b"<html>\n<title> - HEALTH INFORMATION TECHNOLOGY: PROTECTING AMERICANS' PRIVACY IN THE DIGITAL AGE</title>\n<body><pre>[Senate Hearing 111-213]\n[From the U.S. Government Publishing Office]\n\n\n\n                                                        S. Hrg. 111-213\n\n  HEALTH INFORMATION TECHNOLOGY: PROTECTING AMERICANS' PRIVACY IN THE \n                              DIGITAL AGE\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                       COMMITTEE ON THE JUDICIARY\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            JANUARY 27, 2009\n\n                               __________\n\n                           Serial No. J-111-3\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n\n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n54-240 PDF                WASHINGTON : 2010\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n                       COMMITTEE ON THE JUDICIARY\n\n                  PATRICK J. LEAHY, Vermont, Chairman\nHERB KOHL, Wisconsin                 ARLEN SPECTER, Pennsylvania\nDIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah\nRUSSELL D. FEINGOLD, Wisconsin       CHARLES E. GRASSLEY, Iowa\nCHARLES E. SCHUMER, New York         JON KYL, Arizona\nRICHARD J. DURBIN, Illinois          JEFF SESSIONS, Alabama\nBENJAMIN L. CARDIN, Maryland         LINDSEY O. GRAHAM, South Carolina\nSHELDON WHITEHOUSE, Rhode Island     JOHN CORNYN, Texas\nRON WYDEN, Oregon                    TOM COBURN, Oklahoma\nAMY KLOBUCHAR, Minnesota\nEDWARD E. KAUFMAN, Delaware\n            Bruce A. Cohen, Chief Counsel and Staff Director\n              Nicholas A. Rossi, Republican Chief Counsel\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                    STATEMENTS OF COMMITTEE MEMBERS\n\n                                                                   Page\n\nCardin, Hon. Benjamin L., a U.S. Senator from the State of \n  Maryland.......................................................     7\nHatch, Hon. Orrin G., a U.S. Senator from the State of Utah......     2\nKaufman, Hon. Edward E., a U.S. Senator from the State of \n  Delaware.......................................................     5\nKlobuchar, Hon. Amy, a U.S. Senator from the State of Minnesota..     4\nLeahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     5\n    prepared statement...........................................   111\nWhitehouse, Hon. Sheldon, a U.S Senator from the State of Rhode \n  Island.........................................................     1\n\n                               WITNESSES\n\nHahn, Adrienne, Senior Attorney and Program Manager for Health \n  Policy, Consumers Union........................................    12\nHester, James, Jr., Ph.D., Director, Health Care Reform \n  Commission, Vermont State Legislature..........................     8\nHouston, John, Vice President of Information Security and \n  Privacy, and Assistant Counsel, University of Pittsburgh \n  Medical Center.................................................    15\nMcGraw, Deven, Director, Health Privacy Project Center for \n  Democracy and Technology.......................................    10\nMerritt, David, Project Director, Center for Health \n  Transformation and the Gingrich Group..........................    17\nStokes, Michael, Principal Lead Program Manager, HealthVault, \n  Microsoft Corporation..........................................    14\n\n                         QUESTIONS AND ANSWERS\n\nResponses of Adrienne Hahn to questions submitted by Senators \n  Leahy, Specter and Hatch.......................................    35\nResponses of James Hester to questions submitted by Senators \n  Hatch and Leahy................................................    44\nResponses of John P. Houston to questions submitted by Senator \n  Hatch..........................................................    45\nResponses of Deven McGraw to questions submitted by Senators \n  Specter, Hatch and Leahy.......................................    61\nResponses of David Merritt to questions submitted by Senators \n  Hatch and Specter..............................................    64\nResponses of Michael Stokes to questions submitted by Senators \n  Leahy and Hatch................................................    66\n\n                       SUBMISSIONS FOR THE RECORD\n\nAARP, Washington, D.C., statement................................    73\nACLI, Frank Keating, President & Chief Executive Officer, \n  Washington, D.C., letter.......................................    79\nAmerican Psychoanalytic Association, James C. Pyles, Washington, \n  D.C., letter and attachment....................................    80\nCoalition for Patient Privacy, Ashley Katz, Austin, Texas, letter    92\nHahn, Adrienne, Senior Attorney and Program Manager for Health \n  Policy, Consumers Union, statement.............................    95\nHester, James, Jr., Ph.D., Director, Health Care Reform \n  Commission, Vermont State Legislature, statement...............   102\nHouston, John, Vice President of Information Security and \n  Privacy, and Assistant Counsel, University of Pittsburgh \n  Medical Center, statement......................................   107\nMcGraw, Deven, Director, Health Privacy Project Center for \n  Democracy and Technology, statement............................   113\nMerritt, David, Project Director, Center for Health \n  Transformation and the Gingrich Group, statement...............   133\nNational Association of Chain Drug Stores, Alexandria, Virginia, \n  statement......................................................   158\nNational Business Group on Health, Helen Darling, President, \n  Washington, D.C., letter.......................................   165\nPeel, Deborah C., MD, Founder & Chair, and Ashley Kats, MSW, \n  Executive Director, Patient Privacy Rights, Austin, Texas, \n  joint statement................................................   167\nStokes, Michael, Principal Lead Program Manager, HealthVault, \n  Microsoft Corporation, statement...............................   175\nVermont Information Technology Leaders (VITL), Gregory Farnum, \n  President, Montpelier, Vermont, letter.........................   183\n\n \n  HEALTH INFORMATION TECHNOLOGY: PROTECTING AMERICANS' PRIVACY IN THE \n                              DIGITAL AGE\n\n                              ----------                              \n\n\n                       TUESDAY, JANUARY 27, 2009\n\n                                       U.S. Senate,\n                                Committee on the Judiciary,\n                                                   Washington, D.C.\n    The Committee met, pursuant to notice, at 9:31 a.m., in \nroom SD-226, Dirksen Senate Office Building, Hon. Sheldon \nWhitehouse, presiding.\n    Present: Senators Leahy, Cardin, Whitehouse, Hatch, \nKlobuchar, and Kaufman.\n\n OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR \n                 FROM THE STATE OF RHODE ISLAND\n\n    Senator Whitehouse. Good morning. I am sorry the Chairman \nis not with us at this moment. We are expecting him. But in the \nmeantime, he has asked me to get the hearing underway. I am \nSenator Whitehouse from Rhode Island, and I am very pleased to \nhave been invited to have the opportunity to chair this \nhearing. I will take the liberty of having the floor here to \ngive my 2 cents on why I think this is so important.\n    We are on a very bad glide slope for health care in this \ncountry with a $30-plus trillion liability just for Federal \nhealth care benefits that is totally unfunded, not a nickel \nagainst that liability. We have calculated that the Bush \naddition to the deficit was $7.7 trillion before we even got \naround to the bailouts. And that seems like an impossibly big \nnumber. We have been arguing about $700 billion TARP funds. We \nhave been arguing about $35 billion auto bailouts. Thirty-plus \ntrillion dollars is an astonishing liability to have to face, \nand I believe that there are only two ways to face it.\n    One is with a very bloody toolbox comprised of benefits \ncuts, throwing people off coverage, paying providers less, and \nraising taxes, and we are far too far down all those roads with \nour health care system already. So that would be a very \nunfortunate toolbox to have to resort to.\n    The better toolbox is reform of the delivery system to make \nit more efficient so it is not creating so many casualties, so \nit is not creating so much waste and turmoil and division and \nstress and paperwork and duplication and waste. And in order to \ndo that, health information technology is going to be an \nabsolute key. The three legs of that stool, I think, are health \ninformation technology, investment in quality and prevention, \nand reimbursement reform, payment reform, so that the price \nsignals match what we want.\n    The health information technology platform is absolutely an \nessential element, not sufficient but essential, to getting \nthat done, and I very firmly believe that the Achilles heel of \nhealth information technology is privacy. If the American \npeople do not believe we have protected their privacy \nadequately, then the HIT initiative, the health information \ninfrastructure America needs will simply not get through this \nbuilding. And if it does not, that is a real tragedy because \nthat toolbox takes about 10, 15, 20 years to fully deploy. We \nhave got to get going now on that, and if we waste this moment, \nthe time will come when we are only left with that bloody \ntoolbox, because those tools, as awful as they are, have the \none advantage that you can deploy them right away. And so if \nyou have missed your moment with the reform toolbox, that is \nwhat you have left. And that is, I think, where we are right \nnow.\n    So I put this privacy question at the center of the most \nimportant economic issue the country faces, and I am delighted \nto have the chance to hear from all these wonderful witnesses. \nI am delighted to have the distinguished Senator from Utah, \nSenator Hatch, here; the distinguished Senator from Minnesota, \nSenator Klobuchar, here.\n    Senator Hatch, would you like to make some opening remarks, \nsir?\n\nSTATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM THE STATE \n                            OF UTAH\n\n    Senator Hatch. Well, thank you, Chairman Whitehouse. We \nappreciate you and your leadership here, and I want to \nespecially thank our panel here today. I appreciate the \nopportunity to say a few words on health IT this morning and, \nof course, welcome our distinguished panel, and especially you, \nMr. Houston, from my alma mater, the University of Pittsburgh. \nI am pleased to have you here, and all of you.\n    There is no doubt that we are living in an Information Age. \nTechnology has radically changed business and other aspects of \nAmerican life, and I believe that health IT can greatly \nstreamline the health care sector by saving costs, time, and, \nmost importantly, lives.\n    I am proud to point out that Inter Mountain Health Care, \nwhich is headquartered in Salt Lake City, Utah, has been a \nnational leader in adopting--and probably ``adapting'' would be \na good word, too--health IT in an integrated manner and could \nserve as a model for other health care delivery systems across \nthe Nation.\n    My colleagues and I on the Senate Finance Committee and \nHELP Committee have been working for some time to increase \nefficiency and reduce costs in our Nation's health care \nindustry. I believe the widespread use of health IT would \nundoubtedly reduce medical errors, inconsistent quality, and \nrising costs currently burdening the health care industry \ntoday. In fact, a Rand Corporation study projected that health \nIT has the potential to save the health care system billions of \ndollars each year.\n    Now, I am proud to have been a co-author of the bipartisan \nWired for Health Care Quality Act, both in the 109th and the \n110th Congress, along with my colleagues on both sides of the \naisle, including Senators Kennedy, Enzi, and Clinton. \nUnfortunately, we might not have a chance to reintroduce this \nbipartisan legislation again in this Congress since health IT \nis now being addressed through the stimulus legislation.\n    Now, regretfully, this language was crafted without the \ninput of Republican offices, including mine, who have \ndemonstrated longstanding interest in this important bipartisan \nissue. The widespread use of health IT would allow medical data \nto move with people as they move. Health IT would eliminate the \ncost of paper claims and help spread clinical research within \nthe medical community. We have the most advanced medical system \nin the world. The United States now leads the world in \ntechnological innovation, and I hope we can stay there. There \nis no reason why people's health files--their medical history, \ntest results, lab records, x-rays--cannot be accessed securely \nand confidently from a doctor's office or hospital. And I \nbelieve we have to develop a nationwide interoperable health IT \ninfrastructure that has strong but prudent privacy and security \nprotections. Providers must be able to easily manage their \ninformation needs to provide coordinated and quality care \ndelivery while securely managing the needs of their patients.\n    Now, I believe that the use of information technology is \nessential in promoting a system of coordinated and quality-\nfocused health care in this country in the health care delivery \nsystem. I think we have to embrace cutting-edge information \ntechnologies in health care, and we cannot afford to miss this \nopportunity.\n    Now, I look forward to hearing from these witnesses here \ntoday. I might mention that Senator Specter, our Ranking Member \non this Committee, is unable to attend, at least at this time, \nand has asked me to be sure that I attend. And, of course, as \nyou all know, I take a tremendous interest in everything \ninvolving health care around here. So I am very interested in \nwhat you have to say and the contributions that you care to \nmake to us to help us to understand this complicated but \nunderstandable set of issues.\n    Thank you so much, Mr. Chairman.\n    Senator Whitehouse. Thank you, Senator.\n    The role of the States has really been impressive in all \nthis, particularly in the absence of concerted, effective \nFederal leadership, and Utah, through its Utah Health \nInformation Network and through Inter Mountain, has shown \ngreat, great leadership as a State. And I know Senator Hatch \nhas been keenly interested and involved in those, so we are \ndelighted that he is here.\n    Another State that has shown great success and leadership \nin Minnesota, and Senator Klobuchar of Minnesota would like to \nadd an opening statement.\n    Senator Klobuchar.\n    Senator Hatch. Could I interrupt for a minute? We are \nreally happy to welcome both you and Senator Kaufman to the \nCommittee. You will like the Committee, and I think you will \nmake great contributions. And I think both of you will help to \nmake this Committee much more bipartisan.\n\nSTATEMENT OF HON. AMY KLOBUCHAR, A U.S. SENATOR FROM THE STATE \n                          OF MINNESOTA\n\n    Senator Klobuchar. Thank you so much. Well, thank you, \nSenator Hatch for that. Thank you, Mr. Chairman, for your \nleadership on this issue. As you can see, serving as both the \njunior and senior Senator from my State has somewhat weakened \nmy immunity system, so I have a cold. But it has not weakened \nmy resolve to serve on this Committee. So I am very excited to \nbe here. I served for 8 years as the Hennepin County attorney \nin Minnesota, where I was a prosecutor, but I also represented \none of the biggest hospitals in our State, Hennepin County \nMedical Center. So I have a lot of familiarity with some of \nthese issues, although when I think of the technology issues, \nwhich Senator Whitehouse has so well talked about on the floor \nand showed such leadership on, actually my real memory is of \ntwo things.\n    One is when I had my hip problems; I had my hip replaced at \nsome point at Mayo Clinic. Driving around with multiple x-rays \nby myself in the back seat of my car where they got hot and one \nof them almost melted, I thought there must be something better \nwe could do with health care in the country.\n    The second was that one time when I was county attorney \ntrying to get all of our police departments to change their \ncomplaint forms so that they were routine and we could put them \nin the computer at the same time. And I went to one of the \nsmaller departments, and they said, ``We cannot do that. We \njust bought new file cabinets, and they only fit one kind.'' \nAnd I think of this all the time when I think of the great \nchallenge it is to try to get institutions to change their \ntechnologies so that they match.\n    It is incredibly important in the health care area. A study \npublished last year in the New England Journal of Medicine \nfound that only 4 percent of U.S. physicians were using fully \nfunctional electronic record systems, and missing medical \nrecords occur in one of every primary care visits. Serious \nmedical errors that come as a result of missing records are \ncostly, time-consuming, and preventable. With the U.S. spending \n$2.3 trillion per year on health care, we must bring an end to \nthe inefficiencies of the system, and if implemented \nthoughtfully and with the kind of balance that I hope we talk \nabout here today, health information technology has the \npotential to reduce waste, improve quality, and stimulate \ninnovation.\n    No information is more private than an individual's health \ninformation, and despite federally mandated privacy \nprotections, consumers continue to have concerns about the \nprivacy of their records. And I would agree with Senator \nWhitehouse that this is one of the major issues, intentions we \nsee as we try to implement better medical technology.\n    If we are going to achieve the savings we would like to see \nwith medical technology, we must work to develop regulations \nand laws that inspire consumer confidence and trust. As with \nother industry advances in information technology, consumer \nconfidence is achieved with proper security protection and \nimprovements in business practices. Health IT investment must \nbe designed to achieve modernization and measurable health \noutcome improvements. In Minnesota, we are leading the way for \nhealth care innovation. Countless hospitals from Winona to \nDuluth have been recognized for the measured quality outcomes \nthat have resulted from effective information technology.\n    We have also led the way in ensuring that the privacy of \nthe patient remains protected. Patient consent is required in \nmy State for nearly all disclosures of health records, and it \nis one of the few States that gives citizens a private right of \naction if the privacy of their medical records has been \ncompromised.\n    I am interested in learning from all of you what providers, \nconsumers, and businesses are doing to help ensure the \nadvancement of technology in our health care industry, while \nstill working to provide the privacy and security of our \npatients.\n    Thank you very much.\n    Senator Whitehouse. I am delighted to join Senator Hatch in \nwelcoming Senator Klobuchar to the Committee. We were \nclassmates, and we have spent a lot of time together. We sit \nnext to each other on Environment and Public Works, and it is \nwonderful to have her join us on Judiciary as well.\n    Senator Kaufman, in addition to being a new member of the \nCommittee, is also a new Senator representing the great State \nof Delaware. We are delighted to welcome him and ask him to \nmake an opening statement.\n\n STATEMENT OF HON. EDWARD E. KAUFMAN, A U.S. SENATOR FROM THE \n                       STATE OF DELAWARE\n\n    Senator Kaufman. Sure, I just have a few comments.\n    First, I want to thank Senator Hatch, and I do want to \noperate in a bipartisan manner, as you have over the years with \nmy former Senator, Senator Biden.\n    I just have a few comments I want to make in the beginning. \nFirst, thank you for coming here. This is really an important \nissue. Everywhere I travel in Delaware, people are concerned \nabout the privacy of their medical records, and everywhere I \ntravel around here, people are concerned about the exploding \ncosts of health care. So we have this kind of conundrum on how \nwe are going to move forward on these two areas. And the main \nareas I am interested in today is kind of we are coming up with \na very major bill, the Economic Recovery Act, and there is \ngoing to be a lot there, hopefully some things in health care \nthat are going to help. But we want to make sure there are not \nthings in there that are going to hurt.\n    So I am looking forward to your testimony, and I am looking \nforward to the hearing. Thank you.\n\n  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE \n                        STATE OF VERMONT\n\n    Chairman Leahy. Thank you very much, Senator Whitehouse, \nfor being here. I apologize for being late. It certainly is not \nthe weather. As Dr. Hester knows, we do not let weather like \nthis bother us in Vermont. Anything under 5 inches is \nconsidered a dusting, at best. And with a Minnesotan and, \nSenator Hatch, you get snow out in Utah, don't you.\n    Senator Hatch. We have been known to have snow.\n    [Laughter.]\n    Chairman Leahy. I think you measure by the foot on \noccasion. I am delighted to see our new members here, Senator \nKlobuchar and Senator Kaufman. I must say that Senator \nKlobuchar, like me, is a former prosecutor, and Senator Kaufman \nprobably understands this Committee better than I or anybody \nelse here, the years he has spent here. So thank you.\n    I had a delay in the doctor's office before coming here. \nThat is what held me up, which is interesting because we are \ntalking about how you protect Americans' health privacy rights. \nWe are going into a national health IT system, which I strongly \nsupport the idea. I think you have to have innovation in \nAmerican health. That is the only way we are going to make sure \nthat we get health to everybody, but we also bring the costs \ndown.\n    I am pleased that President Obama has called for the \nimmediate investment in health information technology. If it \nworks the way we want. Americans' medical records will be \ncomputerized within 5 years.\n    Today, if you have a health record, you have a health \nprivacy problem. My wife is a registered nurse, now retired, \nbut she used to tell me how concerned she was to see health \nrecords around the hospital. Now you have electronic health \nrecords, digital data bases, and the Internet, and we have to \nprotect people's privacy in that.\n    If you can just click on a mouse and pull up records, that \ncan obviously be helpful for cost-effective health care, but \nyou have to make sure that personal privacy is protected. And \nif you do not have adequate safeguards to protect health \nprivacy, many Americans are not going to seek medical \ntreatment, which we have to worry about, because they fear that \ntheir sensitive health information will be disclosed without \ntheir consent. And those who do seek medical treatment assume \nthe risk of data security breaches and other privacy \nviolations. And health care providers who think there are \nprivacy risks, they are going to see that as inconsistent with \ntheir professional obligations, and they will not want to \nparticipate.\n    So it becomes the good news/bad news. The good news, it is \na very great thing if we can do it; the bad news, if there are \nleaks in there, health providers will not want to use it and \npatients will not want to use it.\n    Now, as Dr. Hester knows, in my home State of Vermont, we \nhave formed a public-private partnership that is charged with \ndeveloping Vermont's statewide electronic health information \nsystem, including a policy on privacy. I think that in order \nfor a national health IT system to succeed, we in Congress \nshould follow Vermont's good example and work together with \npublic and private stakeholders to ensure the privacy and \nsecurity of electronic health records. I have worked for more \nthan a decade with Senator Kennedy--a tireless champion of \nhealth IT--and many other Members, both Republicans and \nDemocrats, on this.\n    I think some have suggested that addressing privacy in \nhealth IT legislation is too hard and that we should put that \nissue off for another day. I disagree. If you do not have \nmeaningful privacy safeguards, you are not going to get a \nhealth IT system.\n    In his inaugural address, President Obama eloquently noted \nthat in our new era of responsibility ``there is nothing so \nsatisfying to the spirit, so defining of our character than \ngiving our all to a difficult task.'' This is a difficult task. \nAmericans are up to it. The Congress had better be up to it. \nAnd we will make it.\n    So, Mr. Chairman Whitehouse, I appreciate this, and I will \nstay and listen to the witnesses. I understand that Senator \nHatch and Senator Klobuchar and Senator Kaufman made opening \nstatements. Did you and Senator Cardin? And I must say that \nSenator Cardin is from the great State of Maryland, and we love \nMaryland. I have two grandchildren who live in Maryland, plus \nthe parents, of course.\n    Senator Cardin. The roads between Baltimore and Washington \nwere very clear today. Maryland did a good job in cleaning the \nroads, in case you are wondering. I got here on time.\n    Chairman Leahy. And your wonderful hospital, Johns Hopkins, \nsaved my wife's life, so I appreciate it. Go ahead.\n\n STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR FROM THE \n                       STATE OF MARYLAND\n\n    Senator Cardin. Well, thank you. I appreciate you \nmentioning that because we are very proud in this country of \nthe quality of health care. This Nation leads the world in \nmedical technology, and we are proud of the quality of care \nthat some people, most people in this country can receive, but \ntoo many people are denied access to care because of the high \ncost of health care in America and because of the large number \nof people who do not have any third-party reimbursement for \nhealth care. And we needed to do something about that, and I \nagree with President Obama, who has made health care reform one \nof his top priorities. And as part of that, it is to have a \nmuch more cost-effective system as far as medical information \nand administrative costs are concerned.\n    I think we all agree with that, and I agree with the \nChairman's comments about the goal that we clearly have of \nusing information technology much more efficiently in this \ncountry so that those who are providing health care can get the \nnecessary information to provide quality care and to avoid \nmistakes, and that all becomes a very important part of our \nhealth care system.\n    I do first want to acknowledge Senator Klobuchar and \nSenator Kaufman and welcome them to the Judiciary Committee. It \nis wonderful to have both on our Committee, and I think we will \nhave Senator Wyden for at least a short period of time on our \nCommittee, maybe longer. But it is nice to have our new \nmembers, and we welcome them. Senator Klobuchar is not a new \nMember of Congress. We came to the Senate at the same time. And \nSenator Kaufman, as the Chairman has already alluded to, had a \ngreat deal of experience, more than I think any other member of \nthis Committee, and we welcome your help as we try to deal with \nsome very complicated issues, including how to deal with \nprotecting privacy and allowing us to have an efficient system \nfor sharing of information.\n    And I just want to make an observation. I served on the \nWays and Means Committee for a number of years and was involved \nin privacy issues in health care. I think part of the problem \nis that those who collect health care information have not been \nas selective as I think they should be in trying to get consent \nfrom their patients on sharing of information, because in many \ncases this information does not need to be shared, or it could \nbe stored in a way that is encrypted or protects the personal \nidentity of the individual, and yet in so many cases the \ncollector of the information decides not to put it in that \nformat because of whatever reason.