[This is an unedited transcript]
Hubert H. Humphrey Ruilding
200 Independence Ave., SW
Washington,
D.C.
TABLE OF CONTENTS
Page
Call to Order 1
Privacy and Patient Advocacy Groups; Privacy-enhancing
Technologies 2
Discussion 25
Privacy and Patient Groups; Privacy-enhancing
Technologies 110
Discussion 140
Public Comments 218
P R O C E E D I N G S (9:00 a.m.)
MR. GELLMAN: Good morning. This is the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. This is the sixth and last day of our hearings on health privacy. We're going to begin as we usually do by having everybody identify themselves.
MR. BERRY: I'm Nelson Berry with the Health Care Financing Administration. I'm staff to this group.
MR. SCANLON: I'm Jim Scanlon with the HHS Data Policy Office. I'm also the Executive Staff Director for the National Committee.
DR. DETMER: I'm Don Detmer, University of Virginia, Charlottesville and I chair the National Committee on Vital and Health Statistics.
DR. COHN: I'm Simon Cohn. I'm a member of the Committee and CIS Coordinator for Kaiser Permanente.
MR. GELLMAN: I'm Bob Gellman, Chairman of the Subcommittee, and otherwise a privacy and information policy consultant.
DR. HARDING: I'm Richard Harding. I'm a child psychiatrist from Columbia, South Carolina.
MS. WARD: Elizabeth Ward. I'm an Assistant Administrator at the Washington State Department of Health.
DR. SCHWARTZ: Harvey Schwartz from the Agency for Health Care Policy and Research.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics and Acting Executive Secretary of the Committee.
MR. GELLMAN: Let's hold off on the witnesses. Do you want to start off in the audience.
[Audience introductions were made.]
MR. GELLMAN: Thank you. The way we've been running these hearings is each witness gets five minutes to make a presentation. Basically we will spend the rest of the morning in discussion. Mark, would you like to begin?
Agenda Item: Privacy and Patient Advocacy Groups; Privacy-enhancing Technologies
MR. ROTTENBERG: Thanks for that, Bob. My name is Mark Rottenberg. I'm the Director of the Electronic Privacy Information Center here in Washington. I also have taught information privacy law at Georgetown Law Center since 1991. I'm going to make six brief points this morning and I would be happy to answer your questions.
It's clear to me, having worked in many areas of privacy, that medical record privacy is both the most significant privacy issue facing the country and the most complex. I don't think I could in this time go into the brief details of the different legislative proposals that will be considered by Congress and that I know that you will review.
I would like to, if I could, put out six principles that I hope will guide your thinking in your recommendation to the Secretary of HHS. My first point, and it has been made on other occasions very well by Dr. Nagel, is that a medical record privacy policy must in the first instance be a patient-centered policy, because it is so clear in this debate that there are so many stakeholders and so many competing claims to the use of this information that if we lose sight of the central axiom, I think we may lose the purpose of the undertaking.
The second point which I would like to make, and it's based on some of the work of the chair of this committee, is that oftentimes we're talking not so much about a privacy policy, but rather a policy of fair information practices which is to say a policy that establishes certain obligations for institutions that collect personal information and give certain rights to data subjects. If you will, code of fair information practices are essentially privacy plus. They are not simply limitations on disclosure. There are additional responsibilities, security, authenticity, integrity of data for data holders, and most importantly for data subjects a right of access to personal information.
I think there are now 34 states that have established in law such a right. One of my hopes is that a primary recommendation of this committee will be to ensure that patients have a right of access to their own record equal to the right of access of any individual or institution in the chain of the flow of that record. There are understandably exceptions to that rule, but as a starting premise and a way to give weight to the concept of a code of fair information practice, I hope you will keep in mind the importance of patient access.
A third point concerns the preemption of state law. As you're no doubt aware, many advocates of federal privacy legislation including Professor Larry Gauston(?), have recommended a federal statute that preempts state law, which means more explicitly takes away from the states the ability to evaluate, to correct and to legislate where new privacy issues arise in this domain.
I would like you to consider very carefully whether this is a wise direction to go. It is true through virtually all privacy law in the United States from the Federal Wire Tap Act of 1968 to the Video Privacy Protection Act of 1988, that the federal government has established a baseline in the privacy arena and left the states free to legislate upward. This includes companies operating multi-states, this includes communications, technologies that reach multiple jurisdictions.
I don't think there is any necessary reason that a federal privacy statute should preempt state law and I would like to suggest that, particularly given the complexity and the magnitude of this problem, there is good reason to continue to follow one of the strengths of our federal form of government and to allow the states to innovate and experiment and provide new material through their own privacy standards that could later become the material of a stronger federal statute.
My fifth point is that I hope the committee will give some attention -- I'm sorry, this is actually my fourth point -- the committee will give some attention to the important opportunities provided by what are called privacy enhancing technologies. These are techniques not only for security and confidentiality, but also techniques fundamentally that restrict access to personally identifiable information through the anonymously or pseudo-anonymizing of personal information.
Now, I'm not simply talking about statistical methods here. I'm talking about computer techniques which can in effect hard wire the best practices and statistical methods and by other means to limit access to personal information. I think this is a critical area as well.
My fifth point concerns the social security number, another very controversial area in medical record privacy. In 1993, I and a number of other privacy experts wrote to the First Lady who was at that time involved in the development of the comprehensive medical reform proposal and urged her not to use the social security number as a patient record identifier. We cited many reasons, not the least of which is that is an imprecise identifier, but also the obvious risk that it would be used to facilitate data matching and the transfer of personal information outside of the medical care context.
I wouldn't begin to suggest to you that there's a simple solution to this problem or that there aren't some significant tradeoffs in the consideration of a new medical record identifier, but I hope you will look into this issue, because it is as a matter of history one of the critical privacy concerns in this country, going back to the creation of the SSN in the 1930s and continuing through the passage of the Privacy Act in 1974 which set out very explicit requirements for the collection of the social security number by federal and state agencies.
I think now I'm up to number six, I apologize for being out of breath. When I hit the ground level, the elevators were not working, so I raced up the stairs. It's no other ailment that I'm aware of, but maybe some people in the room will disagree.
My sixth and final point is to ask you to consider also in your recommendations to the Secretary, as I hope other task forces that are looking at and will be looking at privacy issues this year, the need to create an independent privacy agency in the United States to review privacy matters on an ongoing basis. I say this not because I think it is going to provide the solution to privacy concerns arising in such areas as medical record confidentiality, but rather because institutionally and structurally the absence of a privacy agency within the U.S. has resulted in an inadequate, in my opinion, provision of expertise and an insufficient ongoing process to review privacy matters.
In the medical record privacy realm, for example, there have been many good reports over the last few years by institutions here, by the National Research Council several years ago, by the Office of Technology Assessment and I'm sure this committee as well will produce a fine report. But in the absence of an ongoing process to develop recommendations, to see through recommendations and to implement recommendations, I'm afraid that these ad hoc procedures are not sufficient for a sustained protection of patient record confidentiality.
So these then are my six points, the need for patient-centered privacy policy, the importance of patient access to the record, concerns about state preemption by a federal statute and the use of the social security number, the need to explore the use of privacy enhancing technologies and the need to create a permanent federal privacy agency. Thank you.
MR. GELLMAN: Thank you, Mark. Dr. Nagel.
DR. NAGEL: Thank you. I'm pleased to have the opportunity to meet with you this morning. I'm a practicing physician testifying today on behalf of my organization, the National Coalition for Patient Rights, and I'm also testifying for the American Psychoanalytic Association and the Association of American Physicians and Surgeons.
Congress has asked the Secretary to address at least three areas, the individual's right to privacy of their identified medical information, procedures for the exercise of these rights and the disclosures that may be authorized.
The description of the purpose of this committee and the hearings themselves, until yesterday afternoon, seemed to be devoted to the third and last of these subjects that the Secretary must address, disclosure. I will address primarily the patient's right to privacy and procedures to enforce that right.
Congress refers to privacy rights in the Kassebaum-Kennedy Bill for good reason. Patients have a well established right to privacy grounded in constitutional and statutory law, common law, the Hippocratic oath, canons of medical ethics and common sense. Unfortunately, these rights have not been uniformly enforced. The Patient
Privacy and Confidentiality Policy, of which I have made a number of copies available to the committee, of the Massachusetts Medical Society, which is the publishers of the New England Journal of Medicine, states that while the most aggressive federal prosecutor may not obtain the records of a social worker, an insurance company can demand and receive full access to the most sensitive medical record and enter it into a databank accessible to thousands of people without legal constraint. The medical society takes the position that this is wrong and sets out a mechanism in this policy that allows insurers to manage care without invading privacy.
The letter I received inviting me to testify stated the purpose of the hearings is to explore the consequences for patients and institutions of new rules for use and disclosure of health data. Americans do not want new rules. What they want is the enforcement of long established principles. They are looking to you to make recommendations that will genuinely protect and enhance individual privacy. Make no mistake about it, people care about privacy of their medical records and they are worried. In 1993, Louis Harris and Equifax did a poll. Seventy-four percent of physicians believed that increased computerization will weaken confidentiality. Eighty-five percent of the general public placed protecting the confidentiality of people's medical records ahead of providing data for research into diseases and treatments.
The same 1993 survey also found that a clear majority of Americans were very concerned about having a national health identification number assigned to each individual. At present, most Americans are unaware that this is happening. As the public becomes aware of this provision, you can expect a loud outcry.
Twenty-five years ago, a committee similar to this one wrote a report stating, "We believe that in practice the dangers inherent in establishing a standard universal identifier far outweigh any of its practical benefits. Therefore we take the position that a standard universal identifier should not be established in the United States now or in the foreseeable future. Given the advances in technology, this advice is more valid today than on the day it was written.
A short word on outcomes research. This is the 50th anniversary of the Nuremberg Code and trials. The first principle of the Code is that the voluntary consent of the human subject is absolutely essential. Dr. Jay Katz, a physician and law professor at Yale warns us to be very careful. He suggests that any time we modify our position away from individual rights, that we consider the modifications in light of the Nuremberg legacy. Putting personally identifiable medical data into a networked computer is tantamount to making an individual an experimental subject. This should never be done without fully informed written consent. Scientific research does not require abandoning one of our most important freedoms.
I want to address as my final topic the issue of electronic claims processing as a means of cutting administrative costs and the answer to fraud control. I want to refer you to a recent work of Malcolm Sparrow, License to Steal. Sparrow makes it clear that while he expects the automation of claims management should save $8 to $10 billion a year in administration costs, he goes on to say that these savings are likely to be more than offset by increased larceny permitted by electronic claims systems.
The organizations that I represent do not have all the answers, but we have a principled approach grounded in legal, ethical and medical history of this country. It is an approach based on the patient's right to privacy that has for centuries been the cornerstone of trust and essential to quality care. We urge that the Secretary's recommendations build on this history rather than conflict with it. Thank you.
MR. GELLMAN: Thank you. Lew.
MR. LORTON: Thank you for allowing me to be here. My name is Lewis Lorton. I'm the Executive Director of the HOST consortium. HOST is a consortium of health care organizations, health care providers and vendors based here in Washington but with a national scope.
Our members are very much concerned and share a belief that health care informatics can have a positive effect on providing health care. We've very much interested in the outcomes of this committee, and obviously the legislation, not because we care to influence policy, that's not correct, but we are concerned about is the difficulties implementation. Those are the points that I would like to make.
We have found that you don't know a problem very well until you actually set about actually doing something. My concern is that when policy decisions and policy recommendations are made, they are made almost universally at the policy level. So I would like to bring up three issues that we would like you to look at.
Complex problems, particularly those in health care, do not lend themselves to simple technology solutions in any way. In fact, as the complex issues are investigated with the idea of applying technology to them, the issues only get much more complex. This has been borne out in some work that we've been doing where we've been interviewing people about the implementation of their goals or their issues and how they want to implement privacy policy within their health care system. It turns out, as we get further and further into their problems, the policies get more and more difficult to implement. So we're concerned that policy looks at the issues of implementation before policy is made.
Policy technology is not and cannot be the magic bullet. Technology is not magic. All of our systems are constrained in a myriad of ways and many of these constraints are not obvious and they're not intuitive. In fact, they only become obvious when more demands are placed upon the system.
The second point I would like to make is that in many discussions we hear people responding and saying well, technology can do that. The implication is that cutting edge technology can solve any problem. The reality is that across this country health care systems have all levels of technology from virtually none to very sophisticated technology and requiring implementation of a policy which may be relatively simple for a very sophisticated organization like Columbia, like perhaps the University of Virginia, might be virtually impossible for a small health care provider in say New Mexico. So I ask you to look into that issue.
Thirdly, I am probably the only person here talking for technology and I am not a technologist. There is an enormous wealth of knowledge and ability and expertise out there in the health care information technology which could give input on these issues before policy decisions are made. I would encourage the committee to suggest that some method be used, some method be made to get input from the technologists, from the health care information specialists on the impact and the ability to implement some of the policy decisions you are going to recommend. Thank you.
MR. GELLMAN: Thank you. Karen.
MS. ROTHENBERG: Good morning. My name is Karen Rothenberg. I am the Director of the Law and Health Care Program at the University of Maryland and I'm currently serving as the Policy Chair for the National Action Plan on Breast Cancer's Committee dealing with genetic issues. Our primary priorities on that committee, on the Policy Committee, are to look at dealing with genetic discrimination and genetic privacy issues and I think although I've been asked here to basically be here as a resource, I would like to be able in part to share with you some of those experiences.
However, I want to emphasize two points that I think I've already heard from some of my other wise colleagues on this side, and that is not to forget what I consider, I guess I would go with two of the most important guiding principles that I ask you to think about and then I will spend the rest of my five minutes sharing with you my experience dealing with the genetics issues.
First of all, I think the primary ethical principle, and it's interesting that we heard from the doctor about the legal sources of this, but I'm going to deal more with the ethical source. That is what's the purpose of generating the record to begin with. Why do we ask individuals to give us information? We ask them to give it because they deem it to be to their benefit. That is the most important principle not to forget. If they weren't giving us the information to begin with, nobody else would be interested in it and nobody else would get it.
That brings me to the second point and that's their expectations. Their expectations are that they're not giving the information for everybody else to be able to benefit from it, or to in fact unfortunately in some situations, to be able to use it against them. I think even in the research context, we need to remember that our primary ethic in that context is that it's voluntary.
When we're dealing with public health needs and we're dealing with needs of criminal investigation, and we're dealing with needs of all these other people who have a stake and an interest, we have to remember again that it's critical, the information gets generated initially from the patient, period. That should be the test you ask yourself every time you determine if something is fair use or not fair use. What implications does it have to that initial trust, because that's the privacy issue.
Everything you're dealing with is really confidentiality. Once you get the information, who gets it, what protections you put in place, but the privacy principle is do I have to tell to begin with. Do I have to tell is partly based on what my expectations are of what's going to happen once I do tell.
With those two points, let me then share with you what some of our experiences are looking at these issues in the context of genetics. When we started out our project, the first thing I wanted to do was to find out what was already out there. It was frustrating that looking at the various state privacy and confidentiality protections, once again, they're really confidentiality protections. They're really not privacy protections.
Now we have some in place, which I will share with you, but I saw a patchwork that I'm sure you all know about that included medical record statutes, public health databases, registries, genetic programs that had provisions in there for confidentiality and then a whole bunch of exceptions, criminal investigations, parentage, adoption and then at the federal level some protection under our research regulations. But the only thing they had in common was that none of them were the same and that in fact we have a tremendous patchwork.
Well, on the one hand, then you would think okay, let's put our hands up and say preemption. We're just going to get one single way of dealing with it, but I would suggest that that would be very dangerous, as Mark has said earlier, because we're just not there yet. What the worst situation would be was to legislate loopholes and what I see under our current proposals, which I can talk more about, is a lot of that.
Rather what we came to is a recognition that we needed to strengthen and in some way to integrate through antidiscrimination law and privacy protections in the genetics context some new state legislation that has now also been proposed at the federal level. And what this new state legislation does, and the proposals at the federal level, is attempts to combine discrimination protection with what I consider privacy as well as confidentiality protections.
Why that becomes important is even in the research context, where your record might be protected, nothing stops a third party from asking you if for example you've been tested. It may not be in your record, but they can still ask you. Have you been tested, what are the results of those tests. If your researcher has given you those results, then you've got the information. So that as if an individual health insurance or employer can ask you the question, that's the end of your privacy. It doesn't matter if it's in your medical record, somebody now has the information which may ultimately get generated into a record.
So what we have been able to pass in a number of states, and we have a proposal at the federal level, is that they are prohibited from requiring or requesting directly or indirectly into the results of your genetic tests, or requiring you or requesting you to be tested, or in some states it's even broader than that to not being able to get genetic information.
Now, why is that good? I mean some people might be very concerned about that. Well, the reason why we think it's good is because it's not enough to protect people through saying if somebody gets this information and they use it against you, they can claim a discrimination case for example. Well, if I'm going to claim a discrimination claim, I have to do that by breaching my privacy. I have to take my chances and make sure I'm going to win.
And if I've got a predisposition to a disease, I'm healthy, what do I gain from breaching my privacy in order to try to make my discrimination claim? If I'm sick already, or if they know the situation, it's one thing, but if I'm healthy and I've chosen to be tested for a particular condition and then I risk losing my privacy in order to make my discrimination claim, it's not going to be worth it. That's why we've attempted to integrate both privacy protections and discrimination protections together.
There are now over a dozen states that have this protection in the context of genetics. I would be very concerned that those statutes not be preempted in any way based on federal law.
Now, there are ways to get at it. I think your primary focus so far has not really been on privacy. Your focus has really been on confidentiality and disclosure and exceptions. So there might be a way to work together so that these can complement each other. There isn't a way to have to wipe out these protections that we consider so important in the genetics area, which then leads me to the last question, a question of policy.
Why is genetics any different than anything else? I know this is a question that Bob will probably ask me. Why treat genetics so special? Well, you know, I'm not sure there's a good medical reason, but there's a good social reason at least to question whether or not we need some added protections. Certainly there have been a number of states that agree to us.
Is it more like AIDS and mental health or is it more like everything else? Well, first of all, genetic information has familial implications. Now, so might some of these other diseases, but this I think stretches beyond even your immediate blood relatives. So a breach for me may mean a breach and a consequence for many other relatives, cousins, siblings and beyond. Two, we unfortunately have a very scary history in our country in which difference and genetic difference is often based on ethnic groupings. There's a lot of suspicion right now and a lot of concern about how genetic information may be used to continue to perpetuate that discrimination. Now, in the ideal world then, maybe we wouldn't need to have special protection, but we're still at a point now where we need it.
Then finally, we are beginning to see even in the research context that people are afraid. They're afraid to participate in research because they're afraid that this information will be used against them. It's not just information that gets into their medical records. That's part of it, but it's also being afraid of being asked the question. Were you in a research trial, did you get information, did you get information about your genetics, what were the test results. That isn't a medical record problem. That's a question about access to the information. I think we need to do a lot more thinking about that before we're at the point where we would preempt some of the good work already done at the states. Thank you.
MR. GELLMAN: Thank you. Lauren.
MS. DAME: Good morning. I'm Lauren Dame, staff attorney at Public Citizens Health Research Group. Public Citizens Health Research Group is a non-profit organization that was founded in 1971 by Ralph Nader and Dr. Sydney Wolfe(?), the current director, to among other things fight for consumers' rights to have more control over decisions that affect their health.
In my day to day work as staff attorney, I receive calls from consumers who are having problems navigating our current health care system, consumers who cannot get health insurance, consumers who are battling with their health insurance companies or their HMOs over coverage and consumers who feel that the present system is out of control and heading in a direction over which they have little say. As medical records are computerized and there is increased disclosure of sensitive medical information, as we believe there will be, many of the problems consumers face today will be exacerbated unless strong privacy protections are included in any regulations that are developed pursuant to the Health Insurance Portability and Accountability Act.
Today I would like to use my time available to suggest some basic points that I hope you will keep in mind as you prepare your recommendations for the Secretary of Health and Human Services. First, any regulations that come out of this process should take into account the flaws of our existing health care system. we do not have universal health care nor guaranteed health insurance coverage. Instead we have a system where profit making companies can by and large pick whom to insure and how much to charge leaving more than 40 million Americans with no health insurance at all and another 29 million with inadequate insurance.
We have a system where a growing number of employers are becoming self insured and thus have a direct link to their employee's medical records, a link that can be used for illegitimate as well as legitimate purposes with few privacy restrictions. We have a system where more and more patients are being enrolled in managed care organizations leading to an increased ability for these organizations to collect personal medical information and increase pressure to use that information in a variety of ways. We have a system where advances in technology are resulting in the presence of sensitive genetic information in medical records, information which may not only provide insight into a patient's current health, but may reveal possible future health concerns.
In a system with these characteristics, disclosure of medical information can have devastating consequences for individuals leading to loss of insurance, financial problems and loss of jobs. In addition, privacy for medical information is an important value in and of itself. People feel very strongly that they should have control over dissemination of what amounts to highly intimate and private information about themselves.
Second, we believe that any effort to regulate the use and development of computerized patient medical records should begin with the proposition that medical records are created for the benefit of the patient and all other uses are secondary. This does not mean that there are not important and legitimate other uses of medical records, but the presumption should be against disclosure and there should be a heavy burden of persuasion placed on those who argue for access to patient information.
A corollary to this is the principle that personally identifiable patient information should not be disclosed without the informed consent of the patient, and by informed consent I do not mean the kinds of blanket consent or release forms that patients currently are forced to sign in order to obtain health insurance that basically give the insurers the right to collect any medical information about them they want and to do with it what they will.
Third, as regulations are developed to computerize medical records and facilitate the exchange of data, the needs of patients for information and disclosure should be taken into account as well as the needs of other parties. The new technology could be used to provide patients with better information about their health care. Further, all patients should have the right to obtain copies of their records and to correct any errors in them. Just over half the states have laws requiring the release of medical records to patients. As records are computerized and more easily and widely disseminated, it's even more important that patients have an opportunity to learn what's in them.
Today you're hearing from the privacy advocates and earlier you heard from insurers, providers and processors of data, and no doubt many of them have painted glowing pictures of great increases in efficiency and cost savings associated with computerizing medical records and with limiting privacy protections. Now, while in some areas the interests of all of us might be accommodated, you will be faced with some hard choices. In making your recommendations to the Secretary, I urge you to err on the side of protecting the privacy and confidentiality of personally identifiable medical information. As a society, we can always modify regulations to increase data exchange if experience shows us that we can safely do so, but privacy once lost cannot be recaptured. Thank you.
MR. GELLMAN: Thank you. Thank all of you. We've got a couple of hours here scheduled for discussion. We've also got a lot to discuss so I suggest that in responding to questions if you could keep your answers shorter, that would be helpful.
I want to begin with a sort of very basic kind of issue. Many of you, many of our other witnesses have come forward to talk about the importance of confidentiality and privacy in the medical context. I've said these things myself. The question I want to ask is are medical records in fact confidential. Records are routinely disclosed today to fraud investigators, researchers, public health authorities, law enforcement agencies. They are used for accreditation, licensing, peer review, utilization review, cost containment and a variety of management activities. Many of these functions are authorized or in fact directed by law. The question is what's left of confidentiality? How can anyone look a patient in the eye and say your records are really confidential? Anybody care to discuss that?
MR. ROTTENBERG: I would like to give two answers to that, Bob. Your point is well taken. We're drawing a line somewhere here between absolute disclosure and absolute privacy, but I can tell you as someone who spends a lot of time on the Internet and uses a lot of search engines to test the bounds of privacy in the information age, it is virtually impossible to find an individual's medical record. Now, there are some institutions who have set up Web sites and are exchanging medical records on the Net. If they haven't built a fire wall, you may uncover it, but if you don't know the patient's name or SSN, it would be very hard for you to find a medical record on the Internet.
I think to some extent, the line is not at absolute privacy, but this is a critical point, nor is it absolute disclosure either. Medical records are still not home addresses, they're still not published telephone numbers, they're still not date of birth. I think it's very important to keep that in mind.
The second thing I think to keep in mind is irregardless of where you put that line, the patient's perception of whether the record, whether the information that will be provided will be protected bears directly on the quality of service that person will receive, because if the person believes that this is sensitive information that would have to be disclosed for the treatment of depression or for alcoholism or for child birth or something else, if that person believes that this information is not going to be protected, then he or she may not seek medical care, or in seeking medical care may not provide relevant information necessary for the diagnosis. I think that's been pretty well established.
So my two part answer to your question is of course it's not an absolutely private record, but it's clearly private to some extent when compared with other types of personal information. Secondly, the perceived privacy of the record bears directly on an individual's willingness to obtain quality medical care. I think that's a point to keep in mind.
DR. NAGEL: Thank you. I want to first agree with everything that Mark Rottenberg just said about this issue and would like to add a couple of points. He spoke to the fact that patients aren't going to come forward and tell their secrets, tell their embarrassing experiences, tell about their vulnerabilities if they don't believe that their medical information is going to be kept private within the physician/patient or health care provider/patient relationship. The fact is, as many of you know, patients and the general public have been not very well informed about this issue. They're getting much better informed now. So the good news is people are beginning to understand the issues and they're realizing that some of these things they said in the survey they would be concerned about if they were happening are happening and they are concerned about them.
The point cannot be stressed enough that if we don't have privacy we are not going to have quality medical care. This has been the cornerstone of trust and it's the cornerstone of quality medical care.
The second point is that we're undergoing a fundamental change in the quantity of information available and that is qualitatively changing the information that's available. It has always been true that you could don a white coat, maybe put on a mustache and go into a hospital and pretend you're a doctor, walk into the medical records room and get a medical record illegally. That has always been true. But it's very different if you have to physically go on site and try to steal physical medical records or if you just have to in the privacy of your own office access them where you can access them in thousands or even millions of records at one shot, and even download those records.
So we have a quantitative difference that has qualitatively changed the nature of access. The same is true for other organizations that want to gain access to the records. They may have been having access to specific diseases or specific individual records, but it's never been possible to have the kind of wholesale access that's now possible. We can talk about that in much more length I'm sure as the morning goes on.
MR. LORTON: I would like to make two comments to clarify the situation for me. As I see it, we are confounding two different circumstances, one, health care movement within the health care environment, and movement of health care data outside. The one outside can generally be handled by policy. You no longer release that information and insurance companies are not going to be breaking into your system. The real hazard here is within the health care organization, not necessarily a hazard in reality risk to privacy, but how do we manage that technologically. So we need to be really careful that we don't confound those two situations in looking at a fix.
The other is the problem is that there is no single entity that's the medical record, absolutely not. There may be a medical record but there's equally valuable, equally damaging information that exists in other environments. There are databases of MRIs, there are work lists for laboratories, there are any conceivable place at which you show up in a modern health care facility will maintain a record of you being there. Although it may not be qualitatively as damaging, the very fact that you've been there is recorded in some way. That's potentially sensitive. The issue is how do we deal with all of that information. How do we deal with safeguarding the privacy of a technician work list who did repeat mammograms on some one? That's all medical information and is not gathered under that person's name in any identifiable way, and yet that needs to be protected in some way and that's a technology problem.
MS. ROTHENBERG: To answer your question, I could not look at them in the face and say that there is confidentiality. In fact, what I need to do is to look them in the face and tell them where there is and is not protection so then they can make the decision voluntarily whether or not they want to give me information and whether or not they want me to generate the information.
An example, HIV testing, let's just take an example, HIV testing of pregnant women. Assuming they have a choice in some states now as to whether or not they're going to be tested or not, I have argued that they need to be told that in some states if they are tested and it is positive, their name may go to the state and their partner may be notified, even if they say no. That in turn may be a trigger for domestic violence. They may then choose if they have the choice not to be tested. Otherwise to be tested without having a discussion about the limitations of who will and who will not get the information is not informed consent. So I could not look the in the eye.
I think the decision about whether to give me the information or not to give me the information or have me as the health care provider generate it depends on the context of what's going on. If I'm about to die, I'm not as worried about confidentiality and privacy than if I choose voluntarily to be a research -- participate in research or even to get tested for predisposition disease. But if it's a question of, if it's an emergency or I need the information, I'm not really as worried. That's why I think the context of where this discussion goes on becomes very important. I think it's very hard to make blanket decisions.
MS. DAME: I don't want to repeat what's been said so I will just make two brief points. First is it is certainly true that there are lots of uses of medical information and a lot of confidentiality has been lost. Maybe we're optimistic that it's not yet too late. In addition, we're being asked to make policy, so maybe it's the time to really sit down and decide some things.
I think the American public is very unaware of a lot of these confidentiality losses that you refer to. When I talk to people on the phone, they're absolutely shocked when I tell them some of the things that happens to information about them.
Second, and it was mentioned, there's a qualitative difference once you start getting computers involved and sending stuff around on wires. I'm not anti-computers, but there's a big difference in what can happen when all this information can be amassed. I think of once computers are there, people can compile databases and I always think of that Kevin Costner movie, if you build it, they will come. If you build a database, researchers will come to use it. We have to decide before we create those databases what's going to happen to that data.
DR. NAGEL: I wonder if I could just add one more somewhat provocative response to your question because this has come up a number of times. We already have a lot of access to medical records and there is no confidentiality and privacy already so why bother. It seems like a kind of curious question. If we have come to the point where we're finally identifying that we have a problem, it seems like exactly the right time to bother and to start trying to fix some of the egregious practices that have been permitted to go on. We don't want to formalize them and actually make them law.
My provocative comment is this. We have rape going on in this country every day. You will not hear any person ever say rape is occurring anyway, so --
MR. GELLMAN: Well, I don't think that's particularly telling. All of the uses I'm describing are either authorized by law or legal, whereas rape is illegal everywhere. So it's a completely different matter.
DR. NAGEL: A lot of them are really not authorized by law. A lot of them have been authorized by general practice because a lot of the whole health care system and the way it has developed has been very recent. We really haven't thought through the laws that are needed. So I would agree with you, I'm not trying to make a direct analogy, I'm merely trying to say that I think we have a great opportunity now. People are now aware of the problem, people care about it, they're getting riled up about it. This is a great time and a great opportunity that you and this committee have to write some really good recommendations.
MR. GELLMAN: Well, I don't dispute the proposition that confidentiality is important, but I do think at some level we have to look at reality. In fact, virtually all of the uses I cited in my question are in fact directly authorized by law. I can cite a statute for virtually every single one of them where disclosures are required. This is not a matter where these things have just developed, somebody did it because they felt like it. There are state legislatures and the Congress has passed a law that said we think these uses are important, we think that there is a social value to this and we are directing that these records be made available. There have been no riots in the streets, the health care system has not stopped. If there's any evidence that the quality of health care that's being given to people has been diminished by this, I haven't seen it.
I think that this is a fundamental problem in this area. I'm not saying that it's, that confidentiality isn't important, but those who want to tie the notion of confidentiality to the quality of health care or the willingness of patients to come forward and see doctors, there's no evidence that that is -- there's no much evidence that that is happening.
MR. ROTTENBERG: That's not true, Bob. I can get you a stack of articles. There are some articles that attempt to question the empirical basis of that conclusion, but there have been many studies that show that in the health care context people are less willing to disclose relevant information if they believe that -- all other things being equal -- if they believe that that information will not be kept confidential. I think that's common sense as well.
Now, I won't say that there isn't some dispute. There are articles that take another position as well, but there's plenty of evidence in many other realms of privacy, communications being a very good one, that privacy performs an important instrumental role in enabling other activities to occur. One of the activities that occurs in the medical care context is the provision of relevant information for treatment. Privacy facilitates that. It doesn't mean that there aren't a number of other things taking place in our health care system that are improving the quality of health care. I don't think that's what any of us have said. But I take issue with the point you just made. I heard it, I understood it, I don't agree.
MR. GELLMAN: Well, there are differences, there are considerable differences in privacy laws in the various states. Some states have really good laws and some states have really bad laws. Is there any evidence that the quality of care in a state with a bad law is worse than the quality of care in a state with a good law or are we just riding on the fact that we don't have a clue what the laws are in the country to begin with?
DR. NAGEL: I think yesterday at least 50 percent of the panelists that spoke between the morning and the afternoon did not know that we already have a unique health identification number in this country. I think it's actually more than 50 percent, but I know it's 50 percent. So if 50 percent of our panelists here don't know something that's passed in a law, you can be sure that Americans do not know what is already legal.
MS. ROTHENBERG: I think though, it gets back to the point again about choice. If you look at a lot of these state laws, most I think you could drive a truck through to varying degrees. A lot of people that lose their privacy are functioning in the public health setting. They're either going to public health clinics or they're benefitting from a genetics program that the state is sponsoring or some other program, and I don't think there's much of an expectation in some parts of our communities that there is privacy. There's a worry about big brother out there.
Now, where do we go with your concern that we've authorized this under state law? Many of these laws have been on the books for a very long time. Some of them, as you know, haven't been on the books for a very long time and they got through under this sort of the war on cancer, which established all these cancer registries with identifiable information. I think one of the things that the genetics movement has done has really at least raised with us questioning some of the assumptions that have been made about what you need and you don't need and whether or not some of these laws are actually too broad.
If you're in a custody battle, an adoption battle for example, your medical records get thrown into the courtroom like nothing. I would wonder how many people are going to share information about a mental health crisis or another crisis if they knew they could lose their kid over that. So I think it's partly ignorance and partly no choice. Whether it means the legislatures really balanced that or whether or not there was a strong public health push without a lot of knowledge of people to know to question it, does that mean that the public policy is out there so we should accept it? I don't think so. I think, if anything, it speaks to why we don't want preemption.
MR. GELLMAN: All right, let me turn to another issue. We've had a lot of discussion at previous hearings about health identifiers. Basically I don't think we found any consensus anywhere about what the identifier ought to be and it's one of the responsibilities of the committee. I know that there's lots of strong opposition to social security numbers. Mark, do you want to state the case?
MR. ROTTENBERG: Well as I said, a case can be found in the history of the Privacy Act of 1974 and the 1973 Report of HEW Records, Computers and the Rights of Citizens. The point simply made is that the use of a universal identifier, the use of the SSN as a universal identifier facilities data matching. That's the primary concern.
There are additional concerns. Technically speaking, the SSN is not a good identifier because it's not unique. There's not a check some position in the number and there are other problems as well.
I know this is ground that many people here have been over quite a bit. The obvious argument in favor of the SSN is that it's widely used and another obvious argument against another identifier is that it could itself equally become a universal number. I don't think there's a simple answer to either of those two criticisms or two responses. On the other hand, you see those responses don't resolve the primary concern, which is that the SSN can and will be continued to be used for facilitating data matching, which is a problem.
Now, I think the approach that was taken in Ontario, and I can't tell you what the current state of the effort is, but I can tell you what the initial goal was, to create a number specifically used for medical record identification and to back it up with a legal sanction to control its use in the medical record context I think generally speaking is a sensible approach. I don't think a number standing alone would turn out to be any better than the SSN, but I think you can couple it with some legal regime which tries to control its use.
I will point out, by the way, numbers are widely used for record identification but most organizations develop unique numbering schemes. I mean utility companies and subscription companies and phone companies and so forth, if they have a number on you, it tends to be different, or is routinely different from the number other organizations have. So there's a lot of room here, I've written some articles and so forth. I would be happy to provide them, but I think that's the basic debate.
DR. NAGEL: Just to finish up on the subject we were on before, I think that we can get into it more, but I think the point that quality care hasn't been suffering I think is one that we could raise a lot of points about and I would be happy to.
But on the issue of the unique health identifier, I think you will remember from yesterday, the afternoon panel was agreed on very little, but the one thing that they agreed on, the American Hospital Association, the American Medical Association and the American Psychiatric Association agreed that the use of one single national identification number was not a good idea. So it was one point of agreement.
Now, we have in fact seen passed in the Kassebaum-Kennedy bill the requirement for this, so what to do. Well, one thing that you might recommend is that there are alternatives to having one single number. For instance, one alternative that one computer expert and security specialist suggested to me is that there can be different numbers, as we have now, in different institutions that might be linkable, but that the link, the ability to link them together, the key to that linkage is held by the patient. So that right now, we see a situation where if a patient goes to hospital A and the goes to hospital B, they can sign a release so that information can go from hospital A to hospital B, but hospital B is not permitted to re-release that information without the patient's express consent. Setting up the patient with the holder of the key to linking these different databases would accomplish the same thing.
MR. GELLMAN: Lew, what do you think of that?
MR. LORTON: I have no stance about whether the SSN would be a good number or not, I just see technologically --I know I always sound the same -- I don't see how we're going to do it. There I don't know how many different places now who may or may not have different numbers. We've got billions of legacy records and there's no real impetus to put new numbers to those. I think the problem of implementing a universal ID is enormous.
I think Denise's idea actually is quite good in that we have been working, our consortium has been sponsoring an activity to do what is called a master patient access mediator, which does exactly that activity. We've just transitioned that into a standards organization that's now a special interest group in HL7. So that kind of thing which is mediating between existing systems based on, with diverse ID numbers, is on that we're carrying forward, is possibly doable.
MR. GELLMAN: Well, let me ask about some of the practical problems of that. It seems to me that you have a couple of different potential models here. You've got numbers, whether it's a social security number or a unique one, and then you've got no numbers so that you have linkages. I just wonder if you set up a system whereby you're going to have some kind of automatic linkage of records, linkages between systems that are not going to be keyed on a number that you're going to get the exact same thing you're worried about, which is ways of linking records across different systems. So we won't use a number. We will use fuzzy search techniques or other ways of linking records and making sure that they're matching them. And you end up with the same thing because there is a great demand out there for linking records in various ways to benefit patients, as well as accomplish other purposes which may not directly benefit patients.
MR. LORTON: The real problem, Bob, is in the desire to submerge people's ID so it's only visible by say a number or some other very limiting characteristics, and the problem is if you have a patient come in the hospital who may not know the number, have the number, be able to give the number, or the patient may be absent, how do you get that information out. An example my son gave me, who is a physician at Mount Sinai in New York City where they were trying to look for a male Hispanic, they knew his last name and all they knew was something about his physical characteristics and they knew no other linking data that could get to him and yet they needed and wanted the data. So the reality is using information in a very clear cut way by having an ID number is not plausible in many ways of actually doing clinical practice.
MR. GELLMAN: Simon.
DR. COHN: Actually, I guess I had a question to more finely try to get to this issue. I think that the panelists are talking really around two areas, as are you. One of them actually has to do with the issue of technical aspects of some sort of unique identifier. Obviously we can talk up and down around technical views on the quality of a particular unique identifier, but it seems to me that these panelists are uniquely qualified to really ask the question more about data linkages, which is really the question around unique personal identifiers. Regardless of whether we have a unique identifier, there is a capability to link, be it master patient index, fuzzy logic or otherwise.
I guess as a very fundamental question I would like to know from the panelists what are appropriate usages that should be allowed for data linkages? Is patient care, for example, a reasonable reason to link data? Is that okay?
DR. NAGEL: I can start with it if you would like. First of all, I wanted to be clear, when I heard the comment I was making about not linking data, connected to the comment that followed -- it sounding similar to the master patient index, I wanted to be clear that these were two very, very different concepts, because the issue that you're getting to in you question is should data be able to be linked, who should be able to decide if it's linked, should you be able to decide that you don't want your data linked.
I think that those questions were really very well addressed yesterday by the panelists from the American Medical Association and the American Psychiatric Association, that the medical record is established for the care of the patient. Information is given by the patient to the doctor because they think that information is going to be used to take care of them. And everything else flows from there. The issue of being able to link records really is the province of the patient, as whether the information, as the American Medical Association pointed out, ever belongs in a computer in the first place. If it's going to interfere with care, then it shouldn't be there.
Some data linkages no one would oppose. People often give the example what if you're in Topeka and you're in a car accident, wouldn't you want your emergency room doctor to know that you had a penicillin allergy and that you had diabetes. My answer to that question is sure, sure I would want them to know that. But a physician and a health care provider and a patient can sit down together when the patient is healthy and make a decision what information would you want available and linked throughout the system in an emergency, in case you're in trouble. You can get fully informed patient consent.
MR. GELLMAN: Is that really a practical alternative to expect doctors and patients who don't have enough time to spend with each other to worry about all these hypothetical problems that might come up, and in fact to which the answers will change over time as people progress through their lives and get married and have other kinds of problems?
DR. NAGEL: Thank you for asking that question. The answer is yes, Mr. Gellman, yes. This is what we as physicians have been trained to do. It's what we want to do. I hope you will read very carefully the policy of the Massachusetts Medical Society. It answers that question in great detail. Yes, maybe sometimes it will take some extra time, but this is the responsibility as professionals. It relies on our ethics.
DR. HARDING: We have so many interesting and fundamental issues here before us. I have one thought. We've had a lot of testimony from public health officials saying that it is in the good of the most people to be able to have public health research going on. By that, they said that that has to be research that is not necessarily informed consent research, because if you ask people to join into a research program, you get a special group of people who volunteer to do that, therefore it throws off the research because the N is skewed in a certain direction, who knows how.
My bias is that some public health research needs to go on. This morning on CNN, they were talking about the folic acid survey which would have to come with a large population and not be screened by voluntary means. I think they were calling it folic acid.
When is it appropriate for people to be in registries or some kind of research without their knowledge or is there ever a time when a group such as yourselves would feel that that's appropriate?
DR. NAGEL: With identifiers? With their names?
DR. HARDING: In some cases, because of the longitudinal nature, there would have to be some identifiers to keep the longitudinal -- I mean if you're dealing with a folic acid study, you're going to be doing something over a five or 10-year period, you have to have some way to identify. Now, that can be controlled at different points, but public health, they need to have some identifiers for longitudinal studies.
MS. ROTHENBERG: I think it's presumptuous to think that individuals can't make these decisions. The fear is that in the short-term we might get better public health data, but in the long-term if the public doesn't trust the government who is doing the public health research, we will get worse data. I don't think it's an either or. I think we use our common sense and we decide. First of all, we don't live in an ideal world, there are some things we may never be able to get the best perfect research.
The number one principle in research is that it's voluntary. It is not done behind your back. We are still living and unfortunately dealing with the Tuskegee situation in which we have large parts of the population that don't trust the medical establishment. They may not even know that it was called Tuskegee, but they know it was done without their knowledge.
There's a lot of public health information that doesn't need a name. Registries actually may benefit individuals, so those individuals may be comfortable having their name on it. I think in most states, Bob may correct me if I'm wrong, I think a lot of people don't know that their names are on these registries, although I don't really see any harm with telling them that.
The National Action Plan on Breast Cancer has been working on a model informed consent for the purposes of tissue sample research in the future, and it has in it a clause there that now explains that there are already areas in which your name is on them and it's pursuant to various state laws that require that under their registries. But I think it would be foolish for us to just buy that view without really critically evaluating what those assumptions mean and what that means to the trust relationship, which is critical for us doing research in our country.
Sometimes we may need identifiers. When we need identifiers, you need to get informed consent. Sometimes we don't need identifiers and we have to ask ourselves do we really need identifiers. I would even like there to be a major educational process in this country in which we share with the public the importance of being involved in research. Part of that means the safeguards that we're going to give people for being part of it.
So, I would like to have the example, again, let's have some context rather than making wholesale generalizations, but I will make one generalization. Generally, I would trust the individual, it should be voluntary, and the harm should never be greater than the -- the harm to the individual that is involved in research has to always be taken into consideration.
MS. DAME: I would like to say something about that. I want to echo Karen. It seems that for public health research, this is one of the topics that's always thrown out, you would go down a series of steps. First, is there any way to do this with anonymous data? Sometimes, it takes more creativity and a little more work, but it seems that in large part that can deal with many of the problems. If you're not able to, then what is the barrier to getting informed consent? You talk about you get a skewed population, that's a problem in all medical research where you have informed consent and there are ways to deal with that.
Finally, if you can't do it without identifiable information, maybe you just don't do it. There's always a question to be asked that we would like the answer to and we just can't do all the research we would want. Any time you're doing a balancing, you can say well, it would be really nice because this would help us make this prediction in the future, but it's always hard to quantify this privacy loss, because it's the small incremental loss which over time becomes an enormous loss for the public.
DR. COHN: I actually had a follow-on question related to research. Obviously, we have a long history in the United States of basic medical research and applied medical research. Most research institutions have institutional review boards that have policies and, at least in my view, it seems to be a good institution. I'm curious about the panelists' views on the capabilities of institutional research boards and whether that's acceptable to them.
MS. DAME: We made a comment on this issue when we were talking about the Bennett bill. Some institutional review boards are very good, some are not. I mean we don't feel that's necessarily an adequate protection. One of the biggest problems is they are made up of members of the academic community where the priority of research may be fairly high and some of the privacy concerns of individuals may seem crazy or irrational. In this country, we have a fairly long tradition of respect for individual choice, even if may be slight irrational. So that the institutional review board is not an adequate protection.
MS. ROTHENBERG: I think that institutional review boards have been oversold in this country. I think it's the best we've got right now. I serve on the Recombinant DNA Advisory Committee, so we have an opportunity to review all the IRB-approved protocols that come for gene therapy. We're yet to ever approve one where the informed consent form was sufficient. Why is that we ask? Like you said, there's tremendous variation depending on one institutional review board in an institution, that's in your institution you say you have a good one, in other institutions they're weak. There's an inherent conflict of interest because if an institutional review board doesn't approve the protocol, then the research doesn't go forward or it gets stalled. With all the pressure to try to get funding in that institution, there becomes a problem for those that are working within the institutions to say no.
There are other institutions that are very stringent on informed consent, and in fact the discussions about confidentiality and privacy not being able to be totally protected even in the context of research, and they do a good job on it. It's the best we've got right now, but I think we're giving a false sense of security if we think that's going to solve the problem.
MR. LORTON: Up until 1994, I sat concurrently on the IRBs of two institutions. I would say our weakness was, including mine, was the fact that we weren't knowledgeable enough about the areas that these people were talking about. I think if we let things go through that are bad in those areas, it was because we weren't well educated, and perhaps rather than saying we should start from scratch with new institutions, that we should make the effort to upgrade the existing institutions in particularly those areas.
DR. NAGEL: Yes, I think that the other panelists make really good points. I think IRBs really are the best that we have right now. I think we can look to the best of the IRBs to tighten places that there may have gotten to be weaknesses in some of the IRBs. But in general, the IRBs really require patient consent in most instances. The rules are really quite strict. I think that people have worked voluntarily on these IRBs, they've worked hard, they've devoted time and energy to them, and I think no one, certainly not our organization, we want to speak well of them and point to the best of them to lead the way.
I would bring in a couple of points that most researchers that were on the research panel as I reviewed the transcripts, suggested that much research can be done on de-identified information. The same policy that I've been referring to says that the task force agreed with the American Medical Association that generally de-identified medical information is generally appropriate and sufficient for clinical research. The removal of identifiable information, and I'm still quoting, from records should be done at the physicians office and not by the research team. Whenever the scientific integrity of the research requires that personally identified information be used, the patient's voluntary and express consent must be obtained through the patient's physician.
So once again, the physicians are saying yes, we think this is important enough and it relies heavily enough on our ethical principles that we should be involved in this.
I also wanted to draw your attention, bringing together the research issue with the earlier question of preemption of state laws. On January 1, 1997, just last month, in Minnesota there is a new law on research. That law says that the provider must disclose in writing to patients that health records, regardless of when generated, may be released and that the patient may object, in which case the records will not be released.
MR. GELLMAN: I would like to -- go ahead.
MS. WARD: You spoke of the Equifax Survey and nothing has come up so far about penalties. One of the things on that survey was that a significant number of people responded that if they had more confidence that there were penalties for people who misuse the information, their willingness to have informed shared or computerized would be higher. Do any of you have proposals about strengthening penalties, or whether you think that has any bearing?
MR. ROTTENBERG: Let me speak to this. Privacy is a very difficult area to enforce your legal right, not only because of the risk of magnifying the harm through a public proceeding where issues will be discussed that gave rise to the privacy intrusion, but also for the very practical reason it's difficult to establish damages. The law does not work particularly well when you cannot show the harm that results.
The answer therefore, to provide the background to answer your question, typically what has to be done is to provide some form of stipulated damages per infraction that are significant enough to create an incentive so that people will bring private cases, particularly in the absence of an independent enforcement authority, because you see this is another area where the U.S. falls short on enforcing legal privacy rights. We don't have agencies as a general matter that will bring these suits, sometimes they're done in matters involving fraud and so forth, but rarely on behalf of individuals whose privacy rights have been infringed. So to create a mechanism that will actually have sufficient incentive to use the courts, there has to be sufficiently high level of liquidated damages and attorney's fees and so forth so these cases will be brought.
I can report with some satisfaction that over the last couple of years, there seems to be a move and a willingness on the part of Congress to accept higher levels of liquidated damages. So we see, for example, in the Privacy Act, moving from $1,000 to $5,000 per infraction in bills in Congress this year. So I think a system of fines, possibly criminal penalties where appropriate, but recognizing as I said this very difficult paradox of enforcing a legal right is first of all the risk of subsequent disclosure of the information, and secondly the problem in establishing the harm.
MR. GELLMAN: Let me follow up on that slightly. I'm talking about research and I'm talking here precisely about records research. I'm not talking about research on human subjects, which is a separate issue. Does anyone have an example of an IRB approved research project that resulted in a violation of somebody's privacy, information becoming public, getting out of the research context and being used by an employer, an example where someone has been harmed as a result of this?
DR. NAGEL: Before responding to that, you stated as a statement that you were talking about research on medical record information, not on human subjects. So I wanted to read to you from the research regs, from the IRB regulations the definition of a human subject. The human subject means a living individual about whom an investigator conducting research obtains; number two, identifiable private information. Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording has taken place, that they can reasonably expect that the information will not be made public (for example, a medical record).
So the definition in IRBs of what is experimentation on human subjects includes investigation of the medical record.
MR. GELLMAN: I understand that and I've read the definition, but there is a distinction between looking at a record and treating a patient. I'm asking the question are there examples of abuses where records only have been looked at and patients have not be treated that someone's privacy has been invaded. I think this is relevant to making a decision about to what extent you regulate and penalize this kind of activity.
MS. ROTHENBERG: How would we know?
MR. GELLMAN: Have there been any complaints? I mean I think that's a fair question.
MS. ROTHENBERG: There's not much of an incentive to bring it. I certainly know of individuals who think they have been harmed, but they have not gone public and they have not filed complaints. In the context of predisposition for genetic disease as I pointed out earlier, there's very little incentive to do it.
MR. GELLMAN: I recognize that. I think the point you made and that Mark made about the difficulty of bringing privacy actions and obtaining relief is very difficult. It does happen from time to time. I think the inquiry -- in determining to what extent you're going to regulate an activity, one of the questions is, and especially an ongoing activity with a long history behind it is to what extent have their been problems, to what extent do we need to deal with something because people are abusing records all over the place. That is a relevant question. I think your answer is reasonable, how do you know is always a problem, but sometimes you do know, sometimes there are cases, sometimes there are problems. If anyone has got examples, I would like to hear about them.
DR. NAGEL: I think that the IRBs that have been good have been very strict about enforcing what is research on a human subject, including on the medical information. They've kept it strict. They haven't shared the information. I think we can turn to our IRBs and say most of them have done a very good job saying you can't have the information without patient consent. So it sounds like you're starting from a premise that they're giving the information out.
MR. FANNING: It seems to me that the IRBs have approved a lot of projects in which there is not patient consent for record studies of the kind that are being discussed here. The regulations explicitly provide for waiver of informed consent in instances where obtaining it would be impractical and the risk to the individuals is minimal. So this research is going on now. There are studies that use records with identifiers without patient consent. So it may well be that there are many instances where that's not necessary and so on, but there is a core of studies where that must be done. I guess I would want to know have there been difficulties in those studies where the use of records without patient consent with identifiers has been approved.
MS. ROTHENBERG: I mean here's an example in fact where there haven't even been identifiers and there's been some concern, if I could just share. Again, I could just give anecdotes, but the situation of the recent study on the BRCA-1 and BRCA-2 predisposition for breast cancer among the Oshkonazi(?) Jewish community. That study followed using without names anonymous Tay-Sachs samples that had been stored. Then it was based on looking at those samples of which this created no problem for the IRB because there weren't names on them, but it identified a group, Oshkonazi Jews who never had agreed to have their Tay-Sachs samples being used to look for the BRCA-1 mutation. Well, they were. There are now concerns in the Oshkonazi Jewish community that they are going to be discriminated against, both in insurance and employment, not by name, but by group.
Now, we have nothing to protect that, because even the regulations recognize individual not group harm, but there is even concern in that context. There was no discussion or concern about it at the time.
MR. GELLMAN: I think that's an interesting observation and an interesting issue, but the notion of group privacy is something that is a relatively new concept to say the least.
MS. ROTHENBERG: Right, I guess if we can't solve this one yet, we're not ready to solve that one. But actually it's interesting, because I think our assumption that people are so worried about things that have their name on them should not in any way devalue this broader community concern, which I know in the Native American community is actually more important in some Native American communities than individual privacy. Their sense of group privacy is of a higher level.
MR. FANNING: That may be true, but the committee here has to make recommendations for the use of individual records in research. It seems unlikely that feeding those factors into these choices in a piece of legislation probably isn't going to occur. The IRB may want to take it into account. So we're still faced with this core issue of a class of studies, perhaps that don't have implications of the type you've just referred to, where identifiers are needed and it is not practical to obtain consent, possibly because you can't find the people to begin with, or because once having been found and opting out, they will skew the results. Either case will skew the sample. Now, how do --
MS. ROTHENBERG: Although in the genetics area, it may be more than the individual. It may be along a continuum between the individual and the community.
MR. FANNING: Yes, that may be true, but it's easier to at least start discussing it in the context of something that doesn't raise those issues like the studies that have been done in the past that have detected, for example, the harm of DES.
DR. NAGEL: Thank you, I think that's a good point. I think that what we have to recognize is that the research that is being contemplated today, that we heard people talking about that will be possible if we have a large-linked database that everyone is clamoring for access to, is quite different than many of the studies that have been done to date, that the large scale amount of material and accessibility and ability to do linkage studies on it is very, very different than what was contemplated when the IRB regulations were originally written.
I think we have to recognize, as Mr. Gellman pointed out when he was talking with the researchers, that we have research going on in academic institutions that we may all approve of, maybe some particular, maybe someone would have a quibble with, but maybe most people would think is terrific. I'm certainly in favor of research and my guess is that everybody on this panel is in favor of health care research. The question is how do we get the best data for the research.
People have not known that their information is being used for research purposes with their name on it without their consent. The studies, the surveys that have been done have proven that people have no clue that this is happening. People are now becoming educated. They now understand that this is happening. Unless we offer people real assurances, we're going to see people withholding information from the health care system that is not going to allow accurate studies to be done on the research. I'm in favor of the same thing you're in favor of, I want to see good public health research done, I want to see good medical research done, but if we don't have accurate data to do the research on, we're going to be doing research on pseudo-data.
MR. GELLMAN: We're going to take a 10 minute break now and reconvene at quarter of.
[Brief recess.]
MR. GELLMAN: I would like to go back to the issue of identifiers. I don't think we've exhausted this one yet. One of the alternatives, and Mark you talked about it, was the idea of a unique health identifier that is not a social security, it is used only for health purposes. I want to talk about what I see as some of the problems with that. And by the way, for whatever it's worth, my view on health identifiers is I think all the alternatives are lousy. I don't think any of them make any sense, but I think the case for a health identifier, the utility of a health identifier is clearly there, whether it's worth all the hooha over it is another issue.
The idea of a unique health identifier used only for health, let me read a list of people who are likely to have access to the health identifier, doctors, dentists, hospitals, laboratories, nursing homes, pharmacies, employers, federal and state health agencies, health, life and auto companies, public health agencies, schools, the Internal Revenue Service, inspector generals, social welfare agencies. Others who might get access to it in their ordinary course of operations include debt collectors and credit bureaus. There are others who could be added to this list.
If we have a new identifier solely for health, will it really be controllable? I mean I've just read a list of what's half the economy. Lots of people are going to have a unique identifier. Is it really controllable? What do you think, Mark?
MR. ROTTENBERG: I'm really bristling a little bit, Bob, by the way you're asking some of these questions. We're not trying to find perfect alternatives, we're trying to find better alternatives. That's essentially what policy is all about. The fact that a medical record identifier, medical record identification system will be available to many people and leave in place many privacy risks doesn't mean after careful evaluation it isn't still preferable to using the SSN to identify medical records. If that is the case, then that's what we should do.
MR. GELLMAN: You're jumping to the end, I'm looking at some of the details to see how you make that jump.
MR. ROTTENBERG: I tried to earlier answer this point by saying part of what you do is you back the technique with a regulatory regime or a legal right that tries to cabin the use of that identifier. So if, for example, you look seriously at the creation of a separate medical record identifier, and I have to say that even that enterprise presumes that it's necessary to be done and I think Dr. Nagel and others have raised very important questions, is it necessary to do. That's the first question. But for the sake of argument, if you assume that it's necessary to do, then one of the ways you may be able to do it is by associating the number with some specific legal safeguards.
The other thing in terms of the general question of data linkage which was asked by Dr. Cohn, one of the things you do by preventing the simple facilitation of data linkage is you force institutions to look more closely at their practices for exchanging records and I would say in a good sense sort of strengthen the institutional responsibility when those records are transferred. It becomes a significant act. In the absence of specific measures like a separate identifier used for these record systems, it is less likely to be a specific act. This is another privacy argument that I think would weigh in the balance of a different identifier.
MR. GELLMAN: Can we have rules that tell people whether they can collect and use a particular identifier without creating First Amendment problems?
MR. ROTTENBERG: We have lots of privacy statutes in the U.S. that limit the ability of organizations to disclose information on individuals. I know of very few that have been successfully challenged on the First Amendment basis, the only one perhaps was the Telephone Consumer Protection Act of 1991. I think the federal court eventually upheld it, but there the issue was the intrusion, it was the act of speaking to a person, the notion that a credit reporting agency or a telephone company or a bank for example has a First Amendment right to sell records on its customers or clients. I'm not aware that any court has ever upheld that position.
Now, whether USA Today can publish Arthur Ashe's medical record, which in fact they did, the answer is yes, they're protected in that case by the First Amendment. They also had no fiduciary relationship with Mr. Ashe and they were under no statutory obligation. But can you pass a statute that restricts a health care facility disclosing information on patients? Yes. Will it survive a First Amendment challenge? Will it work?
MR. GELLMAN: One of the things in discussing this issue with some people is that the first thing that would be created would be an index that linked the new identifier to the social security number. Would it really be possible to say to people you can't do that?
MR. ROTTENBERG: As I said, and you know this as well as I do, in terms of regulating privacy, there are practical problems, there are legal problems, there are all sorts of challenges. Privacy is essentially a series of hurdles and barriers that try to protect rights, it's incomplete. You need administrative procedures, technical procedures, legal procedures, but you hope that through the collection of these techniques and safeguards you have more privacy than you started with. So the sense of asking these questions and the sense of will they provide an absolute guarantee, of course not. There is no absolute guarantee. Would it provide a system that may well provide better privacy in the future than we have today? Quite likely, quite likely.
MS. ROTHENBERG: I think I would just add to Mark's, how much hassle do you want and how much do you really need it. I think you're right that if you really, really want it and it really, really benefits you, you may figure out a way to do it even if it means cheating, lying and taking your chances of being later fined, sued or whatever, because your chances of being fined, sued or whatever are rare. However, if you make it really hard to be able to do what you've just suggested, and you make it harder and harder and more and more expensive to be able to do it, I think Mark is right. So you've got to figure out a way, one you say you can't do it legally, and then you figure out a way technically to make it very difficult to do. You put in as many barriers as you can, and the message gets across as a matter of public policy, there's no reason, we don't sanction you to get it.
Now, yes, there are always going to be people to find out a way to get it. But that doesn't mean that as a matter of public policy you establish you have no right to it. I mean why does anybody beyond the provider have an inherent right to link up the unique identifier with the social security number? Tell me that, why? I mean go back to our basic principle that I think everybody on this panel agreed to. That's not why the record gets generated. Anyone beyond the person that has a right to get it, the presumption should be they don't.
MR. GELLMAN: But I read you the long list of people who will get the number in the ordinary course of their activity. It's not just something you disclose to your provider, it's something that is disclosed to lots of other people. The question is whether information that is being so widely shared and used can be practically controlled.
MS. ROTHENBERG: Right, but one of the reasons they can get it may be because we've agreed to give it to them, we the patient. Maybe we didn't know we were agreeing to give it to them, but we might have allowed that process, right? We might have signed something that said all those other people can get it.
MR. GELLMAN: And you might sign the same piece of paper even if there is a statute that says this number is restricted and someone will sign a consent form that says I authorize you to have my number notwithstanding the statutory protection.
MS. ROTHENBERG: You can do something about that, you can do something like we did in our recommendation that says you can't do that. You have to have a written disclosure that has parameters, that says who is going to get it and what they're going to get. That is still possible to do because what that does is -- that's the standard of care of medical record technicians. They don't just wily nily throw things out into the world for people to capture on their database. Their standard of care in clinical care is you set time frames and parameters. If it has to do with AIDS and it has to do with mental health, a red flag goes up. So why are we willing to throw all that out because there are abuses? Let's tighten it up.
MR. GELLMAN: Let me go to --
DR. NAGEL: Before you go on, I think there's a general point here that unless you recognize the right to privacy and try to protect it, it will cease to exist. So that we start over and over again from that premise. Maybe sometime someone is going to get something anyway, but we have to start from the premise that the patient has a right to privacy and we try to protect it.
MR. GELLMAN: Let me ask another question along this line. We had a social security number, it was originally to be used for limited purposes. When it began to be used in other ways, Congress passed a law in 1974 that restricted the way the number could be used by federal, state and local governments. Then it proceeded in a number of subsequent laws to say, notwithstanding any other provision of law, we authorize the use of the social security number for drivers licenses, for welfare, for state tax, for passports, for selective service. There is an incredible demand out there in the real world for a better identifier.
All the problems that have been identified with the social security number are all true and everybody else knows them, and if someone created a new identifier, the world would beat a path to their door. Even if you are able, this is a political judgment with which you are free to disagree, even if you could pass a law that said this number will only be used for health, when the welfare people and the immigration people come along later on and say if we had a better ID number we could save billions of dollars, because that's exactly what they said in the past. That argument always sells in Congress.
So what would happen, this is my fear is that by creating a new health ID number, 10 years down the road it would become a universal ID number for everything. The result would be that everyone would be worse off from a privacy point of view rather than better.
DR. NAGEL: MR. Gellman, you're making the best case for why we shouldn't have a universal health identification number.
MR. GELLMAN: That may be, but this is one of the options that's on the table and I think it needs to be explored. I also --
MS. ROTHENBERG: But, you're getting cynical in your old age here.
[Laughter.]
MR. GELLMAN: I was always cynical.
MS. ROTHENBERG: I know, you're getting worse. Let me be a little Pollyannish here please, bear with me. If you have the power to say, like we've all pressed you to say, what is the primary purpose of this, then the next time the welfare in the schools and all those come banging on the door to Congress to say disclosure, disclosure, disclosure, your position is going to be the primary role of that record is generated for the benefit of the patient, period. That's the presumption. You want to override that presumption, you have to show us the benefits. Then hopefully, there will be people like us that will also be asked to testify in Congress and say don't do it because if you let the welfare people get that number, that may mean that those individuals who are entitled to welfare or who are worried about immigration or all those other things, they won't get prenatal care or they're going to be afraid to come in when they've got a contagious disease or an infectious disease. Now, you Congress, you have on your backs the balance between the health care of our country and the next welfare check and you figure it out. So we've got to be at the table so that it doesn't happen the next time Congress is going to do a stupid rule like that.
MR. GELLMAN: I like that a lot, but I can tell you as a veteran of many of these fights that frequently you cannot even get issues raised, you cannot find members of Congress to raise these problems because they look at what's on the other side and the policy of the moment happens to be keeping illegal immigrants out or catching skipped fathers. No one will raise the issue and these bills pass 400 to nothing. This is what happens in the real world.
MS. ROTHENBERG: All right, I have a real world experience, could I just finish. Let's talk about genetics. You may think these laws are worth nothing and maybe they're not worth nothing and maybe that's why we've gotten them passed, who knows? However, we've got some strong things on the books in some states now about access to information that passed unanimously, bipartisan. The women's health groups got together, the doctors came behind us, the biotech communities were behind us, the health insurance companies didn't fight it. Life insurance may be a different issue. I think it can be done, particularly in areas where the public recognizes the end of research might be over, contagious diseases, things where we might be able to reduce morbidity and mortality. If we characterize it as a health problem, as health, that's what medical records are generated for. Let's put it in the context of health care, not in the context of a credit union being able to have a right to the information. Let's go back to the core. We go back to the core, we keep on focusing on the core, I'm willing to take the fight on.
MR. GELLMAN: Let me just say that there's no question that there are times when a privacy law like the genetics thing can benefit from this as the hot issue of the moment and things can get passed, and that's fine. What I'm concerned about here particularly is creating a new institutional being, namely the potential of a new identifier that really is a very attractive thing and once it's created it's really hard to say no to. There have been plenty of privacy laws that have been passed one year in the glow of the moment and the next year the same legislature comes back and with the same unanimous vote undercuts it. Mark.
MR. ROTTENBERG: I want to answer your point directly, Bob. I think it's very important for this committee not to prejudge this issue in terms of what you think Congress might do with it. If you consider the issue and on balance decide, given the merits that it would be a mistake to have a separate identifier, that's your judgment and that's what you should say and that's what you should recommend to the Secretary. But if you prejudge this and say Congress will never go for it, you set in process exactly the dynamic that prevents privacy legislation from going through in the Congress. Congress needs the best recommendations and the best advice about how to protect the privacy of their constituents. They care very much about this issue. They don't know how to handle it. They have to get advice that's based on an evaluation of the merits.
So as I said, I appreciate it that you're being a little provocative here and forcing us to make the privacy case, but there's a real danger here. You should not be taking this option off the table unless you've made a judgment that it's not the right option to pursue.
MR. GELLMAN: I think that's a fair point.
Let me try a couple other aspects of this. Why does the identifier matter at all? If we have a set of rules, we were able to pass a decent privacy bill that says records can be used in this way and not in the other way, what does it matter if there is an easier way to link the records. I mean we've got rules, people follow the rules and we can't worry too much about people not following the rules. They will either be penalized, that happens anyway. But if we have a set of rules that say these are all the appropriate uses of medical records, what difference does the identifier make for a privacy perspective?
MS. ROTHENBERG: I don't know.
MR. GELLMAN: Anybody? Mark?
MS. ROTHENBERG: Is that they only way -- I don't think, do you have to make that decision? Can't you set the principles out? That to me is more of a procedural issue or a mechanism for accomplishing your goals that you've set out, isn't it? Isn't it a way to try to do what you're trying to accomplish? And you can decide to reject it or not, or maybe I'm misunderstanding.
DR. COHN: I guess I am confused. I had asked earlier about data linkages and I had heard from Denise Nagel, Dr. Nagel, about there really are reasons to have information available on patients from site to site. So I had heard that there was actually a need for a patient identifier of some sort or other.
DR. NAGEL: I think you misunderstood me if that was the conclusion you drew.
DR. COHN: Maybe I misunderstood you, but what I had heard was patients had the right to have privacy, but for example they might elect to make available to other providers such things as penicillin allergies or other information about themselves. But once that occurred, there needed to be a way for other people to get that information. So I guess that was my presumption from you. Am I mistaken about that? I'm sorry. That's what you had said in testimony here.
DR. NAGEL: That certain information -- I was distracted for a moment so I may have missed it -- that certain information that a patient chooses to make available in a clinical context should be available to other clinicians caring for them, yes.
DR. COHN: Yes, around the country and there obviously needs to be some way to do that.
DR. NAGEL: I think there are ways of doing it. I think we have ways of doing it now. I think there are other additional ways of doing it. Some of it can be done by the patient themselves without requiring this linkage. There's a new --
DR. COHN: I guess this is one of the ways, and I was responding to --
DR. NAGEL: That's the point I was trying to make though.
DR. COHN: -- Karen about why you might, excuse me, Ms. Rothenburg, why you might want to have a linkage or whatever.
MS. ROTHENBERG: But I guess what I'm saying is that's just a mechanism. I would rather you, unless you have to, I'm sorry if you have to, we want you to focus on the principles and whether or not you have to do it with a unique identifier, I think Bob is raising some concerns about maybe unique identifier in some ways may create in the future more abuses rather than less. I think if you make it look -- I guess that was your point you were trying to make. I personally don't have the expertise to say whether that's going to happen.
But if you have a very strong statement consistent with what Dr. Nagel has just said, that there are reasons to share information when it has to do with the benefit of the patient, everything else the presumption is no one else gets it. They may be able to abut that presumption. I think that was your point as well. Maybe one way to help that process is to have this identifier, maybe it's not. You have to talk about the benefits and the risks. Personally, I don't know enough about the technology or the mechanisms to know. I don't like social security numbers though.
MR. GELLMAN: Basically nobody does, except that one of the aspects of it that's very important to some people is it's an existing number and changing it is going to cost a lot of money. That's another political reality. I accept your point about principles and all that, but you have to look at these things before and assess, exactly as you said, the benefits and the risks. Everybody sees a lot of these things differently, but I think they all have to be put out on the table while we're at it.
Let me go off onto a different direction now, unless someone wants to continue on it. We talked before about research use, I want to talk about law enforcement access in a context of health care fraud. There are a lot of other law enforcement issues, and we had a discussion of this actually at all the hearings. It's clearly a major problem. We don't know what the numbers are, but the estimates are in the tens of billions. This is a major problem, there's been tons of legislation passed at all levels trying to get at health care fraud.
Fraud investigators come, they did this yesterday, they did it when we had HHS, and they have made a case about the importance of access to identifiable records, not all the time because both the prosecutors and the inspector general types have said we don't always need identifiers. So in any circumstance, I think everybody agrees if we can give people access to records without identifiers, everybody is better off, nobody is worse off. So that's sort of off the table in terms of, I think that's sort of a slam dunk of a policy.
There are huge offices at the federal and state level, and also private ones, that deal with health care fraud. They get access to probably millions of records. How do we accommodate this clearly important concern and still balance privacy?
DR. NAGEL: I will try that one first if that's okay. We heard some very interesting discussion yesterday, I was glad to be here, from law enforcement. For the sake of the people that we're here to hear them, Mr. Gellman kept pushing one of the law enforcement people on the issue of databases. The person responded, we're not sitting at a computer looking at databases, we don't want to do linkage studies on databases, that's not what we're up to. Mr. Gellman then raised the question to that law enforcement official asking if he would be agreeable then not to have access to that database for the purpose of linkage. There was a long silence, he laughed and said, if the insurance company has access to it -- I'm paraphrasing -- I want access to it too.
So the first question is why not. Why not have law enforcement have access to everything. They're trying to do good. I don't think anyone on this panel, and certainly not me, would say anything negative about the desire of law enforcement and all of the rest of us to lower fraud. We are all interested in lowering fraud. We want to catch the crooks, we want to catch the scoundrels.
But why not? Why not give them then access to everything? I think the first thing that we have to do is return to the question of the medical record and medical information and what happens if you shift that information from being the patient's information given freely to try to get them medical care. I'm going to take a short diversion here if I may to tell you why I got into this in the first place.
I'm a psychiatrist. I have been practicing for 17 years psychotherapy. I do individual psychotherapy, couples therapy, family counseling. I was trained first as a pediatrician. I had absolutely no interest in getting involved in public policy, it was the last thing on my mind. I love my practice and I fully intended to do it forever.
I had a patient come into my office who said to me at the end of this hour could you please call this 800 number, it's the number of my managed care company. They want to ask you a few questions so that they can authorize care so you can continue to see me. The patient asked me to do it, of course I said yes. I had never had an experience like this before. I called the 800 number, the person on the other end of the line introduced themselves as Debbie. She then went on to ask me questions for 25 minutes. I had just spent 50 minutes with the patient, this person asked me questions for 25 minutes. I don't think there was anything she didn't cover.
During the time, she was typing all the information, so I could hear the click, click, click going into the computer. At the end of the time, she said call back in five visits so I can talk with you again about whether treatment is needed. Now, as a psychiatrist, I thought how in the world am I going to establish a relationship of trust with my patient when everything that they're telling me is being asked for and put into a computer data bank.
Now, this brings me in a long way back to the original question, which is law enforcement. If now we have not only these insurers saying they have to know everything, all the details, all the intimate details, now we have law enforcement saying they have to know all the intimate details, who is going to tell us anything? Who is going to come and get care?
You raised the question about studies for this. I don't think you have to find a study saying that people won't get care, I think all you have to do is line up a group of physicians and ask them, line up a group of patients and ask them.
The last point I want to make about fraud control is on a different note. For that, I really, really encourage you all to get this book License to Steal. It came out this year, and I will just read you a couple of quick quotes from it. He cites a senior fraud investigator at a Medicaid fraud control unit in which the author says that, "With electronic data interchange and computerization, thieves get to steal megabucks at the speed of light and we get to chase after them with a horse and buggy. No rational business man would ever invent a system like this"
Another representative of the insurance industry on the guarantee of anonymity stated, "Administrative cost savings with electronic data interchange will in no way compensate for the tide of fraudulent claims they expect to wash over the system."
Now, I'm just pulling a few quotes out of here, but he stalks about saving $8 to $10 billion or maybe even more than that, but that the losses are going to be so much greater than that, and he talks specifically about the fact that a lot of the fraud investigators that he cites and interviewed personally in here, don't want to identify more fraud because it makes them look bad. There's enough out there already, the more that they find, the worse it looks for the whole system. So I encourage you to read this book.
MS. ROTHENBERG: This may be another public policy decision that you need to make about what the ideal world would allow versus the tradeoffs. You ask yourself why is there fraud and where is the problem. The reason there's fraud is because there are dishonest people or dishonest institutions or greedy people. It has absolutely nothing to do with the patient. So I think it's a different analogy than some of the other analogies made about health where the individual may have to share the information with the health insurance company in order for them to get payment or get their benefits.
But here the individual is losing their privacy, the patient, so that the law enforcement can take a case against their doctor. That in fact means the individual gets sacrificed twice. Once they get sacrificed because they were paying for something, or an insurance company was paying for something, or we as society were paying for something where they basically took advantage of the individual and then secondly, they get further injured because they may lose their privacy because their name is on the records in order for the law enforcement may be able to prove the case against the fraudulent institution or provider.
So that might be a situation where we just can't allow the access with identifiable names. Now, maybe if you could get the names off through the numbers, and it wasn't linkable in other ways, or there were strong safeguards, I would be more comfortable, because I think you're right, we're all in favor, everybody in the world, it's mother and apple pie about reducing fraud. So much of the savings in Kassebaum-Kennedy are tied to we're going to put more money into fraud and it makes us all feel good. But if we as a society recognize that there might be some patients that get compromised as a result of it if their names are, or they could be otherwise identified, that may be one where we just as a society say we can't get it all, because isn't it ironic that the individual might be the one being injured when it's the health care provider or the greedy institution that's taking advantage. There's an irony I think in that problem.
MR. ROTTENBERG: I just want to give a quick answer to your question. I haven't followed health care fraud and some of the privacy issues as closely as others have. I would suggest as a general matter, there are probably three things, at least three things that you're looking for in terms of an effective policy. I mean you want clearly some procedures which govern an investigation. Health care fraud, unlike other types of criminal investigations, tends to be ongoing, but you want to look at the adequacy of the procedure. You need some independent evaluation. Then finally, you need some relief or remedy for people who suffer some harm, which comes back to your question regarding the IRBs. When these investigations run afoul, then there has to be some opportunity and some mechanism to punish the bad actors.
MR. LORTON: I just want to correct an impression. Blaming the EDI, the electronic data interchange for fraud is like blaming the pen for a forger. The reality is that electronic data interchange with HCFA, as Mr. Moore(?) would probably confirm, costs one-tenth the amount of money that it does to process a claim by hand. So electronic data interchange is not the cause of fraud, it may be a mechanism, but what is more needed is more enforcement against the fraud not cutting out the electronic data interchange.
DR. NAGEL: I think that's a good point and it's exactly the point that Mr. Sparrow makes that you do increase the efficiency of each claim and in the process take out the human oversight. So I think before you argue with his point, you really ought to read his entire point.
Let me just make one other point here. A heavy burden should really be placed on fraud investigators to show that they can't get the information they want through non-identifiable information. There were two cases, Blue Cross/Blue Shield of New York came to my organization, the National Coalition for Patient Rights and asked us to file an amicus brief in a case where they were asked to turn over all of their records in an identified form. Blue Cross/Blue Shield came to us and said we think this is going to damage patient confidentiality and we want your help in trying to restrict this. They were able to restrict what was turned over.
Pacific Care of California came to us and said they were asked, I think by an inspector general there, to turn over all the identified records of all of their health plan members. In that instance also, they came to us and said we think this will be terribly hurtful to our patients. Again, they were able to restrict it to the patients who had given their permission because they brought a complaint forward. So I think we need to look at non-identifiable information and at restricting the information.
MR. GELLMAN: Well, I certainly agree on the, and I said this before, everyone agrees on the non-identifiable information, but the fraud investigators have made a clear case if I'm going to prosecute somebody I've got to pull up a record and say you did not provide this service to this patient and you sent us a bill for it. That can't be done without having records that are identified at some point.
MS. ROTHENBERG: But in that situation, the patient may have to be a witness, right?
MR. GELLMAN: Possibly, possibly not.
MS. ROTHENBERG: How do they corroborate that in fact they never saw the patient? Any good defense attorney would want to then get the name of the patient, then the patient becomes a victim.
MR. GELLMAN: I can't do this as well as the law enforcement people can, but one example they gave is the doctor billed for a service at a time when he was not in the city, so you don't need the patient to be there.
MS. ROTHENBERG: You don't need the patient's name.
MR. GELLMAN: You may not need the patient's name to enter into evidence at the trial. I think that's different.
MS. ROTHENBERG: You don't need the patient's name if he was out of town, what is the difference what the patient's name was.
MR. GELLMAN: You need to be able to get the basic information and determine -- one of the examples he gave, the doctor was not in the operating room where patient A was, he was in the operating room where patient B was. In order to uncover all this information, you have to be able to get access to the underlying information. If you don't have a computer system that can serve up all your information in a non-identifiable way, you may have no choice but to go through a paper record. At some point there may be a need to look at identifiable records simply because that's the way the records are maintained.
DR. NAGEL: I don't think anyone would argue with this though that in certain instances you need to look at identified patient information, but that's where court orders come in. That's where you have to show compelling evidence. No one wants to stand in the way of a specific law enforcement activity on a specific case. What I think that a lot of people are very concerned about are these wholesale requests that we have to be able to have access to everything in case we need it. We have to be able to go on whatever kinds -- we don't want to call it a fishing expedition. We want to call it very specific, but we don't want to have to get a very specific court order for it, we want to have fishing expedition rights.
MR. GELLMAN: Well, I understand that and I'm not necessarily wildly unsympathetic to that point of view, but if you look at the legislation that has been passed, first of all prosecutors have grand jury subpoenas with which they can get access to any health record anywhere period. They have, the HHS Inspector General has authority to get any health record in the country period. In Kennedy-Kassebaum there was a provision that was just enacted that said the attorney general can issue a subpoena for any health record in the country, period. So the investigators have statutorily passed, or otherwise well established ability to get access to all of these records expressly to deal with what Congress has identified as a major problem of health care fraud.
DR. NAGEL: But that's why the charge from Congress to this committee --
MR. GELLMAN: This was in the same bill that gave the charge to us.
DR. NAGEL: This committee is to establish privacy standards. You've been given a really wonderful opportunity. These other statutes that you have talked about in the various states were not charged with establishing privacy standards that can shape the future action of Congress.
MR. GELLMAN: Well, that's very nice and I certainly hope someone will listen, but when Congress passes a law that says come up with some privacy recommendations and at the same time says we're giving the attorney general blanket authority to get access to all health records, it's hard to reconcile that and to expect Congress then to listen to a recommendation and then turn around and walk away from a provision that it just enacted.
MS. ROTHENBERG: I do think thought, even if they have subpoena power, you might want to share with them some suggestions about regulations or parameters as to how specific that subpoena would be, the presumption being that the information not be given unless there's proof that in fact they can show that this is the only way that they can get at the information. I mean there are analogies in other areas of law that they could do that. You could seal the information.
MR. GELLMAN: Do you think that when law enforcement investigators get access to records, they should provide notice to the patient in all cases?
MS. ROTHENBERG: Oh, absolutely, why not? Give me an example.
MR. GELLMAN: Investigators come to a physician's office, they may look at all the records in the office. They have this broad authority to look at thousands and millions of records. Let me ask Dr. Nagel a question, how do you feel if an investigator came and said we have a subpoena here, we want to look at your records, we've gone through the procedures, and said we want to look at your records for some general investigation of health care fraud and we want to send a notice to all of your patients. How do you think your patients would react to that?
DR. NAGEL: I think you heard really good answers, and I will be happy to answer that question, but you heard really good answers yesterday from the American Medical Association and the American Psychiatric Association. If someone comes to a doctor's door and says they have a subpoena, the first thing the physician should do is call their medical society. The next thing the physician will be guided to do is to call the lawyer that can give them advice on this. Then if you're saying that an investigation is going on of a specific physician that is absolutely legal and the lawyer says it is and the medical society says it is, then absolutely the patients should be included in this.
We had a case in Massachusetts that you may be familiar with called Coburn versus Commonwealth. I do think it is amusing that I have been citing a number of the legal issues on this as well as the medical, but I think they're really important and they need to come out here. Coburn versus Commonwealth was an example of that. A Medicaid fraud unit came to a psychiatrist's office and wanted patient identified records, they wanted the whole thing. The Supreme Court of Massachusetts came out and said that's improper to have the whole thing. We will tell you what specific things you really need to do this fraud investigation. That's what they set out. That's appropriate.
MR. GELLMAN: Well, just to make a point about the testimony yesterday. Some of what you said is correct in terms of what the medical and the hospital association said, but when we turned the subject away from sort of criminal law enforcement activity to health care fraud, they said oh that's a little different, we have much looser standards there.
DR. NAGEL: They didn't say they had looser standards, no, they said they had different -- things were I think to be done differently.
MR. GELLMAN: Just to make a point, every year in this country there are millions of demands for medical records. I've never heard anyone say that there are millions of notices that flow through to patients of the fact that fraud investigators are getting their records.
MS. ROTHENBERG: There aren't. You know it's an interesting -- I may have jumped too quickly because I could argue this both ways. On the one hand, I think they should have entitlement to notice because why should somebody else have this information when they don't even know they've had it, particularly they can get information and that can show that the person is an illegal alien, or it can show information that can hurt the patient when that was not at all the intention of why you wanted to get that information. That's why you have to craft very tightly what that subpoena is.
But on the other hand, I worry about there being breaches when you give people notice. It's how you do the notice. If you do the notice through the mail or through e-mail or if they're leaving it on voice mail or something, then you've not only breached their privacy once, now you've told maybe the other person -- it then opens it up for other people to get, not just the individual. So I would like them to get notice, but I would be very concerned about how you give them the notice so that you don't further compound the problem.
MR. GELLMAN: What do you think the reaction of an average person would be to find out that their doctor is being investigated for health care fraud and their records are being looked at in the course of this? What do you think most patients would do about it? Do you think patients would over react to a notice like this in a circumstance where perhaps -- and this is certainly an issue -- their concern about how the records might be used otherwise might be addressed in some other way? Are we better off telling them or are we going to create more problems and difficulty and expense and court litigation? I mean this is part of the real world struggle over how far do you go and how much do you tell people.
MS. ROTHENBERG: I think their first reaction would be one of distrust of their health care provider. They would first be worried about oh my God, my health care provider is a fraudulent person. So that would be the first thing I would be concerned about, the future of the relationship. That would be one that has really nothing to do with privacy or confidentiality, that just goes to the core of what it means to be told your doctor is being investigated for fraud.
So that raises some interesting questions. We don't tell patients now that their doctors are being investigated for disciplinary action. It's caveat emptor. So I think that would be the first interesting public policy question.
The second one is I think it depends the context of where they're getting their care. I would bet patients are less worried about -- there's no empirical stuff to back this up unless anybody else knows this -- they would probably be less worried about going to the foot doctor for fraud than they would about going to the psychiatrist and being investigated for fraud. So the context of it may matter. I think it's very hard to generalize about people's sensitivities.
I think they would be very upset, however, that they were being used in order to make a case against somebody that you've now told them is doing criminal activity.
DR. NAGEL: I think you're also skipping over the point in saying how would you feel if your patients were told that this is being done. I think the first piece that needs to be addressed is when can it be done and in what instances and that the burden must be on the fraud investigators that they can't get the information in any other way and that it's necessary. The reason for that is the courts have said you start from the right to privacy.
DR. HARDING: Just speaking for the IG who was here a month ago or so, one of their concerns was that if the patients were notified it would take away the issue of collusion between the provider and the patient in some cases where they're looking at triple billing or something like that with the patient colluding with it. So they didn't want to in some points tip the patient off that there was something going on if they were being investigated too perhaps.
MS. ROTHENBERG: Oh, but then you've got other issues about due process and whether or not you're then going to use that to hurt the patient in any way. That raises a whole bunch of other questions that worry me.
MR. ROTTENBERG: We've confronted this in other settings. Records can be disclosed when an investigation is completed. I'm not necessarily -- I understand the issue you're describing -- I'm not necessarily in favor of the notice, but I don't think the fact that the notice, this happens in wiretapping for example, the fact that the notice may tip the hand of the prosecutor during the course of the investigation is simply stalled by waiting until the investigation is concluded.
MR. GELLMAN: What I'm trying to do with this discussion is there are -- we're operating in a circumstance where we've got a lot of existing law and authority on the law enforcement side and we're looking for ways to try and balance that off with privacy interests. A lot of the options that are out there are messy, cumbersome, difficult, raise other problems and we need to explore some of these alternatives just to see -- that's the point of the discussion.
MS. ROTHENBERG: And I think when you're looking at law enforcement though, you have to look at the subject of the investigation and the role of the record. Are the law enforcement agencies wanting to breach the privacy of the record in order to make a case against that individual or against a third party? That may be relevant.
MR. GELLMAN: Maybe. Let me just close this discussion with a cheap comment. The new authority for the attorney general to get access to every health care record in the country just slipped right in in the Kennedy-Kassebaum bill. Probably no one saw it, probably no one fought against it, I don't know, but it got through. That's how these laws that undermine privacy interests happen.
DR. COHN: I actually have another area that I wanted to ask a question about, primarily focused on Mr. Rottenberg and Mr. Lorton, but the others can join in. It really has to do with Mr. Rottenberg's initial comments about privacy enhancing technology. You had mentioned that as one of your key areas that you thought that this committee should be looking at. I was curious, in our discussions, where do you think those fit, privacy enhancing technologies really fit in.
The question I have for Mr. Lorton is, since you commented that technology is probably not the answer, I'm curious about your views no whether technology fits in also.
MR. ROTTENBERG: Let me say first of all that I think privacy enhancing technologies are going to be the buzzword of a lot of privacy policy that you're going to hear about over the next few years. The Europeans are very interested in this and there's been quite a lot of effort and resources thrown into looking at this.
There's been a big debate I would say in this country about an important privacy enhancing technology, though it's rarely called that, and that is cryptography and questions about communications, privacy and the right of the government to limit the use of that particular technique for law enforcement purposes. But cryptography in fact is just one of I think what will turn out to be really a whole range of mechanisms to protect privacy. I would include, for example, techniques for anonymous or pseudo-anonymous transactions. This is being developed right now, for example, in the electronic payment systems for commerce, intelligent vehicle highway systems, IVHS, to find methods to transfer at a general level between a customer and a vendor payment for a service.
Now, there are specific reasons why that is quite a bit more difficult to implement in the medical care context, because of course services are customized to an individual. Anonymity per se is not necessarily a desirable outcome. But in the linkages of data sets and attempts to de-anonymize personal information and still make useful data available to researchers and others, I think there are going to be more opportunities to find techniques to serve some of the policy goals you're looking at.
My recommendation at the outset was not so much to try to describe what all these techniques are or where they're heading, I don't think anyone can do that at this point, but to encourage you to recommend to the Secretary that more research be done in this area. I think it is an area of great sort of opportunity where some of these problems may be solved. I think we're in the very early stages of understanding new systems of identification that protect privacy and I think it's worth quite a lot, given the levels of privacy concern and the competing policy interests, it's worth quite a bit of effort to go down this path.
MR. LORTON: We really talk about not privacy and confidentiality which are policy issues, but security issues. The security is basically in two circumstances, inside the health care environment and outside the health care environment. About the only one that crosses that environment is netscape browsers or things like that where people from outside the health care environment can get in somehow. We actually have been doing a lot of technology using cryptography to make transmitting medical data across the net very, very secure. So it's essentially unbreakable. We've been doing that with Oakridge National Laboratories.
The other issue of the three issues is that the big problem in security within the hospital is defining who gets what information. That is a whole area which is essentially in this policy decision completely not handled at all. We handle it in very general circumstances but that doesn't help hospital information systems because they have to implement not the general circumstance, but the specific. The third issue, as I said, we don't depend on technology because if you're looking at the health care environment, technology is so varied across that environment. There are 600 organizations that make clinical information systems, 600. Each of those has their own best way of doing things. The problem will be implementing whatever policy decisions you decide on throughout all the 5,000 hospitals and unknown number of places to gather health data with one of these 600 different things. My concern is that a solution that depends on technology, any specific technology won't be implementable.
I think that actually that's where the government needs to take a role in driving standards, in driving implementation of standards, driving development of standards so that these organizations that develop stuff will then coalesce around standards. Was that the thrust of your question?
DR. COHN: That handles some of this.
MR. GELLMAN: Let me make a couple of points off this. I think what you all said is very well taken. I think some of the major medical privacy bills are significantly deficient in the area of PETS, privacy enhancing technologies. I think that the integration of the notion of coded and anonymous information in the McDermott Bill, which I think has a lot of other problems, but I think that is a very positive step. I think it's something that needs a lot more effort. I don't think that you can avoid some of the hard questions by simply relying on anonymous or coded information all the time, but you can surely minimize them. That really helps a lot. To the extent that you can do things in a coded or anonymized way, and still accomplish all of the purposes, everybody is better off, nobody is worse off, so I think that's very important to pursue.
Let me pursue with you, Lew, the issue of implementing solutions. We've got, as you said, an incredible mix of technology out there, handwritten paper records to computerized, whatever. How do you go about phasing in requirements in order to make it possible for the technology to catch up with the policy in some kind of cost effective way?
MR. LORTON: I personally believe in what somebody has called the communitarian(?) view of confidentiality within the health care environment. That's to assume that within the health care environment everybody within that environment will respect your privacy. Now I do that not because I believe that everybody might, but only because of the fact that I can't work through a circumstance in which I can make another opportunity, another situation work.
Somebody before mentioned, they say, well I want to make sure that my AIDS data is segregated or my psychiatric data is segregated. That's very easy to say, but when you come to it do you say okay which variables do we not show to people, which medicines do we not show to people. How can we make these decisions and how do we -- we can't just make block decisions. We have to have a lot of very difficult decisions made on an individual patient level and who do we trust to make these decisions. But if you say this to the hospital information system person, you've got to make this possible to do. We have our own problems which is building a system to do that. The bigger problem is going to be to health care, to say make this work. So it's the hospitals that are going to be a problem.
We've looked at a lot of these confidentiality enhancing things and that's not a problem. You do cryptography, you install the cryptography and you make it work, but not one of these things works across the board. You can't have little tokens that you put in the CPUs so that you see the data, because doctors walk away from the CPU, they may not have it. Somebody else who is there at the time may need it. Every time we come up with even a bevy of solutions, everybody in the room puts up their hands and gives 12 different reasons why that won't work for them.
We had a meeting on confidentiality and privacy and one of the people said I don't want my other doctors to know what my psychiatrist is giving me. Some neurologists in the room said wait a minute, I want to know. I think everybody but the dentists and the podiatrists wanted to know. So it's hard to make those difficult decisions, but those are the things that policy at least needs to steer us to by putting the limits on what decisions can be made. That's a technology problem for a technologist, and what I represent, what we're afraid of is that we don't know what's coming. Every day people are putting in systems, building towards systems, doing research. One of the reasons that I follow what you're doing is because we want some heads up on what's going to happen next year or the year after so we know that all of our systems are not going to be obsolete, so we can do whatever you say we should do.
DR. NAGEL: I would like to make a quick point on technology. I think a lot of the points that have been made are really good, privacy enhancing technology is terrific, we need it, but we need first a principle. First we need the principle that the patients have the right to privacy and that they're the ones who can control who has access to the information. Then you can have privacy enhancing technology that develops it. Unless we have the standard it's not going to be developed.
We need one further thing besides the standard. We need incentive. I've talked to a lot of computer security people at this point, they have a lot of ideas. The incentive for them, the money for them has been in developing systems that permit access and permit linkage. If we give the technology people in this country a very different message, if we tell them what we want is a secure system so we can have quality medical care and you're task is to design this system from the standpoint of absolute privacy protection, I think we're going to find that we start getting much more innovative, creative solutions.
MR. GELLMAN: I want to throw a problem at you that really hasn't been addressed directly to see if anyone has got a thought. There seems to be a considerable amount of commercial trafficking in health information. Mailing list companies like Metromail(?) have extensive databases of patients by diagnosis. According to one number I saw a few years ago, they had a patient database of 15 million people with people identified by diabetes, allergies, parkinson's disease, bladder control problems and on and on and on.
The information in these databases does not appear to originate from the health care system, it actually appears to originate from the patient's themselves or perhaps there are also other sources of health care related information, for example, if you participate in a frequent shopper program at a supermarket and you go in and buy a tube of Preparation H, the supermarket can make some inferences about what may be the matter with you. Does anybody have any ideas about how to deal with this? Is this an issue that should be addressed? Should this be regulated in some way? How might you do it?
MR. ROTTENBERG: What do we have about 10 minutes total to solve this problem?
MR. GELLMAN: If you have an answer to this problem, we will keep going.
[Laughter.]
MR. ROTTENBERG: After the problem of medical record privacy, I would say that the commodification(?) of personal information is the next biggest privacy issue in this country and it is a very tough issue. There is no 10 minute answer or 10 day or 10 year answer. But I will tell you one effort which we undertook among several to try to address the problem, because fundamentally I think it is a question of whose information is this and who has the right to obtain commercial benefit from this information.
We became involved in a case in Virginia, a man who sued U.S. News and World Report under the state statute regarding commercial appropriation for the sale of his name on a mailing list. It was Aberhomi(?) versus U.S. News and World Report. The case didn't fare so well and we essentially lost in the mid-level court in Virginia, but my sense having gone through that is that this issue is going to keep coming back and coming back because the commercial value which is being obtained from the data is tremendous. There are certainly precedents and themes that run throughout privacy law, which would suggest that people do not have the right to this value without performed consent, but between here and there is quite a bit of distance. So I don't know what the short-term solution is.
MS. ROTHENBERG: I think the short-term solution is education. When somebody goes to the Giant Pharmacy and buys whatever, Preparation H or some other things, and they swipe the credit card number in that system, then it gets to the commercial market. If they use cash it doesn't. So as a short-term solution, I think at least there could be some level of education with the public that they could decide. If your credit card, you actually do give up privacy. I don't think a lot of people recognize that. You're getting a benefit, I mean I get the benefit of frequent flyer miles every time I go into Giant pharmacy. I'm okay about that, I'm okay about some commercial person knowing I took Preparation H because I might get a coupon for it the next time. So I've made that decision, I might save money. But I might think twice the time I buy my Prozac or something like that. I don't take Prozac, but a lot of people in this room may take Prozac and they might not want to share that. So that one I might choose to pay, but I would choose that one not to pay with my credit card, to pay with cash. So if nothing else, before we have any regulation, we could certainly have an education that at least lets people know now this is going on.
MR. GELLMAN: I think that's a fair point and one might talk not only in terms of education but in better disclosures to people when information about them is being collected. Typically on some of the forms that people fill out, consumer surveys, they say this information may be used for marketing purposes without further explanation.
MR. LORTON: I just want to make a rather general point, when we pay for prescriptions with credit cards, when we pay our physicians with credit cards or checks, everything becomes medical information and this blur between the medical record as a paper record that can be put in a drawer somewhere and locked away becomes very diffuse. So that's one of the challenges for us to, for us, for you, to make certain -- for them, right -- for them to make certain that this bright line is drawn somewhere. Then you can turn around and say to the people who make these things, this is where we want you -- this is the bright line that we want you to guard. You have to draw the bright line.
MR. GELLMAN: Let me say in that regard that there has been at least some attempt in one of the bills to address the issue of credit cards. If you go to see an oncologist every week for a year and you pay with a credit card, the credit card company knows something about you by virtue of that. The Condit(?) Bill has a provision that tries to regulate the use of this information by credit card companies and to restrict it. I think you're right, this is an example of how information leaks out of the health care system into other activities that are going on routinely and it's really hard to get a grip on all of this.
MS. ROTHENBERG: I think we would all agree it should be restricted. There is a value about who should get -- we would all agree that there's a value that we don't think the credit card company should be able to sell that to another third party for commercial benefit. Do we all agree with that? That's an easy one, it seems to us.
MR. ROTTENBERG: See, we solved it.
MR. GELLMAN: Thank you. We have a few minutes left. I do want to ask another question. You talked about some of the laws, Karen that deal with genetic information. We have lots of laws floating around in various ways that regulate slices of information. Can you talk about, let's focus on genetic information in some ways as a proxy for all the categories. How do you define genetic information? How do you tell what's genetic information and what isn't? How do the bills approach this? How would you approach it? How do we draw these kinds of lines?
MS. ROTHENBERG: In one minute?
MR. GELLMAN: I will give you at least two.
MS. ROTHENBERG: Well, most of the bills don't define genetic information. Most of the bills focus on genetic tests. That becomes problematic to some extent because you can get genetic information from other ways, including family history. The more broad you define genetic information, the worry among some is it swallows up everything, that everything to some extent is genetic, maybe even, except maybe trauma and maybe even that, there may be predispositions for people to do risky behavior in some ways.
So I think it becomes a very broad definition. I can give you the definition that we've used in the laws. I should know this by heart but I don't. You all have a copy of this testimony. You should all have a copy of it, so it's in there. It's defined as information about genes, gene products or inherited characteristics that may derive from the individual or family member. That's a very broad definition, so that would prevent them -- then the next question is how do you know it when you see it. I think that's a challenge for technology too to figure out how to implement that broad definition.
MR. GELLMAN: But it's a challenge for legislation too in trying to draw clear lines between one class of information and the next. For example, if I go in to have surgery and I say to my doctor I'm depressed, does that become a mental health record. If so, does it become subject to a different set of laws. If I say my father had the same surgery, does that become a genetic record. This is not a trivial problem.
MS. ROTHENBERG: Right, and I think that the intent of those people writing these laws would be to take the broadest view of that, to give as little access as possible to those that they're fearful are going to use it against them.
DR. HARDING: Mr. Rottenberg, you mentioned one of your six principles an independent privacy agency. Could you just give a few minutes on what you might have in mind? The goods and the bad news.
MR. ROTTENBERG: Well, I know this is an issue that Bob has also written on and has some feelings about. My experience working on a whole range of privacy issues is that countries which have permanent privacy agencies generally do a better job of resolving privacy concerns when they arise. I said generally do a better job, I didn't say that they do a perfect job. But the privacy agency in Australia for example has done a half a dozen reports on medical record privacy that have affected institutional practices in that country. The Province of Ontario has done many privacy reports. The European Union and the European governments have done many reports. There have been a few in the U.S. The IOM did a very good report I thought.
My main reason for recommending that you recommend the creation of an independent privacy agency which could be general or could be solely tied to medical issues is to ensure that there is ongoing institutional expertise and attention focused on these issues. It's really an argument about institutional and structural procedures for developing public policy. Law enforcement will always be present, insurers will always be present, there will always be the stakeholders with competing claims for the use of the medical record. There has to be somewhere in the federal government an agency with an ongoing interest to protect that record.
MR. GELLMAN: I can't think of a better place to stop than that.
DR. NAGEL: Would it be reasonable to make a one minute closing comment? I would just encourage you all when you go to sit down to make these recommendations for you to put on your hat as a patient. Think about yourselves and think about your family members and think about how you want your son or daughter's medical record to be handled now or 20 years from now. Right now we're learning that people are already going out of state sometimes, getting anonymous medical care. This isn't a good solution. We need a really good solution that starts with the premise that people have a right to privacy in their medical treatment.
MR. GELLMAN: I would like to thank all of the witnesses. I think their participation here has been very helpful and I think we've really gotten through lots of very difficult issues. We will reconvene at 1:00 in this room.
[Whereupon at 12:10 p.m., the meeting recessed for lunch, to reconvene at 1:00 p.m.]
A F T E R N O O N S E S S I O N
MR. GELLMAN: This is the last afternoon of these hearings. This is the home stretch. We're going to proceed just the way we did before. I will announce that there will be an opportunity for public comments at the end of the day. If you want to make a comment, you need to sign up in the back of the room. Otherwise, we will just begin with our witnesses. Janlori, would you like to start?
Agenda Item: Privacy and Patient Groups; Privacy-enhancing Technology
MS. GOLDMAN: Sure. Thank you for inviting me to appear here today. I see so many familiar faces, many of us who have been working on the issue of medical privacy for many, many years. I'm hoping that in some ways this is the final stretch. I know I said that two years ago and two years before that and a couple years before that, but I'm a little bit more optimistic now than I have been before, not necessarily because we've been able to achieve a greater meeting of the minds. I think where we have consensus, we have consensus and where we have disagreement, we continue to have disagreement, but there's a much greater urgency for us to act now and we're in a very different political and legal climate than we have been.
I just want to make clear that I am for the first time in a while appearing with a different hat than normal. I'm not appearing on behalf of the Center for Democracy and Technology. I'm spending a year visiting at Georgetown Law School and I'm appearing in my capacity that way, which may give me a little bit more freedom than usual.
The statement that I submitted today is a report that I prepared with Deirdre Mulligan(?) who is the staff counsel at CDT, Privacy and Health Information Systems, a Guide to Protecting Patient Confidentiality. We have been working on the report for a couple of years and essentially put it together after working hands on with a number of community health management information sites, which are known as CHMIS, they're networked health information systems that are in planning. There aren't really any up and running, but we were brought in to make sure that privacy and security were principles and practices built into those systems. That was essentially our task.
It was a task that was met with tremendous resistance by people from every sector imaginable in that process. Privacy was seen as an obstacle, as a barrier to the development of health information systems. It was seen as a cost that could not be justified, that was not necessary. We were asked to kind of show the harm, prove the harm. That's where we started.
I think that in the last few years, we've made significant progress in helping people understand that you can't have an effective, both cost effective and, from a health care standpoint, effective health information system without strongly protecting privacy and security, that the ultimate goals that people are seeking to achieve in putting health information on-line and allowing it to be networked and shared and aggregated, both identifiable and non-identifiable, the goals of putting together those systems, which is reducing costs, improving quality of care, understanding more about populations could not be achieved if people didn't trust that their information would be protected because they would lose confidence in the health care system. They would withhold information, they would lie, their providers would withhold information, they would submit inaccurate information all as a way to protect their privacy, which I think people understand in a very visceral way and they know that it's the provider who is really in the position to protect their privacy, or they withhold information from their providers, which also undermines overall health care goals.
What we tried to do in putting together this report was to start from scratch and say what's important here, why is privacy important, why do people care, and then to give people a step by step guide to how they can protect privacy and security in health information systems. Many people say show me how to do it, and this is at least an attempt to take people through some of those steps and give them some kind of a working guide.
We go through what do you do when you're preparing to collect data, empowering the patient to be active, an active participant in the health information environment. What are some ways to actually collect the data, sharing the data internally, sharing it with caregivers, and then aggregating and anonymizing the data.
As I said at the outset, there's been a serious need for health information privacy legislation for many years, but there are a number of things that have occurred in the last year or so that I think have really heightened the urgency for this and have really changed the political environment. One is the one that I'm sure we've been hearing about a lot, which is the shift away from the traditional doctor/patient relationship into managed care environments, where people no longer have any real say over how their information is used, who gets it, under what circumstances and choices that they're given if they're given any at all about how much information should be collected and who should share it are probably not meaningful choices. They're most likely coerced in the sense of if you don't give us this information or you don't authorize the disclosure of it, we're not going to provide you care, we're not going to be able to pay for your treatment or there might not be meaningful choices and that people may not be given adequate information about how the information is going to be used and by whom. So you need to both have an uncoerced and voluntary choice and it needs to be meaningful in the sense of giving people enough information to make a choice.
