LEXIS-NEXIS® Congressional Universe-Document

Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint

Document 204 of 261.

View Related Topics

JULY 15, 1999, THURSDAY

SECTION: IN THE NEWS

LENGTH: 4643 words

HEADLINE: PREPARED TESTIMONY OF
MR. JOHN T. NIELSEN
SENIOR COUNSEL AND DIRECTOR OF GOVERNMENT RELATIONS
INTERMOUNTAIN HEALTHCARE
BEFORE THE HOUSE COMMERCE COMMITTEE
HEALTH AND THE ENVIRONMENT SUBCOMMITTEE
SUBJECT - H.R. 1746

BODY:

I. INTRODUCTION
My name is John T. Nielsen. I am Senior Counsel and Director of Government Relations at Intermountain Health Care (IHC). IHC is an integrated health care delivery system based in Salt Lake City and operating in the states of Utah, Idaho, and Wyoming. The IHC system includes 23 hospitals, 78 clinics and physician offices, 23 outpatient primary care centers, 16 home health agencies, and 400 employed physicians. Additionally, our system operates a large Health Plans Division with enrollment of 475,00 directly insured plus 430,000 who use our networks through other insurers.
IHC's 23,000 employees are keenly aware of their responsibility to safeguard personal health information and IHC has invested considerable resources in order to develop effective protections and procedures. IHC takes seriously its responsibility to use patient identifiable health information to optimize not only that patient's health, but the health of all patients in the IHC system.
II. IMPORTANCE OF FEDERAL LEGISLATION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) directs Congress to enact federal privacy legislation by August 21, 1999. That deadline is little more than one month away. If Congress fails to act by August 21, 1999, the Department of Health and Human Services (HHS) is required to promulgate regulations on privacy protection by February 2000. IHC urges Congress to meet the HIPAA deadline and to enact strong federal standards which provide uniform patient confidentiality protections across the country. IHC is pleased to lend its strong and enthusiastic support to H.R. 2470, the Medical Information Protection and Research Enhancement Act of 1999, which is similar to S. 881, the Medical Information Protection Act of 1999, introduced by Senator Robert F. Bennett of Utah, which we also support.
IHC is committed to working with this Subcommittee and others in Congress toward passage of the Greenwood/Bennett bills. The approach adopted by these legislators strikes an appropriate balance between safeguarding patient identifiable health information and facilitating the coordination and delivery of high quality, network-based health care, such as that provided at IHC.
Indeed, striking the right balance is critical to IHC's efforts to deliver the best possible patient care. IHC has developed state-of- the-art electronic medical records and common databases which we use extensively not just for treatment and payment but for such fundamental quality enhancing activities as outcomes review, disease management, health promotion and quality assurance. Not only are these efforts essential to optimizing the health of our patients but many are in fact required by federal and state programs and regulations and by accreditation standards. It is vital that federal confidentiality legislation not impede the ability to optimize patient health through the use of identifiable health information.
III. IMPORTANCE OF NATIONALLY UNIFORM PATIENT CONFIDENTIALITY PROTECTIONS
The delivery of health care today is vastly different than even a decade ago. Health care delivery increasingly crosses state lines through health system mergers, telecommunications, contractual relationships and other mechanisms. Enactment of uniform federal confidentiality protections is critical as technology is increasingly used to enhance the quality of patient care and to maximize the outcomes of health care provided to our patients. Confidentiality legislation must ensure national uniformity in recognition of the increasingly complex and interstate nature of health care delivery in this country. Health systems like IHC, which operate across state lines, would have enormous difficulty complying with different federal and state standards governing disclosure of protected health information. Individual state laws create confusion, errors and inefficiencies. The nation needs a common national standard for protection of confidentiality and privacy. Accordingly, strong federal preemption is vital. The Medical Information Protection and Research Enhancement Act rightly recognizes the importance of strong federal preemption.
IV. IHC USES PATIENT INFORMATION TO ENHANCE PATIENT CARE
IHC is committed to providing high quality health care to the communities it serves, regardless of ability to pay. IHC uses patient information to enhance patient care. A few specific examples of IHC's health care operations activities undertaken to improve health care outcomes are set forth below. The Medical Information Protection and Research Enhancement Act would facilitate the appropriate use of patient identifiable health information for these quality enhancing activities.
- Improved timing of delivery of pre-operative antibiotics to prevent serious post-operative wound infections. Our wound infection rate fell from 1.8 percent to 0.4 percent representing, at just one of our 23 hospitals, more than 50 patients per year who now do not suffer serious, potentially life-threatening infections. We also saved the cost of treating those infections, reducing health care costs by an estimated $750,000 per year at that one hospital.
- Improved support for inpatient prescriptions. A computerized order entry system warns physicians, at the time they place the order, of potential patient allergies and drug-drug interactions. It also calculates ideal dose levels, using the patient's age, weight, gender, and estimates of patient specific drug-absorption and excretion rates, based on laboratory values. That system has reduced adverse drug events (allergic reactions and drug overdoses) to less than one-third of their former level -- significantly reducing the primary treatment- related risks that patients face while hospitalized.
- Improved management of mechanical respirators for patients with acute respiratory distress syndrome (ARDS). In the most seriously ill category of ARDS patients, mortality rates fell from more than 90 percent to less than 60 percent. Costs of care, per patient who lived, fell by about 25 percent.
- Improved management of diabetic patients in an outpatient setting. The proportion of patients managed to normal blood sugar levels (hemoglobin A1c < 7.0%) improved from less than 30 percent (typical for a general internal medicine practice) to more than 70 percent. Major studies of diabetes demonstrate that that shift in blood sugar control will translate to significantly less blindness, kidney failure, amputation, and death. Others indicate that it should reduce the costs of medical treatment for diabetic patients by about $1,000 per patient per year. - Improved treatment of community-acquired pneumonia. By helping physicians more appropriately identify patients who needed hospitalization, choose appropriate initial antibiotics, and start antibiotic therapy quickly, we were able to reduce inpatient mortality rates by 26 percent.