\n    So I do think we have to use some common sense here as to \nhow we can protect the privacy of the information and avoid the \ncoercive practices that health care professionals can use in \norder to get waivers, including denying care unless you sign \nthose forms, which do not have a lot of meaning to people who \nare stressed about getting health care. They are not going to \nread the information on signing the waivers.\n    So we have to come up with a better system to really have \ninformed consent, because I think it is critically important \nthat those who use our health care system know that their \npersonal information will not be shared without their informed \nconsent. And we have to come up with a way to figure out how to \ndo that.\n    So, to me, this hearing is critically important as we try \nto make sure that we do have a system that is efficient and one \nthat allows health care professionals to have immediate access \nto information that they need in order to properly treat their \npatients, but at the same time avoid the intentional or the \nnegligent release of medical information that can compromise \nnot only the rights of individuals, but their confidence that \nour system is doing it in the right manner.\n    Thank you, Mr. Chairman.\n    Senator Whitehouse. Thank you.\n    We will now hear from our learned panel. We are very proud \nto have you with us, and we will begin with Dr. James Hester, \nwho comes to us from the Chairman's home State, the great Green \nMountain State of Vermont, where he is the Director of the \nHealth Care Reform Commission for the Vermont State \nLegislature. With 35 years of experience in the health care \nfield, he has held senior management positions with MVP Health \nCare in Vermont, Choice Care in Cincinnati, Pilgrim Health Care \nin Boston, and Tufts New England Medical Center in Boston.\n    Dr. Hester earned his Ph.D. in urban studies and his M.S. \nand B.S. degrees in aeronautics and astronautics, all from the \nMassachusetts Institute of Technology. He also holds a Master's \nof Education degree from St. Michael's College, and we welcome \nhim to the Committee.\n    Dr. Hester.\n\n STATEMENT OF JAMES HESTER, JR., PH.D., DIRECTOR, HEALTH CARE \n          REFORM COMMISSION, VERMONT STATE LEGISLATURE\n\n    Mr. Hester. Thank you, Mr. Chair. Thank you for the \nopportunity to testify on this critical issue. I think my \ntestimony will be supportive of several of the themes that the \nopening remarks of the Committee have made. My testimony today \ndoes not reflect the official positions of the legislature or \nthe commission. I want to be clear about that.\n    I come before you not as a privacy expert or IT expert but, \nrather, as one with extensive experience in using information \nand information technology as a means to furthering effective \nhealth care reform.\n    Health care reform in Vermont, which has been underway for \nalmost 8 years, is the most comprehensive State initiative in \nthe country, built on an integrated strategy which includes:\n    One, expanding affordable coverage in a sustainable way. We \nreduced the uninsurance rate in the State from 10 percent to \n7.5 percent in the last 2 years in the face of a declining \neconomy.\n    Second, bending the medical cost curve by improving the \nprevention and treatment of chronic illnesses. Our Blueprint \nfor Health has pilot programs in three Vermont communities \ncovering 10 percent of the Vermont population, which is showing \nsome great results on this.\n    And, finally, using information technology as a catalyst \nfor performance improvement. Sustainable improvements in \ncoverage and chronic illness care can only be achieved with the \nsupport of information technology. It is impossible to obtain \nthe desired performance of our health care system as long as \nkey clinical information is only available to providers and \npatients through paper charts sitting in filing cabinets.\n    As mentioned, the primary vehicle for our IT strategy has \nbeen VITL. It is a new public-private organization. In the last \n3 years it has completed a State Health IT plan, implemented \nseveral pilot programs, and begun building the core \ninfrastructure for the statewide health information exchange.\n    Last May, Vermont became the first State in the country to \nprovide the long-term financing to pay for both the development \nof the statewide Health Information Exchange Network and for \nelectronic medical records for all independent primary care \npractices in the State.\n    This transition from creating a plan and implementing \nrelatively small-scale pilots to full-scale statewide \nimplementation has provided a major impetus for the review of \nthe privacy and security policies. Those efforts are in their \nfinal stages, but are now on hold pending clarification of the \nproposed privacy guidelines in the economic stimulus act.\n    While the health IT financing goes far toward reducing the \nfinancial barrier to widespread implementation of health IT, it \nis not sufficient by itself. Realizing the benefits of health \nIT requires broad acceptance by both patients and providers of \nthis new technology which deals with the most sensitive types \nof data. The process that VITL has engaged in represents a \ndelicate balancing act between sometimes conflicting interests \nof consumer control and needs and provider accountability and \nresponsibilities. Unless consumers are confident that their \ninformation is secure and will be used appropriately, they will \nnot participate in electronic health information exchanges. \nUnless providers believe that the administrative burdens are \nreasonable and the information is reliable, they will not \nparticipate in such exchanges either.\n    Moving forward with our health care reform totally depends \nupon finding an initial balance point between conflicting needs \nand interests in a way which will encourage broad-based \nparticipation of patients and providers. I am confident that \nonce the Federal privacy guidelines and requirements in the \nstimulus act are finalized, VITL will be able to rapidly \ncomplete the revision of its guiding principles and operating \npolicies.\n    However, this balance point is not static; it will evolve. \nWe fully expect that the implementation of the initial privacy \npolicies in a steadily growing set of pilot health reform \ninitiatives will teach us important lessons over the next \ncouple of years. We will have to return to these policies on a \nregular basis to update them based on what we have learned and \nnew technical capabilities. The core security and privacy \ncapabilities have been carefully thought through, however, and \nprovide a sound foundation for beginning this expansion.\n    Vermont health care reform is built on scalable, community-\nlevel pilot programs which enable us to learn rapidly what \nworks and what needs to be improved. We will use this model to \nevolve our privacy and security policies and capabilities as \nwell.\n    Given the strong feelings surrounding protected health \ninformation and the uncertainties that are inherent in the \nearly stages of the spread of EMRs, I fully expect that a \nsignificant minority of both patients and providers may elect \nnot to participate. A reasonable goal is to devise a program \nwhich will satisfy the needs of a large enough percentage of \nusers to enable robust testing of capabilities, deliver value \nto the users, and drive the next round of privacy and security \ntechnology. As capabilities mature and confidence grows, the \nhope and expectation is that our program will earn the trust of \na steadily expanding percentage of both our population and the \nhealth care delivery system. The successful scaling up of our \npilot programs into systemwide initiatives and the long-term \nsuccess of our health reform efforts depend on it.\n    [The prepared statement of Mr. Hester appears as a \nsubmission for the record.]\n    Senator Whitehouse. Thank you very much, Dr. Hester.\n    Our next witness this morning is Deven McGraw. She is the \nDirector of the Health Privacy Project at the Center for \nDemocracy and Technology. Prior to joining CDT, she was an \nassociate in the public policy group at Patton Boggs LLP and in \nthe health care group at Ropes & Gray. Ms. McGraw received her \nbachelor's degree from the University of Maryland. She earned \nher J.D. and L.L.M. from Georgetown University Law Center. She \nalso holds a Master of Public Health degree from Johns Hopkins \nSchool of Hygiene and Public Health. We welcome her to the \nCommittee.\n    Ms. McGraw.\n\n STATEMENT OF DEVEN MCGRAW, DIRECTOR, HEALTH PRIVACY PROJECT, \n              CENTER FOR DEMOCRACY AND TECHNOLOGY\n\n    Ms. McGraw. Thank you very much, Mr. Chairman, members of \nthe Committee, and thank you for holding this hearing today. It \nreally could not be more timely or more important. We have \neconomic recovery legislation on the table that has $20 \nbillion, at least--depending on what you are looking at--to \npromote the adoption of health IT, and this commitment is \nreally laying the building blocks for health reform. It is \ngoing to help us create the information superhighway for health \nthat will improve health care quality and engage more consumers \nin their care.\n    This is very good news. It is an important opportunity, and \nsurveys consistently show the support of the American public \nfor health IT. But these very same surveys also show that the \npublic is concerned about the risks to their privacy when \nmedical information will be moved online. A system that makes \ngreater volumes of information available for the right \npurposes--to improve our care--is also an attractive target for \npeople who would seek it for commercial gain or for other \ninappropriate purposes. So building trust in these systems is \nabsolutely critical to realizing the benefits of this \ntechnology.\n    Some say that privacy is an obstacle to achieving a digital \nhealth system. As Senator Leahy mentioned, it is not always \neasy to figure out the right way to approach this. But, really, \nit is not an obstacle. In fact, the opposite is true. Enhanced \nprivacy and security built into health IT will bolster consumer \ntrust and spur the more rapid adoption of health IT and, \ntherefore, allow us to realize these benefits.\n    So a commitment to spending significant dollars to advance \nhealth IT must be coupled with a strong commitment to privacy \nand security. One without the other is a job half done and will \nset us back significantly.\n    Congress' role is critical here, and strong privacy \nprotections must be part of any legislation that moves health \nIT. We cannot do this later. We will not have another \nopportunity.\n    We have taken on privacy once before in HIPAA, but health \ncare is really rapidly changing, and the way we move \ninformation today is different than it was then, and it is \ngoing to be even more different tomorrow and in the decades to \ncome. So we really need a second generation of health privacy, \na comprehensive, flexible privacy and security framework that \nsets clear rules for who can access personal health information \nand for what purposes that apply to all entities that are \nengaged in e-health.\n    The bill that is pending builds on HIPAA and takes some \nconcrete steps forward to the realization of this comprehensive \nframework of protections, and we support them. They are like a \ndownpayment, a good first step. But hopefully this will not be \nthe last opportunity for us to talk about this. As Dr. Hester \naptly pointed out, you know, these conversations are going to--\nyou know, making sure we get this right is going to require an \nongoing commitment from Congress, the administration, and the \nprivate sector as well.\n    In my testimony I have some detail about the privacy \nprovisions that are in the stimulus package, at least the ones \nthat I have seen in the House bill that got marked up the other \nday, and so I will just touch on a few. It includes Federal \nright to be notified if your health information is breached; \ngiving patients a right to an audit trail of disclosures from \ntheir medical record; ensuring that records or data cannot be \nsold or used for marketing purposes without your authorization. \nIt has provisions to improve enforcement. It tasks the HHS and \nthe Federal Trade Commission to work to develop protections for \npersonal health records, which are consumer-based tools which \nrequire a different set of protections. Again, my testimony has \ndetails on all of that.\n    I will close by saying, you know, the other thing that \nCongress might do is to task the Secretary with ensuring that \nall entities adopt and implement both policies and \ntechnological solutions that address fair information practices \nof data stewardship, then hold funding recipients accountable \nfor how they implement privacy protections. At the end of the \nday, whatever happens in the stimulus and having HIPAA, some \nfolks will be covered adequately; some folks will not. Having \nthe private sector develop policies will give us that extra \nmeasure of safeguard, and I think that if I were going to add \none more thing to what is already a very strong package of \nprotections, that would be it.\n    Thank you for the opportunity to testify today, and I am \nhappy to answer any questions you might have.\n    [The prepared statement of Ms. McGraw appears as a \nsubmission for the record.]\n    Senator Whitehouse. Thank you, Ms. McGraw.\n    Our next witness is Adrienne Hahn. She is a Senior Attorney \nand Program Manager for Consumers Union. As a health care \nadvocate, Ms. Hahn is an expert on medical privacy, health care \nfinancing, Medicaid, and patient safety efforts at the Federal \nlevel. Previously, Ms. Hahn served at the United States \nDepartment of Justice as an attorney in the Civil Rights \nDivision. She earned her Bachelor of Arts degree from the \nColorado College--where she was a classmate of my sister--and \nher J.D. from Boston College Law School. We welcome Ms. Hahn to \nthe Committee.