DEPARTMENT OF HEALTH AND HUMAN SERVICES
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Subcommittee on Privacy and Confidentiality
January 11-12, 2005
Washington, D.C.
– Minutes –
The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics (NCVHS) held hearings on January 11 and 12, 2005, at the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public.
Present:
Subcommittee Members:
- Mark A. Rothstein, J.D., Chair
- Jeffrey S. Blair, M.B.A.
- Simon P. Cohn, M.D.
- Richard K. Harding, M.D.
- John P. Houston, J.D.
- Harry Reynolds
Staff and Liaisons:
- Kathleen H. Fyffe, Lead Staff, HHS
- Amy Chapper, CMS
- Marjorie Greenberg, CDC
- Christina Heide, OCR
- Gail Horlick, CDC
- Evelyn Kappeler
- Catherine Lorraine, FDA
- Susan McAndrew, OCR
- Helga Rippen, M.D., Ph.D. HHS, ASPE
- Marietta Squire, CDC, NCHS
- Bill Tibbitts, IHS
- Sarah Wattenberg, SAMHSA
Others:
- Robert Aldrich, Grocery Manufacturers of America
- Don Asmonga, American Health Information Management Association
- Dixie Baker, Ph.D., SAIC
- Amy Bergner, J.D., Society for Human Rights Management
- Edward Bernacki, M.D., M.P.H., Johns Hopkins University
- Paul Billings, M.D., Ph.D., Council for Responsible Genetics
- Elizabeth I. Board, EPC Global
- Eve Collins, Atlantic Information Services
- Robert Coon, DCI Group, LLC
- Donna Givens, Givens & Associates
- John Halamka, M.D., Beth Israel Deaconess Medical Center
- Jennie Harvell, ASPE/HHS
- Lisa Horn, Society for Human Rights Management
- Joseph Huguenard, M.D., American Academy of Insurance Medicine
- Thomas Leary, HIMSS
- Lewis Maltby, National Workrights Institute
- Nancy McCall, Johns Hopkins Medical Institutions
- Robert McGarrah, Jr., J.D., M.P.H., AFL-CIO
- Roberta Meyer, American Council of Life Insurers
- Stephen E. Novak, Columbia University
- Patrick O’Connor, Kent and O’Connor
- Marc Rotenberg, Electronic Privacy Information Center
- Philip A. Rothermich, Express Scripts
- Richard Seelig, M.D., Applied Digital Co.
- Joyce E. Sensmeier, HIMSS
- Kathryn Serkes, Association of American Physicians and Surgeons
- Cosette Simon, Swiss Re Life and Health North America
- David A. Slaughter, Thompson Publishing Group
- Daniel J. Solove, George Washington University Law School
- Lisa Sotto, Esq., Hunton & Williams
- Peter Starchfield, AMT Systems, Inc.
- Michael Steffen, Center for Den & Tech
- Sonia Suter, George Washington University
- Peter Swire, Ohio State University
- Keith Tayloe, Portal Dynamics
- Donna-Bea Tillman, Ph.D., FDA
- Nancy Trenti, APA
- Jessica Townsend, Health Resources and Service Administration
- Bruce Waxman, M.D., SURGICHIP, Inc.
- Bonnie Williams, SAIC
EXECUTIVE SUMMARY
The Subcommittee on Privacy and Confidentiality held hearings on January 11 and 12, 2005, on implementation issues under the HIPAA Privacy Rule. On January 11, the Subcommittee received seven presentations about issues relating to Radio Frequency Identification. Two panelists discussed the impact of the HIPAA Privacy Rule on decedent archival health information. On January 12, the Subcommittee explored issues of third party access to and use of health information with presentations by twelve panelists.
Radio Frequency Identification – Panel 1
Dr. Bruce Waxman, SURGICHIP, Inc.
Dr. Waxman invented the SURGICHIP, which uses RFID in a tag placed on the site of the surgery to identify the patient name, the procedure, and the operative site. The information is entered on the HIPAA-compliant chip in the presence of the patient, who attaches it to the site. Following the surgery, the chip is placed permanently in the patient record. He described the many privacy and security features of the SURGICHIP. He believes that SURGICHIP enables patients to benefit from the use of RFID technology without compromiing privacy.
Richard Seelig, M.D., Applied Digital Co.
The developer of the implantable VeriChip, Dr. Seelig stated that VeriChip is an FDA-approved, implantable, passive microchip which is indicated for patient identification and access to a medical database. He noted that an individual voluntarily initiates the process, not a government entity, and that the technology is reversible. VeriChip can provide access to reliable and important information, such as patient-entered personal information, family contacts, and health care history for chronically ill patients when the ability to impart it is lacking, he explained. He called the chip “an empowering option” that should not raise privacy concerns because it contains only an ID number.
Donna-Bea Tillman, Ph.D., FDA
Dr. Tillman addressed the FDA’s role in oversight of medical devices. Monitoring devices are considered Class II and require some type of pre-market FDA notification. The FDA is primarily concerned with safety and effectiveness in medical devices, although devices designed to protect confidential information must be shown to be able to do that. When implantable devices are used for non-medical purposes, such as security or to link to a non-medical database, they are not considered medical devices and FDA does not have any jurisdiction. Only when the chip is linked to a medical database and there is a medical indication does FDA have regulatory oversight.
John Halamka, M.D., Beth Israel Deaconess Medical Center
Dr. Halamka described the use of active and passive RFID at Beth Israel Deaconess Medical Center and issues of privacy and functionality they have encountered. Beth Israel has deployed 90 active RFID tags in the emergency department and in a cardiology ward to track equipment, personnel and patients, and they have found this use of the devices to be successful. Their particular uses have not raised privacy concerns. They may begin using passive RFID devices for medication tracking and expect to see more RFID uses in the future as standards develop.
Radio Frequency Identification – Panel 2
Lisa Sotto, Esq., Hunton & Williams
Ms. Sotto described the categories of harms that may result from RFID abuses, but concluded that they are not unique to the RFID context. She explored whether current laws address these potential harms, and believes that they do. She would nevertheless encourage RFID stakeholders to develop and adopt an industry code of conduct to further protect against harms that might result from misuses of the data. She felt that a coordinated approach by all stakeholders would provide the public with the confidence needed to support the advancement of this beneficial technology.
Marc Rotenberg, Electronic Privacy Information Center (EPIC)
Mr. Rotenberg described the wide range of applications for RFID technology in health care and focused on the privacy impact in each context. He emphasized the distinction between RFID uses and applications in which personally identifiable information is not collected and those in which it is. He proposed a three-tiered policy framework for the regulation of the RFID environment in the health care setting. He emphasized the seriousness of this issue and proposed that the Subcommittee consider recommending a flat prohibition on the implant of an RFID chip, citing the ethical issues when a person’s body is changed in a way that he or she may not fully understand and cannot readily restore.
Daniel J. Solove, George Washington University Law School
Federal regulation does not cover records maintained by many state and local officials, by libraries, charities or merchants, Mr. Solove reported, and existing privacy statutes are difficult to enforce. The theme of his testimony was that “our existing legal regulation of privacy is not prepared to deal with RFID.” He believes that the problems come from what happens downstream when all this data is stored. He stated the need to ensure that RFID tags can be permanently deactivated, that they are not read by unauthorized persons, that tags are not used for other purposes and that there is a way to protect the great amount of information that could be gathered from the use of these tags.
Decedent Health Information
Stephen E. Novak, Columbia University
Mr. Novak described the impact of HIPAA on archives and special collections. He emphasized that policies vary and different institutions treat identical materials differently, and he asked for clarification. He reviewed the unanswered questions sent to the Secretary in 2003. If use of names in research is not allowed, he noted that certain historical, biographical and genealogical works where the identity of the individual is the whole point could not be written. Of major concern was the requirement to review every document and physician letter for possible PHI. Because of HIPAA, he fears that the documents needed to write the history of health care and biomedical sciences in the U.S. will come to an end in the late 1990s.
Nancy McCall, Johns Hopkins Medical Institutions
Ms. McCall stated that the Rule applies only to archives within covered entities, not to all archives with health related collections or to U.S. government archives. Some collections have been placed outside the covered entities of their institutions. Materials that had been open and accessible—and would still be at non-covered archives—must now be restricted. Fragments of incidental health information must be screened and redacted before showing documents to patrons, which is extremely demanding for staff. The Rule now limits general reference and use of nearly 95 percent of her organization’s holdings. It also makes no provisions for ranges of sensitivity in information. Patrons wishing to publish encounter major impediments. She concluded that the Privacy Rule greatly constrains open intellectual inquiry and the telling of biography and history.
Introduction
Mark A. Rothstein, J.D., Chair, Subcommittee on Privacy and Confidentiality, NCVHS
Mr. Rothstein presented four conclusions. One, HIPAA established security and fair health information practices to protect against unauthorized access to health information. Two, measures to prohibit genetic discrimination are ineffective because they focus on procedural matters rather then substantive issues. Three, there can be no effective protection of health privacy and confidentiality without considering compelled authorized access to health information. Finally, measures to limit third party access to certain health information could be embedded in new electronic health records but currently no efforts are being made to do so.
Sonia Suter, George Washington University
Ms. Suter stated that people are refusing genetic testing because of fears of third party access to test results. This impacts disease prevention and treatment. Family members may neither learn about their own risks nor get testing or genetic counseling to learn about risks and options. There can be effects on public health, research and studies of diseases. She urged protecting authorization of access to information, requiring authorization, protecting against particular uses of information, nondiscrimination, and prohibiting benefits from being conditioned on the receipt of genetic information. She advocates uniform federal prohibitions of: unauthorized access to health information, discriminatory uses of health information, and compulsory disclosure of health information by third parties as a condition of benefits.
Peter Swire, Ohio State University
Mr. Swire focused on the sharing of medical records pursuant to an authorization and the Privacy Rule’s non-coercion rule, section 508(a)(4), for providers and covered entities. It says a covered entity may not condition the provision to an individual of treatment, payment, etc., on the provision of an authorization. No such rule exists for entities such as employers or insurers. He noted that much of the authorized sharing is with third parties that are not covered entities, and HIPAA does not apply. He believes that it is not really voluntary when the employer requires employees’ medical records as a condition of employment, although employers do have legitimate interests in testing for fitness for duty. He emphasized recognizing the need for practical exceptions.
Employment
Lewis Maltby, National Workrights Institute
Mr. Maltby explained that employers can insist that an applicant authorize disclosure of his or her complete medical history. The information does not have to be job related in any way. He also expressed concern about executives pressuring employees to provide medical information about other employees whose health care may be expensive to the company. He urged that disclosure of information to employers in the hiring process should be restricted to what is relevant to the job. He also supported legal protection for a corporate employee who is being pressured to give up information.
Edward Bernacki, M.D., M.P.H., Johns Hopkins University
Employer sponsored health and wellness programs, occupational illness prevention programs, EAPs and onsite emergency care are extremely valuable to employees and employers, Dr. Bernacki feels, but will be in jeopardy if information from them is not kept confidential. He shared the American College of Occupational and Environmental Medicine (ACOEM) Code of Ethics regarding health privacy in the workplace. He also reviewed previous ACOEM recommendations for changes to HIPAA to protect employee medical information. These included defining as PHI personal health information gathered or maintained in connection with employment or employee health programs.
Robert McGarrah, Jr., J.D., M.P.H., AFL-CIO
Mr. McGarrah stated that workplace health privacy is a major concern for AFL-CIO members. He discussed the availability of improved health benefits and how they can save employers money. However, cost concerns are causing companies to put group health benefits directly under the control of CFOs and individuals with more costly health issues are being targeted. The AFL-CIO will continue to call for universal health insurance, Mr. McGarrah stated. He feels that HIPAA-defined PHI should extend to workers’ compensation programs but noted that employers and unions need aggregated medication management and integrated benefits information to make the best decisions on how to pay for care and create the safest possible workplaces.
Insurance
Joseph Huguenard, M.D., American Academy of Insurance Medicine
Roberta Meyer, American Council of Life Insurers
Presenting together, Dr. Huguenard and Ms. Meyer stated that consumers benefit significantly from life insurers’ ability to obtain and use information provided directly by the individual and pursuant to authorization of the individual. This information makes risk classification possible, which makes life insurance more widely available and more affordable. They stated that premiums are fair and are financially sound so that insurers have the ability to pay future claims. Life insurers continue to be strongly committed to protecting customers’ personal information. However, insurers must use the information in the risk classification process and in evaluation or payment of claims and to perform basic insurance functions or insurance business activities.
Paul Billings, M.D., Ph.D., Council for Responsible Genetics
Genetic or genomic testing is primarily conducted to identify health risks, make diagnoses or for other medical purposes, Dr. Billings reported. He observed that technology has made it easier and less expensive to accumulate, store, and share health related data, and to assess an increasing number of health factors, some of which are associated with genetics. He advocated for a statement and reinforcement of privacy rights. He believes the key points are to establish the importance of the individual right, to defend with policy and interpreted law that tenet, and then to seek a balance of influences so that individual lives are improved as society evolves and encounters technology driven social change. Dr. Billings recommended a discussion about which kinds of information are important to be held private or confidential.
Approaches
Amy Bergner, J.D., Society for Human Rights Management
Ms. Bergner reported that employers legitimately need employee health information for plan design and management of health care plans, disease management programs, wellness programs, and to assess eligibility for non-health benefits or family and medical leave. HR professionals strive to balance organizations’ legitimate business needs with confidentiality of employees’ personal medical information. It would be illegal for a supervisor to ask someone in the HR department for health information on an employee, she stated. SHRM believes that a voluntary approach built on best practices and current law is most appropriate. She stated that employers should only collect information that they may legally use in making employment decisions, ensure such information is properly retained, and limit access to the information.
Dixie Baker, Ph.D., SAIC
Dr. Baker described the functioning of the current security model and the reasons it is not useful for controlled sharing. She explained what is needed to meet third parties’ and individuals’ needs, and suggested that digital rights management (DRM) is the best solution. DRM was developed to enforce copyright protection on digital content distributed over the Internet. She described the system’s workflow steps. DRM could allow an insurance company to review portions of an electronic health record necessary for coverage authorization, but not allow the record to be saved on the company’s server. It could allow for Privacy Rule enforcement throughout the life of a record. She also discussed use of a trusted intermediary, calling this a more immediately feasible, though less capable, approach for sharing of electronic records.
Keith Tayloe, Portal Dynamics
Mr. Tayloe focused on consumer ownership of personal health information. A consumer managed electronic health record would provide a summary picture and the pointer to detailed records that reside with health care providers. Consumers would grant access to their electronic records at the time of the health service, which would make disclosure a direct, addressable question. He believes that this approach “will unleash the inherent innovation in the marketplace and force the health care industry to be responsive.”
SUBCOMMITTEE DISCUSSION
With the first RFID panel, the Subcommittee discussed the information capacity, durability and potential misuses of VeriChip and SURGICHIP, and what protections are in place in the manufacturing and functionality of the products. Dr. Tillman confirmed that the FDA would not have responsibility in a non-medical insertion of an identifier like a VeriChip. The issue was raised of voluntary versus coerced use of the device. Dr. Seelig urged focusing on the health care applications of the device. Issues of consent and patient information about the device’s possibilities were raised. Dr. Seelig emphasized that wearable or implantable RFID is no different than any other form of authority given for use or management or treatment.
The Subcommittee discussed with the second RFID panel whether best practices or an industry code of conduct should come before legislation. Issues of patient consent were raised and discussion focused on the need to fully notify patients of all possible privacy issues related to a device. Instead of restricting uses of a particular technology, Ms. Sotto suggested considering the bigger picture of how data is collected, used and disclosed. Dr. Harding raised the visceral issues of a permanent identifier and whether the VeriChip would cause such discussion as a bracelet or necklace. Dr. Rippen felt the cost benefit, risk and potential harm of RFID should be measured versus ID cards and biometrics. For best practices and regulation, Mr. Solove urged focus on data itself, not just the holder.
Regarding decedent health information, the Subcommittee discussed time limits on the coverage on decedents’ information. Mr. Rothstein suggested making available incidental information in letters and papers after 50 years in order to help level the playing field between non-covered and covered entities. This was greeted enthusiastically by the panelists. The group discussed the responsibilities of archivists for segregating confidential information and for establishing the definition of “confidential.” The panelists suggested sources for further exploration of this topic and noted that papers are donated with the expectation that they will be used for research.
Mr. Rothstein will check with Mr. Scanlon to see if a letter regarding RFID and VeriChip would be helpful or if any action has yet been taken, and he will report back to the Subcommittee in March. Mr. Reynolds volunteered to work on a possible letter with Mr. Rothstein. The Subcommittee decided to take no action on decedent health information. OCR is considering the issue and the Subcommittee helped OCR learn more about it but does not have a recommendation. Ms. Greenberg suggested that if in several months there is still no answer to the archivists letter or no FAQs, then OCR could let the Subcommittee know what additional input would be helpful.
With the introductory panel on January 12, the Subcommittee discussed issues relating to life insurance vs. other forms of insurance. Ms. Suter feels this is a policy issue about life insurance’s meaning and goals. In response to the Chair’s request, Mr. Swire urged that attention be paid to any situations in which authorizations are not working well with third parties that are not covered entities. Ms. Suter suggested inclusion of other possible third parties to talk about what sorts of limitations could be established. Mr. Rothstein feels the question is one of enacting limits, which requires changes to the format of health data to allow for information segregation.
Discussion with the employment presenters addressed pre-employment screenings and an increased role for physicians in protecting patient information. Another topic was designation of a specific individual as the health plan in a self-funded plan and company leaders’ access to employee health information. This related to the delivery of claim information back to the employer in non-aggregated form and the ability of managers to fire workers based on health claims. Panelists were enthusiastic about a system that would limit disclosure to job related information, but there were concerns that cross training and changing duties would make it difficult to have set job requirements. The issue was raised of expanding HIPAA to include PHI in the workplace but it was noted that the workplace situation does not fit into the normal HIPAA paradigm. Workers’ compensation and access to health care were also discussed.
The Subcommittee asked the life insurance presenters about non-HIPAA federal and state regulations on life insurance and privacy. Presenters emphasized insurers’ ongoing efforts to protect customer privacy. Regarding life insurance and genetic testing, presenters agreed that genetic tests today are not dramatic indicators for mortality, but Dr. Billings added that life insurers have based policies on poor indicators in the past. He emphasized that underwriting practices are not revealed. Insurers were reluctant to accept the concept of a list of health issues that could not be considered, were such information segregation possible.
In discussion with the final panel, the Subcommittee explored details of DRM functionality for health records and aspects of the consumer-driven approach. Both Dr. Baker and Mr. Tayloe advocated allowing consumers to set the limits on privacy of their information. Ms. Bergner stated that employers are not anxious to have extraneous health information about their employees. Dr. Baker clarified that information is less secure as systems become more complex. Mr. Rothstein emphasized that privacy is not free, that there must be recognition that one cannot have maximum information and service and privacy as well. He stated for the record that this was a background hearing of issues that are very important to him.
DETAILED MINUTES
DAY ONE
Mr. Rothstein welcomed Subcommittee members and guests to two days of hearings on implementation issues under the HIPAA Privacy Rule. The first day’s hearings focused on issues relating to Radio Frequency Identification and the impact of the HIPAA Privacy Rule on decedent archival health information. On the following day, the Subcommittee explored issues of third party access to and use of health information.
Panel 1 – Radio Frequency Identification
Dr. Bruce Waxman, SURGICHIP, Inc.
Dr. Waxman is a Board-certified orthopedic surgeon from Palm Beach Gardens, Fla. and the inventor of the SURGICHIP. This device addresses issues of wrong site surgery and performing incorrect procedures on a correct site. He noted that this type of surgical error has reached national attention, because although it is very rare, it is very devastating when it occurs.
Describing the Joint Commission on Accreditation of Healthcare Organizations’ (JCAHO) recommended “universal protocol,” in which the surgeon signs the site with a “yes” or his or her initials, then reviews the site, patient name tag and operative consent, Dr. Waxman explained that the process is sometimes forgotten and mistakes are still made. His product is intended to reduce the frequency of these errors by putting the patient’s name, the procedure, and the operative site right on the incision. Forgetting to check is less likely, he believes, if there is a physical tag on the incision site. The information is also less likely to be wrong.
In developing the SURGICHIP, Dr. Waxman chose to use RFID. The chip is encoded with the patient present to verify that the information is correct. The chip is then sent to the operating room. When the patient returns after the pre-operative visit, the chip is checked again with a hand-held reader while the patient is awake to make sure that the information is accurate. The chip is put on, and Dr. Waxman encourages patients to put it on themselves. He noted that JCAHO encourages this because patients know where the surgery should be.
The patient is taken to the operating room and the chip is read by the surgeon. If the surgeon agrees with the procedure on the chip, he or she will remove the tag and proceed with the surgery. The tag is put in the chart and becomes part of the hospital record. It is not used on another patient. Dr. Waxman showed slides of the chip and its software to the Subcommittee.
Dr. Waxman reminded the Subcommittee that the HIPAA-compliant SURGICHIP is used in addition to, not instead of, JCAHO’s universal protocol. He described the many privacy and security features of the device. These include programming by a designated professional in a private environment with password-protected access. The information is encrypted and can only be read by an RFID reader with SURGICHIP software. Once encoded, the chip is electronically locked to prevent alteration or deletion of data. A “passive” RFID tag, SURGICHIP does not have a battery. Its maximum read distance is five inches, and it is possible to user-protect the hand-held terminal. The read-out on the hand-held printer clears in five minutes or less. The chip itself displays the name of the patient and the surgery site but does list the procedure. He noted that this information is protected by the need to know exception.
The chip is not implanted, Dr. Waxman emphasized, and it is put in the hospital record where it becomes part of the HIPAA-protected medical record. He reported that password-protected data is stored in the computer after SURGICHIP is used; this is used for research only and is necessary for future tracking of functionality.
SURGICHIP has been used by Dr. Waxman and three of his associates on a very limited basis in a hospital and an outpatient center, with “wonderful” results and no surgical site errors. He reported that surgical team nurses are very happy with it. Patients are very concerned about having wrong-site surgery, he noted, and this is a comfort to them.
Richard Seelig, M.D., Applied Digital Co.
A Board-certified surgeon, Dr. Seelig is also Vice President of Medical Applications of the VeriChip Corporation. In 1999, he recognized that an implantable identification tag for pets could have valuable applications for humans. The first applications related to identification of implanted medical devices such as pacemakers and orthopedic hardware. He believed that an implantable, passive, RFID tag linked to Internet-accessible databases could provide clinician access to needed information many months after a procedure was performed and at any facility.
After the 9-11 attack, Dr. Seelig became aware of rescue workers at Ground Zero writing their badge numbers and Social Security numbers on their skin with permanent marker for identification. This illustrated to him the need for a more secure form of personal identification and access to that information as it was needed. On September 16, 2001, Dr. Seelig implanted himself with two veterinary chips and began adapting a human version that became VeriChip.
Dr. Seelig noted that his prepared remarks reference the RFID Journal for basic information on RFID technology. The VeriChip contains an implantable RFID micro transponder, intended for personal identification, security access, financial and health information applications in humans. In 2004, the FDA cleared VeriChip for medical application use in the United States.
VeriChip’s electronic circuit is activated by a low-powered radio beam sent by a hand-held battery Pocket Reader. The device is implanted subcutaneously in the rear of the upper arm and stores a unique identification number. The reader scans the arm and displays the ID number, which is used to access a secure database that provides the implanted person’s identity and other previously entered information such as a link to an electronic medical record.
Rapid access to accurate patient information is required for optimal outcomes in medical emergency situations, Dr. Seelig stated, adding that chronic illnesses frequently initiate medical emergencies and individuals with chronic diseases can experience a communication barrier that results in treatment delays. VeriChip can provide access to reliable and important information, such as patient-entered personal information, family contacts, and health care history when the ability to impart it is lacking, he explained. He called the chip “an empowering option” that allows chronic disease patients unable to communicate to obtain a comparable level of care.
The advantages Dr. Seelig listed included: it cannot be lost, stolen, forgotten, altered or copied, and is always present when needed. The information is stored on a database, not on the chip, facilitating updating or expansion of the data via an Internet-accessible computer. His company believes that RFID usage and VeriChip will not impact or expand on compliance for HIPAA covered entities or business associates. They also believe that VeriChip technology is HIPAA friendly because it does not convey a name or any information or identifier, only a number.
Verichip has participated with NHII in the areas of privacy and systems application, Dr. Seelig stated. His company’s six-point privacy statement emphasizes privacy, patient rights, strictly voluntary use of VeriChip and ability to remove the chip at any time. He concluded by stating that VeriChip is an FDA-approved, implantable, passive microchip that is indicated for patient identification and access to a medical database. An individual voluntarily initiates the process, not a government entity. The technology is a reversible biometric, which can be removed as simply as a large splinter.
Dr. Seelig quoted several comments from a January 2005 article about VeriChip in The Record of Bergen County (New Jersey). Emergency room physician Dr. Michael Gerardi said, “The computer could really make a difference for care givers worried that their loved ones show up in an emergency department and no one will know their critical information.” He continued, “I refuse to let civil libertarians get in the way of a good idea. People out there fear information on the chip. They fear Big Brother. I think that’s nonsense.”
Donna-Bea Tillman, Ph.D., FDA
Dr. Tillman addressed the FDA’s role in oversight of medical devices. This is the responsibility of the Center for Devices and Radiological Health (CDRH), whose mission is insuring the safety and effectiveness of medical devices. They take a risk-based approach to evaluation of devices, and the level of regulatory oversight depends on the potential risk that the device presents.
Moderate risk devices, including monitoring devices, are placed in Class II, most of which require some type of pre-market FDA notification before they can be marketed, Dr. Tillman explained. The company would have to show that these devices are substantially equivalent to existing products on the market. Both the VeriChip and the SURGICHIP are Class II devices. She noted that subsequent VeriChip-like devices will be exempt from pre-market review unless there are significant changes made to the device technology or for the indications for use.
All medical devices are subject to registration and listing with the FDA. Dr. Tillman emphasized the distinction between medical and non-medical devices. She explained that when implantable devices like the VeriChip are used for non-medical purposes, such as security or to link to a non-medical database, they are not considered medical devices and FDA does not have jurisdiction. Only when the chip is linked to a medical database and there is a medical indication does FDA have any sort of regulatory oversight.
The FDA is primarily concerned with safety and effectiveness in medical devices, but this can include privacy issues, Dr. Tillman stated. Devices like VeriChip and SURGICHIP undergo validation testing to show that they do what they say they do. If these devices are designed to protect confidential information, they must be shown to be able to do that. She noted that the FDA asks companies to address any confidentiality claims and reported that the guidance document on these devices has a section entitled “Information Security Procedures.”
The FDA and CDRH do have an express interest in privacy issues related to the provision of confidential patient information collected during clinical trials, Dr. Tillman noted. FDA regulations specify that names and personally identifying information collected during a clinical trial should be removed from medical records submitted to FDA for pre-market review process.
John Halamka, M.D., Beth Israel Deaconess Medical Center
Dr. Halamka described the use of active and passive RFID at his facility and issues of privacy and functionality they have encountered. He noted that he chose to have a chip implanted in order to evaluate the technology in terms of the pain of insertion, the efficacy of the technology being read and the operational aspects of linking data to the identifier.
Beth Israel has deployed 90 active RFID tags in the emergency department and in a cardiology ward to track equipment, personnel and patients. For high-use equipment such as EKG devices, ventilators and IV pumps, this helps them know precisely where items are to make the items available in time. For patient location, Beth Israel uses an RFID tag on the patient’s gurney for tracking in a work flow setting, Dr. Halamka reported. They have an electronic dashboard viewed by clinicians that shows patient initials only, current location and basic clinical information such as chief complaint, status of outstanding tests and admission status.
A privacy issue did come up in tracking staff members, so they track by roles of nurses and doctors, not by individual names. Dr. Halamka stated that RFID tags have helped them to learn, for example, that 20 percent of nursing time is spent walking down a hallway. Their overall three months experience in using active RFID tags in the tracking of equipment, patients and personnel has been effective to the level of a room. The technology can tell that a ventilator is in Room 1, but not where in the room.
Passive RFID tags are being considered for use in medication administration, Dr. Halamka reported. The hospital currently uses bar codes on the nurse, patient wristband, and medication in a pixis device. He believes that RFID passive tags will be a significant improvement because tracking a nurse and a medication passing through a door can serve as a proxy for a medication administration record and could be used for medication safety.
Dr. Halamka stated that standards are just evolving at this point. RFID is likely to replace bar codes in one to two years for tracking medication, medication administration records and positive patient IDs, assuming that standards are in place and that the technology is robust. He recognizes privacy concerns, but believes that their approach has separated PHI from the identifier itself, preventing privacy violations.
QUESTIONS and ANSWERS
Dr. Seelig confirmed that the VeriChip holds only a unique identification number. The information itself is maintained separately in a database. This is to protect privacy; if a person were surreptitiously to obtain a scanner, without a password and other forms of authentication he or she could not access any information beyond a 16-digit number. The second reason was the limited space on the chip. It also saves reprogramming difficulties, he noted.
Asked whether others in the market are considering a chip with limited data set of critical information, Dr. Seelig replied that this capability depends on whether the device would be implanted or wearable, such as a Smart Card. He noted that VeriChip is read-only but a wearable chip could be expanded or modified. Currently, VeriChip does not have the capacity for a limited set of information, but hypothetically, it could be done on an implantable chip.
Dr. Seelig reported that his company uses many methods during the fabrication to assure that the VeriChip number generation is unique and not duplicated. The number is laser-engraved on an integrated circuit, not programmed, and cannot be selected by a user. “There are now 30 million of these microchip transponders implanted in various life forms around the world and that they have very well honed a system to assure that a number is not duplicated,” he stated. The number on VeriChip does not contain any intelligent information except that the first four numbers are 1022, the company’s internal working code for the human, he reported. He emphasized that RFID is not a black and white issue. There is not one frequency, one size or one type of transmitter. They use a very, very low FCC frequency that transmits through body fluids. Different frequencies and readers are used for animals and humans.
