Skip banner
HomeHow Do I?Site MapHelp
Return To Search FormFOCUS
Search Terms: medical w/5 information w/5 privacy, House or Senate or Joint

Document ListExpanded ListKWICFULL format currently displayed

Previous Document Document 121 of 124. Next Document

More Like This
Copyright 1999 Federal News Service, Inc.  
Federal News Service

FEBRUARY 24, 1999, WEDNESDAY

SECTION: CAPITOL HILL HEARING

LENGTH: 18035 words

HEADLINE: HEARING OF THE SENATE HEALTH,EDUCATION,LABOR & PENSIONS COMMITTEE
SUBJECT: PROTECTING MEDICAL RECORDS PRIVACY
CHAIRED BY:
SENATOR JIM JEFFORDS (R-VT)


WITNESSES:
GARY ELLIS, DIRECTOR, OFFICE OF PROTECTION FROM RESEARCH RISKS,
NATIONAL INSTITUTES OF HEALTH
BERNICE STEINHARDT, DIRECTOR, HEALTH SERVICES QUALITY AND PUBLIC
HEALTH ISSUES, GENERAL ACCOUNTING OFFICE
BRENT C. JAMES, EXECUTIVE DIRECOTR, INSTITUTE FOR HEALTH CARE DELIVERY
RESEARCH, INTERNATIONAL HEALTH CARE
430 DIRKSEN SENATE OFFICE BUILDING
WASHINGTON, DC
9:30 AM FEBRUARY 24, 1999

BODY:
SEN. JEFFORDS: The Committee on Health, Education, Labor and Pensions will come to order. Today is the Health and Education Committee's first hearing of the 106th Congress on the subject of medical records privacy. This hearing is a part of our committee's ongoing process to address one of the most pressing issues facing our health care system. During the 105th Congress the committee held four hearings on the privacy of medical records and genetic information, and how this issue affects health care providers, payers and consumers. Today, we will be examining the relationship between scientific research and the privacy of protected health information.
On the eve of the 21st century we find that medical technology in America has grown by leaps and bounds. In the last few decades technology advances have increased the quality of the collection and the administration of medical information. Many of these technological changes contribute to better and more efficient health care. Information technology also allows physicians and other providers to share valuable information where no means of communications previously existed.
The new wealth of information and the ease at which it can be obtained has opened many doors to researchers. With vast new resources America's world renowned research capabilities are expanding, and we have come to enjoy more breakthroughs and lifesaving medical advances. The improved access to this information does not come without risks. We, the consumers, often don't know with any certainty who has access to our private records. The establishment of large computer databases, some with millions of patient records, has not only allowed for new medical research, but has increased the potential for misuse of private medical information.
Under the current regulations provided by the federal policy for the protection of human subjects, 1991, known as the common rule, research that is federally funded or regulated through specific federal agencies must be reviewed by an institutional review board for the purpose of insuring adequate protection of subjects against risk, and assurance of informed consent.
Last summer, in response to questions surrounding confidentiality protections in research settings, my colleague, Senator Dodd and I, requested a GAO report entitled, "Medical Records Privacy, Access Needed for Health Research but Oversight of Private Protections is Limited." That's what today's hearing will focus on.
I hope that this report will be an important resource as Congress considers proposals to insure the confidentiality of medical records. The report addresses the following questions. How well do institutional review boards insure the confidentiality of protected health information? Two, to what extent is health research conducted that is not subject to the federal policy for the protection of human subjects? And three, to what extent do health researchers who conduct research not subjected to federal protection establish and maintain safeguards for health information? And four, what is needed for personally identifiable information in various research settings.
Early next month I will join with my good friend, Senator Dodd, in reintroducing a revised version of S 1921, the Health Care Personal Information Non-Disclosure Act of 1998, the Health Care PIN Act. This legislation will establish necessary national standards to protect the confidentiality of each American's medical records. The hearing will follow the committee's usual format. Each of the witnesses will speak for five minutes, though I'll give GAO a little bit longer, as I am sure they have more important things to say than you do in five minutes, but anyway, and each member will have up to five minutes per round for questioning. The hearing record will remain open for two weeks and any written statements and questions for the record should be submitted within that time frame.
Let me say that we have votes starting at 9:45, so it's my intention that we will probably continue here until the last possible moment, around 9:55 or so, and come back. So, with that, I would - Senator Kennedy.
SEN. EDWARD M. KENNEDY (D-MA): Thank you very much, Mr. Chairman. I'd put my whole statement in the record.
As you suggest, this committee has been enormously interested in the protections of human subjects. We had extensive hearings in the early 1970s, with the sterilization of the (Ralph ?) girls, the deproprevera abuses that took places in Tennessee. We did the hearings, the initial hearings on the syphilis studies that were taking place in the southern part of our country, and we developed legislation in 1974 for the protection of human subjects that worked very well, until 1980, then it got caught up in the politics of the issues on abortion, and the make-up of the board then became completely politicized and that effectively ended what had been an enormously successful panel of ethicists and others who issued their recommendations in the Federal Register. That's all they did. And virtually all the various agencies of government accepted them without really a difference. It was one of the really significant - important - without any regulatory requirements, because of really the thoughtfulness that it went through.
We've had other FDNIH boards that have been established to try and sort of be - review some of these matters. But what we have seen is this growth of research that has taken place in the private sector. And what we've also seen is the mix in terms of the exchange of various medical records, which has now, in many respects, we get more protection from Blockbuster movies than we do protecting our medical records. People know this and it's having an enormously dampening effect in terms of the willingness of people to involve themselves in very important research, very important, that can be life saving in many kind of instances.
So, this subject matter, although it can look like it's talking about issues of confidentiality, can talk about issues of privacy, is of life saving importance to millions of our citizens and we want to try and get it right, and there are a number of different approaches that have been introduced. Our colleagues and friends, Senator Jeffords, Senator Dodd have approached - Senator Leahy and I - an approach which is basically going to try and establish a floor in the various states, because states moving in trying to provide different kinds of protections. And then, we have the industry who wants preemption in terms of all the states, but they have one common kind of rule that they can sort of deal with in all of this.
So, these issues - we will be dealing with a lot of important items in the course of this session of Congress, with Medicare and Social Security, but this one here is of enormous importance and incredible significance and we really want to try and get it right. And as always, our colleagues, Senator Jeffords, Senator Dodd have provided important leadership in getting our GAO to try and review these matters and make them available to them, will be very valuable to us in the Congress to have a chance to review them with you and then to be calling on you as we develop this legislation. We very much appreciate your being here this morning and we look forward to your testimony. I thank you.
SEN. JEFFORDS: Senator Kennedy and I are trying to see who can sound the worst in our post-impeachment relapses.
(Laughter)
He wins this morning's contest.
Senator Reed, pleased to have you with us.
SEN. JACK REED (D-RI): Mr. Chairman, I have a fine voice this morning. I kept quiet during the impeachment. But this is a very important topic which touches upon our ability to conduct research successfully and also to protect the privacy of American citizens. So, I applaud your efforts and I know we'll be engaged, and the clock is ticking too, because if we don't move aggressively this, the next few months, we might be usurped by the Secretary of HHS.
I hope we can move quickly and I would reserve any other time to later in questioning. I thank you, Mr. Chairman.
SEN. JEFFORDS: Thank you.
We shall be hearing from two distinguished panels of witnesses this morning.

