Testimony of Joyce Dubow, Associate Director, AARP Public Policy Institute

National Committee on Vital Health Statistics, Subcommittee on Privacy

Hearing on Privacy and Health Information Technology, February 24, 2005

Introduction and Background

I am Joyce Dubow, Associate Director of the AARP Public Policy Institute. AARP represents over 35 million members who are 50 years of age and older. The Public Policy Institute conducts objective, relevant, and timely research on issues that are of importance to midlife and older Americans. The work of the institute both informs AARP’s advocacy efforts and contributes to and influences the public debate on health, economic security, independent living, long-term care, and consumer protection and empowerment.

With such a large membership, we have a diverse constituency. Our members include workers and retirees; individuals in their 50s who are at the peak of their earning years, and those who are in their 80s and older who live alone; individuals who have comfortable standards of living and those who struggle with limited resources and depend entirely on Social Security for their income. With respect to the subject of today’s discussion, diversity extends to an individual’s familiarity, comfort, habits, expectations, and attitudes about health information technology and personal health records.

AARP’s interest in health information technology is directly linked to our concerns about the state of health care quality in the U.S. The Institute of Medicine and others have provided ample evidence of the need to improve care. Quality problems are pervasive, occurring across care settings and delivery models. Patients suffer avoidable medical mistakes and do not receive care that experts recommend.[1]Too often, some socioeconomic, racial, and ethnic groups experience health care disparities.[2] Scarce health care resources are squandered on unnecessary procedures or services.

Clearly, improvement is needed and AARP has identified several steps that we think could help. These include: the implementation of health information technology to enable doctors, medical institutions, and long-term care facilities to conduct clinical and administrative activities in a paperless environment; the collection and reporting of standardized measures of doctor, hospital, and nursing home performance that will facilitate transparency, public accountability, and quality improvement activities; and realignment of provider and practitioner reimbursement to reward high quality.

We recognize that health information technology (HIT) is key to rapid quality improvement. Innovations like computerized physician order entry can help reduce errors by improving accuracy and legibility of prescriptions and medical records. Other technological interventions can provide decision support tools to clinicians, such as reminders and prompts to conduct recommended procedures and timely feedback of laboratory and other test results; enhance coordination; monitor and modify medications and patients’ progress; facilitate access to evidence-based guidelines; improve access to medical advancements for both clinicians and patients; and enhance physician/patient communication. And, significantly, HIT can help to engage consumes in their own care, to improve self-management of chronic illness, and to provide access to information that can help them forge more equal partnerships with their clinicians.

As noted by Dr. David Brailer, the National Coordinator for Health Information Technology, in his Framework for Strategic Action, the problems of high costs, medical errors, variable quality, and administrative inefficiencies are closely linked to the inadequate use of HIT as an integral component of medical care.[3] The U.S. lags considerably behind other nations in the adoption of electronic medical records, and it will take a concerted effort of the public and private sectors to overcome market barriers and the absence of common standards and policies to advance the HIT agenda. Moreover, as we move forward, it will be important to ensure that consumers have access to and control of their personal health information and that this occurs in a secure and confidential environment.

Consumer Interest and Use of the Internet and Personal Health Records (PHRs)

Recent findings from a study conducted for the Kaiser Family Foundation are quite sobering (although not surprising) with respect to the use of computers and the Internet by mid-life and older Americans.[4] There are substantial differences based on income, educational attainment, age, and gender. Almost half of those age 65 and older say they would not trust the Internet “at all” to provide accurate information about important health issues, although, in contrast, for those between the ages of 50-64, the Internet is the most trusted source of information. For the foreseeable future, the Internet is not likely to be a primary source of information for older persons—those not already online are not inclined to start. Yet it is likely that this situation will change as the baby boom generation matures into “senior” status. While not directly related to personal health records, (PHRs), comfort and familiarity with the Internet may be a good indicator of an individual’s attitude about electronic PHR as well.

It is important to acknowledge that there is still no commonly accepted definition of what a PHR is. In previous discussions, your Workgroup addressed this issue with David Lansky, who suggested that the term, “personal health record,” may itself be misleading because it implies a document rather than a series of functions that use a widely dispersed set of personal health information.[5] It is likely that the vast majority of consumers have never contemplated the scope of information and activities envisioned in Dr Lansky’s definition. Yet his definition is a fair description of things to come. Typically, when the concept of a PHR is presented to consumers, a high level description of the functions the PHR could perform is provided, such as tools to manage health information as well as information about transactional services such as appointments, prescription refills, and e-consultations. Dr. Lansky’s insight into the full scope and potential of the PHR illuminates the challenge of presenting the concept to consumers, particularly because of the privacy issues it raises.

AARP has not surveyed its members on their attitudes about personal health records. We have very limited anecdotal information from an open-ended survey that was used to evaluate a small pilot project on health navigation that indicates some would find a PHR useful to keep track of their personal health information. However, the surveys conducted by the Markle Foundation’s Connecting for Healthproject, Harris Interactive, and others indicate that the general public is not well-informed about issues concerning health information technology or the opportunities for improvement HIT could bring. More people (79 percent) think that giving doctors additional time to spend with their patients would be “very effective” in reducing medical errors than those who think that using computerized rather than paper records for ordering drugs and medical tests would be “very effective” (51 percent).[6] Most people are unaware of, but receptive to, the potential value of PHRs. When presented with options, most prefer electronic access to their medical records, although this varies by age, with younger people more receptive to electronic tools, while older persons prefer non-electronic paper means. Consumers appear to be most interested in the transactional features of PHRs, such as emailing their doctors, tracking immunizations, and getting laboratory results, but they also would like to be able to transfer information to a new clinician as well as note mistakes in their records. Depending on the survey, we know that between 30 and 40 percent of people maintain paper health records; far fewer mange their information electronically.

The Importance of Private and Secure PHRs Cannot Be Overestimated

Privacy and confidentiality are probably the central issues for consumers with respect to health information technology generally, and personal health records, specifically. It is obvious that without complete public confidence and trust that their personal health information is safeguarded and secure, individuals will not participate completely in their health care and will engage in privacy-protective behaviors, such as avoiding care, withholding information from their clinicians, or providing them with inaccurate information.

With respect to the subject of today’s session, consumers are very anxious about privacy issues, both in terms of others learning about their health information-seeking practices and also allowing others to have access to their personal information. A study of the Pew Internet and American Life Project found that the vast majority of consumers seeking health information online are concerned that a health-related Web site might violate their privacy by selling or giving away information about them, or that insurance companies might raise rates or deny coverage based on the health sites they visit. More than half of health information seekers fear their employers might learn which health sites they visit. Sixty percent think that putting medical records online is a bad idea because others might see their information.[7]

It is interesting that, with respect to privacy, experts and some consumer advocates do not necessarily see the value of technology in the same light. For example, technology experts consider paper records “unprivate” because paper records can be left on desks for anyone to look at, unauthorized staff could access file cabinets storing records, and so on; on the other hand, electronic records are password-protected and can only be seen by authorized personnel on a need-to-know basis. Furthermore, there is a record of who has seen the information and when they looked at it. However, consumers will tell you that some of these “protections” are illusory. It takes only a single keystroke to transmit one’s personal health information far and wide. Or a “hacker” could gain access to confidential files. Consumers need only tune in to their local news channels to learn of privacy breaches. These mistakes happen, and when they do, they frighten those who are already fearful that their information is not adequately protected; further such mistakes reinforce the convictions of those who believe that it is not possible to provide sufficient assurances of privacy and security of personal health information.

AARP Policy on Health Information, Privacy and Confidentiality

As I noted earlier, AARP fully supports the use of health information technology and believes efforts towards this end should be “aggressively promoted.” Below are the relevant public policy positions that the AARP Board of Directors has taken:

In the broadest terms, individuals should have the right to examine and copy the contents of their health care records and know the identities of entities and people who have examined their records. AARP also believes individuals have the right to determine who may have access to personally identifiable health information and for what purpose.

AARP opposes the use or disclosure of an individual’s medical information except:

  • as authorized by the patient for public health reporting as required by law,
  • for enforcement of the financial integrity of publicly funded health programs (provided that personal identifiers have been removed whenever possible), and
  • for research and quality assessment and improvement (provided that personal identifiers have been removed whenever possible).

Such uses or disclosures for reporting and enforcement should be supported by public policies confirming that the need for personally identifiable information has been established and cannot be met by other means and has been found to justify the use or disclosure. There must be substantial civil and criminal penalties for unauthorized or inappropriate use or disclosure. A warrant must be required of law enforcement agencies seeking access to personal health information. The use of personal health information permitted for disclosure must be limited to the satisfaction of the original need for disclosure, and information thus used or disclosed must not be used for any other purpose.

AARP supports actions that make individually identifiable health information less vulnerable to inappropriate disclosure and misuse. Although HIPAA standards constitute a step forward for health privacy, some provisions concern AARP.

Written consent should be required before information is shared for treatment, payment and health care operations. Mere notification to patients of a provider’s own privacy policies is inadequate because it denies consumers the opportunity to exercise the right to privacy. Legitimate concerns about problems resulting from a written consent requirement can and must be addressed.

In addition, AARP believes that use of clinical information for marketing without express written consent (or, an opt-in) should be prohibited.

While balancing the need for stringent safeguards, regulations protecting individually identifiable health information should not interfere with safe and effective delivery of quality health care services. Covered entities that bear responsibility for complying with federal privacy regulations should make every effort to ensure that their implementation minimizes interference with the routine delivery of health care services. The Department of Health and Human Services should monitor and enforce compliance with privacy regulations while at the same time offering education and guidance to covered entities as to whether their policies and procedures are reasonable and appropriate.

Covered entities should be required to provide, on request, an accounting of information disclosures that were made for TPO or for which authorization was obtained. Patients should be able to learn who has obtained access to their individually identifiable health information.


In spite of the daunting challenges that these privacy issues present, AARP believes that PHRs have great potential to help activate consumers and enable them to become engaged patients. Additional research is needed to gain a better understanding of consumer preferences and concerns about privacy and confidentiality issues. These views may change overtime as more people are exposed to electronic medical records, but it remains a critically important issue to address.

To summarize, AARP sees a direct connection between HIT and quality improvement—in fact, they are inextricably linked. Privacy and confidentiality issues cut across every aspect of QI and HIT efforts. We commend the Workgroup for its interest in consumers’ views and for recognizing that a truly consumer-/patient-centric health care system will not happen if consumers do not have a seat at the table so that they can actively articulate their needs and preferences about privacy and confidentiality as well as other HIT issues. Health care quality improvement and HIT require consumer buy-in. AARP intends to participate in the discussion, and we look forward to a mutually satisfactory dialogue with all affected stakeholders as we work together to transform 21st century health care.

[1] See Committee on Quality Health Care in America, Institute of Medicine, Crossing the Quality Chasm: A New Health System for the 21st Century, National Academy of Medicine, Washington, DC, 2001; L. T. Kohn, Corrigan, J. M., Donaldson, M. S., To Err Is Human: Building a Safer Health System, National Academy Press, Washington, DC, 2000 E. A. McGlynn, S. Asch, J. Adams, J. Keesey, J. Hicks, A. DeCristofaro, E. Kerr, “The Quality of Health Care Delivered to Adults in the US”, New England Journal of Medicine, 348: 26, June 26, 2003.

[2] See Agency for Healthcare Research and Quality, National Healthcare Disparities Report, Rockville, MD, December 2003.

[3] Brailer, David, The Decade of Health Information Technology: Delivering Consumer-centric and Information-rich Health Care, Framework for Strategic Action, US Department of Health and Human Services, July 21, 2004, Page 1.

[4] Kaiser Family Foundation, e-Health and the Elderly: How Seniors Use the Internet for Health Information, January 2005.

[5] Lansky, David, Testimony before the NCVHS Workgroup on National Health Information, January 5, 2005, page 18.

[6] Kaiser Family Foundation/Agency for Healthcare Research and Quality/Harvard School of Public Health, National Survey on Consumers’ Experiences With Patient Safety and Quality Information, Summary and Chartpack, Chart #23, November 2004.

[7] Fox, Susannah, Lee Rainie, The Online Health Care Revolution: How the Web Helps Americans Take Better Care of Themselves, Pew Internet and American Life Project.