[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY,
CENSUS, AND NATIONAL ARCHIVES
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
JUNE 19, 2007
__________
Serial No. 110-33
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
http://www.oversight.house.gov
______
U.S. GOVERNMENT PRINTING OFFICE
39-023 WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�090001
COMMITTEE ON OVERSISGHT AND GOVERNMENT REFORM
HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts CHRIS CANNON, Utah
WM. LACY CLAY, Missouri JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts DARRELL E. ISSA, California
BRIAN HIGGINS, New York KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of VIRGINIA FOXX, North Carolina
Columbia BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota BILL SALI, Idaho
JIM COOPER, Tennessee JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont
Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director
Subcommittee on Information Policy, Census, and National Archives
WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky BILL SALI, Idaho
PAUL W. HODES, New Hampshire
Tony Haywood, Staff Director
C O N T E N T S
----------
Page
Hearing held on June 19, 2007.................................... 1
Statement of:
Grealy, Mary R., president, Healthcare Leadership Council;
Byron Pickard, president, American Health Information
Management Association; and Peter Swire, senior fellow,
Center for American Progress............................... 41
Grealy, Mary R........................................... 41
Pickard, Byron........................................... 63
Swire, Peter............................................. 86
Melvin, Valerie C., Director of Information Management
Issues, Government Accountability Office, accompanied by
Linda D. Koontz, Director for Information Management
Issues, Government Accountability Office................... 6
Letters, statements, etc., submitted for the record by:
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 3
Grealy, Mary R., president, Healthcare Leadership Council,
prepared statement of...................................... 43
Hodes, Hon. Paul W., a Representative in Congress from the
State of New Hampshire, prepared statement of.............. 34
Melvin, Valerie C., Director of Information Management
Issues, Government Accountability Office, prepared
statement of............................................... 8
Pickard, Byron, president, American Health Information
Management Association, prepared statement of.............. 65
Swire, Peter, senior fellow, Center for American Progress,
prepared statement of...................................... 88
PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS
----------
TUESDAY, JUNE 19, 2007
House of Representatives,
Subcommittee on Information Policy, Census, and
National Archives,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2 p.m. in room
2154, Rayburn House Office Building, Hon. Wm. Lacy Clay
(chairman of the subcommittee) presiding.
Present: Representatives Clay, Maloney, Hodes, and Turner.
Staff present: Tony Haywood, staff director/counsel; Jean
Gosa, clerk; Adam C. Bordes, professional staff member; Nidia
Salazar, staff assistant; Charles Phillips, minority counsel;
Allyson Blandford, minority professional staff member; Patrick
Lyden, minority parliamentarian and member services
coordinator; and Benjamin Chance, minority clerk.
Mr. Clay. The Subcommittee on Information Policy, Census,
and National Archives will come to order.
Let me begin by saying good afternoon and welcome to
today's hearing on efforts to protect the privacy of personal
health information in electronic health care information
systems.
The use of IT to store, share, and secure electronic health
information has expanded rapidly in recent years. Many insurers
and hospitals have already transitioned from paper-based
records to electronic medical record systems for exchanging
patient data. This has brought important benefits to both
patients and providers, including shorter hospital stays,
improved management of chronic disease, and fewer redundant
tests and examinations.
Americans have expressed legitimate concerns, however,
about the potential for improper disclosure of personally
identifiable health care information. Before they will fully
embrace the benefits and efficiencies of e-health solutions,
patients must be confident that personal information in
electronic format is as secure and private as information in
paper records.
A nationwide health information network promises tremendous
benefits for patients. For 3 years the Department of Health and
Human Services has been working to make the idea technically
and economically feasible. Unfortunately, a January 2007 GAO
report found that HHS was not doing enough to integrate
effective privacy safeguards into its long-term national
strategy for health IT. Varying health IT privacy standards in
different States are another area of concern.
While the enactment of the Health Insurance Portability and
Accountability Act [HIPAA], in 1996 was an important step
forward, it has left patients with disparate privacy
protections. I believe we should amend HIPAA to extend the most
effective and practical privacy safeguards to everyone.
I introduced bipartisan legislation in the 109th Congress
which proposed to establish a framework for a uniform national
health privacy standard. Giving patients greater personal
control over their health information is critical; therefore,
putting in place stricter notice and consent requirements for
all third-party disclosures and information sharing activities
is an important legislative objective for Congress to achieve.
Today's hearing will allow different perspectives on these
issues to be aired as we move toward implementing a national
health care information network.
I must say that I am disappointed that HHS was unable to
supply a suitable witness to appear today on behalf of the
administration, but the Department has submitted written
testimony for today's hearing, and I will ask GAO and our other
witnesses to respond to positions stated in that testimony.
I look forward to the testimony of all of our witnesses.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T9023.001
[GRAPHIC] [TIFF OMITTED] T9023.002
Mr. Clay. I assume when the ranking member gets here he
will have an opening statement and we will yield to him for
that, but for now we will proceed with the hearing.
If we don't have any additional statements, the
subcommittee will now hear testimony from the witnesses before
us today.
On our first panel we will hear from Valerie C. Melvin,
Director for Human Capital and Management Information Systems
Issues at GAO. Welcome, Ms. Melvin.
Accompanying Ms. Melvin is Linda D. Koontz, Director for
Information Management Issues at GAO. Welcome to you.
Ms. Melvin will deliver GAO's formal testimony, and both
will respond to questions.
Thank you for appearing before the committee today. It is
the policy of the Committee on Oversight and Government Reform
to swear in all witnesses before they testify. Will you both
please stand and raise your right hands?
[Witnesses sworn.]
Mr. Clay. Let the record reflect that the witnesses
answered in the affirmative.
Ms. Melvin, you will have 5 minutes to make an opening
statement. Your complete written testimony will be included in
the hearing record.
The lighting system and the timing system does not work, so
we will notify you probably through the use of the gavel when
you get close to the 5-minute time limit.
Mr. Turner, thank you for being here.
Mr. Turner. Mr. Chairman, thank you.
Mr. Clay. OK. And you may, if you have an opening
statement, you may proceed, sir.
Mr. Turner. Thank you, Mr. Chairman. I appreciate that and
I apologize for my being late.
I want to thank you for holding this important hearing on
privacy concerns and health information technology. Many health
care experts agree that investing in health information
technology will dramatically improve patient care while
simultaneously decreasing health care costs.
For example, Kettering Medical Center in my District and
its partners have created the Dayton Individual Health Record
Pilot Project, IHR. The Dayton IHR pilot combines a patient's
health information from different sources and presents that
information to patients, doctors, and other health care
professionals in a format that helps all health participants
make efficient, appropriate decisions about their care options.
The Dayton IHR is a Web-based record that allows a patient
to access their information from their home, the office, or
even if the patient ends up in an emergency room in another
town.
While it is important that technology like the Dayton IHR
be made available, it should not be available at the sacrifice
of patient privacy and security. The Dayton IHR ensures that
only the patient and the physicians granted access by the
patient can look at the information within the IHR.
This subcommittee has previously discussed privacy concerns
in relation to Federal IT infrastructures, and I expressed my
concerns with how IT breaches affect individuals, as well as
national security.
Health care raises unique privacy concerns, but I am
interested to learn how we can work with all stakeholders to
address important privacy issues and facilitate the adoption of
health IT. Health IT holds the promise of increasing the
quality of health care, as well as decreasing health care costs
for American families. We must be careful, however, to reach
these goals without sacrificing the security of professional
health information.
I look forward to hearing the information from today's
witnesses on this important topic, and I yield back the
remainder of my time.
Thank you.
Mr. Clay. Thank you so much, Mr. Turner.
We will begin with Ms. Melvin.
You may proceed.
STATEMENT OF VALERIE C. MELVIN, DIRECTOR OF INFORMATION
MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE,
ACCOMPANIED BY LINDA D. KOONTZ, DIRECTOR FOR INFORMATION
MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Melvin. Thank you, Mr. Chairman and Ranking Member
Turner.
We are pleased to be here today to testify on privacy
issues associated with efforts to increase the use of
information technology in the health care industry. As noted,
with me today is Linda Koontz, Director of Information
Management Issues, who is responsible for GAO's privacy work.
In 2004 President Bush issued an Executive order that
called for widespread adoption of interoperable electronic
health records by 2014 and established a National Coordinator
for Health IT to lead and foster public/private coordination.
The benefits of health IT are immense, and include reducing
medical errors and improving public health emergency response.
However, the increasing use of technology also raises concerns
regarding the extent to which patient privacy is protected. The
challenge is to strike the right balance between patient
privacy concerns and the numerous benefits that IT has to
offer.
Over the past few years, we have issued reports and
testified numerous times on HHS' efforts toward defining a
national health IT strategy. Among these reports, one issued
last January highlighted HHS' health IT privacy initiatives.
Today, as requested, I will summarize the results of that
study, highlighting three points: the importance of having a
comprehensive privacy approach, HHS' initial efforts to address
privacy as part of its national health IT strategy, and
additional efforts needed.
Privacy is a major concern in the health care industry,
given the sensitivity of certain medical information and the
complexity of the health care delivery system, with its
numerous players and extensive information exchange
requirements. This concern increases with the transition to
using more electronic health records. A comprehensive privacy
approach is needed to determine how personally identifiable
information will be disclosed, used, and protected.
HHS acknowledges in its national health IT framework the
need to protect consumer privacy, and it plans to develop and
implement privacy and security policies, practices, and
standards for electronic health information exchange. To this
end, HHS and its Office of the National Coordinator have
initiated several efforts, including awarding contracts,
including one for privacy and security solutions; consulting
with the National Committee on Vital and Health Statistics to
develop privacy recommendations; and forming a confidentiality,
privacy, and security work group to identify and address
privacy and security policy issues.
Ultimately, the National Coordinator's Office intends to
use the results of these initiatives to identify policy and
technical solutions for protecting personal health information
as part of its continuing efforts to complete a national health
IT strategy. However, while these efforts are good building
blocks on which progress has been made, important work remains,
including assessing how variations in State laws affect health
information exchange, acting on the privacy and security
contractor's findings and advisory group recommendations, and
identifying and implementing privacy and security standards.
Moreover, how and when HHS plans to integrate the outcomes
of these initiatives is unclear; thus, we have recommended that
HHS develop an overall privacy approach that identifies
milestones in an accountable entity for integrating the
outcomes of its health IT contracts and advisory group
recommendations, ensures that key privacy principles are fully
addresses, and addresses key challenges associated with legal
and policy issues and the disclosure, access to, and security
of information.
In recent discussions with us, the National Coordinator
committed to developing a plan that would accomplish these
objectives. In this regard, he announced last weekend an
initiative to build consensus around a harmonized set of
privacy and security principles which are to serve as a
framework for addressing these important issues.
Overall, Mr. Chairman, the National Coordinator's intent to
act on such an approach is promising, and building a framework
based on fair information principles is a good starting point
for moving forward; however, achieving this goal to safeguard
personal health information will be difficult and plagued with
challenges and will necessitate sustained leadership from HHS
to realize success.
This concludes our prepared statement. We would be pleased
to respond to any questions that you may have.
[The prepared statement of Ms. Melvin follows:]
[GRAPHIC] [TIFF OMITTED] T9023.003
[GRAPHIC] [TIFF OMITTED] T9023.004
[GRAPHIC] [TIFF OMITTED] T9023.005
[GRAPHIC] [TIFF OMITTED] T9023.006
[GRAPHIC] [TIFF OMITTED] T9023.007
[GRAPHIC] [TIFF OMITTED] T9023.008
[GRAPHIC] [TIFF OMITTED] T9023.009
[GRAPHIC] [TIFF OMITTED] T9023.010
[GRAPHIC] [TIFF OMITTED] T9023.011
[GRAPHIC] [TIFF OMITTED] T9023.012
[GRAPHIC] [TIFF OMITTED] T9023.013
[GRAPHIC] [TIFF OMITTED] T9023.014
[GRAPHIC] [TIFF OMITTED] T9023.015
[GRAPHIC] [TIFF OMITTED] T9023.016
[GRAPHIC] [TIFF OMITTED] T9023.017
[GRAPHIC] [TIFF OMITTED] T9023.018
[GRAPHIC] [TIFF OMITTED] T9023.019
[GRAPHIC] [TIFF OMITTED] T9023.020
[GRAPHIC] [TIFF OMITTED] T9023.021
[GRAPHIC] [TIFF OMITTED] T9023.022
[GRAPHIC] [TIFF OMITTED] T9023.023
[GRAPHIC] [TIFF OMITTED] T9023.024
Mr. Clay. Thank you so much, Ms. Melvin.
According to their written testimony, HHS states that it
has invested significant resources and efforts in our
nationwide strategy for protecting health information. Our
national health IT agenda approaches our privacy and security
through a full suite of activities both in form of current work
and preparing for future needs. Specifically, HHS mentions
authorizing a review of 34 States and Puerto Rico to analyze
how their laws are affecting the sharing of health information.
Yet, GAO's January 2007 report cites HHS' lack of an overall
strategic plan for integrating its privacy initiative into a
health information network. The report also concludes that HHS
lacks appropriate milestones to measure its progress to meet
these requirements.
With that in mind, I would like to ask the following
question: can you explain how HHS is addressing the legal
barriers associated with variances in State privacy laws and
methods to limit the types of information disclosed through a
nationwide exchange? And is it true that HHS disagrees with
GAO's recommendation to establish milestones to measure
progress and outcomes in the development of privacy protections
for a network? If so, why?
Ms. Melvin. When our report was issued, our concern was
that HHS did not have, as you said, an integrated plan that
would allow all the various initiatives that it has undertaken
to be integrated and to be guided by milestones and measure its
progress, and also from the standpoint of having a leader to
make sure that there would be complete integration of the
various initiatives to guide the overall effort.
There are other factors related to the variations in the
State agencies. They do, in fact, have contracts in place that
are intended to assess those, as you have mentioned, and those
types of initiatives are all the ones that we believe have to
be guided and driven by an overall integrated plan that has a
well-defined approach to bringing together the specific
initiatives, to being able to look at all of the findings and
the assessments that are being made, and to develop and
implement solutions as a result of what their assessments have
determined.
Mr. Clay. Well, can you identify for us the entity or
entities within HHS that will be responsible for coordinating
and implementing its privacy initiatives? Who will promulgate
the regulations and oversight activities for privacy within the
network? Is this entity effectively staffed and capable of
managing its responsibilities?
Ms. Melvin. One of the key areas or pieces of information
that we believe is missing is the identification of the
critical entity that would be responsible for bringing together
all of the initiatives, as you have noted, so we cannot
identify at this time who that would be. We do understand,
through our recent discussions with Dr. Kolodner, that the
agency is taking steps through the National Coordinator's
Office to implement a framework; however, how that framework
will be put in place and who will actually guide and lead their
efforts to accomplish that has not been specified and we have
no information that we could share regarding its----
Mr. Clay. They don't know yet? I mean, you gave them that
report in January of this year.
Ms. Melvin. Yes.
Mr. Clay. And they have not moved on the recommendations is
what you are telling me?
Ms. Melvin. As of last week when we spoke with Dr. Kolodner
their efforts were in the early stages and there was no
specific information provided to us relative to who the entity
would be that would lead all of those efforts.
I should note that when our report was issued the National
Coordinator's Office did have a difference relative to how they
should proceed with a coordinated approach, so it has only been
in recent times that we have now, I think, reached more
agreement with them relative to the importance of having a plan
in place, an approach that would, in fact, include and identify
a specific leader for integrating or overseeing the integration
of the various initiatives.
Mr. Clay. Thank you for that. And this is a question for
either one of you. One of HIPAA's limitations is that it does
not cover all entities that possess or utilize personal health
information. Some life insurers and research entities that are
not involved with the treatment of patients fall outside the
rules. Have you examined the practical impact of not covering
some entities that have access to personal health information?
Is this a significant problem, in your view, Ms. Koontz?
Ms. Koontz. I think that is a significant issue that
deserves more study, and we would like to see HHS consider that
as it moves forward in developing privacy policies, practices,
and standards. It is true that HIPAA covers health plans,
health providers who transmit electronic information in support
of transactions, and health information clearinghouses. The
entities that you mentioned are outside the coverage of HIPAA.
I think that, naturally, as we move to a national health
information network in which it will be much easier, and it is
actually intended to make information flow more easily, this is
something that we should pay a lot more attention to. Again, I
do hope that HHS includes this in their deliberations as they
move forward.
Mr. Clay. OK. Thank you for your response.
Let me now turn to my ranking member, Mr. Turner.
You may proceed.
Mr. Turner. Thank you.
Thank you for the information you have provided to us in
your testimony today. This is an important issue on pretty much
three fronts. We have our desire to find cost savings and
reduce the spiraling increases in health care costs. The second
issue is quality of health care. What can we do to increase the
quality of health care? And the third issue is: how do you
balance privacy?
So many times when we make an advance in one area privacy
either takes a hit, or when we think we are taking an advance
in privacy others take a hit.
I will tell you one funny story. Two years ago when I was
in Washington I broke my sunglasses. I called my wife at home
and said, can you go and get me some new sunglasses. I have a
prescription. She goes to the eyeglass place and they wouldn't
let her buy eyeglasses because they said under HIPAA there is a
fear that she would discover what my prescription is. You know,
that is not exactly something that I have a concern about
having a privacy expectation. But, nevertheless, that was the
application. We had to wait until I returned back home until I
could get them.
So this is a fine balance of what things do we have an
expectation of privacy, and what things are important for
efficiency, and what things do we have for cost savings, and
many times there are unintended consequences--you know, I can't
get my sunglasses unless I am back home--that are overlooked.
What confidence do you have, in describing the process that we
are undertaking, that the Federal Government is going to be
able to have a better record in ascertaining that yes, we
really need to protect people's privacy, yes, we need to find
cost savings, and we need to find efficiencies to increase
quality of health care? What are your thoughts?
Ms. Melvin. Again, I think the confidence will grow from
the extent to which there is transparency in the way that the
health information network is put together and the way that
privacy is conveyed to and understood by the public.
Our work has emphasized the need for the National
Coordinator's Office and HHS to spend significant time in
making sure that there is outreach and consensus to bring
together a better understanding among all participants that
would be involved in the overall health initiative.
You are right, there is an extremely fine balance between
the privacy issues and the need to ensure quality care, the
need to try to have improvements in the way that information is
made available about care, and all of that comes through,
again, having a defined plan for how they will do that, as well
as having necessary outreach, necessary information made
available to educate the public on the need for and the use of
electronic health records so that certainly at some point
hopefully there would be buy-in, more buy-in to make this a
more successful effort.
So I think overall success will depend on how well they can
really communicate and convey the need for and ultimately to
implement a system that does balance privacy and security with
the quality of the care that is being provided.
Mr. Turner. One of the issues that has been identified is
the cost savings that we expect from going to electronic
recordkeeping, and the implementation of technology on this
issue is that we don't really know what our cost savings would
be, and we are not capturing in a very effective way how this
might advance us in cost. Do you agree with that? And also, do
you have thoughts as to what we could be doing better to
understand really what will we be able to effect in cost
savings in this?
Ms. Melvin. I think clearly the cost savings is an issue.
The overall cost of the initiative is an issue that would have
to be defined based on what technology is ultimately determined
to be needed and put in place for this, again largely driven by
the privacy and policy security implications that would drive
the technology that would need to be put in place.
Then ultimately, as a part of the overall strategy and the
defined approach that the agency would need to have, a key part
of that is defining what the costs are, what the outcomes that
result from that are in the way of benefits and savings. I
think all of those aspects collectively are going to be
important in defining what the actual cost is ultimately for
the overall initiative.
Mr. Turner. Thank you, Mr. Chairman.
Mr. Clay. Thank you, Mr. Turner.
We have been joined by our colleague from New Hampshire,
Mr. Hodes.
I understand you have an opening statement. You may proceed
with that and then go into your questions.
Mr. Hodes. Thank you, Mr. Chairman.
Mr. Clay. You have ample time. You are welcome.
Mr. Hodes. This is a very important hearing. The privacy
concerns related to health information technology in the
digital age take on an increasingly important role as we
examine a health care system which many people feel is a system
which is dysfunctional and not operating as it should, and many
are looking to electronic medical records technology as a key
component to making our health care system a better-functioning
system.
It seems that it is fairly obvious, at least to me, that
there are great benefits in increased coordination of care from
effective and appropriately constructed medical records
technology systems, because instead of having people carrying
around paper records and sacks of pills from one doctor to
another and having the second doctor trying to figure out what
it is that patient is on, we can quickly and easily, with
medical records technology, determine what care that patient
has had.
On the other hand, medical records technology presents
great risks to patient security and private information. We
have recently seen in the Veterans Administration, which
frankly is in the forefront of developing electronic medical
records technology, when a single laptop is lost there is
enormous amounts of personal data that is compromised. So
coming up with the right construct and the right system is
clearly very important, and it is, I think, an urgent matter
for us because there are a number of initiatives, both in the
private sector and in Government, that are taking us down the
road, but it sounds from your testimony and the report that
there is still a very, very long way to go in coming up with an
appropriate national system.
[The prepared statement of Hon. Paul W. Hodes follows:]
[GRAPHIC] [TIFF OMITTED] T9023.025
[GRAPHIC] [TIFF OMITTED] T9023.026
Mr. Hodes. One question, Ms. Melvin, that I had raised by
your testimony that I would just like you to clarify for me, if
you could, would be--and I may not have all the terms right--
but you mentioned that the National Coordinator's Office at
HHS, I believe, had a difference about a national coordinated
approach when your report was initially sent over?
Ms. Melvin. We had originally recommended that they develop
a defined approach that would, in fact, allow them to integrate
the various initiatives, that would establish milestones and
timeframes for the completion of initiatives, obviously
considering that there were multiple activities going on, and
that would, in fact, designate a leader, identify a leader who
would lead the overall coordination, an entity that would lead
the overall coordination of all of the various initiatives
being put in place.
I believe that in this case in their comments HHS
essentially believed that they did have a comprehensive
approach. We had a difference relative to the construct of that
approach and whether, in fact, it contained all of the
necessary or recognized all of the necessary components in the
way of having a designated leader, in the way of having
established milestones, and potentially measures for being able
to really gauge progress and to guide the overall effort.
Mr. Hodes. And I gather there were some discussions that
took place?
Ms. Melvin. We have subsequently met with Dr. Kolodner,
actually within the last week. We have talked more about what
our concerns were relative to the lack of such a defined
approach, and in talking with him and through information that
we have seen since our discussions, there is an indication that
he is in agreement with the need for having an approach, some
type of road map that would, in fact, provide more detail than
defined milestones for integrating the various initiatives that
are underway.
Mr. Hodes. There is no disagreement between you and Dr.
Kolodner that the coordinator of any national health
information technology system would be situated at HHS, is
there?
Ms. Melvin. We have not talked specifically about what
entity would be the leader to integrate this. Our discussions
were at a level relative to the importance, the significance
overall of developing an approach. We have not described what
that approach would be. We do feel it is important, however,
that approach does, in fact, define those critical elements
relative to timeframes and milestones, measures of performance,
and also in terms of actually identifying the entity that would
lead it, but we have not talked about specifically who that
entity would be.
Mr. Hodes. You are just trying to get to square one with
HHS and have them recognize that there needs to be a
coordinated approach with time lines and benchmarks and setting
out a plan to put together the initiatives that have already
been begun into some comprehensive plan that we can all look at
and then talk about?
Ms. Melvin. That is absolutely correct, sir.
Mr. Hodes. I am just about finished, Mr. Chairman.
When you say that Dr. Kolodner has indicated his agreement,
is that verbally? Is that in writing? How has that agreement
been indicated?
Ms. Melvin. Our discussions have been held through a
meeting with Dr. Kolodner relative to what actions they were
taking, but, as I stated earlier, we have not discussed the
specifics of what that planned approach would look like
ultimately. It is our hope, and we do view, you know, the fact
that at this point he does agree with the need for that as very
promising, but, as our statement indicates, it is a very
difficult task. It is a long road. It does involve a lot of
initiatives, and it will take sustained and committed effort on
HHS' part to make sure that happens.
Mr. Hodes. What is your timeframe for getting some sort of
concrete response beyond the verbal discussions you have had
from Dr. Kolodner and HHS that would clearly indicate,
something we could look at, that says HHS agrees that we are
going down this road and here is how we are going to get there?
Are we talking a week? A month? Two months?
Ms. Melvin. We have not specified a specific timeframe.
Obviously, based on our recommendation, we do feel it is very
important that this effort be undertaken urgently. It is very
critical from the standpoint of the many initiatives that HHS
and the National Coordinator's Office does have underway that
lead to the development of technology, the significant point
being that you want security and privacy policies to be in
place to really guide and be a factor in determining what
technology is there. So it is an urgent effort, but not one
that we put a definite timeframe on for seeing that it happens.
Mr. Hodes. Thank you very much.
Thank you, Mr. Chairman.
Mr. Clay. Thank you, Mr. Hodes, for that line of
questioning.
This question is for either/or. I would like to hear your
thoughts on HHS' enforcement policies, practices, and
procedures. There has been significant criticism of the
agency's enforcement of HIPAA and lack of civil penalties
enforced on identified violations. Are the enforcement
activities of HHS being carried out in accordance with the
statute and the legislation and regulations? Are the current
regulations adequate to ensure that violating entities are
being sanctioned appropriately?
Ms. Koontz. I have to say, first of all, that we have not
studied HHS' enforcement actions; however, I think it has been
widely reported that there have been few enforcement actions on
their part.
The way HIPAA is set up right now is that if an individual
has a complaint they can go to HHS, the Office of Civil Rights,
and complain about privacy violations. I think that this,
again, is another issue for us moving forward. Under HIPAA, for
example, there is no individual right of action. If someone
isn't satisfied with what happens at HHS, they cannot go to the
courts for resolution. I think this is an issue that, you know,
we will need to look at over time, but we haven't studied it in
depth.
Mr. Clay. One IT-specific recommendation offered by the
National Council of Vital Health Statistics was for HHS to
support research and development of contextual access criteria
that is appropriate for the dissemination and sharing of
electronic health information. Do you know whether HHS is
addressing this issue and, if not, why not? And does GAO concur
with the findings and recommendations of the National Committee
on Vital Health Statistics?
Ms. Koontz. First of all, in terms of the contextual
information, I think that is quite an exciting idea, because if
you look at paper records right now, if you have to disclose a
paper record I think that the default is to perhaps disclose
the whole piece of paper. The idea of this contextual access
would be that when you disclosed information you would use
technology in such a way that you could disclose only the
information that was actually needed, so it would be a way to
really leverage technology to increase privacy for patients and
consumers. So the National Committee on Vital and Health
Statistics did recommend that HHS look at this more fully in
the process, and we support that.
I think one of the things that, as they move forward on a
comprehensive strategy for addressing privacy, they need to
take into consideration the results of all these different
contracts and initiatives that they have going on, which seem
to have a lot of merit. They need to take into consideration
the recommendations of NVCHS, and they need to take into
consideration some of the challenges that I think we raised in
our report.
Mr. Clay. Thank you for that response.
When multiple States with conflicting laws have personal
health information concerning the same patient, which State's
privacy standard will apply, and under what circumstances? How
can entities in one State appropriately manage patient data
within their electronic patient records if they are unaware of
applicable restrictions in another State?
Ms. Koontz. Well, the issue about HIPAA is that HIPAA is
meant to be a floor in terms of privacy protection, so that
means it does not preempt a State law that provides greater
privacy protections than the Federal law. But you are right:
what it leads to is very much a patchwork of different kinds of
laws in varying States, and when you go to electronic health
records and you go to a national health information network,
again, the information is to move. It can move much more freely
than it does now in a paper environment.
One of the challenges, when we were doing our study, that
many organizations talked to us about is operationalizing these
various requirements and being able to navigate in an
environment where information is created in one State, it is
sent to another, it is sent yet to another, and how to really
navigate in that kind of environment has caused a complexity
which may indicate some need maybe for greater guidance in
terms of how to navigate this. And some people have suggested,
of course, that there be some kind of national standard for
privacy that is consistent across the States. We haven't
studied that further, but that has been an issue that has often
been raised.
Mr. Clay. Good. Thank you very much.
Mr. Turner.
Mr. Turner. Thank you, Mr. Chairman.
We want to note that Government Health IT reported on June
15, 2007, that Dr. Kolodner, National Coordinator of Health
Information and Technology, has revealed that his office will
propose a draft framework for privacy policy later this year.
Kolodner said it will reference other privacy policy documents
from organizations such as Connecting for Health, the National
Committee on Vital and Health Statistics, and the Organization
for Economic Cooperation and Development. I look forward to
seeing that so we can all have an opportunity to review it and
determine its effectiveness.
I am going to ask if you could talk for a moment--and you
may not be able to--but the VA's experience during Katrina, we
have all heard news reports about how the VA was able to
transfer large numbers of patients' records far more quickly
than private hospitals. Are you familiar with the VA's
experience and their system? Could you comment on that?
Ms. Melvin. I am not familiar with that particular
experience, but what I can tell you is that VA does have a
comprehensive longitudinal electronic health record for its
patients, which would explain its ability to make information
available for those people who were affected by Hurricane
Katrina. Its system is set up so that it contains a complete
record of each patient that is captured within its system, so
that would explain its ability to perhaps have records
available more readily certainly than other entities that do
not have such a capability at this point.
Mr. Turner. Are you familiar with either their experience
of cost savings or efficiencies in increasing medical care and/
or privacy issues and policies?
Ms. Melvin. I don't have specific information on their cost
savings. I can tell you, though, that they have a very
impressive system in place that has allowed them to achieve
many improvements in quality of care through the clinician's
ability to have ready access to information, through their
ability to actually use that information in the health care of
patients at this point.
Mr. Turner. Thank you very much.
Ms. Melvin. You are very welcome.
Mr. Turner. Thank you, Mr. Chairman.
Mr. Clay. Thank you, Mr. Turner.
Mr. Hodes, any more?
Mr. Hodes. Just one more briefly.
Mr. Clay. Please proceed.
Mr. Hodes. Thank you, Mr. Chairman.
I would like to followup just a little bit on the question
about varying State standards, because I note at page, I think
it looks like 15 of your report, where you talk about the
challenges to exchanging electronic health information and the
area of understanding and resolving legal and policy issues,
and the first bullet point you talk about is resolving
uncertainties regarding the extent of Federal privacy
protection, and it leads me to the question of how quickly we
can go to a national information system with so many differing
standards out there among the States.
Could you tell us what do you think the benefits would be
to establishing a Federal standard in these areas, even if it
meant hypothetically preempting the States?
Ms. Koontz. Well, it is obviously a policy judgment that
you are probably in a much better position to make than I,
but----
Mr. Hodes. That is why I asked the question.
Ms. Koontz. Fair enough. But, I mean, the obvious advantage
here is that we would be trading off some, getting rid of some
complexity in order to, you know, if we got some
standardization. Obviously, from talking to a fairly large
number of entities out there who are involved in information
exchange and involved in providing health care, it is
tremendously confusing, even to the point of trying to decide
what rules apply, what category do they fit in, and then also
how to operationalize all the different kinds of requirements,
as well. So, I mean, I can see on balance it is on the one hand
and on the other hand, but there are definitely benefits to
standardization, as well, although there may be States where
you might end up lowering privacy protection, and I think that
is an issue for that locality.
Mr. Hodes. OK. Thank you very much.
Thank you, Mr. Chairman. I yield back.
Mr. Clay. Thank you, Mr. Hodes.
The AHIC, which is a public/private working group chaired
by the Secretary, assembled a working group on how to address
privacy and confidentiality issues last August. What findings,
if any, have been presented to the Secretary? Is AHIC's work
consistent with GAO's findings and recommendations? Are you
familiar with AHIC, the American Health Information Community?
Ms. Melvin. Yes, we are familiar with that. As far as their
findings and recommendations, at this point we are not certain
as to exactly what they are doing. We do know that HHS is in
the process of assessing the information that they have from
them, and we have not compared that to GAO's recommendations,
as I recall.
Mr. Clay. OK.
Ms. Melvin. We have not compared them to GAO's
recommendations.
Mr. Clay. All right. I thank you for that.
Let me thank both of you for your answers today and for
being witnesses at this hearing. I think it is such an
important issue, and we certainly appreciate GAO weighing in.
Thank you both. This panel is dismissed.
I would now like to invite our second panel of witnesses to
come forward, please.
Testifying today on our second panel will be Mary R.
Grealy, president of the Healthcare Leadership Council. Welcome
to you.
Bryan Pickard, president of the American Health Information
Management Association. Thank you for being here.
Peter P. Swire, the C. William O'Neill professor of law at
the Ohio State University's Moritz College of Law and senior
fellow at the Center for American Progress.
Welcome to all of you.
It is the policy of the committee to swear in all witnesses
before they testify. At this time I would like to ask you all
to stand and raise your right hands.
[Witnesses sworn.]
Mr. Clay. Let the record show that all of the witnesses
answered in the affirmative.
Each of you will have 5 minutes to make an opening
statement. Your complete written testimony will be included in
the hearing record. The yellow light in front of you will
indicate you have 1 minute remaining. The red light will
indicate that your time has expired.
Ms. Grealy, we will begin with you. You may proceed.
STATEMENTS OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP
COUNCIL; BYRON PICKARD, PRESIDENT, AMERICAN HEALTH INFORMATION
MANAGEMENT ASSOCIATION; AND PETER SWIRE, SENIOR FELLOW, CENTER
FOR AMERICAN PROGRESS
STATEMENT OF MARY R. GREALY
Ms. Grealy. Thank you, Mr. Chairman and members of the
subcommittee. On behalf of the members of the Healthcare
Leadership Council, I want to thank you for the opportunity to
testify on this extremely important subject.
Certainly all Americans want to be assured, as we move
toward a day when virtually all clinical health information
will be exchanged electronically, that their confidentiality
will be protected and information will be used to provide
health care of the highest quality.
The Healthcare Leadership Council is comprised of chief
executives of many of the Nation's leading health care
companies and organizations representing all sectors of
American health care. Our members are some of the early
adopters of health information technology.
Mr. Chairman, with my time limitations there are two key
points that I would like to make today. First, allow me to
comment on the current HIPAA privacy rule, a rule that was
developed through careful, detailed deliberations over a 5-year
period, and its effectiveness in the context of electronic
health information exchange.
We are concerned that the transition to more widespread use
of electronic medical records will prompt a reactive call in
some quarters for additional burdensome privacy regulations. It
is important to note that the HIPAA privacy rule, which is
already quite restrictive, was spurred by the growth of
electronic transactions and already contains ample provisions
governing the confidentiality of information, electronic or
otherwise. It is even more important to recognize that more-
restrictive rules, such as requiring providers and payers to
obtain prior consent for treatment, payment, and health care
operations, would delay and disrupt health care, particularly
for the most vulnerable patients.
The fact is, Mr. Chairman, the HIPAA privacy rule has a
successful track record, and that success is being achieved in
an environment in which multi-State electronic data exchange is
already occurring.
Health care providers and plans have spent significant
resources to comply with the HIPAA rule. Before considering any
changes, we should be certain that they are absolutely
essential and would warrant diverting finite resources from
patient care to additional administrative compliance.
The other point I wish to make this afternoon is that,
while the HIPAA privacy rule is effective in protecting patient
confidentiality, the development of a multi-State network
requires the creation of a uniform Federal privacy standard.
While HIPAA establishes such a standard, it permits State
variations that are found in thousands of statutes,
regulations, common law principles, and advisories. This
patchwork quilt creates confusion among those who hold
identifiable health information and those who seek to establish
these data exchanges.
We believe strongly in a national standard that provides
strong privacy protections for every American and facilitates
nationwide and system-wide electronic data exchange for the
betterment of patient care.
Mr. Chairman, Section 6 of your bill, H.R. 4832, laid out a
process to help achieve that national standard, and we hope
that it will find its way and be part of any future HIT
legislation.
One thing that helps us put a face on health care policy
and to put it in perspective is that these issues unavoidably
become personal for all of us. My family currently has a
compelling example in the person of my 88 year old father, who
lives in Fort Lauderdale, FL. Just a few months ago, after a
brief hospital stay for acute kidney failure, he began a
regimen of dialysis three times a week. At the same time, he
was receiving radiation treatment for prostate cancer.
I can tell you firsthand that the staffs in the hospital,
the radiation center, the dialysis center, and the various
physician offices are fully complying with the HIPAA privacy
rules, oftentimes making it difficult for me and my five
brothers and sisters to help coordinate his care. Be assured
that health professionals take the rules very seriously.
More importantly, however, I am also experiencing firsthand
the absolutely critical need for a unified electronic health
record so that my Dad's oncologist, nephrologist, internist,
cardiologist, nutritionist, radiation center, and dialysis
center would all know in real time what each is prescribing
and, more importantly, how he is doing. For example, sharing
the results of lab tests, sharing the prescriptions that they
are ordering.
An electronic health record would have avoided my Dad's
recent experience of receiving Procrit from his oncologist
while he was receiving a similar medication, Epigen, at the
dialysis center. Unfortunately, it fell to us to alert and
notify those two health providers, because they were not
sharing this information.
You can see the importance of having this electronic health
record. America's patients, not just my Dad, need electronic
health record, and I applaud the efforts that you, Mr.
Chairman, and others have put toward achieving that goal.
We look forward to working with you, finding the
appropriate balance between privacy and the need for sharing
this important information as we move forward in this important
area.
Thank you.
[The prepared statement of Ms. Grealy follows:]
[GRAPHIC] [TIFF OMITTED] T9023.027
[GRAPHIC] [TIFF OMITTED] T9023.028
[GRAPHIC] [TIFF OMITTED] T9023.029
[GRAPHIC] [TIFF OMITTED] T9023.030
[GRAPHIC] [TIFF OMITTED] T9023.031
[GRAPHIC] [TIFF OMITTED] T9023.032
[GRAPHIC] [TIFF OMITTED] T9023.033
[GRAPHIC] [TIFF OMITTED] T9023.034
[GRAPHIC] [TIFF OMITTED] T9023.035
[GRAPHIC] [TIFF OMITTED] T9023.036
[GRAPHIC] [TIFF OMITTED] T9023.037
[GRAPHIC] [TIFF OMITTED] T9023.038
[GRAPHIC] [TIFF OMITTED] T9023.039
[GRAPHIC] [TIFF OMITTED] T9023.040
[GRAPHIC] [TIFF OMITTED] T9023.041
[GRAPHIC] [TIFF OMITTED] T9023.042
[GRAPHIC] [TIFF OMITTED] T9023.043
[GRAPHIC] [TIFF OMITTED] T9023.044
[GRAPHIC] [TIFF OMITTED] T9023.045
[GRAPHIC] [TIFF OMITTED] T9023.046
Mr. Clay. Thank you so much, Ms. Grealy, for that
testimony.
Mr. Pickard, you may proceed.
STATEMENT OF BYRON PICKARD
Mr. Pickard. Chairman Clay and members of the subcommittee,
thank you for this opportunity to testify. I will be testifying
on behalf of AHIMA, but will also draw upon my professional
experiences to describe the public/private efforts currently
underway exploring the privacy of electronically transmitted
health information.
My written testimony addresses some areas of specific
interest to our profession; namely, expansion of privacy
protections for personal health records, differences between
HIPAA at business associates and non-covered third-party
contractors, and protecting student health information, and
conflicts between HIPAA and FERPA. AHIMA also has a foundation
of research and education, which has received several grants
and contracts from the Office of the National Coordinator and
others. I have attached a list of those commitments.
Mr. Chairman, the HIM professionals' responsibilities are
interwoven with privacy and security issues. The expansion of
confidentiality management and protection is impacted not only
by HIPAA but also by the health care industry's continued
transformation from a paper intensive industry to one of
electronic records and transmissions.
I wish I could tell you that the health care industry has
been transformed into a fully electronic system, but, in fact,
I cannot. We are in the midst of what would be a long
transition.
In working through these transitional issues, AHIMA has
partnered with the American Medical Informatics Association and
we have produced two joint statements relative to today's
discussion, one on health information confidentiality, and the
other on the value of personal health records. With so much
history and experience in the protection of health information,
it is important to note AHIMA's position. Our written testimony
contains our full list of health information confidentiality
principles.
As our health care system becomes more interconnected, our
networked health information will flow across a range of
entities and boundaries. It will be critical to follow these
principles. Privacy protections must follow personal health
information [PHI], no matter where it resides, and uniform and
universal protections for PHI should apply across all
jurisdictions in order to facilitate consistent understanding
and compliance.
Considerable time has been spent exploring and developing
electronic health information exchange and how to protect
health information by the Agency for Health Care Research and
Quality, a American health information community, the Office of
the National Coordinator, and others. These initiatives and
their impact on privacy and security are detailed in our
written testimony.
AHIMA members, and especially those who fill the role of
privacy office, are noting that the issue of confidentiality is
moving beyond just health care. With the banking and finance
industries handling health information more frequently, it has
become apparent that we must soon address the comprehensive
protection of an individual's information, White House whether
it is financial or health related. This is an issue that
Congress will need to investigate as we see more change in the
bordering of industry boundaries.
We also see a need for consumer education to address
confidentiality and security, as well as the value of health
information technology usage. It is only with consumer trust
that a national infrastructure can be built and laws adopted or
modified to facilitate information exchange.
AHIMA has long called for consumer-based personal health
records, in addition to the standard provider-based electronic
health records. While we have never endorsed a PHR product, we
have called for consumers to use a PHR, whether in paper or
electronic form, to track their own health status. To support
this goal, AHIMA embarked upon a PHR consumer education
campaign that combines the use of a consumer Web site with
public presentations by AHIMA members in each and every State.
AHIMA is leading an effort to ensure interoperability of
the PHR, with the new health level seven standard electronic
health record, and we expect to see a new PHR electronic
standard from HL-7 in the near future.
AHIMA's believe that protections should follow personal
health information, no matter where it might be stored or
transferred, clearly extends to PHRs. PHRs can be stored or
offered by a variety of different vendors or operators. Some of
these vendors are HIPAA-covered entities, and others are not.
Protections against the discrimination and misuse of PHR
information must be established along with a requirement that
any access or use of PHR information be governed by a separate
authorization unless otherwise required by law. Except for PHRs
offered by health care providers, we believe that individuals
should be given the right to opt out of a PHR being built for
them or their family members.
The answers are not simple. As the AHIC and the NCVHS and
others discuss and provide recommendations in the privacy and
security area, Congress can also begin to look at some very
important issues: that confidentiality of protections follow
the information no matter where it resides or is transferred;
that comprehensive non-discrimination laws have harsh penalties
for the intentional misuse of health information; that we
prosecute those who break these laws; that we penalize those
entities that are non-compliant with confidentiality and
security laws and regulations; that conflicts between HIPAA
versus FERPA be eliminated in favor of consistent and strong
confidentiality; and that proposed laws be reviewed to identify
barriers that may arise that would impede the deployment of
health information technology products, expansion of health
information exchange, and critical uses of health information.
Mr. Chairman and members of the subcommittee, I hope that
our testimony has given you an insight into the aspects of
health care confidentiality and security that you are seeking,
and that our recommendations will provide you with guidance as
you address the many difficult questions facing our community.
I stand ready to answer any further questions or concerns you
might have.
Thank you.
[The prepared statement of Mr. Pickard follows:]
[GRAPHIC] [TIFF OMITTED] T9023.047
[GRAPHIC] [TIFF OMITTED] T9023.048
[GRAPHIC] [TIFF OMITTED] T9023.049
[GRAPHIC] [TIFF OMITTED] T9023.050
[GRAPHIC] [TIFF OMITTED] T9023.051
[GRAPHIC] [TIFF OMITTED] T9023.052
[GRAPHIC] [TIFF OMITTED] T9023.053
[GRAPHIC] [TIFF OMITTED] T9023.054
[GRAPHIC] [TIFF OMITTED] T9023.055
[GRAPHIC] [TIFF OMITTED] T9023.056
[GRAPHIC] [TIFF OMITTED] T9023.057
[GRAPHIC] [TIFF OMITTED] T9023.058
[GRAPHIC] [TIFF OMITTED] T9023.059
[GRAPHIC] [TIFF OMITTED] T9023.060
[GRAPHIC] [TIFF OMITTED] T9023.061
[GRAPHIC] [TIFF OMITTED] T9023.062
[GRAPHIC] [TIFF OMITTED] T9023.063
[GRAPHIC] [TIFF OMITTED] T9023.064
[GRAPHIC] [TIFF OMITTED] T9023.065
[GRAPHIC] [TIFF OMITTED] T9023.066
[GRAPHIC] [TIFF OMITTED] T9023.067
Mr. Clay. Thank you so much, Mr. Pickard.
Mr. Swire, of the Ohio State University.
STATEMENT OF PETER SWIRE
Mr. Swire. The Ohio State University, home of the Buckeyes.
Yes, sir.
Mr. Clay. Yes, sir.
Mr. Swire. Mr. Chairman, members of the subcommittee, thank
you very much for the invitation to testify here today on
privacy and security of electronic health records.
Today fewer than 10 percent of our clinical records in the
country are accessible in electronic form, and all of us hope
that number climbs sharply in the next decade.
My colleague at the Center for American Progress, Karen
Davenport, has recently released a new report about health IT
and the quality improvements, and, Mr. Chairman, I ask if that
could be submitted to the record for this hearing.
Mr. Clay. Yes, please.
Mr. Swire. Thank you.
To make this shift to the NHIN, the National Health
Information Network, we need to get privacy and security right.
Public surveys repeatedly showed that these privacy concerns
are top of mind when it comes to the shift to electronic health
records. Unless Americans are convinced that effective
safeguards are in place, many of the benefits of this NHIN may
be delayed or lost entirely.
My written statement addresses various issues, but I would
highlight two things in the testimony today: preemption and
enforcement.
On preemption, my theme is that the wrong sort of
preemption would actually repeal many existing privacy and
security safeguards. On enforcement, the current no enforcement
system is not a sound basis for going forward with electronic
health records.
Briefly, my background before returning to law teaching, I
served as chief counselor for privacy in the U.S. Office of
Management and Budget in 1999 and 2000, and in that role I was
the White House coordinator for the HIPAA privacy rule. This
has lost me many friends in the medical community.
During that time we had over 50,000 public comments on the
proposed rule, and I co-chaired the process to look at those,
try to respond to them, and come up with a final rule by the
end of 2000, and I have worked in this area since. So it is
based on that I try to offer some observations today.
On preemption, my first theme is that simple preemption of
State laws going to HIPAA alone would repeal many existing
privacy protections.
In many States we have protections for things like HIV
records, mental health, substance abuse, reproductive records,
Public Health Agency records, genetic records, and if we simply
say let's do HIPAA, then that means that all of the State
protections would be repealed.
In Ms. Grealy's testimony, they feature Indiana as a State
to look to. Indiana has the fewest State safeguards, and so
harmonizing on that level would be a drop in privacy
protection, and we should be careful about doing that.
On enforcement, I have serious concerns about the lack of
enforcement from HHS. This is an oversight issue. This creates
an obstacle to going forward with electronic health records. If
no enforcements are brought under the current system so far
under HIPAA, why should the public trust we are going to have
good enforcement for the next generation?
Let me emphasize my criticism here goes to law and policy
and not to the good faith or the intelligence or hard work of
people at HHS, but there are some legal problems the Congress
may need to address.
There are three principal problems in enforcement:
First, the batting average for HHS is pretty low. There has
been 27,000 complaints and zero civil or monetary penalties, so
over 27,000. That doesn't create a lot of confidence.
Second, the current administration has adopted the policy
of one free violation. In an enforcement rule last year, HHS
said that the first violation simply won't lead to a penalty;
instead, it will lead to a planned correct going forward. This
sends the signal that medical privacy shouldn't be taken
seriously. If you are a covered entity, just wait until they
come the first time and then you can fix it, but you don't face
any exposure.
Third, the Department of Justice has dropped the ball on
criminal prosecution. Justice has received almost 400 referrals
from HHS and has brought zero cases under those 400 referrals.
These are the most serious cases, and the problem is that, once
it goes to DOJ, under current policy HHS stops all proceedings,
so the most serious cases HHS doesn't do it and DOJ doesn't do
it.
This lack of enforcement has been the subject of major
stories in the Wall Street Journal and the Washington Post. One
expert was quoted in the post saying, ``HHS really isn't doing
anything, so why should I worry?''
The lack of HIPAA enforcement will make it harder to build
the next generation of electronic health records. Critics will
be on strong and legitimate ground saying they can't trust the
current system, much less the higher level of trust we would
want to have if we go to the all-electronic NHIN.
In my testimony I point out that we can respond to these
problems perhaps by HHS changes or by targeted legislation.
Here are three things to consider, and then I will close:
first, HHS can end the one free violation part of the
enforcement reg; second, we should end the current
interpretation where HHS stops its own enforcement efforts in
the most serious cases whenever there is a criminal referral to
DOJ; and, third, a mistaken Department of Justice legal opinion
that narrowed the criminal provisions of HIPAA should be
revisited. They really take the position that only the hospital
that intentionally violates the law and not any of the
individuals who break the law can be enforced.
That concludes my comments. I welcome any questions you may
have.
[The prepared statement of Mr. Swire follows:]
[GRAPHIC] [TIFF OMITTED] T9023.068
[GRAPHIC] [TIFF OMITTED] T9023.069
[GRAPHIC] [TIFF OMITTED] T9023.070
[GRAPHIC] [TIFF OMITTED] T9023.071
[GRAPHIC] [TIFF OMITTED] T9023.072
[GRAPHIC] [TIFF OMITTED] T9023.073
[GRAPHIC] [TIFF OMITTED] T9023.074
[GRAPHIC] [TIFF OMITTED] T9023.075
Mr. Clay. Thank you, Mr. Swire.
Let me thank the entire panel for their testimony today.
We will begin the question period under the 5-minute rule,
and I will begin with a general question for everyone to
comment on. Many electronic health care tools such as
electronic health records and internet-based personal health
records are available to consumers today. The country, however,
is still lacking an established nationwide approach for
ensuring that personal health information will be protected
from inappropriate disclosure. Do you believe that the
implementation of health IT is beginning to out-pace the
development of overall privacy policies and practices?
We will start with Ms. Grealy.
Ms. Grealy. Well, as I said, both from my experience as
heading up the Healthcare Leadership Council and formerly with
the American Hospital Association, as well as my personal
experience dealing with health care for my family, providers
took the HIPAA privacy rule very, very seriously. They put in
place compliance plans, a lot of education, and this was
throughout all of the covered entities, the various business
associates. I am not sure we often recognize just how much went
into making sure they understood the HIPAA privacy rules and
they were in compliance.
The rules are very complex. I just want to touch on, I
think, the approach that HHS and the Office of Civil Rights has
taken is really the proper approach. They could have taken a
``gotcha'' approach, and, you know, every time we find you have
made just the slightest error we are coming after you with
civil and monetary penalties or criminal penalties. I think,
instead, what they did was to develop a partnership. We want
this rule to work, and so we have partnered with providers and
others to educate them.
Of the 27,000 complaints that have been registered, I think
if you delve into them, if you talk with the people at the
Office of Civil Rights you will find that many, many, the vast
majority, were really a misunderstanding of what was required
by the privacy rule. In fact, many times we have run into what
I would call hyper-compliance, where we have providers
unwilling to share information with those who could benefit
from it because they throw up HIPAA doesn't allow me to do
that. So we really have to strike that appropriate balance.
As we move into the electronic world, security measures are
in place. I think we also sometimes lose sight that these
electronic medical records can be much more secure than the
paper records that have been sitting in file cabinets and
physicians' offices. Oftentimes you have no way of determining
who has accessed those records, unlike in the electronic world
where you can establish an audit trail. You can really
determine who has accessed that and whether it is appropriate.
You can password protect it.
So I think we have a framework. We may have to modify it.
You can tell from the GAO testimony that there is a lot of work
going on at HHS, at AHIC, the National Committee on Vital
Health Statistics, to determine what is appropriate in this
electronic world. But remember, this all started because people
were concerned about the electronic transmission of personally
identifiable health information. That is what started the HIPAA
statute and resulted in the HIPAA privacy rule. So I don't
think we need a wholesale revision of it. We may need some
tweaking of it. But I think right now it is workable, and a lot
of providers are spending a lot of time and resources that
don't go to direct patient care, but instead go toward
compliance. I think we have to be very, very careful in terms
of how we use those resources.
Mr. Clay. Thank you, Ms. Grealy.
Mr. Pickard.
Mr. Pickard. Yes. I would have to agree, and I think that
it is not a question of the technology but more about the
actual policies. I do believe that HIPAA has provided a good
framework, and I think where we run into challenges or where we
will run into challenges are the other entities, the other
types of entities outside of the HIPAA boundaries, the covered
entities that are now faced with handling health information.
So I believe that is probably where we run into challenges
associated with HIPAA. That, again, kind of brings us back to
an important point or important principle within my testimony,
and that is that the confidentiality and privacy protections
follow the information, no matter where it goes or where it
resides or how it is accessed or handled.
Mr. Clay. How about you, Mr. Swire?
Mr. Swire. Thank you, sir.
A fairly simple point. HIPAA came about when we made a
shift for payment records from paper to electronic, so you
would file with Medicare, insurance companies electronically,
and Congress said in 1996 let's do privacy and security with
that.
We are now in chapter two, and chapter two is the shift for
clinical records, your x-rays and all the rest of those things,
and we are now building the systems for the first time to
really move clinical records, so we should build those systems
right for this generation like we tried to build systems right
for the payments generation, and that is our job together.
The easiest time to get privacy and security right is when
you build it the first time. It is much harder to patch later.
That is where Congress can take a leadership role and make sure
we do it.
Mr. Clay. Thank you for that response.
Mr. Hodes.
Mr. Hodes. Thank you, Mr. Chairman.
Professor Swire, I am interested in and appreciate your
condensed version of arguments about preemption and what we
might lose by it, because really I think that goes to the heart
of policy issues that Congress is facing in dealing with the
questions of a national health information network versus
leaving it to what is clearly a rapidly evolving patchwork of
regulation. You point out that we have HIPAA as, call it, a
baseline, but that many States have--in fact, I think all the
States have dealt with other medical information of a very
sensitive kind that HIPAA simply doesn't deal with. So I take
to heart your point about not rushing too quickly to simply say
HIPAA is the standard and that is the national standard and
that is where we are leaving it.
If we were to look at the national picture, which I am sure
you have much more than I have, how would you balance, in
looking what the various States have done in terms of the
issues you have raised on pages three and four of your report--
mental health records, HIV, and all that--if Congress was
inclined to try to set some national standard, mindful of your
warnings? How would you suggest we go about looking at what the
States have done? Should we simply say we are going to take the
best standards from whichever State best protects privacy and
security of people and that is the one we are going to use for
HIV, and similarly we are going to look at mental health
records and take the best one that we can get from State B, and
then we are going to incorporate it with this other baseline
and call it a Federal standard? What do you think?
Mr. Swire. Well, we could go on for quite some time----
Mr. Hodes. I know.
Mr. Swire [continuing]. To try to figure out how to do
that, but----
Mr. Hodes. I have only got 5 minutes.
Mr. Swire. I know, and I will try to do it in about four
sentences. Not really.
The first point is best does not mean stricter or less
strict. You can't avoid making some judgments here, so when it
comes to HIV data you have a public health issue if people
won't get tested, and if you repeal for big cities' HIV
protections you could face public health risks, and that
doesn't seem like a good idea to me.
But I think one step here is I think that HHS and the
Government can play a much better role in helping us all
understand what the State laws are, and here is a specific
thing. There is this RTI study--that is the contractor for
HHS--and they have gone and done studies of, I think, 34
States. I have been told by somebody who has been near the
process that they are not planning to release the surveys from
the States to the public. It seems to me if Government is going
to spend contractor money to try to figure out what all these
State laws mean, they reduce compliance costs for everybody if
we get that information out to everybody, so just a much better
job of education and getting the information out there so that
people don't have to go to expensive law firms to try to figure
it out. That is one step toward knowing what needs to be done.
Ms. Grealy. Congressman, I would like to comment----
Mr. Hodes. Please. Thank you.
Ms. Grealy [continuing]. Because we undertook one of those
very expensive studies, $1 million investment, to have a tool
where providers could check to see what is the State law, what
is the variation. That still requires time. It is a lot of
money to maintain that system, and I don't think it addresses
your question. I don't think it really gives us a workable
national standard. Just because we have the information from
the RTI study, we still have all this variation.
We don't have to sacrifice privacy to develop this
standard. Again I reference Section 6 in H.R. 4852, which
really set out a process. Let's look at the States, let's study
the variation, and then come up with recommendations as to what
would be the appropriate rule in those very sensitive areas. We
have done it for mental health to a certain degree in the HIPAA
privacy rule, but we certainly could improve it in those other
areas.
Mr. Hodes. Thank you.
Mr. Pickard, did you want to comment?
Mr. Pickard. No.
Mr. Hodes. Thank you.
Mr. Chairman, I yield back. Thank you very much.
Mr. Clay. Thank you for that line of questions.
I asked this question to GAO during the first panel and
would like to hear your thoughts on the topic. A significant
problem with HIPAA is that it does not cover all entities that
possess or utilize personal health information. Some life
insurers and research entities not involved with the treatment
of patients fall outside the rules. In your work, have you
analyzed this problem? And how significant is it, in your view?
Let's start with Mr. Swire.
Mr. Swire. OK. So this has to do with who should be covered
entities, and the statute sets that forth. HHS doesn't have a
lot of wiggle room on that, so it would have to come from
Congress.
I think that for life insurance it is not such a big
program. Graham-Leach-Bliley applies there. But in my testimony
I point out that if you say anything that touches medical data,
like I buy a breast cancer book for somebody on Amazon, we
don't want to suddenly have HIPAA kick in just because they
mention the word health, and so how to expand it is something
that you have to be careful about.
One area of concern is that public health agencies are not
subject to Federal laws, and law enforcement when it grabs
health data, and there may be some work to be done on the
Government's side to make sure that effective protections are
in place, especially if they are trying to gather lots of bio-
surveillance kinds of things going forward.
Mr. Clay. Mr. Pickard.
Mr. Pickard. Yes. If I could just say, that is an important
question. I think that our association, AHIMA, strongly
believes in harmonization of all of the privacy protections
across all entities. When you look at the personal health
records, when HIPAA was developed personal health records were
barely being talked about. In a university setting with student
records there is a lack of harmonization, as I mentioned in my
testimony, between the FERPA, or Family Education Rights
Privacy Act, and HIPAA. There are differences. And so I think
it is an important question, and I think that, again, I agree
it is one that will require answers and consideration as we
move forward.
Mr. Clay. Thank you.
Ms. Grealy, any thoughts?
Ms. Grealy. Well, as always, it is a balancing question. We
want to make sure that we are not stifling innovation, as we
have. I mean, I think we are finally beginning to see patients
becoming more engaged in helping to manage their health care,
and getting them engaged with personal health records I think
is a very positive thing. We want to make sure that they feel
very secure when they are sharing that information.
Now, is the best way to go about that, make everyone a
covered entity? Is it better to make them business associates?
I think we just have to make sure that the rules are clear,
that we don't have conflicting standards out there. So if you
start expanding business associates, making them covered
entities, they may be in one sense a business associate, have
to comply with a covered entity's rules, but then in another
setting they become a covered entity, and they all hold a
different set of standards.
So, again, we know that there is work going on in this
area. I know AHIC is looking at it. We are going to be
testifying before them on Friday. But, again, just carefully
looking at those and making sure that we are not getting into
over-regulation and stifling the innovation that is really
taking place out there.
I think one of the most important things I heard from the
GAO panel, and something that we really have to focus on, is
educating the public, communicating to them why do we want this
information, but, more importantly, why is it good for you as a
patient for us to have this information. Why do we want it? How
are we going to share it? And how are we going to protect that
information and keep it secure? So they know under HIPAA and
various State statutes we can't disclose it to their employer,
we can't disclose it to the newspaper, we can't disclose it to
their neighbors. But we have to assure people that it is
important for their health and for the health of future
generations for us to have a workable privacy rule that allows
for the necessary flow of health information.
Mr. Clay. Along those same lines, there is significant
debate concerning the most effective way to obtain patient
authorization for the disclosure or sharing of personal health
information. For a national health information network to be
successful, doesn't it require a stronger uniform privacy
standard that requires affirmative consent from a patient for
all information disclosure? And yes, we can start with you. I
would like to hear comments from the entire panel.
Ms. Grealy. I have the great benefit of every once in a
while getting out there and talking to the real people that are
actually doing this. I was just in Delaware, where they are
doing a demonstration project with a health information
network. We talked about this. Let's call it opt-in versus opt-
out.
I am going around and asking this question: how would your
data exchange system work if it had to be an opt-in? If you are
the Mayo that has a century worth of data, longitudinal
studies, how would it work if you had to have an opt-in as
opposed to you have the information, you give people the
opportunity to opt-out of it? But if you had to go to each
individual patient, to each individual subject that you want
included, and get their affirmative decision to be included and
to share their electronic medical record, I think it would halt
the system.
If we have to make a decision between the two, certainly
opt-out is going to be better.
Mr. Clay. Mr. Pickard, any comments?
Mr. Pickard. Yes. Again, I think this is probably an area
where AHIC is, in terms of their Privacy and Security Committee
is looking into these types of issues.
I can tell you in the State of Tennessee, with our health
information exchange we have run up against this very question
or this very issue, and we have put in protocols to enable
patients to opt in or opt out, and then certainly you have the
whole concept of patient identification. But, again, I think it
is an important issue.
Mr. Clay. Mr. Swire.
Mr. Swire. Thank you. So the one way this comes up is if
somebody sees a psychiatrist or gets substance abuse or
something else and they say, look, I don't want this going out
to everybody everywhere. So one idea of consent or
authorization is some way for the patient to say, hold on, not
this.
I think it makes sense to a lot of people that some sort of
permission for patients or some sort of control over that might
make sense.
Now, we can talk opt-in/opt-out. Some of the systems don't
want to have an opt at all. They just want to say we are going
to sign everybody up. I think that is a concern. So if you
don't want to be in at all, if you don't want to just sort of
have my doctor puts everything in and I have no control over
that, I don't think that is the right place to be. The question
is what point, for how many choices, will a patient have any
say.
I worked on Markle's Connecting for Health Task Force, and
they have a write-up on this that I think goes through it in a
sensible way, and I think you end up with an opt out where that
is realistic where patients say, look, it generally goes in,
but if I say it doesn't we should try to build it so it doesn't
go in.
Mr. Clay. Just to pause after hearing the three different
responses, what is the damage? What is the harm if someone
other than a health care provider gets a copy of an x-ray or
they get a record of a prescription? What do you think the harm
is?
Ms. Grealy. I think the concern is that the health care
provider might not get the x-ray. I mean, I am not even talking
about disclosures to those that really shouldn't have the
information. We are talking about patients saying, no,
provider, the physician treating me cannot have this
information. So we have to be very, very cautious, again, in
that balance of making sure, and there may be a system of, you
know, flagging it so the physician knows I don't have all the
information, I had better check with this patient.
I am not sure how that translates when we are trying to
build data bases to improve the quality of health care, to
improve treatment for disease, if we have a lot of critical
missing information.
Mr. Clay. Well, like the example you use in your testimony,
the pharmacist should have relayed to both physicians for your
father what medicines?
Ms. Grealy. If this were something that he was getting at a
pharmacy, you are right. CVS, one of our members, they have
gone electronic, so they can do those alerts. But these were
services, these were hormone shots, one being given in the
oncologist's office and the other being part of the dialysis
center treatment. There is no pharmacist in the picture, no
electronic medical record to exchange that information, and so
no way to alert.
Mr. Clay. Mr. Pickard, any thoughts?
Mr. Pickard. Again, I think--and I said this in my
testimony--I think we need to move away from thinking about the
type of information and the entity and make sure that the
privacy protections do follow the health information wherever
it resides.
Let me just share. If I am an employee, I want the
capability to opt out and to perhaps not have my employer have
certain types of information. This is particularly important in
today's environment where a lot of employers or insurances, for
that matter, are developing personal health record tools for
employees or subscribers. I think as an employee or an
insurance subscriber, I should have that right to opt out of
that.
Mr. Swire. Just one point to add on is that some of the
most sensitive kinds of data that I have been talking about,
the mental health and substance abuse, genetic, or whatever,
are only protected by State law, so even if x-rays aren't,
these other things are only protected by State law, and if we
were to harmonize at the national baseline then those
psychiatric notes, the substance abuse things, and the rest
could be going through the system, and that is a reason not to
preempt too strictly or not to preempt at a low level.
Mr. Clay. Let me ask this. This is a question for the
entire panel. There have been long-term concerns on how health
information is treated differently under institutions that are
also covered under different privacy regulations, such as
Family Educational Rights and Privacy Act of 1974. Under the
privacy rule, records protected by FERPA are not covered by the
privacy rule; therefore, even if the information contained in
an education record is health related, the privacy rule does
not apply.
Is this an area where conflicts ought to be addressed in
order to harmonize the way in which patient information is
protected?
Ms. Grealy, we will ask you first.
Ms. Grealy. Well, I think one of the things that those that
actually have to do compliance are always looking for is; give
me uniformity. Make it simple. Don't have one set of standards
here, another set of standards there. So I think any way we can
harmonize these requirements is a positive thing.
Mr. Clay. Mr. Pickard.
Mr. Pickard. I agree. And let me just share, working in a
university, you know, we interact and deal with both HIPAA
regulations as well as FERPA regulations, and if I am a student
and let's say if I have a medical condition that requires me to
live off campus, I have to submit what actually becomes part of
my academic record health information, and there is a lack of
standardization in terms of how that information may or may not
be handled. So I agree. I think there needs to be a
harmonization across all of these different laws.
Mr. Clay. Thank you.
Mr. Swire.
Mr. Swire. I am going to disagree on the FERPA one. I will
just explain why. That was an issue that I worked on
extensively during the rule and the comments from the schools,
associations, and the rest. The logic at the time--and maybe it
is different today--was with school nurses in high schools all
over the country, rural grade schools, all the rest, if we
harmonized to HIPAA, which is what AHIMA recommends and is
worth considering, if we harmonize to HIPAA then the school
nurse in that grade school out in a rural area would have to do
full HIPAA compliance. And it wasn't clear that was the big
risk, and it was clear that there would be a whole compliance
thing to do if that happened.
So the idea there was we thought that there was a pretty
reasonable FERPA regime in place, that the school nurses
shouldn't suddenly have to do more, and that was a sensible way
to go.
Now, it does mean that universities like Vanderbilt get a
double whammy, because they get students and then they get some
other folks who are HIPAA, and suddenly they get both. In some
ways maybe Vanderbilt people are so smart they can handle it,
but maybe not every school nurse has to do HIPAA.
So I am not really sure how you harmonize, because if you
harmonize that everybody is HIPAA, then it is the school nurses
of America that will be here next time.
Mr. Clay. Speaking of universities, Mr. Swire, I will ask
you and then go down the line. Mr. Mark Rothstein of the
University of Louisville has written extensively on the use of
compelled authorizations for personal health information by
employers for job applicants, life insurers for those applying
for coverage, and other non-covered entities. If the current
privacy rule does not regulate PHI once it is released to a
third-party entity not covered under the rule, shouldn't we re-
examine who will be covered when receiving electronic health
information?
Mr. Swire. That is a great question, and it wouldn't be
easy to legislate, but here are a couple of points that come
up.
So right now you can't have compelled authorizations for
health care providers. If you show up at the ER and you are
rolling in on the gurney, they can't say, sign here or we won't
treat you, and you sign away everything. That is in HIPAA.
The thing was, when HIPAA rules were written, HHS could do
that--that is covered entities--but HHS had no jurisdiction
over the employers of America. That just wasn't in the statute,
so there was no choice in writing the rule about what to do for
employers. That is a choice that only Congress can decide to
step into.
If you want to say, as Congress, we are going to treat the
employers the way we treat the hospitals, you can't require
these authorizations as a condition of being employed here,
that is a decision Congress can make. You are going to hear it
from the employers. And sometimes employers will say we need
this to figure out if they can lift the heavy loads or we need
it for some other job-related thing. But that is what you would
have to work through, and it would have to be statute. It can't
be by reg.
Mr. Clay. Thank you.
Any comments on that, Mr. Pickard?
Mr. Pickard. Yes. We are seeing many, many different types
of entities outside of the HIPAA-covered entities and business
associates that are handling health information. Again, this
goes back to our principles I shared earlier, and that is that
we really look to confidentiality protections following the
health information, no matter where it resides, and there needs
to be a national floor for handling health information.
Mr. Clay. OK. Ms. Grealy.
Ms. Grealy. I talked with a few of, I think, entities that
people are referring to. Revolution Health Care is one that is
really getting into working with consumers, developing a
personal health record that they can access through the
internet. They have a contractual relationship with the
consumers that they are dealing with, and they say that they
are HIPAA compliant, even though they are not a covered entity;
that they feel it is a good business practice. They want the
trust of the consumers that they are dealing with, and it is in
their best interest to make sure that they have a high level of
security and protecting that information.
So I think all of us have mentioned we know that AHIC, HHS,
and others are really exploring these issues, and I think that
is really the appropriate place; that we need to look at it
carefully; make sure, as I said earlier, that we are not
stifling innovation by expanding the reach of a heavy
regulatory scheme; and make sure that it is balanced well,
because I don't think we want to snuff out the innovation that
is going on out there, but we do want to make sure that this
information is protected.
Mr. Clay. All right. Thank you.
Let me thank the entire panel for their testimony and their
answers. We have certainly covered some ground today. This is a
very complex issue. As the Congress takes this issue on of
health information technology and how we actually protect the
privacy of citizens throughout this country, patients, we will
certainly rely on your expertise, and this hearing has been
helpful in shedding light on this. Let me again thank you all
for your testimony today.
That concludes this hearing.
[Whereupon, at 3:30 p.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] T9023.076
[GRAPHIC] [TIFF OMITTED] T9023.077
[GRAPHIC] [TIFF OMITTED] T9023.078
[GRAPHIC] [TIFF OMITTED] T9023.079
[GRAPHIC] [TIFF OMITTED] T9023.080
[GRAPHIC] [TIFF OMITTED] T9023.081
[GRAPHIC] [TIFF OMITTED] T9023.082
[GRAPHIC] [TIFF OMITTED] T9023.083
