LEXIS-NEXIS® Congressional Universe-Document

Search Terms: health information privacy, House or Senate or Joint

Document 36 of 45.

MAY 27, 1999, THURSDAY

SECTION: IN THE NEWS

LENGTH: 4922 words

HEADLINE: PREPARED STATEMENT OF
MR. MARK O'KEEFE
COMMISIONER OF INSURANCE
STATE OF MONTANA
BEFORE THE HOUSE COMMERCE COMMITTEE
HEALTH AND THE ENVIRONMENT SUBCOMMITTEE
SUBJECT - MEDICAL RECORDS CONFIDENTIALITY

BODY:

Summary of Testimony by the National Association of Insurance Commissioners (NAIC)
The NAIC's testimony will focus on three aspects of the preemption issue raised by the current federal health information privacy legislation.
The NAIC will discuss the states' recognition of the desire for a minimum standard to protect the privacy of health information. The members of the NAIC have concluded that the privacy of health information is one of the few areas where it may be appropriate for the federal government to set a minimum standard. The NAIC will briefly discuss its own privacy model, "The Health Information Privacy Model Act."
The NAIC will provide some examples of what the states have done to ensure that health information is kept confidential. The NAIC will explain that the state privacy laws are found in many different areas of a state's statutes and regulations. The NAIC also will discuss the concerns it has about the preemption language in the proposed federal legislation and how Congress can develop a minimum standard without eliminating existing state protections. The NAIC believes the best approach would be to set a federal standard that does not preempt existing state laws and that allows states to enact stronger privacy protections in the future in response to innovation in technology and changes in the use of health information. The NAIC will also offer suggested language for use in the federal privacy legislation.
The NAIC will address the need for Congress to clarify the scope of any federal health information privacy legislation and to specifically outline the areas that Congress intends to address, as opposed to attempting to list all of the state laws that are exempt from the federal legislation. The NAIC will also suggest that Congress develop a way for states to measure their laws against any federal standard for compliance and to provide options for states to meet those requirements.
The NAIC urges Congress not to take a broad-brush approach to preemption that would unintentionally take away protections at the state level, eliminate states' ability to remedy unintended consequences that result from federal privacy legislation, or prevent states from responding to future changes in technology or changes in the use of health information.
I. Introduction
Good morning, Mr. Chairman and members of the Subcommittee. My name is Mark O'Keefe. I am the elected Insurance Commissioner for the state of Montana. I am testifying this morning on behalf of the National Association of Insurance Commissioners' (NAIC) (EX) Special Committee on Health Insurance. I would like to thank you for providing the NAIC with the opportunity to testify today about the preemption issue surrounding the health information privacy legislation currently before Congress.
The NAIC, founded in 1871, is the organization of the chief insurance regulators from the 50 states, the District of Columbia, and four of the U.S. territories. The NAIC's objective is to serve the public by assisting state insurance regulators in fulfilling their regulatory responsibilities. Protection of consumers is the fundamental purpose of insurance regulation.
The NAIC Special Committee on Health Insurance (Special Committee) is comprised of 45 state insurance regulators. The Special Committee was established as a forum to discuss federal proposals related to health insurance and to provide technical assistance to Congress and the Administration on a nonpartisan basis.
My testimony today will focus on three aspects of the preemption issue raised by the current federal legislation. First, I will discuss the states' recognition of the desire for a minimum standard to protect the privacy of health information. Second, I will give some examples of what the states have done to ensure that health information is kept confidential, and discuss the concerns we have about the preemption language in the proposed federal legislation and how Congress can develop a minimum standard without eliminating existing state protections. Third, I will address the need for Congress to clarify the scope of any federal health information privacy legislation and to develop a way for states to measure their laws against any federal standard for compliance.
II. Recognizing the Desire for a Federal Minimum Standard
As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress must enact privacy legislation by August 21, 1999. Should Congress fail to act, HIPAA requires the Secretary of Health and Human Services to promulgate regulations by February 2000. In addition to this statutory deadline, we recognize that Congress faces pressure to enact national legislation protecting the privacy of health information because the European Union issued a privacy directive that became effective in October 1998.
The states, acting through the NAIC, understand the desire for minimum standards to protect the privacy of health information. A minimum standard in this area is considered necessary given that health information is transmitted across state and national boundaries. The transmission of health information, as opposed to the delivery of health care services, is not a local activity. This was one of our main reasons for developing a model on this issue--The Health Information Privacy Model Act (attached).
The NAIC adopted the Health Information Privacy Model Act in September 1998. This model addresses many of the same issues that the federal legislation does, such as: (1) providing an individual the right to access and to amend the individual's protected health information; (2) requiring an entity to obtain an authorization from the individual to collect, use or disclose information; and (3) establishing exceptions to the authorization requirement. Our model was developed to assist the states in drafting uniform standards for ensuring the privacy of health information. However, because our jurisdiction is limited to insurance, and health information privacy encompasses more issues than insurance and more entities than insurers, we understand the desire for broader federal legislation.
Recognizing all of the above factors, along with the fact that all of the health information privacy bills currently before Congress preempt state law in one fashion or another, the members of the NAIC have concluded that the privacy of health information is one of the few areas where it may be appropriate for the federal government to set a minimum standard. However, it should be noted that up until this point there has been no federal standard in place. Rather, states have been the protector of consumers in this area. Any federal legislation must recognize this fact and make allowances for it.
III. Preemption
A.

A.
Existing State Laws
As this Subcommittee is well aware, the drafting of legislation to establish standards that protect the privacy rights of individuals with respect to highly personal health information is a very difficult task. Like you, the members of the NAIC sought to write standards into the NAIC Model that would not cripple the flow of useful information, that would not impose prohibitive costs on entities affected by the legislation, and that would not prove impossible to implement in a world that is rapidly changing from paper to electronic records. At the same time, the members of the NAIC recognized the need to assure consumers that their health information is used only for the legitimate purposes for which it was obtained, and that this information is not disclosed without the consumer's consent or knowledge for purposes that may harm or offend the individual.
When developing protections for health information, Congress must recognize the impact of any federal privacy legislation on existing federal and state laws. Although we cannot fully address the impact on federal law, we do know that many state laws touch on protected health information and appear in many locations within the states' statutes and regulations. These laws do not neatly fit into a federal bill's list of exceptions. For example, privacy laws can be found in the insurance code, probate code, and the code of civil procedure. Numerous privacy laws relating to health information are also contained in the states' public health laws, which address such topics as child immunization, laboratory testing, and the licensure of health professionals. Other potential areas involve workers compensation laws, automobile insurance laws, and laws regulating state agencies and institutions. In addition, many state privacy laws only address health programs or health-related information that are unique to a particular state.
Let me give you some examples of the existing state laws that protect health information.
Montana
Under Montana's laws governing health maintenance organizations, any data or information pertaining to the diagnosis, treatment, or health of an enrollee or applicant obtained from the enrollee, applicant or a provider by a health maintenance organization must be held in confidence and may not be disclosed to any person, except upon express consent of the enrollee or applicant, pursuant to statute or court order for the production of evidence or discovery, in the event of a claim or litigation between the enrollee or applicant and the health maintenance organization where in the data or information is pertinent, or to the extent necessary to carry out the purposes of this chapter. (Mont. Code Ann. Section 33-31-113). The provisions of the state law would presumably be preempted by a total preemption approach and would not be saved under any current exception in the federal bills. The state law prohibits disclosure except in a few limited cases, mostly pertaining to litigation, whereas the federal legislation would allow health maintenance organizations (health plans) to disclose this protected information without authorization under many more instances.
In addition, Montana just enacted a comprehensive medical records privacy bill targeted at insurers. This new law was modeled after the NAIC Health Information Privacy Model Act, and it builds upon Montana's Insurance Information and Privacy Protection Act (Mont. Code Ann. Section 33-19-101 et seq.). The efforts and careful consideration of the state legislature to adopt privacy legislation would be lost, if the federal privacy legislation preempts all state laws relating to confidentiality of health information.
Virginia
Virginia has already enacted a privacy protection law for insurance information. (Va. Code Ann. Section 38.2-600 et seq.). This law applies to insurance institutions, agents and insurance-support organizations, and it protects insurance information, including health information, that is collected, received or maintained in connection with insurance transactions that pertain to individuals who are residents of the state or who engage in insurance transactions with applicants, individuals or policyholders who are residents of the state. It also applies to insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery, or renewed in the state. This law applies to life, accident and sickness (health), and property and casualty insurance, and therefore to issuers of these products. The state law prohibits the disclosure of personal or privileged information about an individual, with some exceptions. This state law would be preempted under a federal bill that used a total preemption approach. Arguably any health information held by life or health insurers may still be protected under the federal legislation; however, health information held by property and casualty insurers, which is currently protected under this state law, would become unprotected under the current federal legislation. Without the opportunity for the state to implement its own laws to address these types of insurers, the health information they hold would be vulnerable to potential misuse or disclosure by those who hold it. In addition, if the federal standard were to fall short of the Virginia law in some way, the level of protection for information held by life and health insurers would be diminished. Michigan
Michigan's Public Health Code mandates confidentiality of HIV testing and requires written, informed consent (Mich. Comp. Laws. Sections 333.5114, 333.5133). A physician or the physician's agent shall not order an HIV test for the purpose of diagnosing HIV infection without first receiving the written, informed consent of the test subject. Written, informed consent must contain at a minimum all of the following: (1) an explanation of the test, including the purpose of the test, the potential uses and limitations of the test, and the meaning of the test results; (2) an explanation of the rights of the test subject, including the right to withdraw consent prior to the administration of the test, the right to confidentiality of the test and the results, and the right to participate in the test on an anonymous basis; and (3) the persons or class of persons to who the test results may be disclosed. In addition, an individual who undergoes an HIV test at a department-approved testing site may request that the HIV test be performed on an anonymous basis. Staff shall administer the HIV test anonymously and shall obtain consent to the test using a coded system that does not link the individual's identity with the request for the HIV test or the results. The Michigan law states that consent is not required for an HIV test performed for the purpose of research, if the test is performed in such a manner that the identity of the test subject is not revealed to the researcher and the test results are not made known to the test subject. This state law risks being preempted by the federal legislation depending on the preemption approach and the exceptions. If state public health laws are exempt from federal law, this state law could be left in place depending on how the federal legislation classifies public health laws. If state public health laws are not excepted, this state law would arguably be preempted by federal legislation that uses a total preemption approach, but the protection the state law offers would not be replaced with a federal equivalent. Some of the federal bills would allow the identity of the individual to be disclosed without the individual's consent under the public health or research provisions.
Massachusetts
Under Massachusetts' education statutes, provisions are established for the testing, treatment and care of persons susceptible to genetically-linked diseases. (Mass. Ann. Section Laws ch.76, Section 15B). The law requires the Department of Public Health to furnish necessary laboratory and testing facilities for a voluntary screening program for sickle cell anemia or for the sickle cell trait and for such genetically-linked diseases as may be determined by the Commissioner of Public Health. Records maintained as part of any screening program must be kept confidential and will not be accessible to anyone other than the Commissioner of Public Health or to the local health department which is conducting the screening program, except by permission of the parents or guardian of any child or adolescent who has been screened. Information on the results of any particular screening program shall be limited to notification of the parent or guardian of the result if the person screened is under the age of 18 or to the person himself if he is over the age of 18. The results may be used otherwise only for collective statistical purposes. Again, this state program may be preempted by a federal privacy law because it does not fall under the federal bills' preemption exceptions. Under the federal bills this health information would be at risk of disclosure without authorization under the public health or research provisions.
Florida
Florida's Civil Rights law requires confidentiality and informed consent for genetic testing. (Fla. Stat. Ann. Section 760.40).

