The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics was convened on Tuesday and Wednesday, February 18 and 19 in the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public. Present:
Robert M. Gellman, J.D., Chair
Richard Harding, M.D.
M.
Elizabeth Ward
Don E. Detmer, M.D. (NCVHS Chair)
Simon Cohn,
M.D.
Marjorie Greenberg, Acting Executive Secretary, National Center for
Health Statistics (NCHS)
Lynnette Araki, NCHS
Harvey Schwartz,
Ph.D., Agency for Health Care Policy and Research liaison
James
Scanlon, HHS Executive Staff Director
John Fanning, HHS Privacy Advocate
Jackie Adler, NCHS
Kepa
Zubeldia, Envoy-NEIC
Elizabeth McPherson, George Mason University
Leslie Neal, George Mason University
Nelson Berry, HCFA
Kelly
Vogel, Pharmaceutical Case Management Assn.
Stephanie Mounts, NCHS
Marcus Veazey, FBI
Deanna Mool, IL Department of Public Health
Samantha Silva, Healthcare Leadership Council
Lyndalee Korn, TRW
SIG
Jane Auston, NLM
Lewis Mahoney, HRSA
Robert Beck,
MultiState Associates
Sean Martin, Health News Daily
Gary
Friend, IMS America
Maya Bernstein, OMB
Reid Cushman, Yale
University
Lynnette Araki, NCHS
Evan Hendricks, Privacy Times
Jack Emery, AMA
Henry Heffernan, EDPNS
Donalda Ellek,
American Dental Assn.
John Nielsen, Intermountain Health Care
Patti
Goldman, AHA
Becky Gray, American Medical Group Assn.
Diedra
Abbot, CAP
Jay Cutler, American Psychiatric Assn.
Robert
Collins, Guardian Health
David Chung, NCQA
Alex Calcagno, Mass.
Medical Society
R. Kaigh
Lauren Dame, Public Citizen's Health
Research Group
Lawrence Huntoon, Assn. of American Physicians &
Surgeons
Karen Rothenberg, University of MD School of Law
Patricia
Melvin, Census Bureau
Chris Bergston, AAHP
Megan Sexauer
Violet
Woo, Health Policy & Strategy Assoc.
Aaron Goldstein, HOST
Geri
Aston, AM News
Meredith Wadman, Nature
William Kirby, Jr.
Marjorie
Carey Jacobs, AHA
Donna Shugheth, HIMA
Mary Ellen Bliss, AARP
Kristyn Vandegriff
Susan Jacobs, Legal Action Center
Derek
Wang, SSA
The NCVHS Subcommittee on Privacy and Confidentiality held the third and last of its two-day hearings to prepare for advising the Secretary on privacy and confidentiality legislation. It heard brief testimony and held extensive discussions with panels composed of law enforcement officials, health care providers, privacy/confidentiality advocates, and privacy-enhancing technology experts.
Neil Gallagher, Federal Bureau of Investigation; Mike Barnes, Prosecuting Attorney in South Bend, Indiana and member, National Association of Attorneys General and National District Attorneys Association; and Robert Litt, Department of Justice
Like most witnesses in all the hearings, these panelists attested to the importance of medical record information and stressed their own need for an exemption. All three expressed serious concerns about the potential adverse impact of proposed medical records privacy bills on federal and local law enforcement. They stressed law enforcement's need for access to identified patient records to pursue criminals and investigate fraud. Law enforcement seeks records for specific reasons and uses, which extend beyond health care fraud to other forms of criminal activity. The panelists noted that other safeguards already exist and are observed. They urged that any confidentiality bill should include a provision exempting law enforcement from restrictions on access to information, with reasonable restrictions on the use of those records.
Mr. Gellman and other Subcommittee members discussed with the panelists how a typical investigation obtains and uses information. The panelists described the common use of various kinds of subpoenas. They reviewed different types of records (of victims, of suspects, etc.) and why access to them is needed for non-fraud investigations. The Subcommittee was especially interested in law enforcement's potential use of computer record databases to make broad-brush queries, and the panelists stressed that it was unlikely that law enforcement would have interest or capability to do this any time soon or that doing so would be efficient. They agreed that it is reasonable to prevent police from plugging directly into a national health care data bank.
However, the panelists stressed that law enforcement needs access to large numbers of records for health care fraud investigations. Some stages of many investigations could use non- identifiable records, but eventually most require identifiable medical records. A hypothetical requirement adding a "hoop" to get identifiable records would not be too burdensome on law enforcement, but it would impose another burden on data providers and delay investigations. In general, they strongly favored the continued use of subpoenas, noting that this is an established procedure and a known document.
Proposed legislation generally gives broad access for the health care fraud investigation but then strictly limits subsequent uses of the information against the patient unless s/he is involved in the fraud. The panelists said such a restriction would be a major shift from current practices, and they argued against imposing an "artificial barrier" between fraud investigations and other criminal investigations.
John Nielsen, Intermountain Health Care (IHC) and American Hospital Association (AHA); Donald Palmisano, M.D., American Medical Association (AMA) and private surgery practice; and Steven Kenny Hoge, M.D., American Psychiatric Association (APA) and private psychiatry practice
As a large integrated health care facility, IHC emphasizes the need for the interchange of patient health care information across the delivery continuum. Drs. Palmisano and Hoge stressed the fact that patients share private information with physicians because they believe it will be used to help them, and that this principle should be the standard by which all possible uses are evaluated. They stressed the patient's right to decide on all uses of the record and to refuse to have their records computerized.
All panelists favored federal confidentiality legislation, but differed about preemption. Mr. Nielsen reaffirmed the need for federal preemption of state laws while the other two panelists and their organizations saw federal law as "a floor rather than a ceiling," allowing states to have stronger protections. Dr. Palmisano stated that the AMA might accept a good federal bill as a uniform standard, offering some possibility of eventual agreement on this issue.
On disclosure to next of kin, the panelists favored retaining physician discretion. Regarding research, Dr. Hoge drew a distinction between traditional medical and academic settings and research done in managed care companies or employers, where it may not be in the public interest. He called for special protections for patient records when the research is motivated by considerations other than patient welfare.
Access to medical records for law enforcement purposes stimulated a lively discussion with this panel, all of whom felt that no law enforcement official should be able to look at identified patient records without a court order. They were not in agreement, however, about the extent to which health care providers should voluntarily cooperate with law enforcement's informal requests for information on patients. The two physicians described stringent professional practices to protect patient records.
The panelists also had somewhat different views about unique patient identifiers. Dr. Palmisano said the AMA is opposed to them, and particularly the use of the Social Security Number (SSN) as the unique identifier. Mr. Nielsen said unique identifiers are fundamental to the kind of system IHC is trying to develop, although he agrees that the SSN should not be the identifier and that no number should be used to link data in a national database. All panelists expressed support for the principle of patient access to records, but agreed that there should be exceptions. They favored the retention of physician discretion in several contexts.
Mark Rottenberg, Electronic Privacy Information Center; Denise Nagel, National Coalition for Patient Rights, American Psychoanalytic Association, and Association for American Physicians and Surgeons; Lewis Lorton, HOST Consortium; Karen Rothenberg, Law and Health Care Program of the University of Maryland, and National Action Plan on Breast Cancer Committee on Genetic Issues; and Lauren Dame, staff attorney, Public Citizen Health Research Group
Mr. Lorton's chief messages concerned both the potential and the limits of technology, together with a strong caveat against viewing technology as a "magic bullet." He discussed the difficult implementation issues in many contexts. Other panelists emphasized the exclusive right of the patient to medical information and the overriding importance of privacy protections. They argued that although privacy has been seriously compromised, the public is becoming more aware of the problem and the Subcommittee has a clear mandate to restore balance and help curb egregious practices.
Mr. Gellman called for realism in the face of the many uses of medical records already authorized by state and federal law. Panelists countered with strong statements of hope for improvement and a challenge to the notion that public policy should accept the current level of access to medical records, even if authorized.
The issue of health identifiers generated a lively discussion that, like many others, kept returning to the core principle that records exist for the benefit of patients. All panelists favored alternatives to a single number.
On public health research and registries, they stressed the basic principle that participation must be voluntary. On research, they favored IRBs but also pointed out their limitations. They called for efforts to promote research participation by increasing assurances that serious safeguards exist.
In general, the panel acknowledged the serious social issues addressed by law enforcement, notably health care fraud, but most panelists suggested that the goal of catching fraudulent providers may not be reason enough to allow access to identifiable records. Mr. Rottenberg suggested protection through procedures to govern the investigation, independent evaluation, and remedies for people who suffer harm. Mr. Lorton stressed that computerization should not be blamed for fraud, but it was noted that increased efficiency in claims processing also removes human oversight. At a minimum, a heavy burden must be placed on fraud investigators to show that they cannot get the information they want without identifiers. In the instances where this is not possible, court orders should be required.
