Copyright 2000 Federal News Service, Inc.
Federal News Service
February 17, 2000, Thursday
SECTION: PREPARED TESTIMONY
LENGTH: 4183 words
HEADLINE: PREPARED TESTIMONY OF WILLIAM G. PLESTED, III, M.D., MEMBER, BOARD OF TRUSTEES
AMERICAN MEDICAL ASSOCIATION
BEFORE THE HOUSE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON HEALTH
SUBJECT - THE CONFIDENTIALITY OF PATIENT RECORDS
BODY:
The
American Medical Association (AMA), representing approximately 300,000
physicians and medical student members, appreciates the opportunity to submit
testimony to the Health Subcommittee of the Ways and Means Committee regarding
an issue central to the patient-physician relationship: protecting patient
confidentiality. We particularly appreciate the chance to share with you our
concerns regarding the Secretary of Health and Human Services' (HHS) proposed
rule on patient privacy, for which public comments are due today ("Proposed
Standards for Privacy of Individually Identifiable Health Information," 45 CFR
Parts 160 through 164, 64 Fed. Reg. 59917 (November 3, 1999)).
Personal
health information is used by various entities in the health care delivery
system, including hospitals and health plans, for purposes beyond direct
treatment planning and claims payment. Each of these entities argues it needs
patient-identifiable health information to achieve its legitimate objective;
most believe they do not need explicit patient consent to receive and use such
information. That philosophy is reflected in the Secretary's proposed rule and
preamble. It is a philosophy rejected by the AMA. The AMA has consistently
maintained that an expressed "need" for information does not confer a right.
Patient consent continues to be a critical consideration in the use and
disclosure of personally identifiable health information. Consistent with AMA's
baseline philosophy regarding individual privacy rights, informed consent should
be obtained, where possible, before personally identifiable health information
is used for any purpose. However, this is clearly not practical or even possible
in some instances. In those situations in which patient consent is not feasible,
either (a) the information should have identifying information stripped from it
or (b) an objective, publicly-accountable entity must conclude that patient
consent is not required after weighing the risks and benefits of the proposed
use. A local review board system has already been adopted successfully by
several parties to the health care system, including physicians, some
researchers, a few health plans, and others.
Some parties may reject
this principle as too deferential to patients' rights at the expense of
administrative feasibility. The AMA believes that this approach properly
balances the interests at stake. Furthermore, it is the right thing to do. At a
time when the American public is looking to its leaders for a strong stand on
patients' rights, any other policy fails patients, their families and their
caregivers.
The AMA cannot support the proposed HHS regulation on
patient privacy in its current form. The complexity of the task, compounded by
the inherent restrictions under the Health Insurance Portability and
Accountability Act's (HIPAA) limited grant of regulatory authority, has
resulted in a proposed regulation that does not adequately protect patient
confidentiality and privacy and that substantially and unacceptably increases
administrative burdens for physicians.
The AMA's overarching concerns
are as follows:
- that patients' confidential information could be
disclosed without their consent for a broad array of purposes unrelated to the
patient's individual treatment or payment and extending far beyond the necessary
disclosures and uses patients would expect when they seek health care;
- that many holders of patient information who may misuse such information would
not be held accountable under the proposed regulation, despite attempts to bring
them within regulatory reach by compelling physicians and other covered entities
to, in effect, "police" them;
- that physicians will be held liable for the
uncontrollable misdeeds of their "business partners," although the physicians
themselves are in compliance with the regulation's provisions;
- that the administrative burden and costs of implementing the proposed regulation have
not been adequately calculated, and would have a disproportionate impact on
small physician offices; and
- that the proposed rule contradicts the
intention of its legislative directive under HIPAA to "simplify" health care
administration and reduce costs, and does not improve patients' expectation of
privacy in the health care system.
Applicability
The proposed
regulation does not cover a broad spectrum of entities that are positioned to
disclose and misuse confidential patient information. The AMA finds unacceptable
the Secretary's attempt to "fill the gap" in its legislative authority by
requiring physicians and other health care practitioners to, in effect, "police"
others who should be held accountable. Such a proposal is not only inherently
unfair, it is also ineffective insofar as patients may be left without any
recourse against a party who wrongfully discloses or misuses their confidential
medical information.
General rules
The proposed regulation
seemingly is more concerned with facilitating the ease of information flow for
the broadly defined purposes of treatment, payment, and health care operations
than it is with protecting patients' confidentiality and privacy interests.
AMA's policy states that "(c)onflicts between a patient's right to privacy and a
third party's need to know should be resolved in favor of patient privacy." In
the AMA's view, the general rule should begin with preserving confidentiality
and privacy and allowing disclosure only when it is ethically and legally
justified.
Scalability - The AMA applauds the Secretary's recognition
that a "single approach to implementation of these requirements would be neither
economically feasible nor effective in safeguarding health information
privacy." Though we appreciate the flexibility physicians and other
health care practitioners will be accorded in implementing this proposed
regulation, we are concerned that a lack of clear guidance inevitably will lead
to costly disputes about compliance.
Minimum necessary use and
disclosure - We agree with the Secretary's goal of precluding wholesale transfers
of complete medical records when only a small portion is pertinent to the
patient's current treatment, but believe the proposed rule's solution may be
unworkable. In crafting a solution to the question of limiting disclosures, we
recommend a requirement for requesters to make the "minimum necessary demand."
While physicians could certainly engage the requester in a dialogue regarding
what specific information might be needed in any given instance, the liability
would be on the requester for seeking prohibited information, rather than on the
physician for not adequately divining the motivations of the requester.
Creation of De-Identified Information - The AMA favors any provisions of
the rule that would have the effect of creating incentives to "de-identify"
medical information. However, we believe the proposed rule would actually create
a disincentive to de-identify information.
We recommend revising
the list of "identifiers" to be removed from the medical record, combined with
an explicit prohibition against "linking" or re-identifying without
authorization. This will provide entities with a greater incentive to
de-identify information, while holding wrongdoers properly accountable.
Business partners - The AMA strongly objects to the proposed rule's
approach of holding physicians and other covered entities responsible for
certain violations of the rule's requirements by their business partners. As a
matter of fairness, the proposal fails. A physician group, for example, could be
subject to the full weight of enforcement and sanctions under the regulation for
prohibited activity by its business partners, even if the group had no knowledge
or control over the practices of its business partner. The AMA objects to these
provisions because they present the potential for significant liability for
physicians who, themselves, are complying with the regulation's requirements.
Component entities - We believe the proposed regulation should be
modified to expressly recognize the necessity of firewalls within businesses or
entities that provide health care as a non-core function. Examples might be
school health clinics, on-site employee health services offered by businesses
or employers who operate self-funded health plans for their employees. We are
particularly concerned about this last category; public polling indicates that
people are deeply concerned that their employers are inappropriately accessing
their private medical information. Our key concern in these instances is in
assuring that firewalls exist between the health provider function and all other
elements of the entity.
Uses and disclosures with individual
authorization
The AMA strongly supports a requirement for an
individual's authorization for most uses of his or her identifiable health
information. The Secretary notes, and the AMA agrees, that individuals generally
do not recognize that their information may be used for a multitude of purposes
beyond their individual care and payment for that care. This fact underlies the
AMA's advocacy for a consent requirement for most uses of an individual's
private health information.
We strongly object to the provision that
would prohibit physicians from seeking their patients' authorization for
treatment, payment or health care operations. This provision flies in the face
of medical ethics and directly contradicts the Secretary's expressed intent in
the preamble, and should be deleted from the rule.
Uses and disclosures
for treatment, payment and health care operations without patient authorization
The AMA questions the Secretary's rationale for choosing to construe the
terms "treatment" and "payment" so broadly. The definition of "treatment," for
example, would include cost containment mechanisms such as case and disease
management that go to managing the costs of populations, rather than the health
care of an individual.
Patients reasonably expect that the treatment
rendered by their physician will be revealed to their health plan or other
insurer to pay the claim for benefits. However, patients do not expect, nor do
they welcome, unauthorized access to health information disclosed in the context
of a confidential relationship for the wide range of purposes HHS believes to be
somehow "compatible with and directly related" to treatment or payment.
The AMA strongly opposes any "disease management" language in the
proposed rule that is not qualified by requiring the coordination and
cooperation of the individual's physician. Patients should have the right to
consent to - or refuse - participation in disease management programs offered by
providers and plans.
The diversity of proposed uses for information
advocated by various groups illustrates the inherent difficulty in addressing
these evolving functions within any static legislative or regulatory definition.
We recommend application of the controlling rule iterated throughout AMA's
comment letter: informed consent should be obtained before personally
identifiable health information is used for any purpose. For those many
functions or circumstances for which patient consent is not feasible, the
information would either have to be de-identified to be used, or the decision
regarding its use without patient consent would be made by an objective,
publicly-accountable process that weighs the risks against the benefits of the
proposed use. This should apply to all operational uses of personally
identifiable health information that do not go directly to the individual's
specific care, as well as research projects that fall outside the purview of an
IRB process.
Right to restrict - We believe the "right to request
restriction" is an unworkable "consolation prize" for patients who have had
their right to consent taken away from them by government fiat. In addition to
its ethical flaws, we believe that offering a right to restrict presents the
potential to drive a wedge between patients who want to impose further
restrictions and providers who cannot agree to such arrangements due to the
overwhelming administrative burdens and potential liability that such individual
arrangements would entail.
Permissible uses and disclosures for purposes
other than treatment, payment and health care operations
The preamble notes that
certain "national priority" activities, as well as the "smooth functioning of
the health care system," require the extensive use of individually identifiable
health information. The AMA believes that the proposed rule weighs far too
heavily in favor of those who seek access to patients' private medical
information (often the government), with inadequate deference paid to patients'
fundamental right of privacy.
Public health - While mindful that we
should not create unduly restrictive barriers for public health researchers to
access information, the AMA believes that epidemiologic research on public
health and problems should be guided by the same principles for, and safeguards
on, privacy and confidentiality that apply to all other medical research. These
breaches in confidentiality for a public health purpose are no different from
any other breach of a patient's confidentiality that benefits others besides the
patient, barring imminent public health emergencies.
Health oversight
agencies - The AMA agrees with the Secretary that, generally, oversight
activities are important to support national priorities; however, we believe
that a majority of these activities could be conducted in a manner that is less
intrusive and more sensitive to the need to protect confidential patient
information. We believe that the definition's sweeping inclusion of virtually
all government agencies that may have any connection, albeit remote, to health
care may result in widespread fishing expeditions for confidential patient
information. Even more troubling is that the proposed regulation promotes such
access knowing that there are few safeguards in place to protect against the
government's wrongful disclosure or use.
The AMA strenuously objects to
the seemingly unfettered and unauthorized access governmental agencies will be
accorded under the proposed regulation as it is currently drafted. We recommend
that if identifiable information is used, it should be accompanied by a
limitation on further uses or access by other entities. Our chief concern here
is that access by health oversight agencies does not become a "backdoor" for law
enforcement access.
Judicial and Administrative Proceedings - While the
AMA supports the general provisions of this section, we recommend strengthening
the language to increase objectivity and to limit subsequent unauthorized use
and re-disclosure. An order by a court or administrative law judge provides some
opportunity for an objective screening mechanism to balance the interests at
stake in the proceeding, and should be required for all access in judicial and
administrative proceedings.
Law Enforcement - The AMA believes strongly
that the requesting law enforcement entity should be allowed access to medical
records only through a court order. Our position is that a strong legal
standard, accompanied by a set of parameters on need and use, is essential to
protecting not only personal medical information, but the confidence of citizens
in their government.
This is not an abstract concern. Physicians and
their patients have repeatedly experienced the intrusion of law enforcement into
patients' personal medical information when no need for identifiable information
is established and no protections are provided. The unfortunate result is less -
rather than greater - confidence in the law enforcement and judicial systems of
this country.
Governmental Health Data Systems - The AMA
strongly objects to the troubling premise seemingly underlying the entire
proposed rule, and particularly evident here, that government oversight of the
efficiency and effectiveness of the health care "system" is somehow a more
compelling national priority than protecting individual citizens' right to
privacy. We cannot agree with reasoning wherein the federal government appears
to value even marginal increments of administrative efficiency over the basic
rights of individuals to protect the privacy of their own health information.
The AMA sees no reason why government's research and policy analysis
purposes could not be fulfilled using de-identified individual or aggregate
information. Further, if the government believes it requires individually
identifiable health information for its particular purpose, it should be
required to obtain the individual's consent for such disclosure and use, or to
justify the value of the proposed project and the reasons why obtaining consent
is impracticable or impossible.
Research - The AMA strongly supports the
extension of the Common Rule to all entities conducting human subject research,
regardless of their federal nexus, and applauds the Secretary's efforts in this
important area. We agree with the Secretary's conclusion that the nexus of
federal funding is irrelevant in deciding the question of whether human research
subjects should be protected. As a matter of public policy, individuals should
be protected if they or their information are the subject of health-related
research. The source of the funding should not result in different levels of
protection.
Individual rights
The AMA supports the rights of
individuals to access their medical records, subject to limited exceptions, which
is the approach adopted by the Secretary. We believe that the physical record
and notes made in treating the patient belong to the physician; however, the
information contained in the record is the patient's. Thus, certain rights
should attach for both the patient and the physician.
Administrative
requirements and policy development and documentation
This provision sets out an
extensive series of administrative requirements that physicians and other
covered entities would have to incorporate into their practice or business. The
AMA has significant concerns about the substantial administrative and financial
burdens this might place on physician practices, particularly those smaller
practices whose administrative personnel are already stretched to the limit with
various governmental and health plan requirements.
The AMA objects in
the strongest terms to the school of bureaucratic thought that requires
documentation that one is going to do something, followed by documentation that
one is doing that same thing, and then requires documentation that the same
thing has been done. Physicians and their office staffs are absolutely
overwhelmed by current paperwork requirements generated by well-intended, but
poorly thought out, regulations. Such redundant documentation requirements are
for the administrative ease of compliance officers - not for physicians and
certainly not for patients. Masses of documentation allow compliance officers to
push their familiar paper and quibble over parenthetical clauses rather than to
really investigate to see when a true wrong has been committed.
The AMA
recommends that the paperwork and documentation elements of the proposed rule be
withdrawn completely and rethought with a more realistic and flexible
implementation approach for smaller physician offices. After all, is the goal to
actually protect patient privacy, or is it to create paper saying that we do?
Physicians and other licensed health care professionals already use an
array of administrative tools to honor existing ethical and legal obligations to
keep patient information confidential. We believe that a prudent implementation
of the proposed rule's administrative requirements would permit these covered
entities to modify these existing tools, rather than requiring them to "reinvent
the wheel." The corporate entities that currently do little or nothing to
protect patient privacy are those that the proposed regulation should highlight
for additional administrative protections. In addition, we believe that the
Secretary has not adequately calculated the costs of implementing the
administrative requirements under the proposed regulation. We believe the
proposed regulation would have a disproportionate impact on small business
(individual and groups of physicians and other health care practitioners).
Preemption and Relationship to State Laws
The AMA is deeply
concerned that, while the proposed rule suggests that its preemption provision
sets a federal "floor" for preemption, a raft of subsequent exceptions and
qualifiers completely undermine the provision, creating a federal "basement,"
rather than a federal "floor."
AMA policy supports a preemption
provision that preserves more stringent state confidentiality laws, so that
federal and state privacy protections would be cumulative. The proposed rule
fails to provide due deference to the States.
This section is also
flawed by the fact that entities - specifically physicians - regulated by the
rule would not be able to independently ask the Secretary for clarification as
to which law to abide by. All queries must be presented by the States. Two
implementation problems are immediately evident:
(1) physicians who seek
to comply with state law, believing in good faith that it is more stringent than
the federal standard, could be in violation of the regulation without ever
knowing or having an opportunity to directly request guidance from the
Secretary; and
(2) State governments could have a conflict of interest,
as one of the largest health data collectors, in bringing forward queries to the
Secretary.
Compliance and Enforcement
Due to the lack of
concrete guidance in its current form, the proposed regulation may unwittingly
expose physicians and other covered entities to fines for noncompliance despite
good faith efforts to comply. The AMA is also troubled by the implicit federal
overlap created by this rule wherein the traditional role of the states' medical
licensure boards in overseeing physicians' ethical practice is usurped by
federal enforcement.
We are encouraged to note the Secretary's
philosophy of providing "a cooperative approach to obtaining compliance," that
looks to an educational, rather than punitive, approach to resolve disputes. The
AMA nevertheless questions the role of the Secretary or any federal officer to
investigate complaints against physicians for breaches of patient
confidentiality. This is the traditional realm of state medical licensing boards
and their premier role in pursuing this type of activity is clearly articulated
in State medical practice acts.
Cost of Compliance
The AMA notes
that the cost to comply with the proposed privacy regulations clearly is not a
one-time cost but will be a perpetual and continuing commitment, and this should
be reflected in the analysis. These continuing costs are not anticipated by the
proposed rule. Furthermore, the proposed rule could impose significant new costs
on physicians' practices, with the potential to disproportionately burden small
physician offices. We believe this runs counter to the explicit intent of
HIPAA's "Administrative Simplification" provisions, which require "any standard
adopted under this part shall be consistent with the objective of reducing the
administrative costs of providing and paying for health care." (Sec. 262.
"Administrative Simplification," "Sec. 1172(b) Reduction of Costs.")
Conclusion
The Secretary notes that she has attempted to create a
regulation that strikes a balance between permitting important uses of health
information while respecting an individual's right to privacy. We commend the
Secretary for the attempt to address these complex issues, particularly within
the restrictive framework permitted under HIPAA. The AMA does not believe,
however, that the proposed regulation achieves the necessary and proper balance.
The proposed regulation would not adequately protect patient privacy and
confidentiality and it would substantially and unacceptably increase
administrative burdens for physicians. For these reasons, we cannot support the
proposed regulation in its current form.
Further, the parameters set
under HIPAA for regulatory action do not permit the full scope of protections
that physicians believe patients deserve in any federal privacy law. We believe
that the first step of any ultimately successful proposal, legislative or
regulatory, must be to place the patient first. Each entity seeking access to
patients' most confidential medical information must pass the stringent test of
showing why its professed need should override individuals' most basic right in
keeping their own information private. Moreover, citizens deserve a full and
open discussion of exactly who wants their private medical information and for
what purpose. Only then may the true balancing of interests take place. These
are the ground rules of AMA policy and they should be the ground rules for the
federal debate regarding patient privacy.
END
LOAD-DATE: February 24, 2000