LEXIS-NEXIS® Congressional Universe-Document

Search Terms: health information privacy, House or Senate or Joint

Document 41 of 45.

APRIL 27, 1999, TUESDAY

SECTION: IN THE NEWS

LENGTH: 4523 words

HEADLINE: PREPARED TESTIMONY BY
NATIONAL ASSOCIATION OF INSURANCE COMMISSIONERS
SPECIAL COMMITTEE ON HEALTH INSURANCE
BEFORE THE SENATE HEALTH, EDUCATION, LABOR AND PENSIONS COMMITTEE
SUBJECT - MEDICAL RECORDS PRIVACY - PREEMPTION

BODY:

I. Introduction
Good morning, Mr. Chairman and members of the Committee. My name is Kathleen Sebelius. I am the elected Insurance Commissioner for the state of Kansas. Also, I am the Secretary-Treasurer of the National Association of Insurance Commissioners (NAIC) and the chair of the NAIC's Accident and Health Insurance (B) Committee. I am testifying this morning on behalf of the NAIC's (EX) Special Committee on Health Insurance. I would like to thank you for providing the NAIC with the opportunity to testify today about the preemption issue surrounding the health information privacy legislation currently before Congress.
The NAIC, founded in 1871, is the organization of the chief insurance regulators from the 50 states, the District of Columbia, and four of the U.S. territories. The NAIC's objective is to serve the public by assisting state insurance regulators in fulfilling their regulatory responsibilities. Protection of consumers is the fundamental purpose of insurance regulation.
The NAIC Special Committee on Health Insurance ("Special Committee") is comprised of 45 state insurance regulators. The Special Committee was established as a forum to discuss federal proposals related to health insurance and to provide technical assistance to Congress and the Administration on a nonpartisan basis. Over the past several years, members of the Special Committee, including myself, have had the privilege of testifying before your Committee on various legislative proposals.
My testimony today will focus on three aspects of the preemption issue raised by the current federal legislation. First, I will discuss the states' recognition for the need for a minimum standard to protect the privacy of health information. Second, I will give some examples of what the states have done to ensure that health information is kept confidential, and discuss the concerns we have about the preemption language in the current federal legislation and how Congress can develop a federal minimum standard without eliminating existing state protections. Third, I will address the need for Congress to clarify the scope of any federal health information privacy legislation and to develop a way for states to measure their laws against any federal standard for compliance.
II. Recognizing the Need for a Federal Minimum Standard
As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress must enact privacy legislation by August 21, 1999. Should Congress fail to act, HIPAA requires the Secretary of Health and Human Services to promulgate regulations by February 21300. In addition to this statutory deadline, we recognize that Congress faces pressure to enact national legislation protecting the privacy of health information because the European Union issued a privacy directive that became effective in October 1998.
The sates, acting through the NAIC, understand the need for uniform standards to protect the privacy of health information. A minimum standard in this area is necessary given that health information is transmitted across state and national boundaries. The transmission of health information, as opposed to the delivery of health care services, is not a local activity. This was one of our main reasons for developing a model on this issue--The Health Information Privacy Model Act (attached).
The NAIC adopted the Health Information Privacy Model Act in September 1998.1 This model addresses many of the same issues that the federal legislation does, such as: (1) providing an individual the right to access and to amend the individual's protected health information; (2) requiring an entity to obtain an authorization from the individual to collect, use or disclose information; and (3) establishing exceptions to the authorization requirement. Our model was developed to assist the states in drafting uniform standards for ensuring the privacy of health information.2 However, because our jurisdiction is limited to insurance, and health information privacy encompasses more issues than insurance and more entities than insurers, we understand the desire for broader federal legislation.3
Recognizing all of the above factors, along with the fact that all of the health information privacy bills currently before this Committee preempt state law in one fashion or another, the members of the NAIC have concluded that the privacy of health information is one of the few areas where it may be appropriate for the federal government to set a minimum standard. However, it should be noted that up until this point there has been no federal standard in place. Rather, states have been the protector of consumers in this area. Any federal legislation must recognize this fact and make allowances for it.
III. Preemption
A. Existing State Laws
As this Committee is well aware, the drafting of legislation to tablish standards that protect the privacy rights of individuals with respect to highly personal health information is a very difficult task. Like you, the members of the NAIC sought to write standards into the NAIC Model that would not cripple the flow of useful information, that would not impose prohibitive costs on entities affected by the legislation, and that would not prove impossible to implement in a world that is rapidly changing from paper to electronic records. At the same time, the members of the NAIC recognized the need to assure consumers that their health information is used only for the legitimate purposes for which it was obtained, and that this information is not disclosed without the consumer's consent or knowledge for purposes that may harm or offend the individual.
When developing protections for health information, Congress must recognize the impact of any federal privacy legislation on existing federal and state laws. Although we cannot fully address the impact on federal law, we do know that many state laws touch on protected health information and appear in many locations within the states' statutes and regulations. These laws do not neatly fat into a federal bill's list of exceptions. For example, privacy laws can be found in the insurance code, probate code, and the code of civil procedure. Numerous privacy laws relating to health information are also contained in the states' public health laws, which address such topics as child immunization, laboratory testing, and the licensure of health professionals. Other potential areas involve workers compensation laws, automobile insurance laws, and laws regulating state agencies and institutions. In addition, many state privacy laws only address health programs or health-related information that are unique to a particular state.
Let me give you some examples of the existing state laws that protect health information.
Kansas
In Kansas, there are laws in the Public Health Code addressing the confidentiality of information obtained by the Kansas Secretary of Health and the Environment about diabetes mellitus. (K.S.A. 65- 1,116). Another law addresses the confidentiality of information obtained by the Secretary of Health and the Environment about hearing- impaired infants. (K.S.A.