\n\nSTATEMENT OF ADRIENNE HAHN, SENIOR ATTORNEY AND PROGRAM MANAGER \n               FOR HEALTH POLICY, CONSUMERS UNION\n\n    Ms. Hahn. Thank you. Mr. Chairman and members of the \nCommittee, thank you for inviting me to testify today. \nConsumers Union is the independent, nonprofit publisher of \nConsumer Reports magazine, and we work on a wide range of \nhealth care.\n    There is widespread agreement to accelerate the use of \nhealth information technology in our otherwise high-tech health \ncare system. Most hospitals and doctors' offices still store \npatient records on paper, making the history of medical care \nhard to transfer from one hospital to another or one doctor to \nanother. The inefficiencies of this system can lead to medical \nerrors and the loss and misplacement of vital information. As \nfor patients, we rarely see our own fragmented records or track \nour own health histories.\n    Consumers Union, therefore, strongly supports the movement \ntoward an electronic system of health records and information \nexchange. By harnessing the power of modern information \ntechnology systems, we can improve the quality of American \nhealth care and moderate health care costs by the following: \none, reducing errors; two, eliminating service duplication; \nthree, promoting pay for performance; and, four, providing the \ndata necessary to evaluate the actual comparative effectiveness \nof various treatments and drugs.\n    A national system of electronic medical records has the \npotential to improve the quality of health care by reducing \nhospital-acquired infection rates. Through a network of \nelectronic medical information, families can identify the \nsafest and the highest-quality hospitals. As just one example \nof the tremendous improvements in quality and cost savings that \nare possible, Consumers Union has been conducting a national \ncampaign to promote the disclosure of hospital infection rates, \nand you can find out more information about that at \nwww.StopHospitalInfections.org.\n    Each year, there are about 2 million patients who acquire \ninfections in hospitals and about 100,000 who die. In 24 \nStates, we have worked with State legislatures to pass laws to \nrequire hospitals to report their rate of infection based on \nthe idea that public disclosure will prompt hospitals to adopt \neffective methods to reduce their infection rates. Electronic \nmedical records technology and the public disclosure of more \ntypes of patient care data where the patient is not identified \nwill make it easier for consumers to reward those who provide \nquality.\n    While there can be important public and private benefits of \ncreating an effective electronic medical records system, we \nbelieve polls demonstrate that quite effectively. From the \ngreat potential of such systems unless more is done now to \nensure privacy, there will not be the heart and soul of the \nAmerican public in order to support that. In short, this \nrequires enabling patients to participate in deciding when, \nwith whom, and to what extent their personally identified \nmedical information is shared.\n    It is important that we all recognize that there is no \nhack-proof database or system, and once more medical data is \nmoving electronically, it is subject to threats from hackers, \nidentity thieves, and others. That is simply a fact of life, \nreconfirmed almost daily by new stories of financial and \nmedical record data violations.\n    Beyond the likely scenarios of security breaches, the value \nof electronic health information is such that many \norganizations will want to exploit secondary data sources for \nprivate financial gain, rarely--if ever--with patient \nknowledge, let alone consent. It is imperative that \npolicymakers take aggressive steps to protect privacy. \nOtherwise, security breaches could doom expanded use of health \ninformation technology.\n    Additionally, some will say that it is too complex or it is \ntoo expensive to allow people to control their medical \ninformation. Computers have the ability to handle the task. \nThey have been designed to deal with huge numbers of \nvariables--like 50 State laws--and to create special files \nwhere certain data are only available to a designated provider \non a ``need-to-know basis.'' If we do not meaningfully address \nthe privacy issue, polls show the public will not trust this \nsystem, and many will go to ``off the grid'' to get medical \ncare, and we will just increase public cynicism about big \nGovernment and big business controlling our lives. In an age \nwhen the talk is of consumer-driven health care and ownership \nand empowerment, forcing people to share their most secret \npersonal medical information is not the path to take.\n    Therefore, Consumers Union, along with a variety of \ndifferent organizations, has joined an e-health initiative \nwhich includes AARP, AFL-CIO, and other organizations that \nsupport this. And we have developed a set of principles that \nachieve an effective balance between promoting HIT and systemic \nprivacy safeguards. Those safeguards and protections are \nattached to my testimony. I would really encourage you to take \na look at those. I think they provide an excellent framework to \nensure that as we move down the road of health information \ntechnology, we ensure that the medical privacy records of \nconsumers are well protected.\n    Thank you.\n    [The prepared statement of Ms. Hahn appears as a submission \nfor the record.]\n    Senator Whitehouse. Thank you, Ms. Hahn. We appreciate you \nbeing with us.\n    Our next witness is Michael Stokes, the Principal Lead \nProgram Manager for Microsoft's HealthVault team. In this role, \nhe is responsible for policy compliance relating to privacy \nacross Microsoft's Health Solution Group and Advanced Research \nand Strategy Group. Before joining Microsoft, Mr. Stokes worked \nwith the Hewlett-Packard Company where he designed and provided \narchitectural business development and strategy. Mr. Stokes \nearned a Master's of Science from the Rochester Institute of \nTechnology and a Bachelor of Science in Mathematics from the \nUniversity of Texas at Austin. We welcome his testimony.\n    Mr. Stokes.\n\n STATEMENT OF MICHAEL STOKES, PRINCIPAL LEAD PROGRAM MANAGER, \n               HEALTHVAULT, MICROSOFT CORPORATION\n\n    Mr. Stokes. Thank you, Mr. Chairman and distinguished \nSenators. I am a Principal Program Manager in Microsoft's \nHealth Solutions Group. I am accountable to ensure that our \nproducts are in compliance with applicable regulations and \ncorporate policies, including privacy. I am honored to share my \nMicrosoft's views on the importance of privacy in health IT. We \ncommend the Committee for holding this hearing today and for \nyour efforts at the intersection of privacy, information, and \nhealth care reform. Microsoft's products, including HealthVault \nfor consumers and Amalga for hospitals and health care systems, \nfocus on improving health care outcomes.\n    We recognize that health data needs to be exchanged back \nand forth so that everyone--patients, hospitals, providers, and \nclinicians--have the right information at the right time to get \nthe best health outcomes.\n    We also understand that everyone, from patients to \nclinicians, will only be comfortable sharing health data and \nusing health IT if they trust that that data is protected. \nThere are three components to this trust: transparency, \ncontrol, and security.\n    First, transparency. Participants in the health care \necosystem should be transparent about their data collection, \nuse, and disclosure practices. If patients do not understand \nwhat data is being collected, who has access to it, or what it \nwill be used for, they may decide not to provide any \ninformation at all, even to their own physicians. Health care \nproviders need transparency, too, so that they understand how \nhealth data is used, how it is protected, and how their data \nwill be disclosed to other third parties.\n    Second, control. Patients and other health care \nparticipants should be given control to manage health data \neffectively. Control allows patients to decide when and under \nwhat conditions they want to share health data. Control can \nhelp ensure that the patient's health data is shared only with \nthe health care professionals who need to see it, and that the \npatient's data is not inadvertently misplaced or deleted.\n    Third, security. The security of health data must be \nprotected. Concerns about potential misuse of personal data \nthreaten to erode confidence in digital health solutions. \nStakeholders will be more willing to adopt the innovative \nhealth IT solutions that can improve care and reduce costs if \nthey feel confident that their data is secure.\n    By following these three principles of transparency, \ncontrol, and security, we can encourage greater adoption and \nuse of health IT and bring real change to our health care \nsystem.\n    Consumers will receive better information about appropriate \ntreatments, medications, nutrition, and exercise. Health care \nprofessionals will see a more complete picture of their \npatients' health, allowing them to eliminate unnecessary \nprocedures, avoid harmful drug interactions, and concentrate on \nproviding better quality care. And researchers can discover new \ntherapies, new breakthroughs, and new cures.\n    The principles of transparency, control, and security \nunderlie Microsoft's approach to its health IT products. At the \nsame time, we recognize that technology is only a part of the \ncomprehensive approach to improve our health care system. \nEducation, leadership in health care organizations, and \nmeaningful public policy are also critical components to this \nsuccess.\n    We look forward to partnering with you and all participants \nin the health care ecosystem to move forward toward a dynamic, \ntrusted, and patient-centric health care solution system.\n    Thank you for the opportunity to testify, and I look \nforward to your questions.\n    [The prepared statement of Mr. Stokes appears as a \nsubmission for the record.]\n    Senator Whitehouse. Thank you, Mr. Stokes.\n    Our next witness is John Houston. He is the Vice President \nof Information Security and Privacy and Assistant Counsel for \nthe University of Pittsburgh Medical Center. In 2002, Mr. \nHouston was appointed by the Secretary of the U.S. Department \nof Health and Human Services to the National Committee on Vital \nand Health Statistics. He holds a Bachelor of Science degree in \nComputer Science and History from the University of Pittsburgh \nand a J.D. from the Duquesne University School of Law.\n    Mr. Houston, welcome.\n\n   STATEMENT OF JOHN HOUSTON, VICE PRESIDENT OF INFORMATION \n  SECURITY AND PRIVACY, AND ASSISTANT COUNSEL, UNIVERSITY OF \n                   PITTSBURGH MEDICAL CENTER\n\n    Mr. Houston. Thank you very much. I am grateful for the \nopportunity to address this Committee today regarding this \nimportant topic. I would like to start my comments by stating \nthat the adoption of health care information technology is one \nof the most significant health care initiatives that this \nNation can undertake. However, the widespread adoption of \nhealth IT will not be successful if our patients' privacy \nexpectations are not met.\n    I am proud to say that UPMC has one of the most progressive \nand longstanding programs for the development and deployment of \nhealth IT in the world. Having been accountable for both \nprivacy and information security at UPMC for the last 8 years, \nI am not only aware of the public policy considerations \nunderlying privacy and information security, but also the \noperational balance between a patient's right to privacy and \nproviding timely and complete information that is necessary for \nthe delivery of effective health care. Unfortunately, this \nbalance is neither precise nor clear. I have seen firsthand how \ninformation barriers established in the interest of privacy \nhave detrimentally affected patient care.\n    I have reviewed the current draft of the privacy \nlegislation included in the Health Information Technology for \nEconomic and Clinical Health Act. While the act attempts to \naddress the evolving privacy and security requirements that \nhave arisen since the implementation of HIPAA, it falls short \nof providing the necessary comprehensive and workable framework \nthat we now need.\n    As the act is now being considered, I believe it is \nimportant to raise a number of concerns regarding the privacy \nand security provisions in the act. These concerns are more \nfully discussed in my written testimony, but I will highlight \njust a few.\n    Accounting of disclosures. The act provides that a patient \nis entitled to receive an accounting of disclosures of who \naccessed the patient's electronic record, even if such access \nwas for treatment, payment, or health care operations. For an \ninpatient encounter, it would not be uncommon for more than 200 \npeople to have access to various aspects of a patient's record. \nIn practice, this could result in substantial and costly \nefforts on behalf of the provider with little or no apparent \nbenefit to the patient.\n    Health care operations. The act provides that the Secretary \nwill propose limitations on the use of identifiable health \ninformation for health care operations purposes. The burdens \nassociated with de-identifying patient information must be \nconsidered, not only in terms of the effort and time associated \nwith performing the de-identification, but also in terms of the \nlikelihood that a covered entity will simply choose not to \nperform important health care operations.\n    Fund raising. The act provides that fund raising would no \nlonger be considered to be part of health care operations. In \ndifficult economic times and in an era of shrinking \nreimbursements, fund raising is of critical importance to most \nproviders. Any restriction on fund raising will further \nfrustrate a provider's ability to deliver quality health care.