LEXIS-NEXIS® Congressional Universe-Document

Search Terms: medical w/5 information w/5 privacy, House or Senate or Joint

Document 76 of 124.

JULY 15, 1999, THURSDAY

SECTION: IN THE NEWS

LENGTH: 1986 words

HEADLINE: PREPARED TESTIMONY OF
MR. GREG KOSKI
DIRECTOR, HUMAN RESEARCH AFFAIRS
PARTNERS HEALTH CARE SYSTEM
MASSACHUSETTS GENERAL HOSPITAL
BEFORE THE HOUSE COMMERCE COMMITTEE
HEALTH AND THE ENVIRONMENT SUBCOMMITTEE
SUBJECT - H.R. 2470

BODY:

Written Testimony presented by Greg Koski, PhD., MD., Associate Professor of Anesthesia and Critical Care Medicine, Massachusetts General Hospital, Harvard Medical School, and Director of Human Research Affairs, Partners HealthCare System, Boston, Massachusetts, on this, the 15th day of July, 1999.
Dear Mr. Chairman and Members of the Subcommittee:
Few would argue that individuals in this country reasonably expect that their privacy be respected, and that sensitive personal information about themselves, whatever the nature of that information might be, should not be disclosed to others without authorization, except in specific circumstances where there is a compelling need, and even then, only with specific provisions for protecting confidentiality of such information. Health information is arguably among the most sensitive types of personal information and has always been afforded special consideration when issues of privacy and confidentiality are concerned.
The extraordinary scope of social and technological change in our health care system over the past two decades has unavoidably and irrevocably changed the practice of medicine and the business of health care. With this change, the public has become increasingly concerned about the loss of autonomy and loss of privacy, both of which seem now to occur too frequently. Concerns regarding unauthorized access to personal medical information arise from, and are substantiated by, misuse and even abuse of information obtained during encounters with the health care system. A climate of mistrust has developed in which patients are demanding more control over who has access to their personal information and how that information is to be used. Since many do not understand the complexity of our health care system and the growing need for many different parties to access patient information in the course of their jobs, the adverse impact that broad restriction of access can have on the system, and the quality of care, is not well appreciated.
Several detailed and thoughtful analyses and reports have been presented addressing the complex issues involved in providing and managing health care while respecting the privacy of individual persons and protecting the confidentiality of personal health information. Current legislative activity pertaining to these issues at both the state and national levels reflects to a large degree the growing interest among our citizens and the entire health care system and related industries in finding effective ways to achieve these goals. One such effort is that of the Health Privacy Working Group, an initiative of the Georgetown University Institute of Health Care Research, which recently released its recommendations. These include a set of 'best principles' that provide a useful framework for development of specific policies for effective management and use of personal health care information in a manner that is well-reasoned and workable. The members of the Subcommittee will certainly receive copies of this report and will find it informative and useful. This statement of principles does not, however, obviate the need for effective legislation to affect necessary change and introduce appropriate safeguards for protection of privacy and confidentiality of health information.
Several pieces of legislation are currently under consideration by Congress, and the Secretary of the Department of Human Services has introduced a comprehensive set of recommendations as required by law that may take effect if Congress does not itself take action. Regardless of what legislation may ultimately be enacted, it should include a requirement that all persons, institutions, agencies or other entities which collect personal health care information be required to develop formal written policies and procedures for use of such information, and that patients be notified and informed of these policies and their rights. These policies and procedures should limit access and distribution of information on a rigorous 'need to know' basis. Information should only be collected and maintained in identifiable form when necessary and appropriate, it should be used only for those specific purposes for which it was intended at the time of collection unless there is appropriate notification and authorization of other uses, and when information is no longer needed, it should be destroyed or rendered nonidentifiable after a reasonable period of time unless there is a compelling justification for keeping it. If these general guidelines are kept in mind, mistrust and misuse of such information will be minimized.
I would like to thank Mr. Balarikis and the members of the Subcommittee for this opportunity to offer general comments about the bill currently before it, H.R. 2470, otherwise known as the 'Greenwood Bill'. Those who have crafted this proposed legislation deserve a great deal of credit for their thoughtful work, as many of its provisions could provide useful solutions to some of the concerns discussed above. Nevertheless, there are aspects of this bill that could be improved. I will first offer a few remarks regarding the broader aspects of the proposed legislation before focusing on those parts of the bill pertaining to appropriate conduct and oversight of health research, an area in which I can claim some experience.
First, for clarity, I would like to call your attention to the definition of "nonidentifiable" health information used in this bill. Personal health information that can be attributed to the individual person from whom it was obtained is identifiable. Only information that cannot be attributed to its source is nonidentifiable. When information is linked by a specific code number to an individual, even if all other specific identifying information has been removed, that information is still identifiable and special precautions must be taken to restrict the use of that information in ways that have not been authorized by the individual of origin. The use of this term in the proposed legislation contradicts the definition set forth in the Federal Regulations for Protection of Human Subjects in research, is confusing and misleading, and will be viewed by many as being deceptive, intended or not. Information is either identifiable or not; these are mutually exclusive. Identifiable information may be anonymous, encrypted, coded, or deidentified in an effort to offer protection of privacy and ensure confidentiality, but it is still identifiable.
The description of "health care operations" is useful, but the list includes certain activities, such as outcome assessments, that frequently overlap the research domain, which I will discuss in greater detail below. Care should be taken to insure that this does not provide a 'loop hole' for individuals to circumvent review and approval processes of Institutional Review Boards (IRBs) and the protections such review can provide.
The bill includes provisions for disclosure of information to a variety of third parties for a variety of purposes. As a general rule, any and all releases of identifiable health information to third parties outside of the health care setting in which it was obtained should be authorized by the individuals from whom the information is obtained.

