Copyright 1999 Federal News Service, Inc.
Federal News Service
JULY 15, 1999, THURSDAY
SECTION: IN THE NEWS
LENGTH: 8769 words
HEADLINE: PREPARED TESTIMONY OF
STATEMENT OF MS. CHAI FELDBLUM
DIRECTOR, FEDERAL LEGISLATION
GEORGETOWN UNIVERSITY LAW CENTER
BEFORE THE
HOUSE
COMMERCE COMMITTEE
HEALTH AND THE ENVIRONMENT SUBCOMMITTEE
SUBJECT - H.R. 2470
BODY:
I. Introduction
My name is Chai Feldblum and I am a Professor of Law and Director of the Federal Legislation Clinic at Georgetown University Law Center. I am here today representing one of the Clinic's pro bono clients, the Consortium for Citizens with Disabilities (CCD) Privacy Working Group. Many members of the Privacy Working Group are also members of the Consumer Coalition for Health Privacy, an initiative of the Health Policy Project at Georgetown University. Indeed, the Chair of the Privacy Working Group -- Jeff Crowley of the National Association of People with AIDS -- is on the steering committee of the Consumer Coalition for Health Privacy.
CCD is a Washington-based coalition of nearly 100 national disability organizations that advocates with and on behalf of children and adults with disabilities and their families. All persons who receive health care services in this country have reason to be concerned with the inappropriate use of highly personal information that is collected about them within the health care system. As a coalition representing people living with disabilities, however, CCD's views on this issue are somewhat unique. Because people with disabilities have extensive medical records and sometimes stigmatizing conditions, such individuals feel a particular urgency to secure new privacy protection at the federal level. At the same time, many people with disabilities interact on almost a daily basis with the medical establishment and thus benefit from a well-run, effective health care system. Such individuals do not want federal privacy protection to reduce the effectiveness of the health care system they must navigate on an ongoing basis.
All of our work in this area has taught us that the desire for medical privacy and the desire for an effective health care system are neither in conflict with each other, nor do they require balancing of one interest against another. Rather, establishing privacy protection can enhance the operation of the health care system, by increasing individuals' trust and confidence in that system. A national survey released in January 1999 found that one in six Americans engages in some form of privacy protective behavior because he or she is afraid of confidentiality breaches regarding their sensitive medical information. These activities include withholding information from health care providers, providing inaccurate information, doctor-hopping to avoid a consolidated medical record, paying out of pocket for care that is covered by insurance, and -- in some cases -- avoiding care altogether. None of this is good for either consumers or the health care system.
The CCD Privacy Working Group has developed a set of principles for health information privacy legislation designed to achieve the twin, mutually enhancing, goals of increasing privacy protection in the health care system and creating an effective health care system. The CCD Privacy Working Group has also worked with the Consumer Coalition for Health Privacy in the development of its principles. If there is no objection, I would like to submit these principles for the record.
Because the CCD Privacy Working Group believes it is imperative for Congress to pass federal medical privacy legislation, we have also worked diligently over the past several years to understand the concerns of all interested stakeholders in this area -- including health care providers, health plans, pharmaceutical companies, researchers, public health departments, law enforcement officials, and state legislatures -- to help bring about a consensus between our members and those stakeholders. We have done that work in two forums. First, as part of the federal legislative process, we have engaged in discussions and negotiations to help develop a consensus piece of federal legislation. Thus far, as a legislative matter, that work has primarily taken place with interested stakeholders under the aegis of the Senate Committee on Health, Education, Labor and Pensions, and has resulted in a proposed Senate Committee Chairman's mark to be offered by Senator James Jeffords. While the CCD Privacy Working Group has some remaining concerns with Senator Jeffords' legislation, we believe that legislation represents significant movement and consensus on the part of all interested stakeholders in this debate.
Second, Jeff Crowley, Chair of the CCD Privacy Working Group, participated in a year-long effort coordinated by the Health Privacy Project at Georgetown University. Under the leadership of Janlori Goldman, Director of the Health Privacy Project and a long-time privacy advocate and policy analyst, the Project convened a Health Privacy Working Group consisting of high-level representatives from disability and mental health groups, health plans, providers, employers, standards and accreditation organizations, and experts in public health, medical ethics, information systems, and health policy. The mission of the Working Group was to achiev(e) common ground on 'best principles' for health privacy and identif(y) a range of options for putting those principles into practice.
The Working Group was not intended to create a template for federal legislation. Rather, it was designed to create a set of best principles that providers and plans could voluntarily put into place even before federal rules were enacted. Thus, some key issues for the CCD Privacy Working Group that are unique to federal legislation were not addressed by that group (but will be addressed in this testimony). Nevertheless, on a wide range of issues -- from rules regarding use and disclosure, to standards for authorization, to interaction with law enforcement -- the Health Privacy Working Group forged critically important agreements that may serve as guidance for Congress in the development of federal legislation. I would like to ask that a copy of that report be included in the record following my written testimony.
With these two experiences as background -- the negotiations we have engaged in with various stakeholders at the federal level over the past four years, and the Health Privacy Working Group's discussions of the past year -- we are pleased to offer you comments on H.R. 2470, the Medical Information Protection Act of 1999, sponsored by Representatives Greenwood, Shays, Norwood, and LaTourette, and H.R. 1941, the Health Information Privacy Act, sponsored by Representatives Condit, Waxman, Markey, Dingell, and Brown of Ohio. We are disappointed that H.R. 2470 fails to include many of the most basic provisions that both industry representatives and consumer groups were apparently willing to live with in a spirit of compromise and in a desire to move forward bipartisan, consensus legislation -- as reflected in our respective public positions on Senator Jeffords' proposed committee mark. Thus, if anything, H.R. 2470 represents a step backwards from the significant movement that has been made over the past six months by all interested stakeholders. Nevertheless, perhaps because we are eternal optimists in the CCD Privacy Working Group -- and certainly because we are committed to the passage of effective federal privacy legislation -- we hope this hearing represents an honest and committed effort on the part of all members of the committee to consider changes to H.R. 2470 that will transform it into a bill that is capable of moving forward with broad bipartisan support. The CCD Privacy Working Group would prefer that H.R. 1941 be the basis for legislative action, because that legislation already represents a process of negotiation and compromise among a range of views.
Nevertheless, we believe that certain changes to H.R. 2470 would create a minimally acceptable bill that the CCD Privacy Working Group could support, rather than a bill that we must regretfully inform our members and the public represents such a serious threat to health care privacy that it should be defeated.
In this testimony, I will comment on almost all sections of both H.R. 2470 and H.R. 1941. I hope this analysis will demonstrate to the Committee that there are only a few sections of H.R. 2470 that need to be modified in order to make the bill minimally acceptable. Of course, those changes deal with significant, and at times, contested policy determinations. Nevertheless, I believe our recommendations represent not only correct policy determinations, but I also believe -- based on compromises we are willing to make in this legislation -- that these changes are ones industry stakeholders should be able to agree to as well.
II. ANALYSIS OF H.R. 2470 AND H.R. 1941
The analysis of H.R. 2470 and H.R. 1941 uses the order of sections established in H.R. 2470.
A. Access to Records
H.R. 2470 Sec. 101. Inspection and Copying of Protected Health Information Sec. 102. Amendment of Protected Health Information
H.R. 1941 Sec. 201. Right of Access Sec. 202. Right of Correction and Amendment
Both the CCD Privacy Working Group and the Consumer Coalition for Health Privacy include the following as one of their principles for federal legislation:
Federal legislation should guarantee an individual the right to access his or her own health information and the right to amend such information. Individuals should have the right to access and amend their own medical records so that they can make informed health care decisions and can correct erroneous information in their records.
This principle was also adopted as principle #3 by the Health Privacy Working Group. Both H.R. 2470 and H.R. 1941 embody this principle. H.R. 1941 does so by providing individuals the right to inspect, copy, and amend their protected health information as set forth in the recommendations conveyed to Congress by the Secretary of Health and Human Services pursuant to the requirements of the Health Insurance Portability and Accountability Act of 1996 (Secretary's HIPAA recommendations).5 H.R. 2470 achieves essentially the same result by setting forth the rights and responsibilities of consumers, providers, and agents with regard to access and amendment. Although the CCD Privacy Working Group would prefer that there be explicit time limits in the legislation regarding requests for access and amendment, we find this section to be acceptable.6
B. Notice of Confidentiality Practices
H.R. 2470 Sec. 103. Notice of Confidentiality Practices H.R. 1941 Sec. 204. Right to Notice of Information Practices and Opportunity to Seek Additional Protections
The Consumer Coalition for Health Privacy includes the following as one of its principles:
Individuals should be notified about how their medical records are used and when their individually identifiable health information is disclosed to third parties. Individuals should be given written, easy-to-understand notice of how their individually identifiable health information will be used and by whom. With such notice people can make informed meaningful choices about uses and disclosures of their health information.
This same principle was adopted by the Health Privacy Working Group as Principle #4. The Working Group noted that components of such notice should include: a description of how information will be collected and the information source (such as a medical record, treatment notes, and information from third parties); how the entity will use the information, and how, when, and for what purposes the entity will request patient authorization; what information the patient is permitted to inspect and copy and how to access such information; available steps, if any, to limit access and the consequences, if any, of refusing to authorize disclosure; the health care organization's policy for making disclosures with and without patient authorization (such as for research purposes, to law enforcement, for treatment purposes, etc.); and any other information relevant to the health care entity's data practices.
Section 103 of H.R. 2470 attempts to provide an adequate notice requirement, but fails in several regards. First, H.R. 2470 requires entities to post or provide notice of the entity's confidentiality practices. Posting notices is clearly not as efficient a means of informing consumers as would be providing notices to individuals in written or on-line form. For example, Senator Jeffords' proposed committee mark requires that notice be posted and provided. Second, the notice contemplated by H.R. 2470 includes notice of the uses and disclosures of protected health information authorized under this Act. Unfortunately, because section 202 of H.R. 2470 allows entities to use a consumer's protected health information for treatment, payment, health care operations, and health research without ever obtaining an authorization from the consumer for such use, this part of the notice will presumably ring relatively hollow. The use allowed under § 202 is particularly broad in light of the fact that health care operations is defined in H.R. 2470 as any activity undertaken to implement the terms of a contract for health plan benefits. Because there is no limitation as to what a plan can put into its contract, there is similarly no limitation on the types of activities the plan may engage in to implement those terms. The open-ended definition of health care operations, combined with H.R. 2470's allowance of uses for such activities to be engaged in without even obtaining an authorization from the consumer, belies the title of this Act (Medical Information Protection Act of 1999). Because it is unclear to us whether section 202 was intended to have this drastic, adverse result (we certainly hope not), if section 202 is modified to create a more reasonable result, the notice section of H.R. 2470 (as well as the substance of the bill) will once again regain some meaning. (Such notice should, however, still be provided directly to the individual, as well as merely posted by the entity.)
The comparable provision in H.R. 1941, sec. 204, includes an explicit provision that a consumer be given a reasonable opportunity to seek limitations on the use and disclosure of protected health information in addition to the limitations provided in such practices, and that the entity obtain a signed acknowledgment from the protected individual acknowledging that the notice . . . has been provided to the protected individual.
The reason H.R. 1941 includes these provisions is because it creates a system in which an entity is not required to obtain a prior authorization from the consumer in order to use the consumer's protected health information for purposes of treatment and payment. (See Sec. 301. Provision and payment for health care.) Although the CCD Privacy Working Group would prefer that a prior authorization be required, we have already agreed that health care providers and plans may be permitted to essentially compel such authorizations from the consumer by conditioning the delivery of service or payment on receipt of such authorization. Given that agreement on our part, the main purpose of a prior authorization for treatment or payment would have been to provide notice to the consumer of how protected health information would be used, and to provide that individual an opportunity to seek additional restrictions on use and disclosure. The provisions of section 204 in H.R. 1941 ultimately achieve those same two goals. Moreover, section 301(c) of H.R. 1941 also includes another essential component from our perspective: it allows an individual who pays for the care himself or herself to restrict disclosure to a health care payer of the protected health information created or received in the course of receiving such care. H.R. 2470 lacks this critical component (above and beyond the fact that it lacks any authorization at all for the use of health care information for payment purposes.)
C. Establishment of Safeguards
H.R. 2470 Sec. 111. Establishment of Safeguards H.R. 1941 Sec. 104. Safeguards Against Misuse and Prohibited Disclosures
The Consumer Coalition for Health Privacy includes the following as one of its principles:
The development of security safeguards for the use, disclosure, and storage of personal health information should be required. Appropriate safeguards should be in place to protect individually identifiable health information from unauthorized use or disclosure.
The Health Privacy Working Group also adopted, as Principle #6, that health care organizations should implement security safeguards for the storage, use, and disclosure of health information.
Although the Working Group did not discuss specific security controls at great length, there were a number of safeguards that were discussed in the context of fair information practices. They included:
- Health care organizations should endeavor to limit access to personally identifiable health information on a need-to-know basis. Employers, for example, should endeavor to restrict access to personally identifiable health information strictly to those employees who need access for payment or treatment purposes.
- In keeping with Principle #1, health care organizations should remove personal identifiers to the fullest extent possible and practical, consistent with maintaining the usefulness of the information.
- All disclosures of personally identifiable health information should be limited to the information or portion of the medical record necessary to fulfill the purpose of the disclosure.
- Health care organizations should maintain a record of disclosures of information that identifies an individual.
- Personally identifiable health information should be used within an organization only when such information is necessary to carry out the purpose of the activity, for purposes reasonably related to the purpose for which the information was collected, and for which the patient has been given notice.
- Organizations should consider whether they are able to provide patients with a greater degree of anonymity in certain circumstances through the use of opt-outs, pseudonyms, identification numbers, or tagging information for additional protections.
It appears that the six subsections of Section 111(b) of H.R. 2470 attempt to approximate some of these fair information practices and we applaud that effort. Unfortunately, however, until Section 202's broad allowance of uses is modified, some of these safeguards will be useless. For example, Section 111(b)(5) calls upon entities to have an appropriate mechanism for limiting disclosures to the protected health information necessary to respond to the request for disclosure. (This parallels the substantive requirement in Section 202(c): Every disclosure of protected health information by a person under this title shall be limited to the information necessary to accomplish the purpose for which the information is disclosed.)
But under Section 202(a), and repeated again for double clarity in Section 202(b)(1)(B), any use of protected health information for treatment, payment, health care operations, and health research -- whether such use takes place within the entity or outside the entity -- is not a disclosure under H.R. 2470.
The problem created by H.R. 2470 does not result simply from creating a distinction between use and disclosure.
Although members of the CCD Privacy Working Group have never understood, as a conceptual matter, why a distinction needs to be adopted between use and disclosure, the simple creation of such a distinction does not -- in and of itself -- create a privacy problem. For example, the Health Privacy Working Group also assumes a distinction between disclosure (which it defines as sharing of patient information outside an entity) and use (which it defines as access or sharing of information within an entity, including to an agent or contractor of an entity.) Then in its discussions of fair information practices, the Working Group apparently assumed that only disclosures of personally identifiable health information would need to be limited to the information or portion of the medical record necessary to fulfill the purpose of the disclosure.
However, unlike H.R. 2470, the Working Group also assumed that personally identifiable health information would be used within an organization only when such information is necessary to carry out the purpose of the activity, for purposes reasonably related to the purpose for which the information was collected, and for which the patient has been given notice.
By contrast, H.R. 2470 includes simply the weak statement, buried in the definition section of disclosure (section (2)(4)), that the use of protected health information shall not be considered a disclosure, provided that the use is consistent with the purposes for which the information was lawfully obtained. Thus, again, H.R. 2470's rules governing use, as well as disclosure, must be revisited before the safeguards section of the bill can be assumed to mean very much to consumers.
The safeguards section of H.R. 1941 is stronger, primarily because the underlying bill is stronger with regard to the substantive protections for use and disclosure of personally identifiable health information. In addition, we prefer that the safeguards be required to include administrative safeguards to ensure that protected health information is used or disclosed only when necessary, as H.R. 1941 requires, rather than having the safeguards simply address the following factors, including the need for protected health information and whether the purpose can be accomplished with nonidentifiable health information, as H.R. 2470 requires.
D. Accounting for Disclosures
H.R. 2470 Sec. 112. Accounting for Disclosures H.R. 1941 Sec. 203. Right to Review Disclosure History
The Health Privacy Working Group includes, as part of its principle #3, that an individual should have the right to see an accounting of disclosures, when such accounting is maintained (emphasis added). This recommendation clearly does not assume there will be an accounting of all uses of health information within an entity. Similarly, both H.R. 2470 and H.R. 1941 require that an accounting be made solely of disclosures, and that such accounting be made available to consumers.
The CCD Privacy Working Group has no difficulty supporting H.R. 1941's (and the Health Privacy Working Group's) limitation of accounting solely to disclosures -- because disclosures are defined in both H.R. 1941 and by the Health Privacy Working Group as providing access to protected health information to anyone other than an officer, employee, or agent of the entity holding the information. As a practical matter, it makes sense to require accounting solely of disclosures that occur outside an entity. Unfortunately, under H.R. 2470 a disclosure outside the entity is still not considered a disclosure for purposes of the law as long as it is a use for treatment, payment, the open-ended health care operations, or health research. Thus, in practice, the only accounting a health provider or plan will ever engage in will be for those rare situations in which disclosures are made for some purpose other than these four broad areas. This radically restricts the entire concept of accounting for disclosures.
E. Restrictions on Use and Disclosure
H.R. 2470 Sec. 201. General Rules Regarding Use and Disclosure Sec. 202. General Rules Regarding Use and Disclosure of Health Care Information Sec. 203. Authorizations for Use or Disclosure of Protected Health Information Other Than for Treatment, Payment, Health Care Operations, or Health Research H.R. 1941 Sec. 101. Restrictions on Use Sec. 102. Restrictions on Disclosure Sec. 103. Standards for Authorizations for Use and Disclosure Sec. 301. Provision of and Payment for Health Care
Restrictions on the use and disclosure of protected health information lie at the core of any federal protection for the privacy of personally identifiable health information. Both the CCD Privacy Working Group and the Consumer Coalition for Health Privacy have stated a similar principle:
The use or disclosure of individually identifiable health information absent an individual's informed consent should be prohibited. Health care providers, health plans, insurance companies, employers and others in possession of individually identifiable health information should be prohibited from using or disclosing such information unless authorized by the individual. Use or disclosure without informed consent should be permitted only under exceptional circumstances --for example, if a person's life is endangered, if there is a threat to the public health, or if there is a compelling law enforcement need. Disclosure of individually identifiable health information for marketing or commercial purposes should never be permitted without informed consent. Any time information is used or disclosed it should be limited to the minimum amount necessary for the use or disclosure.
The best way to ensure true informed consent on the part of the consumer is to allow an individual to withhold consent for use or disclosure of medical information, and still allow that individual to receive medical services without penalty. As a practical matter, however, health care providers and plans often need personally identifiable health information in order to carry out the business of providing treatment to the individual or reimbursement to providers. Given that reality, the CCD Privacy Working Group has agreed that authorizations for such purposes may essentially be compelled from the consumer by conditioning the provision of treatment or payment on the receipt of such authorizations. A key requirement, however, is that the consumer must be permitted the option of self-paying, and thus be permitted to retain the right to halt disclosure to a third party payer in such circumstances.
The Health Privacy Working Group similarly recognizes the practical requirements with regard to treatment and payment, but also recognizes another group of activities termed core business functions.
The Working Group agreed on the following approach:
The Working Group agreed that, as a general rule, patient authorization should be obtained prior to disclosure. At the same time, patient information needs to be shared for treatment, payment, and core business functions. The Working Group agreed that the patient need only provide authorization for these core, essential uses and disclosures once. Furthermore, a health care organization can condition the delivery of care or payment for care on receiving this Tier One authorization. All other activities outside this core group must be authorized separately by the patient and health care services should not be conditioned on receiving this Tier Two authorization. The Working Group also agreed that there are additional, limited activities -- such as public health reporting and emergency circumstances -- for which patient authorization should not be required.
Although the CCD Privacy Working Group has not issued a formal position on core business functions, we have stated that we find Senator Jeffords' proposed committee mark on this issue to represent a minimally acceptable bill. Senator Jeffords' bill is largely consistent with the consensus reached by the Health Privacy Working Group, although the bill uses a new term health care operations, rather than the better, more established term of core business functions.
Nonetheless, given the definition of health care operations in the Jeffords bill, which establishes clear parameters for that term, the CCD Privacy Working Group is able to consider the Jeffords bill minimally acceptable in this area.
By contrast, H.R. 2470 diverges from any previous bill (including the bill introduced by Senator Robert Bennett, the bill which H.R. 2470 otherwise tracks in almost all respects), in rejecting the need for any authorization for use of protected health information in the areas of treatment, payment, open-ended health care operations, and health research. Instead of requiring an authorization, and instead of placing any real limits on the uses of personally-identifiable information in these four areas, H.R. 2470 offers the following simple, precatory language: An individual who furnishes protected health information in the context of obtaining health care or health care benefits has a justifiable expectation that such information will not be misused and that its confidentiality (will) be maintained. Sec. 202(a).
While this language is a nice piece of privacy prose, given that this is a piece of legislation, we would like to trade the prose for some actual statutory protection. The only protection offered by H.R. 2470, buried in the definition of disclose, is that the use of protected health information shall not be considered a disclosure provided that the use is consistent with the purposes for which the information was lawfully obtained.
In light of the fact that a plan or provider may establish essentially any purpose as a health care operation, this provides little solace to consumers.
Some of the industry stakeholders may not have intended the drastic cut-back in privacy protection that results from this new section in H.R. 2470. (Certainly, the Health Privacy Working Group which had a significant representation from industry espoused no such view.) The catalyst for this new provision may well have been the confusion regarding the rules for use and disclosure that some industry stakeholders perceived in Senator Jeffords' committee mark. The CCD Privacy Working Group does not believe either consumers or industry benefit from confusion with regard to use and disclosure rules. Hence, we greatly appreciate the effort of the Health Privacy Working Group to forge both consensus and clarity in this area. But the manner in which H.R. 2470 has dealt with this issue is truly horrific. It has removed any confusion regarding use of protected health information by removing any real requirements on such use. That cannot be the appropriate public policy determination. It certainly is not the position our 54 million members would recognize as a legitimate policy decision. We hope we can work with the committee to create a coherent and intelligent approach to issues of use and disclosure of protected health information.
F. Next of Kin and Directory Information
H.R. 2470 Sec. 204. Next of Kin and Directory Information H.R. 1941 Sec. 307. Other Disclosures
Although disclosures of protected health information should ordinarily occur only pursuant to an authorization (compelled or real) executed by the individual, there are circumstances in which we would like health care providers to be able to disclose relevant health information to a select group of individuals who have a close relationship with the person who is the subject of the information. In such cases, we want to ensure the individual has been notified of his or her right to object to such disclosures, but if such an objection has not been lodged, we would like to ensure the provider may disclose relevant, current information.
Section 204 of H.R. 2470 essentially embodies this approach. As a technical matter, the section should refer to an individual representative as well, to include an individual who holds a power of attorney for another individual. In addition, the section should clarify that if a minor is legally permitted to receive a service without notifying his or her parent, that minor is also capable of lodging an objection to relaying protected health information regarding that service to the parent. (See discussion of minors below.)
G. Health Research
H.R. 2470: Sec. 208. Health Research
H.R. 1914: Sec. 304. Health Research
The issue of health care research -- and the ability of large private companies to continue to engage in research that uses personally identifiable health information without first obtaining the informed consent of the subjects of the information -- has been one of the most contested battlegrounds in the development of federal privacy legislation. In one respect, this should come as no surprise, given the millions of dollars expended and recouped as profit through such research.
The issue is complicated, however, by the mantra that all research is good, and an accompanying assumption that we should create no possible hindrances to the development of new horizons of knowledge.
The CCD Privacy Working Group is acutely aware of the benefits of research. We are the ones that represent (and often are) the millions of people with disabilities who will benefit directly from public and private health research activities. Many people with disabilities live with conditions that are progressively debilitating, and, in some cases, fatal. Research leading to the development of new therapies or new habilitation and rehabilitation techniques can significantly enhance the quality of life for these individuals -- as well as better ensure life itself. We want such research to proceed effectively and with full vigor.
We believe, however, that the best federal privacy law is one that ensures research activities will go forward effectively, will create incentives for researchers to use nonidentifiable information whenever possible and appropriate, and will create structures that will best protect privacy whenever identifiable data is necessary for a research project. Our proposal to achieve this kind of federal privacy protection is straightforward. If a health researcher is dealing with live individuals, the researcher should obtain informed consent from these individuals, pursuant to an authorization section of federal privacy legislation, before using such individuals (or their medical information or specimens) in a research project. Delivery of treatment or payment for services should never be conditioned on the receipt of such an authorization.
When research does not involve live human subjects, however, but rather involves medical records data or stored blood or tissue samples, it may not be feasible for a researcher to obtain the informed consent of the individuals who are the subject of the information. For example, some studies require researchers to review thousands of records for patients treated over a long period of time. In this instance, it would be quite difficult for a researcher to contact every individual whose medical records are contained in the database and ask for authorization to use their identifiable data.
In such circumstances, we believe the researcher -- whether that individual is using public funds or private funds for the research -- should consult with an institutional review board (IRB) to obtain a waiver of informed consent for those individuals whose protected health information will be used in the research project. We are well aware of the current limitations of the IRB system. Because the Common Rule that sets forth the guidelines for the IRB system was designed to focus on safety risks for human subjects, not on the confidentiality of data used in health research, the Common Rule currently provides little guidance for IRBs with respect to confidentiality. Thus, we believe a modification of the Common Rule would be necessary to ensure that informed consent and confidentiality standards are met by all research projects. Nevertheless, we believe it will be more efficient to modify the existing IRB structure rather than to attempt, through federal privacy legislation, to establish an entirely new oversight structure for confidentiality protections.
Despite our support for the IRB system, we believe Section 304 of H.R. 1941, which does not necessarily contemplate using the entire IRB system, meets the basic principles CCD seeks to achieve in this area. Our main concerns are that there be an objective process by which a determination is made as to the need for identifiable information in the research project and as to the lack of feasibility in obtaining informed consent; that there be some accountability through government oversight of such determinations; and that there be a uniformity in decisions about when, and under what circumstances, to grant a waiver of informed consent. H.R. 1941 achieves these goals by requiring that protected health information may be disclosed without an authorization for health research only for uses that have been approved by an entity certified by the Secretary.
Based on the Secretary's HIPAA recommendations, we can assume these entities will have some members who are not associated with the entity that wishes to conduct the research. Moreover, certification by the Secretary should allow for some opportunity for oversight, should potential problems arise. Finally, the determinations to be made by the entity (as set forth in the bill) can serve as the basis for uniform applications.
By contrast, Section 208 of H.R. 2470 has no requirement for objective oversight of research projects, no allowance for accountability outside the private entity, and no uniform standard for determining when research may be allowed to proceed without obtaining informed consent. H.R. 2470 allows private entities that own protected health information previously created or collected by such entity (presumably, pharmacy management plans may be some of the largest repositories of such information) to disclose such protected health information to a health researcher as long as: 1) the research has been reviewed by a board, committee, or other group formally designated by such person to review research programs; 2) the entity has an internal policy in place to assure the security and confidentiality of protected health information (this, of course, is already required under the safeguards section of the bill); 3) the entity enters into a written agreement with the recipient researcher that specifies the permissible and impermissible uses of the protected health information; and 4) the entity keeps a record of health researchers to whom the information has been disclosed. All of these elements are certainly good, basic policies for any entity to have. It is striking, however, that the core elements that the Health Privacy Working Group -- with its representation from both industry and research -- identified as basic elements of privacy protection for research are completely absent from Section 208 of H.R. 2470. Some members of the Working Group were clearly not in favor of requiring IRB approval for all research given the limitations of the current IRB system. As the report notes:
Concerns with the current (IRB) were significant enough, however, that members were open to using an alternate review process in situations where IRB approval is not currently required, if it could offer the same potential benefits of the IRB system. . . . Where IRB approval is not required . . . a health care organization should have the option to either 1) obtain IRB approval or 2) use an alternate process that provides an equivalent level of review and accountability. (emphasis added).
As noted above, the position of the CCD Privacy Working Group is that IRB approval (assuming modification of the Common Rule) is the best approach. We are willing, however, to support a non-IRB approach that provides an equivalent level of review and accountability--assuming the promise of such a statement can truly be met. Section 208 of H.R. 2470 is a far cry from meeting that promise.
H. Law Enforcement and Oversight
H.R. 2470: Sec. 210. Disclosure for Law Enforcement Purposes; Sec. 206. Oversight
H.R. 1914: Sec. 305. Law Enforcement; Sec. 302. Health Oversight; Sec. 308. Redisclosures
Principle #9 of the Health Privacy Working Group is that health care organizations should not disclose personally identifiable health information to law enforcement officials, absent compulsory legal process, such as a warrant or court order.
The Working Group recognized the situation is different when government officials have legally authorized access to information to engage in oversight and enforcement of the law. In those instances, the information obtained for oversight purposes should not be used against an individual patient in an action unrelated to the oversight.
Both H.R. 2470 and H.R. 1941 allow broad access for oversight purposes relating to health care fraud, or for accrediting purposes. Both bills, however, also ensure that protected health information about an individual that is disclosed during such actions may only be used against the individual in an action that is related to health care fraud.
With regard to law enforcement, H.R. 1941 presents a simple, yet elegant solution to the question of what type of legal process we should expect from our law enforcement officials. Section 305(a) states that protected health information may be disclosed to a law enforcement official if the law enforcement official complies with the fourth amendment to the Constitution.
Section 305(b) then explains that, in terms of applying the fourth amendment, all protected health information shall be treated as if it were held in a home over which the protected individual has exclusive authority.
In practice, this means a person's health information will be provided the same level of fourth amendment protection that a person's private suitcase would get were it sitting in a closet at the person's home. Law enforcement officials who wish to seize or search the suitcase must either receive the person's consent, or obtain a warrant. Similarly, if a law enforcement official wishes to seize or search an individual's protected health information, that official should either obtain the individual's consent or obtain a warrant.
Section 210 of H.R. 2470 goes some distance in requiring there be adequate legal process before law enforcement officials may search and seize protected health information. Unfortunately, allowing an administrative subpoena or summons to be sufficient to allow disclosure to law enforcement officials is extremely problematic given the lack of any real process or standards used in executing such summons. The reference to those documents should be deleted.
I. Individual Representatives
H.R. 2470: Sec. 212. Individual Representatives
H.R. 1914: Sec. 401. Specific Classes of Individuals
These sections of the two bills should not be controversial, but for the question of how and when parents may exercise the rights of their minor children under this law. The policy of the CCD Privacy Working Group is as follows. In most cases, we expect and want parents to exercise all the rights of their minor children under this Act. These include the right to authorize disclosures, access information, and sue on behalf of their minor children.
There are limited circumstances in which we believe the minor child has the sole right to exercise the rights provided by the Act. These rare circumstances exist when the minor may legally obtain a medical service without informing his or her parents of the receipt of such service, and where a provider is available who is willing to provide such a service to the minor. These limited circumstances tend to arise in medical services that deal with: reproductive health (contraception; abortion); mental health counseling; substance abuse treatment; and treatment for sexually transmitted diseases. Some states have passed laws that provide minors the right to access particular services on their own; in other states, common law or constitutional law provides a similar right to the minor. Whatever the source of the legal right, the CCD Working Group believes that if a minor has the right to access a service on his or her own, that minor also must have the right to control the flow of the protected health information generated through that service.
The CCD Privacy Working Group also believes it is not appropriate for a federal privacy law to upset state laws that may constrain the ability of a minor to access services on his or her own. For example, many states require that a minor must inform one parent before obtaining an abortion. (To meet constitutional requirements, these states also provide for a judicial bypass of this notification requirement under certain circumstances.) The federal privacy bill should not undermine the state law by allowing a minor to withhold information about the abortion from the one parent. For that reason, it is important that the bill provide that where a minor may legally obtain a service acting on her or his own, then (and only then) may the minor exercise sole rights under the Act.
Section 212 of H.R. 2470 states simply that the rights of minors under this Act shall be exercised by a parent, the minor or other person as provided under applicable state law.
This sentence is completely ambiguous on the question of whether a parent may exercise her right to access her child's medical records, in a case where the child does not desire the parent to have such access -- and the state has determined the child may legally obtain the medical service without informing the parent. As a matter of preserving the state's decision making (as reflected in its statutory, common law, and constitutional law), the federal law should not be permitted to trump the state's determination on the minor's autonomy. The ambiguity in section 212 needs to be clarified to ensure that the status quo is maintained in the various states on the issue of minors' rights.
J. Remedies
H.R. 2470: Sec. 301. Wrongful Disclosure of Protected Health Information; Sec. 311. Civil Penalty Violation; Sec. 312. Procedures for Imposition of Penalties; Sec. 313. Enforcement by State Insurance Commissioners
H.R. 1914: Sec. 502. Enforcement
One of the principles of both the CCD Privacy Working Group and the Consumer Coalition for Health Privacy is as follows:
Federal legislation should establish strong and effective remedies for violations of privacy protections. Remedies should include a private right of action, as well as civil penalties and criminal sanctions where appropriate.
It is a truism that a right without a remedy is no right at all. One of the most glaring faults in H.R. 2470 is the absence of any private right of action on behalf of ordinary citizens in this country. Every other piece of privacy legislation passed by Congress -- whether it covers banks, credit reporting, video rentals, or communications -- allows private citizens to sue in court when they have been aggrieved by a violation of the statute. Indeed, this is a basic hallmark of a range of legislation passed by Congress.
There is a good, practical reason why Congress -- in a range of laws -- has deputized private attorneys general by allowing individual citizens to sue when violations of laws have occurred. One of the goals of legislation is often to make a societal impact on a particular problem. For example, one of the goals of federal privacy legislation is to change the norms by which various stakeholders operate. Instead of having entities assume a project will always be implemented with the use of personally identifiable health information, we want all entities to stop, think, and justify before they use identifiable data.
The best way to ensure that entities experience an obligation to learn and comply with the law, and the best way to ensure that individuals who have been aggrieved by a violation of the law are made whole, is to provide individuals the opportunity to file a suit in court, prove their case, receive damages for harm suffered, and recoup attorney's fees if they prevail. Anything short of such a scheme will create a law that may (possibly) look good on paper, but will do little to help real people across the country.
K. Preemption
H.R. 2470: Sec. 401. Relationship to Other Laws
H.R. 1914: Sec. 503. Relationship to Other Laws
One of the final principles of both the CCD Privacy Working Group and the Consumer Coalition for Health Privacy concerns the issue of preemption. As both coalitions note:
Federal legislation should provide a floor for the protection of individual privacy rights, not a ceiling. Like all other federal civil rights and privacy laws, federal privacy legislation for health information should set the minimum acceptable standard. Federal legislation should not pre-empt any other federal or state law or regulation that is more protective of an individual's right to privacy of or access to individually identifiable health information.
Of all issues, this has been one of the most fiercely fought during the legislative process. Consumer groups, including the CCD Privacy Working Group, have stated vehemently that states must be provided the opportunity to continue to explore ways in which to better protect the privacy of medical information in their particular states. Most industry stakeholders have just as vehemently argued that they need (or at the very least, that they very much want) the ease of complete uniformity that sweeping federal preemption of state laws can provide them.
Given the perceived intractability of both sides on this issue, it is surprising that the beginnings of a compromise on this issue had begun to be developed through Senator Jeffords' proposed committee mark. Under this approach, all existing state laws dealing with privacy of medical information would remain in place.
For state laws enacted after passage of the federal law, however, those that dealt with access and amendment of information, authorizations for treatment, payment, and health care operations, and research would be preempted. The only exception would be for future state laws dealing with mental health.
While this compromise approach leaves both consumer groups and industry groups wanting something closer to their original stance, the only remaining issue in contention in this compromise concerns the status of future public health laws. As soon as that issue is resolved, there should exist a minimally acceptable compromise on preemption that all stakeholders can accept. That would be a truly miraculous result. Given how close we are to a compromise, it is truly unfortunate that H.R. 2470 returns to an old version of sweeping preemption that is disrespectful of the states and their citizens, that is unnecessary for the purpose of allowing industry to engage in effective business practices, and that will have a potential host of unintended adverse consequences that will put the adverse, unintended consequences of ERISA preemption to shame.
III. Conclusion
Congress has spent twenty years thinking about, and sporadically working on, legislation to protect the privacy of medical information. This is clearly an issue that resonates with the American people: people are concerned that there is a lack of strong, clear privacy protection with regard to some of their most sensitive medical information.
Although work on a federal privacy bill has proceeded for over twenty years, there is a sense of possibility and momentum now. Congress knows if it does not act to pass privacy legislation in the near future, the Secretary of HHS will step into the gap with regulations that will address a range of the privacy issues. But there is no reason for Congress not to act -- assuming it builds intelligently on the consensus that has developed over time among the various stakeholders in the debate.
The CCD Privacy Working Group urges this Committee to build on and strengthen the consensus that currently exists in the area of medical privacy legislation. In particular, we urge you to seriously study both Senator Jeffords' proposed committee mark and the newly-released report from the Health Privacy Working Group. The CCD Privacy Working Group does not agree with all elements of Senator Jeffords' draft -- significant issues regarding minors, the private right of action, and future preemption of public health laws all remain to be resolved. Yet that list of major concerns is significantly shorter than the list of major concerns we have with H.R. 2470. Moreover, there are other elements of Senator Jeffords' proposed mark that do not conform to our principles, but which we are willing to accept in the spirit of compromise. We would urge this committee to build on the compromises that have been accepted thus far by both consumer groups and industry groups, and help draft a bill that can be endorsed by a bipartisan group of Members and a wide spectrum of interested stakeholders.
END
LOAD-DATE:
July 21, 1999
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.