Testimony by Robert Levine for the February 24, 2005 NCVHS Subcommittee on Privacy and Confidentiality Hearing

Thank you Mr. Chairman, Committee Members, Staff and Guests. Good morning, I’m Dr. S. Robert Levine, MD and I appreciate the opportunity to present comments to this important process as a long time volunteer leader and former International Board member of the Juvenile Diabetes Research Foundation. For those of you who aren’t familiar with the JDRF, it was founded in 1970 by the parents of children with Type 1 diabetes who each made a promise to their loved ones that they would do all they could to find a cure.  As a direct result of the passion and drive of its volunteer leaders and the skills of its professional staff, JDRF has grown to become the world’s largest non-profit non-governmental contributor to diabetes research, providing over $800 million since its founding and projecting to fund over $100 million this year alone. I should note at the outset that I was asked by JDRF to offer testimony today because of my known special interest in the National Health Information Infrastructure and as an active member of the community of people personally affected by diabetes – my wife has had Type 1 for nearly 40 years.  As such, my testimony is my own, and does not represent policy of the JDRF rather, hopefully, it fairly represents concerns of JDRF’s key constituents. Also relevant to my participation in these proceedings are my service as the Chairman of the Health Priorities Project of the Progressive Policy Institute (the policy think tank of the centrist DLC), my past Board membership of the Foundation for Accountability, and my history of leadership involvement in a number of ad hoc stakeholder collaboratives whose purpose was to envision an information-age health care system focused on helping every American achieve optimal health-related quality of life and function.

I want to start my remarks with the same sort of warning that Dr. Lawrence Summers gave the Harvard faculty recently, but hopefully I will fare better when looking back on them.  That is – some of what I will say is meant to be provocative, but, certainly, never to be disrespectful.  To me it’s not worth spending your valuable time to simply present conventional thinking, or repeat what you may have heard from others, though I hope most will judge my comments constructive.

This sub-committees charge is to address issues of privacy, confidentiality, and the protection of patient information relating to the establishment and use of a national health information infrastructure.  In confronting this important challenge, I have no doubt that you are making substantive effort to detail all the relevant risks and uncover leading-edge methods of mitigation, and many on your panels have already done a good job raising the necessary questions and offering ideas for solutions.

But I have to ask, in doing so, are we, collectively, missing the forest for the trees.  I say this because I believe, strongly, that notwithstanding all the legitimate concerns about privacy — made more intense by the too frequent and frightening stories about accidental release and deliberate theft of sensitive information — the greatest threat, the biggest risk to people with diabetes, or heart disease, or cancer, or HIV/AIDs or any other chronic disease or disability seems not to be from un-authorized sharing or use of their personal health information, rather it is from the failure to share or the inadequate use of that information, and sometimes even valuing protecting privacy over protecting an individual’s life, their health, and the health of their families, friends and neighbors.

To make my point, please allow me to read (with some editorial notes) directly from the abstract of a paper from the University HealthSystem Consortium’ Diabetes Benchmarking Project Team, published in the Feb 2005 Diabetes Care[1]

Quality of diabetes care in U.S. academic medical centers: low rates of medical regimen change.
Grant RW, Buse JB, Meigs JB; University HealthSystem Consortium (UHC) Diabetes Benchmarking Project Team. General Medicine Division, Massachusetts General Hospital and Harvard Medical School, Boston, Massachusetts 02114, USA. rgrant@partners.org

OBJECTIVE: To assess both standard and novel diabetes quality measures in a national sample of U.S. academic medical centers. RESEARCH DESIGN AND METHODS: This retrospective cohort study was conducted from 10 January 2000 to 10 January 2002. It involved 30 U.S. academic medical centers, which contributed data from 44 clinics (27 primary care clinics and 17 diabetes/endocrinology clinics). For 1,765 eligible adult patients with type 1 or type 2 diabetes with at least two clinic visits in the 24 months before 10 January 2002, including one visit in the 6 months before 10 January 2002, we assessed measurement and control of HbA(1c), blood pressure, and cholesterol and corresponding medical regimen changes at the most recent clinic visit. RESULTS: In this ethnically and economically diverse cohort, annual testing rates were very high (97.4% for HbA(1c), 96.6% for blood pressure, and 87.6% for total cholesterol). Fewer patients were at HbA(1c) goal (34.0% <7.0%) or blood pressure goal (33.0% <130/80 mmHg) than lipid goals (65.1% total cholesterol <200 mg/dl, 46.1% with LDL cholesterol <100 mg/dl). Only 10.0% of the cohort met recommended goals for all three risk factors. At the most recent clinic visit, 40.4% of patients with HbA(1c) concentrations above goal underwent adjustment of their corresponding regimens. Among untreated patients, few with elevated blood pressure (10.1% with blood pressure >130/80 mmHg) or elevated LDL cholesterol (5.6% with LDL >100 mg/dl) were started on corresponding therapy. )[SRL Note: review of the more detailed results in the full text reinforce this apparent consistent failure of providers in top academic centers to act on available patient health information to help improve outcomes] Patients with type 2 diabetes were no less likely to be intensified than patients with type 1 diabetes. CONCLUSIONS: High rates of risk factor testing do not necessarily translate to effective metabolic control [SRL Note: Quite an understatement]. Low rates of medication adjustment among patients with levels above goal suggest a specific and novel target for quality improvement measurement.

At some point, I think, it becomes ever more difficult to explain away this failure to act on information – and its contribution to poor risk reduction outcomes performance — with “everyone is working hard, against tough odds, and doing the best they can do” and we start to walk right up to (and perhaps through) the threshold of what some will construe constitutes mass negligence.

To add a further exclamation point, there is the following from Rich Lowry of the National Review, writing recently on the dramatic reductions in incidence of HIV/AIDs in newborns in New York State in an article entitled: Civil Libertarians vs. Public Health A dangerous impulse. [SRL Note: I should note that I have edited out some of Mr, Lowry’s invective, but have, I believe, remained true to his main point]

“Do we as a society prefer sick or healthy babies? Do we want babies to be infected with a potentially deadly virus or not? The answers seem obvious, but in a decade-long debate, a host of … groups, in effect, came down on the wrong side. Fortunately, in New York City — once the epicenter of the epidemic of babies born with HIV — their [privacy] obsessions were rejected, and now the scourge of newborns infected with HIV has been all but eliminated.

[Lowry continues] “According to the New York Times, in 1990 there were 321 newborns infected with HIV in New York City. In 2003 there were five. A decade ago many pregnant mothers didn’t know they were HIV-positive. They weren’t urged to get tested, and so they couldn’t take drugs that would make it less likely their babies would be infected. Newborns were tested, but … in blind tests, meaning the mothers wouldn’t be informed of the results. The mother wouldn’t know to get treatment for her child or herself.

[He further notes] “According to a New England Journal of Medicine study in the mid-1990s, two-thirds of children with [pneumocystis carinii pneumonia] weren’t getting treatment, because no one knew they had HIV.  . … New York assemblywoman Nettie Mayersohn was appalled …when she learned of the situation. She resolved to pass a law mandating that all newborns be tested and their mothers informed. For this, Mayersohn seemingly bought the enmity of [many of her past supporters].

[Numerous activist groups as well as the ACLU] … “opposed her on privacy grounds … and supposedly proposing to violate the reproductive rights of women.  Her district office was picketed. Opponents argued that pregnant mothers just couldn’t handle testing….

“Just the opposite has happened,” [Lowry quotes Mayerson as saying and he continues]. After a three-year fight, her bill passed in 1996. It revolutionized public health in New York. “The way they used to do counseling,” she says, “they told women, if you get tested and test positive, you will lose your home and lose your job. After the law passed, they told women, your baby is going to get tested anyway, so if you get tested now, you can do something to keep your baby from being born HIV-positive.”

I’ve chosen to lead my comments with these references as a  way to affirm what I believe we all agree needs to be the first order purpose of a National Health Information Infrastructure – that is to dynamically support the achievement of optimal health related quality of life and function for all, and to eliminate iatrogenic (or even unintended policy-related) harm.

It is in the context of this first order purpose and related purpose-driven design activities that privacy and confidentiality issues are best addressed.

I want to acknowledge here the important and substantive work of the “Connecting for Health initiative”, all its collaborative participants and in particular my colleague and friend David Lansky.  In reading through the Collaborative Response to the ONCHIT RFI, I was struck by a note which red-flagged, for me, what I believe is another first order principle for the NHII, one which I do not believe has been widely addressed and does have implications for overall design and functionality as well as privacy protection policy and technical specifications.

Reading from line 429 on page 10 of the Collaborative Response, having to do with the detailed design principles of the proposed “Health Information Environment” I quote:

“Item 8. Designed to Respect and Serve Patients (in addition to the Health System and the Public) The Health Information Environment is premised on a model of patient authorization and control. Patients must be able to: choose whether or not to participate in sharing personally identifiable information; exercise their rights under HIPAA; control who has access to their records (whether in whole or in part); see who has accessed their information; review, contribute to and amend their records (without unreasonable fees); receive paper or electronic copies of their information; and reliably and securely share all or portions of their records among institutions.  Once patient consent has been granted for a certain type of information access, however, information should be able to be accessed freely in a trusted environment”

 As agreeable and thoughtful a consensus statement as this is, it suffers what seem to be flaws relevant to what I believe are fundamental principles of NHII design and privacy policy.  For me these flaws are exposed by the note that patients should be able to “review, contribute to and amend their records (without unreasonable fees).”  It may not be obvious to all, but on reading and re-reading this Item 8, it occurred to me that no where in the Collaborative Response had their been a reference to the issue of “ownership” of health information, and the “without unreasonable fees” forced me to conclude that the group was missing in action on the assertion of what I believe is a  fundamental principle – that is, whereas, third parties might be individual health record keepers, and therefore have some proprietary rights in those records, the information resident in all such records is owned by the individual.  This principle is, I believe, critically important, because with the rightful assignment of ownership of personal health information to the individual, we tacitly acknowledge that that information has tangible value (which it most certainly does), and further, that users of that information (whether identified or de-identified) are doing so, for the most part, in the context of a voluntary exchange of value or definable direct benefit to the individual.  Put simply, every individual – as owner of what is a form of digital representation of self — should be, in essence, “paid” for each use, and unless otherwise agreed, and the expectation is that that “payment” or direct benefit should be as immediate as possible.[2]

This principle is important in the context of developing privacy protections because it frames the relevant issues not from the perspective of fear of inappropriate use, but from the perspective of assessable risk and definable, palpable, and often immediate benefit to the individual.  It is, in fact, a more real reflection of the calculus every individual uses when, for instance, deciding to tell the airport bartender or spring break fling the most extraordinarily personal details about themselves, details that even the people closet to them do not know – [in making the decision to share information of “value” one might ask] “what’s the risk this guy or gal knows anybody that I know, and what do I expect to gain by laying myself bare?”

It also challenges us to find the means to “close the loop” on information sharing and its related exchange of value.  That is to say – to cheat from the mentioned Diabetes Care in Academic Centers revelations – if the hospital record shows sub-optimal achievement of therapeutic goals, who is the right end-recipient of that information?  If we start with the assumption that the hospital owns the information, then we can only expect what history and evidence show us about the timely use of that information to improve health – that is we almost certainly will face years and years to come of the same dismal outcomes results, (regrettably for all involved) doubtless showing that even when the information is acquired and available to the provider, it is not reliably and pro-actively used to inform specific actions to improve individual outcomes.

If, alternatively, we start from the assumption that the individual both owns the personal health information, no matter where it resides, and has a “right” , therefore, to benefit from it (as part of the agreed exchange of value when he subjected himself to the blood draw, paid for the analysis, and allowed the hospital to hold the information in its records for its purposes, including gaining further reimbursement, completing performance report cards required for certification, doing research, etc), then this information should be immediately transmitted to the patient (its owner) along with a statement of the bench-marked goals for “people like him” and suggestions for therapeutic enhancement, self-care, and/or follow-up.

To take this further, let’s carry this concept of personal ownership of health information and the concept of value exchange or fair compensation for its use to the realm of outcomes or health delivery or epidemiologic research, or whatever, in which de-identified data is utilized. Without the framework established by this principle, most would allow that once permission is granted to use de-identified data for research, there is no further obligation on the part of the researcher or intermediary.  But is this right?  The individual is contributing value by giving access to his or her unique health information.  And there is no question in my mind, regardless of the consents involved or otherwise (and this, I believe is true for clinical trials as well, disclaimers notwithstanding, especially re: parents giving permission for participation by their minor children), that the motivator behind such a contribution – particularly for people with chronic illness and their families – is the expectation or hope for direct personal benefit.