The group discussed the growing interest in privacy enhancing technology, and the Subcommittee was encouraged to recommend more research in this area. One panelist stressed that as important as these measures are, they must be built on the principle that patients have a right to privacy and to controlling access to their records.
The members of this and the next panel supported Mr. Rottenberg's suggestion for creation of a federal privacy agency, to ensure that ongoing institutional expertise and attention are focused on these issues and to provide procedures for developing public policy.
Janlori Goldman, Georgetown Law School; Don Haines, American Civil Liberties Union; Aimee Berenson, Director of Government Affairs, AIDS Action Council; Sue Jacobs, Legal Action Center
Ms. Goldman set the tone by stating that the heightened urgency of the situation makes her more optimistic about the prospects for medical privacy than she has been for years. She and other panelists asserted that privacy advocates have a moral and legal imperative to take action. The passage of HIPAA was decisive in that last-minute administrative simplification language was included without attaching privacy rules -- an action that all panelists decried as very damaging to privacy.
The discussion with this panel focused on three topics: informed consent, preemption, and patient access to records. Al panelists stressed the underlying principle of the patient's right to privacy, making medical information worthy of the highest level of protection possible and giving patients the right to control uses of their medical records. Some panelists expressed strong opposition to computerization and electronic transmission of records. Mr. Haines observed, for example, that computerization on networked databases not only makes records vulnerable to external invasion but increases the number of "insiders" with access to them. Mr. Gellman presented the counter-arguments regarding the money that can be saved by automation and redirected into health care.
These themes ran through the discussion of informed consent, among other topics. Ms. Goldman said that even if EDI seems dangerous, it is already a reality; the goal now must be to clarify who is responsible and accountable for security as the records move through the pipeline, also ensuring that patients' restrictions on use of their information travel with that information. The panelists generally opposed the Condit bill provisions that assume patient consent and provide statutory protections, because they reduce patient choice.
Several panelists questioned administrative simplification, primarily because it militates against privacy and indeed has been promoted without adequate privacy protections, and secondarily because it may not generate the huge savings expected of it. Mr. Haines urged the Subcommittee to wrestle with the fundamental question of whether administrative simplification is really a good idea and one that justifies basic changes in the patient/provider relationship.
Most panelists strongly opposed federal preemption of state law in this area, arguing that many states are beginning to look at privacy issues, and preempting them with a federal ceiling that is likely to be weaker would be a mistake.
On access to records, the panelists stressed patients' right of access and the need for a high burden on providers to deny access. Some felt that providers need oversight in this area.
Lawrence Huntoon, M.D., Board of Directors, American Association of Physicians and Surgeons; Robin Kaye, private citizen; and Lynn Downs, private citizen
All three individuals expressed grave concerns about the computerization of patient records. They cited (respectively) the government's poor record with electronic records, the high incidence of security breaches of computerized records, and Nazi Germany's disregard for individual rights and abuse of medical records.
Mr. Gellman called to order this third and final set of two-day hearings. Following introductions, he welcomed the first panelists.
Neil Gallagher, Deputy Assistant Director, Criminal Investigative Division, Federal Bureau of Investigation (FBI)
Mr. Gallagher noted that health care fraud schemes take many forms and have been found in every part of the industry, and the FBI's authorities in this realm are just as broad. The Bureau needs access to identified patient records to identify fraudulent activity. It has serious concerns about recently proposed confidentiality legislation which imposes impediments to law enforcement's ability to obtain and use health information. The FBI recommends that any confidentiality bill include a provision exempting law enforcement from restrictions on access to information. The proposed legislation particularly imposes burdens and costs on law enforcement in investigations not related to health care fraud.
Mr. Gallagher noted the absence of evidence of abuse by law enforcement. He also pointed out the existing safeguards observed by law enforcement officials.
Mike Barnes, Prosecuting Attorney, South Bend, Indiana; Chairman of Board, National Association of Attorneys General; member, National District Attorneys Association
Mr. Barnes testified on behalf of his two national associations, expressing prosecutors' concerns about the potential adverse impact of medical records privacy bills on local law enforcement. These groups "strenuously oppose any attempt to place undue and unneeded restrictions on any type of criminal investigation." He urged that in proposals on medical record confidentiality, the perspective and needs of those charged with protecting the American public be heeded along with other interests. The proposed privacy rules would work to the detriment of the victims of crimes by making it difficult (for example) to acquire physical evidence of injuries or distinguishing body marks of a suspect, or to provide crucial incriminating information. A requirement that this evidence must be obtained by judicial warrant is impractical.
The administration during the 104th Congress studied medical records confidentiality, and Mr. Barnes spoke favorably of its findings, which afford citizens the protections they demand without limiting law enforcement's access to information.
Robert Litt, Deputy Assistant Attorney General, Criminal Division, Department of Justice
Like the other panelists, Mr. Litt affirmed the importance of the privacy of medical information while stressing that this right must be balanced against other societal interests, one of which is the goal of apprehending and punishing criminals. He, too, called for a law enforcement exemption to federal legislation, and he cited the laws that already provide substantial protections for individual privacy. He added that law enforcement has its own interest in preserving the confidentiality of its investigations. He noted that the specter of "health police" sitting at computer terminals and scanning medical records in search of criminal activity is not realistic, given the limited resources of law enforcement and the fact that this is an unproductive way to ferret out crime. Rather, law enforcement seeks records for specific reasons and uses.
Mr. Litt pointed out that these uses extend beyond health care fraud to other forms of criminal activity, and law enforcement needs quick, confidential and unhindered access to patient records within reasonable restrictions on the use of those records. He also stressed that legislation should not add to the already considerable burdens on state and local law enforcement in a way that amounts to an unfunded federal mandate. He predicted that such burdens would create more litigation, add to the cost of law enforcement, and delay criminal investigations, and he pointed out that the Supreme Court has repeatedly held that Grand Juries should be allowed law enforcement full scope to explore all relevant facts. He mentioned a few restrictions on handling records that he considered reasonable.
Mr. Gellman observed that virtually every witness has attested to the importance of medical record information and to their own need for an exemption. He then asked a series of questions on ordinary crime (as distinct from health care fraud), asking at the outset for a description of how a typical investigation of such crime obtains and uses information.
Mr. Barnes said an ordinary investigation -- which is normally prosecuted at the local level -- would use a search warrant or subpoena to obtain records. Hospital staffs are often "skittish " about divulging anything about their internal operations. Mr. Litt added that in the federal system in such a situation, evidence is generally obtained by subpoena, or by search warrant if those who would comply with the warrant are themselves under investigation. He explained that for a Grand Jury subpoena, no threshold is required other than the prosecutor's determination that the information is relevant to the investigation. Mr. Barnes said law enforcement in Indiana does not use Grand Jury subpoenas in the same way, but rather a parallel subpoena that also requires a threshold.
Both panelists disagreed with Mr. Gellman's assertion that the proposed bills would make it easier to get records. Mr. Barnes reiterated his point about hospital staff's reluctance to share records, and Mr. Litt stated that nothing in the legislation would ease the burden of law enforcement.
The group then discussed access to the records of victims of a crime. Mr. Barnes said the severity of the crime in his state is directly linked to the severity of the injury, so medical proof is needed. If victims are cooperative, waivers are secured; if not, their records are gotten by subpoena or search warrant.
The next category was medical information on a suspect in a crime who was injured in the course of committing it. Mr. Barnes said that although it has its limits, there is generally rapport between local police and emergency rooms, and it is common for law enforcement to contact emergency rooms in such a situation. They would give specific characteristics of the individual, time, and nature of injury, and leave it up to the emergency room to identify anyone meeting those characteristics. In that instance, law enforcement would then contact the individual, and they might also look at their medical record. Mr. Barnes and Mr. Gallagher pointed out that their answers are hypothetical, and it is important to have the legal flexibility to handle crime on a case- by-case basis. To another question, Mr. Barnes said Indiana law requires the reporting of wounds from some kinds of violence.
Dr. Schwartz asked about following up on a crime months later, based on information acquired from research or analysis files, and Mr. Litt and Mr. Barnes said law enforcement would generally go back to the original medical records in such an instance. Mr. Litt added that law enforcement does not pay much attention to medical research.
He described the standard procedure in the federal system, adding that the presence of any exigency would determine the use of informal (asking questions of hospitals) versus formal (subpoena) methods. The informal process could yield faster results and prevent an escape.