That translates to about 20 patients saved in the ten small rural IHC hospitals where we first worked on this aspect of care delivery. It also reduced treatment costs by more than 12 percent.
- Accountability for health care delivery performance. IHC has begun to assemble and report medical outcomes, patient satisfaction outcomes, and cost outcomes for major clinical care processes that make up more than 90 percent of our total care delivery activities. We aggregate and report those data at the level of individual physicians; practice groups (e.g., clinics); hospitals; regions; and for our entire system. We use the resulting reports to hold health care professionals and our system accountable for the care we deliver to our patients, and to set and achieve care improvement goals. We believe that this system will eventually allow IHC to accurately report our performance at a community, state and national level, to help individuals and groups make better choices in the United States' competitive health care marketplace.
Nearly all of IHC's 60-plus improvement projects, including the examples listed above, had to do with care delivery execution -- consistently applying the best available current medical information -- rather than the generation of new biomedical knowledge. Some of these initiatives directly improved medical outcomes for patients. Some primarily produced significant reductions in the cost of health care while demonstrably maintaining excellent medical outcomes, thus improving (albeit indirectly) affordability of and access to health care services. Many did both at once -- improved medical outcomes while reducing costs.
All of these activities relied on information -- not just information at the level of individual patients, but information on populations of patients. We use that population-level information for operational care delivery -- execution -- not just generation of new generalizable knowledge -- research. Medicine is inherently an information science. In general, the better objective data we have -- with regard both to clinical theory, the information we use to care for a specific patient, and support to deliver the right care at the right time -- the better diagnoses we can make, the better treatments we can offer and the better patient outcomes we can achieve.
Many recent, significant improvements in patient medical outcomes grew out of better health care delivery execution -- that is, health care delivery operations. While the distinction between health care delivery operations and health research are clear at the extremes, it quickly turns to shades of grey at the center. No one has been able to produce a rigorous, functional definition to distinguish the two classes except at the extremes. It depends upon the intent of those examining the data.
National policy mistakes in this area -- policies that inappropriately slow health care delivery, where other choices could have adequately protected patient confidentiality and privacy without raising functional barriers to care delivery execution -- will be measured not just in increased health care costs, but in human lives. IHC urges this Subcommittee and others in Congress to work toward enactment of the Medical Information Protection and Research Enhancement Act because it recognizes the importance of patient identifiable health information and permits the appropriate flow of health information within a health care delivery system.
V. IHC RECOGNIZES THE CENTRAL IMPORTANCE OF THE CONFIDENTIALITY OF MEDICAL RECORDS AND HAS SET FORTH NUMEROUS INTERNAL PROCEDURES TO PROTECT CONFIDENTIALITY
IHC supports strong uniform federal confidentiality standards that buttress our health care delivery and clinical research work. Speaking through our community-based Board of Trustees, IHC has placed appropriate protection of patient confidentiality and privacy near the front of our institutional values. Those values complement a parallel mission to provide the best possible health maintenance and disease treatment to those who trust their care to our hands. On the eve of the 21st century, the best possible health maintenance and disease treatment is only possible when health care delivery operations use population-level patient data as well as individual patient data.
