June 27, 1997 Letter to the Secretary with Recommendations on Health Privacy and Confidentiality.

National Committee on Vital & Health Statistics

---

JUN 27 1997

The Honorable Donna E. Shalala
Secretary of Health and Human Services
200 Independence Avenue S.W.
Washington, D.C. 20201

Dear Secretary Shalala:

On behalf of the National Committee on Vital and Health Statistics (NCVHS), I am pleased to forward to you our recommendations relating to health information privacy. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires you to provide detailed recommendations to the Congress with respect to the privacy of individually identifiable health information by August 1997. The law also directs you to consult with the NCVHS in developing your recommendations. The enclosed report is submitted in support of this responsibility.

In developing our recommendations to you for health information privacy, the NCVHS Subcommittee on Privacy and Confidentiality held six full days of public hearings during which we heard from 43 witnesses from the industry, privacy community, State government, and public health and research communities. We also benefitted from two additional days of public hearings in San Francisco where we heard from an additional 40 witnesses from across the health industry spectrum, including a number of representatives from the privacy and patient advocacy community.

The NCVHS recommends that you and the Administration assign the highest priority to the development of a strong position on health privacy. The NCVHS also recommends that the 105th Congress enact a health privacy law before it adjourns in the fall of 1998.

We appreciate your leadership on health information privacy, and offer our continuing assistance in addressing this national issue.

Sincerely,

/s/

Don E. Detmer, M.D.
Chairman

Enclosure

---

HEALTH PRIVACY AND CONFIDENTIALITY RECOMMENDATIONS

of the

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Approved on

June 25, 1997

---

Executive Summary

The Health Insurance Portability and Accountability Act requires the Secretary of Health and Human Services to consult with the National Committee on Vital and Health Statistics when developing recommendations on standards for the protection of the privacy of individually identifiable health information. This report is the Committee’s advice to the Secretary.

The Committee finds that the United States is in the midst of a health privacy crisis. Patients must feel comfortable in communicating sensitive personal information. Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to develop.

The Committee recommends that the Secretary and the Administration assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients. The Committee also unanimously recommends that the 105th Congress enact a health privacy law before it adjourns in the fall of 1998.

Health privacy legislation presents only hard choices and difficult tradeoffs. The importance of trust in the provider-patient relationship must be preserved. Health records are used to improve the quality of health care, reduce the costs of health care, expand the availability of health care, protect the public health, and assure public accountability of the health care system. Privacy competes with all of these objectives, and it is not easy to strike a fair balance between privacy and these other worthy goals. The Committee has no doubt, however, that a privacy bill can be passed that balances the interests of patients with the needs of the health care system.

The Committee calls for a law that will require creators and users of identifiable health care information to establish a full range of fair information practices, including a patient’s right of access to records, right to seek amendment of records, and right to be informed about uses of health information. The law must also impose restrictions on disclosure and use of the information, require adequate security, impose sanctions for violations, and increase reliance on non-identifiable information whenever possible.

The Committee strongly supports the use of health records for health research, subject to independent review of research protocols and other procedural protections for patients. The Committee also strongly supports the use of health records for public health purposes, subject to substantive and procedural barriers commensurate with the importance of the public health functions. The Committee believes that patients need strong substantive and procedural protections if their health records are to be disclosed to law enforcement officials.

The Committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The Committee also strongly believes that when identifiable health information is made available for non-health uses, patients deserve a strong assurance that the data will not be used to harm them.

---

NCVHS Health Privacy and Confidentiality Recommendations

Introduction

The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) requires that the Secretary of Health and Human Services submit to the Congress detailed recommendations on standards with respect to the privacy of individually identifiable health information. Under section 264 of the Act, the Secretary is required to consult with the National Committee on Vital and Health Statistics when preparing her recommendations. This report by the Committee is directed to the Secretary in response to the statutory obligation.

The Committee’s Subcommittee on Privacy and Confidentiality held six days of hearings on health privacy during the first two months of 1997. Witnesses included health care providers, researchers, public health authorities, federal and state oversight agencies, accreditation organizations, insurers, claims processors, pharmaceutical manufacturers, federal agencies, law enforcement agencies, and patient and privacy advocates. In addition, Committee hearings and meetings dealing with coding, standards, and other administrative simplification issues provided an additional opportunity to obtain views about privacy from others in the health care community.

Principal Findings and Recommendations

The United States is in the midst of a health privacy crisis. The protection of health records has eroded significantly in the last two decades. Major contributing factors are ongoing institutional changes in the structure of the health care system and the lack of modern privacy legislation. Without a federal health privacy law, patient protections will continue to deteriorate in the future.

The importance of trust in the provider-patient relationship must be preserved. Patients must feel comfortable in communicating sensitive personal information.

Delays in passing privacy legislation will allow additional and uncontrolled uses of health information to develop. Failure to address health privacy will also undermine public confidence in the health care system, expose patients to continuing invasions of privacy, subject record keepers to potentially significant legal liability, and interfere with the ability of health care providers and others to operate the health care delivery and payment system in an effective and efficient manner. The greater the delay in imposing meaningful controls on inappropriate use and disclosure of identifiable individual information, the more difficult it will be to overcome institutional resistance to restrictions on use and disclosure or changing the way that information is acquired and used. On the other hand, the confidentiality of the provider-patient relationship and the confidentiality of health records had been the foundation by which the health care system helps ensure the best possible health care. It is not easy to strike a fair balance between these some times competing concerns.

The Committee unanimously recommends that the Secretary and the Administration assign the highest priority to the development of a strong position on health privacy that provides the highest possible level of protection for the privacy rights of patients. Any Administration position must properly balance the important and well-established interests of patients in the protection of their health information against the legitimate needs of the health care system to provide and pay for health care in an efficient, effective and fair manner and to support the responsible use of health records for public health and health research.

The Health Insurance Portability and Accountability Act of 1996 provides that if the Congress does not pass privacy legislation by August 1999, then the Secretary of HHS is authorized to issue regulations containing standards for the privacy of electronic administrative and financial transactions. The Committee finds that there is virtually no industry or public support for addressing health privacy through the regulatory process alone. There is a clear and strong preference for a legislative solution.

The Committee finds that the limited scope of the Secretary’s regulatory authority may only make matters worse. It is difficult to address health privacy requirements in a piecemeal fashion. Rules that only cover electronic health care transactions but not paper-based transactions or other types of health records could prove impossible to write or administer.

Consequently, the Committee unanimously recommends that the 105th Congress enact a health privacy law before it adjourns in the fall of 1998. Leaders in both House and Senate should publicly endorse the need for strong and effective privacy legislation that provides meaningful protections to patients. Congressional leaders should ask relevant legislative committees to agree to a timetable for action. The Congress should not treat the existence of the regulatory authority as an adequate alternative to legislation.

The Committee calls for a law that requires creators and users of identifiable health information to —

• ensure a full range of fair information practices, including a patient’s right of access to records, right to seek amendment of records, and right to be informed about uses of health information;
• accept reasonable restrictions and conditions on access to and use of identifiable health information;
• maintain protections for health information as it passes into the hands of secondary and tertiary users so that there are no loopholes that allow health information to escape from privacy controls;
• provide adequate security for health data no matter what media are used to create, transmit, or store data;
• accept accountability for actions that affect the privacy interests of patients;
• use non-identifiable, coded, or encrypted information when a function can be fully or substantially accomplished without more specific identifiers.

The Committee recognizes that the drafting and passage of a health privacy law will not be easy. Health privacy legislation presents only hard choices and difficult tradeoffs. Health records are primarily used for the treatment of patients and to improve the quality of health care, reduce the costs of health care, expand the availability of health care, protect the public health, and assure public accountability of the health care system. Privacy competes with all of these objectives, and it is not easy to strike a fair balance between privacy and these other worthy goals. The task is not made any easier by the lack of agreement about what privacy means in contemporary American society.

The Committee’s hearings showed strong and widespread support for federal health privacy legislation. There are hundreds of detailed choices that must be made in the drafting of legislation, and there are major disagreements about many of them.

Users of health information uniformly expressed strong support for privacy legislation. However, most users also asked that no — or at most few — new restrictions be placed on their ability to collect, use, and disclose health information. The Committee believes that it is unfair and unreasonable for any health data user to expect that health privacy legislation will not require some change in policy and practice. Everyone — patient and record keeper alike — will benefit from health privacy legislation, and everyone is likely to pay some price for the legislation.

At the same time, the Committee recognizes that privacy legislation must take into account the complexity and the needs of the current health care delivery and payment system. New legislation must reflect the current structure and legislative framework for health care. Changes can and must be made, but no one can expect that the health care system will be restructured solely in the interests of privacy and without regard to cost. The Committee has no doubt that a privacy bill can be passed that balances the interests of patients with the needs of the health care system.

The Committee calls on everyone to work together in good faith. It is crucial that the Congress pass a balanced privacy law as quickly as possible. Each year, health information becomes available for new uses, often without any legal, administrative, or policy barriers. Unless legislation passes soon, the risks to both patients and record keepers will grow.

The Committee observes that some health care institutions and participants who would be directly affected by privacy legislation have not yet paid attention to the ongoing legislative activities. This is as worrisome as it is unfortunate. A successful bill will require contributions and assistance from everyone. Many problems can be avoided if the drafters have a better understanding of the needs of everyone. Broader participation in the legislative process will produce a better law.

Everyone will benefit from a well-crafted set of fair information practices for health information. Patients will have new rights and greater protections for sensitive information. Providers and insurers will have clearer responsibilities and rules. Secondary users will know when they can have health information, when they cannot, what their obligations are, and what penalties will result if these obligations are ignored. None of these benefits will be achieved unless everyone approaches the legislative process with a spirit of compromise.

The Committee also recognizes that passing legislation will not end either the debate or the struggle. Once a law passes, record keepers will have to change to accommodate the new rules, federal and state agencies will have to oversee implementation of the new law, and the Congress may be called upon to refine the law in the future. International data protection standards are being developed, and the United States needs to be a full partner in this effort.

One issue that arose from time to time during the hearings was the relationship between privacy (as defined by principles of fair information practices) and discrimination. Some motivation for protecting health information is to prevent the discriminatory use of the information both inside and outside the health care setting. Patients receiving care for some health conditions or who have been the subject of genetic testing have been and continue to be the subject of discrimination in employment, insurance, and elsewhere. Several current bills address the possible discriminatory use of genetic information.

Discrimination based on health status and condition remains a major and important concern. While the Committee has not focused its full attention on discrimination, legislative responses are appropriate. It is not clear, however, that general privacy concerns and discrimination concerns must be or should be addressed together in the same piece of legislation. Instead, an already complex health privacy bill is not the best place to sort out responses to equally complex discrimination problems. The Committee suggests that privacy and discrimination issues deserve separate legislative treatment. The problems of discrimination are important, but not enough work has been done to explore the content of anti-discrimination legislation. The Committee urges the Secretary to propose legislation expanding the anti-discrimination provisions of HIPAA to cover all aspects of discrimination based on health status and condition.

