b"<html>\n<title> - PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n \n      PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                  SUBCOMMITTEE ON INFORMATION POLICY,\n                     CENSUS, AND NATIONAL ARCHIVES\n\n                                 of the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 19, 2007\n\n                               __________\n\n                           Serial No. 110-33\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n                     http://www.oversight.house.gov\n\n\n                                 ______\n\n                                     \n                    U.S. GOVERNMENT PRINTING OFFICE\n39-023                      WASHINGTON : 2008\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n             COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                 HENRY A. 
WAXMAN, California, Chairman\nTOM LANTOS, California               TOM DAVIS, Virginia\nEDOLPHUS TOWNS, New York             DAN BURTON, Indiana\nPAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut\nCAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York\nELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida\nDENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana\nDANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania\nJOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah\nWM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee\nDIANE E. WATSON, California          MICHAEL R. TURNER, Ohio\nSTEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California\nBRIAN HIGGINS, New York              KENNY MARCHANT, Texas\nJOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia\nBRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina\nELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina\n    Columbia                         BRIAN P. BILBRAY, California\nBETTY McCOLLUM, Minnesota            BILL SALI, Idaho\nJIM COOPER, Tennessee                JIM JORDAN, Ohio\nCHRIS VAN HOLLEN, Maryland\nPAUL W. HODES, New Hampshire\nCHRISTOPHER S. MURPHY, Connecticut\nJOHN P. SARBANES, Maryland\nPETER WELCH, Vermont\n\n                     Phil Schiliro, Chief of Staff\n                      Phil Barnett, Staff Director\n                       Earley Green, Chief Clerk\n                  David Marin, Minority Staff Director\n\n   Subcommittee on Information Policy, Census, and National Archives\n\n                   WM. LACY CLAY, Missouri, Chairman\nPAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio\nCAROLYN B. MALONEY, New York         CHRIS CANNON, Utah\nJOHN A. YARMUTH, Kentucky            BILL SALI, Idaho\nPAUL W. 
HODES, New Hampshire\n                      Tony Haywood, Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \nHearing held on June 19, 2007\nStatement of:\n    Grealy, Mary R., president, Healthcare Leadership Council; \n      Byron Pickard, president, American Health Information \n      Management Association; and Peter Swire, senior fellow, \n      Center for American Progress\n        Grealy, Mary R.\n        Pickard, Byron\n        Swire, Peter\n    Melvin, Valerie C., Director of Information Management \n      Issues, Government Accountability Office, accompanied by \n      Linda D. Koontz, Director for Information Management \n      Issues, Government Accountability Office\nLetters, statements, etc., submitted for the record by:\n    Clay, Hon. Wm. Lacy, a Representative in Congress from the \n      State of Missouri, prepared statement of\n    Grealy, Mary R., president, Healthcare Leadership Council, \n      prepared statement of\n    Hodes, Hon. Paul W., a Representative in Congress from the \n      State of New Hampshire, prepared statement of\n    Melvin, Valerie C., Director of Information Management \n      Issues, Government Accountability Office, prepared \n      statement of\n    Pickard, Byron, president, American Health Information \n      Management Association, prepared statement of
\n    Swire, Peter, senior fellow, Center for American Progress, \n      prepared statement of\n\n\n      PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS\n\n                              ----------                              \n\n\n                         TUESDAY, JUNE 19, 2007\n\n                  House of Representatives,\n   Subcommittee on Information Policy, Census, and \n                                 National Archives,\n              Committee on Oversight and Government Reform,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2 p.m. in room \n2154, Rayburn House Office Building, Hon. Wm. Lacy Clay \n(chairman of the subcommittee) presiding.\n    Present: Representatives Clay, Maloney, Hodes, and Turner.\n    Staff present: Tony Haywood, staff director/counsel; Jean \nGosa, clerk; Adam C. Bordes, professional staff member; Nidia \nSalazar, staff assistant; Charles Phillips, minority counsel; \nAllyson Blandford, minority professional staff member; Patrick \nLyden, minority parliamentarian and member services \ncoordinator; and Benjamin Chance, minority clerk.\n    Mr. Clay. The Subcommittee on Information Policy, Census, \nand National Archives will come to order.\n    Let me begin by saying good afternoon and welcome to \ntoday's hearing on efforts to protect the privacy of personal \nhealth information in electronic health care information \nsystems.\n    The use of IT to store, share, and secure electronic health \ninformation has expanded rapidly in recent years. Many insurers \nand hospitals have already transitioned from paper-based \nrecords to electronic medical record systems for exchanging \npatient data. 
This has brought important benefits to both \npatients and providers, including shorter hospital stays, \nimproved management of chronic disease, and fewer redundant \ntests and examinations.\n    Americans have expressed legitimate concerns, however, \nabout the potential for improper disclosure of personally \nidentifiable health care information. Before they will fully \nembrace the benefits and efficiencies of e-health solutions, \npatients must be confident that personal information in \nelectronic format is as secure and private as information in \npaper records.\n    A nationwide health information network promises tremendous \nbenefits for patients. For 3 years the Department of Health and \nHuman Services has been working to make the idea technically \nand economically feasible. Unfortunately, a January 2007 GAO \nreport found that HHS was not doing enough to integrate \neffective privacy safeguards into its long-term national \nstrategy for health IT. Varying health IT privacy standards in \ndifferent States are another area of concern.\n    While the enactment of the Health Insurance Portability and \nAccountability Act [HIPAA], in 1996 was an important step \nforward, it has left patients with disparate privacy \nprotections. I believe we should amend HIPAA to extend the most \neffective and practical privacy safeguards to everyone.\n    I introduced bipartisan legislation in the 109th Congress \nwhich proposed to establish a framework for a uniform national \nhealth privacy standard. 
Giving patients greater personal \ncontrol over their health information is critical; therefore, \nputting in place stricter notice and consent requirements for \nall third-party disclosures and information sharing activities \nis an important legislative objective for Congress to achieve.\n    Today's hearing will allow different perspectives on these \nissues to be aired as we move toward implementing a national \nhealth care information network.\n    I must say that I am disappointed that HHS was unable to \nsupply a suitable witness to appear today on behalf of the \nadministration, but the Department has submitted written \ntestimony for today's hearing, and I will ask GAO and our other \nwitnesses to respond to positions stated in that testimony.\n    I look forward to the testimony of all of our witnesses.\n    [The prepared statement of Hon. Wm. Lacy Clay follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9023.001\n    \n    [GRAPHIC] [TIFF OMITTED] T9023.002\n    \n    Mr. Clay. I assume when the ranking member gets here he \nwill have an opening statement and we will yield to him for \nthat, but for now we will proceed with the hearing.\n    If we don't have any additional statements, the \nsubcommittee will now hear testimony from the witnesses before \nus today.\n    On our first panel we will hear from Valerie C. Melvin, \nDirector for Human Capital and Management Information Systems \nIssues at GAO. Welcome, Ms. Melvin.\n    Accompanying Ms. Melvin is Linda D. Koontz, Director for \nInformation Management Issues at GAO. Welcome to you.\n    Ms. Melvin will deliver GAO's formal testimony, and both \nwill respond to questions.\n    Thank you for appearing before the committee today. It is \nthe policy of the Committee on Oversight and Government Reform \nto swear in all witnesses before they testify. Will you both \nplease stand and raise your right hands?\n    [Witnesses sworn.]\n    Mr. Clay. 
Let the record reflect that the witnesses \nanswered in the affirmative.\n    Ms. Melvin, you will have 5 minutes to make an opening \nstatement. Your complete written testimony will be included in \nthe hearing record.\n    The lighting system and the timing system does not work, so \nwe will notify you probably through the use of the gavel when \nyou get close to the 5-minute time limit.\n    Mr. Turner, thank you for being here.\n    Mr. Turner. Mr. Chairman, thank you.\n    Mr. Clay. OK. And you may, if you have an opening \nstatement, you may proceed, sir.\n    Mr. Turner. Thank you, Mr. Chairman. I appreciate that and \nI apologize for my being late.\n    I want to thank you for holding this important hearing on \nprivacy concerns and health information technology. Many health \ncare experts agree that investing in health information \ntechnology will dramatically improve patient care while \nsimultaneously decreasing health care costs.\n    For example, Kettering Medical Center in my District and \nits partners have created the Dayton Individual Health Record \nPilot Project, IHR. The Dayton IHR pilot combines a patient's \nhealth information from different sources and presents that \ninformation to patients, doctors, and other health care \nprofessionals in a format that helps all health participants \nmake efficient, appropriate decisions about their care options.\n    The Dayton IHR is a Web-based record that allows a patient \nto access their information from their home, the office, or \neven if the patient ends up in an emergency room in another \ntown.\n    While it is important that technology like the Dayton IHR \nbe made available, it should not be available at the sacrifice \nof patient privacy and security. 
The Dayton IHR ensures that \nonly the patient and the physicians granted access by the \npatient can look at the information within the IHR.\n    This subcommittee has previously discussed privacy concerns \nin relation to Federal IT infrastructures, and I expressed my \nconcerns with how IT breaches affect individuals, as well as \nnational security.\n    Health care raises unique privacy concerns, but I am \ninterested to learn how we can work with all stakeholders to \naddress important privacy issues and facilitate the adoption of \nhealth IT. Health IT holds the promise of increasing the \nquality of health care, as well as decreasing health care costs \nfor American families. We must be careful, however, to reach \nthese goals without sacrificing the security of professional \nhealth information.\n    I look forward to hearing the information from today's \nwitnesses on this important topic, and I yield back the \nremainder of my time.\n    Thank you.\n    Mr. Clay. Thank you so much, Mr. Turner.\n    We will begin with Ms. Melvin.\n    You may proceed.\n\n    STATEMENT OF VALERIE C. MELVIN, DIRECTOR OF INFORMATION \n     MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, \n   ACCOMPANIED BY LINDA D. KOONTZ, DIRECTOR FOR INFORMATION \n      MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Ms. Melvin. Thank you, Mr. Chairman and Ranking Member \nTurner.\n    We are pleased to be here today to testify on privacy \nissues associated with efforts to increase the use of \ninformation technology in the health care industry. 
As noted, \nwith me today is Linda Koontz, Director of Information \nManagement Issues, who is responsible for GAO's privacy work.\n    In 2004 President Bush issued an Executive order that \ncalled for widespread adoption of interoperable electronic \nhealth records by 2014 and established a National Coordinator \nfor Health IT to lead and foster public/private coordination.\n    The benefits of health IT are immense, and include reducing \nmedical errors and improving public health emergency response. \nHowever, the increasing use of technology also raises concerns \nregarding the extent to which patient privacy is protected. The \nchallenge is to strike the right balance between patient \nprivacy concerns and the numerous benefits that IT has to \noffer.\n    Over the past few years, we have issued reports and \ntestified numerous times on HHS' efforts toward defining a \nnational health IT strategy. Among these reports, one issued \nlast January highlighted HHS' health IT privacy initiatives. \nToday, as requested, I will summarize the results of that \nstudy, highlighting three points: the importance of having a \ncomprehensive privacy approach, HHS' initial efforts to address \nprivacy as part of its national health IT strategy, and \nadditional efforts needed.\n    Privacy is a major concern in the health care industry, \ngiven the sensitivity of certain medical information and the \ncomplexity of the health care delivery system, with its \nnumerous players and extensive information exchange \nrequirements. This concern increases with the transition to \nusing more electronic health records. 
A comprehensive privacy \napproach is needed to determine how personally identifiable \ninformation will be disclosed, used, and protected.\n    HHS acknowledges in its national health IT framework the \nneed to protect consumer privacy, and it plans to develop and \nimplement privacy and security policies, practices, and \nstandards for electronic health information exchange. To this \nend, HHS and its Office of the National Coordinator have \ninitiated several efforts, including awarding contracts, \nincluding one for privacy and security solutions; consulting \nwith the National Committee on Vital and Health Statistics to \ndevelop privacy recommendations; and forming a confidentiality, \nprivacy, and security work group to identify and address \nprivacy and security policy issues.\n    Ultimately, the National Coordinator's Office intends to \nuse the results of these initiatives to identify policy and \ntechnical solutions for protecting personal health information \nas part of its continuing efforts to complete a national health \nIT strategy. 
However, while these efforts are good building \nblocks on which progress has been made, important work remains, \nincluding assessing how variations in State laws affect health \ninformation exchange, acting on the privacy and security \ncontractor's findings and advisory group recommendations, and \nidentifying and implementing privacy and security standards.\n    Moreover, how and when HHS plans to integrate the outcomes \nof these initiatives is unclear; thus, we have recommended that \nHHS develop an overall privacy approach that identifies \nmilestones and an accountable entity for integrating the \noutcomes of its health IT contracts and advisory group \nrecommendations, ensures that key privacy principles are fully \naddressed, and addresses key challenges associated with legal \nand policy issues and the disclosure, access to, and security \nof information.\n    In recent discussions with us, the National Coordinator \ncommitted to developing a plan that would accomplish these \nobjectives. In this regard, he announced last weekend an \ninitiative to build consensus around a harmonized set of \nprivacy and security principles which are to serve as a \nframework for addressing these important issues.\n    Overall, Mr. Chairman, the National Coordinator's intent to \nact on such an approach is promising, and building a framework \nbased on fair information principles is a good starting point \nfor moving forward; however, achieving this goal to safeguard \npersonal health information will be difficult and plagued with \nchallenges and will necessitate sustained leadership from HHS \nto realize success.\n    This concludes our prepared statement. We would be pleased \nto respond to any questions that you may have.\n    [The prepared statement of Ms. 
Melvin follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9023.003\n    \n    Mr. Clay. Thank you so much, Ms. Melvin.\n    According to their written testimony, HHS states that it \nhas invested significant resources and efforts in our \nnationwide strategy for protecting health information. Our \nnational health IT agenda approaches our privacy and security \nthrough a full suite of activities both in form of current work \nand preparing for future needs. Specifically, HHS mentions \nauthorizing a review of 34 States and Puerto Rico to analyze \nhow their laws are affecting the sharing of health information. \nYet, GAO's January 2007 report cites HHS' lack of an overall \nstrategic plan for integrating its privacy initiative into a \nhealth information network. 
The report also concludes that HHS \nlacks appropriate milestones to measure its progress to meet \nthese requirements.\n    With that in mind, I would like to ask the following \nquestion: can you explain how HHS is addressing the legal \nbarriers associated with variances in State privacy laws and \nmethods to limit the types of information disclosed through a \nnationwide exchange? And is it true that HHS disagrees with \nGAO's recommendation to establish milestones to measure \nprogress and outcomes in the development of privacy protections \nfor a network? If so, why?\n    Ms. Melvin. When our report was issued, our concern was \nthat HHS did not have, as you said, an integrated plan that \nwould allow all the various initiatives that it has undertaken \nto be integrated and to be guided by milestones and measure its \nprogress, and also from the standpoint of having a leader to \nmake sure that there would be complete integration of the \nvarious initiatives to guide the overall effort.\n    There are other factors related to the variations in the \nState agencies. They do, in fact, have contracts in place that \nare intended to assess those, as you have mentioned, and those \ntypes of initiatives are all the ones that we believe have to \nbe guided and driven by an overall integrated plan that has a \nwell-defined approach to bringing together the specific \ninitiatives, to being able to look at all of the findings and \nthe assessments that are being made, and to develop and \nimplement solutions as a result of what their assessments have \ndetermined.\n    Mr. Clay. Well, can you identify for us the entity or \nentities within HHS that will be responsible for coordinating \nand implementing its privacy initiatives? Who will promulgate \nthe regulations and oversight activities for privacy within the \nnetwork? Is this entity effectively staffed and capable of \nmanaging its responsibilities?\n    Ms. Melvin. 
One of the key areas or pieces of information \nthat we believe is missing is the identification of the \ncritical entity that would be responsible for bringing together \nall of the initiatives, as you have noted, so we cannot \nidentify at this time who that would be. We do understand, \nthrough our recent discussions with Dr. Kolodner, that the \nagency is taking steps through the National Coordinator's \nOffice to implement a framework; however, how that framework \nwill be put in place and who will actually guide and lead their \nefforts to accomplish that has not been specified and we have \nno information that we could share regarding its----\n    Mr. Clay. They don't know yet? I mean, you gave them that \nreport in January of this year.\n    Ms. Melvin. Yes.\n    Mr. Clay. And they have not moved on the recommendations is \nwhat you are telling me?\n    Ms. Melvin. As of last week when we spoke with Dr. Kolodner \ntheir efforts were in the early stages and there was no \nspecific information provided to us relative to who the entity \nwould be that would lead all of those efforts.\n    I should note that when our report was issued the National \nCoordinator's Office did have a difference relative to how they \nshould proceed with a coordinated approach, so it has only been \nin recent times that we have now, I think, reached more \nagreement with them relative to the importance of having a plan \nin place, an approach that would, in fact, include and identify \na specific leader for integrating or overseeing the integration \nof the various initiatives.\n    Mr. Clay. Thank you for that. And this is a question for \neither one of you. One of HIPAA's limitations is that it does \nnot cover all entities that possess or utilize personal health \ninformation. Some life insurers and research entities that are \nnot involved with the treatment of patients fall outside the \nrules. 
Have you examined the practical impact of not covering \nsome entities that have access to personal health information? \nIs this a significant problem, in your view, Ms. Koontz?\n    Ms. Koontz. I think that is a significant issue that \ndeserves more study, and we would like to see HHS consider that \nas it moves forward in developing privacy policies, practices, \nand standards. It is true that HIPAA covers health plans, \nhealth providers who transmit electronic information in support \nof transactions, and health information clearinghouses. The \nentities that you mentioned are outside the coverage of HIPAA. \nI think that, naturally, as we move to a national health \ninformation network in which it will be much easier, and it is \nactually intended to make information flow more easily, this is \nsomething that we should pay a lot more attention to. Again, I \ndo hope that HHS includes this in their deliberations as they \nmove forward.\n    Mr. Clay. OK. Thank you for your response.\n    Let me now turn to my ranking member, Mr. Turner.\n    You may proceed.\n    Mr. Turner. Thank you.\n    Thank you for the information you have provided to us in \nyour testimony today. This is an important issue on pretty much \nthree fronts. We have our desire to find cost savings and \nreduce the spiraling increases in health care costs. The second \nissue is quality of health care. What can we do to increase the \nquality of health care? And the third issue is: how do you \nbalance privacy?\n    So many times when we make an advance in one area privacy \neither takes a hit, or when we think we are taking an advance \nin privacy others take a hit.\n    I will tell you one funny story. Two years ago when I was \nin Washington I broke my sunglasses. I called my wife at home \nand said, can you go and get me some new sunglasses. I have a \nprescription. 
She goes to the eyeglass place and they wouldn't \nlet her buy eyeglasses because they said under HIPAA there is a \nfear that she would discover what my prescription is. You know, \nthat is not exactly something that I have a concern about \nhaving a privacy expectation. But, nevertheless, that was the \napplication. We had to wait until I returned back home until I \ncould get them.\n    So this is a fine balance of what things do we have an \nexpectation of privacy, and what things are important for \nefficiency, and what things do we have for cost savings, and \nmany times there are unintended consequences--you know, I can't \nget my sunglasses unless I am back home--that are overlooked. \nWhat confidence do you have, in describing the process that we \nare undertaking, that the Federal Government is going to be \nable to have a better record in ascertaining that yes, we \nreally need to protect people's privacy, yes, we need to find \ncost savings, and we need to find efficiencies to increase \nquality of health care? What are your thoughts?\n    Ms. Melvin. 
Again, I think the confidence will grow from \nthe extent to which there is transparency in the way that the \nhealth information network is put together and the way that \nprivacy is conveyed to and understood by the public.\n    Our work has emphasized the need for the National \nCoordinator's Office and HHS to spend significant time in \nmaking sure that there is outreach and consensus to bring \ntogether a better understanding among all participants that \nwould be involved in the overall health initiative.\n    You are right, there is an extremely fine balance between \nthe privacy issues and the need to ensure quality care, the \nneed to try to have improvements in the way that information is \nmade available about care, and all of that comes through, \nagain, having a defined plan for how they will do that, as well \nas having necessary outreach, necessary information made \navailable to educate the public on the need for and the use of \nelectronic health records so that certainly at some point \nhopefully there would be buy-in, more buy-in to make this a \nmore successful effort.\n    So I think overall success will depend on how well they can \nreally communicate and convey the need for and ultimately to \nimplement a system that does balance privacy and security with \nthe quality of the care that is being provided.\n    Mr. Turner. One of the issues that has been identified is \nthe cost savings that we expect from going to electronic \nrecordkeeping, and the implementation of technology on this \nissue is that we don't really know what our cost savings would \nbe, and we are not capturing in a very effective way how this \nmight advance us in cost. Do you agree with that? And also, do \nyou have thoughts as to what we could be doing better to \nunderstand really what will we be able to effect in cost \nsavings in this?\n    Ms. Melvin. I think clearly the cost savings is an issue. 
\nThe overall cost of the initiative is an issue that would have \nto be defined based on what technology is ultimately determined \nto be needed and put in place for this, again largely driven by \nthe privacy and policy security implications that would drive \nthe technology that would need to be put in place.\n    Then ultimately, as a part of the overall strategy and the \ndefined approach that the agency would need to have, a key part \nof that is defining what the costs are, what the outcomes that \nresult from that are in the way of benefits and savings. I \nthink all of those aspects collectively are going to be \nimportant in defining what the actual cost is ultimately for \nthe overall initiative.\n    Mr. Turner. Thank you, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Turner.\n    We have been joined by our colleague from New Hampshire, \nMr. Hodes.\n    I understand you have an opening statement. You may proceed \nwith that and then go into your questions.\n    Mr. Hodes. Thank you, Mr. Chairman.\n    Mr. Clay. You have ample time. You are welcome.\n    Mr. Hodes. This is a very important hearing. 
The privacy \nconcerns related to health information technology in the \ndigital age take on an increasingly important role as we \nexamine a health care system which many people feel is a system \nwhich is dysfunctional and not operating as it should, and many \nare looking to electronic medical records technology as a key \ncomponent to making our health care system a better-functioning \nsystem.\n    It seems that it is fairly obvious, at least to me, that \nthere are great benefits in increased coordination of care from \neffective and appropriately constructed medical records \ntechnology systems, because instead of having people carrying \naround paper records and sacks of pills from one doctor to \nanother and having the second doctor trying to figure out what \nit is that patient is on, we can quickly and easily, with \nmedical records technology, determine what care that patient \nhas had.\n    On the other hand, medical records technology presents \ngreat risks to patient security and private information. We \nhave recently seen in the Veterans Administration, which \nfrankly is in the forefront of developing electronic medical \nrecords technology, when a single laptop is lost there is \nenormous amounts of personal data that is compromised. So \ncoming up with the right construct and the right system is \nclearly very important, and it is, I think, an urgent matter \nfor us because there are a number of initiatives, both in the \nprivate sector and in Government, that are taking us down the \nroad, but it sounds from your testimony and the report that \nthere is still a very, very long way to go in coming up with an \nappropriate national system.\n    [The prepared statement of Hon. Paul W. Hodes follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9023.025\n    \n    [GRAPHIC] [TIFF OMITTED] T9023.026\n    \n    Mr. Hodes. One question, Ms. 
Melvin, that I had raised by \nyour testimony that I would just like you to clarify for me, if \nyou could, would be--and I may not have all the terms right--\nbut you mentioned that the National Coordinator's Office at \nHHS, I believe, had a difference about a national coordinated \napproach when your report was initially sent over?\n    Ms. Melvin. We had originally recommended that they develop \na defined approach that would, in fact, allow them to integrate \nthe various initiatives, that would establish milestones and \ntimeframes for the completion of initiatives, obviously \nconsidering that there were multiple activities going on, and \nthat would, in fact, designate a leader, identify a leader who \nwould lead the overall coordination, an entity that would lead \nthe overall coordination of all of the various initiatives \nbeing put in place.\n    I believe that in this case in their comments HHS \nessentially believed that they did have a comprehensive \napproach. We had a difference relative to the construct of that \napproach and whether, in fact, it contained all of the \nnecessary or recognized all of the necessary components in the \nway of having a designated leader, in the way of having \nestablished milestones, and potentially measures for being able \nto really gauge progress and to guide the overall effort.\n    Mr. Hodes. And I gather there were some discussions that \ntook place?\n    Ms. Melvin. We have subsequently met with Dr. Kolodner, \nactually within the last week. We have talked more about what \nour concerns were relative to the lack of such a defined \napproach, and in talking with him and through information that \nwe have seen since our discussions, there is an indication that \nhe is in agreement with the need for having an approach, some \ntype of road map that would, in fact, provide more detail than \ndefined milestones for integrating the various initiatives that \nare underway.\n    Mr. Hodes. 
There is no disagreement between you and Dr. \nKolodner that the coordinator of any national health \ninformation technology system would be situated at HHS, is \nthere?\n    Ms. Melvin. We have not talked specifically about what \nentity would be the leader to integrate this. Our discussions \nwere at a level relative to the importance, the significance \noverall of developing an approach. We have not described what \nthat approach would be. We do feel it is important, however, \nthat approach does, in fact, define those critical elements \nrelative to timeframes and milestones, measures of performance, \nand also in terms of actually identifying the entity that would \nlead it, but we have not talked about specifically who that \nentity would be.\n    Mr. Hodes. You are just trying to get to square one with \nHHS and have them recognize that there needs to be a \ncoordinated approach with time lines and benchmarks and setting \nout a plan to put together the initiatives that have already \nbeen begun into some comprehensive plan that we can all look at \nand then talk about?\n    Ms. Melvin. That is absolutely correct, sir.\n    Mr. Hodes. I am just about finished, Mr. Chairman.\n    When you say that Dr. Kolodner has indicated his agreement, \nis that verbally? Is that in writing? How has that agreement \nbeen indicated?\n    Ms. Melvin. Our discussions have been held through a \nmeeting with Dr. Kolodner relative to what actions they were \ntaking, but, as I stated earlier, we have not discussed the \nspecifics of what that planned approach would look like \nultimately. It is our hope, and we do view, you know, the fact \nthat at this point he does agree with the need for that as very \npromising, but, as our statement indicates, it is a very \ndifficult task. It is a long road. It does involve a lot of \ninitiatives, and it will take sustained and committed effort on \nHHS' part to make sure that happens.\n    Mr. Hodes. 
What is your timeframe for getting some sort of \nconcrete response beyond the verbal discussions you have had \nfrom Dr. Kolodner and HHS that would clearly indicate, \nsomething we could look at, that says HHS agrees that we are \ngoing down this road and here is how we are going to get there? \nAre we talking a week? A month? Two months?\n    Ms. Melvin. We have not specified a specific timeframe. \nObviously, based on our recommendation, we do feel it is very \nimportant that this effort be undertaken urgently. It is very \ncritical from the standpoint of the many initiatives that HHS \nand the National Coordinator's Office does have underway that \nlead to the development of technology, the significant point \nbeing that you want security and privacy policies to be in \nplace to really guide and be a factor in determining what \ntechnology is there. So it is an urgent effort, but not one \nthat we put a definite timeframe on for seeing that it happens.\n    Mr. Hodes. Thank you very much.\n    Thank you, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Hodes, for that line of \nquestioning.\n    This question is for either/or. I would like to hear your \nthoughts on HHS' enforcement policies, practices, and \nprocedures. There has been significant criticism of the \nagency's enforcement of HIPAA and lack of civil penalties \nenforced on identified violations. Are the enforcement \nactivities of HHS being carried out in accordance with the \nstatute and the legislation and regulations? Are the current \nregulations adequate to ensure that violating entities are \nbeing sanctioned appropriately?\n    Ms. Koontz. I have to say, first of all, that we have not \nstudied HHS' enforcement actions; however, I think it has been \nwidely reported that there have been few enforcement actions on \ntheir part.\n    The way HIPAA is set up right now is that if an individual \nhas a complaint they can go to HHS, the Office of Civil Rights, \nand complain about privacy violations. 
I think that this, \nagain, is another issue for us moving forward. Under HIPAA, for \nexample, there is no individual right of action. If someone \nisn't satisfied with what happens at HHS, they cannot go to the \ncourts for resolution. I think this is an issue that, you know, \nwe will need to look at over time, but we haven't studied it in \ndepth.\n    Mr. Clay. One IT-specific recommendation offered by the \nNational Council of Vital Health Statistics was for HHS to \nsupport research and development of contextual access criteria \nthat is appropriate for the dissemination and sharing of \nelectronic health information. Do you know whether HHS is \naddressing this issue and, if not, why not? And does GAO concur \nwith the findings and recommendations of the National Committee \non Vital Health Statistics?\n    Ms. Koontz. First of all, in terms of the contextual \ninformation, I think that is quite an exciting idea, because if \nyou look at paper records right now, if you have to disclose a \npaper record I think that the default is to perhaps disclose \nthe whole piece of paper. The idea of this contextual access \nwould be that when you disclosed information you would use \ntechnology in such a way that you could disclose only the \ninformation that was actually needed, so it would be a way to \nreally leverage technology to increase privacy for patients and \nconsumers. So the National Committee on Vital and Health \nStatistics did recommend that HHS look at this more fully in \nthe process, and we support that.\n    I think one of the things that, as they move forward on a \ncomprehensive strategy for addressing privacy, they need to \ntake into consideration the results of all these different \ncontracts and initiatives that they have going on, which seem \nto have a lot of merit. 
They need to take into consideration \nthe recommendations of NCVHS, and they need to take into \nconsideration some of the challenges that I think we raised in \nour report.\n    Mr. Clay. Thank you for that response.\n    When multiple States with conflicting laws have personal \nhealth information concerning the same patient, which State's \nprivacy standard will apply, and under what circumstances? How \ncan entities in one State appropriately manage patient data \nwithin their electronic patient records if they are unaware of \napplicable restrictions in another State?\n    Ms. Koontz. Well, the issue about HIPAA is that HIPAA is \nmeant to be a floor in terms of privacy protection, so that \nmeans it does not preempt a State law that provides greater \nprivacy protections than the Federal law. But you are right: \nwhat it leads to is very much a patchwork of different kinds of \nlaws in varying States, and when you go to electronic health \nrecords and you go to a national health information network, \nagain, the information is to move. It can move much more freely \nthan it does now in a paper environment.\n    One of the challenges, when we were doing our study, that \nmany organizations talked to us about is operationalizing these \nvarious requirements and being able to navigate in an \nenvironment where information is created in one State, it is \nsent to another, it is sent yet to another, and how to really \nnavigate in that kind of environment has caused a complexity \nwhich may indicate some need maybe for greater guidance in \nterms of how to navigate this. And some people have suggested, \nof course, that there be some kind of national standard for \nprivacy that is consistent across the States. We haven't \nstudied that further, but that has been an issue that has often \nbeen raised.\n    Mr. Clay. Good. Thank you very much.\n    Mr. Turner.\n    Mr. Turner. Thank you, Mr. 
Chairman.\n    We want to note that Government Health IT reported on June \n15, 2007, that Dr. Kolodner, National Coordinator of Health \nInformation and Technology, has revealed that his office will \npropose a draft framework for privacy policy later this year. \nKolodner said it will reference other privacy policy documents \nfrom organizations such as Connecting for Health, the National \nCommittee on Vital and Health Statistics, and the Organization \nfor Economic Cooperation and Development. I look forward to \nseeing that so we can all have an opportunity to review it and \ndetermine its effectiveness.\n    I am going to ask if you could talk for a moment--and you \nmay not be able to--but the VA's experience during Katrina, we \nhave all heard news reports about how the VA was able to \ntransfer large numbers of patients' records far more quickly \nthan private hospitals. Are you familiar with the VA's \nexperience and their system? Could you comment on that?\n    Ms. Melvin. I am not familiar with that particular \nexperience, but what I can tell you is that VA does have a \ncomprehensive longitudinal electronic health record for its \npatients, which would explain its ability to make information \navailable for those people who were affected by Hurricane \nKatrina. Its system is set up so that it contains a complete \nrecord of each patient that is captured within its system, so \nthat would explain its ability to perhaps have records \navailable more readily certainly than other entities that do \nnot have such a capability at this point.\n    Mr. Turner. Are you familiar with either their experience \nof cost savings or efficiencies in increasing medical care and/\nor privacy issues and policies?\n    Ms. Melvin. I don't have specific information on their cost \nsavings. 
I can tell you, though, that they have a very \nimpressive system in place that has allowed them to achieve \nmany improvements in quality of care through the clinician's \nability to have ready access to information, through their \nability to actually use that information in the health care of \npatients at this point.\n    Mr. Turner. Thank you very much.\n    Ms. Melvin. You are very welcome.\n    Mr. Turner. Thank you, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Turner.\n    Mr. Hodes, any more?\n    Mr. Hodes. Just one more briefly.\n    Mr. Clay. Please proceed.\n    Mr. Hodes. Thank you, Mr. Chairman.\n    I would like to follow up just a little bit on the question \nabout varying State standards, because I note at page, I think \nit looks like 15 of your report, where you talk about the \nchallenges to exchanging electronic health information and the \narea of understanding and resolving legal and policy issues, \nand the first bullet point you talk about is resolving \nuncertainties regarding the extent of Federal privacy \nprotection, and it leads me to the question of how quickly we \ncan go to a national information system with so many differing \nstandards out there among the States.\n    Could you tell us what do you think the benefits would be \nto establishing a Federal standard in these areas, even if it \nmeant hypothetically preempting the States?\n    Ms. Koontz. Well, it is obviously a policy judgment that \nyou are probably in a much better position to make than I, \nbut----\n    Mr. Hodes. That is why I asked the question.\n    Ms. Koontz. Fair enough. But, I mean, the obvious advantage \nhere is that we would be trading off some, getting rid of some \ncomplexity in order to, you know, if we got some \nstandardization. 
Obviously, from talking to a fairly large \nnumber of entities out there who are involved in information \nexchange and involved in providing health care, it is \ntremendously confusing, even to the point of trying to decide \nwhat rules apply, what category do they fit in, and then also \nhow to operationalize all the different kinds of requirements, \nas well. So, I mean, I can see on balance it is on the one hand \nand on the other hand, but there are definitely benefits to \nstandardization, as well, although there may be States where \nyou might end up lowering privacy protection, and I think that \nis an issue for that locality.\n    Mr. Hodes. OK. Thank you very much.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Clay. Thank you, Mr. Hodes.\n    The AHIC, which is a public/private working group chaired \nby the Secretary, assembled a working group on how to address \nprivacy and confidentiality issues last August. What findings, \nif any, have been presented to the Secretary? Is AHIC's work \nconsistent with GAO's findings and recommendations? Are you \nfamiliar with AHIC, the American Health Information Community?\n    Ms. Melvin. Yes, we are familiar with that. As far as their \nfindings and recommendations, at this point we are not certain \nas to exactly what they are doing. We do know that HHS is in \nthe process of assessing the information that they have from \nthem, and we have not compared that to GAO's recommendations, \nas I recall.\n    Mr. Clay. OK.\n    Ms. Melvin. We have not compared them to GAO's \nrecommendations.\n    Mr. Clay. All right. I thank you for that.\n    Let me thank both of you for your answers today and for \nbeing witnesses at this hearing. I think it is such an \nimportant issue, and we certainly appreciate GAO weighing in. \nThank you both. This panel is dismissed.\n    I would now like to invite our second panel of witnesses to \ncome forward, please.\n    Testifying today on our second panel will be Mary R. 
\nGrealy, president of the Healthcare Leadership Council. Welcome \nto you.\n    Byron Pickard, president of the American Health Information \nManagement Association. Thank you for being here.\n    Peter P. Swire, the C. William O'Neill professor of law at \nthe Ohio State University's Moritz College of Law and senior \nfellow at the Center for American Progress.\n    Welcome to all of you.\n    It is the policy of the committee to swear in all witnesses \nbefore they testify. At this time I would like to ask you all \nto stand and raise your right hands.\n    [Witnesses sworn.]\n    Mr. Clay. Let the record show that all of the witnesses \nanswered in the affirmative.\n    Each of you will have 5 minutes to make an opening \nstatement. Your complete written testimony will be included in \nthe hearing record. The yellow light in front of you will \nindicate you have 1 minute remaining. The red light will \nindicate that your time has expired.\n    Ms. Grealy, we will begin with you. You may proceed.\n\nSTATEMENTS OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP \nCOUNCIL; BYRON PICKARD, PRESIDENT, AMERICAN HEALTH INFORMATION \nMANAGEMENT ASSOCIATION; AND PETER SWIRE, SENIOR FELLOW, CENTER \n                     FOR AMERICAN PROGRESS\n\n                  STATEMENT OF MARY R. GREALY\n\n    Ms. Grealy. Thank you, Mr. Chairman and members of the \nsubcommittee. 
On behalf of the members of the Healthcare \nLeadership Council, I want to thank you for the opportunity to \ntestify on this extremely important subject.\n    Certainly all Americans want to be assured, as we move \ntoward a day when virtually all clinical health information \nwill be exchanged electronically, that their confidentiality \nwill be protected and information will be used to provide \nhealth care of the highest quality.\n    The Healthcare Leadership Council is comprised of chief \nexecutives of many of the Nation's leading health care \ncompanies and organizations representing all sectors of \nAmerican health care. Our members are some of the early \nadopters of health information technology.\n    Mr. Chairman, with my time limitations there are two key \npoints that I would like to make today. First, allow me to \ncomment on the current HIPAA privacy rule, a rule that was \ndeveloped through careful, detailed deliberations over a 5-year \nperiod, and its effectiveness in the context of electronic \nhealth information exchange.\n    We are concerned that the transition to more widespread use \nof electronic medical records will prompt a reactive call in \nsome quarters for additional burdensome privacy regulations. It \nis important to note that the HIPAA privacy rule, which is \nalready quite restrictive, was spurred by the growth of \nelectronic transactions and already contains ample provisions \ngoverning the confidentiality of information, electronic or \notherwise. It is even more important to recognize that more-\nrestrictive rules, such as requiring providers and payers to \nobtain prior consent for treatment, payment, and health care \noperations, would delay and disrupt health care, particularly \nfor the most vulnerable patients.\n    The fact is, Mr. 
Chairman, the HIPAA privacy rule has a \nsuccessful track record, and that success is being achieved in \nan environment in which multi-State electronic data exchange is \nalready occurring.\n    Health care providers and plans have spent significant \nresources to comply with the HIPAA rule. Before considering any \nchanges, we should be certain that they are absolutely \nessential and would warrant diverting finite resources from \npatient care to additional administrative compliance.\n    The other point I wish to make this afternoon is that, \nwhile the HIPAA privacy rule is effective in protecting patient \nconfidentiality, the development of a multi-State network \nrequires the creation of a uniform Federal privacy standard. \nWhile HIPAA establishes such a standard, it permits State \nvariations that are found in thousands of statutes, \nregulations, common law principles, and advisories. This \npatchwork quilt creates confusion among those who hold \nidentifiable health information and those who seek to establish \nthese data exchanges.\n    We believe strongly in a national standard that provides \nstrong privacy protections for every American and facilitates \nnationwide and system-wide electronic data exchange for the \nbetterment of patient care.\n    Mr. Chairman, Section 6 of your bill, H.R. 4832, laid out a \nprocess to help achieve that national standard, and we hope \nthat it will find its way and be part of any future HIT \nlegislation.\n    One thing that helps us put a face on health care policy \nand to put it in perspective is that these issues unavoidably \nbecome personal for all of us. My family currently has a \ncompelling example in the person of my 88 year old father, who \nlives in Fort Lauderdale, FL. Just a few months ago, after a \nbrief hospital stay for acute kidney failure, he began a \nregimen of dialysis three times a week. 
At the same time, he \nwas receiving radiation treatment for prostate cancer.\n    I can tell you firsthand that the staffs in the hospital, \nthe radiation center, the dialysis center, and the various \nphysician offices are fully complying with the HIPAA privacy \nrules, oftentimes making it difficult for me and my five \nbrothers and sisters to help coordinate his care. Be assured \nthat health professionals take the rules very seriously.\n    More importantly, however, I am also experiencing firsthand \nthe absolutely critical need for a unified electronic health \nrecord so that my Dad's oncologist, nephrologist, internist, \ncardiologist, nutritionist, radiation center, and dialysis \ncenter would all know in real time what each is prescribing \nand, more importantly, how he is doing. For example, sharing \nthe results of lab tests, sharing the prescriptions that they \nare ordering.\n    An electronic health record would have avoided my Dad's \nrecent experience of receiving Procrit from his oncologist \nwhile he was receiving a similar medication, Epigen, at the \ndialysis center. Unfortunately, it fell to us to alert and \nnotify those two health providers, because they were not \nsharing this information.\n    You can see the importance of having this electronic health \nrecord. America's patients, not just my Dad, need electronic \nhealth record, and I applaud the efforts that you, Mr. \nChairman, and others have put toward achieving that goal.\n    We look forward to working with you, finding the \nappropriate balance between privacy and the need for sharing \nthis important information as we move forward in this important \narea.\n    Thank you.\n    [The prepared statement of Ms. 
Grealy follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9023.027 through T9023.046\n    \n    Mr. Clay. Thank you so much, Ms. Grealy, for that \ntestimony.\n    Mr. Pickard, you may proceed.\n\n                   STATEMENT OF BYRON PICKARD\n\n    Mr. Pickard. Chairman Clay and members of the subcommittee, \nthank you for this opportunity to testify. I will be testifying \non behalf of AHIMA, but will also draw upon my professional \nexperiences to describe the public/private efforts currently \nunderway exploring the privacy of electronically transmitted \nhealth information.\n    My written testimony addresses some areas of specific \ninterest to our profession; namely, expansion of privacy \nprotections for personal health records, differences between \nHIPAA at business associates and non-covered third-party \ncontractors, and protecting student health information, and \nconflicts between HIPAA and FERPA. AHIMA also has a foundation \nof research and education, which has received several grants \nand contracts from the Office of the National Coordinator and \nothers. I have attached a list of those commitments.\n    Mr. 
Chairman, the HIM professionals' responsibilities are \ninterwoven with privacy and security issues. The expansion of \nconfidentiality management and protection is impacted not only \nby HIPAA but also by the health care industry's continued \ntransformation from a paper intensive industry to one of \nelectronic records and transmissions.\n    I wish I could tell you that the health care industry has \nbeen transformed into a fully electronic system, but, in fact, \nI cannot. We are in the midst of what would be a long \ntransition.\n    In working through these transitional issues, AHIMA has \npartnered with the American Medical Informatics Association and \nwe have produced two joint statements relative to today's \ndiscussion, one on health information confidentiality, and the \nother on the value of personal health records. With so much \nhistory and experience in the protection of health information, \nit is important to note AHIMA's position. Our written testimony \ncontains our full list of health information confidentiality \nprinciples.\n    As our health care system becomes more interconnected, our \nnetworked health information will flow across a range of \nentities and boundaries. It will be critical to follow these \nprinciples. Privacy protections must follow personal health \ninformation [PHI], no matter where it resides, and uniform and \nuniversal protections for PHI should apply across all \njurisdictions in order to facilitate consistent understanding \nand compliance.\n    Considerable time has been spent exploring and developing \nelectronic health information exchange and how to protect \nhealth information by the Agency for Health Care Research and \nQuality, the American Health Information Community, the Office of \nthe National Coordinator, and others. 
These initiatives and \ntheir impact on privacy and security are detailed in our \nwritten testimony.\n    AHIMA members, and especially those who fill the role of \nprivacy officer, are noting that the issue of confidentiality is \nmoving beyond just health care. With the banking and finance \nindustries handling health information more frequently, it has \nbecome apparent that we must soon address the comprehensive \nprotection of an individual's information, whether \nit is financial or health related. This is an issue that \nCongress will need to investigate as we see more change in the \nbordering of industry boundaries.\n    We also see a need for consumer education to address \nconfidentiality and security, as well as the value of health \ninformation technology usage. It is only with consumer trust \nthat a national infrastructure can be built and laws adopted or \nmodified to facilitate information exchange.\n    AHIMA has long called for consumer-based personal health \nrecords, in addition to the standard provider-based electronic \nhealth records. While we have never endorsed a PHR product, we \nhave called for consumers to use a PHR, whether in paper or \nelectronic form, to track their own health status. To support \nthis goal, AHIMA embarked upon a PHR consumer education \ncampaign that combines the use of a consumer Web site with \npublic presentations by AHIMA members in each and every State.\n    AHIMA is leading an effort to ensure interoperability of \nthe PHR, with the new Health Level Seven standard electronic \nhealth record, and we expect to see a new PHR electronic \nstandard from HL-7 in the near future.\n    AHIMA's belief that protections should follow personal \nhealth information, no matter where it might be stored or \ntransferred, clearly extends to PHRs. PHRs can be stored or \noffered by a variety of different vendors or operators. Some of 
Some of \nthese vendors are HIPAA-covered entities, and others are not.\n    Protections against the discrimination and misuse of PHR \ninformation must be established along with a requirement that \nany access or use of PHR information be governed by a separate \nauthorization unless otherwise required by law. Except for PHRs \noffered by health care providers, we believe that individuals \nshould be given the right to opt out of a PHR being built for \nthem or their family members.\n    The answers are not simple. As the AHIC and the NCVHS and \nothers discuss and provide recommendations in the privacy and \nsecurity area, Congress can also begin to look at some very \nimportant issues: that confidentiality of protections follow \nthe information no matter where it resides or is transferred; \nthat comprehensive non-discrimination laws have harsh penalties \nfor the intentional misuse of health information; that we \nprosecute those who break these laws; that we penalize those \nentities that are non-compliant with confidentiality and \nsecurity laws and regulations; that conflicts between HIPAA \nversus FERPA be eliminated in favor of consistent and strong \nconfidentiality; and that proposed laws be reviewed to identify \nbarriers that may arise that would impede the deployment of \nhealth information technology products, expansion of health \ninformation exchange, and critical uses of health information.\n    Mr. Chairman and members of the subcommittee, I hope that \nour testimony has given you an insight into the aspects of \nhealth care confidentiality and security that you are seeking, \nand that our recommendations will provide you with guidance as \nyou address the many difficult questions facing our community. \nI stand ready to answer any further questions or concerns you \nmight have.\n    Thank you.\n    [The prepared statement of Mr. 
Pickard follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9023.047 through T9023.067\n    \n    Mr. Clay. Thank you so much, Mr. Pickard.\n    Mr. Swire, of the Ohio State University.\n\n                    STATEMENT OF PETER SWIRE\n\n    Mr. Swire. The Ohio State University, home of the Buckeyes. \nYes, sir.\n    Mr. Clay. Yes, sir.\n    Mr. Swire. Mr. Chairman, members of the subcommittee, thank \nyou very much for the invitation to testify here today on \nprivacy and security of electronic health records.\n    Today fewer than 10 percent of our clinical records in the \ncountry are accessible in electronic form, and all of us hope \nthat number climbs sharply in the next decade.\n    My colleague at the Center for American Progress, Karen \nDavenport, has recently released a new report about health IT \nand the quality improvements, and, Mr. Chairman, I ask if that \ncould be submitted to the record for this hearing.\n    Mr. Clay. Yes, please.\n    Mr. Swire. 
Thank you.\n    To make this shift to the NHIN, the National Health \nInformation Network, we need to get privacy and security right. \nPublic surveys repeatedly showed that these privacy concerns \nare top of mind when it comes to the shift to electronic health \nrecords. Unless Americans are convinced that effective \nsafeguards are in place, many of the benefits of this NHIN may \nbe delayed or lost entirely.\n    My written statement addresses various issues, but I would \nhighlight two things in the testimony today: preemption and \nenforcement.\n    On preemption, my theme is that the wrong sort of \npreemption would actually repeal many existing privacy and \nsecurity safeguards. On enforcement, the current no enforcement \nsystem is not a sound basis for going forward with electronic \nhealth records.\n    Briefly, my background before returning to law teaching, I \nserved as chief counselor for privacy in the U.S. Office of \nManagement and Budget in 1999 and 2000, and in that role I was \nthe White House coordinator for the HIPAA privacy rule. This \nhas lost me many friends in the medical community.\n    During that time we had over 50,000 public comments on the \nproposed rule, and I co-chaired the process to look at those, \ntry to respond to them, and come up with a final rule by the \nend of 2000, and I have worked in this area since. So it is \nbased on that I try to offer some observations today.\n    On preemption, my first theme is that simple preemption of \nState laws going to HIPAA alone would repeal many existing \nprivacy protections.\n    In many States we have protections for things like HIV \nrecords, mental health, substance abuse, reproductive records, \nPublic Health Agency records, genetic records, and if we simply \nsay let's do HIPAA, then that means that all of the State \nprotections would be repealed.\n    In Ms. Grealy's testimony, they feature Indiana as a State \nto look to. 
Indiana has the fewest State safeguards, and so \nharmonizing on that level would be a drop in privacy \nprotection, and we should be careful about doing that.\n    On enforcement, I have serious concerns about the lack of \nenforcement from HHS. This is an oversight issue. This creates \nan obstacle to going forward with electronic health records. If \nno enforcements are brought under the current system so far \nunder HIPAA, why should the public trust we are going to have \ngood enforcement for the next generation?\n    Let me emphasize my criticism here goes to law and policy \nand not to the good faith or the intelligence or hard work of \npeople at HHS, but there are some legal problems the Congress \nmay need to address.\n    There are three principal problems in enforcement:\n    First, the batting average for HHS is pretty low. There has \nbeen 27,000 complaints and zero civil or monetary penalties, so \nover 27,000. That doesn't create a lot of confidence.\n    Second, the current administration has adopted the policy \nof one free violation. In an enforcement rule last year, HHS \nsaid that the first violation simply won't lead to a penalty; \ninstead, it will lead to a planned correct going forward. This \nsends the signal that medical privacy shouldn't be taken \nseriously. If you are a covered entity, just wait until they \ncome the first time and then you can fix it, but you don't face \nany exposure.\n    Third, the Department of Justice has dropped the ball on \ncriminal prosecution. Justice has received almost 400 referrals \nfrom HHS and has brought zero cases under those 400 referrals. \nThese are the most serious cases, and the problem is that, once \nit goes to DOJ, under current policy HHS stops all proceedings, \nso the most serious cases HHS doesn't do it and DOJ doesn't do \nit.\n    This lack of enforcement has been the subject of major \nstories in the Wall Street Journal and the Washington Post. 
One \nexpert was quoted in the Post saying, ``HHS really isn't doing \nanything, so why should I worry?''\n    The lack of HIPAA enforcement will make it harder to build \nthe next generation of electronic health records. Critics will \nbe on strong and legitimate ground saying they can't trust the \ncurrent system, much less the higher level of trust we would \nwant to have if we go to the all-electronic NHIN.\n    In my testimony I point out that we can respond to these \nproblems perhaps by HHS changes or by targeted legislation. \nHere are three things to consider, and then I will close: \nfirst, HHS can end the one free violation part of the \nenforcement reg; second, we should end the current \ninterpretation where HHS stops its own enforcement efforts in \nthe most serious cases whenever there is a criminal referral to \nDOJ; and, third, a mistaken Department of Justice legal opinion \nthat narrowed the criminal provisions of HIPAA should be \nrevisited. They really take the position that only the hospital \nthat intentionally violates the law and not any of the \nindividuals who break the law can be enforced.\n    That concludes my comments. I welcome any questions you may \nhave.\n    [The prepared statement of Mr. Swire follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9023.068 through T9023.075\n    \n    Mr. Clay. Thank you, Mr. Swire.\n    Let me thank the entire panel for their testimony today.\n    We will begin the question period under the 5-minute rule, \nand I will begin with a general question for everyone to \ncomment on. 
Many electronic health care tools such as \nelectronic health records and internet-based personal health \nrecords are available to consumers today. The country, however, \nis still lacking an established nationwide approach for \nensuring that personal health information will be protected \nfrom inappropriate disclosure. Do you believe that the \nimplementation of health IT is beginning to out-pace the \ndevelopment of overall privacy policies and practices?\n    We will start with Ms. Grealy.\n    Ms. Grealy. Well, as I said, both from my experience as \nheading up the Healthcare Leadership Council and formerly with \nthe American Hospital Association, as well as my personal \nexperience dealing with health care for my family, providers \ntook the HIPAA privacy rule very, very seriously. They put in \nplace compliance plans, a lot of education, and this was \nthroughout all of the covered entities, the various business \nassociates. I am not sure we often recognize just how much went \ninto making sure they understood the HIPAA privacy rules and \nthey were in compliance.\n    The rules are very complex. I just want to touch on, I \nthink, the approach that HHS and the Office of Civil Rights has \ntaken is really the proper approach. They could have taken a \n``gotcha'' approach, and, you know, every time we find you have \nmade just the slightest error we are coming after you with \ncivil and monetary penalties or criminal penalties. I think, \ninstead, what they did was to develop a partnership. We want \nthis rule to work, and so we have partnered with providers and \nothers to educate them.\n    Of the 27,000 complaints that have been registered, I think \nif you delve into them, if you talk with the people at the \nOffice of Civil Rights you will find that many, many, the vast \nmajority, were really a misunderstanding of what was required \nby the privacy rule. 
In fact, many times we have run into what \nI would call hyper-compliance, where we have providers \nunwilling to share information with those who could benefit \nfrom it because they throw up HIPAA doesn't allow me to do \nthat. So we really have to strike that appropriate balance.\n    As we move into the electronic world, security measures are \nin place. I think we also sometimes lose sight that these \nelectronic medical records can be much more secure than the \npaper records that have been sitting in file cabinets and \nphysicians' offices. Oftentimes you have no way of determining \nwho has accessed those records, unlike in the electronic world \nwhere you can establish an audit trail. You can really \ndetermine who has accessed that and whether it is appropriate. \nYou can password protect it.\n    So I think we have a framework. We may have to modify it. \nYou can tell from the GAO testimony that there is a lot of work \ngoing on at HHS, at AHIC, the National Committee on Vital \nHealth Statistics, to determine what is appropriate in this \nelectronic world. But remember, this all started because people \nwere concerned about the electronic transmission of personally \nidentifiable health information. That is what started the HIPAA \nstatute and resulted in the HIPAA privacy rule. So I don't \nthink we need a wholesale revision of it. We may need some \ntweaking of it. But I think right now it is workable, and a lot \nof providers are spending a lot of time and resources that \ndon't go to direct patient care, but instead go toward \ncompliance. I think we have to be very, very careful in terms \nof how we use those resources.\n    Mr. Clay. Thank you, Ms. Grealy.\n    Mr. Pickard.\n    Mr. Pickard. Yes. I would have to agree, and I think that \nit is not a question of the technology but more about the \nactual policies. 
I do believe that HIPAA has provided a good \nframework, and I think where we run into challenges or where we \nwill run into challenges are the other entities, the other \ntypes of entities outside of the HIPAA boundaries, the covered \nentities that are now faced with handling health information. \nSo I believe that is probably where we run into challenges \nassociated with HIPAA. That, again, kind of brings us back to \nan important point or important principle within my testimony, \nand that is that the confidentiality and privacy protections \nfollow the information, no matter where it goes or where it \nresides or how it is accessed or handled.\n    Mr. Clay. How about you, Mr. Swire?\n    Mr. Swire. Thank you, sir.\n    A fairly simple point. HIPAA came about when we made a \nshift for payment records from paper to electronic, so you \nwould file with Medicare, insurance companies electronically, \nand Congress said in 1996 let's do privacy and security with \nthat.\n    We are now in chapter two, and chapter two is the shift for \nclinical records, your x-rays and all the rest of those things, \nand we are now building the systems for the first time to \nreally move clinical records, so we should build those systems \nright for this generation like we tried to build systems right \nfor the payments generation, and that is our job together.\n    The easiest time to get privacy and security right is when \nyou build it the first time. It is much harder to patch later. \nThat is where Congress can take a leadership role and make sure \nwe do it.\n    Mr. Clay. Thank you for that response.\n    Mr. Hodes.\n    Mr. Hodes. Thank you, Mr. 
Chairman.\n    Professor Swire, I am interested in and appreciate your \ncondensed version of arguments about preemption and what we \nmight lose by it, because really I think that goes to the heart \nof policy issues that Congress is facing in dealing with the \nquestions of a national health information network versus \nleaving it to what is clearly a rapidly evolving patchwork of \nregulation. You point out that we have HIPAA as, call it, a \nbaseline, but that many States have--in fact, I think all the \nStates have dealt with other medical information of a very \nsensitive kind that HIPAA simply doesn't deal with. So I take \nto heart your point about not rushing too quickly to simply say \nHIPAA is the standard and that is the national standard and \nthat is where we are leaving it.\n    If we were to look at the national picture, which I am sure \nyou have much more than I have, how would you balance, in \nlooking what the various States have done in terms of the \nissues you have raised on pages three and four of your report--\nmental health records, HIV, and all that--if Congress was \ninclined to try to set some national standard, mindful of your \nwarnings? How would you suggest we go about looking at what the \nStates have done? Should we simply say we are going to take the \nbest standards from whichever State best protects privacy and \nsecurity of people and that is the one we are going to use for \nHIV, and similarly we are going to look at mental health \nrecords and take the best one that we can get from State B, and \nthen we are going to incorporate it with this other baseline \nand call it a Federal standard? What do you think?\n    Mr. Swire. Well, we could go on for quite some time----\n    Mr. Hodes. I know.\n    Mr. Swire [continuing]. To try to figure out how to do \nthat, but----\n    Mr. Hodes. I have only got 5 minutes.\n    Mr. Swire. I know, and I will try to do it in about four \nsentences. 
Not really.\n    The first point is best does not mean stricter or less \nstrict. You can't avoid making some judgments here, so when it \ncomes to HIV data you have a public health issue if people \nwon't get tested, and if you repeal for big cities' HIV \nprotections you could face public health risks, and that \ndoesn't seem like a good idea to me.\n    But I think one step here is I think that HHS and the \nGovernment can play a much better role in helping us all \nunderstand what the State laws are, and here is a specific \nthing. There is this RTI study--that is the contractor for \nHHS--and they have gone and done studies of, I think, 34 \nStates. I have been told by somebody who has been near the \nprocess that they are not planning to release the surveys from \nthe States to the public. It seems to me if Government is going \nto spend contractor money to try to figure out what all these \nState laws mean, they reduce compliance costs for everybody if \nwe get that information out to everybody, so just a much better \njob of education and getting the information out there so that \npeople don't have to go to expensive law firms to try to figure \nit out. That is one step toward knowing what needs to be done.\n    Ms. Grealy. Congressman, I would like to comment----\n    Mr. Hodes. Please. Thank you.\n    Ms. Grealy [continuing]. Because we undertook one of those \nvery expensive studies, $1 million investment, to have a tool \nwhere providers could check to see what is the State law, what \nis the variation. That still requires time. It is a lot of \nmoney to maintain that system, and I don't think it addresses \nyour question. I don't think it really gives us a workable \nnational standard. Just because we have the information from \nthe RTI study, we still have all this variation.\n    We don't have to sacrifice privacy to develop this \nstandard. Again I reference Section 6 in H.R. 4852, which \nreally set out a process. 
Let's look at the States, let's study \nthe variation, and then come up with recommendations as to what \nwould be the appropriate rule in those very sensitive areas. We \nhave done it for mental health to a certain degree in the HIPAA \nprivacy rule, but we certainly could improve it in those other \nareas.\n    Mr. Hodes. Thank you.\n    Mr. Pickard, did you want to comment?\n    Mr. Pickard. No.\n    Mr. Hodes. Thank you.\n    Mr. Chairman, I yield back. Thank you very much.\n    Mr. Clay. Thank you for that line of questions.\n    I asked this question to GAO during the first panel and \nwould like to hear your thoughts on the topic. A significant \nproblem with HIPAA is that it does not cover all entities that \npossess or utilize personal health information. Some life \ninsurers and research entities not involved with the treatment \nof patients fall outside the rules. In your work, have you \nanalyzed this problem? And how significant is it, in your view?\n    Let's start with Mr. Swire.\n    Mr. Swire. OK. So this has to do with who should be covered \nentities, and the statute sets that forth. HHS doesn't have a \nlot of wiggle room on that, so it would have to come from \nCongress.\n    I think that for life insurance it is not such a big \nprogram. Gramm-Leach-Bliley applies there. But in my testimony \nI point out that if you say anything that touches medical data, \nlike I buy a breast cancer book for somebody on Amazon, we \ndon't want to suddenly have HIPAA kick in just because they \nmention the word health, and so how to expand it is something \nthat you have to be careful about.\n    One area of concern is that public health agencies are not \nsubject to Federal laws, and law enforcement when it grabs \nhealth data, and there may be some work to be done on the \nGovernment's side to make sure that effective protections are \nin place, especially if they are trying to gather lots of bio-\nsurveillance kinds of things going forward.\n    Mr. Clay. 
Mr. Pickard.\n    Mr. Pickard. Yes. If I could just say, that is an important \nquestion. I think that our association, AHIMA, strongly \nbelieves in harmonization of all of the privacy protections \nacross all entities. When you look at the personal health \nrecords, when HIPAA was developed personal health records were \nbarely being talked about. In a university setting with student \nrecords there is a lack of harmonization, as I mentioned in my \ntestimony, between the FERPA, or Family Education Rights \nPrivacy Act, and HIPAA. There are differences. And so I think \nit is an important question, and I think that, again, I agree \nit is one that will require answers and consideration as we \nmove forward.\n    Mr. Clay. Thank you.\n    Ms. Grealy, any thoughts?\n    Ms. Grealy. Well, as always, it is a balancing question. We \nwant to make sure that we are not stifling innovation, as we \nhave. I mean, I think we are finally beginning to see patients \nbecoming more engaged in helping to manage their health care, \nand getting them engaged with personal health records I think \nis a very positive thing. We want to make sure that they feel \nvery secure when they are sharing that information.\n    Now, is the best way to go about that, make everyone a \ncovered entity? Is it better to make them business associates? \nI think we just have to make sure that the rules are clear, \nthat we don't have conflicting standards out there. So if you \nstart expanding business associates, making them covered \nentities, they may be in one sense a business associate, have \nto comply with a covered entity's rules, but then in another \nsetting they become a covered entity, and they all hold a \ndifferent set of standards.\n    So, again, we know that there is work going on in this \narea. I know AHIC is looking at it. We are going to be \ntestifying before them on Friday. 
But, again, just carefully \nlooking at those and making sure that we are not getting into \nover-regulation and stifling the innovation that is really \ntaking place out there.\n    I think one of the most important things I heard from the \nGAO panel, and something that we really have to focus on, is \neducating the public, communicating to them why do we want this \ninformation, but, more importantly, why is it good for you as a \npatient for us to have this information. Why do we want it? How \nare we going to share it? And how are we going to protect that \ninformation and keep it secure? So they know under HIPAA and \nvarious State statutes we can't disclose it to their employer, \nwe can't disclose it to the newspaper, we can't disclose it to \ntheir neighbors. But we have to assure people that it is \nimportant for their health and for the health of future \ngenerations for us to have a workable privacy rule that allows \nfor the necessary flow of health information.\n    Mr. Clay. Along those same lines, there is significant \ndebate concerning the most effective way to obtain patient \nauthorization for the disclosure or sharing of personal health \ninformation. For a national health information network to be \nsuccessful, doesn't it require a stronger uniform privacy \nstandard that requires affirmative consent from a patient for \nall information disclosure? And yes, we can start with you. I \nwould like to hear comments from the entire panel.\n    Ms. Grealy. I have the great benefit of every once in a \nwhile getting out there and talking to the real people that are \nactually doing this. I was just in Delaware, where they are \ndoing a demonstration project with a health information \nnetwork. We talked about this. Let's call it opt-in versus opt-\nout.\n    I am going around and asking this question: how would your \ndata exchange system work if it had to be an opt-in? 
If you are \nthe Mayo that has a century worth of data, longitudinal \nstudies, how would it work if you had to have an opt-in as \nopposed to you have the information, you give people the \nopportunity to opt-out of it? But if you had to go to each \nindividual patient, to each individual subject that you want \nincluded, and get their affirmative decision to be included and \nto share their electronic medical record, I think it would halt \nthe system.\n    If we have to make a decision between the two, certainly \nopt-out is going to be better.\n    Mr. Clay. Mr. Pickard, any comments?\n    Mr. Pickard. Yes. Again, I think this is probably an area \nwhere AHIC is, in terms of their Privacy and Security Committee \nis looking into these types of issues.\n    I can tell you in the State of Tennessee, with our health \ninformation exchange we have run up against this very question \nor this very issue, and we have put in protocols to enable \npatients to opt in or opt out, and then certainly you have the \nwhole concept of patient identification. But, again, I think it \nis an important issue.\n    Mr. Clay. Mr. Swire.\n    Mr. Swire. Thank you. So the one way this comes up is if \nsomebody sees a psychiatrist or gets substance abuse or \nsomething else and they say, look, I don't want this going out \nto everybody everywhere. So one idea of consent or \nauthorization is some way for the patient to say, hold on, not \nthis.\n    I think it makes sense to a lot of people that some sort of \npermission for patients or some sort of control over that might \nmake sense.\n    Now, we can talk opt-in/opt-out. Some of the systems don't \nwant to have an opt at all. They just want to say we are going \nto sign everybody up. I think that is a concern. So if you \ndon't want to be in at all, if you don't want to just sort of \nhave my doctor puts everything in and I have no control over \nthat, I don't think that is the right place to be. 
The question \nis what point, for how many choices, will a patient have any \nsay.\n    I worked on Markle's Connecting for Health Task Force, and \nthey have a write-up on this that I think goes through it in a \nsensible way, and I think you end up with an opt out where that \nis realistic where patients say, look, it generally goes in, \nbut if I say it doesn't we should try to build it so it doesn't \ngo in.\n    Mr. Clay. Just to pause after hearing the three different \nresponses, what is the damage? What is the harm if someone \nother than a health care provider gets a copy of an x-ray or \nthey get a record of a prescription? What do you think the harm \nis?\n    Ms. Grealy. I think the concern is that the health care \nprovider might not get the x-ray. I mean, I am not even talking \nabout disclosures to those that really shouldn't have the \ninformation. We are talking about patients saying, no, \nprovider, the physician treating me cannot have this \ninformation. So we have to be very, very cautious, again, in \nthat balance of making sure, and there may be a system of, you \nknow, flagging it so the physician knows I don't have all the \ninformation, I had better check with this patient.\n    I am not sure how that translates when we are trying to \nbuild data bases to improve the quality of health care, to \nimprove treatment for disease, if we have a lot of critical \nmissing information.\n    Mr. Clay. Well, like the example you use in your testimony, \nthe pharmacist should have relayed to both physicians for your \nfather what medicines?\n    Ms. Grealy. If this were something that he was getting at a \npharmacy, you are right. CVS, one of our members, they have \ngone electronic, so they can do those alerts. But these were \nservices, these were hormone shots, one being given in the \noncologist's office and the other being part of the dialysis \ncenter treatment. 
There is no pharmacist in the picture, no \nelectronic medical record to exchange that information, and so \nno way to alert.\n    Mr. Clay. Mr. Pickard, any thoughts?\n    Mr. Pickard. Again, I think--and I said this in my \ntestimony--I think we need to move away from thinking about the \ntype of information and the entity and make sure that the \nprivacy protections do follow the health information wherever \nit resides.\n    Let me just share. If I am an employee, I want the \ncapability to opt out and to perhaps not have my employer have \ncertain types of information. This is particularly important in \ntoday's environment where a lot of employers or insurances, for \nthat matter, are developing personal health record tools for \nemployees or subscribers. I think as an employee or an \ninsurance subscriber, I should have that right to opt out of \nthat.\n    Mr. Swire. Just one point to add on is that some of the \nmost sensitive kinds of data that I have been talking about, \nthe mental health and substance abuse, genetic, or whatever, \nare only protected by State law, so even if x-rays aren't, \nthese other things are only protected by State law, and if we \nwere to harmonize at the national baseline then those \npsychiatric notes, the substance abuse things, and the rest \ncould be going through the system, and that is a reason not to \npreempt too strictly or not to preempt at a low level.\n    Mr. Clay. Let me ask this. This is a question for the \nentire panel. There have been long-term concerns on how health \ninformation is treated differently under institutions that are \nalso covered under different privacy regulations, such as \nFamily Educational Rights and Privacy Act of 1974. 
Under the \nprivacy rule, records protected by FERPA are not covered by the \nprivacy rule; therefore, even if the information contained in \nan education record is health related, the privacy rule does \nnot apply.\n    Is this an area where conflicts ought to be addressed in \norder to harmonize the way in which patient information is \nprotected?\n    Ms. Grealy, we will ask you first.\n    Ms. Grealy. Well, I think one of the things that those that \nactually have to do compliance are always looking for is: give \nme uniformity. Make it simple. Don't have one set of standards \nhere, another set of standards there. So I think any way we can \nharmonize these requirements is a positive thing.\n    Mr. Clay. Mr. Pickard.\n    Mr. Pickard. I agree. And let me just share, working in a \nuniversity, you know, we interact and deal with both HIPAA \nregulations as well as FERPA regulations, and if I am a student \nand let's say if I have a medical condition that requires me to \nlive off campus, I have to submit what actually becomes part of \nmy academic record health information, and there is a lack of \nstandardization in terms of how that information may or may not \nbe handled. So I agree. I think there needs to be a \nharmonization across all of these different laws.\n    Mr. Clay. Thank you.\n    Mr. Swire.\n    Mr. Swire. I am going to disagree on the FERPA one. I will \njust explain why. That was an issue that I worked on \nextensively during the rule and the comments from the schools, \nassociations, and the rest. The logic at the time--and maybe it \nis different today--was with school nurses in high schools all \nover the country, rural grade schools, all the rest, if we \nharmonized to HIPAA, which is what AHIMA recommends and is \nworth considering, if we harmonize to HIPAA then the school \nnurse in that grade school out in a rural area would have to do \nfull HIPAA compliance. 
And it wasn't clear that was the big \nrisk, and it was clear that there would be a whole compliance \nthing to do if that happened.\n    So the idea there was we thought that there was a pretty \nreasonable FERPA regime in place, that the school nurses \nshouldn't suddenly have to do more, and that was a sensible way \nto go.\n    Now, it does mean that universities like Vanderbilt get a \ndouble whammy, because they get students and then they get some \nother folks who are HIPAA, and suddenly they get both. In some \nways maybe Vanderbilt people are so smart they can handle it, \nbut maybe not every school nurse has to do HIPAA.\n    So I am not really sure how you harmonize, because if you \nharmonize that everybody is HIPAA, then it is the school nurses \nof America that will be here next time.\n    Mr. Clay. Speaking of universities, Mr. Swire, I will ask \nyou and then go down the line. Mr. Mark Rothstein of the \nUniversity of Louisville has written extensively on the use of \ncompelled authorizations for personal health information by \nemployers for job applicants, life insurers for those applying \nfor coverage, and other non-covered entities. If the current \nprivacy rule does not regulate PHI once it is released to a \nthird-party entity not covered under the rule, shouldn't we re-\nexamine who will be covered when receiving electronic health \ninformation?\n    Mr. Swire. That is a great question, and it wouldn't be \neasy to legislate, but here are a couple of points that come \nup.\n    So right now you can't have compelled authorizations for \nhealth care providers. If you show up at the ER and you are \nrolling in on the gurney, they can't say, sign here or we won't \ntreat you, and you sign away everything. That is in HIPAA.\n    The thing was, when HIPAA rules were written, HHS could do \nthat--that is covered entities--but HHS had no jurisdiction \nover the employers of America. 
That just wasn't in the statute, \nso there was no choice in writing the rule about what to do for \nemployers. That is a choice that only Congress can decide to \nstep into.\n    If you want to say, as Congress, we are going to treat the \nemployers the way we treat the hospitals, you can't require \nthese authorizations as a condition of being employed here, \nthat is a decision Congress can make. You are going to hear it \nfrom the employers. And sometimes employers will say we need \nthis to figure out if they can lift the heavy loads or we need \nit for some other job-related thing. But that is what you would \nhave to work through, and it would have to be statute. It can't \nbe by reg.\n    Mr. Clay. Thank you.\n    Any comments on that, Mr. Pickard?\n    Mr. Pickard. Yes. We are seeing many, many different types \nof entities outside of the HIPAA-covered entities and business \nassociates that are handling health information. Again, this \ngoes back to our principles I shared earlier, and that is that \nwe really look to confidentiality protections following the \nhealth information, no matter where it resides, and there needs \nto be a national floor for handling health information.\n    Mr. Clay. OK. Ms. Grealy.\n    Ms. Grealy. I talked with a few of, I think, entities that \npeople are referring to. Revolution Health Care is one that is \nreally getting into working with consumers, developing a \npersonal health record that they can access through the \ninternet. They have a contractual relationship with the \nconsumers that they are dealing with, and they say that they \nare HIPAA compliant, even though they are not a covered entity; \nthat they feel it is a good business practice. 
They want the \ntrust of the consumers that they are dealing with, and it is in \ntheir best interest to make sure that they have a high level of \nsecurity and protecting that information.\n    So I think all of us have mentioned we know that AHIC, HHS, \nand others are really exploring these issues, and I think that \nis really the appropriate place; that we need to look at it \ncarefully; make sure, as I said earlier, that we are not \nstifling innovation by expanding the reach of a heavy \nregulatory scheme; and make sure that it is balanced well, \nbecause I don't think we want to snuff out the innovation that \nis going on out there, but we do want to make sure that this \ninformation is protected.\n    Mr. Clay. All right. Thank you.\n    Let me thank the entire panel for their testimony and their \nanswers. We have certainly covered some ground today. This is a \nvery complex issue. As the Congress takes this issue on of \nhealth information technology and how we actually protect the \nprivacy of citizens throughout this country, patients, we will \ncertainly rely on your expertise, and this hearing has been \nhelpful in shedding light on this. Let me again thank you all \nfor your testimony today.\n    That concludes this hearing.\n    [Whereupon, at 3:30 p.m., the subcommittee was adjourned.]\n    [Additional information submitted for the hearing record \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T9023.076 through T9023.083\n\n                                 <all>\n</pre></body></html>\n"