IHC uses enforceable corporate policy to maintain confidentiality (for health care professionals and employees, as well as patients) in those areas that are clearly health care delivery operations (for example, direct patient care delivery; billing for services; quality review of individual patient records, including such activities as mortality and morbidity conferences; resource planning, unit performance evaluation, quality improvement and disease management; and retrospective epidemiologic evaluations of program performance). The core of those policies and enforcement activities include:
- We require every employee, health care professional, researcher or volunteer to sign a confidentiality agreement stating that they will only look at or share information for the specific purpose of performing their health care delivery assignment on behalf of our patients.
- We require each new employee to undergo training with respect to IHC confidentiality policies. These policies are set forth in a draft manual, which already numbers more than 60 pages and represents more than five years of careful discussion and cross-testing. - We impose consequences -- including termination -- for improper use or handling of confidential information.
- To the extent that we have implemented an electronic medical record, we are able to monitor access to patient records (an ability not present in the paper record). We use that system as one important means to monitor and enforce our confidentiality policy. In the near future, we will bring on-line the ability for any patient to review a list of every individual who has ever accessed their electronic medical record, for any purpose.
- We utilize software controls including warnings on front log-on screens, unique log-on passwords, and computerized audit trails. In the near future, we hope to be able to implement biometric log-on B where anatomic features (such as fingerprints) uniquely identify each computer user at each interaction.
VI. IRB REVIEW MUST NOT BE REQUIRED FOR HEALTH CARE DELIVERY OPERATIONS AND EXECUTION. IRB REVIEW IS NOT THE MOST EFFECTIVE WAY TO PROTECT PATIENT CONFIDENTIALITY.
IHC requires full Institutional Review Board (IRB) review, approval and on-going oversight for any research project that involves (1) any experimental therapy; (2) patient randomization among treatment options; or (3) patient contact for research purposes. Indeed, the IHC system has 12 IRBs, but we do not look to IRBs as our sole B or even our primary B means to protect confidentiality. Most of the risks to patient confidentiality come in day-to-day patient care, as physicians and nurses routinely access identifiable patient medical records, both paper and electronic, to deliver that care. Instead, we rely upon the extensive array of enforceable policies and procedures discussed above. In the same vein, a recent GAO Report affirms that IRBs rely on organizational policies to ensure the confidentiality of information used in projects using personally identifiable medical information and that the organizations contacted have taken steps to limit access to personally identifiable information.
If IRB review of each of these health care operations activities were required, many B if not most B of the operational care delivery and health outcome improvements described above could not function on a day-to-day basis. The volume of review would be staggering, far beyond the capacity of any reasonable system of individual review and follow- up oversight. While IHC has 12 fully functioning IRBs spread throughout our integrated health care delivery system, we do not look to these IRBs to protect the confidentiality of individually identifiable patient information for daily care delivery operations and execution. That protection arises, instead, from IHC-wide policy with administrative enforcement.
As the GAO report rightly recognizes AIRB review does not ensure the confidentiality of medical information used in research because the provisions of the Common Rule related to confidentiality have limitations. Moreover, the report further acknowledges that it is not clear that the current IRB-based system could accommodate more extensive review responsibilities.
If IRB review of quality improvement activities were required, our system's ability to conduct these fundamental quality-enhancing activities would be severely impeded.

IHC uses patient-identifiable health information to generate literally hundreds of operational analyses each day that improve the quality of health care. These quality improvement activities focus on both the processes of delivering care as well as on the outcomes of care. They include health promotion and disease prevention, disease management, outcomes evaluation for internal program management, and utilization management. As discussed above, IHC recognizes the vital importance of medical records confidentiality and has established numerous internal procedures to protect confidentiality.
Because it is so difficult to precisely define and distinguish between quality improvement-based internal operations and true clinical research activities, internal confidentiality policies and procedures accompanied by stiff penalties are far more effective in safeguarding patient confidentiality than mandating that quality improvement activities undergo IRB review. As the GAO Report acknowledges, the IRB process is already overburdened and is not designed to protect patient confidentiality. A care delivery system's ability to improve quality and deliver top-tier care would seriously be jeopardized if all of these activities were required to undergo IRB review.
IHC endorses the approach of the Medical Information Protection and Research Enhancement Act which acknowledges that requiring internal operations activities to undergo IRB review will not safeguard patient confidentiality. Instead, requiring a system-wide commitment and process with respect to safeguarding personal health information will better protect privacy.
VII. THE ROLE OF INSTITUTIONAL DATA REVIEW COMMITTEES
IHC's Information Security Committee recommends policy to IHC's Board of Trustees, and individually examines and acts upon all projects that fall into the definitional grey area between operations and research. The Information Security Committee reports directly to IHC's Board of Trustees. Its members include research scientists; experts in medical informatics; practicing clinicians; medical ethicists; a knowledgeable community member not associated with IHC or with other health care delivery or research; and senior managers from IHC's care delivery operations. As an extended quorum, all IRB chairpersons working within IHC also attend to discuss problems and recommend policy supporting IRB function throughout the IHC system. A full record of each meeting is generated and maintained.
IHC's Information Security Committee is an example of what the American Medical Informatics Association, in its recommendations on confidentiality protection when electronic medical records are used, calls a Data Review Committee. While structured very like an IRB, it adds an essential organizational element: a Data Review Committee is specifically charged to generate and enforce confidentiality policies within an organization, in addition to reviewing specific projects. An organization of IHC's size generates literally hundreds of operational analyses that access patient information every day. Especially when precise definitions are impossible, enforceable organization-level policy is far more effective in protecting confidentiality and privacy than is any attempt at individual review of such massive numbers of projects.
VIII. ELECTRONIC MEDICAL RECORDS ENHANCE INDIVIDUAL PATIENT CARE AND SIMULTANEOUSLY IMPROVE HEALTH CARE DELIVERY FOR ALL PATIENTS
A. Patients Must Not be Permitted to Opt Out of Quality Enhancing Activities
IHC uses an electronic medical record because of the significant improvements in medical outcomes and health care costs that that tool has allowed. Because it is such an essential part of daily operations, IHC cannot functionally allow patients to opt out of using our electronic medical record, without sacrificing (1) our ability to deliver excellent care to the individual involved and (2) our ability to provide good care to the rest of our patients. For example, our laboratory analyzers feed directly into our computer system. When IHC committed to that link, we not only significantly improved our ability to deliver excellent care to all of our patients, but also necessarily lost our ability to process blood laboratory tests without using the electronic medical record. Permitting patients to opt out would cripple IHC's ability to improve the health care quality of all of our patients. Even the loss of 3-4% of a patient population would greatly skew results. Moreover, from a functional perspective, given our use of electronic medical records, IHC could not logistically provide for patients to opt out of the various health promotion, disease management and other quality enhancing activities we routinely undertake.
B. Patient Requests to Alter their Medical Records
Because some providers like IHC are now using electronic medical records and other providers are increasingly using electronic medical records, IHC suggests that a patient's request to amend his or her medical record or a statement of a patient's disagreement with the content of a medical record be reflected in that medical record not by inclusion of the patient's entire written request or letter but by a notation or summary. The requirement in some legislative proposals for the inclusion of the full request or disagreement is impracticable given the increasing use of electronic medical records in the delivery of health care.
C. Patient Revocation of Authorization
Our physicians are legally and ethically bound to provide the best care they can for each patient. In order to do this, complete and accurate medical information is needed. If patients were permitted to deny consent for use of their medical records information, not only would their individual care be compromised, but ongoing efforts to improve health care quality and the validity and reliability of studies would be seriously jeopardized. Patients must not be empowered to pick and choose which information from their records should be made available to their physician and others with responsibility for caring for them. Instead, federal legislation should rely on severe penalties for misuse of information. The Medical Information Protection and Research Enhancement Act appropriately recognizes the necessity of ensuring that health care providers base decisions on the best possible information.
IX. STATUTORY AUTHORIZATION
The Secretary of Health and Human Services proposed a statutory authorization in her confidentiality recommendations. The National Association of Insurance Commissioners likewise incorporated this approach in their Model Act. A statutory authorization would authorize by law widely accepted uses of patient identifiable health information such as treatment, payment and the health care operations activities described above.
IHC is pleased that the Medical Information Protection and Research Enhancement Act of 1999 includes a statutory authorization. This approach, combined with the strong penalties for misuse of information found in all of the legislative proposals on this issue, allows for appropriate access to identifiable health information while protecting patient confidentiality.
Ultimately, should Congress not adopt a statutory authorization, legislation must make clear that a signed patient authorization each time a provider and patient interact within a delivery system or network-based health plan is not required. Likewise, it is vitally important that the legislation allow health systems to engage in activities related to health promotion, disease management, quality assurance, utilization review, and related research without requiring separate patient authorization for each subsequent use of patient information. Such a requirement would be enormously burdensome for both providers and patients and, after the plans initial consolidated authorization is signed by the patient, would serve no additional purpose. IHC additionally urges that a health plan enrollee be permitted to sign one authorization form on behalf of that enrollee's covered dependents. Requiring each individual family member to sign a separate authorization form would be unwieldy at best, burdensome on the enrollee, and could result in the delay of needed care. X. APPLICABILITY TO ALL HEALTH INFORMATION
Federal legislation should apply equally to all types of health information, including genetic information. This is important because all individually identifiable health information is sensitive and should be afforded the same protections against inappropriate disclosure.
XI. PENALTIES FOR MISUSE OF PROTECTED INFORMATION
All of the various legislative proposals include significant penalties for unauthorized use of patient identifiable health information.

These are important to deter misuse of information. They should, however, be made consistent with the penalties included in HIPAA.
XII. CAUSE OF ACTION BY INDIVIDUALS
If Congress is able to meet the HIPAA deadline and enact confidentiality legislation, patients across the country will -- for the first time -- benefit from strong federal protections for patient identifiable information. Given the groundbreaking nature of this legislation and the significant criminal and civil penalties already provided for in the various legislative proposals, the inclusion of a private right of action is unnecessary. Moreover, it is our experience at IHC that breaches in the confidentiality of patient identifiable health information are not at all common. Additionally, inclusion of a private right of action would likely give rise to an entirely new plaintiff's bar, greatly increasing expensive and unpredictable private litigation. The penalty provisions in the various proposals, including the legislation before this Subcommittee, are already stringent; the addition of a cause of action is not merited.
XIII. LAW ENFORCEMENT
IHC feels that patient confidentiality legislation is an inappropriate venue for revision of probable cause and other standards now governing the access to patient records of law enforcement officials. Instead, confidentiality legislation should be law enforcement neutral. To the extent that confidentiality legislation touches on law enforcement's access to identifiable information, access should only be available after a request has been approved through a process that involves a neutral magistrate.
XIV. CLOSE
As an integrated health care delivery system, IHC is responsible for the health outcomes of the patients who seek care from our system. In order to treat our patients and improve the health outcomes of the entire population we serve, we must be able to share information among IHC corporate entities B our physicians, our hospitals, and our health plans. IHC has developed state-of-the-art electronic medical records and common databases to facilitate this communication and to make sure our physicians have complete information when treating patients. We have put in place an extensive array of enforceable confidentiality protections which we constantly improve and update. IHC urges this Subcommittee to ensure that confidentiality legislation does not unintentionally prevent the creation of these common internal, operational databases or limit the type of data which can be shared within an integrated delivery system. Such action would severely limit a health system's ability to measure and improve the health outcomes it provides those who seek its services.
The outstanding health care our physicians, nurses, and others deliver through IHC's network-based system relies on the coordination of patient care and effective quality improvement activities. Individually identifiable health information is integral to IHC's health care operations, through which we seek to maximize the quality of patient care delivered in the IHC system. I urge you to swiftly approve -- before the August recess -- the Medical Information Protection and Research Enhancement Act, which will establish uniform federal standards to protect patient confidentiality while at the same time allowing these important activities to continue.
END

LOAD-DATE: July 21, 1999

Document 204 of 261.


Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase: