FOLLOW-UP INFORMATION FROM
DON DETMER, M.D. CHAIRMAN
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

TO THE
HOUSE WAYS AND MEANS COMMITTEE
SUBCOMMITTEE ON HEALTH
HEARING ON HEALTH INFORMATION PRIVACY
March 24, 1998


Chairman Thomas

Q1. Electronic data can, if done properly, be even better protected than paper records. Do you believe that there is any role currently or in the near future for a rather directed movement toward electronic rather than the keeping of paper records; either carrots or sticks of some sort to move rapidly into electronic record keeping?

Are our (privacy) efforts enhanced, do we make the job easier or more difficult based upon the way we approach how we are going to legislate, that is try to deal with the very sensitive question of privacy for both individually identifiable records and encrypted records, whether they be electronic or paper; or if we put a serious emphasis on trying to create a time line in which we move to the electronic era and then deal with the same concerns about individually identified records? I am wondering which, in your opinion, would get us there in the most efficacious way?

A1. In its administrative simplification requirements, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(Public Law 104-191, Aug. 21, 1996) calls for uniform standards for electronic transactions in health administration precisely because separate standards developed at other than the national level are not workable.

The Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996 (September 11, 1997), noted that

[t]here is continuing movement toward a computer-based patient medical record, with national standards for content and format, and the possibility of ready interstate transmission as needed for patient care. A major impetus toward adopting this type of record was a report of the Institute of Medicine in 1991 that recommended adoption of the computer-based patient record as the standard for all patient care records. Likewise, increasing use of telemedicine means that patient information will often cross State lines, sometimes in real-time delivery of care. This promising development is an important facet of the National Information Infrastructure because of its potential to provide greater access to quality health care for all Americans, especially those living in rural and remote areas.

The National Committee on Vital and Health Statistics (NCVHS) last year held six days of hearings involving witnesses from the full spectrum of public and private constituencies concerned with privacy, consumer interests, and operation of the health care system. Testimony received at these hearings showed that “computers are perceived both as threats to patient privacy and as tools for protecting personal health data. Some see computerized information as the best way to support greater use of data without revealing patient identifiers. With traditional paper records, for example, the difficulties of creating non-identifiable data are typically significant. It may be impractical and very time-consuming to make a complete copy of a paper record with all identifying data removed. With a computer record, the administrative burden of creating anonymized records may be insignificant. Others see computerized repositories of health data as magnets for hackers and other abusers.” Further testimony suggested that

[T]he real threats to computerized information -- as with paper records -- come from insiders and not from hackers.

Nevertheless, because of the important and increasing role of computers in health care, it is important to be sensitive to both public perceptions and to the possibility that abuses of computerized health records will increase in the future. One response would be increased criminal and civil penalties for misuse of computerized health records. These penalties should apply to both inside and outside abusers of health data.

The Committee noted that it is often overlooked that computers contribute directly to improved patient care in many ways, and that debates on the proper role of computers and electronic records often focus only on the threats to privacy and not the benefits for patients. The committee concluded that a more balanced discussion about the value and the risks of computers is essential, and

that we need to do more to develop and implement technological protections for health records. Technology offers the possibility that we can use records for socially beneficial purposes while fully protecting privacy at the same time. Greater use of nonidentifiable, coded, or encrypted records can make everyone better off at little or no cost. Technology will not cure all problems related to the use of identifiable information, but it can diminish the intensity and scope of the problems. This may be the most promising area for additional development.

The NCVHS has not addressed incentives or disincentives for the keeping of electronic records. A new NCVHS workgroup on Computer-based Patient Records may address this issue in the future.

Q. Does it seem reasonable that if we, for example, move toward a system which would allow for a determination of who accessed the records, to make that accessing of the records available to individuals?

