Mike Ball

Executive Director
California Health Information Association

Madam Chair and Members of the Committee:

My name is Mike Ball and I am the Executive Director of the California Health Information Association. On behalf of the over 2,000 credentialed health information professionals that are members of CHIA, I appreciate the opportunity to appear at this regional meeting of the National Committee on Vital and Health Statistics and present testimony regarding the implementation of the Health Insurance Portability and Accountability Act of 1996.

CHIA is a state chapter of the The American Health Information Management Association, which is the professional association that represents over 35,000 credentialed specialists who, on a daily basis, manage and protect the health information that is an Increasingly important component of our nation's health care delivery system.

CHIA is very proud of the leadership position that AHIMA has always assumed in the national dialogue that has continued regarding what federal statutes ought to be passed to ensure American citizens have the access to their own medical information and that this information is adequately protected from inappropriate disclosure.

As AHIMA takes the lead on federal initiatives that concern health information management considerations, so to does CHIA substantially contribute to the legislative activity and dialogue thaat concern these issues at the California state level. I have included for your consideration testimony that CHIA recently offered to the California Senate Insurance Committee. The hearing addressed among other things the issue of health insurance companies insisting prospective policyholders relinquish their rights to controlling the release and use of their personal medical information as a condition of participation.

CHIA completely endorses the testimony offered to this committee by Margaret Stewart, AHIMA President-Elect, on April 15 concerning clinical coding and classification issues. I personally would add that in my capacity as CHIA's Executive Director, the two biggest factors in degrading the uniformity of clinical coding are lack of access to published coding guidelines by medical records personnel, and insurance companies arbitrarily determining that valid codes would not be eligible for reimbursement. I recommend as a condition of participation for medicare or medicaid reimbursement that a health care facility must subscribe to AHA's Coding Clinic or utilize a software solution that incorporates that information in its system. Ms. Stewart's call for a Central Authority to enforce coding standardization for both payors and providers would address the other issue.

AHIMA members work in hospitals and health care facilities throughout the United States and ensure that an individual's right to privacy is protected. Health information management professionals handle requests for health information from third party payers, employers, researchers, attorneys, other health care providers and local, state and federal agencies. Our members ensure that information is disclosed pursuant to valid authorizations from the patient or their legal representative, or pursuant to statute, regulation or court order. This responsibility is not taken lightly and is complicated by the lack of uniform national guidelines or legislation.

For the past 68 years, AHIMA and its members have assumed the responsibility for protecting the confidentiality of health information, Our efforts have been complicated by the lack of federal preemptive legislation. AHIMA and CHIA believes that the HIPAA contains language that will ensure that these protections and right to access to a citizen's personal medical information will finally be codified in preemptive federal law.

The primary goal of confidentiality is to allow patients to communicate with their physician and to share information regarding their health status. Trust is an essential element in the relationship between a patient and a physician. One of the most important aspects of the relationship between a patient and a health care provider is the provider's duty to maintain the confidentiality of health information. The historical origin of a physician's obligation is found in the Oath of Hippocrates, written between the sixth century B. C. and the first century A. D. The Oath states "what I may see or hear in the course of treatment in regard to the life of men, which on no account must spread abroad, I will keep to myself........." Ethical codes promulgated by professional associations have consistently recognized the importance of confidentiality. However, these codes do not address current issues regarding use and disclosure of health information.

While communications between patients and physicians are privileged in most states, the protection of these laws is very narrow. The privilege only applies when a physician is testifying in court or in related proceedings. Many of these laws include significant restrictions that further limit the availability of the privilege. The physician patient privilege offers no real protection to patients regarding the confidentiality of their health information.

Increasing demands for data pose an increasing threat to the patient's right to privacy. The federal Privacy Act of 1974 was designed to provide private citizens some control over the information collected about them by the federal government. Health care facilities operated by the federal government, such as the Indian Health Service, Veterans Administration and Department of Defense, are bound by the Privacy Act's requirements regarding access, use and disclosureof health information. However, the provisions of this law do not apply to health information maintained in the private sector.