In thinking, then, about privacy protection and methods of de-identification, and related system design – if we adopt this concept of individual ownership – we would need to be equally concerned with designing-in methods of automatic (even if arms-length) “re-identification” and timely patient notification so that if the research results in findings that could benefit the individual contributors of information,  they would not have to wait the 5 or 10 or 15 years for that new evidence to (unreliably and non-specifically) make its way through the maze of publication, guidelines development, clinical adoption, and optimal utilization. Rather the information owner, as a contributor of value to these results, would be notified immediately of the relevant findings, and informed who they might call for further information and counsel and action (that is the owner is provided their expected benefit from their contribution).

This concept of individual ownership also can inform our approach to pursuit, prosecution and punishment of violators.  As I have suggested, an individuals’ health information constitutes a form of digital representation of self.  So not only is it property, it is self.  I make this conceptual stretch (and the following, perhaps, overstatement) to emphasize the importance of crafting our judicial response to violations in a way that reflects what should be societal revulsion on an order of magnitude near to our response to kidnapping. Why – because to fully benefit from an NHII, there needs to be public confidence and a fairly extensive and open exchange of sensitive “digital self” information between trusted parties – just like to fully benefit from a free society people need to feel fairly secure that if they venture from their homes, unprotected, they won’t be snatched off the streets.  Allow me to go over the top with this analogy as a devise to emphasize the sort of energy I think we must place behind pursuit, prosecution and punishment of violators.  Here is what former NYC Mayor Rudy Giuliani has suggested re: why, from a high altitude view, the US has largely succeeded and, as an example, Mexico has not in preventing kidnapping:

To quote Mr. Giuliani:

“Kidnapping should be a much bigger problem in the United States than it is in Mexico: We are richer, there are more people to kidnap from which you can get huge ransoms. But why is it a systemic problem in Mexico City and Mexico, but not a systemic problem in the United States?

Because the United States dealt with kidnapping very early on….  The United States decided with the horrible Lindbergh kidnapping [in 1932], that got so much attention that we would not negotiate with kidnappers, we would not pay ransoms, and we would make it a horrific offense… And when a kidnapping takes place since then in the United States, it’s a major national event. The police all join together, the FBI joins with them. Every resource is used to try to catch the kidnapper and to end the kidnapping in as successful a way as possible. … And then when the people were caught, the people are punished in ways that horrify. So the people won’t do it in the future. So kidnapping has become in the United States a very, very high-risk crime, even though there’d be a high reward.”

As I noted, I know this analogy may be a bit over the top, but I hope that as such it makes the point.  And maybe – to further benefit this argument — I should add a personal health anecdote to explain my willingness to take a risk be so assertive:

Last June I underwent what was to be routine, elective, walk-in surgery at a famous New York City Hospital.  As is usually the case, my pre-admission screening was set for the week before surgery.  I arrived at the appointed time for my administrative sign-in, labs and an EKG.  I was met by a lovely admissions clerk, clearly doing her very best to get me through the process expeditiously.  And this was essentially the problem.  She was gracious and thoughtful, but nonetheless a clerk, and her focus (understandably) was her check-list. Here is what it included:

• Hand me the HIPAA book, and have me confirm by my signature that I had received it, and understood my HIPAA rights (no discussion offered and it was clear, at least to me, that her training had focused on getting the necessary things for admission done, as noted on the check-list, and the HIPAA book was simply the newest thing on the list)
• Sign a profoundly general consent for “whatever is deemed necessary” by un-named providers and a waiver – not for the surgery, but simply in advance of getting my blood drawn and an EKG done (I protested, suggesting it was so absurd as a proposed “informed consent” that it could not possibly stand up to real ethical or legal scrutiny, she smiled and nodded and indicated she was just getting done what had to be done, and I certainly could cross out or mark up or write in anything I wanted on the form).
• Fill out a required New York State advanced directive – detailing who had my medical power, what I wanted to do in case of…. You all know what these are, and also know they are not the sort of thing most otherwise healthy people going in for elective surgery expect to be confronted by let alone as part of a rushed completion of a pre-admission check-list.
• Sign a general permission for the hospital and all their minions and relationships to use whatever information is gathered about me for whatever purpose they needed to use it, for care, for insurance reimbursement, etc, etc.  Again, since I objected, I was allowed to write whatever I wanted on the paper before signing.

As I said, this was all done in an amiable fashion, by an thoughtful clerk who knew little if anything about health law, or medical procedure, or what HIPAA rights were (other than vaguely), and certainly was in no position to gain informed consent for anything (nor should she have been put in that position), or even to get a real acknowledgement of a patients “awareness of their rights.”  What she did do was complete the pre-admission check list.

I hope this rendering, alone, makes the point, that no matter what we design or say we wish to achieve, how effective our efforts are come down to being tough about our professional expectations of one another, our commitment to changing institutional cultures and professional practices, and our engaging all stakeholders in the process (recognizing the need for highest and best use of limited resources, and planning compliance requirements and initiatives appropriately) – but here is the capper:

Unfortunately my immediate recovery from surgery was complicated by the need for an emergency re-op due to uncontrolled and significant bleeding.  On the first day post op I got a call from my mother, who is a mental health professional on Long Island.  She told me that she had had an interesting call from a colleague of hers who was inquiring as to how I was doing. Having not told anyone that I was in the hospital, my mother asked why her colleague was asking.  Well, it seems that the daughter of a patient of this colleague of my mother’s had been scheduled for surgery in the same hospital and on the same day as me, but she had to be bumped from the schedule.  She was told it was because Dr. Robert Levine (Mary Tyler Moore’s husband) had had a problem requiring emergency re-operative surgery.

Health care, at its most elemental level, is action taken at the intersection of two information flows — the “expert” and the “personal” (and their components: for “expert” — the science knowledgebase and their individual and collective clinical observations; and for the personal –what patients tell us or document independently, and what we can measure).

Decisions about what actions to take are made in the context of a relationship between interpreters of these information flows (Doctors and other health professionals and their interpreters on the expert side and patients and their interpreters on the personal side).  These decisions emerge from a snapshot of the information available/accessible at the time they are made.  Because information/knowledge resident in both information flows grows and changes over time (and in ways independent from as well as dependent on actions taken) and this change and growth occurs with varying periodicity, health decisions are generally iterative rather than definitive.

Health outcomes depend on access to and immersion in these changing information flows, the frequency of sampling, the quality of interpretation and communication (and the dependent relationships), and the actions taken (and a little bit of luck and pre-determination).

Achieving best possible outcomes depends on all parties: knowing what is knowable; interpreting what’s knowable well; communicating it optimally; and doing what is doable, in a timely fashion as well ashaving an ongoing commitment to expanding the knowledgebase (of what’s knowable); closing gaps between knowable and known and doable and done; and continuous improvement.  And all of thisdepends on a dynamic continuity between the expert and the individual animated by the (fairly open) sharing of information and its linked exchange of value.

Let me conclude by affirming my belief that our interests will be best served and the value of our personal health information will be best secured, by a system that is designed and executed based on the following fundamental conceptual principles:

• Acceptance of an agreed upon overarching “first order” purpose for the system from which all design and execution decisions emerge. Specifically this first order purpose for the NHII should be (in my view) to dynamically support the achievement of optimal health related quality of life and function for all, and to eliminate iatrogenic harm.
• Acknowledgement that individuals are the “owners” of their health information, that this information has value and should be valued, and the reasonableness of the expectation that individuals should be — to the fullest and most immediate extent possible — direct beneficiaries of its collection and every use.
• Recognition that in order to create a safe and trusted space in which all stakeholders can confidently share sensitive information, abusers of trust must be actively pursued and harshly punished.  Further the technical means to assist in evidence gathering and prosecution must be designed in to the system.

THANK YOU.

---

[1] Diabetes Care. 2005 Feb;28(2):337-442.

[2] Note: this concept of personal ownership of health information is being presented, here, more as a fundamental, conceptual principle for NHII design and operations than as an assertion of a legal right, and the use of the term “paid” is shorthand for exchange of value as defined by the parties’ reasonable expectations.  Further, it is important to differentiate “information” from “record” in this context, perhaps by viewing the record as a value-added packaging of raw material (information) – both packaging and raw material have value, just as the health record and the health information within have value