Is it too simplistic to view the role of the federal government and the State legislators as perhaps dividing it along that line; that where there are identifiable personal records, that could be a very proper and appropriate role for the States to deal with how you deal with that information; and the encrypted records, primarily for research, far more often travel across State lines, are collected for purposes that should have a set of protocols properly approved by an appropriate agency? Is that too simplistic a view?

But would you respond directly to the point of having the ability to have a clear trail from the identifiable electronic data and providing it, for example, to the individual, as to who it is that has been looking at the records?

A. The NCVHS provided its recommendations on adoption of security standards in a letter to the Secretary, HHS, dated September 9, 1997. In providing a series of principles and recommendations for the Secretary’s consideration, the Committee stated that in order for health information systems to be secure, there must be monitoring of access. Specifically, “[o]rganizations should develop audit trails and mechanisms to review access to information systems to identify authorized users who misuse their privileges and perform unauthorized actions and detect attempts by intruders to access systems.”

Mr. Kleczka

Q2. With respect to research currently being done by managed care companies, is that being done with the informed consent of the individuals?

A2. We do not know. The Committee does not have information on this area.

Q3. Later this year, the European Union is scheduled to come down with a directive relative to transferring of data to a third country, and that directive indicates that they want to ensure the level of protection. Currently, does this country meet the criteria that is set forth in the directive?

A3. The EU directive is a very comprehensive privacy law covering all personal data and designates an official with power to regulate private sector use of personal data. The U.S. does not have a comprehensive legal scheme of data protection, nor an official who has privacy protection as a sole responsibility on a nationwide, or government-wide basis. Rather, it has a number of separate State and Federal laws, but no privacy law generally applicable to all data.

Q4. What would be the impact on this country in terms of trade and research should we not meet the criteria and so forth in the directive?

A4. The impact is not yet clear. It is our understanding that the Commerce Department and the State Department have been involved in discussions with EU staff. Within the Department of Health and Human Services, the HHS Data Council is surveying its staff and operational divisions to determine the extent to which individually identifiable personal data moves from the EU to the U.S.

Q5. It is your view, at this point at least, we do not currently meet the specifics of that directive?

A5. We believe that the U.S. may not currently meet all of the criteria of the EU directive.

Mr. McCrery

Q6. I want you to expound a little bit on the question of preemption of State laws. I am a little concerned about what I perceive to be the Secretary's recommendation that we have a national law, a national standard, but that we allow the States to enact stricter standards. How is that going to solve the problem of uniformity? It seems to me to be contradictory. Can you expound upon that?

A6. Preemption of state laws was the most difficult conflict identified at the hearings we held, and did not yield a clear answer. The NCVHS addressed preemption specifically in its recommendations to the Secretary (June 27, 1997), as follows:

Among large segments of the health industry, a major benefit to federal legislation is a high degree of regulatory uniformity throughout the country. The interstate nature of health care treatment and payment activities is readily apparent. It will be difficult for many involved in electronic transfers of health data to accept any proposal that does not offer significant relief from the prospect of 50 different state laws establishing separate rules.

On the other hand, it would be difficult for many patient groups, privacy advocates and perhaps some provider groups to accept any proposal that does not allow states to adopt stronger privacy protections as specified in the HIPAA. People disagree whether existing state laws offer greater protection than most of the current federal proposals, but a proposal is not a law so judgments in this area are premature. There is strong support in some communities for a minimum federal confidentiality standard that allows states to erect stronger privacy barriers. HIPAA already reflects a policy that stronger state laws should be allowed to prevail.

Existing proposals differ on preemption. Most preserve existing state mental health and public health laws, but the scope of this language is unclear. H.R. 52 adds a new idea to the mix by allowing states to pass additional restrictions on access to health records by state officials.

The Committee suggests, however, that this issue need not be treated as a single problem with a single solution. The conflicts need to be broken down into components, and each component analyzed separately. In some areas, the case for federal preemption may be stronger. For example, it may be unnecessarily complex to support 50 different patient access procedures. On the other hand, the need to recognize the diversity of state public health laws is already clearly reflected in most proposals. No one has suggested or is likely to support a uniform federal public health law. A narrower and careful analysis of preemption may help to minimize the admittedly strong conflicts here and may point to more effective resolutions. However, if sufficient national conformity is not achieved, both national and international objectives cannot be met.

Q7. Can you briefly, if you feel comfortable doing this, either on the part of the commission or on your own part, outline for us the reasons for having a national standard?

A7. The existing legal structure does not effectively control information about individuals' health. Federal legislation, establishing a basic national standard of confidentiality, is necessary to provide rights for patients and define responsibilities for record keepers. The Committee’s position on this is reflected in its recommendations to the Secretary (June 27, 1997) wherein it made a number of principal findings:

The United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate in the future.

The importance of trust in the provider-patient relationship must be preserved. Patients must feel comfortable in communicating sensitive personal information.

Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to develop. Failure to address health privacy will also undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner. The greater the delay in imposing meaningful controls on inappropriate use and disclosure of identifiable individual information, the more difficult it will be to overcome institutional resistance to restrictions on use and disclosure or changing the way that information is acquired and used. On the other hand, the confidentiality of the provider-patient relationship and the confidentiality of health records has been the foundation by which the health care system helps ensure the best possible health care. It is not easy to strike a fair balance between these sometimes competing concerns.

Q8. You talk about needing to guard against discrimination in a number of areas, including insurance. Most people, when they apply for insurance, are they not asked to reveal any health conditions that would have an impact? So what is the problem on discrimination in insurance? If you see that as a problem, perhaps we should move to some sort of community rating. That would resolve that. Do you want to comment on that?

A8. To the extent that the NCVHS has addressed this matter, its discussions have included the following points. The relationship between privacy (as defined by principles of fair information practices) and discrimination is an issue that was raised a number of times during the NCVHS hearings last year. Some motivation for protecting health information is to prevent the discriminatory use of the information both inside and outside the health care setting. Patients receiving care for some health conditions or who have been the subject of genetic testing have been and continue to be the subject of discrimination in employment, insurance, and elsewhere. Several current Congressional bills address the possible discriminatory use of genetic information.

Discrimination based on health status and condition remains a major and important concern. While the Committee has not focused its full attention on discrimination, legislative responses are appropriate. It is not clear, however, that general privacy concerns and discrimination concerns must be or should be addressed together in the same piece of legislation. An already complex health privacy bill is not the best place to sort out responses to equally complex discrimination problems. The Committee suggested in its recommendations to the Secretary (June 27, 1997) that privacy and discrimination issues deserve separate legislative treatment. The problems of discrimination are important, but not enough work has been done to explore the content of anti-discrimination legislation. The Committee urged the Secretary to propose legislation expanding the anti-discrimination provisions of HIPAA to cover all aspects of discrimination based on health status and condition.

Mr. Becerra

Q9. Let me ask a question with regard to, and this may be somewhat premature, since we are trying to figure out what we believe confidentiality or privacy to be and how we address it, but certainly some of what we want to protect will have to be done through statute, e.g., State preemption. But some areas are best left to regulation because they may need to change periodically and statutes would be too difficult to have constantly amended. Do you have any sense right now, Dr. Detmer, what areas are clearly left to regulation versus statute? What should we not do? Is there any particular area that you could identify for us?

A9. Both the NCVHS in its recommendations to the Secretary (June 27, 1997), and the Secretary in her recommendations to Congress (September 11, 1997), recognized the difficulty in drafting health privacy legislation and recommended a “safety valve provision.” Specifically, the Secretary’s recommendations noted:

We recommend that there be authority to suspend, by regulation, any provision of the legislation for a limited period in the event of an unforeseen significant threat to health or safety, significant threat to patient privacy, major economic disruption, or manifest unfairness.

The design of precise controls on the use and disclosure of information is a complex task, and it is possible that the legislation would forbid a disclosure, or otherwise constrain behavior, in a way that causes unanticipated hardship.

Authority to suspend a provision would ensure that situations like this could be addressed, on a temporary basis, pending Congressional consideration of amendments.

Federal agencies are accustomed to the flexibility provided by the Privacy Act of 1974, whose routine use provision (5 U.S.C. § 552a(a)(7) and (b)(3)) permits agencies to make administrative choices to disclose information beyond the disclosures explicitly allowed in the statute. We do not recommend administrative authority as flexible as the routine use provision, which appears in a law covering all activities of all Federal agencies, and where a statutory catalog of all possible uses of information was not feasible. We recommend a provision to deal with extraordinary situations that may have not been foreseen, and then only for a limited time.

Q10. With regard to the whole issue of the data we collect and how we keep all that information, electronic, paper, etc., what do you do with the nonprofit, the community based clinic that already survives on a shoestring budget, if we determine that the best way to keep information safe is to go towards some electronic mechanism? How do we help those that are barely surviving to provide health care, to now get to the point where they will abide by statute or regulation requiring them to provide protection to protect information?

A10. Section 1173 of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, Aug. 21, 1996) requires the Secretary to adopt standards for electronic data transactions, but does not mandate that providers exchange information electronically. While issues regarding costs of maintaining and providing information electronically have been raised at its hearings, the Committee has not addressed this issue.

Chairman Thomas

Q11. We do have a number of statutes on the books, and the staff has listed for me the Privacy Act of 1974, the Americans with Disabilities Act, the Controlled Substances Act and, most recently, the Balanced Budget Act. Did the committee review those? And can you give us any lessons learned from the implementation of these earlier federal statutes in terms of either their applicability or difficulty of converting? Do you have any cautionary words about the way in which we might approach this particular area of privacy vis-a-vis what we have done in the past and what might be seen as somewhat similar or related areas?

A11. The Committee has not examined the Privacy Act or the other laws in any depth in developing its recommendations.

Q12. While you look at these various particulars, the other thing I am most concerned about is the balance between statute and regulations...If you could create some bright lines for us that would be most appropriate in legislation versus areas that probably are going to be changing and we can review, lock up if necessary in legislation in the future, but perhaps might lead to legislation.

A12. As noted above in response to Q9., both the NCVHS recommendations to the Secretary (June 27, 1997) and the Secretary’s recommendations to Congress (September 11, 1997) recognized the difficulty in drafting health privacy legislation and recommended a “safety valve provision.” The Secretary’s recommendations specified that “[w]e recommend that there be authority to suspend, by regulation, any provision of the legislation for a limited period in the event of an unforeseen significant threat to health or safety, significant threat to patient privacy, major economic disruption, or manifest unfairness.”

Mr. Becerra

Q13. Was there a great deal of discussion of what you do after privacy information has been disclosed? What about the person who has a mental history and those records are disclosed, or has the AIDS, HIV virus? What happens in that case, when the cat is out of the bag? Did you propose or discuss what should be the remedy in those cases?

Q14. As you continue, if you could give some close attention to giving us some strong and specific recommendations on sanctions, because there will be all sorts of special interests in this trying to fight to either make them very strong or very weak, and it would help if we had some good guidance from those who are examining the whole issue. Give us a sense of how strong or how weak we should be with regard to sanctions, if in fact we find that information is disclosed.

A13. and A14.

There is clear consensus that there be strong civil and criminal sanctions. A federal privacy law should, as recommended by the Committee (June 27, 1997) and the Secretary (September 11, 1997), “provide for punishment for those who misuse personal health information and redress for people who are harmed by its misuse. There should be criminal penalties for obtaining health information under false pretenses, and for knowingly disclosing or using medical information in violation of the Federal privacy law. Individuals whose rights under the law have been violated should be permitted to bring an action for damages and equitable relief.”