The federal alcohol and drug abuse regulations only apply to federal or federally funded facilities that offer treatment for alcohol or drug abuse. While these regulations offer strong protection, they are limited in applicability. Currently, there is no uniform national standard protecting the confidentiality of health information. The protection of health information is left to state law.

Currently, only 28 states allow a patient to access their health information. However, these statutes are not uniform in their approaches. A review of these statutes reveals that in some states patients may only access hospital records while in other states they may access both hospital and physician records. There is little uniformity among state statutes and regulations regarding confidentiality of health information. Protections vary according to the holder of the information and vary for different types of information. Most statutes do not address redisclosure of health information and lack penalties for misuse or misappropriation.

It has been recognized that there is a need for more uniformity among the 50 states. In recent years, the National Conference of Commissioners on Uniform State Laws developed the Uniform Health Care Information Act in an attempt to stimulate uniformity among states on health care information management issues. Presently, only two states, Montana and Washington, have enacted this model legislation. Vermont is presently attempting to enact comprehensive legislation. Clearly, efforts must be directed toward developing national standards on privacy and confidentiality.

THE NEED FOR FEDERAL LEGISLATION

Over the past several years, a consensus has emerged within Congress and among the general public regarding the need for federal legislation to address this important issue. The Office of Technology Assessment (OTA) report, Protecting Privacy in Computerized Medical Information, found that current laws, in general, do not provide consistent, comprehensive protection of health information confidentiality. Focusing on the impact of computer technology, the report concluded that computerization reduces some concerns about privacy of health information while increasing others. The OTA report highlights the need for enactment of a comprehensive federal privacy law.

The public's concern about the confidentiality of health information was reflected in a poll conducted by Louis A. Harris and Associates for Equifax, Inc. The results of the Health Information Privacy Survey 1993 found that fifty-six percent (56%) of the survey participants indicated strong support for comprehensive federal legislation to protect the privacy of medical records as a part of health care reform.

The survey also indicated a strong agreement on what should be included in national privacy legislation. Ninety-six percent (96%) believe federal legislation should designate all personal medical information as sensitive and impose severe penalties for unauthorized disclosure. Ninety-five percent (95%) favor legislation that addresses individuals' rights to access their medical records and creates procedures for updating and correcting those records.

In 1994, the Institute of Medicine released a report, Health Data in the Information Age: Use, Disclosure and Privacy, which recommends that federal preemptive legislation be enacted to establish uniform requirements for the preservation of confidentiality and protection of privacy rights for health data about individuals.

The 1994 Equifax-Harris Consumer Privacy Survey focused on how the American public feels about having their medical records used for medical research and how safeguards would affect their opinions about such systems and uses. Among a list of 13 groups and organizations, doctors and nurses rank first in terms of the percentage of Americans who are "very" confident (43%) that this group properly handles personal and confidential information. After hearing a description about how medical records are used by researchers to study the causes of disease, 41 % of those surveyed said that they would find it at least somewhat acceptable if their records were used for such research.

If a federal law made it illegal for any medical researcher to disclose the identity or any identifiable details of a person whose health records had been used, 28% of those who were initially opposed to having their records used would change their position. This would increase the acceptance of this practice to over half of those surveyed (58%).

In the final Office of Technology Assessment (OTA) report, Bringing Health Care Online: The Role of Information Technologies, the issues of privacy and confidentiality were identified as particularly important areas in dealing with health information. The report noted that if there is little confidence that an electronic medical information system will protect them, then providers and patients will be unwilling to use it. The report recommends that Congress may wish to establish federal legislation and regulation with regard to privacy and confidentiality of medical information, as well as storage media for medical records and electronic data standards for storage and transmission of medical information.

The 1995 Equifax-Harris Mid-Decade Consumer Privacy Survey indicates that the American people say they are strongly concerned about threats to their personal privacy but believe business is doing a better job than government in handling personal information. A majority (58%) also now believes that privacy protection in the year 2000 will remain at least as strong as it is today if not improve. Americans appear more willing to take an active role in protecting their own privacy, with six out of 10 now reporting instances where they have refused to provide requested information. This is an increase from 42% since 1990.

The survey focused on the benefits of a computer-based patient record system. The majority of survey respondents see the trend towards a computer-based patient record system as either "very" beneficial (40%) or "somewhat" beneficial (45%). In terms of the personal benefits that a computer-based patient record system might provide, the greatest importance is attached to the benefit that enables key medical information to be sent to a doctor treating a person in an emergency situation away from home. 86% of survey respondents said that this would be "very" important to them. Nearly seven in ten people (69%) also said that a more effective presentation of past medical experiences, test results, and conditions would be "very" important to them. Finally, the elimination of a need to complete detailed forms as a result of the automatic printing of a patient's medical records and payment information would be "very" important to 55% of the public.

The survey also found that the ability of administrators to "identify sub-standard doctors and poorly run health facilities", to "improve the detection and reduction of fraudulent claims by patients, doctors and hospitals," and to "reduce the cost of health care by improving the identification of waste and inefficiency" would be very important to 79%, 76% and 74%, respectively, of the public. Seventy- four percent say the ability of medical researchers to get better statistical data for studying the causes of diseases and testing new treatments" would be "very" important to them.

The importance of benefits provided by computer-based patient records notwithstanding, most people say they are either "very" concerned (33%) or "somewhat" concerned (41 %) about the potential negative effects of such a system. With detailed privacy safeguards in place, most people (80%) say they would be willing to have their medical records in a computerized system. Respondents indicated that a detailed privacy code would inform patients how their records are used; set rules of confidentiality; make it possible for patients to see their medical records; keep those records separate from all other consumer databases, and ensure the records are not used for marketing products to consumers.

Virtually, all respondents (98%) believe that a "patient should be able to obtain a copy of the medical record maintained about him or her by a doctor or health facility." In response to a similar question asked in 1978, 91% of the public said that "people who want to should have the legal right to see their medical records held by their personal doctor and by a clinic or hospital."

HEALTH CARE AND THE INFORMATION AGE

The development of the national information infrastructure (NII) is a key component of health care reform. Efforts to reform this country's health care delivery system will rely heavily on administrative simplification and computerization of health information to control costs, improve quality of care and increase efficiency. The Institute of Medicine (IOM) report, The Computer- Based Patient Record: An Essential Technology for Health Care, recommended the adoption of computer-based patient records by the year 2000 and the formation of a nationwide health information network. However, as that report noted, there are states which require that medical records be written and signed. In order to facilitate the development of a national health information infrastructure, it is imperative that health information can be created, authenticated and retained in electronic form.

To meet today's information requirements, the nation must move towards a health information infrastructure which will support computer-based patient record systems that capture clinical information, integrate it with clinical support and knowledge bases, and make it available for all legitimate users.

Because health information remains largely uncomputerized and unintegrated, patient information is often inaccessible at the time health care decisions are made. Highly trained health care professionals spend valuable time looking for records, contacting each other to obtain basic information, struggling to decipher handwritten entries or repeating tests because previous results could not be found or obtained quickly enough. National studies have estimated that health care providers spend on average approximately 40 percent of their time on paperwork. External users of health information, such as payers, researchers, governmental agencies and others must depend on a limited set of data that often is not transmitted electronically or sort through volumes of records for key information about an encounter.

There are a number of benefits which can be achieved through widespread use of computer-based patient record systems. Health care providers would have more complete information about the patient instantly and easily. Care would be improved through the ability to access knowledge databases and online expert systems. Information systems would reduce the enormous paperwork burden that providers currently experience. Aggregated data from these medical records will enable better research.

One of the major prerequisites to the appropriate implementation of the computer-based patient record is the need for federal preemptive legislation to protect the confidentiality of health information. In order to move health care delivery systems into the 21st century, AHIMA believes that the nation cannot wait to enact federal preemptive confidentiality legislation. It is critical, and arguably, the most important aspect of any health care reform effort.

AHIMA'S POSITION

In February 1993, in order to address the need for federal legislation, AHIMA drafted model legislative language that outlined a code of fair information practices. This language was published in the OTA report as a model code and was used in the drafting of the "Fair Health Information Practices Act" (HR 435) and the "Medical Records Confidentiality Act" (S. 1360) which are presently pending consideration in this Congress.