\n    Non-covered entities. The act attempts to address PHR \nproviders, Health Information Exchanges (HIE), Regional Health \nInformation Organizations, and other entities that had \nhistorically fallen outside the coverage of HIPAA. However, the \nact's treatment of each is neither comprehensive nor \nconsistent. Rather than establishing an inconsistent privacy \npatchwork, a single framework needs to be established to \naccommodate not only today's requirements, but which also can \nbe extended to cover the rapidly evolving health IT \nenvironment.\n    Enforcement. While there has been much criticism of the \ncurrent enforcement strategies, I believe that the manner in \nwhich enforcement is currently performed has been effective. \nThe act must ensure that the opportunity to collaborate \ncontinues to exist for those covered entities that are \ndedicated to protecting patients' privacy.\n    With that, I will close my comments. Thank you.\n    [The prepared statement of Mr. Houston appears as a \nsubmission for the record.]\n    Senator Whitehouse. Thank you very much, Mr. Houston.\n    Our final witness this morning is David Merritt. Mr. \nMerritt is a Project Director at the Center for Health \nTransformation and the Gingrich Group. Mr. Merritt leads the \ncenter's projects on health information technology and \nexpanding coverage to the uninsured. He earned his Master's \ndegree in Political Science and Government from Loyola \nUniversity, Chicago, and he earned his Bachelor's degree from \nWestern Michigan University. We happen to know him as the \neditor of ``Paper Kills,'' a book that Mr. Gingrich provided an \nintroduction for, and he has helped Mr. Gingrich co-author an \narticle with me on health information technology--which proves \nthat this is an issue upon which people at opposite ends of the \npolitical spectrum can find agreement.\n    Mr. Merritt.\n\nSTATEMENT OF DAVID MERRITT, PROJECT DIRECTOR, CENTER FOR HEALTH \n             TRANSFORMATION AND THE GINGRICH GROUP\n\n    Mr. Merritt. Thank you, Mr. Chairman, and thank you for the \nopportunity to testify this morning.\n    Privacy cannot be compromised. But neither can we \ncompromise progress in pulling our health care system out of \nthe technological Stone Age. We need to find the right balance \nbetween privacy at all costs and progress at any cost.\n    One of the key ways to any of this is by creating a common, \nuniform framework to securely store and transmit personal \nhealth information. The Healthcare Information Technology \nStandards Panel, known as HITSP, and the Certification \nCommission for Healthcare Information Technology, known as \nCCHIT, are doing just that. HITSP has finalized a series of \ntechnological standards to protect privacy, and there are two \nthat are worth highlighting.\n    The access control standard allows for the secure \nauthorization to personal health information, including role-\nbased, entity-based, and context-based access control.\n    The consent direct standard allows for the management of \nconsumer rights as to who may access, collect, use, or disclose \npersonal health information.\n    These standards were recently recognized in the Federal \nRegister, meaning that any future procurement of a health IT \nsystem by the Federal Government must include these \nprotections. Now it is up to the IT vendors to actually \nimplement them in their products, and one of the ways to drive \nthis is through the certification process.\n    Now, in full disclosure, I am on the Board of Commissioners \nfor CCHIT, but these views are my own and do not represent the \nCommission.\n    CCHIT certifies a range of products, including electronic \nhealth records, to ensure that they meet functionality, \ninteroperability, and security standards. There are about 50 \nsecurity standards, including the two that I mentioned before, \nthat, to be certified, an electronic health record must meet \n100 percent of them.\n    Now, on a general note, policymakers are currently debating \nthe future of these two organizations, and I cannot say it in \nstronger terms that replacing these organizations now or \nconfusing the marketplace by creating parallel entities would \nliterally turn the clock back 5 years, when this discussion \nfirst started. They can certainly be improved, but I think that \nwe will pay a huge opportunity cost in time and resources if we \nrevisit this debate now.\n    Now, on the broad policy proposals that are under \nconsideration by this Committee and others, Speaker Gingrich \nhas a belief that when you are presented with an idea, you \nshould say ``yes, if'' rather than ``no, because.'' And I have \ntried to do that with some of these proposals on the table.\n    Yes, I think there should be an individual right of \nconsent. Consumers should be able to opt out of certain \nproducts, services, or notifications, and they should be able \nto specify how their identifiable information can be shared \noutside the course of treatment or payment.\n    Consent must be balanced with health services research. I \nam a strong believer in the power of data. It can reveal which \ntreatments work, which treatments do not work, the \neffectiveness of drugs, devices, and other vital information \nthat really does benefit all of us. This is impossible to do \nwithout de-identified data, and when all identifiable markers \nare stripped, personal privacy is indeed protected.\n    Yes, patients should be notified of egregious breaches of \nprivacy, but these protections should incorporate risk-based \nnotification so that physicians, health plans, health systems, \nand others do not notify patients for harmless or inadvertent \ndata sharing.\n    Yes, patients should have a private right of action for \nextreme breaches of privacy. We need to strike the right \nbalance so that Federal, not State, litigation is available for \npatients, but only for clear, egregious cases.\n    In conclusion, we can find the right balance between \nprivacy and progress if we are careful, judicious, and \nrealistic. And I think once we do, we will have succeeded in \ntransforming health care into a system that saves lives, saves \nmoney, as well as protects privacy.\n    Thank you.\n    [The prepared statement of Mr. Merritt appears as a \nsubmission for the record.]\n    Senator Whitehouse. Thank you, Mr. Merritt. For questions, \nwe will now turn to the distinguished Chairman of the \nCommittee, Senator Leahy.\n    Chairman Leahy. Thank you. Thank you very much, Senator \nWhitehouse.\n    Dr. Hester, I understand that Vermont Information \nTechnology Leaders, or VITL, already have some successful pilot \nprograms connecting electronic health records. Is that correct?\n    Mr. Hester. That is correct.\n    Chairman Leahy. Given your experience with that, do you \nagree that--basically the feeling that I have--and tell me if \nyou disagree, of course, but that we have to have consumer \nconfidence in the privacy of those records if we really expect \nthem to take part in it?\n    Mr. Hester. I would agree we absolutely have to have \nconsumer confidence, and I think it is important to \ndifferentiate between the different levels of use of the \ninformation. For example, we have a pilot that provides \nmedication history to patients who are in the emergency room so \nthat the physicians in the ER will know what medications have \nbeen filled in the last year. Even in that situation, where it \nis very contained, very specific, and there is immediate need, \nwe still find 5 percent, 3 to 5 percent of the people do not \nagree, do not give the consent.\n    Chairman Leahy. Even though they might be unconscious when \nthey come in?\n    Mr. Hester. You can break the glass if they are \nunconscious. There are provisions on that.\n    Chairman Leahy. Okay.\n    Mr. Hester. At the other end of the spectrum, when you \nstart having electronic medical records which are not just \nbeing used by the practice, by the providers within a specific \npractice, but are connected into a regional health information \nexchange, the anxiety level and the requirements for earning \nthe trust go up dramatically because the people just do not \nknow who is involved in that.\n    So we have a survey of the population of Vermont. Half the \npopulation of Vermont said that in that situation they really \nfelt it was imperative that they could control or shape who \ngets their information through that network.\n    Chairman Leahy. Well, let me ask the same question of Ms. \nMcGraw and Ms. Hahn and Mr. Stokes. Do you find the same thing, \nthat you have to have consumer confidence in the privacy, if \nthis is going to work?\n    Ms. McGraw. Absolutely, Senator. I think that if there has \nbeen a consistent theme at this hearing, it has been that if \npeople do not trust these health IT systems that we are trying \nto build, we will have spent a lot of money for naught.\n    Now, there has been also a lot of discussion at the hearing \nabout the role of patient consent or control as a privacy \nprotector, and I think the only thing that I would add is that \nthat is an important component of privacy protection. But we \ncannot use patient consent as the sole protector of \ninformation. We cannot rely on the individual to read a form \nand completely understand all of the potential uses of their \ninformation, especially when you are talking about core health \ncare functions, like treatment or payment or the administrative \ntasks that are core to getting those things done.\n    Now, when you are talking about participation in networks, \nthat is another story. That exposes people's information to \nmore players than is the case when they go in to see their \ndoctor. We actually published a paper just yesterday on what we \nthink the right role is for patient consent.\n    Chairman Leahy. If we were to put this medical IT in the \nstimulus bill, should we also have patient protections in \nthere, too?\n    Ms. McGraw. Yes, absolutely. And, in fact, the bill does \ntake concrete steps toward the protections, again, looking at a \nset of rules.\n    Chairman Leahy. Dr. Hester, do you agree?\n    Mr. Hester. Agreed that it is an essential part of that \nbill.\n    Chairman Leahy. Thank you. Ms. Hahn.\n    Ms. Hahn. I would just echo what was said in terms of the \nconcern that their medical information is private. But I would \njust add one other----\n    Chairman Leahy. Is your microphone on?\n    Ms. Hahn. I would just add one other factor to that, and \nthat is that what we have been able to look at in terms of the \ndata, it shows that, for instance, the lack of confidence \nregarding medical privacy actually differs based on race as \nwell. So what concerns us, as we know, when the United States \nmoves to 2032 where minorities will be the majority, if this \nissue is not addressed appropriately now, we are actually going \nto be able--all the promise in terms of care coordination, \nquality of health care, might actually come to demise because \nof the fact that the minority population right now really does \nnot trust in the information being able to----\n    Chairman Leahy. So that is what your polling finds, the \nminority population does not trust it.\n    Ms. Hahn. No. We would say that there is a real concern for \nAmericans generally, somewhere around 56----\n    Chairman Leahy. But you said there was a different level of \ndistrust--\n    Ms. Hahn. Oh, yes. So if you break down that data and look \nat it in terms of race, it actually increases in terms of the \nlevel of distrust. To give you an example, even the chronically \nill have greater trust in information remaining private as \nopposed to an African American or a Latino. So I think that \nthere are some real issues here in terms of we are going to be \nbringing all Americans along in ensuring that we provide the \ntype of privacy protections that people have confidence in it.\n    Chairman Leahy. Mr. Stokes, do you agree or disagree with \nwhat you have heard?\n    Mr. Stokes. Thank you for that question, Senator. As I \ntestified, our products are dependent upon consumer trust. We \nbelieve that without consumer trust in the system, they will \nnot adopt the system.\n    We also, through extensive discussions and interviews, \nbelieve this is just as important for the providers. If the \nproviders do not trust in the system, they will not adopt the \nsystem either. And we find with family doctors and primary care \nproviders, they are as concerned about maintaining the sanctity \nof their doctor-patient relationship and that privacy as many \nof the patients we talk to.\n    Chairman Leahy. Thank you.\n    Mr. Chairman, I have other questions, but if I might have \nyour permission, I will submit them for the record.\n    Senator Whitehouse. Of course, without objection.\n    Senator Klobuchar.\n    Senator Klobuchar. Thank you very much, Mr. Chairman.\n    Dr. Hester, your State of Vermont, like Minnesota, has gone \nbeyond the HIPAA requirements, and as I mentioned, some of the \nthings that Minnesota has included. What do you think would \nhappen if other--we now have sort of a patchwork where some \nStates have gone beyond HIPAA, some have not. People may seek \ntreatment in multiple States. Do you think it would be easier \nto have this done on the Federal level or to have this done \nState by State?\n    Mr. Hester. I think it is important to have clear Federal \nstandards and guidelines that set the framework, you know, for \nthose policies. For example, the Office of Civil Rights' \nFramework for Privacy and Security that was issued last \nDecember has been a very helpful tool for us. We have suspended \nthe final development of our statewide policies, our operating \npolicies, until we get the clarification on the Federal \nstandards, and we are looking forward to that clarification. It \nis important.\n    Senator Klobuchar. And just one side note, Vermont also is \na State, like Minnesota, that passed a law prohibiting the sale \nof patients' pharmacy records.\n    Mr. Hester. yes.\n    Senator Klobuchar. Could you talk a little bit about how \nthis came about? I think patients would be surprised to hear \nthat their pharmacy records were at risk of being sold.