Skip banner
HomeHow Do I?Site MapHelp
Return To Search FormFOCUS
Search Terms: medical w/5 information w/5 privacy, House or Senate or Joint

Document ListExpanded ListKWICFULL format currently displayed

Previous Document Document 29 of 124. Next Document

More Like This
Copyright 2000 Federal News Service, Inc.  
Federal News Service

April 26, 2000, Wednesday

SECTION: PREPARED TESTIMONY

LENGTH: 2626 words

HEADLINE: PREPARED TESTIMONY OF THE HONORABLE SENATOR JAMES JEFFORDS CHAIRMAN
 
BEFORE THE SENATE HEALTH, EDUCATION, LABOR AND PENSIONS COMMITTEE

BODY:
 Written Testimony presented by Greg Koski, PhD, MD, Associate Professor of Anesthesia and Critical Care Medicine, Massachusetts General Hospital, Harvard Medical School, and Director of Human Research Affairs, Partners HealthCare System, Boston, Massachusetts, on this, the 26th day of April, 2000.

Dear Mr. Chairman and Members of the Committee:

Privacy is the ability to choose what information about ourselves and our activities we will share with others. Confidentiality is the process through which we demonstrate respect for other's privacy. The people of this country reasonably expect that their privacy be respected, and that sensitive personal information about themselves, whatever the nature of that information might be, not be disclosed to others without their authorization, except in specific circumstances where there is compelling justification. Even then, identifiable personal information should be disclosed only with specific provisions for protecting its confidentiality.

Health information is arguably among the most sensitive types of personal information and has always been afforded special consideration when issues of privacy and confidentiality are concerned. The extraordinary scope of social and technological change in our health care system over the past two decades has unavoidably and irrevocably changed the practice of medicine and the business of health care. With this change, the public has become increasingly concerned about loss of autonomy and loss of privacy, both of which seem now to occur all too frequently. Public concerns regarding unauthorized access to personal medical information arise from, and are substantiated by, misuse and abuse of information obtained during encounters with the health care system. Patients seeking health care services are obligated to compromise their own privacy and to share intimate personal information about themselves and their families with their caregivers. They do so with an expectation that their information will be used only for the intended purpose and only by those who need this information to provide care and complete the necessary business of healthcare. Far too often, this is not the case.

Not surprisingly, a climate of mistrust has developed in which patients are demanding more control over who has access to their personal information and how that information is to be used. Since many patients do not understand the complexity of our health care system and the growing need for many different parties to access patient information in the course of their jobs, the adverse impact that broad restriction of access can have on the system, and the quality of care, is not well appreciated.

The complex issues involved in providing and managing health care while respecting the privacy of individual persons and protecting the confidentiality of personal health information have received much attention. Current legislative activity pertaining to these issues at both the state and national levels reflects to a large degree the growing interest among our citizens and the entire health care system and related industries in finding effective ways to achieve these goals.

One such effort is that of the Health Privacy Working Group, an initiative of the Georgetown University Institute of Health Care Research, which released its recommendations last summer. The 'best principles' set forth in that report provide a useful framework for development of specific policies for effective management and use of personal health care information in a manner that is we!l-reasoned and workable. This statement of principles does not, however, obviate the need for effective legislation to affect necessary change and introduce appropriate safeguards for protection of privacy and confidentiality of health information.

In compliance with the requirements established by the Congress, the Secretary of the Department of Human Services has introduced a comprehensive set of standards and rules governing privacy of personal health information. In her previous testimony before Congress, the Secretary has set forth five guiding principles that underlie the proposed rules. These include boundaries, consumer control, security, accountability and public responsibility. The rules include many important provisions for protection of individual privacy, including a requirement that all persons, institutions, agencies or other entities that collect personal health information be required to develop formal written policies and procedures for use of such information, and that patients be notified and informed of these policies and their rights.

These rules appropriately limit access and disclosure of information on a rigorous 'need to know' basis. They stipulate that information should only be collected and maintained in identifiable form when necessary and appropriate, and that it should be used only for those specific purposes for which it was intended at the time of collection unless there is appropriate notification and authorization for other uses. When identifiable information is no longer needed, it should be destroyed or rendered non-identifiable after a reasonable period of time unless there is a compelling justification for keeping it.

Those who have crafted the proposed rules deserve accolades for then' thoughtful work, as many of the provisions could provide useful solutions to some of the concerns discussed above. Nevertheless, there are aspects of the rules that, in my opinion, could be improved. I will first offer a few remarks regarding the broader aspects of the proposed rules before focusing on those parts pertaining to appropriate conduct and oversight of health research, an area in which I can claim some experience and expertise by virtue of my professional activities and responsibilities.

While the proposed rules are really the first comprehensive approach to protection of private health information, they are ultimately limited in scope to information that has been recorded or transmitted in electronic form, leaving an important gap in the protections afforded information stored in other media, particularly paper records. This shortcoming should be addressed by ensuring that the rules are made applicable to all protected health information, regardless of the manner, format or medium in which it is collected or maintained.

For clarity, I would like to call attention to the definition of "de- identified" health information used in these rules. Personal health information that can be attributed to the individual person from whom it was obtained is "identifiable". Only information that cannot be attributed to its source is "non-identifiable". When information is linked by a specific code number to an individual, even if all other specific identifying information has been removed, that information may have been "de-identified", but it is still identifiable and special precautions must be taken to restrict the use of that information in ways that were not authorized by the individuals of origin at the time it was obtained.

The use of the term "de-identified" in the proposed rules is not interchangeable with the definition of "non-identifiable" information set forth in the Federal Regulations for Protection of Human Subjects in Research, may be confusing and misleading, and will be viewed by many as being deceptive, intended or not. Information is either identifiable or not; these are mutually exclusive. Identifiable information may be anonymous, encrypted, coded, or otherwise de- identified in an effort to offer protection of privacy and ensure confidentiality, but it is still identifiable.

