Skip banner
HomeHow Do I?Site MapHelp
Return To Search FormFOCUS
Search Terms: health information privacy, House or Senate or Joint

Document ListExpanded ListKWICFULL format currently displayed

Previous Document Document 19 of 45. Next Document

More Like This
Copyright 2000 Federal News Service, Inc.  
Federal News Service

February 17, 2000, Thursday

SECTION: PREPARED TESTIMONY

LENGTH: 4183 words

HEADLINE: PREPARED TESTIMONY OF WILLIAM G. PLESTED, III, M.D., MEMBER, BOARD OF TRUSTEES AMERICAN MEDICAL ASSOCIATION
 
BEFORE THE HOUSE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON HEALTH
 
SUBJECT - THE CONFIDENTIALITY OF PATIENT RECORDS

BODY:
 The American Medical Association (AMA), representing approximately 300,000 physicians and medical student members, appreciates the opportunity to submit testimony to the Health Subcommittee of the Ways and Means Committee regarding an issue central to the patient- physician relationship: protecting patient confidentiality. We particularly appreciate the chance to share with you our concerns regarding the Secretary of Health and Human Services' (HHS) proposed rule on patient privacy, for which public comments are due today ("Proposed Standards for Privacy of Individually Identifiable Health Information," 45 CFR Parts 160 through 164, 64 Fed. Reg. 59917 (November 3, 1999)).

Personal health information is used by various entities in the health care delivery system, including hospitals and health plans, for purposes beyond direct treatment planning and claims payment. Each of these entities argues it needs patient-identifiable health information to achieve its legitimate objective; most believe they do not need explicit patient consent to receive and use such information. That philosophy is reflected in the Secretary's proposed rule and preamble. It is a philosophy rejected by the AMA. The AMA has consistently maintained that an expressed "need" for information does not confer a right. Patient consent continues to be a critical consideration in the use and disclosure of personally identifiable health information. Consistent with AMA's baseline philosophy regarding individual privacy rights, informed consent should be obtained, where possible, before personally identifiable health information is used for any purpose. However, this is clearly not practical or even possible in some instances. In those situations in which patient consent is not feasible, either (a) the information should have identifying information stripped from it or (b) an objective, publicly-accountable entity must conclude that patient consent is not required after weighing the risks and benefits of the proposed use. A local review board system has already been adopted successfully by several parties to the health care system, including physicians, some researchers, a few health plans, and others.

Some parties may reject this principle as too deferential to patients' rights at the expense of administrative feasibility. The AMA believes that this approach properly balances the interests at stake. Furthermore, it is the right thing to do. At a time when the American public is looking to its leaders for a strong stand on patients' rights, any other policy fails patients, their families and their caregivers.

The AMA cannot support the proposed HHS regulation on patient privacy in its current form. The complexity of the task, compounded by the inherent restrictions under the Health Insurance Portability and Accountability Act's (HIPAA) limited grant of regulatory authority, have resulted in a proposed regulation that does not adequately protect patient confidentiality and privacy and that substantially and unacceptably increases administrative burdens for physicians.

The AMA's overarching concerns are as follows:

- that patients' confidential information could be disclosed without their consent for a broad array of purposes unrelated to the patient's individual treatment or payment and extending far beyond the necessary disclosures and uses patients would expect when they seek health care;

- that many holders of patient information who may misuse such information would not be held accountable under the proposed regulation, despite attempts to bring them within regulatory reach by compelling physicians and other covered entities to, in effect, "police" them; - that physicians will be held liable for the uncontrollable misdeeds of their "business partners," although the physicians themselves are in compliance with the regulation's provisions;

- that the administrative burden and costs of implementing the proposed regulation have not been adequately calculated, and would have a disproportionate impact on small physician offices; and

- that the proposed rule contradicts the intention of its legislative directive under HIPAA to "simplify" health care administration and reduce costs, and does not improve patients' expectation of privacy in the health care system.

Applicability

The proposed regulation does not cover a broad spectrum of entities that are positioned to disclose and misuse confidential patient information. The AMA finds unacceptable the Secretary's attempt to "fill the gap" in its legislative authority by requiring physicians and other health care practitioners to, in effect, "police" others who should be held accountable. Such a proposal is not only inherently unfair, it is also ineffective insofar as patients may be left without any recourse against a party who wrongfully discloses or misuses their confidential medical information.

General rules

The proposed regulation seemingly is more concerned with facilitating the ease of information flow for the broadly defined purposes of treatment, payment, and health care operations than it is with protecting patients' confidentiality and privacy interests. AMA's policy states that "(c)onflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of patient privacy." In the AMA's view, the general rule should begin with preserving confidentiality and privacy and allowing disclosure only when it is ethically and legally justified.

Scalability - The AMA applauds the Secretary's recognition that a "single approach to implementation of these requirements would be neither economically feasible nor effective in safeguarding health information privacy." Though we appreciate the flexibility physicians and other health care practitioners will be accorded in implementing this proposed regulation, we are concerned that a lack of clear guidance inevitably will lead to costly disputes about compliance.

Minimum necessary use and disclosure -We agree with the Secretary's goal of precluding wholesale transfers of complete medical records when only a small portion is pertinent to the patient's current treatment, but believe the proposed rule's solution may be unworkable. In crafting a solution to the question of limiting disclosures, we recommend a requirement for requesters to make the "minimum necessary demand." While physicians could certainly engage the requester in a dialogue regarding what specific information might be needed in any given instance, the liability would be on the requester for seeking prohibited information, rather than on the physician for not adequately divining the motivations of the requester.

Creation of De-Identified Information - The AMA favors any provisions of the rule that would have the effect of creating incentives to "de- identify" medical information. However, we believe the proposed rule would actually create a disincentive to de-identify information.



We recommend revising the list of "identifiers" to be removed from the medical record, combined with an explicit prohibition against "linking" or re-identifying without authorization. This will provide entities with a greater incentive to de-identify information, while holding wrongdoers properly accountable.

Business partners - The AMA strongly objects to the proposed rule's approach of holding physicians and other covered entities responsible for certain violations of the rule's requirements by their business partners. As a matter of fairness, the proposal fails. A physician group, for example, could be subject to the full weight of enforcement and sanctions under the regulation for prohibited activity by its business partners, even if the group had no knowledge or control over the practices of its business partner. The AMA objects to these provisions because they present the potential for significant liability for physicians who, themselves, are complying with the regulation's requirements.

Component entities - We believe the proposed regulation should be modified to expressly recognize the necessity of firewalls within businesses or entities that provide health care as a non-core function. Examples might be school health clinics, on-site employee health services offered by businesses or, employers who operate self- funded health plans for their employees. We are particularly concerned about this last category; public polling indicates that people are deeply concerned that their employers are inappropriately accessing their private medical information. Our key concern in these instances is in assuring that firewalls exist between the health provider function and all other elements of the entity.

Uses and disclosures with individual authorization

The AMA strongly supports a requirement for an individual's authorization for most uses of his or her identifiable health information. The Secretary notes, and the AMA agrees, that individuals generally do not recognize that their information may be used for a multitude of purposes beyond their individual care and payment for that care. This fact underlies the AMA's advocacy for a consent requirement for most uses of an individual's private health information.

We strongly object to the provision that would prohibit physicians from seeking their patients' authorization for treatment, payment or health care operations. This provision flies in the face of medical ethics and directly contradicts the Secretary's expressed intent in the preamble, and should be deleted from the rule.

Uses and disclosures for treatment, payment and health care operations without patient authorization

The AMA questions the Secretary's rationale for choosing to construe the terms "treatment" and "payment" so broadly. The definition of "treatment," for example, would include cost containment mechanisms such as case and disease management that go to managing the costs of populations, rather than the health care of an individual.

Patients reasonably expect that the treatment rendered by their physician will be revealed to their health plan or other insurer to pay the claim for benefits. However, patients do not expect, nor do they welcome, unauthorized access to health information disclosed in the context of a confidential relationship for the wide range of purposes HHS believes to be somehow "compatible with and directly related" to treatment or payment.

The AMA strongly opposes any "disease management" language in the proposed rule that is not qualified by requiring the coordination and cooperation of the individual's physician. Patients should have the right to consent to - or refuse - participation in disease management programs offered by providers and plans.

The diversity of proposed uses for information advocated by various groups illustrates the inherent difficulty in addressing these evolving functions within any static legislative or regulatory definition. We recommend application of the controlling rule iterated throughout AMA's comment letter: informed consent should be obtained before personally identifiable health information is used for any purpose. For those many functions or circumstances for which patient consent is not feasible, the information would either have to be de- identified to be used, or the decision regarding its use without patient consent would be made by an objective, publicly-accountable process that weighs the risks against the benefits of the proposed use. This should apply to all operational uses of personally identifiable health information that do not go directly to the individual's specific care, as well as research projects that fall outside the purview of an IRB process.

Right to restrict - We believe the "right to request restriction" is an unworkable "consolation prize" for patients who have had their right to consent taken away from them by government fiat. In addition to its ethical flaws, we believe that offering a right to restrict presents the potential to drive a wedge between patients who want to impose further restrictions and providers who cannot agree to such arrangements due to the overwhelming administrative burdens and potential liability that such individual arrangements would entail.

Permissible uses and disclosures for purposes other than treatment, payment and health care operations The preamble notes that certain "national priority" activities, as well as the "smooth functioning of the health care system," require the extensive use of individually identifiable health information. The AMA believes that the proposed rule weighs far too heavily in favor of those who seek access to patients' private medical information (often the government), with inadequate deference paid to patients' fundamental right of privacy.

Public health - While mindful that we should not create unduly restrictive barriers for public health researchers to access information, the AMA believes that epidemiologic research on public health and problems should be guided by the same principles for, and safeguards on, privacy and confidentiality that apply to all other medical research. These breaches in confidentiality for a public health purpose are no different from any other breach of a patient's confidentiality that benefits others beside the patient, barring imminent public health emergencies.

Health oversight agencies - The AMA agrees with the Secretary that, generally, oversight activities are important to support national priorities; however, we believe that a majority of these activities could be conducted in a manner that is less intrusive and more sensitive to the need to protect confidential patient information. We believe that the definition's sweeping inclusion of virtually all government agencies that may have any connection, albeit remote, to health care may result in widespread fishing expeditions for confidential patient information. Even more troubling, is that the proposed regulation promotes such access knowing that there are few safeguards in place to protect against the government's wrongful disclosure or use.

The AMA strenuously objects to the seemingly unfettered and unauthorized access governmental agencies will be accorded under the proposed regulation as it is currently drafted. We recommend that if identifiable information is used, it should be accompanied by a limitation on further uses or access by other entities. Our chief concern here is that access by health oversight agencies does not become a "backdoor" for law enforcement access.

Judicial and Administrative Proceedings - While the AMA supports the general provisions of this section, we recommend strengthening the language to increase objectivity and to limit subsequent unauthorized use and re-disclosure. An order by a court or administrative law judge provides some opportunity for an objective screening mechanism to balance the interests at stake in the proceeding, and should be required for all access in judicial and administrative proceedings.

Law Enforcement - The AMA believes strongly that the requesting law enforcement entity should be allowed access to medical records only through a court order. Our position is that a strong legal standard, accompanied by a set of parameters on need and use, is essential to protecting not only personal medical information, but the confidence of citizens in their government.

This is not an abstract concern. Physicians and their patients have repeatedly experienced the intrusion of law enforcement into patients' personal medical information when no need for identifiable information is established and no protections are provided. The unfortunate result is less - rather than greater - confidence in the law enforcement and judicial systems of this country.



Governmental Health Data Systems - The AMA strongly objects to the troubling premise seemingly underlying the entire proposed rule, and particularly evident here, that government oversight of the efficiency and effectiveness of the health care "system" is somehow a more compelling national priority than protecting individual citizens' right to privacy. We cannot agree with reasoning wherein the federal government appears to value even marginal increments of administrative efficiency over the basic rights of individuals to protect the privacy of their own health information.

The AMA sees no reason why government's research and policy analysis purposes could not be fulfilled using de-identified individual or aggregate information. Further, if the government believes it requires individually identifiable health information for its particular purpose, it should be required to obtain the individual's consent for such disclosure and use, or to justify the value of the proposed project and the reasons why obtaining consent is impracticable or impossible.

Research - The AMA strongly supports the extension of the Common Rule to all entities conducting human subject research, regardless of their federal nexus, and applauds the Secretary's efforts in this important area. We agree with the Secretary's conclusion that the nexus of federal funding is irrelevant in deciding the question of whether human research subjects should be protected. As a matter of public policy, individuals should be protected if they or their information are the subject of health-related research. The source of the funding should not result in different levels of protection.

Individual rights

The AMA supports the rights of individual to access their medical records, subject to limited exceptions, which is the approach adopted by the Secretary. We believe that the physical record and notes made in treating the patient belong to the physician; however, the information contained in the record is the patient's. Thus, certain rights should attach for both the patient and the physician.

Administrative requirements and policy development and documentation This provision sets out an extensive series of administrative requirements that physicians and other covered entities would have to incorporate into their practice or business. The AMA has significant concerns about the substantial administrative and financial burdens this might place on physician practices, particularly those smaller practices whose administrative personnel are already stretched to the limit with various governmental and health plan requirements.

The AMA objects in the strongest terms to the school of bureaucratic thought that requires documentation that one is going to do something, followed by documentation that one is doing that same thing, and then requires documentation that the same thing has been done. Physicians and their office staffs are absolutely overwhelmed by current paperwork requirements generated by well-intended, but poorly thought out, regulations. Such redundant documentation requirements are for the administrative ease of compliance officers - not for physicians and certainly not for patients. Masses of documentation allow compliance officers to push their familiar paper and quibble over parenthetical clauses rather than to really investigate to see when a true wrong has been committed.

The AMA recommends that the paperwork and documentation elements of the proposed rule be withdrawn completely and rethought with a more realistic and flexible implementation approach for smaller physician offices. After all, is the goal to actually protect patient privacy, or is it to create paper saying that we do?

Physicians and other licensed health care professionals already use an array of administrative tools to honor existing ethical and legal obligations to keep patient information confidential. We believe that a prudent implementation of the proposed rule's administrative requirements would permit these covered entities to modify these existing tools, rather than requiring them to "reinvent the wheel." The corporate entities that currently do little or nothing to protect patient privacy are those that the proposed regulation should highlight for additional administrative protections. In addition, we believe that the Secretary has not adequately calculated the costs of implementing the administrative requirements under the proposed regulation. We believe the proposed regulation would have a disproportionate impact on small business (individual and groups of physicians and other health care practitioners).

Preemption and Relationship to State Laws

The AMA is deeply concerned that, while the proposed rule suggests that its preemption provision sets a federal "floor" for preemption, a raft of subsequent exceptions and qualifiers completely undermine the provision, creating a federal "basement," rather than a federal "floor."

AMA policy supports a preemption provision that preserves more stringent state confidentiality laws, so that federal and state privacy protections would be cumulative. The proposed rule fails to provide due deference to the States.

This section is also flawed by the fact that entities - specifically physicians - regulated by the rule would not be able to independently ask the Secretary for clarification as to which law to abide by. All queries must be presented by the States. Two implementation problems are immediately evident:

(1) physicians who seek to comply with state law, believing in good faith that it is more stringent than the federal standard, could be in violation of the regulation without ever knowing or having an opportunity to directly request guidance from the Secretary; and

(2) State governments could have a conflict of interest, as one of the largest health data collectors, in bringing forward queries to the Secretary.

Compliance and Enforcement

Due to the lack of concrete guidance in its current form, the proposed regulation may unwittingly expose physicians and other covered entities to fines for noncompliance despite good faith efforts to comply. The AMA is also troubled by the implicit federal overlap created by this rule wherein the traditional role of the states' medical licensure boards in overseeing physicians' ethical practice is usurped by federal enforcement.

We are encouraged to note the Secretary's philosophy of providing "a cooperative approach to obtaining compliance," that looks to an educational, rather than punitive, approach to resolve disputes. The AMA nevertheless questions the role of the Secretary or any federal officer to investigate complaints against physicians for breaches of patient confidentiality. This is the traditional realm of state medical licensing boards and their premier role in pursuing this type of activity is clearly articulated in State medical practice acts.

Cost of Compliance

The AMA notes that the cost to comply with the proposed privacy regulations clearly is not a one-time cost but will be a perpetual and continuing commitment, and this should be reflected in the analysis. These continuing costs are not anticipated by the proposed rule. Furthermore, the proposed rule could impose significant new costs on physicians' practices, with the potential to disproportionately burden small physician offices. We believe this runs counter to the explicit intent of HIPAA's "Administrative Simplification" provisions, which require "any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care." (Sec. 262. "Administrative Simplification," "Sec. 1172(b) Reduction of Costs.")

Conclusion The Secretary notes that she has attempted to create a regulation that strikes a balance between permitting important uses of health information while respecting an individual's right to privacy. We commend the Secretary for the attempt to address these complex issues, particularly within the restrictive framework permitted under HIPAA. The AMA does not believe, however, that the proposed regulation achieves the necessary and proper balance. The proposed regulation would not adequately protect patient privacy and confidentiality and it would substantially and unacceptably increase administrative burdens for physicians. For these reasons, we cannot support the proposed regulation in its current form.

Further, the parameters set under HIPAA for regulatory action do not permit the full scope of protections that physicians believe patients deserve in any federal privacy law. We believe that the first step of any ultimately successful proposal, legislative or regulatory, must be to place the patient first. Each entity seeking access to patients' most confidential medical information must pass the stringent test of showing why its professed need should override individuals' most basic right in keeping their own information private. Moreover, citizens deserve a full and open discussion of exactly who wants their private medical information and for what purpose. Only then may the true balancing of interests take place. These are the ground rules of AMA policy and they should be the ground rules for the federal debate regarding patient privacy.

END



LOAD-DATE: February 24, 2000




Previous Document Document 19 of 45. Next Document


FOCUS

Search Terms: health information privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
   
About LEXIS-NEXIS® Congressional Universe Terms and Conditions Top of Page
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.