NCVHS Subcommittee on Privacy & Confidentiality
Tentative Agenda – Hearings on Privacy and Health Information Technology
March 30-31, 2005
Testimony of American Hospital Association
by Donna A. Boswell, J.D., Ph.D.
Hogan & Hartson, LLP
Thank you for the opportunity to speak today about the privacy and confidentiality issues that affect the creation and deployment of a national health information infrastructure. My name is Donna Boswell. I am a health care lawyer and I have served as counsel to AHA on HIPAA issues, including privacy and confidentiality. HIPAA has induced interesting changes in hospitals and physician offices. Before the federal privacy rule under HIPAA, providers’ protection of patient privacy was rooted in the medical relationship – the basic fact that patient trust is integral to the practice of quality medicine. Formerly, medical ethics, best clinical practices, licensure and accreditation standards memorialized the duties of confidentiality stemming from a patient’s expectation of privacy when seeking medical care. In some states, for some providers, or for some kinds of information, state laws, regulations and constitutions codified these duties and provided for enforcement.
As a result of HIPAA, all that has changed – sort of. Very specific requirements for protecting privacy are now federal law, protected by federal criminal penalties of up to 10 years in prison and/or $250,000 for each violation that results in a disclosure. As your own hearing record documents, patients were confused, uncertain, and fearful of real and imagined rips and gaps in the mantle of medical privacy. When it became clear in 1996 that the health care system can no longer responsibly function without 21st century information and communication systems, these fears lent their urgency to the call for a uniform federal standard for medical privacy — uniformity of rights and standards, predictability of procedures, and realistic accountability for meeting these standards.
We have learned many things as hospitals have revised their practices for protecting patient privacy to integrate the multiple specific requirements of the HIPAA privacy and security rules.
First, we have learned that it is very costly, complex, and disruptive to make changes to policies and procedures that affect the day-to-day activities of caregivers and administrative personnel in our facilities. A prime example is the seemingly harmless HIPAA requirement that documentation be kept to provide each patient an accounting of disclosures to third parties. Defenders of this requirement liken it to an audit trail memorializing access to a record in an electronic system – but the accounting is nothing like an audit trail. The accounting is an explanation of the legal requirements governing each information disclosure – the who, what, when, why, and under what legal authority of each disclosure. No system can be programmed to automatically record these judgments; the time of caregivers who call the social work agency, who talk to the health department, or who deal with the sample request of the public health authorities will always be required to make the appropriate documentation in the form, and with the content required to give each patient, upon request, the accounting required by the regulation.
In a regional information system, where health authorities are lawfully given access to records through some centralized governance structure, it will be impossible for individual hospitals, doctors, labs, pharmacies and payers to enforce their policies and procedures for making such an accounting under the rule. Certainly, the governing authority of a regional information system will need records to document that legal requirements were met with respect to each entity that accesses information through the system, but this is a far different requirement than the patient-specific accounting required by the current regulation. This requirement will have to be significantly changed so that it is not a relatively useless impediment, and is a meaningful protection of patients within the new context.
Second, we have learned that criminal penalties are a magnet attracting the attention of in-house compliance personnel, and that their interpretation of the federal and state standards to prevent violations are not always well-received by patients’ family members, law enforcement officials, newspapers, and public health authorities. The potential liability and risk to reputation from criminal prosecution, and possible loss of federal program participation necessitates a different calculus to be applied: decisions about health information cannot be based solely on the best interest of the patient, or even the best interests of the health care system. Rather, a responsible entity must allow its compliance program to establish and enforce standards for protecting it from unnecessary risk.
Perhaps the most important thing we learned is that the new federal “floor” of privacy protection does not yet provide the uniformity and predictability that was one of the biggest hopes of its proponents. To a large extent this is because the federal standards were grafted onto the existing patchwork of state and local laws, licensing and accreditation requirements. In effect, the “new” federal system overlays and trickles down through and around the practices, customs, and requirements that are imposed at all levels.
Grudgingly, I think just about everybody would agree – now that we are a couple of years into implementation – that the focused attention on systemic procedures for dealing with privacy rights and confidentiality protections has been mostly a good thing. But we are not really much closer to having a uniform and predictable system to provide that foundation of trust for a national health information infrastructure. In fact, as political factions shop for alternative forums to remedy their dissatisfaction with one or more of the federal standards, state legislatures are a favorite target for modifying, “improving” and creating new standards and remedies in the name of “medical privacy.” This un-systematic thicket of laws will preclude efficient use of a health information infrastructure that operates across state boundaries.
And the thicket keeps growing more dense as providers and payers are required to weave new state and local requirements into the compliance structure they have created to meet the federal standard. In effect, whether or not it makes sense as a practical or legal mater to treat the state, local and accreditation standards as if they are enforceable with criminal penalties, they automatically are elevated to that compliance level by being added to the HIPAA implementation structure an entity has deployed to protect medical privacy. Others will speak to you about the cost and impossibility of the preemption analysis, but my point here is a simple one: As a practical matter, the preemption analysis is only useful in anticipation of litigation. Most of the health care community tries to comply with laws, not simply hire lawyers to anticipate litigation and tell us which laws can be reasonably ignored.
Our national health care system can no longer beguile itself with the myth that quality care involves only one doctor and one patient alone in a room where confessions are made and promises are kept. This is one piece of the puzzle, and in some segments such as psychiatry, the relationship is the key to the therapeutic process. But it is foolish to take the one-to-one therapeutic encounter and use it as a metaphor for deriving a system of laws to govern modern medical care. Modern health care occurs in a system of hospitals, specialists, labs, pharmacies, and payers. This system undoubtedly involves communication and commerce that crosses state lines. A visit with a physician may be the point of entry into this system for a given episode of illness, but it contorts the process and potentially undermines the quality of care to pretend that an institution can be reduced to a personification of the secret-protecting family doctor.
What is required to keep the patient’s trust that information is being securely and appropriately used is a set of standards that apply no matter what state the patient resides in, no matter what state(s) the provider is licensed in, no matter what state the payer is licensed in, and no matter where the regional information system is located. By definition, a national or regional health information infrastructure will have to have a single, predictable set of standards to enable health care providers and payers to rely on the information. No matter how much money is invested in national health information infrastructure, and no matter how much it improves the quality of care and efficiency of health care transactions, it cannot be used by providers and payers who must comply with local laws.
And if they do use the infrastructure on a piece meal basis, only with respect to specific facts and episodes as permissible under state law, over the long term, it will not be worth the investment. A provider looking at a clinical record accessed through the regional infrastructure, must be able to trust the accuracy, integrity and completeness of the information if it is to inform a diagnosis and provide a basis for recommending a course of treatment. Finding the right standard to deliver health care with a reasonable expectation of privacy is integral to the success of this venture. If patients and providers are not confident that the standards protect the privacy of the patient-provider relationship, they will not use the system. Like the old timers faced with modern banking, they will avoid the system and deal in cash.
So in sum, there are three issues that must be addressed in the privacy space to ensure that the current push for a national health information infrastructure is not yet another expensive boondoggle.
- Preemption – there must be a uniform, trustworthy national standards for safeguarding the confidentiality of health information.
- Accounting of disclosures – the requirement that each provider and payer provide each patient with an “accounting” explaining the legal basis for third party disclosures must be lifted.
- Liability – A provider must not be at risk under applicable state and federal laws for the actions taken by those responsible for operating the regional or national information system.
Thank you for your time. I will be happy to address your questions.