\n    Mr. Hester. Pharmaceutical companies use histories on \nprescribing patterns to target physicians for detailing on how \nto use their products. And so there was concern of that being \ndone in this case without the physician's knowledge or consent \nas well. So the restrictions have been passed, and they are now \nbeing challenged. But it was an issue that was of great concern \nto the State legislature.\n    Senator Klobuchar. And this is also included in the House \nstimulus bill as one of the limitations, the marketing \nlimitation? I think it is.\n    Mr. Hester. My understanding, I have not reviewed the \ndetails, but my understanding is they are trying to put \nrestrictions in there, yes.\n    Senator Klobuchar. Okay. Thank you.\n    Mr. Hester. We would support that.\n    Senator Klobuchar. Mr. Houston, Chairman Leahy was going \nthrough the other witnesses with some questions, and I saw you \nnodding your head, maybe the other way, about inclusions of \nthese in the stimulus package. I brought up deliberately this \nconcern of State-by-State regulation. Could you talk a little \nbit about the limitations proposed and how we can ease the \npotential burden on providers while trying to get these privacy \nconcerns--which I think we have all agreed are an issue for \nconsumers and we are not going to get the proper use of medical \ntechnology if we do not have that kind of confidence.\n    Mr. Houston. Absolutely. Again, we are all patients, so we \nall have the same concerns about the protection of our medical \ninformation. But I know Deven said it and I have said it, that \nwhat we need is a comprehensive framework, and my biggest \nconcern is when I read the privacy and security components of \nthe act, the stimulation package, is what we end up with is a \npatchwork. And I do not think this patchwork works, in my mind. \nAnd there is nothing worse than getting this wrong, because I \nhave seen very directly the impact of trying to inappropriately \nimplement privacy and what the impact potentially can be on \npatients' care. And so while we all----\n    Senator Klobuchar. Why is it a patchwork?\n    Mr. Houston. Well, if you look at the way that--right now \nthere is State preemption even under HIPAA. But when you look \nat the act itself, it speaks about RHIOs would be handled one \nway and other types of organizations would be handled another \nway, about how they would potentially fit under HIPAA or \notherwise have to deal with compliance with certain privacy and \nsecurity rules.\n    I just want to get it right and get it right once, make \nsure that everybody is covered under the same framework. PHRs \ntoday are not covered under anything. If you have a personal \nhealth record system, you are not covered under HIPAA. Frankly, \nyou might not be covered under anything. And so if we are going \nto develop an environment which we--and we should be forward-\nlooking because, you know, what we have today and what we are \ngoing to have in 10 years or 15 years is going to be \ndramatically different. And we need to develop a framework \nwhich allows us to progress and implement new and novel and \nprogressive health IT, but do it in a fashion where the \nconsumer continues to feel like they are protected, and so \nthat--you know, HIPAA was initially enacted in 1996. I think \neverybody would agree that it has got a lot of holes. There are \na lot of things that, because of the way HIPAA was enacted, \nreally were not covered. We did not think about PHRs. We did \nnot think about a National Health Information Network. And so I \njust want to make sure we get it right the first time, and I am \nconcerned that we are not here and that we have one bite of the \napple, and if we do not get it right, we may find that we are \ndealing with problems yet again in 2 or 3 or 5 years.\n    Senator Klobuchar. Ms. McGraw.\n    Ms. McGraw. I think the only place where I would disagree \nis we just do not think that HIPAA is the right set of \nprotections for the personal health records, in part because \nHIPAA was designed to allow information to flow among \ntraditional health care entities without necessarily having to \nask the patient each and every time. These PHRs are tools that \nare designed for consumers to have copies of their own records \nthat they can then move, share, they can put their own data in \nthere. That needs to have really a much higher level of \nconsumer control about who can get it and for what purposes. \nAnd so while I agree that we need sort of a common framework, a \nbaseline, it has got to also be contextual. Regulation for \nthose products has to target the risks that consumers will face \nin those products, which are going to be different than when a \nhealth care entity holds your data.\n    My testimony provides a little more detail, but it is a \nlittle--it is sort of nuance of difference.\n    Mr. Houston. And I agree that HIPAA is not necessarily the \nappropriate vehicle, but we need to be forward-looking and come \nup with a good framework that really does meet all of our \ndifferent needs, especially as we see health care IT really \ntransforming.\n    Senator Klobuchar. Thank you.\n    Senator Whitehouse. Senator Kaufman.\n    Senator Kaufman. Yes, I want to follow up on that question. \nI think this economic recovery bill is an incredible \nopportunity for us to do some things in health care, and the \ntestimony here has been directed toward that. But also it is \ngoing to be a lot of money, and it is going to be spent--as Mr. \nHouston said, if it not spent right, it can cause troubles.\n    I would really like each one on the panel, if they could, \nkind of give their opinion on where we are in terms of the \npresent status of the bills, making sure that we are protecting \npolicy at the same time, having much more efficient health IT. \nMr. Hester, do you have anything you want to say on that?\n    Mr. Hester. The question is the economic stimulus act, the \ncurrent status of that.\n    Senator Kaufman. Exactly, and the provisions in it for \nhealth IT and privacy and where you think we are on that.\n    Mr. Hester. I am going to----\n    Senator Kaufman. You can pass.\n    Mr. Hester. I can pass? I am going to have to pass.\n    Senator Kaufman. Ms. McGraw.\n    Ms. McGraw. Again, you know, we need a comprehensive \nframework of protections. HIPAA today does not get us there. \nWhat is in the bill takes some concrete steps forward to \nimproving and filling some of the holes. I liked David's ``yes, \nif.'' I don't have so many ``yes, if's,'' but if all we need to \ndo is address the ``if's,'' then we are pretty close to the \ngoal line. And we should concentrate on doing that rather than \nhaving these--you know, wondering whether we can do privacy as \npart of health IT, because I think we are all pretty much on \nthe same table that you cannot do health IT without privacy.\n    So we are supportive of those provisions. If there are \nissues that need to be worked out, we should move forward with \ndoing that as quickly as possible.\n    Senator Kaufman. I take it there are no provisions in the \nbill that you think are so onerous that they would have to be \nstruck before you would--\n    Ms. McGraw. No, not in my opinion.\n    Senator Kaufman. Ms. Hahn.\n    Ms. Hahn. I would say that I agree with Deven. I feel that \nthere has been a real willingness on the part of both the House \nand Senate to work with the e-partnership in terms of \naddressing our concerns. So we really appreciate moving \nforward.\n    Mr. Stokes. Thank you for that question, Senator. Aside \nfrom some minor legal clarifications that I have understood \nfrom our lawyers that the language might impact non-health-\nrelated entities, we see no significant difficulties in \nadoption of the language as it stands or as it is proposed. But \nas Dr. Houston pointed out, one of our concerns is providing an \nongoing framework or guideline, so this is why my testimony \nfocused on the principles of transparency, control, and \nsecurity. If we are very clear on what the required principles \nshould be and have ongoing policy discussions as the technology \nevolves, as medical research evolves, and as the health care \necosystem changes and evolves down the road, we are much better \nsituated to dynamically address those in a basis without coming \nback again and again for legislative fixes, but are able to \nhave the foundations in the legislation for the regulatory \nbodies and industries to continue to make progress.\n    Senator Kaufman. Thank you.\n    Mr. Houston.\n    Mr. Houston. I think that absolutely I am in support of the \nhealth care IT component of the bill. I think health care IT is \nvital and we need to move forward with it as fast as we can. I \ndo have serious concerns about the privacy components of the \nact, though, and I did outline those in my written testimony.\n    Senator Kaufman. Yes, I got those. Yes.\n    Mr. Houston. And I think there are some serious concerns \nthat I have that could impact providers and their ability to \ndeliver care efficiently. And I also think that, you know, if \nyou read the privacy components of the act, they talk about \nstudy and reports and guidelines that need to be established. I \nreally think a lot of that needs to be done up front and then \ntransform that into something that works.\n    From living in the trenches, I can tell you that you do not \nwant to get things wrong, because you want to improve health \ncare, you do not want to impact health care. And I just see too \nmany things in these provisions that just concern me and are \ngoing to get in the way of delivering efficient health care.\n    Senator Kaufman. How long do you think it would take to \ndevelop that? I mean, really, we are faced with an economic \nrecovery bill. Clearly, we have economic--I mean, the big \nreason for doing this is to get the economy moving again.\n    Mr. Houston. Sure.\n    Senator Kaufman. One of the big emphases is shovel ready, \nand shovel ready does not just apply to infrastructure. It \napplies to this. So, you know, if we sit around and study this \nand come up with a plan--I mean, what do you--I think you have \nsome thoughts.\n    Mr. Houston. Right. We have done a lot of study. There are \na lot of really intelligent people that have great opinions on \nwhat we need to do. I think in a year's time, or even less, you \ncould really, I think, put together a comprehensive framework \nthat works.\n    You know, one of the things about privacy, though, that is \ndifferent in most everything that is in the stimulus bill is \neverybody has an opinion in good faith as to what privacy means \nto them. And it is difficult, often, to bridge the gap between \ndifferent people's opinions. And none of them are wrong, but we \nhave got to come up with something that works and something \nthat, again, does not impede health care delivery.\n    Senator Kaufman. Thank you. Mr. Chairman, can we let Mr. \nMerritt, if he has comments?\n    Senator Whitehouse. Go ahead.\n    Mr. Merritt. Thank you. The two areas that I would focus on \nthat I think could be improved, I mentioned one in my oral \nremarks.\n    Senator Kaufman. Right.\n    Mr. Merritt. The issue of de-identified data and health \nservices research. I do not think that there should be the \nright to opt out of having your de-identified data used for \nhealth services research. If you ask anyone who has dealt with \nlarge data sets that if you have the ability for selection bias \nin opting out, you are just not going to have as valid and as \nreliable research. And I think that as we move forward with \ncomparative effectiveness and evidence-based medicine, we need \nas much data as possible. And I think you can balance it--\nagain, getting back to my point about balancing. You can \nbalance privacy with progress if you can use de-identified data \nin that way.\n    The other point I would mention in the legislation that the \nHouse has considered is the impact on disease management or \nchronic care programs. There are restrictions on reaching out--\nhealth plans and health systems, on reaching out to members or \npatients who might qualify or benefit from these types of \nprograms. And I think that when you are talking about \nindividual health and improving individual health, those data \nflows and those connection points still need to be protected. I \nthink those can be best suited to be resolved through the \nrulemaking process at HHS.\n    And the last thing I will mention that is currently not in \nthe bill, or at least not in the packages that I have seen, is \nthe idea of tying Federal money to certification. When a health \nsystem or a provider is going to receive a grant to either \npurchase a system or an incentive to invest in a system, I \nthink there has to be the tie between the money and \ncertification, and specifically to CCHIT certification, because \nthey do have those protections in place, they do go through a \nvery rigorous process of testing and making sure those products \nare up to snuff. So I think those four components are very \nimportant.\n    Senator Kaufman. Thank you all.\n    Thank you, Mr. Chairman.\n    Senator Whitehouse. Thank you, Senator Kaufman.\n    I would like to start my questions with an observation that \ncomes out of something that Ms. Hahn said when she mentioned \nthat there were--according to, I think it is, a CDC \nstatistics--very close to 100,000 Americans who die every year \nas a result of hospital-acquired infections. Those of us who \nhave been watching this thing for a while have seen this number \nmove. It began with the IOM report talking about 80,000 \nAmerican deaths from all avoidable medical errors, and that was \nonly 7 or 8 years ago, as I recall. And then we got to 100,000, \nand then we got to 100,000 actually just means hospital-based \nmedical errors. And now we have really identified that the \nfield is 100,000 people dying from hospital errors that are the \nresult of hospital-acquired infections.\n    So the more that we learn about this and the more that we \ndrill into it, the deeper the quality problem and the more \nastonishing and egregious the consequences for Americans seems \nto be. I do not think there is anybody in this room or behind \nthis table or listening to this anywhere who has not had the \nexperience of having a loved one in the hospital and have that \nterrible feeling that you really cannot leave them alone there. \nEven in the best hospitals, somebody has got to be there to \nwatch out and protect them. And from that to these astonishing \nconsequences, if 100,000 Americans who are being killed every \nyear by anything else, we would be at war. And here we have, I \nthink, an enormous amount of work and investment to make.\n    So I really applaud all of you for your battle to try to \nget this right. I think it is really--I opened with my concerns \nabout where this put us politically with respect to the health \ncare reform that we need and what the consequences are of \ngetting it wrong in that larger struggle. But for a lot of \nhumans, this is really a truly human story about someone that \nthey love who they lost, someone in the hospital who they \ncannot leave alone there. And we just have to do this a lot \nbetter.\n    The discussion, as I have heard it, has focused on having a \ncomprehensive framework, getting it right, being fairly precise \nso that everybody knows kind of where they stand and what the \nrules are, and at the same time dealing with the ongoing nature \nof discovery. I think Mr. Stokes described it as an ecosystem \nand a dynamic environment. And as we talk about that, we in \nCongress, people who are legislators, think about different \nlevels at which you can solve a problem. At the very baseline, \nyou can come in, particularly if it is a very static, simple \nproblem, you pass a law, you set the standard, you wash your \nhands, and you are done with it, and off you can go and worry \nabout something else.\n    This strikes me as not being that kind of thing. This \nstrikes me as being a highly dynamic environment in which the \nstandard-setting role is less important at a level of detail, \nif you will, than the architecture-building role. And right \nnow, I do not see in our health care system a good oversight \narchitecture for solving this problem to begin with, and then \nhaving somebody or something in place that can continue to \nadapt to changes through the regulatory environment, continue \nto correct. To me, this is like landing a plane. You know, you \nhave got to be up, be down. You have got to make adjustments as \nthe wind shifts. You have got to be--that means there has got \nto be a pilot or a group of pilots, if you will, if it is an \norganization of some kind. But there has to be some entity that \nwatches this, and I am not comfortable that we have that entity \nnow. As much as I applaud what the CCHIT groups have done and \nwhat AHRQ is doing and what--I mean, there are lots of entities \nthat are out there doing it. One of the pieces of advice was do \nnot mess with what is already happening. I think we kind of \nhave to mess with what is already happening because I do not \nsee that we have got the ongoing architecture in place to \nmanage this transformation. I would love all of your thoughts \non that point. What should we be--what order of decision should \nwe be making here? Are we talking about actually setting up an \norganization of some kind that would cope with this? And I know \nTom Daschle is going to be our new Director of Health and Human \nServices. He has written a book about the need for a Federal \nhealth board. It seems to me to make a lot of sense that there \nshould be a Federal health board that has some oversight \nresponsibility over protecting privacy and making sure that \nthis gets done.\n    So that is a long sort of a broad brush of a question, but \nI would love to hear your responses to it.\n    Mr. Hester. I think it is an excellent question and a \ncritical one. At the State level, you know, we have created \nthis organization VITL, which is our health information \nexchange and has funding, to promote the development of the \ninfrastructure, is putting out the privacy--but its role is \neducation and promotion, and we have been asking whose role is \nit at the State level to do the oversight, because you do not \nwant the policemen to also be the people who are promoting it. \nSo I agree 100 percent. It is a gap, at least from our \nperspective at the State level, on how you do this.\n    The other thing I just want to mention is that you talk \nabout getting it right, and I guess, you know, Garrison Keillor \ntalks about ``pretty good,'' and I think we want to have a \npretty good system, because if you try getting it 100 percent, \nabsolutely zero tolerance for error, it is not going to happen. \nAnd what we have to talk about is the balancing of risk. We \nhave a huge job with the education of our public, the education \nof our consumers, on there is a huge risk associated with not \ndoing this and what is the balance between an acceptable level \nof risk on the privacy and security in order to achieve the \nbenefits of reducing the consequences on the delivery system. \nThat is a massive, massive job in terms of getting people \ncomfortable with that balance and that tradeoff.\n    Ms. McGraw. I think notwithstanding the specifics on \nprivacy that are in the bill--and I mention this in my \ntestimony--I think the bill could benefit from a provision that \nspecifically directs the Secretary of HHS--because we do not \nhave this Federal health board that Senator Daschle, soon to be \nSecretary Daschle, was talking about. But you need to have \naccountability for putting these privacy and security \nprotections in place, and not just the ones that are regimented \nin law. But, you know, HIPAA has always been a baseline. You \nknow, States have gone farther; institutions go farther with \ntheir policies. Anybody, I think, who gets this significant \nchunk of Federal dollars should really commit to developing \nprivacy and security policies that are coupled with good \ntechnological solutions that make them all work to move \nforward, not necessarily--you know, we want shovel in the \nground, right? So having people submit detailed plans ahead of \ntime is probably not possible to get the impact that we want as \nsoon as we want it. But if you put the Secretary in the \nposition and very specifically task him to hold people \naccountable, not just for how they spend this money, which they \nshould be, but also what kind of privacy and security \nprotections do you have in place. Do you have protections in \nplace, for example, that meet all of what are common, fair \ninformation practices in other contexts? We can do that. I \nmean, there are plenty of models out there to rely on.\n    Senator Whitehouse. Ms. Hahn.\n    Ms. Hahn. I agree there really is not the type of \ninfrastructure in place, and one key part of that public \ninfrastructure is consumer education. Right now, consumers are \nclueless in terms of when they sign those HIPAA forms. I mean, \nmost people actually think when you sign the form that if you \ndo not sign it, you will not get health care. So, of course, \nyour first thought is: Whatever I need to do to get immediate \nattention. And in terms of what protections are provided to \nthem, I mean, you see the whole gamut from people feeling that \nthey have a private right of action to sue if the information \nis made available to feeling that the Federal Government is \nsomehow enforcing it for them.\n    So whatever we do, we have to make sure that consumers have \na clear understanding of what their medical privacy rights are. \nAnd in doing so, as we make sure that folks have that \nunderstanding, we will remove some of the fear and distrust \nthat we need to move in the direction of more health \ninformation technology. So I think that is going to be one key \ncomponent, and then second is accountability. People need to \nsee--how many people can say here they have seen any entity \nheld accountable for a breach of medical privacy? We only hear \nabout the breaches, but we never find out what is the outcome. \nAnd that is going to be critical in moving in that direction.\n    Senator Whitehouse. Mr. Stokes.\n    Mr. Stokes. Senator, thank you for that question. I do not \nthink we can wait 1 year or even 1 month or 1 day. As my Vice \nPresident testified a week and a half ago in the HELP \nCommittee, we have to start today. We are shipping products \ntoday to meet these. We hope that there will be regulations and \nlegislation in a month to help provide more uniform support. We \nhope that there will be standards and certifications in a year \nto provide even better support. But we cannot wait and we \ncannot get it right, perfect. We must start today.\n    But the focus, we believe, should be on outcomes. If we get \ntoo caught up in the processes or the way to get there, we will \nforget that, just like the researchers and the clinicians in \nthe Mayo Clinic, what we really care about is improving health \noutcomes and reducing the costs. So all of the policies and the \nprinciples should focus on are we getting to those outcomes. \nWhat is our return on investment?\n    And, finally, the privacy principles are outlined about \ntransparency, control, and security. These are actually the \nsame technology principles required by the clinicians and by \nthe researchers to improve quality and reduce cost, because for \na clinician I want to be able to have insight into all of the \ninformation. I want the transparency as a CIO in a hospital of \nall the information in my hospital to improve my quality. And I \nwant to be able to control that information so if the FDA sends \nme an alert, I know within hours or minutes what patients in my \nhospital system are on those medications, that I do not have to \nspend days or weeks, like it is today, to track down possible \ndrug interactions.\n    Thank you.\n    Senator Whitehouse. Mr. Houston.\n    Mr. Houston. We clearly need an organization to oversee \nprivacy and security, and I think not from an enforcement \nperspective but from an oversight. I have said this for a long \ntime, that we are developing this architecture to pass \ninformation between entities, across State boundaries, and \nacross the United States. But there really is not an entity in \nplace that provides, I think, the necessary oversight to ensure \nthat appropriate standards are in place, not just for privacy \nand security but otherwise. And I think we need that. If you \nlook today, we have the Office of Civil Rights that is supposed \nto enforce privacy. We all want to get this right, but right \nnow there is no infrastructure in place to support trying to \nget it right.\n    You know, I do not want to be--I hate to say this. You used \nthe analogy of a pilot and the ups and downs. You want to make \nsure you are on the right trajectory when you land, and I sure \nas--you know, just like an airplane is filled with people, you \ndo not want it coming down in the wrong place because a lot of \npeople can get killed. And I think the same thing applies here.\n    So I think what we need is, again, some type of oversight \norganization that provides support, almost like an ombuds--I \ncannot even say the word--ombudsman to do as much support as \nenforcement.\n    Senator Whitehouse. Mr. Merritt.\n    Mr. Merritt. If I could, I would like to take somewhat of a \nlong view, like 2009 rather than the next 3 weeks. I think the \nthree pillars that you identified earlier are exactly the right \nones to focus on: health IT, quality improvement, and payment \nreform. The one I would like to focus on and urge the Congress \nto focus on this year is the issue of payment reform, because \nit can drive the other two. I think it can drive financial \nincentives for health information technology and the stimulus \npackage actually has that provision and the spirit of that \nproposal.\n    Secondly, payment reform can certainly drive quality \nimprovements. We actually held an event at the National Press \nClub just yesterday, and it answered President Obama's call in \nhis inauguration. He was looking for whatever works. And so we \nwere exploring health care that works. We released a paper that \nhad 60-plus pages of examples of employers and health systems \nand others who are actually using information technology, best \npractices, and other programs to improve health, lower costs, \ndrive innovation, and expand access. So I think payment reform \ncan actually be implemented so you can drive others to adopt \nthose best practices.\n    A Federal health board, while I do not support the outline \nthat Secretary Daschle has put forth in his book, I do think \nthat there is a role for some kind of entity to certify best \npractices, because there are many companies out there that are \nusing data that can identify best practices, whether it is \npublic or private data. And if there is a body that can \nactually tie best practices to payment reform, I think it \nreally can be an engine to drive a lot of these innovations.\n    Senator Whitehouse. Senator Klobuchar.\n    Senator Klobuchar. Well, thank you very much, Senator \nWhitehouse.\n    I had promised Senator Whitehouse I would not talk about \nMinnesota and the Mayo Clinic until my last round of \nquestioning.\n    Senator Whitehouse. But then somebody had to say Garrison \nKeillor, and now there is no holding you back.\n    Senator Klobuchar. Right. And I would say that Minnesota is \na place, to get your quote right, where the women are strong, \nthe men are good-looking, and all the health care providers are \nabove average. So, Dr. Merritt, I wanted to follow up with what \nyou said about the cost, which is very important to me, and the \nquality. As you know, there has been a study out showing that \nif all the hospitals in the country followed the protocol that \nMayo uses for the last 4 years of a chronically ill patient's \nlife, we could save $50 billion in Medicare payments over a 4-\nyear period. And some of that has to do with the costs in \ncertain parts of the country, but a lot has to do with the way \nMayo is able to standardize their work, how they pay their \ndoctors, but also how they share information and have a team of \ndoctors working together.