Skip banner
HomeHow Do I?Site MapHelp
Return To Search FormFOCUS
Search Terms: health information privacy, House or Senate or Joint

Document ListExpanded ListKWICFULL format currently displayed

Previous Document Document 15 of 45. Next Document

More Like This
Copyright 2000 Federal News Service, Inc.  
Federal News Service

 View Related Topics 

April 26, 2000, Wednesday

SECTION: PREPARED TESTIMONY

LENGTH: 10480 words

HEADLINE: PREPARED TESTIMONY OF JANET HEINRICH ASSOCIATE DIRECTOR HEALTH FINANCING AND PUBLIC HEALTH ISSUES HEALTH, EDUCATION, AND HUMAN SERVICES DIVISION
 
BEFORE THE SENATE COMMITTEE ON HEALTH, EDUCATION, LABOR AND PENSIONS

BODY:
 Mr. Chairman and Members of the Committee:

We are pleased to be here today to discuss the most recent efforts to develop a federal health privacy policy. Few areas of our lives are perceived to be more private than our health and medical care. Historically, individuals' access to information contained in their own medical records and control of others' access to that information have largely been in the command of patients, their physicians, and providers such as hospitals. However, the proliferation of electronic records and managed care arrangements has raised questions about the extent to which individuals' health care information is protected from inappropriate disclosure. The disclosure of personally identifiable medical information without authorization may not only result in information being revealed that an individual wishes to remain confidential but may subject an individual to discrimination in employment, insurance, or other matters. While federal statutes affect the disclosure of records under federally funded programs---such as the Medicare program or veterans' programs--no comprehensive federal laws have been enacted covering private sector activities in this area. Recognizing the need to ensure confidentiality of patient data, the Congress included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) a provision that the Secretary of Health and Human Services develop legislative recommendations aimed at filling this gap.1 The Congress further stipulated that if legislation governing privacy standards was not enacted by August 21, 1999, the Secretary should issue regulations on the matter. The Department of Health and Human Services (HHS) submitted the required recommendations to the Congress, but legislation was not enacted. HHS issued proposed regulations on November 3, 1999.2

You asked us to examine the proposed regulation in terms of HHS' legal authority to act in this area as well as assess the reaction from interested parties. Specifically, we (1) examined the authoritative basis in the HIPAA statute for some of the approaches taken by HHS in the proposed rule, (2) assessed the overall pattern of public responses to the rule among a selected group of 40 organizations representing different constituencies affected by the rule, (3) examined in detail the content of the views expressed by those organizations with respect to six sections of the rule that prompted an especially large volume of comments, and (4) identified concerns that would require legislative action to address.

In addressing these objectives, we examined the proposed rule and the comments submitted in response to it by a selected group of 40 organizations. 3 In constructing this list, we tried to incorporate those organizations that had been active on this issue in the past, as well as provide broad representation of different constituencies potentially affected by the rule. Thus, the list includes organizations representing patients, health care providers, standards and accrediting bodies, government entities, health care clearinghouses, employers, health plans, and research and pharmaceutical groups. (A list of these organizations is in the app.)

With regard to HHS' statutory authority, we reviewed three issues that you identified as potentially problematic: (1) controlling the use of information by others not specifically covered by HHS' proposed rule ("downstream users") by requiting covered entitles to enter into contracts with business partners; (2) the extension of protection to the paper versions of electronic data; and (3) the "sealability" standard, which permits different covered entities to decide, on the basis of a judgment of their administrative capacity, how much they need to do to comply with the regulations. In our review of the 40 stakeholders' comments, we abstracted the positions that each took on the more than 50 sections of the proposed rule. From this we determined which sections of the rule generated comments from the different categories of organizations among our 40 selected stakeholders. We then conducted a more detailed analysis of the six sections of the rule that we found had attracted the greatest overall interest. We also took particular note of any recommendations that would require legislation before they could be implemented.

In brief, the regulatory strategies HHS adopted in the proposed rule seem consistent with HIPAA's purpose of protecting the privacy of health information and are legally permissible. By requiring that entities directly regulated by the rule---health plans, health care providers, and health care clearinghouses (firms that put information into standard formats) control the information practices of entities with which they do business, HHS has attempted to fill an otherwise significant gap in privacy protection. For the same reason, HHS has covered the "paper progeny" of electronically maintained or transmitted health information--the privacy protections extended to individuals by HIPAA would be easy to circumvent if protected health information in an electronic record lost its protection merely by being printed. HHS' decision to build flexibility into the proposed rule by allowing implementation of the standards to vary on the basis of an organization's size is also within its authority.

The stakeholders' comments to HHS reflected sharply divergent views on several critical issues. Most notably, patient advocates, state government representatives, and providers strongly supported the provision of the rule that preempts weaker state laws while leaving intact stronger ones. Meanwhile, health plans and employers emphasized the practical difficulties of implementing the complex interaction of federal and different state standards. Similarly, patient advocates and law enforcement officials approved of extending the rule's coverage from the three types of entities subject to HIPAA regulation to business partners with whom these entities share protected health care data. However, the covered entities themselves were wary of assuming the responsibility for enforcing compliance by these other groups. In some cases, the changes desired by industry groups and patient advocates would require congressional action. For example, HHS could not establish a uniform federal privacy standard preempting all applicable state laws unless HIPAA was amended. Similarly, only the Congress could expand the rule's coverage to all types of entities that create, use, and share protected health information. For other proposed changes, such as coverage of records that had never been stored or transmitted electronically, it was less clear whether HHS could act without new legislation.

