[Senate Hearing 110-114]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 110-114
 
                        PRIVATE HEALTH RECORDS:
                  PRIVACY IMPLICATIONS OF THE FEDERAL
                    GOVERNMENT'S HEALTH INFORMATION
                         TECHNOLOGY INITIATIVE

=======================================================================

                                HEARING

                               before the

                  OVERSIGHT OF GOVERNMENT MANAGEMENT,
                THE FEDERAL WORKFORCE, AND THE DISTRICT
                        OF COLUMBIA SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 1, 2007

                               __________

        Available via http://www.access.gpo.gov/congress/senate

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

                     U.S. GOVERNMENT PRINTING OFFICE

33-874 PDF                 WASHINGTON DC:  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001





























        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
THOMAS R. CARPER, Delaware           GEORGE V. VOINOVICH, Ohio
MARK L. PRYOR, Arkansas              NORM COLEMAN, Minnesota
MARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma
BARACK OBAMA, Illinois               PETE V. DOMENICI, New Mexico
CLAIRE McCASKILL, Missouri           JOHN WARNER, Virginia
JON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire

                  Michael L. Alexander, Staff Director
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
                  Trina Driessnack Tyrer, Chief Clerk


 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE 
                          DISTRICT OF COLUMBIA

                   DANIEL K. AKAKA, Hawaii, Chairman
CARL LEVIN, Michigan                 GEORGE V. VOINOVICH, Ohio
THOMAS R. CARPER, Delaware           TED STEVENS, Alaska
MARK L. PRYOR, Arkansas              TOM COBURN, Oklahoma
MARY L. LANDRIEU, Louisiana          JOHN WARNER, Virginia

                   Richard J. Kessler, Staff Director
             Jennifer A. Hemingway, Minority Staff Director
                      Emily Marthaler, Chief Clerk





















                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Akaka................................................     1
    Senator Voinovich............................................     3
    Senator Carper...............................................     4

                               WITNESSES
                       Thursday, February 1, 2007

Robert Kolodner, M.D., Interim National Coordinator for Health 
  Information Technology, U.S. Department of Health and Human 
  Services.......................................................     5
Daniel A. Green, Deputy Associate Director, Center for Employee 
  and Family Support Policy, Office of Personnel Management......     7
David A. Powner, Director of Information Technology Management 
  Issues, Government Accountability Office, accompanied by Linda 
  Koontz, Director of Information Management Issues, Government 
  Accountability Office..........................................    17
Mark A. Rothstein, Herbert F. Boehl Chair of Law and Medicine, 
  and Director, Institute for Bioethics, Health Policy and Law, 
  University of Louisville School of Medicine....................    19
Carol C. Diamond, M.D., Managing Director, Markle Foundation, and 
  Chair, Connecting for Health...................................    20

                     Alphabetical List of Witnesses

Diamond, Carol C., M.D.:
    Testimony....................................................    20
    Prepared statement with attachments..........................   138
Green, Daniel A.:
    Testimony....................................................     7
    Prepared statement...........................................    44
Kolodner, Robert, M.D.:
    Testimony....................................................     5
    Prepared statement...........................................    35
Koontz, Linda:
    Testimony....................................................    17
    Prepared statement with attachments..........................    52
Powner, David A.:
    Testimony....................................................    17
    Prepared statement with attachments..........................    52
Rothstein, Mark A.:
    Testimony....................................................    19
    Prepared statement...........................................   130

                                APPENDIX

Background Memorandum............................................    29
Simon P. Cohn, M.D., M.P.H., Chairman, National Committee on 
  Vital and Health Statistics, submitted copy of a report 
  entitled ``Privacy and Confidentiality in the Nationwide Health 
  Information Network''..........................................   164
Response to questions submitted for the Record from:
    Dr. Kolodner.................................................   181
    Mr. Green....................................................   185
    Mr. Powner...................................................   188


                    PRIVATE HEALTH RECORDS: PRIVACY



                      IMPLICATIONS OF THE FEDERAL



                    GOVERNMENT'S HEALTH INFORMATION



                         TECHNOLOGY INITIATIVE

                              ----------                              


                       THURSDAY, FEBRUARY 1, 2007

                                   U.S. Senate,    
              Subcommittee on Oversight of Government      
                     Management, the Federal Workforce,    
                            and the District of Columbia,  
                      of the Committee on Homeland Security
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:33 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Daniel K. 
Akaka, Chairman of the Subcommittee, presiding.
    Present: Senators Akaka, Carper, and Voinovich.

              OPENING STATEMENT OF CHAIRMAN AKAKA

    Chairman Akaka. This hearing will come to order.
    Today's hearing, ``Private Health Records: Privacy 
Implications of the Federal Government's Health Information 
Technology Initiative,'' will examine what actions the Federal 
Government is taking to ensure that privacy is an integral part 
of the national strategy to promote health information 
technology.
    Studies show that the use of health IT can save money, 
reduce medical errors, and improve the delivery of health 
services. For example, in 2004, the Center for Information 
Technology Leadership estimated that in ambulatory care 
settings the use of electronic health records (EHRs) would save 
$112 billion per year, or 7.5 percent of health care spending. 
In addition, EHRs are shown to help avoid duplicate tests and 
excess medication.
    In 2004, President Bush called for the widespread adoption 
of interoperable electronic health records within 10 years and 
issued an Executive Order that established the position of the 
National Coordinator for Health Information Technology. The 
National Coordinator is charged with developing and 
implementing a strategic plan to guide the nationwide 
implementation of interoperable health IT in both the public 
and private sectors.
    Two months later, the Department of Health and Human 
Services (HHS) released a framework for strategic action to 
promote health IT, which calls on all levels of government to 
work with the private sector to stimulate change in the health 
care industry. For example, the Departments of Veterans Affairs 
(VA) and Defense (DOD), the major Federal health care delivery 
organizations, are leaders in the use of health IT.
    VA, one of the country's largest health care providers, has 
had an automated information system in its medical facilities 
since 1985. DOD has provided IT support to its hospitals and 
clinics since 1968. As Chairman of the Veterans' Affairs 
Committee, we are looking at how to move DOD and VA forward in 
developing joint EHRs.
    This Subcommittee is particularly interested in the 
strategy, which calls for the Office of Personnel Management 
(OPM) to use its leverage as the administrator of the Federal 
Employee Health Benefits Program, which covers approximately 8 
million Federal employees, retirees, and their dependents, to 
expand the use of health IT. OPM, through its annual Call 
Letter to carriers, has been encouraging carriers to increase 
the use of EHRs, electronic prescribing, and other health IT-
related provisions.
    Although I support efforts to increase the use of health 
IT, I am deeply concerned about the level of privacy 
protections in the health IT network. In 2005, a Harris 
Interactive survey showed that 70 percent of Americans were 
concerned that an electronic medical records system would lead 
to sensitive medical records being exposed due to weak 
electronic security. This fear is understandable.
    Over the past few years, we have seen various data mining 
programs in the Federal Government that lacked key privacy 
protections. We also recall the loss of a VA laptop computer 
and the news of many other Federal data breaches that put the 
personal information of millions of Americans at risk. These 
incidents reinforce the need to build privacy and security 
protections into any system containing personal information. 
Our personal health information must not be subject to these 
same failings. Privacy and security are critical elements in 
health IT and should never be an afterthought.
    That is why I wrote to OPM in May 2005 seeking information 
on how Federal employees' health information would be protected 
under the efforts of OPM and the health insurance carriers. OPM 
responded that the Health Insurance Portability and 
Accountability Act (HIPAA) would address these privacy 
concerns. But while HIPAA is a foundation, HIPAA by itself is 
not enough. Privacy protections must be built in conjunction 
with the development of the health IT infrastructure.
    To ensure that this was happening, Senator Kennedy and I 
asked the Government Accountability Office to review the 
efforts of HHS and the National Coordinator to protect personal 
health information. GAO's report, which was released this 
morning, found that while HHS and the National Coordinator have 
taken steps to study the protection of personal health 
information, an overall strategy is needed to: One, identify 
milestones for integrating privacy into the health IT 
framework; two, ensure privacy is fully addressed; and, three, 
address key challenges associated with the nationwide exchange 
of information.
    Given the overwhelming evidence of the benefits associated 
with the expanded use of health IT, as well as the fact that 70 
percent of Americans are concerned about the privacy of their 
health information, I am surprised to learn that HHS objects to 
this recommendation.
    It is clear that the health care industry faces challenges 
in protecting electronic health information given the varying 
State laws and policies, the entities not covered by HIPAA, and 
the need to implement adequate security measures. But while 
more and more companies, providers, and carriers move forward 
with health IT, I fear that privacy suffers while HHS takes 
time to decide how to implement privacy protection. HHS must 
address these issues in a more timely fashion in order to give 
the private sector guidance on how to move forward with health 
IT and protect the private health information of all Americans.
    I want to thank our witnesses for being here today to 
discuss this critical issue.
    I now turn to my good friend, Senator Voinovich, for any 
opening statement he may have at this time.