There are a number of key provisions in AHIMA's model language which we believe must be essential elements of any legislation to govern the collection, use and disclosure of health care records. These include:

• Disclosure -- No person other than the patient or the patient's representative may disclose health care information to any other person without the patient's authorization, except as authorized.
• No person may disclose health care information except in accordance with the terms of the patient's authorization.
• The provisions apply both to disclosures of health care information and to redisclosures of health care information by a person to whom health care information is disclosed.
• Record of Disclosure -- Each person maintaining health care information shall maintain a record of all external disclosures of health care information made by such person concerning each patient, and such record shall become part of the health care information concerning each patient. The record of each disclosure shall include the name, address and institutional affiliation, if any, of the person to whom the health care information is disclosed, the date and purpose of the disclosure and, to the extent practicable, a description of the information disclosed.
• Patient's Authorization; Requirements for Validity -- To be valid, a patient's authorization must:

1. Identify the patient;
2. Generally describe the health care information to be disclosed;
3. Identify the person to whom the health care information is to be disclosed;
4. Describe the purpose of this disclosure;
5. Limit the length of time the patient's authorization will remain valid;
6. Be given by one of the following means --
   • In writing, dated and signed by the patient or the patient's representative; or
   • In electronic form, dated and authenticated by the patient or the patient's representative using a unique identifier.

The AHIMA model also includes the following principles of fair information practices:

• Patient's right to know -- The patient or the patient's representative has the right to know that health care information concerning the patient is maintained by any person and to know for what purpose the health care information is used.
• Restrictions on collection -- Health care information concerning a patient must be collected only to the extent necessary to carry out the legitimate purpose for which the information is collected.
• Collection and use only for lawful purpose -- Health care information must be collected and used only for a necessary and lawful purpose.
• Notification to patient -- Each person maintaining health care information must prepare a formal, written statement of the fair information practices observed by such person. Each patient who provides health care information directly to a person maintaining health care information should receive a copy of the statement of a person's fair information practices and should receive an explanation of such fair information practices upon request.
• Restriction on use for other purposes -- Health care information may not be used for any purpose beyond the purpose for which the health care information is collected, except as otherwise provided.
• Right to access -- The patient or the patient's representative may have access to health care information concerning the patient, has the right to have a copy of such health care information made after payment of a reasonable charge, and, further, has the right to have a notation made with or in such health care information of any amendment or correction of such health care information requested by the patient or patient representative.
• Required safeguards -- Any person maintaining, using or disseminating health care information shall implement reasonable safeguards for the security of the health care information and its storage, processing and transmission, whether in electronic or other form.
• Additional protections -- Methods to ensure the accuracy, reliability, relevance, completeness and timeliness of the health care information should be instituted. If advisable, additional safeguards for highly sensitive health care information should be provided. The AHIMA model language also contains provisions for civil and criminal penalties to protect against unauthorized use or disclosure.

AHIMA strongly believes that individuals have the right to know who maintains their health information and for what purpose the information is used. Health care information is extremely personal and sensitive information, that if improperly used or released, may cause significant harm to an individual's ability to obtain employment, education, insurance, credit, and other necessities. Health information concerning an individual must be collected only to the extent necessary to carry out the legitimate purpose for which the information is collected. There must be limitations on the use and disclosure of individually identifiable health information.

Health information is used for a variety of legitimate purposes, including patient care, quality assurance, education, research, public health, and legal and financial interests. Regardless of the use or users, individuals must be assured that the information they share with health care professionals will remain confidential.

It is important that information can flow within integrated health delivery systems and that no barriers are placed on providers who are trying to provide quality care to patients. There are many appropriate uses of health information within an organization and it is important to allow persons not involved in direct patient care to have access to carry out their responsibilities.

SUMMARY

The movement of patients and their health care information across state lines, access to and exchange of health care information from automated data banks and networks, and the emergence of multi-state providers and payors creates a compelling need for federal law governing the use and disclosure of health care information.