The second thing that has occurred that I think has caused a great shift is the computerization of health information. Now again, we're still looking at the majority of health information being in paper form, but we are very quickly and now with recent law moving towards an environment where we're going to have both paper and electronic records. The risk to privacy and the risk of abuse is greatly magnified in an electronic environment. It's not just a matter of rifling through a drawer and pulling out one person's file and faxing it or xeroxing it, the capability or the capacity at least to access thousands and thousands of people's records. Now, the other thing which I heard brought out a lot on the first panel, which I completely agree with, is that the technical environment and the technical developments that we've seen in the last few years give us tremendous opportunities to protect privacy at a greater level than we currently have in a paper system. But you have to make the policy decision and Denise Nagel said this earlier, you have to make a policy decision that you're going to protect that information and then you can design the systems and policies around that policy decision but it has to be done at the outset. But it can be done and it should be done.
We're in kind of an odd time where for many decades information technology has been designed and used primarily to benefit either the government or large private institutions and the individual has more and more loss control over his or her personal information. What we see now with encryption and passwords and audit trails and smart cards possibly is the opportunity for people to have some of that technological power on their side to make decisions, to get access to information, to carry their own information, to get access to correct information. There are ways that people can be empowered in privacy and enhanced through new technologies, but again we've got to make those policy choices.
The most critical thing I think that has changed the political environment is the passage of the administrative simplification language last August in the Health Care Portability Act. There is no doubt that the divisions and the disagreements in the privacy and consumer communities of the last couple of years about how to craft the strongest most enforceable privacy legislation and get it moving through the Congress I think was one of the factors that led to this kind of last minute and successful effort to put the administrative simplification language into this law without privacy rules attached to it from the outset.
It is a disaster. I think it leaves us in a position that security people and technology people would tell you you should never be in, which is designing rules after the fact which have to then be retrofitted and built into a system that is going to be required to put health information encounter data into standard electronic form. And so, when people say, as Lew Lorton said this morning, when people say just tell us what the rules are because we want to be able to build it in, well this is the problem, it's not going to happen that way. It's going to happen I think in a backwards way at greater expense than we would otherwise have had to have.
The good news about this bad news is that we now have to do something. We're now in a much more defensive posture, where before we were in a vacuum saying okay, there's no protection for personal health information, what do we do, now we have a situation where if we don't act in the next year or so there is going to be information in electronic form mandated in electronic form without privacy rules in place. So we have a moral and legal imperative I think to work together in way we didn't have before.
The basic principles that I think should be embodied into any legislation, which we've again heard about, people should have a right to access their own medical records, people should have some control over their health information with certain exceptions being the mandatory reporting of child abuse or gunshot wounds. Fourth Amendment rules have got to be in place that govern law enforcement and other government officials. The government is not the same as an insurance company. They are different. The Constitution says that the government is different and there should be rules attached to how the government can get access to personal information. There should be enforcement of the law and strong sanctions and remedies and I think that there should also be a requirement that the information be maintained in a secure environment. That's it. Thank you.
MR. GELLMAN: Thank you. Don.
MR. HAINES: Thank you. First, I'm recovering from the flu, although I'm certified not contagious. I have a raspy throat, so I have lozenge which I hope doesn't impede my delivery.
I'm very happy to have been invited to appear on behalf of the American Civil Liberties Union. We have 275,000 members nationwide, 51 state affiliates, now in its 76th year. We have an active legislative program at the federal level. It's where I work and where I lobbied ineffectively against the Pearl Harbor sneak attack of administrative simp, although I would suggest that that legislative battle may in fact not be over. So don't perhaps too diligently pursue this process -- and also an active legislative program in the states. I would not be surprised in the course of perhaps not this legislative session but the following one, to see state legislation in one or two states on medical privacy using the one success that we were able to get on administrative simp which is the state preemption of federal law -- what a nice ring to it -- that we may well get some surprising protection for state privacy. I'm sure as we engage in our dialogue, we will flesh out some of the reasons why that's important.
We also have an active litigation program and you're certainly probably more familiar with our work on free speech, church/state, antidiscrimination matters, but we also have been active in litigation. In fact, we're currently of counsel to a number of Massachusetts plaintiffs who are suing the Inspector General of HHS, as well as other people in an oversight breach of confidentiality and identifiable HIV records.
So I just wanted to give you that background. I also have a labor background. I was for a while, about three years, full-time president of the 54-member Office Worker Union, and in that capacity represented administrative personnel, non-medical administrative personnel at a couple of large HMOs, the then Group Health as well as Kaiser Permanente here, and in addition represented some medical as well as administrative personnel at the former Georgetown Dental School.
Now, I appreciate the opportunity that Mr. Gellman and Mr. Fanning have given us to respond in a rejoinder way to comments made earlier. When I earlier protested to Bob about the way the Privacy Subcommittee was structuring its hearings, six days of hearings, five of them based on disclosure, one on privacy, he said but that just gives you an opportunity to respond. I think that's a good thing and I am happy that the transfers for the first two days are up, those unfortunately happened to be the two days before I had the flu, so I was there for those. So we're going to provide some responses, but I think that the rejoinder is important, because for example when Mr. Nielsen from Utah was here talking about his massive computerized database, I wanted to know if say Senator Bennett or Robert Redford walked into his hospital if they just went in to that database, which goes all over three states, the same way everyone else does or whether there's some special thing.
I want to focus on what I call first principles and I will do this quickly and try to finish close to my five minutes. Then in the hopes that in typical ACLU fashion I will be able to provoke some dialogue later on.
The first principle is that this information is obviously fragile, but it was developed for the benefit of the patient and in a non-property sense, but in a very real sense belongs to the patient in conjunction with the provider. I don't want to get into battle with the AMA over whether the patient record actually belongs to the provider or whether it belongs to the patient, but that basically the record was developed for that purpose.
This committee is confronted with a choice. You can retain that purpose, of if you want, you can turn every place where a medical encounter occurs into a government checkpoint for medical surveillance, because that's basically what I heard law enforcement ask for. They basically said if there's data there, they want access to it. So the first question is, the first principle is why was this information originally collected and what was it originally used for. You heard, the prior panel talked about this at some length and I won't belabor it, but I may well want to come back to the fact that many of the questions that are asked about well isn't there some disadvantage to denying access and losing that first principle.
The second principle is one which I best heard articulated actually, and maybe even to my surprise, by Bob in discussion with the HHS Inspector General, when he said to the clear amazement of the Inspector General on that day in Rosslyn, well do you understand that the fact you are saying you've never disclosed this information may be relevant to something, but that from a privacy perspective the disclosure to you of the information was the first breach of privacy. And what I was astonished by was HHS, which has some responsibility for privacy in general, that the Inspector General clearly did not get it.
I would suggest that from this morning's discussion about show me the harm about where, I forget whether it was research or whatever, information has gotten out and people have been harmed, but that to some extent we all tend to forget that. From a perspective of privacy, I have a right, we all have a right to have my affairs kept private. I need to demonstrate that when Bob discovers that I don't use Preparation H, but something else, it's amazing how this theme has been constant, that when he discovers that, that's the violation of my privacy. I have a right to have him not know that. That extends to a law enforcement person, that extends to one of the 30 percent of prosecutors at the state and local level that Mr. Barnes said were part-time -- he actually said 50, but when he talked later he on advice said that it's really 30 percent -- that the first violation of privacy is in the disclosure outside my permission to someone. It doesn't matter in one sense, it doesn't matter whether there's a redisclosure. I have a right, at least up until now, I've had a right, at least I thought I had a right to have that privacy respected.
The fact that that right may be one of those honored more in the breach than in the actuality raises certain policy questions, but it doesn't mean we ought to breach it even more. So the injury is in that first disclosure.
Secondly, if we want to protect or restore privacy, we can do it. This is not an ACLU proposal, we oppose capital punishment. But if you said, if you said anyone in possession of any information which was medical related information that they did not have a written authorization to have would be guilty of a crime the punishment of which would be death, we could restore privacy. I think there's no doubt -- now, there would be certain societal costs, there would be certain ancillary -- again, the ACLU doesn't support capital punishment so that's not an ACLU legislative proposal.
The point is if we want to get privacy back, we can do it. The fact that we slid down the slope doesn't mean that we can't go back some way. That's I think an important difference of opinion between many of the people, even people who would characterize themselves, and in some cases genuinely are, privacy advocates or saying well we've really lost all of this, let's at least draw the line here versus people in my situation who want to go back.
We also have to remember that we deal, and this is my fifth of seven first principles, we deal with frail human beings not institutions. We need to be focusing not on should law enforcement have access to this, but should the people who framed and beset Richard Jewell have access. Should the raiders of Ruby Ridge have access to your personal medical records? Framing it that way actually I think has a resonance with the populace that talking about general medical records privacy is sort of boring.
Let me take that as the segue to introduce Emily Whitfield from our Media Office from New York. The ACLU has decided that medical privacy will this year nationwide be one of a handful of things that we focus on as our top campaign priorities. So we deal with real people, not institutions. In a constitutional democracy, we make rules to protect ourselves against the frailties that are inherent in human beings. So when an inspector general or a prosecutor says I don't have a history of violating this, why are you doing this, we set this up in order to make sure that it doesn't happen. An incredible percentage of state prosecutors, an incredible percentage of both U.S. attorneys and assistant U.S. attorneys become political candidates. The temptation to use information gathered sometimes is irresistible.
Now, I don't know that when Jimmy -- sorry, forgive me, that was a Freudian slip -- that when President Clinton was reelected as Governor of Arkansas and his main Republican opponent, whose name alludes me for the moment, had to withdraw from the race because of an unauthorized disclosure of embarrassing medical information, I don't know that that came from anyone in a prosecutors office, but I do know that if I were, let's say just to pick a name out of the air, let's say my name were Dole and I was the wife of a presidential candidate, and part of our party was committed to a pro-life position. If I had in my past, long before I came to this position and long before I met my husband, maybe in college, a therapeutic abortion, I might not want that information available to a Democratic U.S. attorney who is investigating my provider for health fraud.
Now, again, that's sort of the utilitarian model, that's the look at the redisclosure issue. I ought to have a right to not have the U.S. attorney know about that period, but we can all imagine the difficulties in adhering to that.
The other point I want to make is that there's a profound difference between privacy protection and what Senator Bennett basically admitted his bill was in an interview with the New York Times, which is a disclosure bill which in order to either make it work or get it passed, has a veneer of privacy protection. That veneer may be thicker in some areas and thinner in others. For many privacy advocates, the Bennett Leahy(?) Bill ultimately came to be seen as in essence a disclosure bill not a privacy bill, as opposed to the McDermott, which I would argue flawed in many ways, at least started from a patient centered privacy perspective, and that there's a profound difference in that and that this committee is confronted with the choice of how it wants to proceed.
If the committee has, I think under Kennedy-Kassebaum, Kassebaum-Kennedy, has the opportunity to say the Congress has done certain things and there are certain advantages to going in certain directions. Our charge is to report on the effect on privacy and the concomitant effect on medical care and that this direction is an inappropriate direction and that we need to reverse that. The committee could say, for example, that to have identifiers whether social security or not, that cross institutions and cross providers would profoundly affect the quality of information available for research, even if it is consensual. Anyway, I'm sure we will talk about some of this.
The point I'm making is that if we start with the premise that this information was originally for the benefit of the patient and originally in some sense belonged to the patient and to the provider, then that perspective yields a lot of other interesting conclusions. We could have, for example, a patient provider privilege, which we don't have now at the federal level.
I'm not suggesting this, I'm just saying if we wanted to protect medical information, if we decided that medical information is as important and as valuable to society as information shared with a lawyer, I'm a lawyer, I know that's not true, but if we wanted to say medical information was as important as information shared with a lawyer, we could have a patient provider privilege and law enforcement in that situation would not get reduced access, they would get basically no access. There are a couple of exceptions just like there are a couple of exceptions on attorney client privilege, but we could do that. If we decided that medical information is really this important commodity and this important information that's essential to how society functions and to the treatment of illness, we could decide that it ought to receive the maximum protection.
Similarly, if we decide that that information is important we might decide that when you obtain that information for one purpose, you're not allowed to use it for someone else. If the ACLU gives me a car to drive around to get here, and instead I use it to go to my home in North Dakota, Minnesota because I'm dying for the blizzards, that could be seen as embezzlement. Well, if HCFA, just pick an agency out of the air, Mr. Berry, if HCFA gets information to process claims but is now, if, but is now going to various computerized medical conferences urging the availability of this database for research, maybe that's the tort of conversion, which is to take something that you're entitled to and using it for some unauthorized purpose. Maybe in some sense, in a moral sense, it's like criminal conversion, maybe that's embezzlement of data.
Again, what I hope the committee will do, and it started with the last panel and to some extent the AMA and APA comments, is return to sort of the first principles of the issue of how did the information arise, why do we have it, and if we really want to protect it, can we not do that, why does there have to be a balancing test. I'm sure in our discussions Bob and I will agree that there are indeed even here, and even I would agree, some difficult questions. Thank you.
MR. GELLMAN: Thank you. Aimee.
MS. BERENSON: I don't think it's a good sign that half of this panel are not quite in perfect health, so bear with me as well. I'm also not contagious.
My name is Aimee Berenson and I'm Director of Government Affairs for AIDS Action Council, which is the Washington, D.C. representative of over 1,400 community organizations across the country and the people living with HIV and AIDS that they serve.
Protected the privacy of health information is not merely an academic concern for people living with HIV disease. People have lost their jobs, their homes, the support of their families, friends, coworkers, communities when their illness was disclosed. And studies have shown, talk about harm, studies have shown that the fear of loss of privacy alone, just the fear of it, has deterred people from coming forward to being tested for HIV and that people who suspect that they may be HIV positive may delay early detection and treatment, treatment which we know can greatly improve both the duration and quality of their lives. Even worse, all too often, people living with this disease who come forward for care have found themselves discriminated against in the health care system itself by doctors, dentists and hospitals who refuse to treat them, or insurers who deny their claims or cap their benefits.
The Health Coverage Availability and Affordability Act, the Kennedy-Kassebaum law, provides a number of modest but important health insurance reforms, including limits on preexisting condition exclusions, expanding guarantees of availability and portability of health insurance coverage, and some prohibitions on discrimination in eligibility for health insurance coverage based on health status. However, the law does nothing to ensure that health insurance is affordable, or that health insurance plans provide an adequate package of benefits. So while the law ostensibly makes it easier to obtain and maintain health insurance coverage, there's no guarantee that the coverage that will be provided to you will be adequate or that you can afford it.
In fact, if you look at it from the other side of things, from the health care systems side, this law may actually increase the economic incentive for employers, insurers and health care providers to find ways to identify and thus perhaps limit care and coverage for individuals and families with chronic expensive illnesses like HIV disease.
The administrative simplification provisions of this law call on the Secretary of HHS to adopt standards related to security and privacy of certain electronic transactions, but these standards would appear to apply only to insurance plans, clearinghouses and health care providers who transmit health information in electronic form. The law is silent on access to and disclosure of information by other entities, or to other entities, such as employers, schools, law enforcement, research, et cetera. While the Secretary is supposed to develop standards to guide covered entities in determining what are reasonable and appropriate safeguards to protect against reasonably anticipated threats, very sort of vague standards, threats to security, integrity of information and unauthorized use or disclosure of information, the law specifies that the standards adopted must reduce the administrative cost of providing and paying for health care. The importance of privacy in this entire scheme has been almost all but ignored, yet the potential cost implications that may result from a lack of privacy protection may be as great for people living with HIV disease as any potential cost implications that may result from requiring insurers and others to comply with particular administrative procedures, to adopt particular safeguards.
The attention and commitment of this committee to highlighting the importance of privacy and the development of standards is greatly appreciated, but we're concerned that by limiting, by first promoting the electronic transfer of health information without first ensuring that strong privacy and security safeguards are in place, and by limiting the application of those privacy or security safeguards to certain entities and certain transactions, the law may in fact lead to further erosions in the privacy of personal health information.
The health care system is huge and complex and trying to protect certain pieces of information at certain points in the system may not be enough. We believe that is trying to address the failure of our health care system to respect and protect the dignity and privacy of those it's supposed to serve. We think that there need to be comprehensive privacy protections. If it's not possible to do those comprehensive protections in the context of developing regulations pursuant to the administrative simplification provisions in the Kennedy-Kassebaum law, then it has to be done through the enactment of a comprehensive federal health information privacy law.
We of course, have our principles, that's a Washington thing, everybody's got their set of principles and I will go through them very briefly, but they're the same ones, we're consistent, we've had this set of principles that we think are very important in the development of any kind of comprehensive federal protections that we've applied to every bill that's come up and any provision.
First, we believe very strongly that the federal protections must provide a strong uniform floor of protections for privacy, not a ceiling, a floor. No matter how strong and comprehensive the protections you may be able to create on the federal level are, we must not preclude states from taking action in the future to provide greater confidentiality protections if they feel it's necessary and a number of states are now sort of being galvanized into action.
Similarly, we do not want to risk undermining any aspect of existing state laws that already may provide stronger protections for health information. There are in many states in various parts of their laws provisions that may provide stronger confidentiality protections for people, who have HIV disease or other conditions. For example, there are state laws that require very stringent informed consent and notification and permission before redisclosure of information. We do not want to see those state laws undermined.
The second principle is that we must place a legal duty on all of the individuals and entities which create, collect or use personally identifiable health information to protect the confidentiality of that information. Trying to say well the doctor has a duty to protect the information, but hey if you can't pay for it out of your pocket, nobody can, you have to submit it to your health insurance plan and there's no protection once that very same information goes out of the doctor's office is not sufficient.
Thirdly, we need to clearly define permissible uses and disclosures of information and build fire walls to ensure and to prevent the use of disclosure of information for unauthorized or incompatible purposes. We must also provide individuals with greater control over their personal health information. We have to give them sufficient notice and opportunity to limit access, use and disclosure of their information. Uses and disclosure should be limited to those that are compatible with or related to the purposes for which the person gave you the information in the first place.
And of course, as has been mentioned, it's horrifying to realize that in many states third parties have more legal rights to access an individual's medical record than the individual does. That, of course, contributes to the situation we have where people really don't, they don't understand what's in their medical record and they have no idea where it goes. That's a huge problem.
Lastly, there need to be very strong effective legal remedies and sanctions for violations of law, including private rights of action. Obviously, simply having regulations that provide some mechanism for an administrative fine are not necessarily going to serve as a sufficient deterrent. Similarly, if you have a private right of action, but it's limited to certain disclosures for a certain transaction, the individual's ability to know and to prove in a court that what happened was that in the processing of their claim for a certain condition, that's where the insurance company leaked the information is ridiculous. If you don't attach privacy protection to the information no matter where it is and who has it, and people don't have a right to sue if that is breached, and you only provide rights to protect a certain piece of information in certain places, you really are undermining the whole purpose of having any kind of privacy protections at all.
I'm going to stop there so Sue can talk and so you can begin to ask questions, but I do want to applaud, on behalf of the AIDS Action Council, applaud you for your commitment and your efforts. I realize that we only got one day and the other guys got five days or whatever, but given what we found was a shocking disregard for the importance of privacy, and a lack of understanding that there is real harm and there are real costs to not having privacy protections that was sort of embodied in the Kennedy-Kassebaum law, we are very happy to be here and we look forward to working with you and to seeing your recommendations.
MR. GELLMAN: Thank you. Susan.
MS. JACOBS: Thanks. Hi, I'm Sue Jacobs. I'm an attorney at the Legal Action Center in New York and in New York, unlike in Washington, we have no principles, so --
[Laughter.]
I would like to thank the chairman and subcommittee for the opportunity to testify today on behalf of the Legal Action Center. Let me first also acknowledge, as I think everyone has, your work on the privacy issues in this legislation and other legislation. We understand that the streamlining of information transfer would be a beneficial component of any health insurance proposal and health care reform proposal, and we also understand as you acknowledged that streamlining efforts are aided by rapid technological advances. So we think it's especially important that you are today listening to issues that we're presenting on how all of this affects privacy rights of individuals with whom we deal.
The Legal Action Center is the only organization in the United States specializing in policy and legal issues in the intersecting areas of drug and alcohol abuse and AIDS. One of our principal areas of specialization is the confidentiality of patient records. Our staff has worked closely for years with the Department of HHS on revising the federal confidentiality regulations which govern alcohol and drug patient records, about which I will speak more than you will want to hear in a minute. We've written a couple of books on this one statute, and we provide assistance to thousands of drug and alcohol treatment providers and HIV providers in the entire country.
Today I will briefly, I hope, make a specific case regarding the privacy considerations of a unique population of users in the health care system, but by making that case for this group of people, I'm also arguing that the standards that regard their records A, ought to be preserved, and B, can be looked to as a model for other health care legislation that you are contemplating.
I would submit that these considerations be included in your recommendations under the Insurance and Portability Act. Obviously, as I think all of us on this panel probably agree, ultimately some of this may need to be done by legislation rather than by regulation, but that's obviously not for me to say.
The records of clients who attend specialized alcohol and drug treatment programs which are federally assisted, i.e. one federal dollar somehow finds its way through the program, are already protected by practical and effective federal legislation, and we submit that they ought to be left in place and not preempted by new health privacy legislation or new health disclosure legislation.
The reason I'm raising this is that Section 264 of the Insurance Portability Act, the administrative simplification section, does respect stronger state law confidentiality provisions to some extent, as Aimee has mentioned, but does not specify the same protections for stronger federal laws. The federal laws regarding drug and alcohol records are found at 42USC290 Section DD-2. I will be happy to give the committee our detailed commentary about that at a different time, and the regulations regarding that are quite detailed. I'm only going to summarize them and we can talk more in questions if we need to.
First, let me note that there are approximately three million people who receive treatment for alcohol and drug dependence nationally. That is not the bulk of people who need it, but it's the people who are actually in treatment. Virtually all of those folks are served by programs that are protected by the statute. That includes increasingly programs funded through managed care entities and other of the new sort of insurance providers.
The statue briefly in summary says, a provider of these services may not tell anyone that I Sue, am in drug and alcohol treatment program, except if certain exceptions apply. It's for this very same reason that Aimee spoke about in terms of the folks with HIV and AIDS. A wrongful disclosure of this information is stigmatizing, ends careers, destroys marriages and devastates friendships. I don't think I have to go into detail about the sort of label and the effect of the label that somebody has as addict or alcoholic and how that follows them.
I would point out to you just to sort of illustrate again, I think Don pointed this out, look at the people we're talking about. Many of our clients for instance are on methadone. If you want to listen to our discussion, and think about somebody receiving methadone treatment and the kinds of issues that that raises for them throughout their lives, you will have a key.
The federal confidentiality law operates by written informed consent. Bob and I have had discussions about whether that has any meaning any more in the era of electronic data transfer. We maintain that it still does, whether by pieces of paper or digitalized signatures of whatever.
The law, of course, allows disclosure about some information regarding people in treatment when that is desirable of necessary, most commonly through consent, but it's also possible to obtain information when necessary, particularly through court orders. I point this out specifically because there was some discussion earlier about subpoenas and the sort of grand jury subpoena power in the portability act. If 42CFR2 and 290 DD are not preempted, then we would maintain that the court order provisions in that statute would require, grand jury subpoena or not, that a judge make a determination of whether there's good cause for the release of that information that is being requested.
Why is that so important? It's somewhat self evident when you think again about folks who are in drug and alcohol treatment. Typically, these are folks who have had negative interactions with the criminal justice system, probably all the way up to the door of a treatment program. Congress originally in enacting this bill thought that it would be a tremendous disincentive for people to go into treatment if information about them were easily accessible by law enforcement as they walked into the door of treatment programs. Again, I can discuss that more later if you would like.
Another quick difference between the act and other legislation that we've seen and the existing federal drug alcohol law is in the area of disclosure to families and next of kin. This law does not assume that if I go into Odyssey House and my brother calls you the head of Odyssey House the next day to find out how I'm doing that it's perfectly okay to tell him, the way it might be if I entered because I had a broken leg. And there are again reasons for that. He may not know that I am an IV drug users, he may not know that I've broken up with my drug using partner, et cetera, et cetera, et cetera.
Finally, in areas of disclosures to employers, we think there is an almost overarching need to keep this information as discrete as possible. Again, we have seen time and time again the effect when this information, when it's not needed for medical treatment or other medical purposes or even payment purposes, gets into the employer's notice and knowledge.
Finally, I would just like to say that we appreciate the work that you're doing. We think in our experience serving programs and their clients that the protections in 42USC290 DD-2 are uniquely tailored for these folks, but that they in fact serve as a model for the rest of the country. Thank you for your attention.
MR. GELLMAN: Thank you, Sue, and thank all of you for your statements which I think were all very helpful.
What I'm going to try to do here this afternoon, we could redo some of the issues we did this morning and get other points of view, but there are some areas we didn't get to this morning so I thought we would do better starting with those areas to try and do our best to cover a broader front. I want to start with informed consent.
A lot of people look to informed consent as some sort of touchstone, as some sort of solution to all problems, and people have a lot of expectations out of the informed consent process that I think in some respects are unrealistic. The question is really there are a lot of -- this is clearly a complicated area. There are lots of uses and users of information, and patients are not necessarily, who have presented themselves with problems, they may be in pain, they may have mental problems, they may have all kinds of emergencies, and the wide range of patients to deal with these problems, which are challenging even for medical professionals and for lawyers. Yesterday, the representative from the AMA who is both a lawyer and a doctor said he signed a consent form and really didn't know what he was signing and then regretted it later on. I think that's sort of an example of this.
I would like you all to talk about this problem, how far we can go with informed consent. I know, Sue, you and Aimee to a certain extent look at this issue from a narrower community and I think those perspectives are useful too. But I want to try and get at this issue as generally as possible, as well as the specifics, how far can we go with this, what can we really expect out of the informed consent process. Janlori.
MS. GOLDMAN: I will start with what I would think would be an ideal situation, which I realize is pretty tough in the real world. Ideally, a person should be able to decide before any information is used for a purpose outside of the one for which they gave it, they should be able to decide whether it should be used for that other purpose, what is called a secondary purpose or an unrelated purpose, one that is incompatible. We've heard a lot of different language today and you can pick one, but the idea is that people should be able to make a decision.
Now informed consent is this buzzword that I use, which again gets back to what I talked about earlier, which is the meaningful voluntary choice. Meaningful meaning you've got full information to make the decision and voluntary meaning it's not coerced. So if I go to see a doctor and she says I would like you to participate in this research project, if I say I don't want to, she will still treat me. That would be uncoerced, that would be voluntary. I don't then have to go shop around in the market and hope to find someone who will treat me without me having to agree to disclose that information for an unrelated purpose.
Informed consent in an ideal world doesn't second guess the patient. It doesn't suggest that there are certain uses which should be deemed okay without the patient's consent and certain uses which the patient gets to have control over, because again I think in this area sensitive information should be determined by the individual in the given circumstance.
We may look at HIV information, or information related to drug and alcohol treatment as particularly sensitive, we sitting here in this room. Other people who are involved in that treatment may not think it's sensitive at all compared to other information. I just don't want to be in the position, in an ideal world, of having to create a hierarchy of illnesses or a hierarchy of conditions for which there are greater protections. There are other problems with doing that which Aimee Berenson has pointed out really well, in terms of by creating those hierarchies what we do is then we call special attention to that protected information by excising it or blacking it out. You know that in those fields that are blacked out, there's something real good and there's something which by law is prohibited from disclosing.
So in an ideal world, I think that that's the way to go, that people should be able to make choices.
MR. GELLMAN: And in the real world?
MS. GOLDMAN: In the real world, people sign forms all the time, they have no idea what they're signing, we all do it, because privacy is not the first thing that we're thinking about when we're getting medical care, when we're applying for a loan. We want the treatment, we want the loan, we want the frequent shopper card, we want the frequent flyer miles, we want whatever it is that we're going to get and we don't care about privacy in the moment because we're willing to put the money in our pocket or get the treatment or get the food stamps or get the drivers license or get whatever it is what we have to get to live in the world.
Privacy is very often kind of traded in that bargain. I don't think it should be traded. I think that there should be laws and rules and a social policy that supports people's privacy decisions and doesn't put it in the mix and doesn't create a bargaining chip because it will always lose out, not just to the institutions and the government, but people who readily give it away because they don't -- you don't protect your privacy until you've lost it, until you've been harmed. You don't.
MR. GELLMAN: Doesn't the informed consent process lend itself to that trading away?
MS. GOLDMAN: I think that it does now, because I don't think that it is meaningful or voluntary, so I think it does lend itself to becoming just signing of the forms, because that's what people do.
If, for instance, there were a policy that if you didn't -- if there were a policy that said you may not disclose this information or reuse it for an incompatible purpose unless the person knowingly and voluntarily gives his or her consent, I think that at least puts protections in place that don't currently exist, and it at least puts the burden onto the individual in a very real way to make those decisions, know what they're signing.
There have been various bills that said you couldn't give your -- informed consent could not be obtained on the day of treatment, which tries to get you out of, sign this stack of forms. So you would either have to sign it before you receive treatment or at some point afterwards. What it recognizes is that most of these disclosures are not done in an emergency basis. They're being done either for marketing or for research, where the person could in a more thoughtful manner look at an authorization form or an informed consent form.
So what I would like us to be able to do is look at the ideal and look at the real world and see if we can get them as close as they can be.
MR. HAINES: I agree with much of what Janlori said, but I think in what will be a theme, I'm not sure that I would stop quite where should would stop. But let's agree, first of all, that informed consent doesn't apply to anything that at least I know of in the current medical system, you might call it informed consent, but it is not really consent. If by consent we mean voluntary, there's no genuinely uncoerced consent in the medical system that I know about.
Also, I think that there's no genuinely informed consent. My physician doesn't tell me that his records get processed by Equifax, which I might decide is an important part of who I want to see. My physician doesn't tell me in the informed consent that the information from my insurance company may eventually go for life insurance purposes to the MIB or to a state registry or it doesn't say. So in the current system, I agree utterly with Janlori on the point about there's now no informed consent.
The question is what do you want to move to and I think I share some of the concern that's sort of reflected in the Condit bill that there are limits to what you can -- there are limits in the real world population to what you can achieve by informed consent, because we're dealing with different subgroups of that population. Educated and informed and very privacy active, privacy sensitive individuals may be able to read a consent and cross this out. Other people may not be able to. It's not necessarily, education is not necessarily the hallmark because I've certainly signed consents that I didn't know, I resonate with Dr. Palmisano with that actually.
But I do think that consent ought to be the hallmark because it goes to back to the first principle which is the information comes from the patient and is for the purposes of the patient. There really ought to be a presumption that no one else has any right to that information at all. There may be a utilitarian purpose in having access, but unless -- I actually thought again, because I'm in Washington and like principles, that Dr. Palmisano's tripartite description of approaches, the dietological(?) model which has the patient at the center, the teleological which says the doctor really knows best, and then what all the other people use which is the utilitarian model. Greatest good for the greatest number. We could probably prevent a lot of crime in this country if every room had a microphone and a two-way television. I think I read about that somewhere in high school, I think it was called 1998 or something like that, but we don't allow that as a society. With the informed consent, I would argue that that's the same thing.
The one point I want to stress on consent is we think at the ACLU, and we were happy to hear I think yesterday, that both the AMA and the APA agree that one means of disclosure for which there should be required express, non-coerced, fully informed consent is to have identifiable information placed in at least a network computer record-keeping system, maybe even not networked. But we've all talked about how there's increasing danger because of increasing computerization.
Something that we believe very strongly that I think I heard the AMA and the APA yesterday saying is that I ought to have a right to go to a hospital, or to go to a physician and say I actually want my records kept on paper, or in a hospital situation, talking real world, where you've got a -- if I'm in the emergency room, maybe I've got to be listed, but with hospitals frequently providing all physicians on staff access to records of all patients, I'm not sure that a prohibition that if I showed up in Pocatello, Idaho -- again going back to Mr. Nielson from his three state, I don't know if Idaho is one of his -- I'm not sure that if I show up in Pocatello, Idaho to be treated by one of his clinics, that my information ought to be on a computer that's accessible from Salt Lake. Or at least, I ought to have the right to say no, I want my records to stay in Pocatello.
So one of the areas that I think informed consent is very important for is this disclosure into at least at networked computer environment. Now, I've drafted a couple of state laws, I worked very heavily on a federal law, two actually, one that was introduced and one that wasn't, and these are very challenging problems. It's intellectually very difficult to figure out when consent applies. When Bob said I think yesterday how do you limit consent, how do you limit disclosure that flows from consent, that the language is hard to wrap around, I don't think it means we ought to stop wrestling with the consent.
But the other point I want to make is even though you have this main threshold of consent is absolutely required, even I would agree that there are likely, maybe by political necessity if nothing else, there are likely to be exceptions for that, even though that's by far the overwhelming general rule.
With regard to those exceptions, there ought to be very high standards for what ought to happen. That's where I think whether an unrelated purpose is a tight enough -- so I think we need both. I think we need both. I think you need a heavy genuinely informed, genuinely voluntary consent requirement, but for disclosures that happen with or without consent, you need a legislative structure.
MR. GELLMAN: Aimee, and could I ask people to keep your answers a little shorter.
MS. BERENSON: Maybe I'm getting cynical as I get older or whatever, but this whole issue of informed consent, there's something very insidious about the way we discuss it. I think clearly there's this issue of is the consent voluntary, you talk about coercion, what's your option, you're not going to get treatment or you're not going to get reimbursement for the care. But there's something else that goes on here, and it goes to the issue of information, whether people are giving informed consent.
The very entities that today say you know, it's just not feasible to get informed consent for all of the different uses and disclosures are the entities that created a system knowing that there were no limits there. So basically, and not only is this a situation where informed consent isn't real because people don't necessarily know, for example, when they sign that insurance form that they're signing away their entire medical record, but there's actually an element of disinformation about all of this. People actually believe that there are protections for their medical records. People believe, they have in their head this idea of the doctor/patient confidentiality, and the idea that the information is not going to be used outside of the context in which they believe they're signing consent for the information to be used.
So it's find to say informed consent could be very difficult and all of this and that, but the problem is that we have to first talk about limiting the system. If we had a structure where we said at the outset here are some things that you can and can't do with this information, then I think the context in which you would be saying to somebody, okay this is what we normally can and can't do, here are some -- we need you to consent, to have informed consent to do some additional disclosure. I think then we could start talking about whether consent is informed and meaningful. But right now, I think it's very problematic to blame the victim for the fact that informed consent isn't very real.
MS. JACOBS: Briefly, I think consent is an area that actually lawyers and doctors might have some common ground, I don't know about legislators. It seems to me that we may not do it well, but that's different than saying there is some principle that's involved that's important. By that, I think I mean that there are very few medical transactions that can occur without someone giving permission. In law, it will turn into a battery for instance, as a tort if somebody, if a doctor were to proceed with certain things without some authorization, whether it's the patients, their guardians, the courts. I think that's for good reason, hippocratic oath and legal ethics go to that.
The other thing about informed consent, if it worked, it would educate clients about what providers are trying to do. It does make the requester of information have to be at least somewhat specific in writing something down or specifying it.
MR. GELLMAN: We had some testimony from claims processors, and one of the things I learned from this hearing is that everything is a lot more complicated than I thought before and I already thought it was pretty complicated. Claims processors testified about the system by which bills move from providers to payers. It's a complex system involving billing services, value added networks and clearinghouses. We were told that for any given bill, that the path that that bill might take through this system is not predictable in advance. It's just going to depend on local circumstances, which networks are available at which instant. So if we're talking about patients having the right to decide whether information is on a computer, whether it's on a networked computer, can they decide whether can be faxed from here to there, can they decide whether their doctor can use a telephone to consult with another doctor and does it matter whether it's a cordless phone, or a cell phone or an analog phone or a digital phone? I mean how do we expect patients to make any of these decisions? The doctors don't understand the system. I think there are very few people within the health care system trying to explain this to people and give them choices about things that from a general level probably don't make that much of a difference. It seems like we're wasting time and effort on things that are beyond the expectation for most people to be willing or able to deal with.
MR. HAINES: The British equivalent to our AMA doesn't agree with you about computerized -- the patient's opportunity and the physician's responsibility to honor a choice to not involve computerized records. It's not the same I think, there's sort of a reduction that goes on, well, if you're going to say it can be on a computerized record, then what about cell phones. Having worked on some electronic communication privacy stuff, I'm actually sometimes more concerned about cell phones than I am concerned about medical records.
But we all agree here, and I've heard half of the panel say at various times that part of the sense of urgency is the move to computerizing records. Part of the sense of urgency is created by administrative simp. I want to at the end talk about that.
But I think there's a difference. I think we ought to expect providers and payers to establish a system which will honor this privacy choice. Maybe that's privacy-enhancing technology called -- I hate to use this term, but the U.S. mail -- but we ought to expect that I think, because I ought to have a right to say well I'm really very concerned about the access(?).
I think the point up until now, the main danger for breaches of privacy is not some evil guy lurking or hacking in, it's insider access I think is absolutely right. I think the point that was made that as you expand this that may not be true, I think the phrase if you build the honey pot, the bears will come and so will the ants and the anteaters. But one of the other -- which means that if you create this huge database, there are going to be more people trying to get access from outside. But the other thing that happens about a computerized database is that it potentially enormously increases the number of insiders you have to worry about. So if the fear is still insiders, it's one thing my doctor and the four nurses and the two technicians in that office. If it's now my doctor and it goes into a centralized network with 30 hospitals and 23 clinics, whatever, the number of insiders who have access is much greater.
MR. GELLMAN: Let me just broaden the discussion a little bit. By giving people more choice, you not only make the process more complex, but the whole administrative simplification law, there are lots of other laws that have been passed lately in an attempt to control costs in the health care system are expressly based on the premise that these systems will save money because we're getting away from paper records. There are a lot of actions and activities designed to do that, and if we're going to go back and say okay, we're going to have paper, what it means in the real world is when you write a bill that says that, you get a price tag with it, and someone says your bill is going to cost $4 billion.
MR. HAINES: Actually, Bob, actually as someone who lobbied on this bill, administrative simplification in the Senate was a sneak attack. It was in the House bill, even though it was buried. Two or three people talked about it on the House floor. On the Senate floor, we were assured by various people, including Senate committee staff that it would not be in the final bill. When it was, there was a follow-up -- there's a fundamental legitimacy problem about administrative simplification, as well as a fundamental knowledge problem.
But if you want to go to the issue of paper based records, there's a game plan here. The game plan, maybe for good purposes, I'm not saying -- the people I describe as disclosure people are not necessarily evil people, I think they don't share my values about privacy, they have other values, some of them I might characterize as greed, but some of them are utilitarian values. Maybe we will save X number of lives if we have a massive database and we're able to do all this outcomes research, or we will drop costs if we do utilization reviews and quality assurance. But there are disclosure interests, the disclosure interest, as opposed to the privacy interest.
Again, there's a fundamental world view difference. But the disclosure interests wanted administrative simp as a way to push what I would characterize as a disclosure bill maybe with some privacy veneer, maybe with more, maybe with less. We lobbied against including Bennett/Leahy for example, as the other wing to this, even though there were some who said you can't have administrative simp without privacy, we agree with that. Originally, administrative simp was designed to force the elimination of paper records.
If you look at the act, it says that, but the one thing that Senator Simon got for us with the state preemption allows the state override of that, meaning the state can decide to keep paper records. If in fact Congress said, I've looked at the CBO cost savings estimate on ad simp, it's meaningless like many of them I would argue, but if this committee decided actually administrative simplification is not going to save money, it's going to cost money, maybe because of the increased fraud or for whatever reason, I would argue the committee ought to report that back to Congress, because they're counting on that savings in a whole bunch of ways. That doesn't mean that a new law is going to have a cost effect, a price tag in order to get privacy protection because it could be that there's a fundamental fallacy in this.
In any case, the approach which was eliminate paper and that saves money and we're going to federally order the elimination of paper, was undone by Congress at the last minute, because at the last minute, Congress included the state override of the federal legislation. There may well be state laws that are going to preclude a requirement of going to --
MR. GELLMAN: Aimee.
MS. BERENSON: I think a lot of people have argued about the electronic health information system is inherently dangerous and I think many of us in our gut feel that way. The problem is it's a little too late for that argument. These systems are already in place in a lot of places, and what we have is the fear of the electronic systems is what derails the privacy legislation, while the administrative simplification piece goes on and on and on, which actually encourages the creation of these electronic systems.
But I think whether it's a paper record or whether it's a computer disk, if the issue is, if the argument is if we have to list every single potential handler of the information in an informed consent document, or somehow we can't control this system that we've created with all these different claims processors everywhere, that's ridiculous. Basically, if the insurance company, if I agree, the insurance company gets my consent to process my claim, and the insurance company then decides that the way they're going to do that is send that out to all these other places, well the insurance company tells all those other places a lot of other things about what they can and can't do with the information, how they should put the information into a certain form or do other things with the information. The idea that the same kind of sort of agency relationship doesn't exist so that you could not require basically the health insurance company that is hiring all the claims processors to say okay, I am ultimately going to be liable if there's a breach of the privacy of this information. Therefore, everybody I contract with to process this information I need to make sure that they are acting in accordance with the standards that I set down. So you can either apply the legal duty to the processors themselves or make -- basically say if the company wants to play this game, they have to ensure that ultimately they're not going to be liable for some mishandling of the information, then you're not talking about a document where you have to come up with the list of the 3,000 different claims processors all over the country that might ultimately touch your material, whether it's paper or electronic.
MR. GELLMAN: Okay, I don't have a problem with that, that seems to make sense.
One of the other things I learned here about the informed consent process is that the insurers told us that they never see the informed consent statements that patients sign in physicians offices. They don't flow upstream. A lot of this is electronic, and even if it isn't, the copies don't go. So if you get an informed consent statement -- this may not be true by the way in, and I suspect it's not true, in alcohol and drug abuse, and maybe there are some differences with AIDS treatment, especially under the summit of state laws.
But in general terms, these things don't go upstream. So if you sign one of these things and you make a change on it, no one may see it. Consent is essentially assumed. Some of the insurers said we have contracts with doctors that say it's your responsibility, if we get information, we assume you have gotten whatever consent is necessary so we can process it. This just sort of goes more to the unreality of informed consent. Can you talk a little bit about informed consent at alcohol and drug abuse and how it's different and better presumably?
MS. JACOBS: Well, I think that's a good example because programs cannot send records without that piece of paper or electronic authorization. They also have to send a notice on the prohibition of redisclosure of those records to whoever requested it. So ABC Insurance Company is on notice, they may not read the paper, but their lawyers are on notice that they may not post that information on a tree outside.
We actually think that when the providers use the piece of paper and talk to the clients, it does work. Obviously, I do function in the real world, lots of times they don't do that.
But what's interesting to me is that we at Legal Action Center have an 800 number and people call us with these complaints all the time. Every day of the week an attorney is on call, of course this is my on call day, and we get every day of the week questions from drug and alcohol treatment counselors and providers and staff and records folks asking is this okay to do or I got a request for information from managed care company ABC, they want all the records, the client has only in their form said attendance and let's say urinalysis records, so what do we do. I know that people are actually doing this.
MR. GELLMAN: Don made reference to the Condit bill which has a different approach to informed consent, which I keep trying to sell to everybody. Instead of saying we're going to get informed consent for treatment and payment and all these other uses, it says basically for treatment and payment at least, and only for those two areas, we're not going to require informed consent. It's not practical. The notion that a patient with third party payment can say well I'm going to consent to letting the insurance company pay my bill, but all the other things that are part of this insurance process, the cost containment and outcomes research and all the things that are either part of the company's policy or part of the mandated policy under federal law to control costs and to make sure that people can get care, patients can't opt out of that. That's not an option today.
What the Condit bill is saying let's accept that reality for payment and treatment and say these things are authorized by law and set some rules that apply to it and some limits and give patients a chance in effect to opt out. If they have special needs, if they have other concerns, if they don't want their bill submitted to their insurance company, they cut their deal with their doctor and then that deal would be binding actually under the proposal. Does that make any sense? Does that seem useful? Does that seem more practical in the real world? Janlori.
MS. GOLDMAN: Well, remembering back to the time that that language was drafted, it made a lot of sense at the time. It's kind of the thrill of the moment, like we were drafting a bill that maybe was going to get passed. There was an attempt to write something that was practical and workable and protective of patient privacy and could be supported by a very large group of people, which is important to have these other things happen right?
I think that it makes a lot of sense. The problem is that I think, and I think it would actually make the health care environment work more efficiently, because people would not be asked to sign a myriad of forms that essentially they weren't reading or weren't understanding or weren't having a lot of choice about. The problem is I think that it takes the choice away from the individual as a presumption. So if it occurs to somebody that they want to pay out of their pocket or that maybe they don't want the entire record going to the insurance company, or that they only want certain providers but not other providers to have access to certain information, they have to make that determination up front, they have to say something or do something, and --
MR. GELLMAN: We will post a sign, we will post a notice on the wall.
MS. GOLDMAN: Post a notice, I've been persuaded of this before and I can be persuaded again. The truth is I think that ideally what it does is it shifts the burden, it shifts the responsibility away from the patient for thinking about the issues, making the decision up front and it requires them to think of themselves as having a special need as you put it, having a special concern. These are not special needs or special concerns. In fact, it's probably the uses of the information by the people who want them that should be looked at more as we have a special interest in your information, we have a special desire for your information. By shifting that burden and getting away from informed consent in that critical area, I think it takes something away from the patient.
MR. GELLMAN: But it's not -- I mean I appreciate that, this isn't an easy issue on either side -- it's not an empty bargain. In place of the opportunity to sign a form that you don't understand and it waives all your rights, you get a series of statutory protections. At another time and place we can fight over the details of what protections are enough, but you do get something in exchange for this that may in fact be better.
MS. BERENSON: But I think I know what I'm signing. I think I am signing a form that says that the insurance company is going to be able to look at some code, or maybe my medical record for the purpose of determining if I have a claim that's reimbursable and then sending me a check or sending the doctor a check. You start out saying that if we just sort of assume consent for treatment and payment, well when I think treatment and payment, I'm thinking treatment for my medical condition and payment for the treatment of that medical treatment. I'm not thinking outcomes research and I'm not thinking all these other kinds of things that somebody might actually say do you need personally identifiable information for that.
So again, I think the problem is you sort of talk about replacing a form with a bunch of statutory protections, I think it's almost that people believe the form and don't realize that there's all these other things going on out there. Again, I just go to this issue of that's why, if we are really talking about consent for treatment and consent for payment for that treatment, then maybe the standard forms that everyone signs would be fine. It's because we allow all of these other things that people don't believe are allowed that we have a problem. That's why you have to have the statutory provisions that if you're going to allow that, then you allow them and you have to let people know that.
MR. GELLMAN: Let me just add one thought to the mix. California has had a law for a number of years that allows disclosure for payment without patient consent. Anybody know of any problems that have resulted from that? Or do you want to talk about something else, do you want to jump in on this?
MR. HAINES: I would just like to underscore briefly my agreement with what Aimee just said, which as I heard it also agrees with what Dr. Hogue said yesterday, which was looking back at my notes, quality assurance, utilization review, and peer reviews -- and I'm so sorry Dr. Cohn is not here to hear this -- are not legitimate areas that you ought to be able to compel consent in order for treatment to occur, and similarly those are things that if one were to assume consent, one of the problems -- I share Janlori's feelings that you remove the choice, I think that's fundamentally wrong because it skews the system. But I understand the intellectual problem of there are pros and cons and there are pluses and minuses but that the concept, the thing that I choke on is the concept of payment being automatically consented to when that includes all of those other things, as Aimee said, that go beyond the immediate payment.
If you go to the medical informatics meetings, people extolling the virtues of the soon to be present omnipresent medical monitor, so that I go to see my physician and to assure the quality of my care is a monitor with a real time observation, I would use the term surveillance, of my medical encounter, diagnosis code gets entered, and then a treatment and then someone is sitting in an insurance office somewhere, I mean in a payer office somewhere, insurance, HMO, managed care or whatever, who is going to say well yes, no, that's good. There are lots of advantages. I grew up in a rural area in Minnesota and North Dakota were often scarce and you can see advantages to that, if I want that. But if I'm a woman and I'm going to see a mental health provider about family abuse, I don't want someone typing back, I don't want my mental health provider to be forced to type in family abuse by brother, so they say eight visits, whereas if it had been by my father I would get 12 visits. I don't care if there's cost savings. I think that's not the same level of --
MR. GELLMAN: Yes, but other people do care if there are cost savings. Cost is not an insignificant issue in any of this.
MR. HAINES: That's right, but the question comes back to first of all, I think that we ought not assume that either computerization or any of the new things necessarily yield cost savings. That ought to be put to the test. It also particularly ought to be put to the test when we are moving fundamentally from a model of medicine which in theory -- which the public still thinks it has. I think you make a good case for the fact it's not there. We will see what happens when the public realizes it's not there.
MS. GOLDMAN: Can I just make a case for simplifying some of this? When we talk about how the health care environment is becoming so complex, there are so many new actors, so many new industries, we've now got administrative simplification mandating standardization, which means that we're going to have clearinghouses and claims processors doing the work for those who are not going to be doing it in house. While we may have a lot more actors and people coming in who are going to have an interest in using the information for a second purpose, that doesn't mean that that complicates the issue for us and we shouldn't be in a position of waiting for the issue to become so complicated that people have entrenched financial interest that we then have to accommodate in policy. MR. GELLMAN: Too late.
MS. GOLDMAN: Well, some of it is too late, but some of it is not too late. But the idea, and we had this in discussions with some of the industry folks, and there was a split in the industry as well about this issue, but the idea that a clearinghouse or a claims processor has access to information because they have a contractual relationship with a provider or a payer and therefore they have an interest, clearly they have an interest in using the information for another purpose, either in identifiable or not identifiable form. Of course they have an interest, and of course they're going to do it if there are no rules preventing them from doing it.
But right now, we can say that their only interest in using that information is to do it on behalf of the payer and the provider respecting the interests of the patient. They are a pipeline. They are doing this value-added service for either the payer or the provider and often both, they're often representing both in that situation, but that flowing with the information should be the individual's choice about how he or she wants to use it. If they don't want to use it for a second purpose, you're not filling out more and more forms because it's being held by a variety of different people.
In the U.S. mail, a piece of mail can stop at 10 or 15 or 20 different places before it reaches its final destination and we don't sit there and say there have to be special rules at each place where it stops and for each car or each airplane that the piece of mail goes on. We don't work in that field and we shouldn't allow those in the industry to argue that the world has become so complicated and there are so many different actors that now it's just a done deal and we can't fix it.
MR. GELLMAN: People don't necessarily have a right to have somebody else pay their medical bill. People offer insurance and you can purchase it or not, or government programs or whatever, but how would you feel if an insurance company said if you agree to let us use all of this information in this other way with protections and limits and all the things that we've come to expect, or at least in a piece of legislation if not in reality today, but if you don't want to agree to that, that's fine, but we're going to charge you twice as much?
MS. GOLDMAN: I think the real issue here is not -- we can argue about whether there's a constitutional right to privacy or whether there's an interest, we can have long discussions about that. The real issue I would think for this committee and for us at this table is what's the right thing to do, what's best for the health care system, what's best for the individual, how are we going to do the right thing here. That is not doing the right thing. I don't think anyone would argue that's doing the right thing. The question is can we put some rules in place that allow a person's privacy decision, or a lack of a privacy decision to follow that information to its final destination, can we do that? We do that in so many different other environments, why are we allowing this to become a complicated issue because there are more actors involved?
MR. HAINES: Actually, that's one question. Another important question is do you want to either cement a loss of privacy or do you want to create a new loss of privacy by abetting the creation of what, like the person from the Joint Accreditation Committee said, the new magical world of total computerized databases. The privacy problem with medical information isn't restricted to, isn't limited to computerized information. It exists in the Jim Rockford example, in medical records, it also exists in all the other places that medical information appears. And it exists in a law enforcement context. It exists in civil litigation where auto insurance companies get medical records and use embarrassing information to hammer settlements, or at least people complain to us and complain to Public Citizen all the time.