The law provides that except for purposes of criminal prosecution, determining paternity, or acquiring specimens from persons convicted of certain offenses, DNA analysis may be performed only with the informed consent of the person to be tested, and the results of such DNA analysis, whether held by a public or private entity, are the exclusive property of the person tested, are confidential, and may not be disclosed without the consent of the person tested. This law arguably would be preempted by a total preemption approach that uses the "related to" standard. Civil rights laws and genetic testing laws do not fall within any of the federal bills' exceptions, so presumably DNA tests would be governed by the provisions of federal bills. However, the federal legislation would arguably allow DNA test results and the identity of the individual to be disclosed without the individual's authorization under some of the federal bills' provisions, including the research provisions.
Ohio
Under Ohio law, information collected by the Ohio Health Care Data Center must be kept confidential, and may only be released in aggregate statistical form. (Ohio Rev. Code Ann. Section 3729.46(B)). The Director of Health, employees of the Department of Health including employees of the data center, and any person or governmental entity under contract with the director shall keep confidential any information collected that identifies an individual, including information pertaining to medical history, genetic information, and medical or psychological diagnosis, prognosis, and treatment. Theses persons and entities shall not release such information without the individual's consent, except in summary or statistical form with the prior written permission of the Director or as necessary for the Director to perform his duties. This state law would be preempted by a federal privacy law that totally preempted state law or did not include this type of law as an exception to federal preemption. The state law only allows release of information in summary form without identification of the individual, but this same information risks being released as personally identifiable information under the federal legislation. The federal legislation would end up unprotecting this information that is currently protected under state law.
These examples should not be construed as a definitive legal analysis of the relationship between these state laws and the federal bills. The comments are not based on an extensive review of all relevant state laws that might affect the ultimate conclusion about the interaction of the federal bills and the states' laws. However, the range of state laws relating to protected health information, and the diversity of their purposes and of the entities that they affect, are critical factors for assessing the impact of any federal preemption language.
Because state laws relating to health information and privacy are located in so many different places within each states' legal code, the length of time and complexity involved in compiling a list of these laws make it a nearly impossible task. Moreover, there is no federal or state agency or other organization that has a complete compendium of state laws that could be preempted by federal privacy legislation. Without clear information about the laws that may be impacted by legislation, preemption must be approached with caution.
B. The Best Approach to Developing a Federal Standard
An argument will be made that the only solution to this collection of state privacy laws is a total preemption of state law. However, this solution is a deceptively easy response to the various state privacy laws and will most certainly result in adverse, unintended consequences. The language any State law that relates to matters covered by this Act could preempt literally hundreds of state laws that affect protected health information. Many state laws that are seemingly unrelated to health information on their face affect health information privacy and could be eliminated by a total preemption approach without any equivalent federal protection. Health information or health-related information that is currently protected will end up unprotected, and states will not be able to remedy the problem or Are- protect the information. We offer this perspective not to protect our turf, but rather as a caution against unintended consequences to the consumer. Because of the number and scope of the laws involved, our concerns are not limited to insurance law. We do not want Congress to reduce or eliminate any protections already in place. Preemption of state law is not a workable solution.
We believe the best approach would be to set a federal standard that does not preempt state laws that have been protecting health information for so many years. Up until now, there has been no federal standard in place, and the states have been protecting consumers. We understand the desire to establish a federal floor in this area, but it is not appropriate to preempt stronger state laws or preempt state laws that are outside the scope of the federal privacy legislation. As discussed earlier, the states have enacted privacy protections for their citizens in a variety of areas. These citizens should not lose stronger protections for their health information or lose protections granted by the states in areas not contemplated by the federal legislation.
In addition, we believe that states should be allowed to enact stronger privacy protections in the future in response to innovation in technology and changes in the use of health information. We believe the best approach would balance the desire for uniformity with the recognition of the states' ability to respond quickly and to provide additional protections to their citizens. States can quickly identify the impact of any federal privacy law or any changes in technology or in the use of health information and can efficiently remedy any adverse situation. We urge Congress not to take a broad-brush approach to preemption that would unintentionally take away protections at the state level, eliminate the states' ability to remedy unintended consequences that result from federal privacy legislation, or prevent states from responding in the future.
Since Congress is certain to set some type of federal standard, we offer the following language as a suggestion of how federal privacy legislation may be drafted. This language sets a federal minimum standard that leaves in place existing state laws that are at least as protective as the federal legislation and allows states to enact stronger laws in the future.
Nothing in this Act shall be construed as preempting, superseding, or repealing, explicitly or implicitly, any provision of State law or regulation currently in effect or enacted in the future that establishes, implements, or continues in effect any standard or requirement relating to the privacy of protected health information, if such state laws or regulations provide protections for the rights of individuals to the privacy of, and access to, their health information that are at least as protective of the privacy of protected health information as those protections provided for under this Act. Any state laws or regulations governing the privacy of health information or health-related information that are not contemplated by this Act, not addressed by this Act, or which do not directly conflict with this Act, shall not be preempted. Federal law shall not occupy the field of privacy protection. The appropriate federal authority shall promulgate regulations whereby states can measure their laws and regulations against the federal standard.
We believe this language recognizes the desire for a federal standard while respecting what the states have already done.
IV. Scope of the Legislation
In addition to adopting an approach that recognizes the privacy protections already enacted by the states and that allows states the flexibility to enact stronger privacy laws in the future, we urge Congress to draft legislation that specifically outlines the areas that Congress intends to address. Congress needs to be very specific about the scope of any federal privacy legislation. This is of particular concern since the current privacy legislation is silent on many issues affecting federal and state law. The scope should not be left ambiguous or left to the courts to decide. We believe it would be better for the protection of consumers' health information if Congress would specify what is addressed by the federal legislation as opposed to attempting to list all of the state laws that are exempt from the federal legislation.

All of the current federal bills contain specific exceptions to the federal preemption language for certain state laws. Reviewing all of the bills, these exceptions include state laws that: (1) provide for the reporting of vital statistics such as birth or death information; (2) require the reporting of abuse or neglect information about any individual; (3) regulate the disclosure or reporting of information concerning an individual's mental health; (4) relate to public or mental health and prevent or otherwise restrict disclosure of information otherwise permissible under the federal legislation; (5) govern a minor's rights to access protected health information or health care services; (6) relate to the disclosure of protected health information or any other information about a minor to a parent or guardian of such minor; (7) authorize the collecting, analysis, or dissemination of information from an entity for the purpose of developing use, cost effectiveness, performance, or quality data; and (8) concern a privilege of a witness or person in state court.
Although each of the exceptions is appropriate and the list represents a good start at enumerating the specific categories of state laws that should not be preempted, these specific exceptions to the preemption language do not alleviate our concerns. There are other state laws that do not fit into any of the explicit categories and that would therefore be preempted by the broad scope of the general preemption language. In addition, not all of these specified exceptions are included in each of the bills. We mention this to underscore the critical importance of clearly defining the scope of what the federal legislation is addressing and the applicability of any specific privacy standard or exception. We believe it wiser and easier to define what types of health information and what state laws are within the scope of the federal legislation, rather than what types of health information and what state laws are outside of the scope of the federal legislation.
In addition, we urge Congress to outline a way in the federal privacy legislation for the states to measure their laws against any federal standard and to provide options for states to meet those requirements. In HIPAA, Congress gave the states three options in meeting the requirements of that legislation. Similar guidelines are needed in the privacy legislation. States need to be able to judge whether their state laws are stronger than the federal law in order to determine whether they need to take further action to revise their laws. V. Conclusion
Establishing standards to protect the collection, use, and disclosure of health information is a very important undertaking. The growth of managed care, the increasing use of electronic information, and the advances in medical science and communications technology have dramatically increased both the availability and the importance of health information. The efficient exchange of health information will save thousands of lives. The information is critical for measuring and analyzing the quality and cost effectiveness of the health care provided to consumers. Consumer benefits from advances in health information are vast. However, the potential for misuse of this information is also vast. The information itself has become a valuable product that can be sold for significant amounts of money, and the consequences of unauthorized disclosure of health information can be potentially damaging to individuals' lives. The opportunities to exploit available health information will grow in number and value as technology and medical science advance.
As Members of Congress address this critical topic, we would urge you to recognize the importance of existing state law addressing the use of health information in many contexts. Congress should be aware of the complexity of implementing federal standards without inadvertently displacing important provisions of state law. We urge Congress not to take a broad-brush approach to preemption that would unintentionally take away protections at the state level, eliminate states' ability to remedy unintended consequences that result from federal privacy legislation, or prevent states from responding to future changes in technology or changes in the use of health information. The scope of the preemption is a critical issue, and if not carefully constructed it could lead to unintended consequences. We urge you to recognize the impact of any privacy legislation on federal and state laws as you debate this issue. The members of the NAIC would be happy to work with the Members of Congress in this area. Thank you.
END

LOAD-DATE: June 3, 1999

Document 36 of 45.


Search Terms: health information privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase: