaknesses, but the \ntruth is it is the most comprehensive privacy law that we have \nat the Federal level.\n    My testimony is extensive. I want to keep it brief in my \noral statement and I want to focus on two of the proposed \nmodifications that the administration has made--in the area of \nconsent and the area of marketing. And when I talk about \nmarketing I am also going to mention an FDA provision.\n    Signing onto our recommendations here, the National \nMultiple Sclerosis Society has also endorsed our position, our \nrecommendation on consent, as has the Epilepsy Foundation, the \nNational Association of Social Workers Legal Action Center, and \na list of other groups, which we have included in our \ntestimony.\n    Let me just focus on why notice is not the same as consent. \nThe administration comes here today and says that asking \nsomeone to sign a notice--not requiring, but asking them to \nsign a notice is the same as consent. That is just not \naccurate. Asking someone to sign a consent form is a \nsignificant and meaningful moment in the process of getting \ncare and the process of enrolling in a health plan. It is \nasking someone to give their permission. It is not mandating \nthe consent. 
A doctor could decide to condition consent on \ngiving certain benefits, but the regulation does not require \nthat the consent be mandated.\n    In terms of paperwork burden, we know today that many, many \nhospitals, the vast majority of hospitals, and this was \nincluded in the preamble to the final regulation, do require \npeople to consent to have their information used for payment. \nMost doctors do, as well, and for treatment.\n    State laws in this area are different from what the Federal \nregulation is requiring. In State laws there are specific \nconsent provisions related to certain kinds of conditions \npeople might have--maybe in the mental health area or \ncommunicable disease or abuse and neglect, alcoholism--where \nspecific consent is authorized, is required. But in the areas \nof treatment and payment, they are much more narrow than what \nthe administration is proposing today, much more limited. \nTreatment is defined much more narrowly and directly related to \nthe treatment of the individual. Most doctors and hospitals \nwill tell you they have an ethical duty to seek consent of \ntheir patients before treating them and before having their \ninformation provided for payment.\n    Marketing? I am very bewildered and disturbed by the \nadministration's testimony today on marketing. They have \ncontended that they have strengthened the marketing provision. \nThey have done exactly the opposite. They have expanded what is \nnow considered to be marketing and now called it treatment. \nThey have called it health-related communication. 
What used to \nbe in this box called marketing, where people had an \nopportunity to opt out after getting a communication, where \npeople were told that there was a financial conflict of \ninterest, that is now gone from the administration's proposal.\n    Any communication from anybody, not just a doctor, anybody, \na pharmacy, that is health-related, no matter whether there is \na financial conflict of interest, does not require an \nauthorization, does not give an opt-out, does not require up-\nfront consent. That is very disturbing. A pharmacy can now sell \nyour information under HHS's proposed modification to a drug \ncompany, to a travel agency, even to a tobacco advertiser under \nthe FDA provision, and they would not have to get your consent \nand not have to give you notice. You have no control and there \nare no limits.\n    I want to just focus for a moment on the cost issue. The \ncost issue comes up time and again, but the administration \nitself, in a recent report issued from the Office of Management \nand Budget, has shown that the privacy regulation, over the \nlong term, will save $12 billion in our health care system when \nit is implemented along with the other regulations in HIPAA.\n    So $12 billion of savings when privacy is implemented \ntogether with the other transaction regulations. How can we \ntalk about then wanting to save an additional $100 by \neliminating consent? It seems to me greedy and the wrong way to \ngo.\n    I want to just conclude by saying that President Bush \ncampaigned on a number of pledges around medical privacy. He \nhad very strong position statements during the campaign. And \nwhen he allowed the privacy regulation to go into effect last \nyear he said he believed very strongly that medical privacy \nshould be protected and people should not put themselves at \nrisk when they get care. 
In fact, in a column in the New York \nTimes shortly after President Bush allowed the regulation to go \ninto effect, William Safire dubbed him ``the privacy \nPresident.''\n    What we are concerned about today is that if HHS's proposed \nrollbacks become law, if the consent and marketing provisions \nare weakened and if they become law, then they will legalize \nthe most disturbing and unnerving practices in the health care \nsystem today and the kinds of practices that made consumers \nangry and caused them to send in 35,000 comments asking the \nadministration to include consent, asking them to limit some of \nthe marketing activities. Now they will become legal.\n    I urge not only the administration not to roll back these \nprovisions, but I urge the Congress to act. I know that you \nhave struggled with this for over a decade, but to act to \ncreate a statute that then is not susceptible to these \npolitical back-and-forths.\n    I very much appreciate being here today and I will be \navailable to answer any questions.\n    [The prepared statement of Ms. Janlori Goldman follows:]\n                 Prepared Statement of Janlori Goldman\n    Committee Chairman Kennedy, Senator Gregg and Members of the \nCommittee:\n    On behalf of the Health Privacy Project, I am very appreciative for \nthe invitation to testify before you today at this oversight hearing on \nmedical privacy. The Project, which is part of the Institute for Health \nCare Research and Policy at Georgetown University, is dedicated to \nbroadening access to health care, and improving the quality of care by \nensuring that the privacy of people's medical information is protected \nin the health care arena. The Health Privacy Project also coordinates \nthe Consumer Coalition for Health Privacy, comprised of over 100 major \ngroups representing consumers, health care providers, and labor, \ndisability rights, and disease groups. 
The Coalition's Steering \nCommittee includes AARP, American Nurses Association, Bazelon Center for \nMental Health Law, National Association of People with AIDS, Genetic \nAlliance, National Multiple Sclerosis Society, and National Partnership \nfor Women & Families.\n    The Health Privacy Project conducts research and analysis on a wide \nrange of health privacy issues. Recent Project publications include: \nBest Principles for Health Privacy (1999), which reflects the common \nground achieved by a working group of diverse health care stakeholders; \nThe State of Health Privacy (1999), the only comprehensive compilation \nof State health privacy statutes, which we are currently in the process \nof updating; Implementing the Federal Health Privacy Regulation in \nCalifornia (2002); Privacy and Confidentiality in Health Research \n(2001), commissioned by the National Bioethics Advisory Commission; \nReport on the Privacy Policies and Practices of Health Web Sites \n(2000), which found that the privacy policies and practices of 19 out \nof 21 sites were inadequate and misleading; ``Virtually Exposed: \nPrivacy and E-Health'' (2000), published in Health Affairs; and Exposed \nOnline: Why the New Federal Health Privacy Regulation Doesn't Offer \nMuch Protection to Internet Users (2001). All of our work is available \nto the public at our Web site, www.healthprivacy.org.\n    The Health Privacy Project's mission is to foster greater public \ntrust and confidence in the health care system, thereby enabling people \nto more fully participate in their own care and in research without \nputting themselves at risk for unwanted--and unwarranted--intrusions. \nIt is wrong to force people to choose between seeking health care and \nsafeguarding their jobs, benefits, and reputations. 
People should not \nhave to worry when taking a genetic test for breast cancer, or filling \na prescription for an anti-depressant, that this most sensitive health \ninformation will be used outside the core health care setting, but they \ndo worry and with good reason.\n    The new medical Privacy Rule,\\1\\ issued by the Department of Health \nand Human Services (the Department) in December 2000 and in effect \nsince April 2001, is a landmark regulation, setting in place the first \ncomprehensive Federal safeguards for people's medical records. With \nstill a year to go before health care organizations must fully comply, \nthe centerpieces of this new privacy law are in jeopardy. We appreciate \nthe opportunity to share our concerns with this Committee about the \nBush Administration's proposal to substantially weaken the medical \nPrivacy Rule. We express particular concern about the Department's \nproposal to eliminate the patient consent requirement, and to severely \nweaken the limits on the marketing of people's medical records. Joining \nwith us in opposition to these two proposed changes, are the following \norganizations:\n---------------------------------------------------------------------------\n    \\1\\ The Privacy Rule is contained in title 45 of the Code of \nFederal Regulations. All citations in this testimony are to the \npertinent section of, or proposed amendment to, 45 C.F.R. 
unless \notherwise noted.\n---------------------------------------------------------------------------\n    <bullet> AIDS Action Council\n    <bullet> American Association for Geriatric Psychiatry\n    <bullet> American Counseling Association\n    <bullet> American Mental Health Counselors Association\n    <bullet> American Nurses Association\n    <bullet> American Psychoanalytic Association\n    <bullet> Bazelon Center for Mental Health Law\n    <bullet> Consumers Union\n    <bullet> CWA Local 1168 Nurses United\n    <bullet> Electronic Privacy Information Center\n    <bullet> Family Violence Prevention Fund\n    <bullet> Genetic Alliance\n    <bullet> Hadassah\n    <bullet> National Association of People With AIDS\n    <bullet> National Mental Health Association\n    <bullet> National Organization for Rare Disorders\n    <bullet> NYC Chapter, National Association of Social Workers\n    <bullet> Title II Community AIDS Action Network\n    <bullet> Westchester Progressive Forum\n    We expect that many other organizations and individuals will voice \ntheir opposition to these proposals before the comment period closes.\n    Our testimony today will summarize both our concerns with and \nsupport for the Department's proposed modifications to the Privacy \nRule. Our statement also includes a brief history of the Privacy Rule, \nand the urgent need within the public and the health care system for \nstrong, enforceable medical privacy safeguards. In addition, we correct \nthe misperception that the long-term cost of implementing the Privacy \nRule--along with its companion HIPAA standards--will outweigh the \nbenefits. In fact, the Office of Management and Budget (OMB) released a \nreport last month documenting that protecting privacy, when done hand-\nin-hand with the related HIPAA rules, will actually result in \nsubstantial cost savings.\n               i. 
urgent public need for medical privacy\n    The lack of a national health privacy law has had a negative impact \non health care, both on an individual as well as a community level. One \nout of every six people withdraws from full participation in their own \ncare out of fear that their medical information will be used without \ntheir knowledge or permission, as documented by a 1999 survey conducted \nfor the California HealthCare Foundation. (Available at www.chcf.org.) \nThese privacy-protective behaviors include patients providing \ninaccurate or incomplete information to doctors, doctors inaccurately \ncoding files or leaving certain things out of a patient's record, \npeople paying out of pocket to avoid a claim being submitted, or in the \nworst cases, people avoiding care altogether.\n    More specifically, a 1997 survey documenting people's fears about \ngenetic discrimination showed that 63 percent of people would not take \ngenetic tests if health insurers or employers could obtain the results. \n(Genetic Information and the Workplace, issued on January 20, 1998 by \nthe U.S. Departments of Labor, Health and Human Services, and Justice, \nand the U.S. Equal Employment Opportunity Commission). And, a recent \nstudy involving genetic counselors documents that fear of \ndiscrimination is a significant factor affecting willingness to undergo \ntesting and to seek reimbursement from health insurers. (Hall, Mark A. \nand Stephen S. 
Rich, Genetic Privacy Laws and Patients' Fear of \nDiscrimination by Health Insurers: The View from Genetic Counselors, 28 \nJournal of Law, Medicine & Ethics 245-57 (2000).)\n    An April 2001 Harris survey documents that nearly four out of ten \n(40 percent) people with multiple sclerosis said they have lied or \nfailed to disclose their diagnosis to colleagues, co-workers, friends \nor even family members out of fear of job loss and stigma.\n    These survey figures come to life in the daily media reports of \npeople being harmed by the use of their health information outside the \ncore health care arena. To highlight just a few:\n    <bullet> Eckerd's Drug Stores in Florida is being investigated by \nthe State Attorney General for its marketing practices. When Eckerd \ncustomers pick up their prescriptions, they sign a log indicating they \ndo not want counseling from a pharmacist. Eckerd's has been using that \nsignature as an authorization to use the customer's prescription drug \nrecords for mailing promotions and discounts financed by drug \ncompanies.\n    <bullet> Terri Seargent, a North Carolina resident, was fired from \nher job after being diagnosed with a genetic disorder that required \nexpensive treatment. Three weeks before being fired, Terri was given a \npositive review and a raise. As such, she suspected that her employer, \nwho is self-insured, found out about her condition, and fired her to \navoid the projected expenses.\n    <bullet> The medical records of an Illinois woman were posted on \nthe Internet without her knowledge or consent a few days after she was \ntreated at St. Elizabeth's Medical Center following complications from \nan abortion at the Hope Clinic for Women. The woman has sued the \nhospital, alleging St. 
