[Senate Hearing 111-213]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 111-213

  HEALTH INFORMATION TECHNOLOGY: PROTECTING AMERICANS' PRIVACY IN THE 
                              DIGITAL AGE

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                            JANUARY 27, 2009

                               __________

                           Serial No. J-111-3

                               __________

         Printed for the use of the Committee on the Judiciary








                  U.S. GOVERNMENT PRINTING OFFICE
54-240 PDF                WASHINGTON : 2010







                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 ARLEN SPECTER, Pennsylvania
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
RUSSELL D. FEINGOLD, Wisconsin       CHARLES E. GRASSLEY, Iowa
CHARLES E. SCHUMER, New York         JON KYL, Arizona
RICHARD J. DURBIN, Illinois          JEFF SESSIONS, Alabama
BENJAMIN L. CARDIN, Maryland         LINDSEY O. GRAHAM, South Carolina
SHELDON WHITEHOUSE, Rhode Island     JOHN CORNYN, Texas
RON WYDEN, Oregon                    TOM COBURN, Oklahoma
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
            Bruce A. Cohen, Chief Counsel and Staff Director
              Nicholas A. Rossi, Republican Chief Counsel















                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Cardin, Hon. Benjamin L., a U.S. Senator from the State of
  Maryland
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah
Kaufman, Hon. Edward E., a U.S. Senator from the State of
  Delaware
Klobuchar, Hon. Amy, a U.S. Senator from the State of Minnesota
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
    prepared statement
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode
  Island

                               WITNESSES

Hahn, Adrienne, Senior Attorney and Program Manager for Health
  Policy, Consumers Union
Hester, James, Jr., Ph.D., Director, Health Care Reform
  Commission, Vermont State Legislature
Houston, John, Vice President of Information Security and
  Privacy, and Assistant Counsel, University of Pittsburgh
  Medical Center
McGraw, Deven, Director, Health Privacy Project Center for
  Democracy and Technology
Merritt, David, Project Director, Center for Health
  Transformation and the Gingrich Group
Stokes, Michael, Principal Lead Program Manager, HealthVault,
  Microsoft Corporation

                         QUESTIONS AND ANSWERS

Responses of Adrienne Hahn to questions submitted by Senators
  Leahy, Specter and Hatch
Responses of James Hester to questions submitted by Senators
  Hatch and Leahy
Responses of John P. Houston to questions submitted by Senator
  Hatch
Responses of Deven McGraw to questions submitted by Senators
  Specter, Hatch and Leahy
Responses of David Merritt to questions submitted by Senators
  Hatch and Specter
Responses of Michael Stokes to questions submitted by Senators
  Leahy and Hatch

                       SUBMISSIONS FOR THE RECORD

AARP, Washington, D.C., statement
ACLI, Frank Keating, President & Chief Executive Officer,
  Washington, D.C., letter
American Psychoanalytic Association, James C. Pyles, Washington,
  D.C., letter and attachment
Coalition for Patient Privacy, Ashley Katz, Austin, Texas, letter
Hahn, Adrienne, Senior Attorney and Program Manager for Health
  Policy, Consumers Union, statement
Hester, James, Jr., Ph.D., Director, Health Care Reform
  Commission, Vermont State Legislature, statement
Houston, John, Vice President of Information Security and
  Privacy, and Assistant Counsel, University of Pittsburgh
  Medical Center, statement
McGraw, Deven, Director, Health Privacy Project Center for
  Democracy and Technology, statement
Merritt, David, Project Director, Center for Health
  Transformation and the Gingrich Group, statement
National Association of Chain Drug Stores, Alexandria, Virginia,
  statement
National Business Group on Health, Helen Darling, President,
  Washington, D.C., letter
Peel, Deborah C., MD, Founder & Chair, and Ashley Katz, MSW,
  Executive Director, Patient Privacy Rights, Austin, Texas,
  joint statement
Stokes, Michael, Principal Lead Program Manager, HealthVault,
  Microsoft Corporation, statement
Vermont Information Technology Leaders (VITL), Gregory Farnum,
  President, Montpelier, Vermont, letter

 
  HEALTH INFORMATION TECHNOLOGY: PROTECTING AMERICANS' PRIVACY IN THE 
                              DIGITAL AGE

                              ----------                              


                       TUESDAY, JANUARY 27, 2009

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 9:31 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Sheldon 
Whitehouse, presiding.
    Present: Senators Leahy, Cardin, Whitehouse, Hatch, 
Klobuchar, and Kaufman.

 OPENING STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR 
                 FROM THE STATE OF RHODE ISLAND

    Senator Whitehouse. Good morning. I am sorry the Chairman 
is not with us at this moment. We are expecting him. But in the 
meantime, he has asked me to get the hearing underway. I am 
Senator Whitehouse from Rhode Island, and I am very pleased to 
have been invited to have the opportunity to chair this 
hearing. I will take the liberty of having the floor here to 
give my 2 cents on why I think this is so important.
    We are on a very bad glide slope for health care in this 
country with a $30-plus trillion liability just for Federal 
health care benefits that is totally unfunded, not a nickel 
against that liability. We have calculated that the Bush 
addition to the deficit was $7.7 trillion before we even got 
around to the bailouts. And that seems like an impossibly big 
number. We have been arguing about $700 billion TARP funds. We 
have been arguing about $35 billion auto bailouts. Thirty-plus 
trillion dollars is an astonishing liability to have to face, 
and I believe that there are only two ways to face it.
    One is with a very bloody toolbox comprised of benefits 
cuts, throwing people off coverage, paying providers less, and 
raising taxes, and we are far too far down all those roads with 
our health care system already. So that would be a very 
unfortunate toolbox to have to resort to.
    The better toolbox is reform of the delivery system to make 
it more efficient so it is not creating so many casualties, so 
it is not creating so much waste and turmoil and division and 
stress and paperwork and duplication and waste. And in order to 
do that, health information technology is going to be an 
absolute key. The three legs of that stool, I think, are health 
information technology, investment in quality and prevention, 
and reimbursement reform, payment reform, so that the price 
signals match what we want.
    The health information technology platform is absolutely an 
essential element, not sufficient but essential, to getting 
that done, and I very firmly believe that the Achilles heel of 
health information technology is privacy. If the American 
people do not believe we have protected their privacy 
adequately, then the HIT initiative, the health information 
infrastructure America needs will simply not get through this 
building. And if it does not, that is a real tragedy because 
that toolbox takes about 10, 15, 20 years to fully deploy. We 
have got to get going now on that, and if we waste this moment, 
the time will come when we are only left with that bloody 
toolbox, because those tools, as awful as they are, have the 
one advantage that you can deploy them right away. And so if 
you have missed your moment with the reform toolbox, that is 
what you have left. And that is, I think, where we are right 
now.
    So I put this privacy question at the center of the most 
important economic issue the country faces, and I am delighted 
to have the chance to hear from all these wonderful witnesses. 
I am delighted to have the distinguished Senator from Utah, 
Senator Hatch, here; the distinguished Senator from Minnesota, 
Senator Klobuchar, here.
    Senator Hatch, would you like to make some opening remarks, 
sir?

STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM THE STATE 
                            OF UTAH

    Senator Hatch. Well, thank you, Chairman Whitehouse. We 
appreciate you and your leadership here, and I want to 
especially thank our panel here today. I appreciate the 
opportunity to say a few words on health IT this morning and, 
of course, welcome our distinguished panel, and especially you, 
Mr. Houston, from my alma mater, the University of Pittsburgh. 
I am pleased to have you here, and all of you.
    There is no doubt that we are living in an Information Age. 
Technology has radically changed business and other aspects of 
American life, and I believe that health IT can greatly 
streamline the health care sector by saving costs, time, and, 
most importantly, lives.
    I am proud to point out that Inter Mountain Health Care, 
which is headquartered in Salt Lake City, Utah, has been a 
national leader in adopting--and probably ``adapting'' would be 
a good word, too--health IT in an integrated manner and could 
serve as a model for other health care delivery systems across 
the Nation.
    My colleagues and I on the Senate Finance Committee and 
HELP Committee have been working for some time to increase 
efficiency and reduce costs in our Nation's health care 
industry. I believe the widespread use of health IT would 
undoubtedly reduce medical errors, inconsistent quality, and 
rising costs currently burdening the health care industry 
today. In fact, a Rand Corporation study projected that health 
IT has the potential to save the health care system billions of 
dollars each year.
    Now, I am proud to have been a co-author of the bipartisan 
Wired for Health Care Quality Act, both in the 109th and the 
110th Congress, along with my colleagues on both sides of the 
aisle, including Senators Kennedy, Enzi, and Clinton. 
Unfortunately, we might not have a chance to reintroduce this 
bipartisan legislation again in this Congress since health IT 
is now being addressed through the stimulus legislation.
    Now, regretfully, this language was crafted without the 
input of Republican offices, including mine, who have 
demonstrated longstanding interest in this important bipartisan 
issue. The widespread use of health IT would allow medical data 
to move with people as they move. Health IT would eliminate the 
cost of paper claims and help spread clinical research within 
the medical community. We have the most advanced medical system 
in the world. The United States now leads the world in 
technological innovation, and I hope we can stay there. There 
is no reason why people's health files--their medical history, 
test results, lab records, x-rays--cannot be accessed securely 
and confidently from a doctor's office or hospital. And I 
believe we have to develop a nationwide interoperable health IT 
infrastructure that has strong but prudent privacy and security 
protections. Providers must be able to easily manage their 
information needs to provide coordinated and quality care 
delivery while securely managing the needs of their patients.
    Now, I believe that the use of information technology is 
essential in promoting a system of coordinated and quality-
focused health care in this country in the health care delivery 
system. I think we have to embrace cutting-edge information 
technologies in health care, and we cannot afford to miss this 
opportunity.
    Now, I look forward to hearing from these witnesses here 
today. I might mention that Senator Specter, our Ranking Member 
on this Committee, is unable to attend, at least at this time, 
and has asked me to be sure that I attend. And, of course, as 
you all know, I take a tremendous interest in everything 
involving health care around here. So I am very interested in 
what you have to say and the contributions that you care to 
make to us to help us to understand this complicated but 
understandable set of issues.
    Thank you so much, Mr. Chairman.
    Senator Whitehouse. Thank you, Senator.
    The role of the States has really been impressive in all 
this, particularly in the absence of concerted, effective 
Federal leadership, and Utah, through its Utah Health 
Information Network and through Inter Mountain, has shown 
great, great leadership as a State. And I know Senator Hatch 
has been keenly interested and involved in those, so we are 
delighted that he is here.
    Another State that has shown great success and leadership 
is Minnesota, and Senator Klobuchar of Minnesota would like to 
add an opening statement.
    Senator Klobuchar.
    Senator Hatch. Could I interrupt for a minute? We are 
really happy to welcome both you and Senator Kaufman to the 
Committee. You will like the Committee, and I think you will 
make great contributions. And I think both of you will help to 
make this Committee much more bipartisan.

STATEMENT OF HON. AMY KLOBUCHAR, A U.S. SENATOR FROM THE STATE 
                          OF MINNESOTA

    Senator Klobuchar. Thank you so much. Well, thank you, 
Senator Hatch for that. Thank you, Mr. Chairman, for your 
leadership on this issue. As you can see, serving as both the 
junior and senior Senator from my State has somewhat weakened 
my immunity system, so I have a cold. But it has not weakened 
my resolve to serve on this Committee. So I am very excited to 
be here. I served for 8 years as the Hennepin County attorney 
in Minnesota, where I was a prosecutor, but I also represented 
one of the biggest hospitals in our State, Hennepin County 
Medical Center. So I have a lot of familiarity with some of 
these issues, although when I think of the technology issues, 
which Senator Whitehouse has so well talked about on the floor 
and showed such leadership on, actually my real memory is of 
two things.
    One is when I had my hip problems; I had my hip replaced at 
some point at Mayo Clinic. Driving around with multiple x-rays 
by myself in the back seat of my car where they got hot and one 
of them almost melted, I thought there must be something better 
we could do with health care in the country.
    The second was that one time when I was county attorney 
trying to get all of our police departments to change their 
complaint forms so that they were routine and we could put them 
in the computer at the same time. And I went to one of the 
smaller departments, and they said, ``We cannot do that. We 
just bought new file cabinets, and they only fit one kind.'' 
And I think of this all the time when I think of the great 
challenge it is to try to get institutions to change their 
technologies so that they match.
    It is incredibly important in the health care area. A study 
published last year in the New England Journal of Medicine 
found that only 4 percent of U.S. physicians were using fully 
functional electronic record systems, and missing medical 
records occur in one of every primary care visits. Serious 
medical errors that come as a result of missing records are 
costly, time-consuming, and preventable. With the U.S. spending 
$2.3 trillion per year on health care, we must bring an end to 
the inefficiencies of the system, and if implemented 
thoughtfully and with the kind of balance that I hope we talk 
about here today, health information technology has the 
potential to reduce waste, improve quality, and stimulate 
innovation.
    No information is more private than an individual's health 
information, and despite federally mandated privacy 
protections, consumers continue to have concerns about the 
privacy of their records. And I would agree with Senator 
Whitehouse that this is one of the major issues, intentions we 
see as we try to implement better medical technology.
    If we are going to achieve the savings we would like to see 
with medical technology, we must work to develop regulations 
and laws that inspire consumer confidence and trust. As with 
other industry advances in information technology, consumer 
confidence is achieved with proper security protection and 
improvements in business practices. Health IT investment must 
be designed to achieve modernization and measurable health 
outcome improvements. In Minnesota, we are leading the way for 
health care innovation. Countless hospitals from Winona to 
Duluth have been recognized for the measured quality outcomes 
that have resulted from effective information technology.
    We have also led the way in ensuring that the privacy of 
the patient remains protected. Patient consent is required in 
my State for nearly all disclosures of health records, and it 
is one of the few States that gives citizens a private right of 
action if the privacy of their medical records has been 
compromised.
    I am interested in learning from all of you what providers, 
consumers, and businesses are doing to help ensure the 
advancement of technology in our health care industry, while 
still working to provide the privacy and security of our 
patients.
    Thank you very much.
    Senator Whitehouse. I am delighted to join Senator Hatch in 
welcoming Senator Klobuchar to the Committee. We were 
classmates, and we have spent a lot of time together. We sit 
next to each other on Environment and Public Works, and it is 
wonderful to have her join us on Judiciary as well.
    Senator Kaufman, in addition to being a new member of the 
Committee, is also a new Senator representing the great State 
of Delaware. We are delighted to welcome him and ask him to 
make an opening statement.

 STATEMENT OF HON. EDWARD E. KAUFMAN, A U.S. SENATOR FROM THE 
                       STATE OF DELAWARE

    Senator Kaufman. Sure, I just have a few comments.
    First, I want to thank Senator Hatch, and I do want to 
operate in a bipartisan manner, as you have over the years with 
my former Senator, Senator Biden.
    I just have a few comments I want to make in the beginning. 
First, thank you for coming here. This is really an important 
issue. Everywhere I travel in Delaware, people are concerned 
about the privacy of their medical records, and everywhere I 
travel around here, people are concerned about the exploding 
costs of health care. So we have this kind of conundrum on how 
we are going to move forward on these two areas. And the main 
areas I am interested in today is kind of we are coming up with 
a very major bill, the Economic Recovery Act, and there is 
going to be a lot there, hopefully some things in health care 
that are going to help. But we want to make sure there are not 
things in there that are going to hurt.
    So I am looking forward to your testimony, and I am looking 
forward to the hearing. Thank you.

  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE 
                        STATE OF VERMONT

    Chairman Leahy. Thank you very much, Senator Whitehouse, 
for being here. I apologize for being late. It certainly is not 
the weather. As Dr. Hester knows, we do not let weather like 
this bother us in Vermont. Anything under 5 inches is 
considered a dusting, at best. And with a Minnesotan and, 
Senator Hatch, you get snow out in Utah, don't you?
    Senator Hatch. We have been known to have snow.
    [Laughter.]
    Chairman Leahy. I think you measure by the foot on 
occasion. I am delighted to see our new members here, Senator 
Klobuchar and Senator Kaufman. I must say that Senator 
Klobuchar, like me, is a former prosecutor, and Senator Kaufman 
probably understands this Committee better than I or anybody 
else here, the years he has spent here. So thank you.
    I had a delay in the doctor's office before coming here. 
That is what held me up, which is interesting because we are 
talking about how you protect Americans' health privacy rights. 
We are going into a national health IT system, which I strongly 
support the idea. I think you have to have innovation in 
American health. That is the only way we are going to make sure 
that we get health to everybody, but we also bring the costs 
down.
    I am pleased that President Obama has called for the 
immediate investment in health information technology. If it 
works the way we want, Americans' medical records will be 
computerized within 5 years.
    Today, if you have a health record, you have a health 
privacy problem. My wife is a registered nurse, now retired, 
but she used to tell me how concerned she was to see health 
records around the hospital. Now you have electronic health 
records, digital data bases, and the Internet, and we have to 
protect people's privacy in that.
    If you can just click on a mouse and pull up records, that 
can obviously be helpful for cost-effective health care, but 
you have to make sure that personal privacy is protected. And 
if you do not have adequate safeguards to protect health 
privacy, many Americans are not going to seek medical 
treatment, which we have to worry about, because they fear that 
their sensitive health information will be disclosed without 
their consent. And those who do seek medical treatment assume 
the risk of data security breaches and other privacy 
violations. And health care providers who think there are 
privacy risks, they are going to see that as inconsistent with 
their professional obligations, and they will not want to 
participate.
    So it becomes the good news/bad news. The good news, it is 
a very great thing if we can do it; the bad news, if there are 
leaks in there, health providers will not want to use it and 
patients will not want to use it.
    Now, as Dr. Hester knows, in my home State of Vermont, we 
have formed a public-private partnership that is charged with 
developing Vermont's statewide electronic health information 
system, including a policy on privacy. I think that in order 
for a national health IT system to succeed, we in Congress 
should follow Vermont's good example and work together with 
public and private stakeholders to ensure the privacy and 
security of electronic health records. I have worked for more 
than a decade with Senator Kennedy--a tireless champion of 
health IT--and many other Members, both Republicans and 
Democrats, on this.
    I think some have suggested that addressing privacy in 
health IT legislation is too hard and that we should put that 
issue off for another day. I disagree. If you do not have 
meaningful privacy safeguards, you are not going to get a 
health IT system.
    In his inaugural address, President Obama eloquently noted 
that in our new era of responsibility ``there is nothing so 
satisfying to the spirit, so defining of our character than 
giving our all to a difficult task.'' This is a difficult task. 
Americans are up to it. The Congress had better be up to it. 
And we will make it.
    So, Mr. Chairman Whitehouse, I appreciate this, and I will 
stay and listen to the witnesses. I understand that Senator 
Hatch and Senator Klobuchar and Senator Kaufman made opening 
statements. Did you and Senator Cardin? And I must say that 
Senator Cardin is from the great State of Maryland, and we love 
Maryland. I have two grandchildren who live in Maryland, plus 
the parents, of course.
    Senator Cardin. The roads between Baltimore and Washington 
were very clear today. Maryland did a good job in cleaning the 
roads, in case you are wondering. I got here on time.
    Chairman Leahy. And your wonderful hospital, Johns Hopkins, 
saved my wife's life, so I appreciate it. Go ahead.

 STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR FROM THE 
                       STATE OF MARYLAND

    Senator Cardin. Well, thank you. I appreciate you 
mentioning that because we are very proud in this country of 
the quality of health care. This Nation leads the world in 
medical technology, and we are proud of the quality of care 
that some people, most people in this country can receive, but 
too many people are denied access to care because of the high 
cost of health care in America and because of the large number 
of people who do not have any third-party reimbursement for 
health care. And we needed to do something about that, and I 
agree with President Obama, who has made health care reform one 
of his top priorities. And as part of that, it is to have a 
much more cost-effective system as far as medical information 
and administrative costs are concerned.
    I think we all agree with that, and I agree with the 
Chairman's comments about the goal that we clearly have of 
using information technology much more efficiently in this 
country so that those who are providing health care can get the 
necessary information to provide quality care and to avoid 
mistakes, and that all becomes a very important part of our 
health care system.
    I do first want to acknowledge Senator Klobuchar and 
Senator Kaufman and welcome them to the Judiciary Committee. It 
is wonderful to have both on our Committee, and I think we will 
have Senator Wyden for at least a short period of time on our 
Committee, maybe longer. But it is nice to have our new 
members, and we welcome them. Senator Klobuchar is not a new 
Member of Congress. We came to the Senate at the same time. And 
Senator Kaufman, as the Chairman has already alluded to, had a 
great deal of experience, more than I think any other member of 
this Committee, and we welcome your help as we try to deal with 
some very complicated issues, including how to deal with 
protecting privacy and allowing us to have an efficient system 
for sharing of information.
    And I just want to make an observation. I served on the 
Ways and Means Committee for a number of years and was involved 
in privacy issues in health care. I think part of the problem 
is that those who collect health care information have not been 
as selective as I think they should be in trying to get consent 
from their patients on sharing of information, because in many 
cases this information does not need to be shared, or it could 
be stored in a way that is encrypted or protects the personal 
identity of the individual, and yet in so many cases the 
collector of the information decides not to put it in that 
format because of whatever reason.
    So I do think we have to use some common sense here as to 
how we can protect the privacy of the information and avoid the 
coercive practices that health care professionals can use in 
order to get waivers, including denying care unless you sign 
those forms, which do not have a lot of meaning to people who 
are stressed about getting health care. They are not going to 
read the information on signing the waivers.
    So we have to come up with a better system to really have 
informed consent, because I think it is critically important 
that those who use our health care system know that their 
personal information will not be shared without their informed 
consent. And we have to come up with a way to figure out how to 
do that.
    So, to me, this hearing is critically important as we try 
to make sure that we do have a system that is efficient and one 
that allows health care professionals to have immediate access 
to information that they need in order to properly treat their 
patients, but at the same time avoid the intentional or the 
negligent release of medical information that can compromise 
not only the rights of individuals, but their confidence that 
our system is doing it in the right manner.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you.
    We will now hear from our learned panel. We are very proud 
to have you with us, and we will begin with Dr. James Hester, 
who comes to us from the Chairman's home State, the great Green 
Mountain State of Vermont, where he is the Director of the 
Health Care Reform Commission for the Vermont State 
Legislature. With 35 years of experience in the health care 
field, he has held senior management positions with MVP Health 
Care in Vermont, Choice Care in Cincinnati, Pilgrim Health Care 
in Boston, and Tufts New England Medical Center in Boston.
    Dr. Hester earned his Ph.D. in urban studies and his M.S. 
and B.S. degrees in aeronautics and astronautics, all from the 
Massachusetts Institute of Technology. He also holds a Master's 
of Education degree from St. Michael's College, and we welcome 
him to the Committee.
    Dr. Hester.

 STATEMENT OF JAMES HESTER, JR., PH.D., DIRECTOR, HEALTH CARE 
          REFORM COMMISSION, VERMONT STATE LEGISLATURE

    Mr. Hester. Thank you, Mr. Chair. Thank you for the 
opportunity to testify on this critical issue. I think my 
testimony will be supportive of several of the themes that the 
opening remarks of the Committee have made. My testimony today 
does not reflect the official positions of the legislature or 
the commission. I want to be clear about that.
    I come before you not as a privacy expert or IT expert but, 
rather, as one with extensive experience in using information 
and information technology as a means to furthering effective 
health care reform.
    Health care reform in Vermont, which has been underway for 
almost 8 years, is the most comprehensive State initiative in 
the country, built on an integrated strategy which includes:
    One, expanding affordable coverage in a sustainable way. We 
reduced the uninsurance rate in the State from 10 percent to 
7.5 percent in the last 2 years in the face of a declining 
economy.
    Second, bending the medical cost curve by improving the 
prevention and treatment of chronic illnesses. Our Blueprint 
for Health has pilot programs in three Vermont communities 
covering 10 percent of the Vermont population, which is showing 
some great results on this.
    And, finally, using information technology as a catalyst 
for performance improvement. Sustainable improvements in 
coverage and chronic illness care can only be achieved with the 
support of information technology. It is impossible to obtain 
the desired performance of our health care system as long as 
key clinical information is only available to providers and 
patients through paper charts sitting in filing cabinets.
    As mentioned, the primary vehicle for our IT strategy has 
been VITL. It is a new public-private organization. In the last 
3 years it has completed a State Health IT plan, implemented 
several pilot programs, and begun building the core 
infrastructure for the statewide health information exchange.
    Last May, Vermont became the first State in the country to 
provide the long-term financing to pay for both the development 
of the statewide Health Information Exchange Network and for 
electronic medical records for all independent primary care 
practices in the State.
    This transition from creating a plan and implementing 
relatively small-scale pilots to full-scale statewide 
implementation has provided a major impetus for the review of 
the privacy and security policies. Those efforts are in their 
final stages, but are now on hold pending clarification of the 
proposed privacy guidelines in the economic stimulus act.
    While the health IT financing goes far toward reducing the 
financial barrier to widespread implementation of health IT, it 
is not sufficient by itself. Realizing the benefits of health 
IT requires broad acceptance by both patients and providers of 
this new technology which deals with the most sensitive types 
of data. The process that VITL has engaged in represents a 
delicate balancing act between sometimes conflicting interests 
of consumer control and needs and provider accountability and 
responsibilities. Unless consumers are confident that their 
information is secure and will be used appropriately, they will 
not participate in electronic health information exchanges. 
Unless providers believe that the administrative burdens are 
reasonable and the information is reliable, they will not 
participate in such exchanges either.
    Moving forward with our health care reform totally depends 
upon finding an initial balance point between conflicting needs 
and interests in a way which will encourage broad-based 
participation of patients and providers. I am confident that 
once the Federal privacy guidelines and requirements in the 
stimulus act are finalized, VITL will be able to rapidly 
complete the revision of its guiding principles and operating 
policies.
    However, this balance point is not static; it will evolve. 
We fully expect that the implementation of the initial privacy 
policies in a steadily growing set of pilot health reform 
initiatives will teach us important lessons over the next 
couple of years. We will have to return to these policies on a 
regular basis to update them based on what we have learned and 
new technical capabilities. The core security and privacy 
capabilities have been carefully thought through, however, and 
provide a sound foundation for beginning this expansion.
    Vermont health care reform is built on scalable, 
community-level pilot programs which enable us to learn rapidly what 
works and what needs to be improved. We will use this model to 
evolve our privacy and security policies and capabilities as 
well.
    Given the strong feelings surrounding protected health 
information and the uncertainties that are inherent in the 
early stages of the spread of EMRs, I fully expect that a 
significant minority of both patients and providers may elect 
not to participate. A reasonable goal is to devise a program 
which will satisfy the needs of a large enough percentage of 
users to enable robust testing of capabilities, deliver value 
to the users, and drive the next round of privacy and security 
technology. As capabilities mature and confidence grows, the 
hope and expectation is that our program will earn the trust of 
a steadily expanding percentage of both our population and the 
health care delivery system. The successful scaling up of our 
pilot programs into systemwide initiatives and the long-term 
success of our health reform efforts depend on it.
    [The prepared statement of Mr. Hester appears as a 
submission for the record.]
    Senator Whitehouse. Thank you very much, Dr. Hester.
    Our next witness this morning is Deven McGraw. She is the 
Director of the Health Privacy Project at the Center for 
Democracy and Technology. Prior to joining CDT, she was an 
associate in the public policy group at Patton Boggs LLP and in 
the health care group at Ropes & Gray. Ms. McGraw received her 
bachelor's degree from the University of Maryland. She earned 
her J.D. and LL.M. from Georgetown University Law Center. She 
also holds a Master of Public Health degree from Johns Hopkins 
School of Hygiene and Public Health. We welcome her to the 
Committee.
    Ms. McGraw.

 STATEMENT OF DEVEN MCGRAW, DIRECTOR, HEALTH PRIVACY PROJECT, 
              CENTER FOR DEMOCRACY AND TECHNOLOGY

    Ms. McGraw. Thank you very much, Mr. Chairman, members of 
the Committee, and thank you for holding this hearing today. It 
really could not be more timely or more important. We have 
economic recovery legislation on the table that has $20 
billion, at least--depending on what you are looking at--to 
promote the adoption of health IT, and this commitment is 
really laying the building blocks for health reform. It is 
going to help us create the information superhighway for health 
that will improve health care quality and engage more consumers 
in their care.
    This is very good news. It is an important opportunity, and 
surveys consistently show the support of the American public 
for health IT. But these very same surveys also show that the 
public is concerned about the risks to their privacy when 
medical information will be moved online. A system that makes 
greater volumes of information available for the right 
purposes--to improve our care--is also an attractive target for 
people who would seek it for commercial gain or for other 
inappropriate purposes. So building trust in these systems is 
absolutely critical to realizing the benefits of this 
technology.
    Some say that privacy is an obstacle to achieving a digital 
health system. As Senator Leahy mentioned, it is not always 
easy to figure out the right way to approach this. But, really, 
it is not an obstacle. In fact, the opposite is true. Enhanced 
privacy and security built into health IT will bolster consumer 
trust and spur the more rapid adoption of health IT and, 
therefore, allow us to realize these benefits.
    So a commitment to spending significant dollars to advance 
health IT must be coupled with a strong commitment to privacy 
and security. One without the other is a job half done and will 
set us back significantly.
    Congress' role is critical here, and strong privacy 
protections must be part of any legislation that moves health 
IT. We cannot do this later. We will not have another 
opportunity.
    We have taken on privacy once before in HIPAA, but health 
care is really rapidly changing, and the way we move 
information today is different than it was then, and it is 
going to be even more different tomorrow and in the decades to 
come. So we really need a second generation of health privacy, 
a comprehensive, flexible privacy and security framework that 
sets clear rules for who can access personal health information 
and for what purposes that apply to all entities that are 
engaged in e-health.
    The bill that is pending builds on HIPAA and takes some 
concrete steps forward to the realization of this comprehensive 
framework of protections, and we support them. They are like a 
downpayment, a good first step. But hopefully this will not be 
the last opportunity for us to talk about this. As Dr. Hester 
aptly pointed out, you know, these conversations are going to--
you know, making sure we get this right is going to require an 
ongoing commitment from Congress, the administration, and the 
private sector as well.
    In my testimony I have some detail about the privacy 
provisions that are in the stimulus package, at least the ones 
that I have seen in the House bill that got marked up the other 
day, and so I will just touch on a few. It includes Federal 
right to be notified if your health information is breached; 
giving patients a right to an audit trail of disclosures from 
their medical record; ensuring that records or data cannot be 
sold or used for marketing purposes without your authorization. 
It has provisions to improve enforcement. It tasks the HHS and 
the Federal Trade Commission to work to develop protections for 
personal health records, which are consumer-based tools which 
require a different set of protections. Again, my testimony has 
details on all of that.
    I will close by saying, you know, the other thing that 
Congress might do is to task the Secretary with ensuring that 
all entities adopt and implement both policies and 
technological solutions that address fair information practices 
of data stewardship, then hold funding recipients accountable 
for how they implement privacy protections. At the end of the 
day, whatever happens in the stimulus and having HIPAA, some 
folks will be covered adequately; some folks will not. Having 
the private sector develop policies will give us that extra 
measure of safeguard, and I think that if I were going to add 
one more thing to what is already a very strong package of 
protections, that would be it.
    Thank you for the opportunity to testify today, and I am 
happy to answer any questions you might have.
    [The prepared statement of Ms. McGraw appears as a 
submission for the record.]
    Senator Whitehouse. Thank you, Ms. McGraw.
    Our next witness is Adrienne Hahn. She is a Senior Attorney 
and Program Manager for Consumers Union. As a health care 
advocate, Ms. Hahn is an expert on medical privacy, health care 
financing, Medicaid, and patient safety efforts at the Federal 
level. Previously, Ms. Hahn served at the United States 
Department of Justice as an attorney in the Civil Rights 
Division. She earned her Bachelor of Arts degree from the 
Colorado College--where she was a classmate of my sister--and 
her J.D. from Boston College Law School. We welcome Ms. Hahn to 
the Committee.

STATEMENT OF ADRIENNE HAHN, SENIOR ATTORNEY AND PROGRAM MANAGER 
               FOR HEALTH POLICY, CONSUMERS UNION

    Ms. Hahn. Thank you. Mr. Chairman and members of the 
Committee, thank you for inviting me to testify today. 
Consumers Union is the independent, nonprofit publisher of 
Consumer Reports magazine, and we work on a wide range of 
health care.
    There is widespread agreement to accelerate the use of 
health information technology in our otherwise high-tech health 
care system. Most hospitals and doctors' offices still store 
patient records on paper, making the history of medical care 
hard to transfer from one hospital to another or one doctor to 
another. The inefficiencies of this system can lead to medical 
errors and the loss and misplacement of vital information. As 
for patients, we rarely see our own fragmented records or track 
our own health histories.
    Consumers Union, therefore, strongly supports the movement 
toward an electronic system of health records and information 
exchange. By harnessing the power of modern information 
technology systems, we can improve the quality of American 
health care and moderate health care costs by the following: 
one, reducing errors; two, eliminating service duplication; 
three, promoting pay for performance; and, four, providing the 
data necessary to evaluate the actual comparative effectiveness 
of various treatments and drugs.
    A national system of electronic medical records has the 
potential to improve the quality of health care by reducing 
hospital-acquired infection rates. Through a network of 
electronic medical information, families can identify the 
safest and the highest-quality hospitals. As just one example 
of the tremendous improvements in quality and cost savings that 
are possible, Consumers Union has been conducting a national 
campaign to promote the disclosure of hospital infection rates, 
and you can find out more information about that at 
www.StopHospitalInfections.org.
    Each year, there are about 2 million patients who acquire 
infections in hospitals and about 100,000 who die. In 24 
States, we have worked with State legislatures to pass laws to 
require hospitals to report their rate of infection based on 
the idea that public disclosure will prompt hospitals to adopt 
effective methods to reduce their infection rates. Electronic 
medical records technology and the public disclosure of more 
types of patient care data where the patient is not identified 
will make it easier for consumers to reward those who provide 
quality.
    While there can be important public and private benefits of 
creating an effective electronic medical records system, we 
believe polls demonstrate that quite effectively. From the 
great potential of such systems unless more is done now to 
ensure privacy, there will not be the heart and soul of the 
American public in order to support that. In short, this 
requires enabling patients to participate in deciding when, 
with whom, and to what extent their personally identified 
medical information is shared.
    It is important that we all recognize that there is no 
hack-proof database or system, and once more medical data is 
moving electronically, it is subject to threats from hackers, 
identity thieves, and others. That is simply a fact of life, 
reconfirmed almost daily by new stories of financial and 
medical record data violations.
    Beyond the likely scenarios of security breaches, the value 
of electronic health information is such that many 
organizations will want to exploit secondary data sources for 
private financial gain, rarely--if ever--with patient 
knowledge, let alone consent. It is imperative that 
policymakers take aggressive steps to protect privacy. 
Otherwise, security breaches could doom expanded use of health 
information technology.
    Additionally, some will say that it is too complex or it is 
too expensive to allow people to control their medical 
information. Computers have the ability to handle the task. 
They have been designed to deal with huge numbers of 
variables--like 50 State laws--and to create special files 
where certain data are only available to a designated provider 
on a ``need-to-know basis.'' If we do not meaningfully address 
the privacy issue, polls show the public will not trust this 
system, and many will go ``off the grid'' to get medical 
care, and we will just increase public cynicism about big 
Government and big business controlling our lives. In an age 
when the talk is of consumer-driven health care and ownership 
and empowerment, forcing people to share their most secret 
personal medical information is not the path to take.
    Therefore, Consumers Union, along with a variety of 
different organizations, has joined an e-health initiative 
which includes AARP, AFL-CIO, and other organizations that 
support this. And we have developed a set of principles that 
achieve an effective balance between promoting HIT and systemic 
privacy safeguards. Those safeguards and protections are 
attached to my testimony. I would really encourage you to take 
a look at those. I think they provide an excellent framework to 
ensure that as we move down the road of health information 
technology, we ensure that the medical privacy records of 
consumers are well protected.
    Thank you.
    [The prepared statement of Ms. Hahn appears as a submission 
for the record.]
    Senator Whitehouse. Thank you, Ms. Hahn. We appreciate you 
being with us.
    Our next witness is Michael Stokes, the Principal Lead 
Program Manager for Microsoft's HealthVault team. In this role, 
he is responsible for policy compliance relating to privacy 
across Microsoft's Health Solution Group and Advanced Research 
and Strategy Group. Before joining Microsoft, Mr. Stokes worked 
with the Hewlett-Packard Company where he designed and provided 
architectural business development and strategy. Mr. Stokes 
earned a Master's of Science from the Rochester Institute of 
Technology and a Bachelor of Science in Mathematics from the 
University of Texas at Austin. We welcome his testimony.
    Mr. Stokes.

 STATEMENT OF MICHAEL STOKES, PRINCIPAL LEAD PROGRAM MANAGER, 
               HEALTHVAULT, MICROSOFT CORPORATION

    Mr. Stokes. Thank you, Mr. Chairman and distinguished 
Senators. I am a Principal Program Manager in Microsoft's 
Health Solutions Group. I am accountable to ensure that our 
products are in compliance with applicable regulations and 
corporate policies, including privacy. I am honored to share 
Microsoft's views on the importance of privacy in health IT. We 
commend the Committee for holding this hearing today and for 
your efforts at the intersection of privacy, information, and 
health care reform. Microsoft's products, including HealthVault 
for consumers and Amalga for hospitals and health care systems, 
focus on improving health care outcomes.
    We recognize that health data needs to be exchanged back 
and forth so that everyone--patients, hospitals, providers, and 
clinicians--have the right information at the right time to get 
the best health outcomes.
    We also understand that everyone, from patients to 
clinicians, will only be comfortable sharing health data and 
using health IT if they trust that that data is protected. 
There are three components to this trust: transparency, 
control, and security.
    First, transparency. Participants in the health care 
ecosystem should be transparent about their data collection, 
use, and disclosure practices. If patients do not understand 
what data is being collected, who has access to it, or what it 
will be used for, they may decide not to provide any 
information at all, even to their own physicians. Health care 
providers need transparency, too, so that they understand how 
health data is used, how it is protected, and how their data 
will be disclosed to other third parties.
    Second, control. Patients and other health care 
participants should be given control to manage health data 
effectively. Control allows patients to decide when and under 
what conditions they want to share health data. Control can 
help ensure that the patient's health data is shared only with 
the health care professionals who need to see it, and that the 
patient's data is not inadvertently misplaced or deleted.
    Third, security. The security of health data must be 
protected. Concerns about potential misuse of personal data 
threaten to erode confidence in digital health solutions. 
Stakeholders will be more willing to adopt the innovative 
health IT solutions that can improve care and reduce costs if 
they feel confident that their data is secure.
    By following these three principles of transparency, 
control, and security, we can encourage greater adoption and 
use of health IT and bring real change to our health care 
system.
    Consumers will receive better information about appropriate 
treatments, medications, nutrition, and exercise. Health care 
professionals will see a more complete picture of their 
patients' health, allowing them to eliminate unnecessary 
procedures, avoid harmful drug interactions, and concentrate on 
providing better quality care. And researchers can discover new 
therapies, new breakthroughs, and new cures.
    The principles of transparency, control, and security 
underlie Microsoft's approach to its health IT products. At the 
same time, we recognize that technology is only a part of the 
comprehensive approach to improve our health care system. 
Education, leadership in health care organizations, and 
meaningful public policy are also critical components to this 
success.
    We look forward to partnering with you and all participants 
in the health care ecosystem to move forward toward a dynamic, 
trusted, and patient-centric health care solution system.
    Thank you for the opportunity to testify, and I look 
forward to your questions.
    [The prepared statement of Mr. Stokes appears as a 
submission for the record.]
    Senator Whitehouse. Thank you, Mr. Stokes.
    Our next witness is John Houston. He is the Vice President 
of Information Security and Privacy and Assistant Counsel for 
the University of Pittsburgh Medical Center. In 2002, Mr. 
Houston was appointed by the Secretary of the U.S. Department 
of Health and Human Services to the National Committee on Vital 
and Health Statistics. He holds a Bachelor of Science degree in 
Computer Science and History from the University of Pittsburgh 
and a J.D. from the Duquesne University School of Law.
    Mr. Houston, welcome.

   STATEMENT OF JOHN HOUSTON, VICE PRESIDENT OF INFORMATION 
  SECURITY AND PRIVACY, AND ASSISTANT COUNSEL, UNIVERSITY OF 
                   PITTSBURGH MEDICAL CENTER

    Mr. Houston. Thank you very much. I am grateful for the 
opportunity to address this Committee today regarding this 
important topic. I would like to start my comments by stating 
that the adoption of health care information technology is one 
of the most significant health care initiatives that this 
Nation can undertake. However, the widespread adoption of 
health IT will not be successful if our patients' privacy 
expectations are not met.
    I am proud to say that UPMC has one of the most progressive 
and longstanding programs for the development and deployment of 
health IT in the world. Having been accountable for both 
privacy and information security at UPMC for the last 8 years, 
I am not only aware of the public policy considerations 
underlying privacy and information security, but also the 
operational balance between a patient's right to privacy and 
providing timely and complete information that is necessary for 
the delivery of effective health care. Unfortunately, this 
balance is neither precise nor clear. I have seen firsthand how 
information barriers established in the interest of privacy 
have detrimentally affected patient care.
    I have reviewed the current draft of the privacy 
legislation included in the Health Information Technology for 
Economic and Clinical Health Act. While the act attempts to 
address the evolving privacy and security requirements that 
have arisen since the implementation of HIPAA, it falls short 
of providing the necessary comprehensive and workable framework 
that we now need.
    As the act is now being considered, I believe it is 
important to raise a number of concerns regarding the privacy 
and security provisions in the act. These concerns are more 
fully discussed in my written testimony, but I will highlight 
just a few.
    Accounting of disclosures. The act provides that a patient 
is entitled to receive an accounting of disclosures of who 
accessed the patient's electronic record, even if such access 
was for treatment, payment, or health care operations. For an 
inpatient encounter, it would not be uncommon for more than 200 
people to have access to various aspects of a patient's record. 
In practice, this could result in substantial and costly 
efforts on behalf of the provider with little or no apparent 
benefit to the patient.
    Health care operations. The act provides that the Secretary 
will propose limitations on the use of identifiable health 
information for health care operations purposes. The burdens 
associated with de-identifying patient information must be 
considered, not only in terms of the effort and time associated 
with performing the de-identification, but also in terms of the 
likelihood that a covered entity will simply choose not to 
perform important health care operations.
    Fund raising. The act provides that fund raising would no 
longer be considered to be part of health care operations. In 
difficult economic times and in an era of shrinking 
reimbursements, fund raising is of critical importance to most 
providers. Any restriction on fund raising will further 
frustrate a provider's ability to deliver quality health care.
    Non-covered entities. The act attempts to address PHR 
providers, Health Information Exchanges (HIE), Regional Health 
Information Organizations, and other entities that had 
historically fallen outside the coverage of HIPAA. However, the 
act's treatment of each is neither comprehensive nor 
consistent. Rather than establishing an inconsistent privacy 
patchwork, a single framework needs to be established to 
accommodate not only today's requirements, but which also can 
be extended to cover the rapidly evolving health IT 
environment.
    Enforcement. While there has been much criticism of the 
current enforcement strategies, I believe that the manner in 
which enforcement is currently performed has been effective. 
The act must ensure that the opportunity to collaborate 
continues to exist for those covered entities that are 
dedicated to protecting patients' privacy.
    With that, I will close my comments. Thank you.
    [The prepared statement of Mr. Houston appears as a 
submission for the record.]
    Senator Whitehouse. Thank you very much, Mr. Houston.
    Our final witness this morning is David Merritt. Mr. 
Merritt is a Project Director at the Center for Health 
Transformation and the Gingrich Group. Mr. Merritt leads the 
center's projects on health information technology and 
expanding coverage to the uninsured. He earned his Master's 
degree in Political Science and Government from Loyola 
University, Chicago, and he earned his Bachelor's degree from 
Western Michigan University. We happen to know him as the 
editor of ``Paper Kills,'' a book that Mr. Gingrich provided an 
introduction for, and he has helped Mr. Gingrich co-author an 
article with me on health information technology--which proves 
that this is an issue upon which people at opposite ends of the 
political spectrum can find agreement.
    Mr. Merritt.

STATEMENT OF DAVID MERRITT, PROJECT DIRECTOR, CENTER FOR HEALTH 
             TRANSFORMATION AND THE GINGRICH GROUP

    Mr. Merritt. Thank you, Mr. Chairman, and thank you for the 
opportunity to testify this morning.
    Privacy cannot be compromised. But neither can we 
compromise progress in pulling our health care system out of 
the technological Stone Age. We need to find the right balance 
between privacy at all costs and progress at any cost.
    One of the key ways to any of this is by creating a common, 
uniform framework to securely store and transmit personal 
health information. The Healthcare Information Technology 
Standards Panel, known as HITSP, and the Certification 
Commission for Healthcare Information Technology, known as 
CCHIT, are doing just that. HITSP has finalized a series of 
technological standards to protect privacy, and there are two 
that are worth highlighting.
    The access control standard allows for the secure 
authorization to personal health information, including 
role-based, entity-based, and context-based access control.
    The consent direct standard allows for the management of 
consumer rights as to who may access, collect, use, or disclose 
personal health information.
    These standards were recently recognized in the Federal 
Register, meaning that any future procurement of a health IT 
system by the Federal Government must include these 
protections. Now it is up to the IT vendors to actually 
implement them in their products, and one of the ways to drive 
this is through the certification process.
    Now, in full disclosure, I am on the Board of Commissioners 
for CCHIT, but these views are my own and do not represent the 
Commission.
    CCHIT certifies a range of products, including electronic 
health records, to ensure that they meet functionality, 
interoperability, and security standards. There are about 50 
security standards, including the two that I mentioned before, 
that, to be certified, an electronic health record must meet 
100 percent of them.
    Now, on a general note, policymakers are currently debating 
the future of these two organizations, and I cannot say it in 
stronger terms that replacing these organizations now or 
confusing the marketplace by creating parallel entities would 
literally turn the clock back 5 years, when this discussion 
first started. They can certainly be improved, but I think that 
we will pay a huge opportunity cost in time and resources if we 
revisit this debate now.
    Now, on the broad policy proposals that are under 
consideration by this Committee and others, Speaker Gingrich 
has a belief that when you are presented with an idea, you 
should say ``yes, if'' rather than ``no, because.'' And I have 
tried to do that with some of these proposals on the table.
    Yes, I think there should be an individual right of 
consent. Consumers should be able to opt out of certain 
products, services, or notifications, and they should be able 
to specify how their identifiable information can be shared 
outside the course of treatment or payment.
    Consent must be balanced with health services research. I 
am a strong believer in the power of data. It can reveal which 
treatments work, which treatments do not work, the 
effectiveness of drugs, devices, and other vital information 
that really does benefit all of us. This is impossible to do 
without de-identified data, and when all identifiable markers 
are stripped, personal privacy is indeed protected.
    Yes, patients should be notified of egregious breaches of 
privacy, but these protections should incorporate risk-based 
notification so that physicians, health plans, health systems, 
and others do not notify patients for harmless or inadvertent 
data sharing.
    Yes, patients should have a private right of action for 
extreme breaches of privacy. We need to strike the right 
balance so that Federal, not State, litigation is available for 
patients, but only for clear, egregious cases.
    In conclusion, we can find the right balance between 
privacy and progress if we are careful, judicious, and 
realistic. And I think once we do, we will have succeeded in 
transforming health care into a system that saves lives, saves 
money, as well as protects privacy.
    Thank you.
    [The prepared statement of Mr. Merritt appears as a 
submission for the record.]
    Senator Whitehouse. Thank you, Mr. Merritt. For questions, 
we will now turn to the distinguished Chairman of the 
Committee, Senator Leahy.
    Chairman Leahy. Thank you. Thank you very much, Senator 
Whitehouse.
    Dr. Hester, I understand that Vermont Information 
Technology Leaders, or VITL, already have some successful pilot 
programs connecting electronic health records. Is that correct?
    Mr. Hester. That is correct.
    Chairman Leahy. Given your experience with that, do you 
agree that--basically the feeling that I have--and tell me if 
you disagree, of course, but that we have to have consumer 
confidence in the privacy of those records if we really expect 
them to take part in it?
    Mr. Hester. I would agree we absolutely have to have 
consumer confidence, and I think it is important to 
differentiate between the different levels of use of the 
information. For example, we have a pilot that provides 
medication history to patients who are in the emergency room so 
that the physicians in the ER will know what medications have 
been filled in the last year. Even in that situation, where it 
is very contained, very specific, and there is immediate need, 
we still find 5 percent, 3 to 5 percent of the people do not 
agree, do not give the consent.
    Chairman Leahy. Even though they might be unconscious when 
they come in?
    Mr. Hester. You can break the glass if they are 
unconscious. There are provisions on that.
    Chairman Leahy. Okay.
    Mr. Hester. At the other end of the spectrum, when you 
start having electronic medical records which are not just 
being used by the practice, by the providers within a specific 
practice, but are connected into a regional health information 
exchange, the anxiety level and the requirements for earning 
the trust go up dramatically because the people just do not 
know who is involved in that.
    So we have a survey of the population of Vermont. Half the 
population of Vermont said that in that situation they really 
felt it was imperative that they could control or shape who 
gets their information through that network.
    Chairman Leahy. Well, let me ask the same question of Ms. 
McGraw and Ms. Hahn and Mr. Stokes. Do you find the same thing, 
that you have to have consumer confidence in the privacy, if 
this is going to work?
    Ms. McGraw. Absolutely, Senator. I think that if there has 
been a consistent theme at this hearing, it has been that if 
people do not trust these health IT systems that we are trying 
to build, we will have spent a lot of money for naught.
    Now, there has been also a lot of discussion at the hearing 
about the role of patient consent or control as a privacy 
protector, and I think the only thing that I would add is that 
that is an important component of privacy protection. But we 
cannot use patient consent as the sole protector of 
information. We cannot rely on the individual to read a form 
and completely understand all of the potential uses of their 
information, especially when you are talking about core health 
care functions, like treatment or payment or the administrative 
tasks that are core to getting those things done.
    Now, when you are talking about participation in networks, 
that is another story. That exposes people's information to 
more players than is the case when they go in to see their 
doctor. We actually published a paper just yesterday on what we 
think the right role is for patient consent.
    Chairman Leahy. If we were to put this medical IT in the 
stimulus bill, should we also have patient protections in 
there, too?
    Ms. McGraw. Yes, absolutely. And, in fact, the bill does 
take concrete steps toward the protections, again, looking at a 
set of rules.
    Chairman Leahy. Dr. Hester, do you agree?
    Mr. Hester. Agreed that it is an essential part of that 
bill.
    Chairman Leahy. Thank you. Ms. Hahn.
    Ms. Hahn. I would just echo what was said in terms of the 
concern that their medical information is private. But I would 
just add one other----
    Chairman Leahy. Is your microphone on?
    Ms. Hahn. I would just add one other factor to that, and 
that is that what we have been able to look at in terms of the 
data, it shows that, for instance, the lack of confidence 
regarding medical privacy actually differs based on race as 
well. So what concerns us, as we know, when the United States 
moves to 2032 where minorities will be the majority, if this 
issue is not addressed appropriately now, we are actually going 
to be able--all the promise in terms of care coordination, 
quality of health care, might actually come to demise because 
of the fact that the minority population right now really does 
not trust in the information being able to----
    Chairman Leahy. So that is what your polling finds, the 
minority population does not trust it.
    Ms. Hahn. No. We would say that there is a real concern for 
Americans generally, somewhere around 56----
    Chairman Leahy. But you said there was a different level of 
distrust--
    Ms. Hahn. Oh, yes. So if you break down that data and look 
at it in terms of race, it actually increases in terms of the 
level of distrust. To give you an example, even the chronically 
ill have greater trust in information remaining private as 
opposed to an African American or a Latino. So I think that 
there are some real issues here in terms of we are going to be 
bringing all Americans along in ensuring that we provide the 
type of privacy protections that people have confidence in it.
    Chairman Leahy. Mr. Stokes, do you agree or disagree with 
what you have heard?
    Mr. Stokes. Thank you for that question, Senator. As I 
testified, our products are dependent upon consumer trust. We 
believe that without consumer trust in the system, they will 
not adopt the system.
    We also, through extensive discussions and interviews, 
believe this is just as important for the providers. If the 
providers do not trust in the system, they will not adopt the 
system either. And we find with family doctors and primary care 
providers, they are as concerned about maintaining the sanctity 
of their doctor-patient relationship and that privacy as many 
of the patients we talk to.
    Chairman Leahy. Thank you.
    Mr. Chairman, I have other questions, but if I might have 
your permission, I will submit them for the record.
    Senator Whitehouse. Of course, without objection.
    Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Mr. Chairman.
    Dr. Hester, your State of Vermont, like Minnesota, has gone 
beyond the HIPAA requirements, and as I mentioned, some of the 
things that Minnesota has included. What do you think would 
happen if other--we now have sort of a patchwork where some 
States have gone beyond HIPAA, some have not. People may seek 
treatment in multiple States. Do you think it would be easier 
to have this done on the Federal level or to have this done 
State by State?
    Mr. Hester. I think it is important to have clear Federal 
standards and guidelines that set the framework, you know, for 
those policies. For example, the Office of Civil Rights' 
Framework for Privacy and Security that was issued last 
December has been a very helpful tool for us. We have suspended 
the final development of our statewide policies, our operating 
policies, until we get the clarification on the Federal 
standards, and we are looking forward to that clarification. It 
is important.
    Senator Klobuchar. And just one side note, Vermont also is 
a State, like Minnesota, that passed a law prohibiting the sale 
of patients' pharmacy records.
    Mr. Hester. Yes.
    Senator Klobuchar. Could you talk a little bit about how 
this came about? I think patients would be surprised to hear 
that their pharmacy records were at risk of being sold.
    Mr. Hester. Pharmaceutical companies use histories on 
prescribing patterns to target physicians for detailing on how 
to use their products. And so there was concern of that being 
done in this case without the physician's knowledge or consent 
as well. So the restrictions have been passed, and they are now 
being challenged. But it was an issue that was of great concern 
to the State legislature.
    Senator Klobuchar. And this is also included in the House 
stimulus bill as one of the limitations, the marketing 
limitation? I think it is.
    Mr. Hester. My understanding, I have not reviewed the 
details, but my understanding is they are trying to put 
restrictions in there, yes.
    Senator Klobuchar. Okay. Thank you.
    Mr. Hester. We would support that.
    Senator Klobuchar. Mr. Houston, Chairman Leahy was going 
through the other witnesses with some questions, and I saw you 
nodding your head, maybe the other way, about inclusions of 
these in the stimulus package. I brought up deliberately this 
concern of State-by-State regulation. Could you talk a little 
bit about the limitations proposed and how we can ease the 
potential burden on providers while trying to get these privacy 
concerns--which I think we have all agreed are an issue for 
consumers and we are not going to get the proper use of medical 
technology if we do not have that kind of confidence.
    Mr. Houston. Absolutely. Again, we are all patients, so we 
all have the same concerns about the protection of our medical 
information. But I know Deven said it and I have said it, that 
what we need is a comprehensive framework, and my biggest 
concern is when I read the privacy and security components of 
the act, the stimulation package, is what we end up with is a 
patchwork. And I do not think this patchwork works, in my mind. 
And there is nothing worse than getting this wrong, because I 
have seen very directly the impact of trying to inappropriately 
implement privacy and what the impact potentially can be on 
patients' care. And so while we all----
    Senator Klobuchar. Why is it a patchwork?
    Mr. Houston. Well, if you look at the way that--right now 
there is State preemption even under HIPAA. But when you look 
at the act itself, it speaks about RHIOs would be handled one 
way and other types of organizations would be handled another 
way, about how they would potentially fit under HIPAA or 
otherwise have to deal with compliance with certain privacy and 
security rules.
    I just want to get it right and get it right once, make 
sure that everybody is covered under the same framework. PHRs 
today are not covered under anything. If you have a personal 
health record system, you are not covered under HIPAA. Frankly, 
you might not be covered under anything. And so if we are going 
to develop an environment which we--and we should be forward-
looking because, you know, what we have today and what we are 
going to have in 10 years or 15 years is going to be 
dramatically different. And we need to develop a framework 
which allows us to progress and implement new and novel and 
progressive health IT, but do it in a fashion where the 
consumer continues to feel like they are protected, and so 
that--you know, HIPAA was initially enacted in 1996. I think 
everybody would agree that it has got a lot of holes. There are 
a lot of things that, because of the way HIPAA was enacted, 
really were not covered. We did not think about PHRs. We did 
not think about a National Health Information Network. And so I 
just want to make sure we get it right the first time, and I am 
concerned that we are not here and that we have one bite of the 
apple, and if we do not get it right, we may find that we are 
dealing with problems yet again in 2 or 3 or 5 years.
    Senator Klobuchar. Ms. McGraw.
    Ms. McGraw. I think the only place where I would disagree 
is we just do not think that HIPAA is the right set of 
protections for the personal health records, in part because 
HIPAA was designed to allow information to flow among 
traditional health care entities without necessarily having to 
ask the patient each and every time. These PHRs are tools that 
are designed for consumers to have copies of their own records 
that they can then move, share, they can put their own data in 
there. That needs to have really a much higher level of 
consumer control about who can get it and for what purposes. 
And so while I agree that we need sort of a common framework, a 
baseline, it has got to also be contextual. Regulation for 
those products has to target the risks that consumers will face 
in those products, which are going to be different than when a 
health care entity holds your data.
    My testimony provides a little more detail, but it is a 
little--it is sort of nuance of difference.
    Mr. Houston. And I agree that HIPAA is not necessarily the 
appropriate vehicle, but we need to be forward-looking and come 
up with a good framework that really does meet all of our 
different needs, especially as we see health care IT really 
transforming.
    Senator Klobuchar. Thank you.
    Senator Whitehouse. Senator Kaufman.
    Senator Kaufman. Yes, I want to follow up on that question. 
I think this economic recovery bill is an incredible 
opportunity for us to do some things in health care, and the 
testimony here has been directed toward that. But also it is 
going to be a lot of money, and it is going to be spent--as Mr. 
Houston said, if it is not spent right, it can cause troubles.
    I would really like each one on the panel, if they could, 
kind of give their opinion on where we are in terms of the 
present status of the bills, making sure that we are protecting 
policy at the same time, having much more efficient health IT. 
Mr. Hester, do you have anything you want to say on that?
    Mr. Hester. The question is the economic stimulus act, the 
current status of that.
    Senator Kaufman. Exactly, and the provisions in it for 
health IT and privacy and where you think we are on that.
    Mr. Hester. I am going to----
    Senator Kaufman. You can pass.
    Mr. Hester. I can pass? I am going to have to pass.
    Senator Kaufman. Ms. McGraw.
    Ms. McGraw. Again, you know, we need a comprehensive 
framework of protections. HIPAA today does not get us there. 
What is in the bill takes some concrete steps forward to 
improving and filling some of the holes. I liked David's ``yes, 
if.'' I don't have so many ``yes, if's,'' but if all we need to 
do is address the ``if's,'' then we are pretty close to the 
goal line. And we should concentrate on doing that rather than 
having these--you know, wondering whether we can do privacy as 
part of health IT, because I think we are all pretty much on 
the same table that you cannot do health IT without privacy.
    So we are supportive of those provisions. If there are 
issues that need to be worked out, we should move forward with 
doing that as quickly as possible.
    Senator Kaufman. I take it there are no provisions in the 
bill that you think are so onerous that they would have to be 
struck before you would--
    Ms. McGraw. No, not in my opinion.
    Senator Kaufman. Ms. Hahn.
    Ms. Hahn. I would say that I agree with Deven. I feel that 
there has been a real willingness on the part of both the House 
and Senate to work with the e-partnership in terms of 
addressing our concerns. So we really appreciate moving 
forward.
    Mr. Stokes. Thank you for that question, Senator. Aside 
from some minor legal clarifications that I have understood 
from our lawyers that the language might impact non-health-related 
entities, we see no significant difficulties in 
adoption of the language as it stands or as it is proposed. But 
as Dr. Houston pointed out, one of our concerns is providing an 
ongoing framework or guideline, so this is why my testimony 
focused on the principles of transparency, control, and 
security. If we are very clear on what the required principles 
should be and have ongoing policy discussions as the technology 
evolves, as medical research evolves, and as the health care 
ecosystem changes and evolves down the road, we are much better 
situated to dynamically address those in a basis without coming 
back again and again for legislative fixes, but are able to 
have the foundations in the legislation for the regulatory 
bodies and industries to continue to make progress.
    Senator Kaufman. Thank you.
    Mr. Houston.
    Mr. Houston. I think that absolutely I am in support of the 
health care IT component of the bill. I think health care IT is 
vital and we need to move forward with it as fast as we can. I 
do have serious concerns about the privacy components of the 
act, though, and I did outline those in my written testimony.
    Senator Kaufman. Yes, I got those. Yes.
    Mr. Houston. And I think there are some serious concerns 
that I have that could impact providers and their ability to 
deliver care efficiently. And I also think that, you know, if 
you read the privacy components of the act, they talk about 
study and reports and guidelines that need to be established. I 
really think a lot of that needs to be done up front and then 
transform that into something that works.
    From living in the trenches, I can tell you that you do not 
want to get things wrong, because you want to improve health 
care, you do not want to impact health care. And I just see too 
many things in these provisions that just concern me and are 
going to get in the way of delivering efficient health care.
    Senator Kaufman. How long do you think it would take to 
develop that? I mean, really, we are faced with an economic 
recovery bill. Clearly, we have economic--I mean, the big 
reason for doing this is to get the economy moving again.
    Mr. Houston. Sure.
    Senator Kaufman. One of the big emphases is shovel ready, 
and shovel ready does not just apply to infrastructure. It 
applies to this. So, you know, if we sit around and study this 
and come up with a plan--I mean, what do you--I think you have 
some thoughts.
    Mr. Houston. Right. We have done a lot of study. There are 
a lot of really intelligent people that have great opinions on 
what we need to do. I think in a year's time, or even less, you 
could really, I think, put together a comprehensive framework 
that works.
    You know, one of the things about privacy, though, that is 
different in most everything that is in the stimulus bill is 
everybody has an opinion in good faith as to what privacy means 
to them. And it is difficult, often, to bridge the gap between 
different people's opinions. And none of them are wrong, but we 
have got to come up with something that works and something 
that, again, does not impede health care delivery.
    Senator Kaufman. Thank you. Mr. Chairman, can we let Mr. 
Merritt, if he has comments?
    Senator Whitehouse. Go ahead.
    Mr. Merritt. Thank you. The two areas that I would focus on 
that I think could be improved, I mentioned one in my oral 
remarks.
    Senator Kaufman. Right.
    Mr. Merritt. The issue of de-identified data and health 
services research. I do not think that there should be the 
right to opt out of having your de-identified data used for 
health services research. If you ask anyone who has dealt with 
large data sets that if you have the ability for selection bias 
in opting out, you are just not going to have as valid and as 
reliable research. And I think that as we move forward with 
comparative effectiveness and evidence-based medicine, we need 
as much data as possible. And I think you can balance it--
again, getting back to my point about balancing. You can 
balance privacy with progress if you can use de-identified data 
in that way.
    The other point I would mention in the legislation that the 
House has considered is the impact on disease management or 
chronic care programs. There are restrictions on reaching out--
health plans and health systems, on reaching out to members or 
patients who might qualify or benefit from these types of 
programs. And I think that when you are talking about 
individual health and improving individual health, those data 
flows and those connection points still need to be protected. I 
think those can be best suited to be resolved through the 
rulemaking process at HHS.
    And the last thing I will mention that is currently not in 
the bill, or at least not in the packages that I have seen, is 
the idea of tying Federal money to certification. When a health 
system or a provider is going to receive a grant to either 
purchase a system or an incentive to invest in a system, I 
think there has to be the tie between the money and 
certification, and specifically to CCHIT certification, because 
they do have those protections in place, they do go through a 
very rigorous process of testing and making sure those products 
are up to snuff. So I think those four components are very 
important.
    Senator Kaufman. Thank you all.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you, Senator Kaufman.
    I would like to start my questions with an observation that 
comes out of something that Ms. Hahn said when she mentioned 
that there were--according to, I think it is, a CDC 
statistic--very close to 100,000 Americans who die every year 
as a result of hospital-acquired infections. Those of us who 
have been watching this thing for a while have seen this number 
move. It began with the IOM report talking about 80,000 
American deaths from all avoidable medical errors, and that was 
only 7 or 8 years ago, as I recall. And then we got to 100,000, 
and then we got to 100,000 actually just means hospital-based 
medical errors. And now we have really identified that the 
field is 100,000 people dying from hospital errors that are the 
result of hospital-acquired infections.
    So the more that we learn about this and the more that we 
drill into it, the deeper the quality problem and the more 
astonishing and egregious the consequences for Americans seem 
to be. I do not think there is anybody in this room or behind 
this table or listening to this anywhere who has not had the 
experience of having a loved one in the hospital and have that 
terrible feeling that you really cannot leave them alone there. 
Even in the best hospitals, somebody has got to be there to 
watch out and protect them. And from that to these astonishing 
consequences, if 100,000 Americans who are being killed every 
year by anything else, we would be at war. And here we have, I 
think, an enormous amount of work and investment to make.
    So I really applaud all of you for your battle to try to 
get this right. I think it is really--I opened with my concerns 
about where this put us politically with respect to the health 
care reform that we need and what the consequences are of 
getting it wrong in that larger struggle. But for a lot of 
humans, this is really a truly human story about someone that 
they love who they lost, someone in the hospital who they 
cannot leave alone there. And we just have to do this a lot 
better.
    The discussion, as I have heard it, has focused on having a 
comprehensive framework, getting it right, being fairly precise 
so that everybody knows kind of where they stand and what the 
rules are, and at the same time dealing with the ongoing nature 
of discovery. I think Mr. Stokes described it as an ecosystem 
and a dynamic environment. And as we talk about that, we in 
Congress, people who are legislators, think about different 
levels at which you can solve a problem. At the very baseline, 
you can come in, particularly if it is a very static, simple 
problem, you pass a law, you set the standard, you wash your 
hands, and you are done with it, and off you can go and worry 
about something else.
    This strikes me as not being that kind of thing. This 
strikes me as being a highly dynamic environment in which the 
standard-setting role is less important at a level of detail, 
if you will, than the architecture-building role. And right 
now, I do not see in our health care system a good oversight 
architecture for solving this problem to begin with, and then 
having somebody or something in place that can continue to 
adapt to changes through the regulatory environment, continue 
to correct. To me, this is like landing a plane. You know, you 
have got to be up, be down. You have got to make adjustments as 
the wind shifts. You have got to be--that means there has got 
to be a pilot or a group of pilots, if you will, if it is an 
organization of some kind. But there has to be some entity that 
watches this, and I am not comfortable that we have that entity 
now. As much as I applaud what the CCHIT groups have done and 
what AHRQ is doing and what--I mean, there are lots of entities 
that are out there doing it. One of the pieces of advice was do 
not mess with what is already happening. I think we kind of 
have to mess with what is already happening because I do not 
see that we have got the ongoing architecture in place to 
manage this transformation. I would love all of your thoughts 
on that point. What should we be--what order of decision should 
we be making here? Are we talking about actually setting up an 
organization of some kind that would cope with this? And I know 
Tom Daschle is going to be our new Director of Health and Human 
Services. He has written a book about the need for a Federal 
health board. It seems to me to make a lot of sense that there 
should be a Federal health board that has some oversight 
responsibility over protecting privacy and making sure that 
this gets done.
    So that is a long sort of a broad brush of a question, but 
I would love to hear your responses to it.
    Mr. Hester. I think it is an excellent question and a 
critical one. At the State level, you know, we have created 
this organization VITL, which is our health information 
exchange and has funding, to promote the development of the 
infrastructure, is putting out the privacy--but its role is 
education and promotion, and we have been asking whose role is 
it at the State level to do the oversight, because you do not 
want the policemen to also be the people who are promoting it. 
So I agree 100 percent. It is a gap, at least from our 
perspective at the State level, on how you do this.
    The other thing I just want to mention is that you talk 
about getting it right, and I guess, you know, Garrison Keillor 
talks about ``pretty good,'' and I think we want to have a 
pretty good system, because if you try getting it 100 percent, 
absolutely zero tolerance for error, it is not going to happen. 
And what we have to talk about is the balancing of risk. We 
have a huge job with the education of our public, the education 
of our consumers, on there is a huge risk associated with not 
doing this and what is the balance between an acceptable level 
of risk on the privacy and security in order to achieve the 
benefits of reducing the consequences on the delivery system. 
That is a massive, massive job in terms of getting people 
comfortable with that balance and that tradeoff.
    Ms. McGraw. I think notwithstanding the specifics on 
privacy that are in the bill--and I mention this in my 
testimony--I think the bill could benefit from a provision that 
specifically directs the Secretary of HHS--because we do not 
have this Federal health board that Senator Daschle, soon to be 
Secretary Daschle, was talking about. But you need to have 
accountability for putting these privacy and security 
protections in place, and not just the ones that are regimented 
in law. But, you know, HIPAA has always been a baseline. You 
know, States have gone farther; institutions go farther with 
their policies. Anybody, I think, who gets this significant 
chunk of Federal dollars should really commit to developing 
privacy and security policies that are coupled with good 
technological solutions that make them all work to move 
forward, not necessarily--you know, we want shovel in the 
ground, right? So having people submit detailed plans ahead of 
time is probably not possible to get the impact that we want as 
soon as we want it. But if you put the Secretary in the 
position and very specifically task him to hold people 
accountable, not just for how they spend this money, which they 
should be, but also what kind of privacy and security 
protections do you have in place. Do you have protections in 
place, for example, that meet all of what are common, fair 
information practices in other contexts? We can do that. I 
mean, there are plenty of models out there to rely on.
    Senator Whitehouse. Ms. Hahn.
    Ms. Hahn. I agree there really is not the type of 
infrastructure in place, and one key part of that public 
infrastructure is consumer education. Right now, consumers are 
clueless in terms of when they sign those HIPAA forms. I mean, 
most people actually think when you sign the form that if you 
do not sign it, you will not get health care. So, of course, 
your first thought is: Whatever I need to do to get immediate 
attention. And in terms of what protections are provided to 
them, I mean, you see the whole gamut from people feeling that 
they have a private right of action to sue if the information 
is made available to feeling that the Federal Government is 
somehow enforcing it for them.
    So whatever we do, we have to make sure that consumers have 
a clear understanding of what their medical privacy rights are. 
And in doing so, as we make sure that folks have that 
understanding, we will remove some of the fear and distrust 
that we need to move in the direction of more health 
information technology. So I think that is going to be one key 
component, and then second is accountability. People need to 
see--how many people can say here they have seen any entity 
held accountable for a breach of medical privacy? We only hear 
about the breaches, but we never find out what is the outcome. 
And that is going to be critical in moving in that direction.
    Senator Whitehouse. Mr. Stokes.
    Mr. Stokes. Senator, thank you for that question. I do not 
think we can wait 1 year or even 1 month or 1 day. As my Vice 
President testified a week and a half ago in the HELP 
Committee, we have to start today. We are shipping products 
today to meet these. We hope that there will be regulations and 
legislation in a month to help provide more uniform support. We 
hope that there will be standards and certifications in a year 
to provide even better support. But we cannot wait and we 
cannot get it right, perfect. We must start today.
    But the focus, we believe, should be on outcomes. If we get 
too caught up in the processes or the way to get there, we will 
forget that, just like the researchers and the clinicians in 
the Mayo Clinic, what we really care about is improving health 
outcomes and reducing the costs. So all of the policies and the 
principles should focus on are we getting to those outcomes. 
What is our return on investment?
    And, finally, the privacy principles are outlined about 
transparency, control, and security. These are actually the 
same technology principles required by the clinicians and by 
the researchers to improve quality and reduce cost, because for 
a clinician I want to be able to have insight into all of the 
information. I want the transparency as a CIO in a hospital of 
all the information in my hospital to improve my quality. And I 
want to be able to control that information so if the FDA sends 
me an alert, I know within hours or minutes what patients in my 
hospital system are on those medications, that I do not have to 
spend days or weeks, like it is today, to track down possible 
drug interactions.
    Thank you.
    Senator Whitehouse. Mr. Houston.
    Mr. Houston. We clearly need an organization to oversee 
privacy and security, and I think not from an enforcement 
perspective but from an oversight. I have said this for a long 
time, that we are developing this architecture to pass 
information between entities, across State boundaries, and 
across the United States. But there really is not an entity in 
place that provides, I think, the necessary oversight to ensure 
that appropriate standards are in place, not just for privacy 
and security but otherwise. And I think we need that. If you 
look today, we have the Office of Civil Rights that is supposed 
to enforce privacy. We all want to get this right, but right 
now there is no infrastructure in place to support trying to 
get it right.
    You know, I do not want to be--I hate to say this. You used 
the analogy of a pilot and the ups and downs. You want to make 
sure you are on the right trajectory when you land, and I sure 
as--you know, just like an airplane is filled with people, you 
do not want it coming down in the wrong place because a lot of 
people can get killed. And I think the same thing applies here.
    So I think what we need is, again, some type of oversight 
organization that provides support, almost like an ombuds--I 
cannot even say the word--ombudsman to do as much support as 
enforcement.
    Senator Whitehouse. Mr. Merritt.
    Mr. Merritt. If I could, I would like to take somewhat of a 
long view, like 2009 rather than the next 3 weeks. I think the 
three pillars that you identified earlier are exactly the right 
ones to focus on: health IT, quality improvement, and payment 
reform. The one I would like to focus on and urge the Congress 
to focus on this year is the issue of payment reform, because 
it can drive the other two. I think it can drive financial 
incentives for health information technology and the stimulus 
package actually has that provision and the spirit of that 
proposal.
    Secondly, payment reform can certainly drive quality 
improvements. We actually held an event at the National Press 
Club just yesterday, and it answered President Obama's call in 
his inauguration. He was looking for whatever works. And so we 
were exploring health care that works. We released a paper that 
had 60-plus pages of examples of employers and health systems 
and others who are actually using information technology, best 
practices, and other programs to improve health, lower costs, 
drive innovation, and expand access. So I think payment reform 
can actually be implemented so you can drive others to adopt 
those best practices.
    A Federal health board, while I do not support the outline 
that Secretary Daschle has put forth in his book, I do think 
that there is a role for some kind of entity to certify best 
practices, because there are many companies out there that are 
using data that can identify best practices, whether it is 
public or private data. And if there is a body that can 
actually tie best practices to payment reform, I think it 
really can be an engine to drive a lot of these innovations.
    Senator Whitehouse. Senator Klobuchar.
    Senator Klobuchar. Well, thank you very much, Senator 
Whitehouse.
    I had promised Senator Whitehouse I would not talk about 
Minnesota and the Mayo Clinic until my last round of 
questioning.
    Senator Whitehouse. But then somebody had to say Garrison 
Keillor, and now there is no holding you back.
    Senator Klobuchar. Right. And I would say that Minnesota is 
a place, to get your quote right, where the women are strong, 
the men are good-looking, and all the health care providers are 
above average. So, Dr. Merritt, I wanted to follow up with what 
you said about the cost, which is very important to me, and the 
quality. As you know, there has been a study out showing that 
if all the hospitals in the country followed the protocol that 
Mayo uses for the last 4 years of a chronically ill patient's 
life, we could save $50 billion in Medicare payments over a 
4-year period. And some of that has to do with the costs in 
certain parts of the country, but a lot has to do with the way 
Mayo is able to standardize their work, how they pay their 
doctors, but also how they share information and have a team of 
doctors working together.
    So what interests me about what you were talking about is 
first of all to make sure that in the privacy provisions in the 
stimulus bill, nothing will stop us in there from going to this 
overarching framework that we are talking about and, in fact, 
you intimated that there are some things in there that could 
help. But I want to make sure that--do you believe that there 
is anything of these provisions that are--you know, the 3-week 
provisions we are putting in place that could stop us from 
going there in terms of making sure that we can move on to 
bundled payments and all kinds of things that will create these 
kinds of incentives?
    Mr. Merritt. I would go back to the two that I identified 
earlier, which were restrictions on de-identified data, because 
I know Mayo, just like Intermountain, has a very robust 
research department where they can actually take research from 
the clinical process, analyze it, and then put it back into the 
process to identify what----
    Senator Klobuchar. Just to make sure, since this is my 
first day on the Committee, by ``de-identified'' you mean data 
that does not have people's names on it that goes out into 
the----
    Mr. Merritt. Yes, yes. So if you are working with a data 
set, it just means that you are dealing with the information, 
not identifiable information--names, Social Security numbers, 
et cetera.
    So I think that the legislation really does have to be 
careful with lumping in activities that are used with 
de-identified data with those that use clearly identifiable data.
    Senator Klobuchar. So you want to make sure that any 
privacy language we have in the stimulus package does not limit 
the ability of Mayo or other providers in sharing this 
de-identified data.
    Mr. Merritt. Yes. The reason why we are able to know that 
Mayo and Intermountain and others can provide care that would 
save Medicare 30 percent is because a team of researchers at 
Dartmouth has access to Medicare data, and it is de-identified 
Medicare claims data. And so those kinds of variations they can 
actually find when they have access to the research and to 
those data sets. So I think there really has to be careful 
consideration on provisions that would impact researchers' 
ability to do that.
    And then, secondly, Mayo and others are very proactive in 
identifying patients who qualify for various chronic care 
programs, and they can focus on wellness before it becomes 
disease.
    Senator Klobuchar. This is what you talked about earlier 
with being able to reach in and get the patients that you think 
need the help.
    Mr. Merritt. Correct. And many of these fall under the 
current definition of health care operations. Some of the 
language I think could actually harm a health system's ability, 
whether it is a system like UPMC or Mayo or a health plan, to 
have the ability to actually connect with a patient and say we 
have looked at your record, we understand that you have X, Y, 
and Z, we think you are in danger of, you know, Type 2 
diabetes, or you need to control your obesity, or whatever the 
condition may be. If there are restrictions on the system or 
the entity reaching out to that consumer or patient, again, I 
think you have to be very careful because you want--at the end 
of the day, we all want the patient to get the care that they 
need. But if there are privacy restrictions that do not allow 
the connection and the education, I think that could ultimately 
harm individual health.
    Senator Klobuchar. So are you concerned there is language 
in there right now that could do that?
    Mr. Merritt. Yes.
    Senator Klobuchar. Limit it.
    Mr. Merritt. Yes.
    Senator Klobuchar. All right. Well, we will have to look at 
that, because I have found it very helpful. I know it is 
helpful for Mayo and these other groups that have done so well 
to be able to have that research. I also think in the end it 
would be nice if it was done the right way, with no security 
breaches and everything we have talked about, to be able to 
have that data on a national basis so we can get the right 
protocols in place, because there clearly has been a problem 
with decisions being made with the lack of research.
    Thank you.
    Senator Whitehouse. Before we proceed, just one piece of 
administrative housekeeping. Letters from the Vermont 
Information Technology Leaders, from the Coalition for Patient 
Privacy, and from the American Civil Liberties Union will be 
added to the record of this hearing, without objection.
    One of the things that I come across pretty frequently--but 
I have not really been able to source it so I will float it out 
to the expert panel and see if you have any information on 
this--is that when people have chronic or multiple illnesses 
and they have a lot of exposure to the health care system, 
their appetite for electronic health records is very high, and 
their tolerance for privacy concerns is also quite high because 
they are living in the environment where they can see the value 
of the electronic health record in the communication and the 
privacy concerns just do not matter as much to them when they 
are ill.
    I see heads nodding. Is that anybody's experience out 
there? And might it be helpful to focus initially in terms of 
trying to develop some of this, particularly for going forward 
in a dynamic environment, on those very high expense, very high 
contact either chronic or multiple illness patients in the 
system?
    Mr. Merritt.
    Mr. Merritt. If I may, one thing the Federal Government 
could actually do to address that problem is through providing 
information for Medicare beneficiaries based on information 
that CMS actually has. For instance, we have talked a little 
bit about personal health records--Microsoft, there are private 
companies, there are private payers that have been in this 
space for a long time. CMS has a very small pilot in South 
Carolina, and they just announced two others in Arizona and 
Utah. But what I would propose is that the Federal Government, 
through CMS, actually put up a consumer portal so that any 
beneficiary who wants to can actually log on and see just a 
snippet of their information. And if they want to share that 
with their doctor, I think that would be incredibly valuable.
    Some studies say that the average beneficiary is on six 
medications. That is the average. And the average beneficiary 
sees 13 different doctors throughout the course of a year, and 
there is no coordination between them. So having 
patient-controlled access to that information I think would be 
incredibly valuable, and I would certainly open it up for other 
comments as well.
    Senator Whitehouse. Mr. Houston.
    Mr. Houston. I would agree with the proposition that people 
that have chronic illnesses absolutely will be more interested 
in having PHRs, and I think the insurance companies would 
likely also want to manage that population much more 
aggressively to try to reduce inpatient admissions and improve 
quality of care, things of that sort. But I do not believe that 
those people believe that their privacy is less important 
because probably one of the primary types of chronic illness in 
the United States is behavioral health illnesses, depression 
and other things, and I think those people could definitely be 
helped by having a PHR. But they are also a population that is 
probably more concerned about the privacy of their information.
    So I think privacy has to be done well throughout 
regardless of what the population is, regardless of what 
the----
    Senator Whitehouse. Yes, I could not agree with you more 
about that. My point was that if you are looking for early 
adopters who see the real value of this, there seems to be a 
kind of fortunate correlation between the people for whom this 
would be the most helpful and their willingness in turn----
    Mr. Houston. Absolutely.
    Senator Whitehouse [continuing]. To try to achieve that 
value in their own health care.
    Mr. Houston. Take diabetes alone. I think that that is 
probably a chronic illness for which having good tools for 
patients would clearly benefit patients and reduce costs and 
improve quality of life. I mean, I think that is a clear 
winner. And you are right, those people are very concerned 
about trying to manage their condition.
    Senator Whitehouse. Dr. Hester.
    Mr. Hester. You are right on target. One of the main themes 
of health care reform in the State of Vermont has been focusing 
on patients with chronic illness. We have sustained attention 
on that. Again, I mentioned in my testimony we have pilots, 
enhanced pilots in three communities which involve payment 
reform, the creation of community care teams, and the provision 
of information technology tools for the practices and for the 
patients that will cover 10 percent of the Vermont population 
by the end of this quarter.
    It is not just a matter of the benefit to the patients. You 
cannot do chronic illness care, best practice, you cannot be 
proactive in reaching out to patients, to a diabetic who has 
not had their hemoglobin A1c in the last 6 months unless you 
have those tools in place and the patients understand it.
    So from the standpoint of--Ed Wagner has developed 
something called the ``Chronic Care Model,'' which is sort of 
his approach to saying how do you do best practice. It involves 
the combination of a proactive care team of providers and 
engaged patients. You know, the information technology is 
critical to supporting both the care team and patient 
engagement, and we have found it to be a very rich area of 
collaboration and one reason that we focused--one of VITL's 
major pilot programs has been in providing those information 
tools, supporting those information tools in those pilot 
communities. So I would be happy to provide you with some 
additional information if you are interested.
    Senator Whitehouse. Thank you. I would appreciate that.
    Mr. Stokes.
    Mr. Stokes. Senator, I agree that this is a critical area 
and a very opportune area for cost savings and improving 
quality. But as I pointed out before, there is no need to wait. 
We have a cooperation with Cleveland Clinic today that pilots 
and targets the chronic care disease population within the 
Cleveland Clinic through a combination of different doctors and 
specialties within the clinic and the chronic patients at home, 
because we have found that if they are in a remote setting, 
they will take their blood glucose measurements more often. 
There is better compliance and better participation all through 
HealthVault without having to sacrifice any patient privacies, 
maintaining the transparency and control.
    So as was discussed, if we can move forward and have better 
foundations and better infrastructure and better guidance over 
time, that would be great. But even today, we are focusing on 
the outcomes to move this forward.
    Senator Whitehouse. Dr. Hester again?
    Mr. Hester. Just one more comment. The success of that 
Chronic Care Model is completely dependent upon payment reform, 
as being discussed earlier, and there is a regional 
collaborative being formed in the New England States, including 
Rhode Island--it is being sponsored by the Milbank Fund--to 
have a regional demonstration in patient-centered medical home 
and to try to provide a vehicle for Medicare to participate and 
support. What we are finding is the States are further ahead in 
terms of multipayer payment reform involving commercial 
insurers and Medicaid, but we are having difficulty getting 
Medicare to the table, and it is something we could use some 
assistance in the new administration to move forward, and we 
are hoping this regional collaborative will be a vehicle.
    Senator Whitehouse. Well, I think I will take this 
opportunity to bring the hearing to a close. I want to thank 
all of you very much for your testimony and for your work in 
this area. I will just re-emphasize what I said at the 
beginning. I think we are headed--remember when the Clinton 
administration tried health care reform and they got Harry and 
Louise'd, and that put an end to that particular effort.
    Senator Klobuchar. But, Mr. Chair, now Harry and Louise are 
on Medicare Part D, and now they support the effort.
    [Laughter.]
    Senator Whitehouse. And I think now the model is no longer 
Harry and Louise. Now the model is Thelma and Louise, and we 
are all in the car, and the cliff is right in front of us. And 
if we do not get this solved through technology, through 
systems reform, through better quality care, through a more 
rational payment system, then we will get to the edge of that 
cliff. And when we are there and we have to go into the other 
toolbox and throw people off of health coverage and thin out 
our already tragically thin benefits and put even more costs on 
our business community, which is already laboring 
uncompetitively under health care costs compared to their 
foreign competition, and tell providers who are already 
cross-subsidizing in order to stay in the Federal health care system 
that we are going to pay them even less--it is going to be a 
nightmare.
    And so your work to guide us through the privacy hazard to 
solving these problems the good way I think is really at the 
absolute apex of issues that our country faces. And I applaud 
you for it. I urge you to be as persistent and energetic as you 
can, and I think you have seen from the turnout in this 
Committee and from how long people stayed that this is a matter 
that has great interest, and we truly look forward to working 
with you.
    The record of the Committee will stay open for an 
additional week in the event that anybody has anything they 
would care to add, and without anything else, I appreciate 
again that you have all come in here. I appreciate everybody's 
attention, and the hearing is adjourned.
    [Whereupon, at 11:14 a.m., the Committee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]

