The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics was convened on Monday and Tuesday, January 13 and 14, in the Best Western-Key Bridge Hotel in Arlington, Virginia. The meeting was open to the public. Present:
Robert M. Gellman, J.D., Chair
Kathleen A. Frawley, J.D., M.S., RRA
Richard Harding, M.D.
Sheila T. Leatherman
M. Elizabeth Ward
Marjorie Greenberg, Acting Executive Secretary, National Center for Health Statistics (NCHS)
Lynnette Araki, NCHS
Harvey Schwartz, Ph.D., Agency for Health Care Policy and Research liaison
James Scanlon, HHS Executive Staff Director
Jackie Adler, NCHS
Fran Lynat, NCHS
Alan Newman, Senate Labor Committee
Kristin Steward, American Assn. of Health Plans
Ronnie Kokkines, IL Dept. of Public Health
Nielsen Hobbs, The Blue Sheet
Lyndalee Korn, TRW Avionics & Surveillance Group
Gerald Gates, Bureau of the Census
Elizabeth Andrews, ISPE
Roy Bussewitz, NACDS
J. Michael Hamilton, National Cancer Institute
Winnie Martinez, NIH
Ione Auston, National Library of Medicine
Stephanie Mounts, NCHS
Al Zarate, NCHS
Kristin Welsh, Senate Labor Ctte.
Debbie Rudolph, IEEE
Frank Marino, VHA
Louise Huang, Northrop Grumman
Nelson Berry, HCFA
Douglas Godesky, Admin. for Children and Families
Chris Bergsten, AAHP
Barry Hurewitz, Hale & Dorr
Donald Stockford, VA
Gary Friend, IMS America
Rosanna Coffey, AHCPR
Ellen McClesky, BNA
Robert Buck, MultiState Assn.
Suzanne Tomlinson, Biotechnology Industry Org.
James Pyles, American Psychoanalytic Assn.
Henry Heffernan, EDENS
Donald Haines, ACLU
Constance Percy, NCI
Satcha Radcliffe, Smith Kline Beecham
Laura Saul-Edwards, AAFP
Bill Applegate, Amer. Society of Clinical Pathologists
Lewis Lorton, HOST
Bruce Kelly, Mayo Foundation
Reid Cushman, Yale University
Danna Chung, DHHS
Louis Emmet Mahoney, HRSA
Sara Froelich, Glaxo Wellcome
Donalda Ellek, American Dental Assn.
Cathy Brady, Amer. Psychiatric Assn.
Jeffrey Cooper, Coopersoft
Clara French, USDA WIC Program
Megan Sexauer, NIH
Michelle Muth, U.S. Ofc. of Consumer Affairs
Deborah Tress, CDC
Alfred Buck, JCAHO
Chuck Focarino, VA
Robert Beck, MultiState Assn.
Bill Mahon
Elizabeth Hadley, NAIC
Judith Zink, Paul Magliocchetti Assoc.
Margaret VanAmringe, JCAHO
George Strehle, VA
Glen Pinder, NCHS
William Decker, AARP
Cynthia Haney, AMA
These two days begin a series of six days of hearings being held by the new NCVHS Subcommittee on Privacy and Confidentiality, for the purpose of exploring in detail the options and issues related to health privacy/confidentiality legislation. The hearings will assist the Committee in preparing its recommendations to the Secretary, who is required under the Health Insurance Portability Act to make recommendations to Congress on health confidentiality legislation. The three areas to be examined in the first two days are research, public health, and health oversight. Transcripts and written testimony are available on the NCVHS Home Page at http://aspe.os.dhhs.gov/ncvhs.
Regarding research issues in the area of privacy and confidentiality, the Subcommittee heard from the following panelists:
· David Korn, M.D., Dean of Stanford Medical School and Distinguished Scholar at the American Association of Medical Colleges (AAMC)
· David Witter, Director of AAMC's Clinical and Administrative Data Service
· Robert Hiatt, M.D., Ph.D., chair of the policy committee of the American College of Epidemiology
· Elizabeth Andrews, Ph.D., chair of the Committee on Data Privacy of the International Society for Pharmaco-Epidemiology
· J. Michael Hamilton, Ph.D., Chief of the Clinical Investigation Section for the Adult Oncology Service at the National Cancer Institute and a former chair of the Institute's institutional review board (IRB).
All of the researchers testified about the public importance of their research, the need for identifiable patient information, and the importance of balancing the values of privacy and progress in health care. Guided by questions primarily from the Chair, Mr. Gellman, they explored a series of issues pertaining to definitions, authority, the consequences of excessive constraint of access, redisclosure, and the handling of abuses. They stressed that abuses by researchers are exceedingly rare, and recommended institutional responsibility (notably through IRBs) as a prime way to protect confidentiality and deal with misconduct. The same was recommended for registries, which have some similar activities and also involve access to patient records.
There was consensus that as much as possible, the same requirements should apply regardless of purpose and type of research, funding source, content of the record, or vulnerability of the population. Encryption was recognized as potentially part of the solution, albeit one that may be far off in terms of present capabilities.
It was noted that currently, managed care organizations must follow less stringent confidentiality provisions when accessing the records of their enrollees for management-related research.
In the area of public health, the following individuals testified:
· John Poundstone, M.D., National Association of County and City Health Officials and Commissioner of Health, Lexington, Kentucky Health Department
· David Fleming, M.D., state epidemiologist, Oregon Health Division, and President, Council of State and Territorial Epidemiologists
· Steven Thacker, M.D., Director of the Epidemiology Program Office, Centers for Disease Control
These presenters stressed the need for identifiable patient information in order to promote and protect the public's health, as well as the high value attached to confidentiality by public health departments. It was acknowledged that it is impossible to prevent abuse by "scoundrels" without completely undermining critical public health functions.
The discussion session covered many of the same questions as with the previous panel, such as definition, authority, the public benefit of access, and constraints on re-disclosure. Opinions varied on the question of uniformity. State and local representatives urged that state laws not be overridden, as they represent the proper balance point between privacy and access for that jurisdiction, as well as the basis for an entire infrastructure of regulations and practices. On the other hand, Dr. Thacker and his CDC colleagues pointed out some of the problems with a more territorial and fragmented approach to confidentiality protection.
Dr. Fleming urged that states be protected from federal subpoena or court order, and encouraged a federal law imposing penalties for misuse of information. It was noted that the wide range of public health functions presents a challenge in terms of legislation.
James Pyles of the Coalition for Patient Rights and the American Psychoanalytic Association observed that the argument that access to private information would result in better health care is not sufficient justification for invading someone's privacy.
On the second day, the Subcommittee and panelists turned to oversight issues, hearing from the following panelists:
· John Hartwig, DHHS Office of the Inspector General, where he is Deputy Inspector General for Investigations
· Mike Diegel, Director of Communications, Coalition Against Insurance Fraud
· Bill Mahon, Executive Director, National Health Care Anti-Fraud Association
· Alfred Buck, M.D., Joint Commission on Accreditation of Health Care Organizations
· Fred Broadaway, Assistant Inspector General for Investigations, Department of Labor
· Carey Sennett, Vice President for Performance Measurement, National Committee for Quality Assurance
As with the other panels, the panelists stressed their need, in the line of duty, to have access to identifiable patient records; the public benefits from their work; and the need to strike a balance between the values served by their efforts and patients' right to confidentiality. The high cost of healthcare fraud was cited as one argument for the need for oversight, and it was pointed out that accreditation organizations help to assure good and affordable healthcare.
In the discussion session, considerable time was spent trying to delineate different oversight-related functions and to consider possible "low end" protections for the less invasive function of auditing. The redisclosure of information was the focus of a lively discussion in which representatives of Inspector General offices argued for the right to redisclose, and Subcommittee members stressed the need to limit law enforcement's uses of identifiable information obtained for health oversight. The panelists generally supported the idea of preempting and standardizing state laws.
In conversation with Dr. Sennett, the idea emerged of modeling oversight bodies on existing accreditation organizations such as JCAHO and NCQA, and/or of using such an organization as an independent oversight mechanism.
Mr. Gellman called the meeting to order and reviewed the plans for the hearings. They will assist the National Committee in its recommendations to the Secretary, who is required under the Health Insurance Portability Act to make recommendations to Congress on health confidentiality legislation. These two days begin a series of six days of hearings being held by the new NCVHS Subcommittee on Privacy and Confidentiality, with the purpose of exploring in detail the options and issues related to health privacy legislation. The three areas to be examined in the first two days are research, public health, and health oversight. The other four days are in February, with topics and speakers to be announced. At Mr. Gellman's request, those present introduced themselves. He then introduced the first speaker.
(Note: Transcripts and written testimony are available on the NCVHS Home Page at http://aspe.os.dhhs.gov/ncvhs)
David Korn, M.D.
Dr. Korn, the dean of Stanford University Medical School, is currently on sabbatical and a Distinguished Scholar at the American Association of Medical Colleges (AAMC). His testimony represents his personal opinion.
He noted the Committee's need to find a point of balance at which the security of medical records is enhanced without seriously impairing the access and communication needed to deliver and evaluate health care. It is "fanciful" to expect to assure the absolute security of records; it is more realistic to combine improved security mechanisms with prohibitions and penalties for discriminatory misuse.
Dr. Korn cited genetic testing as an area that exemplifies the conjunction of great promise and deep public concern. He focused his initial remarks in that area, noting that most recommendations to date emphasize private interests at the expense of public benefit and do not reflect adequate input from the full scientific community. He noted some specific weaknesses in the deliberations on that issue to date. He then recommended that more careful attention be paid to the definition of terms regarding genetic testing, specifically narrowing them to focus on the purpose of a study. He later stressed the need for a secure linkage point, such as an escrow agent who holds the linkage, so that research can be done without identifiers but with the potential for linkage.
David Witter, American Association of Medical Colleges
Mr. Witter directs the Clinical and Administrative Data Service (CADS) at the AAMC. He gave some background on CADS, and then reviewed the array of subjects about which information is needed to improve treatment and diagnosis and provide health care services. He identified several issues for the Committee to consider in preparing its recommendations, stressing the benefits to the public from continued availability of medical information. He noted that various mechanisms, practices and techniques already exist to help protect privacy, and urged that the Committee distinguish clearly between non-identifiable and protected health information. Finally, he recommended that privacy legislation recognize the full spectrum of organizations involved in research-related activities that require the use of medical information.
Robert Hiatt, M.D., Ph.D., American College of Epidemiology
Dr. Hiatt chairs the policy committee for the ACE and spoke on its behalf. He stressed that the scientific basis for public health epidemiology requires readily available access to health-related databases and medical records. He added that there has already been increasing restriction on access to records, out of concerns about confidentiality. ACE recognizes the legitimacy of privacy concerns but cautions against making the important work of epidemiologists more cumbersome and costly, given the public interests it serves. Generally, individual names and identities are not revealed in use of the data; and IRBs and investigators are responsible for ensuring privacy when medical record review is required. Most epidemiologic studies use data on hundreds or thousands of subjects. A requirement to obtain permission from individuals to review their records would introduce non-respondent bias into the investigation. It would also make costs prohibitive. Dr. Hiatt contrasted the small threat to privacy from such studies with the large benefits to public health.
Elizabeth Andrews, Ph.D., International Society for Pharmaco-Epidemiology
Dr. Andrews testified on behalf of the ISPE's Committee on Data Privacy, which she chairs. ISPE uses epidemiological approaches to study the use, effectiveness, value and safety of pharmaceuticals. It has members from 45 countries. This evaluation process, which protects the public, can only be accomplished using large, linked databases. Proposed legislation considers these databases protected health information because of the presence of a code to link back to an identifier. ISPE's position is that safeguards are needed to protect that linkage, but authorization for each research use is not feasible. Thus, encoded or encrypted databases should not be considered protected health information and should be exempt from authorization requirements.
J. Michael Hamilton, Ph.D., National Cancer Institute
Dr. Hamilton is chief of the Clinical Investigation Section for the Adult Oncology Service at NCI, and is a former chair of the Institute's institutional review board (IRB). He appeared as an individual, not as a spokesman for NIH or NCI. He noted that good research requires both general demographic data and specific individual records. He then outlined some of the benefits of cancer research in respect to the introduction of new agents, definition of disease incidents and risk groups and of etiologic agents, symptom control, and genetics screening. He stressed that a wide range of people need access to research charts with patient identifiers, and no legislation can completely protect these records from intentional fraud or misuse by a "scoundrel" without closing down access to all records for all purposes, which would have far-reaching negative consequences.
Mr. Gellman thanked all the presenters. The format for the discussion was a series of questions put to the panelists by the Chair and other Subcommittee members.
Given the strong undercurrent of opposition to giving researchers access to identifiable records, please explain the need for such records.
Dr. Andrews cited examples of learning the association of maternal use of DES and vaginal cancer in offspring, discovered through the mothers' records. Another example is the discovery of gross under-use of beta blockers in the elderly following myocardial infarction. Asked what the consequences would be of a requirement to get patients' consent before looking at their records, she said this would cause bias in the data.
Dr. Hiatt said that constructing a database requires linkages that use individual identifiers; after it is constructed, much analysis is done without reference to the identifiers. He cited a study of the relationship of sigmoidoscopy screening to colon cancer mortality, which linked services provided to cancer registry data and resulted in a change in the U.S. Preventive Services Task Force's recommendations.
Dr. Hamilton noted that links to employees' records can be necessary to identify workplace causes, e.g., cancers resulting from work with coke ovens.
Dr. Korn observed that pathologic studies define diseases by looking at their natural history in a population of patients. This requires the ability to refer to patient charts. He cited the development of understanding about how to deal with very early breast or prostate cancer. Mr. Witter added the example of research into prevention of subsequent strokes.
What would the consequences be of securing permission up front from patients to make their records available for medical research?
Panelists responded that this would introduce respondent bias, and valid conclusions can only be drawn from a true sample of the population.
Dr. Hamilton pointed out that some research should not be conducted without specific consent and counseling -- another reason not to ask for a blanket consent.
Have there been instances of improper use of patient records by researchers? How might such misuse be prevented or minimized?
Panelists said they knew of no such abuses by researchers, although they are theoretically possible. Dr. Korn noted the need to be sure that institutions that support research have tight security on linkers, so that researchers are not looking at identified (as distinct from identifiable) information.
Dr. Hamilton pointed out that research is reviewed by a jury-type system, the IRB, and those who misuse information are punished. Dr. Andrews said she was unaware of breaches of confidentiality in the types of studies discussed. ISPE is developing a code of conduct for its field in the area of confidentiality.
Should all research, whether private or federally funded, be subject to the same standards?
The panelists agreed that all research should be treated the same.
Should the records of persons from vulnerable populations receive special treatment?
Similarly, all patient records should be treated with the same care. Special levels of confidentiality for special groups would add complexity.
Recognizing that encryption will work in some cases, could it work across the board?
Dr. Korn pointed out that data need to be linkable, but do not need identifiers. The linkage could be held in trust. He stressed that the term "anonymization" is not an appropriate synonym for "encryption," because, in his experience, anonymous, unlinkable records are not usable. Dr. Hiatt noted that "blinded unlinked studies," which are anonymous, do have a purpose sometimes, e.g., as used by CDC to develop HIV seroprevalence data. In regard to so-called anonymous data, he also pointed out that if a group is small enough and enough other identifiers are used, the identity of individuals can be inferred.
It was noted that encryption simplifies and narrows the problem by transferring it to a smaller number of people with access to identifiers; it does not eliminate the problem. Generally, it was agreed that encryption may be a solution in the future when appropriate technologies are available and records are computerized more uniformly. It is not currently a solution, partly because of the unevenness of computer capacity across the country.
How can and should health research be defined for legislative purposes?
This prompted the question, Why do you need the definition? Mr. Gellman explained that to allow health researchers access to records, such a person or function must be defined in the law.
The option of certifying researchers rather than defining research was suggested.
Dr. Korn stated that one precondition of confidentiality protection is that institutions conducting research have a confidentiality policy in force. This provides a way of identifying and controlling researchers through the policies of given institutions, which "know who their researchers are." The second requirement is for institutions to be protected from forced disclosure of medical information.
Should different purposes and types of research be treated differently or the same?
Dr. Hiatt suggested focusing on who the person is who is allowed access to information, rather than the type of research. Mr. Witter noted that health research is heterogeneous. He suggested that in each instance, an IRB or analogous entity should have responsibility for confidentiality oversight.
The group discussed the general lack of regulation of management-related research by HMOs, compared to that for other forms of research. It was noted that licensing and accreditation of health institutions impose some constraints and oversight. There appeared to be sentiment for imposing the same kind of control over the use of patient records for health management research as for other types of research. The point was made that patients often are required to authorize the release of information for management purposes as part of their enrollment in HMOs, but this was viewed as fairly coercive in that it is a condition of enrollment.
When the same individual performs different functions at different times -- e.g., provider, peer reviewer, researcher, administrator -- how can this be managed?
Dr. Hiatt responded that when researchers sign confidentiality statements, they cover all their activities and the same requirements hold in each case. Mr. Gellman said more specificity would be needed in legislation, as a basis for penalties.
What about the research at the community level in organizations with no IRB process because the research is not federally funded?
Some panelists favored a uniform policy that would apply in these instances as well, thus requiring a body analogous to an IRB to review and approve access to medical information. It was noted that the JCAHO accreditation standards already require certain assurances regarding confidentiality. The basic principle here is that it is the organization's responsibility to protect data confidentiality.
Asked about practices at Glaxo, Dr. Andrews said there is no company IRB, but most of its research is done under FDA regulations which require IRBs and confidentiality standards.
The public is worried that knowledge of some information will cause their health plans or employers to terminate access to care. What about managed care disclosure policies?
Dr. Hiatt, who is with Kaiser Permanente, said that information used by Kaiser's research unit is kept separate from other parts of the company, with the medical group responsible for clinical data and the administrative group for administrative data. However, Kaiser may be relatively unique in this regard. He asserted that informed consent should be required to use medical records in scientific research that is designed to further a company's business interests. In response to a follow-up question, he said that Kaiser has no formal internal disclosure policy.
Pursuing the idea of firewalls, Subcommittee members noted the walls would be all the more important in the event that a health care organization were bought by a purely business concern with less of a commitment to patient confidentiality or a greater potential conflict of interest. Mr. Gellman commented that the current language in proposed legislation, deriving from the 1974 Privacy Act, is too vague in this area.
He then asked a series of questions about re-disclosure.
Should researchers be entitled to disclose identifiable records to other researchers?
The consensus was that as regulators of each other, researchers need access to the same records.
To the police?
Dr. Korn asserted that oversight of the research process has to be enabled. Dr. Hiatt added that his organization does not release data unless compelled to.
To public health authorities?
It was noted that some disclosure is already legislated, e.g., for TB. Otherwise, researchers can offer to summarize their data without revealing patient identities. Dr. Andrews asserted that the researcher has the obligation not to disclose individual information in the research database. Mr. Witter added that only IRB-approved uses would be acceptable.
Dr. Korn reiterated his call for a blanket protection of research information from forcible disclosure, with a few narrow exceptions. He agreed with Mr. Gellman that at present, no protections exist.
Regarding proposals to preempt state laws, do any existing state laws create problems for research?
Mr. Witter noted that 38 states collect uniform hospital discharge data, each in a somewhat different way, which is frustrating for researchers. However, there may be reasons for the differences, and he expressed concern that the proposed preemption provision would override states' ability to set standards for themselves.
Dr. Korn pointed out that there is an increasing national interest in research; he favors a federal preemption to promote research in the public interest. He cited the multi-center studies involved in epidemiologic research, national registries such as SEER, and national healthcare organizations.
Mr. Gellman noted that this issue has high political content; advocates for national standards will have to be clear and forceful.
What about research across national boundaries?
International cooperation is common for cancer. FDA is standardizing terminology with Europe and Japan. Canada participates in many American studies, sometimes with identifiable data. Data on adverse drug experience are transferred among countries all the time, involving linkable information. This information is critical in assuring data quality for appropriate regulatory decisions.
The European Union adopted a directive on data privacy, and member states have 18 months to adopt their own standards. Some countries question whether the U.S. should be provided data because of its inadequate protections.
The panelists discussed registries at length. They are important because they provide population-based data on rates about various diseases, and generate research and public health and clinical consequences. They thus contribute to the practice of medicine and the quality of public health. Linkage is necessary in order to relate the incidence of diseases to their end results.
Mr. Gellman raised questions about how legitimate registries might be distinguished from others -- e.g., through a certification process or other controls.
Constance Percy of the SEER cancer registry explained how that system works. Official recognition, usually from the state, is necessary in order to get records. Asked if people could be asked to consent before their information was sent to the registries, she said this would result in incomplete registration and thus a biased picture of the natural history of the disease.
Mr. Gellman pursued the question of how registries interface with research and how they can be controlled. It was noted that some have internal peer review groups. Most proposed bills treat registries like researchers, requiring IRB approval before disclosure. This is a "crude method," but the question is how to regulate and establish qualifications for registries to prevent abuses.
Ms. Ward suggested that a registry is a research surveillance tool, in contrast with a clearinghouse. It is generally voluntary or mandated, is under government authority, and is in service of the public health function of surveillance. Mr. Gellman noted that the legislation is not clear about this. Dr. Andrews observed that for many registries, identifying information is only available as the record goes into the registry; once it is there, there is no identifying information with which to link back to other information.
Dr. Hiatt noted that sometimes registries are the functional equivalent of the first stage of a research project. He suggested that it might be acceptable to researchers to treat registries as part of the research enterprise, requiring IRB review. This could afford a reasonable protection of patient confidentiality without interfering with research. Mr. Gellman noted that it would have to be determined whose IRB provides the oversight, and he invited those representing organizations to think about this question.
Other points raised during this discussion
It was noted that in addition to medical records, research records need protection because participation in a research study could affect employability or insurability.
Mr. Gellman observed that the public is unsympathetic to researcher use of records, does not trust researchers and fails to appreciate the connection between records and research. Researchers have not done a good job of educating the public, which is interested in research but fails to see the connection to records.
John Poundstone, M.D., National Association of County and City Health Officials
Dr. Poundstone spoke on behalf of NACCHO. He is Commissioner of Health for the Lexington, Kentucky Health Department. He noted that for public health purposes, information is needed on patients with communicable diseases, preventable causes of injuries and environment-related conditions, among other areas.
David Fleming, M.D., Oregon Health Division and Council of State and Territorial Epidemiologists
Dr. Fleming is state epidemiologist for Oregon and President of CSTE; he spoke on behalf of both. He asked the Committee to recognize that to protect, preserve and promote the health of people in their jurisdiction, public health departments sometimes need timely access to identifiable medical information without consent. The public health culture has as a strong value its responsibility to protect confidentiality. Indeed, he asserted that public health can only operate if it protects the integrity and privacy of its customers and clients; thus the issue should not be framed as "public health versus private rights." Information is needed for three public health functions: to create an official public record, for surveillance for specific diseases or conditions, and in population-based registries.
He offered four suggestions to the Subcommittee as it considers its recommendations: 1) Do not recommend preempting state laws on public health confidentiality and access, as these decisions should remain at the state level. 2) Do not change the authority of a state to require information from mandatory to permissive. 3) Feel free to establish federal penalties for wrongful disclosure. 4) Protect state-level public health information from federal subpoena or federal court order.
Steven Thacker, M.D., Centers for Disease Control
Dr. Thacker is Director of the Epidemiology Program Office at CDC. He introduced Verna Neslund, Deputy Legal Counsel for CDC HTSDR, and Dr. Joseph Reid of CDC's Information Resource and Management Office.
CDC uses several types of public health data routinely, such as on infectious diseases, vital records, health status, risk factors, and environmental conditions. Generally, the information it collects does not include personal identification, and state health departments and other providers generally remove identifying information. However, the agency must sometimes be able to access confidential health records. It recognizes the importance of individual privacy and confidentiality, and knows of no past breaches by the agency.
Dr. Thacker mentioned trends that are strengthening the nation's health information flow, as well as barriers such as fragmented and departmentalized information. In view of both, CDC has convened a Health Information and Surveillance System Policy Board to pursue its goal of an integrated public health information and surveillance system.
Again, Mr. Gellman and others posed a series of questions for the panelists.
What does "public health" mean and how should it be defined?
Mr. Gellman referred to legislative language listing "disease or injury reporting, public health surveillance, public health investigations or interventions." Dr. Thacker said this list adequately covers the CDC mission. Dr. Poundstone suggested adding community assessment, an important local health department activity. Dr. Fleming noted the Institute of Medicine's identification of three public health functions: assessment, assurance, and policy development. He suggested adding assuring the appropriate delivery of medical care, which involves certifying needs and capacities and evaluating the quality of care. Mr. Gellman noted that some of these functions do not require identifiable records and thus are not germane to privacy legislation.
Is the term "public health authority" sufficiently defined?
The panelists felt that at the state and local levels, it is a meaningful term. Ms. Neslund noted that CDC has no legislative authority to access state records; rather, it collaborates with states. Mr. Gellman commented that the proposed bills lack enough depth to reflect the reality described by the panelists.
How should the range of public functions be dealt with?
Dr. Thacker spoke for retaining the broad, somewhat "fuzzy" language, since it reflects the true nature of public health work. Responsibility is the key, in that public health agencies take responsibility for protecting confidentiality. It is important that the legislation not restrict their range of activities.
Mr. Gellman pointed out, however, that for a law to be meaningful, there must be a limit to the amount of discretion allowed to people.
Ms. Neslund commented on the importance of the perception of confidentiality, which is especially at risk with respect to interaction with law enforcement authorities. The suspicion this generates makes it difficult to get people to voluntarily cooperate.
Dr. Fleming stressed the need to have stronger protections for the information in the health department's possession than for the original source.
Later in the discussion, Dr. Fleming said that Oregon treats core public functions and the provision of treatment as distinct functions for confidentiality purposes.
Mr. Gellman encouraged participating organizations to think about what to recommend for legislation in regard to this issue.