It seems to me that an opportunity the committee has is to say we believe medical information is in our society worthy of close to the highest level of protection, not as important as stuff we tell lawyers, that's understandable, but close to the -- and what is it, if we really believe that, what would we do, how would we follow that? Maybe that means a patient provider privilege, maybe that means standards, I don't think they're adequate but like in the McDermott bill for law enforcement access with reviews so that not every U.S. attorney or part-time county attorney can have your wife, your medical records spread all over the table.
I think if you go to the Mayo Clinic's Web site, mayo.edu, you can see the little brochure they have in Minnesota now to encourage people, at least the people who come to the Mayo Clinic, to consent to research. When you have researchers say we could never do consent, well the Mayo Clinic thinks it can live with this. Maybe ultimately it can. The Mayo Clinic is not an unknown research institution, say I a Minnesotan proudly.
The thing I want to mention is sort of buried in Dr. Nagel's testimony is one of the statistics, and as a lawyer I'm always impressed by statistics, that I like most to cite, which is in the Time CNN poll which is the focus of their cover story on medical records stuff at the end of last year, 87 percent, 87 percent of the American public favored a law that would require patient consent before every disclosure.
Now, I will tell you I know that's not workable. If I perpetrated health care fraud, can I deny consent to cover up that? I think no, but that's a very significant figure. I think that that suggests that you have the opportunity in this committee to do things that say medical information is important, it is protected, the fact we're losing some control doesn't mean we should lose all control. The fact that we can get -- the difficulty we have in dealing with some of the people who favor some level of privacy protection is that the cost of some increased privacy protection, including privacy protections in states where there are no privacy protections now is often to cement in process a system of computerization that everyone admits cannot be protected.
So if it can't really be protected, one of the questions I think you have to wrestle with, and frankly I'm not quite seeing you all wrestling with, is the fundamental a priori question of is admin simp a good idea, is the computerized database a good idea. Is it going to produce the savings the benefits? Even if it does, to some extent, so what? If it's true you can have all these improvements, is this worth changing the fundamental nature of how the information happened in the patient provider relationship.
MR. GELLMAN: Well, we're going to take a break now for 10 minutes, but the so what is if we spend an extra $5 or $10 billion increasing privacy, that means people are not going to get health care that they need because this is a zero sum game. We will be back in 10 minutes.
[Brief recess.]
MR. GELLMAN: If we could find a seat, we will press on. Now that we've resolved all of those issues, I thought we would move on to a nice simple one, preemption. This is clearly, this one ranks up there with the health identifier as what's the hardest issue in the bill.
There is clearly strong sentiment in the industry for a significant level of federal preemption and it's not clear that the insistence is for 100 percent preemption, but there is clearly a strong drift. I might say as a practical matter, and I'm not suggesting that anyone give anything away at this point obviously, but as a practical matter if there's no industry support for a privacy bill, there's not going to be a privacy bill, that's just political reality. So there's going to have to be some accommodation in some fashion on preemption. So I thought it would be useful to talk about this.
I mean one of the realities of this, I think by the way, and some of you have mentioned this before, I think the point about the value of having things develop in the states is all fine and traditional Americana and not at all beyond the pale here. But at the same time, when you look at what's happened in this area, that with some exceptions and a fairly narrow set of exceptions, most existing state laws are simply not as good as the federal bills that have been proposed. So one element of reality that we will have to deal with is the tradeoff between having something and having nothing, at least in terms of the federal bill.
I would like any of you to address this issue of we're dealing with an interstate health care system. Treatment to a greater extent is happening interstate, payment is very much an interstate activity. How can the health care system function if there are different laws in 50 states that the hospitals and the providers and the payers have to comply with?
MS. GOLDMAN: It functions now that way.
MR. GELLMAN: Well, it functions now that way, I think that's fair, but it functions now, first of all, there aren't a lot of really specific state laws. Many of the state laws don't apply to insurers, many of the state laws only apply -- and many of the state laws aren't complied with, that's the way we work now.
MS. GOLDMAN: But the truth is that in this big mess that we have of varying state laws and lack of state laws and varying standards, the health care system is currently coping with 50 different, or at least 50 different scenarios, because there are some states that have laws that only apply to payers or only apply to providers or only apply in certain situations to certain people.
But the preemption issue has been a thorny one in terms of the politics of it. I think the substance of it is pretty straightforward. When I was at the ACLU and had the pleasure of being Don's predecessor, was I your predecessor, I preceded you there, I spent a lot of time opposing preemption on privacy laws, because for the most part it was an effort on the part of industry to wipe out strong state privacy laws. So in the Fair Credit Reporting Act context, in the wiretapping context, there were efforts by both government officials and industry to say let's create a standard, one standard, a ceiling on privacy law so that it makes things easier. Well, pretty much all trafficking in personal information happens on an interstate basis and that argument applies across the board.
But there were also across the board successes in opposing preemptive legislation in those other areas, in the areas again of the Fair Credit Reporting Act and wiretapping. It allows the federal law to create a floor and the states can go above it where they want to enact more protective legislation. In the health privacy area, there was a political decision made that if you could create a federal law that was stronger than anything at the state level, in other words, you would not only create a ceiling but it would be a real ceiling, it wouldn't be pulling any state laws down under that ceiling, that that would be a good thing. It would also allow the industry to support the legislation because they weren't necessarily as concerned with how high the ceiling was, but just that there be one standard to allow the information to flow easily.
A lot of privacy and consumer advocates supported that because the ceiling was so high, but I think in this new session, we should reopen the issue and ensure that there haven't been states that have in the interim enacted stronger state laws, or that there aren't ones in process. We're in a very different environment now with administrative simplification being mandated, mandating the creation of electronic networks. I also would be chagrined to see any stronger state law wiped out by a federal privacy law. I think that would be a real mistake.
MR. GELLMAN: Aimee, can you talk about preemption? One of the things that's a reality in all the proposals pretty much is at least an attempt, even though it may not be artfully done, to preserve the state AIDS laws.
MS. BERENSON: Public health and mental health laws.
MR. GELLMAN: Yes.
MS. BERENSON: I think part of the problem here is that on one hand, we have a scenario where state laws are clearly inadequate, but what are we comparing them to? In other words, we have a problem with comparing apples and oranges, so on the one hand we say well why should you be concerned if we exempt public health laws, and those are where most of your HIV confidentiality statutes may be, though not all of them are under the rubric of public health law, shouldn't that be enough?
But I think that what we have found is that there are different provisions in different states under many different titles of state law that may in fact provide protections, whether it's protections against redisclosure requiring specific written authorized consent, Florida for example, my understanding is that Florida has a what they call a super confidentiality law with regard to HIV and imposes special burdens on health care providers and things like that. I think the concern that we have is that we would argue against sort of not only preempting things that are out there and may in fact be working well, but also we have a concern that certain states may now be galvanized to start looking at this issue and addressing the broader piece about protecting the medical record. I think to prevent them by doing that by preempting them and sort of settling for what would probably be a kind of watered down federal ceiling would be a huge mistake.
I think the last piece is, I think the AIDS epidemic in some ways is very instructive. If we were sitting here in 1979 talking about this and thinking about all the potential problems, there are many things that we would know, we would talk about the stigma of alcohol and drug abuse, but we would not have envisioned something like AIDS with not only all the stigma and discrimination issues, but also the treatment issues and the care issues and the cost of care issues or managed care, the entire scenario that we now have before us.
I think it just goes to point out the wisdom in trying to create the strongest federal floor that you can and leaving states with the option to do more, particularly given how long -- in all these years, we've never been able to get any federal privacy legislation through with regard to medical confidentiality. What makes us think that Congress and the federal government are really capable of responding to new things that may come up?
MR. GELLMAN: Well, if Congress never passes a bill, this is not a problem. Let me also say that I think it's perfectly fair at a minimum to reserve judgment and say I want to see the federal bill that's going to pass before I make a decision about preemption. No one is asking anyone to buy a pig in a poke.
MS. BERENSON: I also think that the concern, again it goes to this issue of what system has been created. There's really this concern that if we don't have uniformity and each state has a special law, it's going to screw everything up. As Janlori pointed out, they're not screwed up right now.
DR. DETMER: Yes, but I think just to interrupt for a second, whether we like it or not, telemedicine is increasingly occurring. There are new things under the sun that we've talked about. These are real issues as it relates to patient data. I'm not saying that it's not complicated, but just because we haven't had the problem in the past does not in fact mean that we aren't increasingly facing that issue looking forward.
MS. BERENSON: That's why I think creating a strong federal floor is really important, because then what you're doing is saying at a minimum, here are some of the things that we know are happening, that are real issues that we need to address and deal with how we are going to handle telemedicine and ensuring that there's patient consent and whatever and setting some floor, and that does make sense, there's no question about that.
MR. GELLMAN: Sue, let me ask a question. When I originally started drafting legislation some years ago, my original approach was to say well, we can write a federal standard that's really going to be very high and we won't need laws like the federal alcohol and drug abuse laws, and basically you folks persuaded me that you had some special interests and some special features of your law that were unique to your setting. I wonder if you could explain some of that here and make the case here that you've convinced me of before.
MS. JACOBS: Sure, and let me just say that although it's special in the sense that that law pertains to alcohol and drug treatment facilities, again we think it could be the federal ceiling or floor. In other words, many of the components here could be the standard that Aimee is talking about, if the move is toward a uniform federal piece.
The informed consent piece that I spoke about briefly has very strong details to it, which I won't bore you with, but it does make it an actual informed consent document when it is used because it narrows the scope of the disclosure. It requires written consent. It's revokable, except under certain circumstances, et cetera.
I think the most important component perhaps for our discussions though is the court order. That is a vehicle, basically through consent, for a court order. Any requester of information, who is a legitimate requester of information from a drug treatment program governed by this law can get that information. They simply have to go through some what people would call hoops, barriers, I would call legitimate steps.
And in the court order scenario, all that a requester has to do is persuade any court of appropriate jurisdiction, which means state, county or federal court, that their request is important to a court case perhaps, and they have to demonstrate that to the judge, that the privacy interests of the client are outweighed by the requester's need for information, and that's subject to debate and it's a factual situation on each occasion, and that the -- and this is very important -- the requester does not have another way to get the information.
I think lots of us who do health care related work have the scenario that an automobile claims adjuster comes to the drug treatment program and says we want to know certain things about John Doe, which actually don't have to do with John Doe being in drug and alcohol treatment. They can get -- that's a centralized place for them to go look. Vermont's Supreme Court two years ago said about a scenario like that in child welfare, that a child welfare worker could not get information from a drug treatment program simply because it was aggregated there when that information was absolutely available through other means, for instance a woman's probation officer.
I think that court order provision in 42USC290 DD-2 I guess provides those kinds of checks and balances basically without making people go too crazy.
MR. GELLMAN: Can you talk about special concerns about law enforcement access and search warrants and that sort of thing?
MS. JACOBS: Sure. As I said before, I think the data is now 80 percent of folks who come into contact with the criminal justice system in most jurisdictions report recent or somewhat past drug or alcohol use or abuse. If any number of those 80 percent people then go off to a drug treatment program, whether mandated through the courts or voluntarily, the notion is that they've had a recent contact, let's say with a police officer in an arrest. Now the officer wants to know more about them, finds out that they're in Odyssey House or in a drug treatment program ABC, knocks at the door, says hi, I'm a person who is normally authorized to ask questions of citizens, so I would like to know about John Doe, in fact I arrested John Doe and I want some information.
The law says we're sorry, even though you are normally a person who has the authority to ask citizens certain questions and they can of course not answer those questions, this person in this vulnerable stage in their life and in treatment does not have to answer you. In fact, the treatment program cannot tell you anything, unless a judge authorizes it. That is true if what happened is the police officer came to the program, or the investigating agency came to a program and said, we've heard that John Doe is here and we have a warrant for his arrest, or he is a fugitive or four years ago he was involved in X, Y, Z situation.
We are not saying, and we've never said that the prosecutors ought not legitimately be able to get the information that they need to prosecute a crime. It is simply that some judicial authority needs to intervene and evaluate that request.
MR. GELLMAN: The solution that we came up with in the Condit Bill was essentially to say your law, you get the best of both worlds, either your law or the Condit Bill would prevail, whichever one was stronger and we set up a process, namely the Secretary would decide which one, because most of the provisions of your law are in regulations rather than a statute. So that was sort of feasible.
But this question in preemption of deciding what is preempted and what isn't is a challenging one. One of the requests that you often here is well, let stronger state laws prevail. Let me ask a couple of questions just to get into the details of this.
Suppose we have one law that provides for patient access, but it exempts records that pertains to other people. The next state has a law that provides for patient access but it has no exemption for records about others. Which one is stronger?
MS. GOLDMAN: Well, if you're looking at it from a patient privacy perspective, the one that restricts access to information about other people is stronger. If you're looking at it from a patient privacy perspective as opposed to access to records. I think under that scenario, you would have to favor restricting access to somebody else's records, even if it had information about you in it. That would be my guess.
MR. GELLMAN: Right, I hope I've illustrated the point that there's a conflict there that doesn't necessarily measure up.
Let me give you another example. You can spin out hypotheticals, but I don't think this is all that unrealistic if you have lots of legislation. One law says fraud investigators can get access to patient records with a court order but with no notice to the patient. The next law says you can get access with notice, but with no court order. So which is stronger? It will depend on the details of the law to a certain extent, whatever, but I mean that's the problem here in measuring --
MR. HAINES: That doesn't mean that you have preemption to have a uniformity. You might decide in that situation that the fraud investigator has to meet both laws. He has to provide notice under one law and he has to have a court order under the other. That can be the standard. I mean you're right, we can all play the drafting games of A plus B minus, is that better than A minus plus B, but you could have the requirement. It's like drafting a will that is going to apply in several states. Some states have two witnesses, some states have three. The good lawyer makes sure you've got three, assuming super [word lost] aren't a problem. MR. GELLMAN: I understand that, and that is a possible interpretation. One of the difficulties here is how do you know. If you are promoting a preemption policy that says the strongest law prevails, just saying that doesn't provide enough guidance to people. In the case that we just talked about with alcohol and drug abuse, we established a standard which was just like you saw, but we established a process that did it. We had somebody resolving conflicts and making judgments so people would know how to act without waiting for five years of litigation to the court of appeals.
So, it seems to me at a minimum, that those who are seeking to have a preemption rule that says we're going to allow all the different states to do whatever they want and if it's stronger it's good, need to think this through better and come up with a clearer proposal.
MR. HAINES: That might be. We would oppose merely vesting with anyone, particularly the HHS Secretary sort of an initial requirement that might --
MR. GELLMAN: That's fine, but it's a process.
MR. HAINES: As evidenced by the first preemption and then the anti-preemption Simon twist in Kennedy-Kassebaum, preemption language has to be written very carefully or it could be opaque(?).
MR. GELLMAN: Yes, I had a lot of difficulty understanding the Simon language. The sentiment is pretty clear, but the language itself isn't all that --
MR. HAINES: Excuse me, Bob, before we go on, unless you want to later come back to law enforcement, you asked --
MR. GELLMAN: Go ahead.
MR. HAINES: I really would commend to the committee in the council we provide a focus on law enforcement and civil court access, but if we decide that medical information -- notice I'm not using the term medical records -- but medical information is valuable and ought to be protected, then there are things we can do that go beyond merely requiring, and we would suggest should go beyond merely requiring a court order. That for example, the law enforcement testimony you heard yesterday was very interesting. First they said, there's no problem because we already go to court and we already get subpoenas. Then when you asked them about subpoenas, it turns out that they sort of got subpoenas on request, and maybe sometimes they didn't have to request them.
The position of the ACLU is that even a Fourth Amendment standard is inadequate, that serious consideration should be given -- we're not supporting this yet because we haven't resolved our internal review -- that serious consideration should be given to whether there ought to be a patient provider privilege, which would act as, with some exceptions, an absolute bar the way an attorney client privilege is, but that prior to that you ought to look at procedural protections, which I think Mr. Litt from DOJ yesterday said he wasn't necessarily opposed to, although I'm sure he would be opposed to ours as too burdensome.
MS. GOLDMAN: I think that's a safe bet.
MR. HAINES: And for example, requiring in camera inspection, requiring removal of ID wherever possible. They sort of spell out in the McDermott Bill, we thought that McDermott's actually were inadequate. That's one of the arguments we lost in the McDermott Bill.
MS. GOLDMAN: He has a few things to learn about privacy.
MR. HAINES: Right, but the other thing I would point out is that civil process is very important. The concept you raised about access, that if we decide medical information is important, we ought to protect it I think against the general rule that everything is open in civil discovery, that in some ways law enforcement was right when they were complaining that a civil litigant has more access than they do because a civil litigant doesn't have to meet a Fourth Amendment standard, it's an irrelevant standard. Again, we would argue that you ought to be able to isolate out parts of a medical record to make sure if they're in contention, so that if I've got a broken leg, they're not going to see my abortion in the litigation over the automobile accident or things like that. I think I just want to highlight that as an area.
MS. GOLDMAN: Can I just ask another question about this, you mentioned this before this doctor patient privilege. If you're using the term privilege, I always thought that meant it was a common law privilege. Are you talking about putting it in a statute so that it's just a statutory bar on law enforcement or government access? I'm just curious where you're going.
MR. GELLMAN: Can I answer this question, at least to provide a little background to the committee? Privileges apply, they are testimonial privileges, they apply when someone testifies in court. If you have a doctor patient privilege, and all the ones that exist are statutory, not all states have doctor patient privileges, many of the ones that exist are filled with loopholes, they don't apply for example in some states in criminal cases. So imagine a privilege that says your information is protected except if someone wants to use it against you to send you to jail. That's not much of a privilege and it provides no protection for any of the disclosures that take place outside of the judicial system. They don't prevent investigators and all the other people that get access from getting access to them unless it's at a trial or in a trial related proceeding, and most of what goes on isn't that. So privileges don't --
MS. GOLDMAN: What I'm trying to figure out is that's why ACLU is --
MR. GELLMAN: Privileges don't help much with 99.9 percent of the disclosures that go on. Do you want to expand beyond that?
MR. HAINES: I think we could craft a privilege that would help with 99 percent. I don't think that's really quite right. For example, an attorney client privilege, if you're deposing me and you're asking me for information that I told my client in the investigatory process, I can so no that's privileged and then we will go to a court and we will have --
MR. GELLMAN: That's right, but that's a court related procedure.
MR. HAINES: That's right, and so what I'm saying is, what I tried to point out is that law enforcement starts from the premise, just like many of the people favoring disclosure bills, starts from the premise this information is broadly out there anyway and if you try to limit it there are going to be these bad societal impacts and some of them are bad.
But what I'm pointing out is that it may well be the charge of this committee to start from a different premise, not the bad situation we're in but is medical information important. If it is important, what ought we as a society and as a government be doing to protect it. One of those things might start with no, law enforcement, in general you're not going to have any access. Now, we will talk about exceptions to that or we're going to start there rather than the other way. That was my only point.
MR. GELLMAN: Let me dance back to one other preemption issue, and by the way, if you want more information on this whole issue of privilege, you're welcome to read my law journal article, the 84 North Carolina Law Review, it talks about this. It's a little out of date, but it's still relevant.
MR. HAINES: I went to UVA and I can't read anything in North Carolina I'm sorry.
MR. GELLMAN: Fair enough. On the preemption issue, just to sort of add another layer of complexity to an already impossible situation, a lot of the access, I mean one of the things we heard from the investigators yesterday, the police, Justice Department, was that much of the white collar fraud investigation that goes on is really done at the federal level. It's too hard for the states, they don't have the resources, and so most of this is going on. Of course, HHS is all over this issue, the IG, a lot of these things are going on at the federal level.
The question is, I raised this question at one of the earlier meetings with somebody from the general counsel's office who was talking about the Simon preemption provision, and I asked would that provision wipe out a state law that said the HHS Inspector General can't come into this state and get records because that was a stronger privacy law. Needless to say they didn't think that was a very interesting argument and it wasn't particularly welcome, but it is an issue sort of on both sides.
One is do you envision having state laws that are stronger preempt federal laws that are inconsistent or different? And secondly, since much of this activity goes on at the federal level, but by no means everything, but at least in terms of the fraud stuff, if you don't deal with this adequately at the federal level, then the state laws won't make any difference no matter what. In fact, if there are -- all of this activity will drift to wherever the weaker law happens to be no matter what. Anybody have any comments on that?
MR. HAINES: Actually I was in the room when you asked that question and I was surprised because you're the only other person frankly who ever raised that as a possibility. I won't say that that's your interpretation.
We take the position, the ACLU takes the position that that's a fair reading of what Simon does, of what the Simon Amendment does. Now, that's contrary to the normal position. Normally, even if you allowed no preemption, if you allowed state laws to stand, state laws don't override federal laws because of the supremacy clause. But obviously, Congress under the supremacy clause and under its general Title II authority, Title I authority is quite capable of saying state laws will. I think that's a fair reading, although I would admit there's a contrary reading.
MR. GELLMAN: I agree with that, there are a number of readings. That's one of them.
MR. HAINES: That's a fair reading, so I would argue now, in the same way in which we've heard that Congress has made a policy decision. The Congressional policy decision is -- although it first wanted to wipe out paper records, and even wipe out state laws requiring paper records, it had a change of heart so it will now even allow states to wipe out federal laws banning paper records.
MS. BERENSON: We were discussing amongst ourselves a little bit the different preemption provisions that are contained in the Kennedy-Kassebaum law. I think there's some question as to the types of preemption and how it all works together.
But I think to just go back to this issue of if we're talking about state laws regarding some aspect of the privacy of medical records, A, we're not talking about, I mean right now we have a situation where an insurance company or whoever basically has to sort of choose between the laws and figure that out. What we would be talking about is basically setting a federal floor and the comparison wouldn't be between the two state laws, it would be between how are the laws more stringent in their requirements as regards the federal law.
I think that the idea that somehow this is a new problem or we will all be unable to -- somehow we can figure out from state to state but we can't figure out state versus what the federal floor may be, that's going to be too confusing, is somehow ingenuous.
I also think that there's a difference between, in some of the hypotheticals, the substantive area of law. If the Secretary is pursuing Medicare or Medicaid fraud, that's something that the federal government may do, and it's sort of like you can have federal rules of evidence and state rules of evidence that are different. It's when they apply. So I think it just seemed to me that somehow not all of the examples are necessarily applicable to the situation that we're facing here. Obviously there's going to be confusion, but --
MR. GELLMAN: Yes, I think some of that is fair enough and I can just change the hypotheticals to compare federal and state laws and raise the same problems, but I think a lot of what you said is fair.
DR. HARDING: A little bit different tact, something that was said this morning that I commented on and asked about this morning. Mr. Rottenberg, I believe, mentioned the idea of an independent privacy agency being created within the federal government to oversee continuing changes in privacy laws and regulations. Your thoughts about that?
MR. HAINES: The ACLU strongly supported that for years. I can be brief, Bob.
MS. GOLDMAN: What's interesting about this is that the Administration has finally now begun to take up whether there should be some kind of an independent entity or some entity within the executive branch that oversees, looks at, studies, offers guidance on privacy issues. Under consideration right now is an options paper that OMB is working on to present a couple of different views of how this can be handled.
I think what we're going to see in the next year or so is some body, some individual, some entity that is charged with overseeing privacy at the executive branch level both with respect to the government's handling of personal information as well as the private sector. Right now, the way that it works is that there are certain agencies that are charged with oversight of federal laws where those laws require them to do so. So you've got the FTC involved in a number of privacy statutes or the FCC and OMB and HHS and the Department of Commerce.
What happens is that the various people in those agencies charged with either speaking on the issues or investigating or analyzing, offering guidance don't talk to the folks in the other agencies. There have been interagency task forces set up to try to address this issue, but there's a real need for some cohesive policy making and guidance at this level. Whether it becomes an independent agency as it is in a number of other countries abroad where it's really independent of the executive branch, but I think there are some constitutional issues here as to whether that could happen or whether it's something within the executive branch, it is way overdue.
MS. BERENSON: I guess I would have just a couple quick -- it's always nice to have some kind of agency there, but I would be curious as to what the scope of the responsibilities would be. There are certainly scenarios I could see where perhaps in fact the issues of privacy coming up around HHS programs may be different than what comes up around Commerce programs. While it would be good to have sort of standard policies and discussion and agreement about the importance of these issues, what do we mean when we say a privacy agency that would sort of set the policy.
It sounds like a good idea to have some cross agency coordination, but what exactly that agency would do and whether it would sort of be able to decide what privacy standards should apply to every agency might be a little problematic.
MR. GELLMAN: I just can't understand why you're so reluctant to sign a blank form that we will fill in later on.
MS. BERENSON: Because DOJ might not have the same interest that HHS does at certain times.
MR. GELLMAN: I certainly expect not.
MS. JACOBS: We would support I think the idea, especially as a clearinghouse, and then obviously we would want to fill in the details.
MR. GELLMAN: I want to come back to the -- this is a flavor of preemption, but from another angle. The issue of having different rules for different records, this has been discussed some, actually at almost all the hearings. The basic problem of preemption is a difficult one, whichever side you happen to be on, but clearly a lot of difficult implementation problems that are presented, and by the way, you can make the case just as well in some regards that even if you have federal preemption, the question is what is it you're preempting, it's not always clear by any means. So these problems flow both ways.
But the problems are sort of magnified in a lot of ways. We have alcohol and drug abuse laws, we have AIDS laws, we have mental health laws, we have genetics laws, and there are probably a couple other flavors out there as well. The difficulties of implementing a system -- the first set of problems is how do you know what kind of record you're dealing with in any given circumstance. You've all seen hospital records that are this thick and have a zillion pieces of paper in them that relate to different things.
It could be all of the above. I always use the example of somebody with a genetic disease who is an alcoholic, drug abuse user, who has AIDS and is depressed, you're covered by five different laws. How does anybody implement this? Does anybody have any -- there's got to be some experience that you've had or perhaps with the AIDS laws, how do you make these kinds of distinctions under existing rules?
MS. JACOBS: I think, not to beat a dead horse or whatever, the rules that we use encompass, because they're stronger, most state requirements that we've come across. So forgetting that it has a name and that Congress has already said this is a good idea, imagine a hypothetical, very strong, federal medical records privacy routine bill that specifies things.
I think the problem has been, and we've been through this for a couple of years now, agreement on what those standards would be. I think if all of us sat down and came up with the highest standards we could imagine, and Congress and the industry agreed, then we might not have to be here.
MR. GELLMAN: Let me try this another way. It's clearly identified under your law when it applies. It applies to people who are getting federal funds, they know when it applies to them, they know, and likely in many of these cases all of their records are covered by the law.
MS. JACOBS: Yes.
MR. GELLMAN: What happens when they interface with other people, either with payment or consultation, what are the difficulties or issues in terms of conveying this information to other people and retaining the protection?
MS. JACOBS: Pre-managed care, it was really a slightly different universe. There were third party payers, and you would have a client sign a consent that says Empire Blue Cross/Blue Shield pays my bills and yes you may give them a certain amount of transaction information, period, end of story virtually.
Now, it's not just managed care, it's the accountability issue I think behind managed care that seems to ask for more and more records. So we interface with entities that are not covered by the federal drug alcohol laws, except insofar as they receive information from a covered entity, and so may not redisclose and have to behave, we think, responsibly.
A more complicated scenario in some ways is in the ER, emergency room, the law has been clarified so that an attending who interviews a patient who is semi-conscious and comes in after a car accident and says, have you been drinking, is that part of what happened in the car accident while we're doing everything else we're doing, the patient gives some basic information. That information, yes I have been drinking or yes I had a six pack is not federal drug alcohol law protected, because you have to look at the purpose of the law. Laws have purposes and rationales, the purpose is to get somebody in treatment for that problem. This person is needing trauma care.
So we've been able to make those distinctions. I think that what I get very concerned about is that the drive for accountability keeps pushing down I think the willingness to support privacy considerations which are not necessarily burdensome, and not necessarily expensive.
MS. BERENSON: I think part of the problem we have is that the laws that we have are for specific information and specific scenarios and there's nothing that sort of covers the information all the time. So it's not so much a problem of figuring out when or when not the federal alcohol and drug confidentiality pieces apply, the problem is when they don't apply there's nothing else there.
We've had this experience where in the beginning of the epidemic what we were most worried about was protecting the confidentiality or anonymity of your HIV test result. Then when treatments improved, then we started realizing well we have to protect the information in the doctor's office or in the hospital, so we have all of these laws across states that protect it at one stage or another or they protect -- for example, you could be in a state where the information that you've tested positive for HIV cannot be revealed, but if you go to the drugstore to get your AZT prescription filled, there's no protection for who can see that information, or you submit a claim for treatment, there's no protection.
So I think there's less an issue of these laws sort of colliding with each other and part of the reason they don't collide with each other is because there's nothing else there, so we have these little patches of protection and nothing else there.
MR. GELLMAN: One of the benefits of all of the federal proposals is that they are comprehensive and they do attempt to cover information wherever it flows within the health care system so that there aren't gaps like that.
MS. BERENSON: Well and I think at that point then, if we have, we would have a uniform base and then states could say okay are there particular places now where there's some glitch that we need to address. Right now, there's no base and states are trying to find the glitches.
MR. GELLMAN: Are there some state AIDS laws that have some specific provisions that you could point to that are really good and better -- I'm looking for something that's more specific rather than there are some better laws -- do you have any examples off the top of your head?
MS. BERENSON: I guess again it goes back to the point I was making about apples and oranges. Like I could tell you about a law, for example, the Florida law that I referenced has some very good provisions with regard to disclosure, need to know, disclosure within a facility. It has provisions with regard to sort of the required informed consent and authorization around HIV test results. New York has a very comprehensive written consent statute. California has a written consent statute.
And so, I can sort of give you lots of different states that have different laws, but again it goes to that issue they may have a very good law with regard to the test result or with regard to treatment or with regard to protecting the information within just the public health system or protecting the information within the hospital setting. So the comparison is --
MR. GELLMAN: One of the problems, even with the proposals that exempt, public health laws (AIDS) which is sort of what's intended there without using the word, besides the fact that it's not clear, it would be interesting to know -- and I'm not asking you to do this work for us, but it may be useful later on in the legislative process -- is to look at some of the state AIDS laws in particular and see what features there are. There may be some way of categorizing these and being much more specific in terms of saying okay, if we want to preserve some of these laws, is there is a way of saying what it is we're preserving rather than being general, to try and avoid this problem of what the hell is it we're doing when we deal with this, that might be useful. Anyway, I offer that as a thought.
MS. BERENSON: And in fact, we have with CDT and the Georgetown Legal Clinic, we have gotten a lot of information and we do have a better sense -- there are 39 states I think that actually have some HIV confidentiality law on the books currently. We have tried to break them down. Some of them specifically, as I said, some of them deal with law enforcement and don't deal with disclosures for hospitals. It seems nonsensical, but we do have different information.
MR. GELLMAN: That may be a contribution later on to the legislative process.
MR. HAINES: I just wanted to ask Ms. Jacobs a question. We peaked my interest when you talked about the current situation where you might have an insurance company that's subject to your protective statute, but they're using new review whatever post-managed care entities that are not covered but as an -- have you actually had experience where there have been attempted disclosures or discussed the possibilities of disclosures? I think that's relevant to the general question about are the --
MS. JACOBS: It comes up now at the front end of the process. What I was describing as the back end of the process, so the requester is authorized as a third party payer by the client. The front end of the process is this pre-authorization thing that they do and gatekeepers do it, right? So I go to ABC Drug Treatment Program in need of treatment and I say I'm a member of XYZ HMO. They say, okay we need to know if they will authorized treatment.
Now, the difficulty here is I am considered a drug treatment client when I come in and request that service, but the HMO is not necessarily part of any protection. So I think that's what you're asking. To authorize the service, they want to know all kinds of stuff that I may not be ready to give them. That's really become a big problem.
Yes, there have been disclosures, there are a couple of famous ones that are unfortunate because there are fatalities involved where either their were disclosures or there were denials of authorization for people who said I need X, Y and Z service and the provider or the gatekeeper refused the service on the basis that you have to fail out-patient before you can go in-patient. I won't detail what happened, except to raise the specter of malpractice.
MR. GELLMAN: In the first case you gave with the HMO, what do you do?
MS. JACOBS: It's extraordinarily difficult for a very human reason which is the people are in crisis. So oftentimes what happens is they simply tell these gatekeepers, I've had a drinking problem for five years, having no idea where that information is going to go. Our advice, if we're asked before that disclosure is made, is to have a consent form signed with the gatekeeper. I Sue, say to you gatekeeper, you can discuss this with Odyssey House, only for this limited purpose. So if there is then a redisclosure, I've got you.
MR. GELLMAN: Let me turn to basically one last issue for today and that's access to records. I think at a broad level that there seems to be pretty universal agreement with the general proposition that patients should have a right of access to their records. I don't think anyone has really quibbled too much over that. We will quibble over the exceptions and that's what I want to talk about. I've got a list of exceptions, let's see what people think of them.
One of the ones, and this was discussed yesterday with the providers, is sort of a general if disclosure would cause harm to the patient. There seemed to be a strong sentiment for preserving that, in at least some cases, especially in the mental health area. What are your positions on that? Janlori?
MS. GOLDMAN: I think as a general rule people should have a right of access to their records. If a provider thinks -- I think the burden on the provider should be extremely high to show that someone would cause themselves imminent danger, that they're about to kill themselves really, that they would kill themselves if they saw this information. Not that it would cause them to be anxious or depressed or distressed, lots of information that we get access to about ourselves could be distressing. I think the burden on the provider has to be very high.
MR. GELLMAN: Don?
MR. HAINES: Well, I agree with that. I'm also unwilling to leave the decision with the provider. I mean some of the bills I think had peer review. That's another protection that I would want. Our position on access is that generally --
MR. GELLMAN: It's too long of a discussion. Aimee or Sue, do you have a view?
MS. BERENSON: Basically, I think the only problem I would have is narrowly defining what the standard is, imminent danger of some kind, and also that the decision should not, there should be some other person besides the provider making the decision.
MR. JACOBS: Providers can limit this by time, place and manner is what I've told them. They also I think then can make decisions that no, even though you're supposed to have access to your records, you're entitled, I simply have in this instance an abiding fear that X, Y, Z is going to happen so take me to court.
MS. BERENSON: What is the record is the other question. Are you talking about someone's notes about their clinical impression or some other piece of the record?
MS. GOLDMAN: I think the history on this issue is instructive, that for a long time mental -- the focus was on mental health providers restricting access to their patient's records. It wasn't an issue that the general provider community was concerned with, but it was something about mental health records that these people were more unstable, susceptible to more violent reactions if they saw information about their own care or their own treatment, their own condition. And more and more in the mental health community that is becoming an unpopular view, but it's not completely wiped out. There are a number of provider groups, particularly mental health provider groups that have advocated for being able to continue to restrict access.
MR. GELLMAN: I'm glad to hear you all say that. I'm glad that we found an issue that I get to your left on, because I think there should be no exception for this.
[Laughter.]
It's a difficult issue and there are lots of point of views and here's one now.
DR. HARDING: Okay, as a psychiatrist in practice 20 years, I have two times refused to allow a patient to see their record. In a paranoid schizophrenic patient who wants to see his record, I would question the wisdom of allowing that to happen when there's a lot in the record of course that they're paranoid about as to what is in the record that it can lead to very disturbed acting out on that very psychotic individual. So there would be times that I think it should be still the judgment of perhaps, as you say, the provider and a third party, but certainly there need to be some exceptions made.
MR. GELLMAN: That seems to be actually the drift of most of the testimony that we've had on this issue is just that, it's make it tough but allow an exception at some level.
MR. FANNING: May I just say, I think the District of Columbia Mental Health Confidentiality Statute, which is a good one, and which includes patient access, involves a court proceeding for resolving these disputes.
MR. GELLMAN: Let's talk about some other exceptions. Sometimes a medical record about you will have information about others, group therapy is the classic example. Some of the bills allow exceptions for that, do you support those?
MS. JACOBS: The New York HIV Bill protects the partner, spouse, discernable other who might be at risk. We think that makes a lot of sense. In other words, I'm positive and I identify a partner to my provider, that partner is also clearly somebody who is at risk and is somehow protected.
MS. GOLDMAN: Protected from what?
MS. JACOBS: From disclosure by the agency.
MR. GELLMAN: But we're talking here about first disclosure to the subject of the record. Views on this, Janlori or Don?
MS. GOLDMAN: I think it becomes a really difficult issue in the genetic testing area, where that's what the record is about. It's information about others in your family or information about a fetus or information about extended family members. I think this is a really hard issue, but I think that it is entitled to exactly the same privacy protections but where people want access to their own record, there has to be a way to segregate it so what they're getting access to is only the information about themselves if that's possible, if it's possible to segregate it.
MR. HAINES: I agree, and that reminds me that we sort of skirted off the specific exceptions. I think in genetic testing, increasingly the sense is that you can't protect genetic information, as opposed to a specific test result, because it goes throughout the medical record and could include just a note about a father's medical condition. That's why increasingly genetic ethicists are arguing in favor of generic, not genetic privacy protection. That's something which the ACLU supports, although we're opportunistic, not principled on this and will take protection where we can get it.
MR. GELLMAN: I've heard that, and your analysis, I think that issue has developed in the last year or two and I think that there seems to be more recognition of that, that the difficulty of doing this is --
I've got one more access issue. Pharmaceutical researchers, the pharmaceutical industry wants an exception, first party access for records that are part of clinical trials. The argument is that disclosure to the patient of some of the information, and how narrow this request is it's not clear, but it's relatively narrow, that disclosure to the participant in a clinical trial, for example of whether they are getting the active drug or the placebo will undermine the validity of the trial. How do you feel about that exception?
MS. GOLDMAN: The exception is, what they're not telling --
MR. GELLMAN: If you are a participant in a clinical trial and disclosure to you of certain --
MS. GOLDMAN: You shouldn't know if you're getting a placebo or the -- what does this have to do with the pharmaceutical company?
MS. BERENSON: This is not real. The reason that it's not real is I mean first of all, if we're talking about an individual in a clinical trial, that individual's medical record contains information about the individual, but theoretically the doctor providing the care in that clinical trial doesn't necessarily know what the patient is getting. If it's not a double blind study, then one would assume that the patient knows what arm of the trial they're in. They know they're taking AZT and 3TC and they know that.
I think there's some real question about whether or not you should have clinical trials going on where somehow in the record for the nurse and the doctor and everybody else who is working on this, the information about what drugs the person is taking is there, but you're not going to let the person know that. It goes back to this issue of health research generally I think. I think you have to start out with making sure that there's some IRB process going on.
MR. GELLMAN: That's assumed in this, of course, that there is an IRB, there has been a protocol and there has been informed consent.
MS. GOLDMAN: The beginning of the question had to do with pharmaceutical access to information and then I lost it --
MR. GELLMAN: No, the pharmaceutical industry wants an exception for clinical trials.
MS. BERENSON: But what I'm saying is that the request for the exception does not make sense to me unless you're assuming certain kinds of trials going on that are sort of contrary to what --
MR. HAINES: The pharmaceutical entity has a record which is a medical record which might be subject to access.
MR. GELLMAN: There's a record somewhere that indicates what drug --
MR. HAINES: You're absolutely right about the provider.
MS. BERENSON: The pharmaceutical company has a separate record of the clinical trial information itself.
MR. GELLMAN: Right, and somewhere there is information that qualifies as a medical record that indicates which patient is getting which drug. Whether the patient knows, or whether the doctor knows doesn't matter, the record is available somewhere. The question is does that make --
MS. BERENSON: I guess there's a question, I mean if people are actually being identified by name in this sort of clinical trial record and there's information in there that nobody else has. I don't really know how often this situation exists, but I guess I would also wonder are you keeping something that you could classify as a personal medical record of mine in that case, or are you keeping sort of aggregate information or information about a clinical trial. I guess I'm having trouble --
MR. HAINES: And why is this not involved in the initial process of setting up the clinical trial?
MS. BERENSON: That's exactly right.
MR. HAINES: If you come to me and you say we're going to do a clinical trial, we think this pill will make your hair grow and we think this pill will make you blonde again. There's of course going to be a placebo and I want to know which it is because I would rather have hair than a blonde beard, but presumably you're going to say but we can't have you participating in this unless you agree that you're not going to know, because we're running --
MS. BERENSON: It's my private medical record that I should have access to. If what it is is sort of clinical trial data about the ongoing study, I guess I don't see how that argument could be made.
MR. GELLMAN: The information appears somewhere as to which drug you are receiving. It is a record about you and it would be subject to access under the law.
MS. BERENSON: It doesn't have to be personally identifiable.
MR. GELLMAN: Of course it's identifiable.
MR. HAINES: The question is do we need a legislative exception to the right of access that specifically covers this in some narrow way, although when the pharmaceutical company is involved I never believe narrow is narrow enough, or do you say that I have the right to give up access. Is that generally the case?
MR. GELLMAN: Ultimately that becomes the question is if you don't provide an exception, then do you say to somebody you can waive your right of access, and of course that's a much more general problem of people signing consent forms and waiving their rights all over the place and that may be contrary to the structure. I'm not necessarily advocating this, I'm just trying to raise the issue.
One way of dealing with this and evading the question of waiver is to say okay in a narrow circumstance yet to be defined, where we're dealing with clinical trials and the trials would be affected by disclosure to the patient, there is an exception.
MS. GOLDMAN: I assume at some point, even if an individual decided that she wanted to waive her right of access, when the clinical trial was concluded, the person could clearly know and should, then it would evaporate.
MR. GELLMAN: The question is during the course of the clinical trial, the patient comes forward and says I want to know, the law says I have a right of access, do we say no you don't?
MS. GOLDMAN: You could waive your right.
MR. GELLMAN: That's the question, don't jump to that too quickly.
MS. GOLDMAN: I'm just saying you could, you could craft that.
MR. GELLMAN: You could, but once you start allowing people to waive rights, you really have opened the door to wiping out the whole law you just passed.
MS. BERENSON: There's another question here which is are you starting out from the assumption that sort of all of your clinical data about every research program constitutes a medical record for all the individuals in that program. I guess I'm going back to this, this doesn't really seem like something you would have to fix by creating some exception somewhere. It seems like it's something that should be addressed through the IRB process, through the process of designing your research.
I guess the other piece is it sort of posits an interesting idea, which is that somehow this information is -- I could just go and get information on all 1,600 people that are enrolled in the clinical trial.
MR. GELLMAN: You could only get information about yourself.
MS. BERENSON: I can only get information about myself. I guess you could deal with this issue through the consent process and through your IRB process in setting up the research.
MR. GELLMAN: But if there is --
MS. BERENSON: In other words, I can say that as part of this research, I can't find out. I mean this is normal practice, I can't find out, it's a double blind randomized study, I cant' find out what drug I'm on until after this happens and I sign that form and I'm agreeing to that.
MR. GELLMAN: Then it's okay?
MR. HAINES: This is a novel issue for me.
MS. BERENSON: That should be happening in the context of your design and enrollment of people into clinical trials and not somehow trying to draft some exception I think.
MR. HAINES: I think what we're worried about, we have a common worry but it's about different parts. The worry is an understandable exception to the general access provision being expanded. I think Ms. Berenson is worried about a statutory exception that might get expanded. I'm worried about the idea of waiving that might get expanded. There may or may not be an answer, but I wouldn't leap immediately to saying yes or no about that.
I would also like to give one sentence about IRBs. I thought the most important comment I've heard in any of the proceedings about IRBs that I've attended, whether they're Congressional hearings or whatever, was Ms. Rothenberg's comment about serving on the genetic recombinant DNA and saying that her review of IRB approved protocols, she had never once seen an informed consent procedure that she liked, that was acceptable. We would underscore, from the ACLU, we would underscore that there are good IRBs, there are not so good IRBs, but IRBs are not a sufficient protector of privacy in this area.
MR. GELLMAN: I took that comment another way and will have to explore with her, which was that the proposals that came to the IRB were inadequate and presumably the IRB made them adequate.
MS. BERENSON: And additionally when you say -- we need to say that there are strong current federal regulations governing NIH funded biomedical research for example that applies, but not all research in this country is done under those regulations so there are going to be --
MR. HAINES: And we would not agree that these regs are adequate for coerced, non-consensual use of --
MR. GELLMAN: I think that we've sort of covered most of the basics here between this morning and this afternoon one way or another. I think this is as good a place as any to stop. I would like to thank you all for coming. I think the discussion has been very useful and obviously will continue on in other places and in other times.
This is the last of our hearings. We're not quite sure what our procedure is from here. We're going to have to figure it out ourselves. At some point, we will be making a report with some recommendations to the Secretary which will certainly be public. But until we figure out the rest of the procedures, I really can't tell you exactly -- I certainly can't tell you what we're going to do or how we're going to do it.
If people want to submit -- this is a general comment -- if anybody wants to submit statements for the record, they're welcome to do so. If you submit stuff to us on a disk, we will try and put it up on our Web site. Allow a couple of weeks for this.
MR. HAINES: You're going to put the proceedings? I want to be able to comment after the proceedings are available.
MR. GELLMAN: Okay. I think it will probably be a couple of weeks before this transcript gets --
MR. HAINES: I'm not asking, since I was here for most of this, I'm not as concerned --
MR. GELLMAN: If people want to do it, I don't think it's a problem. At some point however, the record will close or we will have already made decisions.
PARTICIPANT: Mr. Chairman, is there time for a three minute comment?
MR. GELLMAN: We have people that signed up for public comment so we're going to go down the list. That's the last order of business. Do we have the list?
DR. HUNTOON: My name is Dr. Lawrence Huntoon. I'm a practicing physician and a member of the Board of Directors of the Association of American Physicians and Surgeons.
I, and the physicians I represent, are strongly opposed to the computerization of personal medical records. Private, confidential medical information is the property of the patient. Notwithstanding the fact that the government has no right to people's private medical records, we note that the government does a very poor job of handling electronic medical data it collects in administering existing programs.
In 1990, one of my Medicare patients had the experience of being killed off prematurely in HCFA's central database. I say prematurely because she wasn't dead yet. Despite numerous letters to HCFA and Medicare, the erroneous electronic data prevailed for nearly a year. I wrote to my Congressman to complain and the bureaucracy finally decided to resurrect her. Needless to say, the process of trying to correct her erroneous medical claim record, a problem caused by the bureaucracy itself, was exceedingly lengthy, difficult and disturbing to the patient.
Also, although it is illegal to alter Medicare claims, our claims, which we submit to Medicare electronically have been changed by Medicare personnel on more than one occasion. At other times Medicare personnel have deleted portions of our claims or entire batches of our electronic medical claims.
Based on this and many other adverse experiences with electronic claim data handled by government programs, I would like to emphasize the following points.
Number one, the error rate is high.
Number two, it is very difficult to get an error corrected.
Number three, it is very easy to alter the record even though it is illegal to do so.
Number four, there is evidently no accountability for errors in a bureaucracy, even if the person responsible for the error can be identified.
Number five, there is already long experience with electronic data processing. Unless defects in the existing system can be satisfactorily corrected, it should not be expanded.
Number six, there is very limited value in the electronic record from the clinical standpoint. The electronic data format cannot substitute for proven methods, such as performing a history and physical, reviewing actual x-ray films and other studies as opposed to simply relying upon the report or indicator in the electronic record which might be wrong. We also note that physicians frequently have to choose the next best diagnosis when the patient's actual condition doesn't fit into one of the limited choices forced by the use of the electronic format.
Number seven, given that the electronic data is often erroneous or used in an inconsistent fashion, such data is essentially useless from a scientific standpoint also.
Number eight, the only true protection to patients is to keep sensitive medical information out of the networked computer in the first place. Fully informed written consent should be required. Without this, the patient essentially becomes the subject of human experimentation without his or her consent.
Number nine, in conclusion, there are no uses for the data that could possibly outweigh the potential for abuse, and even if there were, that would certainly not justify violating the patient's right to privacy and confidentiality. Thank you.
MR. GELLMAN: Thank you. The next public comment is from Robin Kaye(?).
MS. KAYE: My name is Robin Kaye. I am a private ordinary citizen. I am not here with any organization or group. I represent myself and a fast growing number of individuals who are horrified that their private medical information will be put onto a national patient database without their consent. This will include diagnosis, identifying information and demographics.
If I go to a physician, it is my business and no one else's what is discussed. The federal government and countless others have no right to my private medical information. It would be as if they were in my bedroom or bathroom knowing the private intimate details of how my body functions.
Just because the technology exists does not mean it should be used. Indeed, in a House Subcommittee Meeting on Technology that was aired on C-Span 2 on February 12, 1997, computer experts from all over the U.S. testified to the high incidence of computer security breaches and how difficult it is to prevent computer break-ins and once they occur how difficult it is to track down the criminal.
One of the experts, Daniel Farmer, prepared a memo, Shall we dust(?) Moscow, in which he tested many computers including federal governmental computers such as Congress, the executive and judicial branches and found out that out of 1,734 total sites, 1,127 sites were easily compromised. Of federal computers tested, 61.7 percent were compromised.
How can a patient's medical information be secure with such profound breaches? Mr. Farmer states, I think that the greatest injustice is being done to the users of such sites and services. They simply are not informed of the incredible number of potential security problems on these systems. People with sensitive illnesses such as AIDS, psychiatric illnesses or who have a controversial procedure such as abortion will be at risk for this information to be disseminated and may limit their decision to be even treated. It should be up to the individual to give his consent. We should not have countless researchers, statisticians, health insurance companies, and whoever the federal government decides have access to medical information without the patient's express consent.
In addition, the medical records pertain to the patient's body and health. It should be obviously and immediately available to the patient at all times. After all, the medical records are generated first and foremost to help the patient attain the best possible health.
Also, another problem is if you go to the first doctor and the doctor reports what his diagnosis is, then you go to doctor number two, doctor number two can go to the database and see what doctor number one has said, so how can we get a truly objective second opinion?
There are some that say databases already exist, so problems already exist. If a dam has a leak, do we just say open the door up and let all the water out? No, we fix the leak at the source. Federal and state laws should prohibit physicians, health insurers, anyone who the patient comes in contact with from giving patient medical information to anyone without the patient's consent.
The general public does not know about this portion of the Kennedy-Kassebaum bill. This national patient database is counter to the recent Louis Harris Polls. Senator Leahy's November 14, 1995 statement before a Senate Committee on Labor and Human Resources cites that poll saying 80 percent of the American public expressed particular concern about computerized medical records held in databases used without the individual's consent.
You are the guardians of the people's trust. Do not give away our right to privacy without thought as to the lack of computer security, and once lost privacy is not something that can be regained.
Finally, Daniel Farmer, computer expert, states, banks, governments and other trusted institutions are racing into a complex technical arena that they appear to know very little about and to be doing still less to learn about. What is worse is that in their mad rush to appear technologically savant, they seem to have discarded any sense of social and cultural responsibility to their constituents. Thank you.
MR. GELLMAN: Thank you. Our last public speaker is Lynn Downs(?).
MS. DOWNS: My name is Lynn Downs and I'm a private citizen from New Jersey. In another country and not so very long time ago, Nazi Germany, a data processing machine was used to record name, address, marital status and characteristics in terms of each citizen's health. The managing director of the company, the German Holorith(?) Machine Company, which incidentally was a subsidiary of IBM since 1922, said and I quote from the walls of the United States Holocaust Memorial Museum here in Washington, D.C. on the fourth floor where his quote is displayed, "We are recording the individual characteristics of every single member of the nation on a little card. We are proud that we can contribute to such a task, a task that provides the physician of our German body politic with the material he needs for his examination, so our physician can determine whether from the standpoint of the nation's health the data thus arrived at correlate in a harmonious, that is healthy relationship, or whether disease conditions must be cured by corrective interventions. We have firm confidence in our physician and will follow his order blindly for we know that he will lead our nation toward a great future. Heil to our German people and their leader. Willie Holinger(?), Managing Director of [word lost], January 8, 1936.
Technology and persecution go hand and hand historically. Medical information may identify ethic groups, Tay-Sachs in Jewish people, sickle cell anemia in African Americans. Genetic marking can lead to genetic cleansing and other problems.
It is dangerous for the federal government and countless others to have so much private information. Let's take a lesson from Germany and remember why we love our country, freedom of choice, privacy and all the blessing democracy has to offer. The right of privacy for each individual is very, very precious and must not give way to the general good as it did in Germany.
MR. GELLMAN: Thank you. Before we adjourn, I would just like express my appreciation to the staff here at HHS who put together all the hearings and did all the work. I'm most grateful to you and I look forward to working with you in the future. The proceedings are adjourned.
[Whereupon the meeting was adjourned.]