Finally, the Committee acknowledges that any discussion of patient privacy is incomplete without consideration of the need for and nature of a unique patient identifier for health care. The identification of patients is a constant issue in health treatment, payment, and administrative activities. The choice will affect every health care transaction, provider, and institution. Patient privacy will also be directly affected by any decision about the adoption of a unique patient identifier. Selection of a patient identifier will have significant consequences both within and without the health care system. A properly chosen patient identification system has the potential to enhance privacy.

At its hearings, the Committee has found no consensus on a patient identifier. This document contains no recommendation. The identifier issue will be considered by the Committee at a meeting later this year. The Committee could not discuss privacy, however, without taking note of the identifier issue and promising to address it in the near future.

Additional Discussion

This section discusses selected health privacy issues. Any health privacy bill will be necessarily long and complex. As a result, it is not possible or necessary for the Committee to take a position at this time on many details. In addition, as with the rest of the health care community, Committee members have a diversity of views on some issues. Some of those differences are noted here without any attempt at resolution. Subsequent decision makers must make their own judgments in any case.

The Committee is prepared and eager to cooperate with the Administration, the Congress, and others to narrow differences and to promote consensus. In the meantime, the Committee offers this discussion with the hope that it will help to foster better understanding of some issues and alternatives.

*****

A note on terminology is essential to an understanding of this document. In many ways, the term “privacy” is a poor choice to describe the concerns that the Committee is addressing here. “Privacy” has no clear or fixed meaning, and the bounds of individual privacy interests can extend far beyond the health information issues considered by the Committee. Other familiar terms are “confidentiality” and “security,” but their definition is also uncertain and their focus may be too broad.

A more precise term for the interests that this document addresses is “records privacy” or “information privacy.” The European term associated with the establishment of rules governing the collection, maintenance, use, and disclosure of personal information is “data protection.” That is a much more precise term, but it still remains somewhat unfamiliar here in the United States. Another important concept is “fair information practices,” a term invented in 1972 by an advisory committee at the Department of Health, Education & Welfare. Fair information practices form the basis for privacy laws around the world. The Privacy Act of 1974 implements fair information practices for all personal records maintained by federal agencies.. Fair information practices already form the core of all health information proposals.

Despite these shortcomings, the Committee has stuck to the term “privacy” in this report. This word is most familiar to the public and to policy makers. It is the term used in the Health Insurance Portability and Accountability Act of 1996. The use of other terminology may only produce confusion. Privacy is intended here to refer to the interests of patients in how their health information is collected, maintained, used, and disclosed.

A. Definition of Health Information

Some proposed legislation defines protected health information by defining health treatment and payment activities. All information encompassed in treatment and payment functions then falls within the scope of regulation. The HIPAA definition is broader in that it covers health information held by employers, life insurers, and schools. To date, no proposal addresses other health information (e.g., held by retailers, marketers, newspapers, or individuals).

The scope of the legislation and the definition of health information are tied together. Deciding what is health information that should be subject to regulation is not a trivial problem. Health care treatment and payment functions can be more readily defined, and all information connected to the functions can be covered. Without the framework of treatment or payment, however, the definitional problem is more acute. It can be hard to decide when information is health-related and when it is not.

An important objective in choosing a definition is the need for a bright line. Record keepers and patients alike must be able to tell what is subject to restriction and what is not. In some respects, there is a tradeoff between a clear line and broad scope. The first priority for legislation is to comprehensively cover patient data within the health care system.

B. Technology and Identifiable Information

Testimony received by the Committee showed that computers are perceived as both threats to patient privacy and as tools for protecting personal health data. Some see computerized information as the best way to support greater use of data without revealing patient identifiers. Others see computerized repositories of health data as magnets for hackers and other abusers. Testimony suggested that the real threats to computerized information — as with paper records — come from insiders and not from hackers.

Nevertheless, because of the important and increasing role of computers in health care, it is important to be sensitive to both public perceptions and to the possibility that abuses of computerized health records will increase in the future. One response would be increased criminal and civil penalties for misuse of computerized health records. These penalties should apply to both inside and outside abusers of health data.

In discussions about privacy, it is often overlooked that computers contribute directly to improved patient care in many ways. One example is the automated flagging of potential adverse drug reactions. Debates about the proper role of computers too often focus only on the threats to privacy and not the benefits for patients. A more balanced discussion about the value and the risks of computers is essential. Better consumer education may help.

To the extent that users of data can accomplish their objectives without identified information or with minimal or altered identifiers, privacy can be enhanced without any sacrifice or compromise of other objectives. At Committee hearings, most users of health data said that some functions could be accomplished without the need for identified data. With traditional paper records, the difficulties of creating non-identifiable data are typically significant. It may be impractical and very time-consuming to make a complete copy of a paper record with all identifying data removed. With a computer record, the administrative burden of creating anonymized records may be insignificant.

Determining when a record is truly non-identifiable, however, is not always simple. Records can often be linked or identified through use of combination of non-unique identifiers (e.g., birth date, birth place, mother’s first name). The Committee suggests that additional study about the line between identifiable and non-identifiable health data is needed.

Other protections can be provided by releasing data with non-unique identifiers that have been changed in a way that does not affect the utility of the data to the user. For example, if a research project requires age information, birth dates might be altered by randomly selecting a date within thirty or sixty days of the actual date. This change would make it much more unlikely that any particular individual could be identified, but it would not interfere with the conduct of the research. Similar changes in other data elements may also be possible. In a computer-based environment, these types of changes are highly recommended.

The Committee concludes that we need to do more to develop and implement technological protections for health records. Technology offers the possibility that we can use records for socially beneficial purposes while fully protecting privacy at the same time. Greater use of nonidentifiable, coded, or encrypted records can make everyone better off at little or no cost. Technology will not cure all problems related to the use of identifiable information, but it can diminish the intensity and scope of the problems. This may be the most promising area for additional development.

C. Patient Access and Amendment of Health Information

A basic element of fair information practices — and of virtually every privacy proposal for personal records maintained by third party record keepers — is a right of access by the subject of the record and the right to seek amendment of the record. All health privacy legislative proposals include these rights.

The Committee found no disagreement with the basic principle of patient access and amendment rights. The Committee believes that access and amendment rights must be a part of any health privacy legislation. Some general disagreements about the precise scope of the rights and about appropriate procedures are reflected among the Committee’s members.

Disagreements about access center on some exceptions to first-party access. The Committee found no controversy about the withholding of information that would reasonably be expected to endanger others, from a confidential source, or that is compiled in anticipation of litigation. The most controversial of the access exceptions are:

1. Information about others. Health records sometimes contain information about individuals who are not the primary subject of the record. Examples include group therapy and treatment that involves the use of genetic information. With genetic testing, information about other family members may be collected directly from the family members or may arise from testing of the patient alone. The conflict between the privacy interests of different individuals is apparent.
2. Clinical drug trial information. The pharmaceutical industry requested a limited exception for information during the course of a regulated clinical drug trial if disclosure would undermine the validity or integrity of the trial (e.g., double blind studies). The concerns are legitimate. Whether there is an actual problem here, however, is uncertain. Despite years of experience with federal and state access laws, no witness was able to provide a single example of a clinical drug trial that was affected by a first-party access demand.
3. Information whose disclosure would result in harm to the treatment or well-being of the patient. There are sharp disagreements about whether this type of exception should be recognized, what standards are appropriate, and what procedures should apply.

The right to seek an amendment often concerns health professionals because of the implication that information may be erased from a record. The usual procedure is that questioned or incorrect information is clearly marked and amended information is appended to a health record. In the case of continuing disagreement, the patient may add a statement to the record. The Committee supports these procedures.

Patient rights must be properly defined so that patients can see and amend records from appropriate record keepers. For example, there should be no need to provide independent access and amendment procedures for third party record keepers such as claims processors. These record keepers should not be asked to make medical judgments about the contents of the records that they are processing for other purposes. In general, the originator of a health record should be primarily responsible for making any amendments that are appropriate. This must be addressed through careful drafting.

D. Authorization for Disclosure of Individually Identifiable Health Information

The universally stated requirement for third-party disclosure is the informed authorization of the patient. The reality is that non-authorized disclosures are quite routine in the health care system. Examples of non-consensual recipients include health researchers, public health authorities, fraud investigators, accreditation and licensing authorities, and law enforcement agencies. Some disclosures for payment occur without express patient approval. California law authorizes disclosures for payment without patient authorization.

The extent to which patient authorizations can and should be used as a primary regulatory device for health information disclosure is a major and difficult issue. It is unclear that patients have enough information so that their approval can be fairly described as informed. It is unclear whether patients who rely on third-party payors have an effective choice about authorizing payment disclosures.

In addition, the complexities of the health payment system are vast. Testimony revealed that many different parties may participate in the transfer of bills from provider to payor. It is not always possible to determine in advance what route a particular claim might take or which organization might process it. Other testimony suggested that disclosure authorization forms are not typically transferred with health data so that subsequent recipients may not be aware of any restrictions that a patient may have imposed. It is not immediately apparent that the patient authorization process can or should control the sometimes unpredictable flow of information in the health care system.

One option is to replace patient authorizations for payment and treatment with statutory authorization and statutory restrictions. In effect, routine payment and treatment disclosures would be statutorily allowed under defined conditions. A patient who objects and makes other arrangements with a physician or insurer could still limit the statutory scheme. Because payment and treatment disclosures cover most disclosures, patient authorization for disclosure would not normally be required. This avoids the reality that the current patient authorization process protects the interests of providers and insurers more than the privacy needs of patients. Under this approach, patients asked to sign authorizations for non-routine purposes would be alerted to the unusual nature of the request.

The Committee recognizes that this is a difficult issue. Some find patient authorizations reassuring and essential. Problems with the process may be acknowledged, but some are not ready to move away from the traditional process. Others are troubled by the collection of authorizations from patients in pain who are seeking care or who do not have a realistic opportunity or the knowledge or skills to negotiate disclosure rules with providers or employers. Those most likely to have confidentiality concerns are most supportive of patient authorization. A different conclusion is reached by those who recognize that most patients routinely sign any authorization form and seem unaware of the potential problem of doing so.

The Committee is not taking a formal position on this aspect of patient authorizations for disclosure at this time. However, it urges the Secretary and the Congress to examine this issue and to review the assumptions that form the basis for current policies and practices. The goal is to find a procedure that provides effective patient protection in the real world. Less insistence on patient authorization could actually result in better patient protections if thoughtful statutory restrictions were placed on specific usages of information and appropriate accountability imposed.

Some have suggested that the patient authorization process should be expanded and that patients should be asked or permitted to make decisions about whether their information may not be computerized. Whether these proposals also contemplate patient choice for other health information transmission and storage technologies is unclear. Arguably, patient choices could also be extended to the use of fax machines, telephones (cordless, cellular, analog, digital), and electronic mail.

