IV. Special Privacy and Security Concerns

The Committee has a number of special privacy and security concerns that it wishes to highlight for the Congress and the public.

A. Federal Privacy Legislation

The United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate.

Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to continue to develop. Failure to address health privacy will also undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner. The greater the delay in imposing meaningful controls on the inappropriate use and disclosure of identifiable individual information, the more difficult it will be to overcome institutional resistance to restrictions on use and disclosure or to changing the way that information is acquired and used.

We urge the Congress to act quickly to pass Federal privacy legislation to counter these disturbing trends.

B. Linkage of the Individual Identifier to Privacy Protections

The Committee believes that any discussion of a unique patient identifier for health care is incomplete without substantive privacy protections. The identification of patients is a constant issue in health treatment, payment, and administrative activities. The choice of a unique patient identifier will affect every health care transaction, provider, and institution. Patient privacy will be directly affected by any decision about the adoption of a unique patient identifier.

Selection of a patient identifier will have significant consequences both within and outside the health care system. A properly chosen patient identification system has the potential to enhance privacy. However, at its hearings, the Committee found no consensus on a patient identifier. Indeed, the testimony presented to the Committee reflected the extent to which public opinion is deeply divided on the approach for protecting privacy and on the issue of whether a unique patient identifier should be adopted at all.

As required by the statute, the Secretary has submitted to Congress recommendations for Federal privacy legislation, and she can provide leadership on the issue of the unique patient identifier as well. The Department and the NCVHS recognize the need for increased public education on both the benefits and the risks of having a unique health identifier for individuals. The Committee intends to continue obtaining additional public input on the individual identifier issue at future hearings. The Committee also intends to make a recommendation for a unique individual identifier in the future, recognizing that such a recommendation may not necessarily have the unanimous support of the Committee.

C. Anti-Discrimination Measures are Needed

An issue of concern to consumers revealed during the Committee's hearings on privacy was the relationship between privacy (as defined by principles of fair information practices) and potential discrimination in employment, insurance, and elsewhere. The protection of individual privacy requires that this relationship be addressed. Part of the motivation for seeking protections for health information is to prevent the use of such information for purposes outside of health care delivery and payment. Patients receiving care for certain health conditions or who have been the subject of genetic testing are potentially subject to discrimination in employment, insurance, and elsewhere. Some patients are fearful of disclosing their full medical information to health care providers and thereby might unknowingly compromise the quality of medical care they receive. Several bills before the Congress address the possible use of genetic information to discriminate.

Privacy legislation that specifies legitimate uses of health data can prevent potential discrimination and reassure consumers by establishing a legal requirement that identifiable health information be used only for the purposes for which it was collected. Further, health care providers can be more assured of delivering quality health care services if they have more accurate patient medical information. This would be a major step toward preventing the use of health information for non-health purposes.

The Committee recognizes the fact that privacy issues and discrimination issues are complicated. An already complex health privacy bill may not be the best place to sort out responses to equally complex discrimination problems. The Committee suggests that privacy and discrimination issues deserve separate legislative treatment. The problems of discrimination are important, but further work needs to be done to more fully develop anti-discrimination legislation.

D. Security

Security in the health care industry is a huge, but largely hidden, problem. Testimony before the NCVHS on security practices revealed an extraordinary lack of protection within and across health care organizations today. Currently, the practices used in the handling of paper-based health information are poor to nonexistent. The move toward electronic storage and transmission of health information adds to the Committee's concern that strong security procedures for sensitive information need to be implemented. Health care organizations have been slow to adopt strong security practices for a variety of reasons. Additionally, the lack of national privacy legislation or regulations to ensure the confidentiality of health information contributes to lax security practices.

While recognizing the poor state of information security today, the Committee also understands that for security standards to be followed they must be practical to implement in a variety of environments. Therefore, the Committee believes that any security standard that is adopted must be technology neutral and should promote interoperability among information systems. The cost of implementing specific solutions and the need for scalability based on the size of the health care entity must also be considered.

The Committee plans to continue to monitor industry compliance with, and the development and maturation of, security technology and standards, including electronic signatures. As standards that are fully mature and tested become available, we will review them and make recommendations for their adoption.