[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]

PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS
=======================================================================

HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES
of the
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
JUNE 19, 2007
__________
Serial No. 110-33
__________
Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.oversight.house.gov
______
U.S. GOVERNMENT PRINTING OFFICE
39-023 WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104
Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
BRIAN HIGGINS, New York
JOHN A. YARMUTH, Kentucky
BRUCE L. BRALEY, Iowa
ELEANOR HOLMES NORTON, District of Columbia
BETTY McCOLLUM, Minnesota
JIM COOPER, Tennessee
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

TOM DAVIS, Virginia
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
VIRGINIA FOXX, North Carolina
BRIAN P. BILBRAY, California
BILL SALI, Idaho
JIM JORDAN, Ohio

Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director

Subcommittee on Information Policy, Census, and National Archives

WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
JOHN A. YARMUTH, Kentucky
PAUL W. HODES, New Hampshire

MICHAEL R. TURNER, Ohio
CHRIS CANNON, Utah
BILL SALI, Idaho

Tony Haywood, Staff Director

C O N T E N T S
----------
Page
Hearing held on June 19, 2007 ..... 1
Statement of:
    Grealy, Mary R., president, Healthcare Leadership Council; Byron Pickard, president, American Health Information Management Association; and Peter Swire, senior fellow, Center for American Progress ..... 41
        Grealy, Mary R. ..... 41
        Pickard, Byron ..... 63
        Swire, Peter ..... 86
    Melvin, Valerie C., Director of Information Management Issues, Government Accountability Office, accompanied by Linda D. Koontz, Director for Information Management Issues, Government Accountability Office ..... 6
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of ..... 3
    Grealy, Mary R., president, Healthcare Leadership Council, prepared statement of ..... 43
    Hodes, Hon. Paul W., a Representative in Congress from the State of New Hampshire, prepared statement of ..... 34
    Melvin, Valerie C., Director of Information Management Issues, Government Accountability Office, prepared statement of ..... 8
    Pickard, Byron, president, American Health Information Management Association, prepared statement of ..... 65
    Swire, Peter, senior fellow, Center for American Progress, prepared statement of ..... 88

PROTECTING PATIENT PRIVACY IN HEALTHCARE INFORMATION SYSTEMS
----------
TUESDAY, JUNE 19, 2007

House of Representatives, Subcommittee on Information Policy, Census, and National Archives, Committee on Oversight and Government Reform, Washington, DC.

The subcommittee met, pursuant to notice, at 2 p.m. in room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chairman of the subcommittee) presiding.

Present: Representatives Clay, Maloney, Hodes, and Turner.

Staff present: Tony Haywood, staff director/counsel; Jean Gosa, clerk; Adam C. Bordes, professional staff member; Nidia Salazar, staff assistant; Charles Phillips, minority counsel; Allyson Blandford, minority professional staff member; Patrick Lyden, minority parliamentarian and member services coordinator; and Benjamin Chance, minority clerk.

Mr. Clay. The Subcommittee on Information Policy, Census, and National Archives will come to order. Let me begin by saying good afternoon and welcome to today's hearing on efforts to protect the privacy of personal health information in electronic health care information systems.

The use of IT to store, share, and secure electronic health information has expanded rapidly in recent years. Many insurers and hospitals have already transitioned from paper-based records to electronic medical record systems for exchanging patient data. This has brought important benefits to both patients and providers, including shorter hospital stays, improved management of chronic disease, and fewer redundant tests and examinations.
Americans have expressed legitimate concerns, however, about the potential for improper disclosure of personally identifiable health care information. Before they will fully embrace the benefits and efficiencies of e-health solutions, patients must be confident that personal information in electronic format is as secure and private as information in paper records.

A nationwide health information network promises tremendous benefits for patients. For 3 years the Department of Health and Human Services has been working to make the idea technically and economically feasible. Unfortunately, a January 2007 GAO report found that HHS was not doing enough to integrate effective privacy safeguards into its long-term national strategy for health IT.

Varying health IT privacy standards in different States are another area of concern. While the enactment of the Health Insurance Portability and Accountability Act [HIPAA] in 1996 was an important step forward, it has left patients with disparate privacy protections. I believe we should amend HIPAA to extend the most effective and practical privacy safeguards to everyone. I introduced bipartisan legislation in the 109th Congress which proposed to establish a framework for a uniform national health privacy standard.

Giving patients greater personal control over their health information is critical; therefore, putting in place stricter notice and consent requirements for all third-party disclosures and information sharing activities is an important legislative objective for Congress to achieve.

Today's hearing will allow different perspectives on these issues to be aired as we move toward implementing a national health care information network.
I must say that I am disappointed that HHS was unable to supply a suitable witness to appear today on behalf of the administration, but the Department has submitted written testimony for today's hearing, and I will ask GAO and our other witnesses to respond to positions stated in that testimony. I look forward to the testimony of all of our witnesses.

[The prepared statement of Hon. Wm. Lacy Clay follows (graphic pages omitted).]

Mr. Clay. I assume when the ranking member gets here he will have an opening statement and we will yield to him for that, but for now we will proceed with the hearing. If we don't have any additional statements, the subcommittee will now hear testimony from the witnesses before us today.

On our first panel we will hear from Valerie C. Melvin, Director for Human Capital and Management Information Systems Issues at GAO. Welcome, Ms. Melvin. Accompanying Ms. Melvin is Linda D. Koontz, Director for Information Management Issues at GAO. Welcome to you. Ms. Melvin will deliver GAO's formal testimony, and both will respond to questions. Thank you for appearing before the committee today.

It is the policy of the Committee on Oversight and Government Reform to swear in all witnesses before they testify. Will you both please stand and raise your right hands?

[Witnesses sworn.]

Mr. Clay. Let the record reflect that the witnesses answered in the affirmative. Ms. Melvin, you will have 5 minutes to make an opening statement. Your complete written testimony will be included in the hearing record. The lighting system and the timing system do not work, so we will notify you probably through the use of the gavel when you get close to the 5-minute time limit.

Mr. Turner, thank you for being here.

Mr. Turner. Mr. Chairman, thank you.

Mr. Clay. OK. And you may, if you have an opening statement, you may proceed, sir.

Mr. Turner. Thank you, Mr. Chairman. I appreciate that and I apologize for my being late.
I want to thank you for holding this important hearing on privacy concerns and health information technology. Many health care experts agree that investing in health information technology will dramatically improve patient care while simultaneously decreasing health care costs.

For example, Kettering Medical Center in my District and its partners have created the Dayton Individual Health Record Pilot Project, IHR. The Dayton IHR pilot combines a patient's health information from different sources and presents that information to patients, doctors, and other health care professionals in a format that helps all health participants make efficient, appropriate decisions about their care options. The Dayton IHR is a Web-based record that allows a patient to access their information from their home, the office, or even if the patient ends up in an emergency room in another town.

While it is important that technology like the Dayton IHR be made available, it should not be available at the sacrifice of patient privacy and security. The Dayton IHR ensures that only the patient and the physicians granted access by the patient can look at the information within the IHR.

This subcommittee has previously discussed privacy concerns in relation to Federal IT infrastructures, and I expressed my concerns with how IT breaches affect individuals, as well as national security. Health care raises unique privacy concerns, but I am interested to learn how we can work with all stakeholders to address important privacy issues and facilitate the adoption of health IT.

Health IT holds the promise of increasing the quality of health care, as well as decreasing health care costs for American families. We must be careful, however, to reach these goals without sacrificing the security of professional health information. I look forward to hearing the information from today's witnesses on this important topic, and I yield back the remainder of my time. Thank you.

Mr. Clay. Thank you so much, Mr. Turner. We will begin with Ms. Melvin. You may proceed.

STATEMENT OF VALERIE C. MELVIN, DIRECTOR OF INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED BY LINDA D. KOONTZ, DIRECTOR FOR INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

Ms. Melvin. Thank you, Mr. Chairman and Ranking Member Turner. We are pleased to be here today to testify on privacy issues associated with efforts to increase the use of information technology in the health care industry. As noted, with me today is Linda Koontz, Director of Information Management Issues, who is responsible for GAO's privacy work.

In 2004 President Bush issued an Executive order that called for widespread adoption of interoperable electronic health records by 2014 and established a National Coordinator for Health IT to lead and foster public/private coordination. The benefits of health IT are immense, and include reducing medical errors and improving public health emergency response. However, the increasing use of technology also raises concerns regarding the extent to which patient privacy is protected. The challenge is to strike the right balance between patient privacy concerns and the numerous benefits that IT has to offer.

Over the past few years, we have issued reports and testified numerous times on HHS' efforts toward defining a national health IT strategy. Among these reports, one issued last January highlighted HHS' health IT privacy initiatives. Today, as requested, I will summarize the results of that study, highlighting three points: the importance of having a comprehensive privacy approach, HHS' initial efforts to address privacy as part of its national health IT strategy, and additional efforts needed.

Privacy is a major concern in the health care industry, given the sensitivity of certain medical information and the complexity of the health care delivery system, with its numerous players and extensive information exchange requirements.
This concern increases with the transition to using more electronic health records. A comprehensive privacy approach is needed to determine how personally identifiable information will be disclosed, used, and protected.

HHS acknowledges in its national health IT framework the need to protect consumer privacy, and it plans to develop and implement privacy and security policies, practices, and standards for electronic health information exchange. To this end, HHS and its Office of the National Coordinator have initiated several efforts, including awarding contracts, including one for privacy and security solutions; consulting with the National Committee on Vital and Health Statistics to develop privacy recommendations; and forming a confidentiality, privacy, and security work group to identify and address privacy and security policy issues. Ultimately, the National Coordinator's Office intends to use the results of these initiatives to identify policy and technical solutions for protecting personal health information as part of its continuing efforts to complete a national health IT strategy.

However, while these efforts are good building blocks on which progress has been made, important work remains, including assessing how variations in State laws affect health information exchange, acting on the privacy and security contractor's findings and advisory group recommendations, and identifying and implementing privacy and security standards. Moreover, how and when HHS plans to integrate the outcomes of these initiatives is unclear; thus, we have recommended that HHS develop an overall privacy approach that identifies milestones and an accountable entity for integrating the outcomes of its health IT contracts and advisory group recommendations, ensures that key privacy principles are fully addressed, and addresses key challenges associated with legal and policy issues and the disclosure, access to, and security of information.

In recent discussions with us, the National Coordinator committed to developing a plan that would accomplish these objectives. In this regard, he announced last weekend an initiative to build consensus around a harmonized set of privacy and security principles which are to serve as a framework for addressing these important issues.

Overall, Mr. Chairman, the National Coordinator's intent to act on such an approach is promising, and building a framework based on fair information principles is a good starting point for moving forward; however, achieving this goal to safeguard personal health information will be difficult and plagued with challenges and will necessitate sustained leadership from HHS to realize success.

This concludes our prepared statement. We would be pleased to respond to any questions that you may have.

[The prepared statement of Ms. Melvin follows (graphic pages omitted).]

Mr. Clay. Thank you so much, Ms. Melvin. According to their written testimony, HHS states that it has invested significant resources and efforts in our nationwide strategy for protecting health information.
Our national health IT agenda approaches our privacy and security through a full suite of activities both in form of current work and preparing for future needs. Specifically, HHS mentions authorizing a review of 34 States and Puerto Rico to analyze how their laws are affecting the sharing of health information. Yet, GAO's January 2007 report cites HHS' lack of an overall strategic plan for integrating its privacy initiative into a health information network. The report also concludes that HHS lacks appropriate milestones to measure its progress to meet these requirements.

With that in mind, I would like to ask the following question: can you explain how HHS is addressing the legal barriers associated with variances in State privacy laws and methods to limit the types of information disclosed through a nationwide exchange? And is it true that HHS disagrees with GAO's recommendation to establish milestones to measure progress and outcomes in the development of privacy protections for a network? If so, why?

Ms. Melvin. When our report was issued, our concern was that HHS did not have, as you said, an integrated plan that would allow all the various initiatives that it has undertaken to be integrated and to be guided by milestones and measure its progress, and also from the standpoint of having a leader to make sure that there would be complete integration of the various initiatives to guide the overall effort.

There are other factors related to the variations in the State agencies. They do, in fact, have contracts in place that are intended to assess those, as you have mentioned, and those types of initiatives are all the ones that we believe have to be guided and driven by an overall integrated plan that has a well-defined approach to bringing together the specific initiatives, to being able to look at all of the findings and the assessments that are being made, and to develop and implement solutions as a result of what their assessments have determined.

Mr. Clay. Well, can you identify for us the entity or entities within HHS that will be responsible for coordinating and implementing its privacy initiatives? Who will promulgate the regulations and oversight activities for privacy within the network? Is this entity effectively staffed and capable of managing its responsibilities?

Ms. Melvin. One of the key areas or pieces of information that we believe is missing is the identification of the critical entity that would be responsible for bringing together all of the initiatives, as you have noted, so we cannot identify at this time who that would be. We do understand, through our recent discussions with Dr. Kolodner, that the agency is taking steps through the National Coordinator's Office to implement a framework; however, how that framework will be put in place and who will actually guide and lead their efforts to accomplish that has not been specified and we have no information that we could share regarding its----

Mr. Clay. They don't know yet? I mean, you gave them that report in January of this year.

Ms. Melvin. Yes.

Mr. Clay. And they have not moved on the recommendations is what you are telling me?

Ms. Melvin. As of last week when we spoke with Dr. Kolodner their efforts were in the early stages and there was no specific information provided to us relative to who the entity would be that would lead all of those efforts. I should note that when our report was issued the National Coordinator's Office did have a difference relative to how they should proceed with a coordinated approach, so it has only been in recent times that we have now, I think, reached more agreement with them relative to the importance of having a plan in place, an approach that would, in fact, include and identify a specific leader for integrating or overseeing the integration of the various initiatives.

Mr. Clay. Thank you for that. And this is a question for either one of you.
One of HIPAA's limitations is that it does not cover all entities that possess or utilize personal health information. Some life insurers and research entities that are not involved with the treatment of patients fall outside the rules. Have you examined the practical impact of not covering some entities that have access to personal health information? Is this a significant problem, in your view, Ms. Koontz?

Ms. Koontz. I think that is a significant issue that deserves more study, and we would like to see HHS consider that as it moves forward in developing privacy policies, practices, and standards. It is true that HIPAA covers health plans, health providers who transmit electronic information in support of transactions, and health information clearinghouses. The entities that you mentioned are outside the coverage of HIPAA. I think that, naturally, as we move to a national health information network in which it will be much easier, and it is actually intended to make information flow more easily, this is something that we should pay a lot more attention to. Again, I do hope that HHS includes this in their deliberations as they move forward.

Mr. Clay. OK. Thank you for your response. Let me now turn to my ranking member, Mr. Turner. You may proceed.

Mr. Turner. Thank you. Thank you for the information you have provided to us in your testimony today. This is an important issue on pretty much three fronts. We have our desire to find cost savings and reduce the spiraling increases in health care costs. The second issue is quality of health care. What can we do to increase the quality of health care? And the third issue is: how do you balance privacy? So many times when we make an advance in one area privacy either takes a hit, or when we think we are taking an advance in privacy others take a hit.

I will tell you one funny story. Two years ago when I was in Washington I broke my sunglasses. I called my wife at home and said, can you go and get me some new sunglasses. I have a prescription. She goes to the eyeglass place and they wouldn't let her buy eyeglasses because they said under HIPAA there is a fear that she would discover what my prescription is. You know, that is not exactly something that I have a concern about having a privacy expectation. But, nevertheless, that was the application. We had to wait until I returned back home until I could get them.

So this is a fine balance of what things do we have an expectation of privacy, and what things are important for efficiency, and what things do we have for cost savings, and many times there are unintended consequences--you know, I can't get my sunglasses unless I am back home--that are overlooked.

What confidence do you have, in describing the process that we are undertaking, that the Federal Government is going to be able to have a better record in ascertaining that yes, we really need to protect people's privacy, yes, we need to find cost savings, and we need to find efficiencies to increase quality of health care? What are your thoughts?

Ms. Melvin. Again, I think the confidence will grow from the extent to which there is transparency in the way that the health information network is put together and the way that privacy is conveyed to and understood by the public. Our work has emphasized the need for the National Coordinator's Office and HHS to spend significant time in making sure that there is outreach and consensus to bring together a better understanding among all participants that would be involved in the overall health initiative.
You are right, there is an extremely fine balance between the privacy issues and the need to ensure quality care, the need to try to have improvements in the way that information is made available about care, and all of that comes through, again, having a defined plan for how they will do that, as well as having necessary outreach, necessary information made available to educate the public on the need for and the use of electronic health records so that certainly at some point hopefully there would be buy-in, more buy-in to make this a more successful effort. So I think overall success will depend on how well they can really communicate and convey the need for and ultimately to implement a system that does balance privacy and security with the quality of the care that is being provided.

Mr. Turner. One of the issues that has been identified is the cost savings that we expect from going to electronic recordkeeping, and the implementation of technology on this issue is that we don't really know what our cost savings would be, and we are not capturing in a very effective way how this might advance us in cost. Do you agree with that? And also, do you have thoughts as to what we could be doing better to understand really what will we be able to effect in cost savings in this?

Ms. Melvin. I think clearly the cost savings is an issue. The overall cost of the initiative is an issue that would have to be defined based on what technology is ultimately determined to be needed and put in place for this, again largely driven by the privacy and policy security implications that would drive the technology that would need to be put in place. Then ultimately, as a part of the overall strategy and the defined approach that the agency would need to have, a key part of that is defining what the costs are, what the outcomes that result from that are in the way of benefits and savings. I think all of those aspects collectively are going to be important in defining what the actual cost is ultimately for the overall initiative.

Mr. Turner. Thank you, Mr. Chairman.

Mr. Clay. Thank you, Mr. Turner. We have been joined by our colleague from New Hampshire, Mr. Hodes. I understand you have an opening statement. You may proceed with that and then go into your questions.

Mr. Hodes. Thank you, Mr. Chairman.

Mr. Clay. You have ample time. You are welcome.

Mr. Hodes. This is a very important hearing. The privacy concerns related to health information technology in the digital age take on an increasingly important role as we examine a health care system which many people feel is a system which is dysfunctional and not operating as it should, and many are looking to electronic medical records technology as a key component to making our health care system a better-functioning system.

It seems that it is fairly obvious, at least to me, that there are great benefits in increased coordination of care from effective and appropriately constructed medical records technology systems, because instead of having people carrying around paper records and sacks of pills from one doctor to another and having the second doctor trying to figure out what it is that patient is on, we can quickly and easily, with medical records technology, determine what care that patient has had.

On the other hand, medical records technology presents great risks to patient security and private information. We have recently seen in the Veterans Administration, which frankly is in the forefront of developing electronic medical records technology, when a single laptop is lost there are enormous amounts of personal data that are compromised.
So coming up with the right construct and the right system is clearly very important, and it is, I think, an urgent matter for us because there are a number of initiatives, both in the private sector and in Government, that are taking us down the road, but it sounds from your testimony and the report that there is still a very, very long way to go in coming up with an appropriate national system.

[The prepared statement of Hon. Paul W. Hodes follows (graphic pages omitted).]

Mr. Hodes. One question, Ms. Melvin, that I had raised by your testimony that I would just like you to clarify for me, if you could, would be--and I may not have all the terms right--but you mentioned that the National Coordinator's Office at HHS, I believe, had a difference about a national coordinated approach when your report was initially sent over?

Ms. Melvin. We had originally recommended that they develop a defined approach that would, in fact, allow them to integrate the various initiatives, that would establish milestones and timeframes for the completion of initiatives, obviously considering that there were multiple activities going on, and that would, in fact, designate a leader, identify a leader who would lead the overall coordination, an entity that would lead the overall coordination of all of the various initiatives being put in place. I believe that in this case in their comments HHS essentially believed that they did have a comprehensive approach. We had a difference relative to the construct of that approach and whether, in fact, it contained all of the necessary or recognized all of the necessary components in the way of having a designated leader, in the way of having established milestones, and potentially measures for being able to really gauge progress and to guide the overall effort.

Mr. Hodes. And I gather there were some discussions that took place?

Ms. Melvin. We have subsequently met with Dr. Kolodner, actually within the last week. We have talked more about what our concerns were relative to the lack of such a defined approach, and in talking with him and through information that we have seen since our discussions, there is an indication that he is in agreement with the need for having an approach, some type of road map that would, in fact, provide more detail than defined milestones for integrating the various initiatives that are underway.

Mr. Hodes. There is no disagreement between you and Dr. Kolodner that the coordinator of any national health information technology system would be situated at HHS, is there?

Ms. Melvin. We have not talked specifically about what entity would be the leader to integrate this. Our discussions were at a level relative to the importance, the significance overall of developing an approach. We have not described what that approach would be. We do feel it is important, however, that approach does, in fact, define those critical elements relative to timeframes and milestones, measures of performance, and also in terms of actually identifying the entity that would lead it, but we have not talked about specifically who that entity would be.

Mr. Hodes. You are just trying to get to square one with HHS and have them recognize that there needs to be a coordinated approach with time lines and benchmarks and setting out a plan to put together the initiatives that have already been begun into some comprehensive plan that we can all look at and then talk about?

Ms. Melvin. That is absolutely correct, sir.

Mr. Hodes. I am just about finished, Mr. Chairman. When you say that Dr. Kolodner has indicated his agreement, is that verbally? Is that in writing? How has that agreement been indicated?

Ms. Melvin. Our discussions have been held through a meeting with Dr. Kolodner relative to what actions they were taking, but, as I stated earlier, we have not discussed the specifics of what that planned approach would look like ultimately.
It is our hope, and we do view, you know, the fact that at this point he does agree with the need for that as very promising, but, as our statement indicates, it is a very difficult task. It is a long road. It does involve a lot of initiatives, and it will take sustained and committed effort on HHS' part to make sure that happens.

Mr. Hodes. What is your timeframe for getting some sort of concrete response beyond the verbal discussions you have had from Dr. Kolodner and HHS that would clearly indicate, something we could look at, that says HHS agrees that we are going down this road and here is how we are going to get there? Are we talking a week? A month? Two months?

Ms. Melvin. We have not specified a specific timeframe. Obviously, based on our recommendation, we do feel it is very important that this effort be undertaken urgently. It is very critical from the standpoint of the many initiatives that HHS and the National Coordinator's Office does have underway that lead to the development of technology, the significant point being that you want security and privacy policies to be in place to really guide and be a factor in determining what technology is there. So it is an urgent effort, but not one that we put a definite timeframe on for seeing that it happens.

Mr. Hodes. Thank you very much. Thank you, Mr. Chairman.

Mr. Clay. Thank you, Mr. Hodes, for that line of questioning. This question is for either/or. I would like to hear your thoughts on HHS' enforcement policies, practices, and procedures. There has been significant criticism of the agency's enforcement of HIPAA and lack of civil penalties enforced on identified violations. Are the enforcement activities of HHS being carried out in accordance with the statute and the legislation and regulations? Are the current regulations adequate to ensure that violating entities are being sanctioned appropriately?

Ms. Koontz.
I have to say, first of all, that we have not studied HHS' enforcement actions; however, I think it has been widely reported that there have been few enforcement actions on their part. The way HIPAA is set up right now is that if an individual has a complaint they can go to HHS, the Office of Civil Rights, and complain about privacy violations. I think that this, again, is another issue for us moving forward. Under HIPAA, for example, there is no individual right of action. If someone isn't satisfied with what happens at HHS, they cannot go to the courts for resolution. I think this is an issue that, you know, we will need to look at over time, but we haven't studied it in depth.

Mr. Clay. One IT-specific recommendation offered by the National Council of Vital Health Statistics was for HHS to support research and development of contextual access criteria that is appropriate for the dissemination and sharing of electronic health information. Do you know whether HHS is addressing this issue and, if not, why not? And does GAO concur with the findings and recommendations of the National Committee on Vital Health Statistics?

Ms. Koontz. First of all, in terms of the contextual information, I think that is quite an exciting idea, because if you look at paper records right now, if you have to disclose a paper record I think that the default is to perhaps disclose the whole piece of paper. The idea of this contextual access would be that when you disclosed information you would use technology in such a way that you could disclose only the information that was actually needed, so it would be a way to really leverage technology to increase privacy for patients and consumers. So the National Committee on Vital and Health Statistics did recommend that HHS look at this more fully in the process, and we support that.
I think one of the things that, as they move forward on a comprehensive strategy for addressing privacy, they need to take into consideration the results of all these different contracts and initiatives that they have going on, which seem to have a lot of merit. They need to take into consideration the recommendations of NCVHS, and they need to take into consideration some of the challenges that I think we raised in our report.

Mr. Clay. Thank you for that response. When multiple States with conflicting laws have personal health information concerning the same patient, which State's privacy standard will apply, and under what circumstances? How can entities in one State appropriately manage patient data within their electronic patient records if they are unaware of applicable restrictions in another State?

Ms. Koontz. Well, the issue about HIPAA is that HIPAA is meant to be a floor in terms of privacy protection, so that means it does not preempt a State law that provides greater privacy protections than the Federal law. But you are right: what it leads to is very much a patchwork of different kinds of laws in varying States, and when you go to electronic health records and you go to a national health information network, again, the information is to move. It can move much more freely than it does now in a paper environment. One of the challenges, when we were doing our study, that many organizations talked to us about is operationalizing these various requirements and being able to navigate in an environment where information is created in one State, it is sent to another, it is sent yet to another, and how to really navigate in that kind of environment has caused a complexity which may indicate some need maybe for greater guidance in terms of how to navigate this. And some people have suggested, of course, that there be some kind of national standard for privacy that is consistent across the States.
We haven't studied that further, but that has been an issue that has often been raised.

Mr. Clay. Good. Thank you very much. Mr. Turner.

Mr. Turner. Thank you, Mr. Chairman. We want to note that Government Health IT reported on June 15, 2007, that Dr. Kolodner, National Coordinator of Health Information and Technology, has revealed that his office will propose a draft framework for privacy policy later this year. Kolodner said it will reference other privacy policy documents from organizations such as Connecting for Health, the National Committee on Vital and Health Statistics, and the Organization for Economic Cooperation and Development. I look forward to seeing that so we can all have an opportunity to review it and determine its effectiveness. I am going to ask if you could talk for a moment--and you may not be able to--but the VA's experience during Katrina, we have all heard news reports about how the VA was able to transfer large numbers of patients' records far more quickly than private hospitals. Are you familiar with the VA's experience and their system? Could you comment on that?

Ms. Melvin. I am not familiar with that particular experience, but what I can tell you is that VA does have a comprehensive longitudinal electronic health record for its patients, which would explain its ability to make information available for those people who were affected by Hurricane Katrina. Its system is set up so that it contains a complete record of each patient that is captured within its system, so that would explain its ability to perhaps have records available more readily certainly than other entities that do not have such a capability at this point.

Mr. Turner. Are you familiar with either their experience of cost savings or efficiencies in increasing medical care and/or privacy issues and policies?

Ms. Melvin. I don't have specific information on their cost savings.
I can tell you, though, that they have a very impressive system in place that has allowed them to achieve many improvements in quality of care through the clinician's ability to have ready access to information, through their ability to actually use that information in the health care of patients at this point.

Mr. Turner. Thank you very much.

Ms. Melvin. You are very welcome.

Mr. Turner. Thank you, Mr. Chairman.

Mr. Clay. Thank you, Mr. Turner. Mr. Hodes, any more?

Mr. Hodes. Just one more briefly.

Mr. Clay. Please proceed.

Mr. Hodes. Thank you, Mr. Chairman. I would like to follow up just a little bit on the question about varying State standards, because I note at page, I think it looks like 15 of your report, where you talk about the challenges to exchanging electronic health information and the area of understanding and resolving legal and policy issues, and the first bullet point you talk about is resolving uncertainties regarding the extent of Federal privacy protection, and it leads me to the question of how quickly we can go to a national information system with so many differing standards out there among the States. Could you tell us what do you think the benefits would be to establishing a Federal standard in these areas, even if it meant hypothetically preempting the States?

Ms. Koontz. Well, it is obviously a policy judgment that you are probably in a much better position to make than I, but----

Mr. Hodes. That is why I asked the question.

Ms. Koontz. Fair enough. But, I mean, the obvious advantage here is that we would be trading off some, getting rid of some complexity in order to, you know, if we got some standardization.
Obviously, from talking to a fairly large number of entities out there who are involved in information exchange and involved in providing health care, it is tremendously confusing, even to the point of trying to decide what rules apply, what category do they fit in, and then also how to operationalize all the different kinds of requirements, as well. So, I mean, I can see on balance it is on the one hand and on the other hand, but there are definitely benefits to standardization, as well, although there may be States where you might end up lowering privacy protection, and I think that is an issue for that locality.

Mr. Hodes. OK. Thank you very much. Thank you, Mr. Chairman. I yield back.

Mr. Clay. Thank you, Mr. Hodes. The AHIC, which is a public/private working group chaired by the Secretary, assembled a working group on how to address privacy and confidentiality issues last August. What findings, if any, have been presented to the Secretary? Is AHIC's work consistent with GAO's findings and recommendations? Are you familiar with AHIC, the American Health Information Community?

Ms. Melvin. Yes, we are familiar with that. As far as their findings and recommendations, at this point we are not certain as to exactly what they are doing. We do know that HHS is in the process of assessing the information that they have from them, and we have not compared that to GAO's recommendations, as I recall.

Mr. Clay. OK.

Ms. Melvin. We have not compared them to GAO's recommendations.

Mr. Clay. All right. I thank you for that. Let me thank both of you for your answers today and for being witnesses at this hearing. I think it is such an important issue, and we certainly appreciate GAO weighing in. Thank you both. This panel is dismissed. I would now like to invite our second panel of witnesses to come forward, please. Testifying today on our second panel will be Mary R. Grealy, president of the Healthcare Leadership Council. Welcome to you.
Byron Pickard, president of the American Health Information Management Association. Thank you for being here. Peter P. Swire, the C. William O'Neill professor of law at the Ohio State University's Moritz College of Law and senior fellow at the Center for American Progress. Welcome to all of you. It is the policy of the committee to swear in all witnesses before they testify. At this time I would like to ask you all to stand and raise your right hands.

[Witnesses sworn.]

Mr. Clay. Let the record show that all of the witnesses answered in the affirmative. Each of you will have 5 minutes to make an opening statement. Your complete written testimony will be included in the hearing record. The yellow light in front of you will indicate you have 1 minute remaining. The red light will indicate that your time has expired. Ms. Grealy, we will begin with you. You may proceed.

STATEMENTS OF MARY R. GREALY, PRESIDENT, HEALTHCARE LEADERSHIP COUNCIL; BYRON PICKARD, PRESIDENT, AMERICAN HEALTH INFORMATION MANAGEMENT ASSOCIATION; AND PETER SWIRE, SENIOR FELLOW, CENTER FOR AMERICAN PROGRESS

STATEMENT OF MARY R. GREALY

Ms. Grealy. Thank you, Mr. Chairman and members of the subcommittee. On behalf of the members of the Healthcare Leadership Council, I want to thank you for the opportunity to testify on this extremely important subject. Certainly all Americans want to be assured, as we move toward a day when virtually all clinical health information will be exchanged electronically, that their confidentiality will be protected and information will be used to provide health care of the highest quality. The Healthcare Leadership Council is comprised of chief executives of many of the Nation's leading health care companies and organizations representing all sectors of American health care. Our members are some of the early adopters of health information technology. Mr. Chairman, with my time limitations there are two key points that I would like to make today.
First, allow me to comment on the current HIPAA privacy rule, a rule that was developed through careful, detailed deliberations over a 5-year period, and its effectiveness in the context of electronic health information exchange. We are concerned that the transition to more widespread use of electronic medical records will prompt a reactive call in some quarters for additional burdensome privacy regulations. It is important to note that the HIPAA privacy rule, which is already quite restrictive, was spurred by the growth of electronic transactions and already contains ample provisions governing the confidentiality of information, electronic or otherwise. It is even more important to recognize that more restrictive rules, such as requiring providers and payers to obtain prior consent for treatment, payment, and health care operations, would delay and disrupt health care, particularly for the most vulnerable patients.

The fact is, Mr. Chairman, the HIPAA privacy rule has a successful track record, and that success is being achieved in an environment in which multi-State electronic data exchange is already occurring. Health care providers and plans have spent significant resources to comply with the HIPAA rule. Before considering any changes, we should be certain that they are absolutely essential and would warrant diverting finite resources from patient care to additional administrative compliance.

The other point I wish to make this afternoon is that, while the HIPAA privacy rule is effective in protecting patient confidentiality, the development of a multi-State network requires the creation of a uniform Federal privacy standard. While HIPAA establishes such a standard, it permits State variations that are found in thousands of statutes, regulations, common law principles, and advisories. This patchwork quilt creates confusion among those who hold identifiable health information and those who seek to establish these data exchanges.
We believe strongly in a national standard that provides strong privacy protections for every American and facilitates nationwide and system-wide electronic data exchange for the betterment of patient care. Mr. Chairman, Section 6 of your bill, H.R. 4832, laid out a process to help achieve that national standard, and we hope that it will find its way and be part of any future HIT legislation.

One thing that helps us put a face on health care policy and to put it in perspective is that these issues unavoidably become personal for all of us. My family currently has a compelling example in the person of my 88-year-old father, who lives in Fort Lauderdale, FL. Just a few months ago, after a brief hospital stay for acute kidney failure, he began a regimen of dialysis three times a week. At the same time, he was receiving radiation treatment for prostate cancer. I can tell you firsthand that the staffs in the hospital, the radiation center, the dialysis center, and the various physician offices are fully complying with the HIPAA privacy rules, oftentimes making it difficult for me and my five brothers and sisters to help coordinate his care. Be assured that health professionals take the rules very seriously.

More importantly, however, I am also experiencing firsthand the absolutely critical need for a unified electronic health record so that my Dad's oncologist, nephrologist, internist, cardiologist, nutritionist, radiation center, and dialysis center would all know in real time what each is prescribing and, more importantly, how he is doing. For example, sharing the results of lab tests, sharing the prescriptions that they are ordering. An electronic health record would have avoided my Dad's recent experience of receiving Procrit from his oncologist while he was receiving a similar medication, Epogen, at the dialysis center. Unfortunately, it fell to us to alert and notify those two health providers, because they were not sharing this information.
You can see the importance of having this electronic health record. America's patients, not just my Dad, need an electronic health record, and I applaud the efforts that you, Mr. Chairman, and others have put toward achieving that goal. We look forward to working with you, finding the appropriate balance between privacy and the need for sharing this important information as we move forward in this important area. Thank you.

[The prepared statement of Ms. Grealy follows:]

[GRAPHIC] [TIFF OMITTED] T9023.027-T9023.046

Mr. Clay. Thank you so much, Ms. Grealy, for that testimony. Mr. Pickard, you may proceed.

STATEMENT OF BYRON PICKARD

Mr. Pickard. Chairman Clay and members of the subcommittee, thank you for this opportunity to testify. I will be testifying on behalf of AHIMA, but will also draw upon my professional experiences to describe the public/private efforts currently underway exploring the privacy of electronically transmitted health information. My written testimony addresses some areas of specific interest to our profession; namely, expansion of privacy protections for personal health records, differences between HIPAA at business associates and non-covered third-party contractors, and protecting student health information, and conflicts between HIPAA and FERPA.
AHIMA also has a foundation of research and education, which has received several grants and contracts from the Office of the National Coordinator and others. I have attached a list of those commitments.

Mr. Chairman, the HIM professionals' responsibilities are interwoven with privacy and security issues. The expansion of confidentiality management and protection is impacted not only by HIPAA but also by the health care industry's continued transformation from a paper intensive industry to one of electronic records and transmissions. I wish I could tell you that the health care industry has been transformed into a fully electronic system, but, in fact, I cannot. We are in the midst of what would be a long transition. In working through these transitional issues, AHIMA has partnered with the American Medical Informatics Association and we have produced two joint statements relative to today's discussion, one on health information confidentiality, and the other on the value of personal health records.

With so much history and experience in the protection of health information, it is important to note AHIMA's position. Our written testimony contains our full list of health information confidentiality principles. As our health care system becomes more interconnected, our networked health information will flow across a range of entities and boundaries. It will be critical to follow these principles. Privacy protections must follow personal health information [PHI], no matter where it resides, and uniform and universal protections for PHI should apply across all jurisdictions in order to facilitate consistent understanding and compliance. Considerable time has been spent exploring and developing electronic health information exchange and how to protect health information by the Agency for Health Care Research and Quality, the American Health Information Community, the Office of the National Coordinator, and others.
These initiatives and their impact on privacy and security are detailed in our written testimony. AHIMA members, and especially those who fill the role of privacy officer, are noting that the issue of confidentiality is moving beyond just health care. With the banking and finance industries handling health information more frequently, it has become apparent that we must soon address the comprehensive protection of an individual's information, whether it is financial or health related. This is an issue that Congress will need to investigate as we see more change in the bordering of industry boundaries. We also see a need for consumer education to address confidentiality and security, as well as the value of health information technology usage. It is only with consumer trust that a national infrastructure can be built and laws adopted or modified to facilitate information exchange.

AHIMA has long called for consumer-based personal health records, in addition to the standard provider-based electronic health records. While we have never endorsed a PHR product, we have called for consumers to use a PHR, whether in paper or electronic form, to track their own health status. To support this goal, AHIMA embarked upon a PHR consumer education campaign that combines the use of a consumer Web site with public presentations by AHIMA members in each and every State. AHIMA is leading an effort to ensure interoperability of the PHR, with the new Health Level Seven standard electronic health record, and we expect to see a new PHR electronic standard from HL-7 in the near future. AHIMA's belief that protections should follow personal health information, no matter where it might be stored or transferred, clearly extends to PHRs. PHRs can be stored or offered by a variety of different vendors or operators. Some of these vendors are HIPAA-covered entities, and others are not.
Protections against the discrimination and misuse of PHR information must be established along with a requirement that any access or use of PHR information be governed by a separate authorization unless otherwise required by law. Except for PHRs offered by health care providers, we believe that individuals should be given the right to opt out of a PHR being built for them or their family members.

The answers are not simple. As the AHIC and the NCVHS and others discuss and provide recommendations in the privacy and security area, Congress can also begin to look at some very important issues: that confidentiality protections follow the information no matter where it resides or is transferred; that comprehensive non-discrimination laws have harsh penalties for the intentional misuse of health information; that we prosecute those who break these laws; that we penalize those entities that are non-compliant with confidentiality and security laws and regulations; that conflicts between HIPAA versus FERPA be eliminated in favor of consistent and strong confidentiality; and that proposed laws be reviewed to identify barriers that may arise that would impede the deployment of health information technology products, expansion of health information exchange, and critical uses of health information.

Mr. Chairman and members of the subcommittee, I hope that our testimony has given you an insight into the aspects of health care confidentiality and security that you are seeking, and that our recommendations will provide you with guidance as you address the many difficult questions facing our community. I stand ready to answer any further questions or concerns you might have. Thank you.

[The prepared statement of Mr.
Pickard follows:]

[GRAPHIC] [TIFF OMITTED] T9023.047-T9023.067

Mr. Clay. Thank you so much, Mr. Pickard. Mr. Swire, of the Ohio State University.

STATEMENT OF PETER SWIRE

Mr. Swire. The Ohio State University, home of the Buckeyes. Yes, sir.

Mr. Clay. Yes, sir.

Mr. Swire. Mr. Chairman, members of the subcommittee, thank you very much for the invitation to testify here today on privacy and security of electronic health records. Today fewer than 10 percent of our clinical records in the country are accessible in electronic form, and all of us hope that number climbs sharply in the next decade. My colleague at the Center for American Progress, Karen Davenport, has recently released a new report about health IT and the quality improvements, and, Mr. Chairman, I ask if that could be submitted to the record for this hearing.

Mr. Clay. Yes, please.

Mr. Swire. Thank you. To make this shift to the NHIN, the National Health Information Network, we need to get privacy and security right. Public surveys repeatedly showed that these privacy concerns are top of mind when it comes to the shift to electronic health records. Unless Americans are convinced that effective safeguards are in place, many of the benefits of this NHIN may be delayed or lost entirely.
My written statement addresses various issues, but I would highlight two things in the testimony today: preemption and enforcement. On preemption, my theme is that the wrong sort of preemption would actually repeal many existing privacy and security safeguards. On enforcement, the current no-enforcement system is not a sound basis for going forward with electronic health records.

Briefly, my background before returning to law teaching, I served as chief counselor for privacy in the U.S. Office of Management and Budget in 1999 and 2000, and in that role I was the White House coordinator for the HIPAA privacy rule. This has lost me many friends in the medical community. During that time we had over 50,000 public comments on the proposed rule, and I co-chaired the process to look at those, try to respond to them, and come up with a final rule by the end of 2000, and I have worked in this area since. So it is based on that I try to offer some observations today.

On preemption, my first theme is that simple preemption of State laws going to HIPAA alone would repeal many existing privacy protections. In many States we have protections for things like HIV records, mental health, substance abuse, reproductive records, Public Health Agency records, genetic records, and if we simply say let's do HIPAA, then that means that all of the State protections would be repealed. In Ms. Grealy's testimony, they feature Indiana as a State to look to. Indiana has the fewest State safeguards, and so harmonizing on that level would be a drop in privacy protection, and we should be careful about doing that.

On enforcement, I have serious concerns about the lack of enforcement from HHS. This is an oversight issue. This creates an obstacle to going forward with electronic health records. If no enforcements are brought under the current system so far under HIPAA, why should the public trust we are going to have good enforcement for the next generation?
Let me emphasize my criticism here goes to law and policy and not to the good faith or the intelligence or hard work of people at HHS, but there are some legal problems the Congress may need to address. There are three principal problems in enforcement:

First, the batting average for HHS is pretty low. There have been 27,000 complaints and zero civil or monetary penalties, so over 27,000. That doesn't create a lot of confidence.

Second, the current administration has adopted the policy of one free violation. In an enforcement rule last year, HHS said that the first violation simply won't lead to a penalty; instead, it will lead to a plan to correct going forward. This sends the signal that medical privacy shouldn't be taken seriously. If you are a covered entity, just wait until they come the first time and then you can fix it, but you don't face any exposure.

Third, the Department of Justice has dropped the ball on criminal prosecution. Justice has received almost 400 referrals from HHS and has brought zero cases under those 400 referrals. These are the most serious cases, and the problem is that, once it goes to DOJ, under current policy HHS stops all proceedings, so the most serious cases HHS doesn't do it and DOJ doesn't do it.

This lack of enforcement has been the subject of major stories in the Wall Street Journal and the Washington Post. One expert was quoted in the Post saying, ``HHS really isn't doing anything, so why should I worry?'' The lack of HIPAA enforcement will make it harder to build the next generation of electronic health records. Critics will be on strong and legitimate ground saying they can't trust the current system, much less the higher level of trust we would want to have if we go to the all-electronic NHIN. In my testimony I point out that we can respond to these problems perhaps by HHS changes or by targeted legislation.
Here are three things to consider, and then I will close: first, HHS can end the one free violation part of the enforcement reg; second, we should end the current interpretation where HHS stops its own enforcement efforts in the most serious cases whenever there is a criminal referral to DOJ; and, third, a mistaken Department of Justice legal opinion that narrowed the criminal provisions of HIPAA should be revisited. They really take the position that only the hospital that intentionally violates the law and not any of the individuals who break the law can be enforced. That concludes my comments. I welcome any questions you may have.

[The prepared statement of Mr. Swire follows:]

[GRAPHIC] [TIFF OMITTED] T9023.068-T9023.075

Mr. Clay. Thank you, Mr. Swire. Let me thank the entire panel for their testimony today. We will begin the question period under the 5-minute rule, and I will begin with a general question for everyone to comment on. Many electronic health care tools such as electronic health records and internet-based personal health records are available to consumers today. The country, however, is still lacking an established nationwide approach for ensuring that personal health information will be protected from inappropriate disclosure. Do you believe that the implementation of health IT is beginning to outpace the development of overall privacy policies and practices? We will start with Ms. Grealy.

Ms. Grealy. Well, as I said, both from my experience as heading up the Healthcare Leadership Council and formerly with the American Hospital Association, as well as my personal experience dealing with health care for my family, providers took the HIPAA privacy rule very, very seriously.
They put in place compliance plans, a lot of education, and this was throughout all of the covered entities, the various business associates. I am not sure we often recognize just how much went into making sure they understood the HIPAA privacy rules and they were in compliance. The rules are very complex.

I just want to touch on, I think, the approach that HHS and the Office of Civil Rights has taken is really the proper approach. They could have taken a ``gotcha'' approach, and, you know, every time we find you have made just the slightest error we are coming after you with civil and monetary penalties or criminal penalties. I think, instead, what they did was to develop a partnership. We want this rule to work, and so we have partnered with providers and others to educate them. Of the 27,000 complaints that have been registered, I think if you delve into them, if you talk with the people at the Office of Civil Rights you will find that many, many, the vast majority, were really a misunderstanding of what was required by the privacy rule. In fact, many times we have run into what I would call hyper-compliance, where we have providers unwilling to share information with those who could benefit from it because they throw up, ``HIPAA doesn't allow me to do that.'' So we really have to strike that appropriate balance.

As we move into the electronic world, security measures are in place. I think we also sometimes lose sight that these electronic medical records can be much more secure than the paper records that have been sitting in file cabinets and physicians' offices. Oftentimes you have no way of determining who has accessed those records, unlike in the electronic world where you can establish an audit trail. You can really determine who has accessed that and whether it is appropriate. You can password protect it. So I think we have a framework. We may have to modify it.
You can tell from the GAO testimony that there is a lot of work going on at HHS, at AHIC, the National Committee on Vital Health Statistics, to determine what is appropriate in this electronic world. But remember, this all started because people were concerned about the electronic transmission of personally identifiable health information. That is what started the HIPAA statute and resulted in the HIPAA privacy rule. So I don't think we need a wholesale revision of it. We may need some tweaking of it. But I think right now it is workable, and a lot of providers are spending a lot of time and resources that don't go to direct patient care, but instead go toward compliance. I think we have to be very, very careful in terms of how we use those resources.

Mr. Clay. Thank you, Ms. Grealy. Mr. Pickard.

Mr. Pickard. Yes. I would have to agree, and I think that it is not a question of the technology but more about the actual policies. I do believe that HIPAA has provided a good framework, and I think where we run into challenges or where we will run into challenges are the other entities, the other types of entities outside of the HIPAA boundaries, the covered entities that are now faced with handling health information. So I believe that is probably where we run into challenges associated with HIPAA. That, again, kind of brings us back to an important point or important principle within my testimony, and that is that the confidentiality and privacy protections follow the information, no matter where it goes or where it resides or how it is accessed or handled.

Mr. Clay. How about you, Mr. Swire?

Mr. Swire. Thank you, sir. A fairly simple point. HIPAA came about when we made a shift for payment records from paper to electronic, so you would file with Medicare, insurance companies electronically, and Congress said in 1996, let's do privacy and security with that.
We are now in chapter two, and chapter two is the shift for clinical records, your x-rays and all the rest of those things, and we are now building the systems for the first time to really move clinical records, so we should build those systems right for this generation like we tried to build systems right for the payments generation, and that is our job together. The easiest time to get privacy and security right is when you build it the first time. It is much harder to patch later. That is where Congress can take a leadership role and make sure we do it.

Mr. Clay. Thank you for that response. Mr. Hodes.

Mr. Hodes. Thank you, Mr. Chairman. Professor Swire, I am interested in and appreciate your condensed version of arguments about preemption and what we might lose by it, because really I think that goes to the heart of policy issues that Congress is facing in dealing with the questions of a national health information network versus leaving it to what is clearly a rapidly evolving patchwork of regulation. You point out that we have HIPAA as, call it, a baseline, but that many States have--in fact, I think all the States have dealt with other medical information of a very sensitive kind that HIPAA simply doesn't deal with. So I take to heart your point about not rushing too quickly to simply say HIPAA is the standard and that is the national standard and that is where we are leaving it.

If we were to look at the national picture, which I am sure you have much more than I have, how would you balance, in looking what the various States have done in terms of the issues you have raised on pages three and four of your report--mental health records, HIV, and all that--if Congress was inclined to try to set some national standard, mindful of your warnings? How would you suggest we go about looking at what the States have done?
Should we simply say we are going to take the best standards from whichever State best protects privacy and security of people and that is the one we are going to use for HIV, and similarly we are going to look at mental health records and take the best one that we can get from State B, and then we are going to incorporate it with this other baseline and call it a Federal standard? What do you think?

Mr. Swire. Well, we could go on for quite some time----

Mr. Hodes. I know.

Mr. Swire [continuing]. To try to figure out how to do that, but----

Mr. Hodes. I have only got 5 minutes.

Mr. Swire. I know, and I will try to do it in about four sentences. Not really. The first point is best does not mean stricter or less strict. You can't avoid making some judgments here, so when it comes to HIV data you have a public health issue if people won't get tested, and if you repeal for big cities' HIV protections you could face public health risks, and that doesn't seem like a good idea to me.

But I think one step here is I think that HHS and the Government can play a much better role in helping us all understand what the State laws are, and here is a specific thing. There is this RTI study--that is the contractor for HHS--and they have gone and done studies of, I think, 34 States. I have been told by somebody who has been near the process that they are not planning to release the surveys from the States to the public. It seems to me if Government is going to spend contractor money to try to figure out what all these State laws mean, they reduce compliance costs for everybody if we get that information out to everybody, so just a much better job of education and getting the information out there so that people don't have to go to expensive law firms to try to figure it out. That is one step toward knowing what needs to be done.

Ms. Grealy. Congressman, I would like to comment----

Mr. Hodes. Please. Thank you.

Ms. Grealy [continuing].
Because we undertook one of those very expensive studies, $1 million investment, to have a tool where providers could check to see what is the State law, what is the variation. That still requires time. It is a lot of money to maintain that system, and I don't think it addresses your question. I don't think it really gives us a workable national standard. Just because we have the information from the RTI study, we still have all this variation. We don't have to sacrifice privacy to develop this standard. Again I reference Section 6 in H.R. 4852, which really set out a process. Let's look at the States, let's study the variation, and then come up with recommendations as to what would be the appropriate rule in those very sensitive areas. We have done it for mental health to a certain degree in the HIPAA privacy rule, but we certainly could improve it in those other areas.

Mr. Hodes. Thank you. Mr. Pickard, did you want to comment?

Mr. Pickard. No.

Mr. Hodes. Thank you. Mr. Chairman, I yield back. Thank you very much.

Mr. Clay. Thank you for that line of questions. I asked this question to GAO during the first panel and would like to hear your thoughts on the topic. A significant problem with HIPAA is that it does not cover all entities that possess or utilize personal health information. Some life insurers and research entities not involved with the treatment of patients fall outside the rules. In your work, have you analyzed this problem? And how significant is it, in your view? Let's start with Mr. Swire.

Mr. Swire. OK. So this has to do with who should be covered entities, and the statute sets that forth. HHS doesn't have a lot of wiggle room on that, so it would have to come from Congress. I think that for life insurance it is not such a big program. Gramm-Leach-Bliley applies there.
But in my testimony I point out that if you say anything that touches medical data, like I buy a breast cancer book for somebody on Amazon, we don't want to suddenly have HIPAA kick in just because they mention the word health, and so how to expand it is something that you have to be careful about. One area of concern is that public health agencies are not subject to Federal laws, and law enforcement when it grabs health data, and there may be some work to be done on the Government's side to make sure that effective protections are in place, especially if they are trying to gather lots of bio-surveillance kinds of things going forward.

Mr. Clay. Mr. Pickard.

Mr. Pickard. Yes. If I could just say, that is an important question. I think that our association, AHIMA, strongly believes in harmonization of all of the privacy protections across all entities. When you look at the personal health records, when HIPAA was developed personal health records were barely being talked about. In a university setting with student records there is a lack of harmonization, as I mentioned in my testimony, between the FERPA, or Family Education Rights Privacy Act, and HIPAA. There are differences. And so I think it is an important question, and I think that, again, I agree it is one that will require answers and consideration as we move forward.

Mr. Clay. Thank you. Ms. Grealy, any thoughts?

Ms. Grealy. Well, as always, it is a balancing question. We want to make sure that we are not stifling innovation, as we have. I mean, I think we are finally beginning to see patients becoming more engaged in helping to manage their health care, and getting them engaged with personal health records I think is a very positive thing. We want to make sure that they feel very secure when they are sharing that information. Now, is the best way to go about that, make everyone a covered entity? Is it better to make them business associates?
I think we just have to make sure that the rules are clear, that we don't have conflicting standards out there. So if you start expanding business associates, making them covered entities, they may be in one sense a business associate, have to comply with a covered entity's rules, but then in another setting they become a covered entity, and they all hold a different set of standards. So, again, we know that there is work going on in this area. I know AHIC is looking at it. We are going to be testifying before them on Friday. But, again, just carefully looking at those and making sure that we are not getting into over-regulation and stifling the innovation that is really taking place out there.

I think one of the most important things I heard from the GAO panel, and something that we really have to focus on, is educating the public, communicating to them why do we want this information, but, more importantly, why is it good for you as a patient for us to have this information. Why do we want it? How are we going to share it? And how are we going to protect that information and keep it secure? So they know under HIPAA and various State statutes we can't disclose it to their employer, we can't disclose it to the newspaper, we can't disclose it to their neighbors. But we have to assure people that it is important for their health and for the health of future generations for us to have a workable privacy rule that allows for the necessary flow of health information.

Mr. Clay. Along those same lines, there is significant debate concerning the most effective way to obtain patient authorization for the disclosure or sharing of personal health information. For a national health information network to be successful, doesn't it require a stronger uniform privacy standard that requires affirmative consent from a patient for all information disclosure? And yes, we can start with you. I would like to hear comments from the entire panel.

Ms. Grealy.
I have the great benefit of every once in a while getting out there and talking to the real people that are actually doing this. I was just in Delaware, where they are doing a demonstration project with a health information network. We talked about this. Let's call it opt-in versus opt-out. I am going around and asking this question: how would your data exchange system work if it had to be an opt-in? If you are the Mayo that has a century worth of data, longitudinal studies, how would it work if you had to have an opt-in as opposed to you have the information, you give people the opportunity to opt-out of it? But if you had to go to each individual patient, to each individual subject that you want included, and get their affirmative decision to be included and to share their electronic medical record, I think it would halt the system. If we have to make a decision between the two, certainly opt-out is going to be better.

Mr. Clay. Mr. Pickard, any comments?

Mr. Pickard. Yes. Again, I think this is probably an area where AHIC is, in terms of their Privacy and Security Committee is looking into these types of issues. I can tell you in the State of Tennessee, with our health information exchange we have run up against this very question or this very issue, and we have put in protocols to enable patients to opt in or opt out, and then certainly you have the whole concept of patient identification. But, again, I think it is an important issue.

Mr. Clay. Mr. Swire.

Mr. Swire. Thank you. So the one way this comes up is if somebody sees a psychiatrist or gets substance abuse or something else and they say, look, I don't want this going out to everybody everywhere. So one idea of consent or authorization is some way for the patient to say, hold on, not this. I think it makes sense to a lot of people that some sort of permission for patients or some sort of control over that might make sense. Now, we can talk opt-in/opt-out.
Some of the systems don't want to have an opt at all. They just want to say we are going to sign everybody up. I think that is a concern. So if you don't want to be in at all, if you don't want to just sort of have my doctor put everything in and I have no control over that, I don't think that is the right place to be. The question is what point, for how many choices, will a patient have any say. I worked on Markle's Connecting for Health Task Force, and they have a write-up on this that I think goes through it in a sensible way, and I think you end up with an opt out where that is realistic where patients say, look, it generally goes in, but if I say it doesn't we should try to build it so it doesn't go in.

Mr. Clay. Just to pause after hearing the three different responses, what is the damage? What is the harm if someone other than a health care provider gets a copy of an x-ray or they get a record of a prescription? What do you think the harm is?

Ms. Grealy. I think the concern is that the health care provider might not get the x-ray. I mean, I am not even talking about disclosures to those that really shouldn't have the information. We are talking about patients saying, no, provider, the physician treating me cannot have this information. So we have to be very, very cautious, again, in that balance of making sure, and there may be a system of, you know, flagging it so the physician knows I don't have all the information, I had better check with this patient. I am not sure how that translates when we are trying to build databases to improve the quality of health care, to improve treatment for disease, if we have a lot of critical missing information.

Mr. Clay. Well, like the example you use in your testimony, the pharmacist should have relayed to both physicians for your father what medicines?

Ms. Grealy. If this were something that he was getting at a pharmacy, you are right. CVS, one of our members, they have gone electronic, so they can do those alerts.
But these were services, these were hormone shots, one being given in the oncologist's office and the other being part of the dialysis center treatment. There is no pharmacist in the picture, no electronic medical record to exchange that information, and so no way to alert.

Mr. Clay. Mr. Pickard, any thoughts?

Mr. Pickard. Again, I think--and I said this in my testimony--I think we need to move away from thinking about the type of information and the entity and make sure that the privacy protections do follow the health information wherever it resides. Let me just share. If I am an employee, I want the capability to opt out and to perhaps not have my employer have certain types of information. This is particularly important in today's environment where a lot of employers or insurances, for that matter, are developing personal health record tools for employees or subscribers. I think as an employee or an insurance subscriber, I should have that right to opt out of that.

Mr. Swire. Just one point to add on is that some of the most sensitive kinds of data that I have been talking about, the mental health and substance abuse, genetic, or whatever, are only protected by State law, so even if x-rays aren't, these other things are only protected by State law, and if we were to harmonize at the national baseline then those psychiatric notes, the substance abuse things, and the rest could be going through the system, and that is a reason not to preempt too strictly or not to preempt at a low level.

Mr. Clay. Let me ask this. This is a question for the entire panel. There have been long-term concerns on how health information is treated differently under institutions that are also covered under different privacy regulations, such as Family Educational Rights and Privacy Act of 1974.
Under the privacy rule, records protected by FERPA are not covered by the privacy rule; therefore, even if the information contained in an education record is health related, the privacy rule does not apply. Is this an area where conflicts ought to be addressed in order to harmonize the way in which patient information is protected? Ms. Grealy, we will ask you first.

Ms. Grealy. Well, I think one of the things that those that actually have to do compliance are always looking for is: give me uniformity. Make it simple. Don't have one set of standards here, another set of standards there. So I think any way we can harmonize these requirements is a positive thing.

Mr. Clay. Mr. Pickard.

Mr. Pickard. I agree. And let me just share, working in a university, you know, we interact and deal with both HIPAA regulations as well as FERPA regulations, and if I am a student and let's say if I have a medical condition that requires me to live off campus, I have to submit what actually becomes part of my academic record health information, and there is a lack of standardization in terms of how that information may or may not be handled. So I agree. I think there needs to be a harmonization across all of these different laws.

Mr. Clay. Thank you. Mr. Swire.

Mr. Swire. I am going to disagree on the FERPA one. I will just explain why. That was an issue that I worked on extensively during the rule and the comments from the schools, associations, and the rest. The logic at the time--and maybe it is different today--was with school nurses in high schools all over the country, rural grade schools, all the rest, if we harmonized to HIPAA, which is what AHIMA recommends and is worth considering, if we harmonize to HIPAA then the school nurse in that grade school out in a rural area would have to do full HIPAA compliance. And it wasn't clear that was the big risk, and it was clear that there would be a whole compliance thing to do if that happened.
So the idea there was we thought that there was a pretty reasonable FERPA regime in place, that the school nurses shouldn't suddenly have to do more, and that was a sensible way to go. Now, it does mean that universities like Vanderbilt get a double whammy, because they get students and then they get some other folks who are HIPAA, and suddenly they get both. In some ways maybe Vanderbilt people are so smart they can handle it, but maybe not every school nurse has to do HIPAA. So I am not really sure how you harmonize, because if you harmonize that everybody is HIPAA, then it is the school nurses of America that will be here next time.

Mr. Clay. Speaking of universities, Mr. Swire, I will ask you and then go down the line. Mr. Mark Rothstein of the University of Louisville has written extensively on the use of compelled authorizations for personal health information by employers for job applicants, life insurers for those applying for coverage, and other non-covered entities. If the current privacy rule does not regulate PHI once it is released to a third-party entity not covered under the rule, shouldn't we re-examine who will be covered when receiving electronic health information?

Mr. Swire. That is a great question, and it wouldn't be easy to legislate, but here are a couple of points that come up. So right now you can't have compelled authorizations for health care providers. If you show up at the ER and you are rolling in on the gurney, they can't say, sign here or we won't treat you, and you sign away everything. That is in HIPAA. The thing was, when HIPAA rules were written, HHS could do that--that is covered entities--but HHS had no jurisdiction over the employers of America. That just wasn't in the statute, so there was no choice in writing the rule about what to do for employers. That is a choice that only Congress can decide to step into.
If you want to say, as Congress, we are going to treat the employers the way we treat the hospitals, you can't require these authorizations as a condition of being employed here, that is a decision Congress can make. You are going to hear it from the employers. And sometimes employers will say we need this to figure out if they can lift the heavy loads or we need it for some other job-related thing. But that is what you would have to work through, and it would have to be statute. It can't be by reg.

Mr. Clay. Thank you. Any comments on that, Mr. Pickard?

Mr. Pickard. Yes. We are seeing many, many different types of entities outside of the HIPAA-covered entities and business associates that are handling health information. Again, this goes back to our principles I shared earlier, and that is that we really look to confidentiality protections following the health information, no matter where it resides, and there needs to be a national floor for handling health information.

Mr. Clay. OK. Ms. Grealy.

Ms. Grealy. I talked with a few of, I think, entities that people are referring to. Revolution Health Care is one that is really getting into working with consumers, developing a personal health record that they can access through the internet. They have a contractual relationship with the consumers that they are dealing with, and they say that they are HIPAA compliant, even though they are not a covered entity; that they feel it is a good business practice. They want the trust of the consumers that they are dealing with, and it is in their best interest to make sure that they have a high level of security and protecting that information.
So I think all of us have mentioned we know that AHIC, HHS, and others are really exploring these issues, and I think that is really the appropriate place; that we need to look at it carefully; make sure, as I said earlier, that we are not stifling innovation by expanding the reach of a heavy regulatory scheme; and make sure that it is balanced well, because I don't think we want to snuff out the innovation that is going on out there, but we do want to make sure that this information is protected.

Mr. Clay. All right. Thank you. Let me thank the entire panel for their testimony and their answers. We have certainly covered some ground today. This is a very complex issue. As the Congress takes this issue on of health information technology and how we actually protect the privacy of citizens throughout this country, patients, we will certainly rely on your expertise, and this hearing has been helpful in shedding light on this. Let me again thank you all for your testimony today. That concludes this hearing.

[Whereupon, at 3:30 p.m., the subcommittee was adjourned.]

[Additional information submitted for the hearing record follows:]

[GRAPHIC] [TIFF OMITTED] T9023.076

[GRAPHIC] [TIFF OMITTED] T9023.077

[GRAPHIC] [TIFF OMITTED] T9023.078

[GRAPHIC] [TIFF OMITTED] T9023.079

[GRAPHIC] [TIFF OMITTED] T9023.080

[GRAPHIC] [TIFF OMITTED] T9023.081

[GRAPHIC] [TIFF OMITTED] T9023.082

[GRAPHIC] [TIFF OMITTED] T9023.083