This Transcript is Unedited
Room 705A
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201
SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY
MEMBERS
STAFF
AGENDA ITEM: Call to Order, Introductions and Opening Remarks – MARK ROTHSTEIN, Chair
MR. ROTHSTEIN: Good morning. My name is Mark Rothstein, and I am Director of the Institute for Bioethics Health Policy and Law at the University of Louisville School of Medicine and Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.
The NCVHS is a Federal advisory committee consisting of private citizens which makes recommendations to the Secretary of HHS on matters of health information policy. On behalf of the Subcommittee and staff, I want to welcome you to today's hearing, which will be divided between Radio Frequency Identification in the morning and Decedent Archival Health Information in the afternoon.
Tomorrow's hearing will address third party access to, and use of, health information.
We are being broadcast live on the Internet, and I want to welcome our Internet listeners.
As is our custom, we'll begin with introductions of the members of the Subcommittee, staff, witnesses and guests. We invite members of the Subcommittee to disclose any conflicts of interest they may have on today's issues. I will begin by noting that I have no conflicts of interest.
[Introductions. No conflicts of interest noted.]
MR. ROTHSTEIN: Thank you, and welcome to all of you.
This afternoon at 3:15, members of the public may testify for up to five minutes on issues related to today's topic or tomorrow's topic, because it will be the only public comment period during our two-day hearings. If you're interested in testifying, please sign up at the registration table.
Witnesses have been asked to limit their initial remarks to 10 to 15 minutes. After all the witnesses on a panel have testified, we will have time for questions and answers. Witnesses may submit additional written testimony to Marietta Squires within two weeks of the hearing.
I would ask that witnesses and guests turn off their cell phones and other audible electronic devices. You can leave your passive devices on, if you'd like.
Also, during the hearing, if we all speak clearly into the microphones, it will make it easier for people listening on the Internet.
So I want to welcome the members of the first panel and I would ask Dr. Waxman to please begin.
AGENDA ITEM: Panel 1 – Radio Frequency Identification Presentation – DR. BRUCE WAXMAN
DR. WAXMAN: Good morning, and may it please the Committee. I'm Bruce Waxman. I'm a Board-certified orthopedic surgeon practicing with the Palm Beach Orthopaedic Institute in Palm Beach Gardens, Florida, which is a 13-person orthopedic group. I'm also the Chairman and President of SURGICHIP, Incorporated and the inventor of SURGICHIP.
I received my medical degree from Columbia University and trained in orthopedic surgery at Harvard University.
I spent two years in the Air Force after being drafted, and I was Chief of Orthopedics at Tyndall Air Force Base in Panama City, Florida.
From 1976 until the present, I have practiced private orthopedic surgery, specializing in total hip replacement, total knee replacement, and arthroscopic surgery. During the last year, I have not performed surgery, but I've maintained an active practice of office orthopedics with my group.
Shortly after graduation from medical school, I became acquainted with the problem of wrong-site surgery. I assumed the care of an elderly gentleman who had a hip fracture and they operated on the wrong side. After a series of medical complications, the patient eventually died without ever having his hip pinned.
When I went into private practice, an eager scrub nurse prepped and draped the wrong knee for surgery. I usually prep and drape my own patients. Fortunately, I noticed the error and didn't perform the wrong-site surgery, but I did not forget the incident.
In 1991, I began to sign "yes" on my operative sites. Shortly thereafter, the hospital recommended that everybody sign the operative sign.
Still, mistakes were made. One of the surgeons mistook the first for the second patient that he was going to operate on, and despite the fact that he operated through a "yes" and on the proper site, he did the wrong procedure.
This type of error has reached national attention now, not because it's common – it is actually very rare – but because it's so devastating when it occurs.
The Joint Commission on Accreditation of Healthcare Organizations in July, 2004, recommended what they call the "universal protocol," and that entails having the surgeon sign the site with either a "yes" or his initials, his or her initials, and then the surgical team must have a time-out during which the surgical site is reviewed, the name tag is reviewed on the patient, and the operative consent is reviewed.
And that's a great idea. Unfortunately, just because you tell people to do things does not mean they will do it, and sometimes it's forgotten. Mistakes are still being made. The Joint Commission is still reporting approximately five to eight cases per month, or about 60 to 100 cases per year, in the United States, and they state that it's underreported. And I believe they're right.
Recently, I developed a system to hopefully cut down on the frequency of these errors. The idea is to put the patient's name, the procedure, and the operative site right on the incision. It's less likely that people will forget to check if there's actually a tag, or a marker, right on the incision, and it's also less likely that the information will be wrong. In other words, a hospital chart can be switched by accident by picking up the wrong chart in transit, whereas if a tag is stuck right on the incision site, it's less likely that that will happen.
Initially, I thought of the possibility of just writing out the information, but that has the limitation first of all that it's handwriting and can be misread, and second of all, there's not room on a reasonable size tag to write the name of many operative procedures, for instance, arthroscopic anterior cruciate ligament reconstruction with patellar tendon allograft, a very common procedure. It can't fit on a tag, unless you make a very large tag, which is impractical because on a small area like the hand or the foot, and on children, the tag would be so big that it would catch on other areas and pull off and it would also obscure the "yes."
So I decided that either a bar code or RFID might solve the problem for me.
Bar code has three limitations that I saw. First, you cannot actually program a bar; it's there, and if you want to verify that the information has been read as correct and put it on the tag, which I thought was important, it cannot be done to a bar code.
Second of all, bar code is line of sight, which requires that the bars be on the front of the tag, and therefore you don't have room to put the name and the site, which I think is important so that the chip is put on the right area. Again, you could use a very large tag, but that's impractical.
Third of all, the bar code is very frequently used in a hospital and bar code readers are ubiquitous. Even the new three-dimensional bar code readers are very ubiquitous in a hospital and the RFID readers are not, and I thought that that would lend itself more toward people trying to invade the privacy of the patient since they're very familiar with these instruments.
So I chose RFID, and invented SURGICHIP. SURGICHIP is a new use of pre-existing technology in order
to help prevent wrong site, wrong person, wrong procedure surgery. The chip is encoded by a health care personnel with the patient there to verify that the information going on the chip is correct. They verify it several times.
The chip is then sent to the operating room. When the patient returns after the pre-operative visit for the surgery, again the chip is checked by reading with a hand-held reader, this time to make sure that it's accurate, and the patient is wide awake when that's done.
The chip is then put on, and I encourage the patients to put it on themselves. The Joint Commission is encouraging the patients to do this, to take part, because they're the ones that know where the surgery is. It's much less likely that you as a patient are going to put a chip on your elbow when you know it's your knee that's going to be operated on than the nurse who's never met you before who could possibly put it in the wrong place.
The chip then stays on, is taken to the operating room with you, and then is read by the surgeon. If the information on the chip, which the surgeon has confidence now that you've checked and double-checked, if the surgeon agrees with what's to be done, he or she will remove the tag and proceed with the surgery.
The tag is put in the chart and becomes part of the hospital record. It's not used on another patient.
I think I'll show you some slides. This is a picture of the tag. This shows the tag in place. Again, SURGICHIP is used in addition to the Joint Commission universal protocol; it's not used instead of – it's an additional safeguard.
That shows you the back of the tag, which has a transponder and an antenna.
This is the SURGICHIP software that the nurse in the pre-operative outpatient area uses. It's password-protected.
This is the SURGICHIP software in use, showing name of the site, whether it's right, left, or bilateral; the doctor's name; the procedure, if they drop down – it's actually very easy for the nurse to program it – the date of surgery.
And this shows just that it prompts you to verify that the information is correct. The patient actually is right there. Of if you do it by telephone – if you do it in the office, the patient is there; you read it to them, and they affirm that it's correct.
This is the printer that prints out the tag. It prints the name and the site and it also encodes the chip at the same time.
And this is the reader – it's a desktop reader – which verifies that the information is correct.
And this is an older chip in use. That's my daughter-in-law's leg.
And I don't think this projects too well, but this is a hand-held reader reading the information that's on the tag. It gives you the name of the patient, the doctor's name, which side it is, the location, and the procedure.
The SURGICHIP is HIPAA compliant. It's programmed by a designated professional in a private environment, usually the outpatient pre-operative area, sometimes in the emergency room. The entrance into it is password-protected, as I showed on the picture.
The information is encrypted. It can't be read other than with an RFID reader with SURGICHIP software. It would be like trying to read a PDF document without an Adobe Acrobat reader.
Once the chip is encoded, it is electronically locked so that it cannot be altered or deleted. This prevents any kind of inadvertent deletion or changing or malicious changing of the data.
The tag that's used, that I showed you, is called a "passive RFID tag." I think this will be discussed later. But this does not have a battery. The read distance is short. The maximum distance this can be read is five inches, so that it can't be read from across the room by somebody or from outside the operating room by somebody who wants to invade the privacy of the patient.
The screen on the hand-held is very small; it fits in the palm of the hand. It's easily shielded. Again, the software in the hand-held terminal is password-protected. It's even possible to user-protect the hand-held terminal if you feel that it's necessary.
The read-out on the hand-held printer clears in a pre-set amount of time, the maximum being five minutes. The reason we do that is that – there are two reasons. One is that you don't want the information to be there for the next case and accidentally have somebody read the information from the previous case. But just as important, you don't want it to be lying around so that somebody who's not supposed to be reading it could read it. So it clears in a pre-set amount of time, maximum, five minutes.
The screen is small. It can be easily covered, or protected or shielded by the surgeon reading it or by the nurse confirming the data in the holding area.
The chip itself, as I showed you, has the name of the patient and the site. It does not have the procedure on the face of the chip. The chip itself is easily covered, if it's on the head, by a cap; on the extremities, abdomen and chest, it's covered by the blanket that takes the patients into the operating room; if it's on the neck or the back, it's just covered by the body itself.
If indeed the chip were to be seen, it's analogous to the name band, the name on a wrist band, and the "yes" on the surgical site.
This information is actually protected by the need to know exception. And the need to know exception is barred from other areas of privacy law, but basically what it states is that if the information is so compelling that the doctor must know it, that supersedes the right to privacy in certain circumstances. And certainly, knowing the name of the patient and knowing the operative site are compelling reasons for the doctor to know.
I've already stated that the chip is not implanted; it's put in the hospital record and it becomes part of the HIPAA-protected medical record.
There is data stored in the computer after SURGICHIP is used; this is used for research only. This is password-protected and it's necessary so that eventually we can track and see if this is working, if the results are better than just having a time-out.
It's not intended that the information will be transmitted at this time. If in the future it becomes necessary to transmit it, the information can be either de-identified or initialized.
SURGICHIP has been used by me and three of my
associates on a very limited basis in a hospital and in an outpatient center and the results have been wonderful. No mistakes have been made. The nurses that are involved in the surgical team are very happy with it and the patients love it. Patients are very concerned about having wrong-site surgery. It's getting a lot of press recently and they're afraid, and this is a comfort to them. Patients have come up to me and told me that they're very happy with it.
