Testimony by Stephen E. Novak for the January 11, 2005 NCVHS Subcommittee on Privacy and Confidentiality Hearing

First, I would like to thank the Committee for inviting me to speak.  HIPAA has had such a huge impact on so many aspects of American life that its effect on archives and libraries would be easy to ignore.  I’m grateful for being given this chance to explain our concerns.

As Head of Archives & Special Collections at Columbia University’s Augustus C. Long Health Sciences Library, I have had to deal with the effect of HIPAA on researcher access to records in my collections.  I have written and spoken about the HIPAA Privacy Rule both for the Society of American Archivists and for the Archivists and Librarians in the History of the Health Sciences.  That said, I want to be clear that I am not an official spokesman for the archival profession, for historians of medicine, or for Columbia University.  Many of my colleagues in both organizations see me as someone with expertise on HIPAA and its effect on libraries and archives, but they might not agree with everything I say here.

As a Dept. of Health and Human Services publication notes, HHS received over 63,000 public comments on the HIPAA Privacy Rule while it was being formulated.  It’s clear from reading the legislation that none of these comments were from archivists, librarians, manuscript curators or historians.  Because the Privacy Rule’s basic concern is the use of records containing Protected Health Information in clinical and biomedical research, applying it to archives and libraries has not been an easy fit for the types of research requests that we deal with on a daily basis.

That said, I believe that most libraries and archives that have found themselves to be a “covered entity” under the HIPAA definition now have a policy in place to regulate access to those records in their collections that contain Protected Health Information.  At Columbia, our policies for researcher access to records containing PHI have been in effect since the Spring of 2003 and are posted on our web site. (http://library.cpmc.columbia.edu/hsl/archives/accesspatient.html)

My knowledge of access policies at other libraries and archives makes me believe that most are similar to Columbia’s, but that none are exactly identical.  Although one of the Privacy Rule’s goals was to impose uniformity on access to records with PHI, its result among libraries and archives has been the opposite: different institutions treat identical materials differently.  Sometimes this is because an institution is not covered entity — and hence not affected by HIPAA.  But even libraries and archives which are covered entities have divergent policies because their legal counsel has given different interpretations of important aspects of the HIPAA Privacy Rule – and these different opinions have their origin in the ambiguities of the Rule itself.

While the profession is coping more or less successfully with the Privacy Rule, its opacity is irksome and worrisome to librarians and researchers alike.  Clarity is needed if we are to both abide by the letter of HIPAA while still serving our patrons by providing prudent access to the records of the past.

Those parts of the Rule that have confused archivists and librarians were described in an Oct. 22, 2003 letter to Secretary Tommy Thompson by Society of American Archivists President Timothy L. Ericson and President Jodi Koste of the Archivists and Librarians in the History of the Health Sciences.  This letter has never been answered and its questions are still relevant today.  These questions are:

• Does the Privacy Rule apply retroactively? If so, how far back does it extend?

Libraries and archives hold records going back centuries, yet HIPAA makes no distinction between the records of the 1990s and those of the 1790s.  Why does someone looking to use an 18^th century physician’s case book has to go through the same procedure as someone wanting to use 20^th century patient records?  Is it possible to establish a date before which records with PHI could be made available without researchers having to go through a privacy or institutional review board?

• If a “non-covered” part of a hybrid institution receives records with PHI from a “covered” part of the institution, must it create a business associate agreement?

Libraries and archives don’t easily fit into HIPAA’s business associate model. We aren’t separate organizations but internal departments.  Must a university library have an agreement with its university hospital before accepting records with PHI?  Must state archives have agreements with all those branches of state government that generate records with PHI?

• Do the guidelines for research in the PHI of deceased patients allow the researcher to use actual patient names? If not, is there a chronological point at which the names can be used?

The rule for research use of PHI of deceased patients is currently unclear if access to these records allows researchers to use actual patient names in their finished product.  If use of names is not allowed, it would mean that certain historical, biographical, and genealogical works – where the identity of the individual is the whole point — could not be written.

Laurel Thatcher Ulrich’s Pulitzer Prize winning “A Midwife’s Tale” based on the late 18^th –early 19^th century diary of Maine midwife Martha Ballard, might be impossible to write now if the diary was held be a library that was part of a covered entity.

• Physicians and other health care providers often mention names of patients they are treating in their correspondence — sometimes casually, sometimes in more detail.  At what point does this correspondence become PHI?

Personal papers of physicians, nurses, and biomedical scientists are filled with correspondence, outside of formal patient records, in which the names of patients may be mentioned.  Often this is done in the most casual way, but occasionally it is more detailed. As the Privacy Rule stands now, archivists will have to examine every document to make sure no patient names are mentioned – an impossible task for most of the profession.  It may lead to closing many collections in which the amount of PHI is minimal.

• If photographs of patients were taken for publicity, fundraising, or clinical purposes, and these images appeared in published form in the past, can we assume that the patients depicted gave their consent to be published, even if the actual consent forms no longer exist?

Traditionally, photographs of patients have appeared in a wide range of hospital publications.  These photos are eventually acquired by archives and libraries when they are no longer in active use by the parent institution.  We know that at many institutions some kind of permission was asked of the subject(s) of the photos before publication, but in most cases these forms no longer exist.  How can we allow use of these images?  At what point does a photo of patient reach the threshold of PHI?

The last two questions are particularly important because of the enormous effect they have on the way we administer our collections.  Perhaps the largest challenge we have had in applying HIPAA has been the way it has changed the definition of what records are considered confidential.  Previously, history of medicine archives and libraries regulated access to what we called “patient records” — usually hospital patient records, either in old-fashioned bound volumes or the modern file folder — that were easy to identify and segregate.  We realized that patient information sometimes appeared in other forms, say the correspondence between a physician and her patient or the research notebooks of a clinician, but these, too, were usually distinct and obvious among the larger mass of an individual’s papers and access to them was still easy to administer.

Enlarging the definition of “confidential” to the more expansive “Protected Health Information” has made every piece of correspondence and every photograph a potential landmine for the librarian and archivist. It has made the administration of the HIPAA Privacy Rule fraught with unanswered questions and has resulted in makeshift expediencies to allow us to function at all.

If every mention of a patient in physicians’ correspondence or every photograph of a patient in a hospital bed falls under the definition of PHI, those of us in charge of the nation’s history of medicine archives and manuscripts will face an impossible task.  Modern manuscript collections tend to be large and — the digital revolution not withstanding — are getting larger.  To give you an example, one physician’s papers which we recently opened at Columbia comprise 128 cubic feet or over 350 standard archival storage boxes.  With a professional staff of two we simply do not have the people or the time to be constantly policing our collections.

My colleagues at the Archives of the Johns Hopkins University Medical Institutions have addressed part of this problem by devising a form to cover what might be called “incidental disclosures” when researchers encounter PHI in the papers they are using.  It is something we’re contemplating using at Columbia, too, but it has to be said that I see nothing in HIPAA that says such an “out” is allowed.

The problem of photographs is thornier still.  At Columbia, I’m afraid to say, we’ve basically just ignored the issue since to strictly follow HIPAA we’d have to close our photograph collection entirely.  Since we currently hold over 100,000 images and since our photo collection is one of our most heavily used collections, we do not feel that closing it is an option.

In conclusion, I’d like to mention my fears of an unintended consequence of HIPAA on the historical record of medicine and the biomedical sciences in this country.  The major academic medical centers — of which the majority of formally-organized history of medicine libraries and archives are part — will continue to deal with the complications of HIPAA.  They have the resources to hire legal experts, operate IRBs and Privacy Boards, as well as a commitment to supporting research in the sciences and humanities.

But the majority of 20th century medical records in this country still remain, I suspect, in the custody of smaller, local, medical institutions that are not primarily research institutions and do not have the resources to deal with these issues. For these, the “solution” to the question of research using records containing PHI may be to destroy the records as soon as possible.  Hospital patient records in particular have always been vulnerable to destruction: they take up space and cost money to maintain and after they are no longer being actively used for health care, administrators may find in HIPAA yet another reason to trash them. On the donor side, physicians and scientists giving their papers to archives may purge them of everything — even correspondence existing outside patient records — that they think are covered by the Privacy Rule.

All this leads me to fear that the primary documents needed to write the history of health care and the biomedical sciences in the United States may come to an end in the late 1990s.  It would be paradoxical and unfortunate if a law that was designed in part to shed light on the workings of our health care system makes it impossible for the scholars of the future to do just that.

Thank you.