Copyright 1999 Federal News Service, Inc.
Federal News Service
FEBRUARY 24, 1999, WEDNESDAY
SECTION: CAPITOL HILL HEARING
LENGTH: 18035 words
HEADLINE:
HEARING OF THE SENATE HEALTH,EDUCATION,LABOR & PENSIONS
COMMITTEE
SUBJECT: PROTECTING MEDICAL RECORDS PRIVACY
CHAIRED BY:
SENATOR JIM JEFFORDS (R-VT)
WITNESSES:
GARY
ELLIS, DIRECTOR, OFFICE OF PROTECTION FROM RESEARCH RISKS,
NATIONAL
INSTITUTES OF HEALTH
BERNICE STEINHARDT, DIRECTOR, HEALTH SERVICES QUALITY
AND PUBLIC
HEALTH ISSUES, GENERAL ACCOUNTING OFFICE
BRENT C. JAMES,
EXECUTIVE DIRECOTR, INSTITUTE FOR HEALTH CARE DELIVERY
RESEARCH,
INTERNATIONAL HEALTH CARE
430 DIRKSEN SENATE OFFICE BUILDING
WASHINGTON,
DC
9:30 AM FEBRUARY 24, 1999
BODY:
SEN.
JEFFORDS: The Committee on Health, Education, Labor and Pensions will come to
order. Today is the Health and Education Committee's first hearing of the 106th
Congress on the subject of medical records privacy. This hearing is a part of
our committee's ongoing process to address one of the most pressing issues
facing our health care system. During the 105th Congress the committee held four
hearings on the privacy of medical records and genetic
information, and how this issue affects health care providers,
payers and consumers. Today, we will be examining the relationship between
scientific research and the privacy of protected health information.
On the
eve of the 21st century we find that medical technology in America has grown by
leaps and bounds. In the last few decades technology advances have increased the
quality of the collection and the administration of medical information. Many of
these technological changes contribute to better and more efficient health care.
Information technology also allows physicians and other providers to share
valuable information where no means of communications previously existed.
The new wealth of information and the ease at which it can be obtained has
opened many doors to researchers. With vast new resources America's world
renowned research capabilities are expanding, and we have come to enjoy more
breakthroughs and lifesaving medical advances. The improved access to this
information does not come without risks. We, the consumers, often don't know
with any certainty who has access to our private records. The establishment of
large computer databases, some with millions of patient records, has not only
allowed for new medical research, but has increased the potential for misuse of
private medical information.
Under the current regulations provided by the
federal policy for the protection of human subjects, 1991, known as the common
rule, research that is federally funded or regulated through specific federal
agencies must be reviewed by an institutional review board for the purpose of
insuring adequate protection of subjects against risk, and assurance of informed
consent.
Last summer, in response to questions surrounding confidentiality
protections in research settings, my colleague, Senator Dodd and I, requested a
GAO report entitled, "Medical Records Privacy, Access Needed for Health Research
but Oversight of Private Protections is Limited." That's what today's hearing
will focus on.
I hope that this report will be an important resource as
Congress considers proposals to insure the confidentiality of medical records.
The report addresses the following questions. How well do institutional review
boards insure the confidentiality of protected health information? Two, to what
extent is health research conducted that is not subject to the federal policy
for the protection of human subjects? And three, to what extent do health
researchers who conduct research not subjected to federal protection establish
and maintain safeguards for health information? And four, what is needed for
personally identifiable information in various research settings.
Early next
month I will join with my good friend, Senator Dodd, in reintroducing a revised
version of S 1921, the Health Care Personal Information Non-Disclosure Act of
1998, the Health Care PIN Act. This legislation will establish necessary
national standards to protect the confidentiality of each American's medical
records. The hearing will follow the committee's usual format. Each of the
witnesses will speak for five minutes, though I'll give GAO a little bit longer,
as I am sure they have more important things to say than you do in five minutes,
but anyway, and each member will have up to five minutes per round for
questioning. The hearing record will remain open for two weeks and any written
statements and questions for the record should be submitted within that time
frame.
Let me say that we have votes starting at 9:45, so it's my intention
that we will probably continue here until the last possible moment, around 9:55
or so, and come back. So, with that, I would - Senator Kennedy.
SEN. EDWARD
M. KENNEDY (D-MA): Thank you very much, Mr. Chairman. I'd put my whole statement
in the record.
As you suggest, this committee has been enormously interested
in the protections of human subjects. We had extensive hearings in the early
1970s, with the sterilization of the (Ralph ?) girls, the deproprevera abuses
that took places in Tennessee. We did the hearings, the initial hearings on the
syphilis studies that were taking place in the southern part of our country, and
we developed legislation in 1974 for the protection of human subjects that
worked very well, until 1980, then it got caught up in the politics of the
issues on abortion, and the make-up of the board then became completely
politicized and that effectively ended what had been an enormously successful
panel of ethicists and others who issued their recommendations in the Federal
Register. That's all they did. And virtually all the various agencies of
government accepted them without really a difference. It was one of the really
significant - important - without any regulatory requirements, because of really
the thoughtfulness that it went through.
We've had other FDNIH boards that
have been established to try and sort of be - review some of these matters. But
what we have seen is this growth of research that has taken place in the private
sector. And what we've also seen is the mix in terms of the exchange of various
medical records, which has now, in many respects, we get more protection from
Blockbuster movies than we do protecting our medical records. People know this
and it's having an enormously dampening effect in terms of the willingness of
people to involve themselves in very important research, very important, that
can be life saving in many kind of instances.
So, this subject matter,
although it can look like it's talking about issues of confidentiality, can talk
about issues of privacy, is of life saving importance to millions of our
citizens and we want to try and get it right, and there are a number of
different approaches that have been introduced. Our colleagues and friends,
Senator Jeffords, Senator Dodd have approached - Senator Leahy and I - an
approach which is basically going to try and establish a floor in the various
states, because states moving in trying to provide different kinds of
protections. And then, we have the industry who wants preemption in terms of all
the states, but they have one common kind of rule that they can sort of deal
with in all of this.
So, these issues - we will be dealing with a lot of
important items in the course of this session of Congress, with Medicare and
Social Security, but this one here is of enormous importance and incredible
significance and we really want to try and get it right. And as always, our
colleagues, Senator Jeffords, Senator Dodd have provided important leadership in
getting our GAO to try and review these matters and make them available to them,
will be very valuable to us in the Congress to have a chance to review them with
you and then to be calling on you as we develop this legislation. We very much
appreciate your being here this morning and we look forward to your testimony. I
thank you.
SEN. JEFFORDS: Senator Kennedy and I are trying to see who can
sound the worst in our post-impeachment relapses.
(Laughter)
He wins
this morning's contest.
Senator Reed, pleased to have you with us.
SEN.
JACK REED (D-RI): Mr. Chairman, I have a fine voice this morning. I kept quiet
during the impeachment. But this is a very important topic which touches upon
our ability to conduct research successfully and also to protect the privacy of
American citizens. So, I applaud your efforts and I know we'll be engaged, and
the clock is ticking too, because if we don't move aggressively this, the next
few months, we might be usurped by the Secretary of HHS.
I hope we can move
quickly and I would reserve any other time to later in questioning. I thank you,
Mr. Chairman.
SEN. JEFFORDS: Thank you.
We shall be hearing from two
distinguished panels of witnesses this morning.
Our first witness this
morning is Dr. Gary Ellis, is the director of the Office of Protection from
Research Risks, OPRR at the National Institutes of Health, NIH. His office has
primary responsibility within HHS for developing and implementing policy,
procedures and regulations to insure the protection of human beings involved in
research. In addition, Dr. Ellis chairs the interagency Human Subjects Research
Committee, which coordinates implementation of the federal policy for protection
of human subjects, the common rule.
Dr. Ellis has a strong background in
experimental research, which includes a Ph.D. in biological sciences, and three
years of post doctoral research training. Dr. Ellis, we are pleased to have you
with us this morning, and please proceed.
MR. ELLIS: Thank you, Mr.
Chairman.
SEN. JEFFORDS: Let me, again, since Senator Reed is here, we are
going to go until about 9:55 and go over, we'll have two votes, and then come
back after that.
Please proceed.
MR. ELLIS: Thank you.
My name is
Gary Ellis, I am the director of the Office for Protection from Research Risks,
the NIH office that implements the Department of Health and Human Services
regulations for protection of human subjects. I also chair the interagency Human
Subjects Coordinating Committee.
With the General Accounting Office
delivering its report this morning on medical records privacy, I am pleased to
appear before the committee to describe the federal system of protection of
human research subjects, referenced in the GAO report. This year, as Senator
Kennedy indicated, marks the 25th anniversary of the formal promulgation in 1974
of the Department of Health and Human Services regulations for protection of
human subjects research, and enactment of the National Research Act. In 1991,
the core HHS regulations on informed consent and institutional review boards
were formally adopted by more than a dozen other departments and agencies that
conduct or fund research involving human subjects, as the so-called common rule.
Today that 1991 federal policy is shared by 17 departments and agencies
representing most but not all of the federal departments and agencies sponsoring
human subjects research.
In addition, certain federally-sponsored and much
privately- sponsored research is subject to the regulations of the Food and Drug
Administration. FDA regulations and the provisions of the common rule are
largely congruent with some differences.
While the common rule defines
research as a systematic investigation designed to develop or contribute to
generalizable knowledge, the common rule defines human subjects as a living
individual about to -- an investigator conducting research obtains data through
intervention or interaction with the individual, or identifiable private
information. Private information includes a medical record.
What human
subject research applies beyond the protections of the common rule and FDA
regulations? There can be no definitive answer as the bounds of this domain are
unknown, frankly, and there is no systematic collection of such data by anyone.
Now, through allegations reported to OPRR, the office is aware of instances
of human subject research not (safeguarded ?) by the common rule or FDA
regulations. OPRR has identified human subject research conducted in the absence
of federal protection at some universities not receiving federal research funds,
some envitro fertilization clinics, some weight loss or diet clinics, some
physician offices, dentist offices, or psychotherapist offices, some corporate
health safety and fitness programs, and some tests.
At this point time
doesn't permit me to describe the allegations in detail, but let me say, though,
that once OPRR determines that it has no authority or jurisdictions or is unable
to pursue such matters as human subject research.