In summary, I believe that SURGICHIP enables patients to benefit from the use of RFID technology without compromise to their rights to privacy.
MR. ROTHSTEIN: Thank you very much. It was very interesting and we'll have questions for you at the end of the panel presentations. Dr. Seelig?
AGENDA ITEM: Presentation – DR. RICHARD SEELIG
DR. SEELIG: Thank you, Mr. Chairman. Good morning.
My name is Richard Seeling. I'm Vice President of Medical Applications of the VeriChip Corporation, with offices in Delray Beach, Florida.
I would like to thank the Subcommittee on Privacy and Confidentiality for the opportunity to participate in this hearing regarding the privacy implications of RFID technology, and we commend your efforts to maintain the
sensitivity to the complex interaction between the need to know critical health care information and the maintenance of privacy of that information.
Prior to my comments, I'd like to read a paragraph from the Executive Summary of the Information for Health: A Strategy for Building the National Health Information Infrastructure Report and Recommendations from the National Committee on Vital and Health Statistics which was presented on November 15th of 2001, and with your permission, here's the quotation from that summary:
"An overarching principle applies to all elements mentioned above. It is critically important that the NHII vision and its embodiment be large enough to accommodate major changes in the future. The NHII is by its nature dynamic; every one of the elements listed above will evolve, just as the content of information and knowledge will change. All of the entities contributing to the NHII therefore must think big – especially the Federal government in its leadership role.
"In order to coordinate stakeholders appropriately and to see that everyone can benefit from the evolving information infrastructure, HHS must craft a national health information policy that is broad and flexible enough to encourage and channel – rather than inhibit – positive change." And that's the quote.
Your Committee is to be commended for its vision, foresight and perseverance in moving forward in this important aspect of health care services.
My responsibility with the VeriChip Corporation includes the development and implementation of medical applications specific to the VeriChip technology. I'm a Board-certified surgeon affiliated with Applied Digital
Solutions and its business units since 1999.
Before joining Applied Digital, I practiced in Morris County, New Jersey, for 20 years.
In addition to my clinical practice, I was a consultant to the United States Surgical Corporation and to Davis+Geck in the areas of minimally invasive surgery and new product development.
I received a Bachelor of Science degree from the George Washington University and an M.D. degree from the University of Medicine and Dentistry of New Jersey. I continue to hold a clinical assistant professor at that institution.
On September 16th, 2001, I implanted myself with two RFID microchips, initiating the implementation of the VeriChip technology.
To briefly describe our company, Applied Digital is a total owner of the VeriChip Corporation. Applied Digital in itself, as its mission, develops through multiple business units innovative security products for consumer, commercial and government sectors worldwide. Unique and often proprietary products within these business units provide security for people, animals, the food supply, government and military arena, as well as commercial assets.
Included in this diversified product line are RFID applications, end-to-end food safety systems, GPS/Satellite communications, and telecom and security infrastructure.
And what I'd like to do is just briefly describe my personal involvement of VeriChip and how it was developed.
At the outset in 1999, I was a consultant for one of Applied Digital's business units. I recognized that another business unit's product called "Home Again," which is an implantable identification tag for pets, and I'm sure many in this room already have their pets' tags as such, could have important applications for humans.
The first set of applications, as we just heard, revolved around the identification of implanted medical devices such as pacemakers and orthopedic hardware. It was my clinical experience and in discussion with colleagues that we recognized the need for improved, rapid acquisition of accurate, detailed, technical information regarding these devices and at that time it was really lacking. And that access to information caused delays and inefficiencies in patient care.
I believed that an implantable, passive, RFID tag available when needed and linked to Internet-accessible databases could provide a clinician access to the needed information many months after the procedure was performed and at any facility throughout the country.
Living in the New York area during the 9-11 attack, I became aware of rescue workers at Ground Zero writing their badge numbers, their Social Security numbers, on their skin with Magic Markers, and they did this that should they become injured or even worse, working in the pit, that they would be identified and not served the same fate as those that were in the buildings with delayed identification, so that there was a need for a more secure form of personal identification and an approved form of access to that information when that need came about.
And the experiences of the first days after the fall of the twin towers inspired me to move the identification project forward at an accelerated pace.
And of course, incidentally, we are now witnessing the same horror and the same imperatives in Southeast Asia as a consequence of the tsunami which struck that region approximately two weeks ago.
To evaluate this hypothesis, five days after the World Trade Center and Pentagon attacks, I implanted myself with two of the veterinary chips and began adapting the concept to a human version that eventually became VeriChip. These microchips were implanted in my right forearm and my right hip, as I felt there were more questions that needed to be answered that one site could provide.
And in my prepared remarks, I have referred to the RFID Journal which has some very basic question and answers about the RFID technology which you're welcome to read at your leisure.
I'd like to move to the VeriChip system description. And the VeriChip system is not just the implantable microchip, but it's a number of different units that interact together.
The VeriChip system contains an implantable RFID micro transponder which is intended for personal identification, security access, financial and health information applications in humans.
On October 12th of 2004, the Food and Drug Administration cleared VeriChip for medical application use in the United States. On December 10th of 2004, the FDA Center for Devices and Radiologic Health published its guidance for industry for devices for a Class II Special Controls Guidance Document, and that document was entitled
"Implantable Radiofrequency Transponder System for Patient Identification and Health Information," and I believe that's now available through the Federal Register.
The patented VeriChip micro transponder is a passive device that contains an electronic circuit which is activated externally by a low-powered radio beam, which is RFID, sent by a hand-held battery Pocket Reader. The VeriChip is used to store a unique identification number. It is implanted subcutaneously in the rear of the upper arm by means of a small, hand-held, preloaded introducer.
The reader scans the arm, then displays the unique ID number of the implanted VeriChip micro transponder. As RFID is employed to obtain the ID number, direct line of sight is not required; therefore, it can be read through clothing. The ID number is used to address a secure database that will provide the implanted person's identity and other previously entered information such as a link to an electronic medical record or a personal health record.
I've included additional comments about the details of the VeriChip in my prepared remarks.
In April of 2004, we were honored to be invited to present to the Secretary at the Second Annual National Steps for a Healthier U.S. Summit the application, health care application, of VeriChip.
And to summarize our presentation then, rapid access to accurate patient information is required for optimal outcomes in medical emergency situations. Chronic illnesses such as seizure disorders, stroke, diabetes, COPD, cardiac conditions or Alzheimer's disease frequently initiate medical emergencies.
While healthy adults may be able to verbally provide personal health history, a person with chronic diseases can experience a communication barrier due to loss of consciousness, impaired speech, or memory loss, resulting in treatment delays.
The challenge is to reliably obtain important information at a moment when the ability to impart it is lacking. Current modalities available to provide information include wallet cards, bracelets, and dial-in telephone numbers. Frequently, these aids are not in the possession of a patient when the need for emergency care arises, or the data is incomplete or conflicting.
An alternative to current information methodologies is VeriChip. A passive, implantable, RFID microchip, VeriChip can provide an identification gateway from the "chipped" individual to a secure database containing patient-entered personal information, family contacts, and health care history.
Advantages of this technology include that it cannot be lost, stolen, forgotten, altered or copied, and it is always there when it's needed. The information is stored on a database, not on the chip, facilitating the updating or expansion of the data via an Internet-accessible computer.
Chronic disease patients unable to communicate are at a significant disadvantage in the health care delivery system compared with those individuals not similarly impaired. By "speaking" for the patient, the VeriChip technology offers an empowering option to obtain a comparable level of care by rapidly and accurately furnishing important or even lifesaving information.
Regarding HIPAA, we believe that the RFID usage in general and VeriChip in particular will not impact or expand on HIPAA's covered entities or business associate categories or their compliance requirements. Further, we believe that the VeriChip technology is HIPAA friendly because it doesn't convey a name or any information or identifier, only a number, and that number is read by a proprietary scanner which is registered to a particular health care facility.
On January 4th of 2005, The Record of Bergen County, New Jersey, published an article regarding the VeriChip and interviewed a number of local parties, obtaining their information and reaction to its utility.
The first person who was interviewed was Dr. Michael Gerardi, who is an emergency room physician at Morristown Memorial Hospital, Chief of the Pediatric Emergency Room, and the former Chairman of the Emergency Medical Physicians Chapter of New Jersey. His comments regarding HIPAA were that:
"We're heavily invested in electronic medical records. We're concerned with HIPAA, and we do everything we can to maintain security and to protect information.
"The government created HIPAA to insure privacy in electronic billing transactions," Dr. Gerardi said. "Chip implants will not compromise security because only health care providers will have scanners for reading them."
Regarding the NHII initiatives which we fully support and we've been actively participating in in those endeavors, we believe we fall into the category of stakeholders dealing with the information technology industry, and we support the two main areas of participation in that, and that in the interests of time, I'd like to refer you to the November, 2001, report dealing with a case study which actually, with extension, predates our publication of what VeriChip was all about, but to summarize it, the two areas of our participation with NHII in the areas of privacy and systems application.
And specifically regarding the privacy issues, in November of 2004, our company publicly issued a privacy statement, and I'd like to put that on the table for our discussion:
"To insure that its attribute" – meaning VeriChip – "is a benefit and a benefit only, we are making privacy our priority and our commitment. It is good business and it's responsible behavior for a leader in an area of RFID technology."
The company's six-point privacy statement is as follows:
"Number 1. VeriChip should be voluntary and voluntary only. No person, no employer, nor any government should force anyone to get ‘chipped'.
"Number 2. Privacy must be a priority at the highest levels of our organization, and as such, we will have a privacy officer who, with privacy experts, will be charged with addressing the day-to-day global evolution of this technology.
"Number 3. We will immediately address privacy and patient rights in all consumer, distributor, and medical documents related to VeriChip.
"Number 4. VeriChip subscribers" – as we call patients – "are able to have their chip removed and discontinued at any time.
"Number 5. Privacy means different things to
different people, so only the VeriChip customer should designate the groups that may have access to his or her database information.
"And Number 6. We pledge to thoughtfully, openly and considerately engage government, privacy groups, the industry, and consumers to assure that adoption of VeriChip and RFID technology is through education and unity rather than isolation and division.
"Our Chairman of the Board has publicly stated that we will work closely with all our key constituencies, including consumers, distributors, hospitals, to make sure that the rapid adoption of VeriChip is as broad as possible. With significant opportunities for VeriChip in other areas such as security, we will strive to apply these standards consistently and uniformly across all of our target markets."
Mr. Chairman, the VeriChip Corporation stands ready to assist the NCVHS in promulgation of recommendations which respect the need for privacy yet allow current and future technological advances to improve the quality and effectiveness of medical care, especially in the area of automated patient identification and seamless access to digitized medical information.
We are confident that under the current doctor-patient relationship and the public's view of physicians and hospitals as the most trusted guardians of their medical information, the current archaic and inefficient means of managing medical information can be replaced by information systems currently considered routine in other major business sectors.
So in conclusion, VeriChip is an FDA-approved, implantable, passive microchip which is indicated for patient identification and access to a medical database. An individual voluntarily initiates the process, not a government entity. Every person has a choice.
Further, the technology is a reversible biometric. It can be removed as simply as a large splinter, thus eliminating the need for personal identification, providing the person with a greater long-term control of personal information access as opposed to a Social Security number, fingerprint, or other form of identification.
And finally, I'd like to refer back to the article in the Bergen Record.
Representative Robert E. Andrews, who represents the citizens of the Haddon Heights region of northern New Jersey, is an advocate for genetic privacy laws, and said that the chip must be kept strictly voluntary. And he was quoted as saying:
"If someone chooses to have such an implant, then
it should legal and encouraged.... But the idea of a hospital implanting a chip without permission is illegal, and should stay illegal." The question is not the technology, but how it is used, Andrews said.
And quoting Dr. Gerardi again, he was quoted as saying that "This is a very exciting thing. The computer could really make a difference for care givers worried that their loved ones show up in an emergency department and no one will know their critical information.
"Everything has its drawbacks and its positives," he said. "I refuse to let civil libertarians get in the way of a good idea. People out there fear information on the chip. They fear Big Brother. I think that's nonsense," Dr. Gerardi said.
"I think life's more important than the remote possibility of loss of confidentiality. With the chip, you can markedly improve the efficiency, accuracy and safety of care to provide people unable to communicate their health needs."
And the final comment is from a gentleman whose name is Nicholas Minicucci. He is the President and founder of Molly Foundation, which is a diabetic research and treatment institute located in Hackensack, New Jersey.
He has a daughter who has juvenile diabetes for many years and it was her plight that inspired him to develop this Foundation. He's a very passionate man, and this is the final quote of my presentation:
"Tell me about Big Brother when your daughter or loved one is run over by a truck. I don't want to hear about it."
I thank the Committee for your time and attention, and I welcome your questions.
MR. ROTHSTEIN: Thank you very much, Dr. Seelig. I'm confident that we will have several questions for you at the end of the panel presentation. And now, Dr. Tillman.
AGENDA ITEM: Presentation – DR. DONNA-BEA TILLMAN
DR. TILLMAN: Thank you. I'm going to just make a few very brief comments about FDA's role in this matter.
I'd like to start off by saying that the Center for Devices and Radiological Health is the part of FDA that's responsible for oversight of medical devices. And our primary mission is to insure the safety and effectiveness of medical devices; that's what we are mandated to do.
And to do this, we basically take a risk-based approach to the evaluation of medical devices. The amount of regulatory oversight that we apply to medical devices basically depends on the potential risk that the device presents. Higher risk devices receive a higher level of
regulatory oversight.
The highest risk devices, things like heart valves, stints, interocular lenses and things of that nature, are placed into Class III, and they require what we call "pre-market approval." In order to market a Class III product, the company has to show that the device is safe and effective, and that is very similar to those sort of more well known processes that a new drug has to go through.
Moderate risk devices, and this includes many medical products – monitoring devices, many surgical devices, and most of what you would see in a hospital – are placed in a Class II. Now most, but not all, Class II devices require some types of pre-market notification before they can be marketed. So if you've got a Class II device, generally you need to come to FDA before you can market your device.
In this case, the company has to show that these devices are substantially equivalent to legally marketed devices, so they basically have to show that the new device is equivalent to existing products on the market.
Both the VeriChip and the SURGICHIP devices are Class II devices, although it's worth noting that subsequent VeriChip-like devices will be exempt from pre-market review unless there are significant changes made to the device technology or for the indications for use.
We do have a guidance document that Dr. Seelig referred to and it is available on our website. I can certainly show you to find that, if you're interested in it.
Now, the lowest risk devices, and these are things that many people don't even know are medical devices, like toothbrushes, manual surgical instruments, gauze, those are placed in a Class I, and most, but not all, of these devices do not receive any FDA pre-market review before they go on the market.
However, all medical devices, with very few exceptions, are subject to registration and listing – in other words, a company has to tell FDA that they exist and what products they are selling; quality systems requirements, and adverse event reporting.
Now, one thing that I think is also important to recognize is the distinction between when these products become medical devices and when they are not medical devices. Our legal counsel handed down an opinion that said that when implantable devices like the VeriChip are used for non-medical purposes – in other words, for security or to basically link to a database that is financial or non-medical information – those are not considered medical devices and FDA does not have any jurisdiction over the products when they're used in that way.
When their implantable transponder devices do have medical indications, in other words, when the chip is linked to a medical database and when there is actually a medical indication, only then does FDA have any sort of regulatory oversight over the products, so that's another important thing, I think, for the Committee to recognize.
Now, although we're primarily concerned with safety and effectiveness in medical devices, there are instances where this would include privacy issues.
For example, implantable transponder devices like the VeriChip and devices like the SURGICHIP as well undergo validation testing in order to show that they basically do what they say they do. They have to show that they perform in accordance with their labeling and in accordance with how they're designed to be used. If these devices are designed to protect confidential information, then in fact they must be shown to be able to protect confidential information from disclosure.
So FDA asks companies to address any confidentiality claims that they make about the device, and the guidance document actually on these devices has a section entitled "Information Security Procedures" and under that it talks about confidentiality, and that confidentiality means the characteristic of data and information being disclosed only to authorized persons and entities at authorized times and in an authorized manner.
So that is one way that we address confidentiality provisions for these types of devices.
Finally, I'd like to note one area where FDA and CDRH do have an express interest to deal with privacy issues, and that's related to the provision of confidential patient information collected during clinical trials.
FDA regulations are very clear that the names and other personally identifying information that's collected during a clinical trial should be removed from medical records that are submitted to FDA as part of our pre-market review process, and then even if a company or an investigator fails to do so that FDA will not publicly disclose that information.
That ends my remarks.
MR. ROTHSTEIN: Thank you very much, Dr. Tillman. We have another witness who was scheduled to testify by telephone at 10 o'clock, and that's Dr. Halamka, and I'm told that he is not on line yet. So we have a couple of minutes for questions before Dr. Halamka, and then we will recognize him when he is on line. So, questions?
Questions, Answers and Comments
MR. HOUSTON: I had a specific question regarding
the VeriChip. Does the chip actually hold any data, I mean other than an identifier, or is the data really held in a database somewhere else that can then be linked back to the identifier that's held on their RFID chip?
DR. SEELIG: You're correct. The only obtainable information on the chip itself is a unique identification number. The actual information itself is maintained separately, apart from the microchip, on a database.
And the intent there is to accomplish two things. Number one is to maintain privacy in that if a person were, an entity were, to surreptitiously obtain a scanner, the only information that that scanner would yield would be an identification number, and without password and other forms of authentication, there wouldn't be any access to anything more than a 16-digit number which has no relevance other than that.
And the second reason is that we're all memory hungry and that we couldn't design anything that would obtain enough information storage on a chip to satisfy everyone's needs. And the subset of that thinking is that if one wanted to update the information, and that information resided on the chip, then you'd have to go back to a center to get your chip reprogrammed, if you will, whereas if that data remained remote from the chip, it would be very convenient to maintain updates and increase the file and add to it and revise it, very, very convenient.
MR. HOUSTON: I sort of suspected that was the case, and I understand the RFID capacities are fairly limited but that there is the capability to have capacity on an RFID chip in terms of storage spaces.
Has there been any thought, or other people out in the market, looking at maybe maintaining some type of limited data set of critical information or, you know, allergies, meds, existing type of medical conditions, things like that, on the chip itself, or is that pretty typical – what you're company is doing is what everybody else is thinking of doing?
DR. SEELIG: Well, I think there are about three questions, four questions, there.
The answer is: It depends. And it depends on whether it's implanted or whether it's a wearable form of RFID. And with a wearable form, as a Smart Card, you can have much more memory capacity. That's issue number one.
Issue number two is the capability of read-write. VeriChip is read-only so that if you have a wearable chip, you could then expand and add to it to or delete or modify. The form factor of VeriChip, as you may know, is two by 11 millimeters, so it doesn't allow much area for having this kind of luxury of space that you can spread out over a credit card sort of format.
MR. HOUSTON: We're going to look back 20 years and there's going to be like gigabytes on that little one.
DR. SEELIG: As we speak today, no.
MR. ROTHSTEIN: Before we call on Jeff, I want to follow up one question, if I may. So it is possible now that more information could be on the chip, but a limited set of information – in other words, you could conceivably have blood type, chronic disease diagnosis, or something that might be of value to first responders, but your particular product doesn't utilize that, is that correct?
DR. SEELIG: I have two audiences here; I have to directly address my colleague here from the CDRH as well as you. The current form of VeriChip does not have the capacity to do that. Should we want to do that, we would then need to re-initiate the CDRH process because that's –
MR. ROTHSTEIN: I understand. We're just trying to get some idea of the technology.
MR. HOUSTON: Hypothetically.
DR. SEELIG: And hypothetically, the answer is yes.
MR. ROTHSTEIN: Okay. Thank you. Mr. Blair?
MR. BLAIR: Actually, this question might be to both Dr. Seelig and to Dr. Waxman. I was thinking of it first to Dr. Seelig.
You said that you have a 16-digit identification and that's probably more digits than are needed just for a numeric identification, so I'm wondering: How did you come up with that? What is your methodology for issuing new numbers and keeping these numbers unique? And does that identification number contain, besides identification, any intelligent information? And I guess that really goes for both Dr. Waxman and Dr. Seelig.
DR. SEELIG: Well, thank you for that very thoughtful question. It's the first time that's ever been addressed, I think, and that 16 digits, we settled on that because we could, and that we figured the larger number we could pick, the less likelihood there would be of anyone coming up with a sequencing that would outstrip a capacity or would somehow come up with some sort of algorithm that could somehow come up with the number. So it's an impossibly large number for any reasonable expectation. That's number one.
Number two is that we go through many methods during the fabrication to assure that the number generation is unique and that it's not duplicated. First, the number itself is laser-engraved on an integrated circuit, so it's not something that's programmed after manufacture; it's actually laser-engraved on it, which means that people can't select the number – it's there, and you have to take what you get and then move on from there. That answers your second question.
And again, during the manufacturing process, there are many checks and balances to be sure that this number that's generated is not duplicated. And the proof statement of that is that our sister company, Digital Angel Corporation, which is in fact the manufacturer of the VeriChip technology, has been doing this for well over 10 years and that in the animal world there are now 30 million of these microchip transponders implanted in various life forms around the world and that they have very well honed a system to assure that a number is not duplicated, and we are using their well-established manufacturing practices compliant with CDRH requirements for a human device to assure that very thing.