Elizabeth's released her medical records without \nher authorization to anti-abortion activists, who then posted the \nrecords online along with a photograph they had taken of her being \ntransferred from the clinic to the hospital. The woman is also suing \nthe anti-abortion activists for invading her privacy.\n    <bullet> Several thousand patient records at the University of \nMichigan Medical Center inadvertently lingered on public Internet sites \nfor 2 months. The problem was discovered when a student searching for \ninformation about a doctor was linked to files containing private \npatient records with numbers, job status, treatment for medical \nconditions and other data.\n    <bullet> Joan Kelly, an employee of Motorola, was automatically \nenrolled in a ``depression program'' by her employer after her \nprescription drugs management company reported that she was taking \nanti-depressants.\n    <bullet> Eli Lilly and Co. inadvertently revealed 600 patient e-\nmail addresses when it sent a message to every individual registered to \nreceive reminders about taking Prozac. In the past, the e-mail messages \nwere addressed to individuals. The message announcing the end of the \nreminder service, however, was addressed to all of the participants.\n    <bullet> A few months ago, a hacker downloaded medical records, \nhealth information, and social security numbers on more than 5,000 \npatients at the University of Washington Medical Center. The University \nconceded that its privacy and security safeguards were not adequate.\n    In the absence of a Federal health privacy law, these people \nsuffered job loss, loss of dignity, discrimination, and stigma. Had \nthey acted on their fears and withdrawn from full participation in \ntheir own care--as many people do to protect their privacy--they would \nhave put themselves at risk for undiagnosed and untreated conditions. 
\nIn the absence of a law, people have faced the untenable choice of \nshielding themselves from unwanted exposure or sharing openly with \ntheir health care providers.\n                  ii. the genesis of the privacy rule\n    The current Federal health Privacy Rule is a major victory for all \nhealth care consumers, and takes a significant step toward restoring \npublic trust and confidence in our nation's health care system. The \nregulation promises to fill the most troubling gap in Federal privacy \nlaw, setting in place an essential framework and baseline on which to \nbuild. Each one of us stands to benefit from the Privacy Rule in \ncritical ways, including greater participation in the health care \nsystem, improved diagnosis and treatment, more reliable data for \nresearch and outcomes analysis, and greater uniformity and certainty \nfor health care institutions as they develop privacy safeguards and \nmodernize their information systems.\n    Most notably, the current Privacy Rule grants people the right to \nsee and copy their own medical records; requires health care providers \nto obtain patient consent before using their records for treatment, \npayment and health care operations; imposes limits on using medical \nrecords for marketing; imposes safeguards on publicly and privately \nfunded research use of patient data; somewhat limits law enforcement \naccess to medical records; and allows for civil and criminal \npenalties to be imposed if the Rule is violated.\n    The Privacy Rule was issued by the Department in December 2000 in \nresponse to a mandate from Congress included in the 1996 Health \nInsurance Portability and Accountability Act (HIPAA), which required \nthat if Congress did not enact a medical privacy statute by August \n1999, then the Department was required to promulgate regulations. 
This \nrule has been the subject of a lengthy, thorough, and robust rulemaking \nprocess--both before and since its December 2000 release in final form.\n    Despite intense pressure from some in the health care industry, the \nBush Administration allowed this important regulation to go into effect \nin April 2001. The first implementation guidance issued by the \nDepartment on July 6, 2001, addresses the many misstatements and \nexaggerations that some in the industry have been spreading about the \nPrivacy Rule. On its face, the guidance was aimed at calming industry \nfears, and we hoped it would lead to greater acceptance of the \nregulation and foster compliance with the regulation. The guidance also \nindicated the changes the Department intended to propose to make to the \nregulation.\n    We acknowledge that the Privacy Rule--as finalized--has serious \ngaps and weaknesses, some of which can only be remedied by Congress, \nand some of which are within the Department's authority to regulate. \nOne shortcoming is that the rule only directly regulates providers, \nplans and clearinghouses, and does not directly regulate employers, \npharmaceutical companies, workers' compensation insurers, and many \nresearchers. The rule also lacks a private right of action that would \ngive people the right to sue if their privacy was violated. Under \nHIPAA, only Congress and the states are empowered to address these \nlimits. However, where the Department does have the power to strengthen \nthe Rule, it has chosen instead to dilute it.\n     iii. summary of the health privacy project's comments on the \n      department's proposed modifications to consent and marketing\n\nA. Consent for Treatment, Payment, and Health Care Operations--Sec. 
\n                    164.506\n\nProposed Modification:\n    The Department proposes to eliminate the requirement that health \ncare providers obtain an individual's consent prior to using or \ndisclosing protected health information for treatment, payment, and \nhealth care operations.\nHealth Privacy Project Recommendation:\n    The Health Privacy Project recommends that the Department retain \nthe Privacy Rule's prior consent requirement, and make targeted \nmodifications to address the unintended consequences that result from \nthe consent requirement in some circumstances.\nRationale:\n    The Privacy Rule requires that health care providers obtain an \nindividual's consent prior to using or disclosing protected health \ninformation for treatment, payment, and health care operations. At the \ncore of the Department's proposed modifications to the Privacy Rule is \nthe elimination of this prior consent requirement. In its place, the \nDepartment substitutes a requirement that direct treatment providers \nmake a ``good faith effort'' to obtain the individual's written \nacknowledgment that he or she received the provider's privacy notice. \n(Section 164.520 of the Privacy Rule requires covered entities to \nprovide this notice of privacy practices.) This proposal to eliminate \nthe consent requirement strikes at the very heart of the Privacy Rule \nand takes away a core privacy protection for consumers. The Privacy \nRule's consent requirement is intended to bolster patient trust and \nconfidence in providers and in health care organizations by respecting \nthe patient's central role in making health care decisions. 
The \nDepartment's proposal to eliminate the consent requirement represents a \nhuge step backwards for consumers--and one that will undermine trust in \nthe health care system.\n    This debate is about much more than the label on the piece of paper \nthat a patient signs, or about whether a patient is given two pieces of \npaper (a notice and consent form) or just one (a notice). There are \nfundamental differences between a consent process and acknowledgement \nof a receipt of a notice. Seeking advance permission from a patient \nbefore using or disclosing health information acknowledges first and \nforemost that it is the patient's decision whether to entrust others \nwith his or her private medical information and under what \ncircumstances. The Privacy Rule's consent requirement gives individuals \nsome control over how their health information is used and disclosed. \nPatients would certainly have more control if consent could be withheld \nwithout the provider refusing to provide treatment. However, it is by \nno means clear that providers will withhold treatment even though \npermitted to do so, particularly when the individual consents to some \nuses/disclosures (treatment and payment uses/disclosures), but \nwithholds consent for others (some of the relatively vast number of \n``health care operations'' permitted by the Privacy Rule). It is clear \nthat without a prior consent requirement, patients will have no control \nover how their health care information is used or disclosed beyond the \nright to request a restriction. Asking an individual to acknowledge \nreceiving a privacy notice reinforces that the individual patient has \nabsolutely no say in the matter.\n    The Privacy Rule's consent requirement is the best way to ensure \nthat patients actually know how their health care information will be \nused or disclosed and know what their privacy rights are. 
The process \nof obtaining consent defines an ``initial moment''--as the Department \nacknowledges--in which patients can raise questions about privacy \nconcerns and learn more about options available to them. Patients are \nmore likely to read the notice, or at least ask questions about how \ntheir information will be used or disclosed, when they are being asked \nto give their consent. Asking a patient to acknowledge receipt of a \nnotice does not provide a comparable ``initial moment''--especially \nwhen the individual is only asked to acknowledge receipt of a piece of \npaper, not whether they have read the paper or understood it or have \nquestions about it.\n    From a practical perspective, the consent form required in the \nPrivacy Rule focuses attention on a new right that is central to the \nconsent process--the right to request a restriction. By all accounts, \nthe consent form is much shorter than the notice of privacy practices. \nThus, information that is repeated in the relatively short consent form \nwill be highlighted for patients. The Privacy Rule requires the consent \nform to state that the individual has the right to request a \nrestriction. See Sec. 164.506(c)(4)(i). Including this information in \nthe consent form, as well as in the notice, makes it even more likely \nthat patients will be aware of this important right.\n    That the Department has chosen radical surgery--total elimination \nof the consent requirement--when much more targeted, privacy-protective \ninterventions would have sufficed is especially troublesome.\n    The Department not only proposes to eliminate the consent \nrequirement, it also proposes to delete several provisions that apply \nwhen providers or plans choose to require consent. 
The Privacy Rule \nincludes various provisions that govern the content of the consent form \n(e.g., it must State that the individual has the right to review the \nprivacy notice before signing the consent form) and the right to \nrevoke. See Sec. 164.506(b) and (c).\n    Under the Privacy Rule, these provisions apply when consent is \nrequired and when it is optional. The Department proposes to delete all \nof these provisions in order to ``enhance the flexibility of the \nconsent process for those covered entities that choose to obtain \nconsent.'' See 67 Fed. Reg. 14780. In addition, the Department proposes \nto delete provisions governing conflicting consents and authorizations; \nunder the Privacy Rule, covered entities must follow the most \nrestrictive. See Sec. 164.506(e). The Department also proposes to \ndelete the provisions that govern joint consents by organized health \ncare arrangements. See Sec. 164.506(f). By eliminating all of these \nprovisions, the Department takes away important safeguards that should, \nat the very least, apply when consent is obtained voluntarily.\n\nB. Marketing--Secs. 164.501 and 164.508(a)(3)\n\nProposed Modifications:\n    The Department proposes to reduce the Privacy Rule's privacy \nprotections that apply to communications that many consumers consider \nto be ``marketing.'' Under the Privacy Rule, a covered entity that is \npaid by a third party to encourage patients to purchase or use a \nproduct or service that is health related must adhere to certain \nconditions. In its first communication, the covered entity must give \nthe patient an opportunity to refuse further marketing materials. The \ncovered entity must inform the patient that it is receiving \nremuneration for making the communication. Additionally, the marketing \nmaterials must identify the covered entity as the party making the \ncommunication. 
The Department proposes to eliminate these requirements \nby removing from the definition of ``marketing'' all communications \nthat encourage patients to purchase or use products or services that \nare health related, including communications that a covered entity is \npaid to make.\n    The Department does propose to retain the Privacy Rule's \nrequirement that a covered entity obtain an individual's authorization \nprior to using or disclosing health information for ``marketing.'' \nHowever, because the Department proposes to contract the definition of \n``marketing,'' the prior authorization requirement will apply only to a \nnarrow range of communications--those that encourage the purchase or \nuse of a product or service that is not health related. The prior \nauthorization requirement will not apply to communications that \nencourage the use or purchase of a health related product or service \nbecause such communications are excluded from the definition of \nmarketing, even if the covered entity is paid to make the \ncommunication. 
The net effect of these proposed changes is to \nsubstantially weaken the Privacy Rule.\nHealth Privacy Project Recommendations:\n    The Health Privacy Project recommends that the Department:\n    <bullet> Revise the definition of ``marketing'' to include \ncommunications encouraging the purchase or use of a health-related \nproduct or service where a covered entity receives direct or indirect \nremuneration from a third party for making the communication.\n    <bullet> Revise the Privacy Rule so that a covered entity must \nobtain an individual's authorization prior to using or disclosing \nprotected health information for all marketing purposes, including \ncommunications encouraging the purchase or use of health related \nproducts or services where the covered entity has received or will \nreceive direct or indirect remuneration for making the communication.\n    <bullet> Retain the requirement that the authorization notify the \nindividual if the marketing is intended to result in remuneration to \nthe covered entity from a third party.\n    <bullet> Further modify the provisions to require that an \nauthorization for marketing specify whether the protected health \ninformation is to be used or disclosed for the marketing of health care \nrelated services or products or for products and services not related \nto health care.\nRationale:\n    The Privacy Rule classifies communications that encourage patients \nto purchase or use products and services in three categories: 1) \nCommunications that are clearly treatment oriented and for which the \ncovered entity does not receive remuneration from a third party (such \nas a doctor recommending a particular medicine to a patient because it \nis medically indicated); 2) Communications that are related to health \nbut are at least partially financially motivated (such as a pharmacy \nbeing paid by a drug company to send a patient a letter encouraging her \nto switch her medication to the drug company's brand); and 
3) \ncommunications that are clearly marketing because they do not relate to \nhealth (such as sending vacation advertisements.) See Appendix A at 1. \nBecause the first category of communications is clearly treatment \nrelated, there is no requirement for prior authorization to use health \ninformation to make these communications. At the opposite end of the \ncontinuum, because the covered entity is being paid to use health \ninformation to market a product or service that is totally unrelated to \nhealth, the covered entity must obtain patients' prior authorization \nbefore it can use their health information for these marketing \npurposes. The treatment of these two categories of health information \nremains relatively unchanged under the proposed modifications to the \nPrivacy Rule. See Appendix A at 2.\n    With respect to the second category of communications, those that \nencourage the use or purchase of a health related product or service \nand for which the covered entity receives remuneration, the Department \ninitially recognized that covered entities face a financial conflict of \ninterest when they are paid to recommend a certain health related \nproduct or service. In light of these conflicts, the current Privacy \nRule treats these communications as ``marketing.'' The Privacy Rule \npermits health information to be used without the patient's prior \nauthorization in these circumstances only if certain conditions are \nmet. The patient must be given an opportunity to opt out of receiving \nfurther communications. Additionally, the patient must be notified that \nthe covered entity is the source of the communication and is being paid \nto make the recommendation. See Appendix A at 1.\n    Many consumers believe that the Privacy Rule's delayed opt-out \napproach is insufficient to protect privacy. 
They have urged the \nDepartment to modify the rule to require that covered entities obtain \npatient authorization prior to engaging in this type of marketing activity \n(i.e., where the covered entity is paid to encourage the use or \npurchase of a health related product or service).\n    In response to these concerns, the Department essentially proposes \nto eliminate the protections (albeit inadequate) that currently exist. \nThe Department accomplishes this by removing paid communications that \nencourage the use or purchase of a health related product or service \nentirely from the definition of ``marketing.'' This proposed change \neffectively allows covered entities to make this type of paid \ncommunication without any prior authorization or chance to opt out.\\2\\ \nSee Appendix A at 2.\n---------------------------------------------------------------------------\n    \\2\\ The Department's explanation that it is proposing to \n``explicitly require covered entities to first obtain the individual's \nspecific authorization before sending them any marketing materials'' \n``based on consumer concerns that the marketing provisions in the \ncurrent rule does not protect individuals' privacy'' is disingenuous at \nbest, given that they accomplish this by removing an entire category of \ncommunications from the definition of ``marketing.'' See Department's \nPress Release, March 21, 2002.\n---------------------------------------------------------------------------\n    We oppose this change on a number of grounds. First, we believe \nthat the determination whether prior authorization for a communication \nis required should not rest on whether a communication is in some way \nrelated to health. The proposed exclusion of ``health related'' \ncommunications from the definition of ``marketing'' is extremely broad. 
\nIt is hard to conceive of a communication that remotely relates to \nhealth that would be considered to be ``marketing.'' Many activities \nthat health care consumers would consider marketing and find \nobjectionable would be excluded from the definition of marketing under \nthis proposal.\n    For example, the proposed definition of marketing excludes ``a \ncommunication made to an individual. . . to direct or recommend \nalternative treatments, therapies, health care providers, or settings \nof care.'' (See Sec. 164.501 (defining ``marketing'').) Under this \nexception, a pharmacy can be paid by a drug company to identify and \nselect patients based on their health information to send them material \nencouraging them to switch their prescriptions to the drug company's \nparticular brand of medicine. This ``recommendation of alternative \ntreatment'' is primarily motivated by profit and has little to do with \nwhat is medically best for the patient. Many patients believe that this \nfinancially motivated use of their health information is a violation of \ntheir privacy.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ See e.g., Robert O'Harrow, Jr., Prescription Fear, Privacy \nSales, The Washington Post, February 15, 1998 at A1; Henry 1. Davis, \n``More Eckerd Questions,'' St. Petersburg Times, March 5, 2002 at 1E.\n---------------------------------------------------------------------------\n    Second, because recommending any health related product or service \nis not considered to be ``marketing'' there is no requirement that the \nconsumer be informed that the covered entity is receiving remuneration \nfrom a third party to make these recommendations. In the above example, \npatients could receive materials from their pharmacy suggesting that \nthey change their medicine to a different brand without ever being \ninformed that the pharmacy was paid to make the recommendation. 
This \napproach encourages providers to engage in practices that are ridden \nwith financial conflicts of interest.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ See Bernard Lo, M.D. and Ann Alpers, M.D., Uses and Abuses of \nPrescription Drug Information in Pharmacy Benefits Management Programs, \n283 JAMA 801 at 809 (February 9, 2000).\n---------------------------------------------------------------------------\n    Third, the proposed modification eliminates any control that an \nindividual may have over the use of his protected health information \nfor receiving this type of recommendation. Because these communications \nare not ``marketing'' there is no requirement that the covered entity \nobtain prior authorization to use the information in this manner. \nFurthermore, there is no mechanism by which an individual can remove \nhis or her name from the covered entity's mailing list for these \n``recommendations.'' This approach does not respect health care \nconsumers and leaves them powerless.\n    Expanding the definition of marketing can cure these faults. We \nbelieve that marketing should include communications about a product or \nservice to encourage recipients of the communication to purchase or use \nthe product or service where the covered entity receives direct or \nindirect remuneration for making the communication. We would apply this \nstandard to both health related and non-health related communications. \nUsing this definition presents a rather bright line test. If a covered \nentity receives payment for a communication, the communication is \nmarketing.\n    In conjunction with this recommendation, we urge the Department to \nretain the proposed modification that would require covered entities to \nobtain an individual's authorization prior to using his or her health \ninformation for these marketing purposes. 
Health care consumers should \nhave control over whether their health information is used for profit-\nmaking purposes that are only tangentially related to their health.\nAppointment Reminders and Prescription Refill Notices\n    A number of concerns have been raised about communications, such as \nappointment reminders and prescription refill notices, that may \npotentially fall in the gray area of what should be considered to be \nmarketing. We would expect that the vast majority of covered entities \ndo not receive remuneration for sending their patients appointment \nreminders. Therefore, this type of communication would not be \nmarketing. Likewise, where a pharmacy on its own volition sends a \nprescription refill notice or advises a patient of a potential adverse \ndrug reaction and suggests an alternative it would not be marketing. \nHowever, where a pharmacy receives payment for encouraging patients to \nrefill prescriptions or switch medicine brands, the communication would \nbe marketing.\n    We recognize that at times this definition may encompass some \ncommunications that provide useful information to health care \nconsumers. However, if a covered entity is receiving payment from a \nthird party for making the communication, it is pursuing activity that \nis at least partially in its self-interest, as opposed to the interest \nof the patient. In such a circumstance, the individual should be \ninformed in advance that the covered entity receives remuneration for \nits communications and should have control over whether his or her \nhealth information is used in this manner.\n   iv. summary of health privacy project comments on other proposed \n                             modifications\n\n1. Hybrid Entities--Sec. 
164.504\n\nProposed Modification:\n    The Department proposes to modify the hybrid entity provisions in \norder to allow any covered entity that performs a mixture of covered \nand non-covered functions to have the option of being designated a \nhybrid entity or having the entire organization treated as a covered \nentity. Additionally, the Department would require that a covered \nentity that elects hybrid status include in its designated health care \ncomponent(s) any component that would meet the definition of covered \nentity if it were a separate legal entity.\n    The modifications would permit, but not require, the hybrid entity \nto designate a component that performs: (1) covered functions; and (2) \nactivities that would make such a component a business associate of a \ncomponent that performs covered functions if the two components were \nseparate legal entities.\nHealth Privacy Project Recommendations:\n    <bullet> Reject the proposal that any covered entity can elect to \nbe a hybrid entity, and require those covered entities whose primary \nfunctions are not covered functions to be hybrid entities and to erect \nfirewalls between their health care components and other components. \nPermit (as conditioned below) covered entities whose primary functions \nare health care to be hybrid entities.\n    <bullet> Modify the implementation specifications of the proposed \nmodified hybrid provisions to require that, at a minimum, a hybrid \nentity must designate a component that performs covered functions as a \nhealth care component.\n    <bullet> Clarify that a health care provider (including a component \nof a hybrid entity that provides health care) cannot avoid being deemed \na ``covered entity'' if it relies on a third party to conduct its \nstandard electronic transactions. 
Clarify that with respect to hybrid \nentities, a health care provider cannot avoid having its treatment \ncomponent considered a health care component by relying on a billing \ndepartment to conduct its standard electronic transactions.\n\n2. Disclosures of Protected Health Information Related to FDA-regulated \n                    Products or Activities--Sec. 164.512(b)\n\nProposed Modifications:\n    The Department proposes to create an extremely broad exception to \nthe general requirement to obtain authorization prior to the disclosure \nof protected health information. The proposed modification would allow \ndisclosures of protected health information to private entities as part \nof any data-gathering activity that can be termed ``related to the \nquality, safety, or effectiveness of such FDA-regulated product or \nactivity.'' Under this proposed modification, disclosures would no \nlonger be required by, or at the direction of, the FDA.\nHPP Recommendations:\n    The Health Privacy Project strongly opposes the Department's \nproposal and urges the Department to retain the current provisions of \nthe Privacy Rule. The Privacy Rule provides a specific series of public \nhealth related exceptions to the authorization requirement. The \nproposed modifications, however, would create a vague and general \nstandard, under the rubric of ``public health,'' that would open the \ndoor to the release of protected health information to pharmaceutical \ncompanies and arguably to tobacco companies as well. We do not see a \ngenuine public health need that justifies such a significant expansion \nin the Privacy Rule.\n\n3. De-Identification--Sec. 164.514\n\nProposed Modification:\n    The Department is not proposing any substantive modifications to \nthe de-identification provisions of the Privacy Rule at this time, but \nis considering the creation of a limited data set that would not \ninclude ``facially identifiable'' health information. 
This data set would \nbe available for research, public health, and health care operations \npurposes presumably without authorization. In addition, the Department \nis considering the requirement that covered entities obtain data use or \nsimilar agreements from recipients that limit the use and disclosure of \nthe data set and prohibit the recipients from re-identifying or \ncontacting individuals.\nHealth Privacy Project Recommendations:\n    The Health Privacy Project supports the Department's decision to \nmaintain the de-identification provisions. Before proposing an approach \nfor the use or disclosure of a limited data set, the Department must \ncarefully consider what identifiers can safely be included and the \nadequacy of privacy protections for the data set. We have specific \nconcerns about the ease with which identifiable information that does \nnot include direct identifiers can be combined with other data to \ndirectly identify an individual, as well as concerns about the \nenforceability of data use agreements.\n\n4. Research--Secs. 
164.512(i), 164.508(f), 164.508(c)(1), 164.532\n\nProposed Modifications:\n    The Department proposes to:\n    (1) modify the waiver of authorization provisions.\n    (2) clarify that the Privacy Rule's provisions for IRBs and privacy \nboards would encompass a partial waiver of authorization for purposes \nof recruiting research participants.\n    (3) maintain an individual's right to revoke an authorization.\n    (4) permit research authorizations to be combined with other legal \npermission to participate in a research study.\n    (5) permit an authorization to use or disclose protected health \ninformation for the creation and maintenance of a research data base \nwithout an expiration date or event, but limit it to the purpose of \ncreating or maintaining that data base.\n    (6) permit the use of individually identifiable health information \nafter the compliance date for research protocols that received a waiver \nof authorization from an IRB prior to the compliance date.\nHealth Privacy Project Recommendations:\n    The Health Privacy Project:\n    (1) is pleased that research protocols will still be required to \nmeet waiver criteria that are more narrowly focused on the privacy \ninterests of the research participants.\n    (2) is pleased that the Department is not proposing modifications \nto the provisions on reviews preparatory to research so that \nresearchers could remove protected health information from a covered \nentity's premises for recruitment purposes.\n    (3) commends the Department for retaining an individual's right to \nrevoke a research authorization, but recommends further guidance on how \nto implement the revocation requirement.\n    (4) urges the Department not to permit research authorizations to \nbe combined with an informed consent to participate in a study.\n    (5) strongly agrees with the Department that the expiration date \nexception for the creation and maintenance of data bases should not be \nextended to authorizations for 
further research or any other purpose.\n    (6) recommends that a research study that receives a waiver of \nauthorization from an IRB prior to the compliance date, but begins \nafter the compliance date, be re-evaluated to ensure that adequate \nprivacy protections are in place.\n\n5. Individual Authorization--Sec. 164.508\n\nProposed Modifications:\n    The Department proposes to:\n    (1) streamline the authorization process by consolidating the \ndifferent authorizations in the Privacy Rule under a single set of \ncriteria and removing some core elements from the authorization \nrequirement.\n    (2) tighten provisions on the use and disclosure of psychotherapy \nnotes so that psychotherapy notes cannot be used or disclosed without \nindividual authorization for another entity's treatment, payment, and \nhealth care operations purposes.\n    (3) add clarifying language so that an individual who initiates an \nauthorization would not be required to reveal the purpose of his or her \nrequest.\n    (4) maintain the individual's right to revoke an authorization.\nHealth Privacy Project Recommendation:\n    The Health Privacy Project applauds the Department's proposal under \nnumbers (2), (3) and (4) above. However, while we support the \nDepartment's effort to simplify the authorization provisions, we \nstrongly urge the Department to: (a) retain the core elements required \nfor research authorizations involving treatment of an individual under \nthe Privacy Rule; (b) require remuneration disclosures in all \nauthorizations, not only in authorizations for marketing; and (c) \nretain the plain language requirement as a core element of a valid \nauthorization. It is critical that an individual knows how his or her \ninformation will and will not be used or disclosed so that s/he can \nmake an informed decision about giving authorization. 
Furthermore, any \nrequest for individual authorization to use or disclose information \nmust be communicated in a manner that can be understood by the average \nreader so that people know what they are authorizing.\n\n6. Accounting of Disclosures--Sec. 164.528\n\nProposed Modification:\n    The Department proposes to expand the list of exceptions to the \naccounting of disclosures requirement so that it no longer requires \ncovered entities to account for any disclosures made pursuant to an \nindividual authorization.\nHealth Privacy Project Recommendation:\n    The Health Privacy Project opposes the Department's proposal and \nurges the Department to retain the requirement that disclosures of \nprotected health information made pursuant to an authorization be \nincluded in an accounting of disclosures. Removing authorized \ndisclosures from the accounting takes away the individual's means of \nverifying that his or her information was disclosed as specified in the \nauthorization. Such a modification would also hinder an individual's \nability to detect authorizations that have been fraudulently submitted \nor altered.\n\n7. Balancing the Rights of Minors and Parents--Sec. 164.502(g)(3)\n\nProposed Modification:\n    The Department proposes to modify the Privacy Rule's approach to \nbalancing the rights of minors and parents by permitting covered \nentities to decide when to disclose protected health information about \na minor to a parent in cases where State or other applicable law is \nsilent or unclear.\nHealth Privacy Project Recommendations:\n    The Health Privacy Project opposes the proposed modifications \nbecause they would deter minors from obtaining critical health \nservices, such as mental health care, substance abuse treatment, and \ntesting and treatment for sexually transmitted diseases. 
We recommend \nthat the Department retain the approach in the current Privacy Rule, \nexcept its approach to non-preemption of State laws that are less \nprotective of a minor's privacy. Specifically, we recommend that the \nDepartment apply the same preemption rules to State laws pertaining to \nminors and disclosures to parents that the Department applies to other \nState laws, as HIPAA requires.\n\n8. Disclosures for Treatment, Payment, or Health Care Operations of \n                    Another Entity--Proposed Sec. 164.506(c)\n\nProposed Modification:\n    The Department proposes several modifications to clarify how \ncovered entities may use or disclose protected health information for \ntreatment, payment, or health care operations, and to permit covered \nentities to disclose protected health information to other entities \n(including non-covered entities) for the second entity's treatment, \npayment, or health care operations activities.\nHealth Privacy Project Recommendation:\n    Most troubling is the Department's proposal to permit covered \nentities to disclose protected health information to other covered \nentities for the recipient's health care operations. This constitutes a \nsignificant alteration of the structure of the Privacy Rule, and the \nDepartment is proposing it without adequate justification. The Health \nPrivacy Project recommends that the Department reconsider the necessity \nfor such a change and assess whether the concept of ``organized health \ncare arrangement,'' which already is part of the Privacy Rule, \naddresses the quality assurance issues raised in the preamble. If the \nDepartment pursues modifications along these lines, the Department \nshould craft narrow language that addresses actual problems--and only \nthe problems identified in the preamble.\n\n9. Definition of Protected Health Information and Proposed Exclusion of \n                    ``Employment Records''--Sec. 
164.501\n\nProposed Modification:\n    The Department proposes to amend the definition of ``protected \nhealth information'' in section 164.501 to explicitly exclude \n``employment records,'' referred to in the preamble as ``individually \nidentifiable health information . . . held by a covered entity in its \nrole as employer.'' 67 Fed. Reg. 14804.\nHealth Privacy Project Recommendation:\n    The Health Privacy Project opposes this proposal because it \nthreatens to undermine important safeguards in the Privacy Rule. The \nplain language of the proposed text appears to move outside of the \nPrivacy Rule any use or disclosure of employees' health plan records, \nas well as information shared with an employer's on-site clinic where \nthat clinic is a covered provider under the current Privacy Rule. Thus, \nthrough a sweeping ``technical correction'' in the applicable \ndefinition, this proposal takes health information that is protected by \nthe Privacy Rule and renders it unprotected. This is especially \ndangerous because of the legitimate concern people have that employers \nwill use protected health information, including genetic information, \ninappropriately to make employment-related decisions (such as deciding \nwhich employees to promote or fire).\n\n10. Disclosure of Enrollment and Disenrollment Information to Sponsors \n                    of Group Health Plans--Proposed Sec. 
\n                    164.504(f)(1)(iii)\n\nProposed Modification:\n    The Department proposes to permit group health plans (as well as \nHMOs and issuers) to disclose to the sponsor of the group health plan \n(usually an employer) information on whether an individual is \nparticipating in the group health plan (or is enrolled in, or has \ndisenrolled from, the HMO or issuer).\nHealth Privacy Project Recommendation:\n    The Health Privacy Project supports this proposed modification \nbecause it is limited to information about whether the individual is \nparticipating in or enrolled in the plan and does not permit the \ndisclosure of any other protected health information.\n\n11. Minimum Necessary and Oral Communications--Secs. 164.502(a) and \n                    Sec. 164.530(c)\n\nProposed Modification:\n    The Department proposes to:\n    <bullet> modify the Privacy Rule to add a new provision which would \nexplicitly permit certain ``incidental'' uses and disclosures that \noccur as a result of an otherwise permitted use or disclosure under the \nPrivacy Rule; and\n    <bullet> modify the administrative requirements to expressly \nrequire covered entities to reasonably safeguard protected health \ninformation to limit incidental uses or disclosures made pursuant to an \notherwise permitted or required use or disclosure.\nHealth Privacy Project Recommendation:\n    The Health Privacy Project does not believe a modification \nexpressly permitting incidental uses is necessary, but understands that \nthe Department wishes to calm the fears of some of those in the health \ncare industry. We commend the Department for including a related \nmodification that expressly requires covered entities to reasonably \nsafeguard protected health information to limit incidental uses or \ndisclosures made pursuant to an otherwise permitted or required use or \ndisclosure.\n\n12. 
Business Associate Transition Provisions--Sec. 164.532 (d) & (e)\n\nProposed Modification:\n    The Department proposes new transition provisions to allow most \ncovered entities to continue to operate under certain existing business \ncontracts with business associates for up to 1 year beyond the current \ncompliance date for the Privacy Rule.\nHealth Privacy Project Recommendation:\n    The Health Privacy Project recommends that the Department retain \nthe existing compliance date for all aspects of the Privacy Rule. The \nDepartment has provided covered entities with a model business \nassociate contract which should ease compliance efforts.\n        v. cost: omb reports privacy regulation will save money\n    According to a March 2002 report just issued by OMB's Office of \nInformation and Regulatory Affairs (OIRA), the Department estimates \nthat the cost associated with implementing the Privacy Rule \n(approximately $17 billion over 10 years) will be greatly offset by the \ncost savings associated with implementing HIPAA's transactions \nstandards (approximately $29 billion saved over 10 years). See Appendix \nB for excerpt of report. The cost of implementing the Privacy Rule must \nnot be viewed in isolation. The Privacy Rule is an integral--and \nnecessary--part of a package of Administrative Simplification rules. \nThe goal of standardizing electronic health care transactions is to \ncreate efficiencies and save money. When the Privacy Rule is \nimplemented together with the transactions standards and other \nAdministrative Simplification rules, as contemplated by Congress, a net \nsavings will be achieved. 
Finally, we must also acknowledge the \nbenefits reaped by increased patient participation in health care and \nresearch, as well as the qualitative benefits that are achieved by \nfurthering this important societal value.\n                               conclusion\n    When President Bush allowed the Privacy Rule to go into effect last \nApril, he issued a strong statement about the need to protect patient \nprivacy and foster confidence that people's ``personal medical records \nwill remain private.'' The President also pledged during his campaign \nto support a law requiring that a ``company cannot use my information \nwithout my permission to do so,'' and expressed support for strong laws \nprotecting medical and genetic privacy. In fact, William Safire dubbed \nhim the ``privacy President'' in a New York Times column shortly after \nthe Privacy Rule went into effect. But, if the Department's proposed \nchanges become final, the Privacy Rule will legalize many of the \npractices that caused public outcry for a law. We urge the Bush \nAdministration not to roll back the important gains our country has \nmade in protecting the privacy of people's medical records. We urge \npolicymakers to look at the substantial progress being made by doctors, \nhospitals, and health plans in complying with the Rule. And finally, we \nurge that glitches in the regulation be addressed through narrowly \ntailored fixes that preserve the integrity of the final Rule.\n\n    The Chairman. I think if someone heard you and heard Mr. \nAllen both describing the same piece of legislation, they would \nwonder how they could. We are grateful for your testimony.\n    Dr. Harding.\n\n    STATEMENT OF RICHARD HARDING, M.D., PRESIDENT, AMERICAN \n                    PSYCHIATRIC ASSOCIATION\n\n    Dr. Harding. Thank you, Mr. Chairman and Senator DeWine. 
I \nam Richard Harding, President of the APA, American Psychiatric \nAssociation, and Professor of Psychiatry and Pediatrics at the \nUniversity of South Carolina. I am also proud to be a member of \nthe National Committee on Vital and Health Statistics, as you \nmentioned, but I am here speaking for myself and for the \nAmerican Psychiatric Association.\n    I want to express my appreciation for being here and for \nyour committee's commitment to protecting medical records. I \nwould also like to compliment you on your efficient and \nprofessional staff, who have been most helpful to all of us \ncoming up to this hearing.\n    Medical privacy and medical record confidentiality are \nissues about which all Americans are deeply concerned, at least \n94 percent, as the Senator was saying. Recently the Department \nof Health and Human Services has proposed regulations which \nwill probably reduce administrative burdens on physicians and \ncovered entities, probably. And, as such, this is appreciated \nas a physician speaking, but it is important to recognize that \nthey are inadequate to protect patients.\n    The APA objects to the elimination of consent by citizens \nbecause the citizens own the consent, and the substitution of a \nregulatory permission by Health and Human Services. We strongly \nbelieve patients should be able to choose who will see their \nmedical records and to be fair, in the proposed changes a \nprivacy notice is substituted for the written consent, but this \nis not privacy. Nor is protection of the patient's information. 
\nWe found that out last week when a company was selling postal \naddresses and telephone numbers because citizens did not notice \nin the long privacy notice that only email addresses would not \nbe released.\n    It concerns me that the patients, under the proposed rule, \ndo not have authority over their medical record, even if the \npatient pays out of their pocket, which is a rapidly growing \ntrend because of the issue of privacy.\n    The APA understands that there are previously described \ncircumstances where a covered entity needs to use or disclose \npersonal health information prior to the initial face-to-face \nencounter with a patient and therefore to obtaining consent. It \nwould seem to me that the remedy for this is to modify the \nconsent requirement in the privacy rule. The Department of HHS \nhas overcorrected a problem, by a proposed elimination of the \ntraditional patient right of affirmative consent altogether. \nThis is a truly sea change event in American medicine, to go to \nthis way of handling consent.\n    The APA recommends Health and Human Services retain the \nprivacy rule's prior consent requirement with targeted \nmodifications, as mentioned in previous testimony.\n    Briefly on marketing, marketing is defined, and I think it \nis important to define it, as ``to make a communication about a \nproduct or service to encourage recipients of the communication \nto purchase or use the product or service.'' The HHS proposed \nchanges to the marketing provisions appear to require \nauthorization before the patient receives marketing materials. \nIn so doing, that is well intended, but it is flawed. There is \nno real effective privacy safety net against commercial usage. \nThe real problem is the exclusions to the term ``marketing'' \nswallow the rule.\n    Under the proposed changes, a long list of programs is not \nconsidered marketing. 
Marketers can use things such as disease \nmanagement, as mentioned before, wellness programs, case \nmanagement, prescription refills and so forth to send marketing \nmaterials. The regulations do not clearly restrict these \nmarketing loopholes from abuses, and I will not get into the \nexamples of that, which have already been stated.\n    It is my experience as a practicing physician that patients \nhave never dreamed of their personal health information being \nused for marketing. That just does not enter their minds. This \nis especially critical for marketing to minors.\n    I strongly urge the committee to join us in requesting HHS \nrequire a patient's consent and their authorization for \nmarketing before medical information is released under HIPAA.\n    We thank you for this opportunity to testify and respond to \nyour questions and continuing to work with the committee on \nthese important issues. Thank you.\n    [The prepared statement of Richard Harding, M.D. follows:]\n              Prepared Statement of Richard Harding, M.D.\n    Mr. Chairman, and members of the Committee, I am Richard Harding, \nM.D., testifying on behalf of the American Psychiatric Association \n(APA), a medical specialty society, representing more than 40,000 \npsychiatric physicians nationwide. I serve the APA as its President and \nam currently Professor of Clinical Psychiatry and Pediatrics at the \nUniversity of South Carolina School of Medicine. 
In addition, I serve \nas Vice-Chairman for Clinical Affairs of the Department of Psychiatry \nand maintain a busy outpatient practice.\n    While I also serve on the Subcommittee on Privacy and \nConfidentiality of the National Committee on Vital and Health \nStatistics within the Department of Health and Human Services (HHS), \nthe views I am presenting today are my views and the views of the \nAmerican Psychiatric Association.\n    First, I would like to thank Chairman Kennedy and the members of \nthe Committee for the opportunity to testify today. My oral comments \nwill be limited to two major concerns: consent and marketing. My \nwritten testimony is significantly more expansive as it reflects APA's \ncomments on all of the NPRM privacy regulation changes, that we will \nformally submit to HHS, and I ask that it be made part of the hearing \nrecord.\n    Mr. Chairman, we greatly appreciate your commitment to protecting \nmedical records privacy. Privacy and particularly medical records \nprivacy is an issue that not only affects all Americans but also one \nthat they are deeply concerned about. On behalf of our profession and \nour patients I thank you for holding this hearing on the recent changes \nHHS made to the Medical Privacy Regulation.\n    While the Department of Health and Human Services (HHS) proposed \nHIPAA privacy regulation changes will reduce the burden on physicians \nand other healthcare providers, it is important to recognize they are \ninadequate to protect patients. The APA objects to the proposed \nelimination of the consent requirement that patients give written \nconsent before their records are disclosed to physicians, hospitals or \ninsurance companies. Under the proposed changes, consent is optional \nfor direct treatment providers. HHS now gives their ``regulatory \npermission'' to allow a patient's information to be freely disclosed to \nhealth plans, providers, and clearing houses without the patient's \nconsent. 
The APA strongly believes patients should be able to choose \nwho will see their medical records. The elimination of the consent \nrequirement is a significant change not only to the historic doctor-\npatient treatment relationship but also an impediment to physicians' \nefforts to provide the best possible medical care. The consent \nrequirement gave the physician the opportunity to discuss where their \nmedical information would be released. We need to take steps to ensure \nthat doctor-patient confidentiality is preserved and strengthened.\n    It is troubling to me as a practicing psychiatrist that a patient, \nunder this rule, does not have consent authority over their medical \nrecords even if the patient pays out of pocket for their treatment. The \nproposed changes to the rule eliminate patient protection in a private \npayment situation with their provider by allowing information to be \nreleased without the patient's consent. For example, celebrities who \nseek help from a substance abuse center and pay in cash to be anonymous \nshould be allowed to do so without their health information being \nreleased. Similarly, Medicare patients who elect to personally pay for \ntreatment should not be at risk from the prying eyes of government.\n    Under the proposed changes, a privacy notice is substituted for \nconsent. A privacy notice serves as a long and cumbersome notice that \nthe records will be released. This is not privacy nor is a protection \nof the patient's information. Furthermore, why must an ill patient have \nto look in the required privacy notice, which could be ten pages long \nas stated by the American Hospital Association. Buried within this \nlengthy notice is where a patient's medical information will be sent. 
\nAs we have found out last week internet companies are selling a \nperson's postal address and telephone number because the consumer did \nnot notice in the long privacy notice that only e-mail addresses would \nnot be released.\n    The APA recommends HHS retain the privacy rule's prior consent \nrequirement, with targeted modifications to address the unintended \nimplementation hurdles that result from the consent requirement in a \ncouple of circumstances.\n    While the HHS proposed changes to the marketing provision appear to \nrequire an authorization from a patient before the patient receives \nmarketing materials is well intentioned, the devil is truly in the \ndetails. The APA is concerned about the loopholes in the definitions of \nmarketing through the enumerated exclusions from the appearance of \nprotection by the so called marketing definition. There is no real \neffective privacy protection safety net against commercial usage of \nprivate patient information. Under HHS's changes, marketeers can use \ndisease management, wellness programs, prescription refill reminders, \ncase management and other related communications to send their \nmarketing materials. These programs are not considered marketing. The \nregulations do not clearly restrict these marketing loopholes from \nabuses. It clearly is not in the best interest of the patient for a \ndrug store to send a prescription refill reminder without the patient's \nauthorization after the pharmacist was compensated by a pharmaceutical \ncompany. Recall not too long ago drug stores admitted to making patient \nprescription information available for use by a direct mail company and \npharmaceutical companies. 
Now a pharmacy not only would be able to \nlegally sell to a pharmaceutical company a list of patients that have \nbeen prescribed certain drugs in order to promote alternative drugs, \nbut also the pharmacy could now in its own self financial interest in a \nmedication's more profitable cost to them be suggesting a change in \nmedication refill. The marketing communication would no longer need to \nidentify the covered entity as the one making the communication, or \nneed to state compensation was received.\n    Moreover, the fund raising provisions despite overwhelming \ntestimony to the NCVHS urging that there be an ``opt in'' (prior \nconsent) not ``opt out'' after the fact, using without permission an \nindividual patient's name for the fund raising purposes of the covered \nentity. Can you imagine sending out millions of letters telling you the \nnames of persons served in your substance abuse treatment program--\nwithout their consent or authorization, and only thereafter, if the \nfund raiser wishes to do it again, then have to ask for the \nindividual's permission to use her or his name in the fundraising \nendeavor. Does this sound reasonable to anyone?\n    I strongly urge the Committee to join us in requesting HHS require \na patient's consent and their authorization for marketing before their \nmedical information is released under the Health Insurance Portability \nand Accountability Act (HIPAA). Also, in closing let me just briefly \nsummarize our comments on parental rights to a minor's medical records, \nto wit: there should be no changes to these provisions which have the \neffect of reducing access to health care by adolescent patients.\n    We thank you for this opportunity to testify, respond to your \nquestions and continuing to work with the Committee on these important \nissues.\n\n    The Chairman. Dr. Clough.\n\n STATEMENT OF JOHN C. CLOUGH, M.D., DIRECTOR, HEALTH AFFAIRS, \n                  CLEVELAND CLINIC FOUNDATION\n\n    Dr. Clough. 
Good morning, Mr. Chairman, Senator DeWine. I \nam Dr. John Clough, Director of Health Affairs at the Cleveland \nClinic Foundation and I have also been a practicing \nRheumatologist there for over 30 years.\n    The Cleveland Clinic Foundation supports Federal privacy \nprotections for identifiable patient information. The privacy \nrule would give patients their first-ever Federal protection of \nidentifiable health information and proposed modifications \nwould improve it significantly. For the first time, Federal \nstandards prohibit the use and disclosure of patient \ninformation for purposes other than treatment, payment, and \nhealth care operations without patient authorization. This \nmorning I will focus on the proposed modification to the \nconsent provision, as well as an important modification that \nthe department is considering with respect to how patient \ninformation is deidentified.\n    We support the proposed modification to the consent \nrequirement for the following six reasons. First, this \nmodification would remove barriers to patient access to care \nwhile strengthening patient privacy protections. The Cleveland \nClinic, with 1.6 million patient visits annually and over \n50,000 admissions annually, routinely receives information from \npatients, from referring physicians around the world, and uses \nthis information to schedule and prepare for examinations and \nprocedures before the patients arrive. Prior consent, perhaps \nrequiring an extra trip, would have to be obtained before any \nuse of this patient information.\n    Other inevitable problems include patients being unable to \ndiscuss their care over the telephone with covering physicians \nbecause these providers may not have signed consent forms. 
The \nsame problem would preclude nurses staffing telephone call \ncenters, such as the Cleveland Clinic's nurse-on-call service, \nfrom advising patients in many cases.\n    The proposed modification eliminates these barriers to care \nwithout weakening privacy protections. It would strengthen the \nnotice requirement by requiring that providers give patients a \nnotice of their rights and obtain acknowledgement that they \nsigned it.\n    Second, the suggestion that the department make exceptions \nfor every problem that arises as a result of the consent \nrequirement, as opposed to fixing the underlying problem, makes \nlittle sense and is unworkable. Furthermore, the fact that \nHIPAA allows modifications to the privacy rule only once \nannually would produce long delays in getting problems fixed.\n    Third, some have claimed that many States already have \nsimilar consent requirements. In fact, no State has a similarly \nbroad prior consent requirement. Maine did attempt it in 1999, \nbut had to suspend their law after only 12 days because of \nsevere disruption of patient care.\n    Fourth, the modification making consent optional is a \nworkable compromise of two diametrically opposed approaches \ntaken in the Clinton proposed regulation and the Clinton final \nregulation. In November 1999 the Clinton Administration's \nproposed privacy regulation prohibited providers from obtaining \nprior consent. They argued that such authorizations could not \nprovide meaningful privacy protections or individual control \nand, in fact, could culminate an individual's erroneous \nunderstandings of their rights and predications and could \nimpair care.\n    In response to objections to this approach, the Clinton \nAdministration reversed itself and mandated prior consent in \nthe final rule. 
The proposed modifications strike the right \nbalance between these two extremes.\n    Fifth, even advocates for the most stringent privacy \nregulations testified last year that the prior consent \nrequirement was meaningful and coerced because if the patients \nrefused to sign the consent, the provider could deny treatment.\n    Six, various press articles have suggested that physicians \ndo not support the modification to the consent provision. It is \nimportant for Members of Congress to realize that many, if not \nmost physicians organizations support the modification. In an \nApril 10 letter to Congress, which is attached to my statement, \norganizations representing family physicians, surgeons, \ncardiologists, OB-GYNs and others, over 400,000 physicians in \nall, express support for making consent optional. I might add \nthat many of those are members of the AMA.\n    With respect to research and deidentification of patient \ninformation, the modifications proposed by the department make \nseveral key improvements that will eliminate unnecessary \nbarriers to the conduct of research while protecting patient \nconfidentiality. The modifications simplify the procedures and \npaperwork involved.\n    In addition, however, we believe that the regulations \nshould permit a limited set of facially deidentified data to be \ndisclosed for research purposes. The department has said it is \nconsidering such a change. Under the final rule some 18 \ncharacteristics would need to be removed to deidentify data. \nHowever, the 18 include such items as zip code, admission and \ndischarge dates, dates of death and age that do not facially \nidentify individuals and they are often important in \nepidemiological research, as well as in hospital disease \nsurveillance activities, particularly important in detecting \nbioterrorism.\n    Mr. Chairman, that concludes my statement. 
Thank you again \nfor giving me this opportunity to testify this morning and I \nwould be happy to answer your questions.\n    [The prepared statement of John Clough, M.D. follows:]\n               Prepared Statement of John C. Clough, M.D.\n    Good morning. I am Dr. John D. Clough, Director of Health Affairs \nfor the Cleveland Clinic Foundation. I am also a practicing \nrheumatologist.\n    The Cleveland Clinic Foundation strongly supports meaningful \nFederal privacy protections for identifiable patient information. The \nprivacy rule is intended to give patients the first-ever Federal \nprotection of their identifiable health information. We believe the \nrecently proposed modifications would make major and necessary \nimprovements to the final rule that will help achieve privacy goals \nwithout erecting barriers to high quality and timely health care for \npatients.\n    What has been missed in much of the reporting and debate about the \nmodifications is that they retain, and actually strengthen, the most \nimportant new protections for patients. For the first time, Federal \nstandards prohibit the use and disclosure of patient information for \npurposes other than treatment, payment, and health care operations \nwithout patient authorization. Thus, disclosing a patient's name and \ndiagnosis to a newspaper, a bank, an employer, a marketer, without the \nprior, specific, written authorization of the patient is prohibited. \nThe rule also gives patients new rights under Federal law to receive \nnotice of their rights, to be informed as to how their information can \nand cannot be used, and to access their own medical record.\n    In spite of the fact that the proposed modifications keep intact \nthese protections and actually strengthened many of them, virtually all \nof the attention of late has focused on the ``prior consent'' \nrequirement. 
This morning I will focus on the modification to the \nconsent provision, as well as an important modification that the \nDepartment is considering with respect to how patient information is \n``de-identified.''\nConsent\n    We strongly support the proposed modification which would make it \noptional, rather than required, for providers to obtain a signed, \nwritten consent form before using or disclosing identifiable \ninformation for treatment, payment, and health care operations.\n\nFirst: This modification would remove barriers to timely patient access \n    to care created by the requirement in the final rule, while \n    retaining and even strengthening strong patient privacy \n    protections.\n\n    The following are a few of the many examples from the Cleveland \nClinic's vantage point of how the requirement, without the proposed \nmodifications, would create significant barriers to patient access to \ncare.\n    <bullet> The Cleveland Clinic and other hospitals routinely receive \ninformation about a patient from referring physicians and use this \ninformation to schedule and prepare for procedures prior to the patient \npresenting themselves at the hospital. Prior consent would have to be \nobtained before any use of the patient's information for treatment. \nThus, we could not use information to schedule procedures or begin \nintake procedures until we had such consents.\n    <bullet> This would be problem enough for the Cleveland Clinic, \nwhere 1.6 million visits are on an outpatient basis each year. But, the \ndisruption and delay for patients should be viewed in the totality of \ntheir care from beginning to end.\n    <bullet> For the patient, the consent requirement would mean \nmultiple trips to sign a new consent form before receiving care at \nevery point. 
It would mean signing one consent form before visiting \ntheir physician, another before referral to a specialist, another \nbefore getting an MRI, one more before scheduling surgery at the \nhospital, another for the ambulance ride to the nursing home, another \nbefore sending someone to pick up a prescription, and on and on.\n    <bullet> Other inevitable problems included patients being unable \nto discuss their care over the telephone with physicians, nurses and \nothers covering for their colleagues during non-business hours because \nthese providers may not have a signed consent form. Also, nurses \nstaffing telephone call centers would be prohibited from advising \npatients in many cases because there is not opportunity to obtain prior \nwritten consent from the patient.\n    The proposed modification eliminates these barriers to care without \neliminating privacy protections. It is the written notice, not the \nconsent form, that is the means by which patients are informed of their \nrights and how and with whom their information may and may not be used. \nThe modification retains and strengthens the notice requirement in the \nfinal rule by requiring that providers give patients the notice and \nobtain an acknowledgment that the patient has received it.\n\nSecond: The suggestion by some that the Department make exceptions for \n    every problem that arises as a result of the consent requirement, \n    as opposed to fixing the underlying problem, is unworkable.\n\n    The Department cannot possibly anticipate every problem that could \narise, as dozens have become apparent since issuance of the final rule \na year and a half ago. More will arise after the rule takes effect. 
\nBecause the Health Insurance Portability and Accountability Act (HIPAA) \nallows modifications to the privacy rule only once each year to address \nsuch problems, patients would have to suffer through disruptions and \ndelays in care for over a year before such problems could be fixed.\n\nThird: Some have claimed that many States already have similar consent \n    requirements. In fact, today NO State has a similarly broad \n    prohibition on use and disclosure of information for treatment, \n    payment and health care operations without prior consent.\n\n    One State--Maine--did attempt such a broad prior consent \nrequirement in 1999. The Maine law was suspended in an emergency \nsession of the legislature after only 12 days because of severe \ndisruptions in patient care.\n\nFourth: The modification making consent optional is a workable \n    compromise of two diametrically opposed approaches taken in the \n    Clinton proposed regulation and the Clinton final regulation.\n\n    In November 1999, the Clinton administration's proposed privacy \nregulation not only rejected the idea of mandating that providers \nobtain consent, it went so far as to prohibit them from obtaining it. \nIn doing so, the Clinton administration argued that ``(s)uch \nauthorizations could not provide meaningful privacy protections or \nindividual control and could in fact cultivate in individuals erroneous \nunderstandings of their rights and protections.'' In addition, they \nmaintained that separate authorization for routine referrals ``could \nimpair care.''\n    Many physician and other groups objected to the prohibition on \nobtaining consent. In response, the administration went to the other \nextreme and mandated prior consent in the final rule. The recently \nannounced modifications strike the right balance between these two \nextremes. Providers may obtain consent if they wish to do so. 
However, \na provider will not have to delay treatment.\n\nFifth: Even advocates for the most stringent privacy regulations \n    testified last year that the prior consent requirement was \n    ``meaningless'' and ``coerced'' because if the patient refused to \n    sign the consent, the provider could deny treatment.\n\n    If the patient refuses to sign, there are many situations in which \nlaws, regulations, practice guidelines, and our code of ethics requires \nphysicians to treat the patient. The physician following the code of \nethics would then be in violation of the privacy regulation and subject \nto civil and even criminal penalties.\n\nSixth: Various press articles have suggested that physicians do not \n    support the modification to the consent provision. It is important \n    for Members of Congress to know that many, if not most, physician \n    organizations support the modification.\n\n    In an April 10 letter to Congress which is attached to my \nstatement, organizations representing family physicians, surgeons, \ncardiologists, OB/GYNs, and others--over 400,000 physicians in all--\nexpressed support for making consent optional.\nResearch and ``De-identification'' of Patient Information\n    The modifications proposed by the Department with respect to \nresearch make several key improvements that will eliminate unnecessary \nbarriers to the conduct of life-saving research, while maintaining \nimportant protections for patient confidentiality. In particular, the \nmodifications simplify, for patients and researchers, the procedures \nand paperwork involved.\n    However, one additional revision to the privacy regulation is \nneeded. We believe the regulations should permit a limited set of data \nwhich has been ``facially de-identified'' to be disclosed for \nresearch purposes. 
The Department is considering such a revision, but \nhas invited further comment before making a final decision to make the \nchange.\n    The stringency of the final rule's requirements for de-identifying \ninformation prompts concerns that the standard would render data \nuseless for much research. Under the final rule, some 18 \ncharacteristics would need to be removed from data to render it ``de-\nidentified.'' Most of the characteristics make sense, such as names and \naddresses, which could directly identify an individual. However, some \ndo not. For example, zip codes, admission and discharge dates, date of \ndeath, and age do not directly identify an individual. However, such \ninformation is often critical to conducting research. Epidemiological \nstudies routinely use hospital admission and discharge dates, date of \ndeath to track and understand diseases. Such studies have taken on new \nimportance with the threat of bioterrorism. Hospitals need to be able \nto share de-identified information for such purposes, as well as for \nimproving the quality of care for patients, and improving community \nhealth services. Under the final rule, sharing this information is not \npermitted.\n    There may be no other issue that has so united those in health \ncare; the change is supported by virtually every corner of the health \ncare community. This includes groups ranging from the Association of \nAmerican Medical Colleges, the American Medical Association, State \nhospital associations, patient and consumer groups. Attached to my \nstatement are two letters from these groups.\n    Mr. Chairman, that concludes my statement. Thank you, again, for \ngiving me this opportunity to testify this morning. I will be happy to \nanswer your questions.\n\n    The Chairman. Thank you very much for your very interesting \nstatement, which I think with the other statements puts this in \nsome perspective.\n    I would like to ask Ms. 
Goldman, the difference between \nnotification and consent and how you respond to points which \nwere raised recently by Dr. Clough and others about these areas \nof treatment which are necessary and really in the interest of \nthe patient, and by failing to do sort of a more comprehensive, \nlike the administration is doing, that we really can be \nperceived as putting the patient at risk. These are some of the \nbalances. Your response?\n    Ms. Goldman. I think it is important to keep in mind that \nwe put the patient at risk today by not protecting privacy and \nwe have data that shows that, that people are putting their own \ncare at risk. They are withholding information and they are \nafraid to seek care. So people are at risk.\n    Protecting privacy does not put them at risk, particularly \nif there are doctors who want to get the consent to their \npatients before using their information to treat them or to pay \nfor their care. Someone may decide to pay out-of-pocket and the \nconsent form gives them the opportunity to say to their doctor, \n``I am going to pay out-of-pocket, so I do not want to consent \nto have the information shared for payment purposes.'' Many \ndoctors, I think, including Dr. Harding and others, would say \nthat they would want to use the consent. It is optional \ncertainly for them to decide they want to mandate it, but they \ndo not have to do that.\n    And asking someone to consent to having their information \nused is certainly different than asking them to sign a notice \njust telling them how their information is going to be used. It \nis a dramatically different kind of piece of paper and not one \nI think which is just about paperwork burden, but which is \ninvolving the patient in decisions about his or her care.\n    The Chairman. Well, how do you respond to these points that \nhave been raised that by not taking--we have had the example of \nthe pharmacist and we have had doctors mention these others \nkinds of areas. 
Are you suggesting that we have the right to \nprivacy or the consent form and then have exceptions for these \nparticulars? And can you ever get enough on the list? Your \nanswer?\n    Ms. Goldman. Well, the Health Privacy Project has been \nsaying for a year that certain glitches and certain unintended \nconsequences in the privacy regulation should be fixed. We \nthink they should have been fixed a year ago. So we think that \nwhat the secretary of HHS should have done was to make targeted \nmodifications to the privacy regulation to address the consent \nproblems.\n    Pharmacies should have--this problem should be fixed. \nMaking referrals, exactly the same problem, that information \noccasionally needs to be received before a prescription is \nfilled or a referral is made. Those are glitches that should \nhave been fixed and we say in our testimony very specifically, \nwe make recommendations that those problems should be fixed. \nBut there is no need, and I think it is unjustified to use \nthose examples to eliminate the consent requirement completely.\n    The Chairman. Dr. Clough.\n    Dr. Clough. The problem, I think, is that glitches as they \noccur under the current rule would interfere with treatment and \nwould interfere with it until they get corrected. 
Glitches \nunder the other approach would not interfere with treatment and \ncould be corrected later with less disruption of care.\n    And with respect to prior consent, I would say that if you \nthink about what happens in a physician-patient encounter, when \nI first see a patient, I have never seen them before, they have \nnever seen me before and I am asking them to sign a blanket \nagreement that what I do is okay, I think that is less \nmeaningful than getting some information on the table, deciding \nwhat it is that needs to be consented to, and then get the \nconsent for treatment because I think that is where the \nimportant consent really is.\n    Patients can tell me that they do not want their \ninformation released and I respect that and I do not release it \nif they do not want it released, and I think every physician \ndoes that.\n    So I would say that these modifications improve the \nfunctionality of the rule without diluting it and give a chance \nto change the rule in the direction of greater privacy if that \nis necessary, but without interfering with patient care in the \nprocess.\n    Ms. Goldman. Mr. Chairman, can I respond to what Dr. Clough \nhas said?\n    The Chairman. Go ahead.\n    Ms. Goldman. It is an interesting point that when a patient \nasks him to maintain confidentiality and not to share \ninformation, that he respects that and the consent form that is \nin the final regulation gives his patients the opportunity to \nhave that conversation with him. It is exactly that initial \nmoment that triggers that kind of a conversation.\n    A notice is much less likely to ever trigger that \nconversation and ever allow for that to happen between Dr. \nClough and his patients.\n    The Chairman. I am going to have to submit the other \nquestions, but I thank you. This is an enormously important \narea. 
As I said, there are few values that we have that are \nreally more important than privacy as a country and a society \nand I think in the medical area it is right at the top.\n    We have heard a lot of good testimony today, conflicting \ntestimony, but it does not lessen the importance that I think \nwe have as a committee and as a Senate to do what is necessary \nin terms of both giving the assurance of good treatment, but \nalso in terms of protecting the privacy, and we are committed \nto trying to do that.\n    I thank our panel very much. We will submit some questions \nfor you.\n    The hearing stands in recess.\n\n                          ADDITIONAL MATERIAL\n\n        Prepared Statement of the American Hospital Association\n    The American Hospital Association (AHA) and its nearly 5,000-member \nhospitals, health systems, networks, and other providers are committed \nto safeguarding patients' medical information and ensuring that \npatients understand and have appropriate access to their medical \ninformation. We believe Congress shared these goals when it enacted the \nHealth Insurance Portability and Accountability Act (HIPAA) in 1996. \nUnfortunately, the final regulations implementing that vision elevated \nbureaucracy above common sense in a number of crucial respects.\n    Before the Administration proposed changes last month, the rule's \nmost alarming provision for hospitals and our patients was the \nrequirement that patients read, review and return a 10-page privacy \nnotice and a separate consent form before they could be cared for. \nHospitals were deeply distressed by visions of parents with sick or \ninjured children being met at the hospital door not with care and \ncompassion, but with a lengthy privacy notice that had to be read, and \na consent form that had to be signed, before care could be provided for \nthe child. 
Yet, that is precisely what the medical privacy regulations \nrequired hospitals to do.\n    Make no mistake--hospitals are genuinely committed to ensuring that \npatients know how their medical information is being used, what their \nrights are and how they can exercise them. That is not up for debate. \nWhat is up for debate is whether the current medical privacy \nregulations enhance medical privacy or frustrate it by delaying care \nfor patients. The current privacy rule prohibits patients and their \nphysicians from scheduling any testing procedures, outpatient surgery \nor other care the government determines isn't an emergency until the \npatient (1) receives and reads their privacy notice, and (2) signs and \nreturns the consent form to the hospital. For hospitals, the answer is \nclear: the written consent requirement will frustrate patients and \nproviders to no necessary end.\n    To test consumer reaction to these written consent requirements, \nthe AHA commissioned an independent research firm, Market Strategies, \nto poll more than 900 consumers this month about their reaction to the \nway hospitals were required to implement the consent requirement under \nthe medical privacy regulation. 
Here's what consumers told them:\n    * 86 percent think asking a sick person to sign a legal \ndocument that could be 10 pages when they see a doctor, nurse or pick \nup a prescription at the pharmacy is an unnecessary burden.\n    * 85 percent agree that elderly Americans will be hurt the \nmost because they see many different physicians and often have someone \nelse pick up prescriptions for them.\n    * 84 percent believe that time spent in a doctor's office \nshould be spent on patient care, not filling out more paperwork.\n    * 77 percent agree that the government should not make \nhospitals wait to schedule tests until the patient reads the privacy \nnotice and signs and returns a consent form to the hospital.\n    The April poll confirms what the AHA had learned earlier this year \nfrom a series of four focus groups that Market Strategies conducted in \nTampa and St. Louis. When apprised of the written consent requirements, \nconsumers said:\n\n                ``This will be a paperwork nightmare.''\n\n ``They should simply require that hospitals and pharmacies post this \n         [privacy notice], but signing a form is ridiculous.''\n\n ``I've waited 2 hours to see the doctor and he's got to do all this?''\n\n    The recent announcement by the Department of Health and Human \nServices (HHS) that it was proposing to replace redundant written \nconsent requirements with a written acknowledgment came as welcome \nnews. That proposal does not weaken, much less eliminate, any of a \npatient's privacy rights. It does not change the fact that hospitals \nare not permitted to use patients' information for marketing or \nresearch, without their express written permission. Instead, it allows \nhospitals to immediately work with patients and their doctors to \nprovide or schedule medical treatment or tests. 
Hospitals are still \nrequired to try and obtain written acknowledgment from a patient that \nhe or she has received the privacy notice, but they can do so when it's \nconvenient for the patient--not the government. Moreover, asking \npatients to acknowledge in writing that they have received the \nhospital's privacy notice signals to patients that the notice contains \nimportant information that they should read and understand.\n    Hospitals welcome the proposed change because we care for and about \npatients--we want all of our patients to be met at the hospital door \nwith care and compassion, not paperwork and delay. Written \nacknowledgement will let us keep that promise.\n    Many lawmakers agree. On July 3, 2001, 165 members of the House of \nRepresentatives sent a bi-partisan letter to HHS Secretary Tommy \nThompson telling him that ``scheduling patients for surgery, x-rays or \nother vital services should not depend on patients having to complete \nan exhaustive privacy and consent form that could be 10-or-more pages \nlong.'' HHS responded by replacing redundant written consent with \nwritten acknowledgement, which eliminates a barrier to patient care.\nConclusion\n    A top priority for America's hospitals is safeguarding patient \nprivacy while ensuring that nothing gets in the way of patient care. \nHHS' proposal to replace the redundant written consent requirement with \npatient acknowledgement removes one of the privacy rule's key \nroadblocks to the delivery of good patient care. It is good for \npatients and hospitals and does not sacrifice patients' privacy rights.\n    why written acknowledgement is better for patients and providers\n    As a result of HHS's proposed changes to the HIPAA privacy rules, \nthe AHA has prepared a series of Qs & As to help hospitals respond to \ninquiries from patients and the public.\n    Question 1. 
Will I know what my rights are if I don't have to sign \na written consent form for hospitals to use my health information?\n    Yes. Hospitals are still required to provide you with a written \nnotice of their privacy practices (called a ``privacy notice'') that \nexplains how hospitals are permitted to use your medical information. \nHospitals are permitted to use your medical information for only three \npurposes: (1) treating you; (2) obtaining payment for your care; and \n(3) for their own operations, including improving their ability to \nprovide quality care to you and other patients. Hospitals are not \npermitted to use your medical information for any other purpose, such \nas for marketing or research, without your written permission, except \nin a medical emergency or other very limited circumstances, such as \nthose permitted or required by Federal and State law.\n    The privacy notice explains your medical privacy rights, such as \nyour right to see and copy your information or request to change that \ninformation. It also tells you, for example, where you need to go to \nsee and copy your information or to request to change it.\n    Question 2. Doesn't signing a written consent form make it more \nlikely that I will learn about or understand my privacy rights?\n    No. The privacy notice you will receive from the hospital--not the \nwritten consent form--explains your privacy rights. The written consent \nform didn't provide any additional information that isn't already in \nthe privacy notice. Under the changes proposed, hospitals will be \nrequired to have you acknowledge in writing that they have given you \ntheir privacy notice. Hospitals want patients to know and understand \ntheir medical privacy rights. And by having you acknowledge that you \nwere given a copy of their privacy notice, hospitals are letting you \nknow that the privacy notice has important information that you need to \nread and understand.\n    Question 3. 
Will I be losing any of my privacy rights if I'm not \nrequired to sign a written consent form?\n    No. None of your privacy rights will be lost. Your rights are \nguaranteed by the rule and by the notice, whether or not you sign a \nconsent form. For example, you will still have the right to request \nthat the hospital not contact you at the office with any test or \nmedical results, but only call you at your home.\n    Question 4. Was there something wrong with having patients sign a \nwritten consent form?\n    Yes. Hospitals could not work with you or your doctor to schedule \nany testing procedures, outpatient surgery or other care the government \ndetermined wasn't an emergency until you (1) received and read their \nprivacy notice, and (2) signed and returned the consent form to the \nhospital. Hospitals were not allowed to make any exceptions to this \nrule, even for disabled or elderly Americans or those who lived in \nremote rural areas. Hospitals were very concerned that their ability to \nrespond quickly to the needs of their patients would be hampered by \nthis unnecessary requirement and that patients would be frustrated with \nthem because they were not allowed to make exceptions to this Federal \nlaw.\n    Question 5. Will the hospital be able to use my health information \nin ways that are not approved by the Federal privacy rule if I don't \nsign a written consent form for the use of my information?\n    No. The rules continue to obligate hospitals to use your health \ninformation only for (1) treating you; (2) obtaining payment for your \ncare, and (3) for their own operations, including improving the quality \nof care they provide to you and other patients. Hospitals must explain \nthe ways they will use your health information in the privacy notice \nthey have to give to you. 
A hospital cannot use or disclose your health \ninformation in other ways, such as for marketing or research, unless \nthe hospital gets your written permission before doing so.\n    Question 6. Is a hospital prevented from getting my written consent \nto use my health information?\n    No. Hospitals and doctors are still permitted to ask for your \nwritten consent before they use information about you to provide health \ncare services; however, if they use a written acknowledgement, they \nwon't have to delay providing care for you until you (1) received and \nread their privacy notice, and (2) signed and returned the consent form \nto the hospital or doctor.\n    Question 7. Will hospitals know that I received their privacy \nnotice if I don't have to sign a written consent?\n    Yes. The proposed changes to the privacy rules require hospitals to \nhave you acknowledge, in writing, that you received their privacy \nnotice. At the time you receive the notice, the hospital will ask you \nto acknowledge in writing that you received the notice.\n    Question 8. Will this new proposal requiring me to acknowledge that \nI have received the privacy notice mean that I'm spending more time \nfilling out forms in the hospital admission office or emergency room?\n    No. Signing an acknowledgement should not increase the time you \nhave to spend in the admission process. In an emergency situation, this \nacknowledgement can even be delayed to allow you to give it at a less \nstressful and more convenient time.\n    Question 9. Why is a written acknowledgement that I received the \nhospital's privacy notice better than the requirement that I sign a \nwritten consent?\n    The written acknowledgement allows hospitals to immediately work \nwith you or your doctor to treat you or to schedule any testing \nprocedures, outpatient surgery or other care. 
In an emergency \nsituation, hospitals can even delay getting your written \nacknowledgement until a less stressful and more convenient time for \nyou. The acknowledgement does not take away any of your privacy rights. \nAnd it is still an effective way for hospitals to let you know that the \nprivacy notice they give to you has important information about your \nprivacy rights that they want you to read and understand.\n    The written consent requirement, on the other hand, forced \nhospitals to delay scheduling any testing procedures, outpatient \nsurgery or other care or giving you any treatment the government \ndetermined wasn't an emergency until you (1) received and read their \nprivacy notice (which could be as long as 10 pages in order to meet \nFederal requirements), and (2) signed and returned the consent form to \nthe hospital or doctor. Hospitals were not allowed to make any \nexceptions, even for disabled or elderly Americans or those who lived \nin remote rural areas. The written consent requirement increased the \npaperwork burden for patients and hospitals without giving you any new \nprivacy rights that the rule and the privacy notice don't already \nguarantee or any additional information about your rights that isn't \nalready in the privacy notice.\n    Question 10. Do the proposed changes to the privacy rules affect \nany of my privacy rights?\n    No. The proposed changes to the privacy rules do not do away with \nor weaken any of your privacy rights. Your rights continue to be \nguaranteed. 
The proposed changes only get rid of a significant \nroadblock that would have forced hospitals to delay your treatment \nuntil you (1) received and read their privacy notice, and (2) signed \nand returned the consent form to the hospital or doctor, and cut the \nunnecessary paperwork burden for patients and hospitals.\n   Prepared Statement of Members of the Alliance of Medical Societies\n    As you are aware, on March 27, 2002, the Department of Health and \nHuman Services (HHS) issued a proposed rule to modify the ``Standards \nfor Privacy of Individually Identifiable Health Information.'' We, the \nundersigned members of the Alliance of Medical Societies, strongly \nsupport the proposed modifications that HHS is considering with respect \nto prior consent and research and would also like to comment on the \nbusiness associates provision.\n    The Alliance of Medical Societies comprises 12 national medical \nsocieties representing more than 150,000 specialty-care physicians. Its \nmission is to promote sound Federal health care policies that will \nenhance the ability of specialty-care physicians to provide the best \npossible health care to their patients.\nPrior Consent\n    The proposed modifications to the prior consent portion of the rule \nrepresent a workable compromise between the original proposed \nregulation issued in 1999 that would have prohibited providers from \nobtaining consent and the final privacy regulation issued in 2000 that \nmandated prior consent requirements. These modifications maintain the \npatient privacy protections required by Congress without disrupting \npatient access to quality health care.\n    The Alliance supports meaningful privacy protections for patients' \nmedical records and believes that it is important for patients to be \nnotified of their rights. 
The proposal for regulatory permission as \nopposed to mandatory written consent would not change the ethical and \nprofessional practice of physicians and most health care providers to \nobtain patient consent. Not only would the prior consent requirement \nadd yet another mandatory form to the already unmanageable paperwork \nburden that physicians and practitioners face on a daily basis, it \ncould pose serious problems for patient care. HHS outlined many of the \npotential problems in the proposed rule. We strongly believe that HHS \nchose wisely in proposing to make prior consent discretionary, and we \noppose any efforts to change it.\nMedical Research\n    We also thank the Administration for improving the provisions \ngoverning medical research. The proposed modifications alleviate the \nburdens placed on medical researchers and remove obstacles that would \nimpede important public health research. In particular, the Alliance \nsupports the Administration's proposal to simplify the authorization \nprocess and to eliminate the inconsistent privacy review criteria for \nInstitutional Review Boards. Without these critical changes, health \ncare studies may be abandoned or avoided altogether as the burdens and \nliability associated with compliance would deter many medical \nresearchers.\n    In addition, although HHS did not propose to modify the de-\nidentification standard, we appreciate their call for additional \ncomments on this provision. 
We urge the Department to reconsider the \nFinal Rule's current standard, which requires the removal of 18 \ncharacteristics from data in order to render it ``de-identified.'' Some \nof the data that must be removed--specifically, dates of admission or \nservice and device serial numbers--are often needed when evaluating \nmedical records for epidemiological and other health related research.\n    We believe the regulation could be improved significantly by \nmodifying the de-identification standard to require that information \ninstead be stripped of direct identifiers that would facially identify \nan individual. Direct identifiers would be defined as name, address, \nelectronic mail address, telephone number, fax number, social security \nnumber, health benefits number, financial account numbers, drivers \nlicense number or other vehicle numbers that are in the public records \nsystem.\nBusiness Associates\n    While the Administration proposes to provide a 1-year window for \ncovered entities to revise their contracts with business associates, \nthese same covered entities will be required to comply with the new \nrule regardless of whether or not a new contract has been secured. \nHence, the 1-year window provides a false sense of flexibility. We are \nfurther concerned that HHS will require business associate contracts \nbetween two covered entities. This seems to defy reason since each \ncovered entity will be required to comply with the regulation \nindependently.\n    To conclude, we strongly support meaningful and workable privacy \nprotections for patients' medical records and appreciate this \nopportunity to express our views on the modifications to the privacy \nregulations proposed by HHS.\n    Sincerely, American Academy of Dermatology Association; American \nAssoc. 
of Neurological Surgeons/Congress of Neurological Surgeons; \nAmerican Association of Orthopaedic Surgeons; American College of \nCardiology; American College of Radiology; American Society of Cataract \n& Refractive Surgery;\n                  Prepared Statement of Sue A. Blevins\n    Thank you, Mr. Chairman and Committee members, for holding this \ntimely public hearing to examine how the proposed revisions to the \nFederal medical privacy rule will affect patients' control over their \npersonal health information. I appreciate the opportunity to submit \nwritten testimony and focus on the concerns raised by thousands of \ncitizens who submitted comments to the U.S. Department of Health and \nHuman Services (HHS) opposing access to their personal health \ninformation without their consent.\n    In particular, sections 164.502 and 164.506 of the revised rule \ngive the Federal Government the regulatory authority to decide for each \nand every citizen who can access individuals' medical information--\nincluding genetic information--for most purposes, including medical \ntreatment, payment and health-care operations. The U.S. Department of \nHealth and Human Services and the medical industry should not be making \nthese decisions for individuals. In fact, a national Gallup survey \nshows that Americans want to be the ones to decide who can see their \npersonal health information with--or without--their consent.\nMajority of Americans are Concerned About Medical Privacy According to \n        a National Gallup Survey\n    The Institute for Health Freedom commissioned a national Gallup \nsurvey to find out how Americans feel about medical and genetic \nprivacy. We had heard from privacy advocates across the country about \ntheir concerns. 
