National Committee on Vital and Health Statistics

Subcommittee on Confidentiality and Privacy

Possible Expansion of Federal Medical Record Privacy Rules

September 15, 2006


Good morning, my name is Norma Sharara and I appreciate the opportunity to provide comments to the National Committee on Vital and Health Statistics regarding the possible expansion of federal medical records privacy rules to entities not currently covered.

I appear today on behalf of the Society for Human Resource Management (SHRM).  SHRM is the world’s largest association devoted to human resource management. Representing more than 210,000 individual members, the Society’s mission is to serve the needs of HR professionals by providing the most essential and comprehensive resources available. As an influential voice, the Society’s mission is also to advance the human resource profession to ensure that HR is recognized as an essential partner in developing and executing organizational strategy. Founded in 1948, SHRM currently has more than 550 affiliated chapters within the United States and members in more than 100 countries.

Human Resource (HR) departments are involved in the critical and personal decisions that employees make about health coverage, retirement, and other benefits.  In providing information, guidance and materials to employees on these issues, HR understands the importance of maintaining the confidentiality of employees’ employment and medical information.  Because of the tremendous impact privacy and record retention rules have on the HR profession, SHRM is pleased to have the opportunity to explain how employers use medical records in the employment context and offer suggestions on how best to protect the confidentiality of medical records of employees and plan participants.

SHRM had the privilege of addressing this Committee in January 2005 on the issue of third party disclosure of health information.  In that hearing, SHRM raised specific issues about third party disclosure in the workplace.  Many of the issues and concerns raised in that testimony are also relevant to protecting the confidentiality of medical records and I reiterate them in my comments today.

It is difficult today to pick up a newspaper or turn on the television without hearing a story about the latest incident involving loss of personally identifiable information.  With the increased news stories of stolen and lost data, it is no wonder that the American public worries about how their personal information is stored as well as how it is used.  With personally identifiable information, individuals fear that identity theft will ruin their financial standing.  In light of these recent events, Congress has signaled an intention to address the disclosure of personally identifiable information comprehensively through legislation.  Several bills have been introduced that contain requirements in the event of disclosure for those who use or possess personally identifiable information.

Recent data disclosures have primarily involved identity information rather than medical information.  Nevertheless, individuals fear the unique harms that could result from unauthorized disclosure of medical information such as the denial of employment or health care coverage.  SHRM strongly supports efforts to protect the privacy of medical records and health information. HR’s role has increasingly been a balancing act of having access to the information it needs to properly serve the employee population and complying with the various federal and state employment laws concerning confidentiality of records containing personal and medical information.

Employers must comply with numerous employment laws, including, but not limited to, the Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), workers’ compensation laws, and the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. A fundamental element of each is the collection and use of an employee’s medical information.

My remarks today will focus on the following areas: 1) use of health information in the workplace; 2) concerns about the expansion of mandated rules regarding health information privacy; and 3) protecting the confidentiality of personal information in the workplace.

Use of Medical Records

Employers use medical records and health information in various ways designed to meet the needs of employers and employees.  One of the major tasks of HR is to design and implement a health care benefits package.  Health care coverage is one of the most important and most expensive benefits provided by employers and is part of a total compensation package used by employers to recruit and retain a productive workforce.

In order to design health care plans, HR professionals depend on access to health information to determine the features and levels of benefits offered in their plans.  For example, in setting annual out-of-pocket limits, the employer needs access to aggregate health claim expense data based on its workforce. In addition, an HR professional in many instances will also need similar cumulative health data to obtain premium bids for health insurance coverage or to set health care premium rates.

Employers also use health information to assess an employee’s eligibility for other non-health benefits programs. These include disability benefits, workers’ compensation, wellness benefits and some employee assistance plan functions, such as tracking compliance with substance abuse treatment. In these health benefits programs, employee health information often must be shared between these programs in order to allow an employer to design, manage and tailor its health benefits plans more appropriately to meet the needs of its employee population; to improve health benefits effectiveness and quality; and to manage the various programs more cost efficiently.

In almost all instances, the employer requires only aggregate health care data not identified with any particular employee.  There are times, however, when individual data is necessary and required by law; for example, when determining whether leave qualifies as leave under the Family and Medical Leave Act (FMLA).  The following are additional examples of how employers typically use health information in the workplace.

Disease Management and Wellness Programs

Disease management programs help an individual work with health care professionals to effectively manage chronic conditions like asthma, diabetes and heart disease to improve the patient’s quality of life.  Such programs can potentially help prevent emergency care or hospitalization.  Wellness programs provide preventive care and encourage healthy living among employees.  Both types of programs increase productivity and reduce medical insurance costs, both of which can have a dramatic effect on the bottom line.

In determining whether their organization is a good candidate for disease management programs, it is necessary to gather and analyze data on the frequency, severity and consequences of diseases and illnesses among an organization’s workforce.  Once the analysis is completed, a workforce’s disease profile can be developed. For example, the HR professional may determine that the disease management program should focus on chronic diseases like diabetes or asthma, instead of other conditions like hypertension and allergies.

Many employers have implemented wellness programs to improve the overall health of their workforce and control costs. According to the SHRM 2006 Benefits Survey report, 66 percent of organizations provide wellness programs for their employees.

Some wellness programs involve a confidential, individualized health risk assessment for the plan beneficiary that provides a roadmap of how best to lower health risks.  In conducting the risk assessment, however, information is collected that may include family history, blood samples for cholesterol screening and other health information. Employers offering wellness programs are not conducting these programs to gather health information on employees for illegitimate or unlawful reasons but rather simply trying to improve the health and safety of their workforce and plan beneficiaries.

Employers typically do not receive the results of these individual risk assessments and, therefore, do not accept or maintain health information identified with individual employees. However, in order for employers to measure the value of such programs, they need access to health information at the aggregate level, such as utilization rates or treatment outcomes. This type of analysis assists employers to determine if the wellness program is meeting the goal of a healthier plan participant population.

Pre-employment Screenings

Employers also have a need to acquire health information through pre-employment screenings for safety and business-related purposes. In response to a growing number of transportation-related accidents caused by substance abuse, the U.S. Department of Transportation proposed legislation to eliminate substance abuse in “safety sensitive” occupations. In 1991, the Omnibus Transportation Employer Testing Act was passed. This law requires all employers who have employees who work in “safety sensitive” jobs to provide substance abuse testing and substance abuse training programs for any employees or managers who engage in safety sensitive work.

In addition, drug-free workplace programs have become fairly common as employers understand the importance of health and safety and value these programs for their organizations. Absenteeism, lost productivity, work-safety incidents and higher health care costs are problems directly related to drug and alcohol abuse, which can be extremely costly to employers. Today, drug tests may be conducted through blood, urine or hair, and samples may be taken at the worksite or at a testing facility. Health information may be gained in the course of conducting these legitimate and sometimes legally required activities. The information disclosed in this context, however, is generally limited to what is necessary to comply with the law and to maintain a safe workplace.

Family and Medical Leave Act (FMLA)

In order for an organization to determine whether an employee qualifies for FMLA, which allows an employee to take up to 12 weeks of unpaid leave for their own serious health condition or for that of a spouse or family member, the employer must collect relevant medical information on the nature of the serious health condition. An employer may require a doctor’s written certification before an employee takes FMLA leave for the employee’s own serious health condition or that of a spouse, child or parent.

For example, most employers may provide employees who request leave under the FMLA with the Certification of Healthcare Provider form which must be completed by a physician or health care professional to determine if leave is protected under the FMLA.  FMLA documentation received in this manner is considered an employment record, not a health care record and, therefore, is not covered by HIPAA, although this information is kept confidential.

Workers’ Compensation

Workers’ compensation insurance statutes establish a process through which employees who are injured or contract a work-related illness on the company’s premises, or while performing duties within the scope of employment, are covered for medical costs and any related disability. Medical information is necessary to file a claim and is used to determine whether or not an injury is work-related. After an initial determination that work caused a disabling injury, the information may also be used in subsequent determinations including whether the disability is ongoing, the existence and extent of a permanent disability, the claimant’s ability to return to work as soon as possible, and the degree to which a prior disability is a contributing factor. Making these determinations correctly and on time depends on access to unbiased and complete medical information.

As a legally mandated benefit, workers’ compensation relies on access to medical information to comply with the duty to investigate claims, begin payment for disability, medical, and rehabilitation benefits by the statutory deadline, and return injured workers as soon as they are able to return to work.

Americans with Disabilities Act (ADA)

Under the ADA, medical records may be used to help determine if an employee has an “impairment” that substantially limits one or more major life activities, or has a record of a substantial limiting impairment. Moreover, medical information is often an integral part of determining a reasonable accommodation for disabled employees. Since employers are required to determine whether or not an employee or an applicant has a disability covered within the meaning of the law, the employee’s or the applicant’s medical information is often required. HR professionals and employers would face an insurmountable challenge in making proper decisions without this information.

Workplace Safety

Employers may also seek health information to comply with Occupational Safety and Health Administration (OSHA), Mine Safety and Health Administration guidelines, or under a state law that has a similar purpose. The employer would need this information to record an illness or injury or to carry out its responsibilities for workplace medical surveillance, according to HIPAA regulations.

For example, OSHA requires employers to monitor employees’ exposure to certain substances and to take specific actions when an employee’s exposure to a substance exceeds specific limits.

In addition, employers must increasingly be able to respond quickly to various external circumstances that may affect the workforce. For example, HR is currently establishing protocols for the workplace response to the very real risk of an outbreak of pandemic illness such as avian flu.

Concerns about Federal Mandate Expansion

Currently, at least a dozen different federal laws impose record-keeping and retention requirements on employers including the Americans with Disabilities Act (ADA), Family and Medical Leave Act (FMLA), workers’ compensation laws, the Fair Labor Standards Act (FLSA), and the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations to name a few.  Each law contains its own retention period for the records involved and may require different levels of protection.  Employers routinely maintain a personnel file for each employee containing those records related to employment such as application and resume, transcripts, job descriptions, hiring, promotion, transfer, layoff, compensation and education and training records as well as performance evaluations and other employment-related information.

HR also routinely keeps separate files for medical records, Equal Employment Opportunity records, immigration forms, invitations to self-identify disability or veteran’s status, safety training records under OSHA and Department of Defense and Procurement Integrity Act records for federal contractors.  Again, rules regarding who has access to these records and records retention schedules vary for each type of record.

In addition, employers must be aware of and comply with individual state requirements in each location where the company does business.  Every state has laws pertaining to medical records.  These laws vary from state to state and range from statutory rights of individuals to access their medical records to restrictions on disclosures of information by the record-holder.  Most states lack a comprehensive medical privacy law but have statutory privacy protections that apply to certain entities or cover specific conditions.

HR departments routinely handle all personnel and employment records in a confidential and/or sensitive manner.  The administrative burden, including oversight, reporting, disclosure, tracking, legal and staff training activities, and expense of compliance with the numerous federal and state laws that govern employers’ use of health information can be overwhelming for employers. HIPAA has already resulted in major new expenditures for employers, including expenses for redirection of staff time to compliance activities, as well as software and hardware acquisitions. Now, employers are in the process of complying with the adjunct HIPAA security regulations, also a time-consuming and costly effort.

Ensuring legal compliance with the vast array of federal and state human resource laws is growing increasingly complex.  According to the SHRM 2006-2007 Workplace Forecast, one of the most important HR trends that impact the workplace is the growing complexity of legal compliance.

Protecting the Confidentiality of Medical Information in the Workplace

SHRM concurs that safeguarding employee health information in the workplace is a high priority but SHRM and its members have serious concerns about any proposal that would mandate new requirements for employers regarding the privacy of health information.

SHRM recognizes that health information should not be disclosed to an employer for unlawful reasons, such as decisions to hire where a candidate is otherwise qualified to perform the essential functions of the job or to terminate employment because of a disability.  Unlawful disclosures of protected information should be punished appropriately.  SHRM believes that current law adequately protects the privacy of employee health information.  SHRM members already are subject to numerous laws and regulations governing the privacy and confidentiality of health information. Aside from these mandatory approaches, most HR professionals have adopted policies or procedures that are designed to safeguard individual health information. Even prior to the HIPAA privacy rule, employers had taken numerous steps to safeguard employee health information.

SHRM believes that a voluntary, common sense approach built on best practices and current law represents the most appropriate approach to the issues surrounding protecting the confidentiality of health information in the workplace.  Current federal medical record privacy law does not apply to all employers or even to all holders of personally identifiable medical information.  Expanding current federal medical records law to all employers is one way to create a kind of uniformity.  Expanding the coverage of existing rules, however, is likely to result in additional record-keeping burdens on employers without improving privacy.  If an expansion in this area is deemed necessary, whether it is an expansion of the number of entities covered or an expansion of the number of rules, SHRM respectfully suggests that the following issues be taken into account.

First, as mentioned, employers are currently operating under the auspices of numerous federal and state laws that include privacy provisions that are often contradictory.  In order to achieve a more uniform system, conflicts among the various sources of federal privacy regulation must be eliminated.  The ADA, FMLA and HIPAA all contain records requirements for employers.  Lack of harmonization of these requirements can lead to confusion and unintentional errors.

Second, in addition to the various federal laws, the states have laws specifically addressing the privacy of medical records as well.  While many of these state laws track the requirements of HIPAA, employers are nevertheless obliged to conduct a thorough review of all applicable law to ensure that they are in compliance with all variations.  To avoid the expense and possibility of error, state laws on medical record privacy should be preempted as part of any expanded federal privacy regime.

Third, any expanded federal regulation should be carefully targeted to address existing harm.  SHRM agrees wholeheartedly that harm done through illegal disclosure of medical information should be punished.  SHRM has serious reservations, however, about provisions designed to control the flow of information in the workplace.  Employers and HR departments assist employees with many issues such as work-life balance and health care billing disputes that may result in the employee’s disclosure of health information.  It is critical that mere possession of information be separated from the use of this information for discriminatory or other illegal purpose.  Best practices and model protocols based on existing procedure and current law should be encouraged to protect information coupled with appropriate punishment for intentional acts.

In conclusion, I would like to thank the committee again for the opportunity to appear before you today. SHRM looks forward to continuing to work with you on this issue, and I will be pleased to answer any questions you may have.