The third element is: Does that number contain any intelligent information that someone could figure something out? And the answer is no, except for one thing, and that one thing – and actually there's another thought I had – the one thing is this, that the first four numbers of that sequence are 1022, and that's our internal workings for the human, so humans will not be mistaken for cattle or a chicken or a sheep or anything else, so that's the only thought that comes into those 16-digit numbers.
Now, a subset of that is something that we haven't talked at all about this morning and I daresay we're going to get into, is actually technical aspects of what RFID is and that I think it's important to say very clearly to everyone in this room: RFID is not a black and white issue. There is not one frequency. There is not one size. There is not one type of transmitter.
There are active tags, which mean battery-powered, passive tags, which our two products are, which contain no power at all. Distance of read and range – there's a whole industry out there which we're not discussing today.
Having said that, the frequency that we're using is FCC licensed, or implantable in life forms – human life and animal life forms. It's very, very low frequency, so it transmits through body fluids. We use a different frequency in humans as the pets use so that we have different readers for different applications.
Sorry for that lengthy –
MR. BLAIR: Thank you.
DR. WAXMAN: I'll give a briefer answer.
We're just the opposite. We have all intelligent information on the chip. We don't access a database; I wanted to try to avoid that.
This is a closed-circuit system. In an operating room, we want the surgeon to be able to get the information right away without having to access the database.
Each step, in our particular instance, introduces the possibility of an error, and the whole purpose of SURGICHIP is to prevent error. All the information is essential and intelligent; it's on the chip. Again, that's why it's password-protected. That's why the chip is put in the chart. That's why all the information is locked so that it can't be changed maliciously or inadvertently.
We try to get as much information as we can on the tag. We're limited to 256 bits of information. The main reason is that some surgical procedures are very long; a spine procedure can involve a description of multiple levels. So I've tried to limit the amount of space for the name and the site so that I have plenty of room for the procedure. Hopefully, somebody smarter than I will devise a chip that can get more than 256 bits.
But this is different than VeriChip. We want the information to be intelligent and accurate and rapidly accessible.
MR. BLAIR: Are you using one of the standardized code sets for the procedure, and if so, which one?
DR. WAXMAN: I'm not sure what you mean by code set?
MR. BLAIR: Whether you're using --
DR. WAXMAN: Oh, no, we're not doing –
MR. BLAIR: -- CPT codes –
DR. WAXMAN: Not at all.
MR. BLAIR: -- using surgical codes, standardized surgical codes.
DR. WAXMAN: Not at all. We're using words, not any abbreviations. Hopefully, no initials. The only limitation is the space. I want it to be written out. I don't want "99281" or "29881" to be confused with something else. There are a million codes. You can hardly get a surgeon write the name or the "S" on the site and look at it besides having to reference and remember a whole book of codes. I want it to say "total hip replacement," and the surgeon says, "That's what I'm going to do."
MR. BLAIR: Yes.
DR. WAXMAN: I want it to be simple.
MR. ROTHSTEIN: Well, thank you. I understand now we have Dr. Halamka on the line?
DR. HALAMKA (on phone): Yes, I am here.
MR. ROTHSTEIN: Welcome. Good to hear from you again, and we're anxious to hear your testimony.
AGENDA ITEM: Presentation – DR. JOHN HALAMKA (on phone)
DR. HALAMKA: Oh, very good. Well, thanks for having me. And just as background for the Committee, I am the Chief Information Officer of Harvard Medical School and the Chief Information Officer of CareGroup, a group of six hospitals in Boston. Beth Israel Deaconess is the flagship hospital.
And today what I'll describe is the use of RFID, both passive and active, at Beth Israel Deaconess Medical Center and some of the issues that we have encountered, specifically issues of privacy and functionality, and how is it we use them and what are our use cases.
I should also disclose that I am one of those 30 million biological individuals who does have a chip implanted. I am 102230000472, and that chip is in my right triceps.
That implantation was done about a month ago, surely not because I am an evangelist for this technology because I felt that the only credible way to evaluate the technology was to have a human subject, and that would be me as the volunteer, in terms of the pain of insertion, the efficacy of the technology being read, the operational aspects of linking data to the identifier, et cetera.
So with that as background, the two ways in which we use RFID at Beth Israel Deaconess, passive and active. I'm going to start with active.
We have partnered with a company called PanGo Networks to deploy 90 active RFID tags in the emergency department and in one of our cardiology wards. And the use case for that active ID tag is to track equipment, personnel and patients.
Specifically with regard to equipment, yes, there's a theft deterrent or tracking aspect to it, but most importantly, for our high-use equipment such as EKG devices, ventilators and IV pumps, we really want to know where they are so that they're available just in time – that is, if a trauma patient comes into the trauma bay, you want to make sure that you've got the appropriate equipment handy, and therefore we have a heads up display that shows the location of the high-use equipment items in our 48,000-square-foot emergency room, based on active RFID transponder tags attached to those pieces of equipment.
We're interested in locating the patients, and as the other speakers have said, we are not using patient-identified information on an RFID tag; specifically, we are just simply tracking the gurneys on which a patient resides, and therefore that's a proxy for where is that patient, radiology? Bed one, bed two? Et cetera.
And we use that information purely in a work flow setting. We have an electronic dashboard that is viewed by our clinicians. The public view of the dashboard is de-identified; there is no name of a patient; purely the initials of a patient and the current location of that patient as indicated by the RFID tag as shown on the board, as well as some basic clinical information such as chief complaint and the status of various outstanding tests and whether they're admitted or not admitted, waiting for a bed, that sort of thing.
We also track staff, nurses and doctors, and there's where a real privacy issue certainly came up. When we went to do this pilot, the staff said, are you going to be tracking us such that you could identify us by name and use that in some sort of punitive fashion? So you were 17 minutes in the break room and you only have 15 minutes allocated.
We said, from a person-tracking standpoint, workflow analysis, we're going to track roles of nurses and doctors and not individual names.
And so we use it in the case of if you look at the average emergency room day, 20 percent of nursing time, as indicated by RFID tags, is spent walking down this hallway; if we would only move the pixis pill cabinet down to the center of the emergency department, we could enhance productivity and workflow.
So we have very specifically told staff we do not track you as an identified person, and that has certainly been a much easier way to use RFID effectively for workflow analysis.
And thus far, our experience over the last three months in using active RFID tags in the tracking of equipment, tracking of patients and tracking of personnel has been effective to the level of a room. The technology we're using, PanGo, which uses WiFi networks, existing networks, as a mechanism of triangulation of the RFID tag, can tell us not that a ventilator is in the corner of Room 1 but it's in Room 1 somewhere.
And so to that level of granularity, tracking of personnel and patients and equipment to the level of a room in an emergency department setting has been effective. And privacy issues, as I've said, the patients purely de-identified, tracking them by initials, tracking them by gurney that they're on, and the individual personnel tracked by role.
Passive RFID tags are something that are really at this point more of a speculative use for us. The use case we're looking at is in medication administration.
Today, we're using bar codes. Bar code the nurse, bar code the patient wristband, and bar code the medication in a pixis device. And that's a repackaging of the medication into a plastic bag with a bar code.
We believe that RFID passive tags will have a significant advantage over bar codes because bar codes require a proximity to the reader, they can get torn and bent, that the notion of having a patient wristband or, if you really want to speculate – as I have, this implanted tag – a patient is in a room and because of RFID being present, we know the patient has been pushed into that room. Passive RFID tag, so we don't have tracking per se but we do know that, say, patient walked through the door which happens to have a passive RFID access point that is using an RF excitation signal to get an RFID read as the patient goes through the door.
Well, a nurse goes through the door and a medication goes through the door; that then can serve as a proxy for a medication administration record or in fact could be used in the sense of, gee, the nurse has just walked into this patient's room with this med and that's not a med that a patient should receive, and so then can be used from a medication safety as well as a medication administration record.
So we believe that the technology is very early with regard to the passive RFID tags, as the other speakers have said.
Standards are very much just evolving at this point and so in my conversations with industry leaders, the EPC global group and folks at the FDA, it sounds to me as if we should look at these potential uses of passive RFID. For the moment, however, bar codes are the practical approach to track medication and track medication administration records and positive patient IDs but that
looking out on the one-year to two-year horizon, replacing bar codes in those settings with RFID tags, assuming that standards are in place and that the passive RFID technology is robust, that it would have the advantages of allowing a much broader scanning area such as walking through the threshold into a room rather than passing a reader over a specific bar code.
So today, I would say that the passive side of things has just one privacy issue, and I think the other speakers did address it, and that is, you can imagine a scenario where if we had all injected passive RFID tags and the database that related our tag number to our name or other protected health information was somehow available, that I could be walking in a mall past a Mont Blanc pen shop and a billboard would appear: "Hey, John – we're having a sale on the pen that you like, and I understand that three months ago you bought some ink. It's time to buy some more."
You know, one could envision interesting privacy violations based on the fact that an individual could be associated with a passive RFID tag that's implanted.
But, as the other speakers have said, the intent is any linkage is going to be kept private and certainly, at this point, no – at least in the case of VeriChip – protected health care information is on the chip itself, purely a 16-digit identifier which is utterly useless unless you have access to the linkage data.
So, yes, privacy concerns are something we need to be aware of, but at the moment, it does seem that the approach has separated protected health information from the identifier itself and therefore I don't see privacy violations in the immediate future.
So that's been my experience thus far, and certainly happy to answer any questions the Committee may have.
MR. ROTHSTEIN: Thank you very much. I'm sure we will have some questions, so if you could stay on the line for another half-hour, we would appreciate it very much.
DR. HALAMKA: That would be fine.
Questions, Answers and Comments
MR. ROTHSTEIN: So, other Committee members? Dr. Cohn.
DR. COHN: Yes. John, this is Simon Cohn. Actually, I'm pleased that you're on as a user of the technology, I guess a personal user.
I actually had a question for you, and this is a little – I'm not sure it's tangential, but it maybe takes the question maybe a step further, because obviously as I think you commented, there's patient issues; there's also employment and employment sort of privacy and confidentiality discrimination issues.
But, curious, we've all talked – and I'm talking about now access to your electronic medical record, access to your terminals in your environment that have patient-sensitive information – I think as we've all talked about security and password protection log-on, obviously the issue of biometrics comes up versus secure cards, versus secure IDs versus just a regular password.
And I've heard recently a lot about proximity devices. Normally, I guess, worn around your neck, which might be RFID technology. But of course you bring up the interesting question about the fact that you're already implanted with something internally.
Are you comfortable – once again, as an employee of your institution – having that become part of your biometric authentication when you walk up to a computer device and start entering patient-specific information?
DR. HALAMKA: Sure. Well, a couple of answers to that. We are using proximity detectors today to enable qualified personnel to enter secure areas such as our data center where we have nine million patient records stored electronically. So I think the notion of carrying something that is used as a means of identification is certainly workable and positive.
The challenge, I would think, in using, let's
say, the VeriChip as the mechanism of authentication is obviously this is a medical procedure. Now, it's a relatively painless procedure and it's relatively fast, but I don't think we would want to compel any individual to get this thing inserted as part of their employment or part of their use of a computing system.
Now, obviously there are other macabre variations one could think about, which is if somebody wanted to break into a highly secure system, they could extract a chip from a known valid user, whether that was removing their arm or simply removing the chip, and clearly there's speculative concerns on what kind of either violence or violation might occur should that be used as a primary means of authentication.
But I will say the notion of biometrics, in my experience, where a biometric is defined as a thumbprint, hand geometry, iris scan et cetera, in our health care environment, there have been too many false positives and false negatives associated with standard biometric technology that we have chosen not to use it, as well as the fact that I have 8,000 computers at Beth Israel Deaconess – the notion of outfitting every one of 8,000 computers with a biometric reader is certainly a capital expense I can't afford.
So it is certainly attractive to think about an implanted chip which is easy to read, certainly more accurate in the sense that it is a 16-digit binary representation rather than a thumbprint which is an analog representation.
So if I were to choose some kind of authentication device, it certainly has appealing qualities. I just think the requirements for insertion would not be tenable.
MR. ROTHSTEIN: The order of questioning will go Harry, then Jeff, then Richard, then John, and then, if we have any time, I'll ask some of the 30 or 40 questions that have occurred to me. So, Harry?
MR. REYNOLDS: Yes, I have a question for Dr. Waxman and then Dr. Seelig.
Dr. Waxman, you made a comment about the Privacy Law and that if the information is compelling that the doctor must know they can get it. Do you know where that is in the law, or can you give me a little more on that?
DR. WAXMAN: I can't actually reference that. I looked it up once on the Internet last week, and it had to do with, if I remember, a public institution, records in a college setting, if I remember correctly. I can't give you the exact site.
MR. REYNOLDS: Okay.
And Dr. Seelig, since you're implanted, which is
now public knowledge, I guess, give me a sense of how you see this whole database idea working? I mean, obviously, once you get X-amount of people chipped and you have a database somewhere that obviously identifies them, and then that database starts building information, and then you think of all the doctors and all the hospitals and you think of the fact that HMOs really didn't win in the United States so people are seeing many doctors for many things and everybody needs information. How do you see that play out, at least in your vision?
DR. SEELIG: The National Health Infrastructure initiative that Secretary Thompson started in the spring of 2004 and that Dr. Brailer is now moving forward in implementing has 12 goals that they want to see accomplished. And the one goal that you're referring to is something that is yet to be achieved, and that's interoperability.
And that means if a particular hospital or physician's office uses one form of electronic medical record or another, what NHII wants to do is to be sure that those different systems can bring to a third location, if you will, the information relating to that patient.
What VeriChip can offer is an alternative form of pointing, or directing, to that information, so that us in room here are conversant and we can give our names, some
sort of other pointing information and actually Dr. Halamka chaired a very good session at NHII dealing with this whole thing of identifiers to access that information.
VeriChip will be another component of that identifier set to be sure that you can get 100 percent certainty, or as close thereto, of knowing that the information reposing on an information database pertains to the person in front of you, and conversely that you, in front of a clinician, can access that information. That's the fit for VeriChip.
MR. REYNOLDS: So would you see me giving my doctor my 16-digit number and then they could access that database?
DR. SEELIG: Yes, and that – for example, you're undergoing chemotherapy; you're fatigued, you've been to your 13th doctor on your second day going through the mill, if you will. Why should you constantly have to fill out the same forms and repeat the same information over and over again, if you could, let alone if you were impaired? Yes.
So – and then the other thing is it's going to be more accurate because it's going to be consistent, and you're not going to likely make mistakes or cause confusion.
MR. REYNOLDS: Thank you. That's it, Mark.
DR. HALAMKA: In fact, could I add to this?
DR. SEELIG: Certainly.
DR. HALAMKA: Is that possible?
DR. SEELIG: Please. Go ahead.
DR. HALAMKA: Okay. I have added my 16-digit identifier to the master patient index that is used to link all of our six hospitals, so my personal medical record can be looked up by my Beth Israel Deaconess medical record number, my private physician's office medical record number, or my 16-digit identifier. They're all equivalent to get to my electronic medical records in Boston.
MR. ROTHSTEIN: Okay. Jeff?
MR. BLAIR: This is for Dr. Seelig and Dr. Halamka. Hello, John –
DR. HALAMKA: Hello.
MR. BLAIR: -- this is Jeff Blair.
When we were receiving testimony from the work we were doing on the Subcommittee for Standards and Security for e-prescribing, one of the – well, actually, it came up in bits and pieces; some of the information that came up was that the pharmacy benefit managers that had a portion of the medication record for a particular patient that's part of a health plan would be providing that information to the prescriber in order to facilitate clinical decision support. But they were filtering it. And they felt they needed to filter it because if the particular patient was taking medications for HIV or sexually transmitted diseases or behavioral health diseases and that particular physician wasn't involved in those issues, they were actually making the decision that they would filter that information out and not tell the prescriber that that patient was taking that medication in order to protect privacy.
In short, it was a decision where they're making a tradeoff between the safety of the patient in terms of a drug-to-drug interaction that may not be detected and privacy. And I was wondering if either of you have encountered this issue where you're having to make this type of a tradeoff, and if so, how you've dealt with it.
DR. HALAMKA: I'm certainly happy to take that one because we've already done it.
We launched over the last six months in Massachusetts statewide an initiative called Meds-Info. Meds-Info interlinks the databases of RX Hub, Express-Scripts, Merck-Medco, MPC Health, effectively all of the pharmacy benefit management databases that serve our entire state.
And today, if you walk into Beth Israel Deaconess, Boston Medical Center or Emerson Hospital, our three pilot users, an authorized physician types in the name, gender, date of birth of an individual and five seconds later, with patient consent, a result of all of that information seeking across all the PBMs in our region appears for use in clinical care.
It does not include medications of mental health, substance abuse or HIV treatment, and the reason for that is a regulatory reason. In the state of Massachusetts, it turns out that we require a level of consent, specifically not just as global consent – yes, you can go look up my data – but that every place that data lives, Express Scripts, RX Hub, requires an individual, separate consent by the patient to release the information therein if there is going to be mental health and substance abuse information transmitted.
So in our first iteration, which, as I said, it's been live and working very well, we have not been able to get through a lot of this consent and regulatory restriction. And we recognize that that could jeopardize patient care. A patient could be on an MAO inhibitor and I'm going to give them a medication in the emergency department with a drug-drug interaction that causes harm.
So we're working at the state level and through the Mass Health Data Consortium and through our folks that are involved with the State House trying to change that restriction that will enable us, with a global consent, to share these medications that are not shown today.
MR. BLAIR: Thank you, John. Dr. Seelig?
DR. SEELIG: Very briefly, I think this reinforces our approach to this whole matter, and that is that we will conform to whatever regulatory issues and rules of the road that are out there, that the technology should not shape them but actually be responsive to them.
MR. ROTHSTEIN: Richard?
DR. HARDING: Most of my questions have been asked, but one quick one for Dr. Tillman. You mentioned that there were medical and non-medical issues for insertion of an identifier like a VeriChip or something and that if it was something for something like security, FDA would not have any responsibility there. The insertion of a device under the skin is not a FDA responsibility?
DR. TILLMAN: That is correct. We have a legal decision from our counsel that, if you look at the definition of a medical device, that unless there is a medical use of this product, it doesn't meet the legal definition of a medical – I'll give you an example, if you think of ear-piercing. But that is the legal decision we've been given.
So that is correct. Unless the VeriChip or an implantable device has a medical indication, FDA has no legal authority over it.
DR. HARDING: So, the same device inserted the
same place can have different – okay.
DR. TILLMAN: That is correct.
DR. HARDING: Thank you.
The other is something that has been alluded to but we haven't really said is the issue of voluntary use of this device versus coerced use of the device. And there's just something a little bit creepy about inserting something under the skin – you know, tagging, putting the SURGICHIP on my arm doesn't have the same feeling to me as having something inserted into my body.
And the idea of having that being removable is good, but there is that issue of "I have something that I can't do anything about without the help of somebody else."
And from the time that I decide I don't want this thing anymore to the time that I get it out, it's a funny situation to me. Any thoughts about it? Can it be neutralized? Can it be stopped?
DR. TILLMAN: Can you turn it off, right?
DR. HARDING: Yes – turn this thing off for a while, or something like that.
DR. SEELIG: Perhaps Dr. Waxman would like – would you like to make any comments about that first? You've obviously done one way and we've done another.
DR. WAXMAN: Well, the SURGICHIP is not implantable and it's removed and put in the chart, never used again. So it doesn't seem to be so much of an issue.
DR. HARDING: Time limited kind of thing.
DR. WAXMAN: Well, it's not time limited; it can always be read. But there's no need, once the surgery has been performed. Then it's a part of the hospital record. It's just not there anymore after the – it has a one-time, one-purpose use, and once it's done, it's never used again.
DR. SEELIG: We're here talking about health care and if we can just confine the discussion regarding health care, I think we can be very clear about this. And that is that separating health care information from any other form of access health care information, patients and people have a level of expectation about access and accuracy of that information when it's needed, and that people demand, or they expect, somehow, as soon as you get to the office or as soon as you get to the emergency room, somehow everything that they need to know about you is going to be at hand.
And they don't know about all the running behind the scenes to get the file rooms and the faxes and all of the other nonsense with microfiches that has to happen to obtain that information to deal with the relevancy of that situation.
So with that as a backdrop, and then dealing with medical hardware, and now you're going to put this creepy thing in your body that has a microprocessor and has a 10-year lithium battery and it's going to keep sending shock waves to your heart? That sounds pretty creepy to me! Or you're going to take your natural bone out of your body and you're going to replace with titanium and plastic and it's going to work, and you can play tennis instead of having your own natural bone? Well, that sounds pretty creepy to me as well.
DR. WAXMAN: It doesn't sound creepy to me.
[Laughter.]
DR. SEELIG: The point being that it depends on the perspective of where and how that hardware is being used and to what place it's going to be and use it's going to be put.
And I think that if we look at the application, and say, why am I having this done? –- and then work back from there about the benefits, I think that's a safer approach and a more, if you will, conservative medical approach to things rather than saying something is coming out of the blue and all of a sudden I have to make a decision about it.
DR. HARDING: I think that's the issue that I'm trying to raise, is that there is a consent issue to have that thing put in my arm –
DR. SEELIG: Exactly.
DR. HARDING: -- and that I have to be fully aware, fully informed, of what the possibilities are. And as long as I have that, and consent is given, and more power to it. But I just have some concerns about the consent process in this.
DR. SEELIG: Well, that's right. And I think that we firmly believe that this is a medical procedure and a medical device and as such, informed consent must be obtained. And as any clinician knows, you can make a recommendation to a number of patients to get the same form of treatment and a certain patient set, subset, will say yes and another set will say no. Whatever they want to have done is done.
DR. TILLMAN: I'd like to add one more comment, and that is that currently these devices are what we consider prescription use only, so both the chip itself is available on the use of a prescription and the readers as well. So at least for these two products, they both require prescriptions, so medical involvement; they're not available to just anybody off – for their medical use.
The non-medical use, then that's a different story.
MR. ROTHSTEIN: Okay. Mr. Houston, and please save me some time.
MR. HOUSTON: Three quick questions.
[Laughter.]
MR. HOUSTON: Three long questions. Especially, I guess, for all types of technology, durability and failure rates – have there been any types of studies as to especially the implantable kinds? How long do these things last? Are they prone to being damaged or destroyed?
And I guess the other question is: I guess there is the capability for somebody to steal the number, take the number, and encode something else to admit the same number, and RFID technology may not be as sophisticated as a VeriChip or another chip, and frankly use that for some other theft, basically steal the number.
And then the third question I have is in terms of the range. I mean, I know there are different powers of chips that make them have longer ranges. What are we talking about? How far away would somebody be, especially implantable kind, before they could actually read the number off the chip?
DR. WAXMAN: I have brief answers to your questions.
As I stated in my testimony, the distance is maximum of five inches for the SURGICHIP. The SURGICHIP is only used once. The time for its use is within a period of hours, so it's not going to degrade.
And finally, the chip is locked electronically so that it cannot be tampered with. It's as if you were to envision an old-time post office with lots of mailboxes that are open and have little tablets you can write information on. Once the information is placed, a glass door is closed and can never be opened again; you can only read the information inside. It cannot be tampered with.
DR. SEELIG: I'll be very, very brief in these answers so we have more time.
Useful life we estimate to be 15 years. The way it's implanted in the body with soft tissue, it would take blunt force that would make that extremity or that life form incompatible with life for it to be destroyed.
The abuse of the number that – I guess we could have fiction writers here come up with some good scenarios, but the answer is not really, number one, and number two, so what? If you have a pacemaker or a total hip replacement, who cares? And what are they going to do with that information? So, again, it's the Pepsi challenge: What are you going to do with the information now that you've gotten it?
And again, because it's medical information and because it's medical information protected under HIPAA, there's a whole constellation of civil and criminal penalties for using that information in authorized ways.
And finally, the read range is three inches.
MR. HOUSTON: Thank you.
MR. ROTHSTEIN: Well, I have some general observations and questions for the panel.
Our second panel is going to explore specifically the privacy issues that are raised by RFID, but I'd like to ask our first panel while we have you here to address some of the issues that I anticipate will be coming up in the second panel.
And in particular is the question of sort of unintended consequences, slippery slopes, potential for extending the technology to other uses that I think it's prudent for us to explore. I don't see anyone opposed to the idea of trying to prevent wrong-site surgery. I don't see anyone opposed to the idea of getting access to essential patient information in trauma situations or to identify victims in disasters.
But it's easy, I think, to contemplate more extensive uses of this technology. For example, one of the premises of the technology is that it will only be used with the informed consent of the patient. There are many individuals who lack that decisional capacity and therefore the consent may be legally made by others who have responsibility for them. So, in other words, parents could require that their children get these implants or someone who had custody over someone who was mentally retarded or who had Alzheimer's disease. It wouldn't take too much imagination to see a requirement in a military that all service personnel had these kinds of chips.
So the notion that it would be used only in the informed consent that we view in the clinical setting I think may not work out.
In addition, I think there are many other uses that one can envision, for example, putting RFID devices on controlled substance containers that the FDA may approve could used by law enforcement very easily. I could see public health officials insisting in lieu of quarantine or isolation that infectious disease patients have RFID chips and you could follow them before they entered public buildings or public spaces where they might spread disease.
Tomorrow, we're going to talk about the issue of third party uses and compelled disclosures, and so one can imagine a situation where you apply for a job and you've got an RFID chip and the occupational physician has the reader and as a condition of employment, you have to allow them to read your chip, which would allow them electronic health record access to your complete health records.
And one of the things we're going to explore tomorrow is whether in these kinds of settings there should be limited access to third parties, which would be limited only to those essential things that they need to know.
So I could go on and on and I imagine the next panel will probably probe many of these and probably other issues as well.
I would like to give each of you a chance to respond to the notion that even though your technology is benign and lifesaving in some respects, what do you say to the criticism that some people might misuse it and go beyond and therefore some degree of regulation should be put on the technology?
DR. SEELIG: All right. I have more hours in me, so I'll go first.
[Laughter.]
DR. SEELIG: Let me just say, Mr. Chairman, we have since this first came about been very active in addressing and thinking through these particular questions and trying, as we evolve the technology, to address them as this is going forward.
In terms of authority of consent, in fact that's what we have to go on, and that is, that people can provide informed consent for themselves. We are our health proxies for our children and for our disabled parents and that power of attorney is provided by a third party authorizing consent to provide that. So in that regard, RFID, whether it's wearable or implantable, any format, is no different than any other form of authority given for use or management or treatment.
In terms of use for other purposes, I can only tell you how we've addressed it, and with our database, which we call a Global VeriChip Registry System, we in fact give the user a choice, and in fact they have four choices as to who can access their health care information so that if we're dealing with Alzheimer's or, say, autistic children, we want the first responders to know who the person is and what their emergency contact information. But it's not necessary, or even appropriate, for them to know the underlying medical information about that individual.
So the user has the option to tag, or to block, that information from being available to those people.
And the same thing can be true for employers – that we could put another block in there for a person to say, no, no, no, my employer is not going to be able to see my health information, but if they need to use this for my job which requires secure access as a condition of employment, yes, they can use it for that purpose only, but not for unintended consequence of knowing what my other health information was.
And that's what compelled use, I think, is voluntary.
And the other part of it is, too, that there are occupations where you and I want to know that the right people are in the right place at the right time, that the people in the cockpit of an airplane or the control center of a nuclear power plant or who have their buttons on the launch codes of nuclear submarine are the right people in the right place at the right time.
So I think it's application specific and we can control it in our way, and that's something we would certainly offer anyone who is interested in looking at it.
MR. ROTHSTEIN: Dr. Waxman, do you want to comment?
DR. WAXMAN: As far as SURGICHIP goes, it's not mandatory that the patient submit to using SURGICHIP any more than it's mandatory that they allow "yes" to be written on the surgical site. It certainly makes a lot of sense but if the patient refuses, they don't have to use it. Of course, the surgeon, except in an emergency situation, has the right to refuse to do the surgery if there's no protection of this sort.
As far as the information being available to third parties, it's used in a closed circumstance. There are no third parties watching. The chip is in the chart and protected by the medical records, the HIPAA regulations, and the information that's on the reader is timed out and will disappear. Sir, I don't consider that to be an issue with SURGICHIP.
MR. ROTHSTEIN: Dr. Halamka?
DR. HALAMKA: Sure. Well, I'm a strong believer in patient consent for all uses of retrieval of medical information except in those cases where a patient is comatose and can't otherwise consent.
Let me tell you what we had to do, because the Attorney General of Massachusetts was a bit uncomfortable with even this medication information retrieval on Medicare patients who could not consent.
We are now required to print on all discharge summaries, "During the course of your care, we may have looked up your medication information at a time when you were not able to consent to such a look-up. If you have an interest in exploring this further, here is the phone number of our privacy officer."
So even on those cases where a patient's comatose or incapable of consenting, we're still advising them and informing them what we did and giving them the opportunity to understand it better.
So, certainly those kinds of policies and procedures would need to be wrapped around any use of this technology.
MR. ROTHSTEIN: Sarah, did you have a question?
MS. WATTENBERG: Yes. I'm interested in this idea that in some cases the device will meet the definition of a medical device and in some cases it won't. And so you sort of have this parallel universe of medical versus non-medical devices.
And I want to know whether or not there's any sort of way that they would intersect and what the potential for abuse might be.
For instance, if you have, you know, Associated Press, and they buy one of these sort in the general marketplace and they have a very ingenious IT person or somebody who doesn't have much scruples, whether or not there's a potential that they could sort of walk down the hall of a hospital and just kind of scan people and get information.
Perhaps a question out of my own ignorance of how health technology works, but curious, nonetheless.
DR. SEELIG: Well, first of all, we struggled with the FDA on this whole issue of bifurcation of application and of governance. We're comfortable with it now, as difficult as it was to come to that.
As far as the scenario that you laid out, again, HIPAA has put into place civil and criminal penalties for obtaining that information. So if someone were to obtain that data, then they would be violating the laws that are already in place, number one.
Number two is that in order to gain access to the information, there are many steps you need to go to to get it. We use proprietary software in the scanner, so if you had an RF tuner, a scanner tuned to that particular frequency, you wouldn't get the information off the chip. There's a lot more memory on the chip dealing with authentication and transfer information back and forth aside from that 16-digit number.
The third element is that if that information were obtained, the question is to what use that would be put. And I'd like to welcome hearing what those challenges of information would be to understand how we have addressed them or could address that potential in the future.
Thirdly is that we're the only manufacturer of the readers, so therefore we know where these readers have been shipped and to who is receiving them. We have a registration program for the physicians who do the insertions and we have a registration procedure for the affiliates, as we call them, who obtain the scanners. We also have a post-market tracking system so we know where the chips have been shipped to and to whom the chip was the inserted.
So we have, as our part of our best manufacturing practices, a tracking program of both the scanners and the chips so that we can, in the best situation, if a bad thing happens, be able to move back to understand it.
And not only that, in our own personal health information system – as I mentioned, it's called GRVS, Global Registry Verification System – we have a tracking system, an audit trail that automatically locates and has a time stamp for the location and the facility that actually does an interrogation of the chip and accesses that information.
And that's the best we can do right now, so if there's something else we can work with, we'd be glad to.
MR. ROTHSTEIN: Well, I want to – oh, I'm sorry – Dr. Waxman?
DR. WAXMAN: I just wanted to mention, as far as SURGICHIP is concerned, SURGICHIP just has a very limited amount of information. The chip itself is now in the medical record after it's been used and it can only be read with a reader that has software installed by SURGICHIP. And even if somebody were to steal the reader with the SURGICHIP software in it, and it's not available to everybody, it is by prescription, as you know, you still have to get the proper password to get in.
So it's unlikely that it could be used for any other purpose. And as a matter of fact, even if you could steal the reader, get into the software using the password and read the information in the chart, it's much easier just to open to the page that says "Operative Consent." It has the same information and it's easier to get.
MR. ROTHSTEIN: I want to thank all four members of our panel for getting our RFID hearings off to such a lively, thought provoking start, and we will take a 15-minute break.
And I want to alert our Internet listeners that we will begin Panel 2 at 11:10, and that should not cut Panel 2 short because unlike the first panel, we only have three witnesses, and so we should have ample time for their testimony as well as questions.
So we are going to take a break until 11:10. Thank you.
DR. HALAMKA: Well, guys, thank you.
[Break at 9:52 a.m. Meeting resumes at 11:12 a.m.]
MR. ROTHSTEIN: Good morning. We are back with Panel Number 2 of our RFID hearings. I want to welcome all three of our Panel 2 members, and I think you had a chance to hear at least some of the testimony that we heard from our first panel group and it was very stimulating and I imagine you will have some interesting perspective to add to that.
So I'd to like to invite Ms. Sotto to begin.
AGENDA ITEM: Panel 2 – Radio Frequency Identification
Presentation – LISA SOTTO, Esquire
MS. SOTTO: Thank you very much. Good morning.
My name is Lisa Sotto, and I'm a Partner with the law firm of Hunton & Williams. I head the firm's Regulatory Privacy and Information Management Practice.
And I also lead privacy projects for the firm's Center for Information Policy Leadership, which is a privacy think tank affiliated with the law firm. The Center brings together business leaders, government officials, consumer advocates and academic experts to provide thought leadership on information management issues.
Through both the law firm and the Center, I advise chief privacy officers and other senior executives on the development of global information management programs. I have written and spoken extensively on information management issues, with a focus on privacy in the health care arena.
Thank you very much for the opportunity to participate today. I'm doing so on my own behalf and my views should neither be attributed to the firm of Hunton & Williams nor to any of my clients.
RFID technology in the health care arena holds enormous promise. If its use becomes widespread, it can lead to greater accuracy and efficiency in treating patients by making medical information immediately accessible to health care providers. Privacy concerns, however, present a significant obstacle to its widespread acceptance.
The benefits of using RFID in medical settings are achievable only if patients are confident that the data being transmitted will not be misused. The value of RFID in the medical arena can be fully realized only if patients have confidence in both the security of the technology and in the related policy environment.
For purposes of today's discussion, I've divided the privacy concerns related to the use of RFID into several distinct categories of potential harm. I'll go through each of those categories; I'll name them first and then hit each one in turn.
The first is the inappropriate collection of health information through RFID technology.
Second, the intentional misuse or unauthorized disclosure of the data by an authorized data holder.
Third, the intentional interception of the data and its subsequent misuse by an unauthorized party.
And fourth, the unauthorized alteration of the data.
So, going to the first potential harm first, the inappropriate collection of data through RFID technology.
In non-medical settings, there's a widespread concern that RFID chips may be used to collect data surreptitiously. For example, in the library setting, RFID chips can be attached to books without the knowledge of individual borrowers, and information about the borrowers' reading habits can be collected.
In the health care context, this issue does not present a significant concern. RFID devices used in health care generally are used only with the individual's knowledge and consent or that of the individual's legal representative.
Further, with respect to the VeriChip, which is considered the most privacy-invasive of the approved RFID devices, all data maintained is in a database associated with the chip and is self-reported.
So in the medical context, currently use of RFID devices is fully opt-in. Patients affirmatively choose to provide medical information through RFID technology.
In addition, also with respect to the VeriChip, no medical data is stored in the chip itself. Instead, the information is maintained in a separate database. Therefore, even if you are implanted with a VeriChip that was secretly scanned, the information the interloper would receive would be limited to a 16-digit ID number and only would have meaning to those who have access to the database itself.
The chip itself acts as a unique identifier, not as a transmitter of health information. So the bigger privacy concern with respect to the VeriChip really involves unauthorized access to the VeriChip database. This sort of unauthorized access is a significant threat to individual privacy, particularly when dealing with sensitive health information, but it's not unique to the RFID context. Unauthorized database access is an issue in many other settings and it's frequently managed using security tools like encryption or authentication technologies.
The second category of potential harm is the intentional misuse or unauthorized disclosure of the data by an authorized data holder. This is where a party to whom an individual has granted permission to access the data for authorized purposes may use or disclose it for unauthorized purposes.
This is a legitimate and very significant concern, but again it's not unique to the RFID context. It's an issue we confront daily in connection with the collection and maintenance of data sets generally.
Whether information is recorded on paper or electronically, guarding against its misuse or unauthorized disclosure is a security issue and an organizational oversight issue that needs to be addressed by every entity that maintains sensitive data.
The third category of potential harm, the intentional interception of information and its misuse by unauthorized parties. Any intentional and illicit interception of medical data and its subsequent use for purposes for which it was not intended is a clear violation of patient privacy.
Here again, however, this is not a new privacy risk that has arisen only as a result of the development of RFID technology. The risk of data interception and misuse involves security issues that plague every organization that stores sensitive data.
These problems generally are addressed through encryption and authentication. As with any unauthorized interception of data, the solution lies with better, more secure technology.
The fourth potential of harm, the unauthorized alteration of medical data. The risk that a patient's medical information may be inappropriately altered poses a serious threat not only to a patient's privacy rights but also to the patient's ability to obtain appropriate medical care.
Again, as with the other risks I've mentioned, the risks related to data integrity are not unique to the RFID context. In any situation in which data integrity is an issue, authentication technologies and other safeguards must be used to help insure that only those with authority to amend the data are given that access to amend.
By dividing into these bite-size chunks of potential harms the issues, we find that these harms, while extremely serious, are not unique to the RFID context. In the privacy arena, we've been discussing these harms, these potential harms, for years.
The real question is whether the current regulatory environment provides adequate protection against the potential dangers or whether additional protections are needed to make RFID a secure option.
For most health care providers, HIPAA's privacy and security rules impose strict limits on the use and disclosure of health information. The restrictions apply without regard to how the data was collected, whether collected through RFID or any other collections method.
So for covered entities and for their business associates who are contractually restricted in their use and disclosure of the data, no additional protections appear to be necessary.
There are, however, in the RFID setting as used in the medical context many parties, many entities, that will have access to the data that are not HIPAA-covered entities. For these entities not covered by HIPAA, other existing laws provide protection against the potential risks.
For example, the unauthorized use or disclosure of medical data may be considered a violation of Section 5 of the FTC Act which prohibits entities from engaging in unfair or deceptive trade practices. The FTC has availed itself of this provision on numerous occasions to protect against many of the same privacy abuses that I've mentioned above.
With respect to unauthorized data users who illicitly intercept and exploit medical information obtained through an RFID system, existing law provides the necessary tools to actively combat and deter this illegal behavior. While the threat of hackers and lots of other bad guys will continue to exist, the tools that are currently in place do provide a sufficient framework for law enforcement authorities and other security experts in the private sector to combat illegal activity.
In addition the protections provided by existing law, and industry code of conduct should be developed for entities that maintain or access RFID-related medical data. The Fair Information Practice Principles and HIPAA's Privacy and Security Rules provide very strong guidance in developing this type of code of conduct.
I would submit that a code of conduct should contain the following principles:
First, notice, and we've discussed this a little bit in the previous panel. Patients who are "chipped" must receive notice, written in plain, understandable language, of the data holder's information practices. This sort of notice will allow patients to make truly informed decisions as to their level of participation in an RFID network.
At a minimum, the notice should clearly identify the entity collecting the data, the uses and disclosures of the data, the type of data collected, the methods by which the data are collected, the security measures used to safeguard the information, and the rights of the patient – for example, the rights of the patient to amend the data or access the data.
Second, consent. Data holders must use and disclose health data only in a manner to which the patient has clearly consented, and consent also is very much dependent on clear and complete notice.
If the data must be disclosed pursuant to legal requirements, for example, in response to a subpoena, the data holder should seek to insure that the recipient uses the data only for the narrow purpose for which it was disclosed and should also seek to insure that safeguards are put in place to protect the data.
The third principle, access and amendment.
Patients must have the ability to access their health information and to challenge the accuracy of the information and correct it where that's appropriate. IN the health care arena, accuracy of medical information is absolutely critical.
Fourth in a code of conduct, data integrity and security. Health information collected in connection with RFID technology must be both accurate and secure. Minimum standards must be established to protect against loss and unauthorized alteration, destruction, access, use and disclosure.
Fifth, the principle of data retention and chip deactivation. There needs to be clear guidance as to how an individual may first deactivate an RFID chip used for medical purpose. And second, there needs to be guidance as to how to request the destruction of medical data maintained either within an RFID chip or within a database connected with an RFID chip.
Under most circumstances, data should be retained only for so long as the individual agrees and must be permanently destroyed once the individual has authorized its destruction.
The sixth principle, accountability – very, very important principle. Strict accountability standards and enforcement and redress mechanisms have to be established for all parties that participate in an RFID system. There must be a price to be paid for being the weak link in a security chain.
The privacy harms that may result from RFID abuses are significant, but they are not unique to the RFID context. While I believe existing laws are available to address potential harms, I would nevertheless encourage RFID stakeholders to develop and adopt an industry code of conduct to further protect against harms that might result from misuses of the data.
A coordinated approach by all stakeholders would provide the public with the confidence needed to support the advancement of this beneficial technology.
Thank you for the opportunity to appear before you today and address these important privacy issues. I would of course be happy to answer any questions.
MR. ROTHSTEIN: Thank you very much, and there will be questions, I'm quite confident. And we'll move now to our second witness, Mr. Rotenberg.
AGENDA ITEM: Presentation – MARK ROTENBERG
MR. ROTENBERG: Thank you very much, Mr. Chairman, members of the Committee.
My name is Mark Rotenberg. I'm Executive Director and President of the Electronic Privacy Information Center here in Washington. I'm also on the faculty at Georgetown Law Center where I've taught privacy law for 15 years.
And I'd like to thank you for very much for inviting me to participate this morning and also for looking into the issue of RFID applications and privacy.
I wanted to begin by drawing your attention to a report that I've circulated for you. It is the annual report by my organization, EPIC. It's titled Privacy and Human Rights. It's an extensive survey that we undertake each year of privacy developments around the globe. It's broken down essentially into two sections. The first is by subject matter and the second is by country.
And what we are seeking to do is to identify emerging privacy issues and then to understand on a comparative basis how different countries are responding to new privacy challenges.
This publication has turned out to be an enormously useful project, I think, for a Committee such as yours that are both assessing the impact of RFID and trying to understand how others may be responding.
I will say that over the last few years of our research, RFID has taken more and more of our attention. In fact, this year, 2005, we've just announced our list of Top Ten issues to watch and we've identified RFID as one of the Top Ten privacy issues for the coming year.
But interestingly, the applications in the health care setting have not yet received the type of public attention and debate that the applications in the consumer setting have received.
So by way of example, during the past year, the United States Congress held its first hearing on RFID applications, focusing on new developments in product distribution and inventory management and the tagging of consumer products and what the impact might be on privacy interests of the consumers in the business environment in the use of RFID technique.
In similar fashion, the Federal Trade Commission held its first public workshop just this past year on the use of RFIDs in the consumer-merchant context, asking questions similar to those that have been asked by Congress.
The medical discussion about RFID applications, if I may be direct, I think has been distorted somewhat by the debate over VeriChip, and I say this at the outset because in preparing my remarks for you today, I came to understand that there are really a wide range of applications for RFID technology in the health care setting and I think it's very important to understand the scope of applications and to assess the privacy impact in each of these contexts.
And in fact, that will be really the focus of my presentation today, is to look at the range of applications for RFID and to try to identify those applications where there is significant privacy interests and those applications where there may be minimal privacy interests.
If we're talking, for example, about the problem of counterfeiting drugs, the labeling of products in bulk distribution turns out to be an effective way, potentially effective way, to track and manage inventory in the medical care context, much as large corporations are beginning to realize that RFID is a useful technique to track distribution and products at the inventory level.
We understand this; we don't see a particular privacy concern. If it helps diminish the risk of counterfeiting of drugs, it seems to be a useful and important application of the technology.
But, of course, when we take the next step over and we move the tagging from the bulk level to the individual product level, so, for example, it's on the prescription drug vial that's in the possession of the patient, then we may begin to understand that some privacy issues emerge, because now there is a linkage between a particular product and a particular individual. And I'm going to come back to this point in just a moment.
There's a third category I'd like to suggest to you where the primary purpose of the RFID is not to identify product but rather to identify people, and I think here we are looking at two different types of applications.
It was actually very nicely illustrated on the first panel this morning. There are the applications of RFID for individuals, for example, to prevent errors in surgical procedure that are temporary. They exist in a particular point in time and a particular context; when that purpose if fulfilled, the use of the RFID effectively goes away.
We can identify some privacy concerns that might arise in that setting although I'd actually suggest security concerns may turn out to be greater than the privacy concerns. The accuracy of the information, for example, may be a greater concern than the misuse of the information.
But the troubling category, and I will conclude on this one by the end of my presentation, has to do with the permanent identification of patients using RFID technique, and I do believe that this raises profound issues for the medical community that you will need to consider in more detail.
Now, you're broadly familiar, I'm certain, with the various privacy frameworks that are discussed in the context of medical privacy protection. Ms. Sotto, I think, did a very nice job providing an example of how Fair Information Practices can be applied in developing codes of conduct for the use of RFID technique.
There is certainly this specific HIPAA Privacy Rule which comes into play with the collection of medical information. Our own organization, because of its work on RFID issues, over the past year actually spent quite a bit of time in consultation with consumer groups and academic experts developing a set of RFID guidelines, but as I said at the outset, these are really directed toward the concerns of consumers in the marketplace and don't actually reflect some of the issues that might arise in the health care setting.
The key point about all privacy frameworks, whether they're voluntary or codes of conduct or legislative, is that they focus on the collection and use of personally identifiable information, broadly speaking. And as a general matter, as a presumption, I think we can say that when personally identifiable information is not collected, there really is not a privacy issue. There may be other concerns; I don't mean to say that our concerns about the misuse of data disappear when the data is no longer individually identifiable, but they're almost by definition of a different type.
Now, in thinking about the privacy risks with
RFID, I think what we're really talking about, apart from the problems of a procedure going wrong and an implant, for example, are the possible misuses of personally identifiable information. These are the concerns the Privacy Law and regulation typically tries to minimize or eliminate where possible.
The use of information out of its original context raises many concerns where a data subject can be used in subsequent determinations about employment, about insurance, can have a discriminatory impact. Ultimately, I would argue, it can actually have a certain impact on the individual's freedom to understand the use of information about them and how it's being used, particularly in a circumstance where they simply don't know what information has been collected.
Privacy scholars and others have certainly recognized the importance of Jeremy Bentham, the great utilitarian's model of the ideal prison called the Panopticon. The Panopticon had the unique feature that it gave the guard in the prison the ability to constantly observe the prisoner while the prisoner had no ability to know whether or not he was being observed. And the consequence of this, which Bentham realized, was that in such a world, you didn't even need a guard because people would simply believe that they were constantly being observed and would control their behavior as if that was the condition. The understanding of the physical Panopticon as the ideal prison has oftentimes been described as sort of the privacy nightmare, when people lose control of personal information.
HIPAA itself actually deals with this issue of personally identifiable information in a very complex fashion and I won't go into the detail now, but you have, as I'm sure you know, different categories and subcategories that seek to identify certain classes of information and the obligations that the covered entities have in the use and collection of that data.
Our own RFID guidelines distinguish again between RFID users and applications where personally identifiable information is not collected and those circumstances where it is collected and we place a much greater obligation, of course, on the circumstances where the data is collected.
Briefly, a highlight of some of the recent legislative developments. As I said, we do believe that this year there'll be a great deal of attention on RFID issues.
I think an important starting point for the policy debate was provided just a little more than a year ago by the International Privacy Commissioners. These are leading officials from around the world with legislative and regulatory authority over privacy matters in their national government. Unfortunately, we don't have actually a comparable office in the United States.
But when this group met in 2003 to consider the RFID issue, they said as a starting proposition, they would presume the application of current privacy laws of personally identifiable information that may exist in an RFID-enabled environment and that they proposed that additional consideration be given to the unique tracking features of RFID.
So, for example, you may need to enable certain types of leading, or so-called filling of tags, to protect privacy.
Various state bills are now under consideration, and as I mentioned earlier, there are hearings at the Federal Trade Commission.
Well, I'd like to go directly then to my proposal to you as at least a starting proposition for what an appropriate policy framework might be for the regulation of the RFID environment in the health care setting. And this proposal follows from the wide range of applications that I think we will be seeing in the use of RFID.
And this first category, which I call Tier 1, we focus simply on the bulk distribution of products. And as I suggested earlier, because there are no links to specific individuals, I think the necessity of privacy rules in this setting is – I don't want to say non-existent; I'm sure someday someone will show me this slide and I'll regret saying today "no privacy obligations."
But at least as a starting point, I think it seems reasonable that at this level, there's quite a bit of separation between identifiable individuals and the use of the technique.
As I suggested earlier, I think once you can link the product, once you have the prescription drug being filled in the pharmacy or the hospital, you have a patient, a customer, in possession of a vial with an RFID tag on it, a whole different set of issues should be asked: What is the application in that setting of current privacy rules? What new safeguards may be necessary, recognizing the unique capabilities of this technology? And I think this is a very important inquiry that should be pursued.
The Tier 3 set of applications I think really focuses on the question of whether context can be limited. And I fully appreciate the panel presentation – I think it was almost the ideal description of a limited context application for RFID tagging. And if I could be assured that that was the full application of the RFID tag, it would seem that maybe the privacy interest here is not so great.
But as with all of these techniques, as with all businesses that seek to expand and become profitable, as with innovation itself, it is very, very difficult to draw these lines.
So even as I said, recognizing what may almost be the ideal case for temporary tagging presented on the first panel, I would ask you to consider: What are the boundaries, legal, technological and regulatory, that can assure us that that type of tagging will be limited to its defined application?
The final category obviously concerns VeriChip and other similar products that may be developed. And as I said, it is my view that the discussion about RFID in the health care context has been focused in many respects too much on this particular product. I'm not even certain that we'll be talking about it a couple of years from now.
But nonetheless, to the extent that the product exists, I think we really do need to think carefully and seriously about what it means to permanently tag someone with a unique identifier in this country.
This is so closely tied to national debates about the use and misuse of the Social Security number, about whether we should have a national I.D. card, about how do we secure our borders so that we can link individuals with Federal agency databases, I don't think you can possibly consider that implanting a unique identity number in an individual could be contained to simply the health care setting.
I think there are also profound ethical issues here. I don't mean to put this quite on the same level, for example, with forced sterilization, but we begin to approach that realm when we change a person's body in a way that they may or may not fully understand and which for them to restore is really beyond the means of most people. I mean, that's what we're talking about when we implant a chip of this type.
It's significant, of course; I mean, I heard Dr. Seelig this morning tell us that we've now got 30 million living organisms that have been implanted with chips. I'm obviously working off of old numbers, because last year we were simply talking about a million.
But this is a very serious issue, and I would simply propose to you in your recommendations for HHS on the appropriate applications of RFID in the health care setting that you consider a flat prohibition on the implant of an RFID chip.
Thank you.
MR. ROTHSTEIN: Thank you very much, and that certainly raises more questions for us to talk about. Professor Solove?
AGENDA ITEM: Presentation – DANIEL J. SOLOVE
MR. SOLOVE: Thank you. My name is Daniel Solove. I'm a law professor at the George Washington University Law School. And I want to thank the Committee for inviting me to give these remarks.
RFID tags have many potential benefits, but they also pose a substantial threat to privacy. The future of RFID is vast and potentially very significant. As prices come down for the tags, they'll increasingly be placed into products; they can be placed into licenses or I.D. cards or virtually any item or product.
Technology over time might include the range of the signal and then that will enable chips to be read from greater distances. One scenario is: Suppose the police want to track a person. They could, for instance, get a list of the products that a person owns, or if the chip is implanted in the person, it would be even easier, and then track the person with the chips 24 hours a day.
Police might use an RFID reader to scan people's luggage or bags to get a full inventory of their contents.
Another potential use is a private company tracking people's RFID tags and beaming them individually tailored ads wherever they go; this is from the movie "Minority Report," for example.
What exactly is the threat to privacy that RFID tags pose?
Well, currently there's a bit of a divide between the online and offline world. Online, our transactions are readily tracked. Everything we buy at stores like amazon.com is recorded, every single purchase. I purchase quite a lot on Amazon and they have a list of everything I've ever bought since I started shopping with them.
Everything we peruse on amazon.com, for example, can also be recorded as well, and is being recorded.
And unless one is very computer savvy, it's critically difficult to achieve true anonymity online, truly be untraceable. Offline, it is still possible to be readily anonymous. I can go to a bookstore and buy a book with cash, and unless people remember my face, no record is going to be kept that Daniel Solove bought that particular book, unless I use a credit card, but if I use cash, I can still maintain anonymity.
RFID threatens to change this. On the Internet, people's Web-surfing can be tracked by cookies and spyware, and I think that RFID tags threaten to be a kind of cookie or spyware equivalent in real space, to some extent, a way of tagging people and permanently enabling the possibility of monitoring their activities. They can be a very powerful information-gathering tool and a way to track people's movement.
And a key program that's sort of the overarching theme of my testimony today is that our existing legal regulation of privacy is not prepared to deal with RFID. It's not just an issue of technology; our legal system isn't ready for this as it currently stands. We have a weak regulatory infrastructure for repositories of information gathered by private sector businesses and institutions and RFID information will enter into this realm.
To understand the full implications of the technology, we must understand the rise of what I call "digital dossiers" and this legal regulatory infrastructure that protects our privacy.
I