             OPENING STATEMENT OF SENATOR VOINOVICH

    Senator Voinovich. Thank you, Senator Akaka. I appreciate 
your holding this hearing today on a subject that is of 
interest to me.
    The widespread adoption of health information technology 
such as electronic health records will revolutionize the health 
care profession. In fact, the Institute of Medicine, the 
National Committee on Vital and Health Statistics, and other 
expert panels have identified information technology as one of 
the most powerful tools in reducing medical errors and 
improving the quality of health.
    Unfortunately, our country's health care industry lags far 
behind other sectors of the economy in its investment in 
information technology. But, Senator Akaka and Carper, as I 
travel around Ohio I see a marked acceleration in the use of 
IT.
    The Institute of Medicine estimated in 1999 that there were 
nearly 98,000 deaths each year resulting from medical errors. 
Many of these deaths can be directly attributed to the inherent 
imperfections of our current paper-based health care system.
    Not only can technology save lives and improve the quality 
of health care, it also has the potential to reduce the cost of 
the delivery of health care. According to the Rand Corporation, 
the health care delivery system in the United States could save 
approximately $160 billion annually with the widespread use of 
electronic medical records. As technology advances, the issues 
surrounding protection of personal information will continue to 
be at the forefront of people's minds. Individual citizens 
continue to express concern over the security of personal, 
confidential information whether it is contained in an 
electronic health record or stolen from laptops, as Senator 
Akaka pointed out, at the Department of Veterans Affairs.
    However, the benefits of technology in the health care 
arena are undeniable, and I support the use of HIT. In fact, in 
the 109th Congress, Senator Carper and I introduced the Federal 
Employees Electronic Personal Health Records Act. I am sure we 
will be hearing more from Senator Carper about it. The bill 
will provide for the establishment and maintenance of 
electronic personal health records for individuals and family 
members enrolled in the Federal Employee Health Benefits 
Program. I have talked with one of the major health insurance 
companies and they support the use of HIT.
    I am hopeful the testimony today will assist my colleagues 
and me as we make decisions about implementing health IT. I 
personally look forward to learning from our witnesses ways 
Senator Carper and I might refine our legislation before 
introduction. As I say, we are making progress on privacy 
protections, and I am really pleased that the President issued 
an Executive Order specific to deployment of health information 
technology, including establishment of a National Coordinator 
for Health Information Technology.
    Since then, the Coordinator and the Department of Health 
and Human Services have made considerable progress toward the 
adoption of interoperable IT. But the successes have not come 
without criticism. Dr. Kolodner, your office has an enormous 
responsibility to continue to cultivate a strategic plan to 
guide implementation of nationwide interoperable health 
information technology. It is an important job. We must bring 
health care costs under control, and HIT is one part of that 
goal. However, there is some concern about whether information 
in IT systems is going to be private and secure. We cannot let 
those weaknesses impede our progress in this area.
    So, Mr. Chairman, I am looking forward to hearing from our 
witnesses.
    Chairman Akaka. Thank you very much, Senator Voinovich. 
Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman, and to our 
witnesses and to my friend and colleague, Senator Voinovich. He 
telegraphed my pitch a little bit, but I think it is great that 
he did.
    Mr. Chairman, as Senator Voinovich has said, we introduced 
in the last Congress and I think we are close to reintroducing 
in this Congress legislation to require those who provide 
insurance under the Federal Employee Health Benefits Program--
they would have a period of time, I think maybe less than 2 
years or so--to provide electronic health records for Federal 
employees insured under those policies if the employees wish to 
have that. And I know you have a strong interest in privacy 
protection, and we would look forward to working with you and 
your Subcommittee and your staff to make sure that we meet 
muster in that regard.
    Next month is a big month for us in Delaware, and I say 
this to our witnesses and others. We are beginning to stand up 
what we call the ``Delaware Health Information Network,'' an 
apple in my eye when I was Governor many years ago, and it is 
now actually coming to fruition as we try to electronically 
link our doctors' and nurses' offices and our hospitals and our 
labs and other providers. We are excited about the 
possibilities that holds for us.
    I am an old Navy guy, and I remember when I got out of the 
Navy--at least off of active duty, not out of the Navy, but off 
of active duty in 1973 and showed up at the VA hospital just 
outside of Wilmington. And it is not a place that, frankly, a 
lot of veterans wanted to go to for health care. I did not 
sense there was a lot of joy on the part of people who worked 
there being a VA employee, doctor or nurse or anything else. 
And, boy, that has really changed, especially in the last 
decade.
    I would never have imagined 33 years ago, that we would be 
looking to the VA to provide the way with respect to improving 
outcomes and holding down costs and saving lives. But they sure 
have come through for us.
    Mr. Chairman, don't you chair the Veterans Committee in the 
Senate?
    Chairman Akaka. Yes.
    Senator Carper. I thought so. OK. Well, you have sort of a 
double interest in this particular issue. But we really look 
forward to what you have to say. We do not have very strong 
attendance here today, partly because there is a concurrent 
just-called caucus of the Senate Democrats, and they are 
meeting as we speak to discuss a resolution that pertains to 
the President's proposed surge of troops in Iraq. So people may 
be drifting in to join us in a little bit, but that just began 
literally at the time that this hearing began. So we apologize 
for them. Those of us who are here are anxious to hear what you 
have to say. So thanks for coming.
    Chairman Akaka. Thank you very much.
    I welcome to the Subcommittee today's first panel of 
witnesses: Dr. Rob Kolodner, Interim National Coordinator for 
Health Information Technology at the Department of Health and 
Human Services, and Daniel Green, Deputy Associate Director, 
Center for Employee and Family Support Policy, at the Office of 
Personnel Management.
    It is the custom of this Subcommittee to swear in all 
witnesses, and I ask you to stand and raise your right hand. Do 
you swear that the testimony you are about to give this 
Subcommittee is the truth, the whole truth, and nothing but the 
truth, so help you, God?
    Dr. Kolodner. I do.
    Mr. Green. I do.
    Chairman Akaka. Thank you. Dr. Kolodner, please proceed 
with your statement.

    TESTIMONY OF ROBERT KOLODNER, M.D.,\1\ INTERIM NATIONAL 
COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY, U.S. DEPARTMENT 
                  OF HEALTH AND HUMAN SERVICES

    Dr. Kolodner. Good afternoon, Chairman Akaka, Senator 
Voinovich, and Senator Carper. Thank you for inviting me here 
today to discuss the privacy plans, activities, and 
accomplishments of the National Health Information Technology 
agenda led by HHS.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Kolodner appears in the Appendix 
on page 35.
---------------------------------------------------------------------------
    Mr. Chairman, we appreciate Hawaii's efforts as pioneers in 
protecting patient health information and note that Hawaii's 
early work to develop a comprehensive privacy law informed and 
was an important resource for HHS when we developed the HIPAA 
privacy rules.
    Privacy and security are integral components of the 
national health IT agenda and are addressed by a spectrum of 
activities that advance our current understanding of the issues 
and multiple levels and lay the foundation for future 
activities. The widespread adoption of interoperable electronic 
health records will save lives, reduce medical errors, and 
improve the quality and efficiency of care, as you have noted.
    At the same time, it will create both new challenges and 
new opportunities with respect to protecting health 
information. HIPAA created a strong foundation of privacy and 
security protections for personal health information upon which 
States may provide additional privacy protections. We are 
vigorously addressing the new challenges by leveraging existing 
privacy policy foundations, building robust new public-private 
collaborations, partnering with States, health care 
organizations, and consumers to address State and business 
level protections, and considering privacy and security 
policies and implementation at a nationwide level.
    Ultimately, the effective coordination of health IT 
activities will help create an environment that improves the 
health status of both individuals and communities at the same 
time that personal health information is protected.
    The HHS Office of the National Coordinator for Health IT, 
ONC, is charged with leading the national health IT agenda 
across the Federal Government and the private sector by 
coordinating health IT activities, including those related to 
privacy and security. ONC has the lead for working with CMS, 
the Office for Civil Rights, or OCR, and others to develop the 
privacy policies for health IT, and OCR and CMS are responsible 
for the oversight and enforcement of the related HIPAA rules.
    The GAO report provides an excellent summary of the myriad 
of our successful health IT activities since 2004, and the 
report documents an active, progressive program of HHS 
activities that identify national privacy issues to be 
addressed as well as barriers to interoperability caused by 
privacy policy variations across States that need to be 
resolved.
    The tools we use to advance our privacy and security 
activities include contracts, including a recent one with the 
National Governors Association, an interdepartmental Federal 
Policy Council, and a public-private Confidentiality, Privacy, 
and Security Work Group of the American Health Information 
Community. The Community is a Federal advisory committee that 
is chaired by Secretary Leavitt himself and plays a central 
role in all of our activities. The members of the Community, 
consisting of senior leaders from the public and private 
sectors, participate in deliberations that guide our work and 
shape our understanding of how we can most effectively advance 
the health IT agenda nationwide, including privacy and 
security.
    Much like the historic journey by Lewis and Clark 200 years 
ago, who were crossing uncharted territory, we, too, are on a 
similar journey. Their goal was clear: to find a route to the 
Pacific Ocean, although the exact path was unknown at the 
beginning. Our goal is clear as well: The secure exchange of 
interoperable electronic health information. And the detailed 
milestones necessary to achieve our goal are also not yet 
knowable.
    Our approach is iterative. First, it requires an 
understanding of the multiple environments in which we are 
operating. To gain this understanding, we have initiated 
multiple complementary activities, such as the Nationwide 
Health Information Network prototypes, the Privacy and Security 
Solutions Contract, and the State Alliance for e-Health. And we 
have gathered input from other expert resources such as the 
National Committee for Vital and Health Statistics, or NCVHS.
    Second, our approach requires that we evaluate and analyze 
what we have discovered and learned. For example, only after we 
get the State level reports this spring that identify 
challenges and opportunities to protect and share health 
information will we have sufficient data to reliably establish 
the next set of milestones that we must achieve. An output from 
one source becomes input for another, such as the NCVHS 
recommendations that have been publicly shared with the 
Community work group I mentioned previously. As that work group 
moves from addressing security to addressing privacy concerns, 
we anticipate that these recommendations will inform the next 
set of privacy priorities.
    Our activities confirm the importance we give to 
confidentiality, privacy, and security. We have been executing 
an effective plan, originally described in our strategic 
framework that you mentioned, Mr. Chairman, and one that will 
continue to grow and evolve as we submit our health IT 
strategic plan later this year.
    We are using a results-oriented strategy of discovery and 
advancement that must be done in collaboration with a variety 
of stakeholders at the local, State, and national levels. GAO 
has documented the progress that we have made in the first 2 
years of our work, and we continue to undertake multiple 
related productive activities to properly protect the 
electronic health information today, tomorrow, and into the 
future.
    Thank you for your time, and I welcome any questions you 
might have.
    Chairman Akaka. Thank you very much. I want our witnesses 
to know that your full statements will be included in the 
record.
    Mr. Green.