Dr. Waxman explained that SURGICHIP is the opposite, with all intelligent information on the chip and no associated database. It is a closed-circuit system with the entire purpose of preventing error. They try to get as much information as possible on the tag and are limited to 256 bits of information. The chip uses words, such as “total hip replacement,” rather than CPT codes which could be confused or have digits reversed.
Dr. Cohn asked Dr. Halamka about having his implanted chip be a part of his biometric authentication for accessing patient-sensitive information in a computer. Dr. Halamka explained that Beth Israel uses proximity detectors to enable qualified personnel to enter secure areas such as the data center. However, they would not likely use an implanted device because they would not want to “compel any individual to get this thing inserted as part of their employment or part of their use of a computing system.” He noted speculative concerns violence or violations that might occur should chips be used as a primary means of authentication. His organization has chosen not to use standard biometric technology because of cost and frequency of false readings.
Regarding the functioning of the database idea, considering that people see many doctors and the breadth of information needs, Dr. Seelig noted that the National Health Information Infrastructure (NHII) goal of interoperability has yet to be achieved. He explained NHII wants to be sure that practices’ and hospitals’ different systems can bring to a third location the information relating to a particular individual. He believes VeriChip can offer an alternative form of directing to that information, another component of an identifier set to authenticate that database information belongs to a particular person and that clinicians can access that information. He gave the example of preventing repetition on forms and increasing accuracy and consistency of information.
Pharmacy benefit managers would provide patient medication records to prescribers but would not give information about medications for HIV, sexually transmitted diseases or behavioral health diseases if that particular physician was not involved in those issues, Mr. Blair stated. Dr. Halamka responded that a Massachusetts initiative interlinks all of the pharmacy benefit management databases to provide consolidated prescription information for use in clinical care. Medications of mental health, substance abuse or HIV treatment are not included due to state regulations on consent processes. He explained that, because this omitted information could jeopardize patient care, they are working to change that restriction. Dr. Seelig commented that his company will conform to whatever regulatory issues and rules of the road are out there, adding that technology should not shape them but be responsive to them.
Dr. Tillman confirmed that the FDA would not have any responsibility in a non-medical insertion of an identifier like a VeriChip. Dr. Harding then raised the issue of voluntary versus coerced use of the device. “There’s just something a little bit creepy about inserting something under the skin.” He felt that having it be removable is good but he was concerned that it cannot be removed by the patient without help and asked whether it can be neutralized or stopped.
Dr. Seelig urged that the discussion be confined to health care issues. He observed that patients have a level of expectation about access and accuracy of information when it is needed, expect-ing that somehow all of the necessary information about them will be at hand in the physician’s office or emergency room. He compared chip implantation with the “creepy” use of pacemakers and bone replacement, stating that it depends on the perspective of where and how any device is used. He encouraged looking at the application and the reasons for having it done, then working back to consider the benefits.
Issues were raised of consent and patient information about VeriChip’s possible uses. Dr. Seelig stated his company’s firm belief that this is a medical procedure and a medical device and as such, informed consent must be obtained. Dr. Tillman noted that currently both the chip and the reader are by prescription only for their medical use.
Mr. Houston asked about durability and failure rates for chips, issues of theft, of the ID number, and the distance from which the chip can be read. Dr. Waxman stated that the read distance for SURGICHIP is a maximum of five inches, it is only used once and it will not degrade during the short usage period. The chip is locked electronically so that it cannot be tampered with. The VeriChip read range is three inches, according to Dr. Seelig, with a useful life estimated at 15 years. It cannot easily be destroyed in the body without serious harm to the limb or the owner. He felt that abuse of the ID number was unlikely and the information would not be very useful to a thief, plus HIPAA has extensive penalties for unauthorized use of personal health information.
Leading into further privacy issues, Mr. Rothstein raised the question of the technology’s unintended consequences and potential for extension to other uses. He noted the premise that devices will only be used with informed patient consent, but many lack that decisional capacity, so the consent may be legally made by others. “It wouldn’t take too much imagination to see a requirement in the military that all service personnel had these kinds of chips,” he remarked.
RFID devices on controlled substance containers that the FDA may approve could be used easily by law enforcement, Mr. Rothstein continued, and public health officials could insist that infectious disease patients have RFID chips and be tracked. He imagined a situation in which a job applicant with an RFID chip is required to allow the chip to be read—therefore the complete health record—as a condition of employment. He asked the panel to respond to the criticism that misuse might occur and therefore some degree of regulation should be put on the technology.
Dr. Seelig stated that his company has been very active in considering these questions and trying to address them as the technology evolves. He believes that, in terms of authority of consent, wearable or implantable RFID is no different than any other form of authority given for use or management or treatment. Regarding use for other purposes, their database gives the user four categories defining who can access their health care information. Another block could be put in to prevent employers’ access but allow secure access as a condition of employment. He added that there are occupations in which the public wants to know that the right people are in the right place at the right time. The device is application specific and users would have that control.
Dr. Waxman explained that SURGICHIP is not mandatory, though he feels it certainly makes a lot of sense. However, he noted that the surgeon, except in an emergency situation, has the right to refuse to do the surgery if there is no protection of this sort. SURGICHIP information is used in a closed circumstance, with no third parties watching.
The Attorney General of Massachusetts was uncomfortable with any medication information retrieval on Medicare patients who could not consent, Dr. Halamka reported. His hospitals are now required to print a notice of possible access without consent on all discharge summaries. Those kinds of policies would need to be wrapped around any use of this technology, he stated.
Ms. Wattenberg asked for more information about how the “parallel universe of medical versus non-medical devices” could intersect and what the potential for abuse might be. She gave the example of the media obtaining a reader and using it in a hospital to obtain patient information.
Dr. Seelig responded that HIPAA has civil and criminal penalties for obtaining protected information. He also noted that many steps are required to gain access to the information, which cannot be accessed via an RF tuner. Even if the ID number was obtained from the chip, it could not be put to use. As the only manufacturer of the readers, his company knows where the readers have been shipped and who is receiving them. Registration programs are in place for the physicians using the equipment. The company also tracks location and time for each facility that does an interrogation of the chip and accesses that information.
Dr. Waxman pointed out that SURGICHIP has a very limited amount of information and it is unlikely that it could be used for any other purpose.
Panel 2 – Radio Frequency Identification
Lisa Sotto, Esq., Hunton & Williams
Ms. Sotto participated in the hearing on her own behalf, providing views not attributable to her firm or to any of her clients. RFID technology in the health care arena holds enormous promise, she stated, and could improve treatment accuracy and efficiency by making medical information immediately accessible to providers. Privacy concerns present a significant obstacle to its widespread acceptance, however. Patients must have confidence in both the security of the technology and in the related policy environment.
Ms. Sotto explained that privacy concerns with use of RFID fall into four categories: inappropriate collection of health information through RFID technology, intentional misuse or unauthorized disclosure of data by an authorized data holder, intentional interception and misuse of data by an unauthorized party, and unauthorized alteration of the data. She concluded that none of these risks are unique to the introduction of RFID technology. This is true for the first category because the chip is the identifier, not the data storage facility. These harms have been discussed for years in the privacy arena.
The real question, according to Ms. Sotto, is whether the current regulatory environment provides adequate protection against the potential dangers or whether additional protections are needed to make RFID a secure option. She noted that the HIPAA Privacy and Security Rules apply whether data was collected through RFID or any other method. So for covered entities and their business associates, she believes no additional protections appear to be necessary.
As RFID is used in the medical context, many entities will have access to data that are not HIPAA covered entities, Ms. Sotto stated, but other existing laws provide protection against the potential risks. She feels that tools currently in place provide a sufficient framework for law enforcement authorities and other security experts in the private sector to combat illegal activity.
Ms. Sotto advocated that an industry code of conduct be developed for entities that maintain or access RFID-related medical data. The Fair Information Practice Principles and the HIPAA Privacy and Security Rules provide very strong guidance in developing this type of code, which she believes should contain the following principles: Patients who are “chipped” must receive notice in plain, understandable language of the data holder’s information practices. She specified what that notice should contain. Data holders must use and disclose health data only in a manner to which the patient has clearly consented. Patients must have the ability to access their health information and to challenge the accuracy of the information and correct it as appro-priate. Health information collected via RFID technology must be both accurate and secure. Data retention and chip deactivation must be clearly addressed. Strict accountability standards and enforcement and redress mechanisms have to be established for all participating parties.
Ms. Sotto concluded that the privacy harms that may result from RFID abuses are significant, but are not unique to the RFID context. She noted that existing laws are available to address potential harms, but she also encouraged RFID stakeholders to develop and adopt an industry code of conduct to further protect against harms. A coordinated approach by all stakeholders would give the public the confidence needed to support the advancement of this beneficial technology, she believes.
Marc Rotenberg, Electronic Privacy Information Center (EPIC)
Mr. Rotenberg provided the Subcommittee with EPIC’s annual report, Privacy and Human Rights, an extensive annual survey of global privacy developments. Over the last few years, RFID has taken more and more of EPIC’s attention, he stated, and it was named to the Top Ten privacy issues for 2005. He noted that applications in the health care setting have not yet received the type of public attention and debate that consumer applications have received.
The medical discussion about RFID applications has been distorted by the debate over VeriChip, Mr. Rotenberg feels. He focused on the range of applications for RFID technology in health care and the privacy impact in each context. For example, in the problem of counterfeiting drugs, using RFID in product labels in bulk distribution could effectively track and manage inventory in the medical setting. He did not have privacy concerns with this. But when the tagging moves to the individual product level, privacy issues emerge because there is a linkage between a particular product and a particular individual, he stated.
Mr. Rotenberg then discussed use of RFID to identify people, as presented in the first panel. He acknowledged temporary RFID applications to prevent errors in surgical procedures. But he was troubled by the category that permanently identified patients using RFID and believes that this raises “profound issues for the medical community” that will need detailed consideration.
All privacy frameworks focus on the collection and use of personally identifiable information, Mr. Rotenberg stated, whether voluntary or codes of conduct or legislative frameworks. When personally identifiable information is not collected, there is not a privacy issue although there may be other concerns. Privacy risks with RFID translate into possible misuses of personally identifiable information, the concerns that privacy regulation tries to minimize or eliminate.
Mr. Rotenberg believes that use of information out of its original context raises many concerns and “can actually have a certain impact on the individual’s freedom to understand the use of information about them,” particularly if they do not know what information has been collected. He noted that HIPAA deals with this issue in a very complex fashion. EPIC’s RFID guidelines distinguish between RFID applications in which personally identifiable information is not collected and those in which it is.
International Privacy Commissioners met in 2003 to consider the RFID issue and said they would presume the application of current privacy laws. They proposed that additional consideration be given to the unique tracking features of RFID. One result of this would be enabling certain types of leading, or filling of tags, to protect privacy.
Mr. Rotenberg proposed a three-tiered policy framework for the regulation of RFID in the health care setting. Tier 1 relates to bulk distribution of products with no links to specific individuals, requiring minimal privacy rules. Tier 2 products can be linked with an individual, raising a whole different set of issues regarding current privacy rules and any necessary new safeguards. He emphasized that this inquiry is very important. For Tier 3 applications, it must be asked whether context can be limited, he stated. As businesses seek to expand and become profitable, he believes that it is very, very difficult to draw these lines. He asked the Subcommittee to consider how to assure that temporary tagging will be limited to its defined application.
The third tier includes VeriChip and similar products that may be developed. “I think we really do need to think carefully and seriously about what it means to permanently tag someone with a unique identifier in this country,” Mr. Rotenberg stated. He believes this is closely tied to national debates about the use and misuse of the Social Security number, a national I.D. card, and securing borders to link individuals with Federal agency databases. He found it impossible to consider that implantation for ID purposes could be contained to the health care setting. He further noted what he called “profound ethical issues” in this area. He believes that implanting begins to approach the realm of forced sterilization because a person’s body is changed in a way that they may not fully understand and cannot readily restore. He emphasized the seriousness of this issue and asked the Subcommittee to consider a flat prohibition on RFID chip implantation.
Daniel J. Solove, George Washington University Law School
RFID tags have many potential benefits, Mr. Solove stated, but they also pose a substantial threat to privacy. In describing the possible future of RFID, he predicted that RFID will increasingly be placed into products, licenses and I.D. cards and will be readable from greater distances. He suggested that police could track a person by obtaining a list of products that person owns or use the person’s implanted chip. Police might also use an RFID reader to scan luggage and get a full inventory of its contents.
What exactly is the threat to privacy that RFID tags pose? Mr. Solove noted that it is critically difficult to achieve true anonymity online, but by using cash at a store, one can still maintain anonymity, and RFID threatens to change this. RFID tags may function as a kind of cookie or spyware equivalent in real space, a way of tagging people and permanently enabling the possibility of monitoring their activities, he stated.
The overarching theme of his testimony was that “our existing legal regulation of privacy is not prepared to deal with RFID.” He explained that “we have a weak regulatory infrastructure for repositories of information gathered by private sector businesses and institutions and RFID information will enter into this realm.”
Mr. Solove described the vast amount of personal information collected by businesses and the government and stored in gigantic databases. Hundreds of records today detail a person’s life style and profiling tools are being developed to analyze this information and make very important decisions that affect people’s lives. Currently, the information is used for determinations on loans, jobs or licenses. He pointed out that these dossiers are not kept adequately secure, leading to identity theft. Personal information is being traded and sold between companies and is also tapped into by the government.
Federal regulation does not cover records maintained by many state and local officials, by libraries, charities or merchants, Mr. Solove reported. Existing privacy statutes are very difficult to enforce and it is often difficult for the individual to find out what information has been gathered and how it is being used.
Mr. Solove believes that RFID’s potential benefits in the medical context may be outweighed by the costs that could inhibit this process. He pointed to the long-standing tradition of doctors maintaining patient confidentiality and the uncertainty in existing law about the degree to which medical information can remain confidential. HIPAA regulations allow disclosure of health information to a law enforcement official in compliance with a subpoena or other order.
It is unclear whether the Fourth Amendment would apply when the government seeks a patient’s medical information from a physician, hospital, or other care giver, Mr. Solove stated. Under the third party doctrine, the court has held that the Fourth Amendment does not apply when a person divulges information to a third party. He believes that these questions might make people more reluctant to use RFID technology.
Mr. Solove emphasized the need for a more comprehensive statutory protection of the patient-physician relationship. He believes that there are significant dangers that RFID tags will be used to track people’s movement. There is very little regulation of what the police may do with tracking technologies and the Supreme Court holds that the Fourth Amendment does not apply, and Congress has not yet addressed that issue.
Regarding security, he raised the possibility of the VeriChip database being hacked, and whether this would mean that all VeriChip customers would need new chips. He believes that the problems come from what happens downstream when all this data is stored. He stated the need to insure that the tags can be permanently deactivated, that they are not read by unauthorized persons, that tags are not used for other purposes and that there is a way to protect the profound amount of information that could be gathered from the use of these tags.
QUESTIONS and ANSWERS
Ms. Sotto affirmed that peer pressure plays a great role in dictating behavior. She thinks a code of conduct would force the fairly small RFID community to adopt standards and she suggested that the community be involved in developing the standards. Mr. Rotenberg feels a code of conduct can be a useful supplement to a legislative or regulatory framework, but his experience has been that privacy related codes are very difficult to sustain over time. Mr. Solove felt a code of conduct alone is not enough because external pressures and factors could breach confiden-tiality. There is a real danger in considering legislation now because the issue is not the technology but how data is used, misused or disclosed, Ms. Sotto responded. Technology changes too rapidly for legislation, she stated, adding that state laws that are currently proposed will not be consistent with each other and will cause serious difficulty for compliance officers.
While agreeing that the core goal is to regulate the practices involving the collection and use of personal information, Mr. Rotenberg noted that RFID enables new forms of collection and use that current regulation may not have anticipated and that point to further safeguards. Rather than waiting to legislate until there is a problem, he recommends creating a legislative framework in which technology can evolve and consumers can be protected. The most successful privacy regimes are those that have been established at the outset of a new technology, he stated, adding that the greatest problems are in areas such as the Internet, where self-regulation has been tried.
“What is adequate consent?” Mr. Rothstein asked. He noted that disclosure of all possible privacy concerns related to an implantable chip, for example, would likely dampen the enthusiasm of people who are otherwise willing to consent in the health care setting. Mr. Solove observed that the issue of consent is complicated. He would like to see a system with a better legal and technological way of preventing secondary uses of the RFID tags. He observed that it is difficult to consent to something when one does not know what could lie in the future.
Ms. Sotto observed that consent very much depends on notice, which requires laying out possible scenarios. She believes that the possibilities of real fear-inducing scenarios could be curtailed with better technology and security improvements. However, unauthorized disclosure of data is illegal and she feels that can be dealt with by criminal statutes and better technology, better security, authentication technologies, encryption and the like.
Mr. Rotenberg stated that most privacy regimes do not rely solely on the concept of consent but have related interests intended to insure fairness and transparency and accountability. His reason for believing that implantation should be prohibited is that the line between consent and coercion is so significant that there are very few circumstances in which meaningful consent would truly consider viable alternatives to obtain the same objective.
Mr. Rothstein asked how the Subcommittee can develop recommendations for situations where there is concern about abuses outside the Subcommittee’s jurisdiction. He wants to avoid losing potential health care benefits because of concerns about other uses. Mr. Solove suggested thinking holistically and recommending that Congress address the problematic uses. Or, limiting regulations could be created to prevent problematic uses until Congress can adequately address those concerns, at which point the regulated limitations could possibly be lifted.
In Europe, where there is overarching privacy legislation, laws address the uses and disclosures of the data rather than the technology by which the data is gathered or maintained, Ms. Sotto stated. She cautioned against restricting uses of a particular technology and suggested instead considering the bigger picture of how data is collected, used and disclosed.
RFID is a surrogate for the bigger issue of personal privacy rights and the application of new technologies that might have good and less good uses, Mr. Houston observed. RFID is simply a technology that potentially causes less anonymity, which could be good in a medical case if one is incapacitated. He noted that this larger issue may be outside the purview of this Committee.
Mr. Reynolds noted that care givers are liable if something happens to a patient, and that health care delivery has multiple points of consent. In an emergency room, where do the rights of the care giver and the rights of the patient intersect and where is good medicine versus technology? Is detailed consent needed for patient care when the information has already been provided for different reasons? He noted that this impacts the person liable for care. In the ideal world, these interests are aligned, Mr. Rotenberg said. Debate arises because this information has value and use to others outside of the medical context. Privacy laws attempt to provide a necessary, protected conduit for disclosure of medical information from the patient to the care giver. He added, “The more privacy protection you provide in these relationships, the more likely you will have the open exchange of information that you need to deliver the care.”
Dr. Harding stated that he was trying to stay focused on the data but kept coming back to the “visceral issue…of a permanent versus a temporary.” He wondered whether the VeriChip would cause such discussion if it were on a bracelet or on a necklace. The subcutaneous nature seems to bring up the possibility of a proprietary national health identifier, he felt.
Ms. Sotto suggested that market mechanisms will force those who develop these technologies to adopt some sort of kill switch. Mr. Rothstein responded that he would have the same concerns with the information uses if it were a bracelet or a tag, mentioning ankle tags used on offenders on home arrest. The issue is in the application, not the technologies themselves, Dr. Rippen agreed. She felt the cost benefit, risk, and potential harm of RFID identification should be measured in various situations versus an I.D. card, biometric, or other methods.
For Mr. Blair, Dr. Seelig’s presentation resolved his concerns about abuses of VeriChip and he felt this might be a good beginning point for a best practices document. New considerations could be added to the best practices or see if legislation is required. He noted that legislation takes a long time, while best practices could support until legislation is crafted.
Privacy law really helps and facilitates the use of technology, Mr. Solove asserted, and he feels that technology users have to be adequately protected. Many might be very reluctant to use the technology or to implement it as effectively unless these concerns are addressed in advance. He feels the law is inadequate protection against crimes like identity theft and believes this is a problem of shoddy business practices not adequately addressed by the law. He emphasized the need to have a framework to ensure adequate security practices on collected data. If there is a breach, the law has to provide some way for people to deactivate their chip or to fix a problem.
Ms. Sotto reminded the group about her conclusion that RFID technology carries the same dangers that many other collection methods carry. She added that legislation done well takes time and these issues merit time for consideration and a bigger, national debate. Mr. Rotenberg supports best practices, but he does not think they are an alternative to legislation.
With the new idea that the VeriChip could be forcibly extracted and used as a form of high-tech identity theft, Mr. Rotenberg emphasized the need to think this through and noted that there is a very significant difference in moving from the temporary application of RFID to person identification to the permanent application. Mr. Blair stated that best practices are needed and could be done quickly. But he felt legislation would be required for the broader issues of the connection between the information gathered from this source and the ability to definitively identify someone with an RFID chip.
Noting that HIPAA permits disclosures without authorization for the purpose of treatment, Ms. Wattenberg asked about the potential for chip information to be shared without consent because it would further quality treatment. RFID may enable the transfer of identity or personal information without the knowledge and consent of the data subject, and that was not anticipated with HIPAA, Mr. Rotenberg responded. Ms. Sotto added that HIPAA coverage is very specific and within the RFID system, parties that are not covered entities will have access to information. RFID data can, under HIPAA, be shared with other health care providers specifically for treatment, she stated. For codes of practices and regulation, Mr. Solove urged thinking about the data itself, not just the holder, and protecting data across the board. RFID can take medical data and potentially change the holders, which alters the level of protection it gets, he observed.
Panel 3 – Decedent Health Information
Stephen E. Novak, Columbia University
HIPAA has had a huge impact on American life, Mr. Novak observed. He has had to deal with the effect of HIPAA on researcher access to records in his collections. He explained that because the Privacy Rule is concerned with use of records containing PHI in clinical and biomedical research, applying it to archives and libraries has not been an easy fit. Most libraries and archives that are covered entities now regulate access to records that contain PHI, he stated.
Counter to the Privacy Rule’s goal of imposing uniformity, access policies at other libraries and archives are similar, but none are identical, Mr. Novak stated. Different institutions treat identical materials differently because of different interpretations from their legal counsel. These ambiguities are in the Rule itself. He called the Rule’s opacity “irksome and worrisome to librarians and researchers” and stated that clarity is needed.
The problematic parts of the Rule were described in an as yet unanswered letter on October 22, 2003, to Secretary Tommy Thompson by then Society of American Archivists President Timothy L. Ericson and President Jodi Koste of the Archivists and Librarians in the History of the Health Sciences. Mr. Novak noted that these questions are still relevant. They are included in full in the transcripts available online. He stated that if use of names in research is not allowed, certain historical, biographical and genealogical works where the identity of the individual is the whole point could not be written, such as the Pulitzer Prize-winning A Midwife’s Tale, based on the late 18th and early 19th century diary of Maine midwife Martha Ballard.
Physicians and other health care providers often mention names of patients they are treating in their correspondence, sometimes casually, sometimes in more detail. At what point does this correspondence become PHI? As the Privacy Rule stands now, archivists must examine every document to make sure no patient names are mentioned before opening them up to researchers. This is often an impossible task that may lead to closing collections with only minimal PHI. This issue and the use of the administration photo collections have an enormous effect on the administration of collections, he reported, adding that HIPAA has changed the definition of “confidential”. Now every piece of correspondence and every photograph is “a potential landmine…resulting in makeshift expediencies to allow us to function at all.”
Mr. Novak reported that the staff at Archives of the Johns Hopkins University Medical Institutions use a form to cover “incidental disclosures” when researchers encounter PHI in materials. His organization is contemplating this, although he has seen nothing in HIPAA allowing it. The problem of photographs is thornier still, he stated. Following HIPAA strictly would force Columbia to close its photo collection entirely, which, because it is heavily used, they do not feel is an option.
Mr. Novak stated that the major academic medical centers will continue to deal with the complications of HIPAA. But the majority of 20th century U.S. medical records are held by smaller, local medical institutions that are not primarily research institutions and do not have the resources to deal with these issues, he explained. These institutions may destroy records containing PHI as soon as possible. Physicians and scientists giving their papers to archives may purge them heavily. He fears that the primary documents needed to write the history of health care and the biomedical sciences in the United States may come to an end in the late 1990s.
Nancy McCall, Johns Hopkins Medical Institutions
The role of the archivist is to uphold legal rights both to privacy and to public disclosure, Ms. McCall stated. She observed that HIPAA has had a tremendous impact on access and use of archival holdings and stated that the Privacy Rule greatly constrains open intellectual inquiry and ability to document facts and events in the telling of biography and history.
The Privacy Rule applies only to archives within covered entities, not to all archives with health related collections or to archival repositories of the U.S. government, Ms. McCall reported. Archives within covered entities must follow strict limitations on access and use of their holdings, but archives not subject to the Rule do not. This impacts patrons throughout the country. Some institutions have placed their archival and special collections programs outside the covered entities of their institutions, she stated
Ms. McCall explained that the Privacy Rule applies to identifiable health information in any format and in any medium, not just the hard copy records of patients and research subjects covered by previous laws and regulations. With fragments of incidental health information existing throughout general non-patient holdings, the only way to limit access to these fragments is to restrict the broad spectrum of records, she stated. This creates major impediments for patrons and is complex and labor intensive to administer. Another approach is for archivists to undertake the laborious task of redacting the fragments. For compliance with this unfunded mandate, it has been necessary to reorganize reference and research services and to transfer additional staffing, which has severely constrained work in other areas. Having to expend valuable staff time to screen and redact information from documents that would be freely accessible at archives not designated as covered entities is “enormously labor intensive and frustrating” and a significant drain on resources.
The Privacy Rule contains no principle for passage of time and assigns rights of privacy to the deceased in perpetuity, Ms. McCall stated. Although under previous laws and regulations an individual’s rights to privacy ceased at death, most collections with patient records of the deceased have had special access and use policies to protect the privacy of patients.
Legal counsel for Johns Hopkins and outside legal experts studied the Rule and concluded that it applies to all types of information and records taken in and managed by the covered entity, that the definition of PHI refers to health information about all individuals, and that there is no distinction between PHI of the living and the deceased. She provided a copy of the resulting guidelines. Materials that had been previously open for general reference must now be restricted, although they are still accessible at repositories not covered by the Privacy Rule and those with different interpretations, she noted. Incidental health information of decedents and non-decedents must be screened and redacted before showing documents to patrons. The Rule now limits general reference and use of nearly 95 percent of Hopkins’ holdings, she reported.
The Privacy Rule does allow broad access to archival holdings for the purpose of research, Ms. McCall explained, with less-rigorous rules for research on decedents than those for non-decedents. While helpful, this broader access for research does not cover general reference access, which is a large part of the activity of the archives. She described the new, time consuming steps to comply and to be able to provide basic reference information to patrons.
Ms. McCall provided the Subcommittee with her organization’s policies and procedures for access. Patrons conducting research that they wish to publish are especially frustrated by the Privacy Rule, she stated. Even with a waiver of authorization from the Johns Hopkins Privacy Board, they must obtain authorization from the legal representatives of the deceased. When the deceased have no legal representatives, the patron must obtain a ruling from a judge. That the Privacy Rule treats all types of health information equally and makes no provisions for ranges of sensitivity poses major impediments for patrons wishing to publish. Colds and fractures are held as equivalent to psychiatric illnesses and sexually transmitted diseases, she explained.
Ms. McCall requested several clarifications. First, limit the scope of PHI to information from records of patients and human subjects both living and deceased and allow access to incidental health information for the purpose of general reference. Introduce principles for passage of time. Documents containing health information from antiquity through the early 19th centuries should be open and accessible for archival reference and research whenever possible. Define and adopt standards for sensitivity of identifiable health information in archival holdings. Allow the publication of incidental health information. An addendum included further recommendations.
QUESTIONS and ANSWERS
It was determined that covered entities have the option of hybridizing or applying the Privacy Rule only to their covered functions. Mr. Houston commented that whether a person was dead a hundred years or two weeks, he or she might still not want information reviewed, disclosed and made part of a book.
Ms. McCall clarified that incidental health information referred to individuals who were not patients; patient records have always been restricted. Even before HIPAA, Mr. Novak explained, archivists never let researchers have free access to patient records. Now, “if your sixth cousin writes to your fifth cousin saying that you have a cold, that’s also considered PHI.” Ms. McCall’s organization has “a wonderful collection of letters from nurses who served overseas…writing back to their families.” These mention the writers’ own health and health of their families so it is all restricted by the Privacy Rule because it is in a covered entity.
Ms. Heide asked for panelists’ suggested limits on the coverage of decedents’ information and remarked that they grappled with this when writing the Rule. Mr. Novak felt that anything before 1880 or so should be open, adding that the census is open after 70 or 75 years. He pointed out that part of the problem is that all patient information is not equal. Psychiatric records were never disclosed, he noted. Ms. Heide asked if he advocated a different standard for different types of information, applying the Privacy Rule in perpetuity to certain types of information. Mr. Novak generally opposed applying the Privacy Rule in perpetuity, stating that it goes against general common law over the years. Mr. Rothstein replied that there is a difference between what the law used to recognize and what medical ethics has recognized since the time of Hippocrates. A physician’s successor must take those records with the same ethical strictures.
Regarding the suggestion to clarify that, within a covered entity, only PHI in the “designated record set” is subject to the HIPAA Privacy regulations, Mr. Rothstein asked how that distinction would be drawn. Mr. Novak stated that it is fairly easy to segregate hospital and clinic records, doctors’ clinical records but not their correspondence, and notebooks of scientists who are doing clinical research with human subjects. The difficulty comes, he noted, with large collections of physicians’ private papers in which “there may be six letters where he says, ‘I saw your patient and she has diabetes.’” In archives before HIPAA, patient records created by hospitals and doctors were always restricted. Correspondence and photographs were not, though they were handled with sensitivity and could be segregated or administered differently.
Mr. Rothstein gave the example of a famous person’s doctor “kind of playing fast and loose with the ethics” and writing a letter to his brother revealing information given during psychotherapy. “Should the fact that it’s not in the medical chart mean that it’s now fair game?” Mr. Novak said that archivists never thought that would be fair game, but he is not sure it should be regulated by a Federal policy. Archivists have to be trusted, he urged. When professionals process papers, they are always on the alert for material that might be embarrassing or confidential.
Mr. Novak reported that, before HIPAA, he was given the authority to close records that he felt were of a confidential nature. He added that defining “confidential” is very touchy and varies with time and space, and HIPAA has made it worse in some ways. He called the current situation “the worst of both worlds. You’re not protecting all PHI because many records will not end up in places that are covered. On the other hand, you’re making it impossible for archivists who are in covered entities to do the work they need to do.”
When a person donates their private materials, Mr. Novak confirmed, the expectation is that researchers will use them. All archives have donor agreements that specify some level of access requirements. Columbia does not accept records that are closed for long periods of time. He added that the protection and access levels at institutions vary so widely that researchers just sometimes leave in frustration.
Ms. McCall explained that they learn of a donor’s death, meaning sometimes that records can be opened, through the news and institutional publications and usually receive some notification. Mr. Novak added that, for personal papers, they might not know and would only check when someone asked for access. The Social Security index of deaths is very helpful for this. Because HIPAA distinguishes between research into information of decedents and that of people living, his organization has determined that people can be considered dead if 100 years has passed since the time of birth or the date of the patient record.
Mr. Blair felt that the Rule’s protection of records in perpetuity is an area of legal ethics that goes beyond the intent of HIPAA. But Mr. Rothstein stated that HIPAA has with the full knowledge of Congress taken on the role of a limited Federal health privacy statute.
Ms. McCall indicated that her legal counsel could further interpret the proposed change, “Clarify that PHI used in bona fide education dissertations may be published if the minimum necessary standard is applied and the document is reviewed and approved by an IRB or Privacy Board.” She explained that patient records and case files constitute an extremely small part of her collection since official patient records are maintained by another division. Personal papers of faculty and staff are mostly general correspondence, education and training records, manuscripts and research notes. Her organization also maintains the corporate records, corporate archives, and founding documents of the institution and records of governance and administration of all the divisions. One example of incidental PHI in these is the names and dates of workers who had accidents in the construction of Johns Hopkins Hospital in the late 19th century.
Ms. Heide confirmed that the PHI of deceased individuals is protected, and noted that generally, once an entity is covered, the individually identifiable health information it holds becomes covered, subject to a few exceptions such as for employment record.
To resolve this issue, Mr. Rothstein asked for feedback on a recommendation that clinical records still be covered by HIPAA, but any incidental measure that was 50 years old or older would not be subject to the Privacy Rule unless the archivists had reason to believe that it contained sensitive information. This would require a level of heightened duty. Ms. McCall and Mr. Novak were extremely enthusiastic and confirmed that archives have binding agreements with researchers specifying that if researchers come across PHI, they must bring it to the archive’s attention and not publish it. Mr. Rothstein added that if an individual’s heir wants to disclose patient records and has a legal right to do so, that is fine. Ms. Heide noted that panelists were using the words “incidental information” differently than in the language of the Rule. Ms. Wattenberg was assured that archives would still protect correspondence between two doctors that contains very sensitive information about a patient.
Mr. Rothstein asked the panelists’ help in identifying related issues for other kinds of institutions that are not as large or comprehensive. He noted that he would be reluctant to develop a pro-posal on the basis of one panel’s testimony. Archivists of covered entities are a very small group, Mr. Novak explained, with about 20 major academic medical centers. He suggested the Subcommittee contact the Medical Library Association’s History of Medicine section, which comprises hospital libraries with responsibility for records. He also suggested contacting Patricia Gallagher at the New York Academy of Medicine. Ms. McCall suggested that the Subcommittee meet with representatives of non-covered entities with large health care collections, such as the New York Academy of Medicine, the College of Physicians in Philadelphia, NLM and Countway at Harvard.
Mr. Rothstein asked whether his proposal would serve to level the playing field between covered and non-covered archives. Ms. McCall felt that it would be very helpful to have some normalization of standards for access for records in the health fields, period, at covered entities and non-covered entities. Mr. Novak pointed out that HIPAA has made non-covered entities more sensitive to access.
Observing that any archive would have obtained records from a covered entity, Mr. Reynolds asked whether inappropriate disclosure comes into play if a covered entity gives their records to a non-covered entity. Mr. Novak pointed to the business associate model, noting that there is no standard interpretation of whether “coveredness” is retroactive, or passes with materials. Ms. McCall added that a number of state archives have acquired the records of defunct hospitals in their states and do not know whether they are covered entities. This is especially important for mental hospitals and TB hospitals that have closed.
SUBCOMMITTEE DISCUSSION
The Subcommittee considered the draft letter regarding medical devices from the hearing on November 19, 2004. This letter is expected to come before the full NCVHS at the meeting in early March. Mr. Houston read the letter aloud. After extensive discussion regarding amendments, there was unanimous approval of the letter as amended. Mr. Houston would make the changes and send the letter to be forwarded to the Executive Subcommittee.
The Chair raised the issue of the next step for the RFID issue. Mr. Houston did not feel that the testimony was actionable. Dr. Rippen stated that there was nothing to use to evaluate whether a new technology would somehow change the paradigm of the discussion of privacy and the use of the technology in the health environment. She felt this might provide a way to decide whether or not new technologies need to be further discussed.
More and more technologies are showing up that will be able to be used to monitor and identify people, Mr. Reynolds commented. The issue now is still protecting the data, he said, but felt that it is important to monitor new technologies closely because “at some point they may cross a line where it is out of somebody’s hands.” He did not feel that action needed to be taken at this point, although a letter could say that this new technology merits continued diligence.
Mr. Rothstein reported that Senator Leahy of the Senate Judiciary Committee wrote a letter on October 18, 2004 to Secretary Thompson asking about RFID technology and the VeriChip, and the privacy issues it raised. Nothing has been done, so this hearing was scheduled to assist the Secretary in responding to the inquiry from the Senate. Mr. Rothstein asked whether communication from the Subcommittee stating that hearings were held and with whom, and the issues that were raised might be valuable to the Secretary.
Mr. Blair suggested indicating that this is a complex area and the Subcommittee does not have recommendations at this time, but it could encourage the existing vendors to put industry best practices in place until more information is known and legislation could be developed. Mr. Rothstein opposed making a judgment that best practices are valuable and ought to be encouraged in advance of or in lieu of legislation.
Ms. Greenberg noted that if the Subcommittee says it will monitor the situation, it implies action. The technology is developing much faster than the policy, Dr. Harding observed. He feels this technology is already blurring security of health information. Mr. Rothstein stated that he would check with Mr. Scanlon to see if a letter would be helpful or if any action had been taken at this point, and he would report back to the Subcommittee in March. If a letter was to be drafted, Mr. Reynolds volunteered to work on it with Mr. Rothstein.
Mr. Rothstein asked for the Subcommittee’s decision on the issue of archival health information.
Although Dr. Harding felt that policies should be the same for every organization, Mr. Rothstein stated that this addresses one category of covered entities and another of non-covered entities. Dr. Cohn suggested asking the Secretary to provide clarification to give archives a little more unrestricted ability and help them understand better where the lines really are. The Subcommittee had asked the panelists for more information and names of references, Ms. Greenberg stated. She felt non-response to the two letters already sent was not supportable.
In this panel, Mr. Rothstein was most concerned that covered entities compliance with the Privacy Rule resulted in the lack of access to these archival records by researchers. Ms. Greenberg observed that this is part of the bigger question of the Privacy Rule’s impact on research that this Committee has been raising without much response. Just because things are more difficult now does not mean that the Rule is wrong, she stated, because maybe some things should have been more difficult to access. She felt that the lack of response may be due to the lack of good answers. This hearing raises the issue to another level so the Subcommittee must make some response. She added that evaluation should be done of existing state policies for death records, a crossover issue.
Ms. Heide confirmed that this issue is now on OCR’s radar screen and that they would welcome recommendations. She felt that picking a timeline for protecting decedent records was troubling because it would always be arbitrary. Mr. Houston found it disingenuous for institutions to wait until after the compliance period and then segregate themselves differently as a hybrid entity.
Regarding a potential letter, Mr. Reynolds noted the similarity to the fundraising issue of leveling the playing field. From a research standpoint, growing competition will continue to be an issue for archives and he felt that such an unlevel playing field was unfair. Mr. Blair did not feel they had a specific action to recommend. Dr. Cohn suggested a letter expressing concern and asking for clarification but did not feel they had the answer of how to right this wrong.
Another option to consider would be taking no action, Mr. Rothstein stated. He noted that OCR is considering the issue, two witnesses gave presentations and submitted written testimony. The Subcommittee helped OCR learn more about this issue but does not have a recommendation. Ms. Greenberg suggested that if in several months there is still no answer to the archivists letter or no FAQs, then OCR could let the Subcommittee know what additional input would be helpful.
February 23-24, 2005 will be the first hearing on NHIN, Mr. Rothstein stated. Presentations will begin with leading bioethics and health policy experts to provide a grounding in considerations for formulating this policy. Consumer groups such as AARP will present on the second day. In Chicago on March 30-31, 2005, the plan is to hear from the AMA, medical specialty colleges, the hospital association and the nursing association.
DAY TWO
Panel 1 – Introduction
Dr. Richard Harding chaired the first panel.
Mark A. Rothstein, J.D., Chair, Subcommittee on Privacy and Confidentiality, NCVHS
Mr. Rothstein’s presentation focused on three questions about informational privacy: what are health privacy and confidentiality, why do people consider health privacy and confidentiality important, and how effective are current efforts to protect health privacy and confidentiality.
Privacy and confidentiality refer to two different concepts, Mr. Rothstein explained. He uses the term privacy to refer to a two party relationship: whether an individual can keep certain information without it being disclosed to anyone else. He read a quote from Ellen Alderman and Caroline Kennedy that concluded, “The right to privacy, it seems, is what makes us civilized.”
Confidentiality refers to a three party relationship in which the patient gives information to the provider and confidentiality considers whether the provider can re-disclose to a third party information that was originally disclosed within the confines of a confidential relationship.
Mr. Rothstein noted that the basis of confidentiality can be traced at least to the Hippocratic Oath. Professional pledges of confidentiality by health care providers imply to patients that it is all right to accept a lesser standard going from privacy to confidentiality, because limited disclosure is essential to health care and information will not be re-disclosed without consent. There are certain pieces of health information that people do not want to share irrespective of any possible adverse consequences, he continued. A 2003 study showed that the top six areas of health information considered most sensitive were abortion history, mental health history, HIV/AIDS, genetic test results, drug and alcohol history, and history of sexually transmitted disease. He noted that the sensitivities of individuals change over time.
Tangible consequences of disclosure include discrimination. This can be a situation of inaccurate conclusions or predictions being used to deny employment, insurance or other opportunities. Or, it can mean accurate conclusions or predictions based on health information will be used to deny opportunities to which individuals believe they are entitled.
Mr. Rothstein explored the effectiveness of the HIPAA Privacy Rule and genetic nondiscrimination laws to protect privacy and confidentiality in employment and health insurance. He pointed out that HIPAA is a limited system that does not establish a comprehensive system to protect health privacy and confidentiality. It only applies to covered entities and their business associates, not to employers, insurers, schools, or other entities. It covers only “so-called protected health information,” defined as individually identifiable information.
Under HIPAA, the failure to disclose health information may result in the refusal of medical treatment or the refusal to reimburse providers for services. Even though an authorization is required for most uses and disclosures beyond treatment, payment or health care operations such as marketing or research, HIPAA does not prohibit third parties from requiring the execution of an authorization as a condition of employment or purchase of an insurance policy.
Mr. Rothstein explained that regulatory barriers to prevent disclosure of patient information between provider and third party do not prevent the disclosure of information from patient to third party. A third party with economic leverage can require a patient who wants a job or insurance policy to sign an authorization releasing all of his or her medical records, he explained. This model does not address the issue of compelled authorized disclosures.
Mr. Rothstein asserted that the way to address third parties getting more information then they need is not procedural but substantive: specifying what information the third party may access and use. This involves complex issues such as who should have a right of access to health insurance and care; under what terms should medical underwriting be undertaken for insurance; the relative right of employers to decide whether employment in a particular workplace is in a person’s best interest. He feels these questions cannot be resolved by access restrictions.
Mr. Rothstein presented genetics as a case study of a failed attempt to regulate by policy. The Americans with Disabilities Act (ADA) does not prohibit requiring genetic testing as an employment condition made after an offer. Genetic predisposition is not a disability under the ADA. ADA also does not prohibit post-offer access to all health information. 32 states have enacted laws to address the first and second of these issues, but not the third. As a result, many people decline genetic testing out of concern that employers can access the results, he stated.
Minnesota and California have enacted laws allowing employers to access only job-related and relevant medical information. However, Mr. Rothstein explained that there is currently no technologically or economically feasible way to separate out job related health information, nor genetic from non-genetic information. Health care providers routinely send everything, even in response to requests for limited information. He noted that electronic health record architecture could be developed to facilitate this limited access but he is not aware of any efforts underway to do so.
Mr. Rothstein reported that since 1990, at least 43 states have enacted laws prohibiting genetic discrimination in health insurance, but they do not apply to employer sponsored group health plans, which cover 85 to 90 percent of people. He emphasized that this is not an insurance or genetics issue, but a health care system issue: who should have a right of access to health care.
Mr. Rothstein presented four conclusions. One, HIPAA established security and fair health information practices to protect against unauthorized access to health information. Two, measures to prohibit genetic discrimination are ineffective because they focus on procedural matters rather then substantive issues. Three, there can be no effective protection of health privacy and confidentiality without considering compelled authorized access to health information. Finally, measures to limit third party access to certain health information could be embedded in new electronic health records but currently no efforts are being taken to do so.
Sonia Suter, George Washington University
Ms. Suter explained that testing for conditions that will develop later in life is an area of growing concern about genetic discrimination. She discussed general approaches to protecting personal information, beginning with protecting against unauthorized access and continuing with the need to protect against particular uses and users of health information, what she calls non-discrimination. A privacy approach honors this control, she stated, allowing people to decide who will receive their information and under what circumstances. Nondiscrimination protections can focus on the harms, to support drafting of laws defining discrimination.
When third parties require disclosure of information as a condition of a benefit, Ms. Suter noted the concern that it becomes coercive. Further, once third parties have information, it is difficult to prove whether they are using it for discriminatory purposes. She emphasized the negative effects third party access can have in individual health care, research, and public health. She addressed genetics as one example of sensitive information.
Ms. Suter explained that genetic information is predictive, it can be stigmatizing, and it can be the basis of discrimination by employers, insurers, adoption agencies and financial institutions. Test results are uniquely personal and identifying, and also reveal information about family members. History of abuses by third parties has raised concerns of genetic discrimination. She described study results on this subject that showed, to a greater or lesser degree, incidents of genetic discrimination in employment and insurance.
Ms. Suter described different definitions of genetic discrimination. One is based on pre-symptomatic genetic information, an indication that someone is at an increased risk for a disease. A second could be discrimination based on susceptibility to a disease or actually having a genetic disease. There is disagreement on whether both kinds of discrimination are problematic. She called genetic discrimination “a very real and potential risk in the future.” Life insurance companies want to know about genetic testing results and most insurance commissioners believe insurers have a right to request genetic tests, studies show. Many health insurers believe genetic information will be more precise and therefore relevant to underwriting in the future. As the cost of genetic tests decrease and accuracy increases, third party interest in genetic tests will increase.
Public perception of the risk of genetic discrimination has affected behaviors and research, Ms. Suter observed. Individuals want to prevent insurers and employers from accessing their genetic information. One study found that at-risk individuals who were offered testing for colon or breast cancer refused for fear of discrimination. Nearly one third of women at high risk for breast or ovarian cancer refused to participate in a genetic study. She stated that genetic testing is not appropriate for everyone, but the decision should not be based on fears of discrimination.
Ms. Suter was further troubled that some individuals are refusing even genetic counseling for fear of health insurance discrimination. This means that people are not learning about the benefits and risks of genetic testing. She reported that a high percentage of genetic professionals would themselves like to have genetic testing for inherited cancers, but 68 percent would not want to bill their charges to their insurer for fear of discrimination and 26 percent would want to use an alias. Many would not want their results recorded in their medical record.
Anonymous testing raises concerns, Ms. Suter noted. Some genetic counselors think it inhibits good genetic counseling, which involves an individual’s test results and in depth information about the individual, his or her family history, and medical records of the patient and family members with confirmation of diagnosis in affected family members. This data would be impossible to obtain for an anonymous record, she stated. Further, there is concern that it limits testing to those with financial resources.
Ms. Suter summarized the effects of fears of third party access to genetic information. Physicians may not have full information to offer proper care. If people are not getting tested, it is difficult to prevent or ameliorate disease, which can lead to premature death. And there is concern that family members may not learn about their own risks and therefore may not get counseling and testing. If patients do not get counseling, they do not learn about the risks and options. There can be effects on public health, on research and on studies of diseases.
The solution is to protect authorization of access to information, to require authorization, to protect against particular uses of information, nondiscrimination, and to prohibit benefits from being conditioned on the receipt of genetic information, Ms. Suter stated. She reviewed state legislation, explaining that some states are trying to prevent third party access by not allowing employers or insurers to request or require genetic information or to perform genetic tests. There are no federal laws covering genetics. She stated that the goal is uniform federal prohibitions in three areas: unauthorized access to health information, discriminatory uses of health information, and compulsory disclosure of health information by third parties as a condition of benefits.
Peter Swire, Ohio State University
Mr. Swire pointed the Subcommittee to a regulatory impact analysis in the proposed and final HIPAA Rule, noting that it pulls together a lot of information on the benefits of health privacy and confidentiality, including getting people into the health system.
Mr. Swire’s presentation focused on the sharing of medical records pursuant to an authorization, the history of HIPAA as it relates to these authorizations and what he termed the Privacy Rule’s non-coercion rule for providers and covered entities. No such rule exists for entities such as employers or insurers, he stated. He noted that a great deal of the authorized sharing is with third parties that are not covered entities, so HIPAA simply does not apply.
As Chief Counselor for Privacy in the Office of Management Budget from 1999 to early 2001, Mr. Swire was closely involved in the proposed HIPAA Privacy Rule. From its beginning in 1996 as the Kennedy-Kassebaum bill, concerns over privacy and security in electronic medication transactions finally led to the HIPAA Privacy Rule. He described the process of writing the Rule, how HHS was given that job, and the political processes.
The non-coercion rule is section 508(a)(4) of the Rule. It states that a valid and correct HIPAA authorization permits disclosure to third parties. The data then flows from the covered entities to the third parties. A covered entity may not condition the provision to an individual of treatment on the signing of an authorization. In Mr. Swire’s experience, this has been widely accepted, in part because there are some important, practical exceptions in the Rule, such as for clinical research trials or eligibility for a health plan. If PHI is created specifically for a third party, such as a fitness exam for an employer, it can be given to that third party.
Like HIPAA as a whole, the section 508 rule applies only to covered entities. Mr. Swire noted that HIPAA did not consider whether these authorizations should be enough for employers or for insurers. HIPAA allows an employer to condition employment on giving authorization, but has no statutory authority over employers. He feels most would agree that it is not really voluntary when the employer tells employees they must turn over their medical records as a condition of employment. However, employers do have legitimate interests in testing for fitness for duty, he believes. He pointed out that the California and Minnesota laws limit authorizations that go beyond the scope of what the employers need for fitness or other important workplace purposes.
The Fair and Accurate Credit Transactions Act’s (FACT Act) section 411 prohibits obtaining or using medication information in connection with the granting of credit, Mr. Swire stated. He called this a “very broad, very strict as written rule,” and explained that the consensus rationale that medical data should not be used for financial underwriting. He emphasized that exceptions are needed because a flat prohibition raises important problems. He gave the example that is currently being debated of a lender who finances elective surgery but then, reasonably, wants to find out whether the surgery was performed. That is getting medication information in the provision of credit.
In conclusion, Mr. Swire charged the Subcommittee not to assume that the HIPAA policy process worked out the issues of authorizations beyond HIPAA covered entities. Those debates have not taken place, he said, adding that there likely are additional situations, especially in the workplace, where authorizations are not really voluntary, He emphasized recognizing the need for practical exceptions in part because without them, a Rule will never become law.
QUESTIONS and ANSWERS
Mr. Houston asked whether people with genetic conditions that predispose them to die at an early age will be more likely to pursue getting life insurance, and therefore whether it is not fair for insurance companies to feel they should have a right to that information. He also asked whether pre-employment screenings have shown to have some positive impact on the workforce
Mr. Rothstein stated that the upcoming panel on life insurance would shed further light on this issue. Medical examinations by companies depend on the company size and type of hazardous exposure or strenuous work involved, he noted. Some large employers are required by law to give medical examinations, such as for transportation employees. But in other industries, studies show that using a questionnaire instead of medical screenings is just as effective.
Ms. Suter noted that the public does not view life insurance the same way as health insurance, so there is less legislation prohibiting life insurance discrimination. Many states allow distinctions as long as there is an actuarial basis. She feels this is a big policy issue of what life insurance means and what its goals should be.
Dr. Harding asked the panelists to share their general thoughts of what and who could help the Subcommittee’s process, and for recommendations on how to improve genetic protections and other protections. Mr. Swire felt attention must be paid to any situations in which authorizations are not working well with third parties that are not covered entities. For employment, he urged national standards that are closer to the California or European approach. For genetics or insurance, he feels that there are instances in which authorizations are required that lead to various bad results.
There needs to be an inclusion of other possible third parties to talk about what sorts of limitations could be established, Ms. Suter suggested. There should be important exceptions and a policy debate that tries to identify goals with insurance, for example.
Mr. Rothstein stated that, by the end of the day’s hearings, it should be clear that the Privacy Rule really do not address the whole range of issues, especially those raised by compelled authorizations. The fix is very complicated because it goes to the essence of who has a right to X, Y, or Z and on what basis it will be financed. He feels the question becomes one of enacting limits and noted that the current form of health information presents practical problems. He believes that any new system must be able to segregate information for limiting disclosures.
Panel 2 – Employment
Lewis Maltby, National Workrights Institute
The workplace is the most common source of disclosure of medication information to third parties, Mr. Maltby stated, with a pre-employment medical examination required for the majority of people who apply for a job today. He explained that once an employer has made a conditional job offer, it can and will insist that, as a condition of further consideration, the applicant must sign a waiver authorizing disclosure of his or her complete medical history. The information does not have to be job related in any way, he noted, adding that there is no way now of segregating job-relevant medical information.
Medical information is also disclosed to employers in the claims administration process, he stated. This information does not stay in the hands of the physician who looks at pre-employment history or with the internal person in accounting or HR, but can be spread through gossip. More of a concern however, is compelled disclosure, Mr. Maltby stated. If an executive sees that one particular employee has cost the company heavily because of medical treatments, the employer has a very strong incentive to get rid of that individual. He reported that he has witnessed high-level corporate executives demand records from TPAs or occupational health nurses, who feel they must give up the records to protect their own jobs. One occupational health nurse testified before the US Senate that she tried to protect records, as in her profession’s code of ethics, and was fired. This is a major concern in that field, he stated.
In Mr. Maltby’s view, there is not any legal protection that is worthwhile and effective to prevent this kind of disclosure. He urged that the disclosure of information to employers in the hiring process should be restricted to what is relevant to the job. Second, it should be determined whether there is any legal protection for the person who is a corporate employee and is being pressured to give up information. Such protection should be created if it does not exist.
Edward Bernacki, M.D., M.P.H., Johns Hopkins University
Dr. Bernacki spoke for the American College of Occupational and Environmental Medicine (ACOEM). He stated that protecting confidentiality and privacy is imperative to preserving patient trust and employee trust in the workplace, and shared ACOEM’s Code of Ethics regarding confidentiality. He explained that occupational physicians interact with employers, including CEOs, general counsel, HR, plant managers, line supervisors, industrial hygienists, safety engineers, and worker’s compensation carriers. Occupational physicians practice primarily under contract to employers. They provide clinical services and engage in disease and disability management programs, medical surveillance, fitness for duty exams, independent medical exams, and analysis of aggregated information for workplace health trends.
Employer sponsored health promotion and wellness programs, occupational illness prevention programs, employee assistance programs and onsite emergency care are extremely valuable to employees and employers, Dr. Bernacki feels. These benefits can result in early diagnosis and treatment and make a real difference in employees’ lives. If medical information gathered from such programs is not kept private, participation will be in jeopardy, he observed. ACOEM believes that if a work related illness or other occupational abnormality is noted, the employer should be informed but not be given specific diagnostic information, which is common in the worker’s compensation situation. He added that there is a dialogue between occupational health nurses and the supervisor about what that person can do so that they do not harm themselves.
Dr. Bernacki stated that if a condition is discovered that is not caused by work-related factors, the employer should definitely not be informed. “We have to balance what information we’re giving out and in some way we have to prevent the work situation from causing further damage to the individual’s health,” he explained.
HIPAA does not directly address the issue of access by employers and other third parties to medical information that could affect an individual’s ability to work safely, Dr. Bernacki observed. His organization has previously recommended several changes to HIPAA to protect employee medical information: specify that personal health information gathered or maintained in connection with employment or employee health programs is within the definition of PHI; prohibit individuals within the company, including those responsible for making personnel decisions, from unfettered access to PHI; make the physician, not administrative or management personnel, responsible for interpreting health information and determining what information is relevant and what should be disclosed to a third party.
Robert McGarrah, Jr., J.D., M.P.H., AFL-CIO
Mr. McGarrah stated that workplace health privacy is a major concern for the members of the AFL-CIO and their families, totaling as many as 40 million people. He believes that today there is the ability to determine the best quality medical care, which can be delivered to every American. There are ways to integrate medical information and create integrated disability management systems that can prevent diseases and injuries, and ways to work with employees to keep them on the job and provide excellent quality medical care, he stated. He added that this has been documented to save employers money.
Mr. McGarrah also pointed out the race to reduce costs at every opportunity and reduce corporate exposure to diseases and disability, even to eliminate the jobs of people whose care could cost the company too much. Concern about health care costs is leading companies to put group health benefits directly under the control of CFOs, he reported. He noted that ten percent of the people in a health plan account for about 70 percent of the spending on that plan. He also pointed out that disability claims within workers’ compensation are frequently due to improper or inadequate medical care at the time of injury.
Fortune 500 companies and their National Business Group on Health can now benchmark the costs of health care, absences, and lost productivity, Mr. McGarrah explained. This data allows companies to manage the care and work of each affected employee. When evaluated over an entire site, company or industry, accidents and disease can be prevented, saving lives and money.
With respect to confidentiality, an employer can access a profile of any employee’s costs to the company. Mr. McGarrah described how, when the Polaroid Corporation was sold in 2003, all of its employees on permanent disability were terminated as a condition of the sale. Many companies dismiss employees once they go on long term disability or within six to 12 months. Further, worker’s compensation has become an adversarial system, he believes. For example, Liberty Mutual will, on behalf of employers, use extensive claims diagnoses and credit scores to determine which claimants are likely to be significant problems for employers and need to be isolated and handled in a more adversarial fashion, so privacy becomes almost an afterthought.
Mr. McGarrah feels that the integrated benefits area has great promise, noting that the AFL-CIO is in discussions with Aetna. Aetna has a contract with Active Health Management, which says it can form an electronic medical record on a patient by patient basis then relate the data to evidence based clinical standards. They can call patients and physicians and suggest alternative treatments. His organization feels this is appropriate for providing the best possible clinical care. However, employers are trying to hold down costs and there are privacy concerns related to employers encouraging higher deductible plans, various benefits and health savings accounts for people with chronic medical conditions.
The AFL-CIO will continue to maintain its position and call for universal health insurance. “It’s got to be done; it’s part of the solution,” Mr. McGarrah stated. He feels that HIPAA-defined PHI should extend to workers’ compensation programs. Employers and unions need the aggregated medication management and integrated benefits information to make the best decisions on how to pay for the right care and create the safest possible workplaces.
QUESTIONS and ANSWERS
Mr. Houston asked whether there could be a standard for pre-employment screenings allowing the employer to know only that the employee is fit for duty versus specific health information, and whether the physician should be the gatekeeper. Dr. Bernacki stated that occupational physicians specify what the individual is capable of doing and the supervisor must determine if the person can work within those restrictions. The employer makes the employment decision.
Dr. Bernacki was very enthusiastic about Mr. Houston’s suggestion to put more authority in the hands of the health care professional. He felt this was workable because evaluation requires balancing many facts and a non-medical person could not come up with a relevant diagnosis. He noted that in many workplaces, the screening information is shared with the employer, and he believes it would be reasonable for HIPAA to have a standard restricting this.
Mr. Reynolds observed that employer designation of one individual as the health plan does not give enough employee protection about data access. Mr. Maltby stated that reports from third party administrators back to the company are not aggregated, and cannot be because the company will not pay an aggregate bill, it wants to know which employees made the claims.
Mr. Reynolds asked whether companies are abiding by the requirement for documentation in order to share health information. Mr. Swire believes that HIPAA “does at least in theory prohibit this corporate bigwig from walking into the clerk’s office and saying I want to see where the money went.” He directed the question to Mr. Rothstein, who said they would investigate. Dr. Rippen noted that there are two pieces: the claims that go to the third party and the
information nurse practitioners obtain through a disease management program. The possibility of not using names in reporting has not been investigated enough, Mr. Rothstein noted.
Regarding the issue of employer access to complete records of their self-funded plan, Mr. Rothstein stated that benefits files are distinct from occupational medicine files, and both are separate from personnel files. Mr. Maltby said that the problem is that the employer will force the information holder to give up the information needed to fire a worker who made medical claims. He asked whether HIPAA protects against this and the Subcommittee will check.
Mr. Rothstein asked the panelists’ opinions on his theoretical framework for a system that would limit disclosure to job related information, recognizing the many technological and economic obstacles. He described one scenario: a job is given an ID number from an encyclopedia of job classifications based on core functions tied to the physical demands of the job. The physical demands would then be tied to a medical determination of what kinds of health information would bear on the ability to do that job. Then that information would be keyed to an applicant’s electronic health records. Essentially, the employer would key in the job ID number and only the relevant information would then flow to the company.
Mr. Maltby stated, “In terms of desirability it’s a no-brainer, that’s exactly what we need.”
Dr. Bernacki felt it would be wonderful but is impractical, because factors in job demands change so much. Mr. Rothstein added that companies may want to have individuals cross trained and cross qualified but that could be taken into account. Mr. McGarrah felt it could be done. He also emphasized the frequency of cross training, which would require expansive or flexible definitions. He suggested that Dr. Reeseman could advise.
To protect health professionals who refuse to turn over medical records, Mr. Rothstein asked for recommendations on state law vs. federal law vs. regulations. Mr. Maltby felt this might follow the typical model in which a few states try one thing and get it enacted then find out what they did wrong, then other states do it right and ultimately it percolates up to the federal government.
Mr. Houston clarified that the insurance component of an employer would be a covered entity and would have an obligation to account for any inappropriate disclosures of information.
The issue was raised of expanding HIPAA to include PHI in the workplace. Mr. Rothstein felt that HIPAA is not designed for this, so it might be more practical to have privacy and confidentiality protections on employers through separate legislation. All that comes with being covered under HIPAA would not work necessarily in the workplace setting, he noted. Dr. Bernacki stated that the recommendations would move the occupational physician/employee relationship closer to the physician/patient relationship in terms of privacy and confidentiality, bringing up informed consent. He was not sure ACOEM would support this. The workplace situation does not fit into the normal HIPAA paradigm.
Mr. McGarrah described a California law that provides for a unified integrated benefits program between employer and union that should provide the best possible medical care and reduce the transaction costs. The goal is uniform application of a physician/patient relationship in the entire delivery system. The result is that all medical care should be part of the same protected standard. Asked to clarify his statement about workers’ compensation claims being related to bad medical care, Mr. McGarrah stated that because it is an adversarial system, carriers will often interpose objections, causing treatment delays. There are also issues of claims being fully work related.
Dr. Rippen asked about legal resources for employees if privacy agreements are violated that relate to employers’ disease preventive services or health promotions. Mr. Maltby felt a written agreement would be enforceable, although “sometimes judges are just going to follow their own instincts on what employers are allowed to do.” He does not believe that most people could get justice because of simple economics, “regular people can’t afford lawyers anymore.” He suggested that arbitration has proven to be remarkably effective and stated that economic enforcement must be considered for every substantive issue.
Referring to credit checks on prospective employees, Mr. Houston felt an employer could legitimately try to ensure fair application of workers’ compensation rules to prevent workers taking advantage. He asked whether Mr. McGarrah believed that some employers may be trying to reduce bona fide workers’ compensation claims through that process. Mr. McGarrah responded that, in workers’ compensation, employees give up their right to bring an action in tort against the employer and the employer then gets the exclusive remedy: to provide all necessary medical care for the workplace injury or disease. His organization is seeking that the person gets all the necessary medical care for the problem caused by the injury on the job. He does not believe the credit rating has anything to do with medical status and thinks it should be an impermissible element for insurers or employer’s consideration.
The issue of workers’ access to health care was discussed. Mr. Maltby stated that, for several decades now, workers have had health care through their jobs. Now, employers are under ever-increasing competitive pressure and must cut costs, causing them to back away from giving real comprehensive health care to their workers. Since people cannot pay for it on an individual basis, he feels that health care will have to come from the government, although there is not now any political consensus or awareness of this need. Dr. Bernacki commented that there is a lot of pressure on workers’ compensation from employers raising deductibles and a shift to the workers’ compensation system to pick up those employees who submit a claim.
Panel 3 – Insurance
Mr. Rothstein noted that life insurance is being used as one example of the insurance industry.
Joseph Huguenard, M.D., American Academy of Insurance Medicine
Roberta Meyer, American Council of Life Insurers
Presenting together, Dr. Huguenard and Ms. Meyer addressed how life insurers use health information and how that benefits the consumer. The American Council of Life Insurers (ACLI) member companies represent about 70 percent of life insurance premiums in the United States.
Ms. Meyer stated that the primary goal of life insurance is to provide financial security for American families. In 2001, 69 percent of American families owned some type of life insurance. Most Americans depend on individual or group life insurance to provide long term financial protection for their families, she stated. Individual life insurance represents more than 60% of all
life insurance policies. It is a voluntary product that is purchased and underwritten on an individual basis and relies heavily on the process of risk classification and medical underwriting.
Life insurance companies need to obtain detailed information from consumers who want to purchase life insurance contracts, Ms. Meyer explained. Some is non-medical information, but medical information is also needed in most cases, including current health, health history, past illnesses, injuries, various medical treatments, and current and past doctors. Most of the information comes directly from the applicant on the application. In cases of older ages and higher amounts of insurance, more health information is obtained and a medical examination may be done of the individual with laboratory testing and screenings, Dr. Huguenard stated. When insurers do request medical information from providers, they use recognizable authorizations and they also inform the applicant of how information will be used.
Dr. Huguenard explained the underwriting process. The insurer tries to group individuals into pools of similar mortality risk. The price of life insurance is primarily based on the risk of death, which is affected by gender, age, present and past state of health, health risk factors such as blood pressure, and job, hobby and other activities. The system overall is called risk classification. Once groups are defined, insurers calculate a premium based on that group level of risk. Life insurers do not create a unique insurance policy for each individual, but insurance policy groups to which they attach the individual and then attach a premium. Those with similar risks pay the same premium, he stated.
The process ensures adequate funds to pay future benefits and keeps rates fair to the existing people in the pool and fair to prospective customers, Dr. Huguenard stated. It also enables life insurance companies to make products widely available at affordable prices. Risk classification provides the fundamental framework in the United States for the current private voluntary life insurance system. 98 percent of applicants are approved for life insurance coverage, he noted.
Life insurers rely on the applicant’s medical information to determine the appropriate risk classification with respect to all medical issues. Dr. Huguenard noted that information obtained from health care providers often does allow them to classify someone as a better risk. He gave examples of particular surgery situations and their impact on risk classification, how more information often helps insurers offer a better rate.
Dr. Huguenard discussed adverse selection, which occurs when an individual fails to disclose information about a condition and as a result receives better coverage than they would have. Oftentimes the individual will also seek more life insurance. If this occurs several times in every thousand applicants, the major negative consequence is increased cost for future customers and fewer Americans able to afford coverage, he stated. He noted that prices of life insurance have decreased over the last several years and more people have bought insurance.
Life insurance provides financial protection and policies are likely to be in force for decades, Ms. Meyer added. She explained that risk classification occurs at the very beginning of the life insurance contract, giving insurers just one opportunity to make a risk assessment that will provide for fair premiums that are also financially sound for the company’s future payment of claims. Life insurance premiums cannot be increased and contracts cannot be canceled unless the policy owner stops paying the premiums. There are cases of fraud, she added, but it is very, very difficult for an insurer to establish fraud. If established at the beginning of the contract, it means that no real contract existed. Insurers do typically have two years to contest the validity of the contract because of material misrepresentation by the applicant at the beginning of the contact.
Dr. Huguenard reiterated that risk classification is based on medical information and makes life insurance more widely available and affordable. Basic life tables have all reflected increased longevity and therefore decreased premiums over this period of time. 50 years ago, individuals with heart disease had a very hard time getting coverage at all, Ms. Meyer explained, but with medical advances, these people can live much longer and healthier lives. They can get coverage now and could not before, and/or they can get coverage at a much cheaper rate. She believes that future advances in medical science will continue to have beneficial results.
Ms. Meyer introduced the issue of insurers’ protecting customer’s health information. Although not covered entities, life insurers must use HIPAA compliant authorization forms to obtain information from entities other than the applicant or from medical testing. HIPAA in essence governs insurers’ ability to obtain PHI from covered entities, she stated. Insurers’ ability to use and disclose it is subject to many other privacy rules: Gramm-Leach-Bliley, state laws and regulations and the Fair Credit Reporting Act, changes to which have strongly impacted insurers.
These laws together provide for a continuing and affirmative obligation to protect the confidentiality and security of customer information, Ms. Meyer stated. Insurers are required to have written policies and procedures to protect that information. She added that it is also in insurers’ best interest to keep customer information secure because customers would go elsewhere if they did not feel confident in the protection of their information.
Ms. Meyer emphasized that life insurers continue to be strongly committed to protecting customer’s personal information. However, insurers must use the information in the risk classification process, in evaluation or payment of claims and to perform basic insurance functions or insurance business activities, she stated. She supported the comment by an earlier panelist that there must be exceptions to the prohibitions on disclosures even with authorization. Existing laws recognize that consumer’s privacy has to be protected, she said, but “insurers have to use the information to do the very thing that our customers come to us to do in the first place.”
Ms. Meyer summarized the presentation, stating that consumers benefit significantly from life insurers’ ability to obtain and use information obtained directly from the individual and pursuant to the expressed authorization of the individual. This information makes risk classification possible, which makes life insurance more widely available and more affordable. Premiums are fair and they are financially sound so that insurers have the ability to pay future claims. She added that they are very proud of their historic record of very carefully protecting customer information. Dr. Huguenard also recommended Dr. Robert Gleeson’s Chapter in Genetics and Life Insurance: Medical Underwriting and Social Policy, edited by Mr. Rothstein.
Paul Billings, M.D., Ph.D., Council for Responsible Genetics
Dr. Billings is a practicing human and clinical geneticist representing the Council for Responsible Genetics (CRG), not his employer, Laboratory Corporation of America Holdings. He reported that LabCorp has adopted a “rather visionary” policy that supports protecting individuals against discriminatory uses of genetic test information and federal anti-discrimination legislation, and offered to supply a copy of the policy to the Subcommittee.
Genetic or genomic testing is primarily conducted to identify health risks, make diagnoses, or for other medical purposes, Dr. Billings reported. He observed that technology has made it increasingly easy and inexpensive to accumulate, store, and share health related data. Tech-nology has also made it possible to assess an increasing number of factors that impact health, some of which are associated with genetics. He believes that soon, many of these approaches applied to human conditions will be deemed cost beneficial or of significant public interest so that third party payers will make decisions to cover these tests as benefits and pay for them.
Dr. Billings pointed out that the problem with any screening and surveillance program is that it depends on who controls and administers it. In 1999, CRG began working toward a Genetic Bill of Rights and has now adopted a set of statements that support individualism, community, and freedom in the 21st century. He announced an upcoming text reviewing this work, titled Rights and Liberties in the Biotech Age: Why We Need a Genetic Bill of Rights.
Article 7 of CRG’s genetic bill of rights states “all people have the right to genetic privacy including the right to prevent the taking or storing of bodily samples for genetic information without their voluntary informed consent.” Dr. Billings reported that discriminatory uses of genetic test results, and fears and perceptions of adverse outcomes as a result of genetic information, are very real and affect the conduct of genetic testing. They also limit the growth of the biotechnology industry.
Today, the primacy of the market, national defense, the war on crime and health considerations are frequently used as justifications for what might be perceived as intrusions into the traditional sphere of personal liberty, Dr. Billings stated, and these are enabled by changing technology. He believes it is essential to establish the importance of individual rights that improve individual lives as our society evolves and encumbers technology driven social change.
Dr. Billings asserted that the U.S. method of financing health care and the movement to improve quality of care by relying on evidence based medicine and the assessment of practice data, along with enhanced public health information collections for many purposes, poses real problems in balancing legitimate goals. For health and health care to improve in an age of more and better health and genetic information, a statement and reinforcement of privacy rights, along with others, is essential, he said.
“What I think is fascinating about this discussion is that our focus turns to what part of individual personal privacy, that particular liberty and right, should we give up so that we can continue to have a functioning let’s say life insurance industry, or other kind of benefit,” Dr. Billings stated. He suggested considering what other kinds of information, such as the life insurance industry’s business practices are held as private and asking to understand more of that information. It is very difficult for the states or the federal government to access insurer’s information, he noted. He suggested a discussion about which kinds of information are important to be held private or confidential, and whether they are having to be revealed to a business entity.
QUESTIONS and ANSWERS
Ms. Meyer and Dr. Huguenard clarified how the federal and state laws other than HIPAA close the marketing and business associate doors for privacy protection. Ms. Meyer noted that the ACLI supports legislation that would prohibit a sharing of medical information for marketing. The NAIC model GOB confidentiality law has specific health provisions in about 25 states, requiring authorization when medical information is required for purposes of marketing. The old NAIC Model Privacy Act in about 20 states requires authorization when there is sharing of medical information with an entity other than an insurance affiliate for marketing. A new section of the FCRA requires individual notice and opt out when there is sharing of any customer information for purposes of marketing. Dr. Huguenard commented that life insurers have had confidentiality language very similar to that of business associates in their contracts for years because it is essential to their businesses.
Ms. Meyer stated that the industry recognizes consumers’ particular concern about life insurers’ use of the results of genetic information and tests. She is aware of no company that requires individuals to undergo genetic tests. The industry is concerned that proposed state laws will jeopardize life insurers’ ability to underwrite based on traditional medical information and medical tests. She emphasized insurers’ need to know what a proposed insured knows so that insurers can have appropriate, fair underwriting and determine financially sound premiums. Insurers feel very strongly that all customer medical information should be kept confidential and secure, regardless of the source or nature of the information.
Dr. Billings reiterated that the underwriting practices of life insurance companies are largely unknown. Some state laws do prohibit certain kinds of underwriting practices. He focused on what is required in an application to proceed with consideration of a contract for life insurance. He listed basic requirements, adding that further requirements would be individual underwriting practice, so the frequency of such additions is unknown.
Clairfying typical patterns of life insurance purchase, Dr. Huguenard stated that families today usually have two breadwinners, and a spouse working at home also has a financial value. In estate planning, individuals with high net worth will purchase life insurance to help with costs of settling an estate and the associated taxes. He added that small and larger companies that depend on a few key individuals want to be prepared in case of the death of one of those individuals.
Mr. Blair observed that if insurers can use genetic information for risk purposes, the individuals that most need insurance coverage will be left without protection. Dr. Huguenard explained that relatively little predictive genetic information is at the deterministic level. Most may have nothing to do with mortality or may be only a small contributor, so the overall likely impact of predictive genetic information on life insurance denial is very small. But Dr. Billings noted that life insurance underwriting uses other predictive information that he called “not very good.”
Mr. Rothstein responded to Mr. Blair that unfair accurate use of information by an insurance company to deny coverage is the nature of life insurance. Mr. Blair clarified that his concern is that a person in his or her 20s, just starting a family, might be denied life insurance because they have a genetic disposition to something that might affect them later. Dr. Billings added that this technology is being focused on newborns, which gives a longer time to prevent the outcome of a risk. He predicted an explosion of risk and predictive information present in children, adding that many younger adults will be starting to buy contracts for all sorts of things where the genetic information may have some legitimate or illegal business purpose.
Ms. Meyer reiterated that 98 percent of applicants for life insurance are offered coverage, with 96 percent at standard or better rates. A lot of the dramatic change in science has made it possible to insure more people at better rates, she said. Dr. Huguenard stated that the U.S. has a life insurance product in Social Security that most people ignore. If a younger person with a genetic problem is working, his or her dependents are covered under Social Security until they are 18.
Looking into the feasibility of developing a way in which sufficient information could be disclosed to end users of the health information without disclosing everything in the medical file, Mr. Rothstein asked Dr. Hugenard if he would accept in principle limitations on the disclosure of medical information for medical underwriting, possibly using a list of items that could be used or one of items that could not, such as abortion history. Dr. Huguenard responded that he would be evaluating the risk of a person age 25-30, knowing that his company would carry that risk for the next 50 years. He felt it was very difficult to identify medical things that he would never want to access. He did agree that if a list had to be created, a list of what not to use would be preferable, and he pointed out that insurance today already has a short list of “cannots.”
Mr. Rothstein clarified that a list would include things for which there are no associated mortality risks and that he was seeking a level of willingness to accept less than perfect information to further an important privacy goal. Dr. Huguenard felt it cannot be known what will be relevant or sensitive in the future but felt the practical limitation is on record management.
Mr. Rothstein raised the idea of the new electronic health record system in which restricted information would be in the system but would not be released to life insurers. Dr. Billings commented that the privacy of medical records is a kind of a myth, since in a typical hospitalization, 80 or 90 people may assess the medical record. He believes one principle of a system should be consumer notification each and every time the record is assessed, then companies would compete on the basis that they intrude or assess it less. He suggested that, rather than listing exclusions, there be a requirement that assessments have evidentiary basis.
Noting privacy concerns, Mr. Rothstein asked whether medical underwriting using personal health information could be or has been done offshore by contractors. Dr. Huguenard had not heard of this happening, but felt it was possible. Ms. Meyer felt the Unfair Trade Practices Act would extend to activities performed by a third party contractor. Privacy obligations under Gramm-Leach-Bliley extend to activities by third party service providers, and regulators could come after offshore insurers to the same extent in this country, she stated.
Dr. Rippen asked whether a deceased parent’s genetic profile would be considered in a child’s application for insurance, if the insurer had the parent’s information on file. Dr. Huguenard said they would only consider what the child provided in terms of family history, stating that they do not underwrite people from other people’s records, and in fact support laws prohibiting this.
Dr. Rippen raised the issue of people refusing genetic testing because of concerns related to life insurance, when testing might actually benefit them for treatment and reduced risk. Dr. Huguenard stated that so many factors go into decisions about genetic testing, he did not think life insurance was the top list of reasons people don’t get genetic testing today.
Ms. Meyer felt insurers were subject to minimum necessary because they can only get information as permitted under HIPAA. But Mr. Rothstein said that minimum necessary does not apply to information pursuant to an authorization. Mr. Reynolds added that, when providing an authorization, most people think that insurers are only getting the information on the instance for which more information is needed. He added that genetic testing begins to get into dramatic future indicators, but Dr. Huguenard argued that actual dramatic indicators are relatively rare.
Panel 4 – Approaches
Amy Bergner, J.D., Society of Human Relations Managers
Ms. Bergner addressed issues surrounding the disclosure of health information in the workplace, focusing on employers’ legitimate need for health information, their challenges in protecting employee health information, and approaches employers are taking to safeguard this information. She emphasized that HR professionals strive to balance legitimate business needs of the organization while maintaining the confidentiality of employees’ personal medical information.
SHRM strongly supports efforts to protect the privacy of health information in the workplace. However, certain disclosures are legitimate and necessary for benefits administration, Ms. Bergner stated. Employers must comply with the Americans with Disabilities Act, the Family and Medical Leave Act, workers’ compensation laws, and the HIPAA Privacy Rule. A fundamental element of each is the collection and use of an employee’s medical information.
HR professionals come across employee health information in health care plan design and administration. Ms. Bergner noted that health care coverage is the most expensive benefits that employers provide. HR professionals need plan beneficiaries’ health information for plan design and operation and to make appropriate changes, she stated. The information is also needed for programs geared towards high risk, chronically ill or seriously ill employees and to assess eligibility for non-health benefits including disability, workers’ comp, wellness benefits, and some EAP functions. In those programs, employee information often must be shared among benefit programs for plan design and management and to improve benefits’ effectiveness and quality. She noted that summary health information is already governed by HIPAA, which permits the use and disclosure of health information and limited disclosure without authorization.
Under HIPAA, a group health plan may disclose individually identifiable health information to an employer that sponsors the health plan for plan administration purposes only, Ms. Bergner reported. This requires steps including amendment of the plan documents and certification by the employer. The employer is also required to establish firewalls to limit access to such information, and the minimum necessary standards of the HIPAA Privacy Rule also apply.
Ms. Bergner described one of HIPAA’s main objectives as preventing misuse of employees’ private health information that is available to the employer through health plan sponsorship. It would be illegal for a supervisor to ask someone in the HR department for health information on an employee, she stated. She noted that HR professionals obtain health information in the process of advocating on behalf of plan participants.
Employers are embracing disease management programs to improve the health of their workforce and support their bottom lines by increasing productivity and reducing medical insurance costs, Ms. Bergner stated. Data is needed on the frequency, severity and consequences of workers’ diseases and illnesses to determine whether an individual is a good candidate for a disease management program. This aggregate information is often gathered from claims data.
Establishing an employer sponsored wellness program often involves a confidential individualized health risk assessment done by an outside consultant for each individual who signs up for it. Ms. Bergner noted that only aggregate information is provided to employers.
With EAPs, HR professionals generally only learn of an employee’s use of the benefit when the employee requests information, and most EAP contracts require confidentiality. If a company requires a mandatory referral to an EAP in a case of substance abuse, the EAP may disclose limited information to specific individuals at the employer who have responsibility for monitoring the employee’s adherence to the EAP program.
In order to determine qualification for leave under the Family and Medical Leave Act, the employer has to collect relevant medical information on the health condition and often requires a doctor’s written certification, Ms. Bergner explained. This documentation is considered an employment record, not a health care record, and is not subject to HIPAA, but in practice employers treat such records as confidential. Additional layers of screening could delay an employer’s ability to grant the medical leave.
Ms. Bergner summarized employers’ challenges in protecting employee health information, including the administrative burden and expense of compliance. HIPAA has caused major new expenditures, and ensuring legal compliance with federal and state HR laws is growing more complex. Moreover, penalties for violating HIPAA’s privacy regulations also loom large.
SHRM believes that a voluntary approach built on best practices and current law is most appropriate, Ms. Bergner reported. Internal policies may include keeping a log of disclosures. Employers must provide and document the training of employees who have access to health information and have a system of sanction for any who violate the privacy policies. Employers should only collect information that they may legally use in making employment decisions, ensure such information is properly retained, and limit access to the information.
SHRM believes that current law adequately protects the privacy of employee health information. Proposals of new laws in this area would be a serious concern to SHRM and its members, Ms. Bergner stated. SHRM would also caution against any approach that would add to the time and cost of compliance with existing protections for health information.
Dixie Baker, Ph.D., SAIC
Dr. Baker represented the Healthcare Information and Management Systems Society (HIMSS). She explained that emerging and existing technologies offer potential solutions for limiting the privacy risks posed by the release of electronic health records to third parties.
Dr. Baker described the functioning of the prevailing security model and the reasons that it is not very useful for controlled sharing and collaboration. She explained that cryptographic schemes have two exceptions to this model. First, encryption is applied to data, not to the objects in which those data are stored. Second, cryptographic solutions control access through the distribution of secret keys. Public-key cryptography uses two keys: one to encrypt data and the other to decrypt. One is public and the other is kept private.
The business imperative for third parties is the need to review individuals’ health information to effectively manage business risks related to that individual, Dr. Baker stated. The personal imperative is to protect privacy by releasing minimal information to as few people as possible. Further, she noted, individuals want assurance that information restrictions will be enforced into perpetuity, not just for the initial release. “Because privacy is values-based, no consistent set of rules will work for every person or with every third party,” she said.
A solution for these conflicting imperatives—for effective and safe information sharing—must operate across multiple organizations governed by different security policies. It must enable the owner of an electronic health record to assign privacy attributes within the bounds of law. These attributes (metadata) must persist with the information throughout its lifecycle and must be uniformly interpreted and translated into enforced security rules. This will require the specification and adoption of uniform metadata standards for representing privacy attributes.
To assure integrity, the identity of the information owner and the third party recipient must be authenticated, Dr. Baker stated. The solution almost must be capable of authenticating the data itself. The specific granularity of protection must be highly flexible and the security solution must also be able to evolve with technology. She addressed the feasibility of using existing and emerging technology to address these challenges, with the objective of assuring the Subcommittee that this is not an intractable problem.
Dr. Baker believes that the technology most capable of meeting these requirements is digital rights management (DRM), which was developed to enforce copyright protection on digital content distributed over the Internet. The second generation of DRM has greatly expanded to give parties varying degrees of control over how digital content and services are used, including by whom and under what conditions. A DRM system enforces usage rights based on originator-controlled policies, she explained. She described the system’s workflow steps.
DRM policies specify how to handle actions that authenticated users attempt on protected resources. Dr. Baker gave the example that a DRM policy applied to an electronic health record might enable an insurance company to review those portions of the record necessary for coverage authorization purposes, but not allow the record to be saved on the company’s server.
A number of vendors, industry groups, and standards bodies are involved in DRM standard-ization efforts, Dr. Baker noted. She feels the ability to control and receive reports on third parties’ use of records would help protect individual privacy while enabling sharing. A DRM solution could enable direct transfer of electronic records from providers to third parties, with Privacy Rule enforcement throughout the lifetime of that information. DRM would require implementation of elements that she believes are soon likely to become standard PC features. Dr. Baker called use of a trusted intermediary a more immediately feasible, though less capable, approach for sharing of electronic records that provided many of the functions of DRM. A user interface would enable an individual to request and authorize the sharing of his or her electronic health record and prescribe specific parameters relating to that information. These rules could be managed in a relational database management system and enforced at the time the third party requested access. Third parties would be able to display an image of the information on their screens but the data would not persist as a file on the client machine. Dr. Baker stated that the trusted intermediary itself would need to gain the trust of record owners that their health information would be managed safety and responsibly. She outlined the necessary security infrastructure needed for DRM and trusted intermediary solutions.
Keith Tayloe, Portal Dynamics
In today’s post-HIPAA world, personal health information is owned and controlled by the health care provider by default, Mr. Tayloe began, adding that HIPAA recognizes that consumers have an ownership stake in their personal health information. He believes that discussions of third party disclosure need to address consumer ownership of their personal health information, where disclosure is a two party question, not a three party question. “Consumer driven health care will only be a panacea if the consumer is allowed to drive.”
Mr. Tayloe urged that consumers initiate and maintain their electronic health record based on government and health care industry standards. This consumer managed electronic health record would provide a summary picture and the pointer to detailed records that reside with health care providers. He proposed that consumers would grant access to their electronic records at the time of the health service. They could support studies or fulfill requests by making health information available anonymously. This makes disclosure a direct, addressable question, he said.
There are many potential objections to putting electronic health records in the hands of consumers, Mr. Tayloe observed. Some stem from misconceptions that a vast national infrastructure is needed to store and forward health care information. However, he stated that technically, there are no barriers.
Putting electronic health records in the hands of consumers will not improve the quality and efficiency of health care overnight, he said, but it will begin to improve the quality and efficiency of health care tomorrow. “More importantly, it will unleash the inherent innovation in the marketplace and force the health care industry to be responsive.” The Internet provides the best testimony to the potential of the consumer, he explained. Consumers can now place their own orders, track shipments, book travel, get loans, and manage stock portfolios at any time, thanks to consumer demand and marketplace innovations. He stated that pharmaceutical companies clearly believe consumers can and will influence their doctors, as demonstrated by the unending barrage of drug commercials. He also noted that consumers are making the choice to go to Canada to purchase pharmaceuticals.
Mr. Tayloe urged that the third party disclosure issue be deferred to consumers. Let consumers drive their electronic health records and decide whether or not personal health information should be disclosed and on what terms. He believes that consumer managed records will provide more information, which will lead to better diagnoses, better decisions, and fewer errors.
QUESTIONS and ANSWERS
If some documentation needed to be captured by a recipient using a DRM system, Dr. Baker indicated that this could be controlled through use of rules. For his consumer-controlled approach, Mr. Tayloe clarified that providers would need Internet access and individuals would only need the physical key or device. He confirmed that they are building an index.
Mr. Rothstein asked Ms. Bergner if SHRM would find acceptable the restriction of post offer examinations and inquiries to job related information. She responded that SHRM does not have a definitive position on that, but noted that, as a general rule, employers are not anxious to have a lot of extraneous health information about their employees.
In Mr. Tayloe’s scenario of consumer-controlled health records, Mr. Rothstein asked what would stop insurers from requiring applicants’ complete health records. Mr. Tayloe responded that in a free market, that could happen. He confirmed that his model does not get around that question of leverage by insurers, further action would be needed. Mr. Rothstein noted that for both DRM and the trusted intermediary, a decision would be needed on the boundaries of what information can be disclosed. Dr. Baker proposed that the default should be that the consumer decides, noting that the sense of what is private varies among people. Coming up with one universally acceptable set of rules would be a really difficult challenge, she added. Further, she believes that patients’ authority to decide what to share or not share will vary on the capability of the patient.
Mr. Rothstein stated that they have been searching for a way to protect sensitive, non-essential health information in an objective way from getting to third parties that can compel authorizations for broad disclosure. He believes technical solutions are a downstream issue from the fundamental question of what information gets through that system. In the employment context there is the standard of job relatedness, and he seeks a parallel in other contexts.
Dr. Baker clarified that information is much less secure than previously. Security is directly related to complexity, so as systems become more and more complex they become less and less secure, she stated. Computer systems are more vulnerable than ever and are much more ubiquitous. From a health care perspective the risk is getting higher, she observed, but added that technology also provides great benefits.
Mr. Tayloe clarified that the records residing with the health care provider would really be jointly owned with the consumer. But the summary and the key to the records could only be released if authorized by the consumer. He confirmed that individual health care providers might also hold patients’ electronic records but would not be allowed to release anything from them without consent, even the kinds of current HIPAA exceptions for research, etc.
It is important to recognize the concept of the electronic health record, Mr. Tayloe asserted. It can improve health care, so the way to begin adoption, he feels, is to let consumers take it and run with it. This is a tradeoff between things that make government uncomfortable. He noted the willingness of people to volunteer information online and resources for research, and he feels confident that people for their own health would gladly provide anonymous information for studies. He agreed that the issue of monitoring diseases and outbreaks needs to be addressed
Mr. Rothstein explained that the job related requirement under ADA is based on a long history of case law. That standard is used for medical examinations of current employees but does not apply to post offer examinations. Ms. Greenberg feels that electronic health records are an opportunity for epidemiologic research and suggested that database analysis could be useful for identifying what health areas are genuinely lower risks. Mr. Rothstein strongly emphasized that privacy is not free, it costs in terms of the compliance and also because everyone wants the most information they can get, the perfect information. He feels they will have to recognize that one cannot have maximum everything and privacy as well.
Dr. Rippen raised the issues of information expiration and tracking of secondary or tertiary uses. She felt these would provide assurance and allow individuals to be informed about how information is being used. Mr. Reynolds believes there is still a debate on creating something that defines every aspect of a person and then automates the information. He feels that an overall infrastructure is needed because with a standard format, data can be more readily communicated.
“If you do nothing, life goes on and we all get our health care,” Mr. Tayloe observed. He feels that this will have to roll out incrementally, giving the luxury of piloting different programs in different places to see what will work. He has had discussions about what happens if a consumer loses the key to his or her record. That does not exist today, so it can only get better, he believes.
Mr. Rothstein noted for the record that this was a background hearing of issues that are very important to him. He hopes they will become so to the rest of the Subcommittee and perhaps the full Committee.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/ May 11, 2005
_________________________________________________
Chair Date