[Senate Hearing 110-114]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 110-114
 
                        PRIVATE HEALTH RECORDS:
                  PRIVACY IMPLICATIONS OF THE FEDERAL
                    GOVERNMENT'S HEALTH INFORMATION
                         TECHNOLOGY INITIATIVE

=======================================================================

                                HEARING

                               before the

                  OVERSIGHT OF GOVERNMENT MANAGEMENT,
                THE FEDERAL WORKFORCE, AND THE DISTRICT
                        OF COLUMBIA SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 1, 2007

                               __________

        Available via http://www.access.gpo.gov/congress/senate

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

                     U.S. GOVERNMENT PRINTING OFFICE

33-874 PDF                 WASHINGTON DC:  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001


        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
THOMAS R. CARPER, Delaware           GEORGE V. VOINOVICH, Ohio
MARK L. PRYOR, Arkansas              NORM COLEMAN, Minnesota
MARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma
BARACK OBAMA, Illinois               PETE V. DOMENICI, New Mexico
CLAIRE McCASKILL, Missouri           JOHN WARNER, Virginia
JON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire

                  Michael L. Alexander, Staff Director
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
                  Trina Driessnack Tyrer, Chief Clerk


 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE 
                          DISTRICT OF COLUMBIA

                   DANIEL K. AKAKA, Hawaii, Chairman
CARL LEVIN, Michigan                 GEORGE V. VOINOVICH, Ohio
THOMAS R. CARPER, Delaware           TED STEVENS, Alaska
MARK L. PRYOR, Arkansas              TOM COBURN, Oklahoma
MARY L. LANDRIEU, Louisiana          JOHN WARNER, Virginia

                   Richard J. Kessler, Staff Director
             Jennifer A. Hemingway, Minority Staff Director
                      Emily Marthaler, Chief Clerk


                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Akaka................................................     1
    Senator Voinovich............................................     3
    Senator Carper...............................................     4

                               WITNESSES
                       Thursday, February 1, 2007

Robert Kolodner, M.D., Interim National Coordinator for Health 
  Information Technology, U.S. Department of Health and Human 
  Services.......................................................     5
Daniel A. Green, Deputy Associate Director, Center for Employee 
  and Family Support Policy, Office of Personnel Management......     7
David A. Powner, Director of Information Technology Management 
  Issues, Government Accountability Office, accompanied by Linda 
  Koontz, Director of Information Management Issues, Government 
  Accountability Office..........................................    17
Mark A. Rothstein, Herbert F. Boehl Chair of Law and Medicine, 
  and Director, Institute for Bioethics, Health Policy and Law, 
  University of Louisville School of Medicine....................    19
Carol C. Diamond, M.D., Managing Director, Markle Foundation, and 
  Chair, Connecting for Health...................................    20

                     Alphabetical List of Witnesses

Diamond, Carol C., M.D.:
    Testimony....................................................    20
    Prepared statement with attachments..........................   138
Green, Daniel A.:
    Testimony....................................................     7
    Prepared statement...........................................    44
Kolodner, Robert, M.D.:
    Testimony....................................................     5
    Prepared statement...........................................    35
Koontz, Linda:
    Testimony....................................................    17
    Prepared statement with attachments..........................    52
Powner, David A.:
    Testimony....................................................    17
    Prepared statement with attachments..........................    52
Rothstein, Mark A.:
    Testimony....................................................    19
    Prepared statement...........................................   130

                                APPENDIX

Background Memorandum............................................    29
Simon P. Cohn, M.D., M.P.H., Chairman, National Committee on 
  Vital and Health Statistics, submitted copy of a report 
  entitled ``Privacy and Confidentiality in the Nationwide Health 
  Information Network''..........................................   164
Response to questions submitted for the Record from:
    Dr. Kolodner.................................................   181
    Mr. Green....................................................   185
    Mr. Powner...................................................   188


                    PRIVATE HEALTH RECORDS: PRIVACY
                      IMPLICATIONS OF THE FEDERAL
                    GOVERNMENT'S HEALTH INFORMATION
                         TECHNOLOGY INITIATIVE

                              ----------                              


                       THURSDAY, FEBRUARY 1, 2007

                                   U.S. Senate,    
              Subcommittee on Oversight of Government      
                     Management, the Federal Workforce,    
                            and the District of Columbia,  
                      of the Committee on Homeland Security
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:33 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Daniel K. 
Akaka, Chairman of the Subcommittee, presiding.
    Present: Senators Akaka, Carper, and Voinovich.

              OPENING STATEMENT OF CHAIRMAN AKAKA

    Chairman Akaka. This hearing will come to order.
    Today's hearing, ``Private Health Records: Privacy 
Implications of the Federal Government's Health Information 
Technology Initiative,'' will examine what actions the Federal 
Government is taking to ensure that privacy is an integral part 
of the national strategy to promote health information 
technology.
    Studies show that the use of health IT can save money, 
reduce medical errors, and improve the delivery of health 
services. For example, in 2004, the Center for Information 
Technology Leadership estimated that in ambulatory care 
settings the use of electronic health records (EHRs) would save 
$112 billion per year, or 7.5 percent of health care spending. 
In addition, EHRs are shown to help avoid duplicate tests and 
excess medication.
    In 2004, President Bush called for the widespread adoption 
of interoperable electronic health records within 10 years and 
issued an Executive Order that established the position of the 
National Coordinator for Health Information Technology. The 
National Coordinator is charged with developing and 
implementing a strategic plan to guide the nationwide 
implementation of interoperable health IT in both the public 
and private sectors.
    Two months later, the Department of Health and Human 
Services (HHS) released a framework for strategic action to 
promote health IT, which calls on all levels of government to 
work with the private sector to stimulate change in the health 
care industry. For example, the Departments of Veterans Affairs 
(VA) and Defense (DOD), the major Federal health care delivery 
organizations, are leaders in the use of health IT.
    VA, one of the country's largest health care providers, has 
had an automated information system in its medical facilities 
since 1985. DOD has provided IT support to its hospitals and 
clinics since 1968. As Chairman of the Veterans' Affairs 
Committee, we are looking at how to move DOD and VA forward in 
developing joint EHRs.
    This Subcommittee is particularly interested in the 
strategy, which calls for the Office of Personnel Management 
(OPM) to use its leverage as the administrator of the Federal 
Employee Health Benefits Program, which covers approximately 8 
million Federal employees, retirees, and their dependents, to 
expand the use of health IT. OPM, through its annual Call 
Letter to carriers, has been encouraging carriers to increase 
the use of EHRs, electronic prescribing, and other health IT-
related provisions.
    Although I support efforts to increase the use of health 
IT, I am deeply concerned about the level of privacy 
protections in the health IT network. In 2005, a Harris 
Interactive survey showed that 70 percent of Americans were 
concerned that an electronic medical records system would lead 
to sensitive medical records being exposed due to weak 
electronic security. This fear is understandable.
    Over the past few years, we have seen various data mining 
programs in the Federal Government that lacked key privacy 
protections. We also recall the loss of a VA laptop computer 
and the news of many other Federal data breaches that put the 
personal information of millions of Americans at risk. These 
incidents reinforce the need to build privacy and security 
protections into any system containing personal information. 
Our personal health information must not be subject to these 
same failings. Privacy and security are critical elements in 
health IT and should never be an afterthought.
    That is why I wrote to OPM in May 2005 seeking information 
on how Federal employees' health information would be protected 
under the efforts of OPM and the health insurance carriers. OPM 
responded that the Health Insurance Portability and 
Accountability Act (HIPAA) would address these privacy 
concerns. But while HIPAA is a foundation, HIPAA by itself is 
not enough. Privacy protections must be built in conjunction 
with the development of the health IT infrastructure.
    To ensure that this was happening, Senator Kennedy and I 
asked the Government Accountability Office to review the 
efforts of HHS and the National Coordinator to protect personal 
health information. GAO's report, which was released this 
morning, found that while HHS and the National Coordinator have 
taken steps to study the protection of personal health 
information, an overall strategy is needed to: One, identify 
milestones for integrating privacy into the health IT 
framework; two, ensure privacy is fully addressed; and, three, 
address key challenges associated with the nationwide exchange 
of information.
    Given the overwhelming evidence of the benefits associated 
with the expanded use of health IT, as well as the fact that 70 
percent of Americans are concerned about the privacy of their 
health information, I am surprised to learn that HHS objects to 
this recommendation.
    It is clear that the health care industry faces challenges 
in protecting electronic health information given the varying 
State laws and policies, the entities not covered by HIPAA, and 
the need to implement adequate security measures. But while 
more and more companies, providers, and carriers move forward 
with health IT, I fear that privacy suffers while HHS takes 
time to decide how to implement privacy protection. HHS must 
address these issues in a more timely fashion in order to give 
the private sector guidance on how to move forward with health 
IT and protect the private health information of all Americans.
    I want to thank our witnesses for being here today to 
discuss this critical issue.
    I now turn to my good friend, Senator Voinovich, for any 
opening statement he may have at this time.

             OPENING STATEMENT OF SENATOR VOINOVICH

    Senator Voinovich. Thank you, Senator Akaka. I appreciate 
your holding this hearing today on a subject that is of 
interest to me.
    The widespread adoption of health information technology 
such as electronic health records will revolutionize the health 
care profession. In fact, the Institute of Medicine, the 
National Committee on Vital and Health Statistics, and other 
expert panels have identified information technology as one of 
the most powerful tools in reducing medical errors and 
improving the quality of health.
    Unfortunately, our country's health care industry lags far 
behind other sectors of the economy in its investment in 
information technology. But, Senators Akaka and Carper, as I 
travel around Ohio I see a marked acceleration in the use of 
IT.
    The Institute of Medicine estimated in 1999 that there were 
nearly 98,000 deaths each year resulting from medical errors. 
Many of these deaths can be directly attributed to the inherent 
imperfections of our current paper-based health care system.
    Not only can technology save lives and improve the quality 
of health care, it also has the potential to reduce the cost of 
the delivery of health care. According to the Rand Corporation, 
the health care delivery system in the United States could save 
approximately $160 billion annually with the widespread use of 
electronic medical records. As technology advances, the issues 
surrounding protection of personal information will continue to 
be at the forefront of people's minds. Individual citizens 
continue to express concern over the security of personal, 
confidential information whether it is contained in an 
electronic health record or stolen from laptops, as Senator 
Akaka pointed out, at the Department of Veterans Affairs.
    However, the benefits of technology in the health care 
arena are undeniable, and I support the use of HIT. In fact, in 
the 109th Congress, Senator Carper and I introduced the Federal 
Employees Electronic Personal Health Records Act. I am sure we 
will be hearing more from Senator Carper about it. The bill 
will provide for the establishment and maintenance of 
electronic personal health records for individuals and family 
members enrolled in the Federal Employee Health Benefits 
Program. I have talked with one of the major health insurance 
companies and they support the use of HIT.
    I am hopeful the testimony today will assist my colleagues 
and me as we make decisions about implementing health IT. I 
personally look forward to learning from our witnesses ways 
Senator Carper and I might refine our legislation before 
introduction. As I say, we are making progress on privacy 
protections, and I am really pleased that the President issued 
an Executive Order specific to deployment of health information 
technology, including establishment of a National Coordinator 
for Health Information Technology.
    Since then, the Coordinator and the Department of Health 
and Human Services have made considerable progress toward the 
adoption of interoperable IT. But the successes have not come 
without criticism. Dr. Kolodner, your office has an enormous 
responsibility to continue to cultivate a strategic plan to 
guide implementation of nationwide interoperable health 
information technology. It is an important job. We must bring 
health care costs under control, and HIT is one part of that 
goal. However, there is some concern about whether information 
in IT systems is going to be private and secure. We cannot let 
those weaknesses impede our progress in this area.
    So, Mr. Chairman, I am looking forward to hearing from our 
witnesses.
    Chairman Akaka. Thank you very much, Senator Voinovich. 
Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman, and to our 
witnesses and to my friend and colleague, Senator Voinovich. He 
telegraphed my pitch a little bit, but I think it is great that 
he did.
    Mr. Chairman, as Senator Voinovich has said, we introduced 
in the last Congress and I think we are close to reintroducing 
in this Congress legislation to require those who provide 
insurance under the Federal Employee Health Benefits Program--
they would have a period of time, I think maybe less than 2 
years or so--to provide electronic health records for Federal 
employees insured under those policies if the employees wish to 
have that. And I know you have a strong interest in privacy 
protection, and we would look forward to working with you and 
your Subcommittee and your staff to make sure that we meet 
muster in that regard.
    Next month is a big month for us in Delaware, and I say 
this to our witnesses and others. We are beginning to stand up 
what we call the ``Delaware Health Information Network,'' an 
apple in my eye when I was Governor many years ago, and it is 
now actually coming to fruition as we try to electronically 
link our doctors' and nurses' offices and our hospitals and our 
labs and other providers. We are excited about the 
possibilities that holds for us.
    I am an old Navy guy, and I remember when I got out of the 
Navy--at least off of active duty, not out of the Navy, but off 
of active duty in 1973 and showed up at the VA hospital just 
outside of Wilmington. And it is not a place that, frankly, a 
lot of veterans wanted to go to for health care. I did not 
sense there was a lot of joy on the part of people who worked 
there being a VA employee, doctor or nurse or anything else. 
And, boy, that has really changed, especially in the last 
decade.
    I would never have imagined 33 years ago that we would be 
looking to the VA to provide the way with respect to improving 
outcomes and holding down costs and saving lives. But they sure 
have come through for us.
    Mr. Chairman, don't you chair the Veterans Committee in the 
Senate?
    Chairman Akaka. Yes.
    Senator Carper. I thought so. OK. Well, you have sort of a 
double interest in this particular issue. But we really look 
forward to what you have to say. We do not have very strong 
attendance here today, partly because there is a concurrent 
just-called caucus of the Senate Democrats, and they are 
meeting as we speak to discuss a resolution that pertains to 
the President's proposed surge of troops in Iraq. So people may 
be drifting in to join us in a little bit, but that just began 
literally at the time that this hearing began. So we apologize 
for them. Those of us who are here are anxious to hear what you 
have to say. So thanks for coming.
    Chairman Akaka. Thank you very much.
    I welcome to the Subcommittee today's first panel of 
witnesses: Dr. Rob Kolodner, Interim National Coordinator for 
Health Information Technology at the Department of Health and 
Human Services, and Daniel Green, Deputy Associate Director, 
Center for Employee and Family Support Policy, at the Office of 
Personnel Management.
    It is the custom of this Subcommittee to swear in all 
witnesses, and I ask you to stand and raise your right hand. Do 
you swear that the testimony you are about to give this 
Subcommittee is the truth, the whole truth, and nothing but the 
truth, so help you, God?
    Dr. Kolodner. I do.
    Mr. Green. I do.
    Chairman Akaka. Thank you. Dr. Kolodner, please proceed 
with your statement.

    TESTIMONY OF ROBERT KOLODNER, M.D.,\1\ INTERIM NATIONAL 
COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY, U.S. DEPARTMENT 
                  OF HEALTH AND HUMAN SERVICES

    Dr. Kolodner. Good afternoon, Chairman Akaka, Senator 
Voinovich, and Senator Carper. Thank you for inviting me here 
today to discuss the privacy plans, activities, and 
accomplishments of the National Health Information Technology 
agenda led by HHS.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Kolodner appears in the Appendix 
on page 35.
---------------------------------------------------------------------------
    Mr. Chairman, we appreciate Hawaii's efforts as pioneers in 
protecting patient health information and note that Hawaii's 
early work to develop a comprehensive privacy law informed and 
was an important resource for HHS when we developed the HIPAA 
privacy rules.
    Privacy and security are integral components of the 
national health IT agenda and are addressed by a spectrum of 
activities that advance our current understanding of the issues 
at multiple levels and lay the foundation for future 
activities. The widespread adoption of interoperable electronic 
health records will save lives, reduce medical errors, and 
improve the quality and efficiency of care, as you have noted.
    At the same time, it will create both new challenges and 
new opportunities with respect to protecting health 
information. HIPAA created a strong foundation of privacy and 
security protections for personal health information upon which 
States may provide additional privacy protections. We are 
vigorously addressing the new challenges by leveraging existing 
privacy policy foundations, building robust new public-private 
collaborations, partnering with States, health care 
organizations, and consumers to address State and business 
level protections, and considering privacy and security 
policies and implementation at a nationwide level.
    Ultimately, the effective coordination of health IT 
activities will help create an environment that improves the 
health status of both individuals and communities at the same 
time that personal health information is protected.
    The HHS Office of the National Coordinator for Health IT, 
ONC, is charged with leading the national health IT agenda 
across the Federal Government and the private sector by 
coordinating health IT activities, including those related to 
privacy and security. ONC has the lead for working with CMS, 
the Office for Civil Rights, or OCR, and others to develop the 
privacy policies for health IT, and OCR and CMS are responsible 
for the oversight and enforcement of the related HIPAA rules.
    The GAO report provides an excellent summary of the myriad 
of our successful health IT activities since 2004, and the 
report documents an active, progressive program of HHS 
activities that identify national privacy issues to be 
addressed as well as barriers to interoperability caused by 
privacy policy variations across States that need to be 
resolved.
    The tools we use to advance our privacy and security 
activities include contracts, including a recent one with the 
National Governors Association, an interdepartmental Federal 
Policy Council, and a public-private Confidentiality, Privacy, 
and Security Work Group of the American Health Information 
Community. The Community is a Federal advisory committee that 
is chaired by Secretary Leavitt himself and plays a central 
role in all of our activities. The members of the Community, 
consisting of senior leaders from the public and private 
sectors, participate in deliberations that guide our work and 
shape our understanding of how we can most effectively advance 
the health IT agenda nationwide, including privacy and 
security.
    Much like the historic journey by Lewis and Clark 200 years 
ago, who were crossing uncharted territory, we, too, are on a 
similar journey. Their goal was clear: to find a route to the 
Pacific Ocean, although the exact path was unknown at the 
beginning. Our goal is clear as well: The secure exchange of 
interoperable electronic health information. And the detailed 
milestones necessary to achieve our goal are also not yet 
knowable.
    Our approach is iterative. First, it requires an 
understanding of the multiple environments in which we are 
operating. To gain this understanding, we have initiated 
multiple complementary activities, such as the Nationwide 
Health Information Network prototypes, the Privacy and Security 
Solutions Contract, and the State Alliance for e-Health. And we 
have gathered input from other expert resources such as the 
National Committee for Vital and Health Statistics, or NCVHS.
    Second, our approach requires that we evaluate and analyze 
what we have discovered and learned. For example, only after we 
get the State level reports this spring that identify 
challenges and opportunities to protect and share health 
information will we have sufficient data to reliably establish 
the next set of milestones that we must achieve. An output from 
one source becomes input for another, such as the NCVHS 
recommendations that have been publicly shared with the 
Community work group I mentioned previously. As that work group 
moves from addressing security to addressing privacy concerns, 
we anticipate that these recommendations will inform the next 
set of privacy priorities.
    Our activities confirm the importance we give to 
confidentiality, privacy, and security. We have been executing 
an effective plan, originally described in our strategic 
framework that you mentioned, Mr. Chairman, and one that will 
continue to grow and evolve as we submit our health IT 
strategic plan later this year.
    We are using a results-oriented strategy of discovery and 
advancement that must be done in collaboration with a variety 
of stakeholders at the local, State, and national levels. GAO 
has documented the progress that we have made in the first 2 
years of our work, and we continue to undertake multiple 
related productive activities to properly protect the 
electronic health information today, tomorrow, and into the 
future.
    Thank you for your time, and I welcome any questions you 
might have.
    Chairman Akaka. Thank you very much. I want our witnesses 
to know that your full statements will be included in the 
record.
    Mr. Green.