  TESTIMONY OF DANIEL A. GREEN,\1\ DEPUTY ASSOCIATE DIRECTOR, 
   CENTER FOR EMPLOYEE AND FAMILY SUPPORT POLICY, OFFICE OF 
                      PERSONNEL MANAGEMENT

    Mr. Green. Mr. Chairman, Members of the Subcommittee, it is 
my pleasure to be here today to represent the Office of 
Personnel Management (OPM) Director Linda Springer. I plan to 
discuss how OPM is working with the Department of Health and 
Human Services and other organizations on the National Health 
Information Technology Initiative, and I will discuss how we at 
OPM are working with our health benefits carriers to implement 
health information technology (IT) that is secure and protects 
member privacy.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Green appears in the Appendix on 
page 44.
---------------------------------------------------------------------------
    OPM administers the Federal Employees Health Benefits 
(FEHB) Program, which covers approximately 8 million Federal 
employees, retirees, and their dependents. Like other large 
employers, we contract with private sector health plans. We 
have consistently encouraged participating plans to be 
responsive to consumer interests by emphasizing flexibility and 
consumer choice. We have also encouraged plans to adopt health 
information technology as an important consumer-oriented 
initiative. At the same time, we have placed great importance 
on the privacy and security of personal health information.
    FEHB enrollees have the same privacy protections under 
Federal law as all Americans. The Health Insurance Portability 
and Accountability Act of 1996, provides protections for 
privacy of individually identifiable health information. All 
FEHB health carriers are required to comply with HIPAA 
requirements.
    And now I would like to provide some background on OPM's 
initiatives in health information technology.
    In 2004, President Bush issued an Executive Order to 
develop and implement a nationwide health IT infrastructure to 
improve the quality and efficiency of health care. In response 
to the Executive Order, we have been working with our FEHB 
plans on focused efforts to promote health IT while at the same 
time ensuring compliance with Federal requirements on privacy 
and security. More specifically, we have asked our carriers to 
concentrate on specific short-term objectives which include 
education for consumers on health IT, offering personal health 
records to consumers based on their medical claims history, 
encouraging e-prescribing, linking disease management programs 
with health IT, and compliance with Federal requirements on 
privacy.
    We have found that while there are wide variations in the 
scope and extent of health IT use, most carriers have focused 
on providing consumers with claims-based information through 
their secured websites. Some have robust health IT systems. We 
have recognized them on our own website during Open Season so 
consumers would have this additional information to take into 
consideration in making their plan choices.
    Then, last August, President Bush issued a second Executive 
Order, which underscored his commitment not only to health IT, 
but also to health care cost and quality transparency. In 
support of the order, we required all FEHB carriers to report 
on quality measures, including data from the Health Plan 
Employer Data and Information set. We also encouraged them to 
provide information on cost and quality transparency. Along 
with the carriers that have state-of-the-art health IT 
capabilities, the carriers that made their best efforts to 
provide cost and quality transparency were also prominently 
positioned on our Open Season website last fall.
    Looking forward, OPM will continue to work with carriers on 
standards for interoperability of health information records as 
they are adopted in the health care industry, and we will 
continue to provide information for consumers on carriers' cost 
and quality transparency initiatives as well as their health IT 
capabilities.
    As a member of the American Health Information Community, 
OPM will monitor the recommendations of the Confidentiality, 
Privacy, and Security Work Group and determine if there are 
privacy and security requirements that should be applied to 
FEHB carriers. We firmly believe privacy and security of 
personal health information is important. We are encouraged by 
HHS's efforts to address this important issue. We plan to 
continue to work closely with HHS, the Community, and the 
Health IT Policy Council to ensure all necessary steps are 
taken to protect consumer privacy rights.
    We appreciate this opportunity to testify before the 
Subcommittee on this very important issue, and we will be glad 
to answer any questions you may have.
    Chairman Akaka. Thank you very much for your testimony.
    Dr. Kolodner, the GAO report notes that HHS disagreed with 
GAO's recommendation to define and implement the overall 
approach for protecting health information, including 
identifying milestones and integrating privacy efforts. Can you 
elaborate on HHS's objection to GAO's recommendation, 
particularly why HHS believes that setting milestones will 
impede progress and preclude stakeholder dialogue?
    Dr. Kolodner. Yes, Mr. Chairman. As I mentioned, the issue 
is not whether we have milestones. Milestones that we can set 
up right now based on what we know are very high level. They 
are, for example, to complete our Privacy and Security 
Solutions contract, to get the results of the contract, to 
analyze those results, and based on the content that was given 
in those analyses, to then determine the next set of 
milestones. That is pretty high level. That is not what we 
believe GAO was telling us to do, because that is basic project 
management, and we are doing that already.
    The idea of stating right now what those milestones will 
look like in June or July, when we have not yet received the 
report that will be received this spring, is something that we 
know would probably not accurately reflect what we will be 
executing in June, July, and August. So we see this as an 
iterative process of discovery and collaboration.
    A very important reality is that there are many parties 
that have very strong feelings, as you can tell, about this 
area, and privacy is important. We need to make sure that we 
advance deliberately, advance as quickly as we possibly can, 
but to make sure that we listen to and are informed by a 
variety of viewpoints. And as those deliberations occur and as 
those collaborations occur, we will advance forward.
    Chairman Akaka. Thank you.
    Mr. Green, OPM's contracts with carriers require compliance 
with HIPAA. As part of OPM's requirement to promote the use of 
health IT, the 2007 Call Letter required carriers to comply 
with Federal requirements to protect the privacy of 
individually identifiable health information.
    How does OPM monitor carriers' compliance with HIPAA 
privacy and security rules? And what steps are taken if a 
carrier is found to be noncompliant?
    Mr. Green. Mr. Chairman, in addition to the HIPAA law, we 
have required by contract that all our carriers follow the 
HIPAA rules, and we have also added privacy requirements that 
pre-date the HIPAA law, and those are in our standard 
contracts. We have also added certain measures that all our 
carriers are required to comply with concerning confidentiality 
of records and privacy and the regulations used to supplement 
the Federal Acquisition Regulations. They are called FEHBAR. 
The FEHB Acquisition Regulations apply to all our carriers. 
They are required to notify their contracting officer whenever 
they have an enforcement action resulting from noncompliance, 
as issued by a State or Federal authority. They are also 
subject to audit by both GAO and OPM, including OPM's Inspector 
General's office, and they run a system of audits against the 
computer systems of all our carriers on a rotational basis. And 
they will be introducing additional privacy audit steps this 
year into that audit.
    Chairman Akaka. Mr. Green, are there any circumstances that 
would result in electronic health records or personal health 
record networks being developed or used by FEHBP carriers that 
would not come under HIPAA?
    Mr. Green. Senator, the FEHB carriers are required to 
follow HIPAA rules, and so are their business associates, such 
as pharmacy benefit managers. So any subcontracts they have 
would also under our contract require them to follow HIPAA 
rules.
    Chairman Akaka. Dr. Kolodner, the statutory advisory 
committee, NCVHS, and the Secretary's advisory committee, AHIC, 
have made recommendations to the Secretary of HHS regarding the 
protection of personal health information. What is HHS's 
response to the recommendations, and how will they be 
incorporated into a nationwide health information architecture?
    Dr. Kolodner. Mr. Chairman, the NCVHS recommendations, 
which were accepted by the Secretary and then sent to the AHIC 
work group--the Confidentiality, Privacy, and Security Work 
Group--are, in fact, informing that group as they consider the 
various privacy policies and privacy priorities. Those will 
then come back to the Community for recommendation up in terms 
of specifically what kinds of privacy policies and security 
kinds of architecture should be required as we move forward.
    The Nationwide Health Information Network prototypes also 
have brought forth a number of different solutions, and we have 
been using those to look at what should go forward for the next 
round of trial implementations that we plan to fund this next 
year. So they are very much guiding and identifying those 
requirements that need to be moving forward.
    Chairman Akaka. Mr. Green, I believe privacy protections 
must be built into the health IT architecture at the beginning 
instead of racing to address privacy violations after Americans 
lose trust in the system. However, after reading the testimony 
of the witnesses on our second panel, I fear that HHS is not 
acting fast enough to integrate privacy protections in the 
development of the health IT.
    With this in mind, Mr. Green, what risks are there to 
Federal employees' health information as FEHBP carriers push 
forward with health IT initiatives?
