[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]




 
      PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 19, 2007

                               __________

                           Serial No. 110-33

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                     http://www.oversight.house.gov


                                 ______

                                     
                    U.S. GOVERNMENT PRINTING OFFICE
39-023                      WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

             COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California               TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York             DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California
BRIAN HIGGINS, New York              KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina
    Columbia                         BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota            BILL SALI, Idaho
JIM COOPER, Tennessee                JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 19, 2007....................................     1
Statement of:
    Grealy, Mary R., president, Healthcare Leadership Council; 
      Byron Pickard, president, American Health Information 
      Management Association; and Peter Swire, senior fellow, 
      Center for American Progress...............................    41
        Grealy, Mary R...........................................    41
        Pickard, Byron...........................................    63
        Swire, Peter.............................................    86
    Melvin, Valerie C., Director of Information Management 
      Issues, Government Accountability Office, accompanied by 
      Linda D. Koontz, Director for Information Management 
      Issues, Government Accountability Office...................     6
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     3
    Grealy, Mary R., president, Healthcare Leadership Council, 
      prepared statement of......................................    43
    Hodes, Hon. Paul W., a Representative in Congress from the 
      State of New Hampshire, prepared statement of..............    34
    Melvin, Valerie C., Director of Information Management 
      Issues, Government Accountability Office, prepared 
      statement of...............................................     8
    Pickard, Byron, president, American Health Information 
      Management Association, prepared statement of..............    65
    Swire, Peter, senior fellow, Center for American Progress, 
      prepared statement of......................................    88


      PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS

                              ----------                              


                         TUESDAY, JUNE 19, 2007

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m. in room 
2154, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the subcommittee) presiding.
    Present: Representatives Clay, Maloney, Hodes, and Turner.
    Staff present: Tony Haywood, staff director/counsel; Jean 
Gosa, clerk; Adam C. Bordes, professional staff member; Nidia 
Salazar, staff assistant; Charles Phillips, minority counsel; 
Allyson Blandford, minority professional staff member; Patrick 
Lyden, minority parliamentarian and member services 
coordinator; and Benjamin Chance, minority clerk.
    Mr. Clay. The Subcommittee on Information Policy, Census, 
and National Archives will come to order.
    Let me begin by saying good afternoon and welcome to 
today's hearing on efforts to protect the privacy of personal 
health information in electronic health care information 
systems.
    The use of IT to store, share, and secure electronic health 
information has expanded rapidly in recent years. Many insurers 
and hospitals have already transitioned from paper-based 
records to electronic medical record systems for exchanging 
patient data. This has brought important benefits to both 
patients and providers, including shorter hospital stays, 
improved management of chronic disease, and fewer redundant 
tests and examinations.
    Americans have expressed legitimate concerns, however, 
about the potential for improper disclosure of personally 
identifiable health care information. Before they will fully 
embrace the benefits and efficiencies of e-health solutions, 
patients must be confident that personal information in 
electronic format is as secure and private as information in 
paper records.
    A nationwide health information network promises tremendous 
benefits for patients. For 3 years the Department of Health and 
Human Services has been working to make the idea technically 
and economically feasible. Unfortunately, a January 2007 GAO 
report found that HHS was not doing enough to integrate 
effective privacy safeguards into its long-term national 
strategy for health IT. Varying health IT privacy standards in 
different States are another area of concern.
    While the enactment of the Health Insurance Portability and 
Accountability Act [HIPAA], in 1996 was an important step 
forward, it has left patients with disparate privacy 
protections. I believe we should amend HIPAA to extend the most 
effective and practical privacy safeguards to everyone.
    I introduced bipartisan legislation in the 109th Congress 
which proposed to establish a framework for a uniform national 
health privacy standard. Giving patients greater personal 
control over their health information is critical; therefore, 
putting in place stricter notice and consent requirements for 
all third-party disclosures and information sharing activities 
is an important legislative objective for Congress to achieve.
    Today's hearing will allow different perspectives on these 
issues to be aired as we move toward implementing a national 
health care information network.
    I must say that I am disappointed that HHS was unable to 
supply a suitable witness to appear today on behalf of the 
administration, but the Department has submitted written 
testimony for today's hearing, and I will ask GAO and our other 
witnesses to respond to positions stated in that testimony.
    I look forward to the testimony of all of our witnesses.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T9023.001-T9023.002
    
    Mr. Clay. I assume when the ranking member gets here he 
will have an opening statement and we will yield to him for 
that, but for now we will proceed with the hearing.
    If we don't have any additional statements, the 
subcommittee will now hear testimony from the witnesses before 
us today.
    On our first panel we will hear from Valerie C. Melvin, 
Director for Human Capital and Management Information Systems 
Issues at GAO. Welcome, Ms. Melvin.
    Accompanying Ms. Melvin is Linda D. Koontz, Director for 
Information Management Issues at GAO. Welcome to you.
    Ms. Melvin will deliver GAO's formal testimony, and both 
will respond to questions.
    Thank you for appearing before the committee today. It is 
the policy of the Committee on Oversight and Government Reform 
to swear in all witnesses before they testify. Will you both 
please stand and raise your right hands?
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that the witnesses 
answered in the affirmative.
    Ms. Melvin, you will have 5 minutes to make an opening 
statement. Your complete written testimony will be included in 
the hearing record.
    The lighting system and the timing system do not work, so 
we will notify you, probably through the use of the gavel, when 
you get close to the 5-minute time limit.
    Mr. Turner, thank you for being here.
    Mr. Turner. Mr. Chairman, thank you.
    Mr. Clay. OK. And you may, if you have an opening 
statement, you may proceed, sir.
    Mr. Turner. Thank you, Mr. Chairman. I appreciate that and 
I apologize for my being late.
    I want to thank you for holding this important hearing on 
privacy concerns and health information technology. Many health 
care experts agree that investing in health information 
technology will dramatically improve patient care while 
simultaneously decreasing health care costs.
    For example, Kettering Medical Center in my District and 
its partners have created the Dayton Individual Health Record 
Pilot Project, IHR. The Dayton IHR pilot combines a patient's 
health information from different sources and presents that 
information to patients, doctors, and other health care 
professionals in a format that helps all health participants 
make efficient, appropriate decisions about their care options.
    The Dayton IHR is a Web-based record that allows a patient 
to access their information from their home, the office, or 
even if the patient ends up in an emergency room in another 
town.
    While it is important that technology like the Dayton IHR 
be made available, it should not be available at the sacrifice 
of patient privacy and security. The Dayton IHR ensures that 
only the patient and the physicians granted access by the 
patient can look at the information within the IHR.
    This subcommittee has previously discussed privacy concerns 
in relation to Federal IT infrastructures, and I expressed my 
concerns with how IT breaches affect individuals, as well as 
national security.
    Health care raises unique privacy concerns, but I am 
interested to learn how we can work with all stakeholders to 
address important privacy issues and facilitate the adoption of 
health IT. Health IT holds the promise of increasing the 
quality of health care, as well as decreasing health care costs 
for American families. We must be careful, however, to reach 
these goals without sacrificing the security of professional 
health information.
    I look forward to hearing the information from today's 
witnesses on this important topic, and I yield back the 
remainder of my time.
    Thank you.
    Mr. Clay. Thank you so much, Mr. Turner.
    We will begin with Ms. Melvin.
    You may proceed.

    STATEMENT OF VALERIE C. MELVIN, DIRECTOR OF INFORMATION 
     MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, 
   ACCOMPANIED BY LINDA D. KOONTZ, DIRECTOR FOR INFORMATION 
      MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Melvin. Thank you, Mr. Chairman and Ranking Member 
Turner.
    We are pleased to be here today to testify on privacy 
issues associated with efforts to increase the use of 
information technology in the health care industry. As noted, 
with me today is Linda Koontz, Director of Information 
Management Issues, who is responsible for GAO's privacy work.
    In 2004 President Bush issued an Executive order that 
called for widespread adoption of interoperable electronic 
health records by 2014 and established a National Coordinator 
for Health IT to lead and foster public/private coordination.
    The benefits of health IT are immense, and include reducing 
medical errors and improving public health emergency response. 
However, the increasing use of technology also raises concerns 
regarding the extent to which patient privacy is protected. The 
challenge is to strike the right balance between patient 
privacy concerns and the numerous benefits that IT has to 
offer.
    Over the past few years, we have issued reports and 
testified numerous times on HHS' efforts toward defining a 
national health IT strategy. Among these reports, one issued 
last January highlighted HHS' health IT privacy initiatives. 
Today, as requested, I will summarize the results of that 
study, highlighting three points: the importance of having a 
comprehensive privacy approach, HHS' initial efforts to address 
privacy as part of its national health IT strategy, and 
additional efforts needed.
    Privacy is a major concern in the health care industry, 
given the sensitivity of certain medical information and the 
complexity of the health care delivery system, with its 
numerous players and extensive information exchange 
requirements. This concern increases with the transition to 
using more electronic health records. A comprehensive privacy 
approach is needed to determine how personally identifiable 
information will be disclosed, used, and protected.
    HHS acknowledges in its national health IT framework the 
need to protect consumer privacy, and it plans to develop and 
implement privacy and security policies, practices, and 
standards for electronic health information exchange. To this 
end, HHS and its Office of the National Coordinator have 
initiated several efforts, including awarding contracts, 
including one for privacy and security solutions; consulting 
with the National Committee on Vital and Health Statistics to 
develop privacy recommendations; and forming a confidentiality, 
privacy, and security work group to identify and address 
privacy and security policy issues.
    Ultimately, the National Coordinator's Office intends to 
use the results of these initiatives to identify policy and 
technical solutions for protecting personal health information 
as part of its continuing efforts to complete a national health 
IT strategy. However, while these efforts are good building 
blocks on which progress has been made, important work remains, 
including assessing how variations in State laws affect health 
information exchange, acting on the privacy and security 
contractor's findings and advisory group recommendations, and 
identifying and implementing privacy and security standards.
    Moreover, how and when HHS plans to integrate the outcomes 
of these initiatives is unclear; thus, we have recommended that 
HHS develop an overall privacy approach that identifies 
milestones and an accountable entity for integrating the 
outcomes of its health IT contracts and advisory group 
recommendations, ensures that key privacy principles are fully 
addressed, and addresses key challenges associated with legal 
and policy issues and the disclosure, access to, and security 
of information.
    In recent discussions with us, the National Coordinator 
committed to developing a plan that would accomplish these 
objectives. In this regard, he announced last weekend an 
initiative to build consensus around a harmonized set of 
privacy and security principles which are to serve as a 
framework for addressing these important issues.
    Overall, Mr. Chairman, the National Coordinator's intent to 
act on such an approach is promising, and building a framework 
based on fair information principles is a good starting point 
for moving forward; however, achieving this goal to safeguard 
personal health information will be difficult and plagued with 
challenges and will necessitate sustained leadership from HHS 
to realize success.
    This concludes our prepared statement. We would be pleased 
to respond to any questions that you may have.
    [The prepared statement of Ms. Melvin follows:]

    [GRAPHIC] [TIFF OMITTED] T9023.003-T9023.024
    
    Mr. Clay. Thank you so much, Ms. Melvin.
    According to their written testimony, HHS states that it 
has invested significant resources and efforts in our 
nationwide strategy for protecting health information. Our 
national health IT agenda approaches our privacy and security 
through a full suite of activities, both in the form of current 
work and in preparing for future needs. Specifically, HHS mentions 
authorizing a review of 34 States and Puerto Rico to analyze 
how their laws are affecting the sharing of health information. 
Yet, GAO's January 2007 report cites HHS' lack of an overall 
strategic plan for integrating its privacy initiative into a 
health information network. The report also concludes that HHS 
lacks appropriate milestones to measure its progress to meet 
these requirements.
    With that in mind, I would like to ask the following 
question: can you explain how HHS is addressing the legal 
barriers associated with variances in State privacy laws and 
methods to limit the types of information disclosed through a 
nationwide exchange? And is it true that HHS disagrees with 
GAO's recommendation to establish milestones to measure 
progress and outcomes in the development of privacy protections 
for a network? If so, why?
    Ms. Melvin. When our report was issued, our concern was 
that HHS did not have, as you said, an integrated plan that 
would allow all the various initiatives that it has undertaken 
to be integrated and to be guided by milestones and measure its 
progress, and also from the standpoint of having a leader to 
make sure that there would be complete integration of the 
various initiatives to guide the overall effort.
    There are other factors related to the variations in the 
State agencies. They do, in fact, have contracts in place that 
are intended to assess those, as you have mentioned, and those 
types of initiatives are all the ones that we believe have to 
be guided and driven by an overall integrated plan that has a 
well-defined approach to bringing together the specific 
initiatives, to being able to look at all of the findings and 
the assessments that are being made, and to develop and 
implement solutions as a result of what their assessments have 
determined.
    Mr. Clay. Well, can you identify for us the entity or 
entities within HHS that will be responsible for coordinating 
and implementing its privacy initiatives? Who will promulgate 
the regulations and oversight activities for privacy within the 
network? Is this entity effectively staffed and capable of 
managing its responsibilities?
    Ms. Melvin. One of the key areas or pieces of information 
that we believe is missing is the identification of the 
critical entity that would be responsible for bringing together 
all of the initiatives, as you have noted, so we cannot 
identify at this time who that would be. We do understand, 
through our recent discussions with Dr. Kolodner, that the 
agency is taking steps through the National Coordinator's 
Office to implement a framework; however, how that framework 
will be put in place and who will actually guide and lead their 
efforts to accomplish that has not been specified and we have 
no information that we could share regarding its----
    Mr. Clay. They don't know yet? I mean, you gave them that 
report in January of this year.
    Ms. Melvin. Yes.
    Mr. Clay. And they have not moved on the recommendations is 
what you are telling me?
    Ms. Melvin. As of last week when we spoke with Dr. Kolodner 
their efforts were in the early stages and there was no 
specific information provided to us relative to who the entity 
would be that would lead all of those efforts.
    I should note that when our report was issued the National 
Coordinator's Office did have a difference relative to how they 
should proceed with a coordinated approach, so it has only been 
in recent times that we have now, I think, reached more 
agreement with them relative to the importance of having a plan 
in place, an approach that would, in fact, include and identify 
a specific leader for integrating or overseeing the integration 
of the various initiatives.
    Mr. Clay. Thank you for that. And this is a question for 
either one of you. One of HIPAA's limitations is that it does 
not cover all entities that possess or utilize personal health 
information. Some life insurers and research entities that are 
not involved with the treatment of patients fall outside the 
rules. Have you examined the practical impact of not covering 
some entities that have access to personal health information? 
Is this a significant problem, in your view, Ms. Koontz?
    Ms. Koontz. I think that is a significant issue that 
deserves more study, and we would like to see HHS consider that 
as it moves forward in developing privacy policies, practices, 
and standards. It is true that HIPAA covers health plans, 
health providers who transmit electronic information in support 
of transactions, and health information clearinghouses. The 
entities that you mentioned are outside the coverage of HIPAA. 
I think that, naturally, as we move to a national health 
information network in which it will be much easier, and it is 
actually intended to make information flow more easily, this is 
something that we should pay a lot more attention to. Again, I 
do hope that HHS includes this in their deliberations as they 
move forward.
    Mr. Clay. OK. Thank you for your response.
    Let me now turn to my ranking member, Mr. Turner.
    You may proceed.
    Mr. Turner. Thank you.
    Thank you for the information you have provided to us in 
your testimony today. This is an important issue on pretty much 
three fronts. We have our desire to find cost savings and 
reduce the spiraling increases in health care costs. The second 
issue is quality of health care. What can we do to increase the 
quality of health care? And the third issue is: how do you 
balance privacy?
    So many times when we make an advance in one area privacy 
either takes a hit, or when we think we are taking an advance 
in privacy others take a hit.
    I will tell you one funny story. Two years ago when I was 
in Washington I broke my sunglasses. I called my wife at home 
and said, can you go and get me some new sunglasses. I have a 
prescription. She goes to the eyeglass place and they wouldn't 
let her buy eyeglasses because they said under HIPAA there is a 
fear that she would discover what my prescription is. You know, 
that is not exactly something that I have a concern about 
having a privacy expectation. But, nevertheless, that was the 
application. We had to wait until I returned back home until I 
could get them.
    So this is a fine balance of what things do we have an 
expectation of privacy, and what things are important for 
efficiency, and what things do we have for cost savings, and 
many times there are unintended consequences--you know, I can't 
get my sunglasses unless I am back home--that are overlooked. 
What confidence do you have, in describing the process that we 
are undertaking, that the Federal Government is going to be 
able to have a better record in ascertaining that yes, we 
really need to protect people's privacy, yes, we need to find 
cost savings, and we need to find efficiencies to increase 
quality of health care? What are your thoughts?
    Ms. Melvin. Again, I think the confidence will grow from 
the extent to which there is transparency in the way that the 
health information network is put together and the way that 
privacy is conveyed to and understood by the public.
    Our work has emphasized the need for the National 
Coordinator's Office and HHS to spend significant time in 
making sure that there is outreach and consensus to bring 
together a better understanding among all participants that 
would be involved in the overall health initiative.
    You are right, there is an extremely fine balance between 
the privacy issues and the need to ensure quality care, the 
need to try to have improvements in the way that information is 
made available about care, and all of that comes through, 
again, having a defined plan for how they will do that, as well 
as having necessary outreach, necessary information made 
available to educate the public on the need for and the use of 
electronic health records so that certainly at some point 
hopefully there would be buy-in, more buy-in to make this a 
more successful effort.
    So I think overall success will depend on how well they can 
really communicate and convey the need for and ultimately to 
implement a system that does balance privacy and security with 
the quality of the care that is being provided.
    Mr. Turner. One of the issues that has been identified is 
the cost savings that we expect from going to electronic 
recordkeeping, and the implementation of technology on this 
issue is that we don't really know what our cost savings would 
be, and we are not capturing in a very effective way how this 
might advance us in cost. Do you agree with that? And also, do 
you have thoughts as to what we could be doing better to 
understand really what will we be able to effect in cost 
savings in this?
    Ms. Melvin. I think clearly the cost savings is an issue. 
The overall cost of the initiative is an issue that would have 
to be defined based on what technology is ultimately determined 
to be needed and put in place for this, again largely driven by 
the privacy and policy security implications that would drive 
the technology that would need to be put in place.
    Then ultimately, as a part of the overall strategy and the 
defined approach that the agency would need to have, a key part 
of that is defining what the costs are, what the outcomes that 
result from that are in the way of benefits and savings. I 
think all of those aspects collectively are going to be 
important in defining what the actual cost is ultimately for 
the overall initiative.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Turner.
    We have been joined by our colleague from New Hampshire, 
Mr. Hodes.
    I understand you have an opening statement. You may proceed 
with that and then go into your questions.
    Mr. Hodes. Thank you, Mr. Chairman.
    Mr. Clay. You have ample time. You are welcome.
    Mr. Hodes. This is a very important hearing. The privacy 
concerns related to health information technology in the 
digital age take on an increasingly important role as we 
examine a health care system which many people feel is a system 
which is dysfunctional and not operating as it should, and many 
are looking to electronic medical records technology as a key 
component to making our health care system a better-functioning 
system.
    It seems that it is fairly obvious, at least to me, that 
there are great benefits in increased coordination of care from 
effective and appropriately constructed medical records 
technology systems, because instead of having people carrying 
around paper records and sacks of pills from one doctor to 
another and having the second doctor trying to figure out what 
it is that patient is on, we can quickly and easily, with 
medical records technology, determine what care that patient 
has had.
    On the other hand, medical records technology presents 
great risks to patient security and private information. We 
have recently seen in the Veterans Administration, which 
frankly is in the forefront of developing electronic medical 
records technology, when a single laptop is lost there is 
enormous amounts of personal data that is compromised. So 
coming up with the right construct and the right system is 
clearly very important, and it is, I think, an urgent matter 
for us because there are a number of initiatives, both in the 
private sector and in Government, that are taking us down the 
road, but it sounds from your testimony and the report that 
there is still a very, very long way to go in coming up with an 
appropriate national system.
    [The prepared statement of Hon. Paul W. Hodes follows:]

    [GRAPHIC] [TIFF OMITTED] T9023.025-T9023.026
    
    Mr. Hodes. One question, Ms. Melvin, that I had raised by 
your testimony that I would just like you to clarify for me, if 
you could, would be--and I may not have all the terms right--
but you mentioned that the National Coordinator's Office at 
HHS, I believe, had a difference about a national coordinated 
approach when your report was initially sent over?
    Ms. Melvin. We had originally recommended that they develop 
a defined approach that would, in fact, allow them to integrate 
the various initiatives, that would establish milestones and 
timeframes for the completion of initiatives, obviously 
considering that there were multiple activities going on, and 
that would, in fact, designate a leader, identify a leader who 
would lead the overall coordination, an entity that would lead 
the overall coordination of all of the various initiatives 
being put in place.
    I believe that in this case in their comments HHS 
essentially believed that they did have a comprehensive 
approach. We had a difference relative to the construct of that 
approach and whether, in fact, it contained all of the 
necessary or recognized all of the necessary components in the 
way of having a designated leader, in the way of having 
established milestones, and potentially measures for being able 
to really gauge progress and to guide the overall effort.
    Mr. Hodes. And I gather there were some discussions that 
took place?
    Ms. Melvin. We have subsequently met with Dr. Kolodner, 
actually within the last week. We have talked more about what 
our concerns were relative to the lack of such a defined 
approach, and in talking with him and through information that 
we have seen since our discussions, there is an indication that 
he is in agreement with the need for having an approach, some 
type of road map that would, in fact, provide more detail than 
defined milestones for integrating the various initiatives that 
are underway.
    Mr. Hodes. There is no disagreement between you and Dr. 
Kolodner that the coordinator of any national health 
information technology system would be situated at HHS, is 
there?
    Ms. Melvin. We have not talked specifically about what 
entity would be the leader to integrate this. Our discussions 
were at a level relative to the importance, the significance 
overall of developing an approach. We have not described what 
that approach would be. We do feel it is important, however, 
that approach does, in fact, define those critical elements 
relative to timeframes and milestones, measures of performance, 
and also in terms of actually identifying the entity that would 
lead it, but we have not talked about specifically who that 
entity would be.
    Mr. Hodes. You are just trying to get to square one with 
HHS and have them recognize that there needs to be a 
coordinated approach with time lines and benchmarks and setting 
out a plan to put together the initiatives that have already 
been begun into some comprehensive plan that we can all look at 
and then talk about?
    Ms. Melvin. That is absolutely correct, sir.
    Mr. Hodes. I am just about finished, Mr. Chairman.
    When you say that Dr. Kolodner has indicated his agreement, 
is that verbally? Is that in writing? How has that agreement 
been indicated?
    Ms. Melvin. Our discussions have been held through a 
meeting with Dr. Kolodner relative to what actions they were 
taking, but, as I stated earlier, we have not discussed the 
specifics of what that planned approach would look like 
ultimately. It is our hope, and we do view, you know, the fact 
that at this point he does agree with the need for that as very 
promising, but, as our statement indicates, it is a very 
difficult task. It is a long road. It does involve a lot of 
initiatives, and it will take sustained and committed effort on 
HHS' part to make sure that happens.
    Mr. Hodes. What is your timeframe for getting some sort of 
concrete response beyond the verbal discussions you have had 
from Dr. Kolodner and HHS that would clearly indicate, 
something we could look at, that says HHS agrees that we are 
going down this road and here is how we are going to get there? 
Are we talking a week? A month? Two months?
    Ms. Melvin. We have not specified a specific timeframe. 
Obviously, based on our recommendation, we do feel it is very 
important that this effort be undertaken urgently. It is very 
critical from the standpoint of the many initiatives that HHS 
and the National Coordinator's Office does have underway that 
lead to the development of technology, the significant point 
being that you want security and privacy policies to be in 
place to really guide and be a factor in determining what 
technology is there. So it is an urgent effort, but not one 
that we put a definite timeframe on for seeing that it happens.
    Mr. Hodes. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Hodes, for that line of 
questioning.
    This question is for either/or. I would like to hear your 
thoughts on HHS' enforcement policies, practices, and 
procedures. There has been significant criticism of the 
agency's enforcement of HIPAA and lack of civil penalties 
enforced on identified violations. Are the enforcement 
activities of HHS being carried out in accordance with the 
statute and the legislation and regulations? Are the current 
regulations adequate to ensure that violating entities are 
being sanctioned appropriately?
    Ms. Koontz. I have to say, first of all, that we have not 
studied HHS' enforcement actions; however, I think it has been 
widely reported that there have been few enforcement actions on 
their part.
    The way HIPAA is set up right now is that if an individual 
has a complaint they can go to HHS, the Office of Civil Rights, 
and complain about privacy violations. I think that this, 
again, is another issue for us moving forward. Under HIPAA, for 
example, there is no individual right of action. If someone 
isn't satisfied with what happens at HHS, they cannot go to the 
courts for resolution. I think this is an issue that, you know, 
we will need to look at over time, but we haven't studied it in 
depth.
    Mr. Clay. One IT-specific recommendation offered by the 
National Council of Vital Health Statistics was for HHS to 
support research and development of contextual access criteria 
that is appropriate for the dissemination and sharing of 
electronic health information. Do you know whether HHS is 
addressing this issue and, if not, why not? And does GAO concur 
with the findings and recommendations of the National Committee 
on Vital Health Statistics?
    Ms. Koontz. First of all, in terms of the contextual 
information, I think that is quite an exciting idea, because if 
you look at paper records right now, if you have to disclose a 
paper record I think that the default is to perhaps disclose 
the whole piece of paper. The idea of this contextual access 
would be that when you disclosed information you would use 
technology in such a way that you could disclose only the 
information that was actually needed, so it would be a way to 
really leverage technology to increase privacy for patients and 
consumers. So the National Committee on Vital and Health 
Statistics did recommend that HHS look at this more fully in 
the process, and we support that.
    I think one of the things that, as they move forward on a 
comprehensive strategy for addressing privacy, they need to 
take into consideration the results of all these different 
contracts and initiatives that they have going on, which seem 
to have a lot of merit. They need to take into consideration 
the recommendations of NCVHS, and they need to take into 
consideration some of the challenges that I think we raised in 
our report.
    Mr. Clay. Thank you for that response.
    When multiple States with conflicting laws have personal 
health information concerning the same patient, which State's 
privacy standard will apply, and under what circumstances? How 
can entities in one State appropriately manage patient data 
within their electronic patient records if they are unaware of 
applicable restrictions in another State?
    Ms. Koontz. Well, the issue about HIPAA is that HIPAA is 
meant to be a floor in terms of privacy protection, so that 
means it does not preempt a State law that provides greater 
privacy protections than the Federal law. But you are right: 
what it leads to is very much a patchwork of different kinds of 
laws in varying States, and when you go to electronic health 
records and you go to a national health information network, 
again, the information is to move. It can move much more freely 
than it does now in a paper environment.
    One of the challenges, when we were doing our study, that 
many organizations talked to us about is operationalizing these 
various requirements and being able to navigate in an 
environment where information is created in one State, it is 
sent to another, it is sent yet to another, and how to really 
navigate in that kind of environment has caused a complexity 
which may indicate some need maybe for greater guidance in 
terms of how to navigate this. And some people have suggested, 
of course, that there be some kind of national standard for 
privacy that is consistent across the States. We haven't 
studied that further, but that has been an issue that has often 
been raised.
    Mr. Clay. Good. Thank you very much.
    Mr. Turner.
    Mr. Turner. Thank you, Mr. Chairman.
    We want to note that Government Health IT reported on June 
15, 2007, that Dr. Kolodner, National Coordinator of Health 
Information and Technology, has revealed that his office will 
propose a draft framework for privacy policy later this year. 
Kolodner said it will reference other privacy policy documents 
from organizations such as Connecting for Health, the National 
Committee on Vital and Health Statistics, and the Organization 
for Economic Cooperation and Development. I look forward to 
seeing that so we can all have an opportunity to review it and 
determine its effectiveness.
    I am going to ask if you could talk for a moment--and you 
may not be able to--but the VA's experience during Katrina, we 
have all heard news reports about how the VA was able to 
transfer large numbers of patients' records far more quickly 
than private hospitals. Are you familiar with the VA's 
experience and their system? Could you comment on that?
    Ms. Melvin. I am not familiar with that particular 
experience, but what I can tell you is that VA does have a 
comprehensive longitudinal electronic health record for its 
patients, which would explain its ability to make information 
available for those people who were affected by Hurricane 
Katrina. Its system is set up so that it contains a complete 
record of each patient that is captured within its system, so 
that would explain its ability to perhaps have records 
available more readily certainly than other entities that do 
not have such a capability at this point.
    Mr. Turner. Are you familiar with either their experience 
of cost savings or efficiencies in increasing medical care and/
or privacy issues and policies?
    Ms. Melvin. I don't have specific information on their cost 
savings. I can tell you, though, that they have a very 
impressive system in place that has allowed them to achieve 
many improvements in quality of care through the clinician's 
ability to have ready access to information, through their 
ability to actually use that information in the health care of 
patients at this point.
    Mr. Turner. Thank you very much.
    Ms. Melvin. You are very welcome.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Turner.
    Mr. Hodes, any more?
    Mr. Hodes. Just one more briefly.
    Mr. Clay. Please proceed.
    Mr. Hodes. Thank you, Mr. Chairman.
    I would like to follow up just a little bit on the question 
about varying State standards, because I note at page, I think 
it looks like 15 of your report, where you talk about the 
challenges to exchanging electronic health information and the 
area of understanding and resolving legal and policy issues, 
and the first bullet point you talk about is resolving 
uncertainties regarding the extent of Federal privacy 
protection, and it leads me to the question of how quickly we 
can go to a national information system with so many differing 
standards out there among the States.
    Could you tell us what do you think the benefits would be 
to establishing a Federal standard in these areas, even if it 
meant hypothetically preempting the States?
    Ms. Koontz. Well, it is obviously a policy judgment that 
you are probably in a much better position to make than I, 
but----
    Mr. Hodes. That is why I asked the question.
    Ms. Koontz. Fair enough. But, I mean, the obvious advantage 
here is that we would be trading off some, getting rid of some 
complexity in order to, you know, if we got some 
standardization. Obviously, from talking to a fairly large 
number of entities out there who are involved in information 
exchange and involved in providing health care, it is 
tremendously confusing, even to the point of trying to decide 
what rules apply, what category do they fit in, and then also 
how to operationalize all the different kinds of requirements, 
as well. So, I mean, I can see on balance it is on the one hand 
and on the other hand, but there are definitely benefits to 
standardization, as well, although there may be States where 
you might end up lowering privacy protection, and I think that 
is an issue for that locality.
    Mr. Hodes. OK. Thank you very much.
    Thank you, Mr. Chairman. I yield back.
    Mr. Clay. Thank you, Mr. Hodes.
    The AHIC, which is a public/private working group chaired 
by the Secretary, assembled a working group on how to address 
privacy and confidentiality issues last August. What findings, 
if any, have been presented to the Secretary? Is AHIC's work 
consistent with GAO's findings and recommendations? Are you 
familiar with AHIC, the American Health Information Community?
    Ms. Melvin. Yes, we are familiar with that. As far as their 
findings and recommendations, at this point we are not certain 
as to exactly what they are doing. We do know that HHS is in 
the process of assessing the information that they have from 
them, and we have not compared that to GAO's recommendations, 
as I recall.
    Mr. Clay. OK.
    Ms. Melvin. We have not compared them to GAO's 
recommendations.
    Mr. Clay. All right. I thank you for that.
    Let me thank both of you for your answers today and for 
being witnesses at this hearing. I think it is such an 
important issue, and we certainly appreciate GAO weighing in. 
Thank you both. This panel is dismissed.
    I would now like to invite our second panel of witnesses to 
come forward, please.
    Testifying today on our second panel will be Mary R. 
Grealy, president of the Healthcare Leadership Council. Welcome 
to you.
    Byron Pickard, president of the American Health Information 
Management Association. Thank you for being here.
    Peter P. Swire, the C. William O'Neill professor of law at 
the Ohio State University's Moritz College of Law and senior 
fellow at the Center for American Progress.
    Welcome to all of you.
    It is the policy of the committee to swear in all witnesses 
before they testify. At this time I would like to ask you all 
to stand and raise your right hands.
    [Witnesses sworn.]
    Mr. Clay. Let the record show that all of the witnesses 
answered in the affirmative.
    Each of you will have 5 minutes to make an opening 
statement. Your complete written testimony will be included in 
the hearing record. The yellow light in front of you will 
indicate you have 1 minute remaining. The red light will 
indicate that your time has expired.
    Ms. Grealy, we will begin with you. You may proceed.

STATEMENTS OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP 
COUNCIL; BYRON PICKARD, PRESIDENT, AMERICAN HEALTH INFORMATION 
MANAGEMENT ASSOCIATION; AND PETER SWIRE, SENIOR FELLOW, CENTER 
                     FOR AMERICAN PROGRESS