Mr. Fanning asked about the pharmacy benefit system as a source of information. Mr. Barnes said he has queried individual pharmacy chains, but not benefit systems. Mr. Gallagher said the FBI might use pharmacy information if a fugitive used a distinguishing drug, but Mr. Litt said this would be a small category of cases.
Mr. Gellman postulated that law enforcement's normal interest in information is limited to
information for identification, but Mr. Litt disagreed, saying that there are other uses as well.
Mr. Gellman asked for comments on law enforcement's potential use of computerized records to make broad-brush queries or to scan large numbers of medical records. Mr. Barnes expressed doubt that law enforcement would have interest or capability to do this any time soon, or that it would be efficient. Mr. Gallagher and Mr. Litt agreed, saying the resources and capabilities do not exist in law enforcement.
In response to a question from Mr. Gellman about a hypothetical rule to prohibit law enforcement from having direct access to computerized hospital records without going through an intermediary, Mr. Barnes said this might not be upsetting, but he questioned why law enforcement should be handicapped in this way. Mr. Gellman explained he is looking for agreement on where a line can be drawn. Mr. Litt commented that it is reasonable to prevent police from plugging directly into a national health care data bank. However, law enforcement does need access to large numbers of records for health care fraud investigations. Mr. Gallagher urged careful consideration of the implications of such a law before deciding on its acceptability.
Dr. Detmer asked about the extent of variance among states in regard to law enforcement's access to personal health data. Mr. Barnes said there is not a great deal of variance; the principles are generally the same, although states may apply them somewhat differently. Dr. Detmer noted that the Privacy Act applies to all government situations, and he asked about reactions to that as a national norm. Mr. Barnes said that Act sometimes causes local officials trouble, such as when drug treatment centers use it to withhold information on residents, thereby creating "a kind of sanctuary." Mr. Gallagher pointed out that this stance often leads to more intrusive police actions such as surveillance.
Continuing on the Privacy Act, Mr. Gellman observed that it contains exceedingly broad exemptions for law enforcement records, including medical records. Mr. Litt pointed out that the Act also imposes limitations on federal law enforcement.
Mr. Gellman then asked a series of questions about currently proposed bills, eliciting the panelists' reactions to various provisions. Mr. Barnes expressed support for a provision that permits the disclosure of information to law enforcement if a crime has been committed at a health care facility or to determine if a crime has been committed.
Mr. Gallagher commented that in general, recent legislation has been problematic in its effort to base exceptions for law enforcement on whether a situation is or is not health care related. It is difficult for the FBI to decide who are health care information trustees, or in other ways to "try to cull out the exceptions." Mr. Litt added that provisions that require such fine distinctions are likely to induce litigation. Mr. Gellman explained that the idea is to draw a clear line for, or around, law enforcement. Responding to a comment in earlier testimony, he also asserted that it is not necessary to demonstrate abuse to justify restrictions on access to records. Mr. Litt commented that a balance must be struck among litigation costs, privacy rights, and the ability of law enforcement to investigate crime.
The discussion returned to the provisions of proposed bills, and Mr. Barnes said a provision allowing disclosure under gunshot wound reporting laws is important to law enforcement. He also favors a provision to allow medical record keepers to provide information to assist in locating a victim, witness or fugitive -- especially the latter. All panelists said the dependence of the legislation on the concept of legitimate law enforcement inquiry does not create problems, although Mr. Gallagher noted that there might be differences in the way legitimacy is interpreted. Mr. Barnes said he knew of no complaints by citizen's groups about the conduct of law enforcement in his community, and Mr. Gallagher said no abuses of records have come to the FBI's attention. Mr. Litt qualified these statements, saying misconduct and incorrect procedure by law enforcement can probably be found and cited; however, there are already checks in the system for handling such situations.
Mr. Gellman turned to the subject of health care fraud, which is estimated at $52 billion a year. The FBI has some 300 agents working on it, and about 2,000 pending investigations. Mr. Barnes said many larger metropolitan D.A. offices have units on health care fraud, and the nation's attorneys general have taken the lead on these issues. Local prosecutors are concerned that devolution and block grants to the states will increase the burden on local law enforcement. Mr. Litt added that traditionally, federal law enforcement has been paramount, in cooperation with the states, because health care fraud is often interstate in nature. Mr. Barnes agreed, with the exception of fake accidents, where state law enforcement is active.
At Mr. Gellman's request, the panelists described examples of typical health care fraud investigations, which generally involve looking at identifiable records, for example to see what was billed for and patients' diagnoses. Mr. Gallagher identified three levels of gaining information: reviewing general billing information, identifying health records that need to be reviewed, and interviewing patients.
Asked how abuses are brought to law enforcement's attention, the panelists said the alert might come from employees of the suspect institution, patients themselves, or insurance companies or fiscal intermediaries. They were unable to estimate the number individual records looked at in a year in connection with health care fraud investigations, but Mr. Gallagher said a case in Louisiana required a review of 2,000 records.
Asked about subpoenas, the panelists said they do not represent a burden, at least for federal law enforcement officials. Mr. Gallagher said that provisions that distinguish between health care fraud investigations and others and that give latitude only for the former are not helpful. Mr. Litt pointed out that organized crime is moving into health care businesses, making moot the distinction between investigations of health care fraud and of organized crime.
Mr. Gellman noted that drawing lines between different functions is a general problem with this legislation. He asked for more comments on provisions that distinguish between oversight and law enforcement and that impose fewer barriers to access on the former activity. Mr. Gallagher noted the definitional problems, asking rhetorically how the HHS Inspector General would be defined. In addition, law enforcement is strongly opposed to limiting the ability of oversight people to provide evidence of crimes to law enforcement people. Mr. Gellman noted the possible relevance of the Privacy Act's distinctions between J-2 and K-2 exemptions.
Asked whether fraud investigations could manage with non-identifiable records, the panelists said that some stages of many investigations could use non-identifiable records, but eventually most require access to identifiable medical records. Mr. Litt said a hypothetical requirement adding a "hoop" to get identifiable records would not be too burdensome on law enforcement, but it would impose another burden on data providers and delay investigations.
Mr. Gellman noted that the reuse of information obtained by law enforcement agencies is a big issue in the legislation, which generally gives broad access for the health care fraud investigation but then strictly limits subsequent uses of the information against the patient, unless s/he is involved in the fraud. Mr. Litt explained that such a restriction would be a major shift from current practices, which are based on the legal principle that once the initial intrusion is justified, any further use of the information deemed necessary by law enforcement is acceptable. Mr. Gellman asserted that if records are routinely accessible for health care fraud investigations and if there is no protection against subsequent use, patient privacy is completely undermined and patients will be ill-advised to reveal anything to their physicians that could be used against them. Mr. Litt pointed out that this is the current situation, and nobody is advising patients against disclosing material.
In response to another question, Mr. Litt said the Justice Department does not like Kennedy/Kassebaum's requirement of a court order to use a record obtained through a fraud subpoena against a patient in another proceeding. Mr. Gallagher noted the inconsistency of suspending patient privacy rights when that is in the interests of the health care industry, but protecting their identities when other crimes are involved. He asserted that the real tests are whether it is a legitimate law enforcement investigation and how the agency gains access to and uses the records. Imposing an "artificial barrier" between fraud investigations and other criminal investigations would have a significant impact on law enforcement.
Mr. Gellman explained that restricting reuse of information is a way of making possible the broad access deemed important for fighting health care fraud. He pointed out that computerized records will soon be a reality, and law enforcement will improve its capabilities, yielding the possibility of general record searches and of no protection for patients.
He then asked for comments on various procedures established in Kennedy/Kassebaum. Mr. Litt agreed with the principle of balancing the injury to the patient against the public interest, but disagreed with having judges make these decisions. The DOJ's experience with substance abuse records is that some judges either stall their decisions or even refuse to make them.
Mr. Gellman asked for responses to proposed requirements for law enforcement access, starting with the requirement that law enforcement have a written certification from a supervisory authority. Mr. Gallagher and Mr. Litt said this would not be difficult for the FBI, but Mr. Barnes said it would impose serious impediments for local law enforcement, which often has very limited resources. Mr. Gallagher pointed out that the definition of a supervisor could be problematic and confusing. The panelists said a requirement that the request be in writing would not be onerous. In general, they strongly favored the continued use of subpoenas, noting that this is an established procedure and a known document. Asked if they objected to a requirement to notify patients who are the targets of investigations, they said this is contrary to normal law enforcement practice. In response to a follow-up question, they said that although patients are involved in health care fraud in a minority of cases, it is still a significant number.
Asked about a proposed requirement that subpoena applications show probable cause and demonstrate the relevance of the information to the investigation, Mr. Litt said this is too tough "by yards" and "a vast shift." Current law on Grand Juries does not require a show of relevance, a practice that has been upheld in court. The problem with showing relevance is that the thinking about a crime may change, and law enforcement would not want to be held to initial speculation and theory.
Mr. Gellman noted that the Privacy Protection Study Commission's 1977 report stated that Grand Jury subpoenas are used to circumvent restrictions needed for search warrants, and that there should be restrictions on Grand Jury subpoenas. Mr. Litt said it is not uncommon to actually show subpoenaed evidence to the Grand Jury, and so such a requirement would not be bothersome. Mr. Gallagher objected to another requirement that the evidence be used only for Grand Jury purposes, if it would prevent the use in other criminal investigation of evidence acquired for a health care fraud investigation. The panelists did not have problems with requirements about time periods for destroying or returning records, and they supported the idea of imposing reasonable limits on the uses of information.
Asked about problems with drug and alcohol records, Mr. Litt referred to his earlier comments about judges' sitting on requests for court orders. He also noted that substance abuse records tend to be intermingled with other records that are subject to different standards.
Asked about redisclosure to other law enforcement agencies, Mr. Litt said the DOJ only discloses to other federal law enforcement officers, unless it gets a court order.
Mr. Gellman thanked the panelists for their open and helpful discussion with the Subcommittee, noting that law enforcement issues are likely to be even more contentious than other aspects of this generally contentious subject.
John Nielsen, Intermountain Health Care (IHC) and American Hospital Association (AHA)
As a large integrated health care facility, IHC emphasizes the need for the interchange of patient health care information across the delivery continuum. It believes that increasing providers' access to that information will improve quality and control costs. It also recognizes the importance of the public's concerns about confidentiality. State laws governing the exchange of patient information are inconsistent and archaic, and AHA and IHC recommend a uniform federal law that preempts state laws on confidentiality and privacy.
Mr. Nielsen described IHC's longitudinal data record system and its relation to other systems such as care process models and security measures.
Donald Palmisano, M.D., American Medical Association (AMA) and private surgery practice
The AMA has 300,000 physician and medical student members. The medical profession's underlying premise with regard to confidentiality is to preserve the trust that is the basis of the patient/physician relationship. The exchange of information is a vital part of that relationship. The professional and ethical responsibility to keep patients' confidences is no different just because medical records are now stored electronically. However, the information is now far more vulnerable because of linkages to other information databases and third parties' growing demands for access.
Dr. Palmisano stressed that even if those parties show a compelling need for the information, "a need is not a right." AMA policy states that patients' privacy should be honored unless the patient waives it in a meaningful way or in the rare event of strongly countervailing public interest. Furthermore, the information disclosed should be limited, permitting no fishing expeditions. Patients should generally have access to the information in their medical record. The record is the property of the provider, and disclosures should emanate from the provider. Patient consents should be applied only to the specific uses for which they were given. In this context, the AMA cautions against categorizing utilization review, quality assurance, and fraud and abuse monitoring as serving "payment or treatment purposes." Exceptions to the requirement for patient consent to disclosure should be minimal and narrowly drawn, and medical information used for research purposes should have all identifying information removed whenever possible.
Steven Kenny Hoge, M.D., American Psychiatric Association (APA) and Private Psychiatry Practice
Dr. Hoge's presentation stressed the fact that patients share private information with physicians because they believe it will be used to help them, and physicians have controlled access to this information to serve in their patients' interests. Recently, the physician's role as guardian of patient privacy has come under serious attack, and medical information has been put to uses that do not serve patient interests.
Noting that they overlap considerably with those articulated by Dr. Palmisano, Dr. Hoge outlined some of the principles APA believes are important to maintaining privacy. He stressed that legal and ethical sanctions for violations should keep pace with the development of new technologies, which should not be employed to stretch the limits of appropriate access.
Mr. Gellman asked if the panelists supported the Congressional judgment that medical records need broad federal legal protection. Mr. Nielsen reaffirmed this principle and the need for federal preemption of state laws. Dr. Palmisano said the AMA supports federal law as "a floor rather than a ceiling," allowing states to have stronger protections. Dr. Hoge agreed with Dr. Palmisano, adding his view that Kennedy/Kassebaum does not bespeak a Congressional intent to legislate broadly in the area of information exchange, given its focus on eight "data points" in electronic transmission.
Mr. Gellman asked the panelists whether they favored legislation over regulation. Mr. Nielsen said this issue is well suited to a broad federal legislative solution that provides a framework or tone, with the details to be worked out through the agency rule-making process. He stressed the need for national uniformity. Dr. Palmisano said the AMA supports legislation but cautions against any attempts to micromanage the doctor-patient relationship. Dr. Hoge indicated that the APA accepts the idea of a federal law as a floor, provided it does not try to micromanage the doctor-patient relationship. For the "seven or eight very, very small pieces of electronically transmitted information" (or "data elements") addressed in Kennedy/Kassebaum, he recommended regulation over legislation.
Dr. Cohn explained that these are not just data elements but transactions, each containing many elements including clinical information. He noted the differences among the panelists in regard to a uniform national confidentiality standard versus allowing the states to have more stringent standards, and the panelists elaborated on their views. Mr. Nielsen suggested possibly having the states replicate the federal law so it could be enforced at the local level, making enforcement less onerous. Dr. Hoge observed that states have accrued generations of experience, case law and modes of practice. He questioned the need for a single national standard, generating a lengthy exchange of views.
As arguments for a national standard, Mr. Gellman cited the patchwork quilt of state regulations and the failure to protect patient records in many places, the plethora of separate state laws and regulations for different conditions, and the interstate nature of health records transactions. Dr. Hoge countered that the patchwork quilt is supplemented by a single national standard of malpractice as well as case law, tort law, and professional standards. Mr. Gellman noted that the Privacy Protection Study Commission concluded that patients who sue their doctors for breaches of confidentiality will lose.
Dr. Hoge said the APA would support stronger monetary penalties piggybacked on top of existing state laws, to strengthen enforcement. He noted the massive compilations of patient data being done by insurance companies, managed care companies and other entities, and said these practices should be regulated. He dismissed the argument that it is too difficult to deal with different state confidentiality laws in interstate transactions.
Mr. Nielsen cited the states that "have no inclination to address" patient privacy as a major reason for a federal law, and he questioned the notion that a federal standard would threaten the patient-physician relationship. Dr. Palmisano said the AMA's position is that the best interests of the patient are the determining factor -- a principle to which he returned several times during the discussion. He said the AMA would reconsider the preemption issue if federal legislation proved acceptable to all parties and protected patients. He emphasized that prior to computerization of records, patient information was safe from intrusion; it is electronic dissemination to other databases that makes it vulnerable to hackers.
Mr. Gellman noted that although hackers are clearly a problem, most abuse of personal records comes from insiders. He observed that Dr. Palmisano's statement that the AMA might accept a good federal bill as a uniform standard offers some potential for eventual agreement. Returning to his earlier comments, Dr. Hoge stressed that the business entities compiling massive patient data have different relationships to patients than doctors do, and it is therefore necessary to establish rights of action in order to hold them liable.
Turning to a new subject, Mr. Gellman asked the panelists to comment on disclosure to next of kin. Dr. Palmisano said the tradition in medicine is generally for the patient to give permission before something is disclosed. He described some scenarios, based on the principle that the patient has the right to the information, and he added that sometimes the patient's permission is inferred from "the way they bring family members in." There are also state laws on this matter. Mr. Gellman said the question lies in instances where there is no expressed view from the patient, with some proposals providing for physician discretion and others requiring advance patient notification. The panelists favored retaining physician discretion.
Mr. Gellman asked about the practice of posting patient information in public areas in hospital wards, for the purpose of tracking patients. Mr. Nielsen called this a common cultural phenomenon and noted that it is obviated by computer systems. Dr. Harding said JCAHO certification is contingent on keeping such information where only staff can see it. Dr. Cohn reinforced the point that this an area in which computerization actually increases confidentiality.
Turning to the broad subject of non-consensual disclosure of patient information, Mr. Gellman began with the subject of disclosure to researchers. He asked if standard IRB provisions are adequate, and Dr. Palmisano and Dr. Hoge endorsed this as a good model. Dr. Hoge drew a distinction between traditional medical and academic settings and research done in other settings such as managed care companies, where the research may not be in the public interest. Patient records need special protections in the latter settings. Mr. Nielsen said his plan has had good experience with IRBs. He expressed hope that patient consent provisions will be broad enough to cover research, but he added that with some kinds of research, explicit patient consent should be obtained. Furthermore, patient-specific information obtained for research should be destroyed or returned upon completion of the use for which it was obtained. Dr. Hoge noted that federal regulations require the retention of records for five years, and he added that in his experience IRBs require that identifying information be removed once the data are collected and coded. Dr. Cohn commented that Kaiser Permanente, too, uses the IRB model for its research.
Mr. Gellman asked about disclosure for public health uses, and Dr. Palmisano said compliance with laws in this area should always use the minimal possible amount of information about the individual. Dr. Nielsen said the fact that it is in the public interest makes disclosure for these purposes acceptable. Noting the incident in Florida in which the names of HIV-positive people were divulged, Dr. Hoge suggested that data regarding sensitive health conditions should be put off limits to computerized record keeping.
Dr. Schwartz asked what should be done in the event of a hypothetical situation in which researchers doing profile analysis turned up evidence of a pattern of suspected child abuse. Some panelists felt that researchers do not have the responsibility clinicians do in this area, and moreover they must observe absolute confidentiality; others felt that such a pattern might be revealed only in research and should be reported, even in the absence of a law requiring disclosure. The recurring question arose of where to draw the line in computer surveillance.
Dr. Cohn asked if the panelists felt some data deserved higher levels of confidentiality and privacy than others, and Dr. Palmisano said the AMA's view is that all information should be accorded the same high level of protection. Dr. Hoge suggested consulting patients about the appropriate levels of protection, and Mr. Nielsen said this issue is the subject of "a raging debate" among professionals in his institution. Dr. Hoge said the APA tells members to "get the best privacy deal you can for your patients."
Dr. Harding then introduced the subject that stimulated the liveliest discussion of the day: access to medical records for law enforcement. Dr. Palmisano said any lax standard of disclosure undermines the trust at the core of the patient-doctor relationship, and the privacy interest should take precedence in the absence of an overriding probable cause standard. Asked what he did if patients asked him not to put something in their records, he said he simply noted that something of "a very personal nature" was discussed. He stressed that as the son of a policeman and someone with great respect for policemen, he nevertheless believes the American principle of freedom from coercion must be carefully protected.
Dr. Hoge agreed, noting that privacy is inseparable from democracy. He noted that although medical knowledge and technology could save more lives if it were forced on people, this is contrary to medical values; by the same token, "we accept some loss of efficiency in our law enforcement to protect patient privacy." He noted the widespread evidence of people's concerns about invasion of privacy, along with evidence of doctors' avoiding writing things in records because "we know it is going to be computerized." He stressed the need to move quickly to protect privacy before the degree of access leads to "a huge national data bank" filled with information that is "less accurate, less complete and less useful" than today's records.
Mr. Nielsen observed that while police investigations would not impede the privilege existing between patients and doctors, no law enforcement official should be able to look at identified patient records without a court order. Health care providers have an obligation to yield to the processes of the law, but only when evidence has been presented to satisfy an independent determination of need. He recommended the use of discretion in the amount of information released to law enforcement, and the requirement of patient consent unless there is a court process.
Mr. Gellman noted earlier testimony that under current law, any medical record in the country can be obtained by the HHS Inspector General, any federal prosecutor with a Grand Jury subpoena, or the Attorney General with an administrative subpoena-- none of these requiring judicial process, independent review or notice to patients. Moreover, the police can use any information they find about patients against them. Given these realities, he asked rhetorically how anyone can suggest there is any confidentiality today. Dr. Hoge said that this area of the new legislation may be its most important element.
The subject of the extent of actual, and desired, compliance with law enforcement by medical providers generated considerable discussion. Dr. Hoge noted that Mr. Barnes' suggestion that doctors do not easily give up medical records is indicative of "the status quo in this country." The APA's Committee on Confidentiality is striving to educate members -- for example, about the difference between a subpoena and a court order and the fact that they need only comply with the latter. Dr. Palmisano said that in Louisiana, the medical society and the physician captive insurance company alert physicians to the latest laws on disclosure and encourage them to consult legal counsel if they are unsure about compliance.
Dr. Hoge said he routinely notifies patients if their records are being subpoenaed, and he and other psychiatrists are willing to fight efforts to force disclosure, if necessary. For the records of incompetent patients without proper legal representation, "the standard, routine response to those sorts of subpoenas is to decline to comply."
Mr. Gellman expressed surprise at the degree of resistance represented by these panelists, noting that earlier discussions with law enforcement people did not give this impression. In contrast, Mr. Nielsen (who has been a police officer and a District Attorney) said it would be wrong to give the impression that health care is "always adversarially at odds with the law enforcement authority." In fact, in 99 percent of cases they should supply the information requested. In his experience, court orders for information are predominantly to help prosecute in cases of homicide, assault, rape and child abuse. IHC's policy requires consultation with the hospital's general counsel if there is a question about a request for information.
Dr. Hoge agreed that if there is a legitimate court order, the physician can do nothing but comply; but where there is "an option to resist," physicians should act on behalf of their patients. He noted that the testimony of the law enforcement panel suggests that health care providers are complying inappropriately with "informal" requests to disclose confidential information, indicating that provider education is in order. He added that the idea that psychiatric records contain "juicy" information that will help solve crimes is a myth.
Mr. Gellman observed that the vast majority of medical records are obtained to investigate health care fraud, and in this context the mere volume makes patient notification unlikely. Moreover, these disclosures are generally permitted by state law and policy in recognition of the magnitude of the problem. Dr. Hoge agreed that health care fraud is "a different scenario"; asked why, he acknowledged the need to investigate fraud, provided there is a judicial process and a way of restraining law enforcement from merely "sifting through records." Dr. Palmisano called attention to the AMA's proposed health savings plans as a way to make patients more responsible for their own health and, by extension, their own records, thus obviating the need for so much scrutiny to detect fraud. Mr. Nielsen observed that this is a significant public policy issue, and one in which law enforcement authorities have arguably been overreaching.
After noting that capitation is another good way to reduce fraud and abuse, Dr. Cohn asked Mr. Nielsen what advice he offers based on his broad experience. Mr. Nielsen recommended exceptions to confidentiality restrictions for the proper authorities, including criminal law, tempered by the introduction of a neutral fact finder to determine the validity of law enforcement's need for information. He also suggested including language in the subpoena or court order indicating the breadth and scope of the information sought.
Asked to elaborate on his reference to "new entities" that have relationships to patients unlike those of doctors, Dr. Hoge said he was referring primarily to managed care plans and employers, as well as others serving as a clearinghouse. The distinguishing factor is whether their role is to help patients. Information that patients have given doctors willingly and sometimes gratefully in the expectation that it would benefit them has been transformed so it is being used against their own best interests -- for example, to deny them care. The intended use of the information should be determined before it is released.
Dr. Palmisano added that he believed patients should be able to remove their names and data from databases that have no right to their information.
Turning to informed consent, Mr. Gellman asked whether the panelists felt patients understand consent forms and are capable of negotiating changes in them. Dr. Palmisano commented that the informed consent process for treatment is well developed and might be used as a model. He noted that patients feel they have no choice but to sign administrative consent forms. Dr. Hoge agreed, observing that in today's environment consumers are becoming more assertive on their own behalf, when the best solution is to shore up the role of doctors as gatekeepers.
Dr. Detmer asked for comments on unique identifiers. Dr. Palmisano said the AMA is opposed to unique patient identifiers because they make linkage too easy, and it is particularly against the use of the Social Security Number (SSN) as the unique identifier. Mr. Nielsen said unique identifiers are fundamental to the kind of system IHC is trying to develop, although he agrees that the SSN should not be the identifier. He described the index number IHC uses internally to identify and track patients. Dr. Palmisano said no one is against the use of patient identifiers within a health care institution; the issue is having a national system. Speaking personally, Mr. Nielsen expressed agreement about the dangers of a national personal identifier that tags an individual for electronic transfer of information on the Internet.
Noting the value of the information on IHC's database, Dr. Harding asked Mr. Nielsen if anyone had approached them for access. Mr. Nielsen said many systems would like access, but his company resists that for both proprietary and confidentiality reasons.
Dr. Cohn asked for comments on a uniform provider identifier, and Dr. Palmisano said the AMA is willing to consider it under circumscribed conditions. Dr. Hoge said the APA has not discussed it, but a provider identifier seems less problematic. Following further discussion of the risks and benefits of a hypothetical national health care database, Mr. Gellman evoked a range of opinions from panelists with a question about whether patients benefit from cost containment and utilization review activities. Dr. Palmisano observed that in the past, physicians filled out standard billing forms and gave them to patients, who sent them on to insurance carriers. This system is best for preventing error and fraud.
