Copyright 2000 Federal News Service, Inc.
Federal News Service
April 26, 2000, Wednesday
SECTION: PREPARED TESTIMONY
LENGTH: 2626 words
HEADLINE:
PREPARED TESTIMONY OF THE HONORABLE SENATOR JAMES JEFFORDS CHAIRMAN
BEFORE THE SENATE HEALTH, EDUCATION, LABOR AND PENSIONS
COMMITTEE
BODY:
Written Testimony presented
by Greg Koski, PhD, MD, Associate Professor of Anesthesia and Critical Care
Medicine, Massachusetts General Hospital, Harvard Medical School, and Director
of Human Research Affairs, Partners HealthCare System, Boston, Massachusetts, on
this, the 26th day of April, 2000.
Dear Mr. Chairman and Members of the
Committee:
Privacy is the ability to choose what information about
ourselves and our activities we will share with others. Confidentiality is the
process through which we demonstrate respect for other's privacy. The people of
this country reasonably expect that their privacy be respected, and that
sensitive personal information about themselves, whatever the nature of that
information might be, not be disclosed to others without their authorization,
except in specific circumstances where there is compelling justification. Even
then, identifiable personal information should be disclosed only with specific
provisions for protecting its confidentiality.
Health information is
arguably among the most sensitive types of personal information and has always
been afforded special consideration when issues of privacy and confidentiality
are concerned. The extraordinary scope of social and technological change in our
health care system over the past two decades has unavoidably and irrevocably
changed the practice of medicine and the business of health care. With this
change, the public has become increasingly concerned about loss of autonomy and
loss of privacy, both of which seem now to occur all too frequently. Public
concerns regarding unauthorized access to personal medical information arise
from, and are substantiated by, misuse and abuse of information obtained during
encounters with the health care system. Patients seeking health care services
are obligated to compromise their own privacy and to share intimate personal
information about themselves and their families with their caregivers. They do
so with an expectation that their information will be used only for the intended
purpose and only by those who need this information to provide care and complete
the necessary business of healthcare. Far too often, this is not the case.
Not surprisingly, a climate of mistrust has developed in which patients
are demanding more control over who has access to their personal information and
how that information is to be used. Since many patients do not understand the
complexity of our health care system and the growing need for many different
parties to access patient information in the course of their jobs, the adverse
impact that broad restriction of access can have on the system, and the quality
of care, is not well appreciated.
The complex issues involved in
providing and managing health care while respecting the privacy of individual
persons and protecting the confidentiality of personal health information have
received much attention. Current legislative activity pertaining to these issues
at both the state and national levels reflects to a large degree the growing
interest among our citizens and the entire health care system and related
industries in finding effective ways to achieve these goals.
One such
effort is that of the Health Privacy Working Group, an initiative of the
Georgetown University Institute of Health Care Research, which released its
recommendations last summer. The 'best principles' set forth in that report
provide a useful framework for development of specific policies for effective
management and use of personal health care information in a manner that is
we!l-reasoned and workable. This statement of principles does not, however,
obviate the need for effective legislation to affect necessary change and
introduce appropriate safeguards for protection of privacy and confidentiality
of health information.
In compliance with the requirements established
by the Congress, the Secretary of the Department of Human Services has
introduced a comprehensive set of standards and rules governing privacy of
personal health information. In her previous testimony before Congress, the
Secretary has set forth five guiding principles that underlie the proposed
rules. These include boundaries, consumer control, security, accountability and
public responsibility. The rules include many important provisions for
protection of individual privacy, including a requirement that all persons,
institutions, agencies or other entities that collect personal health
information be required to develop formal written policies and procedures for
use of such information, and that patients be notified and informed of these
policies and their rights.
These rules appropriately limit access and
disclosure of information on a rigorous 'need to know' basis. They stipulate
that information should only be collected and maintained in identifiable form
when necessary and appropriate, and that it should be used only for those
specific purposes for which it was intended at the time of collection unless
there is appropriate notification and authorization for other uses. When
identifiable information is no longer needed, it should be destroyed or rendered
non-identifiable after a reasonable period of time unless there is a compelling
justification for keeping it.
Those who have crafted the proposed rules
deserve accolades for then' thoughtful work, as many of the provisions could
provide useful solutions to some of the concerns discussed above. Nevertheless,
there are aspects of the rules that, in my opinion, could be improved. I will
first offer a few remarks regarding the broader aspects of the proposed rules
before focusing on those parts pertaining to appropriate conduct and oversight
of health research, an area in which I can claim some experience and expertise
by virtue of my professional activities and responsibilities.
While the
proposed rules are really the first comprehensive approach to protection of
private health information, they are ultimately limited in scope to information
that has been recorded or transmitted in electronic form, leaving an important
gap in the protections afforded information stored in other media, particularly
paper records. This shortcoming should be addressed by ensuring that the rules
are made applicable to all protected health information, regardless of the
manner, format or medium in which it is collected or maintained.
For
clarity, I would like to call attention to the definition of "de- identified"
health information used in these rules. Personal health information that can be
attributed to the individual person from whom it was obtained is "identifiable".
Only information that cannot be attributed to its source is "non-identifiable".
When information is linked by a specific code number to an individual, even if
all other specific identifying information has been removed, that information
may have been "de-identified", but it is still identifiable and special
precautions must be taken to restrict the use of that information in ways that
were not authorized by the individuals of origin at the time it was obtained.
The use of the term "de-identified" in the proposed rules is not
interchangeable with the definition of "non-identifiable" information set forth
in the Federal Regulations for Protection of Human Subjects in Research, may be
confusing and misleading, and will be viewed by many as being deceptive,
intended or not. Information is either identifiable or not; these are mutually
exclusive. Identifiable information may be anonymous, encrypted, coded, or
otherwise de- identified in an effort to offer protection of privacy and ensure
confidentiality, but it is still identifiable.
Accordingly, special
protections must be in place to ensure that re- identification does not occur
without first carefully considering the impact that doing so may have on the
individuals whose privacy will be violated.
The scope of "health care
operations" is useful, but the list includes certain activities, such as outcome
assessments, that frequently overlap the research domain, which I will discuss
in greater detail below. Care should be taken to insure that this does not
provide a 'loop hole' for individuals to circumvent review and approval
processes of Institutional Review Boards ORBs) and the protections such review
can provide for individual subjects of that research.
The rules include
provisions for disclosure of information to outside third parties for a variety
of purposes. As a general rule, any and all releases of identifiable health
information to third parties outside of the health care setting in which it was
obtained should be authorized by the individuals from whom the information was
obtained. Secondary 're-disclosure' without specific authorization to parties
further removed from the primary source/custodian should be prohibited and
punishable by law.
The issue of preemption of state law has received
great attention. The Secretary has established that there is a need to establish
a minimum standard under federal law for protections of privacy and
confidentiality of personal health information, and that it is not the intent of
these rules to undermine or limit the ability of States choosing to pass more
stringent legal protections for individual privacy. Indeed, attempts to preempt
legislation at the State level has been viewed with skepticism as an attempt to
protect special interests that may be in conflict with those of individuals.
Turning to the provisions for access to personal health information for
research, I would first point out that the benefits of biomedical research to
both society and individuals is widely acknowledged and very highly valued by
the American people. In a recent national survey, nearly 90% of those polled
indicated strong or very strong support for biomedical research activities and a
personal interest in participating in research, provided they could be assured
that their interests and well-bring were protected. There is a long and very
productive tradition of using medical records and other forms of health
information for research purposes in this country, and such uses have rarely
resulted in breaches of confidentiality. The American people have been very
willing to accept this exception to absolute privacy of their medical
information, provided the information is handled in a
confidential manner. The rules proposed by the Secretary recognize this, and
appropriately allow for access to protected health information for research
purposed without individual authorization from patients, but only with
appropriate oversight.
We are very fortunate to have in place in this
country a system for protection of human subjects in research, including federal
laws that mandate oversight of research by duly constituted Institutional Review
Boards. This system, in which I am a proud and active participant, already
reviews and approves most of the biomedical research conducted in this country,
including research that relies upon uses of personal health information. The
challenges faced by the IRs are considerable, but overall, it is clear that
since the IRB system was developed two decades ago, biomedical research
involving human subjects has flourished and reports or serious abuses are
infrequent. Even as this Committee considers new rules to enhance protections
for patients' privacy and confidentiality of health information, steps are being
taken to strengthen the IRB system to make it even more effective. I strongly
support these actions, and believe that the IRB process can and must play an
integral role in oversight of all research involving health information.
I further support current efforts to bring all research involving human
subjects, as defined in federal regulations, under the "Common Rule" (45 CFR 46,
as amended), and to develop a process to credential IRs and heath researchers as
a further step toward strengthening the system for protection of human research
subjects. While existing rules and regulations offer the IRs and investigators
guidance in the use of personal health information, more specific guidance
should be promulgated to address issues of informed consent, uses of
identifiable versus nonidentifiable information, and specific mechanisms for
protection of confidentiality.
I remain troubled by one provision of the
proposed rules that would allow, in some unspecified cases, a 'privacy board' to
be substituted for an IRB in the approval process for research involving
protected health information. As currently proposed, such privacy boards could
be used as a means of avoiding IRB review, and could result in a lesser standard
for review of research involving private health information than for other kinds
of human research. This approach could further fragment the process for review,
approval and oversight of human research at that very moment when unification of
the process under a single new federal Office for Human Research Protection is
about to be realized. This would be an error, and this potential loophole should
be closed.
In some cases, it may be appropriate for institutional
'privacy committees' to oversee access to personal health information at
institutions that do not have sufficient research volume to justify an IRB, but
in those cases, the research should first be reviewed and approved by an IRB
constituted under the 'Common Rule' according to specific guidelines for
research access to private health information. In large institutions and in the
growing number of academically-based integrated health care systems, of which
the Partners HealthCare System (Boston, MA) is an example, the co-existence and
close association of such privacy committees and IRBs afford completeness and
consistency in policies and procedures for access to personal health information
that, at least in our case, has proven to be very beneficial and effective.
There are, of course, those who will decry enhanced privacy protections
as impediments to the research process. They claim that stronger privacy
protections will make it impossible to do research. In fact, exactly the
opposite is true. The public has so far been willing to allow research uses of
their private information to proceed because there have been strong protections
by IRBs and, thankfully, few abuses of this privilege by the research community.
As biomedical research increasingly depends upon access to more personal health
information, and to genetic information, information that is intensely personal
and sensitive, as well as predictive, society will demand that privacy
protections be strengthened, and if we fail to meet those expectations, we will
find that the credibility of our research endeavors are further undermined by
the ever intensifying crisis of confidence that we are currently facing.
Strengthening protections for human subjects and for privacy of health
information actually facilitates our research mission.
As information
technology and electronic medical records systems play an ever growing and
important role in modem health care and research, every practicable effort
should be made to take advantage of new tools and methodologies of information
science to enhance protection of sensitive information and patient privacy while
concurrently improving accessibility. Indeed, new approaches to electronic
security and high- level encryption technologies can actually be used to
strengthen protection of our privacy, but this will only happen if there are
appropriate rules, incentives, and resources to catalyze development and
implementation of such technologies.
In closing, I would like to thank
you, Mr. Chairman, and all of the members of the Committee for this opportunity
to express my views.
END
LOAD-DATE: April 27,
2000