65-1, 155). These state laws arguably would be preempted by some of the federal bills because of total preemption by the "related to" standard or because these conditions do not fall within the exceptions in the federal bills. Presumably, the above information would be governed by the provisions of the federal law; however, the federal privacy provisions would arguably allow the Secretary of Health and the Environment to disclose protected health information, without the consent of the individual, for public health purposes or for health research as defined under the federal bills. The disclosure provisions of the federal bills are potentially broader than the Kansas statutes, which generally require that the information be confidential and not disclosed without the individual's consent, unless identifying information has been removed, and which require the Secretary to remove the records of a child whose parents or guardian request in writing such action.
Vermont
Vermont, like some other states, has a cancer registry. (18 V.S.A. 154, 155, 156). The Vermont statutes require the Vermont Health Commissioner to keep confidential all information reported to the cancer registry, with exceptions for the exchange of confidential information with other states' cancer registries, federal cancer control agencies and health researchers under specified conditions. The provisions of these state laws would arguably be preempted by a federal privacy law that totally preempted state law or did not include state cancer registry laws as an exception to federal preemption. Presumably, a federal privacy law would allow the Vermont Health Commissioner to disclose protected health information in situations not authorized by the state's statutes, but allowed without authorization under the federal bills' public health or research provisions.
Massachusetts
Under Massachusetts' education statutes, provisions are established for the testing, treatment and care of persons susceptible to genetically-linked diseases. (Mass. Ann. Laws ch.76, 15B). The law requires the Department of Public Health to furnish necessary laboratory and testing facilities for a voluntary screening program for sickle cell anemia or for the sickle cell trait and for such genetically-linked diseases as may be determined by the Commissioner of Public Health. Records maintained as pan of any screening program must be kept confidential and will not be accessible to anyone other than the Commissioner of Public Health or to the local health department which is conducting the screening program, except by permission of the parents or guardian of any child or adolescent who has been screened. Information on the results of any particular screening program shall be limited to notification of the parent or guardian of the result if the person screened is under the age of 18 or to the person himself if he is over the age of 18. The results may be used otherwise only for collective statistical purposes. Again, this state program may be preempted by a federal privacy law because it does not fall under the federal bills' preemption exceptions. Under the federal bills this health information would be at risk of disclosure authorization under the public health or research provisions.
Connecticut
Connecticut has already enacted a privacy protection law for insurance information. (Conn. Gen. Stat. 38a-975 et seq.). This law applies to insurance institutions, agents and insurance-support organizations, and it protects health information that is collected, received or maintained in connection with insurance transactions that pertain to individuals who are residents of the state or who engage in insurance transactions with applicants, individuals or policyholders who are residents of the state. It also applies to insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery, or renewed in the state. This law applies to life, health, disability, and property and casualty insurance, and therefore to issuers of these products. This state law would be preempted under a federal bill that used a total preemption approach. Arguably any health information held by life or health insurers may still be protected under the federal legislation; however, health information held by disability or property and casualty insurers, which is currently protected under this state law, would become unprotected under the current federal legislation. Without the opportunity for the state to implement its own laws to address these types of insurers, the health information they hold would be vulnerable to potential misuse or disclosure by those who hold it. In addition, if the federal standard were to fall short of Connecticut law in some way, the level of protection for information held by life and health insurers would be diminished.
Utah
Under Utah's Health Code, the information obtained by the Drug Utilization Review Board under the Medical Assistance Act must be treated as confidential. (Utah Code Ann. 26-18-104). The board is required to establish procedures insuring that the information is held confidential by the pharmacist. The board shall adopt and implement procedures designed to ensure the confidentiality of all information collected, stored, retrieved, assessed, or analyzed by the board, its staff, or contractors to the drug utilization review program that identified individual physicians, pharmacists or recipients. The board may have access to identifying information for purposes of carrying out intervention activities, but that identifying information may not be released to anyone other than a member of the board. The board may release cumulative non-identifying information for research purposes. Again, the federal law could preempt this state statute because there is no exception in the federal bills for regulated drags. In addition, the pharmacist or the board arguably could release this information under the federal legislation without authorization under the research provisions.
These examples are not meant to be construed as a definitive legal analysis of the relationship between these state laws and the federal bills. The comments axe not based on an extensive review of all relevant state laws that might affect the ultimate conclusion about the interaction of the federal bills and the states' laws. However, the range of state laws relating to protected health information, and the diversity of their purposes and of the entities that they affect, are critical factors for assessing the impact of any federal preemption language.
Because state laws relating to health information and privacy are located in so many different places within each states' legal code, the length of time and complexity involved in compiling a list of these laws make it a nearly impossible task. Moreover, there is no federal or state agency or other organization that has a complete compendium of state laws that could be affected by federal privacy legislation that preempts state law. Without clear information about the laws that may be impacted by legislation, preemption must be approached with caution.
B. The Best Approach to Developing a Federal Standard
An argument will be made that the only solution to this collection of state privacy laws is a total preemption of state law. However, this "solution" is a deceptively easy response to the various state privacy laws and will most certainly result in adverse, unintended consequences. The language "any State law that relates to matters covered by this Act" could preempt literally hundreds of state laws that affect protected health information.4 Many state laws that are seemingly unrelated to health information on their face affect health information privacy and could be eliminated by a total preemption approach without any equivalent federal protection. Health information or health-related information that is currently protected will end up unprotected, and states will not be able to remedy the problem or "reprotect" the information. We offer this perspective not to "protect our turf," but rather as a caution against unintended consequences to the consumer. Because of the number and scope of the laws involved, our concerns are not limited to insurance law. We do not want Congress to reduce or eliminate any protections already in place. Preemption of state law is not a workable solution.
We believe the best approach would be to set a federal standard that does not preempt state laws that have been protecting health information for so many years. Up until now, there has been no federal standard in place, and the states have been protecting consumers. We understand the desire to establish a federal floor in this area, but it is not appropriate to preempt stronger state laws or preempt state laws that are outside the scope of the federal privacy legislation. As discussed earlier, the states have enacted privacy protections for their citizens in a variety of areas. These citizens should not lose stronger protections for their health information or lose protections granted by the states in areas not contemplated by the federal legislation.
In addition, we believe that states should be allowed to enact stronger privacy protections in the future in response to innovation in technology and changes in the use of health information.