Our first witness this morning is Dr. Gary Ellis, is the director of the Office of Protection from Research Risks, OPRR at the National Institutes of Health, NIH. His office has primary responsibility within HHS for developing and implementing policy, procedures and regulations to insure the protection of human beings involved in research. In addition, Dr. Ellis chairs the interagency Human Subjects Research Committee, which coordinates implementation of the federal policy for protection of human subjects, the common rule.
Dr. Ellis has a strong background in experimental research, which includes a Ph.D. in biological sciences, and three years of post doctoral research training. Dr. Ellis, we are pleased to have you with us this morning, and please proceed.
MR. ELLIS: Thank you, Mr. Chairman.
SEN. JEFFORDS: Let me, again, since Senator Reed is here, we are going to go until about 9:55 and go over, we'll have two votes, and then come back after that.
Please proceed.
MR. ELLIS: Thank you.
My name is Gary Ellis, I am the director of the Office for Protection from Research Risks, the NIH office that implements the Department of Health and Human Services regulations for protection of human subjects. I also chair the interagency Human Subjects Coordinating Committee.
With the General Accounting Office delivering its report this morning on medical records privacy, I am pleased to appear before the committee to describe the federal system of protection of human research subjects, referenced in the GAO report. This year, as Senator Kennedy indicated, marks the 25th anniversary of the formal promulgation in 1974 of the Department of Health and Human Services regulations for protection of human subjects research, and enactment of the National Research Act. In 1991, the core HHS regulations on informed consent and institutional review boards were formally adopted by more than a dozen other departments and agencies that conduct or fund research involving human subjects, as the so-called common rule. Today that 1991 federal policy is shared by 17 departments and agencies representing most but not all of the federal departments and agencies sponsoring human subjects research.
In addition, certain federally-sponsored and much privately- sponsored research is subject to the regulations of the Food and Drug Administration. FDA regulations and the provisions of the common rule are largely congruent with some differences.
While the common rule defines research as a systematic investigation designed to develop or contribute to generalizable knowledge, the common rule defines human subjects as a living individual about to -- an investigator conducting research obtains data through intervention or interaction with the individual, or identifiable private information. Private information includes a medical record.
What human subject research applies beyond the protections of the common rule and FDA regulations? There can be no definitive answer as the bounds of this domain are unknown, frankly, and there is no systematic collection of such data by anyone.
Now, through allegations reported to OPRR, the office is aware of instances of human subject research not (safeguarded ?) by the common rule or FDA regulations. OPRR has identified human subject research conducted in the absence of federal protection at some universities not receiving federal research funds, some envitro fertilization clinics, some weight loss or diet clinics, some physician offices, dentist offices, or psychotherapist offices, some corporate health safety and fitness programs, and some tests.
At this point time doesn't permit me to describe the allegations in detail, but let me say, though, that once OPRR determines that it has no authority or jurisdictions or is unable to pursue such matters as human subject research.
Recognizing the substantial volume of research that lies beyond federal regulations, OPRR has worked with several hundred institutions receive HHS research dollars, to broaden human subject protection. At present, OPRR holds some 430 formal written pledges that cover more than 700 research institutions in the United States and Canada, which at the Voluntary Election Research Institution, commit all activities at the institution, irrespective of funding source to the HHS human subject regulations. OPRR deeply appreciates the willingness of these institutions to choose this voluntary protective option.
The GAO report this morning on medical records privacy reminds us that breeches of confidentiality of medical records can do serious social harm to individuals. Harms include embarrassment, disruption of family live, loss of employment, loss of insurance coverage. These harms are real harms that cause pain and suffering as with physical injuries. They ruin people's lives. In conducting research using identifiable medical records, social harms must be given as much consideration as physical harm. With regard to privacy, the common rule makes two limited references to privacy and confidentiality. First, the regulations direct institutional review boards to determine that when appropriate there are adequate protections to provide for the privacy of subjects and to maintain the confidentiality of data. IRB responsibilities are of course much broader than just this.
Second, the informed consent process requires a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained.
In summary, our enduring and vigorous federal regulations for protection of human research subjects are designed to prevent physical injury, psychological injury and harm to the dignity of research subjects as biomedical and behavioral scientists pursue new knowledge for the common good. We are always interested in improving the system to make research as safe as it can possibly be.
In the final analysis, research investigators, institutions and we are stewards of a trust agreement with the people who are research subjects, research subjects who are safeguarded by the common rule or FDA regulations. We have in place a system that minimizes the potential for harm, enables and protects individual autonomous choice and promotes the pursuit of new knowledge. By doing so we protect the rights and welfare of our fellow citizens who make a remarkable contribution to the common good by participating in research studies. We owe all subjects, all of them, irrespective of funding source, our best efforts. Thank you.
SEN. JEFFORDS: Well, thank you.
Next I am happy to introduce Ms. Bernice Steinhardt, the director of the Health Services Quality and Public Health Issues Group in the General Accounting Office, GAO. Her group oversees the programs of various agencies including the Food and Drug Administration, FDA; the National Institutes of Health, NIH; the Health Resources and Services Administration; and the Centers for Disease Control and Prevention, CDC.
Before she joined GAO in 1989, Ms. Steinhardt's professional experience encompassed a variety of public policy issues affecting energy, natural resources and science. Her career includes service at the Department of the Interior, where she worked as a special assistant to the assistant secretary for energy and minerals, and at the President's Council on Environmental Quality.
Ms. Steinhardt, thank you for being here and we will be leaving here in about nine minutes, so I am going to give you all nine minutes.
MS. STEINHARDT: Okay. Thank you very much, Mr. Chairman, Senator Kennedy and Senator Reed. We appreciate very much being invited here today to report to you on our study. At your request we explain something about how private organizations are using medical records for research and the kinds of oversight and safeguards they employ to protect the confidentiality of the information.
We surveyed about a dozen organizations including managed care organizations, pharmaceutical, biotech companies, companies with health related information about hundreds of thousands, and in some cases millions of people. We wanted to find out what kinds of research they conduct with medical records, the extent to which they rely on personal identifiers, the extent to which their research is subject to IRB review, and the extent to which they apply internal safeguards to limit access to records.
What did we find?
First, we found that a considerable amount of health research relies on personally identifiable information. Some studies need to identify individual patients in order to link multiple sources of information to answer specific questions, like for example, whether maternity patients benefit from longer hospital stays. Other outcome studies need to be able to track patients over time, to judge, for instance, the long-term effects of various drug therapies.
Many of these organizations use records data for similar types of studies, like evaluating the outcomes of treatment. Some of it is subject to the common rule and some of it is not. And while some of these organizations submit even their non-common rule research to IRB review, others do not. Some managed care organizations, for example, consider some of their research to fall into the category of community improvement studies, rather than research, and they exclude these from IRB review. Others, though, consider these same types of studies to be research and they do send them for IRB review.
Another type of research that does not come under IRB review for some companies is research that uses disease or population-based registry data. Pharmaceutical and biotechnology companies maintain these registries to monitor how a particular population responds to drugs, and to better understand certain diseases. While these companies send their FDA regulated clinical trial research through IRBs, they don't send their registry-based research for review.
Finally, some of the companies we visited don't submit any of their research for IRB review. Pharmacy benefit management companies, PBMs for example, may not receive federal support, nor do they do FDA- regulated research, but they may conduct research to develop and evaluate disease management programs, for example.
It's important to understand, though, that the oversight provided by IRBs give limited attention to patient privacy.

The common rule regulations contain very general directions to IRBs, and IRBs tend to give less attention to privacy protection than to other kinds of physical risks from research. For record safe research, IRBs generally waive requirements to obtain patients' informed consent, and in most cases they do a more limited review of the research.
Setting aside the treatment of privacy, the IRB system on the whole has weaknesses that we want to note. A 1996 report we did pointed out that IRBs faced heavy work loads, competing professional demands, and other kinds of pressures that make it difficult for them to carry out their work. A HHS IG, inspector general report last year reached similar conclusions, that IRBs reviewed too many studies, too quickly, and with too little expertise.
We don't know what the consequences of these limitations are. No one knows how often patient privacy has been breached in research projects, but our report includes several examples of breaches that have been reported to OPRR, to Dr. Ellis' office over the years, and they highlight the potential for problems to occur.
In terms of internal safeguards, we were generally impressed with what we saw at the companies we visited. Most of the companies we visited have written confidentiality policies on access to personally identifiable information, although not all of them did. Companies also told us they use a number of electronic measures like encoding and encryption to mask personally identifiable information, and they use both electronic and physical means to limit access.
So, what did we conclude from all of this?
As I said, we were generally impressed that the companies we surveyed seemed to have reasonable internal safeguards for protecting the data. On the other hand, external oversight of their research is limited and it's not clear that the current system could accommodate more extensive review responsibilities. So, as you contemplate providing IRBs with new responsibilities, we think it's important that you take into account the constraints on the existing system.
With that, I'll conclude my remarks and look forward to your questions.
 
SEN. JEFFORDS: We will defer the questions until we come back. We have a vote now and there will be a vote immediately after.
(Recess for vote)
SEN. JEFFORDS: Thank you for your patience. I think we will be uninterrupted for a while, anyway.
Dr. Ellis, let me start with you. What sanctions are enforced by the Office of Protection from Research Risks when breaches of confidentiality are determined?
DR. ELLIS: The only authority that our office has under HHS regulations is prospective. We have no reach-back authority. There is no punishment. You used the word sanctions. There is no fine, there is no criminal penalty for breaches of privacy and confidentiality in research. The sanction, if you want to use that word, is that in the extreme our office has the authority to lift the formal written agreement that our office has, we call it an assurance, of protecting human subjects at the institutions, and absent that assurance no Health and Human Services research dollars can flow to that institution. That's, if you want to call it, the ultimate death penalty from our office, is lifting the assurance that an institution has for protecting the rights and welfare of human subjects.
SEN. JEFFORDS: Under the common rule, that is under your jurisdiction, what recourse do individuals have if their privacy rights have been abused?
DR. ELLIS: Well, these complaints do come from time to time, and an individual can address the institution, the research institution, go to the institutional review board, go to the institutional official. The individual can come to our office, and again the best we can do to redress the individual's grievance is usually to work with the institution to make sure it doesn't happen again.
SEN. JEFFORDS: Now suppose harm were to come from that breach. Do you know of any other rights they have under law?
DR. ELLIS: I am not an attorney. I am going to assume that they have rights under the torts system to pursue their grievance, but you're beyond my area of expertise.
SEN. JEFFORDS: What would be the effect of extending the common rule to cover research? What would be the impact on the existing IRB system?
DR. ELLIS: If by your question you mean extending the common rule to cover all research, meaning - including the research that it doesn't currently cover, my answer as director of the office that protects the rights and welfare of human subjects is that our fellow citizens who are subjects of unchecked human experimentation - human experimentation that is currently beyond the rule would then have the full protections of institutional review board review and informed consent where appropriate.
SEN. JEFFORDS: What would be the effect of extending the common rule law - scratch that, I'm sorry.
Ms. Steinhardt, can you elaborate further on the internal confidentiality policies that exist within the organizations that you investigated? Were you able to obtain written copies of their policies and do you have any information on the enforcement of these confidentiality policies? You said yes to the first question, go ahead.
MS. STEINHARDT: We were able to get copies of the written policies of most of the companies that we visited, but as we point out in our report, two of the companies did not have any written confidentiality policies, and two of them didn't provide us - two that said they did, didn't provide them to us.
I think we were impressed with the kinds of internal safeguards that we saw, or that we heard about, but we don't know whether they are actually followed. We don't know how well these policies are carried out, we don't know how effective the various measures that the companies have in place are in actually protecting the information, so that was a limit.
SEN. JEFFORDS: Was there any organized way for people to understand the policies and their ability to complain?
MS. STEINHARDT: Well, in some cases the policies were made available to patients, for example, but not always. Sometimes the policies really were directed towards employees and what the company's expectations were of them.
SEN. JEFFORDS: Can you elaborate further on the internal confidentiality policies that exist within the organizations that you investigated? Were you able to obtain written copies of your policy?
MS. STEINHARDT: This is the question that we were -
SEN. JEFFORDS: Just talking about. Right. Yes.
Based on the organizations that you visited, how much of the research that is being done requires the use of personal identifiers?
MS. STEINHARDT: A fair amount is dependent on personally identifiable information, largely to be able to link different data bases in order to answer the questions that the researchers have posed.
SEN. JEFFORDS: You point out that there are differences in how different organizations treat quality improvement activities. From your analysis should they be considered as research? MS. STEINHARDT: This is a real bone of contention, I think, within these organizations. But frankly it's hard to see how one can draw a bright line. These are all studies that are conducted, applied research you might call it, to manage health care, and they are asking research questions to be able to determine the most cost effective, the best outcomes of care. Sometimes they call it quality improvement, sometimes they call it research. I think the real issue is whether there is a risk involved in - to patient privacy in the use of the information.
SEN. JEFFORDS: You say in your report that the actual number of confidentiality breaches is not quite known, and you cite only a few cases. Isn't this evidence that the current system is working quite well?
MS. STEINHARDT: We didn't mean it to indicate any evidence of the incidents of problems. No one knows, really, how many cases of violations of privacy there have been in research. These were only the cases that came to the attention of Dr. Ellis' office.
I think the current system probably works better than no system at all. I think there is certainly agreement about that. The question is, could it be better? These are examples of where information became disclosed and it shows opportunities, potential for harm in a system where there is no oversight.
SEN. JEFFORDS: Senator Dodd, my companion in this effort. Pleased to have you here.
SEN. CHRISTOPHER DODD (D-CT): Thank you, Mr. Chairman. I apologize for not being here at the outset. We had, Senator Bennett and I are chairing the Committee on the Year 2000 Problem, which people are becoming more and more aware of, and we were both asked to open up a hearing on the Armed Services Committee, looking into the issue of national security implications of the year 2000 problem. The General Accounting Office, by the way, which I referred to this morning, you're an excellent study done on analyzing the various agencies of the federal government and how well they are meeting the compliance deadlines. So, I apologize to you, Mr. Chairman and to the witnesses and others that I wasn't here at the outset of this, but I am once again pleased to be joining my colleague from Vermont in a broader effort here of taking a good look at the issue of confidentiality and privacy and I have some remarks I want to share because this is an issue I care deeply about.

I was, I guess maybe I shouldn't have been, but of all the issues in my state that we asked people about, in terms of where they put the level of importance or significance, the wide range of issues on education, tax cuts and so forth, the issue that had the most resounding response in my state of any issue, were people's rights to privacy when it came to medical information and financial data. It just blew every other issue by 20 points off the charts. This issue really strikes very closely in the hearts and minds of just virtually every American. They are concerned today with technology, the Y2K issue in a sense, the amount of technology, computer information, the sharing of that information and what people can do to discriminate in hiring, insurance is profound.
And so, I think what we're doing in this area, Mr. Chairman, I know that some of these questions really need to be examined carefully as to how we proceed, some of the most important work I think we can do in this, the 106th session of this Congress is to deal with the issues of privacy and particularly in the area of health care, and so I want to thank you for one, allowing me to join with you on the request for the study, the GAO report, and I am a big, big fan of the General Accounting Office. They do such a fabulous job. It's a great, great resource for the country and we're tremendously grateful to them for their efforts, and for your work on this as well, and having a hearing on this topic, it's almost, Mr. Chairman, like a scenario from some science fiction novel, I guess, in a way.
At this very moment, while we are sitting here this morning, in this committee hearing room, hundreds of millions of bits of information, literally hundreds of millions of bits of information about the medical condition of each one of us is being transported, stored and sorted, and analyzed in research data bases all over the nation. To some Americans this byproduct of technology and a more integrated health care system is a thrilling advance in research, and in many ways they are absolutely right. For the first time vast amounts of data about the outcomes of different treatments can be channeled back to providers to improve the ability of their patients to be healthy and to be cured. And for the first time, large scale, long-term studies of drugs and devices can be readily constructed and used to enhance their safety and the efficacy for patients. So there are tremendous advantages to this technology explosion, this collection of information and data. To others, of course, the same situation is one with staggering potential for exploitation and abuse. They fear that widespread sharing of medical records without appropriate safeguards, even in pursuit of admirable goals, research goals, increases the likelihood that damaging information can be used to discriminate in health care, employment and as I mentioned, insurance.
In fact, concerns that this information is not being adequately protected from misuse has led some patients to avoid full disclosure of mental health and other sensitive conditions to their physicians and to unnecessarily forego opportunities for treatment, in effect negating the benefits of this new technology.
In considering broader medical privacy legislation, one of the challenges that this committee and the Congress, the country in effect will have to reconcile are two perspectives, weighing the public good derived from health research with the privacy interests of individuals. It's not an easy question.
Senator Jeffords and I have been grappling with this for some time, beginning with work on S 1921, the Health Care Personal Information Non-Disclosure Act, which we introduced a year ago and we will reintroduce in a few weeks, and we are hopeful that the testimony that you are going to provide here for us this morning will help us to better address complex issues and modify the proposal introduced if what you suggest is worthwhile.
As most of us are aware, as a result of work begun by this committee 20 years ago, and my colleague here, Senator Kennedy, has done so much in so many of these areas here, brings a wonderful wealth of knowledge, but also just the institutional memories of what went on as we drafted legislation back some time ago, research that is federally funded or is being conducted as part of the FDA application is subject to review by institutional review boards, which must adhere to federal guidelines for the protection of human subjects.
Questions have been raised about the adequacy of these IRB oversight, generally in the level of attention that IRBs pay to privacy, risks, in particular. However, it is important to note that IRBs are currently the only mechanism providing an external review of risk, to research subjects using independent guidelines. And however we continue to grapple with the adequacy of protection for patients in this type of research, we must also determine how to address the lesser known world of medical research that falls outside of the IRB review, something I know, Dr. Ellis, that you have talked about. What qualifies as research and what doesn't, and I realize that's an emerging controversy as well.
Today's hearing was convened to give us that viewpoint. Mr. Chairman, once again I am very grateful to you for holding these hearings, and again to the GAO for your excellent study, which is going to be very helpful to us as we proceed with our legislation. But again, Mr. Chairman, I want to tell you how much I enjoy working with you on these issues and I -
SEN. JEFFORDS: You have been most helpful to me, and if you have any questions, the floor is yours.
SEN. DODD: Yeah, I mean just a few, and I wanted to - in fact I made the point, Dr. Ellis I'll start with you, that - you note that some research does not operate under the guidelines of the common rule, simply because the investigators don't consider their activities to be research. And I wonder if you could maybe elaborate a bit more on what kind of activities these are and how does their definition of research differ from yours?
DR. ELLIS: Sure. I'll give you an example. Maybe that's the best way to do it and make it less abstract. And I need to truncate this story because I don't want to further the breach of privacy that you will see that occurred in this story.
A middle tier university, not a university receiving research dollars from the Department of Health and Human Services, the faculty member conducting research in English composition, so the item of interest, of research interest to this faculty member is how does a psychotherapist take a note from a patient that the psychotherapist is seeing?
The patient may say to the therapist, "Gee, I thought of killing myself." And the psychotherapist now has a choice in how to take this note. Does the therapist say, quote, "I thought of killing myself," end quote, or does the psychotherapist write, "Patient has suicidal ideation," or other - there are an endless variety of ways to take the note. This is the issue of research of the professor of English composition, how does a therapist compose narrative to tell the story of the therapist's patient?
Well, the professor conducts this research and goes to the relevant professional society meeting, and on stage at the convention center in a major city presents this research with the original note that the psychotherapist took, fully identifying the patient's information, and it's handed out, this is a handout for the audience at the professional meeting. This is very troubling. It is correct to say that this human subject, the psychotherapist's patient is an individual, a subject in unchecked human subject research. The current statutory authority that we have in our country does not confer the protections, the federal protections of institutional review board review before that research is done, and informed consent on that most unfortunate psychotherapy patient.
That's a sobering story. That's the kind of -
SEN. DODD: Did that actually happen?
 
DR. ELLIS: Yes. I did not make any of that up. I truncated some of the details because I don't want to further the breach. Because you know, the sobering part of the story is if this patient, who has had a troubled life and tells the story, knew that this note is on display at the professional meeting, that patient might take the patient's own life.
SEN. DODD: Ms. Steinhardt, again I thank you and the GAO and the work they have done. You had a limited amount of time to conduct this study and I guess that's actually what we do up here, we want these things done yesterday and we're always impressed at how effective you are in providing us with information.
But you were unable to survey all types of organizations, obviously, in the limited amount of time, that conduct their research outside of the common rule. What types of organizations, other than those studied, do you think conduct this type of research? And again, do you think these organizations and these entities have the same capacity as those you studied to implement internal controls?
MS. STEINHARDT: I think we were able to survey probably most of the types of companies or organizations that use medical records for research. We may have - we were able only to talk to a few in each category. We probably left out fertility clinics. I think those were probably the other major category of company that we know might use medical records data that we didn't get to. But otherwise, I think we had a broad representation, broad but shallow representation of organizations.
SEN. DODD: You did have a broad representation?
MS. STEINHARDT: Yes. I think the companies that we talked to represent a fairly full range of organizations that use medical records for research. We just didn't get to talk to very many of them.
SEN. DODD: Let me - could you describe the current IRB review process? You've described, rather, the current IRB review process as not giving substantial attention to privacy protection. To what extent and what manner is privacy considered by IRBs? I should have asked that first.
MS. STEINHARDT: IRBs tend to view studies that are done with medical records as involving minimal risk. They are paper records that are not generally dealing with individuals directly where there is a physical intervention as there might be in a clinical trial. So, these are generally considered to be of minimal risk and they go through an expedited review, and they typically waive informed consent, so it doesn't get the same treatment as other types of research, typically.

SEN. DODD: Do you have any particular suggestions for improving the capacity of the IRBs?
MS. STEINHARDT: Well, in the study we did a couple of years ago, and more recently the inspector general study, I think we shared concerns about the level of training that is afforded to IRB members on just their work load. The inspector general's office made recommendations to provide better training for IRB members, and I think particularly given this area of privacy and confidentiality, that would be of importance.
SEN. DODD: Are there some other types - again, are there other reviews that are done in other areas that you may have had a chance to judge as being - as good examples of how these reviews could be conducted?
MS. STEINHARDT: I think a couple of areas where it struck us that there might be a real need in paying attention to privacy issues. It's not clear what the standards are. It would be helpful, I think, in reviewing research for reviewers, to have a good understanding in what to be looking for in the projects, what the opportunities for privacy breaches might be. That's not necessarily something that they are well versed in today.
I think it could be useful for any kind of oversight board, whether it's an IRB, or some other type of mechanism for at least someone within that group to be aware of opportunities to minimize the use of personally identifiable information in research. Some of the organizations we met with have come up with ways to do that themselves. It might be useful to have that kind of expertise in a review board to extend to all types of research.
SEN. DODD: Mr. Chairman, I have several other questions here but we've had votes and we may have a couple more coming up, so let me just ask, if I can, to submit the additional three or four questions I have to Dr. Ellis. Let me ask you just one, Dr. Ellis, and this again, you may want to submit this answer in writing a bit, but I wonder if you could just sort of outline the chain of responsibility, protecting the privacy of individuals involved in health research. Could you do that quickly? DR. ELLIS: I'll try and do that quickly. I think there are five, or six, or seven layers of protection. Initially the transaction between the research subject and the investigator, or the record, the medical record of the research subject and the investigator, and this is the most important. This is where informed consent takes place. This is the most meaningful layer of protection, a fully informed research subject volunteers and says "Yes, I will assume whatever risk. I am interested in the pursuit of new knowledge. Let's proceed."
Sitting above the investigator is the institutional review board, and so this is a group, by definition, of mixed perspective, that's important. It must be an individual not affiliated with the institution in any capacity other than IRB service. And so, the values of the community are brought in and the IRB prospectively reviews the research plan and gives a green light or says here is a caution light, we need some revisions, or rarely says - or in rare occasions will say "No, this is not acceptable at our institution."
Sitting above the IRB is the institutional official. The IRB, when it says "Yes, this research may be done under our auspices," really is serving up a recommendation to the institutional official, and the institutional official may still say, "No, we don't want it done this way, or we don't want it done at our institution."
Then there is the funder of the research. Ordinarily there is some sort of review of the science of the research, and that review of the science can include review of human subjects issue at the funder, by peers.
Then, there is the executive official at the funding agency who makes the final decision upon the recommendation of the peer review, will fund this or not.
Sitting on top of the whole process is the United States Congress. Our office has certain jurisdiction and the Food and Drug Administration has certain jurisdiction, so it's a multi-layered process of protection, and we would say that the chances, the probability of a simultaneous failure, catastrophic failure through six or seven layers of protection is slight. It's non-zero. There are stories to tell here but it's very, very safe to be a research subject because under the common rule or under FDA regulation because of the years of experience and the evolution of the practices that we have.
SEN. DODD: That's very helpful. And again, I was commending the General Accounting Office. I would be remiss if I also didn't commend the National Institutes of Health. You do a great job there as well.
DR. ELLIS: Thank you.
 
SEN. DODD: Thank you, Mr. Chairman. Thank both of you very, very much. I may have a couple of follow on questions. I am interested in how much actual accountability occurs at several of those stops that you mentioned, where people actually are going to make the review, or is it just sort of a pass through, but I'll follow up on that.
SEN. JEFFORDS: Thank you.
Ms. Steinhardt, I understand we'll be working with you continuously, but with the HIPPA deadline that's fast approaching we're going to move forward with legislation, but thank you so much, both of you, for your cooperation and help in this very, very difficult area.
DR. ELLIS: Thank you.
MS. STEINHARDT: As always, a pleasure. Thank you.
SEN. JEFFORDS: Our second and final panel of witnesses today includes distinguished professionals in the field of medicine and law.
First I would like to welcome Dr. Brent C. James, who comes to us today from Salt Lake City, where he is the executive director of the Institute of Health Care Delivery Research at Intermountain Health Care. His organization is well recognized for its work in clinical quality improvements and electronic clinical decision support systems.
Dr. James sits on the boards of several not-for-profit health care institutions whose goal is measuring and improving the quality and availability of health care services. Dr. James, we're delighted to have you with us, and I think you will proceed, and I'll introduce each of the individuals that are with us on this panel as their time comes. Please proceed.
DR. JAMES: Thank you very much, Senator.
As you mentioned, I am a physician and vice president for medical research at Intermountain Health Care. We are a system of 23 hospitals, more than 100 outpatient clinics, a total of more than one million covered lives through our health plan. We've got 22,000 employees and roughly 1,400 key allied physicians, 400 employed in the (remainder ?) community-based positions.
We are a charitable not-for-profit health care institution that supplies a little bit more than 50 percent of all health care services in Utah. In some sense we sometimes feel like we function as a public institution.
I came to IHC 13 years ago after a faculty appointment in bio- statistics at the Harvard School of Public Health, primarily because of a desire to be closer to real patient care and to the real action, and also because of a perception that Intermountain Health Care had the best functional electronic medical record in the world, which I think is largely true. We have been able to use that record to provide some very substantial improvements in care over those intervening years. Just a few quick examples.
We have used that system to reduce the number of drug overdoses and adverse reactions, what's called an adverse drug event in the patient, the single most common risk a patient faces while hospitalized, to about 30 percent of its prior rate. In community acquired pneumonia, by examining the way that physicians prescribed initial drugs, chose whether the patient was hospitalized, and then the timing and delivery of those drugs reduced the overall mortality rate by about (26 ?) percent. The first year we did that in the 20 small rural hospitals where we started it, it saved about 20 lives. It also reduced the cost of care by about 12 percent, primarily by avoiding major complications.
More recently, we have used those systems to give feedback to physicians that treat diabetic patients. That has resulted in about a 40 percent increase in (patients ?) treated to a non-deadly level. Let me say that a different way. The major consequences of uncontrolled blood sugar diabetes are blindness, kidney failure, amputation as the small vessels in the hands and feet are damaged, and death. In a typical practice, about 30 percent of patients will be managed to a normal blood sugar level. Using these systems we have been able to increase it to over 70 percent. I actually have about 65 examples like that, that I could give you of specific areas where we have been able to substantially improve patient care, nearly always accompanied with a drop in cost.
As said, you need to know that IHC as an institution, has a specific institutional policy, places the medical profession and nursing profession's ethical constraint on patient confidentiality as a sacred trust. It holds equal billing with our institutional dedication to excellence in patience care. In that regard we support currently 12 IRBs scattered through our system. We mainly use those IRBs, though, for protections from research risk, specific protections from research risks. In fact, I can tell you from (practical ?) experience, overseeing this for the IHC system, that I have not in 13 years seen a major defect in confidentiality happen on the research side of our system. On the other hand, every year we fire a number of individuals and occasionally remove physician privileges on the operating side of the system for breaches of confidentiality.
Now, in no case has one of those actually resulted in direct harm that we have been able to detect. We fire people for looking at the wrong records, and have a system that functions to that level.
About five years ago we began to systematically experiment with the best way to do that within our system of care delivery.

The mechanism that we found most useful by far was something that Dr. Paul Clayton of the American Medical Infomatics (ph) Association called a data review committee. It has a very similar structure to an IRB, but we added some extra elements. In fact, all of our IRB chairmen sit on it.
We added line operations managers. Our data review committee, which I chair, reports directly to our board of trustees. We, in addition to reviewing specific studies in a limited range. It's our job to recommend policy to the board of trustees, then to enforce and oversee the policy.
One of the real problems that I think you will discover that we face, and Senator Dodd mentioned it, is how you define research, or how you distinguish operations, where actually most of the problems occur, from research.
What we have discovered is that given the myriad of operations that take place, I mean just regular health care delivery services in a big system like IHC, they all happen at that operational level. We are far better able to control that through policy. (We reserve ?) our IRBs to oversee true research and then our data review committee specifically addresses those areas that are in between, the gray zone in between where we have trouble distinguishing those.
I would like to just close by saying that it's an ongoing experiment. We think we're coming up with some pretty good answers, but we think that probably that in this consideration we ought to think about the operational side as well as the research side of patient confidentiality and privacy protection. Thank you.
SEN. JEFFORDS: Thank you for an excellent statement.
I am next pleased to present Professor Chai R. Feldblum, who is both founder and director of the Federal Legislation Clinic at Georgetown University Law Center. A graduate of Harvard Law School, Professor Feldblum has had an illustrious legal career including clerkships for Judge Frank Coffin (sp) on the First Circuit and Justice Harry Blackmun of the US Supreme Court. Having been the lead lawyer negotiating the drafting provisions of the Americans With Disabilities Act of 1990, on behalf of the disability community Professor Feldblum is widely regarded as the leading expert in disability law. Thank you for being here. We very much look forward to hearing your testimony. Please proceed.
MS. FELDBLUM: Good morning. My name is Chai Feldblum. I am, as you said, the director of the Federal Legislation Clinic, and part of what I teach my students at Georgetown is how to speak law in English, so I hope I am able to do that today in this testimony.
I am here today representing one of the clients of the clinic, which is the Privacy Working Group of the Consortium of Citizens with Disabilities, CCD. CCD is a Washington-based coalition of about 100 disability organizations and several of those organizations have been working together for several years now on the issue of health privacy.
People with disabilities are vitally interested in privacy. Senator Dodd, as you noted, this is an issue that resonates across the country. It absolutely resonates for people with disabilities who interact with the health care system more than most people, and who unfortunately, if their information gets out, can be subject to discrimination.
In the area of health research, people with disabilities vitally care that good research gets done. We want all of those great outcomes that Dr. James just talked about. However, at the same time, we are concerned that if there are inappropriate, unauthorized disclosures either to researchers or by researchers, we could get hurt.
So, what we are concerned about is that the current situation in which there is no federal protection for privately funded research is unacceptable. And we're also concerned, as the GAO report indicates, that in publicly funded research, there is little consideration given to privacy, because the bottom line is that when, as you, Senator Kennedy said, you are working on this, you were concerned about risks, physical risks to human subjects. Privacy was almost an afterthought. Well, it's not an afterthought now, so what do we do now?
The policy question before you today is how can you best protect privacy in publicly and privately funded research? Now what does the GAO report tell you?
I don't think it tells you the answer. If it was, you would pay them even more, maybe. But I think it tells you two things. One, that if you want to use the IRB system you do have to address the current flaws in the IRB system with regard to privacy. The current regulations are really not tailored to deal with privacy. You would need to insure that those regulations are modified in some way.
Second, I think the GAO report tells you that you should be cautious about just letting the status quo exist for privately funded research, where there is no common rule governance, there is no external review, and while I have no doubt that IHC, Intermountain Health Care is not where the problems are, you have to pass a law that is going to address the entire United States of America where there might be some privately funded research where there could be a problem.
Okay. So what does CCD think you should do?
Here are our proposals in research. First, as a general matter, we believe that if a health researcher is dealing with live individuals, right, a prospective study, that researcher must get the informed consent of the individual. The basic principle.
In every single federal privacy bill that all of you have introduced, and that Senator Bennett has introduced, has an authorization section that would apply, which is an authorization that cannot be conditioned on treatment or payment, but that explains to the person where the information will be going, what it will be used for. So, CCD believes that the norm for most research should be informed, uncoerced consent.
Now, we do however, as I said, we want good research to go on. And we realize that informed consent will not always be practicable to obtain. For example, if a researcher wants to use a database of medical information that's been collected over 10 years it might be impossible to get informed consent from all the people in that database. Or if you have stored blood and tissue samples where it might be quite difficult to obtain informed consent. We believe that in those situations researchers, both publicly and privately funded should have some avenue to get access to that information without informed consent.
But we believe that researcher must go through an IRB. And that is we believe that the current IRB system even with all its flaws, which we think can be fixed, all researchers publicly and privately should go through the IRB system. We do not believe that the funding of research should dictate a different level or type of privacy protection. And we believe that that IRB system should not simply rubber stamp the researcher coming and saying, I can't get informed consent. But that researcher should number one, have to explain why she or he needs identifiable information. Because lots of research can be done without identifiable, but some as you heard this morning needs identifiable, explains to the IRB why she or he needs identifiable information and explains why it would be impracticable top get informed consent.
And then if the IRB says, yeap, you've got the go ahead, the IRB can still require the researcher to have good safeguards in place so you don't have a situation of the person then giving the handout with the psychotherapy notes. Right, you might have needed identifiable information, how else can you see what the issue was, but you don't need to give out that information. So, the IRB can ensure their safeguards.
 
Finally, although we believe that the IRB system is the one we should use, we are aware as I said of the limitations with regard to privacy. We don't however, think that you need to revise the common rule yourself, right now ion this bill. HHS is currently looking at the system, currently revising the IRB system and we think you simply need to indicate in the legislation that the secretary must also include a section, a new section on confidentiality.
In conclusion, let me note that CCD has no desire to create a system that is so protective of privacy that it makes our nations biomedical and health services research enterprise unworkable. We of all people do not want that result. But our work in this area over the past years has demonstrated to us that strong privacy protection does not have to have that result. In fact, our work on the federal privacy legislation generally has taught us that the desire for privacy and the desire for an effective health care system are not in conflict with each other requiring balancing of one interest against the other.
To the contrary, as heavy consumers of the health care system, we believe that privacy enhances that system, because it enhances peoples confidence in that system. The same thing, we believe is true in health care research. Strong intelligent coherent privacy protection enhances research by increasing individuals trust in research enterprises. We believe our recommendations in the research arena are indeed strong, intelligent, and coherent and will create an environment in which an individuals right to privacy is effectively protected and in which useful research is effectively supported and encouraged. Thank you
SEN. JEFFORDS: Well, thank you very much. Our final witness on our panel is Dr. Elizabeth B. Andrews., who directs the World Wide Epidermiology Department of Glaxo Wellcome, based in Research Triangle Park, North Carolina and Greenford (sp), England, professor of Epidemiology at the University -- the North Carolina School of Public Health, and she participates in several professional committees and panels concerned with the fields of pharmacoepidemiology (ph) research -- sorry about that -- and you can explain that one for me, and clinical safety.
Dr. Andrews, I appreciate your appearing. Please proceed.
DR. ELIZABETH B. ANDREWS: Thank you very much, Mr. Chairman, and members of the committee. I am Elizabeth Andrews. I am a pharmacoepidemiologist and director of World Wide Epidemiology at Glaxo Wellcome, a leading research-based pharmaceutical company. Thank you so much for the opportunity to testify this morning on behalf of PHRMA (ph), the Pharmaceutical Research and Manufactures of America, on the important issue of federal legislation to protect the confidentiality of medical information.

PHRMA has developed a set of key principles for maintaining confidentiality of medical information. Those principles reflect a commitment to strong protections of patient confidentiality while ensuring the availability of medical information for research and for the delivery of quality health care. A copy of these principles is attached to my written testimony, which I submit for the record.
We're encouraged that GAO's findings are consistent with the widespread belief in the research community that researchers are doing a fairly thorough job of protecting the confidentiality of patients while using medical information in extremely important research concerning public health and health care delivery. We also believe that GAO's findings provide compelling evidence that the legislative approach taken in one of the bills introduced in the last Congress, S 2609, Senator Bennett's bill, provides a promising framework for new federal law that will protect the privacy interests of individuals.
First, the GAO report acknowledges many uses of information and data in research that required some type of access to identifiable information. Not all research can be conducted strictly using anonymized records as we've already heard. Research based on archival records with medical risks to the patients and with rigorous safeguards of personally identifiable data should be encouraged, not impeded. In my written testimony, I provided several critical examples of such research.
Second, the report provides examples of a variety of safeguards that are in place in different types of organizations that undertake research outside the federal system. The examples demonstrate clearly that many safeguards already exist to protect confidentiality of identifiable patient information. Both the Chairman's bill of the last Congress, S 1921, and the Bennett bill would have established a uniform national requirement that organizations that manage health data have strong safeguards for protecting confidentiality. Moreover, these bills would have provided penalties for organizations that fail to adopt or enforce those safeguards.
Third, the report provides a realistic picture of the current IRB operations. IRBs provide a valuable function in protecting patients from unnecessary research risks. However, they have neither the expertise nor the capacity to review studies with respect to confidentiality practices. We feel it would be counterproductive to institute new requirements that they do so. Uniform national requirements for confidentiality protections would offer more appropriate, more consistent, and more rigorous controls than available through an expansion of the IRB functions.
The Bennett bill relied on a mechanism that would have required each institution, including research institutions, to establish safeguards, policies, and procedures for protecting data that identifies patients. The Chairman's bill also started from this premise, but did not develop it to address unique research issues. Instead, the Chairman's bill added new IRB and informed consent requirements.
In PHRMA's view, the process established by the Bennett bill is more protective of patient confidentiality interests than the expansion of IRB review and informed consent requirements. Such an expansion would have needlessly complicated the important tasks already faced by IRBs, and would have harmed research by subjecting each project, each hypothesis to burdensome review and consent requirements. As a result, many important research projects would never have been investigated.
One critically important issue for any confidentiality legislation is that we must draw clear distinctions between protected health information and non-identifiable information. The legislation you introduced last Congress, Mr. Chairman, defined protected health information so broadly that almost no information could be characterized as non-identifiable. As a result, every piece of health care date, whether or not it identifies an individual would be subject to all of the federal restrictions and requirements applicable under the law, including written consent, record keeping, access to review and amend and notification.
With respect to patient consent, we support current federal requirements concerning the informed consent of participants in interventional research. We do not believe, however, that research projects using databases or archives of previously collected information and materials should require informed consent.
In many cases it may be impossible to gain consent. Patients move, change health plans. They die. And given the extremely minimal risk, the patients from research of this type requiring informed consent increases the burden on researchers and patients, but does not serve to protect the patient's confidentiality interests. There are better and more appropriate ways of managing databases to safeguard the confidentiality of patients.
Mr. Chairman and members of the committee, we look forward to working with you as you continue your efforts and we stand ready to help in drafting legislation in this Congress.
 
SEN. JEFFORDS: Thank you very much. It's very helpful testimony.
Dr. James, you use the term sensitive in describing some of the medical data. How is sensitive defined and who makes a decision as to what information is sensitive?
DR. JAMES: The best way I could do that probably is to give you a few examples. For example, information on HIV status, mental health information, and reproductive history information, are some examples of sensitive information.
The best we have for managing that within our system is again through system wide policy. For example, we currently have under discussion whether we segregate our electronic medical records and require different levels of access to those portions of the record that contain what we consider to be sensitive information for our patients.
I should say in passing too, Mr. Chairman, that my 12 IRBs would be overwhelmed if I asked them to take on that extra load right now in terms of taking on full confidentiality. Our ability as a system to actually make that system work relies upon policy, and you have to add a different element to it just to make it work.
That same group can consider how to deal with sensitive information that quite frankly goes beyond the purview of the expertise of IRBs at least as they're presently constituted.
SEN. JEFFORDS: How would you know if the breach of confidentiality occurred in health care? What steps would be taken and would the patients affected be notified?
DR. JAMES: At least for a major proportion of our system they'll have a full electronic medical record. We can only tell if a breach of confidentiality has occurred usually if we have the electronic record. We maintain full audit trail so that we can tell every instance of an individual looking at a patient record for any purpose.
We not only use that to audit access to data and look for instances when individuals are looking at data where they shouldn't look. We also are just in the process of making that available to patients themselves so that a patient I see can review every individual who has looked at their record during any healthcare encounter within our system.
Usually, unless harm has occurred, we believe that harm has occurred, we would not notify a patient. We would deal with that internally. I should tell you that the vast majority of instances that we see are, were a nurse or a position or a technician has chosen to examine the record of a neighbor or a VIP who's in the hospital. Those sorts of breaches are the vast majority that we encounter with our system. The vast majority, and we believe that those are the research risks, quite frankly. SEN. JEFFORDS: What consent, if any, do you obtain from patients to include their identifiable data in your research?
DR. JAMES: Any time a patient enters our system, they sign an informed consent for use per data for direct patient care delivery for quality review and quality improvement activities to access our system. If we're launching a specific clinical investigation, a perspective interventional investigation, we, of course, obtain consent before the patient actually receives that intervention, so we really have two levels for dealing with that.
SEN. JEFFORDS: Professor Feldblum, what do you think would be the impact of imposing your suggested open standard of stop, think and justify every researcher?
MS. FELDBLUM: Well, for researchers who are going through the IRB system, they're already coming to the IRB and justifying their research in terms of risk to human subjects. All that this would do is add another element to the conversation and I agree with what the GAO report says in terms of we're going to need training for folks to understand how to have that conversation. But they will then have to explain why is it that they need identifiable data for their research and why is it impracticable to get informed consent. This isn't going to be a complicated conversation. This is going to be a lot less complicated than some of the conversation they're going to have with the IRB about physical risks to their subjects. But it will be, as we term it, the stop, think and justify moment. I actually do not think it's going to be that difficult for them because they're coming, they should be coming to the IRB to deal with that research in any event.
SEN. JEFFORDS: Since very little of what the IRB does now addresses the confidentiality of medical information, how would you modify the existing structure of institutional review boards, IRBs, to handle expanded confidentiality activities?
MS. FELDBLUM: First, let me say in deference to Dr. Ellis, who testified just right before, I think that that office would say that, yes, we do, in fact, deal with confidentiality. And let's be clear there is a piece in the IRB regs that says, number one, you have to get informed consent of individuals and that's an important piece of telling people how their information will be used. And it does say for medical records data, you have to, at least, demonstrate to the IRB that it's not practicable to get informed consent. It's just, in reality, it just happens very easily and very quickly. But I would want to say they do believe that they incorporate confidentially.
So I think all we're asking for is an enhancing of that analysis. That is, number one, not to just assume that when you use medical records data, it is minimal risks.

As, Dr. Andrews', you noted in your testimony, there's this assumption that, if it's just databases, its minimal risk. And if you look at the definition of minimal risk in the IRB regulations right now, it defines it as (sort of?) physical discomfort, physical risk.
Well, that's one type of risk, but there's another type of risk, which is the risk to me of the disclosure of that information. So the first thing I think the IRB regs should do is broaden their view of risk, including the risk to confidentiality. And then, the second piece is to require the researchers to explain to the IRBs why they need the individually identifiable information. The GAO report indicates neither the common rule nor any of these organizations that they may have lots of great safeguards, they don't have that moment where they require the researcher to explain why and in some cases, it will required and in some not. That's the second thing to add to the IRB regulations.
The third is let government learn from the innovation of the private sector. Let government learn from what IHC has done. I mean, the GAO report notes a situation where in a research state, in a research project, the computer programmer codes the information, so then the researcher's only getting de-identified form. It's a great idea. You know, then you have two people who will see my information, but not the next 20 on the project. Let HHS, when it develops these IRB regulations for confidentiality, get the information from GAO report and put in those innovations.
SEN. JEFFORDS: Senator Kennedy.
SEN. KENNEDY: Thank you very much. Let me, I think I have a good understanding of the problem about the position. Let me just ask you just one question. In your written testimony you indicated that the CCD recognizes that there's certain types of research, such as research involving the large tissue banks where it'd be very difficult to get informed consent. The common rule has a waiver for the informed consent requirement in those situations. Now, would the CCD agree the common rule deals appropriately with that type of research?
DR. FELDBLUM: No. Not at all. I mean, we believe that right now the common rule unfortunately lists all medical records, databases, all pathological specimen as involving minimal risks. They all get this expedited review, expedited review means just the chairperson or one person I the IRB committee can say, go ahead you can get all that information without informed consent. One person gets to say that. We don't think that's appropriate. We do not believe there should be a separate section for tissue samples and medical records, databases that are soon to be of minimal risks. We think they need to be looked at carefully.
Now we do still recognize that some databases, some tissue samples, and not all, I mean some tissue samples that were collected last month, there should not be a problem in getting in touch with those folks and saying, can we use our tissue sample, as opposed to something that was collected 10 years ago. See? So, that each of these elements are looked at separately and carefully, that's what -- and thank you for letting me clarify that in the written testimony.
SEN. KENNEDY: Dr. James, I saw you raise your hand?
DR. JAMES: Just a quick comment. The way that actually works in the real IRB, it's the IRB set policy what classes of data can receive expedited review. The chairman can get expedited review or the person that he's designated or she's designated for expedited review but then it comes back to the full committee. It just comes back at a later date for review. And it is still reviewed.
SEN. KENNEDY: Well, that's the, I mean if you two have some difference on it, you can imagine how we feel about it up here trying to work our way through it. But I think we want to, I think we flagged this.
Let me ask, Ms. Andrews, in your written testimony, you refer to the research section in Senator Bennett's Privacy Bill. And while the Bennett Bill addresses the research already governed by the common rule and analysis of that health care records and medical archives it does not address the privately funded health research involved in the human subject done outside of the FDA regulation.
Dr. Ellis identified a number of the institutions including privately funded research institutions in vitro fertilization clinics where the research cares what human subject research protections currently exist in these areas. How much of a problem, what do you think we ought to do about it?
DR. ANDREWS: That Senator Bennett's Bill in the research section provides for the common rule for things that are currently covered by the common rule, but for archival medical records it would require confidentiality safeguards appropriate to the individual institution, which may include research committees such as Dr. James has mentioned. So, we feel that those protections offer higher standards of protection for research that's done using existing, medical records where the patient is not put at additional medical risks.
SEN. KENNEDY: What about live human subjects?
 
DR. ANDREWS: We had not addressed, we had focused our attention for PHRMA on looking at the issues of medical records research rather than prospective interventional trials, which would normally be covered by something similar to the common rule.
SEN. KENNEDY: Okay. Dr. Feldblum, what's your reaction?
DR. FELDBLUM: Well, not all live human subject research will be governed under the common rule, if it's not federally funded or if there's not an FDA trial. So, that is still a problem for some places. The second thing is to me that Senator Bennett's bill is only just half the picture. It's putting in the safeguards. Well we want those safeguards, too. It's just we want some external review body that can look to make sure that these bill safeguards are in fact being implemented. That's all. Obviously the safeguards are important, but in our view that's the second step of the analysis. The first step is an external review entity that determines the research is appropriate and then can have some oversight over those safeguards.
SEN. KENNEDY: And Dr. James, you don't think that that's necessary or that the -
DR. JAMES: What I was really proposing was the way of implementing it. I think we agreed upon the need. It's, the question is how you effectively implement or make something like that happen and how should it be expressed in legislation. I think that everyone has agreed that prospective interventions with live humans is under IRB control. There's no disagreement about that. I think current IRB structure and OPRR functions very well at that level. In fact, I'd like to reserve my IRBs to focus on that absolutely essential function.
For us to handle large databases, we get into an interesting problem of what constitutes research versus what constitutes patient care delivery and there is a real risk that if we get too heavy-handed that we will limit good care delivery and we need to be careful about that boundary. The best group that we've found for dealing with that is not an IRB but kind of a super IRB. It has to include institutional elements that can implement policy and enforce policy with some meaningful structure within the organization. The IRB functions in conjunction with that are side by side with that but I think it's a different body than an IRB.
SEN. KENNEDY: Just see, Dr. Andrews, if I could, Mr. Chairman.
SEN. JEFFORDS: Sure, go ahead.
(Cross talk.)
DR. ANDREWS: I'd just like to comment that in the conduct of clinical trials of pharmaceutical products and other medical devices, it is routine to subject every study to IRB review and approval because it is an experimental circumstance that is either governed by the IRB or it is conducted in institutions who chose to use the common rule and it's also guided by good clinical practice guidelines and there's an international network of regulations and guidelines that govern the conduct of experimental studies of medicine.
SEN. KENNEDY: Thank you very much.
SEN. JEFFORDS: Senator Dodd.
SEN. DODD: Thank you, Mr. Chairman. Again, my thanks to our witnesses. They're very, very helpful.
And I think one of the things that, Ms. Feldblum, you mentioned, is very worthwhile advice and that is to take a look at what the private researchers are doing and technologically I hope HHS does look at that, Mr. Chairman, or else maybe that's something we ought to recommend because as you point out in many cases, of course, they're figuring out good ways of collecting data and preserving the privacy interests of individuals and too often I think we don't pay enough attention to how that's being done in a way to enhance our own agenda on these issues.
Let me just ask you, Dr. James, because you picked up on the notion this is not actually what is research and again just in response to Senator Kennedy made some references to that. Dr. Ellis gave us, gave me an example. What do you think of his example?
DR. JAMES: In terms of a defect in confidentiality?
SEN. DODD: Yeah.
DR. JAMES: That sort of research should have been IRB controlled and it's a clear defect in research and it should have been taken care of. Can I give you another example, though?
SEN. DODD: Sure.
DR. JAMES: - - I mentioned diabetes and we have been able to include care for diabetics in our system. That relies upon a registry. We keep a database; well it's part of our electronic medical record of every diabetic treated within a practice that's up under that system. That means that every time a patient who's diabetic comes to see their physician, the system prints out a phase sheet that goes on the patient's chart that reviews their diabetes history and status of control. It doesn't matter if you come in for your cold or to have someone look at your sore knee or if you come in for diabetes, it's always known.

The second piece is is we fairly routinely generate reports for the physician as part of that electronic medical record that lists his diabetic or her diabetic down on a list. And shows who's late for their last blood sugar determination, who needs their blood cholesterol, their lipid managed, how are they doing on blood pressure. Anyone who needs to visit or needs tighter control is identified from the physician for you to call those patients, bring them in, which is what commonly happens.
It's a series of thing like that that has enabled us to improve our level of care. Now quite frankly I regard that as just good health care operations.
SEN. DODD: Well let me ask you this.
(Cross talk.)
DR. JAMES: He classified that act to what he has researched.
SEN. DODD: Well let me ask you this -- I understand that. It's a very good point. Do we ask, for instance if I'm going to be part of a registry my consent that you could you my -- I'd like to know whether or not as a patient here, whether or not that my information is part of that registry, which would make a good case for. I'd like to know that you've asked for my consent before that information is going to be available. Is that asked for?
DR. JAMES: Well it is, but it is in a particular way. The registry is actually your electronic medical record. All that it requires is that we enter in your electronic medical record that you have diabetes.
SEN. DODD: How about my consent to that information that is here?
DR. JAMES: When you accept care within IHC, you sign an informed consent agreeing that we can collect and maintain information for that treatment.
SEN. DODD: Does that explain to the patient what means?
 
DR. JAMES: What I'll say is, is we believe that we're explaining it, but they probably don't understand it the level that I understand it.
SEN. DODD: Yea.
DR. JAMES: But I don't believe that I effectively can.
SEN. DODD: Because I mean that's an important point to me. You make an excellent point on terms of getting this stuff. I just want to -- I don't see where this is a great problem. I mean to me. And tell me if I'm wrong on this, but let's assume for a second you had to say to me, listen Senator, I want you to know now as part of a registry here what this means --
DR. JAMES: Well actually it's electronic medical record that we will maintain a medical record.
SEN. DODD: And do you give your consent that this information I'm collecting on your diabetes, for instance --
DR. JAMES: Yea, what we use to treat you.
SEN. DODD: Yea, do I understand that information maybe shared with other people --
DR. JAMES: It will be shared with the members of the care delivery team just as a paper record is today.
SEN. DODD: Yea.
DR. JAMES: No different.
SEN. DODD: How do you respond to this, Ms. Feldblum?
MS. FELDBLUM: Well are really -- we're moving into different type of health care and you know that's a good thing. I mean it's good in terms of what IHC is doing in terms of people with disabilities. It does raise more complicated privacy concerns. Here's pretty much how we feel about it at TCD. We recognize that clinics, hospitals, have to get people's informed consent, their authorization in order to do treatment and payment. And really although that's called a consent, let's be real, it's consent under duress because you have to sign that authorization in order to come get that treatment. So it's consent under duress, but we're willing to live with that as a sys Now the question is when they're doing more complicated disease management programs like this, do we want to say that I have the right to say no. I don't want to be part of that brilliant wonderful electronic system, because I just don't want to. Can I have the right to say no to that and still get treated at IHC. Now that would be very difficult for IHC. I've learned a lot in the last few years trying to lobby this bill and I well understand that this would be very difficult for them. So you know at CCD, we are trying to come up with a compromise to move from our position of last year was we want to be able to say no and you know, that's it. It's complicated though. And right now, your bill I think definitely I just want to say and my legal reading of both at least the Jeffords- Dodd Bill not the Kennedy-Leahy Bill would not really let somebody just opt out of that disease management work.
REP. DODD: It's a very important questions and there're not easily answered. What percentage of (farmers?) research fall outside of the IRB requirement? Yes, do you have the number?
MS. FELDBLUM: I don't have the number. I --
REP. DODD: Fifty percent, 40, 10?
MS. FELDBLUM: It's so hard to know. There's an enormous amount of work that goes into clinical trials in developing drugs. There's an increasing amount of research that (sets?) things on to evaluate the safety of medicines as Senator Kennedy and Senator Jeffords will hear this afternoon at another meeting by (room noise) regarding drug safety.
We're doing an increasing amount of work with our records to learn about the safety of medicines once they're in general use and patients who are not studied in clinical trials. There's an increasing amount of research that's being done to look at the cost effectiveness comparing different therapies. It's really difficult to quantify --
SEN. DODD: I thought it might be. (And I haven't asked yet, ?) because I want to be careful as well. This is a whole new area here, and I want to -- if we're moving away from -- if the effort is to find ways to move away from consent, and I'm not suggesting that, that's another case, but some may argue for it, I think those trend lines could be important. And I'd like to ask you to go back and see if you can't give some quantifiable indication. I'd like to see what it's like, within, I'll say the last five years or so. Is there some graph line -- are we moving -- are your number of research projects that are non-IRB required growing or shrinking? I'd like some indication of that.
DR. ANDREWS: I can tell you they're growing tremendously. And even if we took the existing research now that's done with archival records, I am convinced, it would totally swamp the current IRB system. They're currently not set up to evaluate these kinds of studies. And that's why we feel that it's important to set up additional safeguards using different mechanisms to protect the confidentiality of archival records to a very high standard.
 
SEN. DODD: I appreciate that.
Let me ask one thing. This is such important stuff; I'm very interested in it. I'm curious again about recourse to some extent. Again, the non-IRB -- you know, again, if you're not giving your consent. I mean, to what extent, under your scenarios, does a patient have some recourse if information gets out that you didn't want to have get out. I mean, you really are -- in your case, Dr. James, and I again appreciate immensely, I don't -- there's no feeling here that any of us up here have any desire at all to want to impede, obviously the critical work that you're doing. I mean, this is striking its balance. But, if information does get out and it's not protected, what recourse do I have in that situation? Quick answers if you can tell me.
MR. JAMES: Just a comment along the way.
SEN. DODD: Yeah.
MR. JAMES: You realize that I can protect data better electronically than I can in paper form?
SEN. DODD: Yes.
MR. JAMES: You understand that?
SEN. DODD: That's a very important point there.
MR. JAMES: And so, when you talk about a registry that is available to more people, that's simply not true. I have better control over who accesses the data in its electronic form and, what you call, in its registry form.
SEN. DODD: Well, that's why I think we said earlier about HHS taking a look at what you're doing as a way to enhance greater privacy. The points well taken.
MR. JAMES: So, that's an important point.
SEN. DODD: Well, what recourse do I have if it does happen?
MR. JAMES: Currently the recourse with HIC (?), is if you were harmed you would be able to use the regular tort system recourse. Alternative, we try to stop those before they ever come to harm, needless to say.
SEN. DODD: Yeah.
MR. JAMES: Because we don't want to be on the receiving end of the tort.
SEN. DODD: I understand.

How about you, Dr. Andrews?
DR. ANDREWS: Well, first, if we have better safeguards then we'll decrease the risk of those disclosures. If we have strong penalties, we'll have greater incentive for compliance. And then there are some existing mechanisms like ADA and Health Insurance Supportability and Accountability Act and Tort Law for rights of individual patients who have been harmed.
SEN. DODD: (Off mike.)
SEN. INHOFE: That's all right.
Senator Murray.
SEN. DODD: Oh, hey Patty, how are you?
SEN. MURRAY: Oh, I'm done here -- (laughter.)
Thank you, Mr. Chairman.
A fascinating difficult topic and I really appreciate all the work everyone is trying to do on this. I certainly am hearing from a lot of my constituents, obviously, Fred Hutchinson Cancer Research Center and University of Washington Medical Center are extremely interested in the implications of research -- on their research of new privacy protections. But, I also talked to consumers all the time, and I have to sit here -- we all sit here as consumers and when we hear that some nurse that happens to be a next door neighbor can take a look at our files, you know, it's pretty frightening.
And I appreciate Senator Dodd's line of questioning here, and I guess, Dr. James, let me ask you, what makes you decide whether or not to tell the patient that somebody has looked at their record?
DR. JAMES: We're currently building a system so that any patient can look at every access to their record. So if you're a patient inside Intermountain Health Care you could pull up a list of your medical records and back from the day that you started to come to see anybody associated with us, see every access, the date, the time, the name of the person, their organizational affiliation. That's the main way that we want to address that so that you have full access for disclosure for everyone who sees it.
We also internally look for patterns of inappropriate use, using that same audit trail. Now I realize that most systems don't have a full electronic system. I realize that we're one of the first who are doing that and in some sense we're working out what policy ought to look like. In an organization where we agree that patient confidentiality is the primary goal, no disagreement about that at all. Again, our solution for that is to find them and stop them before they happen.
The other thing that needs to be said one more time depends on where you draw the line between research and operations. Essentially all of our defects in confidentiality which we've been picking up when they look, not when they tell, because we've been able to tell, all of them have occurred on the operations side, not on the research side.
SEN. MURRAY: To a patient, it doesn't make a difference if they're --
DR. JAMES: I understand, but the point of it is, is you consider your legislation. I think it's clear that the bills that I've read at least, focus on the operation side as well to see, appropriately so.
But now let me start to talk about the operations of health care delivery. We have to be careful that we try to fairly narrow path so that we can get full and appropriate patient confidentiality protection, are we still allowed to (care delivery to function ??) or we will literally pay for --
SEN. MURRAY: Yeah.
(Cross talk.)
So therefore, you're saying electronic is better to track --
DR. JAMES: No question about it. And there seems to be an inherent fear in electronic record. I don't know where it comes from.
SEN. MURRAY: It just feels like when it goes into a computer, that a lot of people can take a look at it.
DR. JAMES: Yeah, but that's not true.
SEN. MURRAY: It may not be. Well that goes to the second part of my question.
It seems to me that consumer education is a critical piece of this. I don't know, or didn't know that when you signed an informed consent, what all broad parameters that means, other than just that a doctor can look at you, which is what most patients are thinking when they go in and sign any kind of consent, particularly as it was stated when you're sick.
I think that it's important for patients to know who has access to their records and what kind of retribution there is if somebody inappropriate does, and that they can request and find out who's gotten in there. How do we take care of consumer education on this so that people are aware of what rights they have and how they can know what's going on with their record?
DR. JAMES: Just a couple of comments. You realize of course the paper record, anytime you see a physician or a nurse, they are going to write down a record of that encounter for future reference, that as they write that down, that's available to the medical team, paper or electronic.
To be honest, I won't go into the stories. I believe that the paper system is substantially more loose and subject to potential abuse, just in passing, from personal experience. That said, we try to generate understandable informed consent to describe the way that we'll use information as part of a routine informed consent on every patient. It's very difficult though to get the full understanding of how you use medical information to deliver care, you see, and it's an ongoing issue for my data review committee. That's one of the things that we consider in asking the Board of Trustees to set policy.
So all that I have is a structural solution for you.
SEN. MURRAY: Uh huh.
DR. JAMES: We also try to collaborate with others who are addressing the same issue across the country to say what is the best way to fully explain to patients how you're going to use this information appropriately on their behalf, both on an individual level to care for you personally and on a group level to develop better treatment for the future.
DR. FELDBLUM: Both of your questions indicate to me why you need to pass a federal law, because a federal law can in fact require entities to give me a really fully informed consent, tell me who this information's going to be going to. Generally, what type of people, what it's going to be used for and even though it is coerced to some extent, at least they have more information.
Too, the federal law can give real recourse. I mean in answer to your question, what you got back basically was tort law, state tort law. That can be quite complicated, you know. And instead what this does is, you can have a system that sets up civil penalties, criminal penalties, cause of action, that could just go into to say there was a violation. They don't have to go show you all the consequential harms other than there was a violation.
 
Federal law is what can make the difference in this country and then consumer education about what that federal law says is going to complete the cycle.
SEN. DODD: I was just going to tell you, I didn't follow up because of the time. But it seems to me that almost a follow on question would be as in the private care, I would be more uneasy about state-by-state tort law in this area than I would a clear federal law that says exactly what the deal is. I don't know if you want to --
DR. JAMES: We agree entirely that we need common federal law so that it's common across the states. Now, that's partly self-serving because we supply care in four states, and we'd rather work on a single rule.
DR. FELDBLUM: All right, but I think there's definitely been a norm in Congress that when you pass laws that are in, sort of, complicated areas. You've done this in banking laws, consumer laws. You often do pass a federal floor that is a uniform floor and basically about two-thirds of the states just automatically, sort of, come up to that. But then, if you have states like Connecticut or Vermont, you know, Washington, where wants to do something different, they get the chance to, in fact, do something different.
So, that's only CCD's position that there should be a floor and then, states should be allowed to experiment.
SEN. DODD: But as we preempt in our laws.
DR. FELDBLUM: With some carve outs for some areas, correct.
DR ANDREWS: Research doesn't know geographic boundaries. It's really important to have states federal preemptive legislation we feel. I'd like to come back to the question about education cause I think that's very important here. And I think as health professionals, we have a responsibility to educate patients, and I think the media, as well, has a responsibility. I hope this dialog about federal legislation will improve the public's understanding of how medical information is used. And I hope we can be more responsible. When we talk about breaches of confidentiality that those are reported for what they are, which is often a violation of professional ethics, or a violation of law. It's very rarely a breach of confidentiality coming from a research setting.
REP. MURRAY: Well, I think that has to be part of the education, too. As consumers, we need to know what this research is used for and some of the good effects of it, of which there is a lot out there. And I think a lot of times, you know, people don't think beyond their own personal health care crisis they're having.
Thank you, Mr. Chairman.

SEN. JEFFORDS : Thank you.
Dr. James, you described a process by which you segregate your electronic database. This is an important issue as we consider separate treatment areas, such as mental health. Can you please elaborate for the committee, the steps involved in segregating the information and costs associated with the activity.
DR. JAMES: Currently, we've only actually, physically segregated one part of information on our electronic medical records. We actually segregate the identifiable parts off to the side. It's a virtual single record, but physically, on the computers, it's actually a separate piece of the record. That means that we can put different security protection on it.
Now, we have a random number that links record to record with all of the various parts of the medical records, but most of the people who work in my system who don't need access to identifiable information, they access the other databases with no real chance of breech because they don't have access to the identifiable portion. And we placed another level of security, the highest level of security when they want to look at the identifiable portions, you see. And we track it separately. We audit it separately as a separate entity.
The current debate within my data review committee is should we break out HIV, should we break out reproductive history, should we break out mental health. And if so, what rules would we use? I'll have to tell you, at least for us, that we still don't know quite how to handle that. It's an open technical question about what areas we consider to deserve an even higher level of protection. Most days, as chairman of the committee, my belief is that all parts of the record should receive that level of protection, except basic demographics -- your name, you know, that you're in the hospital, the things that we would release to a newspaper, for example, under state law in Utah. Do you see what I mean?
So, that's the area of current debate. We do segregate out the identifiable portion of the record right now, though.
SEN. JEFFORDS: On that debate, would legislation or regulation be helpful in trying to have a uniform system? DR. JAMES: The legislation will be particularly helpful. I really want this legislation to pass, you have to understand. It will be particularly helpful when we enter into agreements with others because it will hold them to the same standard to which we hold ourselves. And I think that will be very important, and in some ways make flows of data easier than it is right now.
In terms of segregating the medical record, I don't believe we have a technical foundation to pass a law. That's my personal belief. At least, I haven't seen a good solution of how you identify that level of information and then, how you determine, particularly, which physicians or which nurses should see it. Now, those in my system that say, for example, if we know we have an HIV-positive patient, that every care deliverer ought to be able to know that. There are others in my system who say we should use full HIV precautions on every patient and so knowing that they have HIV is not a necessary piece of information. And that's the level of the debate.
We try to avail ourselves to the best national resources in going back and forth on this thing to decide the best way to decide the best way to deliver care to patients while fully protecting appropriate confidentiality. But that at least for us is still a topic of open debate.
By the way at the current moment, what we've really said is that the entire record has full protection.
SEN. JEFFORDS: Dr. Feldblum, do you have any comment?
DR. FELDBLUM: Well, I wish that the whole rest of the country was at the technological stage that IHC was at. I mean if it were, I think privacy would so much better protected. I really want endorse what Dr. James said and what I've learned from Jan Laurie Goldman who has been doing health privacy for many years, who taught me and many members of the CCD coalition that electronic records can help preserve privacy much better than paper records in terms of protection of whose accessed those records, et cetera.
However, the bottom line is that most of the country is not where IHC is at and they use paper records. And you in 1999 I believe still need to pass a law that's gong to deal with the country as it stands right now and the law that will be able to accommodate the country as it grows into greater electronic use. I think given that, there is, we do have to think about sensitive medical information. We do have to think about whether that needs different and separate protection. You know, when it's a paper record maybe then you can segregate it better. When you've got an electronic record and the whole thing is basically anonymous because the link is in another part of the database that's wonderful. And then I think, yeah maybe the whole thing can get the same level of protection. So, think you have to pass a law for the country as it stands right now, which is not just IHC as well as the country where it will be. SEN. JEFFORDS: Dr. Andrews?
DR. ANDREWS: I think regarding the ability to segregate information or withhold certain information or withhold certain information from a medical record, there ought, I agree with the statement that all diseases, all conditions deserve the same high standard of protection. And it's incredible important that records be comprehensive if one is doing epidemiological or other research using archival records. If patients can select for some parts of their records to be withheld, then studies will be biased and we won't learn the kind of information we really need to learn, in some cases in those populations we most need new data.
SEN. JEFFORDS: I know this is a complicated area that intrigues me. We have act or we're trying to, we going to have records flowing all over the world, not just in this country. And how we arrange the system so that we can use it for the purposes intended and not breaches of confidentiality and all the problems related to it and I don't know how that gets done. I don't know enough about the technology but I do know it can do about anything you want if you have it set up right. But how it gets set up right, I don't know. And who should have the word on how it gets set up, but anyway I -- well we can ask you this Dr. Andrews. If all types of medical information, physical, genetic, and mental are subject to identical confidentiality standards, how will you suggest protecting sensitive mental health records?
DR. ANDREWS: I'm not sure I understand why that information that would normally be collected in the medical records should be treated any differently than HIV status or someone's diabetes status or hypertension, as long as the records are very well protected.
SEN. JEFFORDS: I think the reason I ask that the one that concerns the public most is the mental health record. They're adamant that they should have -- well almost super confidentiality as to information in the mental health area, even compared with AIDS. But how do we handle that? Anybody have any ideas?
DR. JAMES: I'd say that it gets the same level of protection as the whole record, which means that you use it strictly use to know to deliver health care to the patient or understand how to run a health care delivery system to improve actual execution of care delivery. That it is an interesting topic because this is one of the few areas where you have a legitimate reason for refusing to show a patient a medical record in certain limited circumstances, as with mental health data and that's a more interesting aspect of it, is when you choose not to reveal to a patient as opposed to as a general policy always making a medical record available to a patient, because, sometimes it can do act of harm, to reach confidentiality the other way, active harm to the patient by sharing a professionals evaluation of their mental health status.
 
SEN. JEFFORDS: Ms. Feldblum.
DR. FELDBLUM: Our proposal is to have strong standards for all information, so in fact in that we agree. It just might be that in some situations, if in fact that standard is not going to be as high as we want for everything, then I think we need to have a discussion about whether there needs to still be that high standard for mental health, HIV records, et cetera. I mean I think your carve out for mental health and HIV in terms of preemption, I think reflects and understanding that states have already struggled with this. I mean, I think we would hope that you could craft a law that in fact gives appropriate protection for all information, and we don't have to get into this divide, you know, aspect. But I think that's really going to depend on the law that gets crafted.
SEN. JEFFORDS: Thanks.
(Laughter.)
DR. JAMES: Just in passing, one way you could do it, for example, is you could designate a proportion of an electronic record. You can't do this with paper record. I should say that in terms of protecting subsets of information, it's very difficult to do with that paper record and not have it just disappear entirely. With an electronic record you can classify a portion of the record as mental health information, and then you could only allow access to mental health professionals, or designated attending physicians, or people at the designated attending physicians says need access to those data. And that's how you would handle it, is by having some mechanism of identifying people who could say, okay, that portion of the record doesn't exist unless you have this particular authorization, and then on a per-patient basis to identify people with that authorization. That's how you'd build it.
REP. JEFFORDS: Well, thank you all. I reserve the right for all the members to submit questions in writing to you for the next two weeks. And you've been extremely helpful, although I always come away more concerned than relieved when I get you all together. But, excellent testimony and thank you very much.
 
END


LOAD-DATE: February 27, 1999



Previous Document Document 121 of 124. Next Document

FOCUS
Search Terms: medical w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
   
About LEXIS-NEXIS® Congressional Universe Terms and Conditions Top of Page
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.