b"<html>\n<title> - PRIVATE HEALTH RECORDS: PRIVACY IMPLICATIONS OF THE FEDERAL GOVERNMENT'S HEALTH INFORMATION TECHNOLOGY INITIATIVE</title>\n<body><pre>[Senate Hearing 110-114]\n[From the U.S. Government Printing Office]\n\n\n                                                        S. Hrg. 110-114\n \n                        PRIVATE HEALTH RECORDS:\n                  PRIVACY IMPLICATIONS OF THE FEDERAL\n                    GOVERNMENT'S HEALTH INFORMATION\n                         TECHNOLOGY INITIATIVE\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                  OVERSIGHT OF GOVERNMENT MANAGEMENT,\n                THE FEDERAL WORKFORCE, AND THE DISTRICT\n                        OF COLUMBIA SUBCOMMITTEE\n\n                                 of the\n\n                              COMMITTEE ON\n                         HOMELAND SECURITY AND\n                          GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            FEBRUARY 1, 2007\n\n                               __________\n\n        Available via http://www.access.gpo.gov/congress/senate\n\n                       Printed for the use of the\n        Committee on Homeland Security and Governmental Affairs\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n\n33-874 PDF                 WASHINGTON DC:  2007\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. 
Government Printing\nOffice  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800\nDC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, \nWashington, DC 20402-0001\n\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska\nTHOMAS R. CARPER, Delaware           GEORGE V. VOINOVICH, Ohio\nMARK L. PRYOR, Arkansas              NORM COLEMAN, Minnesota\nMARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma\nBARACK OBAMA, Illinois               PETE V. DOMENICI, New Mexico\nCLAIRE McCASKILL, Missouri           JOHN WARNER, Virginia\nJON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire\n\n                  Michael L. Alexander, Staff Director\n     Brandon L. Milhorn, Minority Staff Director and Chief Counsel\n                  Trina Driessnack Tyrer, Chief Clerk\n\n\n SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE \n                          DISTRICT OF COLUMBIA\n\n                   DANIEL K. AKAKA, Hawaii, Chairman\nCARL LEVIN, Michigan                 GEORGE V. VOINOVICH, Ohio\nTHOMAS R. CARPER, Delaware           TED STEVENS, Alaska\nMARK L. PRYOR, Arkansas              TOM COBURN, Oklahoma\nMARY L. LANDRIEU, Louisiana          JOHN WARNER, Virginia\n\n                   Richard J. Kessler, Staff Director\n             Jennifer A. Hemingway, Minority Staff Director\n                      Emily Marthaler, Chief Clerk\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Akaka................................................     
1\n    Senator Voinovich............................................     3\n    Senator Carper...............................................     4\n\n                               WITNESSES\n                       Thursday, February 1, 2007\n\nRobert Kolodner, M.D., Interim National Coordinator for Health \n  Information Technology, U.S. Department of Health and Human \n  Services.......................................................     5\nDaniel A. Green, Deputy Associate Director, Center for Employee \n  and Family Support Policy, Office of Personnel Management......     7\nDavid A. Powner, Director of Information Technology Management \n  Issues, Government Accountability Office, accompanied by Linda \n  Koontz, Director of Information Management Issues, Government \n  Accountability Office..........................................    17\nMark A. Rothstein, Herbert F. Boehl Chair of Law and Medicine, \n  and Director, Institute for Bioethics, Health Policy and Law, \n  University of Louisville School of Medicine....................    19\nCarol C. Diamond, M.D., Managing Director, Markle Foundation, and \n  Chair, Connecting for Health...................................    20\n\n                     Alphabetical List of Witnesses\n\nDiamond, Carol C., M.D.:\n    Testimony....................................................    20\n    Prepared statement with attachments..........................   138\nGreen, Daniel A.:\n    Testimony....................................................     7\n    Prepared statement...........................................    44\nKolodner, Robert, M.D.:\n    Testimony....................................................     5\n    Prepared statement...........................................    35\nKoontz, Linda:\n    Testimony....................................................    17\n    Prepared statement with attachments..........................    
52\nPowner, David A.:\n    Testimony....................................................    17\n    Prepared statement with attachments..........................    52\nRothstein, Mark A.:\n    Testimony....................................................    19\n    Prepared statement...........................................   130\n\n                                APPENDIX\n\nBackground Memorandum............................................    29\nSimon P. Cohn, M.D., M.P.H., Chairman, National Committee on \n  Vital and Health Statistics, submitted copy of a report \n  entitled ``Privacy and Confidentiality in the Nationwide Health \n  Information Network''..........................................   164\nResponse to questions submitted for the Record from:\n    Dr. Kolodner.................................................   181\n    Mr. Green....................................................   185\n    Mr. Powner...................................................   188\n\n\n                    PRIVATE HEALTH RECORDS: PRIVACY\n                      IMPLICATIONS OF THE FEDERAL\n                    GOVERNMENT'S HEALTH INFORMATION\n                         TECHNOLOGY INITIATIVE\n\n                              ----------                              \n\n\n                       THURSDAY, FEBRUARY 1, 2007\n\n                                   U.S. Senate,    \n              Subcommittee on Oversight of Government      \n                     Management, the Federal Workforce,    \n                            and the District of Columbia,  \n                      of the Committee on Homeland Security\n                                        and Governmental Affairs,  \n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 2:33 p.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Daniel K. 
\nAkaka, Chairman of the Subcommittee, presiding.\n    Present: Senators Akaka, Carper, and Voinovich.\n\n              OPENING STATEMENT OF CHAIRMAN AKAKA\n\n    Chairman Akaka. This hearing will come to order.\n    Today's hearing, ``Private Health Records: Privacy \nImplications of the Federal Government's Health Information \nTechnology Initiative,'' will examine what actions the Federal \nGovernment is taking to ensure that privacy is an integral part \nof the national strategy to promote health information \ntechnology.\n    Studies show that the use of health IT can save money, \nreduce medical errors, and improve the delivery of health \nservices. For example, in 2004, the Center for Information \nTechnology Leadership estimated that in ambulatory care \nsettings the use of electronic health records (EHRs) would save \n$112 billion per year, or 7.5 percent of health care spending. \nIn addition, EHRs are shown to help avoid duplicate tests and \nexcess medication.\n    In 2004, President Bush called for the widespread adoption \nof interoperable electronic health records within 10 years and \nissued an Executive Order that established the position of the \nNational Coordinator for Health Information Technology. The \nNational Coordinator is charged with developing and \nimplementing a strategic plan to guide the nationwide \nimplementation of interoperable health IT in both the public \nand private sectors.\n    Two months later, the Department of Health and Human \nServices (HHS) released a framework for strategic action to \npromote health IT, which calls on all levels of government to \nwork with the private sector to stimulate change in the health \ncare industry. 
For example, the Departments of Veterans Affairs \n(VA) and Defense (DOD), the major Federal health care delivery \norganizations, are leaders in the use of health IT.\n    VA, one of the country's largest health care providers, has \nhad an automated information system in its medical facilities \nsince 1985. DOD has provided IT support to its hospitals and \nclinics since 1968. As Chairman of the Veterans' Affairs \nCommittee, we are looking at how to move DOD and VA forward in \ndeveloping joint EHRs.\n    This Subcommittee is particularly interested in the \nstrategy, which calls for the Office of Personnel Management \n(OPM) to use its leverage as the administrator of the Federal \nEmployee Health Benefits Program, which covers approximately 8 \nmillion Federal employees, retirees, and their dependents, to \nexpand the use of health IT. OPM, through its annual Call \nLetter to carriers, has been encouraging carriers to increase \nthe use of EHRs, electronic prescribing, and other health IT-\nrelated provisions.\n    Although I support efforts to increase the use of health \nIT, I am deeply concerned about the level of privacy \nprotections in the health IT network. In 2005, a Harris \nInteractive survey showed that 70 percent of Americans were \nconcerned that an electronic medical records system would lead \nto sensitive medical records being exposed due to weak \nelectronic security. This fear is understandable.\n    Over the past few years, we have seen various data mining \nprograms in the Federal Government that lacked key privacy \nprotections. We also recall the loss of a VA laptop computer \nand the news of many other Federal data breaches that put the \npersonal information of millions of Americans at risk. These \nincidents reinforce the need to build privacy and security \nprotections into any system containing personal information. \nOur personal health information must not be subject to these \nsame failings. 
Privacy and security are critical elements in \nhealth IT and should never be an afterthought.\n    That is why I wrote to OPM in May 2005 seeking information \non how Federal employees' health information would be protected \nunder the efforts of OPM and the health insurance carriers. OPM \nresponded that the Health Insurance Portability and \nAccountability Act (HIPAA) would address these privacy \nconcerns. But while HIPAA is a foundation, HIPAA by itself is \nnot enough. Privacy protections must be built in conjunction \nwith the development of the health IT infrastructure.\n    To ensure that this was happening, Senator Kennedy and I \nasked the Government Accountability Office to review the \nefforts of HHS and the National Coordinator to protect personal \nhealth information. GAO's report, which was released this \nmorning, found that while HHS and the National Coordinator have \ntaken steps to study the protection of personal health \ninformation, an overall strategy is needed to: One, identify \nmilestones for integrating privacy into the health IT \nframework; two, ensure privacy is fully addressed; and, three, \naddress key challenges associated with the nationwide exchange \nof information.\n    Given the overwhelming evidence of the benefits associated \nwith the expanded use of health IT, as well as the fact that 70 \npercent of Americans are concerned about the privacy of their \nhealth information, I am surprised to learn that HHS objects to \nthis recommendation.\n    It is clear that the health care industry faces challenges \nin protecting electronic health information given the varying \nState laws and policies, the entities not covered by HIPAA, and \nthe need to implement adequate security measures. But while \nmore and more companies, providers, and carriers move forward \nwith health IT, I fear that privacy suffers while HHS takes \ntime to decide how to implement privacy protection. 
HHS must \naddress these issues in a more timely fashion in order to give \nthe private sector guidance on how to move forward with health \nIT and protect the private health information of all Americans.\n    I want to thank our witnesses for being here today to \ndiscuss this critical issue.\n    I now turn to my good friend, Senator Voinovich, for any \nopening statement he may have at this time.\n\n             OPENING STATEMENT OF SENATOR VOINOVICH\n\n    Senator Voinovich. Thank you, Senator Akaka. I appreciate \nyour holding this hearing today on a subject that is of \ninterest to me.\n    The widespread adoption of health information technology \nsuch as electronic health records will revolutionize the health \ncare profession. In fact, the Institute of Medicine, the \nNational Committee on Vital and Health Statistics, and other \nexpert panels have identified information technology as one of \nthe most powerful tools in reducing medical errors and \nimproving the quality of health.\n    Unfortunately, our country's health care industry lags far \nbehind other sectors of the economy in its investment in \ninformation technology. But, Senator Akaka and Carper, as I \ntravel around Ohio I see a marked acceleration in the use of \nIT.\n    The Institute of Medicine estimated in 1999 that there were \nnearly 98,000 deaths each year resulting from medical errors. \nMany of these deaths can be directly attributed to the inherent \nimperfections of our current paper-based health care system.\n    Not only can technology save lives and improve the quality \nof health care, it also has the potential to reduce the cost of \nthe delivery of health care. According to the Rand Corporation, \nthe health care delivery system in the United States could save \napproximately $160 billion annually with the widespread use of \nelectronic medical records. 
As technology advances, the issues \nsurrounding protection of personal information will continue to \nbe at the forefront of people's minds. Individual citizens \ncontinue to express concern over the security of personal, \nconfidential information whether it is contained in an \nelectronic health record or stolen from laptops, as Senator \nAkaka pointed out, at the Department of Veterans Affairs.\n    However, the benefits of technology in the health care \narena are undeniable, and I support the use of HIT. In fact, in \nthe 109th Congress, Senator Carper and I introduced the Federal \nEmployees Electronic Personal Health Records Act. I am sure we \nwill be hearing more from Senator Carper about it. The bill \nwill provide for the establishment and maintenance of \nelectronic personal health records for individuals and family \nmembers enrolled in the Federal Employee Health Benefits \nProgram. I have talked with one of the major health insurance \ncompanies and they support the use of HIT.\n    I am hopeful the testimony today will assist my colleagues \nand me as we make decisions about implementing health IT. I \npersonally look forward to learning from our witnesses ways \nSenator Carper and I might refine our legislation before \nintroduction. As I say, we are making progress on privacy \nprotections, and I am really pleased that the President issued \nan Executive Order specific to deployment of health information \ntechnology, including establishment of a National Coordinator \nfor Health Information Technology.\n    Since then, the Coordinator and the Department of Health \nand Human Services have made considerable progress toward the \nadoption of interoperable IT. But the successes have not come \nwithout criticism. Dr. Kolodner, your office has an enormous \nresponsibility to continue to cultivate a strategic plan to \nguide implementation of nationwide interoperable health \ninformation technology. It is an important job. 
We must bring \nhealth care costs under control, and HIT is one part of that \ngoal. However, there is some concern about whether information \nin IT systems is going to be private and secure. We cannot let \nthose weaknesses impede our progress in this area.\n    So, Mr. Chairman, I am looking forward to hearing from our \nwitnesses.\n    Chairman Akaka. Thank you very much, Senator Voinovich. \nSenator Carper.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Thank you, Mr. Chairman, and to our \nwitnesses and to my friend and colleague, Senator Voinovich. He \ntelegraphed my pitch a little bit, but I think it is great that \nhe did.\n    Mr. Chairman, as Senator Voinovich has said, we introduced \nin the last Congress and I think we are close to reintroducing \nin this Congress legislation to require those who provide \ninsurance under the Federal Employee Health Benefits Program--\nthey would have a period of time, I think maybe less than 2 \nyears or so--to provide electronic health records for Federal \nemployees insured under those policies if the employees wish to \nhave that. And I know you have a strong interest in privacy \nprotection, and we would look forward to working with you and \nyour Subcommittee and your staff to make sure that we meet \nmuster in that regard.\n    Next month is a big month for us in Delaware, and I say \nthis to our witnesses and others. We are beginning to stand up \nwhat we call the ``Delaware Health Information Network,'' an \napple in my eye when I was Governor many years ago, and it is \nnow actually coming to fruition as we try to electronically \nlink our doctors' and nurses' offices and our hospitals and our \nlabs and other providers. 
We are excited about the \npossibilities that holds for us.\n    I am an old Navy guy, and I remember when I got out of the \nNavy--at least off of active duty, not out of the Navy, but off \nof active duty in 1973 and showed up at the VA hospital just \noutside of Wilmington. And it is not a place that, frankly, a \nlot of veterans wanted to go to for health care. I did not \nsense there was a lot of joy on the part of people who worked \nthere being a VA employee, doctor or nurse or anything else. \nAnd, boy, that has really changed, especially in the last \ndecade.\n    I would never have imagined 33 years ago, that we would be \nlooking to the VA to provide the way with respect to improving \noutcomes and holding down costs and saving lives. But they sure \nhave come through for us.\n    Mr. Chairman, don't you chair the Veterans Committee in the \nSenate?\n    Chairman Akaka. Yes.\n    Senator Carper. I thought so. OK. Well, you have sort of a \ndouble interest in this particular issue. But we really look \nforward to what you have to say. We do not have very strong \nattendance here today, partly because there is a concurrent \njust-called caucus of the Senate Democrats, and they are \nmeeting as we speak to discuss a resolution that pertains to \nthe President's proposed surge of troops in Iraq. So people may \nbe drifting in to join us in a little bit, but that just began \nliterally at the time that this hearing began. So we apologize \nfor them. Those of us who are here are anxious to hear what you \nhave to say. So thanks for coming.\n    Chairman Akaka. Thank you very much.\n    I welcome to the Subcommittee today's first panel of \nwitnesses: Dr. 
Rob Kolodner, Interim National Coordinator for \nHealth Information Technology at the Department of Health and \nHuman Services, and Daniel Green, Deputy Associate Director, \nCenter for Employee and Family Support Policy, at the Office of \nPersonnel Management.\n    It is the custom of this Subcommittee to swear in all \nwitnesses, and I ask you to stand and raise your right hand. Do \nyou swear that the testimony you are about to give this \nSubcommittee is the truth, the whole truth, and nothing but the \ntruth, so help you, God?\n    Dr. Kolodner. I do.\n    Mr. Green. I do.\n    Chairman Akaka. Thank you. Dr. Kolodner, please proceed \nwith your statement.\n\n    TESTIMONY OF ROBERT KOLODNER, M.D.,\\1\\ INTERIM NATIONAL \nCOORDINATOR FOR HEALTH INFORMATION TECHNOLOGY, U.S. DEPARTMENT \n                  OF HEALTH AND HUMAN SERVICES\n\n    Dr. Kolodner. Good afternoon, Chairman Akaka, Senator \nVoinovich, and Senator Carper. Thank you for inviting me here \ntoday to discuss the privacy plans, activities, and \naccomplishments of the National Health Information Technology \nagenda led by HHS.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Dr. Kolodner appears in the Appendix \non page 35.\n---------------------------------------------------------------------------\n    Mr. Chairman, we appreciate Hawaii's efforts as pioneers in \nprotecting patient health information and note that Hawaii's \nearly work to develop a comprehensive privacy law informed and \nwas an important resource for HHS when we developed the HIPAA \nprivacy rules.\n    Privacy and security are integral components of the \nnational health IT agenda and are addressed by a spectrum of \nactivities that advance our current understanding of the issues \nand multiple levels and lay the foundation for future \nactivities. 
The widespread adoption of interoperable electronic \nhealth records will save lives, reduce medical errors, and \nimprove the quality and efficiency of care, as you have noted.\n    At the same time, it will create both new challenges and \nnew opportunities with respect to protecting health \ninformation. HIPAA created a strong foundation of privacy and \nsecurity protections for personal health information upon which \nStates may provide additional privacy protections. We are \nvigorously addressing the new challenges by leveraging existing \nprivacy policy foundations, building robust new public-private \ncollaborations, partnering with States, health care \norganizations, and consumers to address State and business \nlevel protections, and considering privacy and security \npolicies and implementation at a nationwide level.\n    Ultimately, the effective coordination of health IT \nactivities will help create an environment that improves the \nhealth status of both individuals and communities at the same \ntime that personal health information is protected.\n    The HHS Office of the National Coordinator for Health IT, \nONC, is charged with leading the national health IT agenda \nacross the Federal Government and the private sector by \ncoordinating health IT activities, including those related to \nprivacy and security. 
ONC has the lead for working with CMS, \nthe Office for Civil Rights, or OCR, and others to develop the \nprivacy policies for health IT, and OCR and CMS are responsible \nfor the oversight and enforcement of the related HIPAA rules.\n    The GAO report provides an excellent summary of the myriad \nof our successful health IT activities since 2004, and the \nreport documents an active, progressive program of HHS \nactivities that identify national privacy issues to be \naddressed as well as barriers to interoperability caused by \nprivacy policy variations across States that need to be \nresolved.\n    The tools we use to advance our privacy and security \nactivities include contracts, including a recent one with the \nNational Governors Association, an interdepartmental Federal \nPolicy Council, and a public-private Confidentiality, Privacy, \nand Security Work Group of the American Health Information \nCommunity. The Community is a Federal advisory committee that \nis chaired by Secretary Leavitt himself and plays a central \nrole in all of our activities. The members of the Community, \nconsisting of senior leaders from the public and private \nsectors, participate in deliberations that guide our work and \nshape our understanding of how we can most effectively advance \nthe health IT agenda nationwide, including privacy and \nsecurity.\n    Much like the historic journey by Lewis and Clark 200 years \nago, who were crossing uncharted territory, we, too, are on a \nsimilar journey. Their goal was clear: to find a route to the \nPacific Ocean, although the exact path was unknown at the \nbeginning. Our goal is clear as well: The secure exchange of \ninteroperable electronic health information. And the detailed \nmilestones necessary to achieve our goal are also not yet \nknowable.\n    Our approach is iterative. First, it requires an \nunderstanding of the multiple environments in which we are \noperating. 
To gain this understanding, we have initiated \nmultiple complementary activities, such as the Nationwide \nHealth Information Network prototypes, the Privacy and Security \nSolutions Contract, and the State Alliance for e-Health. And we \nhave gathered input from other expert resources such as the \nNational Committee for Vital and Health Statistics, or NCVHS.\n    Second, our approach requires that we evaluate and analyze \nwhat we have discovered and learned. For example, only after we \nget the State level reports this spring that identify \nchallenges and opportunities to protect and share health \ninformation will we have sufficient data to reliably establish \nthe next set of milestones that we must achieve. An output from \none source becomes input for another, such as the NCVHS \nrecommendations that have been publicly shared with the \nCommunity work group I mentioned previously. As that work group \nmoves from addressing security to addressing privacy concerns, \nwe anticipate that these recommendations will inform the next \nset of privacy priorities.\n    Our activities confirm the importance we give to \nconfidentiality, privacy, and security. We have been executing \nan effective plan, originally described in our strategic \nframework that you mentioned, Mr. Chairman, and one that will \ncontinue to grow and evolve as we submit our health IT \nstrategic plan later this year.\n    We are using a results-oriented strategy of discovery and \nadvancement that must be done in collaboration with a variety \nof stakeholders at the local, State, and national levels. GAO \nhas documented the progress that we have made in the first 2 \nyears of our work, and we continue to undertake multiple \nrelated productive activities to properly protect the \nelectronic health information today, tomorrow, and into the \nfuture.\n    Thank you for your time, and I welcome any questions you \nmight have.\n    Chairman Akaka. Thank you very much. 
I want our witnesses \nto know that your full statements will be included in the \nrecord.\n    Mr. Green.\n\n  TESTIMONY OF DANIEL A. GREEN,\\1\\ DEPUTY ASSOCIATE DIRECTOR, \n   CENTER FOR EMPLOYEE AND FAMILY SUPPORT POLICY, OFFICE OF \n                      PERSONNEL MANAGEMENT\n\n    Mr. Green. Mr. Chairman, Members of the Subcommittee, it is \nmy pleasure to be here today to represent the Office of \nPersonnel Management (OPM) Director Linda Springer. I plan to \ndiscuss how OPM is working with the Department of Health and \nHuman Services and other organizations on the National Health \nInformation Technology Initiative, and I will discuss how we at \nOPM are working with our health benefits carriers to implement \nhealth information technology (IT) that is secure and protects \nmember privacy.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Green appears in the Appendix on \npage 44.\n---------------------------------------------------------------------------\n    OPM administers the Federal Employees Health Benefits \n(FEHB) Program, which covers approximately 8 million Federal \nemployees, retirees, and their dependents. Like other large \nemployers, we contract with private sector health plans. We \nhave consistently encouraged participating plans to be \nresponsive to consumer interests by emphasizing flexibility and \nconsumer choice. We have also encouraged plans to adopt health \ninformation technology as an important consumer-oriented \ninitiative. At the same time, we have placed great importance \non the privacy and security of personal health information.\n    FEHB enrollees have the same privacy protections under \nFederal law as all Americans. The Health Insurance Portability \nand Accountability Act of 1996 provides protections for \nprivacy of individually identifiable health information. 
All \nFEHB health carriers are required to comply with HIPAA \nrequirements.\n    And now I would like to provide some background on OPM's \ninitiatives in health information technology.\n    In 2004, President Bush issued an Executive Order to \ndevelop and implement a nationwide health IT infrastructure to \nimprove the quality and efficiency of health care. In response \nto the Executive Order, we have been working with our FEHB \nplans on focused efforts to promote health IT while at the same \ntime ensuring compliance with Federal requirements on privacy \nand security. More specifically, we have asked our carriers to \nconcentrate on specific short-term objectives which include \neducation for consumers on health IT, offering personal health \nrecords to consumers based on their medical claims history, \nencouraging e-prescribing, linking disease management programs \nwith health IT, and compliance with Federal requirements on \nprivacy.\n    We have found that while there are wide variations in the \nscope and extent of health IT use, most carriers have focused \non providing consumers with claims-based information through \ntheir secured websites. Some have robust health IT systems. We \nhave recognized them on our own website during Open Season so \nconsumers would have this additional information to take into \nconsideration in making their plan choices.\n    Then, last August, President Bush issued a second Executive \nOrder, which underscored his commitment not only to health IT, \nbut also to health care cost and quality transparency. In \nsupport of the order, we required all FEHB carriers to report \non quality measures, including data from the Health Plan \nEmployer Data and Information set. We also encouraged them to \nprovide information on cost and quality transparency. 
Along \nwith the carriers that have state-of-the-art health IT \ncapabilities, the carriers that made their best efforts to \nprovide cost and quality transparency were also prominently \npositioned on our Open Season website last fall.\n    Looking forward, OPM will continue to work with carriers on \nstandards for interoperability of health information records as \nthey are adopted in the health care industry, and we will \ncontinue to provide information for consumers on carriers' cost \nand quality transparency initiatives as well as their health IT \ncapabilities.\n    As a member of the American Health Information Community, \nOPM will monitor the recommendations of the Confidentiality, \nPrivacy, and Security Work Group and determine if there are \nprivacy and security requirements that should be applied to \nFEHB carriers. We firmly believe privacy and security of \npersonal health information is important. We are encouraged by \nHHS's efforts to address this important issue. We plan to \ncontinue to work closely with HHS, the Community, and the \nHealth IT Policy Council to ensure all necessary steps are \ntaken to protect consumer privacy rights.\n    We appreciate this opportunity to testify before the \nSubcommittee on this very important issue, and we will be glad \nto answer any questions you may have.\n    Chairman Akaka. Thank you very much for your testimony.\n    Dr. Kolodner, the GAO report notes that HHS disagreed with \nGAO's recommendation to define and implement the overall \napproach for protecting health information, including \nidentifying milestones and integrating privacy efforts. Can you \nelaborate on HHS's objection to GAO's recommendation, \nparticularly why HHS believes that setting milestones will \nimpede progress and preclude stakeholder dialogue?\n    Dr. Kolodner. Yes, Mr. Chairman. As I mentioned, the issue \nis not whether we have milestones. Milestones that we can set \nup right now based on what we know are very high level. 
They \nare, for example, to complete our Privacy and Security \nSolutions contract, to get the results of the contract, to \nanalyze those results, and based on the content that was given \nin those analyses, to then determine the next set of \nmilestones. That is pretty high level. That is not what we \nbelieve GAO was telling us to do, because that is basic project \nmanagement, and we are doing that already.\n    The idea of stating right now what those milestones will \nlook like in June or July, when we have not yet received the \nreport that will be received this spring, is something that we \nknow would probably not accurately reflect what we will be \nexecuting in June, July, and August. So we see this as an \niterative process of discovery and collaboration.\n    A very important reality is that there are many parties \nthat have very strong feelings, as you can tell, about this \narea, and privacy is important. We need to make sure that we \nadvance deliberately, advance as quickly as we possibly can, \nbut to make sure that we listen to and are informed by a \nvariety of viewpoints. And as those deliberations occur and as \nthose collaborations occur, we will advance forward.\n    Chairman Akaka. Thank you.\n    Mr. Green, OPM's contracts with carriers require compliance \nwith HIPAA. As part of OPM's requirement to promote the use of \nhealth IT, the 2007 Call Letter required carriers to comply \nwith Federal requirements to protect the privacy of \nindividually identifiable health information.\n    How does OPM monitor carriers' compliance with HIPAA \nprivacy and security rules? And what steps are taken if a \ncarrier is found to be noncompliant?\n    Mr. Green. Mr. Chairman, in addition to the HIPAA law, we \nhave required by contract that all our carriers follow the \nHIPAA rules, and we have also added privacy requirements that \npre-date the HIPAA law, and those are in our standard \ncontracts. 
We have also added certain measures that all our \ncarriers are required to comply with concerning confidentiality \nof records and privacy and the regulations used to supplement \nthe Federal Acquisition Regulations. They are called FEHBAR. \nThe FEHB Acquisition Regulations apply to all our carriers. \nThey are required to notify their contracting officer whenever \nthey have an enforcement action resulting from noncompliance, \nas issued by a State or Federal authority. They are also \nsubject to audit by both GAO and OPM, including OPM's Inspector \nGeneral's office, and they run a system of audits against the \ncomputer systems of all our carriers on a rotational basis. And \nthey will be introducing additional privacy audit steps this \nyear into that audit.\n    Chairman Akaka. Mr. Green, are there any circumstances that \nwould result in electronic health records or personal health \nrecord networks being developed or used by FEHBP carriers that \nwould not come under HIPAA?\n    Mr. Green. Senator, the FEHB carriers are required to \nfollow HIPAA rules, and so are their business associates, such \nas pharmacy benefit managers. So any subcontracts they have \nwould also under our contract require them to follow HIPAA \nrules.\n    Chairman Akaka. Dr. Kolodner, the statutory advisory \ncommittee, NCVHS, and the Secretary's advisory committee, AHIC, \nhave made recommendations to the Secretary of HHS regarding the \nprotection of personal health information. What is HHS's \nresponse to the recommendations, and how will they be \nincorporated into a nationwide health information architecture?\n    Dr. Kolodner. Mr. Chairman, the NCVHS recommendations, \nwhich were accepted by the Secretary and then sent to the AHIC \nwork group--the Confidentiality, Privacy, and Security Work \nGroup--are, in fact, informing that group as they consider the \nvarious privacy policies and privacy priorities. 