\n    So what interests me about what you were talking about is \nfirst of all to make sure that in the privacy provisions in the \nstimulus bill, nothing will stop us in there from going to this \noverarching framework that we are talking about and, in fact, \nyou intimated that there are some things in there that could \nhelp. But I want to make sure that--do you believe that there \nis anything of these provisions that are--you know, the 3-week \nprovisions we are putting in place that could stop us from \ngoing there in terms of making sure that we can move on to \nbundled payments and all kinds of things that will create these \nkinds of incentives?\n    Mr. Merritt. I would go back to the two that I identified \nearlier, which were restrictions on de-identified data, because \nI know Mayo, just like Inter Mountain, has a very robust \nresearch department where they can actually take research from \nthe clinical process, analyze it, and then put it back into the \nprocess to identify what----\n    Senator Klobuchar. Just to make sure, since this is my \nfirst day on the Committee, by ``de-identified'' you mean data \nthat does not have people's names on it that goes out into \nthe----\n    Mr. Merritt. Yes, yes. So if you are working with a data \nset, it just means that you are dealing with the information, \nnot identifiable information--names, Social Security numbers, \net cetera.\n    So I think that the legislation really does have to be \ncareful with lumping in activities that are used with de-\nidentified data with those that use clearly identifiable data.\n    Senator Klobuchar. So you want to make sure that any \nprivacy language we have in the stimulus package does not limit \nthe ability of Mayo or other providers in sharing this de-\nidentified data.\n    Mr. Merritt. Yes. The reason why we are able to know that \nMayo and Inter Mountain and others can provide care that would \nsave Medicare 30 percent is because a team of researchers at \nDartmouth has access to Medicare data, and it is de-identified \nMedicare claims data. And so those kinds of variations they can \nactually find when they have access to the research and to \nthose data sets. So I think there really has to be careful \nconsideration on provisions that would impact researchers' \nability to do that.\n    And then, secondly, Mayo and others are very proactive in \nidentifying patients who qualify for various chronic care \nprograms, and they can focus on wellness before it becomes \ndisease.\n    Senator Klobuchar. This is what you talked about earlier \nwith being able to reach in and get the patients that you think \nneed the help.\n    Mr. Merritt. Correct. And many of these fall under the \ncurrent definition of health care operations. Some of the \nlanguage I think could actually harm a health system's ability, \nwhether it is a system like UPMC or Mayo or a health plan, to \nhave the ability to actually connect with a patient and say we \nhave looked at your record, we understand that you have X, Y, \nand Z, we think you are in danger of, you know, Type 2 \ndiabetes, or you need to control your obesity, or whatever the \ncondition may be. If there are restrictions on the system or \nthe entity reaching out to that consumer or patient, again, I \nthink you have to be very careful because you want--at the end \nof the day, we all want the patient to get the care that they \nneed. But if there are privacy restrictions that do not allow \nthe connection and the education, I think that could ultimately \nharm individual health.\n    Senator Klobuchar. So are you concerned there is language \nin there right now that could do that?\n    Mr. Merritt. Yes.\n    Senator Klobuchar. Limit it.\n    Mr. Merritt. Yes.\n    Senator Klobuchar. All right. Well, we will have to look at \nthat, because I have found it very helpful. I know it is \nhelpful for Mayo and these other groups that have done so well \nto be able to have that research. I also think in the end it \nwould be nice if it was done the right way, with no security \nbreaches and everything we have talked about, to be able to \nhave that data on a national basis so we can get the right \nprotocols in place, because there clearly has been a problem \nwith decisions being made with the lack of research.\n    Thank you.\n    Senator Whitehouse. Before we proceed, just one piece of \nadministrative housekeeping. Letters from the Vermont \nInformation Technology Leaders, from the Coalition for Patient \nPrivacy, and from the American Civil Liberties Union will be \nadded to the record of this hearing, without objection.\n    One of the things that I come across pretty frequently--but \nI have not really been able to source it so I will float it out \nto the expert panel and see if you have any information on \nthis--is that when people have chronic or multiple illnesses \nand they have a lot of exposure to the health care system, \ntheir appetite for electronic health records is very high, and \ntheir tolerance for privacy concerns is also quite high because \nthey are living in the environment where they can see the value \nof the electronic health record in the communication and the \nprivacy concerns just do not matter as much to them when they \nare ill.\n    I see heads nodding. Is that anybody's experience out \nthere? And might it be helpful to focus initially in terms of \ntrying to develop some of this, particularly for going forward \nin a dynamic environment, on those very high expense, very high \ncontact either chronic or multiple illness patients in the \nsystem?\n    Mr. Merritt.\n    Mr. Merritt. If I may, one thing the Federal Government \ncould actually do to address that problem is through providing \ninformation for Medicare beneficiaries based on information \nthat CMS actually has. For instance, we have talked a little \nbit about personal health records--Microsoft, there are private \ncompanies, there are private payers that have been in this \nspace for a long time. CMS has a very small pilot in South \nCarolina, and they just announced two others in Arizona and \nUtah. But what I would propose is that the Federal Government, \nthrough CMS, actually put up a consumer portal so that any \nbeneficiary who wants to can actually log on and see just a \nsnippet of their information. And if they want to share that \nwith their doctor, I think that would be incredibly valuable.\n    Some studies say that the average beneficiary is on six \nmedications. That is the average. And the average beneficiary \nsees 13 different doctors throughout the course of a year, and \nthere is no coordination between them. So having patient-\ncontrolled access to that information I think would be \nincredibly valuable, and I would certainly open it up for other \ncomments as well.\n    Senator Whitehouse. Mr. Houston.\n    Mr. Houston. I would agree with the proposition that people \nthat have chronic illnesses absolutely will be more interested \nin having PHRs, and I think the insurance companies would \nlikely also want to manage that population much more \naggressively to try to reduce inpatient admissions and improve \nquality of care, things of that sort. But I do not believe that \nthose people believe that their privacy is less important \nbecause probably one of the primary types of chronic illness in \nthe United States is behavioral health illnesses, depression \nand other things, and I think those people could definitely be \nhelped by having a PHR. But they are also a population that is \nprobably more concerned about the privacy of their information.\n    So I think privacy has to be done well throughout \nregardless of what the population is, regardless of what the--\n--\n    Senator Whitehouse. Yes, I could not agree with you more \nabout that. My point was that if you are looking for early \nadopters who see the real value of this, there seems to be a \nkind of fortunate correlation between the people for whom this \nwould be the most helpful and their willingness in turn----\n    Mr. Houston. Absolutely.\n    Senator Whitehouse [continuing]. To try to achieve that \nvalue in their own health care.\n    Mr. Houston. Take diabetes alone. I think that that is \nprobably a chronic illness for which having good tools for \npatients would clearly benefit patients and reduce costs and \nimprove quality of life. I mean, I think that is a clear \nwinner. And you are right, those people are very concerned \nabout trying to manage their condition.\n    Senator Whitehouse. Dr. Hester.\n    Mr. Hester. You are right on target. One of the main themes \nof health care reform in the State of Vermont has been focusing \non patients with chronic illness. We have sustained attention \non that. Again, I mentioned in my testimony we have pilots, \nenhanced pilots in three communities which involve payment \nreform, the creation of community care teams, and the provision \nof information technology tools for the practices and for the \npatients that will cover 10 percent of the Vermont population \nby the end of this quarter.\n    It is not just a matter of the benefit to the patients. You \ncannot do chronic illness care, best practice, you cannot be \nproactive in reaching out to patients, to a diabetic who has \nnot had their hemoglobin A1c in the last 6 months unless you \nhave those tools in place and the patients understand it.\n    So from the standpoint of--Ed Wagner has developed \nsomething called the ``Chronic Care Model,'' which is sort of \nhis approach to saying how do you do best practice. It involves \nthe combination of a proactive care team of providers and \nengaged patients. You know, the information technology is \ncritical to supporting both the care team and patient \nengagement, and we have found it to be a very rich area of \ncollaboration and one reason that we focused--one of VITL's \nmajor pilot programs has been in providing those information \ntools, supporting those information tools in those pilot \ncommunities. So I would be happy to provide you with some \nadditional information if you are interested.\n    Senator Whitehouse. Thank you. I would appreciate that.\n    Mr. Stokes.\n    Mr. Stokes. Senator, I agree that this is a critical area \nand a very opportune area for cost savings and improving \nquality. But as I pointed out before, there is no need to wait. \nWe have a cooperation with Cleveland Clinic today that pilots \nand targets the chronic care disease population within the \nCleveland Clinic through a combination of different doctors and \nspecialties within the clinic and the chronic patients at home, \nbecause we have found that if they are in a remote setting, \nthey will take their blood glucose measurements more often. \nThere is better compliance and better participation all through \nHealthVault without having to sacrifice any patient privacies, \nmaintaining the transparency and control.\n    So as was discussed, if we can move forward and have better \nfoundations and better infrastructure and better guidance over \ntime, that would be great. But even today, we are focusing on \nthe outcomes to move this forward.\n    Senator Whitehouse. Dr. Hester again?\n    Mr. Hester. Just one more comment. The success of that \nChronic Care Model is completely dependent upon payment reform, \nas being discussed earlier, and there is a regional \ncollaborative being formed in the New England States, including \nRhode Island--it is being sponsored by the Milbank Fund--to \nhave a regional demonstration in patient-centered medical home \nand to try to provide a vehicle for Medicare to participate and \nsupport. What we are finding is the States are further ahead in \nterms of multipayer payment reform involving commercial \ninsurers and Medicaid, but we are having difficulty getting \nMedicare to the table, and it is something we could use some \nassistance in the new administration to move forward, and we \nare hoping this regional collaborative will be a vehicle.\n    Senator Whitehouse. Well, I think I will take this \nopportunity to bring the hearing to a close. I want to thank \nall of you very much for your testimony and for your work in \nthis area. I will just re-emphasize what I said at the \nbeginning. I think we are headed--remember when the Clinton \nadministration tried health care reform and they got Harry and \nLouise'd, and that put an end to that particular effort.\n    Senator Klobuchar. But, Mr. Chair, now Harry and Louise are \non Medicare Part D, and now they support the effort.\n    [Laughter.]\n    Senator Whitehouse. And I think now the model is no longer \nHarry and Louise. Now the model is Thelma and Louise, and we \nare all in the car, and the cliff is right in front of us. And \nif we do not get this solved through technology, through \nsystems reform, through better quality care, through a more \nrational payment system, then we will get to the edge of that \ncliff. And when we are there and we have to go into the other \ntoolbox and throw people off of health coverage and thin out \nour already tragically thin benefits and put even more costs on \nour business community, which is already laboring \nuncompetitively under health care costs compared to their \nforeign competition, and tell providers who are already cross-\nsubsidizing in order to stay in the Federal health care system \nthat we are going to pay them even less--it is going to be a \nnightmare.\n    And so you work to guide us through the privacy hazard to \nsolving these problems the good way I think is really at the \nabsolute apex of issues that our country faces. And I applaud \nyou for it. I urge you to be as persistent and energetic as you \ncan, and I think you have seen from the turnout in this \nCommittee and from how long people stayed that this is a matter \nthat has great interest, and we truly look forward to working \nwith you.\n    The record of the Committee will stay open for an \nadditional week in the event that anybody has anything they \nwould care to add, and without anything else, I appreciate \nagain that you have all come in here. I appreciate everybody's \nattention, and the hearing is adjourned.\n    [Whereupon, at 11:14 a.m., the Committee was adjourned.]\n    [Questions and answers and submissions for the record \nfollow.]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 <all>\n\x1a\n</pre></body></html>\n"