                  STATEMENT OF MARY R. GREALY

    Ms. Grealy. Thank you, Mr. Chairman and members of the 
subcommittee. On behalf of the members of the Healthcare 
Leadership Council, I want to thank you for the opportunity to 
testify on this extremely important subject.
    Certainly all Americans want to be assured, as we move 
toward a day when virtually all clinical health information 
will be exchanged electronically, that their confidentiality 
will be protected and information will be used to provide 
health care of the highest quality.
    The Healthcare Leadership Council is comprised of chief 
executives of many of the Nation's leading health care 
companies and organizations representing all sectors of 
American health care. Our members are some of the early 
adopters of health information technology.
    Mr. Chairman, with my time limitations there are two key 
points that I would like to make today. First, allow me to 
comment on the current HIPAA privacy rule, a rule that was 
developed through careful, detailed deliberations over a 5-year 
period, and its effectiveness in the context of electronic 
health information exchange.
    We are concerned that the transition to more widespread use 
of electronic medical records will prompt a reactive call in 
some quarters for additional burdensome privacy regulations. It 
is important to note that the HIPAA privacy rule, which is 
already quite restrictive, was spurred by the growth of 
electronic transactions and already contains ample provisions 
governing the confidentiality of information, electronic or 
otherwise. It is even more important to recognize that more-
restrictive rules, such as requiring providers and payers to 
obtain prior consent for treatment, payment, and health care 
operations, would delay and disrupt health care, particularly 
for the most vulnerable patients.
    The fact is, Mr. Chairman, the HIPAA privacy rule has a 
successful track record, and that success is being achieved in 
an environment in which multi-State electronic data exchange is 
already occurring.
    Health care providers and plans have spent significant 
resources to comply with the HIPAA rule. Before considering any 
changes, we should be certain that they are absolutely 
essential and would warrant diverting finite resources from 
patient care to additional administrative compliance.
    The other point I wish to make this afternoon is that, 
while the HIPAA privacy rule is effective in protecting patient 
confidentiality, the development of a multi-State network 
requires the creation of a uniform Federal privacy standard. 
While HIPAA establishes such a standard, it permits State 
variations that are found in thousands of statutes, 
regulations, common law principles, and advisories. This 
patchwork quilt creates confusion among those who hold 
identifiable health information and those who seek to establish 
these data exchanges.
    We believe strongly in a national standard that provides 
strong privacy protections for every American and facilitates 
nationwide and system-wide electronic data exchange for the 
betterment of patient care.
    Mr. Chairman, Section 6 of your bill, H.R. 4832, laid out a 
process to help achieve that national standard, and we hope 
that it will find its way and be part of any future HIT 
legislation.
    One thing that helps us put a face on health care policy 
and to put it in perspective is that these issues unavoidably 
become personal for all of us. My family currently has a 
compelling example in the person of my 88 year old father, who 
lives in Fort Lauderdale, FL. Just a few months ago, after a 
brief hospital stay for acute kidney failure, he began a 
regimen of dialysis three times a week. At the same time, he 
was receiving radiation treatment for prostate cancer.
    I can tell you firsthand that the staffs in the hospital, 
the radiation center, the dialysis center, and the various 
physician offices are fully complying with the HIPAA privacy 
rules, oftentimes making it difficult for me and my five 
brothers and sisters to help coordinate his care. Be assured 
that health professionals take the rules very seriously.
    More importantly, however, I am also experiencing firsthand 
the absolutely critical need for a unified electronic health 
record so that my Dad's oncologist, nephrologist, internist, 
cardiologist, nutritionist, radiation center, and dialysis 
center would all know in real time what each is prescribing 
and, more importantly, how he is doing. For example, sharing 
the results of lab tests, sharing the prescriptions that they 
are ordering.
    An electronic health record would have avoided my Dad's 
recent experience of receiving Procrit from his oncologist 
while he was receiving a similar medication, Epogen, at the 
dialysis center. Unfortunately, it fell to us to alert and 
notify those two health providers, because they were not 
sharing this information.
    You can see the importance of having this electronic health 
record. America's patients, not just my Dad, need an electronic 
health record, and I applaud the efforts that you, Mr. 
Chairman, and others have put toward achieving that goal.
    We look forward to working with you, finding the 
appropriate balance between privacy and the need for sharing 
this important information as we move forward in this important 
area.
    Thank you.
    [The prepared statement of Ms. Grealy follows:]

    [GRAPHIC] [TIFF OMITTED] T9023.027 through T9023.046
    
    Mr. Clay. Thank you so much, Ms. Grealy, for that 
testimony.
    Mr. Pickard, you may proceed.

                   STATEMENT OF BYRON PICKARD

    Mr. Pickard. Chairman Clay and members of the subcommittee, 
thank you for this opportunity to testify. I will be testifying 
on behalf of AHIMA, but will also draw upon my professional 
experiences to describe the public/private efforts currently 
underway exploring the privacy of electronically transmitted 
health information.
    My written testimony addresses some areas of specific 
interest to our profession; namely, expansion of privacy 
protections for personal health records, differences between 
HIPAA at business associates and non-covered third-party 
contractors, and protecting student health information, and 
conflicts between HIPAA and FERPA. AHIMA also has a foundation 
of research and education, which has received several grants 
and contracts from the Office of the National Coordinator and 
others. I have attached a list of those commitments.
    Mr. Chairman, the HIM professionals' responsibilities are 
interwoven with privacy and security issues. The expansion of 
confidentiality management and protection is impacted not only 
by HIPAA but also by the health care industry's continued 
transformation from a paper intensive industry to one of 
electronic records and transmissions.
    I wish I could tell you that the health care industry has 
been transformed into a fully electronic system, but, in fact, 
I cannot. We are in the midst of what would be a long 
transition.
    In working through these transitional issues, AHIMA has 
partnered with the American Medical Informatics Association and 
we have produced two joint statements relative to today's 
discussion, one on health information confidentiality, and the 
other on the value of personal health records. With so much 
history and experience in the protection of health information, 
it is important to note AHIMA's position. Our written testimony 
contains our full list of health information confidentiality 
principles.
    As our health care system becomes more interconnected, our 
networked health information will flow across a range of 
entities and boundaries. It will be critical to follow these 
principles. Privacy protections must follow personal health 
information [PHI], no matter where it resides, and uniform and 
universal protections for PHI should apply across all 
jurisdictions in order to facilitate consistent understanding 
and compliance.
    Considerable time has been spent exploring and developing 
electronic health information exchange and how to protect 
health information by the Agency for Health Care Research and 
Quality, the American Health Information Community, the Office of 
the National Coordinator, and others. These initiatives and 
their impact on privacy and security are detailed in our 
written testimony.
    AHIMA members, and especially those who fill the role of 
privacy officer, are noting that the issue of confidentiality is 
moving beyond just health care. With the banking and finance 
industries handling health information more frequently, it has 
become apparent that we must soon address the comprehensive 
protection of an individual's information, whether it is 
financial or health related. This is an issue that 
Congress will need to investigate as we see more change in the 
bordering of industry boundaries.
    We also see a need for consumer education to address 
confidentiality and security, as well as the value of health 
information technology usage. It is only with consumer trust 
that a national infrastructure can be built and laws adopted or 
modified to facilitate information exchange.
    AHIMA has long called for consumer-based personal health 
records, in addition to the standard provider-based electronic 
health records. While we have never endorsed a PHR product, we 
have called for consumers to use a PHR, whether in paper or 
electronic form, to track their own health status. To support 
this goal, AHIMA embarked upon a PHR consumer education 
campaign that combines the use of a consumer Web site with 
public presentations by AHIMA members in each and every State.
    AHIMA is leading an effort to ensure interoperability of 
the PHR, with the new health level seven standard electronic 
health record, and we expect to see a new PHR electronic 
standard from HL-7 in the near future.
    AHIMA's belief that protections should follow personal 
health information, no matter where it might be stored or 
transferred, clearly extends to PHRs. PHRs can be stored or 
offered by a variety of different vendors or operators. Some of 
these vendors are HIPAA-covered entities, and others are not.
    Protections against the discrimination and misuse of PHR 
information must be established along with a requirement that 
any access or use of PHR information be governed by a separate 
authorization unless otherwise required by law. Except for PHRs 
offered by health care providers, we believe that individuals 
should be given the right to opt out of a PHR being built for 
them or their family members.
    The answers are not simple. As the AHIC and the NCVHS and 
others discuss and provide recommendations in the privacy and 
security area, Congress can also begin to look at some very 
important issues: that confidentiality protections follow 
the information no matter where it resides or is transferred; 
that comprehensive non-discrimination laws have harsh penalties 
for the intentional misuse of health information; that we 
prosecute those who break these laws; that we penalize those 
entities that are non-compliant with confidentiality and 
security laws and regulations; that conflicts between HIPAA 
versus FERPA be eliminated in favor of consistent and strong 
confidentiality; and that proposed laws be reviewed to identify 
barriers that may arise that would impede the deployment of 
health information technology products, expansion of health 
information exchange, and critical uses of health information.
    Mr. Chairman and members of the subcommittee, I hope that 
our testimony has given you an insight into the aspects of 
health care confidentiality and security that you are seeking, 
and that our recommendations will provide you with guidance as 
you address the many difficult questions facing our community. 
I stand ready to answer any further questions or concerns you 
might have.
    Thank you.
    [The prepared statement of Mr. Pickard follows:]

    [GRAPHIC] [TIFF OMITTED] T9023.047 through T9023.067
    
    Mr. Clay. Thank you so much, Mr. Pickard.
    Mr. Swire, of the Ohio State University.

                    STATEMENT OF PETER SWIRE

    Mr. Swire. The Ohio State University, home of the Buckeyes. 
Yes, sir.
    Mr. Clay. Yes, sir.
    Mr. Swire. Mr. Chairman, members of the subcommittee, thank 
you very much for the invitation to testify here today on 
privacy and security of electronic health records.
    Today fewer than 10 percent of our clinical records in the 
country are accessible in electronic form, and all of us hope 
that number climbs sharply in the next decade.
    My colleague at the Center for American Progress, Karen 
Davenport, has recently released a new report about health IT 
and the quality improvements, and, Mr. Chairman, I ask if that 
could be submitted to the record for this hearing.
    Mr. Clay. Yes, please.
    Mr. Swire. Thank you.
    To make this shift to the NHIN, the National Health 
Information Network, we need to get privacy and security right. 
Public surveys repeatedly showed that these privacy concerns 
are top of mind when it comes to the shift to electronic health 
records. Unless Americans are convinced that effective 
safeguards are in place, many of the benefits of this NHIN may 
be delayed or lost entirely.
    My written statement addresses various issues, but I would 
highlight two things in the testimony today: preemption and 
enforcement.
    On preemption, my theme is that the wrong sort of 
preemption would actually repeal many existing privacy and 
security safeguards. On enforcement, the current no-enforcement 
system is not a sound basis for going forward with electronic 
health records.
    Briefly, my background before returning to law teaching, I 
served as chief counselor for privacy in the U.S. Office of 
Management and Budget in 1999 and 2000, and in that role I was 
the White House coordinator for the HIPAA privacy rule. This 
has lost me many friends in the medical community.
    During that time we had over 50,000 public comments on the 
proposed rule, and I co-chaired the process to look at those, 
try to respond to them, and come up with a final rule by the 
end of 2000, and I have worked in this area since. So it is 
based on that I try to offer some observations today.
    On preemption, my first theme is that simple preemption of 
State laws going to HIPAA alone would repeal many existing 
privacy protections.
    In many States we have protections for things like HIV 
records, mental health, substance abuse, reproductive records, 
Public Health Agency records, genetic records, and if we simply 
say let's do HIPAA, then that means that all of the State 
protections would be repealed.
    In Ms. Grealy's testimony, they feature Indiana as a State 
to look to. Indiana has the fewest State safeguards, and so 
harmonizing on that level would be a drop in privacy 
protection, and we should be careful about doing that.
    On enforcement, I have serious concerns about the lack of 
enforcement from HHS. This is an oversight issue. This creates 
an obstacle to going forward with electronic health records. If 
no enforcements are brought under the current system so far 
under HIPAA, why should the public trust we are going to have 
good enforcement for the next generation?
    Let me emphasize my criticism here goes to law and policy 
and not to the good faith or the intelligence or hard work of 
people at HHS, but there are some legal problems the Congress 
may need to address.
    There are three principal problems in enforcement:
    First, the batting average for HHS is pretty low. There have 
been 27,000 complaints and zero civil or monetary penalties, so 
over 27,000. That doesn't create a lot of confidence.
    Second, the current administration has adopted the policy 
of one free violation. In an enforcement rule last year, HHS 
said that the first violation simply won't lead to a penalty; 
instead, it will lead to a planned correction going forward. This 
sends the signal that medical privacy shouldn't be taken 
seriously. If you are a covered entity, just wait until they 
come the first time and then you can fix it, but you don't face 
any exposure.
    Third, the Department of Justice has dropped the ball on 
criminal prosecution. Justice has received almost 400 referrals 
from HHS and has brought zero cases under those 400 referrals. 
These are the most serious cases, and the problem is that, once 
it goes to DOJ, under current policy HHS stops all proceedings, 
so the most serious cases HHS doesn't do it and DOJ doesn't do 
it.
    This lack of enforcement has been the subject of major 
stories in the Wall Street Journal and the Washington Post. One 
expert was quoted in the Post saying, ``HHS really isn't doing 
anything, so why should I worry?''
    The lack of HIPAA enforcement will make it harder to build 
the next generation of electronic health records. Critics will 
be on strong and legitimate ground saying they can't trust the 
current system, much less the higher level of trust we would 
want to have if we go to the all-electronic NHIN.
    In my testimony I point out that we can respond to these 
problems perhaps by HHS changes or by targeted legislation. 
Here are three things to consider, and then I will close: 
first, HHS can end the one free violation part of the 
enforcement reg; second, we should end the current 
interpretation where HHS stops its own enforcement efforts in 
the most serious cases whenever there is a criminal referral to 
DOJ; and, third, a mistaken Department of Justice legal opinion 
that narrowed the criminal provisions of HIPAA should be 
revisited. They really take the position that only the hospital 
that intentionally violates the law and not any of the 
individuals who break the law can be enforced.
    That concludes my comments. I welcome any questions you may 
have.
    [The prepared statement of Mr. Swire follows:]

    [GRAPHIC] [TIFF OMITTED] T9023.068
    
    [GRAPHIC] [TIFF OMITTED] T9023.069
    
    [GRAPHIC] [TIFF OMITTED] T9023.070
    
    [GRAPHIC] [TIFF OMITTED] T9023.071
    
    [GRAPHIC] [TIFF OMITTED] T9023.072
    
    [GRAPHIC] [TIFF OMITTED] T9023.073
    
    [GRAPHIC] [TIFF OMITTED] T9023.074
    
    [GRAPHIC] [TIFF OMITTED] T9023.075
    
    Mr. Clay. Thank you, Mr. Swire.
    Let me thank the entire panel for their testimony today.
    We will begin the question period under the 5-minute rule, 
and I will begin with a general question for everyone to 
comment on. Many electronic health care tools such as 
electronic health records and internet-based personal health 
records are available to consumers today. The country, however, 
is still lacking an established nationwide approach for 
ensuring that personal health information will be protected 
from inappropriate disclosure. Do you believe that the 
implementation of health IT is beginning to outpace the 
development of overall privacy policies and practices?
    We will start with Ms. Grealy.
    Ms. Grealy. Well, as I said, both from my experience as 
heading up the Healthcare Leadership Council and formerly with 
the American Hospital Association, as well as my personal 
experience dealing with health care for my family, providers 
took the HIPAA privacy rule very, very seriously. They put in 
place compliance plans, a lot of education, and this was 
throughout all of the covered entities, the various business 
associates. I am not sure we often recognize just how much went 
into making sure they understood the HIPAA privacy rules and 
they were in compliance.
    The rules are very complex. I just want to touch on, I 
think, the approach that HHS and the Office of Civil Rights has 
taken is really the proper approach. They could have taken a 
``gotcha'' approach, and, you know, every time we find you have 
made just the slightest error we are coming after you with 
civil and monetary penalties or criminal penalties. I think, 
instead, what they did was to develop a partnership. We want 
this rule to work, and so we have partnered with providers and 
others to educate them.
    Of the 27,000 complaints that have been registered, I think 
if you delve into them, if you talk with the people at the 
Office of Civil Rights you will find that many, many, the vast 
majority, were really a misunderstanding of what was required 
by the privacy rule. In fact, many times we have run into what 
I would call hyper-compliance, where we have providers 
unwilling to share information with those who could benefit 
from it because they throw up HIPAA doesn't allow me to do 
that. So we really have to strike that appropriate balance.
    As we move into the electronic world, security measures are 
in place. I think we also sometimes lose sight that these 
electronic medical records can be much more secure than the 
paper records that have been sitting in file cabinets and 
physicians' offices. Oftentimes you have no way of determining 
who has accessed those records, unlike in the electronic world 
where you can establish an audit trail. You can really 
determine who has accessed that and whether it is appropriate. 
You can password protect it.
    So I think we have a framework. We may have to modify it. 
You can tell from the GAO testimony that there is a lot of work 
going on at HHS, at AHIC, the National Committee on Vital 
Health Statistics, to determine what is appropriate in this 
electronic world. But remember, this all started because people 
were concerned about the electronic transmission of personally 
identifiable health information. That is what started the HIPAA 
statute and resulted in the HIPAA privacy rule. So I don't 
think we need a wholesale revision of it. We may need some 
tweaking of it. But I think right now it is workable, and a lot 
of providers are spending a lot of time and resources that 
don't go to direct patient care, but instead go toward 
compliance. I think we have to be very, very careful in terms 
of how we use those resources.
    Mr. Clay. Thank you, Ms. Grealy.
    Mr. Pickard.
    Mr. Pickard. Yes. I would have to agree, and I think that 
it is not a question of the technology but more about the 
actual policies. I do believe that HIPAA has provided a good 
framework, and I think where we run into challenges or where we 
will run into challenges are the other entities, the other 
types of entities outside of the HIPAA boundaries, the covered 
entities that are now faced with handling health information. 
So I believe that is probably where we run into challenges 
associated with HIPAA. That, again, kind of brings us back to 
an important point or important principle within my testimony, 
and that is that the confidentiality and privacy protections 
follow the information, no matter where it goes or where it 
resides or how it is accessed or handled.
    Mr. Clay. How about you, Mr. Swire?
    Mr. Swire. Thank you, sir.
    A fairly simple point. HIPAA came about when we made a 
shift for payment records from paper to electronic, so you 
would file with Medicare, insurance companies electronically, 
and Congress said in 1996 let's do privacy and security with 
that.
    We are now in chapter two, and chapter two is the shift for 
clinical records, your x-rays and all the rest of those things, 
and we are now building the systems for the first time to 
really move clinical records, so we should build those systems 
right for this generation like we tried to build systems right 
for the payments generation, and that is our job together.
    The easiest time to get privacy and security right is when 
you build it the first time. It is much harder to patch later. 
That is where Congress can take a leadership role and make sure 
we do it.
    Mr. Clay. Thank you for that response.
    Mr. Hodes.
    Mr. Hodes. Thank you, Mr. Chairman.
    Professor Swire, I am interested in and appreciate your 
condensed version of arguments about preemption and what we 
might lose by it, because really I think that goes to the heart 
of policy issues that Congress is facing in dealing with the 
questions of a national health information network versus 
leaving it to what is clearly a rapidly evolving patchwork of 
regulation. You point out that we have HIPAA as, call it, a 
baseline, but that many States have--in fact, I think all the 
States have dealt with other medical information of a very 
sensitive kind that HIPAA simply doesn't deal with. So I take 
to heart your point about not rushing too quickly to simply say 
HIPAA is the standard and that is the national standard and 
that is where we are leaving it.
    If we were to look at the national picture, which I am sure 
you have much more than I have, how would you balance, in 
looking what the various States have done in terms of the 
issues you have raised on pages three and four of your report--
mental health records, HIV, and all that--if Congress was 
inclined to try to set some national standard, mindful of your 
warnings? How would you suggest we go about looking at what the 
States have done? Should we simply say we are going to take the 
best standards from whichever State best protects privacy and 
security of people and that is the one we are going to use for 
HIV, and similarly we are going to look at mental health 
records and take the best one that we can get from State B, and 
then we are going to incorporate it with this other baseline 
and call it a Federal standard? What do you think?
    Mr. Swire. Well, we could go on for quite some time----
    Mr. Hodes. I know.
    Mr. Swire [continuing]. To try to figure out how to do 
that, but----
    Mr. Hodes. I have only got 5 minutes.
    Mr. Swire. I know, and I will try to do it in about four 
sentences. Not really.
    The first point is best does not mean stricter or less 
strict. You can't avoid making some judgments here, so when it 
comes to HIV data you have a public health issue if people 
won't get tested, and if you repeal for big cities' HIV 
protections you could face public health risks, and that 
doesn't seem like a good idea to me.
    But I think one step here is I think that HHS and the 
Government can play a much better role in helping us all 
understand what the State laws are, and here is a specific 
thing. There is this RTI study--that is the contractor for 
HHS--and they have gone and done studies of, I think, 34 
States. I have been told by somebody who has been near the 
process that they are not planning to release the surveys from 
the States to the public. It seems to me if Government is going 
to spend contractor money to try to figure out what all these 
State laws mean, they reduce compliance costs for everybody if 
we get that information out to everybody, so just a much better 
job of education and getting the information out there so that 
people don't have to go to expensive law firms to try to figure 
it out. That is one step toward knowing what needs to be done.
    Ms. Grealy. Congressman, I would like to comment----
    Mr. Hodes. Please. Thank you.
    Ms. Grealy [continuing]. Because we undertook one of those 
very expensive studies, $1 million investment, to have a tool 
where providers could check to see what is the State law, what 
is the variation. That still requires time. It is a lot of 
money to maintain that system, and I don't think it addresses 
your question. I don't think it really gives us a workable 
national standard. Just because we have the information from 
the RTI study, we still have all this variation.
    We don't have to sacrifice privacy to develop this 
standard. Again I reference Section 6 in H.R. 4852, which 
really set out a process. Let's look at the States, let's study 
the variation, and then come up with recommendations as to what 
would be the appropriate rule in those very sensitive areas. We 
have done it for mental health to a certain degree in the HIPAA 
privacy rule, but we certainly could improve it in those other 
areas.
    Mr. Hodes. Thank you.
    Mr. Pickard, did you want to comment?
    Mr. Pickard. No.
    Mr. Hodes. Thank you.
    Mr. Chairman, I yield back. Thank you very much.
    Mr. Clay. Thank you for that line of questions.
    I asked this question to GAO during the first panel and 
would like to hear your thoughts on the topic. A significant 
problem with HIPAA is that it does not cover all entities that 
possess or utilize personal health information. Some life 
insurers and research entities not involved with the treatment 
of patients fall outside the rules. In your work, have you 
analyzed this problem? And how significant is it, in your view?
    Let's start with Mr. Swire.
    Mr. Swire. OK. So this has to do with who should be covered 
entities, and the statute sets that forth. HHS doesn't have a 
lot of wiggle room on that, so it would have to come from 
Congress.
    I think that for life insurance it is not such a big 
program. Gramm-Leach-Bliley applies there. But in my testimony 
I point out that if you say anything that touches medical data, 
like I buy a breast cancer book for somebody on Amazon, we 
don't want to suddenly have HIPAA kick in just because they 
mention the word health, and so how to expand it is something 
that you have to be careful about.
    One area of concern is that public health agencies are not 
subject to Federal laws, and law enforcement when it grabs 
health data, and there may be some work to be done on the 
Government's side to make sure that effective protections are 
in place, especially if they are trying to gather lots of bio-
surveillance kinds of things going forward.
    Mr. Clay. Mr. Pickard.
    Mr. Pickard. Yes. If I could just say, that is an important 
question. I think that our association, AHIMA, strongly 
believes in harmonization of all of the privacy protections 
across all entities. When you look at the personal health 
records, when HIPAA was developed personal health records were 
barely being talked about. In a university setting with student 
records there is a lack of harmonization, as I mentioned in my 
testimony, between the FERPA, or Family Education Rights 
Privacy Act, and HIPAA. There are differences. And so I think 
it is an important question, and I think that, again, I agree 
it is one that will require answers and consideration as we 
move forward.
    Mr. Clay. Thank you.
    Ms. Grealy, any thoughts?
    Ms. Grealy. Well, as always, it is a balancing question. We 
want to make sure that we are not stifling innovation, as we 
have. I mean, I think we are finally beginning to see patients 
becoming more engaged in helping to manage their health care, 
and getting them engaged with personal health records I think 
is a very positive thing. We want to make sure that they feel 
very secure when they are sharing that information.
    Now, is the best way to go about that, make everyone a 
covered entity? Is it better to make them business associates? 
I think we just have to make sure that the rules are clear, 
that we don't have conflicting standards out there. So if you 
start expanding business associates, making them covered 
entities, they may be in one sense a business associate, have 
to comply with a covered entity's rules, but then in another 
setting they become a covered entity, and they all hold a 
different set of standards.
    So, again, we know that there is work going on in this 
area. I know AHIC is looking at it. We are going to be 
testifying before them on Friday. But, again, just carefully 
looking at those and making sure that we are not getting into 
over-regulation and stifling the innovation that is really 
taking place out there.
    I think one of the most important things I heard from the 
GAO panel, and something that we really have to focus on, is 
educating the public, communicating to them why do we want this 
information, but, more importantly, why is it good for you as a 
patient for us to have this information. Why do we want it? How 
are we going to share it? And how are we going to protect that 
information and keep it secure? So they know under HIPAA and 
various State statutes we can't disclose it to their employer, 
we can't disclose it to the newspaper, we can't disclose it to 
their neighbors. But we have to assure people that it is 
important for their health and for the health of future 
generations for us to have a workable privacy rule that allows 
for the necessary flow of health information.
    Mr. Clay. Along those same lines, there is significant 
debate concerning the most effective way to obtain patient 
authorization for the disclosure or sharing of personal health 
information. For a national health information network to be 
successful, doesn't it require a stronger uniform privacy 
standard that requires affirmative consent from a patient for 
all information disclosure? And yes, we can start with you. I 
would like to hear comments from the entire panel.
    Ms. Grealy. I have the great benefit of every once in a 
while getting out there and talking to the real people that are 
actually doing this. I was just in Delaware, where they are 
doing a demonstration project with a health information 
network. We talked about this. Let's call it opt-in versus opt-
out.
    I am going around and asking this question: how would your 
data exchange system work if it had to be an opt-in? If you are 
the Mayo that has a century's worth of data, longitudinal 
studies, how would it work if you had to have an opt-in as 
opposed to you have the information, you give people the 
opportunity to opt-out of it? But if you had to go to each 
individual patient, to each individual subject that you want 
included, and get their affirmative decision to be included and 
to share their electronic medical record, I think it would halt 
the system.
    If we have to make a decision between the two, certainly 
opt-out is going to be better.
    Mr. Clay. Mr. Pickard, any comments?
    Mr. Pickard. Yes. Again, I think this is probably an area 
where AHIC is, in terms of their Privacy and Security Committee 
is looking into these types of issues.
    I can tell you in the State of Tennessee, with our health 
information exchange we have run up against this very question 
or this very issue, and we have put in protocols to enable 
patients to opt in or opt out, and then certainly you have the 
whole concept of patient identification. But, again, I think it 
is an important issue.
    Mr. Clay. Mr. Swire.
    Mr. Swire. Thank you. So the one way this comes up is if 
somebody sees a psychiatrist or gets substance abuse or 
something else and they say, look, I don't want this going out 
to everybody everywhere. So one idea of consent or 
authorization is some way for the patient to say, hold on, not 
this.
    I think it makes sense to a lot of people that some sort of 
permission for patients or some sort of control over that might 
make sense.
    Now, we can talk opt-in/opt-out. Some of the systems don't 
want to have an opt at all. They just want to say we are going 
to sign everybody up. I think that is a concern. So if you 
don't want to be in at all, if you don't want to just sort of 
have my doctor put everything in and I have no control over 
that, I don't think that is the right place to be. The question 
is what point, for how many choices, will a patient have any 
say.
    I worked on Markle's Connecting for Health Task Force, and 
they have a write-up on this that I think goes through it in a 
sensible way, and I think you end up with an opt out where that 
is realistic where patients say, look, it generally goes in, 
but if I say it doesn't we should try to build it so it doesn't 
go in.
    Mr. Clay. Just to pause after hearing the three different 
responses, what is the damage? What is the harm if someone 
other than a health care provider gets a copy of an x-ray or 
they get a record of a prescription? What do you think the harm 
is?
    Ms. Grealy. I think the concern is that the health care 
provider might not get the x-ray. I mean, I am not even talking 
about disclosures to those that really shouldn't have the 
information. We are talking about patients saying, no, 
provider, the physician treating me cannot have this 
information. So we have to be very, very cautious, again, in 
that balance of making sure, and there may be a system of, you 
know, flagging it so the physician knows I don't have all the 
information, I had better check with this patient.
    I am not sure how that translates when we are trying to 
build databases to improve the quality of health care, to 
improve treatment for disease, if we have a lot of critical 
missing information.
    Mr. Clay. Well, like the example you use in your testimony, 
the pharmacist should have relayed to both physicians for your 
father what medicines?
    Ms. Grealy. If this were something that he was getting at a 
pharmacy, you are right. CVS, one of our members, they have 
gone electronic, so they can do those alerts. But these were 
services, these were hormone shots, one being given in the 
oncologist's office and the other being part of the dialysis 
center treatment. There is no pharmacist in the picture, no 
electronic medical record to exchange that information, and so 
no way to alert.
    Mr. Clay. Mr. Pickard, any thoughts?
    Mr. Pickard. Again, I think--and I said this in my 
testimony--I think we need to move away from thinking about the 
type of information and the entity and make sure that the 
privacy protections do follow the health information wherever 
it resides.
    Let me just share. If I am an employee, I want the 
capability to opt out and to perhaps not have my employer have 
certain types of information. This is particularly important in 
today's environment where a lot of employers or insurances, for 
that matter, are developing personal health record tools for 
employees or subscribers. I think as an employee or an 
insurance subscriber, I should have that right to opt out of 
that.
    Mr. Swire. Just one point to add on is that some of the 
most sensitive kinds of data that I have been talking about, 
the mental health and substance abuse, genetic, or whatever, 
are only protected by State law, so even if x-rays aren't, 
these other things are only protected by State law, and if we 
were to harmonize at the national baseline then those 
psychiatric notes, the substance abuse things, and the rest 
could be going through the system, and that is a reason not to 
preempt too strictly or not to preempt at a low level.
    Mr. Clay. Let me ask this. This is a question for the 
entire panel. There have been long-term concerns on how health 
information is treated differently under institutions that are 
also covered under different privacy regulations, such as 
Family Educational Rights and Privacy Act of 1974. Under the 
privacy rule, records protected by FERPA are not covered by the 
privacy rule; therefore, even if the information contained in 
an education record is health related, the privacy rule does 
not apply.
    Is this an area where conflicts ought to be addressed in 
order to harmonize the way in which patient information is 
protected?
    Ms. Grealy, we will ask you first.
    Ms. Grealy. Well, I think one of the things that those that 
actually have to do compliance are always looking for is: give 
me uniformity. Make it simple. Don't have one set of standards 
here, another set of standards there. So I think any way we can 
harmonize these requirements is a positive thing.
    Mr. Clay. Mr. Pickard.
    Mr. Pickard. I agree. And let me just share, working in a 
university, you know, we interact and deal with both HIPAA 
regulations as well as FERPA regulations, and if I am a student 
and let's say if I have a medical condition that requires me to 
live off campus, I have to submit what actually becomes part of 
my academic record health information, and there is a lack of 
standardization in terms of how that information may or may not 
be handled. So I agree. I think there needs to be a 
harmonization across all of these different laws.
    Mr. Clay. Thank you.
    Mr. Swire.
    Mr. Swire. I am going to disagree on the FERPA one. I will 
just explain why. That was an issue that I worked on 
extensively during the rule and the comments from the schools, 
associations, and the rest. The logic at the time--and maybe it 
is different today--was with school nurses in high schools all 
over the country, rural grade schools, all the rest, if we 
harmonized to HIPAA, which is what AHIMA recommends and is 
worth considering, if we harmonize to HIPAA then the school 
nurse in that grade school out in a rural area would have to do 
full HIPAA compliance. And it wasn't clear that was the big 
risk, and it was clear that there would be a whole compliance 
thing to do if that happened.
    So the idea there was we thought that there was a pretty 
reasonable FERPA regime in place, that the school nurses 
shouldn't suddenly have to do more, and that was a sensible way 
to go.
    Now, it does mean that universities like Vanderbilt get a 
double whammy, because they get students and then they get some 
other folks who are HIPAA, and suddenly they get both. In some 
ways maybe Vanderbilt people are so smart they can handle it, 
but maybe not every school nurse has to do HIPAA.
    So I am not really sure how you harmonize, because if you 
harmonize that everybody is HIPAA, then it is the school nurses 
of America that will be here next time.
    Mr. Clay. Speaking of universities, Mr. Swire, I will ask 
you and then go down the line. Mr. Mark Rothstein of the 
University of Louisville has written extensively on the use of 
compelled authorizations for personal health information by 
employers for job applicants, life insurers for those applying 
for coverage, and other non-covered entities. If the current 
privacy rule does not regulate PHI once it is released to a 
third-party entity not covered under the rule, shouldn't we re-
examine who will be covered when receiving electronic health 
information?
    Mr. Swire. That is a great question, and it wouldn't be 
easy to legislate, but here are a couple of points that come 
up.
    So right now you can't have compelled authorizations for 
health care providers. If you show up at the ER and you are 
rolling in on the gurney, they can't say, sign here or we won't 
treat you, and you sign away everything. That is in HIPAA.
    The thing was, when HIPAA rules were written, HHS could do 
that--that is covered entities--but HHS had no jurisdiction 
over the employers of America. That just wasn't in the statute, 
so there was no choice in writing the rule about what to do for 
employers. That is a choice that only Congress can decide to 
step into.
    If you want to say, as Congress, we are going to treat the 
employers the way we treat the hospitals, you can't require 
these authorizations as a condition of being employed here, 
that is a decision Congress can make. You are going to hear it 
from the employers. And sometimes employers will say we need 
this to figure out if they can lift the heavy loads or we need 
it for some other job-related thing. But that is what you would 
have to work through, and it would have to be statute. It can't 
be by reg.
    Mr. Clay. Thank you.
    Any comments on that, Mr. Pickard?
    Mr. Pickard. Yes. We are seeing many, many different types 
of entities outside of the HIPAA-covered entities and business 
associates that are handling health information. Again, this 
goes back to our principles I shared earlier, and that is that 
we really look to confidentiality protections following the 
health information, no matter where it resides, and there needs 
to be a national floor for handling health information.
    Mr. Clay. OK. Ms. Grealy.
    Ms. Grealy. I talked with a few of, I think, entities that 
people are referring to. Revolution Health Care is one that is 
really getting into working with consumers, developing a 
personal health record that they can access through the 
internet. They have a contractual relationship with the 
consumers that they are dealing with, and they say that they 
are HIPAA compliant, even though they are not a covered entity; 
that they feel it is a good business practice. They want the 
trust of the consumers that they are dealing with, and it is in 
their best interest to make sure that they have a high level of 
security and protecting that information.
    So I think all of us have mentioned we know that AHIC, HHS, 
and others are really exploring these issues, and I think that 
is really the appropriate place; that we need to look at it 
carefully; make sure, as I said earlier, that we are not 
stifling innovation by expanding the reach of a heavy 
regulatory scheme; and make sure that it is balanced well, 
because I don't think we want to snuff out the innovation that 
is going on out there, but we do want to make sure that this 
information is protected.
    Mr. Clay. All right. Thank you.
    Let me thank the entire panel for their testimony and their 
answers. We have certainly covered some ground today. This is a 
very complex issue. As the Congress takes this issue on of 
health information technology and how we actually protect the 
privacy of citizens throughout this country, patients, we will 
certainly rely on your expertise, and this hearing has been 
helpful in shedding light on this. Let me again thank you all 
for your testimony today.
    That concludes this hearing.
    [Whereupon, at 3:30 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T9023.076

[GRAPHIC] [TIFF OMITTED] T9023.077

[GRAPHIC] [TIFF OMITTED] T9023.078

[GRAPHIC] [TIFF OMITTED] T9023.079

[GRAPHIC] [TIFF OMITTED] T9023.080

[GRAPHIC] [TIFF OMITTED] T9023.081

[GRAPHIC] [TIFF OMITTED] T9023.082

[GRAPHIC] [TIFF OMITTED] T9023.083