Those will \nthen come back to the Community for recommendation up in terms \nof specifically what kinds of privacy policies and security \nkinds of architecture should be required as we move forward.\n    The Nationwide Health Information Network prototypes also \nhave brought forth a number of different solutions, and we have \nbeen using those to look at what should go forward for the next \nround of trial implementations that we plan to fund this next \nyear. So they are very much guiding and identifying those \nrequirements that need to be moving forward.\n    Chairman Akaka. Mr. Green, I believe privacy protections \nmust be built into the health IT architecture at the beginning \ninstead of racing to address privacy violations after Americans \nlose trust in the system. However, after reading the testimony \nof the witnesses on our second panel, I fear that HHS is not \nacting fast enough to integrate privacy protections in the \ndevelopment of the health IT.\n    With this in mind, Mr. Green, what risks are there to \nFederal employees' health information as FEHBP carriers push \nforward with health IT initiatives?\n    Mr. Green. Senator Akaka, nothing in this world is perfect, \nand there is no absolute certainty anywhere. However, I am \nconvinced that with the procedures that we have in place, the \nrequirements we have in place today, protect our FEHB enrollees \nas fully or more so than any other citizen in this country \nagainst a chance of inappropriate misuse of that information.\n    In addition, going forward with the implementation of \nhealth information technology, we are pleased and honored and \nexcited about our participation in much of the work with the \nDepartment of Health and Human Services. As you know, we are a \nmember of the AHIC. 
We are on several of the subcommittees, \nworking groups, and, in fact, Director Springer for a time \nchaired the Consumer Empowerment Work Group, which is our deep \ninterest because we feel like that is our responsibility--to \nsupport and protect our enrollees. They are our primary \ncustomers, after all. And, in addition, we work with the other \nFederal agencies that are heavily involved in this as part of \nan HIT Policy Council.\n    So I am convinced that as we go forward, our Federal \nemployees, retirees, and survivors and their family members \nwill be as protected as we can possibly make them, and that is \nour promise to you, sir.\n    Chairman Akaka. Thank you. Senator Voinovich.\n    Senator Voinovich. Thank you.\n    Dr. Kolodner, do you believe that the Office of National \nCoordinator has sufficient authority to facilitate \ncommunications among Federal entities, the private sector, and \nconsumer organizations to lead the development and \nimplementation of appropriate privacy standards?\n    Dr. Kolodner. Yes, sir, I believe that we do, and I think \nthat we have a number of avenues and a number of venues where \nwe are already doing that, including the American Health \nInformation Community, and also a number of the contracts with \nthe States, like the State Alliance for e-Health.\n    Senator Voinovich. Do you think outside groups looking in \nwould say that they agree with you?\n    Dr. Kolodner. We have several venues where we use public-\nprivate collaborations, and we certainly look for any other \nopportunities there might be, but we have been as open as \npossible in the development of the standards, and in \ndeliberations by any of the work groups. They are all open, \nbroadcast on the Web, and have opportunities for public comment \nthroughout.\n    Senator Voinovich. I know this is off the subject, but it \nis something I am interested in. We have not passed \nappropriations, and we are talking about a continuing \nresolution. 
I would be interested in your observations in \nregard to whether you feel that it has been harmful to your \nrespective organizations to have a continuing resolution in \nwhich you are operating under.\n    Dr. Kolodner. For the Office of the National Coordinator, \nwe have been able to proceed on a variety of activities that we \nhave underway, and we have not had to slow down because of the \ncontinuing resolution. And we also, as you know, have the good \nfortune of having both Secretary Leavitt's very strong \nbacking--this is one of his top programs--as well as the \nPresident having passed two Executive Orders that allow us to \nmove forward.\n    Senator Voinovich. So no problem?\n    Dr. Kolodner. No problem.\n    Senator Voinovich. Mr. Green.\n    Mr. Green. Senator, I cannot speak for all of the Office of \nPersonnel Management on our budget issues. I will leave that to \nDirector Springer. I can say that we are moving forward on our \ninitiatives, and we have a very large agenda within the Federal \nEmployees Health Benefits Program and the other benefit \nsystems, and we are moving forward without slackening at all.\n    Senator Voinovich. Do you have the personnel and resources \nto get the job done?\n    Mr. Green. Sir, I argue and fight for as many resources as \nI can get with my leadership, but I think that would probably \nbe best left inside the OPM doors.\n    Senator Voinovich. Well, one of the things that bothers me \nis that we are asking many agencies to do all kinds of things, \nand we do not allocate the resources so they can get the job \ndone. I know it is very difficult for the secretaries of these \ndepartments to be forthcoming about it, but it seems to me that \nduring this new budget cycle we ought to be encouraging both of \nyou to make it clear to the folks that are in charge if you \nneed additional help. I just read, Senator Akaka, where the \nPresident is talking about flat funding the nondefense \ndiscretionary budget again. 
We just cannot keep going this way. \nThere are too many responsibilities that are not getting done, \nand the nondefense discretionary budget is being cut. To be \ncandid with you, we should be paying for the war, just not \nputting it on the tab. What it is doing is it is squeezing out \nother priorities that are essential.\n    Have you, Mr. Green, had a chance to look at the bill that \nI joined Senator Carper in introducing, the Federal Employees \nElectronic Personnel Health Records Act?\n    Mr. Green. Yes, sir, I have.\n    Senator Voinovich. I would be interested in your comments \nabout it.\n    Mr. Green. Several comments, as a matter of fact.\n    We note that the bill is consistent with the direction of \nthe health care industry and the leadership provided by HHS, \nand it is also consistent with OPM's initiatives, as well, to \nmove our carriers toward having PHRs. We do have some concerns \nabout some of the aspects of the bill. Let me put it this way: \nWe would be excited and would like to work with you and your \nstaff and Senator Carper to move that forward, to deal with \nsome of the issues we have. I think you will find them good \npoints that we both want to work through, and we would be happy \nto do that with you, sir. But overall, yes, we do support a \nbill like that.\n    Senator Voinovich. So if Senator Carper's and my staff got \nin touch with you, you would be able to tell us your concerns.\n    Mr. Green. We would be pleased to do that. Yes, sir.\n    Senator Voinovich. I was glad to hear from your testimony \nthat you are interested in HIT yourself. I mean, it is not like \nwe are asking you to do something that is not already being \ndone.\n    Mr. Green. No, that is true. And our carriers are \ninterested as well. They see this as a real opportunity not \nonly to provide for their members, but also to differentiate \nthemselves in the marketplace. Our job and Mr. 
Kolodner's job is \nto see to it that they are done interoperably and so that it is \nportable and also so that they are, in fact, secure, private, \nand the information is confidential and under the control of \nthe enrollee.\n    Senator Voinovich. Our thought is that we could use that as \nkind of a model for the rest of the country. I mentioned that I \nspoke with Aetna, while at the bipartisan health policy \nconference sponsored by the Commonwealth Fund and the Alliance \nfor Health records with Aetna's CEO, who said he thinks \nimplementing personal health records is a great first step, and \nthat they seem to be interested in moving forward with it. So \nit would be wonderful if we could get the standards in place \nand get moving.\n    Mr. Green. Aetna is one of our carriers, of course, a very \nlarge participant, so that is good to hear.\n    Senator Voinovich. Thank you, Senator Akaka.\n    Chairman Akaka. Thank you, Senator Voinovich.\n    Dr. Kolodner, you testified that the current HIPAA statute \nprovides the flexibility to protect health information while \nallowing best practices to emerge. However, as Mr. Rothstein on \nour next panel notes in his written testimony, some private \nsector companies are using electronic health record and \npersonal health record networks that generally are not subject \nto any Federal or State regulation because the initiatives are \nnot covered entities under HIPAA.\n    Does HHS have a list of entities that may have access to \npersonal health information under a health IT network, but are \nnot covered by HIPAA?\n    Dr. Kolodner. The HIPAA rules define the entities that are \ncovered by HIPAA. 
There are other entities that are not covered \nby HIPAA, and he may be referring to some of those entities.\n    The Confidentiality, Privacy, and Security Work Group and \nour Consumer Empowerment Work Group, which is another work \ngroup under the American Health Information Community, both \nhave started to consider whether there are entities that should \nbe covered under HIPAA that are not now being covered. We will \nbe looking at those recommendations as they come forward and \nsee whether there is sufficient authority in HIPAA to extend \nthat. So we are considering that as part of the deliberations \nthat I mentioned that are underway.\n    Chairman Akaka. Dr. Kolodner, HHS has been without a \npermanent National Coordinator for Health IT since May 19, \n2006. When will a permanent National Coordinator be named?\n    Dr. Kolodner. Mr. Chairman, that would be a question that \nSecretary Leavitt would ultimately need to answer. He has asked \nVA to detail me over. VA did that starting in September. VA was \ngracious enough to extend the detail, so I will be here for \nanother period of time, and it will be up to Secretary Leavitt \nto ultimately decide.\n    Chairman Akaka. Thank you.\n    Mr. Green, you testified that OPM is a member of several \nwork groups focused on health IT. Can you share with us some of \nthe recommendations that OPM has made to these groups?\n    Mr. Green. Senator, the work groups operate under a \nconsensus-based decisionmaking process. We contribute to those \ndiscussions on each recommendation as they come up.\n    One of our primary objectives is to ensure consumer rights \nand responsibilities are protected, and we also share our \nknowledge on employer-based health benefits to shape \nrecommendations that are achievable and promote the broad goals \nof the HIT initiative.\n    Chairman Akaka. Thank you. Senator Carper.\n    Senator Carper. Thanks, Mr. Chairman. Who did you succeed \nin your job?\n    Dr. Kolodner. Dr. 
David Brailer was the first National \nCoordinator.\n    Senator Carper. What is Dr. Brailer doing now?\n    Dr. Kolodner. I believe he is doing some private \nconsulting. He is also a Special Government Employee, since he \ndoes still co-chair the American Health Information Community.\n    Senator Carper. Thanks. If you ever see him, give him my \nbest. Thanks. All right.\n    Dr. Kolodner. I will do so.\n    Senator Carper. I understand when I was out of the room in \nanother meeting here in the anteroom that Senator Voinovich \nasked for some reaction from both of you to the legislation we \nare about to reintroduce. And I understand that you pretty well \ntrashed it. [Laughter.]\n    No. I understand you were pretty generous. Would you just \nrecap for me what you had to say and any thoughts you might \nhave for making it better?\n    Mr. Green. Certainly, Senator. I explained that we have \nreviewed and commented earlier, at least within the Executive \nBranch, on the bill and that since the provisions in the bill \nare consistent with the direction that the health care industry \nis going and the leadership that HHS is providing, it is also \nconsistent with OPM's direction of where we want to move with \nour carriers in the FEHB program. So we are supportive of the \nbill and its outline and its purpose. There are some issues \nthat we would like to have the opportunity to discuss with you \nand your staff that we think we can help improve the bill to \nfit what goes on within the FEHB program and some other issues, \nto help deal with privacy concerns as well. So we would welcome \nthe opportunity.\n    Senator Carper. We gratefully accept that offer.\n    I mentioned earlier in my opening statement that in Delaware \nwe are standing up the Delaware Health Information Network, and \nwe are doing so with the financial support from the Department \nthat Secretary Leavitt leads and from some of the folks that \nare your colleagues, Dr. Kolodner. 
And the State of Delaware is \nmatching that money over the next couple of years, and the \nprivate sector in our State is stepping up as well. We just \nlearned that Blue Cross/Blue Shield of Delaware is the latest \nto step forward and say they want to be financially supportive \nof this, too. So we are very much encouraged.\n    One of our focuses in standing up the Delaware Health \nInformation Network is to protect patient privacy and patient \nrecords. And I know that you come out of the VA, don't you?\n    Dr. Kolodner. Yes, sir.\n    Senator Carper. How long did you work there?\n    Dr. Kolodner. Twenty-eight years.\n    Senator Carper. Twenty-eight years, wow. Did you start as a \nchild? [Laughter.]\n    But the VA approach on harnessing information technology--\njust talk with us a little bit about what you did there to \nprotect the privacy of patients and their personal or health \nrecords. And is there maybe a lesson there, a model for the \nrest of us, whether we are doing it at the State level or for \nFederal employees?\n    Dr. Kolodner. The VA had privacy as a central part of the \nsystem from early on, and we actually--because it is a single \nsystem and not a network. A network obviously presents new \nopportunities, new challenges. But as a system, we actually \nwould contract to security companies for them to try to break \ninto the electronic health record system and find where the \nvulnerabilities were so that we could fix them before any \nbreach had occurred. The VistA system, which started out as the \nDecentralized Hospital Computer Program is secure and has not \nbeen a source of any breaches.\n    We also have a personal health record we provide to \nveterans, starting in December, we actually upload this robust \ndata from.\n    Senator Carper. Starting this past December?\n    Dr. Kolodner. This past December. 
We had it in test with a \nfew thousand veterans before that, but starting this past \nDecember, veterans can, in fact, have a copy of their clinical \nrecord--not just any claims data but the clinical data that is \nin this robust VistA system--uploaded to a personal health \nrecord if they choose. So it is an opt-in strategy. And we have \nsecurity----\n    Senator Carper. It is opt in, not opt out?\n    Dr. Kolodner. It is opt in for the personal health record, \nyes, sir. And we have gotten very positive response from the \nveterans who----\n    Senator Carper. Are they opting in?\n    Dr. Kolodner. They are opting in. Hundreds of thousands \nhave opted in so far. And as with any new technology, if you \nremember when the Internet started, many of us were a little \nskeptical. We wanted to see what was going on. Did we want to \nuse our credit card over the Internet? And gradually what \nhappens is you get the early adopters who were willing to take \na chance, and the system gets more and more robust, more and \nmore trusted, and more people, in fact, come on board. So there \nis a growth curve that is a natural growth curve. It is not \nthat everybody comes on at once. But it is one where you get \nmore rapid uptake over time, and we are beginning to see that, \nparticularly as you offer services that--veterans had wanted to \nbe able to refill their prescriptions online, and they can do \nthat now.\n    Senator Carper. Great. You may recall in the last Congress \nthe Senate passed legislation dealing with health IT, passed a \npretty good bill. I don't know that there was anybody who voted \nagainst it in the Senate. It went over to the House and it \ndied. It died over there, and for reasons that are not \naltogether clear to me.\n    What advice would you have for us as we come back and take \nup the legislation? There may be an effort to try to combine \nwhat Senator Voinovich and I are doing to actually make it part \nof the larger piece of legislation? 
I don't know if we will let \nthat happen. Maybe we will, maybe we won't. There could be \nworse outcomes.\n    But why did it die in the House? What might be different \nthis time? And as we tinker with that legislation and prepare \nto pass it again in the Senate, what advice would you have for \nus, either of you?\n    Dr. Kolodner. Senator, certainly the reason why it died in \nthe House or why the Senate and the House could not get \ntogether on it is beyond my purview and my expertise, and I \nwould leave that to you and your colleagues.\n    Senator Carper. Well, we do not know either. [Laughter.]\n    But we will figure it out.\n    Dr. Kolodner. I know that there is great interest in the \nhealth IT bill, and certainly we will work with you and with \nyour colleagues as the various bills go forward to certainly \nwork on something that advances the whole health IT agenda.\n    Senator Carper. Well, I don't know how familiar you were \nwith the legislation that was enacted in the Senate. I am not \ngoing to dwell on it. But if you have any ideas for the record \nthat you might like to suggest to us, either of you, for how to \nimprove that legislation when it comes to the floor, which I \nthink will come fairly soon, we would welcome your input.\n    Do you all have anything else you want to say with respect \nto any of the questions I have raised here?\n    [No response.]\n    OK. Thank you. Thanks very much for your good work, \nparticularly at the VA, and as a veteran myself of the Navy, \nyou make us very proud, even prouder to be veterans. And for \nall the veterans around the country, in Delaware and other \nplaces, who have the opportunity to use what I call the gold \nstandard for health care in this country today, thank you for \nhelping to provide that system.\n    Chairman Akaka. Senator Voinovich.\n    Senator Voinovich. I would like to get back to the bill \nthat Senator Carper and I are going to reintroduce. 
It is my \nunderstanding that originally the bill had a 1-year \nrequirement, the bill Senator Carper had, and then we had a 2-\nyear requirement, and then we talked to OPM and they said we \nmight be moving too quickly.\n    It is my understanding that OPM is reluctant to agree to a \nstatutory deadline because the HHS standards have not been \npublished. However, Dr. Kolodner, you indicated that you have \nthe team necessary to get the job done. I just want you to know \nI do not want to see publication of the standards delayed. If \nyou do not have the people that you need to get the job done, \nthen we ought to know about it. I will pick up the phone and \ncall my good friend, former Governor Mike Leavitt, and say, \n``Mike, you guys have made a commitment. Now put the resources \nin it so we can get it done.'' I want this taken care of.\n    So if you want to respond to that, you may. [Laughter.]\n    Dr. Kolodner. One of the pleasures of being over at HHS has \nbeen the undying support of Secretary Leavitt for the area of \nhealth IT. I could not ask for any stronger support from him, \nand that has been one of the things that attracted me to take \nthis interim appointment.\n    The office actually was established a little over a year \nago, and we are just finishing up staffing up to our authorized \nlevel. We had been filling those activities with contractors. \nWe are now bringing on the staff that we need, and we are \nmoving as fast as we believe that we can, again, with this \niterative process that is necessary to make the best policy.\n    Senator Voinovich. Well, we welcome your input on our \nlegislation. We will be talking to you and Mr. Green about it \nmore.\n    Thank you, Senator Akaka.\n    Chairman Akaka. Dr. Kolodner and Mr. Green, thank you very \nmuch for your valuable testimony. I look forward to working \nwith each of you to ensure that privacy and security are \nintegral parts of the health IT architecture. 
Thank you very \nmuch.\n    Dr. Kolodner. Thank you, sir.\n    Mr. Green. Thank you.\n    Chairman Akaka. And now I ask our second panel of witnesses \nto come forward. Testifying on our second panel are David \nPowner, Director of IT Management Issues, and Linda Koontz, \nDirector of Information Management Issues, from the Government \nAccountability Office; also Mark Rothstein, Director of the \nInstitute for Bioethics, Health Policy, and Law at the \nUniversity of Louisville School of Medicine, as well as the \nChair of the Subcommittee on Privacy and Confidentiality of the \nNational Committee on Vital and Health Statistics; and Dr. \nCarol Diamond, Managing Director of the Markle Foundation.\n    As you know, it is the custom of the Subcommittee to swear \nin all witnesses, so please stand and raise your right hand. Do \nyou swear that the testimony you are about to give before this \nSubcommittee is the truth, the whole truth, and nothing but the \ntruth, so help you, God?\n    Mr. Powner. I do.\n    Ms. Koontz. I do.\n    Mr. Rothstein. I do.\n    Dr. Diamond. I do.\n    Chairman Akaka. Thank you. Mr. Powner, please proceed with \nyour statement.\n\n   TESTIMONY OF DAVID A. POWNER,\\1\\ DIRECTOR OF INFORMATION \n  TECHNOLOGY MANAGEMENT ISSUES, ACCOMPANIED BY LINDA KOONTZ, \n     DIRECTOR OF INFORMATION MANAGEMENT ISSUES, GOVERNMENT \n                     ACCOUNTABILITY OFFICE\n\n    Mr. Powner. Chairman Akaka, Ranking Member Voinovich, we \nappreciate the opportunity to testify on privacy initiatives \nassociated with our Nation's efforts to increase the use of \nhealth information technology. With me today is Linda Koontz, \nGAO's Director of Information Management Issues and privacy \nexpert.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Powner and Ms. 
Koontz with \nattachments appears in the Appendix on page 52.\n---------------------------------------------------------------------------\n    In 2004, President Bush issued an Executive Order that \ncalled for widespread adoption of electronic health records by \n2014 and established a National Coordinator for Health IT to \nlead and to foster public-private coordination. Over the past \nseveral years, we have issued several reports and testified on \nnumerous occasions, highlighting the need for detailed plans, \nmilestones, and mechanisms to monitor progress if this 10-year \ngoal is to be achieved.\n    The benefits of health IT are immense and include reducing \nmedical errors. However, it also raises concerns regarding the \nextent to which patient privacy is protected. The challenge \nhere is to strike the right balance between patient privacy \nconcerns and the numerous benefits IT has to offer this \nindustry.\n    This afternoon, as requested, I will summarize our report \ncompleted at your request, Mr. Chairman, on HHS's health IT \nprivacy initiatives. Specifically, I would like to highlight \nthree points: First, the importance of having a comprehensive \nprivacy approach; second, HHS's initial efforts to address \nprivacy; and, third, additional actions needed.\n    Privacy is a major concern in the health care industry \ngiven the sensitivity of certain medical information and the \ncomplexity of the health care delivery system with its numerous \nplayers and extensive information exchange requirements. This \nconcern increases as our Nation transitions to using more \nelectronic health records. 
A comprehensive privacy approach is \nneeded so that ultimately it is clear who these records are \ndisclosed to, what limitations are placed on the use of the \ninformation, how patients can access their records, how \ninaccurate or incomplete information is corrected, and what \nadministrative, physical, and technical safeguards are needed \nto protect electronic health information.\n    HHS acknowledges in its National Health IT Framework the \nneed to protect consumer privacy and plans to develop and \nimplement appropriate privacy and security policies, practices, \nand standards for electronic health information exchange. HHS \nand its Office of the National Coordinator have initiated \nseveral efforts to address privacy. These include: Awarding \nseveral contracts that include one for privacy and security \nsolutions; consulting with the National Committee on Vital and \nHealth Statistics to develop privacy recommendations; and \nforming a Confidentiality, Privacy, and Security Work Group to \nidentify and address privacy and security policy issues.\n    These efforts are good building blocks, but much work \nremains, including: Assessing how variations in State laws \naffect health information exchange; reporting and acting on the \nprivacy and security contractors' findings; acting on advisory \ngroup recommendations; and identifying and implementing privacy \nand security standards.\n    The National Coordinator's Office intends to use the \nresults of these activities to identify policy and technical \nsolutions for protecting personal health information as part of \nits continuing effort to complete a national health IT \nstrategy. Ultimately, these and other efforts are to result in \ncomprehensive security and privacy policies, practices, and \nstandards. However, how HHS plans to integrate the outcomes of \nits initiatives and when is unclear.\n    Therefore, we recommended, Mr. 
Chairman, that HHS develop \nan overall privacy approach or a game plan that identifies \nmilestones and an accountable entity for integrating the \noutcomes of its health IT contracts and recommendations from \nadvisory groups. In addition, this approach should ensure that \nkey privacy principles highlighted in our written statement are \nfully addressed. And, finally, this approach should address key \nchallenges associated with legal and policy issues, disclosure \nof information, individual rights to access, and security \nmeasures.\n    In summary, Mr. Chairman, while progress continues to be \nmade through the National Coordinator's private initiatives, a \ncomprehensive approach is needed to integrate the results of \nthe initiatives to ensure that key privacy principles are \naddressed and to ensure that recommendations from the advisory \ncommittees are effectively implemented. Otherwise, HHS will not \nbe providing the leadership called for by the President and its \ngoal of safeguarding personal health information will be in \njeopardy.\n    This concludes our statement. We would be pleased to answer \nquestions.\n    Chairman Akaka. Thank you very much, Mr. Powner. Mr. \nRothstein.\n\n TESTIMONY OF MARK A. ROTHSTEIN,\\1\\ HERBERT F. BOEHL CHAIR OF \nLAW AND MEDICINE, AND DIRECTOR, INSTITUTE FOR BIOETHICS, HEALTH \n  POLICY AND LAW, UNIVERSITY OF LOUISVILLE SCHOOL OF MEDICINE\n\n    Mr. Rothstein. Yes, thank you very much, Mr. Chairman and \nSenator Voinovich. I appreciate the opportunity to be with you \nthis afternoon. I want to clarify for the record that I am \nappearing in my individual capacity and not as a representative \nof NCVHS, which may want to deny any responsibility for my \nstatements, written or oral.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
Rothstein appears in the Appendix \non page 130.\n---------------------------------------------------------------------------\n    I want to make two points this afternoon. First, in my \nview, HHS has not made meaningful progress in developing and \nimplementing measures to protect the privacy of health \ninformation in electronic health networks. And the second point \nis that time is of the essence. I believe HHS must begin to act \nimmediately on these very difficult privacy issues and also \nthat Congress needs to hold HHS accountable and make them meet \nthe milestones that have been suggested by GAO or some of the \nother measures that I want to suggest to you this afternoon in \nmy testimony.\n    I specifically agree with the comments in the GAO report. I \nbelieve that they accurately captured the sense and the \nprogress, or lack of progress, on the privacy issues. But I \nwould add my own assessment that I believe that the focus on \nprivacy is currently lagging behind the focus at HHS on \ntechnical development of the infrastructure of the NHIN. And I \nam concerned that the gap between the technical progress and \nprivacy is actually widening, and that is not a luxury that we \nhave, for reasons that I want to pursue in just a minute.\n    In 2004, the head of ONC at that time, Dr. Brailer, asked \nNCVHS to do a comprehensive study on privacy and \nconfidentiality issues in the Nationwide Health Information \nNetwork. And it took us 18 months of hearings throughout the \ncountry, dozens of witnesses, and lots of rather heated \ndeliberation to reach our recommendations, which were delivered \nto the Secretary in June 2006. 
And just to emphasize the nature \nof these fundamental questions that have to be resolved, I want \nto go through a couple of them with you, if I may.\n    First, NCVHS noted that a decision has to be made on \nwhether individuals have a right to decide whether they want to \nbe a part of this nationwide system, and if so, should that be \nopt in or opt out or some combination, should it be controlled \nlocally or via some other method. So that is a fundamental \nquestion.\n    Another fundamental question is whether individuals should \nhave some control over the contents of their health records \nthat would be disclosed via the NHIN. When you put together \ncomprehensive, longitudinal, individual health records, they \nare likely to contain lots of old data. Some of it may be very \nsensitive. Some of it may be irrelevant to current care. These \nrecords are not usually available now because of the \nfragmentation of the system. You cannot get it from all these \nplaces. Electronically, it will be easy to obtain this \ninformation, and I am concerned that under an electronic system \nwe should not have less privacy than we do today. So that is a \nconcern of mine.\n    I am also concerned about the scope of the disclosures when \npeople have to sign an authorization to get a job or life \ninsurance. About 25 million of these are signed each year in \nthe United States, and when the records are released, typically \nthe entire file is sent. And this may include all this \nsensitive information.\n    NCVHS submitted 26 recommendations to the Secretary, and I \ndon't think that very much progress, if any, has been made on \nany of these areas that we identified. And I believe that time \nis of the essence, as I emphasized in my written testimony. \nPrivate sector groups are working today--while we are still \ntalking about these issues officially in terms of regulation, \nthe private sector is marching ahead. 
Last month, we heard at \nour hearings from Wal-Mart about this huge personal health \nrecord system that it is putting together, with over 2.5 \nmillion employees represented, and this is a single company, in \ncollaboration with other employers. They are not health plans. \nThey are not covered entities under HIPAA. There is no \nregulation in place.\n    So not only do I support the GAO recommendations, I think \nwe need to be thinking beyond HIPAA. HIPAA is an archaic \nstatute that was designed for totally different purposes. It \nwas designed for the payment system. We now have a more \ncomprehensive nationwide network involved, and I think we have \nto be thinking more comprehensively. And I believe that there \nare lots of things that need to be done, and I would recommend \nthat the Subcommittee work with HHS and try to move the ball \nforward more rapidly on these very important issues.\n    So I thank you for the opportunity to testify today and I \nlook forward to your questions.\n    Chairman Akaka. Thank you very much. Dr. Diamond.\n\n  TESTIMONY OF CAROL C. DIAMOND, M.D.,\\1\\ MANAGING DIRECTOR, \n      MARKLE FOUNDATION, AND CHAIR, CONNECTING FOR HEALTH\n\n    Dr. Diamond. Thank you, Chairman Akaka, Senator Voinovich. \nIt is a privilege to be invited to testify today. I am the \nManaging Director at the Markle Foundation, and in that \ncapacity I also serve as Chair of a large public-private \ncollaborative called Connecting for Health. Our goal at \nConnecting for Health is to make sure that vital information is \navailable both for patients and their providers when it is \nneeded and where it is needed in a way that protects privacy \nand earns the trust of the American people.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Dr. 
Diamond appears in the Appendix \non page 138.\n---------------------------------------------------------------------------\n    As you heard today, numerous efforts are underway to \npromote the use of health information technology within HHS, \nother parts of government, and the private sector. Yet as the \nGAO report and Mr. Rothstein have stated, there has not yet \nbeen enough progress in establishing a policy framework that \nwill earn the long-term public trust required to sustain and \nbuild upon current activities.\n    Toward that end, I have two important recommendations to \nmake. First, the Nation needs a well-defined, comprehensive \nprivacy framework based on key policy and technology attributes \nthat I will lay out. Second, while the entities and contracts \ncreated by HHS have been useful to initiate action in this \nfield, we now need to find the appropriate longer-term process \nfor determining both the policies and the technologies that \nwill achieve the attributes of such a framework. Our national \nstrategy for health information technology must be carried out \nby decisionmakers informed by and accountable to a broad range \nof interests with direct public accountability.\n    Let me first talk about the required framework for health \nIT. Our group took 3 years to develop this framework, and the \nframework includes the attributes that are necessary to protect \nprivacy and security. Efforts to gather and share information \nshould achieve these attributes:\n    First, information sharing at the national level should be \ndone in a decentralized and distributed way. Simply put, health \ninformation sharing should not require the development of large \ncentralized repositories of personal health information. 
\nClinical data should be left in the hands of patients and those \nwho have a direct relationship with them in their care, and \nleave decisions about who should or should not see that data \nwith patients and providers directly involved with their care.\n    Second, sharing should separate demographic and clinical \ninformation. Sharing should be accomplished with an index that \ndoes not contain clinical data but, rather, knows where \nrelevant information resides. Only those with proper \nauthorization are then allowed to access the information, and \nthis does not require the use of a national identifier.\n    Third, the framework should be a flexible platform for \ninnovation. Participation in the network by a broad range of \nproviders delivering products and services will be a result of \nusing open standards and transparent policies. This will \nencourage innovation so that we can make critical rapid \nprogress.\n    Fourth, the framework should implement privacy through \ntechnology. This is a key attribute. Technology choices should \nbe made so that they can enable the effective implementation of \npolicies protecting privacy. These technologies should create \naudit trails, implement security, improve data accuracy, \nprevent both intentional and unintentional improper disclosure \nof information. They should build rules and permissions into \nthe process of accessing and distributing data.\n    Our fifth attribute is really a set of nine foundational \nprivacy principles. These have been adopted from fair \ninformation practices and other sources internationally. These \nprinciples include things like transparency, specifying the \npurpose of data being collected, collecting only what is \nnecessary, adhering to the uses agreed to by the individual, \nallowing the individuals to know and have a say in how their \ninformation is used, maintaining the integrity of data, audit, \noversight, and remedies in the event of breach or misuse. 
Every \nhealth information initiative should be expected to disclose \nhow it addresses each of these principles.\n    In summary, HHS deserves praise for its success in \nelevating public and industry interest in health information \nexchange and for encouraging the adoption of technical \nstandards. But focusing only on technical standards is like \nbuilding an interstate highway system, without the rules for \nentering, exiting, or anticipating the speed limits that need \nto be accommodated. In order to serve the communities through \nwhich it passes, a highway must have a coherent set of rules, \nmade obvious through signage and visibly enforced, and be \nembedded in the design of the highway itself. And for the users \nof health information, patients and their providers, an \nexplicit policy framework is essential.\n    Several years of public opinion surveys show that Americans \nhave significant privacy concerns when it comes to their health \ninformation. Without a policy framework with the attributes we \npropose, our Nation runs the risk of inappropriate uses of \npersonal information followed by public clamor for hasty \nremedies, which will undermine the sustainability of an \ninformation sharing network. And these policies that touch the \nmost private concerns of every American require a clear \nframework for privacy and an accountable visible process that \ncan encourage public interest, that will be maintained over \ntime, and that will give consumers confidence that their \ninterests are being looked after.\n    Mr. Chairman, the lack of trust in health information \ntechnology may not only impede progress but, more profoundly, \nit may squander this amazing window we have to stimulate a much \nneeded transformation of our overburdened health care system.\n    Thank you for the opportunity to testify.\n    Chairman Akaka. 
Thank you very much for your statements.\n    I just talked to my friend, Senator Voinovich, and I am \ngoing to let him proceed first.\n    Senator Voinovich. Thank you very much, Senator Akaka.\n    First of all, you heard the testimony of Dr. Kolodner. You \nwere here for his testimony, and I asked him whether or not he \nhad the staff to get the job done. In your opinion, does he \nhave the staff to get the job done?\n    Mr. Powner. We specifically have not looked at whether he \nhas the human capital and all the resources to get the job \ndone. Our big concern, Ranking Member Voinovich, is that we do \nnot see a road map to get from where we are at today to have a \ncomprehensive privacy policy in place.\n    Dr. Kolodner made some comments about sound project \nmanagement. Sound project management is about having milestones \nand targets, and we go after those milestones and set interim \nperformance measures to gauge whether we are making enough \nprogress or not. That is what we do not see, sir.\n    Senator Voinovich. OK. So you are saying plan, milestones \nand, in addition, metrics to judge if milestones are being met?\n    Mr. Powner. Absolutely, and some of our other witnesses \nmentioned some of the key privacy principles that clearly need \nto be addressed as part of that approach.\n    Senator Voinovich. Right. Senator Akaka, it might be good--\nif you recall, what we have been able to do with the GAO High-\nRisk agencies. OMB and GAO have sat down together to develop a \nstrategic plan on addressing these problems. They are making \nprogress. It seems that process may have value here.\n    The last question is for Mr. Rothstein. You said they are \nlagging behind the technical structure of developing IT. So \nwhat you are seeing is fast development without building \nprivacy in at the beginning?\n    Mr. Rothstein. 
Yes, Senator, and there are significant \nconcerns that, unless privacy is built into the architecture of \nthe system, we will not be able to come back and do it later. \nAnd that is why privacy protections have to be in from the \nstart, and the longer it takes us to develop policies on what \nour privacy and confidentiality and security rules are, the \nmore danger we have that it is going to be too late or it is \ngoing to be prohibitively expensive to go back and try to add \nthe privacy protections.\n    Senator Voinovich. Just another comment, Senator Akaka. It \nis nice that OPM may be saying they cannot do it because they \nare waiting to incorporate the privacy standards into the \nsystem. Thank you very much. I appreciate the chance to ask \nthese questions.\n    Chairman Akaka. Thank you very much, Senator Voinovich.\n    Mr. Powner, you recommended in your testimony that HHS \ndefine a comprehensive privacy approach that includes detailed \nplans and milestones for integrating its various initiatives. \nGAO specifically mentioned the need to sequence the \nimplementation of key activities appropriately. Would you \nexplain that comment? Tell us why this is important. And what \nelse is missing from HHS's current approach?\n    Mr. Powner. Similar to Mr. Rothstein's comment, the \nsequencing is very important because his comment about building \nin privacy and security early, we see many examples throughout \nthe Federal Government, Mr. Chairman, where we built in \nsecurity or privacy after the fact, after systems and networks \nare built; and, one, it is very difficult to implement and, \ntwo, it is much more costly to do it after the fact. So it is \nvery important that we sequence these activities. We are \ntalking about prototypes right now for the National Health \nInformation Network, and to Mr. 
Rothstein's point, what is \nhappening is the technology is getting ahead of the policy, and \nwe need to make sure that we get the policies in place so that \nwe can actually make those appropriate technology decisions and \nbuild it in up front.\n    Chairman Akaka. Dr. Diamond, I agree with your statement \nthat public trust cannot be fully accomplished by relying only \non existing legal provisions such as HIPAA. However, Mr. Green \ntestified that OPM is pushing health IT through the FEHBP and \nis only requiring carriers to follow Federal privacy \nrequirements.\n    Do you believe OPM can earn the trust of Federal employees \nwhen carriers are increasingly using health IT?\n    Dr. Diamond. Chairman, I would say two things. I think it \nis a very good thing for the Federal Government to help its \nemployees find ways to see and access their own health \ninformation. But I would say that in the same way that the \ngovernment can stimulate the use of information technology and \nstimulate the expectation that people can have their own \ninformation, it can also stimulate the adherence to a basic \nframework of privacy based on the attributes that I articulated \ntoday. As long as those both policy and technology things are \nclear to the user, that there is transparency, that people know \nhow their information is used, then we can earn the trust.\n    So I would say there is an opportunity to both stimulate \npeople being more engaged in their health care by having \npersonal health records and also to use the role of the Federal \nGovernment to make sure the attributes are built into every \ninitiative that is put out there using information technology.\n    Chairman Akaka. Mr. Rothstein, the privacy and security \nrequirements of HIPAA and other laws do not cover all entities \nthat exchange electronic personal health information. 
What can \nHHS do to ensure that gaps in legal privacy protection of \nhealth information are addressed by a privacy framework for the \nnationwide health information exchange?\n    Mr. Rothstein. Mr. Chairman, one of the specific \nrecommendations in my written testimony is that I believe that \nHHS should undertake a study to determine the number of health \ncare providers that are, in fact, not covered entities under \nHIPAA at the moment. We have been doing that in my \nsubcommittee--that is, the Subcommittee on Privacy and \nConfidentiality--and we are frankly astonished at the number of \nhealth care providers that are not covered entities.\n    Unless you are engaged in an electronic billing \ntransaction, you are not a covered entity. So all of the \nurgent-care, cash-paid doctors, many cosmetic surgeons that are \nnot covered by any insurance plan, all sorts of other health \ncare providers that are not covered--massage therapists, \nacupuncturists, and so forth--may not be covered entities under \nHIPAA. We don't know how many there are, and it seems that it \nis going to be Congress' role to enact new legislation or to \namend the HIPAA statute to bring in all these other health care \nproviders. But I think it would be very helpful to the Congress \nif we had a sense of how many there are that need to be \ncovered.\n    Chairman Akaka. Dr. Diamond.\n    Dr. Diamond. Yes, Chairman. 
As was stated previously by \nother witnesses, HIPAA was written at a time where we did not \ncontemplate a Nationwide Health Information Network, nor did we \ncontemplate the number of entities and parties today who are \npart of the use and sharing of health information.\n    I do think, as I stated in my testimony, the two \ncomprehensive things to do would be to require a policy \nframework based on key attributes and to establish a public \nprocess to build in and make sure that each information \ntechnology initiative that is proposed lives up to those \nattributes.\n    Chairman Akaka. Thank you.\n    Dr. Diamond and Mr. Rothstein, based on the work of HHS to \ndate to promote health IT, are there any legislative changes \nthat we in Congress should consider making to ensure that the \nprivacy of health information is protected?\n    Mr. Rothstein. Senator, I believe there are two areas in \nwhich congressional action would be indicated. First, is to \nextend the coverage of health privacy legislation; in other \nwords, to expand the number of covered entities that are \ncurrently covered under HIPAA or under some other replacement \nlaw. The second is of a more substantive nature, and that would \nbe to try to limit the amount of information that third parties \ncan require individuals to provide as a condition of getting a \njob or a life insurance policy or some other commercial \ntransaction. At the moment, it is lawful to require that \nindividuals sign basically an unlimited release and then all \nthis information and, increasingly, more comprehensive \ninformation will be disclosed electronically to people who do \nnot have a legitimate interest in this extra information. An \nemployer or insurer may have a legitimate interest in knowing \nyour current health status, but maybe not things that happened \n20 or 30 years ago that would be of a very sensitive nature. 
\nAnd I think restricting those kinds of information requests \nwould be very helpful.\n    An example would be under the Americans with Disabilities \nAct, the Federal statute dealing with disability discrimination \nsays that if you are a current employee, the employer can only \nask about job-related health information. But if you are an \nindividual who has a job offer but have not started yet, then \nthey can have an unlimited request for information. If you \napplied that same standard that is applicable to current \nemployees to these applicants, then the amount of information \nwould be reduced substantially.\n    Chairman Akaka. Dr. Diamond.\n    Dr. Diamond. I think there is an opportunity right now to \nconsider what the right process is for this next level of \npublic input and discussion that is required around privacy and \nsecurity. And I think what I propose in my written testimony is \nwhat I will repeat here. Based on a set of foundational \nprinciples, there does need to be a process that will have \nappropriate public input, notice and comment, and deliberation \nso that we can move forward in a way that people feel trust in \nthe health information network and the way their information is \nbeing shared. And I do think reverting to the policies and the \nattributes that I laid out today serve as a good yardstick or \nmetric for trying to determine how to move forward.\n    Chairman Akaka. Thank you. This question is to all of the \npanelists. You all heard the testimony of OPM that Federal \nemployees' electronic health information is protected, despite \nthe fact that HHS's efforts on privacy and security are lagging \nbehind. Do you agree with OPM? Mr. Powner.\n    Mr. Powner. Sir, I do not believe we are in a position to \ncomment on OPM's efforts in that area. We have not looked at it \nin any detail at all.\n    Chairman Akaka. Thank you. Mr. Rothstein.\n    Mr. Rothstein. 
I would only note that the companies that \noffer insurance to Federal Government employees are covered \nentities under HIPAA because they are health plans. Therefore, \nthey are regulated in the way that other covered entities are. \nBut individual employees are not protected in the sense that \nfor all of this information that is suddenly going to be \naggregated and available electronically at a single point in \ntime, we do not have new rules that apply to the network. What \nwe are applying to government employees are the old rules under \nHIPAA.\n    Chairman Akaka. Dr. Diamond.\n    Dr. Diamond. Yes, I am not familiar with OPM's efforts. I \nwill just offer that under the existing HIPAA rule, there have \nbeen 22,000 complaints to OCR, and very few have actually \nresulted in penalties. And I think there is an opportunity to \nlook at not only these new attributes that I laid out here and \nthe principles as a way to ask ourselves if we are doing \nenough, but also to look at appropriate remedies in the event \nof breaches, because we are in an information world today. This \nis the Information Age, and I think every one of us, while we \nenjoy the benefits of it, also have to acknowledge that we need \nto think about the protections that need to be in place to \nparticipate fully.\n    Chairman Akaka. Mr. Powner, what do organizations that \nstore and exchange personal information consider when balancing \nthe benefits realized from IT with the risks introduced by \nstoring large amounts of personal data in electronic format?\n    Ms. Koontz. I will answer that, if I may. We found, in \nterms of the research that we have done on privacy, that best \npractices organizations do a number of things. First of all, \nthey get continuous and early input from stakeholders, from \nexperts, and from the public in some form. 
And I emphasize the \nword ``continuously'' because as these kinds of initiatives are \nworked on, they tend to evolve and change, and there needs to \nbe a constant going back to the privacy principles to touch \nthem to make sure that we are consistent with the framework \nthat we have selected.\n    I think successful organizations also use fair information \nprinciples. I agree with many of the other witnesses on the \npanel today that HHS needs to take a broad look at privacy, and \nit is useful to look at the fair information practices which \nare broad, very internationally accepted principles as a way of \nfacilitating discussion on the balance that should be struck \nbetween privacy and other interests.\n    I think best practices organizations assess privacy \nprotections, as many of the other panelists have said, before \ninformation technology is acquired or developed. Technology can \nbe an enabler to help build in privacy protections, but once a \nsystem is built, it is very difficult and often very expensive \nto go back and retrofit those kinds of protections.\n    To the extent that HHS uses these kinds of best practices, \nI think it increases their chance of success in this.\n    Chairman Akaka. Thank you, Ms. Koontz.\n    Mr. Powner, HHS has been without a permanent National \nCoordinator for Health IT for almost a year. What effect has \nthe absence of a national coordinator had on HHS's progress \ntoward defining a privacy framework as part of its national \nstrategy for health IT?\n    Mr. Powner. First of all, I think we need to give some \ncredit to Dr. Brailer for getting the ball rolling here, and \nDr. Kolodner has kept it rolling. But longer term, when you \nlook at whether we need a permanent national health IT \ncoordinator, we believe we do, for a couple of reasons. There \nare going to be some tough decisions. What we discussed here \ntoday, tough privacy decisions from a policy perspective are \ngoing to have to be made. 
Having a permanent leader would be \nvery important for that.\n    Also, too, because of the collaboration that needs to occur \nwith the private sector, having a permanent leader sends a \nmessage that this is a presidential priority. Having an interim \nleader does not.\n    Chairman Akaka. Thank you very much.\n    Mr. Rothstein and Dr. Diamond, in June 2006, the National \nCommittee on Vital and Health Statistics sent a letter to HHS \nSecretary Leavitt with 26 recommendations on privacy and \nconfidentiality in the Nationwide Health Information Network. \nMeanwhile, the Markle Foundation is working with various \nstakeholders, including government, industry, and health care \nexperts, to address the challenges of creating a Nationwide \nHealth Information Network.\n    What has been the response from HHS on your initiatives?\n    Mr. Rothstein. Mr. Chairman, in terms of the NCVHS, we \nreceived in the fall a letter from the Secretary acknowledging \nreceipt of our report, but that has been the extent of our \nofficial response from the Department.\n    Chairman Akaka. Dr. Diamond.\n    Dr. Diamond. Mr. Chairman, we have been involved in many of \nthe discussions within the work groups of the AHIC and also \nwithin the NHIN contract, and I think the groundwork that we \ndid in laying out the framework for sharing information with \nprivacy has been very instrumental in those discussions.\n    However, we have not yet had the opportunity to see those \nprivacy principles or the comprehensive framework that I \ndiscussed today make its way into the current initiatives on \nthe NHIN. 
And to echo what some of the other witnesses have \nsaid, we worry that the technology efforts and the standards \nefforts are moving too far ahead of some of those privacy \nprinciples and privacy requirements that the technology should \nfulfill, that we should not be trying to correct later on.\n    We know firsthand from doing our own prototype the year \nprior in three communities--in Indianapolis, Boston, and \nMendocino County, California--that it is possible to connect \ndisparate communities with different technologies using privacy \nand security. But those decisions about privacy and security \nchanged the way technology was implemented. They drove \ndecisions in the way that technology was implemented that we \nwould like to see inform the process going forward.\n    Chairman Akaka. Well, I want to thank you, Mr. Powner, Mr. \nRothstein, and Dr. Diamond, for your testimonies and also Ms. \nKoontz, for your responses as well. And I want you to know that \nyou have provided this Subcommittee with valuable information, \nand we appreciate all that you have done to ensure that \nAmericans' health information is protected.\n    Today's hearing underscored the need for HHS to integrate \nprivacy into the nationwide health IT infrastructure. We heard \nrepeatedly that individuals must have trust and confidence in \nthe system to encourage them to share their personal health \ninformation. If we want health IT programs to succeed, we must \nhave privacy and security protections in place at the \nbeginning. 
I look forward to working with HHS, OPM, and the \nvarious stakeholder groups to make this happen.\n    As there is no further business, the hearing record will be \nopen for one week for additional statements or questions from \nMembers of the Subcommittee.\n    The hearing is now adjourned.\n    [Whereupon, at 4:17 p.m., the Subcommittee was adjourned.]\n\n\n\n\n\n\n\n\n\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"