Why are identifiable records needed?
Dr. Fleming referred to the three areas in which identifying information is needed in public health: vital records, investigation of diseases or conditions that put the public at risk, and registry. In addition, access to unique records enables public health officials to verify the accuracy and integrity of data, which is critical. He stressed that for each task using data, health departments uniformly ask themselves whether they need identifiers.
Dr. Reid said that to date, the absence of longitudinal data has made it impossible to answer certain key public health questions -- for example, predicting complications of future births based on a mother's past delivery complications. Longitudinal data require access to individual records with personal identifiers.
To what extent can or should encryption be used in public health functions?
Dr. Reid observed that the technology exists for encryption; the limitation lies in the lack of coordination in the management of systems. For example, the independence of managed care providers and of state public health organizations permits data "leakage." Encryption is definitely part of the solution, but it should not be expected to fully solve the problem. He added that the often-used credit card security analogy is not appropriate because the ATM system tolerates a great deal of fraud.
Dr. Fleming commented that the role of encryption lies primarily in the treatment of data before they are passed from the health department to others such as CDC. However, capacities are still limited in this area, especially in small health departments.
Are there examples of the inappropriate use of identifiable patient records by public health authorities?
Dr. Fleming said health departments have very high standards regarding confidentiality, but there is always the possibility of abuse by a scoundrel. He cited "the exception that proves the rule" of recent violations in Florida. Dr. Poundstone said his department, with 350 employees, averages a violation every two years; an employee is fired if the offense is serious. Regarding the Florida case, Dr. Reid explained that a more careful hiring procedure would have identified the offending individual at the outset as untrustworthy. Mr. Gellman noted that there is a great deal of effort in the U.S. to control access and to oversee people, but it doesn't seem to work very well.
Dr. Thacker reminded people to "look at the denominators" and remember how rare violations are. CDC has never documented a breach of confidentiality. He urged that legislation recognize the potential negative consequences of greater restriction on public health work.
Mr. Gellman observed that for these reasons, proposed bills emphasize severe penalties for violations; however, these depend on defining what is legal and illegal.
Do special restrictions around AIDS data create problems for public health officials?
All of the respondents said their agencies have raised the confidentiality standard for all diseases to match that needed for AIDS, and this has been workable. Dr. Fleming stressed the need to assure providers that records will be used only for the purposes stated in the law and that they cannot be obtained by someone else for other purposes.
Ms. Neslund commented that 20 states do not permit data sharing between tuberculosis and AIDS, and CDC estimates 47 percent under-reporting of co-infected cases as a result of confidentiality concerns. This mutual distrust within public health may be impeding the availability of therapy to infected patients.
A series of questions prompted a discussion of proposed uniformity among state laws. Drs. Fleming and Poundstone said there is a good deal of exchange between states, especially on reportable diseases, and it generally works well.
Mr. Gellman noted that state medical confidentiality laws vary considerably, and he asked whether uniform laws would be beneficial. Dr. Fleming said there has not been a problem with the current system, and a uniform law could create problems, at least in the short run. Each state has found its own balance between access and confidentiality, and this would be upset. He again suggested that the protection afforded to the public health record be higher than that for the individual record.
Mr. Gellman responded that this dual standard could create problems. He noted that there is no intent to preempt state laws regarding what diseases are tracked.
Dr. Fleming stressed that the biggest fear in respect to disclosure is of federal subpoena. He welcomed a federal law that would tighten disclosure requirements, provided it did not preempt more restrictive state laws. The most desirable protection is a blanket authority.
Ms. Leatherman urged that attention be paid to the possibility of circumstances under which the exchange of data between health departments and health plans would be mutually advantageous and should be encouraged in legislation -- e.g., for immunizations. Dr. Fleming agreed that such instances may exist, but advised that decisions be made on a case-by-case basis. He noted that people may seek public health treatment of STDs to avoid having it in their medical records. He advocated starting with a strict standard from which a few exceptions are carved out.
At Dr. Schwartz's request, panelists described activity around multi-state cancer clusters. Ms. Ward explained that such efforts are normally initiated by the providers.
In response to a question, panelists agreed that all registries should be subjected to the same confidentiality restrictions, whether they exist for research or other purposes.
Mr. Gellman observed that it is not clear from the proposed legislation where registries fit, and he asked for comments about what a registry is and where its authority derives. He noted that a definition would have to cover both public health and other functions, and distinguish between registries that serve the public interest and those that don't. Ms. Leatherman added that a basic distinction is whether data provision is voluntary or compulsory.
The group discussed different types and examples of registries.
Dr. Fleming said that many states establish procedures governing access to information. The registry applicant would have to demonstrate bona fide researchability and meet confidentiality and non-disclosure conditions before gaining access to information. He added that Oregon would not release information to a private registry.
Ms. Ward said all the registries she knows of are governed by public health entities, and she queried, "Are we legislating something that is not a problem?"
Mr. Gellman noted that if registries are treated in the bills as research, they would require IRB approval. There might be standards for IRBs as well.
The group discussed the functions of immunization registries. Dr. Fleming described the unique numbering system used in Oregon for newborns, using bar codes and stickers that facilitate reporting on immunizations by being very easy for providers. The system is socially important because it increases the rate of immunization in the state and reduces the rate of unnecessary re-immunization through better record-keeping. (Kentucky uses name and date of birth for its identifiers.)
Regarding the applications of this approach to other kinds of medical treatment, Dr. Fleming said it could be useful in tracking treatment of certain chronic conditions, e.g., diabetes.
Dr. Fleming said that for its immunization registry, his department's first choice was the social security number but the state's attorney general advised against it.
Several panelists spoke in favor of a health identifier, noting its health benefits related to data accuracy, tracking, national analysis, and other factors.
How much data linkage is appropriate among the different reporting requirements in public health?
Dr. Fleming said there is a lot of controversy in this area. He advocates having the ability to do linkages across data sets, as long as the data remain within the public health department.
Ms. Ward noted that health departments are getting into quality assurance, and this role will require data and linkages that cannot be foreseen today.
At Mr. Gellman's request, the panelists enumerated the kinds of disclosures they make -- e.g., notifying partners of STDs, information to researchers in selected areas, to law enforcement agencies (with a subpoena), to other public health departments, and to the subject of the record under some conditions. Oregon and Kentucky do not disclose information to physicians; they do provide summaries on reportable diseases but not individual records.
As an aside, Dr. Fleming described the difficulty of providing useful aggregate information for policy purposes without compromising people's privacy. Dr. Thacker said CDC has rules about cell size because of its concerns about unintended disclosures.
The Kentucky health department gets routine notification of immigrants coming into the community with infectious diseases. Oregon sometimes has to try and work with Canadian manufacturers if imported products cause an outbreak. There are six authorized quarantine ports in the country, and local and state authorities in those areas have international work. International travel is another category.
Dr. Fleming stressed the need to separate the requirements for reporting to the police from those for reporting to public health departments, partly because the latter tend to be "softer" in their response. In this context, Ms. Leatherman reiterated her point that legislation could be used to improve health data gathering, e.g., in respect to child abuse.
Asked if the Privacy Act is a problem for them, the CDC representatives said it is technically workable and a routine "part of life" for the agency.
Dr. Poundstone noted that it may be increasingly the case that managed care organizations collecting data for business analysis of disease management will be unwilling to share data for proprietary reasons.
Mr. Scanlon observed that some information reported to public health agencies is meant to be public, even if it is damaging. Mr. Gellman agreed that this points to a set of difficult confidentiality concerns that are not addressed in this hearing.
The status of mental health and substance abuse treatment functions is separate in many jurisdictions, often with different confidentiality provisions. Ms. Neslund noted that many drug treatment providers do not provide HIV surveillance information.
It was noted that the VA system and the Indian Health Service system have different requirements and policies for data sharing and confidentiality. Again, Ms. Neslund commented that several large metropolitan VA facilities do not report HIV incidence, with probable public health effect. Mr. Gellman said the Subcommittee would take this up with the VA representatives.
James Pyles, Coalition for Patient Rights and American Psychoanalytic Association
Mr. Pyles observed that the argument that access to private information would result in better health care is not sufficient justification for invading someone's privacy. He noted that physicians cannot impose medical procedures on patients without their consent, and researchers cannot compel people to answer questions. He argued that use of medical records should be subject to the same constraints.
Further, Mr. Pyles asserted that the patient's confidence in the confidentiality of his/her health records is an important element in providing quality health care. Moreover, physicians need to feel comfortable that their records are protected. He urged the Subcommittee to keep these points in mind as it prepares its recommendations.
John Hartwig, DHHS Office of the Inspector General
Mr. Hartwig is the Deputy Inspector General for Investigations for HHS. He noted that federal law enforcement agencies have been aware of the sensitivity of health information and have an excellent record in protecting it from misuse and unnecessary release. He outlined the IG's oversight responsibilities for controlling fraud, waste and abuse in all programs funded and administered by DHHS. They are carried out through audits, program evaluations, and investigations, each of which requires access to personally identifiable health information.
He gave examples of the types of Medicare fraud and abuse the OIG investigates -- e.g., billing for incontinence care kits for patients who were not incontinent, and billing the medical services of residents as those of a teaching physician. The GAO has estimated that health care losses due to fraud and abuse represent 10 percent of outlays. It is important that the IG have access to health records without being burdened with crippling and costly restrictions. Individual records cannot be excluded, because Medicare beneficiaries sometimes participate in fraudulent schemes.
The OIG urges that confidentiality legislation address real rather than theoretical abuses, and also objects to any provision that absolutely bars access to health information for law enforcement purposes. Mr. Hartwig cited the federal Privacy Act provisions and penalties as a good starting point.
Mike Diegel, Coalition Against Insurance Fraud
Mr. Diegel is Director of Communications for the Coalition, a broad-based national organization that includes consumers, insurance companies and regulators. He pointed out that insurance fraud affects everyone and contributes to the high cost of health care. It may have been as high as $54 billion in 1994. Much of it is committed by providers, both individual and institutional. To investigate suspicious claims, it is sometimes necessary to have access to a central database of patient records.
Mr. Diegel recommended that exceptions to the absolute privacy of patient records be limited to legitimate investigations conducted without malice and with minimal disclosure of information. He pointed out that there have been no known violations or abuses of patient privacy in insurance investigations. Fraud investigations are important because they lower the cost of fraud and speed up the settlement of honest claims.
Bill Mahon, National Health Care Anti-Fraud Association
Mr. Mahon is Executive Director of the association, whose members include third-party payers and most federal law enforcement agencies. He echoed Mr. Diegel's comments about the high cost of health care fraud. 55 percent of the nation's total health care expenditure is in the private sector, and it is legally more costly to defraud federal programs, so private payers have a key role in fighting fraud. He noted that providers generally defraud several payers at once, most often to bill for things not done. Thus, records must be reviewed to find fraud. He gave several examples. In conclusion, he urged that privacy boundaries be drawn in such a way that falsehoods in patient information can be brought to light.
Alfred Buck, M.D., Joint Commission on Accreditation of Health Care Organizations
JCAHO manages the accreditation of some 16,000 organizations. It supports the need for confidentiality legislation but offers four recommendations: 1) National accrediting entities should be referenced as standard-setting organizations, and their needs for data should be structured into the legislation. 2) Clinically oriented data elements need comprehensive treatment to facilitate integration with financial and administrative data. 3) External comparative metrics providing high-level organizational comparisons should be stringently defined. An associated recommendation is that a task force of national accrediting bodies be asked to address the issue of report cards. 4) National accrediting entities should be included in the definition of data clearinghouse.
Fred Broadaway, Department of Labor Office of the Inspector General
Mr. Broadaway is the Assistant Inspector General for Investigations at the Labor Department. His office protects several health care programs under the Department's jurisdiction, using audits and criminal investigations. It also has oversight responsibility for all employee health benefit plans covered under ERISA. It routinely uses medical information obtained by subpoena, search warrant, and review of agency claimant files or individual waivers. Most investigations are claimant- or provider-based. He gave some examples of the types of fraud investigated, much of which involves unscrupulous medical service providers. This requires access to a wide assortment of records. The office is concerned that excessive restrictions on health information access could hinder the IG's investigations of plans covered under ERISA.
Mr. Broadaway enumerated the OIG's concerns in regard to excessive restrictions in S-1360, the Bennett Bill. He expressed hope that the Committee would recommend a law enforcement exemption to any general protection of health care information, to permit investigative access to government agency records and access to records under current practice and search warrants.
Mr. Gellman explained that the purpose of proposed confidentiality legislation has been to put limits around who could get records, without identifying every institution. The present discussion will explore some of the questions raised by that type of flexibility.
In response to questions, Dr. Buck said the proposed language describing accreditation is correct as far as it goes, but needs to add the direct review of medical records. The field itself has clarified what constitutes a national accrediting body, and JCAHO has developed criteria which he offered to share with the Subcommittee.
Asked to justify the need for access to records and the benefits of his organization's functions, he referred to the broad function of oversight and the organizational improvement and education it promotes. The overall benefit is the establishment of accountability for satisfactory administrative and medical care, as documented in medical records.
The techniques of investigation vary with the circumstances; in the case of sentinel events, JCAHO sends in a full survey team. In the course of a year it looks at thousands of individually identified records.
Most accreditation needs can be met using aggregate data, but under some circumstances, it is necessary to review individual identifiable data, notably in the investigation of sentinel events but also to track disparities or questions. Dr. Buck said a simple way of stripping identifiers that also could be regenerated simply would be useful. Records are not normally tracked across institutions, but identifiers are needed to go to different departments. Records are very seldom taken off the premises, and if they are, stringent rules are followed. Records are not retained.
Asked about possible constraints on access, he stressed the need to preserve the credibility of the process by retaining the option for random record selection, unannounced. This would ordinarily take place following an audit in which identifiers were not used, preferably in a short time frame.
Asked about breaches of patient confidentiality, Dr. Buck said none has taken place within JCAHO, to his knowledge. The organization has standards for privacy and confidentiality, and trains employees on that subject.
Mr. Gellman suggested that the current proposed language on the audit function is too broad, and he asked if there were a way to be more specific yet still comprehensive enough, while limiting the entitlement to get records for an audit. This pertains to both government agencies and industry fraud activities; the question, in effect, is how a health care oversight agency should be defined.
Mr. Hartwig noted that because "health record" has a broad definition, it is appropriate for health oversight to have a broad one. He added that audits and evaluations are as important as investigations. Dr. Buck noted that some of the problems are caused by the broad definition of health information in the Kennedy-Kassebaum bill. Mr. Mahon asserted that the current definition is too broad, effectively turning every investigator or U.S. Attorney into a health oversight agent.
Mr. Gellman explained that the intent is to identify categories of users and define the circumstances under which their access to records is justified. The thrust of this discussion is seeking a "lower standard" for the less invasive activities of the audit, as distinct from law enforcement. Mr. Hartwig responded that the distinction is less and less a reality, because auditors often assist in criminal investigations. He added that access is not unrestricted today, and the Privacy Act imposes constraints on auditors and criminal investigators. Mr. Gellman pointed out that even if access to private information is justified, and even in the absence of abuse, there must be some legal constraints on the invasion of privacy. He continued his effort to delineate the various types of activities -- evaluation, investigation, audit -- noting that a difficulty is that all of the functions shade off into each other.
Mr. Hartwig said the OIG has separate audit, evaluation and investigation components, and policies about when auditors are to contact the investigative side. Many activities are handled jointly. Mr. Broadaway concurred that the lines of demarcation are less clear than they were a decade or two ago. He added that the functions are bureaucratically segregated in the Labor Department.
Asked about the private sector policies, Mr. Mahon noted that private insurers obtain records of their own insured persons and do not exchange data between companies. Mr. Diegel pointed out that claims adjusters are on the front lines of handling and reviewing information.
Mr. Gellman asked the panelists why they need to see records. Mr. Hartwig said that for criminal cases it is essential to be able to prove charges, and the patient record generally provides the key evidence. From the other side, the accused have to be able to defend against specific charges, and this also requires evidence. As for audits and evaluations, they generally look at eligibility and whether or not services billed for were actually provided, and also whether they were appropriate to the diagnosis. This too requires reference to identifiable patient records. He agreed with Mr. Gellman that much of the analysis involves linking and matching different records, e.g., billing records and medical records.
Dr. Buck enumerated the three areas in which JCAHO's work requires access to identifiable data: hands-on medical record-review during a survey, investigation of a sentinel event, and evaluation to address a complaint.
Mr. Gellman asked if a computerized stripping of identifiers would work, if consistently available. Mr. Hartwig said that audit reviews are in fact sometimes done using computer tapes without identifiers -- e.g., looking at contraindicated drugs. Dr. Buck cautioned against basing a recommended solution on a technological capability that does not yet exist in reality. Mr. Diegel said it would be acceptable to consumers to have information encrypted in some way when records are used for investigations or oversight. Consumers are concerned that with the sophistication and ease of database manipulation, increasing amounts of information are going into databases.
Mr. Gellman returned to his search for a standard, given the broad definition of oversight and these organizations' legitimate need for access to identifiable records. He proposed a hypothetical procedural standard in which access to identifiable records required certification by a supervisor in the oversight body's office. Mr. Hartwig said this would not be a burdensome standard, and it is already used on the investigation side. Mr. Gellman added that a substantive standard will be needed at the law enforcement end.
JCAHO receives records voluntarily as part of the process of accreditation, a condition of which is continuing access for medical record review. Dr. Buck will provide the Subcommittee with a copy of the application for JCAHO accreditation. Private companies gain access via contract or subpoena. The DHHS OIG has administrative subpoena authority, with special procedures for access to substance abuse records. Medicare records are computerized. The DHHS IG cannot get records of private patients for whom no federal funds were spent, except as part of a Medicare investigation. Kennedy-Kassebaum expanded the IG's authority to subpoena private insurance records.
The Labor Department's IG uses subpoenas, search warrants, and claimant or individual waivers to access records. Most IGs have inspection rights. However, Mr. Broadaway stressed that a criminal investigator's access to records must be part of a particular investigation and based on the allegation of misconduct; it is not "a random walk." In contrast, audit access is random.
Mr. Gellman observed that a centralized or linkable computer system of records, when accomplished, will offer the possibility of very broad access under existing authority, and with it the theoretical potential to turn the medical record system into "a police surveillance system." Mr. Hartwig acknowledged this theoretical possibility, but stressed that in practice, such technology would make access easier and faster, not result in scrutiny of more records. Nevertheless, Mr. Gellman pushed the point that the privilege would need to be limited.
Mr. Mahon stressed the distinction between medical records and billing records, and said that the former are much less accessible and protected under the Privacy Act.
In response to a question, both Mr. Hartwig and Mr. Broadaway said their offices had not used the authority in the Privacy Act to exempt themselves from civil lawsuits for violation of the law.
This topic prompted a long and lively discussion, centering on how much latitude law enforcement agencies should have for re-disclosure of information for different purposes. Mr. Gellman noted that proposed bills stipulate that oversight authorities can only use records in administrative, civil or criminal action if the patient in question is engaged in health care fraud. Mr. Hartwig said the problem there is in defining health care fraud. He stressed that there are exigent circumstances in which exceptions are justified.
Mr. Gellman pointed out that the authorities have very broad rights of access to medical records in connection with broadly defined oversight authority that lacks clear lines of demarcation; meanwhile, access to records is becoming easier as a result of computerization and networking. The net result is the need for protections to prevent the specter, however unlikely, of someone's "sifting through medical records" in search of criminal activity. He suggested a standard whereby access is permitted for a specific purpose for which a case has been made, together with a prohibition of use of the record in other ways. The basic principle is to make it impossible to use the healthcare oversight mechanism as a tool for other purposes. He acknowledged that the price of protecting confidentiality is that "somebody is going to get away with something."
Asked if IG-type audits or investigations very often turn up evidence of unrelated wrongdoing, Mr. Hartwig said he knew of no such instance with medical records. However, the IG has always argued for a mechanism for the redisclosure of data, if necessary.
Dr. Schwartz asked about the possibility of restricting the type of information to which there is access within records. Mr. Broadaway said reviews typically do not require a look at all information in the record, and the specific information desired is detailed in the request for a search warrant or subpoena.
Dr. Buck said JCAHO needs access to complete records for random samples, in order to go from one level of assessment to another. Thus, a focused abstraction of a record would not support the survey process. Records that are stripped of identifiers would be sufficient for some surveys, but that capability does not yet exist. Asked about the "access door" to a provider's patient charts, he said the request goes to the party in legal possession of the records, either an individual provider or a managed care company.
Mr. Gellman asked for reactions to the Kennedy-Kassebaum provision retaining the validity of state laws that are more privacy-protective and stringent than the federal law. Dr. Buck observed that the trend in health care is toward greater integration and more cross-state information exchange, and this should be facilitated. He expressed hope that federal law, which he favors, would minimize the differences in levels of confidentiality protection. He called attention to the Dartmouth Atlas, which concludes that healthcare is delivered by 303 functional healthcare regions, almost none of which follow geopolitical boundaries.
Asked about a hypothetical case in which a state required a court order, patient notification, and probable cause conditions, Mr. Hartwig said this would have a "chilling effect" on healthcare enforcement, might cause defrauding providers to move there, and cause enforcement agencies to resort to more invasive strategies such as search warrants.
Mr. Diegel said insurance companies generally favor federal legislation and a national standard. He referred to the model legislation developed by the National Association of Insurance Commissioners. Mr. Mahon agreed on the merits of a single national standard, and pointed to two problematic areas for his industry: the degree of immunity from civil liability when reporting a suspected case of fraud, and state requirements for insurers.
In response to a comment by Mr. Scanlon, Dr. Buck reiterated JCAHO's recommendation that a group of accrediting bodies visit this subject, a core of which concerns data quality.
Mr. Mahon said private insurers not only have more difficulty gaining access to patient records connected to substance abuse or psychiatric treatment, but they face legal liability if they disclose such information in response to a subpoena.
Mr. Hartwig said the IG is also sensitive to this issue.
In response to a question, the panelists said a unique patient identifier would facilitate their work. They did not speak for one option over the others.
The group recessed for lunch, after which Mr. Gellman introduced the final speaker.
Carey Sennett, National Committee for Quality Assurance
Dr. Sennett is Vice President for Performance Measurement at NCQA, which evaluates and reports on the quality and performance of managed care organizations, to inform purchasing decisions. This is done through an accreditation program and a set of performance measures known as HEDIS. He suggested that the desired trust in health plans and providers as responsible and accountable medical information trustees depends on four things: an absolute commitment to medical record confidentiality, improved procedures for obtaining access to the information, communication to patients about this commitment, and demonstration of the appropriate use of information. He outlined the kinds of resources, mechanisms and practices needed to achieve each of those conditions.
NCQA and JCAHO (which he said are in competition in their accreditation functions) are organizing a conference on patient confidentiality, to look more closely at these issues and at what organizational responses are needed. This is likely to have an impact on confidentiality policies and requirements, including those regarding psychiatric and substance abuse treatment records. At present, NCQA evaluates an HMO's adequacy in regard to confidentiality protections on the basis of the existence of grievances or complaints.
Asked about NCQA's need for access to identifiable records, Dr. Sennett said the records are generally "blinded" by the providers, and there is no reason for them to be identified. The organization's reviewers are given strict confidentiality guidelines.
Mr. Gellman observed that the activities of both JCAHO and NCQA are easier to define than some other kinds of oversight activity, because of their limited need for records. He speculated about using the accreditation process more formally as an independent oversight mechanism regarding confidentiality. Dr. Sennett replied that NCQA would embrace in its accreditation process clearly recognized federal standards, possibly as a floor for more rigorous standards; moreover, full compliance with state and federal regulations is a condition of accreditation. Steven Lamb of NCQA added that the organization has cooperative relationships with eight states, and is about to begin a formal process with HCFA to evaluate how NCQA accreditation and standards could be used in conjunction with HCFA's review. If HCFA had additional confidentiality requirements to oversee, these could be rolled into the same model. Dr. Sennett added that NCQA would want to stay within its established arena of the delivery system.
Mr. Gellman wondered if the accreditation and independent review model might be replicated as an oversight mechanism in other, non-provider sectors where people are getting access to records. Mr. Scanlon said there is precedent in federal law for having an industry accreditation group act on behalf of federal agencies, as long as it does not confer monopoly status if there is no such group. Dr. Sennett said NCQA believes there should always be more than one mechanism for demonstrating compliance with a federal standard.
In response to a question about research use of patient information, Dr. Sennett said NCQA does not address this per se.
Asked about the sources of information in a plan, he said information comes from administrative data sets, claim encounter data, and medical records. Generally, the plans provide their own data, although a third party prepares surveys.
NCQA does not require a particular confidentiality policy of plans, but rather any one that reasonably assures confidentiality. It would "offer" plans any well-accepted and generally useful standard.
Ms. Leatherman asked Dr. Sennett's views on private sector access to other data sources, notably public health immunization records. He replied that NCQA's major concern is the "very substantial variation" among plans in the extent to which they use information to manage healthcare. They have not considered accessing information from public data sources, but he agreed that it might facilitate accurate reporting and record keeping. He added that in the short run, the paper medical record is the primary document for care measurement and management.
Ms. Leatherman asked about NCQA's principle of patients' right to assess and verify their medical records. He said this is a reflection of concern about misinformation, but is a value statement rather than a specific process. Dr. Harding later commented that while this is a laudable principle, it could result in the doctor's writing a different kind of chart reflecting less judgment.
Finally, Mr. Lamb mentioned NCQA's concern that the Bennett Bill's definition of an accrediting body might militate against NCQA's ability to receive medical records. Mr. Gellman agreed that this is a potential problem, related to the overlap between providers and insurers and the existence of circumstances in which disclosures for treatment are broader than for other purposes.
There being no further public comment, Mr. Gellman thanked the panelists and adjourned the meeting.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/ Kathleen A. Frawley 4/6/98
_________________________________________________
for Chair Date