    Mr. Green. Senator Akaka, nothing in this world is perfect, 
and there is no absolute certainty anywhere. However, I am 
convinced that with the procedures that we have in place, the 
requirements we have in place today, protect our FEHB enrollees 
as fully or more so than any other citizen in this country 
against a chance of inappropriate misuse of that information.
    In addition, going forward with the implementation of 
health information technology, we are pleased and honored and 
excited about our participation in much of the work with the 
Department of Health and Human Services. As you know, we are a 
member of the AHIC. We are on several of the subcommittees, 
working groups, and, in fact, Director Springer for a time 
chaired the Consumer Empowerment Work Group, which is our deep 
interest because we feel like that is our responsibility--to 
support and protect our enrollees. They are our primary 
customers, after all. And, in addition, we work with the other 
Federal agencies that are heavily involved in this as part of 
an HIT Policy Council.
    So I am convinced that as we go forward, our Federal 
employees, retirees, and survivors and their family members 
will be as protected as we can possibly make them, and that is 
our promise to you, sir.
    Chairman Akaka. Thank you. Senator Voinovich.
    Senator Voinovich. Thank you.
    Dr. Kolodner, do you believe that the Office of National 
Coordinator has sufficient authority to facilitate 
communications among Federal entities, the private sector, and 
consumer organizations to lead the development and 
implementation of appropriate privacy standards?
    Dr. Kolodner. Yes, sir, I believe that we do, and I think 
that we have a number of avenues and a number of venues where 
we are already doing that, including the American Health 
Information Community, and also a number of the contracts with 
the States, like the State Alliance for e-Health.
    Senator Voinovich. Do you think outside groups looking in 
would say that they agree with you?
    Dr. Kolodner. We have several venues where we use public-
private collaborations, and we certainly look for any other 
opportunities there might be, but we have been as open as 
possible in the development of the standards, and in 
deliberations by any of the work groups. They are all open, 
broadcast on the Web, and have opportunities for public comment 
throughout.
    Senator Voinovich. I know this is off the subject, but it 
is something I am interested in. We have not passed 
appropriations, and we are talking about a continuing 
resolution. I would be interested in your observations in 
regard to whether you feel that it has been harmful to your 
respective organizations to have a continuing resolution in 
which you are operating under.
    Dr. Kolodner. For the Office of the National Coordinator, 
we have been able to proceed on a variety of activities that we 
have underway, and we have not had to slow down because of the 
continuing resolution. And we also, as you know, have the good 
fortune of having both Secretary Leavitt's very strong 
backing--this is one of his top programs--as well as the 
President having passed two Executive Orders that allow us to 
move forward.
    Senator Voinovich. So no problem?
    Dr. Kolodner. No problem.
    Senator Voinovich. Mr. Green.
    Mr. Green. Senator, I cannot speak for all of the Office of 
Personnel Management on our budget issues. I will leave that to 
Director Springer. I can say that we are moving forward on our 
initiatives, and we have a very large agenda within the Federal 
Employees Health Benefits Program and the other benefit 
systems, and we are moving forward without slackening at all.
    Senator Voinovich. Do you have the personnel and resources 
to get the job done?
    Mr. Green. Sir, I argue and fight for as many resources as 
I can get with my leadership, but I think that would probably 
be best left inside the OPM doors.
    Senator Voinovich. Well, one of the things that bothers me 
is that we are asking many agencies to do all kinds of things, 
and we do not allocate the resources so they can get the job 
done. I know it is very difficult for the secretaries of these 
departments to be forthcoming about it, but it seems to me that 
during this new budget cycle we ought to be encouraging both of 
you to make it clear to the folks that are in charge if you 
need additional help. I just read, Senator Akaka, where the 
President is talking about flat funding the nondefense 
discretionary budget again. We just cannot keep going this way. 
There are too many responsibilities that are not getting done, 
and the nondefense discretionary budget is being cut. To be 
candid with you, we should be paying for the war, just not 
putting it on the tab. What it is doing is it is squeezing out 
other priorities that are essential.
    Have you, Mr. Green, had a chance to look at the bill that 
I joined Senator Carper in introducing, the Federal Employees 
Electronic Personnel Health Records Act?
    Mr. Green. Yes, sir, I have.
    Senator Voinovich. I would be interested in your comments 
about it.
    Mr. Green. Several comments, as a matter of fact.
    We note that the bill is consistent with the direction of 
the health care industry and the leadership provided by HHS, 
and it is also consistent with OPM's initiatives, as well, to 
move our carriers toward having PHRs. We do have some concerns 
about some of the aspects of the bill. Let me put it this way: 
We would be excited and would like to work with you and your 
staff and Senator Carper to move that forward, to deal with 
some of the issues we have. I think you will find them good 
points that we both want to work through, and we would be happy 
to do that with you, sir. But overall, yes, we do support a 
bill like that.
    Senator Voinovich. So if Senator Carper's and my staff got 
in touch with you, you would be able to tell us your concerns.
    Mr. Green. We would be pleased to do that. Yes, sir.
    Senator Voinovich. I was glad to hear from your testimony 
that you are interested in HIT yourself. I mean, it is not like 
we are asking you to do something that is not already being 
done.
    Mr. Green. No, that is true. And our carriers are 
interested as well. They see this as a real opportunity not 
only to provide for their members, but also to differentiate 
themselves in the marketplace. Our job and Mr. Kolodner job is 
to see to it that they are done interoperably and so that it is 
portable and also so that they are, in fact, secure, private, 
and the information is confidential and under the control of 
the enrollee.
    Senator Voinovich. Our thought is that we could use that as 
kind of a model for the rest of the country. I mentioned that I 
spoke with Aetna, while at the bipartisan health policy 
conference sponsored by the Commonwealth Fund and the Alliance 
for Health records with Aetna's CEO, who said he thinks 
implementing personal health records is a great first step, and 
that they seem to be interested in moving forward with it. So 
it would be wonderful if we could get the standards in place 
and get moving.
    Mr. Green. Aetna is one of our carriers, of course, a very 
large participant, so that is good to hear.
    Senator Voinovich. Thank you, Senator Akaka.
    Chairman Akaka. Thank you, Senator Voinovich.
    Dr. Kolodner, you testified that the current HIPAA statute 
provides the flexibility to protect health information while 
allowing best practices to emerge. However, as Mr. Rothstein on 
our next panel notes in his written testimony, some private 
sector companies are using electronic health record and 
personal health record networks that generally are not subject 
to any Federal or State regulation because the initiatives are 
not covered entities under HIPAA.
    Does HHS have a list of entities that may have access to 
personal health information under a health IT network, but are 
not covered by HIPAA?
    Dr. Kolodner. The HIPAA rules define the entities that are 
covered by HIPAA. There are other entities that are not covered 
by HIPAA, and he may be referring to some of those entities.
    The Confidentiality, Privacy, and Security Work Group and 
our Consumer Empowerment Work Group, which is another work 
group under the American Health Information Community, both 
have started to consider whether there are entities that should 
be covered under HIPAA that are not now being covered. We will 
be looking at those recommendations as they come forward and 
see whether there is sufficient authority in HIPAA to extend 
that. So we are considering that as part of the deliberations 
that I mentioned that are underway.
    Chairman Akaka. Dr. Kolodner, HHS has been without a 
permanent National Coordinator for Health IT since May 19, 
2006. When will a permanent National Coordinator be named?
    Dr. Kolodner. Mr. Chairman, that would be a question that 
Secretary Leavitt would ultimately need to answer. He has asked 
VA to detail me over. VA did that starting in September. VA was 
gracious enough to extend the detail, so I will be here for 
another period of time, and it will be up to Secretary Leavitt 
to ultimately decide.
    Chairman Akaka. Thank you.
    Mr. Green, you testified that OPM is a member of several 
work groups focused on health IT. Can you share with us some of 
the recommendations that OPM has made to these groups?
    Mr. Green. Senator, the work groups operate under a 
consensus-based decisionmaking process. We contribute to those 
discussions on each recommendation as they come up.
    One of our primary objectives is to ensure consumer rights 
and responsibilities are protected, and we also share our 
knowledge on employer-based health benefits to shape 
recommendations that are achievable and promote the broad goals 
of the HIT initiative.
    Chairman Akaka. Thank you. Senator Carper.
    Senator Carper. Thanks, Mr. Chairman. Who did you succeed 
in your job?
    Dr. Kolodner. Dr. David Brailer was the first National 
Coordinator.
    Senator Carper. What is Dr. Brailer doing now?
    Dr. Kolodner. I believe he is doing some private 
consulting. He is also a Special Government Employee, since he 
does still co-chair the American Health Information Community.
    Senator Carper. Thanks. If you ever see him, give him my 
best. Thanks. All right.
    Dr. Kolodner. I will do so.
    Senator Carper. I understand when I was out of the room in 
another meeting here in the anteroom that Senator Voinovich 
asked for some reaction from both of you to the legislation we 
are about to reintroduce. And I understand that you pretty well 
trashed it. [Laughter.]
    No. I understand you were pretty generous. Would you just 
recap for me what you had to say and any thoughts you might 
have for making it better?
    Mr. Green. Certainly, Senator. I explained that we have 
reviewed and commented earlier, at least within the Executive 
Branch, on the bill and that since the provisions in the bill 
are consistent with the direction that the health care industry 
is going and the leadership that HHS is providing, it is also 
consistent with OPM's direction of where we want to move with 
our carriers in the FEHB program. So we are supportive of the 
bill and its outline and its purpose. There are some issues 
that we would like to have the opportunity to discuss with you 
and your staff that we think we can help improve the bill to 
fit what goes on within the FEHB program and some other issues, 
to help deal with privacy concerns as well. So we would welcome 
the opportunity.
    Senator Carper. We gratefully accept that offer.
    I mentioned earlier in opening statement, that in Delaware 
we are standing up the Delaware Health Information Network, and 
we are doing so with the financial support from the Department 
that Secretary Leavitt leads and from some of the folks that 
are your colleagues, Dr. Kolodner. And the State of Delaware is 
matching that money over the next couple of years, and the 
private sector in our State is stepping up as well. We just 
learned that Blue Cross/Blue Shield of Delaware is the latest 
to step forward and say they want to be financially supportive 
of this, too. So we are very much encouraged.
    One of our focuses in standing up the Delaware Health 
Information Network is to protect patient privacy and patient 
records. And I know that you come out of the VA, don't you?
    Dr. Kolodner. Yes, sir.
    Senator Carper. How long did you work there?
    Dr. Kolodner. Twenty-eight years.
    Senator Carper. Twenty-eight years, wow. Did you start as a 
child? [Laughter.]
    But the VA approach on harnessing information technology--
just talk with us a little bit about what you did there to 
protect the privacy of patients and their personal or health 
records. And is there maybe a lesson there, a model for the 
rest of us, whether we are doing it at the State level or for 
Federal employees?
    Dr. Kolodner. The VA had privacy as a central part of the 
system from early on, and we actually--because it is a single 
system and not a network. A network obviously presents new 
opportunities, new challenges. But as a system, we actually 
would contract to security companies for them to try to break 
into the electronic health record system and find where the 
vulnerabilities were so that we could fix them before any 
breach had occurred. The VistA system, which started out as the 
Decentralized Hospital Computer Program is secure and has not 
been a source of any breaches.
    We also have a personal health record we provide to 
veterans, starting in December, we actually upload this robust 
data from.
    Senator Carper. Starting this past December?
    Dr. Kolodner. This past December. We had it in test with a 
few thousand veterans before that, but starting this past 
December, veterans can, in fact, have a copy of their clinical 
record--not just any claims data but the clinical data that is 
in this robust VistA system--uploaded to a personal health 
record if they choose. So it is an opt-in strategy. And we have 
security----
    Senator Carper. It is opt in, not opt out?
    Dr. Kolodner. It is opt in for the personal health record, 
yes, sir. And we have gotten very positive response from the 
veterans who----
    Senator Carper. Are they opting in?
    Dr. Kolodner. They are opting in. Hundreds of thousands 
have opted in so far. And as with any new technology, if you 
remember when the Internet started, many of us were a little 
skeptical. We wanted to see what was going on. Did we want to 
use our credit card over the Internet? And gradually what 
happens is you get the early adopters who were willing to take 
a chance, and the system gets more and more robust, more and 
more trusted, and more people, in fact, come on board. So there 
is a growth curve that is a natural growth curve. It is not 
that everybody comes on at once. But it is one where you get 
more rapid uptake over time, and we are beginning to see that, 
particularly as you offer services that--veterans had wanted to 
be able to refill their prescriptions online, and they can do 
that now.
    Senator Carper. Great. You may recall in the last Congress 
the Senate passed legislation dealing with health IT, passed a 
pretty good bill. I don't know that there was anybody who voted 
against it in the Senate. It went over to the House and it 
died. It died over there, and for reasons that are not 
altogether clear to me.
    What advice would you have for us as we come back and take 
up the legislation? There may be an effort to try to combine 
what Senator Voinovich and I are doing to actually make it part 
of the larger piece of legislation? I don't know if we will let 
that happen. Maybe we will, maybe we won't. There could be 
worse outcomes.
    But why did it die in the House? What might be different 
this time? And as we tinker with that legislation and prepare 
to pass it again in the Senate, what advice would you have for 
us, either of you?
    Dr. Kolodner. Senator, certainly the reason why it died in 
the House or why the Senate and the House could not get 
together on it is beyond my purview and my expertise, and I 
would leave that to you and your colleagues.
    Senator Carper. Well, we do not know either. [Laughter.]
    But we will figure it out.
    Dr. Kolodner. I know that there is great interest in the 
health IT bill, and certainly we will work with you and with 
your colleagues as the various bills go forward to certainly 
work on something that advances the whole health IT agenda.
    Senator Carper. Well, I don't know how familiar you were 
with the legislation that was enacted in the Senate. I am not 
going to dwell on it. But if you have any ideas for the record 
that you might like to suggest to us, either of you, for how to 
improve that legislation when it comes to the floor, which I 
think will come fairly soon, we would welcome your input.
    Do you all have anything else you want to say with respect 
to any of the questions I have raised here?
    [No response.]
    OK. Thank you. Thanks very much for your good work, 
particularly at the VA, and as a veteran myself of the Navy, 
you make us very proud, even prouder to be veterans. And for 
all the veterans around the country, in Delaware and other 
places, who have the opportunity to use what I call the gold 
standard for health care in this country today, thank you for 
helping to provide that system.
    Chairman Akaka. Senator Voinovich.
    Senator Voinovich. I would like to get back to the bill 
that Senator Carper and I are going to reintroduce. It is my 
understanding that originally the bill had a 1-year 
requirement, the bill Senator Carper had, and then we had a 2-
year requirement, and then we talked to OPM and they said we 
might be moving too quickly.
    It is my understanding that OPM is reluctant to agree to a 
statutory deadline because the HHS standards have not been 
published. However, Dr. Kolodner, you indicated that you have 
the team necessary to get the job done. I just want you to know 
I do not want to see publication of the standards delayed. If 
you do not have the people that you need to get the job done, 
then we ought to know about it. I will pick up the phone and 
call my good friend, former Governor Mike Leavitt, and say, 
``Mike, you guys have made a commitment. Now put the resources 
in it so we can get it done.'' I want this taken care of.
    So if you want to respond to that, you may. [Laughter.]
    Dr. Kolodner. One of the pleasures of being over at HHS has 
been the undying support of Secretary Leavitt for the area of 
health IT. I could not ask for any stronger support from him, 
and that has been one of the things that attracted me to take 
this interim appointment.
    The office actually was established a little over a year 
ago, and we are just finishing up staffing up to our authorized 
level. We had been filling those activities with contractors. 
We are now bringing on the staff that we need, and we are 
moving as fast as we believe that we can, again, with this 
iterative process that is necessary to make the best policy.
    Senator Voinovich. Well, we welcome your input on our 
legislation. We will be talking to you and Mr. Green about it 
more.
    Thank you, Senator Akaka.
    Chairman Akaka. Dr. Kolodner and Mr. Green, thank you very 
much for your valuable testimony. I look forward to working 
with each of you to ensure that privacy and security are 
integral parts of the health IT architecture. Thank you very 
much.
    Dr. Kolodner. Thank you, sir.
    Mr. Green. Thank you.
    Chairman Akaka. And now I ask our second panel of witnesses 
to come forward. Testifying on our second panel are David 
Powner, Director of IT Management Issues, and Linda Koontz, 
Director of Information Management Issues, from the Government 
Accountability Office; also Mark Rothstein, Director of the 
Institute for Bioethics, Health Policy, and Law at the 
University of Louisville School of Medicine, as well as the 
Chair of the Subcommittee on Privacy and Confidentiality of the 
National Committee on Vital and Health Statistics; and Dr. 
Carol Diamond, Managing Director of the Markle Foundation.
    As you know, it is the custom of the Subcommittee to swear 
in all witnesses, so please stand and raise your right hand. Do 
you swear that the testimony you are about to give before this 
Subcommittee is the truth, the whole truth, and nothing but the 
truth, so help you, God?
    Mr. Powner. I do.
    Ms. Koontz. I do.
    Mr. Rothstein. I do.
    Dr. Diamond. I do.
    Chairman Akaka. Thank you. Mr. Powner, please proceed with 
your statement.

   TESTIMONY OF DAVID A. POWNER,\1\ DIRECTOR OF INFORMATION 
  TECHNOLOGY MANAGEMENT ISSUES, ACCOMPANIED BY LINDA KOONTZ, 
     DIRECTOR OF INFORMATION MANAGEMENT ISSUES, GOVERNMENT 
                     ACCOUNTABILITY OFFICE

    Mr. Powner. Chairman Akaka, Ranking Member Voinovich, we 
appreciate the opportunity to testify on privacy initiatives 
associated with our Nation's efforts to increase the use of 
health information technology. With me today is Linda Koontz, 
GAO's Director of Information Management Issues and privacy 
expert.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Powner and Ms. Koontz with 
attachments appears in the Appendix on page 52.
---------------------------------------------------------------------------
    In 2004, President Bush issued an Executive Order that 
called for widespread adoption of electronic health records by 
2014 and established a National Coordinator for Health IT to 
lead and to foster public-private coordination. Over the past 
several years, we have issued several reports and testified on 
numerous occasions, highlighting the need for detailed plans, 
milestones, and mechanisms to monitor progress if this 10-year 
goal is to be achieved.
    The benefits of health IT are immense and include reducing 
medical errors. However, it also raises concerns regarding the 
extent to which patient privacy is protected. The challenge 
here is to strike the right balance between patient privacy 
concerns and the numerous benefits IT has to offer this 
industry.
    This afternoon, as requested, I will summarize our report 
completed at your request, Mr. Chairman, on HHS's health IT 
privacy initiatives. Specifically, I would like to highlight 
three points: First, the importance of having a comprehensive 
privacy approach; second, HHS's initial efforts to address 
privacy; and, third, additional actions needed.
    Privacy is a major concern in the health care industry 
given the sensitivity of certain medical information and the 
complexity of the health care delivery system with its numerous 
players and extensive information exchange requirements. This 
concern increases as our Nation transitions to using more 
electronic health records. A comprehensive privacy approach is 
needed so that ultimately it is clear who these records are 
disclosed to, what limitations are placed on the use of the 
information, how patients can access their records, how 
inaccurate or incomplete information is corrected, and what 
administrative, physical, and technical safeguards are needed 
to protect electronic health information.
    HHS acknowledges in its National Health IT Framework the 
need to protect consumer privacy and plans to develop and 
implement appropriate privacy and security policies, practices, 
and standards for electronic health information exchange. HHS 
and its Office of the National Coordinator have initiated 
several efforts to address privacy. These include: Awarding 
several contracts that includes one for privacy and security 
solutions; consulting with the National Committee on Vital and 
Health Statistics to develop privacy recommendations; and 
forming a Confidentiality, Privacy, and Security Work Group to 
identify and address privacy and security policy issues.
    These efforts are good building blocks, but much work 
remains, including: Assessing how variations in State laws 
affect health information exchange; reporting and acting on the 
privacy and security contractors' findings; acting on advisory 
group recommendations; and identifying and implementing privacy 
and security standards.
    The National Coordinator's Office intends to use the 
results of these activities to identify policy and technical 
solutions for protecting personal health information as part of 
its continuing effort to complete a national health IT 
strategy. Ultimately, these and other efforts are to result in 
a comprehensive security and privacy policies, practices, and 
standards. However, how HHS plans to integrate the outcomes of 
its initiatives and when is unclear.
    Therefore, we recommended, Mr. Chairman, that HHS develop 
an overall privacy approach or a game plan that identifies 
milestones and an accountable entity for integrating the 
outcomes of its health IT contracts and recommendations from 
advisory groups. In addition, this approach should ensure that 
key privacy principles highlighted in our written statement are 
fully addressed. And, finally, this approach should address key 
challenges associated with legal and policy issues, disclosure 
of information, individual rights to access, and security 
measures.
    In summary, Mr. Chairman, while progress continues to be 
made through the National Coordinator's private initiatives, a 
comprehensive approach is needed to integrate the results of 
the initiatives to ensure that key privacy principles are 
addressed and to ensure that recommendations from the advisory 
committees are effectively implemented. Otherwise, HHS will not 
be providing the leadership called for by the President and its 
goal of safeguarding personal health information will be in 
jeopardy.
    This concludes our statement. We would be pleased to answer 
questions.
    Chairman Akaka. Thank you very much, Mr. Powner. Mr. 
Rothstein.

 TESTIMONY OF MARK A. ROTHSTEIN,\1\ HERBERT F. BOEHL CHAIR OF 
LAW AND MEDICINE, AND DIRECTOR, INSTITUTE FOR BIOETHICS, HEALTH 
  POLICY AND LAW, UNIVERSITY OF LOUISVILLE SCHOOL OF MEDICINE

    Mr. Rothstein. Yes, thank you very much, Mr. Chairman and 
Senator Voinovich. I appreciate the opportunity to be with you 
this afternoon. I want to clarify for the record that I am 
appearing in my individual capacity and not as a representative 
of NCVHS, which may want to deny any responsibility for my 
statements, written or oral.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Rothstein appears in the Appendix 
on page 130.
---------------------------------------------------------------------------
    I want to make two points this afternoon. First, in my 
view, HHS has not made meaningful progress in developing and 
implementing measures to protect the privacy of health 
information in electronic health networks. And the second point 
is that time is of the essence. I believe HHS must begin to act 
immediately on these very difficult privacy issues and also 
that Congress needs to hold HHS accountable and make them meet 
the milestones that have been suggested by GAO or some of the 
other measures that I want to suggest to you this afternoon in 
my testimony.
    I specifically agree with the comments in the GAO report. I 
believe that they accurately captured the sense and the 
progress, or lack of progress, on the privacy issues. But I 
would add my own assessment that I believe that the focus on 
privacy is currently lagging behind the focus at HHS on 
technical development of the infrastructure of the NHIN. And I 
am concerned that the gap between the technical progress and 
privacy is actually widening, and that is not a luxury that we 
have, for reasons that I want to pursue in just a minute.
    In 2004, the head of ONC at that time, Dr. Brailer, asked 
NCVHS to do a comprehensive study on privacy and 
confidentiality issues in the Nationwide Health Information 
Network. And it took us 18 months of hearings throughout the 
country, dozens of witnesses, and lots of rather heated 
deliberation to reach our recommendations, which were delivered 
to the Secretary in June 2006. And just to emphasize the nature 
of these fundamental questions that have to be resolved, I want 
to go through a couple of them with you, if I may.
    First, NCVHS noted that a decision has to be made on 
whether individuals have a right to decide whether they want to 
be a part of this nationwide system, and if so, should that be 
opt in or opt out or some combination, should it be controlled 
locally or via some other method. So that is a fundamental 
question.
    Another fundamental question is whether individuals should 
have some control over the contents of their health records 
that would be disclosed via the NHIN. When you put together 
comprehensive, longitudinal, individual health records, they 
are likely to contain lots of old data. Some of it may be very 
sensitive. Some of it may be irrelevant to current care. These 
records are not usually available now because of the 
fragmentation of the system. You cannot get it from all these 
places. Electronically, it will be easy to obtain this 
information, and I am concerned that under an electronic system 
we should not have less privacy than we do today. So that is a 
concern of mine.
    I am also concerned about the scope of the disclosures when 
people have to sign an authorization to get a job or life 
insurance. About 25 million of these are signed each year in 
the United States, and when the records are released, typically 
the entire file is sent. And this may include all this 
sensitive information.
    NCVHS submitted 26 recommendations to the Secretary, and I 
don't think that very much progress, if any, has been made on 
any of these areas that we identified. And I believe that time 
is of the essence, as I emphasized in my written testimony. 
Private sector groups are working today--while we are still 
talking about these issues officially in terms of regulation, 
the private sector is marching ahead. Last month, we heard at 
our hearings from Wal-Mart about this huge personal health 
record system that it is putting together, with over 2.5 
million employees represented, and this is a single company, in 
collaboration with other employers. They are not health plans. 
They are not covered entities under HIPAA. There is no 
regulation in place.
    So not only do I support the GAO recommendations, I think 
we need to be thinking beyond HIPAA. HIPAA is an archaic 
statute that was designed for totally different purposes. It 
was designed for the payment system. We now have a more 
comprehensive nationwide network involved, and I think we have 
to be thinking more comprehensively. And I believe that there 
are lots of things that need to be done, and I would recommend 
that the Subcommittee work with HHS and try to move the ball 
forward more rapidly on these very important issues.
    So I thank you for the opportunity to testify today and I 
look forward to your questions.
    Chairman Akaka. Thank you very much. Dr. Diamond.

  TESTIMONY OF CAROL C. DIAMOND, M.D.,\1\ MANAGING DIRECTOR, 
      MARKLE FOUNDATION, AND CHAIR, CONNECTING FOR HEALTH

    Dr. Diamond. Thank you, Chairman Akaka, Senator Voinovich. 
It is a privilege to be invited to testify today. I am the 
Managing Director at the Markle Foundation, and in that 
capacity I also serve as Chair of a large public-private 
collaborative called Connecting for Health. Our goal at 
Connecting for Health is to make sure that vital information is 
available both for patients and their providers when it is 
needed and where it is needed in a way that protects privacy 
and earns the trust of the American people.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Diamond appears in the Appendix 
on page 138.
---------------------------------------------------------------------------
    As you heard today, numerous efforts are underway to 
promote the use of health information technology within HHS, 
other parts of government, and the private sector. Yet as the 
GAO report and Mr. Rothstein have stated, there has not yet 
been enough progress in establishing a policy framework that 
will earn the long-term public trust required to sustain and 
build upon current activities.
    Toward that end, I have two important recommendations to 
make. First, the Nation needs a well-defined, comprehensive 
privacy framework based on key policy and technology attributes 
that I will lay out. Second, while the entities and contracts 
created by HHS have been useful to initiate action in this 
field, we now need to find the appropriate longer-term process 
for determining both the policies and the technologies that 
will achieve the attributes of such a framework. Our national 
strategy for health information technology must be carried out 
by decisionmakers informed by and accountable to a broad range 
of interests with direct public accountability.
    Let me first talk about the required framework for health 
IT. Our group took 3 years to develop this framework, and the 
framework includes the attributes that are necessary to protect 
privacy and security. Efforts to gather and share information 
should achieve these attributes:
    First, information sharing at the national level should be 
done in a decentralized and distributed way. Simply put, health 
information sharing should not require the development of large 
centralized repositories of personal health information. 
Clinical data should be left in the hands of patients and those 
who have a direct relationship with them in their care, and 
leave decisions about who should or should not see that data 
with patients and providers directly involved with their care.
    Second, sharing should separate demographic and clinical 
information. Sharing should be accomplished with an index that 
does not contain clinical data but, rather, knows where 
relevant information resides. Only those with proper 
authorization are then allowed to access the information, and 
this does not require the use of a national identifier.
    Third, the framework should be a flexible platform for 
innovation. Participation in the network by a broad range of 
providers delivering products and services will be a result of 
using open standards and transparent policies. This will 
encourage innovation so that we can make critical rapid 
progress.
    Fourth, the framework should implement privacy through 
technology. This is a key attribute. Technology choices should 
be made so that they can enable the effective implementation of 
policies protecting privacy. These technologies should create 
audit trails, implement security, improve data accuracy, 
prevent both intentional and unintentional improper disclosure 
of information. They should build rules and permissions into 
the process of accessing and distributing data.
    Our fifth attribute is really a set of nine foundational 
privacy principles. These have been adopted from fair 
information practices and other sources internationally. These 
principles include things like transparency, specifying the 
purpose of data being collected, collecting only what is 
necessary, adhering to the uses agreed to by the individual, 
allowing the individuals to know and have a say in how their 
information is used, maintaining the integrity of data, audit, 
oversight, and remedies in the event of breach or misuse. Every 
health information initiative should be expected to disclose 
how it addresses each of these principles.
    In summary, HHS deserves praise for its success in 
elevating public and industry interest in health information 
exchange and for encouraging the adoption of technical 
standards. But focusing only on technical standards is like 
building an interstate highway system, without the rules for 
entering, exiting, or anticipating the speed limits that need 
to be accommodated. In order to serve the communities through 
which it passes, a highway must have a coherent set of rules, 
made obvious through signage and visibly enforced, and be 
embedded in the design of the highway itself. And for the users 
of health information, patients and their providers, an 
explicit policy framework is essential.
    Several years of public opinion surveys show that Americans 
have significant privacy concerns when it comes to their health 
information. Without a policy framework with the attributes we 
propose, our Nation runs the risk of inappropriate uses of 
personal information followed by public clamor for hasty 
remedies, which will undermine the sustainability of an 
information sharing network. And these policies that touch the 
most private concerns of every American require a clear 
framework for privacy and an accountable visible process that 
can encourage public interest, that will be maintained over 
time, and that will give consumers confidence that their 
interests are being looked after.
    Mr. Chairman, the lack of trust in health information 
technology may not only impede progress but, more profoundly, 
it may squander this amazing window we have to stimulate a much 
needed transformation of our overburdened health care system.
    Thank you for the opportunity to testify.
    Chairman Akaka. Thank you very much for your statements.
    I just talked to my friend, Senator Voinovich, and I am 
going to let him proceed first.
    Senator Voinovich. Thank you very much, Senator Akaka.
    First of all, you heard the testimony of Dr. Kolodner. You 
were here for his testimony, and I asked him whether or not he 
had the staff to get the job done. In your opinion, does he 
have the staff to get the job done?
    Mr. Powner. We specifically have not looked at whether he 
has the human capital and all the resources to get the job 
done. Our big concern, Ranking Member Voinovich, is that we do 
not see a road map to get from where we are at today to have a 
comprehensive privacy policy in place.
    Dr. Kolodner made some comments about sound project 
management. Sound project management is about having milestones 
and targets, and we go after those milestones and set interim 
performance measures to gauge whether we are making enough 
progress or not. That is what we do not see, sir.
    Senator Voinovich. OK. So you are saying plan, milestones 
and, in addition, metrics to judge if milestones are being met?
    Mr. Powner. Absolutely, and some of our other witnesses 
mentioned some of the key privacy principles that clearly need 
to be addressed as part of that approach.
    Senator Voinovich. Right. Senator Akaka, it might be good--
if you recall, what we have been able to do with the GAO High-
Risk agencies. OMB and GAO have sat down together to develop a 
strategic plan on addressing these problems. They are making 
progress. It seems that process may have value here.
    The last question is for Mr. Rothstein. You said they are 
lagging behind the technical structure of developing IT. So 
what you are seeing is fast development without building 
privacy in at the beginning?
    Mr. Rothstein. Yes, Senator, and there are significant 
concerns that, unless privacy is built into the architecture of 
the system, we will not be able to come back and do it later. 
And that is why privacy protections have to be in from the 
start, and the longer it takes us to develop policies on what 
our privacy and confidentiality and security rules are, the 
more danger we have that it is going to be too late or it is 
going to be prohibitively expensive to go back and try to add 
the privacy protections.
    Senator Voinovich. Just another comment, Senator Akaka. It 
is nice that OPM may be saying they cannot do it because they 
are waiting to incorporate the privacy standards into the 
system. Thank you very much. I appreciate the chance to ask 
these questions.
    Chairman Akaka. Thank you very much, Senator Voinovich.
    Mr. Powner, you recommended in your testimony that HHS 
define a comprehensive privacy approach that includes detailed 
plans and milestones for integrating its various initiatives. 
GAO specifically mentioned the need to sequence the 
implementation of key activities appropriately. Would you 
explain that comment? Tell us why this is important. And what 
else is missing from HHS's current approach?
    Mr. Powner. Similar to Mr. Rothstein's comment, the 
sequencing is very important because his comment about building 
in privacy and security early, we see many examples throughout 
the Federal Government, Mr. Chairman, where we built in 
security or privacy after the fact, after systems and networks 
are built; and, one, it is very difficult to implement and, 
two, it is much more costly to do it after the fact. So it is 
very important that we sequence these activities. We are 
talking about prototypes right now for the National Health 
Information Network, and to Mr. Rothstein's point, what is 
happening is the technology is getting ahead of the policy, and 
we need to make sure that we get the policies in place so that 
we can actually make those appropriate technology decisions and 
build it in up front.
    Chairman Akaka. Dr. Diamond, I agree with your statement 
that public trust cannot be fully accomplished by relying only 
on existing legal provisions such as HIPAA. However, Mr. Green 
testified that OPM is pushing health IT through the FEHBP and 
is only requiring carriers to follow Federal privacy 
requirements.
    Do you believe OPM can earn the trust of Federal employees 
when carriers are increasingly using health IT?
    Dr. Diamond. Chairman, I would say two things. I think it 
is a very good thing for the Federal Government to help its 
employees find ways to see and access their own health 
information. But I would say that in the same way that the 
government can stimulate the use of information technology and 
stimulate the expectation that people can have their own 
information, it can also stimulate the adherence to a basic 
framework of privacy based on the attributes that I articulated 
today. As long as those both policy and technology things are 
clear to the user, that there is transparency, that people know 
how their information is used, then we can earn the trust.
    So I would say there is an opportunity to both stimulate 
people being more engaged in their health care by having 
personal health records and also to use the role of the Federal 
Government to make sure the attributes are built into every 
initiative that is put out there using information technology.
    Chairman Akaka. Mr. Rothstein, the privacy and security 
requirements of HIPAA and other laws do not cover all entities 
that exchange electronic personal health information. What can 
HHS do to ensure that gaps in legal privacy protection of 
health information are addressed by a privacy framework for the 
nationwide health information exchange?
    Mr. Rothstein. Mr. Chairman, one of the specific 
recommendations in my written testimony is that I believe that 
HHS should undertake a study to determine the number of health 
care providers that are, in fact, not covered entities under 
HIPAA at the moment. We have been doing that in my 
subcommittee--that is, the Subcommittee on Privacy and 
Confidentiality--and we are frankly astonished at the number of 
health care providers that are not covered entities.
    Unless you are engaged in an electronic billing 
transaction, you are not a covered entity. So all of the 
urgent-care, cash-paid doctors, many cosmetic surgeons that are 
not covered by any insurance plan, all sorts of other health 
care providers that are not covered--massage therapists, 
acupuncturists, and so forth--may not be covered entities under 
HIPAA. We don't know how many there are, and it seems that it 
is going to be Congress' role to enact new legislation or to 
amend the HIPAA statute to bring in all these other health care 
providers. But I think it would be very helpful to the Congress 
if we had a sense of how many there are that need to be 
covered.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. Yes, Chairman. As was stated previously by 
other witnesses, HIPAA was written at a time where we did not 
contemplate a Nationwide Health Information Network, nor did we 
contemplate the number of entities and parties today who are 
part of the use and sharing of health information.
    I do think, as I stated in my testimony, the two 
comprehensive things to do would be to require a policy 
framework based on key attributes and to establish a public 
process to build in and make sure that each information 
technology initiative that is proposed lives up to those 
attributes.
    Chairman Akaka. Thank you.
    Dr. Diamond and Mr. Rothstein, based on the work of HHS to 
date to promote health IT, are there any legislative changes 
that we in Congress should consider making to ensure that the 
privacy of health information is protected?
    Mr. Rothstein. Senator, I believe there are two areas in 
which congressional action would be indicated. First, is to 
extend the coverage of health privacy legislation; in other 
words, to expand the number of covered entities that are 
currently covered under HIPAA or under some other replacement 
law. The second is of a more substantive nature, and that would 
be to try to limit the amount of information that third parties 
can require individuals to provide as a condition of getting a 
job or a life insurance policy or some other commercial 
transaction. At the moment, it is lawful to require that 
individuals sign basically an unlimited release and then all 
this information and, increasingly, more comprehensive 
information will be disclosed electronically to people who do 
not have a legitimate interest in this extra information. An 
employer or insurer may have a legitimate interest in knowing 
your current health status, but maybe not things that happened 
20 or 30 years ago that would be of a very sensitive nature. 
And I think restricting those kinds of information requests 
would be very helpful.
    An example would be under the Americans with Disabilities 
Act, the Federal statute dealing with disability discrimination 
says that if you are a current employee, the employer can only 
ask about job-related health information. But if you are an 
individual who has a job offer but have not started yet, then 
they can have an unlimited request for information. If you 
applied that same standard that is applicable to current 
employees to these applicants, then the amount of information 
would be reduced substantially.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. I think there is an opportunity right now to 
consider what the right process is for this next level of 
public input and discussion that is required around privacy and 
security. And I think what I propose in my written testimony is 
what I will repeat here. Based on a set of foundational 
principles, there does need to be a process that will have 
appropriate public input, notice and comment, and deliberation 
so that we can move forward in a way that people feel trust in 
the health information network and the way their information is 
being shared. And I do think reverting to the policies and the 
attributes that I laid out today serve as a good yardstick or 
metric for trying to determine how to move forward.
    Chairman Akaka. Thank you. This question is to all of the 
panelists. You all heard the testimony of OPM that Federal 
employees' electronic health information is protected, despite 
the fact that HHS's efforts on privacy and security are lagging 
behind. Do you agree with OPM? Mr. Powner.
    Mr. Powner. Sir, I do not believe we are in a position to 
comment on OPM's efforts in that area. We have not looked at it 
in any detail at all.
    Chairman Akaka. Thank you. Mr. Rothstein.
    Mr. Rothstein. I would only note that the companies that 
offer insurance to Federal Government employees are covered 
entities under HIPAA because they are health plans. Therefore, 
they are regulated in the way that other covered entities are. 
But individual employees are not protected in the sense that 
for all of this information that is suddenly going to be 
aggregated and available electronically at a single point in 
time, we do not have new rules that apply to the network. What 
we are applying to government employees are the old rules under 
HIPAA.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. Yes, I am not familiar with OPM's efforts. I 
will just offer that under the existing HIPAA rule, there have 
been 22,000 complaints to OCR, and very few have actually 
resulted in penalties. And I think there is an opportunity to 
look at not only these new attributes that I laid out here and 
the principles as a way to ask ourselves if we are doing 
enough, but also to look at appropriate remedies in the event 
of breaches, because we are in an information world today. This 
is the Information Age, and I think every one of us, while we 
enjoy the benefits of it, also have to acknowledge that we need 
to think about the protections that need to be in place to 
participate fully.
    Chairman Akaka. Mr. Powner, what do organizations that 
store and exchange personal information consider when balancing 
the benefits realized from IT with the risks introduced by 
storing large amounts of personal data in electronic format?
    Ms. Koontz. I will answer that, if I may. We found, in 
terms of the research that we have done on privacy, that best 
practices organizations do a number of things. First of all, 
they get continuous and early input from stakeholders, from 
experts, and from the public in some form. And I emphasize the 
word ``continuously'' because as these kinds of initiatives are 
worked on, they tend to evolve and change, and there needs to 
be a constant going back to the privacy principles to touch 
them to make sure that we are consistent with the framework 
that we have selected.
    I think successful organizations also use fair information 
principles. I agree with many of the other witnesses on the 
panel today that HHS needs to take a broad look at privacy, and 
it is useful to look at the fair information practices which 
are broad, very internationally accepted principles as a way of 
facilitating discussion on the balance that should be struck 
between privacy and other interests.
    I think best practices organizations assess privacy 
protections, as many of the other panelists have said, before 
information technology is acquired or developed. Technology can 
be an enabler to help build in privacy protections, but once a 
system is built, it is very difficult and often very expensive 
to go back and retrofit those kinds of protections.
    To the extent that HHS uses these kinds of best practices, 
I think it increases their chance of success in this.
    Chairman Akaka. Thank you, Ms. Koontz.
    Mr. Powner, HHS has been without a permanent National 
Coordinator for Health IT for almost a year. What effect has 
the absence of a national coordinator had on HHS's progress 
toward defining a privacy framework as part of its national 
strategy for health IT?
    Mr. Powner. First of all, I think we need to give some 
credit to Dr. Brailer for getting the ball rolling here, and 
Dr. Kolodner has kept it rolling. But longer term, when you 
look at whether we need a permanent national health IT 
coordinator, we believe we do, for a couple of reasons. There 
are going to be some tough decisions. What we discussed here 
today, tough privacy decisions from a policy perspective are 
going to have to be made. Having a permanent leader would be 
very important for that.
    Also, too, because of the collaboration that needs to occur 
with the private sector, having a permanent leader sends a 
message that this is a presidential priority. Having an interim 
leader does not.
    Chairman Akaka. Thank you very much.
    Mr. Rothstein and Dr. Diamond, in June 2006, the National 
Committee on Vital and Health Statistics sent a letter to HHS 
Secretary Leavitt with 26 recommendations on privacy and 
confidentiality in the Nationwide Health Information Network. 
Meanwhile, the Markle Foundation is working with various 
stakeholders, including government, industry, and health care 
experts, to address the challenges of creating a Nationwide 
Health Information Network.
    What has been the response from HHS on your initiatives?
    Mr. Rothstein. Mr. Chairman, in terms of the NCVHS, we 
received in the fall a letter from the Secretary acknowledging 
receipt of our report, but that has been the extent of our 
official response from the Department.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. Mr. Chairman, we have been involved in many of 
the discussions within the work groups of the AHIC and also 
within the NHIN contract, and I think the groundwork that we 
did in laying out the framework for sharing information with 
privacy has been very instrumental in those discussions.
    However, we have not yet had the opportunity to see those 
privacy principles or the comprehensive framework that I 
discussed today make its way into the current initiatives on 
the NHIN. And to echo what some of the other witnesses have 
said, we worry that the technology efforts and the standards 
efforts are moving too far ahead of some of those privacy 
principles and privacy requirements that the technology should 
fulfill, that we should not be trying to correct later on.
    We know firsthand from doing our own prototype the year 
prior in three communities--in Indianapolis, Boston, and 
Mendocino County, California--that it is possible to connect 
disparate communities with different technologies using privacy 
and security. But those decisions about privacy and security 
changed the way technology was implemented. They drove 
decisions in the way that technology was implemented that we 
would like to see inform the process going forward.
    Chairman Akaka. Well, I want to thank you, Mr. Powner, Mr. 
Rothstein, and Dr. Diamond, for your testimonies and also Ms. 
Koontz, for your responses as well. And I want you to know that 
you have provided this Subcommittee with valuable information, 
and we appreciate all that you have done to ensure that 
Americans' health information is protected.
    Today's hearing underscored the need for HHS to integrate 
privacy into the nationwide health IT infrastructure. We heard 
repeatedly that individuals must have trust and confidence in 
the system to encourage them to share their personal health 
information. If we want health IT programs to succeed, we must 
have privacy and security protections in place at the 
beginning. I look forward to working with HHS, OPM, and the 
various stakeholder groups to make this happen.
    As there is no further business, the hearing record will be 
open for one week for additional statements or questions from 
Members of the Subcommittee.
    The hearing is now adjourned.
    [Whereupon, at 4:17 p.m., the Subcommittee was adjourned.]












                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
