On behalf of the American Medical Association (AMA), I want to thank the Subcommittee for inviting the AMA to testify on the issue of consent. We appreciate the time and energy that the Subcommittee is devoting to an in-depth examination of the issues surrounding the consent requirement and other important issues regarding implementation of the regulation "Standards For Privacy Of Individually Identifiable Health Information" (the "Privacy Rule"). The AMA's concerns with implementation of the consent requirement are set forth below.
The AMA is both pleased and disappointed with the consent requirement in the Privacy Rule. We are pleased that the Privacy Rule will require health care providers(1) that have a direct treatment relationship with patients to obtain consent prior to using or disclosing individually identifiable health information to carry out treatment, payment or health care operations. This requirement is consistent with the AMA's core philosophy regarding individual privacy rights.
AMA policy states that valid consent should be obtained, where possible, before personally identifiable health information is used for any purpose. However, this is clearly not practical or even possible in some instances. In situations in which obtaining patient consent is impractical or impossible, either the information should have identifying information stripped from it or an objective, publicly-accountable entity must conclude that patient consent is not required after weighing the risks and benefits of the proposed use.
The AMA strongly supports this policy and considers patient autonomy to be a fundamental element of medical ethics. When confidential health information is used or disclosed without the approval of the patient, control of sensitive health information and patient autonomy have been taken away and trust in the health care system is lost.
Unfortunately, the Privacy Rule does not require health plans to obtain consent for payment or health care operations (with the exception of psychotherapy notes). The preamble to the Privacy Rule explains that the rationale underlying consent does not apply to health plans. We believe this is completely misguided.
Since the Privacy Rule was issued, a debate has ensued over whether written consent should be required for treatment, payment and health care operations. The AMA believes that the requirement to obtain consent before any use or disclosure of individually identifiable health information honors the rights of the individual and the primacy of patient consent. To truly obtain consent means to inform the patient of the privacy practices of a provider or plan and to provide the patient with a choice. Mere notification of an entity's privacy practices does not rise to the level of respecting the autonomy of the patient.
Requiring providers to obtain consent also creates an incentive to de-identify health information. If de-identification is not practical or possible, and consent cannot be obtained, the AMA believes that an accountable entity, such as an IRB or privacy board, should evaluate the true need for the patient's identifiable information and weigh the proposed benefits from disclosure against the potential risk to patients.
Many health care providers that will be required under the Privacy Rule to obtain consent are now trying to have the requirement retracted. They claim it is "unworkable." The AMA acknowledges that some aspects of the consent requirement as written in the Privacy Rule would be unworkable. However, this is no reason to remove the requirement altogether or to make it optional. Just as the rule accommodates health care providers who have an indirect relationship with patients and health care clearinghouses that never see patients, the rule can and should be modified to accommodate other circumstances.
The AMA does not intend for its consent policy to compromise patient care or the health care system. We believe that a consent requirement that accommodates the needs of patient care and is workable for providers is preferable to abdicating the principle of patient autonomy in the name of convenience.
We note that the Department of Health and Human Services (HHS) in drafting the consent requirement attempted both to minimize potential burdens and to make it workable. We are encouraged that HHS acknowledges in the recently issued guidance materials ("Guidance") that some aspects of the consent requirement will require modifications and has committed to formal rulemaking to make such modifications. HHS also stated that it continues to review comments it received on the Privacy Rule as it makes those modifications. The AMA urges HHS to consider all suggested modifications that will improve the workability and reduce unintended consequences of the consent requirement.
The AMA offers the following suggestions to ease the burden of implementation of the consent requirement:
Physicians, hospitals and pharmacies that have contact with patients may not always have an opportunity to obtain patient consent as required by the Privacy Rule before some uses or disclosures for treatment, payment or health care operations are necessary. We are pleased that the Guidance states that HHS intends to modify the rule to ensure this flexibility, but it only refers to first time referrals. Patients may need to describe symptoms over the telephone, schedule an appointment, or ask for advice from a new or current treating physician before they have signed a consent form to allow use of their health information. There are many instances when health information must be shared prior to completing paperwork and these necessary uses and disclosures, typically initiated by the patient, should be accommodated.
We are very encouraged that the Guidance states: "[u]nder the transition provisions, if prior to the compliance date, a provider obtained consent for the use or disclosure of health information for any one of the TPO [treatment, payment, health care operations] purposes, the provider may use the health information collected pursuant to that consent for all three purposes after the compliance date." However, the Guidance does not state that HHS will clarify this in a formal modification to the regulation. The AMA believes that the text of the regulation as it is today is subject to differing interpretations and would strongly urge a formal clarification in the modification of the regulation.
In addition, in many instances, written consent is not required under current law in order for physicians to use protected health information for TPO purposes. Thus, many physicians would not have a written consent on file for their patients. The AMA would urge HHS to treat all covered entities in the same manner with respect to this issue. The Guidance states: "[h]ealth plans and health care clearinghouses are not required to have express legal permission from individuals to use or disclose health information obtained prior to the compliance date for their own TPO purposes." If a health care provider was able to legally use protected health information without written consent prior to the compliance date, the health care provider should not be precluded from using such information or penalized.
A physician who is otherwise protecting a patient's health information and fails to meet these standards through inadvertent error, impossibility or to avoid harm to the patient should not be subject to penalties. Some patients understand that their physician can only promise to do his or her "best" to restrict information, such as to attempt to limit access by certain office personnel. Yet as written, the Privacy Rule would discourage such "loose" agreements. Because a physician would be violating the rule if he or she did not adhere to an agreed upon restriction, physicians that currently agree to such requests in good faith may no longer do so. With a good faith standard, health care providers will be more likely to agree to such requests and patient expectations will be more realistic.
The right to revoke consent should also be qualified with a good faith standard. A revocation is not effective to the extent a health care provider has acted in reliance on the consent of the patient. The Guidance clarifies that such a revocation would not interfere with billing or reimbursement because a health care provider obtained consent and provided services with the expectation that he or she could bill for the services. This clarification is helpful. However, to "act in reliance" is subject to interpretation. Physicians and other health care providers use information consistent with consent for many purposes. There may be circumstances, such as when a third party has already been provided access to such information, which would make it very difficult to track down, retrieve, or remove one patient's information from the general flow of all such information. We believe that a good faith standard would significantly reduce for health care providers the burdens associated with compliance with a revocation of consent.
As mentioned previously, some health care providers believe that the consent requirement for treatment, payment and health care operations should be removed or should be optional. They state that health care providers should not be required to obtain patient consent to use or disclose individually identifiable health information for these purposes because they are "routine." However, this argument is clearly disingenuous. Many uses and disclosures allowed under the definition of "health care operations" are anything but routine.
When patients seek health care they are generally aware that their information will be used and disclosed for treatment and to some degree for general administrative and payment purposes. Indeed, these activities fall under the definitions of treatment, payment and health care operations. However, most patients do not imagine that their information will be used or disclosed for many other activities allowed under "health care operations" such as marketing or disease management. Many of these activities are not critical nor are they necessary for covered entities to operate their business.
In addition, many of the functions included in the definition of healthcare operations can be and are routinely conducted with de-identified information. It is the non-routine, non-critical activities that have made their way into the definition of healthcare operations that make the most compelling case for requiring patient consent in the first place. Therefore, the current definition must be narrowed to only include necessary and critical business operations, especially if some covered entities are not even required to obtain consent.
It is especially troublesome that health plans are omitted from the consent requirement given the overly broad definition of "health care operations." What is even more serious is that health plans obtain patient identifiable information from health care providers under the auspices of payment for patient care services. Thus, health plans have access to sensitive patient information, without consent of the patient, that they use or disclose for any purpose they choose. The AMA strenuously objects to allowing health plans to use or disclose protected health information without patient consent for non-billing, non-payment purposes and non-routine, non-critical health care operations.
The AMA believes it is appropriate for health care providers to condition treatment or health plans to condition enrollment on a patient's consent to use or disclose their protected health information, but only when the use or disclosure will be made for routine and necessary purposes. It is not acceptable to condition treatment or enrollment on a patient's consent to use or disclose such information for non-routine, non-critical purposes, especially when de-identified information is a reasonable alternative. A broad definition of "health care operations" that includes non-routine and non-critical activities will have the effect of coercing patients to consent to uses or disclosures of their personal health information for many activities that should be optional. A broad definition would also decrease any incentive to utilize de-identified information.
It is worth noting the breadth of the scope of the activities that fall within the definition of "health care operations." The definition of health care operations allows activities such as "population based activities related to improving health or reducing health care costs," and "related functions that do not include treatment." In addition, the inclusion of "business planning and development," and "business management and general administrative activities" in the definition of healthcare operations permits even more indefinite and unlimited uses. The definition also includes "quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies." This latter category allows health plans to conduct research that falls outside the purview of an IRB without the consent of the patient. The definition of health care operations should be qualified to ensure that only critical and necessary activities are included under the broad categories in the definition.
Disease management and marketing activities are also permitted under the definition of health care operations. Clearly, there are opportunities for disease management and marketing programs to assist patients. But patients should have the right to consent to - or refuse - participation in disease management programs. In addition, consider the breadth of the definition of disease management. In fact, the Guidance admits that the definition of disease management is fact specific. This creates further ambiguity that does not favor the patient's privacy rights. It is clear that a patient's enrollment in a health plan or treatment by a provider should not be affected by his or her decision to decline participation in marketing or disease management programs. Thus, disease management and marketing should not be included in the definition of healthcare operations.
The AMA believes that covered entities should be required to obtain authorization for non-routine, non-critical uses and disclosures of protected health information separate and apart from the consent required under the Privacy Rule. These uses and disclosures should not be lumped into consent for necessary treatment, payment and health care operations. This is particularly important in situations where consent is not even required. Patients should have the opportunity to agree to or to refuse non-routine, non-critical uses and disclosures of their protected health information.
At an absolute minimum, non-routine, non-critical uses and disclosures permitted under payment and health care operations should be undertaken with de-identified information. However, as long as an entity is permitted to use individually identifiable health information for any purpose, sometimes without patient consent, the incentive to de-identify is removed entirely.
Sweeping these non-routine, non-critical uses and disclosures into consent under the definition of health care operations is especially troubling if the consent requirement for treatment, payment and health care operations is removed from the Privacy Rule. If the requirement to obtain consent is removed from the regulation, there is even more of an urgency to narrow the definition of health care operations. Otherwise, for all the activities that we discussed above, providers, health plans and third parties would have full and complete access to sensitive health information without the patient's consent or control. To remove the consent requirement for treatment, payment and health care operations, without narrowing of the definitions would fly in the face of patient privacy and autonomy, merely for the convenience of the provider.
The argument that obtaining consent is "unworkable" is equally invalid for health plans as it is for providers. There is no credible justification for HHS to omit health plans from this requirement. It makes sense that consent is optional for health care providers or clearinghouses that have an indirect relationship with patients mainly because they do not have contact with patients and typically other requirements are in place to protect the privacy of the patient's health information.
However, most health plans do have contact with patients through the enrollment process. Most health plans require signed paperwork by enrollees and the Privacy Rule requires that they provide a notice of privacy practices to enrollees. Therefore, a consent form can easily be included in an enrollment package or accompany the notice of privacy practices. Patients would submit this documentation upon enrollment. It is our view that, similar to the burden that a consent requirement puts on providers, the health plan should recognize the patient's right to privacy of their health information and the patient's right to control such information.
The AMA urges HHS to incorporate all possible improvements to the consent requirement so that it will not impede patient care or health care delivery. To this end, the rule should allow reasonable and limited uses or disclosures to carry out treatment, payment or health care operations before obtaining patient consent. In addition, uses and disclosures of protected health information created or received prior to the compliance date of the Privacy Rule should be allowed to continue as was legally permitted prior to the effective date of the Privacy Rule, without regard to the content or existence of a written consent.
Moreover, to further protect patient privacy, the definition of health care operations should be narrowed so that patients will not be forced to consent to non-routine, non-critical uses of their confidential information, especially when de-identified information could be used as an alternative. Thus, authorization should be required for non-routine, non-critical uses and disclosures of protected health information. Narrowing the definition of health care operations is particularly important when considering uses and disclosures by health plans that are permitted without patient consent. One solution would be to require health plans to obtain patient consent for payment and health care operations. The AMA strongly believes that this definition must be narrowed, especially if HHS removes or weakens the consent requirement.
It is our hope that these solutions will be implemented to resolve the issues that surround providing consent to use and disclosure of health information in a manner that is consistent with AMA policy.
(1) The Privacy Rule defines health care providers very broadly to include physicians as well as any providers of services, and providers of medical and health services (as defined in Section 1861 of the Social Security Act, 42 U.S.C. 1395x) and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.