The Committee is not sympathetic to the notion that patients should have a choice in the technology used to create, store and transmit health information. This is not a choice that record subjects for records maintained by other third party record keepers such as banks and employers. Requiring health record keepers — who are spending vast sums on computerization — to retain parallel paper systems is impractical and costly. It would deny the benefits and savings that the Congress has already determined will result from increased use of modern information technology. Computers are an inevitable part of modern health care and indeed are intrinsic to the actual delivery of hospital care today. Patients must accept this and move on to debate the proper protections for records in a computerized environment.

E. General Limitations on Use and Disclosure

Most legislative proposals include general requirements that all uses and disclosures be limited to the minimum amount of information necessary to accomplish the purpose. Another set of protections come from rules that attempt to regulate internal uses of identifiable health data by record keepers who have lawfully obtained access to the data. The word formulas governing internal uses tend to rely on general phrases such as “compatible with the purpose for which the information was collected” or “directly related” to that purpose. The importance of these protections is too often lost in the debate and discussion. Current law contains no comparable limitations.

The Committee strongly supports limiting use and disclosure of identifiable information to the minimum amount necessary to accomplish the purpose. The tension here is between greater protection for patients and permitting record keepers and users to function without expensive or artificial restrictions. The specific statutory formula used to impose this limitation should be as narrow as practicable. It should also reflect the complexity of the modern practice of medicine and the reality that health records are used for multiple purposes. Robust computer-based health records have the potential to enhance the capacity to limit the scope of data that is properly disclosed.

Another important aspect of patient protection would prevent third party users who have access to health information from using the information against the patient in matters unrelated to health. This is an issue especially with research, law enforcement, and oversight functions.

The Committee strongly supports these patient protections. A restriction prohibiting secondary use against the record subject is an essential part of the “bargain” that allows use of the data for socially beneficial purposes while protecting individual patients. When identifiable health information is made available for non-health uses, patients deserve a strong assurance that the data will not be used to harm them.

F. Third-Party Disclosures

Testimony was received by the Committee from the different communities that use health information. While each community acknowledged the importance of confidentiality, each essentially asked for its own exception or special access provision. These requests illustrate the challenge of preserving some degree of confidentiality in a multi-faceted health care treatment and payment environment. Each user community presented a case for continued access to health records.

Some witnesses urged a narrow view of the purpose of the health record, focusing exclusively on use of the record in the treatment process and without necessarily allowing access by all health care providers. Under this view, other uses that do not directly benefit the patient should be excluded or only allowed under narrow circumstances. It is apparent, however, that health information is a valuable resource important to the conduct of many health-related activities. Federal and state laws expressly mandate some broad uses. In addition, disclosures are often required for uses outside the health care system such as civil litigation. Defining a narrow purpose for health records becomes difficult given the many institutions and interconnections in the modern health care system.

The approach taken in most legislative proposals is to identify specifically each user or function (e.g., treatment, research, public health, oversight, law enforcement) entitled to obtain access to identifiable health information. Bills prescribe threshold standards for recipients, procedures for access, and limitations on use and disclosure. Those not identified in the statute cannot obtain access.

A major problem with this approach — and a constant theme at the hearings — was the difficulty of distinguishing between the categories of users. Clear distinctions between research, public health, oversight, law enforcement, and even management are hard to articulate. Each activity merges at the edges with another. For example, when is an activity research and when is it quality assurance? This is a dispute that has already received some attention in the research and IRB communities. The problem is broader, however. The continuum of functions cuts across many familiar categories of users and makes a clear statutory categorization challenging at best.

However, treating all users in the same way is difficult for substantive, historical, and political reasons. For example, researchers channel requests for access to health records through institutional review boards (IRB). Management functions, including cost containment and quality measurement, within a health care facility are largely discretionary. If researchers have the flexibility of managers, then existing protections are lost. If managers are treated as researchers and required to seek IRB approval, management may become more cumbersome and expensive. The IRB process is inappropriate for most management activities. The result would be a diminution of standards for everyone. The definitional problem is extremely difficult. One approach deserving of more discussion would be to require the involvement of health professionals in an oversight group within each provider organization and to require the maintenance of a record of the group’s deliberations and judgments.

The Committee takes note of the problem and suggests that any rules regulating disclosures of identifiable health information be as clear and as narrow as possible. Each group of users must be required to justify their need for health information and must accept reasonable substantive and procedural limitations on access. It would be desirable if the basic choices about uses and users were made expressly in legislation.

G. Health Research

Testimony revealed that no consensus exists about how to balance the values of health research and personal privacy. Research based on non-identifiable records is largely unobjectionable. Yet some important research requires identifiers and the ability to link records over time and location. Some privacy advocates argue that each patient should be able to prevent the use of his or her records for research. Others argue that the general societal benefits of research overcome any individual objection as long as individuals are protected through privacy rules and procedures. Testimony identified no instances of breaches of confidentiality resulting from researcher use of records.

The procedures that regulate researcher access offer a second set of issues. Institutional review boards are in widespread use, and the standards that IRBs should apply in weighing risks and benefits could be defined and strengthened. Not all research is necessarily regulated by IRBs, and some have suggested that the use of IRBs should be expanded so that all researchers must first obtain IRB approval before accessing health records. Finally, some have questioned the expertise, independence, and objectivity of IRBs. No specific proposals for alternative control mechanisms were offered, however. The Committee considers reform of the IRB process to be beyond the scope of its responsibilities.

The Committee has no difficulty in taking a position on the thorny issue of researcher access to health records. The Committee strongly supports the use of health records for health research. Identifiers should only be available when necessary, and there must be some independent review of research access. Institutional review boards provide one model for independent review. Patients must also be protected against the possibility that they will be identified through publication of research findings.

The Committee recognizes the conflict between research and privacy, but requiring patient consent as a condition of researcher access is impractical and expensive. It would also most likely stop a significant amount of useful investigation. This is not in the health interest of individual patients or the general population. Patient privacy interests are adequately protected by independent review of research protocols, the earliest possible removal of identifiers, prohibitions against use of research records for actions against patients, and strict penalties against researchers who violate the rules.

H. Public Health

Public health uses of identifiable health data attract less controversy than research uses. Many public health functions are firmly rooted in well-known state and local government activities. Public health surveillance functions attract public support more readily than abstract research.

Public health agencies themselves serve as gatekeepers to health information. Functions may be defined in statute or regulation. Proposed statutory standards would set some limits on the scope of public health requests, but the standards are broad and mostly undefined. Distinctions between narrow public health functions (e.g., communicable diseases) and broader health activities (oversight and management of the health care system) may or may not be meaningful.

As with research, the Committee strongly supports the use of health records for public health purposes. Substantive and procedural rules are essential, but the barriers to existing public health functions must be kept small for the sake of public safety and health.

A state public health department witness requested greater statutory protection for records from access requests by federal agencies. The general issue of when public health departments may be allowed to redisclose health records has not been clearly addressed. An existing statutory procedure protects some research records from subpoenas. Extending this process to public health records is an issue for the Secretary to explore.

I. Oversight

One of the most challenging aspects of health privacy legislation is regulating access to records for oversight activities. Some traditional functions — such as accreditation and licensing — appear to have narrow requirements for identifiable records. Other oversight and management functions are harder to classify or even identify. Examples include utilization review, quality assurance, and cost containment activities. Proposed definitions for oversight tend to be extremely broad to avoid excluding current functions. While some oversight functions can rely on non-identifiable records, the need for identifiable information is essential at times. Since health professionals have the training and experience to judge these matters, routine involvement — indeed, required involvement — deserves consideration.

Another difficult issue not resolved to date is the distinction between oversight and law enforcement activities. The Inspector General conducts different types of activities, some management reviews, some oversight investigations, some criminal prosecutions. Distinctions between these activities are not clear, and the separate categorization of oversight and law enforcement may be largely artificial. Yet in the proposals, significant differences exist between access rights for oversight and law enforcement. Witnesses testified about the difficulties that result from these proposed distinctions.

The Committee recognizes the importance of health care oversight mechanisms. It is apparent that the Congress shares this view. Numerous laws address, direct, and require oversight activities by federal, state, local, and private entities. The importance of these activities does not mean, however, that they should be exempt from regulation in the interest of privacy. Increased use of non-identifiable records provides one solution that warrants greater exploration. Patient protections can be enhanced by prohibiting oversight records from being used against patients in other types of administrative, civil, and criminal proceedings. The Committee believes that these types of protections must be an essential part of any oversight access process. Also, treating so many different functions and users under the same “oversight” category should be avoided. More study is needed to draw useful distinctions between these activities and to find better and narrow definitions of legitimate uses and users.

J. Law Enforcement and Health Fraud Controls

Law enforcement investigatory needs for records fall roughly into two categories: health care fraud and criminal activity unrelated to the health care system. Fraud investigators routinely obtain access to large numbers of health records, but the risk to individual patients may be less because providers and not patients are the principal targets of investigation. Criminal investigators obtain access to many fewer records, but the risk to record subjects is likely greater because patients are more likely to be targeted. There is little public awareness of the extent to which health records are used in law enforcement or for fraud control.

Testimony revealed sharp differences over the standards and procedures that should govern law enforcement access. The law enforcement community contends that its track record accessing health records is a good one and that its access authority is not abused. Yet representatives of the Justice Department and the HHS Inspector General are unwilling to accede to proposals that would restrict the use of information against a record subject. Several proposals would prevent use of health records against the record subject if an investigation of a provider brought to light criminal activity by the patient other than health care fraud. Law enforcement representatives objected strongly to any new substantive or procedural barriers to law enforcement access.

Some health care providers and privacy advocates, however, seek to establish high standards that would require law enforcement requests for records to obtain court orders, to provide patient notice, and to expressly justify each access to records. Providers generally showed reluctance to make records available to police, but it appears that they are more cooperative in health care fraud investigations than in routine criminal matters.

HIPAA already includes a provision allowing the Attorney General to issue an administrative subpoena for any health record in a health care fraud investigation, even without federal funding. If there were any doubts about the scope of federal law enforcement’s authority to obtain identifiable health records, that provision ended it. No health record in the United States is beyond demand of the Attorney General. In addition, grand jury subpoenas can require production of any health record. The HHS Inspector General also has broad access authority. None of these access methods involves notice to patients or other procedural protections. Access by law enforcement agencies in some states may require advance judicial approval, however.

The same HIPAA provision also restricts the use of health information against the subject of the record unless the investigation arises out of and is directly related to health care fraud. If law enforcement wants to use the record in another way, it must first obtain a court order. That is one procedural barrier that is also included in current privacy legislative proposals. The proposals go further by requiring notice to the patient in some cases. Also, proposed standards for measuring law enforcement use requests are tougher than the HIPAA standards.

Striking a balance between the needs of law enforcement and the privacy interests of patients will not be easy. The Committee sees the restrictions of the HIPAA as providing only the most threadbare of protections for patients. If law enforcement agencies can obtain health records — especially in fraud and abuse investigations — and can use those records to put the patient in jail based on disclosures made by the patient to the physician, then little is left of the notion of health privacy. If this type of subsequent use of records by law enforcement officials it to be allowed at all, it should be subject to the most stringent substantive and procedural protections.

Investigations of health fraud and abuse are important. Nevertheless, the Committee believes that patients need strong substantive and procedural protections if their health records are to be disclosed to law enforcement officials. Investigators should be required to justify the need for patient identifiers and to remove identifiers at the earliest possible opportunity. The Committee is confident that strong protections for patient privacy interests can be compatible with fraud and abuse investigations.

K. Other Uses and Users

The hearings identified several categories of uses and users that have not been expressly addressed in legislation to date. These are complex issues, and the Committee can only suggest that these problems require more consideration and exploration in the legislative process.

1. Employers – Employers would be subject to all legislative proposals when serving as providers, processors, or insurers. Testimony suggested, however, that workplace privacy conflicts go beyond those addressed in current proposals. Health privacy in the workplace is clearly a matter of great concern to workers and to physicians. The Americans with Disabilities Act addresses some workplace discrimination issues, but other aspects of workplace privacy for health records remain largely unaddressed. These issues should be resolved through general health privacy legislation as well as through separate new discrimination laws. More work is needed to develop specific proposals on workplace health privacy issues.
2. Registries – Nothing in any of the bills adequately addresses the role of disease registries or the rules that should govern disclosures to registries. Registries collect data for such disparate purposes as research, public health surveillance, and drug and device tracking. Testimony revealed that many registries exist and are of great value in improving knowledge and the quality of health care. However, lists of existing registries, definition of terms, and standards for disclosure are hard to find. Specific rules on registries may be needed, including a way to distinguish between independent, non-commercial registries on the one hand and private, solely-for-profit databases on the other hand. The Committee supports disclosures to qualified registries, but there is a need for clearer rules, better definition, and proper procedures.

L. Preemption

Perhaps the most difficult conflict identified at the hearings is over preemption of state laws. Among large segments of the health industry, a major benefit to federal legislation is a high degree of regulatory uniformity throughout the country. The interstate nature of health care treatment and payment activities is readily apparent. It will be difficult for many involved in electronic transfers of health data to accept any proposal that does not offer significant relief from the prospect of 50 different state laws establishing separate rules.

On the other hand, it would be difficult for many patient groups, privacy advocates and perhaps some provider groups to accept any proposal that does not allow states to adopt stronger privacy protections as specified in the HIPAA. People disagree whether existing state laws offer greater protection than most of the current federal proposals, but a proposal is not a law so judgments in this area are premature. There is strong support in some communities for a minimum federal confidentiality standard that allows states to erect stronger privacy barriers. HIPAA already reflects a policy that stronger state laws should be allowed to prevail.

Existing proposals differ on preemption. Most preserve existing state mental health and public health laws, but the scope of this language is unclear. H.R. 52 adds a new idea to the mix by allowing states to pass additional restrictions on access to health records by state officials.

The Committee suggests, however, that this issue need not be treated as a single problem with a single solution. The conflicts need to be broken down into components, and each component analyzed separately. In some areas, the case for federal preemption may be stronger. For example, it may be unnecessarily complex to support 50 different patient access procedures. On the other hand, the need to recognize the diversity of state public health laws is already clearly reflected in most proposals. No one has suggested or is likely to support a uniform federal public health law. A narrower and careful analysis of preemption may help to minimize the admittedly strong conflicts here and may point to more effective resolutions. However, if sufficient national conformity is not achieved, both national and international objectives cannot be met.

M. Uniformity

Another difficult and complex issue is the establishment of uniform rules for all types of health records. Some want a uniform set of policies to apply to all health records no matter the type, location, or diagnosis. Others see the need for separate rules for some categories of records. The types of records most often singled out for separate rules are records about AIDS, mental health, alcohol or drug abuse, and genetics.

Record keepers note that the application of different rules to different types of records is cumbersome and expensive. It is possible to imagine a single hospital record that could be subject to two, three or more different substantive and procedural requirements. The burden on record keepers may be overwhelming. Definitional problems may be most difficult. It may well be impossible to draw clear lines between these categories of special records. However, providing additional protection for particularly sensitive health records is also regarded by many as essential to protecting the public health. (Jaffe v. Redmond, 116 S. Ct. 1923 (1996)).

The alternative is the establishment of a single, high-level of protection for all records. If all health records receive the highest level of protection, then there is little that can be offered to specific categories of records. Concerns about use of categories of health records need to be addressed through anti-discrimination laws, not privacy laws.

On the other hand, there already are laws that protect specific categories of records. Most states, for example, have laws that provide an extra degree of protection for AIDS records. In any event, there is a general perception that some records are more sensitive to most people and that extra protections are warranted. Anti-discrimination laws may lessen or eliminate the justification for establishing different privacy rules for some categories of health information.

There are sharply divergent points of view on this issue among Committee members.

N. Administrative Implementation and Oversight

Any health privacy legislation will surely require regulations to explain and expand the law. Who writes the regulations is an issue. While there was no direct testimony on this point, some in the health care industry do not want the Secretary of HHS to be the regulator. They perceive a conflict of interest because the Department will also be subject to the regulations it produces. While this is not unusual in government, the location of a regulatory authority is a noteworthy issue. Regulations will surely be lengthy and complex, and considerable resources may be needed to prepare and oversee any regulations. Only the Department has the expertise and understanding of health care needed for the development and application of regulations.

Another alternative is the establishment of an independent privacy agency. The agency could be broadly focused on all privacy issues or narrowly directed at health privacy issues. Most European countries already have privacy offices of some sort. The Department of Health and Human Services has established a Privacy Advocate, but it is not clear that broader health privacy issues could be addressed by a privacy office focused at departmental concerns.

The Committee notes that a current paper from the Information Policy Committee of the Information Infrastructure Task Force addresses options for promoting privacy on the national information infrastructure. Options include the creation of a privacy agency in the federal government so that issue has already been placed on the national agenda.

The Committee believes that any health privacy bill will require a separate office to write and oversee regulations. This office will necessarily have to focus narrowly on health privacy matters under the legislation. Whether this office should be located within the Department or another federal agency remains an open question.

There will also be a need for coordination of health privacy matters with other privacy initiatives at the international, federal, and state levels. These other functions might best be handled by a federal privacy agency with broader authority. Most other industrialized countries have already established national privacy offices to coordinate and oversee privacy laws. This is a complex issue with implications that go beyond the Committee’s area of interest and expertise. The Committee awaits further action by the Administration based on the IITF options paper.

O. Unforeseen Consequences

The difficulty of the task of drafting health privacy legislation is apparent and enormous. Even a well-intended bill may be deficient in some ways, and the possibility exists that new legal restrictions could result in serious disruptions to important health functions or major breaches to confidentiality. If the legislation allows enough lead time before it becomes effective, this may be less of a concern. Still, if a disruption occurred at a time when an amendment by the Congress was not possible or practical, the consequences could be major.

It may be useful to have a safety valve provision that would authorize the regulator to suspend any provision for a limited period if exceptional circumstances would result in a significant, unforeseen threat to health or safety, a major economic disruption, major breaches to confidentiality, or manifest unfairness. This authority should last only long enough to provide the Congress with the opportunity to make a decision about the need for a permanent change in the law. None of the proposals currently includes such a provision. The Secretary should consider recommending a safety valve provision.

---

APPENDIX

List of Witnesses Who Appeared
before the
NCVHS Subcommittee on Privacy and Confidentiality

The following persons provided testified on Health Information Privacy in hearings held by the National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality on January 13-14, February 3-4, and February 18-19, 1997 in Washington, DC, and on June 3-4, 1997 in San Francisco, CA.

Elizabeth Andrews, Ph.D.
International Society for Pharmacoepidemiology
Glaxo Wellcome, and
University of North Carolina School of Public Health

Michael Barnes
National District Attorneys Association

Aimee Berenson
AIDS Action Council

Fred Broadaway
Assistant Inspector General for Investigations
U.S. Department of Labor

Alfred Buck, M.D.
Joint Commission on Accreditation of Health Care Organizations

Robert Burleigh
International Billing Association

Jean Campbell, Ph.D.
Missouri Institute of Mental Health

Lauren Dame
Public Citizens Health Research Group

Charles DeCoste
U.S. Department of Veterans Affairs

Elizabeth DuMez
National Association of Social Workers

Michael Diegel
Coalition Against Insurance Fraud

David Fleming, M.D.
Oregon Health Division and
Council of State and Territorial Epidemiologists

Kathleen Fyffe
Health Insurance Association of America

Geoffrey Funk
Social Security Administration

Neil Gallagher
U.S. Federal Bureau of Investigation

Alan R. Goldhammer, Ph.D.
Biotechnology Industry Organization

Janlori Goldman
Georgetown University Law Center

Donald Haines
American Civil Liberties Union

Eileen Hansen
AIDS Legal Referral Panel

Robert A. Hiatt, M.D., Ph.D.
American College of Epidemiology
Kaiser Permanente and Northern California Cancer Center

J. Michael Hamilton, M.D.
National Cancer Institute

John Hartwig
U.S. Department of Health and Human Services
Office of the Inspector General

Steven Kenny Hoge, M.D.
American Psychiatric Association

Susan Jacobs
Legal Action Center

Stephen Joseph, M.D., M.P.H.
U.S. Department of Defense

Richard S. Kent, M.D.
Glaxo-Wellcome

David Korn, M.D.
Association of American Medical Colleges

Richard Kowalski
General Motors and
American Association of Occupational Health Nurses

David Larsen
American Association of Health Plans

Robert Litt
U.S. Department of Justice

Lewis Lorton
HOST Consortium

Bill Mahon
National Health Care Anti-Fraud Association

Denise Nagel, M.D.
National Coalition for Patient Rights
American Psychoanalytic Association, and
Association of American Physicians and Surgeons

Verla Neslund, J.D.
Centers for Disease Control and Prevention

John Nielson
American Hospital Association

Donald J. Palmisano, M.D.
American Medical Association

John Poundstone, M.D.
National Association of County and City Health Officials

Marj Plumb
Gay and Lesbian Medical Association

Joseph Reid, Ph.D.
Centers for Disease Control and Prevention

Karen Rothenberg
Law and Health Care Program
University of Maryland

Marc Rottenberg
Electronic Privacy Information Center

Mark Schiller, Ph.D.
California Association of American Physicians and Surgeons

Jeanne Sculte Scott
CIS Technologies and
Association for Electronic Health Care Transactions

Cary Sennett, M.D., Ph.D.
National Committee for Quality Assurance

Steven Thacker, M.D.
Centers for Disease Control and Prevention

Robert Thompson
Revco Drug Stores

David Witter
Clinical Administrative Data Service,
Association of American Medical Colleges