Accordingly, special protections must be in place to ensure that re- identification does not occur without first carefully considering the impact that doing so may have on the individuals whose privacy will be violated.

The scope of "health care operations" is useful, but the list includes certain activities, such as outcome assessments, that frequently overlap the research domain, which I will discuss in greater detail below. Care should be taken to insure that this does not provide a 'loop hole' for individuals to circumvent review and approval processes of Institutional Review Boards ORBs) and the protections such review can provide for individual subjects of that research.

The rules include provisions for disclosure of information to outside third parties for a variety of purposes. As a general rule, any and all releases of identifiable health information to third parties outside of the health care setting in which it was obtained should be authorized by the individuals from whom the information was obtained. Secondary 're-disclosure' without specific authorization to parties further removed from the primary source/custodian should be prohibited and punishable by law.

The issue of preemption of state law has received great attention. The Secretary has established that there is a need to establish a minimum standard under federal law for protections of privacy and confidentiality of personal health information, and that it is not the intent of these rules to undermine or limit the ability of States choosing to pass more stringent legal protections for individual privacy. Indeed, attempts to preempt legislation at the State level has been viewed with skepticism as an attempt to protect special interests that may be in conflict with those of individuals.

Turning to the provisions for access to personal health information for research, I would first point out that the benefits of biomedical research to both society and individuals is widely acknowledged and very highly valued by the American people. In a recent national survey, nearly 90% of those polled indicated strong or very strong support for biomedical research activities and a personal interest in participating in research, provided they could be assured that their interests and well-bring were protected. There is a long and very productive tradition of using medical records and other forms of health information for research purposes in this country, and such uses have rarely resulted in breaches of confidentiality. The American people have been very willing to accept this exception to absolute privacy of their medical information, provided the information is handled in a confidential manner. The rules proposed by the Secretary recognize this, and appropriately allow for access to protected health information for research purposed without individual authorization from patients, but only with appropriate oversight.

We are very fortunate to have in place in this country a system for protection of human subjects in research, including federal laws that mandate oversight of research by duly constituted Institutional Review Boards. This system, in which I am a proud and active participant, already reviews and approves most of the biomedical research conducted in this country, including research that relies upon uses of personal health information. The challenges faced by the IRs are considerable, but overall, it is clear that since the IRB system was developed two decades ago, biomedical research involving human subjects has flourished and reports or serious abuses are infrequent. Even as this Committee considers new rules to enhance protections for patients' privacy and confidentiality of health information, steps are being taken to strengthen the IRB system to make it even more effective. I strongly support these actions, and believe that the IRB process can and must play an integral role in oversight of all research involving health information.

I further support current efforts to bring all research involving human subjects, as defined in federal regulations, under the "Common Rule" (45 CFR 46, as amended), and to develop a process to credential IRs and heath researchers as a further step toward strengthening the system for protection of human research subjects. While existing rules and regulations offer the IRs and investigators guidance in the use of personal health information, more specific guidance should be promulgated to address issues of informed consent, uses of identifiable versus nonidentifiable information, and specific mechanisms for protection of confidentiality.

I remain troubled by one provision of the proposed rules that would allow, in some unspecified cases, a 'privacy board' to be substituted for an IRB in the approval process for research involving protected health information. As currently proposed, such privacy boards could be used as a means of avoiding IRB review, and could result in a lesser standard for review of research involving private health information than for other kinds of human research. This approach could further fragment the process for review, approval and oversight of human research at that very moment when unification of the process under a single new federal Office for Human Research Protection is about to be realized. This would be an error, and this potential loophole should be closed.

In some cases, it may be appropriate for institutional 'privacy committees' to oversee access to personal health information at institutions that do not have sufficient research volume to justify an IRB, but in those cases, the research should first be reviewed and approved by an IRB constituted under the 'Common Rule' according to specific guidelines for research access to private health information. In large institutions and in the growing number of academically-based integrated health care systems, of which the Partners HealthCare System (Boston, MA) is an example, the co-existence and close association of such privacy committees and IRBs afford completeness and consistency in policies and procedures for access to personal health information that, at least in our case, has proven to be very beneficial and effective.

There are, of course, those who will decry enhanced privacy protections as impediments to the research process. They claim that stronger privacy protections will make it impossible to do research. In fact, exactly the opposite is true. The public has so far been willing to allow research uses of their private information to proceed because there have been strong protections by IRBs and, thankfully, few abuses of this privilege by the research community. As biomedical research increasingly depends upon access to more personal health information, and to genetic information, information that is intensely personal and sensitive, as well as predictive, society will demand that privacy protections be strengthened, and if we fail to meet those expectations, we will find that the credibility of our research endeavors are further undermined by the ever intensifying crisis of confidence that we are currently facing. Strengthening protections for human subjects and for privacy of health information actually facilitates our research mission.

As information technology and electronic medical records systems play an ever growing and important role in modem health care and research, every practicable effort should be made to take advantage of new tools and methodologies of information science to enhance protection of sensitive information and patient privacy while concurrently improving accessibility. Indeed, new approaches to electronic security and high- level encryption technologies can actually be used to strengthen protection of our privacy, but this will only happen if there are appropriate rules, incentives, and resources to catalyze development and implementation of such technologies.

In closing, I would like to thank you, Mr. Chairman, and all of the members of the Committee for this opportunity to express my views.

END

LOAD-DATE: April 27, 2000




Previous Document Document 29 of 124. Next Document


FOCUS

Search Terms: medical w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
   
About LEXIS-NEXIS® Congressional Universe Terms and Conditions Top of Page
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.