We believe the best approach would balance the need for uniformity with the recognition of the states' ability to respond quickly and to provide additional protections to their citizens. States can quickly identify the impact of any federal privacy law or any changes in the use of health information and can efficiently remedy any adverse situation. We urge Congress not to take a "broad-brush" approach to preemption that would unintentionally take away protections at the state level, eliminate the states' ability to remedy unintended consequences that result from federal privacy legislation, or prevent states from responding to future changes in technology.
IV. Scope of the Legislation
In addition to adopting an approach that recognizes the privacy protections already enacted by the states and that allows states the flexibility to enact stronger privacy laws in the future, we urge Congress to draft legislation that specifically outlines the areas that Congress intends to address. Congress needs to be very specific about the scope of any federal privacy legislation. This is of particular concern since the current privacy legislation is silent on many issues affecting federal and state law. The scope should not be left ambiguous or left to the courts to decide. We believe it would be better for the protection of consumers' health information if Congress would specify what is addressed by the federal legislation as opposed to attempting to list all of the state laws that are exempt from the federal legislation.
All of the current federal bills contain specific exceptions to the federal preemption language for certain state laws. Reviewing all of the balls, these exceptions include state laws that: (1) provide for the reporting of vital statistics such as birth or death information; (2) require the reporting of abuse or neglect information about any individual; (3) regulate the disclosure or reporting of information concerning an individual's mental health; (4) relate to public or mental health and prevent or otherwise restrict disclosure of information otherwise permissible under the federal legislation; (5) govern a minor's rights to access protected health information or health care services; (6) relate to the disclosure of protected health information or any other information about a minor to a parent or guardian of such minor; (7) authorize the collecting, analysis, or dissemination of information from an entity for the purpose of developing use, cost effectiveness, performance, or quality data; and (8) concern a privilege of a witness or person in state court. Although each of the exceptions is appropriate and the list represents a good start at enumerating the specific categories of state laws that should not be preempted, these specific exceptions to the preemption language do not alleviate our concerns. There are other state laws that do not fit into any of the explicit categories and that would therefore be preempted by the broad scope of the general preemption language. In addition, not all of these specified exceptions are included in each of the bills. We mention this to underscore the critical importance of clearly defining the scope of what the federal legislation is addressing and the applicability of any specific privacy standard or exception. We believe it wiser and easier to define what types of health information and what state laws are within the scope of the federal legislation, rather than what types of health information and what state laws are outside of the scope of the federal legislation.
In addition, we urge Congress to outline a way in the federal privacy legislation for the states to measure their laws against any federal standard and to provide options for states to meet those requirements. In HIPAA, Congress gave the states three options in meeting the requirements of that legislation. Similar guidelines are needed in the privacy legislation. States need to be able to judge whether their state laws are stronger than the federal law in order to determine whether they need to take further action to revise their laws.
V. Conclusion
Establishing standards to protect the collection, use, and disclosure of health information is a very important undertaking. The growth of managed care, the increasing use of electronic information, and the advances in medical science and communications technology have dramatically increased both the availability and the importance of health information. The efficient exchange of health information will save thousands of lives. The information is critical for measuring and analyzing the quality and cost effectiveness of the health care provided to consumers. Consumer benefits from advances in health information are vast. However, the potential for misuse of this information is also vast. The information itself has become a valuable product that can be sold for significant amounts of money, and the consequences of unauthorized disclosure of health information can be potentially damaging to individuals' lives. The opportunities to exploit available health information will grow in number and value as technology and medical science advance.
As Members of Congress address this critical topic, we would urge you to recognize the importance of existing state law addressing the use of health information in many contexts. Congress should be aware of the complexity of implementing federal standards without inadvertently displacing important provisions of state law. We urge Congress not to take a "broad-brush" approach to preemption that would unintentionally take away protections at the state level, eliminate states' ability to remedy unintended consequences that result from federal privacy legislation, or prevent states from responding to future changes in technology. The scope of the preemption is a critical issue, and if not carefully constructed it could lead to unintended consequences. We urge you to recognize the impact of any privacy legislation on federal and state laws as you debate this issue. Congress must take a balanced approach that recognizes both privacy rights and the need for affordable health insurance governed through effective state regulation. The members of the NAIC would be happy to work with the Members of Congress in this area. Thank you.
*****FOOTNOTES*****
1 This model was developed with state regulators, representatives of the insurance and managed care industries, and representatives from the provider and consumer communities. The NAIC model reflects the excellent work that has been done by a number of states on this difficult topic. The NAIC greatly benefited from the expertise of states like Vermont, which has made significant efforts to develop legislation safeguarding the privacy of health information. The NAIC also recognized the need to update the provisions of its existing "NAIC Insurance Information and Privacy Protection Model Act," which was adopted by the NAIC in 1980, to reflect the rapidly evolving marketplace for health care and health insurance and the dramatic changes that have occurred over the past 19 years in information technology.
2 The NAIC model requires careers to establish procedures for the treatment of all health information, whether or not it is protected health information. The model then establishes additional rules for protected health information. In contrast, the federal bills require that named entities establish and maintain safeguards to protect the confidentiality of protected health information, which is more limited. The NAIC believes that Congress should establish procedures to assure the accuracy and integrity of all health information, not just protected health information.
3 The most obvious difference between the NAIC model and the federal bills is in the scope of the entities to which the respective proposals would apply. The NAIC model applies to all insurance carriers. The federal bills are much broader and apply to health care providers, health plans, public health authorities, health oversight agencies, health researchers, health or life insurers, employers, schools, universities, law enforcement officials, and agents. Different sections of the federal bills apply to different combinations of these named entities. However, we are concerned that the federal bills only apply to health and life insurers and not to all insurers.
With respect to insurers, we recommend the approach of the NAIC model, which applies to all insurance carriers and is not limited to health and life insurers. The NAIC had an extensive public discussion about whether the draft NAIC model should apply only to health insurance carriers, or instead, to all carriers. Health and life insurance carriers are not the only types of carriers that use health information to transact their business. Health information is often essential to settling workers' compensation claims and automobile claims involving personal injury, for example. This is the business of property and casualty insurers. Reinsurers also use protected health information to write reinsurance. The NAIC concluded that it was illogical to apply one set of rules to health insurance carriers but different rules, or no rules, to other carriers that were using the same type of information. Consumers deserve the same protection with respect to their health information, regardless of the entity using it. Nor is it equitable to subject life and health insurance carriers to more stringent rules than those applied to other insurers. Our model applies to all insurance careers and establishes uniform rules to the greatest extent possible.
4 This language is very similar to the preemption language contained in the Employee Retirement Income Security Act of 1974 (ERISA), which states: "(T)he provisions of this title...shall supersede any and all State laws insofar as they may now or hereafter relate to any employee benefit plan .... "(emphasis added). As this Committee is well aware, twenty-five years of litigation and numerous Supreme Court decisions have yet to clarify the scope of the ERISA preemption language. We would respectfully suggest that a "relate to" standard is not a good standard to adopt in federal legislation regulating the use of health information. Total preemption language will unintentionally erase important state laws but not provide equivalent federal protections. This is the unfortunate situation that has occurred as the result of the preemption language contained in ERISA.
END

LOAD-DATE: April 28, 1999

Document 41 of 45.


Search Terms: health information privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase: