S. Hrg. 106-501 PROPOSED RULE ON THE PRIVACY OF INDIVID- UALLY IDENTIFIABLE HEALTH INFORMATION HEARING OF THE COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS UNITED STATES SENATE ONE HUNDRED SDCTH CONGRESS SECOND SESSION ON EXAMINING ISSUES DEALING WITH PRIVACY OF INDIVIDUALITY IDEN- TIFIABLE HEALTH INFORMATION, FOCUSING ON RELATED PROVI- SIONS OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABIL- ITY ACT APRIL 26, 2000 Printed for the use of the Committee on Health, Education, Labor, and Pensions U.S. GOVERNMENT PRINTING OFFICE 64-101CC WASHINGTON : 2000 ForsalebytheU.S.GovernmentPrintingOffice SuperintendentofDocuments,CongressionalSalesOffice,Washington,DC 20402 ISBN 0-16-060836-8 COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS JAMES M. JEFFORDS, Vermont, Chairman JUDD GREGG, New Hampshire EDWARD M. KENNEDY, Massachusetts BILL FRIST, Tennessee CHRISTOPHERJ. DODD, Connecticut MIKE DeWINE, Ohio TOM HARKIN, Iowa MICHAEL B. ENZI, Wyoming BARBARAA. MIKULSKI, Maryland TIM HUTCHINSON, Arkansas JEFF BINGAMAN, New Mexico SUSAN M. COLLINS, Maine PAUL D. WELLSTONE, Minnesota SAM BROWNBACK, Kansas PATTY MURRAY. Washington CHUCK HAGEL, Nebraska JACK REED. Rhode Island JEFF SESSIONS. Alabama MarkE. Powden, StaffDirector Susan K. Hattan.Deputy StaffDirector J. Michael Myers, Minority StaffDirector and ChiefCounsel (II) CMS Library C2-Q7-i3 7500 Security S!vd- CONTENTS STATEMENTS Wednesday, April 26, 2000 Page Jeffords, Hon. James M., Chairman, Committee on Health, Education, Labor, and Pensions, openingstatement 1 Kennedy, Edward M., a U.S. Senator from the State ofMassachusetts, open- ingstatement 3 Preoared statement 4 Heinrich, Janet, Associate Director, Health Financing and Public Health Issues, U.S. General Accounting Office, Washington, DC, accompanied by BarryR. Bedrick,Associate Greneral Counsel 6 Prepared statement 9 Houston, John P., director, information services division, UPMC Health Sys- tem, Pittsburgh, PA, on behalf of American Hospital Association; Kathy Farmer, manager of U.S. Compensation and Benefits, Hewlett Packard, Palo Alto, CA, on behalf of Washington Business Group on Health; and Dr. E. Greg Koski, associate professor ofanesthesia and critical care medi- MA cine, Massachusetts GeneralHospital, Boston, 35 Prepared statementsof: Mr. Houston 36 Ms. Farmer 44 Dr. Koski 57 Horobin, Dr. Joanna C, senior vice president for commercial development, EntreMed, Inc., Rockville, MD, on behalfofthe Biotech Industry Organiza- tion; CharlesN. Kahn III, president. Health InsuranceAssociation ofAmer- ica, Washington, DC; and Janlori Goldman, director, health policy project. Institute for Healthcare Research and Pohcy, Georgetown University, Washington, DC 75 Prepared statements of: Dr. Horobin 78 Mr. Kahn 87 Ms. Goldman 95 American Collectors Association, Inc., Gary D. Rippentrop on behalfof, pre- pared statement 189 National CoahtionforPatientRights, prepared statement 195 AmericanPsychoanal)rticAssociation, prepared statement 196 American Healthways, Inc., prepared statement 198 Consortium forCitizenswithDisabilities, prepared statement 200 Association for Healthcare Philanthropy (AHP), William C. McGinly, on be- halfof, prepared statement 205 ConsumerCoalition forHealthPrivacy,prepared statement 230 ADDITIONAL MATERIAL Articles, publications, letters, etc.: Guidelines devotedtoprivacyand confidentialityissues 51 Comments on proposed Federal standards for privacy of individually identifiablehealthinformation, February 17, 2000 101 MargaretAnn Hamburg, Assistant Secretary, U.S. Department ofHealth and Himian Services, from Kathleen Sebelius, Commissioner ofInsur- ance, StateofKansas, datedFebruary 15, 2000 209 Mr. Pollack'sresponses toquestions askedbySenatorWeUstone 221 Mr. Kahn'sresponses toquestions askedby SenatorWellstone 224 Dr. Koski'sresponses toquestions asked byWellstone 226 Ms. Farmer's responses toquestions askedbySenatorWellstone 227 Dr. Horobin'sresponses toquestions askedbySenatorWellstone 230 (III) PROPOSED RULE ON THE PRIVACY OF INDI- VroUALLY roENTIFIABLE HEALTH INFOR- MATION WEDNESDAY, APRIL 26, 2000 U.S. Senate, Committee on Health, Education, Labor, and Pensions, Washington, DC. The committee met, pursuant to notice, at 10:05 a.m., in room SD-430, Dirksen Senate Office Building, Senator Jeffords (chair- man ofthe committee) presiding. Present: Senators Jeffords, Kennedy, Dodd, Wellstone, Murray, and Reed. Opening Statement of Senator Jeffords The Chairman. The hearing will come to order. Today marks the Health and Education Committee's eighth hear- ing on—one of the most pressing issues confronting our health care system ^the confidentiality ofhealth care information. As most of you know, we are here today as a result of what seemed like a small provision within the Health Insurance Port- ability and Accountabihty Act, or HIPAA. The HIPAA provision states that should Congress not enact medical records privacy leg- islation by August 21, 1999, the Secretary of Health and Human Services is required to issue regulations on privacy standards for individually identifiable health information. Fvirther, these regula- tions must address the following: the rights of the individual who is the subject of the information; procedures for exercising such rights; and the authorized and required uses and disclosures of such information. Last year, this committee worked tirelessly to produce bipartisan legislation that struck the appropriate balance between providing protection for medical information while also allowing for necessary sharing ofinformation within integrated health care systems. In working closely with Senators Dodd, Frist, Kennedy, and other members ofthe committee, we were able to make tremendous progress in resolving many policy differences. Unfortunately, some issues remained on which we were unable to reach agreement. Since we were unable to pass comprehensive medical records pri- vacy legislation, the Secretary of Health and Human Services now has the duty to produce final regulations this year that will go into effect in the year 2002. Last November, when the Department of Health and Human Services issued their proposed rule on the privacy of individually (1) 2 identifiable health information, I asked the General Accounting Of- fice (GAO) to study the interim regulatory process and report their findings to this committee. I specifically asked them to look at the nature ofthe comment letters that Health and Human Services re- ceived, as well as to address whether the administration's proposed rule is consistent with the statutory authority under HIPAA. For those ofyou who actually read the 600-plus pages ofthe pro- posed rule, imagine reading the 52,000 comment letters that fol- lowed the publication ofthe proposed rule. While this is a stagger- ing number, I am told that about 45,000, however, were form let- ters containing identical information. The —GAO testimony presented today will touch upon two themes that there is widespread acknowledgment, despite the or- ganizations* diverse perspectives, of the importance of protecting the privacy of medical records; and that fundamental differences among the groups* positions reflect the conflicts that sometimes arise between maintaining privacy protections and achieving other important social goals. A study by the National Research Council shows that the path- way of a typical medical record is no longer confined within the control of the patient's personal physician. Today, a typical record may be handled by numerous individuals in more than 17 different organizations. Technology has provided the tools to allow the ease ofaccess to health care information. Now, enforceable national pro- tections are needed to ensure the confidentiality of this personal health information. As we hear from all ofour expert witnesses today, I hope to gain a better understanding regarding the appropriateness of the pro- posed rule on the privacy of individually identifiable health infor- mation, as well as whether future legislation is needed to fill gaps that perhaps resulted from the Secretary's limited authority in issuing the regulation. The hearing will follow the committee's usual format. Each ofthe _ witnesses will speak for 5 minutes, and each member of the com- mittee will have up to 5 minutes per round for questioning. The hearing record will remain open for 2 weeks, and any written state- ments and questions for the record should be submitted within that time. That said, let me welcome all ofour witnesses. I look forward to hearing your testimony today and working together with you now and in the future to reach the appropriate results. I am pleased to introduce our witnesses this morning. Testifying first will be Dr. Janet Heinrich, Associate Director for Health Fi- nancing and Public Health Issues at the U.S. General Accounting Office, Washington, DC. Previously, Dr. Heinrich was director of the American Academy of Nursing and also served as Director of Extramural Programs, National Institute of Nursing Research, at the National Institutes of Health. Her professional experience en- compasses public health nursing in urban and rural settings, as well as public policy making at the local, State, and Federal levels. In addition to her nursing degree, her credentials include a Master ofPublic Health from The Johns Hopkins University School ofHy- giene and Public Health and a Doctorate ofPublic Health from the 3 Yale University Department of Epidemiology and Public Health in the School ofMedicine. Dr. Heinrich, as always, it is a pleasiu-e to have you with us, and we look forward to your remarks. I will turn first to our ranking member. Senator Kennedy, for any comments. Opening Statement of Senator Kennedy Senator Kennedy. Thank you, Mr. Chairman. I havejust a brief comment. I want to thank you for calling this hearing on the proposed rules to safeguard the confidentiality of medical records. This issue is critically important to every American who seeks medical care. Every patient, particularly in this electronic age, must be able to trust that personal medical information will not be improperly dis- closed or used for imauthorized purposes. The importance of this trust between the patient and the doctor has been recognized since the very dawn ofmedicine. Before being entrusted witn the heavy responsibilities of providing to the sick and injured, doctors take a solemn oath based upon the declara- tions and principles laid down by the Greek physician, Hippocrates, more than 2,000 years ago. Over the centuries, these principles have served as the fovmda- tion of good medical practice, and as we consider today the basic issue of privacy of medical records, we would do well to remember the Hippocratic Oath: "Whatever, in connection with my profes- sional practice, I see or hear which ought not to be spoken of abroad, I will not divulge, coimting such things to be sacred se- crets." Unfortimately, the "sacred secrets" of which the Hippocratic Oath spoke have now lost much oftheir sanctity. In this era ofin- stantaneous electronic commimication, medical information can be sent aroimd the world at the touch ofa button, and vast databases of personal medical information are compiled and sold to the high- est bidder. Although health care personnel must clearly have ac- cess to medical records to provide nigh-quality treatment or obtain pajrment for services, the absence of effective privacy protections often allows employers, sales agents, and even neighbors to obtain improper access to the medical information that all of us would wish to protect. When patients fail to confide in their doctors, both patients and society suffer, and patients who are afraid to tell their doctor about a previously-diagnosed condition for fear ofseeing that information misused may receive medications that are ineffective or even dan- gerous. And patients who are afraid of disclosiu-e oftheir medical condi- tion to their employer or their coworkers may delay seeking treat- ment or even delay taking a simple diagnostic test, with the result that a previously treatable condition becomes incurable. We must all work together to restore the trust in the confiden- tiality ofmedical practice and thus dispel the fear that so many pa- tients feel about the security oftheir personal medical information. In 1996, Senator Kassebaum and I, along with many other mem- bers of our committee, worked together to pass the Health Insur- 4 ance Portability and Accountability Act. This legislation called on Congress to deal with the pressing issue ofconfidentiality ofmedi- cal records by enacting comprehensive legislation. It required the Secretary of Health and Human Services to formulate regulations on the privacy ofmedical records ifCongress declined to act. We agreed that inaction by Congress should not mean no action on this important issue. To fulfill the requirements ofthe Act, Secretary Shalala and her staffworked effectively to establish principles to safeguard the pri- vacy ofmedical records while still allowing the use ofmedical infor- mation which is necessary for effective delivery ofhealth care. Her task was a challenging one, and I commend the Secretary for the thoroughness of her work in addressing the many complexities of this difficult issue. I look forward to the testimony from today's witnesses, particu- larly Janlori Goldman, whose expert advice was especially valuable during last year's deliberations on medical privacy in this commit- tee; and Dr. Greg Koski, from the Massachusetts General Hospital, who serves on the faculty of that world-renowned research and is well-known for his leadership in preserving the privacy of medical records for patients involved in medical research. Again I thank you, Mr. Chairman. [The prepared statement ofSenator Kennedy follows:] Prepared Statement of Senator Kennedy Thank you, Mr. Chairman, for calling this hearing on the pro- posed rules to safeguard the confidentiality ofmedical records. This issue is critically im—portant to every American who seek—s medical care. Every patient ^particularly in this electronic age ^must be able to trust that personal medical information will not be improp- erly disclosed or used for unauthorized purposes. The importance ofthis trust between patient and doctor has been recognized since the very dawn ofmedicine. Before being entrusted with the heavy responsibility of providing care to the sick and in- jured, doctors take a solemn oath based on the declaration ofprin- ciples laid down by the Greek physician, Hippocrates, more than two thousand years ago. Over the centuries, these principles have served as the foundation of good medical practice. As we consider today the basic issue of privacy of medical records, we would do well to remember the words ofthe Hippocratic Oath: ^Whatever, in connection with my professional practice ... I see or hear . . . which ought not to be spoken of abroad, I will not di- vulge, counting such things to be as sacred secrets.** Unfortunately, the "sacred secrets" of which Hippocrates spoke have now lost much of their sanctity. In this era of instantaneous electronic communication, medical information can be sent around the world at the touch ofa button. Vast databases ofpersonal med- ical information are compiled and sold to the highest bidder. Al- though health care personnel must clearly have access to medical records to provide lugh-quality treatment and obtain payment for services, the absence of effective privacy protections often allows employers, sales agents, or even neighbors to obtain improper ac- cess to the medical information that adl ofus would wish to protect. 5 When patients fail to confide in their doctors, both patients and society suffer. Patients who are afraid to tell their doctor about a previously diagnosed condition, for fear of seeing that information misused may receive medications that are ineffective or even dan- gerous. Patients who are afraid ofdisclosure oftheir medical condi- tion to their employer or their coworkers may del—ay seeking treat- ment or even delay taking a simple diagnostic test with the result that a previously treatable condition becomes incurable. We must all work together to restore the trust in the confiden- tiahty ofmedical practice and thus dispel the fear that so many pa- tients feel about the security oftheir per—sonal medical information. In 1996, Senator Kass—ebaum and I ^along with many other members ofour conmiittee worked together to pass the Health In- surance Portability and Accountability Act. This legislation called on Congress to deal with the pressing issue of confidentiality in medical records by enacting comprehensive legislation. It also re- quired the Secretary of Health and Human Services to formulate regulations on the privacy of medical records if Congress declined to act. We agreed that inaction by Congress should not mean no action on this important issue. To fulfill the requirements ofthe Act, Secretary Shalala and her staff have worked effectively to establish principles to safeguard the privacy ofmedical records, while still allowing the uses ofmed- ical information that are necessary for effective delivery of health care. Her task was a challenging one, and I commend the Secretary for the thoroughness of her work in addressing the many complex- ities of this difficult issue. I have always maintained that medical records should have protections similar to those extended to video rental records. Therefore, I am concerned that this regulation gives law enforcement officials broad access to these personal records, but I beheve we could address this when we take up comprehensive legislation. The regulations proposed by Secretary Shalala are an important step toward assuring the confidentiality of health information. Nonetheless, more remains to be done. In formulating the regula- tions that are the subject oftoday's hearing. Secretary Shalala was quite properly constrained by the legislative boundaries ofthe 1996 Act. A major focus ofthe Act was on electronic medical records, rath- er than the paper records that still form the vast majority of pa- tients* medical files. To conform to a narrow reading ofthe Act, the Secretary proposes to restrict the scope of the regulations to elec- tronic records. Many legal scholars have agreed that extending the coverage of privacy regidations to paper records would be within the scope of the Act, and I urge the Secretary to consider such an extension. In accord with the Act, the regulations cover only a few specified types of businesses, rather than directly covering all businesses with access to a patient's records. In today's complex health care environment, a patient's medical information may pass from a doc- tor t—o an insurer to a pharmacy to a marketer of medical prod- ucts all with the click ofa—mouse. Congressional action would pro- tect all health information ^however it is transmitted and wher- ever it exists. 6 Finally, the Act did not provide for the right of citizens to seek legal remedies if the confidentiality of their records is violated. Past experience shows that a private right of action is an effective deterrent against violations, and only a private action can provide adequate compensation when deterrence fails. To restore the trust of patients in the confidentiality of their medical records and to protect that trust with effective enforcement, we must pass com- prehensive medical privacy legislation. I look forward to the testimony from today's witnesses. I particu- larly welcome Janlori Goldman, whose expert advice was especially valuable during last year's deliberations on medical privacy in this committee, and Dr. Greg Koski from Massachusetts General Hos- pital, who serves on the faculty ofthat world-renowned research in- stitution and who is well known for his leadership in preserving the privacy of medical records for patients involved in medical re- search. The Chairman. Thank you. Let me first say that accompan3dng Dr. Heinrich today is Barry R. Bedrick. Mr. Bedrick is an associate general counsel in the Gen- eral Accounting Office. He has been with GAO since 1972 and has been in charge ofproviding legal support for GAO's work on health, education, labor, pensions, and related issues since 1989. He is a graduate ofColgate University and Harvard Law School. Dr. Heinrich, please proceed. STATEMENT OF JANET HEINRICH, ASSOCIATE DIRECTOR, HEALTH FINANCING AND PUBLIC HEALTH ISSUES, U.S. GEN- ERAL ACCOUNTING OFFICE, WASHINGTON, DC, ACCOM- PANIED BY BARRY R. BEDRICK, ASSOCIATE GENERAL COUN- SEL Ms. Heinrich. Mr. Chairman and members ofthe committee, we are pleased to be here today to discuss the Department of Health and Human Services proposed rule on patient confidentiality issued last November. Few areas ofour lives are perceived to be more private than our health and medical care. Historically, allowing access to informa- tion contained in medical records has been the responsibility of physicians and hospitals, with informed consent from patients and their famiUes. The proliferation ofelectronic records and managed care arrange- ments has raised questions about the extent to which individuals* health care information is protected from inappropriate disclosure. Because no comprehensive Federal laws have been enacted to en- sure confidentiality of patient data in the private sector, the Con- gress included in the Health Insurance Portability and Accountabil- ity Act, HIPAA, a provision that the Secretary of Health and Human Services develop legislative recommendations aimed at fill- ing this gap. The Congress ftirther stipulated that iflegislation governing pri- vacy standards was not enacted by last year, the Secretary would issue regulations on the matter. At your request, we examined the consistency between the HIPAA statute and the proposed rules; we reviewed public re- sponses to the rule among a selected group of40 organizations rep-