Secondary 're-disclosure' to parties further removed from the primary source/custodian should be prohibited and punishable by law.
While there is clearly a need to establish a minimum standard under federal law for protections of privacy and confidentiality of personal health information, a preemptive law that would undermine or limit the ability of States choosing to pass more stringent protective laws may have a counter-productive effect, actually reducing protections for individuals. Indeed, some may view such an attempt to preempt legislation at the State level with skepticism and as an attempt to protect special interests that may be in conflict with those of individuals.
Turning to the provisions for access to personal health information for research, I would first point out that the benefits of biomedical research to both society and individuals is widely acknowledged and very highly valued by the American people. In a recent national survey, nearly 90% of those polled indicated strong or very strong support for biomedical research activities and a personal interest in participating in research, provided they could be assured that their interests and well-being were protected. There is a long and very productive tradition of using medical records and other forms of health information for research purposes in this country, and such uses have rarely resulted in breaches of confidentiality. The American people have been very willing to accept this exception to absolute privacy of their medical information, provided the information is handled in a confidential manner.
We are very fortunate to have in place in this country a system for protection of human subjects in research, including federal laws that mandate oversight of research by duly constituted Institutional Review Boards. This system, in which I am a proud and active participant, already reviews and approves most of the biomedical research conducted in this country, including research that relies upon the uses of personal health information. The challenges faced by the IRBs are considerable, but overall, it is clear that since the IRB system was developed two decades ago, biomedical research involving human subjects has flourished and reports or serious abuses are infrequent. Even as this Subcommittee considers legislation to enhance protections for patients' privacy and confidentiality of health information, steps are being taken to strengthen the IRB system to make it even more effective. I strongly support these actions, and believe that the IRB process can and should play an integral role in oversight of all research involving health information.
I further support current efforts to bring all research involving human subjects, as defined in federal regulations, under the "Common Rule" (45 CFR 46, as amended), and to develop a process to credential IRBs and health researchers as a further step toward strengthening the system for protection of human research subjects. While existing rules and regulations offer the IRBs and investigators guidance in the use of personal health information, more specific guidance should be promulgated to address issues of informed consent, uses of identifiable versus nonidentifiable information, and specific mechanisms for protection of confidentiality. In some cases, it may be appropriate for institutional 'confidentiality committees' to oversee access to personal health information at institutions that do not have sufficient research volume to justify an IRB, but even in those cases, the research should be reviewed and approved by an IRB constituted under the 'Common Rule' according to specific guidelines for research access.
In large institutions and in the growing number of integrated health care systems, of which the Partners HealthCare System is an example, the co-existence and close association of such confidentiality committees and IRBs afford completeness and consistency in policies and procedures for access to personal health information that, at least in our case, has proven to be very beneficial. As information technology and electronic medical records systems play an ever growing and important role in modern health care and research, every practicable effort should be made to take advantage of new tools and methodologies of information science to enhance protection of sensitive information and patient privacy.
In closing, I would like to thank all of the members of the Subcommittee for the opportunity to express these views. I wish you all well as you address the challenges that lie ahead.
END

LOAD-DATE: July 21, 1999

Document 76 of 124.


Search Terms: medical w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase: