Mary R. Grealy
Healthcare Leadership Council
Representing the Confidentiality Coalition
National Committee on Vital and Health Statistics (NCVHS)
Subcommittee on Privacy and Confidentiality
“Privacy and Health Information Technology”
March 30-31, 2005
Chairman Rothstein and members of the Subcommittee, I want to thank you on behalf of the members of the Healthcare Leadership Council (HLC) and the Confidentiality Coalition for the opportunity to testify on the protection of patient privacy and the development of health care information technology.
The Healthcare Leadership Council and the Confidentiality Coalition support the efforts of the Office of the National Coordinator for Health Information Technology (ONCHIT) to create a national health information infrastructure and believe that any regional or national system designed to facilitate the sharing of electronic health information must take into account the privacy and security challenges associated with exchanging patient information among health care providers, consumers, payers and other authorized entities. Addressing these issues appropriately will be essential to achieving the interoperability necessary to improve the quality and cost effectiveness of the health care system.
Of particular interest to the Confidentiality Coalition are requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) statute and the privacy regulation promulgated thereunder (the “Privacy Rule”) and how these provisions may affect efforts to establish a national health information network (NHIN).
Before I discuss the impact of the HIPAA Privacy Rule on the NHIN, let me first explain the perspective that the Healthcare Leadership Council and the Confidentiality Coalition bring to the issue.
HLC is a not-for-profit membership organization comprised of chief executives of the nation’s leading health care companies and institutions. Fostering innovation and constantly improving the affordability and quality of American health care is the goal uniting HLC. Members of HLC – hospitals, health plans, pharmaceutical companies, medical device manufacturers, biotech firms, health product distributors, pharmacies and academic medical centers – envision a quality driven system built upon the strengths of the private sector.
In 1996, HLC began chairing the “Confidentiality Coalition,” a broad-based group of organizations who support workable national uniform privacy standards. The Confidentiality Coalition includes over 100 physician specialty and subspecialty groups, nurses, pharmacists, employers, hospitals, nursing homes, biotechnology researchers, health plans, pharmaceutical benefit management and pharmaceutical companies.
During Congressional consideration and eventual regulatory development of the HIPAA Privacy Rule, the Confidentiality Coalition played a leadership role, working with members of Congress and the administration to advocate for a workable privacy rule. We sought a rule that would strike the appropriate balance between protecting the sanctity of a patient’s medical information privacy while, at the same time, ensuring that necessary information is available for providing quality health care and conducting vital medical research. We sought a rule that would also create effective confidentiality safeguards that would not burden providers and patients with unnecessary paperwork or delays in treatment. We believe that the Privacy Rule to a great extent achieved this balance and has increased consumers’ confidence about the privacy of their medical records and allowed providers and payers to establish the procedures necessary to accomplish the dual goals of privacy protection and the delivery of quality health care.
Covered entities take compliance with the Privacy Rule very seriously. Health care providers, payers and other covered entities as well as their business associates have implemented comprehensive training and compliance plans to adhere to the Privacy Rule.
Under the Privacy Rule, disclosing identifiable health information for purposes other than carefully defined appropriate health care activities is prohibited unless the patient grants specific, prior written authorization. It is important to note that HIPAA has strong penalties for non-compliance. The Department of Health and Human Services (HHS) may impose civil monetary penalties on health plans, providers or clearinghouses of up to $250,000 for failure to comply with a Privacy Rule requirement. HIPAA also has criminal penalties. Persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA face a fine of $50,000 and up to one year of imprisonment. Criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses. Penalties for wrongful conduct that involve the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm increase to $250,000 and up to ten years imprisonment. Criminal sanctions are enforceable by the Department of Justice. Thus if you use a patient’s record, without permission, for reasons other than legitimate health care operations, you could be sanctioned with severe federal civil and criminal penalties.
Since the Privacy Rule went into effect in April of 2003, the mission of the Confidentiality Coalition has broadened. In addition to working with covered entities to facilitate implementation of the Privacy Rule, members of the Coalition work together to educate members of Congress about the protections provided by the Privacy Rule in order to avoid passage of legislation or regulations that would inadvertently duplicate or conflict with the HHS privacy rule.
It is important to remember that HIPAA privacy and security rules were adopted to provide appropriate safeguards for the electronic exchange of financial and administrative information. The electronic exchange of clinical information is no different. We are concerned that policymakers may not be aware of the purpose and scope of HIPAA privacy and security rules and will advocate for additional privacy regulations for electronic health records. The current HIPAA regulations are very restrictive and the strict penalties for non-compliance have resulted in covered entities taking a very conservative compliance approach. I think many consumers will attest to this fact if they have attempted to get health care claims or medical information for themselves or another person such as a parent without their prior approved authorization.
Recently, the Office of the National Coordinator for Health Information Technology (ONCHIT) announced a Request for Information (RFI) regarding the development and adoption of a National Health Information Network. The Confidentiality Coalition was pleased to be able to comment on the questions posed by the RFI. Our comments focused on several questions relating to the privacy and security issues posed by the creation of the NHIN, including how compliance with HIPAA and implementing regulations will interact with the NHIN as well as regulatory requirements that might be perceived as barriers to the formation and operation of a NHIN.
We believe that there are several areas in which HIPAA will significantly impede the development and adoption of a NHIN. I will discuss each of these below.
I. Preemption of State Laws
Although HIPAA establishes a federal privacy standard, it permits significant state variations that we believe will create serious impediments to sharing or sending health information, particularly across state lines.
In its Request for Information, ONCHIT recognized that “interoperability requires a set of common standards that specify how information can be communicated and in what format.” This is true not only with respect to the technical standards employed through information technology, but also with respect to the privacy standards that govern information disclosures.
HIPAA required the Secretary of Health and Human Services to adopt standards for the electronic exchange, privacy and security of health information. In general, HIPAA supersedes contrary provisions of state law. For example, the HIPAA provisions requiring the use of certain electronic standards preempt state laws that require medical records or billing records to be maintained or transmitted in written rather than electronic form. Congress, however, set a different preemption standard for privacy protections. The Privacy Rule does not supersede state laws that are contrary to and more stringent than the federal standard. As a result, providers, clearinghouses and health plans are required to comply with the federal law as well as any state privacy restrictions that are contrary and more stringent. In the context of HIPAA implementation this has been extremely difficult. In the context of a NHIN it is potentially impossible.
State health privacy protections vary widely and are found in thousands of statutes, regulations, common law principles, and advisories. Health information privacy protections can be found in a state’s health code as well as its laws and regulations governing criminal procedure, social welfare, domestic relations, evidence, public health, revenue and taxation, human resources, consumer affairs, probate and many others. The rules typically apply either to specific entities – such as hospitals or county health departments – or to specific health conditions, and no two states are the same in this regard. Virtually no state requirement is identical to the federal rule.
I know I don’t have to inform the Subcommittee of the difficulty that the multiplicity of applicable privacy rules and the lack of regulatory guidance on preemption have posed for covered entities attempting to comply with the HIPAA Privacy Rule. I would simply reference this passage of a letter to the Secretary of HHS, which was written by NCVHS:
“To determine whether state privacy laws or the HIPAA Privacy Rule applies to the multitude of health privacy issues, covered entities must obtain a comprehensive preemption analysis, detailing whether state or federal law applies. These analyses are often lengthy documents, expensive to research, highly technical, and not binding on any enforcement agency or the courts. Large, multi-state covered entities need to have such an analysis for every jurisdiction in which they do business. There is no national coordination on the issue of preemption, and state and local efforts vary widely in their degree of completion and, for those already completed, in the cost to obtain copies.”
HHS has made clear that the Agency will not provide a comprehensive preemption analysis. Moreover, single state and private sector efforts have been extremely costly and do not utilize consistent standards. Further, state requirements change frequently, causing studies to quickly become outdated.
HLC attempted to address this problem directly by commissioning a multi-jurisdiction study of state privacy laws, case law and regulations that analyzes the relationship between the federal Privacy Rule and state laws. The study initially cost more than $1 million and costs $100,000 to update annually. However, I want to point out that many organizations, particularly smaller provider groups, do not have the resources to contribute to or access studies such as the one done by HLC, and thus must navigate the sea of privacy regulations and laws on their own.
The issues associated with privacy compliance are greatly magnified in the context of a NHIN. The creation of a successful NHIN will require a national system of interoperable systems that can exchange health information. Making information available through or to a NHIN conceivably could require entities to comply with a range of different state laws each time they disclose information in the context of a federated system. The current patchwork of applicable state and federal laws will likely be a significant disincentive to participation for virtually all stakeholders. Indeed, members affiliated with emerging regional consortia are already reporting difficulty in accessing the targeted expertise needed to navigate the variations in state privacy laws across regions and indeed across the country. It is not clear how interoperability can be achieved without a more uniform framework for the protection of patient privacy. Absent such a framework, the barriers to using health information technology to improve the quality and efficiency of health care will be substantial and covered entities will be discouraged from participating. Federal preemption provisions that go further toward eliminating state variation in privacy standards and establish a unified national standard will help ensure the viability of a NHIN.
II. Accounting of Disclosures
Participation in a NHIN may impose significant and unmanageable burdens on health care providers attempting to comply with the Privacy Rule requirements regarding the accounting of disclosures of protected health information.
Under the HIPAA Privacy Rule, patients have a right to an accounting of the disclosures of their medical information by a covered entity or its business associates. Covered entities must track, record and keep documentation of these disclosures for six years in order to meet the privacy rule’s requirements. Though some disclosures, such as those made for the purposes of treatment, payment and health care operations, are exempt from the rule’s accounting of disclosures requirement, there are a substantial number of disclosures that must be tracked, including numerous disclosures to public health and state entities that are required by law.
Experience with this requirement among Confidentiality Coalition members shows that the accounting of disclosures requirement imposes undue administrative costs on covered entities and erects barriers to quality health care while providing little if any added privacy protections. The burdens associated with the accounting of disclosures provisions grow more complex when considered in the context of a NHIN, and will likely serve as a barrier to participation by covered entities.
Under the Privacy Rule alone, the accounting of disclosures requirement has, in our view, unnecessarily diminished access to health information for purposes essential to improving health care and health care quality. For example, some hospitals have stated that they will no longer participate in the CMS quality improvement organizations (QIO) projects as they relate to non-Medicare patients, because of the onerous administrative burdens imposed by the accounting of disclosures requirement. The large number of patients whose information is disclosed to QIOs makes the record keeping required unduly burdensome. Similarly, health care providers are more reluctant to make health information available to researchers because of the accounting of disclosure procedures associated with disclosing data sets to researchers pursuant to an IRB waiver of authorization.
Health plans have also faced difficult challenges implementing the accounting of disclosures standard – challenges that have raised costs. For example, state departments of insurance (DOI) require health plans to turn over thousands of records every year to facilitate DOI market conduct reviews, claim verifications and other auditing functions.
Hospitals, providers and plans must make disclosures to public entities to maintain disease registries, vital statistics and other health registries. Examples of the type of information providers are asked to report include births and deaths, cancer cases, brain and spinal cord injuries, child immunizations, blood lead analyses, and reports of workplace injuries. Tracking tens of thousands of records every year – because of government requests – is extremely costly. In addition to the cost of tracking, there is an enormous storage cost as health plans and providers must secure gigabytes and terabytes of computer storage for this very significant level of records.
In a more limited context, the Government Accountability Office (GAO) recently recognized the detrimental effects of this accounting provision and recommended modifying the Privacy Rule to exempt public health disclosures from the accounting of disclosures provision. GAO urged HHS to take immediate action to implement this change to the Privacy Rule, noting that the current accounting of disclosures requirement, particularly in reference to mandatory disclosures to public health authorities, could interfere with critical public health initiatives. In the report, GAO expresses serious concern that the Privacy Rule’s requirements regarding accounting of mandatory disclosures to public health authorities do not support the rule’s goal of ensuring effective patient privacy protections without imposing unnecessary costs or barriers.
The Confidentiality Coalition supports the GAO recommendations and has recently written to the Secretary of HHS asking that the Department move expeditiously to implement this recommendation. However, the Confidentiality Coalition recommends that exemptions for accounting of disclosures not just be limited to public health disclosures, as GAO has suggested, but that all mandatory and routine disclosures to government entities be exempted.
Efforts by ONCHIT to promote a nationwide efficient and interoperable health information system should include consideration of how the accounting of disclosures requirement could pose a significant barrier to participation.
III. Minimum Necessary
The Confidentiality Coalition believes that the Privacy Rule’s minimum necessary standard – which already poses significant burdens for covered entities – may be unworkable in the context of disclosures made through a NHIN.
The Privacy Rule provides that covered entities must make “reasonable efforts” when using, disclosing or requesting protected health information, to limit the information to the “minimum necessary” amount needed to accomplish the intended purpose of the use, disclosure or request. In addition, the regulation provides that covered entities may not use, disclose or request an entire medical record unless the entire record is “specifically justified” as the amount of information reasonably necessary. Disclosures to, or requests by, a provider for treatment purposes are exempt from the standard as are uses or disclosures made pursuant to a written patient authorization. A covered entity may rely on a requested disclosure of protected health information from another covered entity as being the minimum necessary amount.
This standard puts covered entities receiving requests to disclose information in the position of determining whether the requested information is the “minimum necessary” amount, when only the entity making a request for information has an informed basis for determining whether the information is the minimum necessary for its purposes. The legal uncertainty and risk created by this standard already has led to some “defensive” information practices that restrict the appropriate flow of information within the health care system. For example, some providers, citing the need to comply with the HIPAA Privacy Rule, have limited access by health plans to protected health information needed to perform quality assessment and improvement programs, utilization review, case management, disease management, and other functions related to maintaining the affordability of health coverage and improving outcomes.
For participants in a national or regional health information network, making minimum necessary determinations – or even determining if a requesting party or provider is a HIPAA covered entity – is likely to be extremely challenging. The uncertainty and resultant liability exposure associated with the minimum necessary standard is likely to serve as a barrier to participation in a NHIN. In its Request for Information, ONCHIT states that interoperability is “necessary for compiling the complete experience of a patient’s care, for maintaining a patient’s personal health records and for ensuring that complete health information is accessible to clinicians as the patient moves through various healthcare settings.” These goals simply cannot be fully met if a physician is required to adhere to a nebulous minimum necessary standard. The application of the minimum necessary standard to this effort may in fact increase medical error rates by limiting the flow of medical information in the health care system in a manner that is inconsistent with the provision of quality medical care. Consideration should be given to eliminating the standard, or creating a safe harbor for when personal health information is exchanged through a national health information network or regional health information exchange.
We are also concerned that current law restrictions in the area of research will prevent NHIN from achieving its ultimate objective as a tool to improve quality of care.
Research uses and disclosures are an essential part of the National Health Information Infrastructure envisioned in the seminal report “The Decade of Health Information Technology: Delivering Consumer-centric and Information-rich Health Care” (“Report”) published by ONCHIT. The Report clearly contemplates that research, including data research, will be crucial to achieving key objectives of a NHIN, particularly the goal of improving population health. In addition, the Report notes that: “Eventually an interoperable network of electronic health records would be able to accelerate translation of research into practice by tapping into national databases of clinical decision support and delivering the latest clinical knowledge to clinicians at the point of care.”
The HIPAA Privacy Rule also recognizes the importance of research to improving the quality of health care and took steps to ensure that researchers would have continuing access to health information. Under the Privacy Rule, numerous entities, including non-covered entities, receive and analyze de-identified data or limited data sets to assist health care providers, health plans, government, the health care management communities and manufacturers conduct market, utilization and outcomes research, implement best practices, and apply and benefit from economic analyses. Data researchers have helped implement prescription drug recall programs, performance of pharmaceutical market studies, and assessment of drug utilization patterns. In these areas and many others the HIPAA framework took care to protect patient privacy while permitting data use for research where appropriate. Ensuring that such access continues will be critical to realizing the goals set forth in the ONCHIT Report.
We are concerned, however, that in some instances the HIPAA Privacy Rule failed to achieve the proper balance and is inappropriately restricting access to health information for researchers. In particular, requiring expiration dates or events on all research authorizations and prohibiting individuals from granting authorization to use their health data in unspecified future studies is limiting the ongoing use of research data in ways that are detrimental to the health care system. Under the Common Rule that has governed human subjects research for decades, it is generally permissible to obtain informed consent from a participant to use data for future research on data or biologic materials stored in databases or tissue banks. The Privacy Rule does not permit authorization for virtually any unspecified future uses. The Secretary’s Advisory Committee on Human Research Protections (SACHRP) has recommended that the HIPAA Privacy Rule permit future uses that are allowed under the Common Rule. We agree that the Privacy Rule needs to be modified in this area to be consistent and note that these restrictions, if not addressed, will have a significant impact on the ability of stakeholders to achieve critical goals set forth in the ONCHIT Report.
V. Patient Consent and Control
During promulgation of the HIPAA Privacy Rule, the issue of requiring providers and payers to obtain the prior written consent of patients before using their information was debated at great length. The final rule as modified allows covered entities to use patients’ medical information without authorization for medical treatment, claims payment or health care operations or as otherwise permitted or required by the Privacy Rule. For other uses, providers must obtain a written authorization from each patient.
Requiring providers and payers to obtain prior consent for treatment, payment and health care operations was rejected because of concerns that a prior authorization requirement would seriously delay and disrupt the care of patients, particularly the most vulnerable elderly and sick patients. For example, elderly patients would not be able to send a family designee to a pharmacy to pick up a prescription without first going to the pharmacy to sign consent forms; pharmacies would not be able to fill prescriptions for patients phoned in by physicians; and emergency medical personnel would be forced to get consent forms signed before treating patients – even when contrary to best medical practice. These concerns were not simply theoretical; in fact Maine passed a law requiring prior consent for health care purposes. The law was suspended just 12 days after taking effect because of the chaos that ensued in hospitals and pharmacies.
I refer again to the statements of ONCHIT that interoperability is “necessary for ensuring that complete health information is accessible to clinicians as the patient moves through various healthcare settings.” A NHIN that is constrained by various authorization or consent requirements will provide only a fraction of the speed and efficiency necessary to improve patient outcomes. Far worse, adding such requirements to the provision of care by way of a NHIN will slow and impede providers’ current ability to deliver health care services.
Some advocate that patients must have complete control over their own electronic health record – deciding who can access what information for which reasons. However, if the NHIN is to be utilized as a part of care delivery, patients simply must not be able to selectively provide information that may be relevant for treatment purposes. Should this occur, providers would be unable to rely on the NHIN as a tool for diagnosis and treatment as it may or may not include the facts necessary for the delivery of quality medical care. In addition, providers are very concerned about the liability that might result from their reliance on incomplete information.
We are aware that some would see the advent of a national health care information technology infrastructure as an opportunity to revisit the issues of patient control and consent, citing the necessity of patient and consumer confidence in order to ensure successful implementation of such a system. We believe that it is indeed important to educate consumers and patients about the privacy protections and penalties enacted under HIPAA and the Security Rule available through an NHIN in order to assure their confidence. However, providers too must have confidence in the integrity of the data provided through an NHIN in order to assure utilization of such a system. In evaluating proposals to require consent or varying degrees of patient control, we urge the Subcommittee to carefully consider the ramifications to health care delivery and public health that such steps would impose.
The Confidentiality Coalition and the Healthcare Leadership Council appreciate the opportunity to testify on the protection of patient privacy and the development of health care information technology. As described above, we are concerned about the impact that the HIPAA Privacy Rule may have on the efforts of the Office of the National Coordinator to develop a meaningful and interoperable NHIN. Modifications to the Rule and/or significant clarifying guidance could help eliminate current barriers to participation in a NHIN.
We look forward to working with the Subcommittee and with the Office of the National Coordinator in pursuit of these goals. Any questions about my testimony or these issues can be addressed to me or to Ms. Theresa Doyle, Senior Vice President for Policy, Healthcare Leadership Council (telephone 202-452-8700, e-mail firstname.lastname@example.org).
The Privacy Rule does not require accounting for disclosures made: 1) for treatment, payment and health care operations; 2) to the individual or the individual’s personal representative; 3) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; 4) pursuant to an authorization; 5) of a limited data set; 6) for national security or intelligence purposes; 7) to correctional institutes or law enforcement authorities for certain purposes regarding inmates or those in lawful custody; or 8) those disclosures incident to otherwise permitted or required uses and disclosures.
Government Accountability Office, “Health Information: First-Year Experiences Under the Federal Privacy Rules,” September 2004.
Under the Privacy Rule a covered entity is permitted to use and disclose protected health information without authorization for the following purposes or situations: 1) to the individual; 2) for treatment, payment and health care operations; 3) for uses and disclosures with an opportunity to agree or object; 4) for uses and disclosures that occur incident to an otherwise permitted use or disclosure; 5) for public interest and benefit activities; and 6) of a limited data set for purposes of research, public health or health care operations.