Copyright 2000 Federal News Service, Inc.  
Federal News Service


April 26, 2000, Wednesday

SECTION: CAPITOL HILL HEARING

LENGTH: 21287 words

HEADLINE: HEARING OF THE SENATE HEALTH, EDUCATION, LABOR AND PENSIONS COMMITTEE
 
SUBJECT: MEDICAL RECORDS PRIVACY
 
CHAIRED BY: SENATOR JAMES JEFFORDS (R-VT)
 
LOCATION: 430 DIRKSEN SENATE OFFICE BUILDING, WASHINGTON, D.C.
 
TIME: 10:00 AM EDT

DATE: WEDNESDAY, APRIL 26, 2000

WITNESSES:
 
JANET HEINRICH, ASSOCIATE DIRECTOR, HEALTH FINANCING AND PUBLIC HEALTH ISSUES, GENERAL ACCOUNTING OFFICE;
 
JOHN P. HOUSTON, DIRECTOR, INFORMATION SERVICES DIVISION, THE UPMC HEALTH SYSTEM;
 
KATHY FARMER, MANAGER, U.S. COMPENSATION AND BENEFITS, HEWLETT PACKARD;
 
E. GREG KOSKI, ASSOCIATE PROFESSOR OF ANAESTHESIA, MASSACHUSETTS GENERAL HOSPITAL;
 


BODY:
  SEN. JAMES JEFFORDS (R-VT): The hearing will come to order. Today marks the Health and Education Committee's eighth hearing on one of the most pressing issues confronting our healthcare system -- the confidentiality of healthcare information. As most of you know, the reason we are here today is the result of what seems like a small provision within the Health Insurance Portability and Accountability Act, HIPAA. The HIPAA provision states that should Congress not enact medical records privacy legislation by August 21, 1999, the secretary of Health and Human Services is required to issue regulations on privacy standards for individually identifiable health information.

Further, these regulations must address the following: The rights of the individual who is the subject of the information; procedures for exercising such rights; and, the authorized and required uses and disclosures of such information. Last year, this committee worked tirelessly to produce bipartisan legislation that struck the appropriate balance between providing protection for medical information, while also allowing for necessary sharing of information with integrated healthcare systems. In working closely with Senators Dodd, Frist, Kennedy and other members of the committee, we were able to make tremendous progress in resolving many policy differences. Unfortunately, some issues remained that we were unable to reach agreement on. Since we were unable to pass comprehensive medical records privacy legislation, the secretary of HHS now has the duty to produce final regulations this year, that will go into effect in the year 2002. Last November, when the Department of Health and Human Services issued their proposed rule on privacy of individually identifiable health information, I asked the General Accounting Office to study the interim regulatory process and report back to this committee their finding. I specifically asked them to look at the nature of the comment letters that HHS received, as well as to address whether the administration's proposed rule is consistent with the statutory authority under HIPAA.

For those of you who actually read the 600 plus pages of the proposed rule, imagine reading 52,000 comment letters that followed the publication of the proposed rule. While the staggering number -- it is a staggering number -- I am told that about 45,000 though, however, were form letters containing identical information. The GAO testimony presented today will touch upon two themes -- that there is widespread acknowledgement, despite the organization's diverse perspective, of the importance of protecting the privacy of medical records, and that fundamental differences among group positions reflect the conflicts that sometimes arise between maintaining privacy protection and achieving other important social goals.

A study by the National Research Council shows that the pathway of a typical medical record is no longer confined within the control of the patient's personal physician. Today, a typical record may be handled by numerous individuals in more than 17 different organizations. Technology has provided the tools to allow the ease of access to healthcare information. Now, enforceable national protections are needed to ensure the confidentiality of this personal health information. As we hear from all of our expert witnesses today, I hope to gain a better understanding regarding the appropriateness of the proposed rule on the privacy of individually identifiable health information, as well as whether future legislation is needed to fill gaps that perhaps resulted from the secretary's limited authority in issuing the regulations.

The hearing will follow the committee's usual format. Each of the witnesses will speak for five minutes, and each member of the committee will have up to five minutes per round for questioning. The hearing record will remain open for two weeks, and any written statements and questions for the record should be submitted within that time. That said, let me welcome all of our witnesses. I look forward to hearing your testimony today and working together, as we do now, and in the future, on reaching the appropriate results. I'm pleased to introduce our witnesses this morning.

Testifying first will be Dr. Janet Heinrich, Associate Director, Health Financing and Public Health Issues with the US General Accounting Office, the GAO, Washington, DC. Previously, Dr. Heinrich was director of the American Academy of Nursing, and also served as the director of Extramural Programs, National Institute of Nursing Research at the National Institutes of Health. Her professional experience encompasses public health nursing in urban and rural settings, as well as public policymaking at the local, state, and federal levels. In addition to her nursing degree, her credentials include Masters of Public Health from the Johns Hopkins University School of Hygiene and Public Health, and a Doctorate of Public Health from Yale University Department of Epidemiology and Public Health in the School of Medicine.

Dr. Heinrich, it's always a pleasure to have you with us, and we look forward to your remarks. I'll turn first to Senator Kennedy.

SEN. EDWARD KENNEDY (D-MA): Just a brief comment, Mr. Chairman. I want to thank you for calling the hearing on the proposed rules to safeguard the confidentiality of medical records. This issue is critically important to every American who seeks medical care. Every patient, particularly in this electronic age, must be able to trust that personal medical information will not be improperly disclosed or used for unauthorized purposes. And the importance of this trust between the patient and the doctor has been recognized since the very dawn of medicine.

Before being entrusted with the heavy responsibility of providing to the sick and injured, doctors take a solemn oath based upon the declaration of principles laid down by the Greek physician more than 2,000 years ago. Over the centuries, these principles have served as the foundation of good medical practices. And as we consider today the basic issue of privacy of medical records, we'd do well to remember the Hippocratic oath. "Whatever in connection with my professional practice I see or hear, which ought not to be spoken of abroad, I will not divulge, counting such things to be sacred secrets."

Unfortunately, the sacred secrets of which the Hippocratic oath spoke to have now lost much of their sanctity.

In this era of instantaneous electronic communication, medical information can be sent around the world at the touch of a button, and vast databases of personal medical information are compiled and sold to the highest bidder. Although healthcare personnel must clearly have access to medical records to provide high quality treatment or obtain payment for services, the absence of effective privacy protection also allows employers, sales agents, or even neighbors, to obtain improper access to the medical information that all of us would wish to protect.

When patients fail to confide in their doctors, both patients and society suffer. And the patients who are afraid to tell their doctor about a previously diagnosed condition for fear of seeing that information misused, may receive medications that are ineffective or even dangerous. And patients who are afraid of disclosure of their medical condition to their employer or their coworkers, may delay seeking treatment or even delay taking a simple diagnostic test, with the result that a previously treatable condition becomes incurable. We must all work together to restore the trust in the confidentiality of medical practice and thus dispel the fear that so many patients feel about the security of their personal medical information.

In 1996, Senator Kassebaum and I, along with many other members of our committee, worked together to pass the Health Insurance Portability and Accountability Act. This legislation called on Congress to deal with the pressing issue of confidentiality in medical records by enacting comprehensive legislation, required the secretary of Health and Human Services to formulate regulations on the privacy of medical records if Congress should decline to act. We agreed that inaction by Congress should not mean no action on this important issue. To fulfill the requirements of the Act, Secretary Shalala and her staff have worked effectively to establish principles to safeguard the privacy of medical records, while still allowing the use of medical information that are necessary for effective delivery of healthcare.

Her task was a challenging one, and I commend the secretary for the thoroughness of her work in addressing the many complexities of this difficult issue. I look forward to the testimony from today's witnesses, particularly Janlori Goldman, whose expert advice was especially valuable during last year's deliberations on medical privacy in this committee. Dr. Greg Koski, from the Massachusetts General -- Mass General Hospital, who serves on the faculty of the world renowned research institution, is well known for his leadership in preserving the privacy of medical records for patients involved in medical research. And, again, I thank you, Mr. Chairman.

SEN. JEFFORDS: Thank you. Let me first -- accompanying Dr. Heinrich is Barry R. Bedrick. Mr. Bedrick is an Associate General Counsel in the General Accounting Office. He has been with GAO since 1972, and has been in charge of providing legal support for GAO's work on health, education, labor, pension, and related issues since 1989. He's a graduate of Colgate University and Harvard Law School. Dr. Heinrich, please proceed.

DR. JANET HEINRICH: Thank you. Mr. Chairman, and members of the committee, we are pleased to be here today to discuss the Department of Health and Human Services' proposed rule on patient confidentiality issued last November. Few areas of our lives are perceived to be more private than our health and medical care. Historically, allowing access to information contained in medical records has been the responsibility of physicians, hospitals, with informed consent from patients and their families.

The proliferation of electronic records and managed care arrangements has raised questions about the extent to which an individual's healthcare information is protected from inappropriate disclosure. Because of no comprehensive federal rules, laws have been enacted to ensure confidentiality of patient data in the private sector. Congress included in the Health Insurance Portability and Accountability Act, HIPAA, a provision that the secretary of Health and Human Services develop legislative recommendations aimed at filling this gap. But Congress further stipulated that if legislation governing privacy standards was not enacted by last year, the secretary would issue regulations on the matter.

At your request, we examined the consistency between the HIPAA statute and the proposed rule. We reviewed public responses to the rule among a selected group of 40 organizations representing healthcare providers, health plans, patient advocates, and other constituencies. And, we identified concerns articulated by these organizations that would require legislative action. The regulatory approaches HHS adopted in the proposed rule seem consistent with HIPAA's purpose of protecting the privacy of health information and are legally permissible. By requiring that entities directly regulated by the rule -- health plans, healthcare providers, and healthcare clearinghouses -- control the information processes and practices of entities with which they do business, HHS has attempted to fill an otherwise significant gap in privacy protection.

HHS covered the paper progeny of electronically maintained or transmitted health information in their rule. If they had not, the privacy protections extended to individuals by HIPAA would be easy to circumvent merely by printing out the electronic record. The decision to build flexibility into the proposed rule by allowing implementation of the standards to vary on the basis of an organization's size is also within the authority of HHS. Although there are many sections of the rule that elicited little reaction, suggesting a relative lack of controversy, there were several areas of explicit disagreement with the proposed regulation.

Out of the more than 50 sections of the proposed rule, only 14 were commented on by at least half of the stakeholders that we selected. Six issues drew the greatest attention across the 40 stakeholder statements that we reviewed. Let me summarize the major points of contention. Preempting all state laws that are in conflict with the rule and provide less stringent privacy protections. Allowing standing authorizations for disclosures for treatment, payment, and healthcare operations. Restricting the amount of information used and disclosed. Defining covered entities and the types of information covered. Specifying procedures for individual authorizations where they are still required. And, implementing provisions for business partner contracts to ensure that disclosed information remains confidential.

The positions taken on those controversial issues address fundamental concerns such as the scope of the rule, definitions of terms, and the consequences of decisions on the costs and burdens imposed by the rule. Many organizations cited a need for the Congress to act if personal health information is to be subject to the same standards regardless of geography, and argued for the need for a uniform federal standard preempting all state laws. Others called for a legislative modification to extend the Department's authority to cover all identifiable health information regardless of whether it had been electronically stored or transmitted. In other words, to cover the paper record.

A large number of comments from across the spectrum of stakeholder groups advocated legislative changes to extend coverage under the rule to all types of entities that use or disclose identifiable health information. Regarding enforcement, there were only three stakeholders in our selected group that stated that the Congress should establish a private right of action for individuals to enforce their rights under the privacy rule. In conclusion, we found widespread support for the goal of protecting individually identifiable health information from misuse. The issue is not whether to protect the confidentiality of medical records, but the best approach for doing so.

The differences among the group reflect the conflicts that sometimes arise between the need for individual privacy and other objectives, such as research or the need for reducing cost of care. As the Department of Health and Human Services considers comments in formulating the final rule, it will need to weigh both the relative priority to give to these other objectives, and the merit of differing views on feasibility of alternative approaches. Mr. Chairman, and members of the committee, this concludes my prepared statement, and I will be happy to answer any questions.

SEN. JEFFORDS: Well, thank you very much, doctor. In your testimony, you noted that many of the organizations asserted that substantial expense would be incurred reviewing state laws and determining whether a state law is applicable to a given situation. Could you expand on this point?

DR. HEINRICH: Certainly the issue of preemption was one of the issues that many, many people commented on. There's been concern articulated about the patchwork of state laws, and the fact that state laws seem to be imbedded in a variety of codes and laws, making it very, very difficult to find a law in these state statutes. Some people have said, therefore, that it would be very important to have a federal rule that would preempt all states.

Others have argued that, in fact, there's a great deal of protection in privacy law that we can build on.

And, in fact, entities have now been working with these 50 different state laws. This is an opportunity to actually build on what is the strongest privacy law.

SEN. JEFFORDS: In your testimony, you noted that many of the organizations suggested that covered entities be exempted from the definition of business partner in the regulation. Please explain that rationale.

DR. HEINRICH: Groups have said that the -- the covered groups have said that they feel it would be very difficult for them to enforce privacy law, and they're concerned about being held accountable for the business partners. And, Barry, in terms of the arguments from the business partner's perspective, would you have anything to add?

MR. BARRY BEDRICK: I think the concern that we encountered in some of the comments was that the same entity would be a covered entity and would also, as the regulation is now written, be required to enter into business partner agreements with other covered entities. Their argument is that as covered entities, they're subject to all the requirements of the regulation and, therefore, it would be superfluous to require an additional contract with someone who is already a covered entity.

SEN. JEFFORDS: Your testimony on the preemption of state laws, did you find many groups suggesting that the secretary automatically issue advisory opinion on the preemption of all state laws so that entities would know early on to which law they must comply?

DR. HEINRICH: There were, in fact, several commenters who suggested that if in fact there could not be a federal standard, that perhaps the next best thing would be to have the secretary then determine ahead of time which laws, in which states, would be exempted. And that would provide an approach that some organizations would think would be workable if, in fact, they couldn't have the standard rule.

SEN. JEFFORDS: The proposed rules allow for statutory authorization to use protected health information for treatment, payment, and healthcare operation, but does not allow entities to request a written authorization should they wish to. Could you explain the rationale for that?

DR. HEINRICH: Well, certainly, the rationale for having the authorization for the treatment, for payment, and operations was because this would be, in effect, stronger than what we currently have, which is often times a blanket authorization by individuals for release of their information, but they have no idea what it is being released for or how the information will be used. And, Barry, I'm going to turn to you to describe the rationale that was given for not allowing individual providers to request authorization.

MR. BEDRICK: Well, I think Dr. Heinrich touched on it. This is addressed in the HHS preamble to the proposed regulation, and essentially, as she said, they were concerned that the blanket authorization had not been an effective mechanism for protecting privacy of the patients. And, that if they could use this alternative method, it would, in the end, be more protective of privacy.

SEN. JEFFORDS: Senator Kennedy.

SEN. KENNEDY: Thank you very much. Dr. Heinrich, could you tell us, in lay person's language, how much protection exists out there in people's medical records today? I mean, we hear that, you know, there's more protection for your Blockbuster videos than there are for your medical records. I think the American people, after you've studied and looked into this -- what is sort of the current -- what was the current situation before the regulations? How easy was it for people to get these records, and was it becoming easier for them to get it? How much risk was there out there? How important is this issue to families?

I think people would like to know. I think most people feel when they go in there that there is some protection. I think it's important, if we're going to be able to develop the kind of support for legislation, we've got to be able to show that there are some real concerns in terms of privacy that are legitimate.

DR. HEINRICH: I started out asking the question, you know, what is the magnitude of this problem myself. And, I think that the general public somehow believes that the old rule that the physician, the hospital, will take care of this information -- that they don't have to worry -- is still quite prevalent. But, the fact of the matter is we have a lot of anecdotal information that says that it's very easy for people, without the best interests of the individual patient, to have access to very private medical information. I think that in the news, the media, we've heard of some terrible consequences.

The confidentiality issues have had impact in terms of employment, in terms of discrimination, and also for insurance purposes.

SEN. KENNEDY: And, do you think this -- is this going to be more of a problem, do you see down the line, with the new electronic information availability, as well as research that's being done in DNA and being able to try and find people that may have a greater proclivity for illness and disease, or for cancer -- that that kind of information could be used adversely to impact people? Is this becoming more of a problem, do you think, today than it was, say, 10 years ago?

DR. HEINRICH: I think it is certainly the downside of our technological innovation, is that in fact the individually identifiable information, be it genetic information, it's going to be much more readily available if we do not protect the information.

SEN. KENNEDY: Let me ask you, as was mentioned in the report, the Kassebaum-Kennedy has explicit authority in terms of dealing with electronic records. I'm interested in the non-electronic records. According to the comments to HHS, what advantages would there be in extending the privacy coverage to paper records?

DR. HEINRICH: In the comments that we reviewed, people said it's an artificial distinction in many instances between the patient's medical record that is often times a private record, and what is electronically transmissible. I was very interested in, you know, what is the information that's related to payment, administrative issues, versus the clinical information and the clinical record. It's often times the clinical information that is in the paper record. Some people argued that just in terms of the simplicity of implementing these regulations, it would be much better to simply have a system for all information that's applicable.

SEN. KENNEDY: And there was nothing -- did you find any provision in the legislation that would prohibit the HHS from extending the privacy protections to the non-electronic record?

DR. HEINRICH: I'm going to ask Barry to answer that question.

MR. BEDRICK: It's true certainly that the administrative simplification provisions of the law concentrate on electronic transmission of records. But, I think it's equally true that Congress wanted a privacy protection scheme in the regulation or the law that would work -- that would extend to all embodiments of the information. HHS says in the preamble to the regulation that they have authority to regulate the information in paper form, and that seems a reasonable --

SEN. KENNEDY: I would think so. Let me ask you, in the comments you reviewed, did any of the stakeholders express concerns about allowing medical information to be used without patient consent for treatment, payment, and healthcare operations?

DR. HEINRICH: Yes. There were several people that took exception to this, and simply stated that an individual always should be requested for their individual, private information without fail. There were very strong views articulated on that very issue.

SEN. KENNEDY: What was the reason for that? Just basically the privacy reason?

DR. HEINRICH: It's the privacy reason, and some people also feel strongly that it's the individual patient that owns their information and their record.

SEN. KENNEDY: Let me just ask you finally, according to the comments you reviewed, what have been identified as the major advantages of providing HHS with the legal authority to cover all organizations that handle medical information, not just the three types of businesses covered under the current regs?

DR. HEINRICH: I think that the arguments that we read are as follows, and I'm sure you'll be hearing more of these later today. But, essentially, you have individually identified information that is used by a variety of entities, not just the three that are covered specifically in the legislation, and that if these entities are, in fact, using this information, then they should be covered. A good example is organizations that deal with auto insurance or life insurance -- are dealing with individually identifiable medical information, but would not be covered.

SEN. KENNEDY: Thank you very much, Mr. Chairman. Thank you. I might have some additional questions to submit.

SEN. JEFFORDS: That'd be fine. I've got two more for you. For the individual doctor offices that may be made to comply with the regulation, did the comment letters reflect a concern that the burden would be so great, that it might prevent these offices from moving toward electronic medical records?

DR. HEINRICH: I don't recall that there was that comment per se. There were some concerns about the cost of implementing the regulation. But, the fact that the regulations allow for different approaches to implementation depending on the size of the organization was really meant to relieve some of the burden that would be placed on smaller organizations. So, in fact, the person who would be the officer appointed for oversight of privacy or posting of privacy rules could be fairly straightforward.

SEN. JEFFORDS: In your testimony, you noted that there was widespread opposition to the requirement that business partner contracts include a provision stating that the individuals were, quote, "third party beneficiaries" of the contracts.

DR. HEINRICH: I think that in this instance the Department was trying to give individuals the right to sue if, in fact, their individual information was somehow misused, and they were not able to do this for the covered entities and so this was their approach. Would you like to say anything more about that?

MR. BEDRICK: I agree essentially that the concern was that that clause in the business partner contract would, in fact, create a right of the person whose information was improperly disclosed to sue for some kind of relief. And there is, unfortunately, no explanation of that provision in the HHS preamble to the regulations, so it's difficult to know what was behind it. But that would seem to be the logical explanation.

SEN. JEFFORDS: Well, thank you both.

SEN. KENNEDY: Let me just ask one thing.

SEN. JEFFORDS: Senator Kennedy.

SEN. KENNEDY: Let me ask you, did you review what's happening in the states on this issue? We have a pretty good bill. I know in my own state of Massachusetts, I've been looking through that. And we've got another one that is going to provide additional kinds of protections. We've got a lot of the kinds of elements in that state a big research community and teaching hospitals, and a lot of active consumer groups, and a lot of the ones that generally are in play in terms of the national legislation.

I was wondering if you -- you weren't charged with it, so if you didn't, I can understand it. If you did know, or find some places -- I can ask my staff to do that work. But, if you had some suggestions about how we could look at some of the states that are doing a good job on it, I'd be interested.

DR. HEINRICH: We did not do that work, but I know that you're going to be hearing from the Georgetown University Health Policy Project, and I know they have.

SEN. KENNEDY: Thank you. Thank you.

SEN. JEFFORDS: Thank you both very much. It's been very helpful, and I'm sure we'll be back in touch with you. Our second panel consists of equally distinguished expert witnesses. First, I am pleased to introduce Mr. John P. Houston. Mr. Houston is Director, Information Services Division, Data Security Officer, and Assistant Counsel at the UPMC Health System in Pittsburgh, Pennsylvania. He manages the data center operations, systems support, and data security group. In addition, he sets health system-wide information security standards and policies. In the capacity of assistant counsel, Mr. Houston develops, negotiates, and reviews agreements related to the acquisition, sale, and use of technology and services. Mr. Houston, thank you for being here today with us.

Also, I would like to introduce Ms. Kathy Farmer, Manager of the U.S. Compensation and Benefits for Hewlett Packard, Palo Alto, California. As such, she is in charge of the design and delivery of compensation and benefit services within US's human resources organization. Previously, she was a vice president in the Human Resources Division of Wells Fargo Bank, where she redesigned the total benefits program following two mergers. Ms. Farmer managed benefit programs with an emphasis on quality, cost, integration, and productivity. At present, Ms. Farmer is a member of the board of directors of the Integrated Benefits Institute. She has also been active in the Washington Business Group on Health, the Human Resource Education and Training Committee, and served as the president of the board of a rural community health clinic. We're pleased to have you with us today.

Also with us in this panel is Dr. Greg Koski, director of Human Research Affairs, Partners Healthcare System, Inc., and Associate Professor of Anesthesia and Critical Care Medicine at Massachusetts General Hospital. After receiving his education at Harvard, Dr. Koski completed his residency and fellowship training at the National Institutes of Health as a pharmacology research associate before returning to join the Department of Anesthesia in 1984. During his 30 years at Harvard, Mr. Koski has actively participated in every aspect of academic medicine, including basic research, clinical investigation, teaching, administration, and patient care. As director of Human Research Affairs, Dr. Koski is responsible for the ethical and regulatory oversight of human investigation, including the protection of human participants in research studies. Welcome to you also.

Mr. Houston, please proceed.

MR. JOHN HOUSTON: I am John Houston, Director of Information Services, Data Security Officer, and Assistant Counsel for the UPMC Health System. UPMC is comprised of 14 owned and 10 affiliated hospitals and long-term care facilities, 300 physician practices, and other health-related services. UPMC employs more than 25,000 people and serves 29 western Pennsylvania counties. I'm pleased to testify today on behalf of the American Hospital Association's nearly 5,000 hospitals, health system networks, and other members.

American hospitals and health systems have long been champions of patient confidentiality. Every day, the thousands of Americans who walk through our doors provide caregivers information of the most intimate nature. They do so trusting that we will keep it confidential. We do. However, caregivers must be able to obtain and share medical histories, test results, and other information so that patients receive the best care possible. If providers and researchers are likewise unable to obtain and reasonably use such information, other important initiatives related to reducing medical error rates and controlling the cost of healthcare could be frustrated.

We have a number of concerns about HHS's proposed rule on the confidentiality of patient information. I will focus today on two very key points. My first point is the rule's overly broad scope. By including the requirements for privacy standards in HIPAA, Congress was responding to concerns about threats to privacy resulting from the electronic transfer of identifiable patient information among providers, payers, and others. Therefore, the secretary's authority relates specifically to the standardized transaction that HIPAA's administrative simplification provisions were designed to facilitate. However, the proposed rule addresses the privacy of all individually identifiable health information.

Attempting to establish standards for every use and disclosure of personal health information requires HHS to anticipate every use and disclosure and determine whether each is appropriate. This is impossible and beyond HHS's scope of authority. We recommend that the rule be rewritten so that it applies privacy standards to the individually identifiable information used with the transactions outlined in the statute. Then, the regulation should be reissued as a new proposed rule. And because the broad scope of the rule is so overarching and inclusive, limiting the scope of the transactions specifically mentioned in the law would relieve or at least ease many of the additional concerns about the rule.

To my second point -- costs. The proposed rule would require hospitals to develop and rewrite policies, hire staff, retrain staff, renegotiate contracts, modify existing information systems, and implement new information systems to track all uses and disclosures of information. Such changes are enormously costly and conflict with HIPAA's cost reduction goal. For a large, geographically dispersed, integrated delivery system like UPMC, the cost of compliance will be daunting. Patient information is typically stored in a variety of mediums at many locations. Without Enterprise Light Electronic Health Information System (ph), the tracking and coordination of patient medical information for the purpose of compliance will be difficult.

While UPMC is establishing such a system, most providers do not have this capability, nor the funds to achieve it within the timeframes necessary. HHS itself estimates that the regulation will have a five-year cost of at least $3.8 billion. However, that estimate excludes nine of the regulation's major requirements. The nation's hospitals spent more than $8 billion on Y2K compliance. The HHS requirements would require longer commitments and more change. And, therefore, it will surpass even the total for Y2K. Making matters worse, these costs will come as hospitals are implementing HIPAA's administrative transaction and security standards, which will require significant investments over the next few years.

At the same time, hospitals will continue to be battered by the Balanced Budget Act's Medicare and Medicaid spending reductions. By limiting the scope of the regulations of the transactions defined in HIPAA, the secretary can considerably reduce the regulation's cost.

HHS should perform a detailed impact analysis before the rule takes effect, and hospitals should be given three years to comply, rather than the two years allowed in the regulations. It will take a year to assess exactly what hospitals need to do to comply, and two years to actually get the job done.

Let me close, Mr. Chairman, by urging Congress to act now on the overly broad scope of the proposed rule. Between now and the issuance of the final rule, Congress should adopt legislation making clear that you intend a narrow, specific interpretation of HIPAA, and not the more expansive interpretation by HHS. That way, the Department will have clear guidance as Congress prepares the final rule. Thank you.

SEN. JEFFORDS: Thank you, Mr. Houston. Ms. Farmer.

MS. KATHY FARMER: Thank you, and good morning, Mr. Chairman, and Senator. I am Kathy Farmer, Manager of the U.S. Compensation and Benefits for Hewlett Packard. HP is a leading technology provider, with more than 83,000 employees globally in 120 countries. I am also an active participant of the Washington Business Group on Health, on whose behalf I am testifying today. The Washington Business Group on Health has a strong voice in the employer community, with over 160 large employer members.

My key message today on behalf of the WBGH is really simple. We do believe that national confidentiality rules are needed to ensure that sensitive health data is not misused and to strengthen consumer trust. However, the WBGH does not consider the HHS proposed privacy rule either optimum or workable. There are numerous provisions outlined in the proposed regulation that would be palatable to employers, such as the statutory authorization approach for treatment, payment, and healthcare operations. Unfortunately, though, the HHS proposed regulation, when analyzed in its entirety, would force employers, acting as covered entities, to navigate through a maze of unnecessarily complex data use restrictions.

While we recognize that many of the regulation's shortfalls result from limitations in their statutory authority, we also believe that incomplete knowledge about the complexities of employer-sponsored health programs was a factor. A more comprehensive legislative solution is needed. There are a number of important reasons why the HHS proposed privacy rules fall short. The first and most fundamental of these reasons is the definition of a covered entity. Due to the statutory confines of HIPAA, the proposed regulations only apply to an employer when it uses or transmits electronic individually identifiable health information in a health plan, healthcare provider, or business partner capacity.

We believe in the WBGH that this is a fragmented regulatory approach and it would be very difficult to implement. An additional concern related to the regulation's fragmentation is the explicit exclusion of traditional disability and workers' compensation insurance from the regulation's scope. By permitting the proposed rule to govern only electronic individually identifiable health information derived from the group health setting, HHS is assuming that group health disability and workers' compensation benefits are administered separately from one another, and that they could be subject to different sets of data rules. This is not the case in today's business world, where advanced benefit integration is becoming increasingly common.

In a global economy, with often times a shortage of skilled workers, with an increased focus on productivity, 43 percent of employers are now reporting that they are operating integrated disability management programs. We recognize that there are political impetus in place to disability insurance and workers' compensation benefits beyond the proposed rule's reach. However, we believe that carve-outs of these types of data are counterproductive to the development of integrated benefits and disability management programs.

A second area of concern, where the privacy rules fall short, is preemption. We're very disconcerted for a number of reasons, which are explained in the full testimony. The most fundamental concern is that, as most employers know well to be true, that full preemption of state laws are essential for employers who often have nationwide webs of locations and workers. If a federal, uniform confidentiality standard is not enacted, the functioning and administration of employer health-related programs could be placed in serious jeopardy.

Business partners, we believe, has a shortfall in the concept. Although the proposed regulation outlines the requirements for business partner relationships external to the covered entity, quite clearly it provides no guidance as to whether business partner relationships can or need to exist within different divisions of the same employer, and how these relationships should be handled. Discussions between the WBGH and HHS failed to result in any definitive answers to these questions. We're concerned around -- also a fourth area in which we have concern is that we believe that the proposed privacy rule falls short around the classification and use of individually identifiable health data. It's quite stringent and would impede the ability to have overall analysis when date of birth and geo-identifiers are restricted. For example, in terms of trying to identify trends and patterns within the workforce and create proactive interventions.

In conclusion, I must stress the HHS' good faith effort to formulate balanced, flexible, and yet strong new privacy standards. To its credit, during the rule drafting, HHS maintained an open door communication policy for many groups. Despite this, we must emphasize our continued unease with the fragmented infrastructure the proposed regulations would create, and the consequences of this disjointed infrastructure for employer-sponsored health initiatives. HHS cannot address many of the proposed regulation shortfalls due to the limitation of its statutory authority.

Washington Business Group on Health and Hewlett Packard instead strongly support a Congressional confidentiality solution, which would govern all types of health records and regulate employers as comprehensive entities. We believe that only legislation can fully address these issues and others that are laid out in our testimony today. Also, a legislative response may be a more appropriate vehicle for formulating and revising confidentiality rules in an area that is rapidly evolving due to increasing use and application of e-health technologies.

Although this committee is currently debating many other weighing healthcare issues, we urge you to put medical confidentiality legislation back on your agenda for immediate action.

Thank you.

SEN. JEFFORDS: Thank you. Dr. Koski.

DR. GREG KOSKI: Mr. Chairman, Senator Kennedy, and distinguished members of the committee, thank you for the opportunity to testify before you today. I know that you've all heard this before, but I'm going to say it once again. The American people are seriously concerned about their privacy. They're concerned because information is being collected about them, often without their knowledge. It's being used, often by complete strangers, in ways that were never intended, and often without their authorization. This is completely true in the area of health information.

As Senator Kennedy has noted in his opening remarks, every encounter with our healthcare system requires that individuals share sensitive, sometimes intimate, personal information. They do so with a reasonable expectation that this information is going to be used to care for them. Few appreciate the multitude of uses and users that are necessary in order to conduct the business of healthcare in today's complex system. The resulting loss of privacy, loss of control, loss of autonomy -- not to mention the highly publicized abuses that have occurred -- is just basis for this concern.

The concerns have already had serious consequences, again, noted by Senator Kennedy. Some patients already refuse to confide full information to their caregiver, and many fail to seek care at all. Another consequence is the growing resistance among the American population to use personal health information in biomedical research. The American people, for generations, have highly valued research and have been willing participants, provided that their interests and well being are protected. They have agreed to relinquish absolute privacy of their health information for the common good, provided they are afforded respect and confidentiality.

The key principle here is balance. The secretary's proposed regulations recognize the importance of health research, and will allow researchers to use, without individual authorization, private health information, but only with the approval of an institutional review board to protect the privacy of the research subject. Critics who oppose the provisions of this legislation will claim that they impose severe new restrictions that will overwhelm the IRBs and make such research impossible. They will further claim that IRBs lack the expertise to conduct such review. Put bluntly, these claims are simply unjustified.

As you know, I am responsible for the oversight of all human research at one of the nation's largest and most highly respected academic healthcare systems. I've been an IRB chairperson for many years, and also serve on those institutions' confidentiality steering committees. Based upon my firsthand experience, I'd like to set this record straight. In 1977, the US Privacy Protection Study Commission concluded that research use of private health information was acceptable, provided the use does not violate any of the limitations under which the information was collected, that the research is of sufficient value to justify the invasion of privacy, and that it could not otherwise be done. And, that there are adequate safeguards for maintaining confidentiality, and that there be no unauthorized secondary uses of the information or re-disclosures to third parties.

These recommendations were accepted by the national commission and were incorporated into the federal regulations for protection of human research subjects, 45C, FR46 (ph), otherwise known as the common rule. For more than 20 years, IRBs have been required by law to review research involving personal health information. They are specifically required to consider the risk to privacy and confidentiality in their deliberation, and this includes not just physical risks, but risks of psychological, social, and economic nature, which are attendant to the research. Current OPRR (ph) guidance to IRBs and investigators includes 11 pages specifically devoted to privacy and confidentiality issues. I've brought along a copy of these regulations and I would respectfully request that they be included in the record of these proceedings along with my remarks.

SEN. JEFFORDS: They will be.

DR. KOSKI: Many of these studies involve minimal risks, and these can be approved through expedited review procedures. At institutions with an appropriately staffed human research office, the process requires no more than a few days, and this is a very small price to pay for a process that has effectively protected the privacy interests of research subjects for more than two decades, and has allowed this work to proceed in a responsible fashion. Yes, it would be easier and quicker to do this research without restrictions and without oversight.

But, let there be no mistake, if we fail to protect the privacy of the individuals who are the subjects of this research, there will be a further erosion of confidence in the system, and this will inevitably lead to more restrictions. And this, indeed, will bring such research to a standstill. While I generally support the secretary's proposed regulations regarding research uses of personal information, I do have one concern. The proposal to allow privacy boards to oversee such research in lieu of IRBs establishes a separate, but not equal, pathway that will allow such research to circumvent the IRB process.

While it seems perfectly reasonable to me to allow an institution that does not have a significant volume or does not have an IRB to constitute such a privacy board and to allow that board to rely upon the IRB review from another institution, I believe that all human research must be reviewed and approved through an appropriately constituted IRB under the pertinent regulations. That concludes my prepared statement. I'll be happy to address any comments or questions.

SEN. JEFFORDS: Thank you, doctor. Mr. Houston, in your written testimony, you mention the need to better define what is de-identified (ph) information and use the Dartmouth Atlas of Health Care (ph) as an example of using aggregate information. Can you speak for a moment on the difficulty in producing such a document while in compliance with the proposed regulations?

MR. HOUSTON: I'm sorry. I didn't hear the very first part of your comment. I'm sorry.

SEN. JEFFORDS: In your written testimony, you mention the need to better define what is de-identified information, and use the Dartmouth Atlas of Health Care as an example of using aggregate information. Can you speak for a moment on the difficulty of producing such a document while in compliance with the proposed regulations?

MR. HOUSTON: I think simply the American Hospital Association can provide additional information. But, I think the issue is at what level do you de-identify information and what level is considered compliant. And, I think the issue really comes down to you want to be able to make full use of the information while protecting the privacy of patient information. And a lot of cases may be frustrated in trying to use any information for fear that you're going to go well beyond the bounds or beyond the bounds of what the rules permit you to do.

So, I guess it's a matter of how much can you de-identify, and is there any use past that if you de-identify it. Again, taking information such as zip codes, birth dates, things like that, you may end up -- if you take out too much information and make it useless for analysis.

SEN. JEFFORDS: Again for you. Some groups have commented with respect to the minimum necessary standard. That the burden should be on the person requesting the information, not the one giving the information. Does this make sense to you, or do you believe the entire concept of minimum necessary is flawed?

MR. HOUSTON: I think that's a good compromise. I think clearly there needs to be a justification for the information requested. I think that clearly if you look at the potential scope of what a medical record or identifiable patient information can be, it's quite broad. I mean, within the health system today, the UPMC health system, we have information at physician offices, at individual community hospitals, and at our primary specialty hospitals. And, so, there's an enormous amount of information in a lot of different forms, a lot of different mediums.

I think that by requiring them to scope what they need, I think is very helpful for us, first, to make sure that -- and provide some type of justification potentially to allow us to understand what the purpose of their uses and whether it's justified or not. But, at least for internal business purposes or for patient care purposes, the concept of minimum necessary is very problematic.

Again, a lot of times it is very difficult to understand exactly what you do need in order to deliver care. That's, I think, the basis for our greatest concern, is that you don't want to tie the hands of somebody who is trying to deliver effective care by trying to determine what is necessary for them in order to deliver that care.

SEN. JEFFORDS: Finally, I think, could you clarify for me your position on preemption? Is it fair to say that you support full preemption of state law with the exception being in the area of law enforcement?

MR. HOUSTON: I think the preemption is something that we need to have a single common standard. The UPMC Health System has practices and clinics in multiple states, as well as hospitals in Pennsylvania. I think the issue is that we need to have clear guidance as to what set of standards we need to apply. Clearly, if there is true federal preemption, that's very helpful to us. I think in the alternative, if there isn't preemption, somebody needs to be very clear to us as to what preempts what, and what standards to apply when.

And that has to occur though, I think, the Department of Health and Human Services, or I think federal preemption, in my mind, is required.

SEN. JEFFORDS: Ms. Farmer, when the committee worked on privacy legislation last year, we heard from the occupational nurses, who were concerned about sharing medical information with employers. Can you comment on the typical barriers that exist between employers requesting information and occupational therapists feeling compelled to protect that information?

MS. FARMER: Yes, sir, I can. Speaking specifically now from Hewlett Packard's practices, we have a privacy policy that's been in place for over 25 years. It does apply to medical records. And, accordingly, the way that health data is protected on an individual basis within Hewlett Packard, is that only those who have a business need-to-know are permitted access to that information. In regards to our particular organization, work-related or site-specific medical information is retained at the occupational health nurse level at particular sites. Those records are based on paper. They are not electronic and they are secured strictly by the occupational health nurses.

They are not required to share any of that information with any of the employers for any other need-to-know, other than a program manager, who would have a very rare and infrequent need-to-know. So, from our perspective, the medical privacy and the information of those records by the occupational health nurses is kept completely separate through an internal firewall from employer -- protecting employers from having access to the particular individual information.

SEN. KENNEDY: Thanks very much. And thank our panel because I think we've got some different views, obviously, on this issue. Let me -- I suppose we ought to understand that, even with the regulations by HHS, they are that. They're regulations. So it doesn't get away from the importance of having legislation that's going to either follow some of these paths that have been outlined by HHS or others. I think that's important for us to recognize.

Dr. Koski, we in Massachusetts -- coming back again -- we've got a pretty good law up there. And there is an additional proposal for additional kinds of protections. And I'm just wondering, first of all, your reaction to the HHS regulations. What is -- have you had a chance to look at them? Have you reviewed them? Do you have a reaction to them?

DR. KOSKI: I have, but I'd like to focus specifically on the research provisions --

SEN. KENNEDY: Okay.

DR. KOSKI: -- where I would be most familiar with them. In general, I believe that they do provide a high level of protection for use of private information in research that further strengthen those that are already included in the appropriate federal legislation dealing with those uses. You know, it will require that there be some further clarification to the institutional review board in order to be sure that these are applied in a uniform fashion nationally. But in general, I believe that those are the kinds of protections that are necessary in order to maintain the confidence of the public that will allow us to continue to use this information as we have been.

SEN. KENNEDY: Well, as a researcher, how important is that sense of the confidence of the public in getting good information that is the basis of good research? How important is that?

DR. KOSKI: It's absolutely essential. I mean, I can't put it in any other terms. You know, society benefits from research. But in order to get results from the research, it's individuals who take the risks. And we, as a society, have a responsibility to protect those individuals who are taking the risks from which we will all benefit.

SEN. KENNEDY: Would you be happier if we had the preemption, if the regs were actual law and preempted the state, the kinds of protections that are there in Massachusetts? Or do you find that the kinds of protections that are there, for example, in mental health, under the -- Massachusetts has broad protections against disclosure of mental health records. Even the HHS has got the narrower protections against disclosure of mental health therapy note. So it's a narrower kind of a protection.

What is your own sense about the preemption issue? Are you troubled by the disparity between what's happening in the federal law versus the state laws?

DR. KOSKI: Well, yes I am, to a certain extent. I guess I'd have to say if the floor established under the federal regulations or legislation that results, if that's sufficiently high, then those concerns would be relieved somewhat. But yes, I do have some concerns.

SEN. KENNEDY: In our HHS regulations, there is no private action. And there, on the specific protection for other types of medical information -- for example, information on HIV status, genetic information and others -- there is no protection. And there is no medical records ombudsman, which they have again at the state. Do you have any reaction to those -- the private right of action or special protections for other types of medical information or a medical records ombudsman?

DR. KOSKI: Yes, I believe that when there have been abuses of private information that there should be some recourse, so that I personally favor a private right of action. With respect to certain areas of highly sensitive information, such as HIV status, reproductive health, mental health, in the research domain, the existing federal regulations already provide a higher level of protection in those areas, as does the state legislation in Massachusetts.

SEN. KENNEDY: Just on another area, do you feel qualified to talk about the regulations as they apply to law enforcement as well? Do you have any reaction to that balance between getting information from law enforcement officials and what the standard ought to be?

DR. KOSKI: I would prefer to defer to others who would be more knowledgeable in that area.

SEN. KENNEDY: From your own knowledge, has this been unduly burdensome, in terms of the cost? Have you found the kinds of protections that have been required, in terms of the business sector, in our state? Have you found people complained about that? Has there been an undue burden, to your information, on this issue?

DR. KOSKI: No, it has not. Again, in the research domain, this is an area that, if you're going to do it, you simply have to do it right. And this is one of the necessary costs of doing that business. And I do not believe that it has been unnecessarily burdensome.

SEN. JEFFORDS: Senator Murray?

SEN. MURRAY: Thank you very much, Mr. Chairman, for having this hearing. And I think, like all of the members of this committee, I'm sorry that we weren't able to enact legislation by the August 21st deadline. And I hope that we can continue to work towards that goal because I think we do need a comprehensive federal standard. And we need to provide what our constituents are looking for.

I have a couple areas of concern. And I will just throw them out for the committee and if any of the panelists want to comment.

One is on the privacy and confidentiality guarantees for minors, that I think is of particular concern. In Washington State, we do have protections for minors. Their confidentiality is guaranteed when they seek family planning services, STD screening, mental health services. And I think it's very important that whatever we do protects that ability for states like mine to do that.

Clearly this goes beyond an unwanted pregnancy. It has to do with STD. It has to do with AIDS, which can be fatal. It has to do with mental health. And we know that suicide is the second leading cause of death for minors. So I think it's important that we do that. And I'm concerned whether or not the proposed regulations from HHS provide that kind of state confidentiality and privacy requirements that are enacted. And if anybody would like to comment on that?

(Laughing) -- not going to touch it. Well, I do hope this committee continues to keep that in mind. I think it's a very important area.

The other area I have a great deal of concern about is the issue of victims of domestic violence. Women and men who are victims of domestic violence don't seek healthcare if they don't feel their confidentiality is very closely guarded. And I worry that an insurance company isn't going to notify the payer of the bills, who may well be the abuser. And if any of you would like to comment on how we can protect those privacy or what kind of regulations should be in place for that, I would appreciate it.

MR. HOUSTON: Let me make a comment on both because I think they go to the same issue. You want to, I think, as a provider -- the provider wants to do the right thing, which is to make sure that appropriate treatment is provided. And whatever is required to ensure that that happens is, I think, what needs to be done.

If there need to be ways to reasonably put in place provisions to protect both minors and abused spouses and the like, then we need to do that. It's just a matter of -- it's always a balance of that against the burden. And I think that's really where I know we have had the most problem, is that we absolutely have the position that we want to keep this information confidential and private. How do we do that without not only impacting our ability to deliver healthcare, but also to -- in a lot of cases, in the face of shrinking reimbursement to try to continue to serve our, you know, dispatch our mission.

So, I don't -- having read through this -- the rules -- at length, there really isn't anything in there that would go counter to your concerns. I think it spoke to it generally, if you ask me. I mean, and I think that clearly those are the types of things that we would want to, as a health system, to try to ensure happens. I mean, we would want to make sure that those protections are in place and that that occurs.

SEN. MURRAY: Anybody else want to comment? Okay, thank you, Mr. Chairman. And I will continue to be following --

SEN. JEFFORDS: Senator Dodd?

SEN. DODD: Thank you, Mr. Chairman. And thanks for holding this hearing. I apologize for getting here a little bit late and missed the first witness. But we've had one of those mornings where every committee seems to be having hearings at the same time. So I apologize to our witnesses for not being here for all of your testimony.

And let me just -- Mr. Chairman, as you know, we tried very hard to get a privacy bill passed in the medical records area, with your help, Senator Kennedy's and others here. We were unable to get it, though, at least as of to date. I'm still hopeful, although as each passing day goes on, my hope diminishes substantially that in this Congress we're going to deal with this issue.

It's a complicated issue. We know that. And there are unintended consequences that can occur as a result of any legislation being adopted. So you've got to think it through carefully. But it's our responsibility here to do that, in an area that is as significant as this.

I don't know of another area, in my constituency, when we surveyed issues of importance to people in Connecticut, this issue dwarfed every other issue, from taxes and budgets and crime. And the issue of privacy generally -- now, we didn't get into the issue of medical and financial records and distinguish, but just on the notion of privacy, this issue dwarfed every other concern in my constituency a few -- a year or so ago. So there is a real concern out there.

And with the explosion of the Internet, from 13 web sites on January 20, 1993 to 15 million with 45,000 pages being added every minute worldwide, there is this unease that people have about the ability of others to peer into their medical cabinets, to peer into their bank accounts, to peer into their bedrooms, to build a glare into the most intimate, private aspects of their lives. And we will do something on this issue, I promise you. We will do something on privacy.

The question is whether or not we'll do the right thing about this issue. And that's what we really have to be careful about. And I applaud the administration for moving on the regulations. I mean, that was certainly helpful. Although I want to raise the question that's been raised, in fact, by a political scientist at the Harvard Medical School in a report recently about maybe this was a step backwards in some areas. And I'll get to that question in a minute.

But I wanted to point out, Mr. Chairman, that while the administration, I think, has done a good job here, there are certain things we ought to take into account and that, even with some of the state laws out there, without having a federal law that has breadth and depth to it, we're dealing with a patchwork that's very uneven. And the reality is that right now, patients have few enforceable rights in this area, when it comes to privacy of their personal health information. They don't have the right to see their own medical records, in most areas. In most states, you don't have the right to prevent information you give in confidence to your doctor from being used in direct marketing. In almost all states, you don't have the right to keep our insurer from sharing your records with an employer.

By and large, with the exception of a few states, all you have standing between you and the misuse of your information are good intentions, professional ethics and internal company policies. I'm not saying that's insignificant. But that's a little source of confidence to most people.

And, of course, as we now know with these regulations, even though they are valuable, they're limited in scope. The secretary cannot regulate paper records. She cannot directly regulate the use of medical information by marketing firms, employers and researchers. And the secretary cannot offer individuals whose rights are violated the opportunity to seek legal redress.

Only Congress, as Senator Kennedy has pointed out accurately and wisely here, can really protect in these areas. So I think we've got to step up to the plate and do it quickly. And hopefully, that will be the case, Mr. Chairman. I'm deeply disappointed we let this Congress -- or apparently have let this Congress -- go by without doing anything.

Couple of quick questions for you. One, I'd like to come back to the minimum amount necessary issue, if I could, very quickly. And there, this is a difficult area to put parameters around what is a minimum amount necessary in the transfer of information. But I also want to raise the other side of the question here and that is, if providers must continually question whether they are passing out too much of healthcare records, should we also be concerned that we will see an increase in medical errors? Should we be worried about seeing more adverse drug reactions if doctors aren't provided with the full medical history of their patients? So there is this information where the only minimum necessary. And yet, it seems to me, the issue is more internal than external sharing of information.

I want, when I go to have a stress test or a heart test, I want that doctor to also know what other vitamins or prescriptions I'm on, so that in making that determination, I'm not going to be neglected in examining that. I wonder if you might just quickly comment on that. Maybe we'll start with you, doctor.

DR. KOSKI: Yes. We discussed this at length in Massachusetts when we were working on the bill there.

And clearly, restriction of the free access to the medical information for the purposes of delivering care is a mistake because it can result in exactly the kind of errors that you're referring to.

The greater concern is about why information of a very specific nature about a particular medical encounter should be released as part of a general request for information when it has no relevance to the particular activity that's being undertaken. Why any information should ever be released for marketing purposes is beyond my comprehension. So that the key point here is that we need to understand that information is provided for specific, intended uses. And it should be restricted to those uses and to the individuals who need the work to do those jobs. And whenever there is a new job that has to be done, we should carefully define what information is needed to do that. And that's going to take some time, granted. But it's exactly the approach that we need to take.

MR. HOUSTON: Just a brief comment. In your opening remarks, you talked about the rise of the Internet. And I think the issue here is that there is also the issue of security versus privacy. Security is keeping people out that have no right to that information. And privacy is the inappropriate use of information by people that otherwise may have a right to access at least parts of the information that's available. And so, I think the security regulations or rules that were proposed go a long way towards addressing the concern of people, via the Internet, anonymously going after information.

So I think they do serve us well in that regard. And I support those fully. I think the issue of minimum necessary, then, is one of a question of, for internal purposes, what should be made available? And for other purposes, when requested, how much should be made available? And I think Senator Jeffords' earlier question regarding should they be required to ask us for a specific subset of information and possibly give a justification of why they need that information would be very helpful.

SEN. JEFFORDS: Senator Reed?

SEN. REED: You wanted to respond, Dr. Koski?

DR. KOSKI: Well, yes. I just wanted to be sure that we don't leave the impression that information technology is just a villain in this debate because, after all, there are information technology tools that can be very effectively used to facilitate a lot of what we're trying to do. A good example of that is the ability to put all of the medical information on all of our patients, in a healthcare system with over two million subscribers, and have that information accessible to researchers, with all identifiers removed, so that that information can be used freely, without compromising privacy. So we need to look at where the information technology can be beneficial, as well as where it poses --

SEN. DODD: If I just could comment? I did want to suggest to you, by just the factual explosion of this technology, in fact, arguably it may be a lot safer today on the Internet than it would be in the old file cabinet with paper. So don't misunderstand me in that.

But it also, because this is so new to so many people -- and it's unsettling. This is a technology most people are not familiar with. And because we've seen there have been abuses, in terms of access. And I'm going to come back in the next round with you here, but on information, for instance, on drug stores, the Internet drug stores, where one, you're getting advice from someone on a condition you may have or selling you a product. Do you distinguish in that regard?

So there are some specific questions I have. But I want to -- but time is out here. So I'll have to wait until the next round to get back into it.

SEN. REED: Well, I'll be -- Mr. Houston, you had a comment. This is, I think, a worthwhile colloquy. So do you have a comment, with respect to this?

MR. HOUSTON: I just want to make it very clear, though, that though we talk about this, the power of information technology, I also must warn that today, very few health systems or hospitals in the United States have a truly electronic medical record. The costs are significant. It's going to take a long time to get where we need to go.

SEN. REED: And these regulations don't cover paper records.

MR. HOUSTON: That's a differing standard. And it also, I think, if the source of compliance ultimately is through us, having purely electronic systems to handle this information, secure this information, that's the best way to proceed. But we're not there. And we're not going to be there for a long time. And it does cause a lot of significant problems.

SEN. REED: Thank you. Thank you, Mr. Chairman. One topic that has been discussed this morning has been preemption of state laws. And it seems to me that there is a dilemma. The dilemma is in order to confidently preempt state laws, we have to understand and know that we have a strong, comprehensive federal law. And sometimes I hear, sort of, two streams of discussion -- one, preempt state laws, but we don't want this onerous federal law to impose upon us restrictions. And frankly, I think if we're going to resolve this, my view is because of the nature of this technology and the fact that, frankly, it is now not only accessible across the country, but around the world, that we need a strong national standard.

And in the long run, I would hope that it is the voices of not just public voices here in the Senate but in the communities, they're going to stand up and say, "We need national rules. But we understand they've got to be tough and comprehensive and, you know, constraining, in a way, in a proper way." And I wonder if you might comment on that, from your different perspectives. Ms. Farmer?

MS. FARMER: Thank you. Yes, I would like to comment. As a technology-based firm and operating in a global environment, we are keenly cognizant of the issues you just mentioned. And since we are moving to a higher level of systems integration, and efficiencies around the world, our issues are no longer even U.S.-based. They are globally based. What are the appropriate systems, securities, encryptions, uses of passwords, firewalls, et cetera, as we move not only medical information, but information in general around the world?

And we would agree that we need to have privacy. Fundamentally, one of the core values of Hewlett Packard has been respect for the individual employees and their right to privacy. While not all employers may have the policy that we have in place, and we do endorse and support a federal legislation, fundamentally we believe that it's the employer community, the medical community, the research community, as we gather together to say that this is what we all need to do.

We need to have those standards. We would just implore that, as we have this debate, that we try and create a workable, tough standard that takes into consideration the need for American business to still be able to have some modicum of being able to manage the healthcare dollars that they are trying to basically drive productively in the workforce.

SEN. REED: Well, you know, I agree, obviously, with your sentiments. But I think one of the, perhaps, observations I would have is that I think you're all going to be driven, not by the most enlightened members of your community, but the most unscrupulous members of your community. And once that hits the public, because we're now talking about not just a technical issue here. This is a cultural issue in America. I mean, the Jeremiah Johnson ethic is very strong -- going off by yourself, either into the woods or into your own home. This is a cultural issue with a tremendous resonance in the American public.

And what I would hope we could do is, very quickly, try to have the kind of input from all these different private sectors, to help us move forward, jump start and get a national standard that will work for all of us. Any other comments? If not, I will --

MR. HOUSTON: I think we're looking for guidance, frankly.

SEN. REED: So are we.

MR. HOUSTON: I believe in doing business in the most ethical manner. And today, we have to, in often cases, use our best judgement as what's appropriate.

And we typically are very conservative in allowing use of data. But frankly, I think that one common body of law is going to help, rather than hurt. And I think it's important to have.

SEN. REED: Doctor?

DR. KOSKI: Yes. Where one comes down, I think, on the issue of preemption depends upon where you happen to be standing at the time. I think everyone's invested in what they believe to be their own best state law, for whatever reasons. And if you feel that the federal legislation would undermine those and provide a lesser standard, then you would probably oppose preemption. Whereas, if you think it's going to make things so restrictive that you wouldn't be able to do what the people in your state thought you ought to be doing, then you'll come down there. So finding that balance.

But I think the key point here is that we truly need to look at what the people are saying. And that is, "We are concerned about our privacy," as Senator Dodd pointed out. And we need to listen to that first and then find where we can work to satisfy their concerns and yet meet the needs that Mr. Houston and Ms. Farmer have mentioned.

SEN. REED: Thanks very much. I guess the final point would be, I just think it would help, in terms of that search for guidance, is if we started with the presumption that whatever we did at the federal level was going to be very tough, very comprehensive and very responsive to this deep, cultural sense of privacy, rather than thinking, "Well, let's go and start negotiating down as fast we can to get to something that gives us the most flexibility."

Thank you, Mr. Chairman.

SEN. JEFFORDS: Senator Wellstone?

SEN. WELLSTONE: Thank you, Mr. Chairman. I apologize for being late. And I had some questions for Ms. Goldman that I may not be able to ask because I have to leave because of what's going on in agriculture in Minnesota. But let me put some questions to you all.

Let me thank you, Mr. Chairman, for the hearing. And I really approach this as a layperson. I mean, this is an area that I am trying to -- I've got a long ways to go to get the intellectual capital that I need.

But just building on what Senator Reed said, I think it's not just a sort of cultural question of, you know, "We want our privacy," but it's also -- and maybe this has been part of the discussion already in the committee, Mr. Chairman -- but it's also the very legitimate fear that people have as to how this information is going to be used. I mean, if in your family there is a genetic predisposition toward substance abuse or mental illness or neurological disease or whatever, you've got every reason in the world to worry about who gets a hold of that information and what effect it has on insurance premiums and what effect it has on whether you get a job somewhere -- you name it.

So, I mean, I think there are reasons for concern. And so, I guess, the question that I want to ask you is -- and this comes, I think, from a different point of view than probably several of you have expressed, but I do want to at least get your reaction. I think the concern I have about the proposed regulations is that they completely eliminate the fundamental concept of informed consent. I mean, that's gone, as I see it. And to me, that violates a kind of sacred contract between doctor and patient.

And I wanted to ask you whether or not, from your point of view, whether you would support at least the idea of -- quote -- "sensitive information," which would require prior informed consent for disclosure, at least to sort of set up a separate category of sensitive information that would require the prior informed consent?

This could be for any of you. And you all may not be in agreement.

DR. KOSKI: Well, I'm sort of more concerned about this question. Informed consent is obviously something that's critically important in the research domain, so I may address it from that perspective. There are already -- as I mentioned earlier -- special protections for highly sensitive types of information. The regulations that have been proposed would allow for a waiver of informed consent for uses of identifiable information for research purposes, only when those studies were deemed to constitute minimal risk to the individual, for which these highly sensitive areas of information would not apply.

And the standards for protection would be increased in a manner that's commensurate with the sensitivity of the data, so that there would certainly be instances where full informed consent would be required. Doing away with informed consent is probably not entirely accurate.

SEN. WELLSTONE: You don't need to be kind. You think the premise of the question is wrong?

DR. KOSKI: Yes.

SEN. WELLSTONE: Okay. Well, that's important to me. I get other input from others. And I'd be -- go on. Yeah.

MS. FARMER: I'd like to make a comment on that. In terms of the employer perspective on an individually based informed consent, while I concur with the concept of information, but the individual authorization or release, if you will, would be problematic in the employer environment. I think that we have many, many years of wizened experience that tell us that when we go out and reach out to our employee populations and say, "You must sign this document and return it to us," that if we get a 20 or a 30 percent response rate, after two or three follow up mailings, we're doing great.

So what we have here is maybe a law of unintended consequences. If we were required, in the employer domain, to have this informed, written authorization to release, then we would have, unfortunately, employees in our workforce that, because they failed to sign an authorization, would be precluded from participating in the health programs and plans, et cetera, which is not our goal. Our goal is to have our very valued employees come on board with us and have the catastrophic coverage and the medical needs for themselves and their families and not have that get lost in a boondoggle of administration.

MR. HOUSTON: I think the other thing that's important and from a research perspective, I mean, we are on the verge of really being able to store enormous amounts of information on-line and to use that for the purpose of research. We do a lot of that today at the UPMC health system. We have certain systems in place to do that. And the value is enormous. I think the point that you are making -- and it is very valid -- is if there is a stigma attached to it or people are concerned that there will be a stigma attached to their condition, they are going to be less forthright or they're going to be concerned about seeking medical treatment.

And clearly, privacy needs to be -- privacy rules and regulations need to be in place to ensure that those stigmas are not attached. But we have to be very mindful of the true value -- the real benefit here is to have that information available, use it in its intended purposes, for its intended purposes, use it for research, so that in the future the stigma of AIDS goes away simply because AIDS is -- we are able to cure AIDS or address AIDS.

SEN. WELLSTONE: Well, let me do a quick follow up because it's yellow. I understand, Dr. Koski, with research, that your answer is on target. But I think, in regard to other uses of this information, I don't -- I think this is a real question that I've raised. And again, maybe this is going to be for the record and it can't be answered. But what I'm interested in is what about a category of sensitive information with special privacy protection, not just applied to research?

MR. HOUSTON: The Commonwealth of Pennsylvania today carves out exceptions for AIDS and other types of information and actually holds them to a higher standard. And I think that we need to take account for that. But again, in the end, I want to make sure that we're able to use the information for its intended purposes. And I think that's what's most important, from my perspective. And whatever those purposes are, whether they be research or otherwise helping those people to lead productive lives and to help, maybe, ensure that their condition is alleviated or lessened, I think that's very important. And I think we have to try to aim towards those goals.

MS. FARMER: From the employer perspective, if I'm understanding you correctly, I think that the individual's rights and needs are protected through the legislation that's afforded through the Americans Disabilities Act and that it provides protection for the individual for the employer's misuse of sensitive or personal medical information in the field of employment. So the misappropriate use of, perhaps, HIV information or cancer or whatever the other medical condition may be, employers are already restricted and individuals already have rights in regards to those protections.

DR. KOSKI: Clearly, if individuals are concerned that telling a doctor about your medical problems is going to result in your loss of your medical insurance, you don't have much of an incentive to be open about it. And so, I would agree, this, you know, restriction or real piece in a law that would appropriately punish misuses of information and it would prohibit discrimination on the basis of information that is provided are absolutely essential. I think the concerns you raise, Senator Wellstone, are very real.

SEN. DODD: Well, just a couple -- sort of following up on this last point raised by Senator Wellstone, sharing medical, having medical information or employers being aware of medical conditions -- existing medical conditions -- is a difficult area. But nonetheless, I can understand, from an employer perspective, wanting to know when you hire someone -- again, I presume the prospective employee would be the one sharing the information so as not to in any way defraud an employer, in terms of their ability to perform the functions for which they're being hired.

An area where I think we have more clear cut is in the predisposition for certain illness or certain problems. And this is one where I don't think there ought to be any debate. The unintended or the misappropriate use -- you could spend years in court trying to find out what's an inappropriate use of information. We now know, for instance, that at Yale they've done some remarkable work on breast cancer and the predisposition, at birth, with infants, twin girls, the studies they've done, getting down to the degree of something in the neighborhood of 90 to 95 percent degree of probability of untreated, the likelihood of twin girl babies, as I understood the study, contracting breast cancer.

Now that availability -- now this is someone without breast cancer, but just an employer or an insurance company having access to the predisposition is really a concern. That's an area that I really get concerned about. That one, the lines ought to be bright and clear, it seems to me, that any sharing of that sort of information, of predisposition, I would like to see prohibited. Now I don't know how you feel about that. I'd be interested in your quick response.

MS. FARMER: From the employer perspective, my response is short and sweet. So maybe I should go first. And that is that --

SEN. WELLSTONE: Don't disappoint us now.

MS. FARMER: (Laughing) -- okay. Clearly, the predisposition is none of the employer's business. We have no interest in it. And we have no interest in having any access to that information.

SEN. DODD: Good answer.

MR. HOUSTON: I would agree. But you also want to make sure that if you have the capability to arrive at those conclusions, those predispositions, and use that for other purposes, which are not going to disadvantage the person, I think you have to. I think whether, you know, research will allow you to improve their quality of life or help them to take action to avoid future illness, then not only does that help the person, but it also helps reduce the cost of healthcare and other --

SEN. DODD: That's the consent of the individual we're talking about now.

MR. HOUSTON: Absolutely. Absolutely. But I think it's very important that, you know, we look at the other bona fide reasons for why this information is of value and try to make sure that the law allows us the freedom to do what's right and to understand what we shouldn't be doing.

SEN. DODD: Dr. Koski, I can see you --

DR. KOSKI: Yes, I know. I'm just biting at the bit here. (Laughter.) One of the real problems, though, Senator Dodd, is that it may not be possible to prevent that information from being released because -- take the example in breast cancer. We know, from studies that have been done today, that Askanazi (ph) Jewish women have a higher propensity to develop breast cancer because of a gene that is expressed with higher frequency in that population.

As we learn more and more about human genetic information, the groups that we will be able to identify as being "at risk" for more and more conditions are going to become more and more prevalent, okay? So that eventually, when we understand -- in fact, there's another example. There's a study that's been around for years and years and years that shows an association between men who have hair on their earlobes and the instance of coronary artery disease.

SEN. DODD: Well, there you go. Everyone in the room is doing this. (Laughter.)

DR. KOSKI: This is a problem. And so the focus should be less, I believe, on just restricting the distribution of that information than making sure that --

SEN. DODD: I understand that. What I'm talking about is I'm talking about, you know, the specific genetic predisposition of Ms. Farmer. I understand that there is going to be groups of people. That's inevitable, I suppose, although I would think that we ought to make it -- we could make it a violation of the law for someone to discriminate against hiring an Askanazi because she's an Askanazi, there is the potential that she may contract breast cancer. That's what we're looking at from this side of the dais here. Whether or not you can draft legislation in that area, it seems to me, I think we can be -- we ought to get almost unanimity, it seems to me, of thought on that particular point, if it's possible.

Actually, the clock is -- and I have one other question. But I don't know, my colleague may have some points.

SEN. WELLSTONE: The chairman is putting unbelievable pressure on me.

SEN. DODD: Just one more, Mr. Chairman, so they're very important.

SEN. JEFFORDS: Make it short.

SEN. DODD: Make it short. Well, I just -- I raised the issue before with you and that is, I asked the FDA commissioner, Dr. Haney, when she was here, whether she thought Internet pharmacies would come under the scope of the regulations that we've seen drafted. She indicated she wanted to look at it further, didn't have a quick answer for us. And I respect that. But while I have you medical privacy experts here in front of me, I'd like to ask you and pose the question to the three of you. And give, obviously, quick answers if you can and maybe follow up in some writing if you want.

But do you believe that Internet companies that provide drugs over the Internet would be required to comply with the regulations, for one? And two, how about web sites that just provide health consultations -- advice or manage consumers' medical records -- there is that out there, as well, today -- but don't prescribe drugs? And could this regulation be an additional tool for shutting down unscrupulous, on-line pharmacies, of which we've already had a good hearing on? So there are three, quick questions.

MR. HOUSTON: I personally don't know. I don't know what category --

SEN. DODD: Do you want to call a friend? (Laughter.)

MR. HOUSTON: I want to use one of my lifelines. (Laughter.) My thought would be, off the top of my head though, I think really the AHA could help out in trying to just, you know, help you out in that regard. I don't think that necessarily an on-line pharmacy would. I don't know which category they would fall under, whether they would be a provider or a payer or otherwise. And I just -- I don't know how, I mean, again, if there -- it depends on whether they're going to use the data in (anonymous ways ?) or otherwise.

But I don't know.

MS. FARMER: From the employer perspective, I also have questions: if they are friend, foe or beast or animal. And what I would say is that currently, most of the Internet drug stores have positioned themselves as retail stores, as opposed to benefits which employers provide to their employees. And they are taking the positions that they are just a different sales channel. While they have approached the employer community on various occasions and tried to enter into the benefit arena, right now we don't regard them as benefits.

However, we do have pharmacy managers that fall under this regulation. And they do have legitimate needs for data, which is geared around the whole issue of reducing medical errors, for which employers have great interest.

DR. KOSKI: The drugs that people are on is basically a blueprint to their medical problems. If they didn't have the problems, they wouldn't be on the drugs. If you give me a list of drugs that someone's taking, I can tell you an awful lot about their medical history. Certainly, a pharmacist would be -- wherever they are, Internet pharmacies, your local CVS, whatever -- will be recipients of private health information when a person goes in to have a prescription filled. And the information that they receive should be used solely for the purpose of filling that prescription and providing advice and counsel on the safe use of that drug to the individual. It should be used for no other purpose.

And we have already seen instances where pharmacies have sold that information for other purposes, much to the concern of not only the individuals, but the law enforcement agencies where those things have occurred. So I think I could give a very strong and clear answer to that, that yes, I would think that those types of -- any entity that receives personal, identifiable health information should be required to respect that information and handle it according of the provisions of strict practices.

SEN. JEFFORDS: Well, thank you very much.

SEN. DODD: That's the right answer.

SEN. JEFFORDS: Right. You've got your right answer.

SEN. DODD: Also, do you think on the unscrupulous drug companies, Internet companies, that this might be a vehicle by which we would be able to weed out some of these fraudulent operations that are out there? Fraudulent isn't the right word, but unscrupulous is.

DR. KOSKI: Well, sounds like a good job for the OIG.

SEN. DODD: Thank you, Mr. Chairman. Thank you all, by the way.

SEN. JEFFORDS: Thank you, all the panel. Very, very helpful information. We have another panel I'd like to call forward: Dr. Horobin and Charles Kahn and Janlori Goldman.

Dr. Horobin is the executive vice president of commercial development for EntreMed, Inc. Prior to joining EntreMed, Inc. in February of 1999, Dr. Horobin was vice president, corporate oncology at Rhone-Poulenc-Rorer and in the role launched by RPR as a global player in oncology. Between 1987 and 1992, she held a number of clinical development and management positions as well in Rhone-Poulenc-Rorer. Prior to joining RPR, she spent five years in clinical development roles with the Beecham Pharmaceuticals.

A British citizen, Dr. Horobin graduated from the University of Manchester Medical School in 1978. She is a member of the UK Royal College of General Practitioners and holds a UK diploma of pharmaceutical medicine. She has recently moved to Bethesda, Maryland with her husband and two children. And welcome here.

Mr. Kahn is Charles N. Kahn, III, president of Health Insurance Association of America, Washington, DC. Good to see you again. HIAA numbers among its members nearly 300 companies, which provide health, long-term care, dental, disability and supplemental insurance. Mr. Kahn has had numerous academic and advisory appointments, in addition to teaching health policy at the Johns Hopkins, George Washington and Tulane Universities. Mr. Kahn has written on healthcare financing. Mr. Kahn, good morning and welcome to you.

And finally, I would like to introduce Janlori Goldman, director of health policy project at Georgetown University. Ms. Goldman has researched and written extensively on privacy policy for several years. Ms. Goldman is currently also deputy director of the Center for Democracy and Technology and has had several past positions for the ACLU. Ms. Goldman holds a JD from the Hofstra University School of Law. And thank you for being here.

And we will go back to Dr. Horobin and please proceed.

DR. JOANNA HOROBIN: Thank you, Mr. Chairman. And thank you also for the opportunity to testify to this important hearing on medical records privacy. And I am testifying this morning on behalf of the Biotechnology Industry Organization or BIO. As you heard, my name is Dr. Joanna Horobin. And I am an EVP for EntreMed, a biotechnology company based in Maryland.

As you heard, a physician by training and practice, right now I've been involved in the pharmaceutical drug development business for over 18 years and, for the last eight years, specifically in oncology drug development. As I'm sure all of you know, the drugs that are available to fight cancer today have, at best, been poor in assisting patients with cancer. And the price those patients have to pay, in terms of drug toxicity, has been significant.

At EntreMed, we are trying to develop a totally new approach to treating cancer by harnessing the body's own control systems. We have identified natural molecules that inhibit the abnormal and unwanted growth of new blood vessels that allow tumors to grow and spread, but without the side effects that we have learned to expect with traditional cancer treatment. And just six months ago, we put the first of our three lead molecules into clinical trials. We now have Endostatin, Angiostatin and 2ME2 in early clinical testing and a very aggressive clinical development plan for those three molecules. And it is exactly those reasons why I am so pleased to have the opportunity to testify on behalf of BIO today.

The objective of the biotechnology industry is to bring breakthrough products to patients as rapidly as possible. And I feel certain that that is an objective that the patients themselves also share. But I am very concerned, as is BIO, that there are some aspects of the administration's proposal on medical records privacy that may actually have the exact opposite effect and may actually slow down the potential pace of medical research and new drug development.

So with that introduction, I'd like to make three points. First, I would like to assure you that BIO fully supports the enactment of laws to protect patient confidentiality. Indeed, patients are pivotal to the success of the biotech industry. We want to make breakthrough medicines available to patients quickly. But to do so requires their involvement in clinical research protocols designed to test our drugs in a very rigorous manner. We respect the patients that participate in that process. And we respect and want to maintain their confidentiality.

The second point I want to make, though, is that BIO supports the enactment of a national law that protects the confidentiality of medical information. And indeed, Mr. Chairman, it is very important to us that it is a national law. And maybe I can explain our specific view on that.

Today, my company's products, for example, are being tested in what we call "single center protocols." What that means is that each study is discrete and conducted entirely in one treatment center. But as I'm sure you all know, the FDA rightly expects to see results in several hundreds of patients, at least, before approving the drug for market. The quickest way for us to gather this important data is in multicenter protocols. Essentially, the exact same study is conducted by many different researchers in many different centers in different states. But a study just last year showed that differences do exist, state to state, between the different health privacy laws. And during this last legislative session alone, 26 states have debated laws concerning privacy.

Today, my company has protocols in just five states. By the end of this year, we would expect that to probably double and to probably double again next year. And we believe that it is very important that laws concerning patient confidentiality are conducted on a national basis, which will allow the speed with which those protocols take place at the same pace as we can do today with single center protocols.

My third point concerns the proposed medical confidentiality regulations. And until we are able to secure enactment of federal legislation, we need to ensure that the pending medical confidentiality regulations strike the same balance as laid out in the chairman's mark of last year. But unfortunately, in some ways, they do not. And I would just like to share two specific examples.

We are concerned that, in the effort to de-identify medical information, we may not be able to collect the data that is actually needed for the proper conduct of clinical research and, moreover, the proper reporting of some of that data to the FDA. Study protocols, such as those that we and other organizations conduct, require patients to fulfill very tight eligibility criteria. These include, for example, the age of the subject. This is particularly important.

For example, we may want to exclude some patients who would be at greater risk of that protocol, like the elderly or the young. They often -- and almost always, in fact -- specify very specific types of disease or subsets of a disease. And the reporting of adverse events associated with clinical protocols also requires that we give information, for example, on the patient's date of birth.

And if you would give me the opportunity just to get up and show you something, I'd like to show you the types of information that we collect in these clinical research protocols. I hope you can hear with the microphone, but what I've got here are a couple of representative pages from something -- a document that is usually used in the industry and called a CDF or clinical data file.

SEN. JEFFORDS: I have it here, so I can --

DR. HOROBIN: Okay. Okay. But I wanted to show you is the type of information that is routinely collected. Now the actual document for any given study would be many, many pages. I've just got two representative pages here, the first couple of pages. We do, indeed, collect information on the patient's date of birth. And as I said, that's important for eligibility.

But also, and very importantly, one of the things we ask first of all is has this patient given informed consent to participate in this clinical study and to have information about their progress in this clinical study reported? And that has to be recorded right up front in this document. We ask other things which are relevant to the particular study. Is the patient a smoker? Do they have a history of certain diseases? And as you can see, there is a lot of information here, which is of a general nature, about the patient's general background.

I don't think though, as a physician, I would find it very easy to identify an individual patient from the sort of information we've collected here. Even if we have the patient's permission, it is really very difficult for us to identify who this patient is at the time that these records are collated for clinical database purposes. So I hope that helps people understand what sort of information we're trying to collect.

And the second point I'd like to make is that the proposed regulation also extends the common rule to potentially non-interventional medical research -- for example, the review of medical records. And this may not seem, at first, anything of great concern. But it is of concern to us. For example, at my company, EntreMed, we're developing new ways of treating cancer. That means we need to ask new questions in new ways, particularly as we're developing different types of cancer treatments. And therefore, the old ways of developing cancer drugs may not apply.

For example, with one of our new compounds, investigators wanted to test one of our drugs immediately in breast cancer. This required that they do a search of medical records to see whether or not that protocol would be feasible. The proposed ruling on medical information privacy would have taken potentially a few months to -- for that to happen, if additional IRB approval had been required. We did not need to do that in the current situation. And so we did not need to extend the potential period of drug development for that drug by another three months or so.

Three months may not seem a lot to you. But if you look at it in the way that we look at it, three months can actually be a very long time. Many of the patients in the protocols that we are treating have less than a year to live. Every day, in the U.S. alone, 1,500 patients die from cancer. In three months, that would be about 150,000 patients. So three months can, indeed, be a significant period in the overall time of the drug's development.

So, to conclude, BIO and my company believe that patient privacy is, indeed, a very important issue. And patients have a right to appropriate confidentiality. But as you put in place necessary -- and, indeed, very appropriate -- legislation, which we in the biotech industry support wholeheartedly, we want you to ensure that it is done in a balanced way that is sensitive to the needs to bring breakthrough drugs to patients safely, ethically and -- above all -- quickly.

Thank you very much for the opportunity to testify.

SEN. JEFFORDS: Well, thank you for your testimony. Mr. Kahn?

MR. CHARLES KAHN, III: Thank you, Mr. Chairman. And I appreciate the opportunity to testify here today to discuss the proposed rules issued by the secretary of health and human services on the confidentiality of medical information, as well as how best to protect the confidentiality of medical information for individual Americans.

Despite the secretary's diligent work, the regulations have flaws. Certain of these flaws can be fixed in the regulatory process, but others are unavoidable and point to the need, as envisioned by the framers of the Health Insurance Portability and Accountability Act, for the Congress to legislate the rules to protect the confidentiality of our personal medical information.

Today, I will focus on four areas which highlight why federal legislation is necessary, as well as what should be revised in the secretary's regulation: uniformity, consistency, reach for enforcement and healthcare quality.

First, uniformity -- lacking the authority to preempt state laws, the secretary's regulations alone cannot achieve uniformity. It will take a new federal law to provide uniform national protection with increasingly conflicting state and federal laws. The use of health information for billing, claims payment, quality improvement, as well as other core functions for insurers, are increasingly carried out across state lines, through electronic data systems. Inconsistency between state and federal laws and correspondingly high compliance cost for meeting this multitude of requirements will impede my industry's ability to operate more effectively for the consumer.

But beyond cost, inconsistency can not only lead to confusion for consumers, but could adversely affect their medical care. Consistency -- congressional action is also needed to bring greater rationality to the expanding number of federal confidentiality requirements. Confidentiality rules must be consistent across the laws regulating insurance products. Overlapping federal confidentiality requirements being considered in different legislation and regulatory arenas may give rise to an irrational system of protection that will have inconsistent requirements and possibly conflicting requirements.

For example, the confidentiality rules in the recently enacted Gramm-Leach-Bliley Act overlap in significant ways with the secretary's proposed confidentiality regulations. And even the administration of the new financial services law is likely to be problematic, since HHS is not among the federal agencies with jurisdiction over Gramm-Leach-Bliley, but obviously, still controls the HIPAA rules regarding confidentiality.

Reach -- I must say, in the area of reach, we take a different view than the General Accounting Office. We believe the proposed HHS confidentiality regulations overstep regulatory authority provided by HIPAA. HIPAA does not give the secretary the authority to hold all of those who may be responsible for confidentiality breaches responsible for their actions. This is a flaw that calls for congressional authority and means for enforcement. But the secretary has chosen to make medical providers, health plans or insurers and employers responsible for business partners, who are not otherwise covered by HIPAA, yet handle medical information.

This requirement, that is not mentioned in or implied in HIPAA, would compel insurers, for example, to renegotiate hundreds of thousands of contracts with those it has business arrangements and accept new responsibilities for the operations of their contractors. This would not only be disruptive to consumers but, most importantly, would place the covered entities, like insurers, in the role of the policeman for the government.

Not only do the secretary's regulations pass on the responsibility for enforcement of its rules for uncovered entities to such as insurers, but also it makes the covered entities liable in court for the breaches to the regulations by those uncovered entities. The proposed regulations establish a private contract right of action, allowing individuals to sue for breaches of confidentiality. This new private right of action is in no way -- is no way to enforce compliance and will increase the cost of care to all of us. Regardless of one's view on the merits of increased litigation, it is clear that public policy change of this magnitude should receive a thorough congressional airing, rather than being achieved through the back door of regulation.

Quality -- finally, we are concerned that the proposed regulations do not yet achieve the right balance between protecting confidentiality and ensuring high quality care. We applaud the secretary for recognizing the importance of allowing health plans and providers to share information for certain healthcare operation that support patient treatment and claims payment. However, the final rules should also recognize the importance of sharing information to carry out, through these management programs, any fraud initiative and patient safety activity. Some of the narrow standards in the proposed rules could, in practice, have a chilling effect on these important functions.

Once again, let me thank you for the opportunity to testify today. And I'll be happy to answer any questions you may have on the topic.

SEN. JEFFORDS: Thank you, Mr. Kahn. Ms. Goldman?

MS. JANLORI GOLDMAN: Good afternoon, Mr. Chairman. Thank you very much for inviting us to testify today. I started the Health Privacy Project at Georgetown University a few years ago to try to fill a gap, both in public policy and in public understanding, of an issue that we believe directly affects the quality of care that people get in this country and their access to care. What we've tried to do in the project is to also fill gaps in what we know and what we understand, so that we're not just talking about anecdotes, that we're not overreacting to situations.

We've issued a number of reports in the last few years. We brought together a diverse working group of stakeholders from health plans and provider groups and disability rights groups to develop best principles for health privacy. We did an exhaustive study of state confidentiality statutes in this area. We have a state-by-state report that's available, as well. We have looked at the privacy of health web sites. And we convened a consumer coalition for health privacy, which is made up of the major disability rights and consumer groups in this country.

Our mission, again, is to look at the impact of the lack of privacy in healthcare. And we have participated in a number of surveys and studies that show empirically that the lack of confidentiality is providing -- is creating great anxiety in the public, that people are afraid to fully share information with their doctors. They leave out information or they lie or they go from doctor to doctor, as a way of trying to keep their information separate. Or, in the worst case scenario, they avoid care altogether. They're concerned both about the development of electronic record systems and the rise of managed care that's consolidating information. And we are seeing, again, escalated media coverage about privacy abuses.

The comment was made earlier about discrimination. And I think it's really important to recognize, in this area, that once we have privacy protections in place, we will provide a first line of defense against discrimination.

(Those without ?) any reason to see medical information won't be able to even get it, and therefore you won't have to worry about discrimination in as many areas as you worry about now. We know that lack of privacy is the number one barrier to people getting genetic testing and counseling and that it also affects whether they participate in research.

So, we also see that it affects the quality of care individuals get because we can't accurately diagnose and treat people if they are not fully sharing information with their doctors, but then downstream that information that's used for research and public health will also be compromised and also be unreliable.

Now, Congress did recognize that this is an important issue. And in HIPAA in 1996 you imposed a deadline on yourselves to enact comprehensive legislation. And, this committee held a number of hearings and introduced bills, other committees in Congress did as well. It's not for lack of effort, I think, that Congress didn't act. I think that the issue is complicated and we just had a lot of trouble reaching common ground in a way that allowed us to move forward.

The secretary did live up to her obligation to release proposed rules. In the comment period that was allowed after the proposed rules were released, you probably heard about 52,000 comments were received. Over half of those comments came from the consumer disability rights and patient advocacy groups that were very strong in saying not only that this regulation was narrow, and probably too narrow to really satisfy health privacy concerns generally, but that it should be strengthened as well. And my testimony will address those issues.

And, I was very pleased to see in GAO's statement today that they believe that the secretary was within her authority, her legislative delegated authority, in the proposal that she announced.

I want to say in response to an earlier comment also that the proposed regulation is a vital, even if it's an intermediary, step. But, it should go forward. It should be finalized. The absence of any federal law in this area I think has really created havoc both in the states and in the general public.

I want to focus on two areas in terms of the proposed rule. One is that due to the legal constraints imposed on the secretary under HIPAA, the scope of the proposal is, I think, very narrow. And, there are some awkward construction, such as the business partners arrangement, that is there as a necessity to try to make this a workable proposal. The second thing is that there are some weaknesses in the proposal.

Let's look first at the major gaps in her proposal. It explicitly will cover, at least in the proposal, electronic records, not paper. I think you've heard uniformly today that the distinction is absurd. It's unworkable. I think that GAO did say that she does have the authority to cover paper records as well and I think that she should. It would be, I think, very tragic if this was a disincentive to create electronic records because people thought they could evade the scope of the regulation if they kept information in paper form.

The second gap is that the secretary can only regulate three entities directly; the plans, the providers and the health clearinghouse. Again, this is a constraint from HIPAA. And, the business partner arrangement is there because without that the secretary could have said to those three covered entities, you may not disclose information at all outside of the covered entities. She could say to providers in plans, you collect the information and this is how you can use it internally and you may not disclose.

But, I think she realized that's not workable in today's health care environment. And, she'll need it to allow the information to be disclosed, but with some limitations and with some requirements.

The third, I think, major gap is the remedy section, that it is narrow. It is stingy. That even if there is in the business contract requirement something that says individuals shall be third party beneficiaries, that is not, I think, an explicit private right of action. It's certainly not a federal private right of action, and people I think will have a very difficult time if their rights are violated bringing an action in court. And so, we have very weak enforcement of this rule.

I would say certainly the second two gaps, the scope of coverage and the remedy, will need congressional action. There is still a very significant role for Congress to play here.

Let me run through the major provisions of the proposal very quickly. Overall, it does create an incentive to identify information. Not a requirement, but an incentive because then you're outside the scope of the regulation. It requires that people be given notice about how their information will be used, which is the only way they can make informed choices. It gives them a right to see and copy their own medical information which is not guaranteed now in most of the states. And, it requires authorization for some patients in many instances.

We believe that you should have to get authorization even for treatment payment and health care operations recognizing that this might not be a meaningful authorization, but just signing on that line, which people do now, as that is the status quo, that people sign these waivers. That they should have to sign something that says I read the notice. I signed it. I understand how my information is going to be used. Again, it's not a bar to be using the information. It's a procedural protection.

In research, the secretary says regardless of the source of funding, private funded or publicly funded research, should be protected and should follow the same rules. And, I think that many in the research community agree with that, that that is the gold standard that is followed now by the major researchers in this country.

Law enforcement, her proposal I think was very disappointing and didn't really make much progress from the 1997 recommendations which drew fire in this committee and in the public as well. We think it should be strengthened and there should be a warrant requirement, or some kind of legal process requirement.

Preemption, I want to say very quickly, I think that there's been a lot of overreacting today on the preemption issue. Our state report shows that there are no comprehensive strong laws at the state level. And so, right now, health care industries, health care organizations, have to comply with those 50 different laws that are all over the books, that are widely divergent, that are for the most part not comprehensive but are very, very different laws. And so, any floor that Congress sets, or that the administration sets, will raise that bar and create substantial uniformity.

And as Senator Murray said, there are state laws that are very specific on mental health, on communicable disease, adoption, custody, neglect, I could go on. And, those are areas where the federal government has not even begun to regulate. If we were to preempt those laws, I think we would do serious damage. But, again, any floor will be cost effective and create substantial uniformity.

Congress has set the wheels in motion for this regulatory process that's before us today. And while this has been a tough issue with differing interests, I think that the secretary has fulfilled her duty under HIPAA and has taken us part of the way. The rules should be finalized and we appeal to Congress to finish the job to fill those gaps, to strengthen the weak sections in the proposal and to create a uniform and comprehensive federal rule on medical privacy. Thank you very much.

SEN. JEFFORDS: Thank you. Dr. Horobin, this committee has been interested in tackling the issue of medical errors, and specifically towards reducing adverse drug effects. Could you briefly comment on how the proposed rule may affect companies' abilities to study adverse drug effects?

DR. HOROBIN: Well, the one thing that we noticed is that, data first for example, and some other pieces of information, may be the subject of de-identification. Well, one of the things we absolutely have to provide when we provide information to the FDA on adverse drug events is exactly the data first. And certainly, when one is trying to look at an individual study and a set of trends, or an individual drug and a set of trends, which would help us understand adverse drug effects, information like that is very valuable and we would, I think, find it more difficult to do our job appropriately without some of that information.

SEN. JEFFORDS: As you have noted, the definition of non-identifiable health information is very important in doing research. Could you briefly outline instances in which a researcher would need to match identifiers to the anonymous information and how that may typically take place?

DR. HOROBIN: The type of situation where that needs to take place is where there may be some discrepancy on the information that we have received or that the organization that's doing clinical research for us has received and they need to go back to the individual physician and check that information out.

But, even in that situation, there is really no need to provide specific information about the patient and who that patient is, but simply to clarify and to correlate information that we've collected with information that exists with the primary medical record. So, there is certainly a need to check and correlate, but there is not a need to actually provide that personal information to the sponsoring drug company.

SEN. JEFFORDS: Mr. Kahn, one of the things that my legislation allowed for is the right for individuals to access their own medical records. Can you describe a typical routing of a medical record when requested by an individual? For instance, would I have to contact separate doctors' offices, hospitals or health plans to obtain my records?

MR. KAHN: Well, currently, it is the case that those records are kept in very different places. And as I think was pointed out in the previous panel, there isn't really, or there are very few cases of a true electronic medical record. We still have records that are kept in file drawers in most doctors' offices or at hospitals. And though we have with those records opportunities for them where they cross the system.

For example, a lot of claims are submitted to insurance companies in paper. Then, the insurance company scans it in the computer and now all of a sudden it is now an electronic record even though it was a paper claim that was received from a physician.

So, I believe under current circumstances in answering your question, a patient is going to have to go individually back to all of the different providers because even an insurer or a health plan, depending on what kind of health plan it is, will not necessarily have all the records that an individual may have for their medical treatment.

SEN. JEFFORDS: Has your organization done any estimates on what it would cost your industry to comply with the proposed regulation?

MR. KAHN: There have been some estimates done. HIAA have not. Blue Cross Blue Shield Association has done an estimate and they think that the total cost of compliance here for the health care system would be somewhere in the $40 billion over 10 years rather than I think the $3.8 or $4 billion that the secretary has in the reg. I think the secretary admits in the reg that there are vast areas that were not part of her estimate, particularly in this area of policing of business partners through contracts, which would have to be renegotiated in other kinds of systems and personnel would have to be added to make sure that contractors were living up to whatever requirements they are covered and were living up to.

I would say that, if I had to guess, that the cost will be somewhere closer to the Blue Cross estimate than to the secretary's estimate simply by looking at the areas the secretary left out.

SEN. JEFFORDS: Dr. Horobin, do you have a comment?

DR. HOROBIN: No.

SEN. JEFFORDS: No? Okay. Miss Goldman, I know that traditionally you have advocated for a federal floor rather than a ceiling when it comes to preempting state laws. However, would you agree that the inconsistency in state law can contribute to the entity's confusion as to the laws they must comply?

MS. GOLDMAN: Well, they might be confused initially, but there is no federal privacy statute right now in any other area that preempts stronger state law. And so, when the Congress passes a law, those entities that are regulated, whether they're banks, or telephone companies, or credit reporting companies, all of which are now regulated under federal privacy statutes, get their lawyers together and they figure out what's the law that now applies. There are state laws. There's a new federal law. What falls under the floor as being weaker and what are the stronger requirements we have to comply with.

In the wire tap law right now, one-third of the states have stronger requirements, stronger privacy requirements and the states comply with those. So, I think it's not unusual that that would happen. My overall point was that it will simplify the work of the health plans, and the providers, the hospitals. Because right now there is no federal floor under which those weaker state laws would fall out. So, right now, they have 50 different laws. I think that's got to be more difficult, and more complicated and more costly than having something that is uniform and allowing those specific stronger laws in the states to stand.

SEN. JEFFORDS: Well, the GAO indicated that many of the comments from various disability groups stated that the definitions of treatment, payment and health care operations were too broad, yet they didn't include disease management. Assuming that the activities included in disease management are important to the people with disabilities, do you think entities should have access to health information to perform those duties?

MS. GOLDMAN: It's an important question, Mr. Chairman. I think the reason that our organization, and disability rights, and consumer groups are concerned about the definition of treatment payment in health care operations is because in the proposal there is an exception to authorization for using information for those purposes. There's no authorization required.

And so, our groups are very concerned that it be a very narrow definition that directly ties the uses of the information to the treatment and payment of that individual's care. That's our concern. Now, you know, there is no set definition of disease management as I've heard it. If we polled people in this room, I think we'd hear 50 different definitions of disease management.

If the information is being used in a way to directly benefit the individual, if it's part of their treatment, their payment, their health care operation, then I think it should fit within that first tier. Although, again, we do advocate for there being authorization for that.

SEN. JEFFORDS: I want to thank you all. We've gone a little bit over our intended time, but this has been extremely helpful. And, we reserve the right to keep bugging you. (Laughter.) So, don't relax. I'm sure we'll have some more questions for you as we go on. It was a pleasure to be with you all today. Thank you very much.



END

LOAD-DATE: April 28, 2000