Recognizing the
substantial volume of research that lies beyond federal regulations, OPRR has
worked with several hundred institutions receive HHS research dollars, to
broaden human subject protection. At present, OPRR holds some 430 formal written
pledges that cover more than 700 research institutions in the United States and
Canada, which at the Voluntary Election Research Institution, commit all
activities at the institution, irrespective of funding source to the HHS human
subject regulations. OPRR deeply appreciates the willingness of these
institutions to choose this voluntary protective option.
The GAO report this
morning on medical records privacy reminds us that breeches of confidentiality
of medical records can do serious social harm to individuals. Harms include
embarrassment, disruption of family live, loss of employment, loss of insurance
coverage. These harms are real harms that cause pain and suffering as with
physical injuries. They ruin people's lives. In conducting research using
identifiable medical records, social harms must be given as much consideration
as physical harm. With regard to privacy, the common rule makes two limited
references to privacy and confidentiality. First, the regulations direct
institutional review boards to determine that when appropriate there are
adequate protections to provide for the privacy of subjects and to maintain the
confidentiality of data. IRB responsibilities are of course much broader than
just this.
Second, the informed consent process requires a statement
describing the extent, if any, to which confidentiality of records identifying
the subject will be maintained.
In summary, our enduring and vigorous
federal regulations for protection of human research subjects are designed to
prevent physical injury, psychological injury and harm to the dignity of
research subjects as biomedical and behavioral scientists pursue new knowledge
for the common good. We are always interested in improving the system to make
research as safe as it can possibly be.
In the final analysis, research
investigators, institutions and we are stewards of a trust agreement with the
people who are research subjects, research subjects who are safeguarded by the
common rule or FDA regulations. We have in place a system that minimizes the
potential for harm, enables and protects individual autonomous choice and
promotes the pursuit of new knowledge. By doing so we protect the rights and
welfare of our fellow citizens who make a remarkable contribution to the common
good by participating in research studies. We owe all subjects, all of them,
irrespective of funding source, our best efforts. Thank you.
SEN. JEFFORDS:
Well, thank you.
Next I am happy to introduce Ms. Bernice Steinhardt, the
director of the Health Services Quality and Public Health Issues Group in the
General Accounting Office, GAO. Her group oversees the programs of various
agencies including the Food and Drug Administration, FDA; the National
Institutes of Health, NIH; the Health Resources and Services Administration; and
the Centers for Disease Control and Prevention, CDC.
Before she joined GAO
in 1989, Ms. Steinhardt's professional experience encompassed a variety of
public policy issues affecting energy, natural resources and science. Her career
includes service at the Department of the Interior, where she worked as a
special assistant to the assistant secretary for energy and minerals, and at the
President's Council on Environmental Quality.
Ms. Steinhardt, thank you for
being here and we will be leaving here in about nine minutes, so I am going to
give you all nine minutes.
MS. STEINHARDT: Okay. Thank you very much, Mr.
Chairman, Senator Kennedy and Senator Reed. We appreciate very much being
invited here today to report to you on our study. At your request we explain
something about how private organizations are using medical records for research
and the kinds of oversight and safeguards they employ to protect the
confidentiality of the information.
We surveyed about a dozen organizations
including managed care organizations, pharmaceutical, biotech companies,
companies with health related information about hundreds of thousands, and in
some cases millions of people. We wanted to find out what kinds of research they
conduct with medical records, the extent to which they rely on personal
identifiers, the extent to which their research is subject to IRB review, and
the extent to which they apply internal safeguards to limit access to records.
What did we find?
First, we found that a considerable amount of health
research relies on personally identifiable information. Some studies need to
identify individual patients in order to link multiple sources of information to
answer specific questions, like for example, whether maternity patients benefit
from longer hospital stays. Other outcome studies need to be able to track
patients over time, to judge, for instance, the long-term effects of various
drug therapies.
Many of these organizations use records data for similar
types of studies, like evaluating the outcomes of treatment. Some of it is
subject to the common rule and some of it is not. And while some of these
organizations submit even their non-common rule research to IRB review, others
do not. Some managed care organizations, for example, consider some of their
research to fall into the category of community improvement studies, rather than
research, and they exclude these from IRB review. Others, though, consider these
same types of studies to be research and they do send them for IRB review.
Another type of research that does not come under IRB review for some
companies is research that uses disease or population-based registry data.
Pharmaceutical and biotechnology companies maintain these registries to monitor
how a particular population responds to drugs, and to better understand certain
diseases. While these companies send their FDA regulated clinical trial research
through IRBs, they don't send their registry-based research for review.
Finally, some of the companies we visited don't submit any of their research
for IRB review. Pharmacy benefit management companies, PBMs for example, may not
receive federal support, nor do they do FDA- regulated research, but they may
conduct research to develop and evaluate disease management programs, for
example.
It's important to understand, though, that the oversight provided
by IRBs give limited attention to patient privacy.
The common rule
regulations contain very general directions to IRBs, and IRBs tend to give less
attention to privacy protection than to other kinds of physical risks from
research. For record safe research, IRBs generally waive requirements to obtain
patients' informed consent, and in most cases they do a more limited review of
the research.
Setting aside the treatment of privacy, the IRB system on the
whole has weaknesses that we want to note. A 1996 report we did pointed out that
IRBs faced heavy work loads, competing professional demands, and other kinds of
pressures that make it difficult for them to carry out their work. A HHS IG,
inspector general report last year reached similar conclusions, that IRBs
reviewed too many studies, too quickly, and with too little expertise.
We
don't know what the consequences of these limitations are. No one knows how
often patient privacy has been breached in research projects, but our report
includes several examples of breaches that have been reported to OPRR, to Dr.
Ellis' office over the years, and they highlight the potential for problems to
occur.
In terms of internal safeguards, we were generally impressed with
what we saw at the companies we visited. Most of the companies we visited have
written confidentiality policies on access to personally identifiable
information, although not all of them did. Companies also told us they use a
number of electronic measures like encoding and encryption to mask personally
identifiable information, and they use both electronic and physical means to
limit access.
So, what did we conclude from all of this?
As I said, we
were generally impressed that the companies we surveyed seemed to have
reasonable internal safeguards for protecting the data. On the other hand,
external oversight of their research is limited and it's not clear that the
current system could accommodate more extensive review responsibilities. So, as
you contemplate providing IRBs with new responsibilities, we think it's
important that you take into account the constraints on the existing system.
With that, I'll conclude my remarks and look forward to your questions.
SEN. JEFFORDS: We will defer the questions until we come back. We
have a vote now and there will be a vote immediately after.
(Recess for
vote)
SEN. JEFFORDS: Thank you for your patience. I think we will be
uninterrupted for a while, anyway.
Dr. Ellis, let me start with you. What
sanctions are enforced by the Office of Protection from Research Risks when
breaches of confidentiality are determined?
DR. ELLIS: The only authority
that our office has under HHS regulations is prospective. We have no reach-back
authority. There is no punishment. You used the word sanctions. There is no
fine, there is no criminal penalty for breaches of privacy and confidentiality
in research. The sanction, if you want to use that word, is that in the extreme
our office has the authority to lift the formal written agreement that our
office has, we call it an assurance, of protecting human subjects at the
institutions, and absent that assurance no Health and Human Services research
dollars can flow to that institution. That's, if you want to call it, the
ultimate death penalty from our office, is lifting the assurance that an
institution has for protecting the rights and welfare of human subjects.
SEN. JEFFORDS: Under the common rule, that is under your jurisdiction, what
recourse do individuals have if their privacy rights have been abused?
DR.
ELLIS: Well, these complaints do come from time to time, and an individual can
address the institution, the research institution, go to the institutional
review board, go to the institutional official. The individual can come to our
office, and again the best we can do to redress the individual's grievance is
usually to work with the institution to make sure it doesn't happen again.
SEN. JEFFORDS: Now suppose harm were to come from that breach. Do you know
of any other rights they have under law?
DR. ELLIS: I am not an attorney. I
am going to assume that they have rights under the torts system to pursue their
grievance, but you're beyond my area of expertise.
SEN. JEFFORDS: What would
be the effect of extending the common rule to cover research? What would be the
impact on the existing IRB system?
DR. ELLIS: If by your question you mean
extending the common rule to cover all research, meaning - including the
research that it doesn't currently cover, my answer as director of the office
that protects the rights and welfare of human subjects is that our fellow
citizens who are subjects of unchecked human experimentation - human
experimentation that is currently beyond the rule would then have the full
protections of institutional review board review and informed consent where
appropriate.
SEN. JEFFORDS: What would be the effect of extending the common
rule law - scratch that, I'm sorry.
Ms. Steinhardt, can you elaborate
further on the internal confidentiality policies that exist within the
organizations that you investigated? Were you able to obtain written copies of
their policies and do you have any information on the enforcement of these
confidentiality policies? You said yes to the first question, go ahead.
MS.
STEINHARDT: We were able to get copies of the written policies of most of the
companies that we visited, but as we point out in our report, two of the
companies did not have any written confidentiality policies, and two of them
didn't provide us - two that said they did, didn't provide them to us.
I
think we were impressed with the kinds of internal safeguards that we saw, or
that we heard about, but we don't know whether they are actually followed. We
don't know how well these policies are carried out, we don't know how effective
the various measures that the companies have in place are in actually protecting
the information, so that was a limit.
SEN. JEFFORDS: Was there any organized
way for people to understand the policies and their ability to complain?
MS.
STEINHARDT: Well, in some cases the policies were made available to patients,
for example, but not always. Sometimes the policies really were directed towards
employees and what the company's expectations were of them.
SEN. JEFFORDS:
Can you elaborate further on the internal confidentiality policies that exist
within the organizations that you investigated? Were you able to obtain written
copies of your policy?
MS. STEINHARDT: This is the question that we were -
SEN. JEFFORDS: Just talking about. Right. Yes.
Based on the
organizations that you visited, how much of the research that is being done
requires the use of personal identifiers?
MS. STEINHARDT: A fair amount is
dependent on personally identifiable information, largely to be able to link
different data bases in order to answer the questions that the researchers have
posed.
SEN. JEFFORDS: You point out that there are differences in how
different organizations treat quality improvement activities. From your analysis
should they be considered as research? MS. STEINHARDT: This is a real bone of
contention, I think, within these organizations. But frankly it's hard to see
how one can draw a bright line. These are all studies that are conducted,
applied research you might call it, to manage health care, and they are asking
research questions to be able to determine the most cost effective, the best
outcomes of care. Sometimes they call it quality improvement, sometimes they
call it research. I think the real issue is whether there is a risk involved in
- to patient privacy in the use of the information.
SEN. JEFFORDS: You say
in your report that the actual number of confidentiality breaches is not quite
known, and you cite only a few cases. Isn't this evidence that the current
system is working quite well?
MS. STEINHARDT: We didn't mean it to indicate
any evidence of the incidents of problems. No one knows, really, how many cases
of violations of privacy there have been in research. These were only the cases
that came to the attention of Dr. Ellis' office.
I think the current system
probably works better than no system at all. I think there is certainly
agreement about that. The question is, could it be better? These are examples of
where information became disclosed and it shows opportunities, potential for
harm in a system where there is no oversight.
SEN. JEFFORDS: Senator Dodd,
my companion in this effort. Pleased to have you here.
SEN. CHRISTOPHER DODD
(D-CT): Thank you, Mr. Chairman. I apologize for not being here at the outset.
We had, Senator Bennett and I are chairing the Committee on the Year 2000
Problem, which people are becoming more and more aware of, and we were both
asked to open up a hearing on the Armed Services Committee, looking into the
issue of national security implications of the year 2000 problem. The General
Accounting Office, by the way, which I referred to this morning, you're an
excellent study done on analyzing the various agencies of the federal government
and how well they are meeting the compliance deadlines. So, I apologize to you,
Mr. Chairman and to the witnesses and others that I wasn't here at the outset of
this, but I am once again pleased to be joining my colleague from Vermont in a
broader effort here of taking a good look at the issue of confidentiality and
privacy and I have some remarks I want to share because this is an issue I care
deeply about.
I was, I guess maybe I shouldn't have been, but of all the
issues in my state that we asked people about, in terms of where they put the
level of importance or significance, the wide range of issues on education, tax
cuts and so forth, the issue that had the most resounding response in my state
of any issue, were people's rights to privacy when it came to
medical information and financial data. It just blew every
other issue by 20 points off the charts. This issue really strikes very closely
in the hearts and minds of just virtually every American. They are concerned
today with technology, the Y2K issue in a sense, the amount of technology,
computer information, the sharing of that information and what people can do to
discriminate in hiring, insurance is profound.
And so, I think what we're
doing in this area, Mr. Chairman, I know that some of these questions really
need to be examined carefully as to how we proceed, some of the most important
work I think we can do in this, the 106th session of this Congress is to deal
with the issues of privacy and particularly in the area of health care, and so I
want to thank you for one, allowing me to join with you on the request for the
study, the GAO report, and I am a big, big fan of the General Accounting Office.
They do such a fabulous job. It's a great, great resource for the country and
we're tremendously grateful to them for their efforts, and for your work on this
as well, and having a hearing on this topic, it's almost, Mr. Chairman, like a
scenario from some science fiction novel, I guess, in a way.
At this very
moment, while we are sitting here this morning, in this committee hearing room,
hundreds of millions of bits of information, literally hundreds of millions of
bits of information about the medical condition of each one of us is being
transported, stored and sorted, and analyzed in research data bases all over the
nation. To some Americans this byproduct of technology and a more integrated
health care system is a thrilling advance in research, and in many ways they are
absolutely right. For the first time vast amounts of data about the outcomes of
different treatments can be channeled back to providers to improve the ability
of their patients to be healthy and to be cured. And for the first time, large
scale, long-term studies of drugs and devices can be readily constructed and
used to enhance their safety and the efficacy for patients. So there are
tremendous advantages to this technology explosion, this collection of
information and data. To others, of course, the same situation is one with
staggering potential for exploitation and abuse. They fear that widespread
sharing of medical records without appropriate safeguards, even in pursuit of
admirable goals, research goals, increases the likelihood that damaging
information can be used to discriminate in health care, employment and as I
mentioned, insurance.
In fact, concerns that this information is not being
adequately protected from misuse has led some patients to avoid full disclosure
of mental health and other sensitive conditions to their physicians and to
unnecessarily forego opportunities for treatment, in effect negating the
benefits of this new technology.
In considering broader medical privacy
legislation, one of the challenges that this committee and the Congress, the
country in effect will have to reconcile are two perspectives, weighing the
public good derived from health research with the privacy interests of
individuals. It's not an easy question.
Senator Jeffords and I have been
grappling with this for some time, beginning with work on S 1921, the Health
Care Personal Information Non-Disclosure Act, which we introduced a year ago and
we will reintroduce in a few weeks, and we are hopeful that the testimony that
you are going to provide here for us this morning will help us to better address
complex issues and modify the proposal introduced if what you suggest is
worthwhile.
As most of us are aware, as a result of work begun by this
committee 20 years ago, and my colleague here, Senator Kennedy, has done so much
in so many of these areas here, brings a wonderful wealth of knowledge, but also
just the institutional memories of what went on as we drafted legislation back
some time ago, research that is federally funded or is being conducted as part
of the FDA application is subject to review by institutional review boards,
which must adhere to federal guidelines for the protection of human subjects.
Questions have been raised about the adequacy of these IRB oversight,
generally in the level of attention that IRBs pay to privacy, risks, in
particular. However, it is important to note that IRBs are currently the only
mechanism providing an external review of risk, to research subjects using
independent guidelines. And however we continue to grapple with the adequacy of
protection for patients in this type of research, we must also determine how to
address the lesser known world of medical research that falls outside of the IRB
review, something I know, Dr. Ellis, that you have talked about. What qualifies
as research and what doesn't, and I realize that's an emerging controversy as
well.
Today's hearing was convened to give us that viewpoint. Mr. Chairman,
once again I am very grateful to you for holding these hearings, and again to
the GAO for your excellent study, which is going to be very helpful to us as we
proceed with our legislation. But again, Mr. Chairman, I want to tell you how
much I enjoy working with you on these issues and I -
SEN. JEFFORDS: You
have been most helpful to me, and if you have any questions, the floor is yours.
SEN. DODD: Yeah, I mean just a few, and I wanted to - in fact I made the
point, Dr. Ellis I'll start with you, that - you note that some research does
not operate under the guidelines of the common rule, simply because the
investigators don't consider their activities to be research. And I wonder if
you could maybe elaborate a bit more on what kind of activities these are and
how does their definition of research differ from yours?
DR. ELLIS: Sure.
I'll give you an example. Maybe that's the best way to do it and make it less
abstract. And I need to truncate this story because I don't want to further the
breach of privacy that you will see that occurred in this story.
A middle
tier university, not a university receiving research dollars from the Department
of Health and Human Services, the faculty member conducting research in English
composition, so the item of interest, of research interest to this faculty
member is how does a psychotherapist take a note from a patient that the
psychotherapist is seeing?
The patient may say to the therapist, "Gee, I
thought of killing myself." And the psychotherapist now has a choice in how to
take this note. Does the therapist say, quote, "I thought of killing myself,"
end quote, or does the psychotherapist write, "Patient has suicidal ideation,"
or other - there are an endless variety of ways to take the note. This is the
issue of research of the professor of English composition, how does a therapist
compose narrative to tell the story of the therapist's patient?
Well, the
professor conducts this research and goes to the relevant professional society
meeting, and on stage at the convention center in a major city presents this
research with the original note that the psychotherapist took, fully identifying
the patient's information, and it's handed out, this is a handout for the
audience at the professional meeting. This is very troubling. It is correct to
say that this human subject, the psychotherapist's patient is an individual, a
subject in unchecked human subject research. The current statutory authority
that we have in our country does not confer the protections, the federal
protections of institutional review board review before that research is done,
and informed consent on that most unfortunate psychotherapy patient.
That's
a sobering story. That's the kind of -
SEN. DODD: Did that actually happen?
DR. ELLIS: Yes. I did not make any of that up. I truncated some
of the details because I don't want to further the breach. Because you know, the
sobering part of the story is if this patient, who has had a troubled life and
tells the story, knew that this note is on display at the professional meeting,
that patient might take the patient's own life.
SEN. DODD: Ms. Steinhardt,
again I thank you and the GAO and the work they have done. You had a limited
amount of time to conduct this study and I guess that's actually what we do up
here, we want these things done yesterday and we're always impressed at how
effective you are in providing us with information.
But you were unable to
survey all types of organizations, obviously, in the limited amount of time,
that conduct their research outside of the common rule. What types of
organizations, other than those studied, do you think conduct this type of
research? And again, do you think these organizations and these entities have
the same capacity as those you studied to implement internal controls?
MS.
STEINHARDT: I think we were able to survey probably most of the types of
companies or organizations that use medical records for research. We may have -
we were able only to talk to a few in each category. We probably left out
fertility clinics. I think those were probably the other major category of
company that we know might use medical records data that we didn't get to. But
otherwise, I think we had a broad representation, broad but shallow
representation of organizations.
SEN. DODD: You did have a broad
representation?
MS. STEINHARDT: Yes. I think the companies that we talked to
represent a fairly full range of organizations that use medical records for
research. We just didn't get to talk to very many of them.
SEN. DODD: Let me
- could you describe the current IRB review process? You've described, rather,
the current IRB review process as not giving substantial attention to privacy
protection. To what extent and what manner is privacy considered by IRBs? I
should have asked that first.
MS. STEINHARDT: IRBs tend to view studies that
are done with medical records as involving minimal risk. They are paper records
that are not generally dealing with individuals directly where there is a
physical intervention as there might be in a clinical trial. So, these are
generally considered to be of minimal risk and they go through an expedited
review, and they typically waive informed consent, so it doesn't get the same
treatment as other types of research, typically.
SEN. DODD: Do you have
any particular suggestions for improving the capacity of the IRBs?
MS.
STEINHARDT: Well, in the study we did a couple of years ago, and more recently
the inspector general study, I think we shared concerns about the level of
training that is afforded to IRB members on just their work load. The inspector
general's office made recommendations to provide better training for IRB
members, and I think particularly given this area of privacy and
confidentiality, that would be of importance.
SEN. DODD: Are there some
other types - again, are there other reviews that are done in other areas that
you may have had a chance to judge as being - as good examples of how these
reviews could be conducted?
MS. STEINHARDT: I think a couple of areas where
it struck us that there might be a real need in paying attention to privacy
issues. It's not clear what the standards are. It would be helpful, I think, in
reviewing research for reviewers, to have a good understanding in what to be
looking for in the projects, what the opportunities for privacy breaches might
be. That's not necessarily something that they are well versed in today.
I
think it could be useful for any kind of oversight board, whether it's an IRB,
or some other type of mechanism for at least someone within that group to be
aware of opportunities to minimize the use of personally identifiable
information in research. Some of the organizations we met with have come up with
ways to do that themselves. It might be useful to have that kind of expertise in
a review board to extend to all types of research.
SEN. DODD: Mr. Chairman,
I have several other questions here but we've had votes and we may have a couple
more coming up, so let me just ask, if I can, to submit the additional three or
four questions I have to Dr. Ellis. Let me ask you just one, Dr. Ellis, and this
again, you may want to submit this answer in writing a bit, but I wonder if you
could just sort of outline the chain of responsibility, protecting the privacy
of individuals involved in health research. Could you do that quickly? DR.
ELLIS: I'll try and do that quickly. I think there are five, or six, or seven
layers of protection. Initially the transaction between the research subject and
the investigator, or the record, the medical record of the research subject and
the investigator, and this is the most important. This is where informed consent
takes place. This is the most meaningful layer of protection, a fully informed
research subject volunteers and says "Yes, I will assume whatever risk. I am
interested in the pursuit of new knowledge. Let's proceed."
Sitting above
the investigator is the institutional review board, and so this is a group, by
definition, of mixed perspective, that's important. It must be an individual not
affiliated with the institution in any capacity other than IRB service. And so,
the values of the community are brought in and the IRB prospectively reviews the
research plan and gives a green light or says here is a caution light, we need
some revisions, or rarely says - or in rare occasions will say "No, this is not
acceptable at our institution."
Sitting above the IRB is the institutional
official. The IRB, when it says "Yes, this research may be done under our
auspices," really is serving up a recommendation to the institutional official,
and the institutional official may still say, "No, we don't want it done this
way, or we don't want it done at our institution."
Then there is the funder
of the research. Ordinarily there is some sort of review of the science of the
research, and that review of the science can include review of human subjects
issue at the funder, by peers.
Then, there is the executive official at the
funding agency who makes the final decision upon the recommendation of the peer
review, will fund this or not.
Sitting on top of the whole process is the
United States Congress. Our office has certain jurisdiction and the Food and
Drug Administration has certain jurisdiction, so it's a multi-layered process of
protection, and we would say that the chances, the probability of a simultaneous
failure, catastrophic failure through six or seven layers of protection is
slight. It's non-zero. There are stories to tell here but it's very, very safe
to be a research subject because under the common rule or under FDA regulation
because of the years of experience and the evolution of the practices that we
have.
SEN. DODD: That's very helpful. And again, I was commending the
General Accounting Office. I would be remiss if I also didn't commend the
National Institutes of Health. You do a great job there as well.
DR. ELLIS:
Thank you.
SEN. DODD: Thank you, Mr. Chairman. Thank both of you
very, very much. I may have a couple of follow on questions. I am interested in
how much actual accountability occurs at several of those stops that you
mentioned, where people actually are going to make the review, or is it just
sort of a pass through, but I'll follow up on that.
SEN. JEFFORDS: Thank
you.
Ms. Steinhardt, I understand we'll be working with you continuously,
but with the HIPPA deadline that's fast approaching we're going to move forward
with legislation, but thank you so much, both of you, for your cooperation and
help in this very, very difficult area.
DR. ELLIS: Thank you.
MS.
STEINHARDT: As always, a pleasure. Thank you.
SEN. JEFFORDS: Our second and
final panel of witnesses today includes distinguished professionals in the field
of medicine and law.
First I would like to welcome Dr. Brent C. James, who
comes to us today from Salt Lake City, where he is the executive director of the
Institute of Health Care Delivery Research at Intermountain Health Care. His
organization is well recognized for its work in clinical quality improvements
and electronic clinical decision support systems.
Dr. James sits on the
boards of several not-for-profit health care institutions whose goal is
measuring and improving the quality and availability of health care services.
Dr. James, we're delighted to have you with us, and I think you will proceed,
and I'll introduce each of the individuals that are with us on this panel as
their time comes. Please proceed.
DR. JAMES: Thank you very much, Senator.
As you mentioned, I am a physician and vice president for medical research
at Intermountain Health Care. We are a system of 23 hospitals, more than 100
outpatient clinics, a total of more than one million covered lives through our
health plan. We've got 22,000 employees and roughly 1,400 key allied physicians,
400 employed in the (remainder ?) community-based positions.
We are a
charitable not-for-profit health care institution that supplies a little bit
more than 50 percent of all health care services in Utah. In some sense we
sometimes feel like we function as a public institution.
I came to IHC 13
years ago after a faculty appointment in bio- statistics at the Harvard School
of Public Health, primarily because of a desire to be closer to real patient
care and to the real action, and also because of a perception that Intermountain
Health Care had the best functional electronic medical record in the world,
which I think is largely true. We have been able to use that record to provide
some very substantial improvements in care over those intervening years. Just a
few quick examples.
We have used that system to reduce the number of drug
overdoses and adverse reactions, what's called an adverse drug event in the
patient, the single most common risk a patient faces while hospitalized, to
about 30 percent of its prior rate. In community acquired pneumonia, by
examining the way that physicians prescribed initial drugs, chose whether the
patient was hospitalized, and then the timing and delivery of those drugs
reduced the overall mortality rate by about (26 ?) percent. The first year we
did that in the 20 small rural hospitals where we started it, it saved about 20
lives. It also reduced the cost of care by about 12 percent, primarily by
avoiding major complications.
More recently, we have used those systems to
give feedback to physicians that treat diabetic patients. That has resulted in
about a 40 percent increase in (patients ?) treated to a non-deadly level. Let
me say that a different way. The major consequences of uncontrolled blood sugar
diabetes are blindness, kidney failure, amputation as the small vessels in the
hands and feet are damaged, and death. In a typical practice, about 30 percent
of patients will be managed to a normal blood sugar level. Using these systems
we have been able to increase it to over 70 percent. I actually have about 65
examples like that, that I could give you of specific areas where we have been
able to substantially improve patient care, nearly always accompanied with a
drop in cost.
As said, you need to know that IHC as an institution, has a
specific institutional policy, places the medical profession and nursing
profession's ethical constraint on patient confidentiality as a sacred trust. It
holds equal billing with our institutional dedication to excellence in patience
care. In that regard we support currently 12 IRBs scattered through our system.
We mainly use those IRBs, though, for protections from research risk, specific
protections from research risks. In fact, I can tell you from (practical ?)
experience, overseeing this for the IHC system, that I have not in 13 years seen
a major defect in confidentiality happen on the research side of our system. On
the other hand, every year we fire a number of individuals and occasionally
remove physician privileges on the operating side of the system for breaches of
confidentiality.
Now, in no case has one of those actually resulted in
direct harm that we have been able to detect. We fire people for looking at the
wrong records, and have a system that functions to that level.
About five
years ago we began to systematically experiment with the best way to do that
within our system of care delivery.
The mechanism that we found most
useful by far was something that Dr. Paul Clayton of the American Medical
Infomatics (ph) Association called a data review committee. It has a very
similar structure to an IRB, but we added some extra elements. In fact, all of
our IRB chairmen sit on it.
We added line operations managers. Our data
review committee, which I chair, reports directly to our board of trustees. We,
in addition to reviewing specific studies in a limited range. It's our job to
recommend policy to the board of trustees, then to enforce and oversee the
policy.
One of the real problems that I think you will discover that we
face, and Senator Dodd mentioned it, is how you define research, or how you
distinguish operations, where actually most of the problems occur, from
research.
What we have discovered is that given the myriad of operations
that take place, I mean just regular health care delivery services in a big
system like IHC, they all happen at that operational level. We are far better
able to control that through policy. (We reserve ?) our IRBs to oversee true
research and then our data review committee specifically addresses those areas
that are in between, the gray zone in between where we have trouble
distinguishing those.
I would like to just close by saying that it's an
ongoing experiment. We think we're coming up with some pretty good answers, but
we think that probably that in this consideration we ought to think about the
operational side as well as the research side of patient confidentiality and
privacy protection. Thank you.
SEN. JEFFORDS: Thank you for an excellent
statement.
I am next pleased to present Professor Chai R. Feldblum, who is
both founder and director of the Federal Legislation Clinic at Georgetown
University Law Center. A graduate of Harvard Law School, Professor Feldblum has
had an illustrious legal career including clerkships for Judge Frank Coffin (sp)
on the First Circuit and Justice Harry Blackmun of the US Supreme Court. Having
been the lead lawyer negotiating the drafting provisions of the Americans With
Disabilities Act of 1990, on behalf of the disability community Professor
Feldblum is widely regarded as the leading expert in disability law. Thank you
for being here. We very much look forward to hearing your testimony. Please
proceed.
MS. FELDBLUM: Good morning. My name is Chai Feldblum. I am, as you
said, the director of the Federal Legislation Clinic, and part of what I teach
my students at Georgetown is how to speak law in English, so I hope I am able to
do that today in this testimony.
I am here today representing one of the
clients of the clinic, which is the Privacy Working Group of the Consortium of
Citizens with Disabilities, CCD. CCD is a Washington-based coalition of about
100 disability organizations and several of those organizations have been
working together for several years now on the issue of health privacy.
People with disabilities are vitally interested in privacy. Senator Dodd, as
you noted, this is an issue that resonates across the country. It absolutely
resonates for people with disabilities who interact with the health care system
more than most people, and who unfortunately, if their information gets out, can
be subject to discrimination.
In the area of health research, people with
disabilities vitally care that good research gets done. We want all of those
great outcomes that Dr. James just talked about. However, at the same time, we
are concerned that if there are inappropriate, unauthorized disclosures either
to researchers or by researchers, we could get hurt.
So, what we are
concerned about is that the current situation in which there is no federal
protection for privately funded research is unacceptable. And we're also
concerned, as the GAO report indicates, that in publicly funded research, there
is little consideration given to privacy, because the bottom line is that when,
as you, Senator Kennedy said, you are working on this, you were concerned about
risks, physical risks to human subjects. Privacy was almost an afterthought.
Well, it's not an afterthought now, so what do we do now?
The policy
question before you today is how can you best protect privacy in publicly and
privately funded research? Now what does the GAO report tell you?
I don't
think it tells you the answer. If it was, you would pay them even more, maybe.
But I think it tells you two things. One, that if you want to use the IRB system
you do have to address the current flaws in the IRB system with regard to
privacy. The current regulations are really not tailored to deal with privacy.
You would need to insure that those regulations are modified in some way.
Second, I think the GAO report tells you that you should be cautious about
just letting the status quo exist for privately funded research, where there is
no common rule governance, there is no external review, and while I have no
doubt that IHC, Intermountain Health Care is not where the problems are, you
have to pass a law that is going to address the entire United States of America
where there might be some privately funded research where there could be a
problem.
Okay. So what does CCD think you should do?
Here are our
proposals in research. First, as a general matter, we believe that if a health
researcher is dealing with live individuals, right, a prospective study, that
researcher must get the informed consent of the individual. The basic principle.
In every single federal privacy bill that all of you have introduced, and
that Senator Bennett has introduced, has an authorization section that would
apply, which is an authorization that cannot be conditioned on treatment or
payment, but that explains to the person where the information will be going,
what it will be used for. So, CCD believes that the norm for most research
should be informed, uncoerced consent.
Now, we do however, as I said, we
want good research to go on. And we realize that informed consent will not
always be practicable to obtain. For example, if a researcher wants to use a
database of medical information that's been collected over 10 years it might be
impossible to get informed consent from all the people in that database. Or if
you have stored blood and tissue samples where it might be quite difficult to
obtain informed consent. We believe that in those situations researchers, both
publicly and privately funded should have some avenue to get access to that
information without informed consent.
But we believe that researcher must go
through an IRB. And that is we believe that the current IRB system even with all
its flaws, which we think can be fixed, all researchers publicly and privately
should go through the IRB system. We do not believe that the funding of research
should dictate a different level or type of privacy protection. And we believe
that that IRB system should not simply rubber stamp the researcher coming and
saying, I can't get informed consent. But that researcher should number one,
have to explain why she or he needs identifiable information. Because lots of
research can be done without identifiable, but some as you heard this morning
needs identifiable, explains to the IRB why she or he needs identifiable
information and explains why it would be impracticable top get informed consent.
And then if the IRB says, yeap, you've got the go ahead, the IRB can still
require the researcher to have good safeguards in place so you don't have a
situation of the person then giving the handout with the psychotherapy notes.
Right, you might have needed identifiable information, how else can you see what
the issue was, but you don't need to give out that information. So, the IRB can
ensure their safeguards.
Finally, although we believe that the
IRB system is the one we should use, we are aware as I said of the limitations
with regard to privacy. We don't however, think that you need to revise the
common rule yourself, right now ion this bill. HHS is currently looking at the
system, currently revising the IRB system and we think you simply need to
indicate in the legislation that the secretary must also include a section, a
new section on confidentiality.
In conclusion, let me note that CCD has no
desire to create a system that is so protective of privacy that it makes our
nations biomedical and health services research enterprise unworkable. We of all
people do not want that result. But our work in this area over the past years
has demonstrated to us that strong privacy protection does not have to have that
result. In fact, our work on the federal privacy legislation generally has
taught us that the desire for privacy and the desire for an effective health
care system are not in conflict with each other requiring balancing of one
interest against the other.
To the contrary, as heavy consumers of the
health care system, we believe that privacy enhances that system, because it
enhances peoples confidence in that system. The same thing, we believe is true
in health care research. Strong intelligent coherent privacy protection enhances
research by increasing individuals trust in research enterprises. We believe our
recommendations in the research arena are indeed strong, intelligent, and
coherent and will create an environment in which an individuals right to privacy
is effectively protected and in which useful research is effectively supported
and encouraged. Thank you
SEN. JEFFORDS: Well, thank you very much. Our
final witness on our panel is Dr. Elizabeth B. Andrews., who directs the World
Wide Epidermiology Department of Glaxo Wellcome, based in Research Triangle
Park, North Carolina and Greenford (sp), England, professor of Epidemiology at
the University -- the North Carolina School of Public Health, and she
participates in several professional committees and panels concerned with the
fields of pharmacoepidemiology (ph) research -- sorry about that -- and you can
explain that one for me, and clinical safety.
Dr. Andrews, I appreciate your
appearing. Please proceed.
DR. ELIZABETH B. ANDREWS: Thank you very much,
Mr. Chairman, and members of the committee. I am Elizabeth Andrews. I am a
pharmacoepidemiologist and director of World Wide Epidemiology at Glaxo
Wellcome, a leading research-based pharmaceutical company. Thank you so much for
the opportunity to testify this morning on behalf of PHRMA (ph), the
Pharmaceutical Research and Manufactures of America, on the important issue of
federal legislation to protect the confidentiality of medical information.
PHRMA has developed a set of key principles for maintaining
confidentiality of medical information. Those principles reflect a commitment to
strong protections of patient confidentiality while ensuring the availability of
medical information for research and for the delivery of quality health care. A
copy of these principles is attached to my written testimony, which I submit for
the record.
We're encouraged that GAO's findings are consistent with the
widespread belief in the research community that researchers are doing a fairly
thorough job of protecting the confidentiality of patients while using medical
information in extremely important research concerning public health and health
care delivery. We also believe that GAO's findings provide compelling evidence
that the legislative approach taken in one of the bills introduced in the last
Congress, S 2609, Senator Bennett's bill, provides a promising framework for new
federal law that will protect the privacy interests of individuals.
First,
the GAO report acknowledges many uses of information and data in research that
required some type of access to identifiable information. Not all research can
be conducted strictly using anonymized records as we've already heard. Research
based on archival records with medical risks to the patients and with rigorous
safeguards of personally identifiable data should be encouraged, not impeded. In
my written testimony, I provided several critical examples of such research.
Second, the report provides examples of a variety of safeguards that are in
place in different types of organizations that undertake research outside the
federal system. The examples demonstrate clearly that many safeguards already
exist to protect confidentiality of identifiable patient information. Both the
Chairman's bill of the last Congress, S 1921, and the Bennett bill would have
established a uniform national requirement that organizations that manage health
data have strong safeguards for protecting confidentiality. Moreover, these
bills would have provided penalties for organizations that fail to adopt or
enforce those safeguards.
Third, the report provides a realistic picture of
the current IRB operations. IRBs provide a valuable function in protecting
patients from unnecessary research risks. However, they have neither the
expertise nor the capacity to review studies with respect to confidentiality
practices. We feel it would be counterproductive to institute new requirements
that they do so. Uniform national requirements for confidentiality protections
would offer more appropriate, more consistent, and more rigorous controls than
available through an expansion of the IRB functions.
The Bennett bill relied
on a mechanism that would have required each institution, including research
institutions, to establish safeguards, policies, and procedures for protecting
data that identifies patients. The Chairman's bill also started from this
premise, but did not develop it to address unique research issues. Instead, the
Chairman's bill added new IRB and informed consent requirements.
In PHRMA's
view, the process established by the Bennett bill is more protective of patient
confidentiality interests than the expansion of IRB review and informed consent
requirements. Such an expansion would have needlessly complicated the important
tasks already faced by IRBs, and would have harmed research by subjecting each
project, each hypothesis to burdensome review and consent requirements. As a
result, many important research projects would never have been investigated.
One critically important issue for any confidentiality legislation is that
we must draw clear distinctions between protected health information and
non-identifiable information. The legislation you introduced last Congress, Mr.
Chairman, defined protected health information so broadly that almost no
information could be characterized as non-identifiable. As a result, every piece
of health care date, whether or not it identifies an individual would be subject
to all of the federal restrictions and requirements applicable under the law,
including written consent, record keeping, access to review and amend and
notification.
With respect to patient consent, we support current federal
requirements concerning the informed consent of participants in interventional
research. We do not believe, however, that research projects using databases or
archives of previously collected information and materials should require
informed consent.
In many cases it may be impossible to gain consent.
Patients move, change health plans. They die. And given the extremely minimal
risk, the patients from research of this type requiring informed consent
increases the burden on researchers and patients, but does not serve to protect
the patient's confidentiality interests. There are better and more appropriate
ways of managing databases to safeguard the confidentiality of patients.
Mr.
Chairman and members of the committee, we look forward to working with you as
you continue your efforts and we stand ready to help in drafting legislation in
this Congress.
SEN. JEFFORDS: Thank you very much. It's very
helpful testimony.
Dr. James, you use the term sensitive in describing some
of the medical data. How is sensitive defined and who makes a decision as to
what information is sensitive?
DR. JAMES: The best way I could do that
probably is to give you a few examples. For example, information on HIV status,
mental health information, and reproductive history information, are some
examples of sensitive information.
The best we have for managing that within
our system is again through system wide policy. For example, we currently have
under discussion whether we segregate our electronic medical records and require
different levels of access to those portions of the record that contain what we
consider to be sensitive information for our patients.
I should say in
passing too, Mr. Chairman, that my 12 IRBs would be overwhelmed if I asked them
to take on that extra load right now in terms of taking on full confidentiality.
Our ability as a system to actually make that system work relies upon policy,
and you have to add a different element to it just to make it work.
That
same group can consider how to deal with sensitive information that quite
frankly goes beyond the purview of the expertise of IRBs at least as they're
presently constituted.
SEN. JEFFORDS: How would you know if the breach of
confidentiality occurred in health care? What steps would be taken and would the
patients affected be notified?
DR. JAMES: At least for a major proportion of
our system they'll have a full electronic medical record. We can only tell if a
breach of confidentiality has occurred usually if we have the electronic record.
We maintain full audit trail so that we can tell every instance of an individual
looking at a patient record for any purpose.
We not only use that to audit
access to data and look for instances when individuals are looking at data where
they shouldn't look. We also are just in the process of making that available to
patients themselves so that a patient I see can review every individual who has
looked at their record during any healthcare encounter within our system.
Usually, unless harm has occurred, we believe that harm has occurred, we
would not notify a patient. We would deal with that internally. I should tell
you that the vast majority of instances that we see are, were a nurse or a
position or a technician has chosen to examine the record of a neighbor or a VIP
who's in the hospital. Those sorts of breaches are the vast majority that we
encounter with our system. The vast majority, and we believe that those are the
research risks, quite frankly. SEN. JEFFORDS: What consent, if any, do you
obtain from patients to include their identifiable data in your research?
DR. JAMES: Any time a patient enters our system, they sign an informed
consent for use per data for direct patient care delivery for quality review and
quality improvement activities to access our system. If we're launching a
specific clinical investigation, a perspective interventional investigation, we,
of course, obtain consent before the patient actually receives that
intervention, so we really have two levels for dealing with that.
SEN.
JEFFORDS: Professor Feldblum, what do you think would be the impact of imposing
your suggested open standard of stop, think and justify every researcher?
MS. FELDBLUM: Well, for researchers who are going through the IRB system,
they're already coming to the IRB and justifying their research in terms of risk
to human subjects. All that this would do is add another element to the
conversation and I agree with what the GAO report says in terms of we're going
to need training for folks to understand how to have that conversation. But they
will then have to explain why is it that they need identifiable data for their
research and why is it impracticable to get informed consent. This isn't going
to be a complicated conversation. This is going to be a lot less complicated
than some of the conversation they're going to have with the IRB about physical
risks to their subjects. But it will be, as we term it, the stop, think and
justify moment. I actually do not think it's going to be that difficult for them
because they're coming, they should be coming to the IRB to deal with that
research in any event.
SEN. JEFFORDS: Since very little of what the IRB does
now addresses the confidentiality of medical information, how would you modify
the existing structure of institutional review boards, IRBs, to handle expanded
confidentiality activities?
MS. FELDBLUM: First, let me say in deference to
Dr. Ellis, who testified just right before, I think that that office would say
that, yes, we do, in fact, deal with confidentiality. And let's be clear there
is a piece in the IRB regs that says, number one, you have to get informed
consent of individuals and that's an important piece of telling people how their
information will be used. And it does say for medical records data, you have to,
at least, demonstrate to the IRB that it's not practicable to get informed
consent. It's just, in reality, it just happens very easily and very quickly.
But I would want to say they do believe that they incorporate confidentially.
So I think all we're asking for is an enhancing of that analysis. That is,
number one, not to just assume that when you use medical records data, it is
minimal risks.
As, Dr. Andrews', you noted in your testimony, there's
this assumption that, if it's just databases, its minimal risk. And if you look
at the definition of minimal risk in the IRB regulations right now, it defines
it as (sort of?) physical discomfort, physical risk.
Well, that's one type
of risk, but there's another type of risk, which is the risk to me of the
disclosure of that information. So the first thing I think the IRB regs should
do is broaden their view of risk, including the risk to confidentiality. And
then, the second piece is to require the researchers to explain to the IRBs why
they need the individually identifiable information. The GAO report indicates
neither the common rule nor any of these organizations that they may have lots
of great safeguards, they don't have that moment where they require the
researcher to explain why and in some cases, it will required and in some not.
That's the second thing to add to the IRB regulations.
The third is let
government learn from the innovation of the private sector. Let government learn
from what IHC has done. I mean, the GAO report notes a situation where in a
research state, in a research project, the computer programmer codes the
information, so then the researcher's only getting de-identified form. It's a
great idea. You know, then you have two people who will see my information, but
not the next 20 on the project. Let HHS, when it develops these IRB regulations
for confidentiality, get the information from GAO report and put in those
innovations.
SEN. JEFFORDS: Senator Kennedy.
SEN. KENNEDY: Thank you
very much. Let me, I think I have a good understanding of the problem about the
position. Let me just ask you just one question. In your written testimony you
indicated that the CCD recognizes that there's certain types of research, such
as research involving the large tissue banks where it'd be very difficult to get
informed consent. The common rule has a waiver for the informed consent
requirement in those situations. Now, would the CCD agree the common rule deals
appropriately with that type of research?
DR. FELDBLUM: No. Not at all. I
mean, we believe that right now the common rule unfortunately lists all medical
records, databases, all pathological specimen as involving minimal risks. They
all get this expedited review, expedited review means just the chairperson or
one person I the IRB committee can say, go ahead you can get all that
information without informed consent. One person gets to say that. We don't
think that's appropriate. We do not believe there should be a separate section
for tissue samples and medical records, databases that are soon to be of minimal
risks. We think they need to be looked at carefully.
Now we do still
recognize that some databases, some tissue samples, and not all, I mean some
tissue samples that were collected last month, there should not be a problem in
getting in touch with those folks and saying, can we use our tissue sample, as
opposed to something that was collected 10 years ago. See? So, that each of
these elements are looked at separately and carefully, that's what -- and thank
you for letting me clarify that in the written testimony.
SEN. KENNEDY: Dr.
James, I saw you raise your hand?
DR. JAMES: Just a quick comment. The way
that actually works in the real IRB, it's the IRB set policy what classes of
data can receive expedited review. The chairman can get expedited review or the
person that he's designated or she's designated for expedited review but then it
comes back to the full committee. It just comes back at a later date for review.
And it is still reviewed.
SEN. KENNEDY: Well, that's the, I mean if you two
have some difference on it, you can imagine how we feel about it up here trying
to work our way through it. But I think we want to, I think we flagged this.
Let me ask, Ms. Andrews, in your written testimony, you refer to the
research section in Senator Bennett's Privacy Bill. And while the Bennett Bill
addresses the research already governed by the common rule and analysis of that
health care records and medical archives it does not address the privately
funded health research involved in the human subject done outside of the FDA
regulation.
Dr. Ellis identified a number of the institutions including
privately funded research institutions in vitro fertilization clinics where the
research cares what human subject research protections currently exist in these
areas. How much of a problem, what do you think we ought to do about it?
DR.
ANDREWS: That Senator Bennett's Bill in the research section provides for the
common rule for things that are currently covered by the common rule, but for
archival medical records it would require confidentiality safeguards appropriate
to the individual institution, which may include research committees such as Dr.
James has mentioned. So, we feel that those protections offer higher standards
of protection for research that's done using existing, medical records where the
patient is not put at additional medical risks.
SEN. KENNEDY: What about
live human subjects?
DR. ANDREWS: We had not addressed, we had
focused our attention for PHRMA on looking at the issues of medical records
research rather than prospective interventional trials, which would normally be
covered by something similar to the common rule.
SEN. KENNEDY: Okay. Dr.
Feldblum, what's your reaction?
DR. FELDBLUM: Well, not all live human
subject research will be governed under the common rule, if it's not federally
funded or if there's not an FDA trial. So, that is still a problem for some
places. The second thing is to me that Senator Bennett's bill is only just half
the picture. It's putting in the safeguards. Well we want those safeguards, too.
It's just we want some external review body that can look to make sure that
these bill safeguards are in fact being implemented. That's all. Obviously the
safeguards are important, but in our view that's the second step of the
analysis. The first step is an external review entity that determines the
research is appropriate and then can have some oversight over those safeguards.
SEN. KENNEDY: And Dr. James, you don't think that that's necessary or that
the -
DR. JAMES: What I was really proposing was the way of implementing it.
I think we agreed upon the need. It's, the question is how you effectively
implement or make something like that happen and how should it be expressed in
legislation. I think that everyone has agreed that prospective interventions
with live humans is under IRB control. There's no disagreement about that. I
think current IRB structure and OPRR functions very well at that level. In fact,
I'd like to reserve my IRBs to focus on that absolutely essential function.
For us to handle large databases, we get into an interesting problem of what
constitutes research versus what constitutes patient care delivery and there is
a real risk that if we get too heavy-handed that we will limit good care
delivery and we need to be careful about that boundary. The best group that
we've found for dealing with that is not an IRB but kind of a super IRB. It has
to include institutional elements that can implement policy and enforce policy
with some meaningful structure within the organization. The IRB functions in
conjunction with that are side by side with that but I think it's a different
body than an IRB.
SEN. KENNEDY: Just see, Dr. Andrews, if I could, Mr.
Chairman.
SEN. JEFFORDS: Sure, go ahead.
(Cross talk.)
DR. ANDREWS:
I'd just like to comment that in the conduct of clinical trials of
pharmaceutical products and other medical devices, it is routine to subject
every study to IRB review and approval because it is an experimental
circumstance that is either governed by the IRB or it is conducted in
institutions who chose to use the common rule and it's also guided by good
clinical practice guidelines and there's an international network of regulations
and guidelines that govern the conduct of experimental studies of medicine.
SEN. KENNEDY: Thank you very much.
SEN. JEFFORDS: Senator Dodd.
SEN.
DODD: Thank you, Mr. Chairman. Again, my thanks to our witnesses. They're very,
very helpful.
And I think one of the things that, Ms. Feldblum, you
mentioned, is very worthwhile advice and that is to take a look at what the
private researchers are doing and technologically I hope HHS does look at that,
Mr. Chairman, or else maybe that's something we ought to recommend because as
you point out in many cases, of course, they're figuring out good ways of
collecting data and preserving the privacy interests of individuals and too
often I think we don't pay enough attention to how that's being done in a way to
enhance our own agenda on these issues.
Let me just ask you, Dr. James,
because you picked up on the notion this is not actually what is research and
again just in response to Senator Kennedy made some references to that. Dr.
Ellis gave us, gave me an example. What do you think of his example?
DR.
JAMES: In terms of a defect in confidentiality?
SEN. DODD: Yeah.
DR.
JAMES: That sort of research should have been IRB controlled and it's a clear
defect in research and it should have been taken care of. Can I give you another
example, though?
SEN. DODD: Sure.
DR. JAMES: - - I mentioned diabetes
and we have been able to include care for diabetics in our system. That relies
upon a registry. We keep a database; well it's part of our electronic medical
record of every diabetic treated within a practice that's up under that system.
That means that every time a patient who's diabetic comes to see their
physician, the system prints out a phase sheet that goes on the patient's chart
that reviews their diabetes history and status of control. It doesn't matter if
you come in for your cold or to have someone look at your sore knee or if you
come in for diabetes, it's always known.
The second piece is is we
fairly routinely generate reports for the physician as part of that electronic
medical record that lists his diabetic or her diabetic down on a list. And shows
who's late for their last blood sugar determination, who needs their blood
cholesterol, their lipid managed, how are they doing on blood pressure. Anyone
who needs to visit or needs tighter control is identified from the physician for
you to call those patients, bring them in, which is what commonly happens.
It's a series of thing like that that has enabled us to improve our level of
care. Now quite frankly I regard that as just good health care operations.
SEN. DODD: Well let me ask you this.
(Cross talk.)
DR. JAMES: He
classified that act to what he has researched.
SEN. DODD: Well let me ask
you this -- I understand that. It's a very good point. Do we ask, for instance
if I'm going to be part of a registry my consent that you could you my -- I'd
like to know whether or not as a patient here, whether or not that my
information is part of that registry, which would make a good case for. I'd like
to know that you've asked for my consent before that information is going to be
available. Is that asked for?
DR. JAMES: Well it is, but it is in a
particular way. The registry is actually your electronic medical record. All
that it requires is that we enter in your electronic medical record that you
have diabetes.
SEN. DODD: How about my consent to that information that is
here?
DR. JAMES: When you accept care within IHC, you sign an informed
consent agreeing that we can collect and maintain information for that
treatment.
SEN. DODD: Does that explain to the patient what means?
DR. JAMES: What I'll say is, is we believe that we're explaining
it, but they probably don't understand it the level that I understand it.
SEN. DODD: Yea.
DR. JAMES: But I don't believe that I effectively can.
SEN. DODD: Because I mean that's an important point to me. You make an
excellent point on terms of getting this stuff. I just want to -- I don't see
where this is a great problem. I mean to me. And tell me if I'm wrong on this,
but let's assume for a second you had to say to me, listen Senator, I want you
to know now as part of a registry here what this means --
DR. JAMES: Well
actually it's electronic medical record that we will maintain a medical record.
SEN. DODD: And do you give your consent that this information I'm collecting
on your diabetes, for instance --
DR. JAMES: Yea, what we use to treat you.
SEN. DODD: Yea, do I understand that information maybe shared with other
people --
DR. JAMES: It will be shared with the members of the care delivery
team just as a paper record is today.
SEN. DODD: Yea.
DR. JAMES: No
different.
SEN. DODD: How do you respond to this, Ms. Feldblum?
MS.
FELDBLUM: Well are really -- we're moving into different type of health care and
you know that's a good thing. I mean it's good in terms of what IHC is doing in
terms of people with disabilities. It does raise more complicated privacy
concerns. Here's pretty much how we feel about it at TCD. We recognize that
clinics, hospitals, have to get people's informed consent, their authorization
in order to do treatment and payment. And really although that's called a
consent, let's be real, it's consent under duress because you have to sign that
authorization in order to come get that treatment. So it's consent under duress,
but we're willing to live with that as a sys Now the question is when they're
doing more complicated disease management programs like this, do we want to say
that I have the right to say no. I don't want to be part of that brilliant
wonderful electronic system, because I just don't want to. Can I have the right
to say no to that and still get treated at IHC. Now that would be very difficult
for IHC. I've learned a lot in the last few years trying to lobby this bill and
I well understand that this would be very difficult for them. So you know at
CCD, we are trying to come up with a compromise to move from our position of
last year was we want to be able to say no and you know, that's it. It's
complicated though. And right now, your bill I think definitely I just want to
say and my legal reading of both at least the Jeffords- Dodd Bill not the
Kennedy-Leahy Bill would not really let somebody just opt out of that disease
management work.
REP. DODD: It's a very important questions and there're not
easily answered. What percentage of (farmers?) research fall outside of the IRB
requirement? Yes, do you have the number?
MS. FELDBLUM: I don't have the
number. I --
REP. DODD: Fifty percent, 40, 10?
MS. FELDBLUM: It's so
hard to know. There's an enormous amount of work that goes into clinical trials
in developing drugs. There's an increasing amount of research that (sets?)
things on to evaluate the safety of medicines as Senator Kennedy and Senator
Jeffords will hear this afternoon at another meeting by (room noise) regarding
drug safety.
We're doing an increasing amount of work with our records to
learn about the safety of medicines once they're in general use and patients who
are not studied in clinical trials. There's an increasing amount of research
that's being done to look at the cost effectiveness comparing different
therapies. It's really difficult to quantify --
SEN. DODD: I thought it
might be. (And I haven't asked yet, ?) because I want to be careful as well.
This is a whole new area here, and I want to -- if we're moving away from -- if
the effort is to find ways to move away from consent, and I'm not suggesting
that, that's another case, but some may argue for it, I think those trend lines
could be important. And I'd like to ask you to go back and see if you can't give
some quantifiable indication. I'd like to see what it's like, within, I'll say
the last five years or so. Is there some graph line -- are we moving -- are your
number of research projects that are non-IRB required growing or shrinking? I'd
like some indication of that.
DR. ANDREWS: I can tell you they're growing
tremendously. And even if we took the existing research now that's done with
archival records, I am convinced, it would totally swamp the current IRB system.
They're currently not set up to evaluate these kinds of studies. And that's why
we feel that it's important to set up additional safeguards using different
mechanisms to protect the confidentiality of archival records to a very high
standard.
SEN. DODD: I appreciate that.
Let me ask one thing.
This is such important stuff; I'm very interested in it. I'm curious again about
recourse to some extent. Again, the non-IRB -- you know, again, if you're not
giving your consent. I mean, to what extent, under your scenarios, does a
patient have some recourse if information gets out that you didn't want to have
get out. I mean, you really are -- in your case, Dr. James, and I again
appreciate immensely, I don't -- there's no feeling here that any of us up here
have any desire at all to want to impede, obviously the critical work that
you're doing. I mean, this is striking its balance. But, if information does get
out and it's not protected, what recourse do I have in that situation? Quick
answers if you can tell me.
MR. JAMES: Just a comment along the way.
SEN. DODD: Yeah.
MR. JAMES: You realize that I can protect data better
electronically than I can in paper form?
SEN. DODD: Yes.
MR. JAMES: You
understand that?
SEN. DODD: That's a very important point there.
MR.
JAMES: And so, when you talk about a registry that is available to more people,
that's simply not true. I have better control over who accesses the data in its
electronic form and, what you call, in its registry form.
SEN. DODD: Well,
that's why I think we said earlier about HHS taking a look at what you're doing
as a way to enhance greater privacy. The points well taken.
MR. JAMES: So,
that's an important point.
SEN. DODD: Well, what recourse do I have if it
does happen?
MR. JAMES: Currently the recourse with HIC (?), is if you were
harmed you would be able to use the regular tort system recourse. Alternative,
we try to stop those before they ever come to harm, needless to say.
SEN.
DODD: Yeah.
MR. JAMES: Because we don't want to be on the receiving end of
the tort.
SEN. DODD: I understand.
How about you, Dr. Andrews?
DR. ANDREWS: Well, first, if we have better safeguards then we'll decrease
the risk of those disclosures. If we have strong penalties, we'll have greater
incentive for compliance. And then there are some existing mechanisms like ADA
and Health Insurance Supportability and Accountability Act and Tort Law for
rights of individual patients who have been harmed.
SEN. DODD: (Off mike.)
SEN. INHOFE: That's all right.
Senator Murray.
SEN. DODD: Oh, hey
Patty, how are you?
SEN. MURRAY: Oh, I'm done here -- (laughter.)
Thank
you, Mr. Chairman.
A fascinating difficult topic and I really appreciate all
the work everyone is trying to do on this. I certainly am hearing from a lot of
my constituents, obviously, Fred Hutchinson Cancer Research Center and
University of Washington Medical Center are extremely interested in the
implications of research -- on their research of new privacy protections. But, I
also talked to consumers all the time, and I have to sit here -- we all sit here
as consumers and when we hear that some nurse that happens to be a next door
neighbor can take a look at our files, you know, it's pretty frightening.
And I appreciate Senator Dodd's line of questioning here, and I guess, Dr.
James, let me ask you, what makes you decide whether or not to tell the patient
that somebody has looked at their record?
DR. JAMES: We're currently
building a system so that any patient can look at every access to their record.
So if you're a patient inside Intermountain Health Care you could pull up a list
of your medical records and back from the day that you started to come to see
anybody associated with us, see every access, the date, the time, the name of
the person, their organizational affiliation. That's the main way that we want
to address that so that you have full access for disclosure for everyone who
sees it.
We also internally look for patterns of inappropriate use, using
that same audit trail. Now I realize that most systems don't have a full
electronic system. I realize that we're one of the first who are doing that and
in some sense we're working out what policy ought to look like. In an
organization where we agree that patient confidentiality is the primary goal, no
disagreement about that at all. Again, our solution for that is to find them and
stop them before they happen.
The other thing that needs to be said one more
time depends on where you draw the line between research and operations.
Essentially all of our defects in confidentiality which we've been picking up
when they look, not when they tell, because we've been able to tell, all of them
have occurred on the operations side, not on the research side.
SEN. MURRAY:
To a patient, it doesn't make a difference if they're --
DR. JAMES: I
understand, but the point of it is, is you consider your legislation. I think
it's clear that the bills that I've read at least, focus on the operation side
as well to see, appropriately so.
But now let me start to talk about the
operations of health care delivery. We have to be careful that we try to fairly
narrow path so that we can get full and appropriate patient confidentiality
protection, are we still allowed to (care delivery to function ??) or we will
literally pay for --
SEN. MURRAY: Yeah.
(Cross talk.)
So therefore,
you're saying electronic is better to track --
DR. JAMES: No question about
it. And there seems to be an inherent fear in electronic record. I don't know
where it comes from.
SEN. MURRAY: It just feels like when it goes into a
computer, that a lot of people can take a look at it.
DR. JAMES: Yeah, but
that's not true.
SEN. MURRAY: It may not be. Well that goes to the second
part of my question.
It seems to me that consumer education is a critical
piece of this. I don't know, or didn't know that when you signed an informed
consent, what all broad parameters that means, other than just that a doctor can
look at you, which is what most patients are thinking when they go in and sign
any kind of consent, particularly as it was stated when you're sick.
I think
that it's important for patients to know who has access to their records and
what kind of retribution there is if somebody inappropriate does, and that they
can request and find out who's gotten in there. How do we take care of consumer
education on this so that people are aware of what rights they have and how they
can know what's going on with their record?
DR. JAMES: Just a couple of
comments. You realize of course the paper record, anytime you see a physician or
a nurse, they are going to write down a record of that encounter for future
reference, that as they write that down, that's available to the medical team,
paper or electronic.
To be honest, I won't go into the stories. I believe
that the paper system is substantially more loose and subject to potential
abuse, just in passing, from personal experience. That said, we try to generate
understandable informed consent to describe the way that we'll use information
as part of a routine informed consent on every patient. It's very difficult
though to get the full understanding of how you use medical information to
deliver care, you see, and it's an ongoing issue for my data review committee.
That's one of the things that we consider in asking the Board of Trustees to set
policy.
So all that I have is a structural solution for you.
SEN.
MURRAY: Uh huh.
DR. JAMES: We also try to collaborate with others who are
addressing the same issue across the country to say what is the best way to
fully explain to patients how you're going to use this information appropriately
on their behalf, both on an individual level to care for you personally and on a
group level to develop better treatment for the future.
DR. FELDBLUM: Both
of your questions indicate to me why you need to pass a federal law, because a
federal law can in fact require entities to give me a really fully informed
consent, tell me who this information's going to be going to. Generally, what
type of people, what it's going to be used for and even though it is coerced to
some extent, at least they have more information.
Too, the federal law can
give real recourse. I mean in answer to your question, what you got back
basically was tort law, state tort law. That can be quite complicated, you know.
And instead what this does is, you can have a system that sets up civil
penalties, criminal penalties, cause of action, that could just go into to say
there was a violation. They don't have to go show you all the consequential
harms other than there was a violation.
Federal law is what can
make the difference in this country and then consumer education about what that
federal law says is going to complete the cycle.
SEN. DODD: I was just going
to tell you, I didn't follow up because of the time. But it seems to me that
almost a follow on question would be as in the private care, I would be more
uneasy about state-by-state tort law in this area than I would a clear federal
law that says exactly what the deal is. I don't know if you want to --
DR.
JAMES: We agree entirely that we need common federal law so that it's common
across the states. Now, that's partly self-serving because we supply care in
four states, and we'd rather work on a single rule.
DR. FELDBLUM: All right,
but I think there's definitely been a norm in Congress that when you pass laws
that are in, sort of, complicated areas. You've done this in banking laws,
consumer laws. You often do pass a federal floor that is a uniform floor and
basically about two-thirds of the states just automatically, sort of, come up to
that. But then, if you have states like Connecticut or Vermont, you know,
Washington, where wants to do something different, they get the chance to, in
fact, do something different.
So, that's only CCD's position that there
should be a floor and then, states should be allowed to experiment.
SEN.
DODD: But as we preempt in our laws.
DR. FELDBLUM: With some carve outs for
some areas, correct.
DR ANDREWS: Research doesn't know geographic
boundaries. It's really important to have states federal preemptive legislation
we feel. I'd like to come back to the question about education cause I think
that's very important here. And I think as health professionals, we have a
responsibility to educate patients, and I think the media, as well, has a
responsibility. I hope this dialog about federal legislation will improve the
public's understanding of how medical information is used. And I hope we can be
more responsible. When we talk about breaches of confidentiality that those are
reported for what they are, which is often a violation of professional ethics,
or a violation of law. It's very rarely a breach of confidentiality coming from
a research setting.
REP. MURRAY: Well, I think that has to be part of the
education, too. As consumers, we need to know what this research is used for and
some of the good effects of it, of which there is a lot out there. And I think a
lot of times, you know, people don't think beyond their own personal health care
crisis they're having.
Thank you, Mr. Chairman.
SEN. JEFFORDS :
Thank you.
Dr. James, you described a process by which you segregate your
electronic database. This is an important issue as we consider separate
treatment areas, such as mental health. Can you please elaborate for the
committee, the steps involved in segregating the information and costs
associated with the activity.
DR. JAMES: Currently, we've only actually,
physically segregated one part of information on our electronic medical records.
We actually segregate the identifiable parts off to the side. It's a virtual
single record, but physically, on the computers, it's actually a separate piece
of the record. That means that we can put different security protection on it.
Now, we have a random number that links record to record with all of the
various parts of the medical records, but most of the people who work in my
system who don't need access to identifiable information, they access the other
databases with no real chance of breech because they don't have access to the
identifiable portion. And we placed another level of security, the highest level
of security when they want to look at the identifiable portions, you see. And we
track it separately. We audit it separately as a separate entity.
The
current debate within my data review committee is should we break out HIV,
should we break out reproductive history, should we break out mental health. And
if so, what rules would we use? I'll have to tell you, at least for us, that we
still don't know quite how to handle that. It's an open technical question about
what areas we consider to deserve an even higher level of protection. Most days,
as chairman of the committee, my belief is that all parts of the record should
receive that level of protection, except basic demographics -- your name, you
know, that you're in the hospital, the things that we would release to a
newspaper, for example, under state law in Utah. Do you see what I mean?
So,
that's the area of current debate. We do segregate out the identifiable portion
of the record right now, though.
SEN. JEFFORDS: On that debate, would
legislation or regulation be helpful in trying to have a uniform system? DR.
JAMES: The legislation will be particularly helpful. I really want this
legislation to pass, you have to understand. It will be particularly helpful
when we enter into agreements with others because it will hold them to the same
standard to which we hold ourselves. And I think that will be very important,
and in some ways make flows of data easier than it is right now.
In terms of
segregating the medical record, I don't believe we have a technical foundation
to pass a law. That's my personal belief. At least, I haven't seen a good
solution of how you identify that level of information and then, how you
determine, particularly, which physicians or which nurses should see it. Now,
those in my system that say, for example, if we know we have an HIV-positive
patient, that every care deliverer ought to be able to know that. There are
others in my system who say we should use full HIV precautions on every patient
and so knowing that they have HIV is not a necessary piece of information. And
that's the level of the debate.
We try to avail ourselves to the best
national resources in going back and forth on this thing to decide the best way
to decide the best way to deliver care to patients while fully protecting
appropriate confidentiality. But that at least for us is still a topic of open
debate.
By the way at the current moment, what we've really said is that the
entire record has full protection.
SEN. JEFFORDS: Dr. Feldblum, do you have
any comment?
DR. FELDBLUM: Well, I wish that the whole rest of the country
was at the technological stage that IHC was at. I mean if it were, I think
privacy would so much better protected. I really want endorse what Dr. James
said and what I've learned from Jan Laurie Goldman who has been doing health
privacy for many years, who taught me and many members of the CCD coalition that
electronic records can help preserve privacy much better than paper records in
terms of protection of whose accessed those records, et cetera.
However, the
bottom line is that most of the country is not where IHC is at and they use
paper records. And you in 1999 I believe still need to pass a law that's gong to
deal with the country as it stands right now and the law that will be able to
accommodate the country as it grows into greater electronic use. I think given
that, there is, we do have to think about sensitive medical information. We do
have to think about whether that needs different and separate protection. You
know, when it's a paper record maybe then you can segregate it better. When
you've got an electronic record and the whole thing is basically anonymous
because the link is in another part of the database that's wonderful. And then I
think, yeah maybe the whole thing can get the same level of protection. So,
think you have to pass a law for the country as it stands right now, which is
not just IHC as well as the country where it will be. SEN. JEFFORDS: Dr.
Andrews?
DR. ANDREWS: I think regarding the ability to segregate information
or withhold certain information or withhold certain information from a medical
record, there ought, I agree with the statement that all diseases, all
conditions deserve the same high standard of protection. And it's incredible
important that records be comprehensive if one is doing epidemiological or other
research using archival records. If patients can select for some parts of their
records to be withheld, then studies will be biased and we won't learn the kind
of information we really need to learn, in some cases in those populations we
most need new data.
SEN. JEFFORDS: I know this is a complicated area that
intrigues me. We have act or we're trying to, we going to have records flowing
all over the world, not just in this country. And how we arrange the system so
that we can use it for the purposes intended and not breaches of confidentiality
and all the problems related to it and I don't know how that gets done. I don't
know enough about the technology but I do know it can do about anything you want
if you have it set up right. But how it gets set up right, I don't know. And who
should have the word on how it gets set up, but anyway I -- well we can ask you
this Dr. Andrews. If all types of medical information, physical, genetic, and
mental are subject to identical confidentiality standards, how will you suggest
protecting sensitive mental health records?
DR. ANDREWS: I'm not sure I
understand why that information that would normally be collected in the medical
records should be treated any differently than HIV status or someone's diabetes
status or hypertension, as long as the records are very well protected.
SEN.
JEFFORDS: I think the reason I ask that the one that concerns the public most is
the mental health record. They're adamant that they should have -- well almost
super confidentiality as to information in the mental health area, even compared
with AIDS. But how do we handle that? Anybody have any ideas?
DR. JAMES: I'd
say that it gets the same level of protection as the whole record, which means
that you use it strictly use to know to deliver health care to the patient or
understand how to run a health care delivery system to improve actual execution
of care delivery. That it is an interesting topic because this is one of the few
areas where you have a legitimate reason for refusing to show a patient a
medical record in certain limited circumstances, as with mental health data and
that's a more interesting aspect of it, is when you choose not to reveal to a
patient as opposed to as a general policy always making a medical record
available to a patient, because, sometimes it can do act of harm, to reach
confidentiality the other way, active harm to the patient by sharing a
professionals evaluation of their mental health status.
SEN.
JEFFORDS: Ms. Feldblum.
DR. FELDBLUM: Our proposal is to have strong
standards for all information, so in fact in that we agree. It just might be
that in some situations, if in fact that standard is not going to be as high as
we want for everything, then I think we need to have a discussion about whether
there needs to still be that high standard for mental health, HIV records, et
cetera. I mean I think your carve out for mental health and HIV in terms of
preemption, I think reflects and understanding that states have already
struggled with this. I mean, I think we would hope that you could craft a law
that in fact gives appropriate protection for all information, and we don't have
to get into this divide, you know, aspect. But I think that's really going to
depend on the law that gets crafted.
SEN. JEFFORDS: Thanks.
(Laughter.)
DR. JAMES: Just in passing, one way you could do it, for example, is you
could designate a proportion of an electronic record. You can't do this with
paper record. I should say that in terms of protecting subsets of information,
it's very difficult to do with that paper record and not have it just disappear
entirely. With an electronic record you can classify a portion of the record as
mental health information, and then you could only allow access to mental health
professionals, or designated attending physicians, or people at the designated
attending physicians says need access to those data. And that's how you would
handle it, is by having some mechanism of identifying people who could say,
okay, that portion of the record doesn't exist unless you have this particular
authorization, and then on a per-patient basis to identify people with that
authorization. That's how you'd build it.
REP. JEFFORDS: Well, thank you
all. I reserve the right for all the members to submit questions in writing to
you for the next two weeks. And you've been extremely helpful, although I always
come away more concerned than relieved when I get you all together. But,
excellent testimony and thank you very much.
END
LOAD-DATE: February 27, 1999