But we wanted to find out how ordinary citizens across \nthe Nation--not just privacy advocates--feel about the issue.\n    The national Gallup survey was conducted between August 11 and \nAugust 26, 2000 and the results are posted at the Institute for Health \nFreedom's Web site: www.ForHealthFreedom.org. (As of April 2, 2002, the \nsurvey had not been updated by the Gallup Organization.) The survey of \n1,000 adults nationwide found an overwhelming majority of Americans do \nnot want third parties to have access to their medical records--\nincluding genetic information--without their consent.\n    * 95 percent say banks should not be allowed to see \npatients' medical records without individuals' consent;\n    * 92 percent oppose allowing governmental agencies access to \npatients' medical records without permission;\n    * 88 percent oppose letting police or lawyers review medical \nrecords without explicit consent;\n    * 84 percent say employers should not be allowed access to \npatients' medical records without permission; and\n    * 67 percent oppose researchers accessing patients' medical \nrecords without consent.\n    The national Gallup survey also included two important questions \nabout genetic privacy. One asked whether doctors should be allowed to \ntest patients for genetic factors without their consent. Only 14 \npercent of respondents would permit such testing; 86 percent oppose it.\n    The other question asked whether medical and governmental \nresearchers should be allowed to study individuals' genetic information \nwithout first obtaining their permission. 
More than nine in ten adults \n(93 percent) feel medical and governmental researchers should first \nobtain permission before studying their genetic information.\n    What's more, when asked whether they are aware of a Federal \nproposal to assign a medical identification number--similar to a Social \nSecurity number--to each American, only 12 percent said they had heard \nanything about it. College-educated adults (16 percent) are more likely \nthan those with less than a college education (8 percent) to be aware \nof the proposal. Regardless of their knowledge about it, however, an \noverwhelming majority (91 percent) oppose the plan.\n    I strongly encourage this committee to consider how the final and \nrevised Federal medical privacy rule is going to strip patients of the \nability to decide who can access their personal health information \n(including genetic information) with--or without--patients' consent.\n    Finally, following is a ``questions and answers'' summary about the \nproposed revised Federal medical privacy rule:\nUpdate on the Federal Medical Privacy Rule: Questions and Answers*\n    Americans are being told they will have stronger medical privacy \nprotections under the revised Federal medical privacy rule published in \nthe Federal Register on March 27, 2002.\\1\\ However, the following \n``questions and answers'' summary shows that the revised rule does not \nprovide patients stronger medical privacy. Rather, it actually weakens \nindividuals' ability to restrict access to their medical records.\n---------------------------------------------------------------------------\n    \\1\\ ``Standards for Privacy of Individually Identifiable Health \nInformation,'' Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 
\n14776-14815, [http://www.access.gpo.gov/su--docs/fedreg/aO20327c.html].\n---------------------------------------------------------------------------\n    The following summary is based on a review of the revised Federal \nmedical privacy rule (published March 27, 2002) \\2\\ compared to the \nfinal Federal medical privacy rule (published December 28, 2000).\\3\\ \nCitations to specific key pages are provided to help the public, media, \nand policymakers understand the serious implications of the rule.\n---------------------------------------------------------------------------\n    \\2\\ Ibid.\n    \\3\\ ``Standards for Privacy of Individually Identifiable Health \nInformation,'' Federal Register, Vol. 65, No. 250, December 28, 2000, \npp. 82462-82829, [http://www.access.gpo.gov/su--docs/fedreg/\naO01228c.html].\n---------------------------------------------------------------------------\nDoes the revised Federal medical privacy rule provide consumers greater \n        control over the flow of their personal health information?\n    No, under the revised Federal medical privacy rule, patients will \nnot be in control of deciding whether they want health insurers, \ndoctors, and medical data-processing companies to share their personal \nhealth information--including genetic information--with others. Rather, \nhealth insurers, doctors and medical data-processing companies are \nactually granted ``regulatory permission'' to share patients' health \ninformation for any activities related to patients' health care \ntreatment, processing of their health care claims, or ``health care \noperations''--a term which encompasses many activities unrelated to \npatients' direct care (such as permitting FBI officials to search \nmedical records looking for fraud and abuse activities).\\4\\\n---------------------------------------------------------------------------\n    \\4\\ Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 
14780, \n14812.\n---------------------------------------------------------------------------\n    Also, under the revised Federal medical privacy rule health \ninsurers, doctors, and medical data-processing companies will not need \nto get patients' written, informed consent before sharing patients' \npersonal health information--including past medical records and genetic \ninformation--with many third parties.\nHow Does Congress or HHS Define ``Medical Privacy'' or ``Privacy''?\n    They don't. Ironically, while the Federal medical privacy rule \nincludes many definitions, the terms ``medical privacy'' or ``privacy'' \nare not clearly defined in the rule.\\5\\ Instead, a Federal committee \ncomposed primarily of fact-gathering experts was given the legal \nauthority to advise HHS in establishing standards for Americans' \nmedical privacy.\\6\\\n---------------------------------------------------------------------------\n    \\5\\ Federal Register, Vol. 65, No. 250, December 28, 2000, pp. \n82798, 82803-82805; Federal Register, Vol. 67, No. 59, March 27, 2002, \npp. 14810-14812.\n    \\6\\ Federal Register, Vol. 67, No. 59, March 27, 2002, p. 14777.\n---------------------------------------------------------------------------\nAre patients guaranteed the right to sign private contracts with their \n        doctors to withhold personal health information from third \n        parties?\n    No, patients cannot withhold their personally identifiable health \ninformation from the U.S. Department of Health and Human Services. In \nfact, the rule creates a massive Federal mandate that requires every \ndoctor and other health care practitioner to share patients' records \nwith the Federal Government--specifically the U.S. 
Department of Health \nand Human Services (HHS)--without patient consent.\\7\\ The Federal \nGovernment even has the right to access an individual's psychotherapy \nnotes in order to monitor compliance with the rule.\\8\\\n---------------------------------------------------------------------------\n    \\7\\ Federal Register, Vol. 65, No. 250, December 28, 2000, p. \n82802.\n    \\8\\ Ibid., pp. 82811, 82805.\n---------------------------------------------------------------------------\nWill patients be guaranteed the right to an accounting of to whom and \n        when their personal health information was disclosed for health \n        care services related to their treatment and processing of \n        health claims?\n    No, patients will not receive an accounting of to whom and when \ntheir records were disclosed for most health care services, including \nactivities related to treatment, payment, or health care operations (a \nbroad definition encompassing many uses).\\9\\\n---------------------------------------------------------------------------\n    \\9\\ Ibid., p. 82826.\n---------------------------------------------------------------------------\n    In just a few years, patients' personally identifiable health \ninformation is going to be flowing over the Internet--without patients' \npermission--for purposes related to treatment, payment, and health care \noperations. 
But patients won't even know this is happening because they \nwon't be able to obtain an accounting of disclosures for treatment, \npayment, and health care operations.\nWill President Bush's proposed changes to the Federal medical privacy \n        rule (published March 27, 2002) strengthen or weaken Americans' \n        medical privacy?\n    It is important to note that the Clinton Administration initially \nproposed prohibiting doctors and hospitals from getting patients' \nconsent before releasing their medical information.\\10\\ But after \nreceiving more than 52,000 public comments, the Clinton Administration \nrevised the rule and added a very weak, coercive consent provision.\n---------------------------------------------------------------------------\n    \\10\\ Federal Register, Vol. 64, No. 212, November 3, 1999, p. \n59941.\n---------------------------------------------------------------------------\n    However, the Bush Administration is legally permitting health \ninsurers, doctors and medical data-processing companies to release \npatients' personal health information without asking patients for their \npermission. Instead, these entities can simply provide notices of how \nthe information will be shared. This policy takes the active \ndecisionmaking authority away from patients and shifts it to doctors \nand hospitals. 
This is a major shift away from the precious health care \nethics that we have honored for many years in this country: the ethics \nof consent and confidentiality.\nIn addition to allowing patients' medical records to be disclosed for \n        treatment, payment and health care operations, who else can see \n        patients' records without patients' consent?\n    Under the Bush Administration's revised rule (as under the Clinton \nAdministration's final rule), Americans' medical records can be \ndisclosed for many broadly defined purposes without patient consent, \nincluding, but not limited to, the following:\n    <bullet> Oversight of the health care system\n    <bullet> FDA monitoring (including dietary supplements)\n    <bullet> Public health surveillance and activities\n    <bullet> Foreign governments collaborating with U.S. public health \nofficials\n    <bullet> Research (if an IRB or privacy board waives consent)\n    <bullet> Law enforcement activities\n    <bullet> Judicial and administrative proceedings\n    <bullet> Licensure and disciplinary actions.\\11\\\n---------------------------------------------------------------------------\n    \\11\\ Federal Register, Vol. 65, No. 250, December 28, 2000, pp. \n82525, 82528, 82813-82817.\n---------------------------------------------------------------------------\nDoes the Federal medical privacy rule provide patients recourse if \n        their privacy is breached?\n    No, patients are not guaranteed any recourse other than the right \nto complain.\\12\\ They can complain to their health care providers or \ninstitutions about privacy breaches. They also can complain to the \nSecretary of the U.S. Department of Health and Human Services. However, \nthe HHS Secretary does not have to investigate the complaint. The final \nrule reads that the Secretary ``may,'' not ``shall,'' investigate \ncomplaints.\\13\\\n---------------------------------------------------------------------------\n    \\12\\ Ibid., pp. 
82801-82802.\n    \\13\\ Ibid., p. 82802.\n---------------------------------------------------------------------------\n    Additionally, individuals do not have a private right of action \n(they can't sue) if their privacy is breached under the final medical \nprivacy rule.\nWhy was the Federal medical privacy rule created in the first place?\n    The Federal medical privacy rule was established as dictated by the \nHealth Insurance Portability and Accountability Act of 1996 (HIPAA) \nthat fosters the development of a national health information network \nthrough standardized codes for all health care services nationwide.\\14\\ \nThe HIPAA law requires health plans to use national standardized codes \nfor electronic transactions for payment of medical care. The HIPAA law \nadditionally requires that unique health identifiers be assigned to \nfour groups, including every: (1) individual, (2) health care provider, \n(3) employer, and (4) health plan.\\15\\ Those identifiers will \nfacilitate electronic transactions for all types of health care, \nwhether services are paid by government or privately. (Note: the \nindividual identifier has been put on hold temporarily for 1 year.)\n---------------------------------------------------------------------------\n    \\14\\ ``Health Insurance Reform: Standards for Electronic \nTransactions; Announcement of Designated Standard Maintenance \nOrganizations; Final Rule and Notice,'' Federal Register, Volume 65, \nNo. 160, August 17, 2000, pp. 50312-50313.\n    \\15\\ Ibid., p. 50313.\n---------------------------------------------------------------------------\n    The result will be that each patient's visit to a doctor or \nhospital will be easily tracked.\n    In the next few years, it is going to become increasingly simple to \ntransfer electronic medical records over the Internet. With just a \nclick of a mouse, it will be much easier to access and share \nindividuals' records with many third parties. 
That is why all Americans \nshould become informed about the Federal medical privacy rule and \ndemand the right to control their most personal information--their \nhealth information, including genetic information.\n    * This update analysis on the Federal medical privacy rule was \nprepared by Sue Blevins, President, Institute for Health Freedom and \nDeborah Grady, Research Associate, Institute for Health Freedom. Many \nof the Federal medical privacy rule provisions remain the same as those \nanalyzed in a previous paper titled ``The Final Federal Medical Privacy \nRule: Myths and Facts'' by Sue Blevins and Robin Kaigh, Esq. (February \n8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/\nMedPrivFacts.html].\n\n    [Whereupon, at 12:10 p.m., the hearing was adjourned.]\n\n</pre></body></html>\n"