BACKGROUND

Highlights of the Proposed Rule

The proposed regulation addresses the protection of health information from its creation and establishes uniform requirements for those handling the information. Personal health information may be used and disclosed under conditions specified in the rule or when the individual authorizes it, and it must be disclosed when the 'individual wants to review his or her own information (and when the Secretary wants to look at the information to enforce the rule). Key elements of the proposed regulation are shown in table 1.

Table 1: Key Provisions of the Proposed Privacy Regulation

Entities the regulation covers

Covered entities are all health plans, health care providers, and health care clearinghouses.

Information the regulation covers

Covered information is any that has been maintained electronically covers or transmitted electronically. Such information is protected in all its manifestations, including its printed form, when it is held by a covered entity.

Permitted uses without individual authorization Protected information may be used and disclosed for treatment, payment, and health care operations. Plans and providers must have contracts with their business partners (lawyers, accountants, third-party administrators, accrediting organizations, and others who perform services on behalf of a plan or provider) that limit how they may use the information. Covered entities may be held responsible for the transgressions of their business partners. Information may be used without individual authorization for public policy purposes such as research, public health monitoring, health care oversight, and law enforcement.

Information practices When covered entities disclose information, they may disclose only the minimum amount necessary to fulfill the purpose. Such determinations are to be made on a case-by-case basis, when technologically feasible. Covered entities can meet privacy standards by removing specified identifying data elements. entities must provide up-to-date notice to patients and enrollees describing their rights and how the entity intends to use or disclose the information. A covered entity may not condition treatment or payment on obtaining an authorization for a disclosure for a nonrelated purpose (such as marketing).

-- Covered entities must provide individuals on request with an accounting of disclosures of their identifiable health information.

Individual rights Individuals have a right to inspect and copy their medical records. Individuals also have a right to amend and correct erroneous health information. Individuals have a right to request restrictions on further uses or disclosures of their identifiable health information in certain instances. Individuals may file complaints to a covered entity and to the Secretary of Health and Human Services about possible privacy rule violations.

Administrative requirements Covered entities must have a designated privacy official to oversee privacy practices. Covered entities must develop and apply sanctions when appropriate to employees and business partners who misuse information. Covered entities must also develop and document their policies and procedures for implementation of rule requirements.

Preemption

The proposed rule preempts state laws that are contrary to the rule, with certain exceptions. Exceptions include state laws that are more stringent, public health surveillance laws, and parental access laws.

Enforcement

HHS may make a formal finding of noncompliance and use it as a basis to initiate an action under HIPAA or to refer the matter to the Department of Justice for prosecution under HIPAA. HIPAA sets forth civil and criminal penalties for violations.

HHS Process for Obtaining Input on the Proposed Regulation

Although proposed regulations generally have a 60-day comment period, HHS extended the time period for submitting comments on the privacy regulations for an additional 45 days at the request of several health care groups. During the 3-IA-month comment period, HHS received just under 52,000 comments. Some groups organized campaigns to promote public comment on the regulation: 30,000 letters from one group were essentially identical, while 10,500 submitted by another organization were more varied but endorsed similar themes. In accordance with the Administrative Procedure Act, all comments are being reviewed and summarized for inclusion in the preamble to the final rule. According to an HHS senior policy adviser, the target date for publication of the final rule is not known. The rule would be effective 26 months after the final rule is published.

HHS' EXERCISE OF ITS RULEMAKING AUTHORITY IS CONSISTENT WITH HIPAA

Under HIPAA, HHS' authority to issue regulations is limited to setting standards for three specific types of entities: health plans, health care clearinghouses, and health care providers that transmit information electronically in connection with specific financial and administrative transactions. In the preamble to the proposed regulations, HHS acknowledges that, because of this limitation, it lacks authority to implement comprehensive privacy protections and therefore it did not attempt to do so. Because of concerns that the regulation would leave gaps in protection, HHS has attempted to find ways, consistent with the statute, to protect privacy even where it cannot regulate directly. Some have suggested that HHS has gone beyond what the law authorizes in parts of the proposed rule, while elsewhere it has left too much leeway to the regulated entities to decide how to comply with the proposed standards. Specifically, questions have been raised about (1) requiring covered entities to get assurances that their business partners--"downstream" users of the data-- will safeguard the information; (2) extending privacy protection to the contents of electronic records in other forms (such as printouts); and (3) partly on the basis of their size and the nature of their business, allowing some regulated entities to decide the detailed policies and procedures for complying with the proposed regulations (HHS refers to this as "sealability").

We found that in these areas HHS did not exceed its statutory authority. HHS has broad authority to decide how to administer programs for which it is responsible and to interpret the statutes establishing those programs, such as HIPAA. In developing the proposed regulations, HHS has used this authority to regulate areas in which it reads the law as leaving room for discretion.

Requiring Safeguards by Business Partners

The proposed regulations would require covered entities (health plans, health care clearinghouses, and any health care providers that transmit health information in electronic form) to get assurances from business partners that they in turn will safeguard the information. Business partners include lawyers, auditors, consultants, data processing firms, and others to whom the covered entity discloses protected health information so that the business partner can carry out a function of the covered entity.

The assurance required is a written contract explicitly limiting the business partner's uses and disclosure of the information and imposing security, inspection, and reporting requirements on the business partner. The regulations further protect the information in the hands of downstream users by requiring the business partner to ensure that any subcontractors or agents to whom it provides protected health information will agree to the same restrictions and conditions that apply to the business partner. The covered entity is to be held responsible for any of the business partner's material breaches of the contract if the covered entity either knew of them, or reasonably should have known, and failed to take reasonable steps to remedy them.

We find these provisions to be reasonable and within HHS' authority to promulgate. They are consistent with HIPAA's purpose of protecting the privacy of individually identifiable health information; without some control over downstream use, the protection afforded by the rule would be significantly weakened.

The business partner provisions fill a gap left by HIPAA by providing needed protection not explicitly provided for by the statute, without directly imposing requirements on entities not covered by the statute.

In proposing this part of the rule, HHS recognized that many of those who would likely obtain personally identifiable health information from covered entities are not themselves entities covered by the statute and that it did not have authority to directly regulate their use of the information. Although HHS would be acting beyond its HIPAA authority if it attempted directly to regulate entities not covered by the statute, that is not the case here: the proposed regulations distinguish clearly between treatment of covered entitles and treatment of business partners. First, the requirements to be imposed on business partners arise only if a party voluntarily chooses to do business with a covered entity. Second, business partners are not subject to enforcement action by HHS; HHS' enforcement authority is limited to covered entities. Third, the safeguards being required of business partners are not as extensive as those the regulations would require of covered entities. For example, business partners, unlike covered entities, are not required to develop and distribute an explanation of their privacy practices to individuals.

If someone to whom a covered entity disclosed information in the course of business could disclose it further with impunity, the protection afforded would be worth little. HHS therefore proposed this obligation for covered entities to exercise control by contract over use of information provided by them to business partners.

Extending Protection to the Paver Record of Electronic Data

Another issue that has been raised is whether HHS has authority under HIPAA to regulate nonelectronic records as well as electronic data. The proposed rule applies standards of protection to information that has been electronically transmitted or maintained by a covered entity, including such information in any other form. Thus, the regulations would apply when the electronic information is printed, discussed orally, or otherwise changed in form. The regulations also apply to the original paper version of information that is subsequently transmitted electronically.

We find nothing in HIPAA that restricts HHS' rulemaking authority related to identifiable health records to electronic data only. HHS states in the preamble to the proposed rule that it has authority under HIPAA to set privacy standards that apply to all individually identifiable health information, including information in a nonelectronic form. The privacy protections afforded individuals by HIPAA would in effect be negated if health information lost its protection merely by being printed or read aloud.

The rule was issued under authority in the law that, while referring to electronic exchanges, is not unequivocally limited to such exchanges. HHS is to issue regulations concerning "standards with respect to the privacy of individually identifiable health information transmitted in connection with (transactions described in a list, in another section of the law)." As HHS points out, this language is not, on its face, limited to electronic transmissions of individually identifiable health information, although electronic transmissions are clearly within its scope.

HHS' approach to this issue is reasonable and balanced. Although HHS believes that it has authority to issue regulations covering individually identifiable health information in any form, it limited the proposed regulations to individually identifiable health information that is at some point electronically maintained and transmitted by a covered entity. HHS explains that this approach focuses most on the primary concern of HIPAA-- the effect on confidentiality of health care information of the growing use of computerization in health care, including electronic transfers.

Sealability

Another area of the regulation about which questions have been raised is "scalability." "Scalability" refers to allowing covered entities, which vary greatly in size, to decide for themselves the detailed policies and procedures they will use in complying with various privacy standards. It has been suggested that such a practice is problematic in that it leaves to the covered entity the decision of how to comply.

HHS explained in the preamble to its proposed regulation that the standards are to be implemented by all covered entities, from a small, single-physician practice to the largest multistate health plan. HHS' approach is to propose the privacy principles and standards that covered entities must meet but to leave detailed policies and procedures for meeting the standards to the discretion of the covered entities. Furthermore, while all covered entities must meet the standards and are subject to the penalties in HIPAA, HHS said it intends the implementation of the proposed rules to be flexible and scalable in order to account for the nature of the covered entities' businesses as well as the covered entities' size and resources. 4

An example of the application of"scalability" is that the proposed regulations require each covered entity to designate a "privacy official" to develop privacy policies but allow the entity to decide for itself details such as whether the official would have other duties not related to privacy. HHS observed that a small office might designate the office manager, who has a variety of administrative duties, as the privacy official, whereas a large entity might designate a person whose sole responsibility is privacy policy. Similarly, the regulations require covered entities to have a mechanism for receiving complaints from individuals regarding compliance with the privacy regulations, but they leave it up to the entities to decide what that mechanism is. A smaller entity might have a more informal process than a larger entity.

HHS' decision to build flexibility and scalability into the proposed rule to account for differences in entity size is within its authority. The agency's approach requires compliance with the standards by all covered entities, while allowing each covered entity to devise its strategy to protect privacy information.

SUPPORT FOR PRIVACY PROTECTION IS WIDESPREAD. WHILE MOST CONCERNS FOCUSED ON CERTAIN KEY PROVISIONS

In reviewing the comments submitted by 40 selected stakeholders representing diverse affected constituencies in the medical privacy debate, we found widespread support for the goal of protecting individually identifiable health information from misuse. For this group, the issue is not whether to protect medical records privacy but what is the best approach for achieving it. Their comments indicated much implied agreement and several areas of explicit disagreement with the proposed regulation.

There were many sections of the rule that elicited little reaction-- suggesting a relative lack of controversy-- although other groups not included in our review could well take a different position. Areas of the rule attracting the least concern (four or fewer groups) included fairly specialized sections (such as application to military services) as well as sections of potentially broader impact (such as treatment of minors and disclosures in emergency circumstances). Fewer than 10 of the 40 stakeholders had anything to say about how the regulation addressed such issues as designation of a privacy official, disclosures for banking and payment processes, and disclosures for public health activities. A somewhat larger group (10 to 15 organizations) commented on the sections covering health oversight activities, enforcement, and compliance, and on the lengthy policies and procedures section.

Only 14 sections were commented on by at least half (20) of the stakeholders in our group, with six sections drawing the greatest attention. (See table 2.) These were provisions that would (l) preempt state laws that are in conflict with the rule and provide less stringent privacy protections; (2) allow standing authorization for disclosures for treatment, payment, or health care operations; (3) restrict the mount of information used and disclosed to the "minimum necessary"; (4) identify the entities and types of health information covered by the rule; (5) specify procedures for individual authorizations where they are still required; and (6) set provisions for business partner contracts to ensure that disclosed information remains confidential.

Table 2: Topics of Chief Concern to 40 Selected Stakeholders

Section of proposed privacy regulations Number of organizations addressing section in their comments Relationship to state laws 34 Disclosure for treatment, payment, and health 34 care operations "Minimum necessary" disclosure 34 Covered information and covered entities 34 Disclosure requiring individual authorization 32 Business panner agreements 31 Removal of identifying information 25 Right to request restrictions 25 Accounting for disclosures of information 24 Disclosure for research 23 Written notice of information practices 23 Inspection and copying of records 23 Amendment and correction of records 21 Disclosure for law enforcement 20

Six sections generating comments by the most stakeholders are distinguished by the breadth of interest across the 40 organizations included in our review. With one exception, they drew comments from all or nearly all of the groups in six or seven of the eight stakeholder categories. 5 By contrast, the remaining sections in table 2 engaged the interest of some stakeholder categories more than others. The section on protecting privacy by removing identifying information drew extensive comments from four of the eight categories of stakeholders. None of the other sections listed in table 2 attracted this level of interest in more than three of the eight stakeholder categories. For example, extensive comments on disclosures for research purposes were limited to research and pharmaceutical groups plus health care clearinghouses and providers. Patient advocates, government entities, and health care providers were most active in providing comments for the section on law enforcement.

COMMENTS ON MOST CONTROVERSIAL SECTIONS INDICATED DISAGREEMENT ON SCOPE AND FEASIBILITY In summarizing the content of the comments, we focused on the six sections of the proposed rule that attracted the most comments from all types of stakeholders. As noted above, of the more than 50 sections of the proposed regulation, only these six drew comments from at least three-quarters of the stakeholders we examined. The positions taken on these controversial sections addressed fundamental issues such as the scope of protected information and the responsibilities of different groups to safeguard that information, as well as the consequences of those decisions on the costs and burdens imposed by the rule.

Preemption of State Laws

Thirty-four of the 40 stakeholders addressed the provision that the rule would serve as a federal floor of protection rather than preempting all state laws. The proposed rule will not preempt current or future state laws if they are "more stringent than" the regulation. 6 States may apply to the Secretary of Health and Human Services for waivers from federal preemption; the regulation sets out applicable categories of exceptions. The Secretary may also issue advisory opinions--at the request of a state or on her own initiative--as to whether a provision of state law constitutes an exception because it is more stringent than the regulation.

The overriding comment, made by more than half of those remarking on this section, was that the federal rule should preempt state laws and regulations to create a single, national standard for handling health information. This position was made by all of the health plans, health care clearinghouses, and employers whose comments we reviewed. Recognizing that HIPAA does not allow HHS regulations to supersede state laws that provide greater privacy protections, several of these organizations called for congressional action to overcome this legislative restriction on HHS.

In contrast, eight other groups, including patient advocates, state government representatives, and providers, indicated support for partial federal preemption as provided in the proposed rule. They argued that it is appropriate to establish a federal floor so that rights already granted by state legislatures are not revoked and that states remain free to address future privacy concerns. Some comments focused on the value of applying the strongest privacy policy, whether it derived from federal or state law. Others particularly favored the state role in this area, with some asserting that certain additional categories of state laws should always take precedence over the proposed rule.

Many of the organizations criticized the provision for partial federal preemption of state law as overly burdensome or excessively costly to implement. In particular, they asserted that substantial expense would be incurred in reviewing state laws and determining whether a state law or the proposed rule is applicable in any given situation. The Blue Cross Blue Shield Association noted that "covered entities will be unable to navigate the labyrinth of state privacy laws under the complex construct of the HIPAA regulatory model."

Several stakeholders also complained that the language in the proposed regulation was vague and confusing. One issue mentioned was how to define a stronger protection in state law. As the Healthcare Leadership Council put it, "many state laws are enacted as part of a complete initiative, where some provisions are less protective because others are more protective." This argument was amplified in calls for the regulation to further clarify the statutory terms "provision," "state law," "contrary," "relates to," and "more stringent." Some stakeholders specifically asked the Secretary to issue state-by-state preemption guidance so that covered entities could avoid making potentially erroneous preemption decisions.

The lack of preemption guidance was of particular concern to health plans and providers, given that the regulation allows only states to ask for exceptions to preemption and preemption advisory opinions. Several stakeholders suggested that HHS should be required to respond to requests for advisory opinions and exception determinations in a timely manner. Timely publication or public notice of these opinions and determinations was also cited as important. Became HHS may not be able to handle the volume of exception determination requests, both the National Association of Insurance Commissioners and the National Conference of State Legislatures requested that state law be presumed to qualify for exception from preemption until HHS makes a determination to the contrary.

Covered Information and Covered Entities

The applicability section of the regulation specifies which entities are covered and which information is protected. Because HIPAA provides that the regulation applies only to health plans, health care clearinghouses, and any health care providers that transmit health information in electronic form, HHS does not have the authority to apply these standards directly to any other entities,s The rule applies only to "protected health information," defined as identifiable information that is electronically maintained or transmitted by a covered entity, and such information in any other form.

Nearly half of all the groups commenting on this section made the same point: the rule also should protect health information in paper records that had not been maintained or transmitted electronically. At least one organization in almost every category mentioned a need to extend the scope of the rule to all individually identifiable health information, including purely paper records. These organizations generally believe that this distinction is not only less protective of privacy but also unworkable. In contrast, several commenters want a definition of protected health information that excludes pure paper records. Some of these groups suggested that HHS' authority only extends to the electronic transmission of information, not to the information's form before or after the transmission. A few stakeholders asserted that HHS' authority over health information does not extend beyond the nine standard HIPAA transactions.9

Although many groups contended that all information regarding a patient that is maintained by a covered entity should be subject to the rule, almost as many commenters asserted that the health information definitions under the rule should not be construed broadly. For the most part, these latter stakeholders, primarily research groups, clearinghouses, and health plans, were concerned that broad definitions have the potential to impede the delivery and quality of health care. BlueCross BlueShield, for example, suggested that protected information exclude all information that does not relate to an actual medical record, asserting that "applying prescriptive rules to information that health plans hold will not only delay processing of claims and coverage decisions, but ultimately affect the quality and cost of care for health care consumers.

"

On the other hand, nine commenters suggested that HHS expand the scope of the regulations to cover more of the entities that use, disclose, generate, maintain, or receive protected health information, however defined. For example, the Workgroup on Electronic Data Interchange wrote that all entities involved in electronic exchange of individually identifiable health information should be included in the rule as health care clearinghouses. Some respondents specifically remarked that the definition of "health plan" needed to be broadened so that the same rules apply to other types of insurers, such as life, disability, workers' compensation, automobile, and property-casualty insurers. According to the National Association of Insurance Commissioners, in creating their Health Information Privacy Model Act, they concluded it was "illogical to apply one set of rules to health insurance carriers but different rules, or no rules, to other carriers that were using the same type of information." However, the Health Insurance Association of America commented that health plans should not include long-term care, disability, or dental insurance because applying the rule to these products may exceed the scope of the Secretary's authorization under HIPAA.

Providers and patient rights advocates mentioned several other individuals and organizations they believe should be covered by the rule, including employers, public health officials, marketing firms, and researchers. The American Medical Association contended that such secondary users are the ones who are most likely to wrongfully disclose and misuse protected health information. In contrast, a significant number of plans, employers, and research and pharmaceutical groups thought the covered entity definitions needed to be narrowed so that certain individuals and organizations---which could include these commenters or affiliates of these commenters--- would not be subject to the rule. These commenters were generally concerned that the covered entity definitions, if broadly construed, could place unnecessary burdens and costs on their activities. For example, three of these stakeholders opposed a covered entity definition that would include biotechnology companies or manufacturers that provide product support services, conduct patient assistance programs, or conduct postmarket surveillance. According to Genentech, Inc., "Congress did not intend that we or any other biotechnology company whose mission is discovering and marketing new drugs would be a 'covered entity' under (HIPAA)."

Finally, the term "entity" was found to be somewhat ambiguous, with some advocacy groups asking how the general rule would apply to "mixed" organizations. This is an important issue because protected health information can flow between the health component and the nonhealth component of such organizations. Several stakeholders proposed that even if an organization is not a covered entity, components within the organization that fit the definition of a covered entity should be subject to the regulations. Examples provided by the AFL-CIO and the American Civil Liberties Union included on-site health clinics operated by an employer, and a school nurse who is employed by or under contract with a school or school system.

Business Partner Contracts

Because HIPAA authorized HHS to regulate the practices of only three entities--health plans, health care providers, and health care clearinghouses--HHS developed the concept of "business partners" as a way of providing privacy protection to identifiable information obtained by other organizations in the course of performing business functions on behalf of covered entities. Support for this provision focused on its perceived necessity--otherwise much identifiable health information would have limited privacy protection--while criticism highlighted the burden of negotiating and administering thousands of different contracts.

The business partner concept generated vociferous opposition from many of the organizations commenting on the proposed rule. Eight groups including health plans and employers as well as physicians urged that HHS drop this approach altogether. Two patient rights groups plus the National Association of Attorneys General expressed support for the business partner section as written in the proposed rule.

Many of the stakeholders opposed to this provision argued that it would result in a vast number of contractual relationships that would be both costly and burdensome to implement. The Joint Commission for the Accreditation of Healthcare Organizations, for example, estimated that it would have to enter into approximately 20,000 separate contracts if it was forced to operate as a business partner in accrediting health care providers. Several commenters also maintained that the Secretary of Health and Human Services lacks the authority to indirectly extend the scope of privacy protections beyond the covered entities designated in HIPAA.

Over half of the commenters provided suggestions intended to make the application to business partners less onerous. The single most frequent recommendation, endorsed by 12 of the 31 groups commenting on this section of the proposed rule, would exempt covered entities from the definition of "business partner." The logic underlying this suggestion is that any group that was a covered entity was already obligated to protect the privacy of identifiable health information, making business partner contracts between covered entities unnecessary. Similarly, the Joint Commission and the National Committee on Quality Assurance argued that accrediting organizations such as themselves act as health oversight agencies on behalf of government programs and therefore should not be treated as business partners.

A second major area of concern among stakeholders commenting on this section involved the degree to which covered entities would be expected to monitor the compliance of their business partners with their contractual obligations. Some sought to weaken the language of the proposed role, which would hold the covered entities responsible when they "knew or reasonably should have known" about privacy violations committed by their business partners and failed to act. Eleven organizations including health plans, employers, and providers supported the view that covered entities should not be responsible for the actions of their business partners at all, or at most just for those violations that they actually knew about. By contrast, the National Association of Attorneys General specifically endorsed the idea that covered entities should routinely monitor the compliance of their business partners.

Finally, there was widespread opposition among six of the eight stakeholder categories to the requirement in the proposed rule that business partner contracts include a provision stating that the individuals whose identifiable information was disclosed were "third party beneficiaries of the contract." This was generally presumed to provide individuals whose privacy was violated in some way a basis for a "private right of action," allowing them to file a lawsuit. Such recourse is not provided in HIPAA directly, and 18 different commenters took exception to this apparent effort to achieve that goal through business partner contracts.

Standing Authorization for Disclosures for Treatment, Payment, and Health Care Operations

A central element of the proposed rule is to move away from requiring patients to consent to sharing their identifiable health information in order to have their health care services paid by a third party. Instead, the rule would grant standing authority to health plans, health care providers, and health care clearinghouses to share this information as they perform their routine tasks in administering health care services. In fact, the rule would prohibit covered entities from requesting such authorization unless it was required by state or other applicable law. Many of the commenters endorsed this shift to standing authorization for such routine administrative purposes, including organizations representing providers, accrediting agencies, researchers, and health plans. Fourteen groups agreed that providers and health plans should be allowed to obtain patient consent for these purposes. They found the process of obtaining consent was useful for maintaining trust and keeping patients informed even if it was not legally required.

The main controversies involving this section concern the scope of activities encompassed by the terms "treatment," "payment," and "health care operations." Several patient fights and provider groups felt that these terms were defined too broadly. For example, the Georgetown University Health Privacy Project requested that the definitions of treatment and payment be narrowly construed as applying only to the individual who is the subject of the information. The Health Privacy Project and others also argued that many health care administrative tasks could be performed without using identifiable health data. There was also a general wariness of administrative activities that could serve other purposes, such as marketing.

By contrast, most health plans and employers pressed HHS to expand its definition of treatment, payment, and health care operations so as to explicitly include such activities as disease and risk management, health promotion, quality improvement and outcomes evaluation, cost- effectiveness reviews, and integrated health and disability programs. Many insurers wanted explicit inclusion of underwriting and fraud prevention and investigation. Several commenters maintained that efforts to improve quality of care and promote innovation in health care could suffer if the definition of health care operations means that providers and health plans could not readily take advantage of the identifiable health data needed for these initiatives.

Some argued that HHS should not even attempt to enumerate the tasks encompassed by treatment, payment, and health care operations because such tasks were both highly varied and prone to change over time as innovations in health care delivery occurred. "Every time we speak with our members regarding this regulation," noted the American Hospital Association, "we discover another unanticipated, but legitimate, use of information. We cannot foresee all possible legitimate and necessary uses of information any better than HHS staff." Some commenters recommended, as an alternative to an exhaustive list, a more general authorization to share data reasonably related to treatment, payment, and health care operations.

Minimum Necessary Information

HHS proposed that covered entities be prohibited from using or disclosing more than the minimum amount of protected information necessary to accomplish the intended purpose of the disclosure (taking into consideration practical and technological limitations and costs). With certain exceptions, covered entities would be required to take steps to limit the amount of information disclosed from a record to the information needed by the recipient for a specific purpose.

Thirty-four of the 40 selected organizations commented on this topic, and 13 of them-representing every category of stakeholder--indicated support for the provision as written or with modifications. Healtheon/WebMD was particularly supportive, saying the requirement "will encourage better system design, attention to access controls, and more thoughtful transmission of data with a resultant improvement in privacy protection."

Another nine commenters, including providers, research organizations, and health plans, called for substantial modification of the standard, or that it be deleted from the rule entirely. These stakeholders generally believed that the "minimum necessary" standard is unworkable in its current form. Moreover, six groups, mostly those associated with employers and health plans, found the provision excessively burdensome or costly to implement.

The comment most often made on this section was that the exclusion of important clinical information could adversely affect patient care. Concerned that the standard would hinder the free flow of critical medical information, letters from several stakeholders suggested that the minimum necessary requirement not be applied to disclosures related to treatment. As the American Hospital Association put it, "what may appear unnecessary from the lab technician's or nurse's perspective may be essential for the physician's diagnosis of the patient's condition. This subjective standard could encourage practitioners in hospitals to withhold information hundreds and thousands of times daily that could be essential for later care."

Various groups wrote that the limited exceptions to the standard be broadened. For example, the Association of American Medical Colleges believed disclosures for education should be excluded from the requirement. The Department of Justice and the National Association of Attorneys General asserted that the minimum necessary rule should not apply to disclosures to health oversight agencies and law enforcement agencies, or to disclosures needed to process applications for government benefit programs. The American Council of Life Insurers stated that the standard should not apply to insurers requesting protected information for underwriting applications or evaluating claims.

Several other groups held a contrary position: the minimum necessary provision should apply to all or most uses and disclosures of individually identifiable health information, including those for law enforcement, research, and health oversight purposes. These stakeholders believed that the exceptions in the regulation are too broad. For example, the Health Privacy Project and the American Civil Liberties Union wanted the standard to apply even when an individual requests the covered entity to disclose his or her own records. 11 Similarly, Healtheon/WebMD thought the minimum necessary standard should apply to all uses and disclosures permitted under the regulation, including those required by law.12

A significant number of commenters suggested that HHS create a clear definition of the term "minimum necessary." Several found the standard ambiguous and were uncertain how the requirement that only the "minimum amount of protected health information necessary" be used or disclosed should be applied. Guidance from HHS was requested by some stakeholders regarding how to make minimum necessary determinations. A few stakeholders are particularly concerned about how these provisions apply to protected health information transmitted to health plans and employers. Quintiles Transnational wrote that "the definition of minimum necessary' is highly subjective and no bright line test or guidance is in the regulation as to how this requirement can be met." Merck-Medco Managed Care expressed concern that organizations would be put in "a position where HHS makes an after-the-fact decision on whether (the organization's determination) on the mount of information to disclose was appropriate."

Stakeholders noted that because information requests are often vague and do not specifically contain the intended use of the information, covered entities may have difficulty determining which health information is appropriate to release. Nine commenters suggested that covered entities be allowed to apply general guidelines rather than make individual determinations. Researchers in particular believed a "good faith" guideline should be applied in enforcing the standard. This is because, as elaborated on by Genentech, "in marked contrast to the reasonableness and 'scalability' discussed in the preamble, the only flexibility in applying this standard is prosecutorial discretion."

Several other stakeholders echoed a need for flexibility in the implementation of this standard, particularly for uses and disclosures within a covered entity. For example, the American Medical Informatics Association proposed that "covered entities that use safeguard mechanisms within (computerized patient record) systems should be deemed in compliance with the 'minimum necessary' requirement." The Workgroup on Electronic Data Interchange wrote that covered entities should be "free to implement (the standard) as they see best" and "would need only to 'reasonably determine' the minimum necessary data to share within a covered entity."

Another approach to addressing the implementation problem, offered by several stakeholders across the spectrum, was to require that the person requesting the information make a "minimum necessary demand." Patient advocacy groups noted that this would be appropriate when the disclosing covered entity does not have the ability to determine the minimum amount necessary. As stated by the Medical Group Management Association, "it is likely that the entity requesting information for a particular purpose is in a better position to make the minimum necessary determination."

Individual Authorizations

Traditionally, uses and disclosures of identifiable health information were supposed to take place only with the authorization of the individual involved. However, such authorizations frequently took the form of a "blanket authorization" that the patient had to sign in order to obtain access to and payment for treatment. The proposed rule would fundamentally alter that approach by permitting health plans, health care providers, and health care clearinghouses to share personally identifiable health data without authorization from the patient for purposes of providing and paying for health care services. The rule would give other entities access to such information without individual authorization for specific purposes related to "key national health care priorities." These activities include public health activities, health care oversight, and maintenance of governmental health data systems. Comparable access would also be granted to promote several additional nonhealth-related priorities, such as banking, law enforcement, and judicial and administrative processes.

For every other purpose, the proposed rule mandates individual authorizations that conform with strict procedural requirements. These other purposes represent, for the most part, nonhealthrelated activities, such as marketing and fundraising.

In addition, the rule specifies that psychotherapy notes should not be disclosed without authorization in the course of routinely administering health care delivery and reimbursement (though they are not shielded from disclosure without authorization for any of the national priority purposes). The prohibition on disclosure without authorization would also apply for "research information unrelated to treatment," which the rule defines as information developed in the course of conducting research that does not have validity or utility for purposes of providing treatment, given existing scientific evidence.

There were widely scattered comments on various aspects of these procedural requirements. Among those receiving the widest support was the provision that health plans and providers should not be able to refuse treatment or payment because a patient had declined to authorize disclosure of their identifiable health information for other purposes. However, BlueCross BlueShield requested that health plans be allowed to condition enrollment on the provision of individual authorization for disclosure of psychotherapy notes. There was also support among patient rights groups, physicians, and state attorneys general for preventing uses and disclosures beyond those authorized by the individual.

Other comments had more to do with defining the types of health data for which individual authorization would be required. Nine commenters found the rule's definition of research information unrelated to treatment" vague or ambiguous, and six recommended that HHS drop this separate category of health data altogether. These commenters were primarily health plans, employers, or groups representing medical researchers. According to the Biotechnology Industry Organization, "providers anticipate daily struggles in deciding whether information resulting from participation in a research protocol should be included in a patient's medical record (in case such information becomes critical to a patient's treatment at a later date) or whether such information should be excluded from the medical record to avoid civil and criminal penalties." This statement was typical of the concern expressed by these groups toward this special category of identifiable health information.

In contrast, two patient advocacy groups sought to ensure that once information was classified as "research information unrelated to treatment" it could not be reclassified at a later date. In addition, privacy advocacy groups sought stronger protection for "psychotherapy notes," while comments from a few health plans sought to limit the special treatment that the rule would afford this category of identifiable health information.

A related topic of widespread interest was disclosure of protected health information for "marketing" purposes. Several stakeholders called on the Secretary to define this term. Three health plans and four other stakeholders did not support requiring authorization for health-related activities, even if they had a business connection, such as reminders to refill prescriptions. On the other hand, the National Association of Attorneys General would prohibit all disclosures for marketing even with individual authorization.

Several commenters expressed a comparable concern about disclosures for employment purposes. The AFL-CIO wrote that employees should be clearly informed that they have the right to refuse to authorize disclosures without penalty. A similar concern, expressed by three patient rights groups, was that employers not have the right, without the authorization of the individual involved, to share identifiable health information between divisions within the organization that functioned as health plans or providers and the rest of the company. However, two employer groups and one health plan said that sharing of identifiable information within a covered entity without authorization should be allowed.

Finally, some of the patient advocacy groups recommended that the rule extend heightened protection for another category of health data. For example, the Bazelon Center for Mental Health Law took the position that "the rule should create a special category of highly sensitive medical information provided higher levels of privacy protection, e.g. HIV status and mental illness." However, other stakeholders said there should be no special treatment for different illnesses or categories of health information. For example, the American Health Information Management Association believed that such segregation "ultimately would be more dangerous than beneficial."

SOME MODIFICATIONS MAY REQUIRE ACTION BY THE CONGRESS

In its preamble to the rule, HHS explicitly noted that HIPAA set limits on its authority to apply privacy protections comprehensively and uniformly. Many commenters cited a need for the Congress to act if personal health information is to be subject to the same standards regardless of how it is stored (exempting purely paper records) or where the individual resides (excepting more stringent state laws). Still, stakeholders often disagreed on the steps the Congress should take to make the proposed regulation optimal or workable.

The most frequent suggestion was that the Congress enact a uniform federal medical records privacy law that would preempt all state laws. Three employers and three health plans stressed the need to eliminate any variation in standards, but no patient rights groups or government stakeholders offered this suggestion. One clearinghouse said that it strongly believes that "federal health information standards must preempt the patchwork of inconsistent State requirements if they are to provide real assurances of privacy to individuals at a time when health care is increasingly an inter-State enterprise."

Many stakeholders also called for legislative modification to the "applicability" section of the regulation. Some proposed that the Congress extend HHS' authority to cover all identifiable health information, regardless of whether it had ever been electronically stored or transmitted, even though HHS declared in the proposed rule that under current law it could have chosen to do so. A substantially larger group of commenters from across the spectrum of stakeholder categories advocated legislative changes to extend coverage under the rule to all types of entities that use or disclose identifiable health information. Perhaps anticipating this argument, the American Hospital Association wrote that "the reason Congress limited the applicability of the Secretary's regulations to these (nine) transactions is that: (1) the public was concerned about inappropriate disclosures between payers and providers, and (2) these were the transactions made more administratively efficient by HIPAA, which may heighten those concerns .... (The Secretary's) broad interpretation of statutory intent is the 'Achilles heel' of this regulation."

A need for congressional action was also cited in comments on various other sections of the regulation, primarily to limit secondary uses or disclosures of identifiable health information. A number of stakeholders asked for comprehensive privacy legislation to cover other areas as well as health. Regarding enforcement, three stakeholders stated that the Congress should establish a private right of action for individuals to enforce their rights under the privacy rules. A patient advocacy group went further in asking for the Congress to recognize a patient's ownership of his or her medical records. Some stakeholders explicitly noted that only legislation could enable the Secretary to directly regulate noncovered health researchers.

CONCLUDING OBSERVATIONS

The comments that we reviewed from major organizations--- resenting many of the entities that will have to implement the policies adopted--reflected two overriding themes. The first is a widespread acknowledgement, despite the organizations' diverse perspectives, of the importance of protecting the privacy of medical records. While the groups may vary in their assessment of the best way to achieve that goal, none challenged its fundamental value. Second, fundamental differences among the groups' positions reflect the conflicts that sometimes arise between privacy and other objectives. Different groups with varying constituencies tended to emphasize different competing goals. As HHS considers the comments in formulating the final rule, it will have to make its own judgments regarding both the relative priority to give to other objectives and the merit of differing views on the feasibility of alternative approaches for protecting medical privacy. These judgments will occur within the context of what the law currently permits and requires, unless the Congress decides to change the statutory framework established by HIPAA and related federal legislation.

Mr. Chairman and Members of the Committee, this concludes my prepared statement.

I will be happy to answer any questions you may have.

FOOTNOTES:

1 HIPAA required the Secretary of Health and Human Services to submit recommendations to the Congress on privacy standards for individually identifiable health information addressing at least the following: (1) rights of the individual who is the subject of the information, (2) procedures for exercising such rights, and (3) authorized and required uses and disclosures of such information.

2. 64 Fed. Reg. 59,918. (Hereafter, "proposed rule" or "proposed regulations.") The proposed rule can be accessed at http://aspe.hhs.gov/adminsimp

3 Also referred to as "stakeholders" or "commenters."

4 HHS did this, in part, to comply with the Regulatory Flexibility Act, which requires among other things that agencies take and document steps to minimize the significant economic impact of their proposed rules on small entities. In its initial regulatory flexibility analysis, HHS stated that its guiding principle concerning how to address the burden on small entities has been to make the provisions scalable.

5 Stakeholders fell into the following categories: patient advocates, health care providers, standards and accrediting organizations, govemmental entities, health care clearinghouses, employers, health plans, and research and pharmaceutical groups.

6 The proposed role would not preempt several categories of state laws, including those relating to reporting of disease, injury, or child abuse; birth and death reporting; public health investigation and reporting; and laws designed to prevent fraud and abuse.

7 Specifically cited were state public safety laws; psychotherapist/patient privilege and "duty to warn" case law and statutes; state laws providing exceptions to inspection/copying requirements; access privilege laws protecting attorney-client communications and quality assurance, medical appeals, peer review, credentialing, and corporate compliance activities; and state regulatory functions not specifically listed (market conduct examinations, enforcement investigations, and consumer complaint handling).

8 To cover many of the persons who obtain identifiable health information from covered entities, the regulation's "business partners" provision requires that covered entities apply privacy protections to entities with whom they contract for administrative and other services. See "Requiring Safeguards by Business Partners" on p. 5.

9 See P.L. 104-191, sec. 1173(a)(2). These transactions are those with respect to (1) health claims or equivalent encounter information, (2) health claims attachments, (3) enrollment and disenrollment in a health plan, (4) eligibility for a health plan, (5) health care payment and remittance advice, (6) health plan premium payments, (7) first report of injury, (8) health claim sums, and (9) referral certification and authorization.

10 The Health Privacy Project claimed that many people "would be mortified to learn that their health information was being reviewed for the treatment of others-particularly people they know."

11 Excepted at sec. 164.506(b)(1)(i). 12 Excepted at sec. 64.506(b)(1)(ii).

END

LOAD-DATE: April 28, 2000




Previous Document Document 15 of 45. Next Document


FOCUS

Search Terms: health information privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
   
About LEXIS-NEXIS® Congressional Universe Terms and Conditions Top of Page
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.