  TESTIMONY OF DANIEL A. GREEN,\1\ DEPUTY ASSOCIATE DIRECTOR, 
   CENTER FOR EMPLOYEE AND FAMILY SUPPORT POLICY, OFFICE OF 
                      PERSONNEL MANAGEMENT

    Mr. Green. Mr. Chairman, Members of the Subcommittee, it is 
my pleasure to be here today to represent the Office of 
Personnel Management (OPM) Director Linda Springer. I plan to 
discuss how OPM is working with the Department of Health and 
Human Services and other organizations on the National Health 
Information Technology Initiative, and I will discuss how we at 
OPM are working with our health benefits carriers to implement 
health information technology (IT) that is secure and protects 
member privacy.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Green appears in the Appendix on 
page 44.
---------------------------------------------------------------------------
    OPM administers the Federal Employees Health Benefits 
(FEHB) Program, which covers approximately 8 million Federal 
employees, retirees, and their dependents. Like other large 
employers, we contract with private sector health plans. We 
have consistently encouraged participating plans to be 
responsive to consumer interests by emphasizing flexibility and 
consumer choice. We have also encouraged plans to adopt health 
information technology as an important consumer-oriented 
initiative. At the same time, we have placed great importance 
on the privacy and security of personal health information.
    FEHB enrollees have the same privacy protections under 
Federal law as all Americans. The Health Insurance Portability 
and Accountability Act of 1996 provides protections for the 
privacy of individually identifiable health information. All 
FEHB health carriers are required to comply with HIPAA 
requirements.
    And now I would like to provide some background on OPM's 
initiatives in health information technology.
    In 2004, President Bush issued an Executive Order to 
develop and implement a nationwide health IT infrastructure to 
improve the quality and efficiency of health care. In response 
to the Executive Order, we have been working with our FEHB 
plans on focused efforts to promote health IT while at the same 
time ensuring compliance with Federal requirements on privacy 
and security. More specifically, we have asked our carriers to 
concentrate on specific short-term objectives which include 
education for consumers on health IT, offering personal health 
records to consumers based on their medical claims history, 
encouraging e-prescribing, linking disease management programs 
with health IT, and compliance with Federal requirements on 
privacy.
    We have found that while there are wide variations in the 
scope and extent of health IT use, most carriers have focused 
on providing consumers with claims-based information through 
their secured websites. Some have robust health IT systems. We 
have recognized them on our own website during Open Season so 
consumers would have this additional information to take into 
consideration in making their plan choices.
    Then, last August, President Bush issued a second Executive 
Order, which underscored his commitment not only to health IT, 
but also to health care cost and quality transparency. In 
support of the order, we required all FEHB carriers to report 
on quality measures, including data from the Health Plan 
Employer Data and Information Set. We also encouraged them to 
provide information on cost and quality transparency. Along 
with the carriers that have state-of-the-art health IT 
capabilities, the carriers that made their best efforts to 
provide cost and quality transparency were also prominently 
positioned on our Open Season website last fall.
    Looking forward, OPM will continue to work with carriers on 
standards for interoperability of health information records as 
they are adopted in the health care industry, and we will 
continue to provide information for consumers on carriers' cost 
and quality transparency initiatives as well as their health IT 
capabilities.
    As a member of the American Health Information Community, 
OPM will monitor the recommendations of the Confidentiality, 
Privacy, and Security Work Group and determine if there are 
privacy and security requirements that should be applied to 
FEHB carriers. We firmly believe privacy and security of 
personal health information is important. We are encouraged by 
HHS's efforts to address this important issue. We plan to 
continue to work closely with HHS, the Community, and the 
Health IT Policy Council to ensure all necessary steps are 
taken to protect consumer privacy rights.
    We appreciate this opportunity to testify before the 
Subcommittee on this very important issue, and we will be glad 
to answer any questions you may have.
    Chairman Akaka. Thank you very much for your testimony.
    Dr. Kolodner, the GAO report notes that HHS disagreed with 
GAO's recommendation to define and implement the overall 
approach for protecting health information, including 
identifying milestones and integrating privacy efforts. Can you 
elaborate on HHS's objection to GAO's recommendation, 
particularly why HHS believes that setting milestones will 
impede progress and preclude stakeholder dialogue?
    Dr. Kolodner. Yes, Mr. Chairman. As I mentioned, the issue 
is not whether we have milestones. Milestones that we can set 
up right now based on what we know are very high level. They 
are, for example, to complete our Privacy and Security 
Solutions contract, to get the results of the contract, to 
analyze those results, and based on the content that was given 
in those analyses, to then determine the next set of 
milestones. That is pretty high level. That is not what we 
believe GAO was telling us to do, because that is basic project 
management, and we are doing that already.
    The idea of stating right now what those milestones will 
look like in June or July, when we have not yet received the 
report that will be received this spring, is something that we 
know would probably not accurately reflect what we will be 
executing in June, July, and August. So we see this as an 
iterative process of discovery and collaboration.
    A very important reality is that there are many parties 
that have very strong feelings, as you can tell, about this 
area, and privacy is important. We need to make sure that we 
advance deliberately, advance as quickly as we possibly can, 
but to make sure that we listen to and are informed by a 
variety of viewpoints. And as those deliberations occur and as 
those collaborations occur, we will advance forward.
    Chairman Akaka. Thank you.
    Mr. Green, OPM's contracts with carriers require compliance 
with HIPAA. As part of OPM's requirement to promote the use of 
health IT, the 2007 Call Letter required carriers to comply 
with Federal requirements to protect the privacy of 
individually identifiable health information.
    How does OPM monitor carriers' compliance with HIPAA 
privacy and security rules? And what steps are taken if a 
carrier is found to be noncompliant?
    Mr. Green. Mr. Chairman, in addition to the HIPAA law, we 
have required by contract that all our carriers follow the 
HIPAA rules, and we have also added privacy requirements that 
pre-date the HIPAA law, and those are in our standard 
contracts. We have also added certain measures that all our 
carriers are required to comply with concerning confidentiality 
of records and privacy and the regulations used to supplement 
the Federal Acquisition Regulations. They are called FEHBAR. 
The FEHB Acquisition Regulations apply to all our carriers. 
They are required to notify their contracting officer whenever 
they have an enforcement action resulting from noncompliance, 
as issued by a State or Federal authority. They are also 
subject to audit by both GAO and OPM, including OPM's Inspector 
General's office, and they run a system of audits against the 
computer systems of all our carriers on a rotational basis. And 
they will be introducing additional privacy audit steps this 
year into that audit.
    Chairman Akaka. Mr. Green, are there any circumstances that 
would result in electronic health records or personal health 
record networks being developed or used by FEHBP carriers that 
would not come under HIPAA?
    Mr. Green. Senator, the FEHB carriers are required to 
follow HIPAA rules, and so are their business associates, such 
as pharmacy benefit managers. So any subcontracts they have 
would also under our contract require them to follow HIPAA 
rules.
    Chairman Akaka. Dr. Kolodner, the statutory advisory 
committee, NCVHS, and the Secretary's advisory committee, AHIC, 
have made recommendations to the Secretary of HHS regarding the 
protection of personal health information. What is HHS's 
response to the recommendations, and how will they be 
incorporated into a nationwide health information architecture?
    Dr. Kolodner. Mr. Chairman, the NCVHS recommendations, 
which were accepted by the Secretary and then sent to the AHIC 
work group--the Confidentiality, Privacy, and Security Work 
Group--are, in fact, informing that group as they consider the 
various privacy policies and privacy priorities. Those will 
then come back to the Community for recommendation up in terms 
of specifically what kinds of privacy policies and security 
kinds of architecture should be required as we move forward.
    The Nationwide Health Information Network prototypes also 
have brought forth a number of different solutions, and we have 
been using those to look at what should go forward for the next 
round of trial implementations that we plan to fund this next 
year. So they are very much guiding and identifying those 
requirements that need to be moving forward.
    Chairman Akaka. Mr. Green, I believe privacy protections 
must be built into the health IT architecture at the beginning 
instead of racing to address privacy violations after Americans 
lose trust in the system. However, after reading the testimony 
of the witnesses on our second panel, I fear that HHS is not 
acting fast enough to integrate privacy protections in the 
development of the health IT.
    With this in mind, Mr. Green, what risks are there to 
Federal employees' health information as FEHBP carriers push 
forward with health IT initiatives?
    Mr. Green. Senator Akaka, nothing in this world is perfect, 
and there is no absolute certainty anywhere. However, I am 
convinced that the procedures that we have in place, the 
requirements we have in place today, protect our FEHB enrollees 
as fully or more so than any other citizen in this country 
against a chance of inappropriate misuse of that information.
    In addition, going forward with the implementation of 
health information technology, we are pleased and honored and 
excited about our participation in much of the work with the 
Department of Health and Human Services. As you know, we are a 
member of the AHIC. We are on several of the subcommittees, 
working groups, and, in fact, Director Springer for a time 
chaired the Consumer Empowerment Work Group, which is our deep 
interest because we feel like that is our responsibility--to 
support and protect our enrollees. They are our primary 
customers, after all. And, in addition, we work with the other 
Federal agencies that are heavily involved in this as part of 
an HIT Policy Council.
    So I am convinced that as we go forward, our Federal 
employees, retirees, and survivors and their family members 
will be as protected as we can possibly make them, and that is 
our promise to you, sir.
    Chairman Akaka. Thank you. Senator Voinovich.
    Senator Voinovich. Thank you.
    Dr. Kolodner, do you believe that the Office of National 
Coordinator has sufficient authority to facilitate 
communications among Federal entities, the private sector, and 
consumer organizations to lead the development and 
implementation of appropriate privacy standards?
    Dr. Kolodner. Yes, sir, I believe that we do, and I think 
that we have a number of avenues and a number of venues where 
we are already doing that, including the American Health 
Information Community, and also a number of the contracts with 
the States, like the State Alliance for e-Health.
    Senator Voinovich. Do you think outside groups looking in 
would say that they agree with you?
    Dr. Kolodner. We have several venues where we use public-
private collaborations, and we certainly look for any other 
opportunities there might be, but we have been as open as 
possible in the development of the standards, and in 
deliberations by any of the work groups. They are all open, 
broadcast on the Web, and have opportunities for public comment 
throughout.
    Senator Voinovich. I know this is off the subject, but it 
is something I am interested in. We have not passed 
appropriations, and we are talking about a continuing 
resolution. I would be interested in your observations in 
regard to whether you feel that it has been harmful to your 
respective organizations to have a continuing resolution in 
which you are operating under.
    Dr. Kolodner. For the Office of the National Coordinator, 
we have been able to proceed on a variety of activities that we 
have underway, and we have not had to slow down because of the 
continuing resolution. And we also, as you know, have the good 
fortune of having both Secretary Leavitt's very strong 
backing--this is one of his top programs--as well as the 
President having passed two Executive Orders that allow us to 
move forward.
    Senator Voinovich. So no problem?
    Dr. Kolodner. No problem.
    Senator Voinovich. Mr. Green.
    Mr. Green. Senator, I cannot speak for all of the Office of 
Personnel Management on our budget issues. I will leave that to 
Director Springer. I can say that we are moving forward on our 
initiatives, and we have a very large agenda within the Federal 
Employees Health Benefits Program and the other benefit 
systems, and we are moving forward without slackening at all.
    Senator Voinovich. Do you have the personnel and resources 
to get the job done?
    Mr. Green. Sir, I argue and fight for as many resources as 
I can get with my leadership, but I think that would probably 
be best left inside the OPM doors.
    Senator Voinovich. Well, one of the things that bothers me 
is that we are asking many agencies to do all kinds of things, 
and we do not allocate the resources so they can get the job 
done. I know it is very difficult for the secretaries of these 
departments to be forthcoming about it, but it seems to me that 
during this new budget cycle we ought to be encouraging both of 
you to make it clear to the folks that are in charge if you 
need additional help. I just read, Senator Akaka, where the 
President is talking about flat funding the nondefense 
discretionary budget again. We just cannot keep going this way. 
There are too many responsibilities that are not getting done, 
and the nondefense discretionary budget is being cut. To be 
candid with you, we should be paying for the war, just not 
putting it on the tab. What it is doing is it is squeezing out 
other priorities that are essential.
    Have you, Mr. Green, had a chance to look at the bill that 
I joined Senator Carper in introducing, the Federal Employees 
Electronic Personnel Health Records Act?
    Mr. Green. Yes, sir, I have.
    Senator Voinovich. I would be interested in your comments 
about it.
    Mr. Green. Several comments, as a matter of fact.
    We note that the bill is consistent with the direction of 
the health care industry and the leadership provided by HHS, 
and it is also consistent with OPM's initiatives, as well, to 
move our carriers toward having PHRs. We do have some concerns 
about some of the aspects of the bill. Let me put it this way: 
We would be excited and would like to work with you and your 
staff and Senator Carper to move that forward, to deal with 
some of the issues we have. I think you will find them good 
points that we both want to work through, and we would be happy 
to do that with you, sir. But overall, yes, we do support a 
bill like that.
    Senator Voinovich. So if Senator Carper's and my staff got 
in touch with you, you would be able to tell us your concerns.
    Mr. Green. We would be pleased to do that. Yes, sir.
    Senator Voinovich. I was glad to hear from your testimony 
that you are interested in HIT yourself. I mean, it is not like 
we are asking you to do something that is not already being 
done.
    Mr. Green. No, that is true. And our carriers are 
interested as well. They see this as a real opportunity not 
only to provide for their members, but also to differentiate 
themselves in the marketplace. Our job and Mr. Kolodner's job is 
to see to it that they are done interoperably and so that it is 
portable and also so that they are, in fact, secure, private, 
and the information is confidential and under the control of 
the enrollee.
    Senator Voinovich. Our thought is that we could use that as 
kind of a model for the rest of the country. I mentioned that I 
spoke with Aetna, while at the bipartisan health policy 
conference sponsored by the Commonwealth Fund and the Alliance 
for Health records with Aetna's CEO, who said he thinks 
implementing personal health records is a great first step, and 
that they seem to be interested in moving forward with it. So 
it would be wonderful if we could get the standards in place 
and get moving.
    Mr. Green. Aetna is one of our carriers, of course, a very 
large participant, so that is good to hear.
    Senator Voinovich. Thank you, Senator Akaka.
    Chairman Akaka. Thank you, Senator Voinovich.
    Dr. Kolodner, you testified that the current HIPAA statute 
provides the flexibility to protect health information while 
allowing best practices to emerge. However, as Mr. Rothstein on 
our next panel notes in his written testimony, some private 
sector companies are using electronic health record and 
personal health record networks that generally are not subject 
to any Federal or State regulation because the initiatives are 
not covered entities under HIPAA.
    Does HHS have a list of entities that may have access to 
personal health information under a health IT network, but are 
not covered by HIPAA?
    Dr. Kolodner. The HIPAA rules define the entities that are 
covered by HIPAA. There are other entities that are not covered 
by HIPAA, and he may be referring to some of those entities.
    The Confidentiality, Privacy, and Security Work Group and 
our Consumer Empowerment Work Group, which is another work 
group under the American Health Information Community, both 
have started to consider whether there are entities that should 
be covered under HIPAA that are not now being covered. We will 
be looking at those recommendations as they come forward and 
see whether there is sufficient authority in HIPAA to extend 
that. So we are considering that as part of the deliberations 
that I mentioned that are underway.
    Chairman Akaka. Dr. Kolodner, HHS has been without a 
permanent National Coordinator for Health IT since May 19, 
2006. When will a permanent National Coordinator be named?
    Dr. Kolodner. Mr. Chairman, that would be a question that 
Secretary Leavitt would ultimately need to answer. He has asked 
VA to detail me over. VA did that starting in September. VA was 
gracious enough to extend the detail, so I will be here for 
another period of time, and it will be up to Secretary Leavitt 
to ultimately decide.
    Chairman Akaka. Thank you.
    Mr. Green, you testified that OPM is a member of several 
work groups focused on health IT. Can you share with us some of 
the recommendations that OPM has made to these groups?
    Mr. Green. Senator, the work groups operate under a 
consensus-based decisionmaking process. We contribute to those 
discussions on each recommendation as they come up.
    One of our primary objectives is to ensure consumer rights 
and responsibilities are protected, and we also share our 
knowledge on employer-based health benefits to shape 
recommendations that are achievable and promote the broad goals 
of the HIT initiative.
    Chairman Akaka. Thank you. Senator Carper.
    Senator Carper. Thanks, Mr. Chairman. Who did you succeed 
in your job?
    Dr. Kolodner. Dr. David Brailer was the first National 
Coordinator.
    Senator Carper. What is Dr. Brailer doing now?
    Dr. Kolodner. I believe he is doing some private 
consulting. He is also a Special Government Employee, since he 
does still co-chair the American Health Information Community.
    Senator Carper. Thanks. If you ever see him, give him my 
best. Thanks. All right.
    Dr. Kolodner. I will do so.
    Senator Carper. I understand when I was out of the room in 
another meeting here in the anteroom that Senator Voinovich 
asked for some reaction from both of you to the legislation we 
are about to reintroduce. And I understand that you pretty well 
trashed it. [Laughter.]
    No. I understand you were pretty generous. Would you just 
recap for me what you had to say and any thoughts you might 
have for making it better?
    Mr. Green. Certainly, Senator. I explained that we have 
reviewed and commented earlier, at least within the Executive 
Branch, on the bill and that since the provisions in the bill 
are consistent with the direction that the health care industry 
is going and the leadership that HHS is providing, it is also 
consistent with OPM's direction of where we want to move with 
our carriers in the FEHB program. So we are supportive of the 
bill and its outline and its purpose. There are some issues 
that we would like to have the opportunity to discuss with you 
and your staff that we think we can help improve the bill to 
fit what goes on within the FEHB program and some other issues, 
to help deal with privacy concerns as well. So we would welcome 
the opportunity.
    Senator Carper. We gratefully accept that offer.
    I mentioned earlier in my opening statement that in Delaware 
we are standing up the Delaware Health Information Network, and 
we are doing so with the financial support from the Department 
that Secretary Leavitt leads and from some of the folks that 
are your colleagues, Dr. Kolodner. And the State of Delaware is 
matching that money over the next couple of years, and the 
private sector in our State is stepping up as well. We just 
learned that Blue Cross/Blue Shield of Delaware is the latest 
to step forward and say they want to be financially supportive 
of this, too. So we are very much encouraged.
    One of our focuses in standing up the Delaware Health 
Information Network is to protect patient privacy and patient 
records. And I know that you come out of the VA, don't you?
    Dr. Kolodner. Yes, sir.
    Senator Carper. How long did you work there?
    Dr. Kolodner. Twenty-eight years.
    Senator Carper. Twenty-eight years, wow. Did you start as a 
child? [Laughter.]
    But the VA approach on harnessing information technology--
just talk with us a little bit about what you did there to 
protect the privacy of patients and their personal or health 
records. And is there maybe a lesson there, a model for the 
rest of us, whether we are doing it at the State level or for 
Federal employees?
    Dr. Kolodner. The VA had privacy as a central part of the 
system from early on, and we actually--because it is a single 
system and not a network. A network obviously presents new 
opportunities, new challenges. But as a system, we actually 
would contract to security companies for them to try to break 
into the electronic health record system and find where the 
vulnerabilities were so that we could fix them before any 
breach had occurred. The VistA system, which started out as the 
Decentralized Hospital Computer Program, is secure and has not 
been a source of any breaches.
    We also have a personal health record we provide to 
veterans, starting in December, we actually upload this robust 
data from.
    Senator Carper. Starting this past December?
    Dr. Kolodner. This past December. We had it in test with a 
few thousand veterans before that, but starting this past 
December, veterans can, in fact, have a copy of their clinical 
record--not just any claims data but the clinical data that is 
in this robust VistA system--uploaded to a personal health 
record if they choose. So it is an opt-in strategy. And we have 
security----
    Senator Carper. It is opt in, not opt out?
    Dr. Kolodner. It is opt in for the personal health record, 
yes, sir. And we have gotten very positive response from the 
veterans who----
    Senator Carper. Are they opting in?
    Dr. Kolodner. They are opting in. Hundreds of thousands 
have opted in so far. And as with any new technology, if you 
remember when the Internet started, many of us were a little 
skeptical. We wanted to see what was going on. Did we want to 
use our credit card over the Internet? And gradually what 
happens is you get the early adopters who were willing to take 
a chance, and the system gets more and more robust, more and 
more trusted, and more people, in fact, come on board. So there 
is a growth curve that is a natural growth curve. It is not 
that everybody comes on at once. But it is one where you get 
more rapid uptake over time, and we are beginning to see that, 
particularly as you offer services that--veterans had wanted to 
be able to refill their prescriptions online, and they can do 
that now.
    Senator Carper. Great. You may recall in the last Congress 
the Senate passed legislation dealing with health IT, passed a 
pretty good bill. I don't know that there was anybody who voted 
against it in the Senate. It went over to the House and it 
died. It died over there, and for reasons that are not 
altogether clear to me.
    What advice would you have for us as we come back and take 
up the legislation? There may be an effort to try to combine 
what Senator Voinovich and I are doing to actually make it part 
of the larger piece of legislation? I don't know if we will let 
that happen. Maybe we will, maybe we won't. There could be 
worse outcomes.
    But why did it die in the House? What might be different 
this time? And as we tinker with that legislation and prepare 
to pass it again in the Senate, what advice would you have for 
us, either of you?
    Dr. Kolodner. Senator, certainly the reason why it died in 
the House or why the Senate and the House could not get 
together on it is beyond my purview and my expertise, and I 
would leave that to you and your colleagues.
    Senator Carper. Well, we do not know either. [Laughter.]
    But we will figure it out.
    Dr. Kolodner. I know that there is great interest in the 
health IT bill, and certainly we will work with you and with 
your colleagues as the various bills go forward to certainly 
work on something that advances the whole health IT agenda.
    Senator Carper. Well, I don't know how familiar you were 
with the legislation that was enacted in the Senate. I am not 
going to dwell on it. But if you have any ideas for the record 
that you might like to suggest to us, either of you, for how to 
improve that legislation when it comes to the floor, which I 
think will come fairly soon, we would welcome your input.
    Do you all have anything else you want to say with respect 
to any of the questions I have raised here?
    [No response.]
    OK. Thank you. Thanks very much for your good work, 
particularly at the VA, and as a veteran myself of the Navy, 
you make us very proud, even prouder to be veterans. And for 
all the veterans around the country, in Delaware and other 
places, who have the opportunity to use what I call the gold 
standard for health care in this country today, thank you for 
helping to provide that system.
    Chairman Akaka. Senator Voinovich.
    Senator Voinovich. I would like to get back to the bill 
that Senator Carper and I are going to reintroduce. It is my 
understanding that originally the bill had a 1-year 
requirement, the bill Senator Carper had, and then we had a 2-
year requirement, and then we talked to OPM and they said we 
might be moving too quickly.
    It is my understanding that OPM is reluctant to agree to a 
statutory deadline because the HHS standards have not been 
published. However, Dr. Kolodner, you indicated that you have 
the team necessary to get the job done. I just want you to know 
I do not want to see publication of the standards delayed. If 
you do not have the people that you need to get the job done, 
then we ought to know about it. I will pick up the phone and 
call my good friend, former Governor Mike Leavitt, and say, 
``Mike, you guys have made a commitment. Now put the resources 
in it so we can get it done.'' I want this taken care of.
    So if you want to respond to that, you may. [Laughter.]
    Dr. Kolodner. One of the pleasures of being over at HHS has 
been the undying support of Secretary Leavitt for the area of 
health IT. I could not ask for any stronger support from him, 
and that has been one of the things that attracted me to take 
this interim appointment.
    The office actually was established a little over a year 
ago, and we are just finishing up staffing up to our authorized 
level. We had been filling those activities with contractors. 
We are now bringing on the staff that we need, and we are 
moving as fast as we believe that we can, again, with this 
iterative process that is necessary to make the best policy.
    Senator Voinovich. Well, we welcome your input on our 
legislation. We will be talking to you and Mr. Green about it 
more.
    Thank you, Senator Akaka.
    Chairman Akaka. Dr. Kolodner and Mr. Green, thank you very 
much for your valuable testimony. I look forward to working 
with each of you to ensure that privacy and security are 
integral parts of the health IT architecture. Thank you very 
much.
    Dr. Kolodner. Thank you, sir.
    Mr. Green. Thank you.
    Chairman Akaka. And now I ask our second panel of witnesses 
to come forward. Testifying on our second panel are David 
Powner, Director of IT Management Issues, and Linda Koontz, 
Director of Information Management Issues, from the Government 
Accountability Office; also Mark Rothstein, Director of the 
Institute for Bioethics, Health Policy, and Law at the 
University of Louisville School of Medicine, as well as the 
Chair of the Subcommittee on Privacy and Confidentiality of the 
National Committee on Vital and Health Statistics; and Dr. 
Carol Diamond, Managing Director of the Markle Foundation.
    As you know, it is the custom of the Subcommittee to swear 
in all witnesses, so please stand and raise your right hand. Do 
you swear that the testimony you are about to give before this 
Subcommittee is the truth, the whole truth, and nothing but the 
truth, so help you, God?
    Mr. Powner. I do.
    Ms. Koontz. I do.
    Mr. Rothstein. I do.
    Dr. Diamond. I do.
    Chairman Akaka. Thank you. Mr. Powner, please proceed with 
your statement.

   TESTIMONY OF DAVID A. POWNER,\1\ DIRECTOR OF INFORMATION 
  TECHNOLOGY MANAGEMENT ISSUES, ACCOMPANIED BY LINDA KOONTZ, 
     DIRECTOR OF INFORMATION MANAGEMENT ISSUES, GOVERNMENT 
                     ACCOUNTABILITY OFFICE

    Mr. Powner. Chairman Akaka, Ranking Member Voinovich, we 
appreciate the opportunity to testify on privacy initiatives 
associated with our Nation's efforts to increase the use of 
health information technology. With me today is Linda Koontz, 
GAO's Director of Information Management Issues and privacy 
expert.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Powner and Ms. Koontz with 
attachments appears in the Appendix on page 52.
---------------------------------------------------------------------------
    In 2004, President Bush issued an Executive Order that 
called for widespread adoption of electronic health records by 
2014 and established a National Coordinator for Health IT to 
lead and to foster public-private coordination. Over the past 
several years, we have issued several reports and testified on 
numerous occasions, highlighting the need for detailed plans, 
milestones, and mechanisms to monitor progress if this 10-year 
goal is to be achieved.
    The benefits of health IT are immense and include reducing 
medical errors. However, it also raises concerns regarding the 
extent to which patient privacy is protected. The challenge 
here is to strike the right balance between patient privacy 
concerns and the numerous benefits IT has to offer this 
industry.
    This afternoon, as requested, I will summarize our report 
completed at your request, Mr. Chairman, on HHS's health IT 
privacy initiatives. Specifically, I would like to highlight 
three points: First, the importance of having a comprehensive 
privacy approach; second, HHS's initial efforts to address 
privacy; and, third, additional actions needed.
    Privacy is a major concern in the health care industry 
given the sensitivity of certain medical information and the 
complexity of the health care delivery system with its numerous 
players and extensive information exchange requirements. This 
concern increases as our Nation transitions to using more 
electronic health records. A comprehensive privacy approach is 
needed so that ultimately it is clear who these records are 
disclosed to, what limitations are placed on the use of the 
information, how patients can access their records, how 
inaccurate or incomplete information is corrected, and what 
administrative, physical, and technical safeguards are needed 
to protect electronic health information.
    HHS acknowledges in its National Health IT Framework the 
need to protect consumer privacy and plans to develop and 
implement appropriate privacy and security policies, practices, 
and standards for electronic health information exchange. HHS 
and its Office of the National Coordinator have initiated 
several efforts to address privacy. These include: Awarding 
several contracts that include one for privacy and security 
solutions; consulting with the National Committee on Vital and 
Health Statistics to develop privacy recommendations; and 
forming a Confidentiality, Privacy, and Security Work Group to 
identify and address privacy and security policy issues.
    These efforts are good building blocks, but much work 
remains, including: Assessing how variations in State laws 
affect health information exchange; reporting and acting on the 
privacy and security contractors' findings; acting on advisory 
group recommendations; and identifying and implementing privacy 
and security standards.
    The National Coordinator's Office intends to use the 
results of these activities to identify policy and technical 
solutions for protecting personal health information as part of 
its continuing effort to complete a national health IT 
strategy. Ultimately, these and other efforts are to result in 
comprehensive security and privacy policies, practices, and 
standards. However, how HHS plans to integrate the outcomes of 
its initiatives and when is unclear.
    Therefore, we recommended, Mr. Chairman, that HHS develop 
an overall privacy approach or a game plan that identifies 
milestones and an accountable entity for integrating the 
outcomes of its health IT contracts and recommendations from 
advisory groups. In addition, this approach should ensure that 
key privacy principles highlighted in our written statement are 
fully addressed. And, finally, this approach should address key 
challenges associated with legal and policy issues, disclosure 
of information, individual rights to access, and security 
measures.
    In summary, Mr. Chairman, while progress continues to be 
made through the National Coordinator's private initiatives, a 
comprehensive approach is needed to integrate the results of 
the initiatives to ensure that key privacy principles are 
addressed and to ensure that recommendations from the advisory 
committees are effectively implemented. Otherwise, HHS will not 
be providing the leadership called for by the President and its 
goal of safeguarding personal health information will be in 
jeopardy.
    This concludes our statement. We would be pleased to answer 
questions.
    Chairman Akaka. Thank you very much, Mr. Powner. Mr. 
Rothstein.

 TESTIMONY OF MARK A. ROTHSTEIN,\1\ HERBERT F. BOEHL CHAIR OF 
LAW AND MEDICINE, AND DIRECTOR, INSTITUTE FOR BIOETHICS, HEALTH 
  POLICY AND LAW, UNIVERSITY OF LOUISVILLE SCHOOL OF MEDICINE

    Mr. Rothstein. Yes, thank you very much, Mr. Chairman and 
Senator Voinovich. I appreciate the opportunity to be with you 
this afternoon. I want to clarify for the record that I am 
appearing in my individual capacity and not as a representative 
of NCVHS, which may want to deny any responsibility for my 
statements, written or oral.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Rothstein appears in the Appendix 
on page 130.
---------------------------------------------------------------------------
    I want to make two points this afternoon. First, in my 
view, HHS has not made meaningful progress in developing and 
implementing measures to protect the privacy of health 
information in electronic health networks. And the second point 
is that time is of the essence. I believe HHS must begin to act 
immediately on these very difficult privacy issues and also 
that Congress needs to hold HHS accountable and make them meet 
the milestones that have been suggested by GAO or some of the 
other measures that I want to suggest to you this afternoon in 
my testimony.
    I specifically agree with the comments in the GAO report. I 
believe that they accurately captured the sense and the 
progress, or lack of progress, on the privacy issues. But I 
would add my own assessment that I believe that the focus on 
privacy is currently lagging behind the focus at HHS on 
technical development of the infrastructure of the NHIN. And I 
am concerned that the gap between the technical progress and 
privacy is actually widening, and that is not a luxury that we 
have, for reasons that I want to pursue in just a minute.
    In 2004, the head of ONC at that time, Dr. Brailer, asked 
NCVHS to do a comprehensive study on privacy and 
confidentiality issues in the Nationwide Health Information 
Network. And it took us 18 months of hearings throughout the 
country, dozens of witnesses, and lots of rather heated 
deliberation to reach our recommendations, which were delivered 
to the Secretary in June 2006. And just to emphasize the nature 
of these fundamental questions that have to be resolved, I want 
to go through a couple of them with you, if I may.
    First, NCVHS noted that a decision has to be made on 
whether individuals have a right to decide whether they want to 
be a part of this nationwide system, and if so, should that be 
opt in or opt out or some combination, should it be controlled 
locally or via some other method. So that is a fundamental 
question.
    Another fundamental question is whether individuals should 
have some control over the contents of their health records 
that would be disclosed via the NHIN. When you put together 
comprehensive, longitudinal, individual health records, they 
are likely to contain lots of old data. Some of it may be very 
sensitive. Some of it may be irrelevant to current care. These 
records are not usually available now because of the 
fragmentation of the system. You cannot get it from all these 
places. Electronically, it will be easy to obtain this 
information, and I am concerned that under an electronic system 
we should not have less privacy than we do today. So that is a 
concern of mine.
    I am also concerned about the scope of the disclosures when 
people have to sign an authorization to get a job or life 
insurance. About 25 million of these are signed each year in 
the United States, and when the records are released, typically 
the entire file is sent. And this may include all this 
sensitive information.
    NCVHS submitted 26 recommendations to the Secretary, and I 
don't think that very much progress, if any, has been made on 
any of these areas that we identified. And I believe that time 
is of the essence, as I emphasized in my written testimony. 
Private sector groups are working today--while we are still 
talking about these issues officially in terms of regulation, 
the private sector is marching ahead. Last month, we heard at 
our hearings from Wal-Mart about this huge personal health 
record system that it is putting together, with over 2.5 
million employees represented, and this is a single company, in 
collaboration with other employers. They are not health plans. 
They are not covered entities under HIPAA. There is no 
regulation in place.
    So not only do I support the GAO recommendations, I think 
we need to be thinking beyond HIPAA. HIPAA is an archaic 
statute that was designed for totally different purposes. It 
was designed for the payment system. We now have a more 
comprehensive nationwide network involved, and I think we have 
to be thinking more comprehensively. And I believe that there 
are lots of things that need to be done, and I would recommend 
that the Subcommittee work with HHS and try to move the ball 
forward more rapidly on these very important issues.
    So I thank you for the opportunity to testify today and I 
look forward to your questions.
    Chairman Akaka. Thank you very much. Dr. Diamond.

  TESTIMONY OF CAROL C. DIAMOND, M.D.,\1\ MANAGING DIRECTOR, 
      MARKLE FOUNDATION, AND CHAIR, CONNECTING FOR HEALTH

    Dr. Diamond. Thank you, Chairman Akaka, Senator Voinovich. 
It is a privilege to be invited to testify today. I am the 
Managing Director at the Markle Foundation, and in that 
capacity I also serve as Chair of a large public-private 
collaborative called Connecting for Health. Our goal at 
Connecting for Health is to make sure that vital information is 
available both for patients and their providers when it is 
needed and where it is needed in a way that protects privacy 
and earns the trust of the American people.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Diamond appears in the Appendix 
on page 138.
---------------------------------------------------------------------------
    As you heard today, numerous efforts are underway to 
promote the use of health information technology within HHS, 
other parts of government, and the private sector. Yet as the 
GAO report and Mr. Rothstein have stated, there has not yet 
been enough progress in establishing a policy framework that 
will earn the long-term public trust required to sustain and 
build upon current activities.
    Toward that end, I have two important recommendations to 
make. First, the Nation needs a well-defined, comprehensive 
privacy framework based on key policy and technology attributes 
that I will lay out. Second, while the entities and contracts 
created by HHS have been useful to initiate action in this 
field, we now need to find the appropriate longer-term process 
for determining both the policies and the technologies that 
will achieve the attributes of such a framework. Our national 
strategy for health information technology must be carried out 
by decisionmakers informed by and accountable to a broad range 
of interests with direct public accountability.
    Let me first talk about the required framework for health 
IT. Our group took 3 years to develop this framework, and the 
framework includes the attributes that are necessary to protect 
privacy and security. Efforts to gather and share information 
should achieve these attributes:
    First, information sharing at the national level should be 
done in a decentralized and distributed way. Simply put, health 
information sharing should not require the development of large 
centralized repositories of personal health information. 
Clinical data should be left in the hands of patients and those 
who have a direct relationship with them in their care, and 
leave decisions about who should or should not see that data 
with patients and providers directly involved with their care.
    Second, sharing should separate demographic and clinical 
information. Sharing should be accomplished with an index that 
does not contain clinical data but, rather, knows where 
relevant information resides. Only those with proper 
authorization are then allowed to access the information, and 
this does not require the use of a national identifier.
    Third, the framework should be a flexible platform for 
innovation. Participation in the network by a broad range of 
providers delivering products and services will be a result of 
using open standards and transparent policies. This will 
encourage innovation so that we can make critical rapid 
progress.
    Fourth, the framework should implement privacy through 
technology. This is a key attribute. Technology choices should 
be made so that they can enable the effective implementation of 
policies protecting privacy. These technologies should create 
audit trails, implement security, improve data accuracy, 
prevent both intentional and unintentional improper disclosure 
of information. They should build rules and permissions into 
the process of accessing and distributing data.
    Our fifth attribute is really a set of nine foundational 
privacy principles. These have been adopted from fair 
information practices and other sources internationally. These 
principles include things like transparency, specifying the 
purpose of data being collected, collecting only what is 
necessary, adhering to the uses agreed to by the individual, 
allowing the individuals to know and have a say in how their 
information is used, maintaining the integrity of data, audit, 
oversight, and remedies in the event of breach or misuse. Every 
health information initiative should be expected to disclose 
how it addresses each of these principles.
    In summary, HHS deserves praise for its success in 
elevating public and industry interest in health information 
exchange and for encouraging the adoption of technical 
standards. But focusing only on technical standards is like 
building an interstate highway system, without the rules for 
entering, exiting, or anticipating the speed limits that need 
to be accommodated. In order to serve the communities through 
which it passes, a highway must have a coherent set of rules, 
made obvious through signage and visibly enforced, and be 
embedded in the design of the highway itself. And for the users 
of health information, patients and their providers, an 
explicit policy framework is essential.
    Several years of public opinion surveys show that Americans 
have significant privacy concerns when it comes to their health 
information. Without a policy framework with the attributes we 
propose, our Nation runs the risk of inappropriate uses of 
personal information followed by public clamor for hasty 
remedies, which will undermine the sustainability of an 
information sharing network. And these policies that touch the 
most private concerns of every American require a clear 
framework for privacy and an accountable visible process that 
can encourage public interest, that will be maintained over 
time, and that will give consumers confidence that their 
interests are being looked after.
    Mr. Chairman, the lack of trust in health information 
technology may not only impede progress but, more profoundly, 
it may squander this amazing window we have to stimulate a much 
needed transformation of our overburdened health care system.
    Thank you for the opportunity to testify.
    Chairman Akaka. Thank you very much for your statements.
    I just talked to my friend, Senator Voinovich, and I am 
going to let him proceed first.
    Senator Voinovich. Thank you very much, Senator Akaka.
    First of all, you heard the testimony of Dr. Kolodner. You 
were here for his testimony, and I asked him whether or not he 
had the staff to get the job done. In your opinion, does he 
have the staff to get the job done?
    Mr. Powner. We specifically have not looked at whether he 
has the human capital and all the resources to get the job 
done. Our big concern, Ranking Member Voinovich, is that we do 
not see a road map to get from where we are at today to have a 
comprehensive privacy policy in place.
    Dr. Kolodner made some comments about sound project 
management. Sound project management is about having milestones 
and targets, and we go after those milestones and set interim 
performance measures to gauge whether we are making enough 
progress or not. That is what we do not see, sir.
    Senator Voinovich. OK. So you are saying plan, milestones 
and, in addition, metrics to judge if milestones are being met?
    Mr. Powner. Absolutely, and some of our other witnesses 
mentioned some of the key privacy principles that clearly need 
to be addressed as part of that approach.
    Senator Voinovich. Right. Senator Akaka, it might be good--
if you recall, what we have been able to do with the GAO High-
Risk agencies. OMB and GAO have sat down together to develop a 
strategic plan on addressing these problems. They are making 
progress. It seems that process may have value here.
    The last question is for Mr. Rothstein. You said they are 
lagging behind the technical structure of developing IT. So 
what you are seeing is fast development without building 
privacy in at the beginning?
    Mr. Rothstein. Yes, Senator, and there are significant 
concerns that, unless privacy is built into the architecture of 
the system, we will not be able to come back and do it later. 
And that is why privacy protections have to be in from the 
start, and the longer it takes us to develop policies on what 
our privacy and confidentiality and security rules are, the 
more danger we have that it is going to be too late or it is 
going to be prohibitively expensive to go back and try to add 
the privacy protections.
    Senator Voinovich. Just another comment, Senator Akaka. It 
is nice that OPM may be saying they cannot do it because they 
are waiting to incorporate the privacy standards into the 
system. Thank you very much. I appreciate the chance to ask 
these questions.
    Chairman Akaka. Thank you very much, Senator Voinovich.
    Mr. Powner, you recommended in your testimony that HHS 
define a comprehensive privacy approach that includes detailed 
plans and milestones for integrating its various initiatives. 
GAO specifically mentioned the need to sequence the 
implementation of key activities appropriately. Would you 
explain that comment? Tell us why this is important. And what 
else is missing from HHS's current approach?
    Mr. Powner. Similar to Mr. Rothstein's comment, the 
sequencing is very important because his comment about building 
in privacy and security early, we see many examples throughout 
the Federal Government, Mr. Chairman, where we built in 
security or privacy after the fact, after systems and networks 
are built; and, one, it is very difficult to implement and, 
two, it is much more costly to do it after the fact. So it is 
very important that we sequence these activities. We are 
talking about prototypes right now for the National Health 
Information Network, and to Mr. Rothstein's point, what is 
happening is the technology is getting ahead of the policy, and 
we need to make sure that we get the policies in place so that 
we can actually make those appropriate technology decisions and 
build it in up front.
    Chairman Akaka. Dr. Diamond, I agree with your statement 
that public trust cannot be fully accomplished by relying only 
on existing legal provisions such as HIPAA. However, Mr. Green 
testified that OPM is pushing health IT through the FEHBP and 
is only requiring carriers to follow Federal privacy 
requirements.
    Do you believe OPM can earn the trust of Federal employees 
when carriers are increasingly using health IT?
    Dr. Diamond. Chairman, I would say two things. I think it 
is a very good thing for the Federal Government to help its 
employees find ways to see and access their own health 
information. But I would say that in the same way that the 
government can stimulate the use of information technology and 
stimulate the expectation that people can have their own 
information, it can also stimulate the adherence to a basic 
framework of privacy based on the attributes that I articulated 
today. As long as both those policy and technology things are 
clear to the user, that there is transparency, that people know 
how their information is used, then we can earn the trust.
    So I would say there is an opportunity to both stimulate 
people being more engaged in their health care by having 
personal health records and also to use the role of the Federal 
Government to make sure the attributes are built into every 
initiative that is put out there using information technology.
    Chairman Akaka. Mr. Rothstein, the privacy and security 
requirements of HIPAA and other laws do not cover all entities 
that exchange electronic personal health information. What can 
HHS do to ensure that gaps in legal privacy protection of 
health information are addressed by a privacy framework for the 
nationwide health information exchange?
    Mr. Rothstein. Mr. Chairman, one of the specific 
recommendations in my written testimony is that I believe that 
HHS should undertake a study to determine the number of health 
care providers that are, in fact, not covered entities under 
HIPAA at the moment. We have been doing that in my 
subcommittee--that is, the Subcommittee on Privacy and 
Confidentiality--and we are frankly astonished at the number of 
health care providers that are not covered entities.
    Unless you are engaged in an electronic billing 
transaction, you are not a covered entity. So all of the 
urgent-care, cash-paid doctors, many cosmetic surgeons that are 
not covered by any insurance plan, all sorts of other health 
care providers that are not covered--massage therapists, 
acupuncturists, and so forth--may not be covered entities under 
HIPAA. We don't know how many there are, and it seems that it 
is going to be Congress' role to enact new legislation or to 
amend the HIPAA statute to bring in all these other health care 
providers. But I think it would be very helpful to the Congress 
if we had a sense of how many there are that need to be 
covered.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. Yes, Chairman. As was stated previously by 
other witnesses, HIPAA was written at a time where we did not 
contemplate a Nationwide Health Information Network, nor did we 
contemplate the number of entities and parties today who are 
part of the use and sharing of health information.
    I do think, as I stated in my testimony, the two 
comprehensive things to do would be to require a policy 
framework based on key attributes and to establish a public 
process to build in and make sure that each information 
technology initiative that is proposed lives up to those 
attributes.
    Chairman Akaka. Thank you.
    Dr. Diamond and Mr. Rothstein, based on the work of HHS to 
date to promote health IT, are there any legislative changes 
that we in Congress should consider making to ensure that the 
privacy of health information is protected?
    Mr. Rothstein. Senator, I believe there are two areas in 
which congressional action would be indicated. First, is to 
extend the coverage of health privacy legislation; in other 
words, to expand the number of covered entities that are 
currently covered under HIPAA or under some other replacement 
law. The second is of a more substantive nature, and that would 
be to try to limit the amount of information that third parties 
can require individuals to provide as a condition of getting a 
job or a life insurance policy or some other commercial 
transaction. At the moment, it is lawful to require that 
individuals sign basically an unlimited release and then all 
this information and, increasingly, more comprehensive 
information will be disclosed electronically to people who do 
not have a legitimate interest in this extra information. An 
employer or insurer may have a legitimate interest in knowing 
your current health status, but maybe not things that happened 
20 or 30 years ago that would be of a very sensitive nature. 
And I think restricting those kinds of information requests 
would be very helpful.
    An example would be under the Americans with Disabilities 
Act, the Federal statute dealing with disability discrimination 
says that if you are a current employee, the employer can only 
ask about job-related health information. But if you are an 
individual who has a job offer but have not started yet, then 
they can have an unlimited request for information. If you 
applied that same standard that is applicable to current 
employees to these applicants, then the amount of information 
would be reduced substantially.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. I think there is an opportunity right now to 
consider what the right process is for this next level of 
public input and discussion that is required around privacy and 
security. And I think what I propose in my written testimony is 
what I will repeat here. Based on a set of foundational 
principles, there does need to be a process that will have 
appropriate public input, notice and comment, and deliberation 
so that we can move forward in a way that people feel trust in 
the health information network and the way their information is 
being shared. And I do think reverting to the policies and the 
attributes that I laid out today serve as a good yardstick or 
metric for trying to determine how to move forward.
    Chairman Akaka. Thank you. This question is to all of the 
panelists. You all heard the testimony of OPM that Federal 
employees' electronic health information is protected, despite 
the fact that HHS's efforts on privacy and security are lagging 
behind. Do you agree with OPM? Mr. Powner.
    Mr. Powner. Sir, I do not believe we are in a position to 
comment on OPM's efforts in that area. We have not looked at it 
in any detail at all.
    Chairman Akaka. Thank you. Mr. Rothstein.
    Mr. Rothstein. I would only note that the companies that 
offer insurance to Federal Government employees are covered 
entities under HIPAA because they are health plans. Therefore, 
they are regulated in the way that other covered entities are. 
But individual employees are not protected in the sense that 
for all of this information that is suddenly going to be 
aggregated and available electronically at a single point in 
time, we do not have new rules that apply to the network. What 
we are applying to government employees are the old rules under 
HIPAA.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. Yes, I am not familiar with OPM's efforts. I 
will just offer that under the existing HIPAA rule, there have 
been 22,000 complaints to OCR, and very few have actually 
resulted in penalties. And I think there is an opportunity to 
look at not only these new attributes that I laid out here and 
the principles as a way to ask ourselves if we are doing 
enough, but also to look at appropriate remedies in the event 
of breaches, because we are in an information world today. This 
is the Information Age, and I think every one of us, while we 
enjoy the benefits of it, also have to acknowledge that we need 
to think about the protections that need to be in place to 
participate fully.
    Chairman Akaka. Mr. Powner, what do organizations that 
store and exchange personal information consider when balancing 
the benefits realized from IT with the risks introduced by 
storing large amounts of personal data in electronic format?
    Ms. Koontz. I will answer that, if I may. We found, in 
terms of the research that we have done on privacy, that best 
practices organizations do a number of things. First of all, 
they get continuous and early input from stakeholders, from 
experts, and from the public in some form. And I emphasize the 
word ``continuously'' because as these kinds of initiatives are 
worked on, they tend to evolve and change, and there needs to 
be a constant going back to the privacy principles to touch 
them to make sure that we are consistent with the framework 
that we have selected.
    I think successful organizations also use fair information 
principles. I agree with many of the other witnesses on the 
panel today that HHS needs to take a broad look at privacy, and 
it is useful to look at the fair information practices which 
are broad, very internationally accepted principles as a way of 
facilitating discussion on the balance that should be struck 
between privacy and other interests.
    I think best practices organizations assess privacy 
protections, as many of the other panelists have said, before 
information technology is acquired or developed. Technology can 
be an enabler to help build in privacy protections, but once a 
system is built, it is very difficult and often very expensive 
to go back and retrofit those kinds of protections.
    To the extent that HHS uses these kinds of best practices, 
I think it increases their chance of success in this.
    Chairman Akaka. Thank you, Ms. Koontz.
    Mr. Powner, HHS has been without a permanent National 
Coordinator for Health IT for almost a year. What effect has 
the absence of a national coordinator had on HHS's progress 
toward defining a privacy framework as part of its national 
strategy for health IT?
    Mr. Powner. First of all, I think we need to give some 
credit to Dr. Brailer for getting the ball rolling here, and 
Dr. Kolodner has kept it rolling. But longer term, when you 
look at whether we need a permanent national health IT 
coordinator, we believe we do, for a couple of reasons. There 
are going to be some tough decisions. What we discussed here 
today, tough privacy decisions from a policy perspective are 
going to have to be made. Having a permanent leader would be 
very important for that.
    Also, too, because of the collaboration that needs to occur 
with the private sector, having a permanent leader sends a 
message that this is a presidential priority. Having an interim 
leader does not.
    Chairman Akaka. Thank you very much.
    Mr. Rothstein and Dr. Diamond, in June 2006, the National 
Committee on Vital and Health Statistics sent a letter to HHS 
Secretary Leavitt with 26 recommendations on privacy and 
confidentiality in the Nationwide Health Information Network. 
Meanwhile, the Markle Foundation is working with various 
stakeholders, including government, industry, and health care 
experts, to address the challenges of creating a Nationwide 
Health Information Network.
    What has been the response from HHS on your initiatives?
    Mr. Rothstein. Mr. Chairman, in terms of the NCVHS, we 
received in the fall a letter from the Secretary acknowledging 
receipt of our report, but that has been the extent of our 
official response from the Department.
    Chairman Akaka. Dr. Diamond.
    Dr. Diamond. Mr. Chairman, we have been involved in many of 
the discussions within the work groups of the AHIC and also 
within the NHIN contract, and I think the groundwork that we 
did in laying out the framework for sharing information with 
privacy has been very instrumental in those discussions.
    However, we have not yet had the opportunity to see those 
privacy principles or the comprehensive framework that I 
discussed today make its way into the current initiatives on 
the NHIN. And to echo what some of the other witnesses have 
said, we worry that the technology efforts and the standards 
efforts are moving too far ahead of some of those privacy 
principles and privacy requirements that the technology should 
fulfill, that we should not be trying to correct later on.
    We know firsthand from doing our own prototype the year 
prior in three communities--in Indianapolis, Boston, and 
Mendocino County, California--that it is possible to connect 
disparate communities with different technologies using privacy 
and security. But those decisions about privacy and security 
changed the way technology was implemented. They drove 
decisions in the way that technology was implemented that we 
would like to see inform the process going forward.
    Chairman Akaka. Well, I want to thank you, Mr. Powner, Mr. 
Rothstein, and Dr. Diamond, for your testimonies and also Ms. 
Koontz, for your responses as well. And I want you to know that 
you have provided this Subcommittee with valuable information, 
and we appreciate all that you have done to ensure that 
Americans' health information is protected.
    Today's hearing underscored the need for HHS to integrate 
privacy into the nationwide health IT infrastructure. We heard 
repeatedly that individuals must have trust and confidence in 
the system to encourage them to share their personal health 
information. If we want health IT programs to succeed, we must 
have privacy and security protections in place at the 
beginning. I look forward to working with HHS, OPM, and the 
various stakeholder groups to make this happen.
    As there is no further business, the hearing record will be 
open for one week for additional statements or questions from 
Members of the Subcommittee.
    The hearing is now adjourned.
    [Whereupon, at 4:17 p.m., the Subcommittee was adjourned.]
                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]