Finally, Mr. Gellman asked about patient access to records, which is provided in all new proposals. All panelists expressed support for this, but agreed that there should be exceptions. The group discussed the practice of allowing physicians to withhold from patients information that could harm them. Dr. Palmisano said this practice is less and less common among physicians, while Dr. Hoge said it is common among psychiatrists. Mr. Nielsen said his system places some restrictions on patient access. Mr. Gellman noted that the determined patient can find a way to get records, and in view of this and other factors, it may be simpler to have a blanket rule permitting access. Dr. Palmisano suggested looking to worker's comp as a model, in which the minimum amount of information needed to satisfy the company is provided. He said when he gets a request for a patient's entire medical record, he calls the patient and asks for permission.
Mr. Gellman thanked the panelists for meeting with the Subcommittee.
Public Comment: Denise Nagel, Executive Director, National Coalition for Patient Rights
Dr. Nagel, a panelist on the next day of these hearings, asked for a clarification of a statement of Dr. Palmisano's. In response to her question, he confirmed that he shares the view that if patients feels that having their information disseminated in a computerized network would interfere with their care, they should have the opportunity to ask that the information not be entered into the computerized network.
The meeting was recessed until the following day.
Mark Rottenberg, Electronic Privacy Information Center
Mr. Rottenberg, who also teaches at Georgetown Law Center, offered six principles to guide the Subcommittee's thinking in preparing its recommendations. He urged them to
· recommend a patient-centered policy
· ensure that patients have a right of access to their own record
· consider not preempting state law and states' ability to evaluate and correct as new privacy issues arise
· give attention to privacy-enhancing technologies
· not use the social security number as the patient record identifier
· recommend the creation of a permanent, independent privacy agency
Denise Nagel, National Coalition for Patient Rights, American Psychoanalytic Association, and Association for American Physicians and Surgeons
Dr. Nagel said that whereas the hearings have mostly been devoted to disclosure issues, she would primarily address the patient's right to privacy and procedures to enforce that right. These rights are well established but not well enforced, and Americans clearly want the long- established principles to be enforced. It is not clear that they want new rules, as is assumed in Kennedy/Kassebaum. As evidenced by the Harris/Equifax poll and other sources, people care about and are worried about the privacy of their medical records. Many would be alarmed to know that a national health ID number has been proposed.
Dr. Nagel pointed out that the first principle of the Nuremburg Code is the voluntary consent of the human subject. Putting personally identifiable medical data into a networked computer is tantamount to making an individual an experimental subject, and this should never be done without fully informed written consent. Finally, she called attention to License to Steal by Malcolm Sparrow, which predicts that the billions that will be saved by automating claims management will be offset by the increased larceny it makes possible. She expressed hope that the Secretary's recommendations will build on the patient's right to privacy, which is the cornerstone of trust and the foundation of quality care.
Lewis Lorton, HOST Consortium
HOST is a consortium of health care organizations, providers and vendors that believe in the potential benefits of health care informatics for health care but are concerned about the difficulties of implementation. Mr. Lorton raised three issues. First, he cautioned against thinking that complex problems have simple technological solutions, or that technology is a kind of magic bullet. Second, he pointed out that all levels of technological capability exist in the U.S. Finally, he encouraged the Subcommittee to get input from health care information specialists regarding the policies on which it will be advising.
Karen Rothenberg, Law and Health Care Program of the University of Maryland; Policy Chair, National Action Plan on Breast Cancer Committee on Genetic Issues
The aforementioned policy committee primarily deals with genetic discrimination and genetic privacy. Ms. Rothenberg suggested that the primary ethical principle in the privacy area is that medical records are generated by individuals who give information voluntarily, believing that doing so will benefit them. In the genetics area, her organization has helped create a "tremendous patchwork" of privacy and confidentiality protections that, however limited, are better than what existed previously. Preemption of state laws would be "very dangerous" because so much progress still needs to be made and states are in a better position to make it. The worst situation would be to "legislate loopholes." She described the protections now established in several states, and expressed hope that her group's work on privacy protections could complement the work of the Subcommittee, which has primarily focused on confidentiality and disclosure.
As to why it warrants special protections, she said genetic information has familial implications and also can be used to discriminate against groups. People are starting to fear participation in research, which could undermine some good work.
Lauren Dame, staff attorney, Public Citizen Health Research Group
Ms. Dame suggested that any regulations that come out of this process should take into account the flaws of the existing health care system, which she enumerated (e.g., the lack of universal coverage, the growing role of market forces). In such a system, disclosure of medical information can have devastating consequences. She echoed earlier comments about medical records' being for patients first, adding that the presumption should be against disclosure with a heavy burden of persuasion on all who argue for access. Also, identifiable information should not be disclosed without informed consent. Patients' needs for information should be taken into account, and they should have the right to obtain and correct their records.
Mr. Gellman noted the many legal uses of medical records and queried whether anything is left of confidentiality to protect. The panelists acknowledged that it has been seriously compromised, but stressed that the public is becoming more aware of the problem and the Subcommittee has a clear mandate to improve the situation. Moreover, medical records are still more private than other types of personal information. Dr. Nagel observed that the quantity of accessible information is growing to such an extent that the changes are having a qualitative effect. But new public recognition of confidentiality and privacy problems offers an opportunity to curb egregious practices.
Mr. Lorton noted the distinction between internal and external data movement in the health care environment. Outside movement can generally be handled by policy; the real hazard is within the health care organization. He pointed out that the medical record is not a single entity; rather, medical information on individuals resides in many contexts, such as laboratory worklists and MRI databases. Ms. Rothenberg commented on the need to tell patients honestly whether or not their information is protected in specific contexts.
Mr. Gellman called for realism in the face of the many uses of medical records authorized by state and federal law, which reflect a belief in the social value of these uses of private information. He questioned whether health care quality has truly been diminished by these violations, introducing a theme that continued through the discussion. Most panelists argued that health care has indeed been damaged by these violations of privacy, especially for people in public health settings. They also questioned whether public policy should accept the current level of access to medical records, even if it is authorized, arguing that this shows the need for stronger state laws.
Mr. Gellman raised the issue of health identifiers, generating a lively discussion that returned frequently to the core principle that records exist for the benefit of patients. Mr. Rottenberg stated the case against using SSNs for this purpose: briefly, that using the SSN facilitates inappropriate data matching, and that it is not a good identifier because it is not unique. The approach taken in Ontario of creating a special number for medical record identification and backing it with legal sanctions to control its use is preferable. Dr. Nagel suggested that the Subcommittee use its mandate to point out that there are alternatives to a single number, such as one in which the individual has several linkable numbers for different institutional contexts, with the individual holding the key that links them. Mr. Lorton supported that idea, and said HL7 has formed a special interest group on a master patient access mediator. He noted the many technical difficulties of implementing a universal ID.
Dr. Cohn asked if the panelists felt that any uses justified data linkages, and Dr. Nagel said the question is who should be able to decide this. Patients and their physicians should decide together what information to make available throughout the system, for example for access in the event of an emergency. She stressed that physicians are willing to take the time to do this, as evidenced in the policy of the Massachusetts Medical Society.
Mr. Gellman noted that one option is the creation of a unique identifier for health purposes; he illustrated the question of whether it would be controllable by reading a list of 17 categories of people with likely access to it. Mr. Rottenberg stressed that the point of this effort is to find better alternatives, not perfect alternatives, and also to impose a series of hurdles and barriers. If the goal is to "cabin the use of the identifier," then it can be associated with specific legal safeguards. In addition, institutions can be forced to improve their practices for exchanging records by having their responsibility for the records strengthened. He expressed doubt that a First Amendment-based challenge to restrictions on disclosure would be successful. The objective is to send the public policy message that invasions of privacy are not sanctioned.
Ms. Rothenberg added that the laxness in this area is partly possible because patients have not known what they were agreeing to, and this is changing. She urged that instead of giving up on privacy and confidentiality because there are abuses, this area should be tightened. Dr. Nagel added that the right to privacy will cease to exist unless it is always returned to as the basic principle.
Panelists responded to Mr. Gellman's concern that a new identifier would meet the same fate as the SSN by stressing the importance of taking a strong position that the record is generated for the benefit of the patient and that there is a strong presumption against any other uses. The group discussed whether Congress could be successfully held accountable for better public policy in this area, with Ms. Rothenberg citing the strong measures passed in the genetics area and stressing the role of advocacy groups in keeping the pressure on politicians. Mr. Rottenberg urged the Subcommittee not to "prejudge this issue in terms of what you think Congress might do with it," but rather to give its best advice based on an evaluation of the merits.
Dr. Harding asked for comments on public health research and registries, and Ms. Rothenberg said the basic principle must be that participation is voluntary. The country needs a major educational process to promote the importance of being involved in research, and this can only succeed in the presence of convincing safeguards. Ms. Dame suggested three steps in considering public health research: can it be done with anonymous data; what are the barriers to getting informed consent; and if these are not possible, should the research be done at all.
Several panelists spoke from experience about the adequacy of IRBs, with Ms. Dame speaking for many in saying that while this function should be preserved and some IRBs are very good, some are not, and in general they do not offer adequate protection. Ms. Rothenberg said the Recombinant DNA Advisory Committee on which she serves has yet to see a gene therapy protocol with an adequate informed consent form. Mr. Lorton said in his experience, IRB members are not knowledgeable enough about the specific research areas they must review. He suggested upgrading existing institutions rather than creating new ones. Dr. Nagel noted that the AMA recommends using de-identified medical information wherever possible, with information removed in the physician's office.
With regard to records research, Dr. Nagel noted that IRB regulations include investigation of the medical record in the definition of human subject experimentation, and that most IRBs have been good about enforcing privacy. She stressed that getting good research data depends on offering people real assurances about privacy protection.
Ms. Ward asked about penalties, and Mr. Rottenberg discussed the difficulties with enforcing legal rights to privacy. He noted a new willingness in Congress to accept higher levels of liquidated damages, which are necessary to create the incentive to use the courts.
Most of the rest of the discussion focused on law enforcement access to medical records, particularly to fight health care fraud. Mr. Gellman noted the huge law enforcement system dedicated to this purpose and their liberal access to records, and he asked how this "clearly important concern" can be balanced with privacy. While acknowledging the social value of this effort, Dr. Nagel reasserted the basic purpose of medical records and talked about her concerns, as a psychiatrist, about establishing a relationship of trust with patients when everything they tell her might be "put into a computer data bank." She questioned whether in this environment patients would continue to seek care, and she referred again to Malcolm Sparrow's book linking health care claims fraud to electronic data interchange.
Ms. Rothenberg suggested that the goal of catching fraudulent providers may not be reason enough to allow access to identifiable records. Mr. Rottenberg suggested imposing these restrictions: procedures to govern the investigation, independent evaluation, and remedy for people who suffer harm.
Mr. Lorton pointed out that EDI is no more responsible for fraud than the pen is for forgery. He called for more enforcement, not less EDI. Dr. Nagel agreed with the first point, but pointed out that increases in the efficiency of claims processing also remove human oversight. She suggested that a heavy burden be placed on fraud investigators to show that they cannot get the information they want without identifiers. In the instances where this is not possible, court orders should be required, based on demonstration of compelling evidence. What people are concerned about is law enforcement's wholesale requests for data and fishing expedition rights. To Mr. Gellman's point that Congress has already granted them broad access, she argued that the Subcommittee still has a chance to restore balance.
Ms. Rothenberg and Dr. Nagel said that in most cases, patients should be informed that investigators have (or had) access to their records. Dr. Nagel recalled the steps Dr. Palmisano said doctors should take when records are requested: calling the medical society, calling the lawyer and, if the request is deemed legal, informing the patient. Ms. Rothenberg noted that there is a risk in giving people notice, and care must be taken in the way this is done.
Dr. Cohn asked about privacy enhancing technology, and Mr. Rottenberg noted that it involves a range of mechanisms not limited to cryptography. There is a good deal of interest in the U.S. and Europe in these technologies, which he noted are more difficult to implement in the medical care context. The search for better techniques continues, and he encouraged the Committee to recommend to the Secretary that more research be done in this area. Mr. Lorton noted that while privacy and confidentiality are policy issues, his organization focuses on internal and external security issues. The big problem within hospitals is defining who gets what information. Efforts are complicated by the range of technology in health care; for example, 600 organizations make clinical information systems, which points to the need for government leadership in standardization efforts.
Mr. Gellman noted that some major medical privacy bills are deficient in the area of privacy enhancing technologies. He and Mr. Lorton discussed the many practical difficulties of implementing security technologies. Mr. Lorton stressed that the industry needs to know what policy decisions lie ahead, so it can be working on appropriate technology. Dr. Nagel pointed out that as important as these measures are, they must begin from the principle that patients have a right to privacy and to controlling access to their information. A clear message conveying a commitment to quality medical care built on a secure system would provide the industry with the incentives needed to come up with innovative solutions.
Mr. Gellman raised the issue of commercial trafficking in health information, which generally originates from unsuspecting patients themselves (e.g., by using credit cards). Mr. Rottenberg said that after medical record privacy, the commodification of personal information is the second biggest privacy issue in the country, raising the same question of whom the information belongs to. The commercial value of the information is considerable, and while privacy law suggests that it can only be acquired with informed consent, this has not been enforced. Ms. Rothenberg suggested, for starters, educating people to avoid using their credit cards to purchase sensitive products and services. Mr. Gellman added the need for better disclosures to people when information on them is being collected.
He then asked about genetic information, and Ms. Rothenberg noted that most bills focus on genetic tests rather than genetic information because the latter is very broad. She agreed that it is difficult to draw clear lines between classes of information, and recommended that the law take a broad view and allow as little access as possible.
Dr. Harding asked for comments on the proposed independent privacy agency, and Mr. Rottenberg said he recommends it in order to ensure that ongoing institutional expertise and attention are focused on these issues, and to provide procedures for developing public policy. He noted that countries with such agencies do a better job of resolving privacy concerns when they arise. There should be an agency in the federal government with an ongoing interest to protect the medical record.
Mr. Gellman thanked the panelists, and welcomed the next panel.
Janlori Goldman, Georgetown Law School
Ms. Goldman is on leave from the Center for Democracy and Technology, where she co- authored the report, "Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality." She said the heightened urgency of the situation makes her more optimistic about the prospects for medical privacy than she has been for years. In working with Community Health Information Networks, she encountered tremendous resistance from people who regarded privacy as an obstacle and an unnecessary cost; since then there has been progress in helping people understand that there can be no effective and cost-effective health information system without privacy and security, because of the centrality of trust.
Four factors have changed the political environment and heightened the urgency: the shift into managed care, which has changed the doctor/patient relationship and reduced patients' control over information; the computerization of health information and the heightened risk of abuse; technical advances that afford new opportunities to protect privacy, provided the necessary policy decision is made; and the passage of HIPAA. HIPAA was decisive in that divisions among privacy advocates made it possible to pass last-minute administrative simplification language without attaching privacy rules -- an action that Ms. Goldman called "a disaster." Now, privacy advocates have a moral and legal imperative to work together for privacy rules.
Don Haines, American Civil Liberties Union (ACLU)
Mr. Haines said the only success of privacy advocates in respect to HIPAA was the provision for state preemption of federal law, which may lead to "surprising protection for state privacy." He noted several first principles, including the fact that medical records are developed for the benefit of patients and the assertion that if the country truly wants to protect or restore privacy, it can do so, even in the presence of some slippage. Another principle is that we deal with frail human beings, not institutions, and policy must be set in recognition of this reality. He noted that many U.S. Attorneys and Assistant U.S. Attorneys become political candidates and face a strong temptation to misuse information. He also stressed the difference between privacy protection (which is patient-centered) and disclosure restriction, noting that the Bennett Bill was the latter. He urged the Committee to return to first principles.
Aimee Berenson, Director of Government Affairs, AIDS Action Council
Ms. Berenson observed that the privacy of health information is not just an academic concern for people living with HIV disease. The fear of losing privacy has deterred people from being tested for HIV and thus delayed treatment. Worse, many who have tested positive have been discriminated against in the health care system and by insurers. HIPAA provides modest but important health insurance reforms, but also may lead to further erosions of privacy by promoting EDI without ensuring strong and universal privacy safeguards. Other weaknesses of the law are that its privacy and confidentiality provisions will apply only to EDI, and that they must meet the criterion of reducing administrative cost.
Noting that protecting certain pieces of information at certain points in the system may not be enough, Ms. Berenson called for comprehensive privacy protections. Her organization espouses the following principles:
· Federal protections must provide a strong uniform floor of protections for privacy. Stronger existing and future state laws should not be preempted.
· Those who collect and use personally identifiable health information should have legal responsibility for protecting its confidentiality.
· Permissible uses and disclosures should be clearly defined, and firewalls should be built to prevent unauthorized uses. Also, people should have more control over their personal health information.
· There must be strong legal remedies and sanctions for violations.
Ms. Berenson joined her fellow panelists and former panelists in thanking the Subcommittee for its efforts in this area.
Sue Jacobs, Legal Action Center
The Center specializes in policy and legal issues in the intersecting areas of drug/alcohol abuse and AIDS, with patient record confidentiality as a major specialization. Ms. Jacobs noted that the appropriate standards for people in the aforementioned categories can be a model for other health care legislation as well. These populations' records are protected by federal legislation if they are in federally-assisted treatment programs, and these laws should be left in place -- something that HIPAA does not stipulate. The relevant statute (42USC290 Section DD- 2) prevents a provider from revealing who is in a treatment program, with a few exceptions, and the confidentiality law operates by written informed consent. Ms. Jacobs compared other provisions of the law with proposed confidentiality legislation. She stressed the need for strict protections for the populations she works with, and also commended the protections as a model with broader possible applications.
The discussion with this panel focused on three topics: informed consent, preemption, and patient access to records. On the first, Mr. Gellman asked what can realistically be expected from the informed consent process. Ms. Goldman stated an ideal in which people would decide how their information is used, and said policy should bring the reality as close to this as possible. She agreed that informed consent can be used to trade away privacy, but asserted that this function can be limited. Mr. Haines commented that there is currently no uncoerced, genuinely informed consent in the medical system; nevertheless, rather than simply assuming consent as the Condit Bill does in most cases, he favors having genuine consent as the hallmark, with the presumption that no one else has a right to the information and very high standards for exceptions. He noted that the AMA and the APA support this principle, and added that an area in which informed consent is especially important is disclosure into a networked computer environment.
Ms. Berenson decried the fact that a system has been created in which people believe their records are protected even as the very people who created that system say confidentiality is not possible. Thus, the first step is to limit the system. Ms. Jacobs noted that both the Hippocratic oath and legal ethics underlie the principle of informed consent.
Mr. Gellman noted the tremendous complexity of the current system, with billing services, value-added networks and clearinghouses that make the goal of meaningful informed consent seem impossible. Mr. Haines noted that the British medical society supports a patient's right to refuse to have records computerized. He suggested making it clear that providers and payers are expected to establish a system that will honor a choice for privacy. Computerization on networked databases not only makes records vulnerable to external invasion, but increases the number of "insiders" with access to them. Mr. Gellman noted that a refusal to computerize would carry a huge price tag. Mr. Haines said that if, on the contrary, it became clear that administrative simplification is going to cost more than it saves, the Committee should report that to Congress, which is counting on the savings.
Ms. Berenson observed that even if EDI seems dangerous, it is already a reality. On the issue originally raised by Mr. Gellman about the number of handlers, she said that the informed consent process, rather than specifying every handler, should clarify who is responsible and accountable for security.
Mr. Gellman then raised another problem, that consent statements "don't flow upstream" from physicians' offices to other handlers. Ms. Jacobs said in the substance abuse treatment field programs cannot send records without the authorization, and the system is alert to the limitations on disclosure. Mr. Gellman asked for reactions to the Condit Bill in this regard. It assumes consent but makes any special arrangements made between the patient and doctor binding. Ms. Goldman said that even though this approach would make the system more efficient, it removes choice from the individual as a presumption and thus she cannot support it. Ms. Berenson agreed, adding that when a form is replaced by statutory protections, people do not realize what is going on.
Taking issue with an assertion of Dr. Cohn the previous day, Mr. Haines added that quality assurance, utilization review and peer review are not legitimate areas for which consent should be compelled for treatment to occur, even if they would save money. Mr. Gellman countered that many people do care about saving money. Ms. Goldman argued for keeping the approach simple and not ending up having to accommodate people with entrenched financial interests. Clearinghouses and claims processors are merely pipelines whose use of information should be governed by patient choice, and the industry should not be allowed to complicate things so much that privacy violations appear to be "a done deal" that cannot be fixed. Systems should be created so that people's privacy decisions follow their information to its final destination.
Mr. Haines reiterated the point that the Committee has an opportunity to assert the belief that medical information is worthy of the highest level of protection in this society. He urged the Subcommittee to wrestle with the fundamental question of whether administrative simplification is really a good idea, and one that justifies basic changes in the patient/provider relationship. Mr. Gellman responded that the tradeoff is the money that could be saved and redirected to more health care.
He then introduced the issue of preemption, noting that industry support is needed for enactment of a privacy bill and that the industry favors federal preemption. He added that most state laws are not as good as the federal bills, and he asked the panelists to address the reality of interstate activity in health care.
Ms. Goldman asserted that the system already functions with different state laws. She described the experience with the Fair Credit Reporting Act, which -- despite industry opposition -- allows states to enact stricter protective legislation. Originally, privacy advocates supported the idea of preemptive federal legislation for health care records, assuming it would be a high ceiling; however, administrative simplification has changed the environment and it would be a real mistake to wipe out strong state laws.
At Mr. Gellman's request, Ms. Berenson talked about attempts to preserve state AIDS laws. She noted that many states are, rather belatedly, beginning to look at privacy issues, and preempting them for a "watered down federal ceiling" would be a mistake. The AIDs epidemic is instructive in that it took everyone by surprise and required rapid responses, something states can do more easily than Congress and the federal government. Mr. Gellman commented that it is reasonable to reserve judgment until there is an actual federal bill to evaluate.
Ms. Jacobs said that from her vantage point, a strong federal ceiling with uniform components based on protections for alcohol and drug treatment facilities would be acceptable. She called attention to the provisions for court orders, and described the protections against search warrants for people in treatment unless authorized by a judge.
Mr. Gellman noted that in the event of coexisting laws and a provision that the stronger law will prevail, it is not always obvious which is stronger. Advocates for this kind of arrangement therefore need to develop a proposal offering guidance on this matter. He noted that another ambiguous area for coexisting state and federal laws is fraud investigations, which are normally conducted at the federal level.
He then raised the question of having different rules for different records, and Ms. Jacobs repeated her point that if the highest standard applied to all records, this would not be a problem. Asked what happens when federally funded programs interface with other programs, she said this is particularly complicated with managed care organizations, which want lots of records, and in emergency rooms, where people may reveal things in a crisis situation. She expressed concern that the drive for accountability in health care is undermining the willingness to support privacy considerations. Ms. Berenson noted that a general problem is that laws apply to specific information and scenarios, and nothing covers the information all the time. Mr. Gellman pointed out that this is a potential benefit of comprehensive federal legislation.
Asked which state AIDS laws have good provisions, she mentioned Florida on disclosure and California and New York on written consent. CDT and the Georgetown Legal Clinic have compiled information on best practices, which Mr. Gellman said could be helpful to the legislative process.
Turning to access to records, Mr. Gellman noted that there is general agreement that patients should have a right of access to their records. He asked for comments on possible exceptions. Ms. Goldman said the burden on the provider must be very high to withhold a record. Mr. Haines said such a provider should be subject to peer review. Ms. Berenson agreed, and also recommended a narrow definition of the standard for exceptions. She added that "the record" also needs to be defined. The group noted the special issues posed by group therapy, genetic testing, and pharmaceutical clinical trials. In general, they favored keeping the exceptions as narrow as possible.
The panelists were asked about the idea of an independent privacy agency, and Mr. Haines said the ACLU has supported it for years. Ms. Goldman noted that OMB is working on an options paper on how this might be handled. She predicted the creation soon of an entity at the executive branch level to oversee privacy in the handling of personal information by both the government and the private sector, and she noted the need for cohesive policy and guidance in this area. Ms. Berenson questioned whether the same agency could address privacy issues in the context of sectors as different as health and commerce.
Mr. Gellman thanked the panelists for the very useful discussion, and invited them to submit follow-up statements. He then opened the floor for public comment.
Lawrence Huntoon, M.D., Board of Directors, American Association of Physicians and Surgeons
Dr. Huntoon said he and the physicians he represents strongly oppose the computerization of personal medical records, which are the property of patients. He described his experience with the government's poor handling of electronic medical data, and offered nine reasons against automating patient records. They included the high error rate, the difficulty of getting an error corrected, the ease of altering records for bureaucrats, their lack of accountability for errors, the limited clinical and scientific value of the electronic record, and the overriding importance of the patient's right to privacy and confidentiality.
Robin Kaye, private citizen
Ms. Kaye commented that she and others are "horrified" that their medical information will be put on a national patient database without their consent. She called attention to a February 12, 1997 hearing by the House Subcommittee on Technology, at which computer experts testified to the high incidence of computer security breaches, and she questioned how medical information could be secure with such profound breaches. She called for no access without patient consent, and patient access to their own records at all times. She urged that the Committee help plug the "leak in the dam" rather than letting all the water out.
Lynn Downs, private citizen
Ms. Downs observed that in Nazi Germany, a data processing machine was used to record personal and health characteristics of citizens, and she quoted a statement by the director of the company that put health statistics in the service of the Third Reich. She concluded that "technology and persecution go hand in hand historically," and medical and genetic information can be used to oppress and harm people; therefore it is dangerous for the government and others to have so much private information. The right of privacy should not be "given away to the general good," as happened in Nazi Germany.
After expressing his appreciation to the staff for putting together the six days of hearings, Mr. Gellman adjourned the meeting.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/ Don E. Detmer April 18, 1998
_________________________________________________________
NCVHS Chair Date