[This Transcript is Unedited]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Subcommittee on Privacy and Confidentiality
February 23, 2005
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
TABLE OF CONTENTS
- Introductions and Opening Remarks – MARK ROTHSTEIN, Chair
- PANEL I – What is Health Privacy and Why is it Important?
- Presentation – Background, DR. THOMAS MURRAY, The Hastings Center
- Presentation – Comparative Notions of Health Privacy, DR. BARTHA MARIA KNOPPERS, University of Montreal
- Questions, Answers and Comments
- Presentation – How the Public Health Views Health Care, Privacy and Information, DR. ALAN F. WESTIN
- Questions, Answers and Comments
- PANEL II – Privacy in Health Care and Society
- Presentation – Privacy and Health Care, DR. BERNARD LO, University of California, San Francisco
- Presentation – Patient Interests, JOY PRITTS, Health Policy Institute, Georgetown University
- Presentation – Privacy and Substance Abuse Issues, A. THOMAS McLELLAN, Executive Director, Treatment Research Institute
- Questions, Answers and Comments
- Statements from the Public
- Subcommittee Discussion
SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY
- Mark A. Rothstein, CHAIR
- Dr. Simon P. Cohn
- Dr. Richard K. Harding
- John P. Houston
- Harry Reynolds
- Kathleen H. Fyffe, Lead Staff
- Amy Chapper
- Gail Horlick
- Evelyn Kappeler
- Lora Kutkat
- Catherine Lorraine
- Susan McAndrew
- Dr. Helga Rippen
- Bill Tibbitts
- Sarah Wattenberg
P R O C E E D I N G S [9:11 a.m.]
MR. ROTHSTEIN: Good morning, everyone. We’ve got a full
schedule today that should be very interesting, so I hope we can start on time,
or slightly late, even though we are expecting more people to join us as we
My name is Mark Rothstein. I’m the Director of the Institute
for Bioethics Health Policy and Law at the University of Louisville School of
Medicine and Chair of the Subcommittee on Privacy and Confidentiality of the
National Committee on Vital and Health Statistics.
The NCVHS is a Federal advisory committee consisting of private
citizens that makes recommendations to the Secretary of HHS on health
information policy. On behalf of the Subcommittee and its fine staff, I want to
welcome you to today’s hearing on the National Health Information Network.
We are being broadcast live over the Internet, and I want to
also welcome our Internet listeners.
As is our custom, we will begin with introductions of the
members of the Subcommittee, staff, witnesses and guests. I would invite
Subcommittee members and full members of the NCVHS to disclose any conflicts of
interest they may have. I will begin by noting that I have no conflicts of
interest on today’s issue, although I have taken many public positions on
matters related to health privacy.
And so it’s my great pleasure to introduce Maya Bernstein, the
new lead staff to the Committee, and she will begin the introductions.
MS. BERNSTEIN: I’m Maya Bernstein. I’ve just joined the
Department yesterday and –
MS. BERNSTEIN: — It’s my second day and I’m looking forward to
hearing what you all have to say and to mostly listening, but I will be the
lead staff succeeding Kathleen, who will help me to make that transition, and
I’m just looking forward to being here and to hearing what you have to say.
MS. FYFFE: Yes. And Maya has an excellent background, having
worked at the Office for Management and Budget and also as the privacy czar at
the Internal Revenue Service. And we are very delighted that she has joined our
MR. ROTHSTEIN: Kathleen, you might as well begin by –
[Introductions; no conflicts of interest stated.]
MR. ROTHSTEIN: Thank you, and welcome to everyone.
This afternoon from 3:15 to 3:45, members of the public may
testify for up to five minutes on issues relating to the topic of today’s
hearings. If you’re interested in testifying, please sign up with Marietta
Squire at the registration table.
The first panel of witnesses have been asked to limit their
initial remarks to 20 minutes. After all the witnesses on the panel have
testified, we will have time for questions and discussion.
Witnesses throughout the day may submit additional written
testimony to Marietta Squire if they desire within two weeks of the hearings. I
would request that witnesses and guests turn off their cell phones. Also,
during the hearing, if we all speak clearly into the microphones, those
listening on the Internet will be very appreciative, I’m sure.
Today is the first of several rounds of hearings on the
National Health Information Technology system. The second round of hearings is
scheduled for March 30th and 31st in Chicago. Additional
dates and locations will be announced as soon as they are scheduled.
As I’m sure everyone in this room knows, the United States is
committed to adopting a system of electronic health records.
TELEPHONE OPERATOR: Excuse me; Simon Cohn joins.
MR. ROTHSTEIN: Good morning, Simon.
DR. COHN (on phone): Good morning, Mark. Sorry for breaking in
in the middle here.
MR. ROTHSTEIN: Oh, that’s okay. Welcome. Simon is Chair of the
National Committee on Vital and Health Statistics, and it’s very early in
California and we appreciate your joining us.
DR. COHN: Thank you for having me.
MR. ROTHSTEIN: So let me just back up for a minute. I started
to say that, as you all know, the country is committed to a system of
electronic health records within the next decade.
There are many reasons why electronic health records are
claimed to be better than paper-based records. These include greater access to
records from remote locations, accurate and fast information from cognitively
or otherwise impaired individuals, cost savings, increased safety, as well as
research and public health benefits from such a system.
Senator Bill Frist wrote in The New England Journal of
Medicine in January of this year: “Widespread adoption of electronic
health records will reduce errors, improve quality, eliminate paperwork and
improve efficiency. Once fully implemented, electronic records will
dramatically reduce cost and improve quality.”
It remains to be seen whether a National Electronic Health
Records system will produce any or all of these claimed benefits. I would note
that in a study of medication errors in 2003 which was released in the last few
weeks and summarized in the American Medical News, computer entry and
other electronic errors far outnumbered the medication errors caused by
illegible or unclear handwriting on paper prescriptions.
So substantial implementation problems will still need to be
addressed under any system.
Even assuming that the promised benefits from electronic health
records will be realized in terms of safety and efficiency, there are very
serious challenges for health privacy and confidentiality raised by creating a
cradle-to-grave, comprehensive, longitudinal electronic health record for every
person in the United States.
Some of the privacy protections that we now have are the direct
result of the fragmented nature of health records. When an individual moves
from one city to the next, his or her health records do not automatically
follow the individual, and new records can be generated with new providers. In
addition, patients who want to get a second opinion from a physician without
the second physician knowing what the first physician recommended may now do
So the lack of coordination and integration, clearly a
deficiency in paper-based systems, may also have positive unintended
I believe that realizing the benefits of electronic health
records while protecting privacy and confidentiality is one of the greatest
challenges to bioethics and health policy in recent years.
Numerous questions come to mind. For example, what level of
patient control over the contents of the records will be permitted? If too
little, patients will have insufficient privacy and may object to the system as
being overly intrusive. If patients have too much control, then health care
quality may be jeopardized.
Health care providers may believe it is necessary to supplement
the electronic health record with additional questioning, and they may even be
concerned about liability for medical errors that could have been avoided with
greater knowledge of the patient’s health history.
The Subcommittee on Privacy and Confidentiality fully
recognizes the difficulty and importance of these issues. We have decided to
begin our consideration by calling on some of the world’s leading experts on
health privacy and confidentiality to give us background and perspective and to
help us frame the issues that we will need to be pursuing through our next sets
On behalf of the Subcommittee, but especially personally, I
want to thank all of you and for now the two members present of the first panel
for joining us today and for your willingness to help us try to deal with these
So without further introductory remarks, it’s my great
privilege to introduce Dr. Thomas Murray, who is the President of the Hastings
DR. MURRAY: Thank you, Mark. It’s somewhat chastening to be
talking about privacy, health privacy, in the presence of one of the world’s
great experts and champions of privacy, Alan Westin, Columbia, and I hope in
the soon to be presence of Anita Allen, who is one of the great legal theorists
about health privacy. But I’ll do my best, do it in plain English.
Here we’re talking about not all forms of privacy. Scholars
distinguish among many different concepts of privacy. We’re talking here about
informational privacy. It’s not the kind of privacy that was at issue in Roe v.
Wade; this is privacy about health information.
And I know of no better definition than Mr. Westin’s, who
talked about privacy as the claim of individuals, groups or institutions to
determine for themselves when, how and to what extent information about them is
communicated to others. That will be my working definition.
A little background on the state of the electronic medical
record in the United States, and I apologize if the Committee is boringly
familiar with some of these numbers but I’m not sure that all the listeners or
people in attendance will know them.
Among primary care physicians in the United States –
MR. ROTHSTEIN: I think – could we have his microphone
turned up a little bit, please. Thank you.
DR. MURRAY: By 2002, 17 percent of U.S. primary care physicians
were using electronic medical records. That compared to 58 percent in the
United Kingdom and 90 percent in Sweden. So we are not the first adopters.
If one thinks broadly about e-health, you have a number of
You have the category of medical records, and privacy is
clearly at issue there.
Of communication between physicians, other health professionals
and patients. Privacy is implicated there.
Of decision support where individual recommendations might be
forthcoming electronically to help providers.
And of knowledge base management, where security is a big issue
and if security were to fail, privacy could be pierced.
The electronic medical record is conceived of as being
potentially useful in many different venues, in many different ways:
In patient care, obviously.
In population health, by alerting, for example, a health
provider that a patient fitting these criteria and therefore this profile
should be screened.
In public health, if one could get access to aggregate data.
In health services research and in quality improvement efforts.
In population-based research. For example, in genetic research
which is linking genes to health outcomes in places with the enormous databases
now available in Utah and the smaller database, but still an important one, in
Iceland, for example.
In registry research, wherein particular outcomes, for example,
cancers are noted. In registry research, by the way, it has become quite
apparent that trustworthy intermediaries play an essential role in having a
well-functioning registry, well-functioning in two senses:
First of all, that one can get complete or near complete data
in the registry. If you simply leave it up to individuals whether or not they
want, for example, their cancer noted in the cancer registry, you will get
something less than full population agreement on that. But if you can have a
fully trustworthy intermediate and assure the individual that no one will know
who they are without sufficient protections, one can have a functioning
There are important barriers to the electronic medical record.
Among physicians, many of them find a very stressful learning curve in dealing
with the electronic medical record. Primary care docs spend more time with
electronic medical records than with paper charts, several studies show. Time
spent answering patient email in at least one important study was actually
greater than the time saved in phone and office visits.
So many of the miracles we’re hoping for and are promising with
the electronic medical record are rather like the miracles promised by many
other technologies, not least gene therapy.
And I’m told that many physicians don’t like to type, though I
wonder if that’s a cohort phenomenon. There are studies that show this, that
younger physicians, being accustomed to using computers, are probably going to
be more comfortable with this.
To put in place a full electronic medical record system could
cost a practice $50,000 per doctor in the first year. That’s a significant
capital expense. In one study, at least 10 primary care residency programs
purchased and tried to use and then abandoned electronic medical records
systems, just finding them too cumbersome and trouble-making.
Other barriers include incompatible and the fear of
ever-changing software. Now, I know that efforts to standardize data fields and
such in medical records will go a long way towards overcoming that particular
Lack of reimbursement. Some places are, I guess, reimbursing or
crediting physicians with answering patient email but many people who work in a
fee-for-service system, that’s just an extra burden on the physician with no
And the last, but the one I will focus on, barrier is the
problem of patient privacy.
So, philosophers don’t have a lot of tools, but making
distinctions is one of our most important ones. So let me lay before you three
distinctions which I think are important. I don’t know that they’re the only
ones, or the most important, but they’re three that struck me as ones that you
are wrestling with, or should be wrestling with.
First, we should distinguish between the issue of control over
the content of the electronic medical record and the control over access to
that content. It may seem fundamental and obvious, but it’s an important
distinction to bear in mind at all points, I think.
As we think about control over content, which I think for many
health professionals is the more problematic issue because a doctor doesn’t
want to have less than full information from a patient if the physician is
prescribing a drug or prescribing an appropriate treatment or trying to
diagnose an illness. Physicians rightly have been taught that they should get
as full a picture of all the relevant information as possible.
Giving a patient control over the content of that could result
in a less than optimal, and therefore a less than good decision, diagnosis,
treatment, drug prescription et cetera for that patient. The health
professionals don’t want that.
On the other hand, patients may not want certain things in
their health record at all, and certainly – I mean, I would wonder if we
should take a little survey here – is there anything that could possibly
have been in your lifelong medical record that you would not want anybody to
know, any physician to know, or any health professional et cetera? Most of us
have items that we’d rather not have widely available. So control over content
will be important, as will control over access.
I’m not here ready to recommend a particular view of control
over content or over access, but keep the distinction in mind, and just bear in
mind that you have my sympathy; I think this is one of the great challenges you
will have to confront in your work.
The second distinction is to distinguish among purposes of
access. For what purpose does an entity want access to all or some portion of
your electronic medical record? It might be for your medical care, so in that
case, an ER physician who’s never met you before and your primary care
physician who you’ve been seeing for 20 years both have the same purpose: They
want to care for you in this episode of illness.
But others, of course, may want access to the same information
– prospective or current employer, an insurance company, a Federal agency
that is investigating potential health fraud, or researchers interested in
questions that aspects of your medical record might help important questions,
might help them answer. So that’s the second set of distinctions. It’s
distinctions among the purposes for which people might seek the record.
And the third distinction would be the relationship between
you, the subject of this electronic medical record, and the entity seeking the
information. It could be, in that case, the primary care physician and the ER
doctor are quite different. The primary care physician you presumably have
learned to trust over these 20, 25 years, knows many of the most intimate
details of your life, and that’s okay with you. The ER doc you’ve never met
before, will never see again, in fact may have been unconscious throughout the
entire treatment. They’re both treating you, so the purpose is the same but the
relationship is quite different.
And then other relationships. Again we can talk about entities
that may want access to your electronic medical record with your best interest
at heart, your medical care, and others who have a different relationship with
you, like your health insurer or your prospective life insurer or some vendor
who may want to sell you a product and they’d be very interested to know if
you’ve ever been treated for erectile dysfunction. Or your spouse’s divorce
lawyer who may see some interesting ways of improving her action against you if
she could get access to your record.
So those are the three distinctions. The control over content
versus control over access, the different purposes and the different
The data in electronic health records are distinctive in a
couple of ways. For one, they’re persistent, and Mark Rothstein mentioned this.
Potentially, if you had an electronic health record, medical record, that began
prenatally, that could follow you into the nursing home with every data element
As Mark mentioned today, health records follow us quite
imperfectly. If any of you have moved a couple of times and take your children
to school and they want to see their immunization record, if you didn’t keep
that, good luck, because odds are it somehow got lost along the way. That would
change potentially with an electronic medical record.
It’s also ubiquitous, the electronic medical record, in a
special sense, but here I don’t mean that it’s out there for anyone at any time
for any purpose, but it’s ubiquitous in the sense that it’s not limited by time
and place in the way that paper records have been limited. Access in principle
is available at any time in any geographical location.
Another challenge that we all face in an effort to move towards
a constructive use of electronic medical records is public trust. You probably
read today’s paper, the Palm Beach incident where the names of people being
treated for HIV were emailed out. It’s not the first time such a thing has
happened; it’s not the last time such a thing has happened.
It’s not a distinctive problem with the electronic medical
record. Back in the early 1980s, the Hastings Center became involved in the
very earliest work on the – at that point it was just AIDS; we didn’t know
what the virus was or even if it was a virus – and the names of people, of
gay men, were released in New York City and the interest group that represented
those men who were all gay people in New York City urged no collaboration
whatsoever with researchers because they didn’t trust them anymore, and we were
brought in to help come up with a way of protecting the privacy of individuals
and yet allowing researchers to go forward with the necessary research which
was going to benefit everyone, including that population. And that didn’t
require email, but email makes it easier for information to be transmitted.
We’re also going to have to assure people that the technology
works reliably and well. I was just in Davos at this World Economic Forum,
which was rather an interesting experience – quite a strange experience,
if any of you have been there; I found it quite strange.
And Hewlett Packard provided everyone with a Davos Companion, a
little IPAQ hand-held, wireless hand-held, so you could closely keep track of
your schedule and send and receive emails and the like. And mine failed by the
last day and I talked to another colleague and hers had failed, and so I think
we need to be assured that the technology is going to be stable, easy to use,
Now, I don’t know that there’s any connection between the
failure of the Davos Companions and what happened to the head of HP a couple of
weeks later, but I just note the coincidence.
So to give you a sense of how I think people might view the
electronic medical record and why they might have privacy concerns, let me give
you a hypothetical patient. Call her “Amy.”
Amy had enuresis; she was a bed-wetter at age five. And so her
parents took her to the pediatrician and the pediatrician examined her; you
know, found no significant physical problems. Eventually that problem went
away. But that’s now on her electronic medical record.
At age 12, Amy’s father discovers a pack of cigarettes in her
room, marches her over to the doctor again; in fact, Amy’s been taking up a
little bit of smoking. They try the nicotine patch. That’s all in her
electronic medical record.
At age 15, an acquaintance of Amy pushes her to try – pick
your drug of choice, illegal drug of choice. Amy becomes frightened and thinks
I really – I tried this a few times, but I’m scared; I really don’t want
to get hooked on this drug. I want to go to my doctor. But if I go to my
doctor, is that from now on permanently in my electronic medical record? What
will that mean? And for a 15-year-old, you know, life is wrapped up in the next
moment – I mean, it’s hard. She may not be thinking ahead to her first job
or later life choices, but she may still be frightened of going to the doctor,
particularly if she believes, not knowing, if she believes that this record is
permanent and indelible.
Let’s say she goes. Now at age 23, she’s been out of college
for a year, knocking around, doesn’t really have the kind of job she hoped for;
she’s a little discouraged and she has a bout of depression. So she goes to see
her physician, who diagnoses a clinical depression, mild case, and prescribes
the appropriate medication for it. That is now a part of Amy’s electronic
Other people, Amy’s friends, may be less willing to go to a
doctor for fear that a diagnosis of depression would be entered into her record
and that that might come back to hurt her later on in her life choices.
So I don’t think I’ve solved anything here, but I’ve made the
distinctions, and I hope they will be helpful, something that I think this
group probably understands very well, but I’m not sure that everyone
understands, is that the medical record, including the electronic medical
record, is not a unitary thing.
We talk about the medical record as if it were one entity and
everything in it is of an equal status. We can’t think that way any longer. We
have to simply disabuse ourselves of that over-simplification. The medical
record, including the electronic medical record, would be composed of a welter
of disparate types of information, some of it very time specific and of no
continuing interest, most of it quite inane for most of life purposes, but some
of it will be exquisitely sensitive.
The questions of how to understand that medical record, how to
identify sub-categories within that record – and I would say that if you
can do that, to the extent that that is accomplished, that would be an
enormously valuable thing to do so that we have not an infinite number but a
relatively small number of major categories of information that are attuned to
the sensitivity and other major dimensions that would be of interest to the
subject of the record, the patient, and to health providers.
The reason I’m hammering home this point is in the debate over
Social Security, privatization of Social Security, one of the issues that’s
come up is that people don’t deal well when they’re given a huge variety of
choices. They tend to tune it out.
So to find some way, and this would have to be actually studied
empirically, coming up with a sort of good number of choices which would be a
handful or a couple of handfuls probably at most of categories. You don’t want
people to judge all 400-plus categories in the medical record. You want them to
have a handful. You can say this, I’m comfortable with this purpose but not for
that one, this user but not for that purpose. That will be important.
So issues about control over content will be a challenge. The
control over access will be a challenge. And finding those categories that will
make whatever choices we decide are in the end in the interest of people, that
will serve their medical interest but will also permit them to make sensible
choices and not be overwhelmed and bewildered by those choices. Those are, I
think, key challenges that you face.
MR. ROTHSTEIN: Thank you, Tom. Appreciate the comments, and we
will go to questions after Bartha’s talk.
I’ve been informed that Anita Allen will not be able to join us
this morning. She is unfortunately ill. I don’t know what’s wrong with her, and
even if I did, I wouldn’t tell you.
MR. ROTHSTEIN: But I do wish her well and we will certainly
make use of her prolific writing in this field and perhaps even consult with
her personally to get her input on this.
It’s now my great pleasure to introduce another one of my good
friends and colleagues from the University of Montreal, Dr. Bartha Maria
DR. KNOPPERS: Good morning, everyone. Not being a techie, it’s
only proper that I’m having difficulties with – you all have the
PowerPoint in front of you, so I will speak to it rather than read it out. And
my background is largely in research ethics and the laws of different countries
around the world with respect to medical data for research purposes.
I think the reason that Mark invited me here today is because
there is an increasing number of international trials, increasing number of
patients around the world involved in these trials, and the need for
comparability of data and a flow of data between countries, researchers, and
obviously, if participants are participating in research, they should be able
to benefit from those trials. So we will look at these European approaches, see
what lessons have been learned, and then I’d like to make some concluding
remarks which are not in the
PowerPoint which you have in front of you.
Now, I need to remind you that the European Union on which I
will largely concentrate now has 25 countries, and so we are talking about a
legal entity that actually prepares directives or conventions and laws and so
on and has an effect on a great number of countries, so look at it in a way as
an example of the difficulties you would have with a national approach,
considering the fact that the states usually have jurisdiction over privacy and
health legislation within their own area, within their own geographical and
So I begin with a few general remarks, look at health data, how
it’s treated, the effect member states have – we’ll only look at one
country, France, the problem with what we call “extra-territoriality”
– what happens when you want to send data out of a given legal system to
another country, specifically from the European Union to the United States or
from the European Union to my own country, which is Canada? And then conclude,
as I said, with personal remarks.
Now, all the countries that I’m dealing with have universal
health care systems, but I wish to tell you that it’s not because there’s
universal coverage or a two-tier system in some of the countries in question,
that the issues of privacy or electronic e-records or the use of medical data
is any different. It’s surprising to see in genetics has shown us this, that
the Europeans were much faster to regulate against genetic discrimination even
in countries with a universal health care because they saw life insurance as
being a socio-economic right and did not want insurers in countries such as
Belgium and France and so on to have access to genetic data.
So in 1995 already in Europe we’ve had the directive which I
state has legal force on the processes of personal data. And health data is
seen under this directive as sensitive data but is included under a very broad
notion of personal data.
And the effect of the directive was to force countries in their
domestic national legislation to harmonize with the directive and to be in
conformity with it so as to offer an equivalent level of protection in the
countries that were members of the European Union. So that’s 10 years ago, also
very important because the ultimate goal, of course, is to have what we call
portability, to be able to go from one country to the other within the European
Union and have equivalent protection, equivalent rights, and equivalent
treatment of medical data.
Now probably for me, but that’s just – and it’ll come back
in my conclusion, the most important thing about the directive is that it
incorporated the principles that were found in the OECD guidelines on the
protection of privacy in trans-border flows.
And the reason that it’s important is people often fail. You
and your principles, you know, because I’m always working on ethical codes and
principles and so on; it’s just political, you know, decoration,
window-dressing, whatever. And yet, if you look at the power of these
principles over time, not only are they reflected in the European directive 15
years later, but the majority of countries within Europe obviously harmonized
and incorporated the principles but other countries outside the European Union
were equally inspired to adopt these principles. You can see the power and the
flexibility, not limited to any one technology, that principles have.
So, it’s a negative principle, the one that deals with health
data; it’s not a “you may” – it’s actually “you may
not” unless specific and suitable safeguards are there. And this is a
non-limited list. In other words, there can be additions made.
One obviously, which is now subject to contention – I’ll
get back to that – is the explicit consent except where you have laws that
authorize, such as either national security, public emergencies, state
surveillance programs and so on that constitute legitimate because they’re
already in the law’s exceptions to the need for explicit consent.
For those who are weak or vulnerable or incapable and so on,
it’s their vital interests that need to be protected, and so consent is listed
for that as well.
So you have the overriding power of the state, you have the
protection of persons, and finally, very large exception as you can see, the
processing for the purposes of preventive medicine, medical diagnosis, the
provision of care or treatment, or the management of health care services,
provided it’s by a health professional subject to professional secrecy, and
I’ll get to professional secrecy in a minute.
You cannot run health care systems – I’m talking at the
level of systems – without having to come in. I mean, they’re going to do
your blood type, they’re going to do routine tests. A system cannot work, you
cannot be cared for, if there isn’t this basic exception, if you like, to
explicit, written – or it doesn’t say written, sorry – explicit
consent by the individual.
And of course you have that additional protection of
professional secrecy by those health professionals involved.
Now, France even prior to the directive had already adopted in
1978, so it’s even much earlier, a loi – if there are no official
English translations in titles, I don’t usually put them down, but loi
relative to informatique, its informatics, fichiers would be
files and freedoms, or dossiers, let’s say, and freedoms, recently modified in
the 6th of August, 2004.
They already had the wording that eventually found itself to
the European directive and applied it to public and private sectors, because in
European countries you can still buy additional health insurance or buy
additional kinds of private services and so on if you have the means. I think
that is not allowed in my own country.
The prohibition of the Article 8 of the European directive 1995
was reiterated in the recent August 6, 2004, law in France. So again, it’s a
negative principle, and here they talk about express written agreement. The
same provision to protect the vulnerable person, the same article about
processing, so again as a state possibility of overriding and a systems one for
overriding if there’s a health professional subject to professional secrecy.
But what we have are two interesting new additions here. One,
exception for processing for research in the health sector and the possibility
of anonymizing data without express consent, now written, if you get the
authorization of the CNIL. The CNIL is the national commission for informatics
and freedom, and this was created way back in ’78 with the earlier law.
Now, we’ll have at a look at this processing in the health
sector. It’s obviously necessary for quality assurance in any given health care
system; you have to have data to know whether you’re cut off for different
tests are accurate and so on. In a health care system, you have to have
surveillance data and incidence data to know whether is HIV going up, is it
going down, are there pockets in the country that are at higher risk for
environmental or epidemiological or other reason. So there is a reason for
including research in the list of exceptions.
One comment on anonymization, if I forget to do it in my
conclusion: Anonymization is legally and ethically expedient; it gets rid of a
lot of problems. It means that you use various – and there’s a slate of
about 32 different terms in documents unfortunately around the world that’s
irreversibly anonymized, i.e., enough identifiers have been removed that you
cannot retrace an identifiable person.
Now, we all know that it only takes seven SNPs et cetera, et
cetera; we all know that there’s no such thing as impossible in the world of
computers and SNPs and the like. So let’s say in a practicable, reasonable
context it works.
But it works to the detriment, one of science in the long run,
because once you’ve anonymized, you cannot update that data because you can’t
trace it back to anyone. So if clinically something changes, whether a person
dies earlier or never dies at all or never develops the disease, you won’t
know; the data is static in time.
And secondly, so scientifically you’re shortchanging yourself,
after five years the data’s good only for controls; it’s not good for anything
And you may be even shortchanging the individuals whom we’re
trying to protect sometimes against themselves because their participation in
research then does not achieve the goal which usually is to find some sort of
therapy or at minimum a test for certain conditions. So it’s easy to get it
through the larger half – the ethics committees are happy; but think about
the goals before you do it.
So when they added this research exception in France, they also
created another committee, and this one is the consulting, or advisory
committee, I should say, on the treatment of information in research in the
health sector. And it was under the Research Ministry that this committee was
created, because the CNIL is a big, large commission that they’ve had since
1978; they’re not experts on health research. And just because they’ve been doing
informatics and personal data processing opinions for 25 years at least doesn’t
mean they understand the particularities of health research that uses patients’
medical records and so on and research feeding back in member clinical trials,
feeding back into the medical record.
So they’ve created the committee since August 8th
– the 6th, sorry, 2004 – to examine the requests for
processing of health data for research. And they give an opinion on the
research methodology. So they’ll build up a corpus of knowledge, if you like,
that makes them particularly – well, hopefully – well informed about
And they give their opinion prior to going to the big body. You
can get stopped right there where you’re processing of health data as an
exception to the explicit written consent or presence of a law.
So once you have this opinion and the authorization of the
CNIL, notwithstanding the rules of professional secrecy, you still have certain
conditions. If the data allow identification of any way, you must code the
data, so obviously that’s a minimalist protection, what I would call it; except
obviously where people were taking drugs and you have to find them and follow
them in pharmaco kinds of studies and so on.
But the results, once published – again, to me this is
obvious – but they have to put it in to not allow the identification
direct or indirect on the data subject. But they create a possibility of
Opposition is not the same thing as consent and refusal.
Opposition is about at the level of assent and opposition. So you oppose, but
they won’t deliberately go out and deliberately and seek your consent if you
don’t want to have your data used in a research and any processing. Interesting
to see what will come if anyone will oppose. And then you can obviously suffer
the sanctions of the higher body if you fail to respect such an opposition.
So what’s happened with other countries, then, because this is
1995. The science found its way obviously into many international trials. You
could only export data from countries, members of the European Union, if the
other countries offer an adequate level of protection. So how do you evaluate
if they’re offering an adequate level of protection?
Well, it’s written in front of you – the nature of the
data, the purpose, the duration, look at the rules of law in the countries
– the general ones, the state ones, the security measures and so on. And
every country in Europe in its own legislation has this sort of
extra-territoriality. It’s very rare that a law goes beyond their own borders
and says “you can’t do this other countries unless you follow these
rules.” You can imagine the chilling effect that this had in 1995.
Let’s look at the United States then, a minute. What happened
then in companies, international and others, or research projects that were
Well, there was the beginning of negotiation with respect to
recognizing whether the United States or member states or whatever, states
within, met the levels of the protection offered by the directive. So we waited
till July, 2000, to get a decision from the European Commission on the adequacy
of your privacy principles and since then obviously HIPAA has come into effect.
Just a brief reminder of what the Safe Harbor Privacy
Principles are and we’ll move right on then to the frequently asked questions
that you can find on the website.
If personal data are collected in the European Union and
they’re transferred to the United States for pharmaceutical research, do member
state laws apply or do the Safe Harbor Principles apply?
And the answer then on this FAQ from the Commission was that
the member state law applies to the collection and processing prior to the
transfer, so you have to meet your own laws before you transfer. The Safe
Harbor Principles, however, apply to data once they’ve been transferred to the
United States. And again they come up with the year 2000 — data used for
pharmaceutical research and other purposes should be anonymized when
So what if you’ve been recognized in another country and an
individual in Germany, let’s say, wants to withdraw the data and the data’s
already sitting here with a research group at Johns Hopkins, so what happens to
an individual’s data if the person wants to withdraw? This is a universal,
Helsinki declaration. If a person wants to withdraw from research, he should be
able to do so.
Or the sponsor might want to withdraw someone for reasons by
looking at the data that a certain group of participants are more vulnerable.
So participants may decide, or sponsors may decide, to withdraw. Any data
collected previous to withdrawal may still be processed. You can’t really go
back and start taking stuff out of data sets; it makes absolutely no sense and
you probably can’t do it. And along with any other data collected as part of
the clinical trial. If this was made clear to the participant at the time that
they participated that data collected prior to the request to withdrawal could
not be removed but that you would stop using it at that particular time.
Final frequently asked question that comes up is: If you’re
key-coding at the country of origin and the country to which you’re
transferring health data cannot access the key either through a custodian or by
contract or any other way, get back to unlock that code to identify the person.
So let’s say a company here does not have the key; it stays in
Germany. If the unique key code is held in the country of origin so that he or
she could only identify research subject under special circumstances, i.e.,
maybe needed for medical care, some toxicity of a very small group or
particular individual is discovered, does the transfer from the European Union
to the United States of data coded in this way constitute a transfer of
personal data? No. In other words, the whole directive would not apply to such
What about my own country then, Canada, where every province
has jurisdiction under the Constitution over health?
Well, we asked the European Commission as well whether the new
Canadian Personal Information Protection Electronic Document Act met the
equivalent protection, just like the states needed to know in the year 2000.
And what’s interesting is that personal health information
under this Act includes not only information but you can see under C
information concerning the donation by the individuals of any body part or
bodily substance. So in addition to health services information, physical and
mental information, or any kind of other, you’ll see that samples, what we call
“wet data,” are now subject to this Act.
It’s interesting about this Act — it wasn’t even supposed to
apply to health; it was supposed to commercial activities in Canada. But
commercial activities are sort of seeping in in the sense that with research, a
lot of it’s a public/private sponsorship. There’s always a company there
usually. It’s very rare that you have a 100 percent publicly funded,
non-commercial, whether it goes from buying servers or paying for
communications or whatever, as soon as you have a commercial entity somewhere,
it falls under commercial activity. So we end up with a law that wasn’t meant
for health data applying to health data.
Now, another interesting feature about this law is that to
ensure flexibility over time with additional technologies or new knowledge
coming up, they attached to the law as an annex but as part of the law the
Canadian Standards Association code on the protection of data.
Now, codes, as you know, as set by CSA or ISO, let’s say, can
be modified and changed over time to take into account new technologies or when
knowledge changes, if you like, or new protections are required or old
protections become redundant, which means that by changing the code over time,
you don’t have to go back to Parliament and start to read the whole legislative
process. Annex is part, but it’s “professionally” kept up to date.
We also have a tri-council policy statement covering all
research involving all research – demographic, medical, historical and so
on – involving humans, which is being updated, as you can tell, by the
Canadian Institutes for Health Research draft Privacy Best Practice Guidelines.
The statements of ethical conduct in 1998 are increasingly seen
as over-protectionist and paternalistic, i.e., since 1975, the twin pillars of
privacy and autonomy have reached a point where health research, which is more
for finding out things about certain conditions and not necessarily
individually oriented, was seen as hampered by the need for explicit individual
So it’s going to be very interesting. All kinds of
epidemiological research – leftover blood spots in newborn screening
programs were batched together by the thousands so you couldn’t figure out
where they came from and we were checking for HIV prevalence. Well, because of
the explicit consent, that whole program was dropped. So we have no idea if HIV
is going up or down. You can see
how this privacy autonomy when taken to extreme individual
autonomistic sort of extremes can harm, if you like, harm the individual and
thwart the role of the state to protect, prevent and promote health.
So these are the principles, then; I won’t go into them.
And finally, then, for Quebec. It’s a province, well, let’s say
state, can show that their internal legislation meets the substantial
equivalent – it’s sort of like what the European Union did with their
directive – then provincial legislation or state legislation does not have
to follow. You can follow your own internal, once you’ve proven substantial
equivalence. That’s an interesting mechanism as well.
So in conclusion, in the 25 member countries of the European
Union, health privacy is a fundamental human right. In countries of civilian
tradition – so the countries that followed the Napoleonic Code and I
suppose the Common Law tradition such as the U.K. or Australia or Canada except
for Quebec – not only is privacy a fundamental human right, it is what
they call a subjective right. It is found in the civil codes of most of these
countries in the chapter on the rights of personality, distinct as rights
concerning goods or objects or other chapters in civil codes.
If it’s a subjective right, that means you don’t have to show
harm when you consider that there’s been an infringement or a breach. You do
not have to show any economic or other loss. So it’s an automatically what we
call actionable right. And this makes it very powerful. At the same time,
privacy, like honor, which is in there, like reputation, which is in there, is
amorphous, it’s ambiguous, it’s hard to define.
And it’s also found in all the countries as a constitutional
– in the German constitution, for instance, right, and under private law,
in different statutes.
So for concluding remarks that are less on the European Union
or on France or even on Canada, and Tom already mentioned some of these issues
with transfer to e-records, concerns over content, concerns over access, and I
look at it more concerns over the quality of research, for me, that’s quality.
Use of data, data transferability, is extremely important. And
we have several barriers to this. If we’re looking at some of the large
international studies or even if we look with comparison, let’s say, between
population studies that are emerging, population studies that involve large
cohorts where let’s say the U.K. bio-bank, 500,000, they want to build a
resource, it’s not a research project. They want to build a research
infrastructure, a research tool, a research resource based on data that would
be at the level of let’s say normal genomic variation before you get different
diseases, testing themselves against this background, you cannot build these
infrastructures, you cannot build these resources that have no immediate
benefit for the person, that are really longitudinal studies that construct
research tools against which you can then later do your hypertension, your
diabetes, your cancer studies. You can’t build them with the current ethics and
legal requirements surrounding research.
And we’ve run into a problem, that the protection of privacy is
such that, to coin a phrase, we’ve run into semantic inoperability. We cannot
compare data because they enter it differently, they protect it differently. What’s
called de-identification under your HIPAA, you find it under the international
code on pharmacogenomics as meaning double-coding, which is totally different.
So people are using irreversibly anonymized, delaying
anonymized, truly anonymous, de-identified, traceable and so on, and we can no
longer know whether we’ve got equivalent levels of privacy and protection.
We need a concordance, we need a language that we can
understand – double-coded means back there; we’re not saying everybody has
to use the same words. We need to know, to protect privacy, what we’re talking
We can never validate, we can never gain statistical
significance, if we can’t understand how we’re protecting privacy.
Secondly, the whole issue of consent, explicit consent. The
OHRP here in the United States at the end of August put out a very
revolutionary, if you like, statement on if certain conditions were met with
respect to research with codes, with data holders, with contracts and so on,
that an explicit consent was no longer required because a person would not be
identifiable, and you’re only a person under law, for privacy purposes, if
So this whole notion of consent, broad consent, authorization,
Thirdly, we’re getting to the issue of portability in Europe
and Canada as well. Smart cards or administrative – all the countries in
Europe, if you’re a Portuguese person traveling in Italy and you have a car
accident, how to ensure with the eventual harmonization that they’re looking
for that you can give your card as a Portuguese and get treated in an Italian
hospital as a member of the European Union. And I’m not even talking about
adding a few little basic medical data such as allergies and so on onto that;
just talking at the level of an administrative health card.
And in closing, since there’s a lot of people here from public
health and from WHO, I’d like to make a plea in your privacy considerations not
to forget the need for accessibility to certain minimal data not on persons but
on populations for public health purposes.
This is extremely important. We saw with anthrax, we saw with
SARS in Canada, we will see it again with the Avian flu, that unless we get
used to a citizen providing the state, who’s supposed to protect, promote and
prevent, needs a minimum amount of health data to fulfill that role.
And people will turn to the state and say, “Why didn’t you
do this?” And you’re going to say, “Well, we didn’t get your explicit
written consent. We couldn’t follow you. We had no idea what was happening in
the country. We couldn’t think ahead. And we were waiting for WHO to come out
with their international health regulations.”
So there’s a plea here to make sure that we do live in society,
we do live in relationships and in communities, we do travel on airplanes, and
there is that public health aspect that needs to be kept in mind.
Questions, Answers and Comments
MR. ROTHSTEIN: Thank you very much, Bartha. Both of you have
raised so many questions, it’s hard to know where to begin. But I will, and I’d
like to ask one question first to Tom and then see what Bartha’s response
as well is.
I think fairly over the last 30 or so years, one of the
dominant themes in law and bioethics is autonomy in health care, that a
competent adult has the right to decide whether to see a physician at all
– and now I’m leaving aside public health issues – whether to see a
physician at all, whether to comply with the advice given by the physician, and
even to the extent of lifesaving therapies.
So my question is: How do we work in to an electronic health
record system the notion that we have built up of patient autonomy so that an
individual level one could say that you have a right not to go to the physician
if you don’t want to? You could also say that the physician has the right not
to treat you unless he or she has sufficient data from which to base a
diagnosis and treatment. But clearly there is going to be some level of
autonomy in the individual relationship between a particular patient and a
particular physician where they could in theory at least negotiate what is done
with the results of the information; that happens all the time today.
So given that dominant ethical principle at the individual
level, how are we to give, or maybe oughtn’t give, any effect to that at a
societal level when our task is to try to make recommendations about the level
of privacy and, I would add, inevitably autonomy, that individuals should have,
or might have, in the electronic health record systems. So I’ll just begin with
that simple question.
DR. MURRAY: That’s a lie; that is not a simple question.
DR. MURRAY: That goes right to the heart of the problems that I
think you face.
You’re certainly correct in identifying a major theme in the
whole field of medical ethics over the past 35 years, at least dating back to
the birth of the Hastings Center in 1969. And that is a concern for empowering
patients in the relationship with physicians. The bête noire was the
paternalistic physician and the hero was the autonomous patient.
That was a horse that people rode for about 20 years very
successfully. It turned out to be a bit of an oversimplification of this
complex relationship between patient and physician. It was an important
corrective because at that time few people were standing up for the individual
autonomy of patients.
How do you integrate that now into our understanding of what to
do about health records?
We clearly need to be very sensitive to the interests and
reasonable and informed preferences of patients. Those are important
It is true that a patient today could go into a physician and
give minimal information and request treatment. It’s also true that a physician
could refuse to treat a patient on those grounds, right?
Back 25 years ago when we did the first study on drugs in sports
at the Hastings Center, not how to use them but the ethics of
performance-enhancing drugs in sport, I learned that the first question that a
savvy trainer asked when you ran out on the football field after a player was
injured was, “What have you taken today?” because you didn’t want to
give the player drugs that would interfere with drugs that would interact with
drugs that they were already taking.
So, I mean, a good physician would probably want to say,
“What are you taking? Before I prescribe anything to you, what are you
taking?” That has to be negotiated, and there is a certain amount of
– there’s complexity there. There are issues about professional integrity
of the health professional that I think are weighty and there are issues of the
autonomy and privacy rights and interests of the patient. All of them are
Bearing that in mind, I think it goes back to the distinctions
that I tried to make earlier. The challenge that you face is figuring out to
what extent patients would have control over the content of their record and
over who has access to sub-areas of content within that record.
I don’t think a once-for-all answer except to say that the
interests you’ve identified are in fact legitimate and significant interests.
MR. ROTHSTEIN: Bartha, would you like to comment?
DR. KNOPPERS: Yes, and I’ll start with Tom’s last comment and
I totally agree with his concluding remarks, his previous
concluding remarks that he just reiterated about the idea of breaking up levels
of privacy protection into categories and selected – in other words,
creating a hierarchy, if you like, within the medical record by broad
categories, as opposed to saying “no access at all” or total control
by the patient as to what’s in or out, which of course would be a medical
I would also argue in favor of elaborating broad principles for
electronic records rather than leaving the SOPs perhaps to the IT experts as to
what kind of procedures best respect those principles.
Your statement about autonomy still being the overriding, if
not prevailing –
MR. ROTHSTEIN: I didn’t say “the,” I said
DR. KNOPPERS: A, all right. And, as Tom said, empowering the
patient, moving away from the sort of formal imperialist or authoritarian or
paternalistic or whatever people called it.
We’ve had 35 years of this, and I’m still a believer in it, and
as Tom said, provided that autonomy is exercised in a reasonable and informed
The new emerging glory of that, as you see mainly in Europe, is
the right not to know, which has now found its way into charters and
constitutions and so on. Difficult to know how much information you have to
give someone to exercise the right not to know so that the giving of fully
informed consent as to what they don’t want to know without giving away what
they don’t want to know. So this is a quagmire in terms of legally trying to
figure this out.
I would argue that autonomy has reached an apex in terms of
individual preferences, individual exercise, individual choice. I now see a
large margin of autonomy being taken away ironically by the overriding
preoccupation with privacy. In other words, either legally or through ethics
committees, we’re starting to protect people against themselves.
If I want to give a broad consent to a particular longitudinal
study and I say as long as there’s continual ethics review, annual audit, and
the research question, you know, is not something in one of these following
areas – let’s say bioterrorism or some areas that personally would go
against my values, I want that consent to be valid over time. And it’s not
specific enough for most ethics committees and so on and so they will say,
“To protect your privacy, we’re not going to allow you that consent.”
So we’re now in an ironic situation where privacy which was
once seen as a liberty interest, in some countries privacy is seen as a freedom
close to autonomy, yet is being undermined by second guessers in the name of
privacy. So – I’m not sure if I answered your question at all.
MR. ROTHSTEIN: No, but I’m not sure you did, either, but I
liked your comments.
MR. ROTHSTEIN: And so let me recognize my colleagues who may
have questions. Dr. Harding?
DR. HARDING: Well, thank you both for beginning this very good
During the last 10 years, we have discussed this sub-category
issue, or sub-classification, in electronic medical records, and it’s been
called various things, especially sensitive information and so forth; you know,
talking about OB-GYN, genetics, infectious disease, mental illness and so
forth, those kinds of things.
Dr. Murray, you were mentioning sub-categories and then trying
to limit choices of those sub-categories to a reasonable number, because if you
have too many, it gets out of hand – or did I kind of extrapolate a little
bit from what you were saying? But if you both could comment on what you see as
the sub-categories and how they might be utilized, I would appreciate it.
DR. MURRAY: I don’t think I could add much to your
deliberations on the question of what are the appropriate ways of parsing out
this data and creating the sub-categories except to say that whatever good
ideas we may have about how this ought to be done. Say we end up with seven
sub-categories of data – I don’t know what they are. One’s going to be
psychiatric and psychiatric-related. Another may be reproductive
health-related. But they may be just segmented off from other categories.
What I would suggest is that we should take whatever our
guesses are how to chunk these, how to parse these, as a hypothesis to be
tested empirically and bring it out to patients, the public, through various
ways you could test things and look at opinion surveys and focus groups and
other ways. Try it out with health providers; does it work for them? Does it
turn out to be a sensible way to enter and process data and use data to do
optimal medical care for them? I would take it as a hypothesis.
One lesson I think we’ve learned in bioethics is sometimes
people have had wonderful ideas that look just great in principle and they
flopped completely and sometimes even worked the other way. I mean, the idea of
the so-called “required request” for organ procurement for
transplant, we thought the barrier to getting more organs for transplantation
was that doctors weren’t asking the families of dying patients. It turns out
that when they require doctors – we’ve passed laws requiring doctors
– we got fewer organs, because doctors resisted and kicked back and it
just didn’t work.
So, any great ideas we come up with, we need to road test them.
So that’s one thing I’d say.
And my point about the number of categories, it’s simply an
acknowledgment of the limitations of human information processing. More
choices, the menu gets very long, people’s choices, if anything, may become
And I mean less informed by their own standards in the sense
that in the end you say, “Here’s what you did; my God, I didn’t mean that
to happen. What I really wanted was this.” So we need to do is present an
array of choices that are optimally designed so that when people exercise
choice in these ways, they get the results they had hoped for. And if they had
been wiser and could see ahead, they’re the results that they would be pleased
to live with.
And that’s not a trivial task. It’s not one philosophers are
going to solve for you.
DR. KNOPPERS: If we do have categories, they would have to be
reviewed. We’d have to make a concept on them automatically written in.
For instance, 50 years ago, if you had the “big C,”
you didn’t talk about it. I mean, and in a lot of European countries still
today, victims can hold back and cannot communicate such what they call
“fatal prognoses” under their codes of ethics.
So what is sensitive today might actually be considered normal
10 years from now, and the hope is that genetic data and psychiatric data will
just be normal data, part of the human condition, and a lot of the stigma
that’s associated with it will disappear.
So those sensitive and so on would have to be reviewed.
Now I remember what I wanted to say here – then I get off
in another – in terms of privacy to sort of match without seeming
paternalistic, a really neglected area is the deontological, or professional,
ethics, not just a code of conduct in a professional sense but actually
legally actionable. In other words, if you have professional secrecy as in
Europe, it’s not only in their codes of psychiatrists, physicians, nurses and
so on, all those handling health data in their own professional codes, so
they’re subject to disciplinary, but it’s also found in other statutes as well.
In France, it’s in the criminal code. In other countries, the
right to professional secrecy, the obligation of the professional is actually
in the constitution. They’ve raised it to a higher level. In other words, you’d
better protect data not by asking the person all the time what they want but
actually imposing on the health professional this very serious obligation of
professional secrecy to avoid breach. I mean, I think that’s a window that we
haven’t really sufficiently explored, how to up, if you like, the legal
obligation surrounding professional secrecy.
MR. ROTHSTEIN: Mr. Reynolds?
MR. REYNOLDS: Excellent testimony. I’m not sure whether to run
out of the room screaming before the rest of the people speak or what.
MR. REYNOLDS: That’s not that I’m not comfortable with privacy.
A number of things that you mentioned, as you look at the
privacy rule under HIPAA right now, privacy notices are a big deal there.
They’re complicated, they’re lengthy.
One of the things you mentioned in the testimony was clear to
the participant the notice at the time he or she plans to participate, and
that’s most every time somebody goes to a doctor in the United States when it’s
not a privacy notice.
And then you’re talking about opting out, you talk about we
have treatment, payment and health care operations which is another philosophy
under which our privacy is dealt with. You mentioned parsing available data,
the patient’s choice to parse data in or out.
Then we try to get the good medicine and some of us have been
adjudicating e-prescribing. You try to get the good medicine and then you
anonymize versus de-identify, which is what we call it. And then you have the
liability of the doctors involved and so on, based on treaty.
So you gave us a lot of information. With that framework,
that’s kind of the way we do things here right now, and I really enjoyed
understanding what they do in Europe. Where do you start when you think of the
electronic? What is the hierarchy? You know, so I mean, there’s lots of
subjects and one doctor could have a good privacy notice and the other one
could have one that would allow them to do a whole lot more but because it’s a
privacy notice and because it’s signed by the patient and everything, they
could do it, could fall under certain –
So what is the hierarchy, as we look at electronic medical
records, as we even look at what we have currently in the privacy, what’s the
hierarchy, in your opinion, really approach this? Because you’ve got to have
some starting point as kind of the Holy Grail of what we deal with.
DR. KNOPPERS: Tom was mentioning the idea of field-testing. You
might want to field-test one or two different approaches.
My preference would be, since the controllers both of the
quality of data, the type of notices, the data that’s in there that’s correct
and not – and Mark’s opening statements reflecting the errors may be even
greater than on written records which were in open drawers and hallways of
hospitals and so on – the preference I think would be to begin with the
health care providers themselves and ask them. Say, this is your chance to feed
into a future system that you’re going to have to live with and be subject to
and liable for, for moving this way not only what you think would work; how
would you best protect your patients’ interests in terms of the confidence that
is inherent in the physician/patient relationship?
If you don’t have that trust in the – I think it was Tom
again that mentioned it – you’re not only going to get poor medical care,
you’re going to get poor medical data and the relationship itself will
So I would go back to starting with the framework of principles
of which professional secrecy, or medical secrecy, whatever you call it, is
reiterated, reborn, retooled, and becomes a reminder, but in the building of it
under this new context of e-records becomes part of the profession’s work
before the AMA or whatever and actually get them involved in how this could
work, because it’s really at the family physician.
I mean, I’ve worked mainly with researchers, but I can see that
treating physicians’ patients who are eventually involved in the research and
the data that comes back. So I would start with a framework of principles, two
or three approaches that would translate those principles into different kinds
of systemic applications and actually go out there and test them. If you don’t
get buy-in, if you don’t get participation, then you need the consumer, the
patients’ organizations, involved. Sometimes they don’t like what we come up
with and it’s awful. You’ve gone through five years of work and you really
talked amongst each other but not exactly to the people who are at the front
lines, i.e., the physicians and the patients.
And they want quality care. I think they’d worry more about a
wrong prescription than taking out the fact that they live on this particular
part of town. You’d be surprised what people are sensitive to. And yet if you
don’t know that they live on that part of town, right next to the iron smelter,
that’s a very important environmental data. Not a thing about the usual thing
about abortion or psychiatry or all these sensitive genetics or whatever,
you’re missing a piece of vital data. You miss subjective – you know,
opting in and selecting and parsing. I’d be very, very careful because there’s
data there that doesn’t look medical but is equally as important.
Marital breakups, for instance. You have three in a row and you
don’t know it and you’ve just moved somewhere and you’ve got a patient in front
of you. You won’t even be able to diagnose where the stress comes from.
So I would involve patients’ organizations as well.
And then actually check out some of these countries that have
electronic records such as the U.K. and Sweden and say, “What are the lessons
learned?” That would be the third sort of empirical data-gathering, as Tom
called it, and say, “What works? What doesn’t work? And why?” so that
we really use their data for a project that you can’t really sort of build yet
because you’re not there, but they’ve done it and maybe they’ve learned
something that you need to know.
DR. MURRAY: With no disrespect meant towards the Chair or my
friend and colleague testifying or any other attorney in the room, to me it
would be a very sad thing if what we ended up with were detailed, legal
descriptions that people didn’t read but signed anyway. I mean, I don’t know
how many privacy notices I get in the mail these days from all the different
entities with which I deal. How many of you read every single one, every word
of every single one that comes in, and how many of you understand all the
implications of everything you read now?
DR. KNOPPERS: Even the lawyers don’t.
DR. MURRAY: Well, maybe they don’t. So that wouldn’t be a step
forward empowering patient autonomy, right?
If you really are after respecting patients and respecting
their liberty, promoting individuality, the kind of the moral foundations that
lie behind our concerns for privacy, lawyering it up, as the expression goes,
doesn’t get us there. It gets the entities off the hook legally, maybe, but it
doesn’t actually accomplish the human moral goals that all of us here really
There’s a constant tension whenever you create a consent form
particularly for clinical trials today between, you know, wanting to do it in
such a way that specifies every possibility in there and so it goes on in
boring and technical detail. Few people read it carefully; even fewer
Try to explain in as simple a language as you can what really
is at stake if you agree to take part in this trial. And that’s a tension
– there’s not an easy way to resolve it – and it’s a tension that you
will face in this, and I just hope that, A, you’re aware of the tension, and,
B, you will always push against the impulse to take recourse in exculpatory
language, right? We want to be as clear, transparent and truly empowering as we
can be, thus the shorter menu rather than the massive menu with many other
DR. KNOPPERS: Totally agreeing in deference to all my legal
colleagues. Consent has become like a notarized deed. It’s absolutely pathetic,
totally understandable, and it’s just preemptive legal cover-up, and I think we
should stick to principles and mechanisms and procedures that translate those
principles in an understandable way with the participation of the patients
themselves. I totally agree with my colleague on that.
MR. ROTHSTEIN: Other Committee member questions? Michael?
DR. FITZMAURICE: Health information seems to be special. When I
apply for life insurance, I’ve got to sign away things that say they can get
any information they want to in order to give an actuarial judgment about
whether they’re going to make money off of me or not.
Same thing when I get car insurance. Have you had any
accidents, any tickets? Do your kids have any accidents or tickets? You have to
reveal it and you have to sign away information.
But health insurance seems to be somewhat different. Many
people try to work for a large employer where you don’t have to reveal any
pre-existing conditions in order to get coverage. And so I’m not sure what the
range is. Is there a right of privacy for health insurance for health
information that doesn’t exist for life insurance and for auto insurance? And
certainly, people are more resistant to giving out that information.
And my questions. When we were writing the privacy rule, it was
very hard and it was hindered only at the last moment in the privacy rule if
you have at least one case of the use of contracts between the holder of
patient information and the use of that information to protect the
confidentiality of that patient information. I guess one would be a business
But what I’m thinking of is a limited data set given to a
researcher who in turn signs a data use agreement with the giver, usually a
health provider, for the use of that information in research, and it has
several different conditions in it – you won’t try to contact the person,
you won’t try to re-identify the information.
And my question is: Is the use of contracts similar in the
European Union and in Canada to protect the confidentiality, protect the
personal health information, when the patient has not given authorization for
DR. KNOPPERS: For that particular answer, you’d have to look at
the laws of every country, unfortunately.
DR. FITZMAURICE: Is there a simple case then where they do have
DR. KNOPPERS: Yes. There are model contracts, but normally most
states would already have legislation in place that would cover sensitive data
such as health data and yet not use the language of limited data sets but
actually use a body such as in France to approve the kind of arrangement needed
for that particular type of research.
So those kind of personal contracts with physicians or entities
and eventual users are not the way it’s usually done because there’s already a
legal framework that would dictate – or a body in place to vet it.
DR. FITZMAURICE: Something like going to an IRB for research?
DR. KNOPPERS: But a health information IRB, yes, yes —
DR. FITZMAURICE: Okay.
DR. KNOPPERS: — in the different countries.
I only gave the example of France but they exist in other
countries as well.
A contract approach might work, provided that I think that
somewhere there is a minimal content because the access to a limited data set
would probably be the institution who would hold the data set that the person,
the researcher, wanted. The user, the researcher, knows the particular needs of
a protocol, what kind of data, doesn’t need all the data, needs certain data.
And to be able to do that without any kind of patient consent
or knowledge, or even a notification: “All ye who enter into this
institute, we send out limited data sets for approved research protocols”
and you presume to remember that, and so you’ve consented, might be
problematic. I think it would be problematic in Europe unless it said,
“Contractual arrangements will be permitted under law if they contain the
following elements” and then, having passed a law on the public context,
the legislature, i.e., the politicians who are in touch with the writings,
would know and would have received this.
So I think there is a role for contracts to play, but not
without any kind of minimal content required by law.
MR. ROTHSTEIN: Other questions? Oh – Michael, sure.
DR. FITZMAURICE: I want to follow up with one more, and that
is, there’s a presumption you make, at least in the United States, about opting
in versus opting out. There are times when a patient has to opt in, that is, I
have to give you my authorization for use of my information if you’re going to
use it for other than treatment, payment or health operations purposes.
Other times, you have to opt it where it’s presumed that you’ve
opted in, such as when you’re being wheeled into a hospital and they say,
“Is it all right if we put your name in a hospital registry?” You
say, “Ah” – they’ve given you a medication and you’re dopey
– oh, we gave them the opportunity; that’s all we have to do. So we assume
that the person did not opt out.
Is there a principle such as maybe autonomy or
self-determination that applies to whether you would use opt-in or opt-out, or
is it a matter of balancing the benefits against the harm? Is it a weighing
versus the application of a principle?
DR. KNOPPERS: Yes, I know it’s a really important question. Tom
mentioned the Icelandic health sector database. In Iceland, the health sector
database law of 1998 was deemed unconstitutional because it presumed an opting
in on the part of Icelanders unless they opposed. They weren’t asked, but you
could oppose, and citizens were supposed to know; it’s a small country and
there are 50,000 and so on. And it was seen as a way of creating a database of
clinical data that was missing from what they already have, which is an
excellent demographic genealogical database, and the nation’s budding, growing
genetic database with explicit consent. That was deemed to be unconstitutional
and so the law was declared three years later invalid because of the opting in.
And I think the only kind of opting in that we can really
presume, and this is totally personal, would be for routine tests. A hospital
can’t run if you can’t, you know, have basic information for quality control
using leftover samples without identifiers obviously for calibrating machines
and checking that there isn’t Aspergillus in the operating room and all the
kinds of things that you need to know to run a quality hospital. Patients
expect quality care; they presume you know how to take care of things and run
things and they don’t really care what their leftover urine is used for.
So that’s a different level of opting in that’s presumed from
being in a dataset without knowledge.
If you are sufficiently anonymized, however, and you’re no
longer identifiable, then all the privacy law protections from a legal point of
view – I’m not saying ethical, but from a legal point of view, would not
apply. They’re obliged, for instance, for incidence reports to see how many
people still in the hallway or how many – so you end up being an aggregate
in a dataset. Again, there, I think, you don’t need an explicit opting in.
The only kind of opting in presumed might be at that level. I
can’t see other levels where you wouldn’t need a consent or –
DR. MURRAY: That’s a terrific question, I think. And I’m not
sure that I follow your either/or as to whether it’s going to be application of
a principle or sort of balancing.
It’s a sort of a principle balancing. The categories I was
trying to provide earlier are an effort in a way to understand the structure
that lies underneath that balancing.
So, for example, it matters what the purpose of getting the
information is. It’s really important if I show up unconscious in an ER that
you know what my allergies are, right? And I can’t tell you today, but that
would be really important information to have before you start treating me.
So the information, you look at the sensitivity information and
the utility of the information in the context of the purpose why people want
the information – what’s their purpose and what’s their relationship with
you? Are you in a care-giving relationship? Are you in potentially adversarial
relationship with them, say as a life insurer?
So that’s in a way the underlying moral structure, aspects of
the information itself, purpose and relationship, I think.
Now, there may be more. That’s a first pass at this. But that’s
the way I would think about it.
MR. ROTHSTEIN: Other questions? Yes, please, Bob?
MR. HUNGATE: Kind of an observation to start with. I’m perhaps
dating myself, but when I hear the term “autonomy,” I think of
Robinson Crusoe on his island all by himself, fully autonomous, no issues at
all. But most of us don’t deem that the life we wish, so we choose to live in a
society in a place in a community. But we don’t, as individuals, any more
understand what we’ve given up in that, and that’s kind of where I’m coming
from in this.
Your mention of simple choices made me wonder whether you’re
thinking in terms of within the system, the categories of information being a
limited number of different degrees or whether that is the way in which the
patient expresses maybe at the bottom of the HIPAA form the choices they would
wish in terms of their degrees of autonomy.
Am I making any sense in relationship to the simple choices
that you spoke of? Were those within society or were those at the individual
DR. MURRAY: If the question is this first problem of to what
extent and in what ways do individuals have control over the content – not
access to the content of their medical records; it was a sort of threshold
question that you’re going to have to deal with, I think parsing out these, you
know, handful or two handsful of relevant categories that pass muster with
individuals and with health professionals as being meaningful and usable,
useful, that’s where you might make decisions about what sort of categories
might individuals choose to have or not have in their medical record. And also
whether to provide these under certain conditions of access, certain purposes.
It very quickly becomes an extremely complex problem. I don’t
mean this in a disrespectful way, but I want choices to be meaningful and not
really formal, right? Presenting a huge array of choices with many boxes to
tick off pretty quickly loses meaning for most of us.
So I would say, you know, let’s road-test it, let’s make it a
meaningful set of finite, relatively small number of crucial choices, so that
people really can exercise autonomy in a way that really serves their interest
and is meaningful for them and doesn’t turn out to be the case where they look
back five years and say, “I didn’t mean to deny this kind of information
to these people. I didn’t understand what I was doing.” We want people to
make choices that they can later take ownership of and feel good about.
MR. ROTHSTEIN: And I think the idea, to pick up on Bob’s
point, and this sort of goes back to the initial question I asked, is even more
complicated technically, assuming that we decide what sort of stuff people will
have a right to keep out of their records as to how to do that. So you could
imagine not getting the information at all in the first place, having a right
to excise that information once it already existed, having the right to modify
that information in some way so that you have the diagnosis but not the
explanation of a psychiatric condition or you have the effect of, say, domestic
violence in the record in terms of broken bones or whatever but not the cause
And so even reaching an agreement on what sorts of things,
then we would have to deal with the issue of sort of technically how to do that
and even making those choices is a reflection on what we consider objectively
that someone subjectively might want to exclude. In other words, I mean, if
we’re really autonomous, we would have 280 million different choices as to what
we want, but that’s totally impractical. So we’re going to have to, as a group,
somebody is going to have to make a judgment call as to what it’s reasonable to
exclude if we want to do that weighed against the costs medically and so forth
of doing so.
MR. STEINDEL: I just wanted to add to your list. I think we
need to consider the transfer of information out of your record to someone
else, because I could see where if you’re going to see someone for mental
health purposes and they’re keeping an electronic health record, you might want
the information kept in that record but not necessarily transferred out.
DR. MURRAY: Right. To me, that would be the access issue: Who
would get access to that particular category, right.
MR. ROTHSTEIN: And at our last hearings, which were not
specifically on the National Health Information Network, we spent a
considerable amount of time talking about third party access to health
information which some would argue is much more of a problem than the
unauthorized access to information where anyone with economic leverage over you
can require as a condition of all sorts of things that you sign an
authorization disclosing your records.
And, in fact, I’m in the process of trying to estimate how
many compelled authorizations there are each year and we think it’s – I
mean, this is a very wide range – between 20 and 50 million. I hope to
have a closer number in a few weeks. But, I mean, it’s just extraordinary.
DR. KNOPPERS: Isn’t that where insurers – or let’s just
even take life insurers and say we’re private contractors, we’re doing a
contract on your eventual death and it’s, you know, a statistics game as to
who’s going to make money, lose money, and so on. Even there where you do sign
that line at the bottom, by saying insurers for life insurance purposes will
only have access to the following categories, a lot of the fear — and the
economic version, you can’t get a mortgage or buy a car or get a loan if you
don’t have life insurance; you need life insurance in order to get another
economic good. So it’s an entry point for other economic goods in society but
it’s a forced disclosure of something that is really quite intimate to the
So you can say, okay, insurers, this is the game. We know
you’re private and premiums have to be, you know, no adversarial selection and
so on and so on, then have them only get limited categories of access to data
that they really need for their actuarial tables.
MR. ROTHSTEIN: Well, and the same thing could be argued for
DR. KNOPPERS: Same thing, same thing.
MR. ROTHSTEIN: — and so on, but the problem is that at the
current time, with a paper-based system, there’s certainly no practical way
that this can be done. I mean, it just would be cost prohibitive, time
prohibitive, and so even when they get them with limited authorization just as
a matter of convenience, health care records holders tend to send everything
because it’s so much easier.
And unless we build into the electronic health record of the
future the capacity to limit the fields of disclosure, something that is quite
daunting, I would add, in many cases, we’ll never have that capacity, and my
understanding is that is not even currently being done.
DR. MURRAY: That seems to me a fundamentally important thing to
attend to now. Again, maybe it’s identical with this notion that I’ve been
promoting of having, you know, a finite number of categories of information in
terms of their sensitivity and utility or I would hope it’s the same thing, but
for example, a life insurer doesn’t need to know if you and your wife needed to
consult an infertility specialist in order to try to have children –
right? – unless they can show good actuarial data that that is somehow of
predictive in a way that they will use. Can we then find a way to construct,
you know, data sets that limit? They would be limited data sets not in the
sense that Dr. Fitzmaurice was talking about, but only the relevant data goes
If we could do that, then we could actually improve some
aspects of personal privacy with electronic medical records over the current
paper record, which is actually as you’ve described it, the use of those
MR. ROTHSTEIN: Yes. Yes, I mean – and I’m very anxious to
hear from Alan Westin after the break about public views on this, but I think a
common misconception is that electronic health records pose this tremendous
privacy threat when in the context that we’re talking about, it represents a
great hope or possibility of protecting privacy but only if we seize it, and I
for one certainly advocate for doing so.
Other comments? Yes, please. Beverly?
MS. DOZIER-PEEPLES: Along the same lines as the life insurance,
you mentioned in the beginning of your presentation that some European
countries were early to get on board with privacy laws to protect the genetic
information for this reason. Could you just kind of briefly describe what that
looks like? I mean, is it an anti-discrimination type law or is it restrictions
on what information insurers can obtain, or what exactly does that look like?
DR. KNOPPERS: Okay. There’s three or four different approaches
The first was Belgium in 1992 which put it in their chapter in
their civil code on insurance, simply saying there will be no access to genetic
data for life insurance purposes – stop. This was interesting because
there were protests outside the Senate at that time by people complaining that
their condition hadn’t been labeled genetic, i.e., they were being
discriminated against because insurers would have access to their data. There’s
one established. So you can legislate it simply with the problem that that
Plus, all of the approaches, and there’s three more, that
actually put genetics separate make it seem as though genetic data is not
medical data, something different, which leads to exacerbations of
stigmatization and discrimination and reinforces the idea that there’s
something spooky about genetic data.
A second approach is a moratorium. This is when insurance
companies wanted to forestall – because once you get it into law, it’s
really hard; civil codes don’t have sunset clauses, they’re not statutes. And
so voluntary moratoria. Sometimes time-limited because they wanted to open it
up, but maybe they could change their mind in the future. But in France, for
instance, until the recent laws, they had a moratoria; now it’s in the law.
But there’s still countries that have moratoria. Holland, for
instance, has a moratoria, which means that they will test or ask for. But if
it’s in your medical record, they will still have access to it, which then
leads the problem of people saying, “Well, I don’t want to go participate
in genetic research or go for a test when you’re doing linkages or pedigrees to
help my sister find out if she has it; if it goes in my medical record, then
it’s obviously so. There’s a weakness to that as well.
And the last approach is one in the U.K. where they’ve set up
a special commission which decides which conditions are so certain, genetically
speaking, that of course a life insurer should have access to them. And the
only one they’ve been able to come up with, and even there they take it on and they
put it back it and they off and so on, is Huntington. But they would have found
that out from the family questionnaire in any event. I mean, they’ve been doing
questionnaires – you’ve seen them; what did your aunt die of, your mother,
your sister? – as a basic requirement for selecting what risk group you
belong to. That would have been in your family questionnaire anyway.
So this commission who decides when there’s sufficient
actuarial evidence so that insurers can legitimately discriminate in spite of
discrimination legislation is, you know, a work in progress, let’s call it.
So it’s legislated either in a code or in a human rights code
or it’s a moratorium or it’s a commission.
The most interesting approach, though, and this is not a
particular country and I’ll stop there, is that the European Convention on
Biomedicine and Human Rights in 1997, which countries as they sign in ratify
their internal law has to be in conformity, all they said, and it’s quite
smart, all they said was no tests shall be done that are not done for medical
reasons. That’s it. They didn’t mention insurance, employment; they didn’t say
who they were aiming this at. By saying that all tests should be done for
medical reasons, that means you cannot do a test simply – a genetic test
– for insurance purposes, because it’s not a medical reason. That’s an
MR. ROTHSTEIN: Tom, you wanted to comment?
DR. MURRAY: Well, just quickly. My conversion to heresy began
in the early 1990s when I chaired a task force for the genome project on
genetic information and insurance. And so we set out to make the case that
genetic information ought to be and could be distinguished from other kinds of
And over the two years of the life of this task force, we
ultimately decided that was either dishonest or impossible. The great majority
of conditions that people suffer from that affect your health, your longevity,
that are causes of illness, that create expense, health care expenses, are very
complex combinations. They’re actions of genetics and a host of other
environmental factors, developmental factors, and the like.
So to try to cleave off genetic information and treat it as
distinctive, toxic, et cetera, in the larger context of, for your purposes, the
electronic medical record, makes no sense whatsoever.
MR. ROTHSTEIN: With that final word, I want to thank the
members of our panel and I also want to thank the questioners for helping to
further flesh out these issues.
We are going to recess for 15 minutes, take a break, and then
we’ll be back with Professor Alan Westin.
DR. MURRAY: Thank you.
[Break from 11:04 to 11:20 A.M.]
MR. ROTHSTEIN: We are back in session now. This is Day One of
our hearings of the Subcommittee on Privacy and Confidentiality of the National
Committee on Vital and Health Statistics.
And we have a unique privilege this morning not only to hear
from one of the great experts in the country on privacy issues, and has been
for many years, but also to get access to some very important new data that he
has collected and will be sharing with us.
So I’m very pleased to introduce Professor Alan Westin.
DR. WESTIN: Thank you, Mark. My name is Alan Westin and I am
Professor Emeritus at Columbia University. My background is in law and in
political science where I have my Ph.D. And I taught for 37 years on Upper
Broadway in Columbia.
It’s been about four decades that I have been working on
privacy issues. I go to Japan a lot because of interest in what the Japanese
are doing, and once when I got off the airport, there was a gentleman meeting
me and he had a large sign and it said, “Father of Privacy.”
DR. WESTIN: I like that, because especially in Japan I could
even be Grandfather of Privacy and still be appreciated.
But the issues of information technology and privacy have been
an occupation of mine ever since the 1950s and in my prepared testimony I give
you a little background on the various studies and publications I have done
specifically on the health area.
I kind of left this alone for the last three or four years as
the HIPAA issues unfolded. I was an advocate of Federal health privacy
legislation, but once it became the domain of the lawyers, even though I am a
lawyer, I thought that I really didn’t have that much to contribute to all of
the very specifics about the privacy rule and so forth.
But now, with the movement toward electronic health records
and technologically oriented health care system, I’m back in play, and as I’ll
mention, I’m the director of a new program on information technology, health
records and privacy at the non-profit center that I head called the Center for
Social and Legal Research.
I was interested in Tom’s comment about being very careful to
be aware of the limits and the challenges of technology approaches. I learned
this very early, in the late 1960s when I was writing my first book on privacy
and freedom. It was mail merge techniques were just developed in word
processing, and so once I got an actual letter that was addressed to me and it
said: “Mr. Alan F. Westin 1100.” The second line said “Trafalgar
Street.” Third line said: “Teaneck, New Jersey,” then the zip
code. And then, using the mail merge, it started off: “Dear Mr.
DR. WESTIN: But the best thing was the first line of the
letter: “You are not just a number to us.”
DR. WESTIN: That’s when I learned that technology can get
things very wrong.
I’m here today to report to you on a survey that we have just
done last week on how the public views the application of computerization to
the health care system. Let me start, though, by saying that I view the
electronic health record initiative as a very positive potential step in
reshaping the nation’s health care system, and the reasons that are usually
given for doing it – enhancing patient care, reducing medical errors,
reducing high paper handling costs – seem to me to be very, very worthy
and important objectives.
And we all know that this is going to reshape the medical
record as we know it and the flows of health information throughout not just
the first sector, which is patient care, and the second sector, which is
payment and quality assurance, but it’s going to reach into the third sector,
which are all the social uses of patient information – employers,
licensing, insurance, research et cetera — very important, but not themselves
the givers and providers of health care.
And so I’m very pleased that you’ve taken the topic of
sounding out how the public feels about this early in the game. And my program
was able to sponsor with Harris Interactive a national survey on public views
of application of computers and effects with HIPAA and also attitudes toward
the computerization of health records.
Our survey was just in the field February 8th to
the 13th. It was a telephone survey conducted by Harris Interactive.
We had a sample of just over 1,000 respondents and they represent approximately
214 million adults. And a survey of this size has a margin of error, as the
statisticians like to say, of plus or minus three percent.
Before I do that, though, let me just remind us all that long
before we did our survey last week, there have been, by our count, 14 national
surveys between 1978 and the present that have dealt either completely with
health privacy issues or have had major sections of health privacy questions on
them. And there are a series of sort of top line findings that are very well
When you ask people, here’s a list of information about you;
what do you consider to be the most sensitive, or which of these you would be
most concerned if the information was released without your knowledge or
consent, health information and financial information are always the top two
scorers. And in many ways, I think personal health information these days would
be slightly ahead of financial information in any kind of a rating.
The surveys show that people are concerned by very large
majorities about the privacy and security implications of going to computers
and having electronic collection and use of health information. This is because
the public essentially views technology, rightly, I would say, as a two-edged
sword – enormous benefits in many, many situations in our contemporary
life, but also sharp problems and problems that often seem to be beyond
effective control arising as a result of high technology settings.
Because of this, when people visit health websites, and we
find that 80 percent of the online population report that they have visited a
site that dealt with health and health conditions, they are often highly
concerned about their privacy and security and they don’t share their personal
data or take full advantage of these sites because of that nervousness over the
privacy and security dimension.
Especially we find in the surveys that consumers who have
chronic or genetically based health conditions are particularly concerned about
the flows of their health information into the zone three, all the social uses
of personal information from the health sector.
So we began our survey by first repeating a question which we
used in 1992 in the Harris Westin survey on health information privacy. We gave
a list of people in the health care system and said: Do you believe that any of
the following have disclosed your personal medical information in a way that
you felt was improper?
When we asked it in 1993, 27 percent of the public, which
represented then 50 million adults, said they believed that one of these five
groups had released their personal medical information in what the
respondent considered an improper way. And this year, when we asked the same
question, it dropped from the 27 percent down to 14 percent, which is really
quite dramatic. It’s almost halving of the number of people who have this
feeling of improper release of their medical data.
In each one of the five categories, as you can see from the
numbers there, the total was down. At the same time, we should remark that 14
percent of the current American population means 30 million people, so it isn’t
as if two people and a dog are complaining about this; we’re talking about a
very substantial part of the public that feels this way.
On the other hand, to put it in some perspective, in all the
surveys that I’ve done over the years, we have about 25 percent of the public
that says, I believe that business or government has invaded my privacy.
So you start off with a quarter of the American population
having a view that in general they have been the victims of privacy invasion.
So a 14 percent figure is not outside the parameters that we’d expect when you
have that kind of a general victimization perception on the part of roughly a
quarter of the American public.
It was sort of interesting the health insurance company was
the biggest drop – that was 15 percent in 1993 and it dropped down to
eight, and I find it interesting that it’s eight percent for the health
insurers who were the dirty birds back in 1993 of getting to patients’
information; now it’s on a level with a clinic or hospital that treated you or
a family member, which is sort of a rise one could think in the health insurer
status and a drop in the clinic and hospital status.
We then turned to HIPAA because we asked ourselves: Is this
drop in the perception that medical information has been released improperly an
effect of the
privacy notice and the whole HIPAA roll-out system, which as we
know dates from April of 2003? So in our question we said, In the past three
years, have you ever received one of these HIPAA health privacy notices? We
first described it, and the text of all of our questions is in the appendix of
my testimony which you all have copies of so you can see exactly how we worded
every single question and all the responses.
When I started out with this, you always ask yourself when
you’re developing a survey: What do you think the answers are going to be? And
when I wrote this question, I said, geez, we’ll get 90-plus percent of people
who say they’ve received the privacy notice. You can’t go to a doctor, a
dentist, a pharmacy, you can’t have health insurance without having had privacy
notices thrust at you for the past two and a half years.
Astonishingly, 32 percent of the public, representing 68
million adults, say they can’t remember ever receiving a HIPAA privacy notice.
Now, think about that for a minute. All of us in the room
think that this is all-pervasive and the American public is seeing what’s going
on. It cautions you that many of the things that are done, especially with
complicated lawyer-driven notices and the way in which this may be shown to
people by pharmacist or a doctor et cetera, that 68 million adults, if they had
to raise their hand and say, swearing on a Bible, have you ever received a
privacy notice? “Don’t believe so.”
Let me make one other cautionary comment.
Sometimes in survey research, you get worried that people will
give you what’s known as a socially acceptable answer. For example, every study
that asks people, Did you vote in the last election? Finds that millions and
millions more people say they voted than actually voted because not voting is
considered not socially acceptable. I don’t think here that we had a socially
acceptable phenomenon at all. I don’t think if somebody said no, I don’t
remember getting a notice they were trying to present themselves in more
socially acceptable ways.
On the other hand, it’s always a question of which figure you
like to look at. Two-thirds of the public does remember recalling a privacy
notice, and that represents 158 million adults. Here, only one percent said
they weren’t sure, so the main figures are the ones that are interesting.
We then asked the people who said they remembered receiving a
privacy notice the following question:
“Based on your experiences and what you may have heard,
how much has this Federal privacy regulation and the privacy notices increased
your confidence that your personal medical information is being handled today
in what you feel is the proper way?” And we got 67 percent who said it increased
But please notice that only 23 percent chose “a great
deal” as their answer and 44 percent said “only somewhat.” That
tells you that joy does not reign supreme in the nation over the HIPAA effect
and that the verdict is out, you know, in terms of how people perceive their
medical record being handled after the privacy notice phenomenon.
We then turn to the real intended focus of our survey, the
electronic health record or electronic medical record situation. We described
it in this fashion, and the way we described it I think it’s very important for
you to understand and you can make your judgment about whether this is the
acceptable or best way it could have been done:
“The Federal government has called for medical and health
care organizations to work with technology firms to create a nationwide system
of patient electronic medical records over the next few years. The goal is to
improve the effectiveness of patient care, lessen medical errors, and reduce
the costs of paper handling. Have you read or heard anything about this
Here, my prediction was sound. I said, gee, you know, this is
not something that engages the American public yet in a deep way; yes, the
President spoke about it in his State of the Union message. Yes, he went out to
Cleveland and talked about it and made the television station. But I didn’t
think that this would have a majority of the American public shaking their head
“yes, I’ve heard of the war in Iraq and, yes, I’ve heard about Social
And so, 29 percent, which still represents 62 million adults,
said they had read or heard about it.
And when I took a quick look at our demographics, it was, as
you’d expect, the better educated, higher income, and technology using members
of the public that were the ones that said they had read or heard.
We then developed six concerns that we said some people have
about the effects of having an electronic health record system. We talked about
leakage of sensitive health data, whether there’d be more data sharing without
the patient’s knowledge, whether there wouldn’t be adequate security for health
data stored on computers, whether this might lead to an increase rather than a
decrease in medical errors, whether people would be less willing to provide
necessary information to their health care providers because of their concern
about computerization, and finally, that there might be a reduction of Federal
health privacy rules in the name of efficiency in this kind of a system.
The bottom line, as I’ll go into next, is that two-thirds of
the American people say they’re concerned about each of these possibilities.
Specifically, on the sensitive medical information being
leaked because of weak data security, that was our number one choice. Seventy
percent said they were concerned about this. And I give you the
“very” column because it’s often important to look at the people who
choose “very” anything, and so 38 percent said they were “very
concerned” about this.
More sharing was at 69 percent, and the highest
“very” here, 42 percent, were worried about the sharing without their
Inadequate data security, 69 percent, and 34 percent
Increasing errors rather than decreasing them, 65 percent, and 29 percent
That some people wouldn’t disclose the information to their
provider because of worries that it would go into computerized records, 65
percent, and 29 percent saying “very.”
And that the Federal health privacy rules would be watered
down, 62 percent, and 28 percent saying they were “very concerned.”
It’s typical in surveys like this, and I’ve been doing these
for 30 years, that after you describe some kind of business practice or
government program and you ask people how concerned they are about aspects of
it that you develop what’s often called a “tie-breaker question”
– that is, you say, well, you’ve told us about the program, you told about
your concerns; what’s your balanced view then on this program?
And so our question was phrased:
“Overall, do you feel that the expected benefits to
patients in society, which we already mentioned in our non-question, outweigh
potential risks to privacy, which we had just probed in our concerns, or do you
feel that the privacy risks outweigh the expected benefits?”
And the winner was: No one. The public is deeply divided
– 48 to 47 percent on their view whether the benefits outweigh the privacy
risks or the privacy risks outweigh the benefits.
And I was able to look at the demographics before I came down
but not by the time I was preparing this, and I’d say the most important thing
is that the people who believe the privacy risks outweigh the expected benefits
are very widely distributed across the demographic categories. That is, it’s
not concentrated in Democrats and liberals and African-Americans and so forth.
It is so widely distributed that you would be absolutely sound
in saying that this impacts at that level men and women, upper income and lower
income, high education, low education, et cetera.
And we will be publishing in a couple of weeks all of the
demographic information, the factor analysis and so forth, and I’ll make sure
that your Committee gets this.
One of the things I’ve done over the years has been to create
what’s called a segmentation of the public on privacy issues. The way we do
this is to create three or four trend questions that tap fundamental attitudes
and then we see in the public how many people take the strong privacy view on
all of the trend questions, how many take it on some of the trend questions,
and some of them that don’t take the privacy view on any of them.
And that enables us to create a high, medium and low
segmentation of the public and puts some numbers on how many people fall into
each category and then to look at the demographics for each of those segments
to say: Who are the people then who are not concerned about privacy, or highly
And we created this here by taking the six concern questions
that you have heard me describe, and if somebody chose their concern in five or
six statements, we call those high electronic medical record privacy concern.
And what I think is a striking finding, 56 percent of the public scores high in
their privacy concern related to electronic health records.
Sixteen percent fell into the medium category, meaning that
they expressed concern in three or four statements. Fourteen percent chose one
or two. And no statement was chosen by 14 percent of the public.
So, we have a solid, national majority in a high electronic
medical record privacy concern camp. And that compares, and I think this is a
very meaningful comparison, with our studies that show only 35 percent of the
public when you deal with consumer privacy issues score in this high or
fundamentalist orientation. So we have almost double the number of people in an
intense privacy view in the health area as in the general consumer privacy
And this is about what we found – it’s a little more
intense, but it’s close to what we found in 1993 when we did a similar
segmentation when President Clinton was promoting the national health insurance
We wanted to test what I have always thought was going to be one
of the most critical issues in this whole electronic health record development,
which is: What’s the role of the patient going to be here? Not the providers,
not the insurers, not the health data analysts, but the end user, the patient.
So we framed a question that read:
“Since most adults now use computers, the new patient
electronic medical record system could arrange ways for consumers to track
their own personal information in the new system and exercise the privacy
rights they were promised. How important do you think it is that individual
consumer tools be incorporated in the new patient electronic medical record
system from the start?”
Eighty-two percent of the public believes that this is
important, and here, 45 percent rated this as “very important.” Only
17 percent did not see this as important.
That was a little bit of a socially acceptable answer here. If
you don’t have to pay any price, if you’re not worried about the tradeoffs
between the patient’s access or the patient content control and giving the
patient these tools we described, what does it cost to respond to this, to say
“Yup, that’s very important”?
Having said that, though, I still think that this is an
extremely important finding. And the way I view it is that this is a public
mandate for what I call a privacy design specification for any electronic
health record system. That is, from the start, the public is saying: Program me
in in my privacy choices, my privacy access, my technology access. Otherwise, I
am not going to be confident that this system serves my interest and is good
for me and for society.
And so I think everybody who is an advocate and manager and
participant in the building of this system as the decade unfolds really has to
say what laws, what rules, what practices, what technology arrangements, what
education about privacy and what kind of building of positive patient
experiences will it take to get that 47 percent of the total public to feel
that the privacy risks are not outweighed.
Let me turn to some conclusions and recommendations I draw from
the study. Incidentally, the study is being released today, so you are the
first to hear it, but I do believe you’ll read something about it in the media
and in health publications and so forth since it’s now out there for general
My first premise is that an electronic medical record or
electronic health record system does hold enormous promise for patients, health
care delivery, for breakthrough research, and for the interests of the whole
society. I also think that probably the system is more likely to proceed now
than at any time in the past, and I’m sure all of you here remember that in the
‘60s and the ‘70s and the ‘80s and the ‘90s there were
major efforts to go to computerization in the health care system and enormous
sums of money were spent with I think one has to say limited result, if not
often complete failure of some of those health records.
I remember when Dr. Weed’s problem-oriented record was seen as
the great gateway by which we would computerize the record and change the whole
way in which the medical record would be used in the system. Didn’t happen.
On the other hand, I think it could happen now. Step one,
medical professionals are now pretty much technology conversant. They’ve got
laptops, they’ve got cell phones, they’re used to going into databases. And
obviously this is something of an age-related phenomenon, but I think the
generations of current health care professionals are now more open and ready to
using technology than has been the case in previous decades.
Secondly, the technology is much more powerful. We now have
data mining and data linkage techniques and we have software power, a whole
host of tools which major technology firms have been developing and university
research has developed which I think hold much more promise to achieve the cost
effectiveness and the reduction of medical error problems and so forth than
It’s true, of course, that technology has been growing steadily
ever since the computer came along, but up until fairly recently, I did not
myself see the technology tools as having the sophistication and the depth and
the reliability that I think is needed. And so I’m more optimistic about the
technology opportunity than I would have been five or 10 years ago.
On the other hand, I hope the survey results remind us all that
no matter how good the technology and no matter how ready the medical
practitioners are to embrace the technology, this system will not succeed if
public concerns over privacy are not understood and addressed.
So, what do we need?
I think there needs to be an institutionalized
privacy-by-design working group, and the best analogy I think is the excellent
ELSI program with the human genome project where major money, very talented
people and institutional support was given to examining the kinds of issues
that the breakthroughs in genetics rush before society. So it has to be active,
well-funded and impressively staffed.
It may be that such an organization is government supported but
not government run, that it calls for a kind of consortium of government,
private sector, consumer and patient advocates and so forth. But its charter
is: How do you design privacy, from the start, into an electronic health record
Secondly, I would be very worried if privacy becomes a
sub-topic of what is being discussed now as an electronic health record
standards board. I think the standards board is extremely important in terms of
interoperability issues and regional system linkage issues, et cetera,
certainly, the medical record issue itself.
But if privacy is consigned inside that board, I’m afraid that
it will not have the right kind of pressure, the right kind of poise, and so
So I would like to see an independent privacy standards board
that sits alongside the larger technology and record standards board.
The kinds of things I would see a privacy-by-design working
group to carry out would be, first, take the excellent materials that over two
or three decades we’ve developed on how to do privacy risk assessment and
threat assessment and apply it into the concrete development of electronic
health record systems. There are many, many organizations that do this kind of
privacy risk assessment. There are auditing firms, there are law firms, there
are university firms and so forth. It is a specialty and we know how to do it
well. I think it has to be a continuing privacy risk assessment, not a
Secondly, I see the group looking to identify the kind of
system design elements that would enhance rather than defeat privacy interest.
For example, I think there’s probably broad agreement that creating one
national health record system organized nationally and under the Federal
administration no matter how benign is a disaster for privacy and therefore,
regional systems with linkages and interoperability standards and so forth
seems to me an initial major design component that is privacy oriented.
There are many other things that I could talk about here but in
the interest of time I just want to say that across all of the technology and
organizational design choices that are coming up, I think this
privacy-by-design group should have the charge to say: What are the privacy
implications if we do it this way compared to if we do it that way?
Third, I think that identifying anonymization techniques that would
facilitate research and data trend analysis is absolutely essential. This was
mentioned earlier today, that if we pursue privacy at the expense of
fundamental epidemiological and health system research, it will be a heavy
casualty. And it doesn’t have to be, I don’t think. There’ll be some problems
that we’ll find it very, very difficult to work out, but in general, I think we
can apply anonymization techniques in ways that will still allow important and
socially valuable research to go forward.
In order to do this, though, I think we will have to – and
I’ll talk about this in a minute – try to conceptualize a segmented
medical record that will have in it parts that are for identification and use
and other parts which from the start are identified as the kind of things that
are subject to anonymization and therefore will be organized differently in the
medical record. And I’ll explain that in just a minute.
As far as the legal and policy rules are concerned, I think
most people would agree that you can’t just take the current HIPAA privacy
rule, slap it on something called the electronic health record, and think
you’ve done your job. It’s going to take a lot of very thoughtful consideration
as to what the policies and the legal rules should be for the kind of systems
that will be rolling out with electronic health records. And I think this
privacy-by-design working group should pay a lot of attention to just that kind
Obviously, lots of others will be doing this. For example, the
Markle Foundation has a fine project on connectivity in which they’ve got
excellent people looking at the privacy and security issues. So even for the
beginning I’m not suggesting that this kind of a function is going to be the
only one. It’s going to have many, many parallels and competitors and so forth
and to me, that’s fine.
Fifth, I think that the privacy-by-design working group should
try to identify and test procedures that would, responding to the 82 percent of
the public, empower individual patients to access systems directly so they can
see certain kind of information that’s there and so they can carry out with all
the power of the computer technology the privacy rights they are given.
Today, we have a paper-based, almost a ballpoint pen-based,
patient access system. I think that as we move the medical record into high
computerization, we’ve got to move the patient access and patient control
functions into equal technology driven opportunity.
A hundred and sixty-five million Americans are now online. We
have become a society which more and more has people comfortable in using
information technology in the online world. I think that should be a major
understanding as we think about this system – not the patient coming to
the doctor’s office, sitting in a chair, being thrust a notice, but being able
to sit in their kitchen or their study and have access to the system under the
right defined rules and so forth and to be able to exercise their privacy
rights wherever they are, sitting in an airport terminal with their wireless and
coming and looking at something in their medical record. I think that’s a
tremendous opportunity that we’ve got to grasp right away.
Finally, as these approaches are done, it seems to me we have
some real test beds we can think about. As the regional programs unfold in the
electronic health record systems, those are the beta sites for looking at the
privacy design world.
My experience in doing a lot of empirical studies is that you
want to go to the place where the pioneers are putting forward new
technologies, changing the way things are done, altering balances of rights and
responsibilities. You want people there who are going to do objective,
empirical research into what difference does it make that this is happening now
in this clinic or in this hospital or this doctor’s office in this IMS Health
data set. You want really to have people studying hard the actual impact of
technology in the organization, on the patients, et cetera.
That’s why my organization has created the program that I said
I’d say a little more about. We see ourselves as a not-for-profit research
organization continuing to conduct public opinion surveys on how the public and
various health care leadership groups and others feel about more and more and
more specific aspects of an electronic health record system.
We’d like to do some of those empirical case studies that I
mentioned of how the programs are actually working as they roll out. We would
like to help develop the legal and policy rules that are necessary for privacy,
confidentiality, subject access, due process and so forth. We think this will
require going quite beyond HIPAA.
I was very glad to hear the discussions of what the Europeans
are doing and what is going on with electronic health records in other
countries. There’s much to be shared and learned in those countries, and one
member of my staff is an expert in this and we would like to see not just what
the legal rules are but what the actual experiences and patient reactions are
in countries that are also experimenting and moving forward with electronic
We are going to be publishing in a couple of weeks a white
paper in which we take a broad look at computers, health records and privacy in
the 21st century and we will have a variety of other reports and we
expect to publish a quarterly electronic newsletter and as always to organize
seminars and hold conferences on program themes.
You can go to our website, www.pandav.org. You’ll find posted there
today the top line results of our survey, a report that we’ve done on how the
public views health privacy, survey findings from 1978 to 2005. I think many of
you will find a lot of interesting specifics there, not just like the top line
couple of comments that I made.
My testimony from today’s hearing will be there and this
PowerPoint will be there as well.
We will publish an expanded survey report with all the
demographics and factor analysis, and the white paper that I mentioned is
Let me just add one thing that was not in my prepared testimony
because I was stimulated by some of the conversation earlier today to share
this with you.
If we think about a patient medical record as a one thing, all
unified and all there, I think we’ll be making a privacy-by-design mistake.
Rather, I think we could imagine a six- or seven-segmented and formatted
medical record which the technology is perfectly capable of storing and
retrieving in that kind of segmentation.
And how might it be divided?
First, a segment on personal identifiers – name and
address and Social Security number and all the stuff the hackers will try and
Second could be a medical transaction segment – came in,
complained of knee problems, probably arthritis, going to put him on whatever
the latest acceptable Cox-2 is or isn’t.
Third would be a prescription history, something that
systematically listed the pharmaceutical agents that had been used by the
patient in their medical record history.
Fourth would be anything that had mental health or
psychological or psychiatric components.
Fifth would be life style information, all the terribly
sensitive stuff about sexual life and drugs and alcohol and bungee jumping and
everything where life style as we know can affect the medical system.
Finally, what I’ll call anonymized data, data that from the
beginning is seen to be important for research purposes and which is stored in
the medical record ready to use in anonymized form so that we institutionalize
some of the research function right from the start – we don’t wait for a
research protocol to be done and then go back and scratch our heads and say,
you know, what do we need from the medical record? Even though, of course,
that’ll always be necessary with highly customized research.
But for a great deal of epidemiological research,
pharmaceutical utilization research and so forth, I think we could create from
the beginning a set of patient data that would be what we see as high value for
research and therefore under the proper research access would be acceptable
from the record.
And just to show you where this goes, the psychiatric segment
obviously requires the highest level, or one of the highest levels, of access
power. It probably should be kept in encrypted form because we really must pay
attention to data security.
As you know, many health systems today only store the
psychiatric data in encrypted form and I think that’s exactly the kind of
requirement that would have to be set, whereas the anonymized data, there would
be no need for patient consent, opt in, opt out, or anything. From the
beginning, explain to the patient there would be a set of data that was going
to be useful for public health purposes, for research purposes, and so forth.
Now, I’d be the last one to say that I’ve just given you the
Lord’s work on a segmented medical record, but I think it’s interesting to
think about and to say, since the technology is capable of giving people access
to 1, 2 and 4 but not to 3, 5 and 7, that if we have the right rules as to
patient access and the right rules as to third party access and provider
access, we could think about a medical record as being a set of records, not a
record, in which rules of privacy and access and consent and disclosure would
be customized for the nature and sensitivity and functions of the different
types of information.
With that, just to show you there’s a lot of work to do, let me
stop and invite comments and questions.
MR. ROTHSTEIN: Thank you very much. We greatly appreciate your
sharing the new survey data with us and I’m sure that will generate some
questions. But I’m equally, or perhaps more fascinated, by some of your
comments and conclusions and recommendations.
Let me just ask one question before we sort of open things up.
And I’m sort of taken by your suggestion that there should be some sort of
external group that you call the privacy-by-design working group that would be
tasked with helping to design a system for electronic health records in which
privacy would be a key element.
I don’t disagree with the aim, but my personal observation is a
very practical one, and that is, it seems to me that the electronic health
record train is zooming down the track and the thought is that those of us
concerned about privacy, our job is just to make sure that the train doesn’t
leave the track, whereas what I hear you suggesting is that the privacy element
is so fundamental that it really needs to be worked out in advance of the
So perhaps you could explain your thinking some more.
DR. WESTIN: I guess the first thing I should do is say
“amen.” I think you said it just right. I think that the privacy
issues are so central to whether this will succeed – incidentally, we can
be very concrete and suggest that Congress and the state legislatures will take
their cue from how the public feels about this whole electronic health records
system. You want to get appropriations? You want to get Congressional committees
to give this the kind of support that the human genome project was given in the
LC appropriation? You’ve got to convince the legislators that this is an
acceptable privacy system.
So I don’t think the train can go down the track; it’s not
going to have any fuel when you get to it if there is not this kind of clear
mandate for privacy. Now, I’d be the first one to say, being a political
scientist, but how you institutionalize this, where you locate it, and
public/private, and funding and so forth, are all very important questions.
But however it’s done, I’m looking for there to be a
free-standing, high prestige, well-funded and well-staffed entity that is like
a privacy impact assessment group is inside Federal agencies if you know that
was required, a privacy impact assessment in Federal agencies now when they are
in e-government programs and so forth.
You know, I’m looking for those kinds of functions to be
institutionalized, and I think you’ve got it right. Some people believe the
train is going and it’s too late already. I don’t think so. I think that the
train is gathering steam but one of the other things that I have in my prepared
testimony that I get on to the laptop was that unlike some situations where a
business program or a government program is in fundamental collision with the
consumer and privacy groups, and you really have to have a confrontational,
dragged out kind of battle, that is not the way I read the situation here. I
think the health care community is privacy oriented. I think the technology
groups that are building many of the software tools also accept the importance
and centrality of privacy.
But I think there’s more community of interest and intention in
this area than you find in some other areas, homeland security or telemarketing
and other kinds of collision areas for privacy versus the other interests. If
that’s the case, then I think there’s more possibility of creating this kind of
an institution and getting the right kind of support for it than there would be
in some other privacy area.
MR. ROTHSTEIN: Thank you. And now, questions from my
colleagues? Mr. Reynolds?
MR. REYNOLDS: Excellent survey and excellent coordination of
this information – thank you.
You mentioned on Slide 14 that for any national EMR system, as
you think of the philosophy of segments, as you think of the philosophy of
privacy, as you think of the philosophy of structure, and then you think of
regional things, one of the things everybody ran into in HIPAA was everybody
had done their own thing for so many years and set things up and then we tried
to come up with a standard and it was a bit of a fist fight getting it all
done, whereas do you see any of these categories or any of these segments or
any of these other things that could be put in place so that as regionals do
their work, they are basing it on some kind of a foundation that when you try
to tie multiple regionals together, if you don’t go through a singular EMR
system, you have some kind of a structure that allows you to play off of the
benefits of doing it regionally but then be able to transfer that information
because more and more with the special centers of excellence and everything
else that goes on, people are going to be moving around to get care? It may be
the more significant only in the future than they are now, so any comments you
can make on that?
DR. WESTIN: I have to start by saying I’m not a technologist
though I watch technology. But my understanding of some of the things that are
happening among the technologists is that, first of all, they are working hard
on interoperability. They understand the need for operating standards that will
cut across various technology approaches and systems.
And secondly, that they’re looking at linkage techniques rather
than uniformity techniques.
So I would myself assume that you should take a look at those
kinds of studies and offers and see whether they’re going in the right
direction and if not, some pressure might be needed to make sure that the
people who are developing the whole new system see the need for that kind of
interoperability and so forth.
But I want to start by saying that though I think there are
answers out there, I’m not a technologist.
On the other hand, I think that probably the moment is right,
given the technology, to move into much more uniformity in medical record
formats. I don’t think every hospital’s way of doing it and every clinic’s way
of doing it must be saluted and preserved.
And to the extent that we are able to come up with highly
refined and correct estimates of language and the techniques, I think that we
are going to move in the next decade to a much more uniform system of reporting
and formatting and so forth.
A couple years ago, I helped a company that was developing some
small medical record software. They asked me to come in and deal with the
privacy issues. And what they were doing was hoping to move the physician from
a pad with a piece of paper to a hand-held data device which was all formatted
so that if there was a diagnosis or there was a prescription, it was uniform
throughout their entire system. That seems to me to be easy to do and we’re
ready to do. So there are some approaches that already are pretty well tested
that I think will now move into more and more use.
MR. ROTHSTEIN: Mr. Hungate?
MR. HUNGATE: A question. Going back to your segmented record,
in thinking about consent by a patient, then one level of consent might be the
linking of the personal identification information to the anonymized data. An
example might be that your genomic information would be in your personal
identifier and the PO coding information would be in the anonymized data. Is
that a correct conclusion?
DR. WESTIN: Yes, that’s very promising. In other words, I was
taken by the comments earlier that the dilemma with anonymization is that when
you truly anonymize without any preserved linkage file, you lose the ability to
update the file or to add relevant information to it.
And so one solution, as I’m sure everybody knows, is the
trusted keeper solution. For example, some years ago when anti-war
demonstrations were at their height, the American Council on Education, which
did annual surveys of college students and would ask people, “Are you
using marijuana? Are you against the war?” and all kinds of questions of
attitude, decided that they would promise anonymity and they would take the
linkage file and move it to Canada and promise that if a subpoena was ever
given by a Congressional committee, people would thumb their nose from across
the border and would never give the linkage file.
So I think there’s a range of ways that we could go at this
that have to do with both the linkage of the personal information to the
anonymous data and also maybe we are going to need these trusted organizations,
and I’m sure you know that there are organizations that are now promising to be
your trusted agent for purposes of your creating your own medical record, your
personal health record, and so forth.
MR. HUNGATE: Right.
DR. WESTIN: And I think there’s a lot of promise in that
because the trusteeship concept, if it’s the right people institutionalized in
the right way with the right legal sanction behind them so you don’t have to
run to Canada, I think that’s very promising.
MR. HUNGATE: I agree. My sense, though, is that I ought to
worry about it. I believe in chaos theory.
But a friend of mine is one of those people that’s developing
that trusted organization and he assures me that he can take care of all the
privacy issues through what he’s doing. I have reason to doubt from this
discussion that that could really happen.
But given that there is strong incentive and strong commercial
interest behind these kinds of efforts, I wonder if there isn’t some way to get
an understanding within that group, the developers of those specialized
personal information systems, that they, in order to be a trusted source, are
going to have to have a way of dealing with this privacy issue and whether
that’s not an interested party, too.
DR. WESTIN: I think that’s very important.
MR. HUNGATE: The next level.
DR. WESTIN: I’m glad you mentioned it.
MR. ROTHSTEIN: Dr. Steindel?
MR. STEINDEL: Thank you, Mark. Thank you for this really
fascinating and very, very timely survey.
I like the idea of this national privacy data board in getting
involved in the design of EHRs early et cetera; it’s a very strong point with a
lot of people and I think very necessary. What concerns me about that, though,
is expressing privacy in EHR systems is done usually through security. Privacy
is a concept and you have to somehow express that in the software.
And yet we see in one of your bullets where you ask the five or
so different questions that the consumers do not have high confidence in
computer security. So what should we be addressing? If we put this board in
place and the board says, you know, the EHR should be designed with this, this
and this, whatever it comes out to be, how do we assure the public that we can
design computer systems that express the needs of the board?
DR. WESTIN: I thought about that when I was putting a label on
that, and I thought about privacy and security design function. My problem is I
think that the security area probably belongs deep in the technology sector
much more than it does in what I think of as the policy orientation of the
When people ask me what’s the difference, my favorite way of
saying it is: Data security is the way you keep your promises of privacy and
confidentiality. It doesn’t define what is privacy, it doesn’t set the
confidentiality, but it enables you to have confidence.
On this, though, let me express some deep reservations.
Many of you have seen recently that one private data supplier
just was hacked into by a Nigerian ring which
set up 50 false customer accounts and got into 150,000 to
500,000 records and used them for identity theft. All over the world, identity
theft through a variety of techniques, sometimes employees inside being
corrupted, sometimes the hacking from outside, it’s a very insecure world, and
I think anybody who runs a data system would say that it’s next to impossible
to provide truly 100 percent data security.
So we’re dealing here in how close can we get to a system that
will give confidence to the public that in fact there’s adequate data security?
That’s why in my full testimony I talked about the fact that I think we’re
going to need a biometric identifier for the public and I think we’re going to
have one by the end of the decade primarily for homeland security purposes, but
I think this electronic health record system will be another driver of the
creation of a biometric system. And that would have an enormous damper on
identity theft because it would have a much more secure way of authenticating
who people are.
And of course that raises its own privacy issues and we’ll have
to address them, but if you take a combination of biometrics – for
example, a finger image and a retinal scan – and you add to it a smart
card chip, you’ve got about as secure a way of authenticating people as you
could want. And the ability for somebody to corrupt all three of those is going
to be extremely small.
So I think that when we look at how technology can enhance
privacy, not just press against it, let’s keep in mind that there are
technologies that are going to enable people to be much more secure in access
to their data and other people’s access to the data via technology solutions.
MR. ROTHSTEIN: Dr. Harding?
DR. HARDING: Well, I very much appreciated your testimony, and
I think most of us know that Mr. Westin was the research coordinator for the
National Commission on Confidentiality in Health Records in 1980 or so, around
that time, and really led out in this area, kind of was a precursor of this
group and we really appreciated your work through the years.
Let me ask you a political question. Your Slide Number 11 said
that it’s 48-48 on the issue of privacy versus the benefits and that there’s no
red state/blue state kind of thing; it’s not a political – there’s a
little bit of education involved.
If you were talking about the Congress votes when they are
influenced by the electorate, how do you go about doing that —
DR. WESTIN: I think probably –
DR. HARDING: — in such a split, non-demographic kind of way.
DR. WESTIN: I welcome your question. Let me try to give you a
First of all, the people who believe the benefits outweigh the
privacy risks are not hostile to privacy. It’s just that when they look back on
it, they see the benefits as being quite significant. So it isn’t even just the
47 percent that you have to address. You have to address that segment of the 48
percent that even though they think the benefits outweigh the risks, they’re
going to be responsive to privacy.
My feeling is that we’re going to need some champions in
Congress. We need some Senators and Representatives who will say, gee, this is
a good issue. Same way that it took genetic information legislation and other
kinds of legislation to need a champion, I think we need to identify and
stimulate some leading Senators and Congresspersons to say, this is an issue of
the decade; it’s good for me, it’s good for the country, because that’s the way
things get done.
When I remember how the LC program was put in, that was done
because one member said we ought to put some money into these ethical, legal
and social issues instead of just assuming that it’ll happen. And that whole
program really was the result, first, of a staffer and then of the
Senator putting it in and not being opposed because the money
was not up to the national debt level or something like that.
So politically, I think that Congress is an important place.
Now, the Administration obviously is important, and HHS is
important. But from a larger political sense, I think there should be political
leadership of the privacy campaign, and I could think right off the bat of some
people I would love to see lead it and probably all of you, too. We should make
MR. ROTHSTEIN: Final question of the morning. Ms. Wattenberg?
MS. WATTENBERG: Yes. You said before that electronic health
records goes beyond HIPAA, and I just wanted to get a little bit more of a read
from you on –
MR. ROTHSTEIN: Sarah, a little closer to the mike, please.
MS. WATTENBERG: Oh – sorry. You said before that
electronic health records goes beyond HIPAA, and I just wanted to get more of a
read from you if you have any sort of more specific thinking on that.
DR. WESTIN: Not really, not yet. I took a list of the HIPAA
mandate and laid it next to the electronic health records. It didn’t seem to me
that there was a good fit yet because these whole issues about control and
access as they were mentioned this morning, the whole concept that you would
have a patient participation that is technologically enhanced and so forth,
isn’t there yet.
And so I think that’s where we would have to start thinking.
What will it take?
And, of course, one of the problems is the whole liability
system, and everybody’s aware that as you build these records, practitioners
are going to say: What duties do I have in relationship to these records not to
be brought up on malpractice and not find myself disciplined et cetera, et
And so I think we have to rethink some of our liability system
if we’re going to use the medical record in as positive a way as we’d like to.
So that’s just something.
MS. WATTENBERG: Can I ask just a follow-up question —
MR. ROTHSTEIN: Certainly.
MS. WATTENBERG: — since there’s so many attorneys in the room?
I mean, is it true that it’s a liability issue that if a
patient says, no, you can’t have access to a certain kind of information and
treatment is prescribed based on what they have, is that still a liability
issue for the physician? This doesn’t make sense to me, but –
MR. ROTHSTEIN: Let the Internet listeners appreciate that there
were several nods of the affirmative on the question.
I want to thank Professor Westin for his typically expert and
provocative comments and we appreciate very much your coming here to spend some
time with us.
We will now stand in recess for our lunch break until 1:15 and
then we’ll hear from Panel 2 on privacy in health care and in society.
[Lunch break from 12:22 P.M. to 1:25 P.M.]
MR. ROTHSTEIN: Good afternoon. We are back with the afternoon
of Day One of the hearings of the Subcommittee on Privacy and Confidentiality
of the National Committee on Vital and Health Statistics.
Before we begin Panel 2, I just want to mention that we have
at the moment no public testimony scheduled from 3:15 to 3:45, so we will just
move forward the rest of the afternoon agenda and so we should be adjourning
approximately 4:15 this afternoon.
For those of you who were with us this morning in person or on
the Internet, I’m sure you will agree that it was a very fascinating discussion
and either you could look at this in a either positive or negative way but it
certainly raised more questions than it answered, so it was provocative, and
that’s the positive side of it, and also daunting, in the negative side that
there’s so many issues that we need to deal with.
And I’m sure that this afternoon’s panel is going to be
equally provocative, and I appreciate very much the folks who have joined us
today for Panel Number 2. So without further ado, I will recognize Panel Number
2, reminding you to please limit your initial remarks to 20 minutes and then we
will have at least 45 minutes for questions and answers with the Committee and
So with that, I would like to welcome and recognize Dr.
DR. LO: Thanks very much, Mark. It’s a pleasure for me to be
here. I know that this morning’s panel is a very tough act to follow, and since
then we’ve had our healthy NIH lunches, so there may be a bit of a
post-prandial slump. I will take literally, Mark, your exhortation to be
provocative, and I’ll be provocative.
So let me start by asking: How many of you in the room have
had back pain, knee pain, shoulder pain that was so great that you thought
about taking a medicine for it?
MR. ROTHSTEIN: Have or currently have?
DR. LO: Ever have had?
DR. LO: Okay. So then you have been very interested in the
news about all these new miracle arthritis drugs that turned maybe not to be so
much of a miracle. And we all know that one of the large manufacturers actually
voluntarily withdrew one of the Cox-2 inhibitors, Vioxx, because of reports
that it actually increased cardiac problems.
Well, let me tell you first about what one integrated health
care system clinic did in response to this, really taking advantage of
electronic health records. And they actually wrote about this in a publication
which is referenced in your hand-outs.
What they did is they notified patients by mail within 24
hours of Merck’s recall. They immediately withdrew the drug from the pharmacies
so you could not get a refill prescribed. They notified every provider, all the
patients for whom she had prescribed the medication, and they also used their
electronic record so that the next time the patient came to clinic, an alert, a
flag, went up to the physician reminding her to talk with the patient about how
to manage this new information.
So this strikes me as a very innovative, effective use of the
sophisticated electronic health record really to respond quickly to changing
information all in the best interest of the patient.
Now, of course, once the original drug, Vioxx, was withdrawn,
everyone then started to say: Well, what about other drugs? And if you were
taking another drug – Celebrex is another cousin Cox-2 inhibitor –
you naturally asked: Well, is it safe for me to take that drug? And I think
those of you in practice probably had your emails and phones ringing off the
hook from patients who were very worried.
And the news picked this up and this headline reads:
“Cardiologists Question Safety of Vioxx-Like Painkillers/Doctors to Avoid
Prescribing” two others that he named.
There’s another headline, again, raising questions that were
on every patient’s mind, I think.
Well, given that you really only had the existing data to go
on and that it was impossible on the spur of the moment to design and carry out
and analyze a large, definitive, randomized clinical trial, how could you provide
Well, I’m going to skip that and just say one example –
this was carried out by Kaiser of Northern California – was to use, again,
a comprehensive, sophisticated, electronic medical record to look through and
identify patients who had been on various drugs, follow them out through the
medical record to track outcomes. And this study was done very quickly, as soon
as the question was raised, using pre-existing data that already existed within
a sophisticated, integrated electronic medical record system. And this was
published in a fast-track publication through the Lancet because it’s
such timely news of vital health importance.
Well, let’s think for a minute about database studies. If
we’re going to have the opportunity to answer questions quickly using existing
data on questions that have real sort of health import for many people in the
country, what kind of database do you use?
Well, first I would argue you need comprehensive data. You
need to pull together lots of different types of information which may not be
integrated in existing medical record systems. You need to integrate pharmacy
data, outpatient visit data, hospitalizations, laboratory tests and deaths.
And I think the point I want to sort of put in front of you is
to do this in systems that aren’t totally integrated, you need to maintain
individual identifiers to cross-link all these different types of data.
You also, I would argue, need complete follow-up. What that
means is you have to be able to access care outside the system.
So if a patient in Cleveland Clinic or in Kaiser has chest
pain, gets taken by the ambulance to the nearest emergency room and has a heart
attack there, that data, that information, may or may not be captured in their
home base electronic record, so you need to be able to integrate care outside
this, and again, you need an individual identifier for that.
You also need to have very few refusals or dropouts. If you
allow people to say, “I don’t want you to use my personal information in
this kind of research,” I would argue that you’re not going to get a
scientifically valid answer to the question: Does Drug X cause greater or fewer
heart problems compared to any other drug you might choose?
The reasons are that you would, first of all, lose statistical
power if a lot of people didn’t allow their data to be used. But more
importantly, you could well have selection bias, that the people who don’t
allow their records to be used may be different from those who do in a way that
actually makes the results come out differently than the way that the
scientific relationship actually is.
Let me also parenthetically say there are other uses you might
make of an electronic medical record, again, in an ideal system, to respond to
this kind of breaking news of great health impact. And this, I think, would
fall into the rubric of quality improvement. For many of these drugs, and this
is one of them, the current data showed that it’s only at the higher doses,
highest doses, that you see this adverse association between use of the drug
and adverse cardiac influence.
So one thing you might do is alert physicians who are
prescribing above the recommended dose that once they cross that threshold,
they may be entering into the realm of undesirable side effects.
Secondly, again, as part of a theoretical quality improvement
mechanism, you might say that I certainly have patients who love these drugs
because they haven’t responded to other drugs, they have stomach problems that
have precluded the use of the standard arthritis drugs, for them the advantages
of these drugs might outweigh the benefits, but only because we know that they
have other contraindications to other drugs. And again, you could put a sort of
tickler, a reminder, in the electronic record system if the doctor prescribes
one of these Cox-2 inhibitors, to say, having tried other drugs, that may be
Okay, let me switch gears a minute and say, of course, this is
not the only example that’s been in the news recently about an important health
issue where there was real uncertainty based on the existing, randomized
clinical trials and the existing data where the drug’s benefits outweighed the
risks, or vice versa.
So here’s an example from psychiatry, as it turns out.
“Prozac,” this headline reads, “Linked to Child Suicide Risk.
Study Finds 50% Greater Chance. Companies Defend Anti-Depressant.”
So again – front page news, a huge issue in terms of
depression in children, adolescents, a serious public health problem and the
concern on the one hand that effective drugs might be withheld because of
unsubstantiated concerns about suicide versus the countervailing concern that
these drugs might actually increase suicide risk.
So again, one way to try and get at more data on this question
is to go back to large databases that have the comprehensive data I just talked
Well, when you’re dealing with a sensitive condition, and
certainly depression and suicide are very sensitive, we need to think about the
potential for benefit and the potential for harm. The potential for benefit
from database might be to do database research, to use the electronic medical
record to inform patients and doctors of concerns about, or uncertainty or
controversy about, the use of drugs, and again, to enforce quality control in
But on the other side, I don’t think very many people are concerned
that the fact that they have severe back pain or knee pain is very sensitive
information like psychiatric data, but with sensitive conditions, concerns
about privacy and confidentiality obviously are heightened.
And as you well know, medical health records may have special
protection under HIPAA and under various state laws and in fact it’s not
uncommon in our health care system to have separate mental health and medical
providers and records. At least in California, much of mental health care is a
carve-out totally separate from the medical system.
Lest you think I’m sort of a wild person sort of ripping apart
privacy and confidentiality, let me say that there clearly are very important
reasons why privacy and confidentiality are important in this. You know, we
believe it encourages people first to seek medical information and secondly to
disclose sensitive information.
And I would actually posit, suggest, to you, that’s not just
psychiatric information, substance abuse, things like that that are sensitive.
But just by going to a doctor for an ordinary exam, you get a routine check-up,
you get asked questions about all kinds of things – sexuality, for
example; you’re asked to take your clothes off; as part of cancer screening,
the doctor may probe your body in ways that would be unthinkable in the
non-medical context. So for many patients, just going to the doctor is very
sensitive, let alone special topics like mental illness or genetic information
as we talked about this morning.
We think that confidentiality prevents stigma and
discrimination and we think it also is morally and ethically important because
it respects patients as persons, so there’s good reason for starting with a
very strong presumption of confidentiality in the medical care system.
But, and again, this is something that you’ve all worked on
with your work on HIPAA, confidentiality is not an absolute ethical goal and
actually I would suggest perhaps dual policy goals – and again, this is
part of the sort of supporting language in HIPAA – on the one hand, we
want to protect confidentiality, but on the other hand, we want to have access
to information for clinical care, for public health and research.
You know, what’s interesting is everyone would agree, I think,
that in SARS, anthrax, avian flu, things like that, the public health system
needs access to individualized medical records for contact tracing,
epidemiological source outbreak research, and the issue is not does the patient
have to consent; the issue is really notifying the patient in a compassionate
way and carrying out that investigation in a way that respects their privacy
and confidentiality to the greatest extent possible.
Research we ordinarily think of, I would argue, as being
somewhat more elective, that wouldn’t it be nice to do research but it’s not a
moral necessity, and certainly our common rule, our Federal regulations for
research going back to the Delmar(?) Report suggests that it’s optional –
it’s morally desirable, but optional.
But I would turn it around and say on issues like Cox-2
inhibitors for arthritis where, you know, these drugs really, two of these
drugs at least, are in the top 10 prescribed drugs in the country, blockbuster
drug; the question of depression and suicidality in children and teenagers is
again a pressing public health problem, I would argue to you or I would suggest
to you that certain types of outcome research may be more like public health
than research that we typically think of (?).
So if we are going to really do certain types of databased
research on really important topics of great public health import, what are
some of the issues?
Well, first I see the technical challenges, and you talked
about some this morning. You need compatibility between different organizations
that have very different data formats.
In terms of how myocardial infarction is recorded in one
medical care provider electronic record system may be very different than the
way it’s recorded in another. And you need to be able to protect identifying
links if you’re going to merge different databases that have different types of
information you need to answer the research question.
Patient authorization. As you know, under HIPAA, the starting
presumption is you need patient authorization and then there’s certain
exceptions or waivers. The empirical data are very clear: If you ask patients
about authorization to use their personal health information for research, they
say it’s important. And in fact, in studies where attempts were made to enroll
patients into a database where just their data will be collected and pooled,
about half the patients do not give permission.
Now, I must say that one problem with all these studies is it’s
not clear what the patients were told about the database, why it’s important,
how it might help other people like them, so it’s not clear how well they’re
informed. But they certainly gave a preference in terms of not sending back the
consent, the authorization.
What’s, I think, even more disturbing is that there’s clear
evidence of a selection bias. One very nice published study – it’s
actually a Canadian database on stroke – showed there was clear selection
bias, that the sickest patients, the most complicated patients, did not agree
to allow their data to be used. Now, whether it’s they really refused, they
were just too sick to fill out the form, we don’t know.
But my concern is that incomplete data may be misleading and it
could conceivably even be worse than no database at all because you might find
associations that really are spurious.
So the issue of patient authorization and how it might actually
serve as a deterrent to the kinds of research we would like to see done in
certain conditions I think is a tricky condition that I hope you can sort out.
Okay, and finally there’s the oversight regulations which I
think is really in your bailiwick. I think we need to distinguish between what
the regulations literally say and how they’re implemented, interpreted, on the
front lines by IRBs, by privacy boards, by researchers.
As you know, there’s provisions under the current HIPAA
regulations for de-identification of data, a waiver of authorization.
First, let me point out that de-identified data will not
suffice to do the kind of databased research I was talking about because you
need identifiers to link these different databases. Waiver of authorization is
permissible, is possible, under HIPAA. I think that the impression you get
talking to IRB chairs and researchers is that IRBs are confused about this and
they’re not allowing waivers to be granted in situations where it would seem
from a, you know, straightforward reading of the protocol in HIPAA that it
would fall under that.
Now, obviously IRBs, privacy boards are allowed to be stricter
than the regulations themselves, but this, I would suggest to you, has the
impact of making research more difficult.
So I think at the very least there needs to be guidance for
IRBs and privacy boards and I actually put in researchers as well as what kind
of outcome databased research is permissible under HIPAA.
And I also think there’s a problem at the other end, that even
if the IRB approves a study involving existing data under a waiver of
authorization, the provider may be reluctant. The hospital, the doctor, the
clinic may be reluctant to provide the data.
In California, we’ve seen that where there’s actually a
state-mandated cancer registry where access to that squarely falls into one of
the HIPAA black letter provisions. Hospitals are not submitting the data to the
cancer registry as they had been before HIPAA and as HIPAA clearly permits
because of their concerns about their liability and their concerns about
patients’ concerns about privacy.
So I think this at least needs to be clarified, but I would
argue even if the regulations work on the ground as they were intended to on
paper, it still may make it difficult or impossible to do the kinds of studies
we talked about in the beginning of my presentation.
Okay, so let me be provocative and throw out some things for
you to chew on.
First, I think there needs to be a lot of public education
about the value of databased research, both its value and of course its
limitations, but also I think about the tradeoffs between confidentiality and
patient benefit as evidenced by the possible usefulness of outcomes research.
Secondly, I would suggest we might want to think about some
research as being similar to public health, and the implication, I would
suggest, might be that the ethical issue might be notification rather than
consent or authorization as the kind of the entrée into the data.
And finally, I think there needs to be a focus on
confidentiality as well as privacy. Professor Westin and others have clearly
documented the public’s concerns about leakage of their personal data to people
who really shouldn’t be seeing it. So how personal health information is
protected and could be protected and making that as airtight as possible I
think is a real challenge.
So let me stop there, and I hope I stimulated you to think
about these things. And I’m going to now disconnect so the third speaker can
MR. ROTHSTEIN: Thank you, Bernie, and I can tell you the answer
is: Yes, you did stimulate lots of sort of synapses firing and I’m sure
others will have questions as well when we have our panel discussion.
It’s now my pleasure to recognize our second speaker on this
panel, someone who has shared her expertise with us many times in the past, and
we’re always very grateful for her comments, Joy Pritts.
MS. PRITTS: Good afternoon. I’d like to thank the Committee
for inviting me back to speak with them.
And I’ve been asked to speak about patient interest in health
information technology, and I have to say, after listening to Dr. Lo, I’m
really torn between doing a full rebuttal of everything he said and going on
with my presentation as planned, but I think there’ll be time for that during
the question and answer period.
Where I would like to start is a period almost 10 years ago I
think it was, with a quote from the former
Secretary of Health and Human Services, Donna Shalala. And she
was talking about health information technology and people and where it might
lead us, and she posed a question which I think is as valid today and will
continue to be valid in the future as it was 10 years ago. She asked:
“When all is said and done, will our health records be
used to heal us or to reveal us?”
And I think this is a question that we have to continue to ask
as we continue in the process of developing health information technology.
Essentially what she’s asking is a point which has been brought
up by other speakers during the day, which is this balancing between the
benefits and the risks, and particularly what I’m going to speak of is how
patients perceive those benefits and risks.
We’ll start with the benefits, because clearly there are
benefits to patients to having some information in electronic form. Patients
aren’t all about just protecting their own information and keeping it quiet.
There are some valid reasons for having information in electronic form and
developing health information technology.
A lot of these have been mentioned earlier in the day, so I’ll
just briefly touch on some of them. The improved quality of care from doctors
having complete set of records, from being able to read the records between
different health care providers where illegible records result in unfortunate
errors. The records are more complete. Theoretically, at some point in our
lives, we may have a longitudinal record of our health from before we were born
until the current time, which gives a doctor a full picture of your whole
Electronic records are more readily accessible to providers.
They could be more accessible to patients if the system is set up in a certain
They can eliminate duplicative tests which for any patient
who’s had to undergo more than one test for a condition can really be a large
And they can streamline the administrative process. Any human
being who’s ever been in a hospital system knows what it’s like when you go
from department to department and you’re asked the same questions every new
department. And with an electronic medical record, that should be no longer a
Now, that might seem to be a minor point, but when you’re in
the hospital and you’re upset, it becomes a very major inconvenience, and in
fact, a major interruption to the health care system.
But for every one of these benefits, you can kind of flip the
coin and see also the risks that are associated with it. These risks are real,
and they must be taken into account when we look forward in developing health
Yes, the records are more accessible. They’re accessible to
providers in their office, at home, on wireless networks, and it raises the
concern with a lot of people as to how secure the records are. Are they being
protected? As has been told to me, somebody could potentially sit in a
cafeteria with a WIFI and pick up some information that they probably should
not be picking up because it’s being transferred within the hospital.
The records are also potentially more accessible to others
outside of the health care system. As interesting as the National Health
Information Infrastructure is kind of bubbling along and we’re talking about
how it’s developing, there are different players who are coming into the system
that I’m not really sure were originally anticipated being central core players
in the system, including, as I’m sure you’ve heard me on this course before,
banks and financial institutions.
And we see that this is happening right now. There are
financial institutions who are administering health savings accounts, so they
have access to very detailed health information. They are not covered by the
privacy rule, and we have yet to see any of the regulations come out from the
banking authorities as to how they may use that information under the FACT Act
– that’s the acronym and I can’t remember what all the letters stand for
right now, but it’s dealing with financial information.
So we’re still not sure, even though it’s moved to that point,
it’s happening now; we don’t know if that information is covered. We know it’s
not covered under HIPAA, and right now actually it’s not covered under anything
because the regulations are out.
There’s also more information accessible, as I said here. You
could have this longitudinal record of everything that’s happened to you from
birth, and on one hand that’s really good, but a lot of people have things happen
to them at times in their lives, often when they are younger, that they would
just as soon not have subject to review perhaps when they are older, and that’s
something that some people are a little bit concerned about: Are the sins of
their youth always going to be around to haunt them?
Overall, there is also seeming to be kind of a loss of control
over your health information, and this just comes from technology in general,
that people believe that once it gets in the system, it’s beyond their control;
they don’t know who has access to it, they don’t know what information they’re
seeing. And I would say that the notice of privacy practice unfortunately has
not really helped alleviate this concern.
One of the other benefits I mentioned was that it’s possible
that the information could be more accessible to the patient. But it’s also
possible that it will be less accessible to the patient. If it’s written in
code, some uniform codes so that it can be transferred easily between providers
and health plans, are patients going to be able to access this information and
understand what it says?
It’s a problem that’s not too much different from how it is
now. Many people can’t understand what their health records say when they get
access to them. They’re often written in medical jargon or shorthand. But there
are resources that you can go to that explain what that means.
So there is some concern that you’ll get some obscure computer
code somewhere down the line and you’ll have no idea what it means. Some people
who get explanations of benefits have certainly already experienced this. And
there’s no requirement under HIPAA that any of this information be translated
into plain language or English.
There’s also a possibility that the movement towards electronic
records is going to leave some patients behind. There’s a real potential here
to widen the health care gap because not everybody has access to a computer. In
fact, some of the most vulnerable populations health-wise do not.
And as we move forward, it’s a privacy concern in the sense
that people should have access and be able to control their information. It’s
also just a general issue of fairness and equity that, as we move along, people
should be brought up so that everybody has an even playing field.
So these risks really can result in harm. And the harm that
comes from the downside of the electronic medical records includes the stigma
that’s attached to certain medical conditions being spread. The consent that
most people that are at the top of almost everybody’s list, they’re afraid
they’re going to lose their job and they’re afraid they’re going to lose their
insurance, and that’s because of the way our health care system is.
Most people have their health care insurance through their
employer and people are concerned that if their employer finds out they have
certain health conditions that they’re going to lose your job and if you lose
your job, you lose your health insurance, and if you lose your health
insurance, you’re in big trouble.
The majority of bankruptcies in this country today involve
health care costs and health care debt.
There’s also a concern about police power and how authorities
are going to access information if it’s on this electronic database. Now, I
believe Dr. Westin talked this morning about how opposed people would be to a
national database, and I can guarantee you, every time I’ve been in a meeting
or a conference and anybody mentions that word, you almost see the helicopters
circling the room; it really does provoke a very adverse reaction from people.
And the unique identifier has been mentioned as something that
is necessary in order to transfer information between providers, and it is also an
item which provokes very adverse reaction among many people. And I think there
are a couple of reasons why people are really adverse to the unique identifier.
One is the experience we’ve had with Social Security numbers.
They ended up being used for a purpose that they never really were intended to
be used for, and people are afraid that the national health unique identifier
would fall in the same category.
I think it also probably increases the potential risk for
identity theft. Having all this information in an electronic form, you now not
only have the person’s name, their address, their date of birth, their Social
Security number, you probably also know their mother’s middle name if you
have this longitudinal record, so you have information
all in one place that is very tempting for people who have possible bad
A recent example of this is the case that happened out in
Seattle at the end of last year where an employee of a cancer clinic obtained
the patient identification of a cancer patient. He had his name, the Social
Security number and his date of birth, and he obtained credit cards in this
patient’s name and he charged $9,000 under the patient’s name and I think four
or five cards, all while the man was undergoing chemotherapy. And I think that
we need to be aware of this because people who are sick are vulnerable and they
do not have the time or the strength or the energy to be dealing with these
types of issues.
Now, the person in Seattle actually pled guilty and he was
sentenced under HIPAA for a criminal violation of HIPAA, and I believe that’s
the first one in the country.
But I will also say that many legal experts came out afterwards
and said that they believed that HIPAA didn’t even apply to this gentleman
because he isn’t a covered entity. He’s not a health plan, he’s not a health
care clearinghouse, and he’s not a health care provider under HIPAA.
So there was a lot of discussion in the legal community saying
that, you know, people who hack into medical systems to get this kind of
information probably are not subject to the HIPAA civil and criminal
provisions, and that is a gaping hole that needs to be fixed.
When you’re balancing these interests, I think that you would
find when you talk to different patient groups, you’d find that they give very
different weight to the benefits versus the risks.
And the question pretty much comes down to, well, what do you
think you have to lose? If you’re healthy, if you’re young, if you’re kind of
in the background – nobody really knows about you, you probably don’t have
a lot to lose. But if you’re sick or somebody in your family’s been sick, then
the ratio changes pretty quickly.
It also changes depending on in some ways what your background
is. We’ve heard a lot that people who are in different ethnic groups have
different perceptions of these major databases, and a lot of this runs back to
Tuskegee and the mistrust that that engendered in the African-American
community, and that needs to be repaired, even though it’s not clinical trials
going on or things of that sort, but the trust in the clinical community as to
what you can do with health information comes from how you’ve been treated in
Now, there are other groups of people who also have a lot to
lose. If you have the fortune, I guess, of being famous, your information is
probably a lot more vulnerable than somebody who’s kind of anonymous like most
of us are.
When President Clinton was hospitalized, they found 17 people
who tried to access his health information while he was in the hospital who
weren’t supposed to have any access to it. They ranged from doctors to clerks.
Not one of them was fired, I would like to note. They were suspended.
I think that’s what’s noted here is – I’d like to quote
from the newspaper article. They talked to some of the employees. They
interviewed one who’s leaving and she said, “I’m not surprised. People are
nosy. It happens all the time.” So it’s not only President Clinton,
ex-President Clinton, who has to be worried about it.
This curiosity factor also applies to people in small
communities where everybody knows everybody else. It happens to people who work
within the health system – you go into a hospital; everybody knows you.
People are curious, they want to see your records. People know you because
they’re related to you. You’re involved in a divorce action or something of
that nature and people have an interest. So it’s not just people who are
famous, but there’s a large kind of curiosity factor that applies to many just
Also, people who have diseases that are still largely
stigmatized in the community have a lot to lose. Here in Washington, we saw
this a number of years ago with a local hospital where a gentleman went to a
local hospital and he knew the clerk who was checking him in. As a matter of
fact, they both worked at another job together in the evenings.
And the clerk was curious as to why the gentleman was there,
and she found out he had HIV. She went back to her workplace, the other
workplace, and she spread the rumor all around that the man had that
“alphabet disease.” And they made his life pure, unmitigated hell.
He sued the hospital and he won $250,000, even though the
hospital had all these great policies in place about who could have access to
the information. And the reason he won was because even though they had those
policies, nobody was really enforcing them.
There is a recent survey that’s done by HIPAA Advisory which
came out a few months ago which showed that a lot of people are not following
up on the privacy policies that they have in place. They’re not monitoring. And
that just is not following through the way people should.
On the other hand, there are a lot of people who have chronic
diseases for whom following through with having electronic medical records and
following through with their care would provide an unbelievable benefit to how
they can manage their care. Being able to transmit their health symptoms on a
daily basis to their doctor could really remove a lot of doctor visits and
improve their care.
Another thing that we’ve seen – I’ve heard this at a lot
of conferences and in my older age I’m fairly amused by it – there are
some of the younger people who say, “Well, you know, we surf the net all
the time. You know, we don’t really care about privacy that much. We get
information all the time.”
But I’d also like to say that this is the same group of people
where, you know, they get on these Internet sites and they’re not giving
necessarily the accurate information. You know, the 25-year-old male is now an
18-year-old female who’s in college or something.
So, you have a group here that’s used to giving information but
they’re also used to subverting the system, and patients have always tried to
subvert the system and we should be aware that there just may be new ways of
I think some of the unifying things here are that, no matter
which end of the continuum you’re on, people want to have some ability to
control how their health information is used and who it’s shared with and they
want to know who has access to it. They want to be able to trust that it’s
being used properly, as Dr. Lo said, that it’s being used for health care
purposes and not other purposes.
And they want accountability. If somebody violates their
privacy, they want the person held accountable. And I’ve heard this time and
We did a series of focus groups with veterans dealing with how
they felt about having their health information used for research purposes, but
that’s a whole other discussion, but one of the items that came up repeatedly
was: What happens if someone violates the rule and actually discloses the
information? So this is a concern that people have. They want to see
And – which leads to, well, does HIPAA do this? And I
would say it’s a good start, but it doesn’t do it all. In some ways, HIPAA was
outdated the day it was written because the health care system continues to
evolve so quickly that it’s hard to keep up.
One of the areas that really needs to be addressed is that
HIPAA does not directly cover everybody who will have access to health
information, to a health information technology. This is something that has to
be resolved by Congress; it’s not something that HHS can solve.
But as we see, you have many more players coming into the
picture and we don’t know how they are covered, or whether they will be
covered. And the system is leaving the station and the privacy protections are
back on the platform.
In HIPAA, as they are written now, there are at least many
people who believe the penalties apply only to covered entities. That also
needs to be resolved by Congress. Penalties should apply directly to anybody
who improperly accesses health information. And I think that’s maybe what they
were intended to do, but there are a substantial number of people out there who
think that they do not do that.
And I also believe on a more practical note that the
notices of privacy practice need to be improved. They aren’t doing the job, and
it would be, I think, good for everybody to go back and revisit them and look
at why we want them and what information they should have in them and why
they’re not serving the purpose, because time and again we have heard that
people don’t read them or if they do read them, they do not understand them.
MR. ROTHSTEIN: Thank you very much, and I know we’ll have
questions for you at the conclusion of the panel presentations.
And the third witness of this panel is Mr. Thomas McLellan.
MR. McLELLAN: Thank you very much.
I enter the debate on the other side, I guess. I do think the
electronic health record train is leaving and my pitch is really quite a simple
one. That is, that addiction treatment information should be part of the
electronic health record.
And there are really two reasons that I take this position. One
is that it’s necessary for public health and public safety and two, because you
can do it, okay? And I’ll try to be brief and direct in talking about this.
I should say I’m a researcher in the substance abuse treatment
field. I’m a professor of psychiatry in the Department of Psychiatry at the
University of Pennsylvania and I have a small research institute. But I’m not
an advocate; I don’t represent a particular treatment perspective or
I think it’s very important to have addiction information,
substance use and substance abuse information, in an electronic health record
because addiction itself is a chronic illness that requires treatment. There
are at least two million people in specialty care alone, but many more receive
unrecorded care through primary care and other mechanisms of mental health.
Moreover, literally every month, new medications, therapies,
interventions are entering the scene, which means that there’s going to be more
access, more availability, more options. It’s going to be a much more
So, for no other reason, it’s time to acknowledge that
addiction’s an illness, that it’s being treated in the health care system, and
that it needs the same kind of information to manage it as any other illness.
But wait, as they say on the game shows, there’s more. And that
is, that addiction is part of addiction or substance use. Even problematic or
excessive substance use, sub-diagnostic, is a very important part of the
management of lots of other chronic illnesses. Diabetes, hypertension, asthma,
breast cancer, sleep disorders, chronic pain, they all are affected by
substance use. Too often, these illnesses now are badly treated because of
poorly disclosed, unavailable information.
Now, a lot of people think you don’t really need it; this is a
completely segregated system, the addiction treatment, and it’s a very simple
one. You basically take a substance abuser, you put him in a box called –
I don’t know if you have these slides if you’re looking for them – but you
put him in a box called an addiction treatment program. They stay there for 28
days and like a washing machine, they come out a non-substance abuser.
Well, that’s the old days. Now, addiction treatment is much
more like the treatment of other illnesses. There’s an acute care phase,
usually in hospitals, for brief purposes to transfer often to specialty care,
but sometimes directly to continued care. And all of the options that are
available in other areas of medicine are becoming, or are already, available in
the treatment of addiction.
The point here is that like the rest of medicine, like the rest
of health care, addiction also is affected now.
So those are the reasons why I think addiction treatment,
addiction information, substance use information, should be included.
Now I want to tell you why I think it’s possible, and I take
this broadly within the rubric of the Institute of Medicine Crossing the
Quality Chasm principles of patient-centered care. So all the points that I
would make are within that rubric.
First, you might say, no, you can’t really do this with
substance abusers because they have diminished capacity or they have loss of
control; they don’t have the wherewithal to make informed decisions about the
use of their information – and let’s remember, it is their information.
That’s not so.
Yes, people in the throes of withdrawal are under temporary
incapacitation as are patients who have strokes or who have terrible pain. It’s
not qualitatively different. And it is temporary.
What we’re recommending – I’m recommending – is that
the sharing of the information within the confines of the medical health system
be the standard, but as Dr. Lo was talking about, we think within the
boundaries of patient-centered care, the patient definitely has to be notified
of this and definitely has the right to deny that.
Too often now, the standard is not for the benefit of the
patient, just for the sake of reduced workload and hassle, not sharing simply
to hide behind that. Not to say that there aren’t important issues – of
course there are – but my point, again, is that the same issues as lots of
other – of the ones that you’ll be confronting.
Now, unlike other areas, I think there are special provisions
that are going to have to happen if this is to be done the right way, which is
what I think we all want.
One, there are codes for most of the contemporary medications,
therapies, interventions that are presently under delivery. They’re not widely
disseminated, they’re not widely used, and that prevents accurate communication
of things. And I think that’s very remediable.
Finally, however, the addiction treatment specialty care sector
has special problems due to decades of under-funding and segregation really.
There aren’t the capacity for computer integration information management
specialty that there are in the rest of health care, and I think special
provisions are going to have to be made.
So in summary, I think for the sake of patient safety and
public health safety, it is necessary and wise to include addiction information
into the developing electronic health record. It’s good for both the patients
and for the rest of those who are affected by addiction and substance use in
mainstream health care.
Moreover, I think that within the confines of patient-centered
care and existing statutes, it is possible and practical to integrate this
information, and that would be my call.
So – thank you.
MR. ROTHSTEIN: Thank you very much.
Well, those three statements were certainly provocative and
they’ve provoked me to ask several questions, but I will keep my initial
questions short so my colleagues will also get a chance.
I’d like to begin with Dr. Lo and ask you a question that
relates both to your testimony and testimony that we heard this morning. And I
think it’s fair to say that you suggested that certain kinds of sensitive
information should be treated distinctly, is that fair to say?
DR. LO: I’m not sure I’d say that. I just noted that certain
types are currently treated.
MR. ROTHSTEIN: Okay. So is it your position that that should be
changed or that should be continued in some degree in the –
DR. LO: Well, let me go back to the topic.
MR. ROTHSTEIN: Okay.
DR. LO: To the extent that certain types of information are
singled out for special treatment, it makes outcomes research using large
databases on those conditions harder to do because you don’t have access to
comprehensive, integrated information.
So I think as you decide whether genetics or HIV or psychiatric
therapy should be separate or not, keep in mind what you may be giving up in
terms of research that I would argue is close to public health, obviously.
MR. ROTHSTEIN: Okay. Well, instead of asking you the question
then – I’m still determined to ask this question –
MR. ROTHSTEIN: — so maybe I’ll start with Joy and then ask the
others to comment.
We have heard several people clearly say at least that there
should be separate rules for certain unspecified classes of medical information
that’s considered to be sensitive. And the question I have, and I think it’s a
very important one, is whether those should be inclusion rules or retrieval
rules, which are quite different.
In other words, let’s suppose we decided we wanted to treat
Condition X separately because it’s very sensitive. Does that mean that X does
not get into medical records in any place, or does that mean in retrieving
those records, certain classes of people who have access to the records don’t
And I think that’s an important distinction, and so let me ask
whether – I’m not saying you’ve said anything about that; I’m just asking
whether you’ve got a comment about that point.
MS. PRITTS: It is my understanding that there are electronic
health record systems that are designed the way that you spoke of, which is
that all the information is in somebody’s record, but it’s not necessarily
retrievable by all health care providers in a system.
MR. ROTHSTEIN: Yes, I think in Alan Westin’s comment when he
was talking about a segmented health record, he wasn’t talking about six
different health records or six components. I think he was really talking about
a sort of a retrieval algorithm, and so –
MS. PRITTS: I’m sorry – I didn’t see his, but I know I’m
thinking of – I believe it’s Duke University or somewhere; I may have the
MR. ROTHSTEIN: Well, he said that the elements of what he
called a segmented health record were personal identifications, medical
transactions, drug history, mental health which had to be encrypted, life style
information and anonymous data that could be used for research purposes.
And my take on this is that what he was suggesting was a
retrieval algorithm where the information would be in the
record. Yet, an argument could be made that in promoting patient autonomy there
should be certain classes of information that the patient should have the
ability or right to not get into the record at all. And so I’m trying to see if
you buy that and if you do, is it an inclusion rule or is it a retrieval rule?
MS. PRITTS: It’s a hard question to answer. I think it depends
on who – I mean, even within the patient community you’ll get different
answers on that because there are some patient privacy advocates who very
firmly believe that the patient should have the right to say what gets in the
record and what doesn’t get in the record. And that’s kind of on the extreme
edge of things.
I would say the group that’s kind of moved one over from that
says that the patient at least gets to say who gets to see what’s in the
record. And I find it a little disturbing that as we’re talking about the
electronic health record and how consumer driven this is, I keep hearing that
term used with it, that it’s consumer driven, that really the consumer, the way
things are now, doesn’t really have a whole lot of say in who the record goes
to and how they can use it.
The retrieval system helps in that it gives the patient the
option. It kind of fits within the privacy rule because it’s like the patient
can request a restriction on how the information is used for treatment and
payment in saying, “Well, yes, it’s in the record, but I’d prefer that
this information only be available to my treating physicians.”
MR. ROTHSTEIN: So you used the example in your testimony about
things that you did many years ago, right?
MS. PRITTS: Right.
MR. ROTHSTEIN: But under your discussion of a retrieval rule,
you wouldn’t have the right to expunge that now; you would just have the right
to limit who could see it, is that what you’re saying?
MS. PRITTS: You know, on the one hand I think it makes perfect
sense if you want your medical record to be complete to have it all there.
On the other hand, you know, a lot of us would like to go back
and erase things that we did in the past. And they may not really be relevant
And I’m not a physician, so I don’t feel like I’m qualified to
say how relevant some of that information is.
But I do remember the DES cases when they had to go back quite
a bit of time to find out information about mothers who took DES and were able
to make the connection with I believe it was cancer in their daughters.
So, you know, I think from a medical point of view it’s kind of
hard to say that you should be able to really just expunge your medical record
at some point.
MR. ROTHSTEIN: Okay. Bernie, now that the statement has not
been attributed to you, would you like to comment?
DR. LO: No, no – I like your second question better than
DR. LO: I would think that, as you put it, retrieval rules are
a lot more flexible than exclusion rules. So what happens all the time, I
think, in medicine is that it depends on the situation. If I’m coming in for a
vaccination, I think a lot of information really isn’t relevant to that
encounter. If I’m coming in because I suddenly fall down in the street and I’m
comatose, a lot of information, all the drugs I’ve ever been prescribed and
taking become very relevant.
So I think if the data are there, then they’re potentially
usable for the direct benefit of the patient for clinical care decisions and
presumably a treating physician in an emergency or acute situation should have
access to a pretty broad spectrum of information. But if the information never
got in in the first place because of an exclusion rule, then that would be
absolutely irretrievably lost.
MR. ROTHSTEIN: Mr. McLellan?
MR. McLELLAN: Yes, I think the principles are safety and
efficacy first, patient preference second, because they have the rights to
deny. But with those rights come unavoidable consequences.
If you don’t make pertinent information of yours accessible for
your medical care, you cannot expect complete health care.
I still think that’s the right of the patient, because after
all – and it’s quite consistent with the Institute of Medicine’s rules.
But it’s like full disclosure to the patient – yes, you may keep this
sensitive information out of your record, but it may complicate the treatment
of your other condition down the road.
The one that I can’t quite figure out is where public health
and public safety information – the patient has cholera and doesn’t want
that put in his record, is that permissible? What level does that occur?
The other point I would make is that if you go down the list of
things that are seemingly not very sensitive and those that are very sensitive,
you’re going to quickly find that the sensitive ones are way more prevalent
than the not sensitive ones. Even something like a vaccination, you have a
terrible reaction to it two weeks later is going to be sensitive.
MR. ROTHSTEIN: I have one question from your testimony. You
mentioned – I don’t believe you gave a figure, but you said there were
many people who were in drug treatment programs who receive “unrecorded
MR. McLELLAN: Yes.
MR. ROTHSTEIN: How many of those would forego treatment
altogether if it had to be recorded?
MR. McLELLAN: An excellent question. It’s an issue that we’re
looking for all the time. But you can imagine if you don’t know how – I
don’t even know how to ask that question.
The answer is I don’t know. But it is widely reported. Not just
for substance abuse but for mental health diagnoses of all types. Physicians
prescribe medication under a different diagnosis. They don’t record them at
all. The primary care physicians give brief interventions for substance use
that aren’t recorded at all.
MR. ROTHSTEIN: Yes. I mean, that’s one of the things that does
give me pause. If we adopted an inflexible, non-patient-controlled system, are
we going to have a proliferation of Mark’s drive-through, no-record,
no-research, no-questions-asked health care that would cater to people who are
very privacy conscious and would we be, you know, making things worse not only
for their treatment but for all sorts of other things that we’re concerned
about – public health and research and so on?
Let me recognize other members of the Subcommittee with
questions. Mr. Reynolds.
MR. REYNOLDS: In one of the previous presentations, it talks
about the public being divided equally between – 48 percent say that the
benefits outweigh the risks to privacy and 47 say the reverse. As I listened to
the presentations – we had a class last week on how to look at things
maybe differently, and I heard “no, because” and “yes,
So as you hear presentations, some people say, “No, don’t
do it because of this” and others say, “Yes, do it because of
this.” So think about how you would answer it if you said “yes,
if” or “no, if.” In other words, “yes” – so, Joy,
for example, in your testimony, you obviously have a lot of good points of what
the concerns are. But if this were to happen, what would be the list of
stipulations that would absolutely need to be, you know, foundation agreements,
and the same thing with Dr. Lo and the same thing with Tom.
So, you know, that’s because we continue to hear testimony
where it’s very clear that there are keen points of view. And those points of
view all have merit. But as you try to drive to if this should or shouldn’t
happen and if it does, what would be the stipulations under which you could
take the 48 and 47 and try to make somebody – you know, make that a much
larger number that accepts it and then the ones that don’t, they would have
some way to do something. So –
And I’m not asking you to re-testify everything, but just
– you know, those are the kind of things that I’d just love your opinion
as to whether those approaches would be more of a way to really get to the
bottom line on what ought to happen.
MS. PRITTS: I see your point, and I think that there are some
basic issues that – first of all, I think that it’s going to happen
whether you want it to or not because people are moving into electronic health
records. They’ll do it in the medical field just like they’ve done it in every
other field. So I don’t think that’s a question. It will happen.
And so, when it is happening, I think that it’s essential that
– I mean, this kind of goes back to really the basic. I think that if
people trusted the system a little bit more, then you would weigh more towards
people who saw the benefits. But people don’t trust the system right now, and
so I think the question is, well, how do you make them trust the system?
And one way you make them trust the system is you make sure
that everybody who has access to the information is subject to penalties if
they use the information incorrectly. I mean, and in an ideal world, what you
would also do is you’d say, you’re going to have health insurance no matter
what your medical condition is.
And since you asked, I’m going to go there, because I think
that one of the reasons people don’t like their medical information being kept
in electronic form where it’s, you know, shared a lot between health care
providers and insurers, they don’t like their insurance companies to know
what’s wrong with them. And the reason they don’t want them to know what’s
wrong with them is because they’re afraid they’re going to lose their health
And I don’t know that you’re really going to solve this issue
until you solve the general just health care issue of how people get health
care in this country. I know that’s not really where we wanted to go with this,
but I think it’s a macro level issue that really needs to be addressed because
I think fears would be much reduced if people weren’t afraid they were going to
lose their job and they were going to lose their insurance and then they’re
going to lose their house if they get sick.
MR. REYNOLDS: I understand when you asked a “yes, if”
you expect –
MS. PRITTS: Okay!
MR. REYNOLDS: No, it brings the issues right – well, maybe
a little more clearly.
MR. McLELLAN: I’ll throw my two cents in. I don’t think there’s
anybody who wouldn’t say yes if, just as you were saying, the system were
secure and under their control.
I’m on an Institute of Medicine panel right now looking at
quality of care issues, a follow-up to the Crossing the Quality Chasm. We’re
debating this issue because there are tremendous errors in medicine at all
levels because of lack of information. At the same time, there are dangers.
But nobody, I think, would take the position that it is
inherently bad to have that information in the hands of people that can do you
good. The question is how, not whether, how to keep it out of the hands of
people that can do you harm, and who has authorization.
The second question, I think, was answered by the Institute of
Medicine in their last report, and that it’s patient’s information. It’s not
the health system’s information, it’s the patient’s, and that person has the
right to ultimate decision with the attendant responsibilities for what occurs
in the course of their care.
Now, that’s quite glib for me to say it’s simply a question of
how. There are lots of thorny issues. Financial systems have been very good
– not perfect, but very good at handling this kind of information. Perhaps
you can learn lessons from them.
MR. ROTHSTEIN: Dr. Harding? Did you – I’m sorry –
MS. PRITTS: I disagree with something you said. I think there
are some patients, there is a group of patients, that even if the information
were secure, there would be a large difference of opinion as to who should have
access to that, even within like researchers.
Some people feel it’s my information and even though they’d be
in the public good, I don’t want researchers to have information to it unless
they ask me. And it goes back to what you’re saying about asking, but it’s not
that it’s secure. It’s almost like the sense of ownership, that it is my
information, it’s part of me, and, you know, I want people to at least ask me
if they can have it.
MR. ROTHSTEIN: Richard?
DR. HARDING: You, Mr. McLellan, have raised a unique thing of
testimony that we have had for some time where you have suggested that we
should have substance abuse, or one of the sensitive issues, made a part of the
general record instead of being separated out in some way. I think you’re the
first person who has made that recommendation to us.
Now, is that because you’re saying that the bar should be
raised for all medical issues and therefore high enough that sensitive issues
can be covered. That’s what you’re saying today.
MR. McLELLAN: I’m saying there’s nothing qualitatively
different about venereal disease, mental health illnesses, infectious diseases,
substance use, that make it so distinct that it shouldn’t be a part of it.
I don’t think it has anything to do with the information or its
relevance to health care. I think it’s merely a historical fact that some
illnesses have been segregated financially.
DR. HARDING: Okay. And because of prejudice or whatever, okay.
So then your issue is with access to that information.
MR. McLELLAN: Yes.
DR. HARDING: You want it all in there.
MR. McLELLAN: Yes, sir.
DR. HARDING: But then who accesses it, or how it’s accessed?
MR. McLELLAN: My point specifically is if you made a system
that would protect a person with venereal disease or who had abortion or
anything else, that system would easily accommodate substance use information,
mental health information, Alzheimer’s information, things like that.
DR. HARDING: Does anybody else have a comment about that?
DR. LO: Well, is it pertinent that substance abuse is often
linked with illegal activities and the legal implications are more than what
occurs with these other medical conditions?
MR. McLELLAN: Not within the confines of the health care. It
doesn’t matter to the doctor that’s treating it whether –
MR. ROTHSTEIN: But it does matter to the patient when the
DR. HARDING: The crack mother —
MR. ROTHSTEIN: — come in and subpoena the records. I’m sorry
DR. HARDING: The crack mother or something like that.
MR. ROTHSTEIN: Yes. Ms. Wattenberg, you wanted to say
MS. WATTENBERG: Yes, and I’ll just sort of add on some comments
You know, for those of you who know me, and I work over at
SAMHSA, I think I have finally sort of really gotten substance abuse in the
protection of those records and that we have this other existing Federal
statute – it’s the Part II regulation – I think I’d like to pat myself on
the back, sort of fairly successful in that. And here I, you know, invite Tom
to come, knowing that he was sort of in direct opposition to that.
You know, I do think that –
MR. ROTHSTEIN: Your open-mindedness is much appreciated.
MS. WATTENBERG: Another pat on the back, right?
MS. WATTENBERG: You know, but there are issues about, you know,
avoidance of help-seeking behaviors, and I do think that there is this overlay
of the legal issues that HIPAA does not protect records from law enforcement in
the same way that Part II does.
So I’m not sure that that’s sort of what SAMHSA would be
advocating or that, you know, a large portion of what the substance abuse
community would be advocating. And yet, as I pointed out in one of the previous
hearings, right now substance abuse information, health care information, is
subject to sort of this very myriad implementation where if you’re doing
screening a brief intervention in an emergency room because you don’t meet the
definition of a program, some information is part of the general health care
record. And yet if you’re from a program like a Betty Ford Center, then that
information is not part of the health care record.
So, you know, in preparing and sort of talking to people for
this particular hearing, I now have a list of like 20 things that we in the
substance abuse community really need to think about.
That’s all I want to say.
MR. ROTHSTEIN: I’d like to recognize Bob Hungate now.
MR. HUNGATE: Thank you. I was just trying to get my arm in
front of Richard.
MR. HUNGATE: I take some of my information from The New
Yorker instead of from health services researches and listened to Dr.
Groopman and Dr. Atuguaday(?) in their recent articles about medical
Groopman talked about the fact that there is little research on
pediatrics in many medications. In your comments on Celebrex, I think wouldn’t
it have been nice if somebody took the database that you referred to and parsed
it and found out which of those patients were particularly susceptible and
published that two years ago instead of now?
Patients don’t understand how much is lost by not doing that. I
learned it when I worked at Hewlett Packard and sold medical devices and began
to understand the silo that we drew around our product and the silo the
profession did around their product.
And with electronic health records, we can cut across that and
use database research to do some more things. But patients don’t have the
understanding of that. And so I think it’s different if there were some
organization that were doing that for my benefit and I knew it, I would be more
willing to divulge it than to this broad spectrum of researchers who are
nameless people that I know nothing about. It just seems to me there’s
something there that’s not done that might help the understanding.
DR. LO: Again, let me try and tie that back with Dr. Reynolds’s
“what if” question. I mean, I think what you’re suggesting I would
certainly agree with is that patients really need to understand the potential
benefit of the uses of health information that are not the classic that doctor
and nurse taking care of you looks at in the medical record.
But I think that when we’ve talked about how this all has to be
patient-centered and a patient has to have the final say, we want that to be an
informed decision. I think this morning you heard a lot of testimony that the
current notification under HIPAA where you get this piece of paper and some
people don’t even remember getting it doesn’t do that job.
So I think there needs to be some effort, and I think you’re
right. If people really understood what certain types of outcomes research
might do, how it might benefit them or their families, and the protection that
would be taken to make sure the data doesn’t leak out, then I think they would
make an informed decision.
And I think most people would say, sure, if you can tell me
whether Drug A works and doesn’t from this data, not a final answer but better
than just sort of my doctor’s personal opinion, let’s go for it.
MR. HUNGATE: My sense is that that would have to be an
independent entity, a UL lab kind of a thing that’s separate that looks across
the system and has obligations, a vetting process that guarantees that it is a
kind of an entity that’s different than the vested entities people are
accustomed to dealing with.
DR. LO: And that entity needs to be very transparent and very
accountable back to the public.
Yes. I have things like that in public health. I mean, we have
public health departments that try and achieve that amount of trust by sort of
really going the extra mile at least in crisis situations to explain, to be
credible, to address concerns and fears.
MR. HUNGATE: But it’s not well understood.
MR. ROTHSTEIN: Yes, Mr. McLellan?
MR. McLELLAN: I’ve come to think of it, again, as part of the
deliberations in our IOM panel as the same kind of a disclosure and
conversation that you would get in if you were starting to talk with the
patient about surgery.
You have a recommendation and it’s based, if you’re a physician
or you’re part of the health field, you have a recommendation based on the
research, you have a recommendation based on prior care. It’s ultimately the
patient’s decision. So that’s why you’re trying to inform them.
And I see it the same way with regard to the collection and
utilization of information. I think it is a fact that if all information that’s
pertinent to health care is not available within the health care system, there
are risks, definable risks, to safety and benefit.
Ultimately, the patient must weigh those risks versus what
he/she is willing to share. And that’s how I’ve come down on it.
MR. ROTHSTEIN: Well, I’d like to follow that up because I think
Dr. Lo’s provocative suggestion regarding automatic access to database research
is perhaps more radical than people think at first hearing because with the
exception of the kinds of waivers that an IRB or a privacy board could give
with regard to authorization or informed consent to researcher access to
certain database information, we have not since Nuremberg recognized the
dichotomy between clinical intervention and other forms of research.
And I think what I hear you suggesting is some sort of
carve-out justified by the sort of the public health/research value of doing
that. I mean, you might be able to make an argument that is persuasive to some
people, but it clearly is, it seems to me, a major shift from the way we
currently view research. And I’ll give you a chance to respond to that.
Even if one could support that on its own merits in terms of
public health in the broadest sense, I think we would need to be concerned
about the slippery slope to other areas including anti-terrorism where Homeland
Security might want real time monitoring of all the people who come in with
fevers et cetera, et cetera, et cetera.
And so that we appreciate that privacy costs, and part of the
cost is clinical care and part of the cost is public health and part of the
cost is research and so on. I would be much more comfortable with your
educational model where people were better informed about the value of broad
participation in research studies certainly that don’t have any physical risk
to them and the value of the security protections that would be built in and so
forth than this change from the way we’ve viewed research for the last 50
So I wonder if you could comment on that.
DR. LO: Well, first I would want to try and make a difference
between – there’s a spectrum of outcomes, databased research, and I think
some of it frankly is of the trivial who cares and some of it, I think, starts
to get very close to other areas where there’s evidence that there is some
public policy that supports access without patient consent.
So states that have cancer registry, you don’t consent to have
your case included in the cancer registry; your legislature voted to have that.
And you can go to the legislatures and repeal the law but that was a public
policy geared for a specific condition with certain kind of qualifications.
MR. ROTHSTEIN: And all sorts of infectious disease reports.
DR. LO: And again, I think the most recent sort of attempts to
balance the need for public health access to data and protections for privacy
and individualized more generally have tried to sort of say both values are
very, very important. We would like to have both, but there are situations in
which the individual may not have the right to say I’m not giving you
information. Certainly in public health, that’s most apparent because there’s
immediate, serious, visible harm to individuals which you’ll be able to
With databased research, it’s statistical harm, but the number
of people potentially affected – you know, again, people can sort of
extrapolate numbers, but some people are saying as many as 10,000 people may
have had heart attacks, fatal heart attacks, due to use of these Cox-2
inhibitors when in fact, had it been known, they would not have been on the
So I think you have a tremendously important task to sort this
all out and as you all know, the sort of directness of the threat and the
threat to identify individuals makes it more pressing. But I think we do need
to sort of at least be open to the possibility that there’s some types of
research that may be so beneficial for the public, so serious, so widespread,
that we may choose to say that if we can get the safeguards strong enough and
have the public understand it well enough to agree, we may be willing to
proceed without individual –
MR. ROTHSTEIN: And how would you make that determination of
whether it’s so important, and who would make the determination of whether
that’s so important that it could be accessed without consent or authorization?
DR. LO: Again, I think it really comes down – I mean, I
think you were getting at that question. It needs to be someone who’s perceived
as trustworthy, someone who’s accountable, and someone who is transparent in
terms of stating actually what’s being done, why it’s important, and, you know,
the ability to sort of have that decision reviewed.
And again, in public health now we’re sort of thinking about
what are the parameters under which we will allow a governor or a state
department of public health to declare an emergency with quite broad powers but
having some sort of due process procedures that makes the public feel that
they’re not overstepping their bounds. But I think there are models.
MR. ROTHSTEIN: Joy?
MS. PRITTS: Yes. I’d like to announce that many of the states
that have these disease registries like cancer registries also have very
stringent rules that are imposed directly on the people who have access to
those registries as to what they can do with the information and how they can
share it. A little different than it is currently at the Federal level where
you only have – it’s kind of bootstrapped in where the provider is the one
who really bears the responsibility for ensuring that the researchers have their
ducks in a row so that if you were to move to any system such as is suggested
by Dr. Lo, I think it would be imperative that the laws address the researchers
directly, not through this indirect fashion. And that would, I think, really go
a long way to help people trust a little bit more if they knew they are
directly responsible and they are directly accountable if they do something
wrong with the information.
DR. LO: I think you could make that even stronger. You could
say that you may not pass that information on to a third party.
I think the other thing that must be kept in mind is that you
only need the initial identifier to link the data. Once you have your database
to do the Cox-2 study, you can turn it over to the researcher in de-identified
Now again, someone with enough computer time and savviness
might be able to identify some people, but you could make that as
de-identifiable as you’d like once you’ve got all the information in place.
Now, you lose the chance to go back. You have to reassemble the data to do a,
you know, five-year follow-up down the road, but those are the sorts of
tradeoffs I think that you have to look at.
MR. ROTHSTEIN: So maybe you’re saying that if we did that,
besides the things that Joy suggested, we might consider a kind of minimum
necessary and least identifiable form consistent with the uses requirement to
DR. LO: Yes – well, I would be willing to go further, that
this isn’t sort of an open-ended, here’s a great database; see what you can
mine it for. It’s that we have a really pressing problem; let’s create a
database tailored to that and then we don’t want you to really use it for
anything other than this extremely pressing research question which we think
really is so close to public health investigation that we really want to treat
it similar to that. And this is what public health officials are used to doing.
MR. ROTHSTEIN: And maybe some sort of board to make those
MR. HUNGATE: I’m an old marketing guy, and you got to look for
somebody that wants something. And Vioxx is up in lights. We don’t have all the
data we need to know what’s right. If Vioxx comes back on the market, why
shouldn’t the piece of paper that you get at the druggist when you get your
drug say, “This is going to be treated as data in a public health way and
these are the safeguards and we’re going to do this with this information. And
a condition of taking this medication is that you’re part of that trial.”
Now, why couldn’t we do that?
DR. LO: Well, I think you could, and yet there’s a precedent
for that in the FDA with warnings for Accutane for women who might become
So I think, again, to the extent that you tailor it and you
offer people alternatives and have ways to educate them, I think that’s an
option you would want to look at.
MR. ROTHSTEIN: But I think you would have to do it on a
case-by-case basis. You couldn’t automatically turn everyone who took a
prescription into a research subject.
DR. LO: No. But I’m thinking that we have a public privacy
issue here and a need to communicate a way of doing things that’s different.
And we have a medication that is up in lights. And so there’s a way of
physicians I think a teachable moment, public, and limited to that specific
medication, to test.
MR. ROTHSTEIN: Well, it may be going forward that people are on
notice of that, but we’ve needed to look back.
When Vioxx came on the market, there wasn’t the assumption
DR. LO: No, I understand. But I’m thinking that why not create
an entity which is the kind of entity we think would be needed to guarantee the
privacy around a specific example and do a test? That’s kind of what I’m
MR. McLELLAN: My only point on that is Vioxx is the most recent
and visible example, but how do you know that the next, there’s not a drug
tomorrow that’s going to come out?
That’s why I’m arguing that the standard ought to be sharing
but the thing that I would disagree with you about is that I wouldn’t make it
mandatory. I would give the patient the ultimate right to not participate.
DR. LO: Well, I think I would agree with that. But all I’m
trying to argue is that rather than go off and study this approach for some
time and think about what the best way to do it is, an alternative is to also
test. And that’s the part that I’m trying to articulate as a way of also trying
to grapple with this.
MR. ROTHSTEIN: Joy, did you want to comment?
MS. PRITTS: I find this discussion pretty disturbing. I think
that at the state level when you have cancer registries, they’ve at least been
enacted by your state legislature and if you don’t like it, you vote them out.
So there’s accountability there.
The idea of having some kind of nebulous entity deciding when
something becomes an issue enough that you’re going to do this, I just find it
MR. ROTHSTEIN: Well, there is I think clearly a sense of
potential abuse or slippery slope or whatever and whether it can be saved is an
open question and what the price in privacy we would pay for putting that into
effect is remains to be seen. I mean it’s now Issue Number 87 for us to deal
Other questions or comments for this panel?
Thank you very much for your testimony. We appreciate your
We will take a 15-minute break and then proceed with the rest
of the afternoon’s agenda.
[Break from 2:58 P.M. to 3:16 P.M.]
MR. ROTHSTEIN: We are back with our hearing, the National
Committee on Vital Health Statistics Subcommittee on Privacy and
We have two individuals who have signed up for public
testimony, and so we are happy to recognize each of them for five minutes. The
first one is Kathryn Serkes.
MS. SERKES: Thank you. I’m Kathryn Serkes. Today I’m speaking
on behalf of the Medical Privacy Coalition, and that is a coalition of 29
groups, a nonpartisan coalition including the American Conservative Union, the
American Mental Health Alliance, American Policy Center, Americans for Tax
Reform, Citizens for Health, Foundation for Health Choice – I’m not going
to read all 29, I promise – Free Congress, Public Citizen’s Congress Watch
project, the Republican Liberty Caucus, American Psychoanalytical Association,
the World Privacy Forum, and Citizen Health Advocacy Group and the Association
of American Physicians and Surgeons. Also, the Pain Relief Network and the Drug
Policy Alliance, which I mention in light of the testimony on the addiction.
I have just a couple of brief comments for you today.
Particularly this morning, you heard about the attitudes in the survey that
were presented, attitudes on privacy, attitudes on the success or problems with
HIPAA. And I’d like to give you a little bit of information to tell you about
privacy in action and the application.
A survey of AAPS physicians shows that physicians believe that
third parties ask for information that they believe to violate confidentiality,
overwhelming number of physicians. Fifty-one percent of physicians surveyed
report such requests from government agencies that they believe stretch the
bounds of privacy, and 70 percent believe that requests from health plans
exceed what is necessary and violate privacy.
Now, on the patient side, 87 percent of physicians surveyed
report that a patient had asked that information be kept out of the record, and
78 percent of physicians said that they had indeed withheld information from a
patient’s record due to privacy concerns.
While only 19 percent would admit to lying to protect a
patient’s privacy, which may have been a loaded word, 74 percent state that they
have withheld information for that reason.
Okay, so that’s what we have in practice.
The Medical Privacy Coalition objects to the standard in
general of the way the privacy is enforced now in that it is based on the
assumption that there is a compelling need for the individual’s medical
information and the position that the public health usurps the individual
rights. That is a concern of the Coalition.
Patients who fear disclosure of their sensitive information to
government agencies have no choice but to withhold the information from the
physicians. That’s the perception now of patients.
Another area of concern is law enforcement. The biggest
concern – you talked about research; you’ve heard from people talking
about the payment, et cetera – but the biggest concern for members of the
Medical Privacy Coalition is government access to the medical records. And as
you heard Joy Pritts talk about patients subverting the system, that’s what we
have now, is we have increased ways for a patient to try to subvert the system
by asking that information be withheld from the record.
I’ve given you the survey information. Anecdotally, I can tell
you that physicians tell us that the requests are on the increase to withhold
I’d like to also respond to a couple of things that we heard
in the testimony. Dr. Westin’s presentation about the privacy notice – he
said 32 percent say they had not received a HIPAA privacy notice. We would
contend that people may or may not have received that privacy notice, that
people don’t really know whether they’re getting it or not, because as some of
you remember, when you go in to see a new physician, you’re signing a lot of
papers. So we’re not sure about that. The problem is that they don’t know what
they’re signing when they’re signing. They think they’re signing a consent form
for privacy as opposed to – they still don’t get it – that there is a
difference between the consent and being advised of the information under
The Chairman talks about the issue of retrieval versus
inclusion in the record and the problem with that. This brings up the issue and
it has been mentioned around, the difference between the clinical use of
information and the others – payment, research et cetera. And there is a
need for clinical use of the information, there is a need for inclusion,
because that is the concern now, is that physicians are getting incomplete
medical records because of the privacy concern.
And the area of addiction that we brought up is that patients
foregoing treatment, and it was suggested that patients would forego treatment
if everything had to be included in the record. The difference between
addiction and other illnesses or infectious diseases is the issue of law
enforcement because patients are concerned about law enforcement access to that
And the difference here is that because of the way that HIPAA
was written, nothing in the rule, if you remember, nothing in the rule permits
covered entities from avoiding disclosures required by other laws. And there
are limited restrictions on law enforcement. So we believe that the information
from law enforcement, that the Fourth Amendment should apply to this
information as well. Medical records should be at least as well protected as
the papers in one’s home.
Do you follow me on the difference with addiction? You’re
talking about the illegal use of substances. So patients fear the criminal
prosecution when they put that into their record, not just whether they will be
stigmatized because they have AIDS or because of cancer.
The Chair also asked the question whether we would end up with
a whole new class of drive-through type of medical treatment where there are no
I can say that we have that now. We’ve seen a large increase in
the number of cash-based practices. We call them patient-doctor direct
practices where there is no third party payment and patients frequently are
doing this to avoid privacy intrusions or because of their concern for privacy.
They are preferring to pay a doctor directly and they may or may not file an
insurance claim, depending on their concern for privacy.
What we’re seeing now is that the benefit of any IT advances
will be lost unless patients and physicians can be guaranteed privacy. I think
that’s been a recurring theme in what you’ve heard today.
And I think I agree with what Joy Pritts mentioned, that HIPAA
was almost obsolete when it came into effect because we now need a new set of
rules. HIPAA was really geared to moving towards a national database, moving
towards a centralized idea of medical records and centralized electronic
And what we’re seeing now is a push away from that. We’re
hearing patients say, we want electronic medical records, but we don’t
particularly want them to be in a government nationalized database of medical
records. We can see the savings, we can see the advantages of having electronic
medical records. I can see the advantage of having my physician be able to
share with another physician and having an electronic medical record.
What’s really ringing with patients now is the personal health
record. Again, back to the issue of patient-centered and controlled, where the
patient controls the record. And in fact the Association of American Physicians
and Surgeons is working with a company named WorldDoc that has a personal
health record – exactly that, controlled by the patient. The patient
chooses whom to give the information and what parts of the records to give the
information, which gives the patient the confidence that that is being
And just as a sidelight on that, of the physicians who have
started using this personal health record, eight percent of the patients are
actually paying an annual fee to be able to use that type of system. So there
is a demand for that.
I would like to sum up by saying that we would like to see the
personal health record as the first step so we can try this out and move
towards that so that the patients are in control. And the bottom line is that
Joy Pritts asked, how do we make patients trust the system again? And there is
a simple, though not particularly easy, answer, and that is to reinstate the
issue of consent. Rather than advising patients of how their records may be
used and their information may be used, but reinstituting the actual provision
of consent, once again allowing patients to decide and make the decisions how
their medical records will be used.
Thank you very much.
MR. ROTHSTEIN: Thank you. If you could stay there for just one
second, I have one quick comment and a short question as well.
On your statement about the notice of privacy practices, I went
to a new physician about two weeks ago and I filled out all the papers and the
last thing that I was given was the acknowledgment form to acknowledge that I
had received the notice of privacy practices, which I had not been given.
And so I felt compelled to –
PARTICIPANT: They didn’t know who you were!
MR. ROTHSTEIN: — initiate a discussion as to the obligations
of a covered entity under the privacy rule. And I said, “Don’t you think
it would be a good idea if you would give me a copy of the document that you’re
asking me to acknowledge that I have received?”
And the response was, “Nobody wants to see them, nobody
reads them when we give them the copies anyhow; why would you want to read
MR. ROTHSTEIN: And so that was a bad idea to ask me a
“why” question. So then we critiqued line by the –
MR. ROTHSTEIN: Okay.
MS. SERKES: The question is, did you ask them for a restriction
to see what they did?
MR. ROTHSTEIN: I’m seeking new medical care now.
MR. ROTHSTEIN: Okay. The question that I have is: Do you have a
copy of that survey that you referred to that we could –
MS. SERKES: Yes, it was a very short – essentially the
questions that I mentioned were the questions that were asked.
MR. ROTHSTEIN: Okay, but can we have that in some sort of form?
MS. SERKES: Certainly.
PARTICIPANT: Is it on your website?
MS. SERKES: No. I will email that to you and – I’ll email
it to Marietta —
MR. ROTHSTEIN: If you would email it to Marietta, that would be
MS. SERKES: — so you have it for the record.
MR. ROTHSTEIN: Okay. We have another question.
DR. FITZMAURICE: I wanted to follow up on what our esteemed
Chairman was asking about the survey. You mentioned a large number of
government agencies’ requests for information to doctors, that they reported
receiving a large number of requests.
It could be disturbing, but I wonder how many of those were
Medicare and Medicaid information requests to make decisions about the
reasonableness of claims, that it’s something dealing with a payment, for
example, versus another purpose such as law enforcement or public health. Did
the questionnaire get at any of that information?
MS. SERKES: No, that’s why I say the questions were as simple
as I stated them, and so I guess that reflects that you’re correct; some of the
questions that may have been asked may have been for treatment, but at the same
time that the physicians felt that they overstepped what was necessary, I guess
if we want to go back to the issue of the minimum necessary, that was necessary
for the treatment, payment or operations into violating confidentiality.
So the short answer is I can’t answer how much of that was
treatment and how much of that was law enforcement et cetera.
MR. ROTHSTEIN: Thank you very much.
MS. SERKES: Thank you. We’ll be happy to work with the
Committee any way we can to advance the personal health records.
MR. ROTHSTEIN: Our next public witness is Sue Blevins.
MS. BLEVINS: Good afternoon. I’m actually speaking on behalf of
Robin K. first who has prepared a one-minute statement and then I’ll speak on
behalf of the Institute for Health Freedom.
Robin K. is a private citizen and I’m going to read her
“My name is Robin K., an attorney who has tracked medical
privacy since 1996 as a concerned private citizen. Thank you for allowing the
opportunity for Sue Blevins to present my comments today. My comments are as
“Some things in life are obviously not good ideas. Some
things usually have demonstrable risks associated with them, like driving
without your seat belt, smoking in bed, leaving your wallet out where strangers
can take it, or throwing sensitive personal health information out in the trash
without taking precautions to protect against identity theft.
“In the rush to embrace technology, well-intentioned
Federal officials and consultants are ignoring hard evidence that putting
ultra-sensitive medical information into electronic format and exchanging such
information between health care providers and entities will expose sensitive
medical information to being hacked into and wrongfully disseminated.
“The danger of wrongful access or human error resulting in
wrongful dissemination has been demonstrated again and again, yet the Federal
government is contemplating requiring every citizen to have his medical
information placed into an electronic medical record that tracks him from birth
to death. In a free country, shouldn’t it be up to each American citizen
whether he wants to accept such a risk of exposure of his sensitive medical
“I have testified in front of this Committee that if
electronic medical records are the wave of the future, regardless of the
inherent risks involved, each citizen should be able to opt in or opt out of
such a system.
“My central premise that private information stored
electronically is wrongfully exposed again and again continues to manifest
almost daily. Just this month alone, it was reported that a confidential list
of 4,500 persons with AIDS and 2,000 others who are HIV positive, mostly living
in Florida, was inadvertently emailed to more than 800 Palm Beach County health
“Also this month it was reported that ChoicePoint Inc., a
company in Georgia that gathers private information on nearly everyone in the United States, transmitted personal
data on as many as 145,000 persons to thieves using stolen identities to create
what appeared to be 50 legitimate businesses were found to be fake companies.
“And last month, the public learned that a hacker in
California was able to read Secret Service emails and files after he breached
the cellular network of T-Mobile. Ironically, he did the hack-in during the
Secret Service’s ongoing investigation targeting underground hacker
organizations. This is a classic example of how vulnerable an electronic system
can be. In this system, it was a hacker who was being pursued by the Secret
Service who breached their own electronic communications system.
“Time and time again, these examples show that no
electronic database system is foolproof and failsafe.
“Therefore, with such obvious risks of improper access of
information, a resulting invasion of privacy, each and every American citizen
should be given freedom of choice whether he wants his sensitive information to
be stored electronically.
“In conclusion, in view of these seemingly unending and
inappropriate electronic disclosures and violations, no citizen should be
compelled to risk a similar disclosure of his most private and personal medical
“Thank you for this opportunity to share my thoughts on
And this was written by Robin K., who is an attorney and
really, really cares about this issue.
Now I’ll read a statement on behalf of the Institute for
Health Freedom, and I’m speaking as Sue Blevins now.
Good afternoon. My name is Sue Blevins, and I am founder and
President of the Institute for Health Freedom, a Washington, DC-based think
tank that studies and reports on individuals’ freedom to make their own health
care choices and to maintain their health privacy, including genetic privacy.
It is clear from thousands of public comments submitted to the
U.S. Department of Health and Human Services and public opinion polls that
Americans highly value and expect medical privacy. Citizens want to exercise
the right to give or withhold consent before their personal health information
is shared with others.
Unfortunately, however, the Federal medical privacy rule,
which was released in December, 2000, and modified in August, 2002, eliminated
the precious right to give or withhold consent before one’s personal health
information could be accessed by many others.
Thus, until the right to give or withhold consent is restored,
individuals do not, and I repeat do not, have control over who has access to
their personal health information. And I need to interject there and say the
Office for Civil Rights really needs to make that clear. The public is still
confused, and in fact that Office’s website states the exact opposite, so the
public really needs to be told the truth, that they do not have control over
the flow of their personal health information.
Additionally, moving toward adopting electronic health records
is a recipe for privacy invasions, and here’s why. It is clear that combining
the lack of consent with adopting electronic medical records would lead to a
greater number of persons accessing patients’ medical records without their
The U.S. Department of Health and Human Services acknowledges
concerns about electronic health records, and I want to read three quotes from
HHS’s own analyses that were released with the Federal medical privacy rule
regarding electronic information. The first quote:
“The electronic information revolution is transforming the
recording of health information so that the disclosure of information may
require only a push of a button. In a matter of seconds, a person’s most
profoundly private information can be shared with hundreds, thousands, even
millions of individuals and organizations at a time.”
And I’d be happy to provide references for these quotes.
The second quote, and this one is very, I think, important to
health care providers:
“In short, the entire health care system is built upon the
willingness of individuals to share the most intimate details of their lives
with their health care providers. The need for privacy of health information in
particular has long been recognized as critical to the delivery of needed
medical care. More than anything else, the relationship between a patient and a
clinician is based on trust. The clinician must trust the patient to give full
and truthful information about their health, their symptoms and medical
history. The patient must trust the clinician to use that information to
improve his or her health and respect the need to keep such information
private. In order to receive accurate and reliable diagnosis and treatment,
patients must provide health care professionals with accurate, detailed
information about their personal health, their behavior, and other aspects of
their lives. The provision of health information assists in the diagnosis of an
illness or condition and the development of a treatment plan and in the
evaluation of the effectiveness of that treatment. In the absence of full and
accurate information, there is a serious risk that the treatment plan will be
inappropriate to the patient’s situation. Individuals cannot be expected to
share the most intimate details of their lives unless they have confidence that
such information will not be used or shared inappropriately. Privacy violations
reduce consumers’ trust in the health care system and institutions that serve
them. Such a loss of faith can impede the quality of health care they receive
and can harm the financial health of health care institutions.”
There’s one last short quote:
“Patients who are worried about the possible misuse of
their information often take steps to protect their privacy. Recent studies
show that a person who does not believe his privacy will be protected is much
less likely to participate fully in the diagnosis and treatment of his medical
condition. One in six Americans reported that they have taken some sort of
evasive action to avoid the inappropriate use of their information by providing
inaccurate information to a health care provider, by changing physicians, or by
avoiding care altogether.”
So in conclusion, I think it’s very important for us to
consider that basically, unless we reinstate consent and uphold true rights to
privacy, we’re putting all citizens in the position of choosing between three
One, they can seek care and have information shared without
Two, they can lie to their health care providers and others if
they really want their privacy.
Or three, they can forego care altogether in order to maintain
And I have to add that for some people maybe privacy isn’t an
issue and they aren’t being squeezed or pressed to choose between those three
options, but I’m sure, as you probably heard today, many, many people care
So I want to thank you all for the opportunity to comment today
and for considering these comments and I think for your work on trying to help
privacy become a reality in this country. Thank you.
MR. ROTHSTEIN: Thank you. A couple of quick questions.
Do we have a copy of that study that you referred to where you
said one in six took evasive action?
MS. BLEVINS: I’d be happy to get that for you.
MR. ROTHSTEIN: Thanks.
MS. BLEVINS: That was cited in the HHS’s – when they
released the privacy rule, but I’ve cited it in a paper and I’ll make that
available to the Committee.
MS. WASSERMAN: That actually, Mark, was, I think, the health
privacy project – sorry. The California HealthCare Foundation had that
MR. ROTHSTEIN: If we can get copies of that, though –
MS. BLEVINS: Sure. HHS is cited, but I’d be happy to get that
for you, too.
MR. ROTHSTEIN: Yes, I’d like to see the original. And can we
get copies of the statements that you read?
MS. BLEVINS: Absolutely. Those I can send them on electronic
format so that –
MR. ROTHSTEIN: Okay.
MS. BLEVINS: — they’re easier to transfer.
MR. ROTHSTEIN: And now I have one question about consent, and I
really don’t want to spend too much time on this, but it’s a point that I think
has to be made.
The Committee has spent hours and hours on the issue of
consent, as most of you know. I would support consent only because it’s a
traditional prerequisite of medical care and is, I think, a very important
I don’t think it has any practical value whatsoever because if
you go back to my visiting this new physician two weeks ago and they put a
bunch of papers in front of me, if the paper had been called at the top not
“acknowledgment of receipt of blah-blah-blah-blah” but “consent
to treatment and uses and disclosure of medical information which says I
consent to the disclosure of information for reimbursement purposes et cetera,
et cetera” and I don’t get to see the doctor unless I sign that form, how
is that any different from the form that they gave me to sign based on the
assumption that they’d given me the information that they didn’t give me?
So I don’t think we’re advancing the interest of privacy by
getting hung up on this, whether it’s, you know, an acknowledgment or a
“consent form.” I think what we need to do, if we’re interested in
privacy, sort of deal with the substantive questions of who gets access to the
information and how much and under what circumstances and how is it disclosed
et cetera, because under any regimen, the patient is going to have to sign
something in order to get to see the doctor, assuming that they are conscious.
And what we label that, unfortunately, in my judgment, is not the sticking
MS. BLEVINS: Can I comment?
MR. ROTHSTEIN: Sure.
MS. BLEVINS: I have to say I respectfully disagree, and let me
tell you why. And I say that respectfully because this isn’t for me; I don’t
personally feel like I have a need that I’m hearing from a lot of people who
quite frankly are telling me, A, I lie; I don’t tell my doctor I drink anymore.
You heard about the case in Pennsylvania where a man lost his license because
it became routine to report people if they had a – I don’t know the
specifics, but a DUI, DWI, and anyway, later it was reported by his doctor and
he lost his license.
Again, I know there are legitimate reasons for why there has to
be reporting at times. But if you just hear from people – and quite
frankly, I think people who really care about privacy, they’re not going to
contact your Committee and they’re not even probably going to report things to
the Federal government, and that has nothing to do against the view of the
government but just that people that are privacy conscious call me up and they
want to tell me things and they don’t want anyone else to know. When reporters
ask me for cases and I say I can’t even tell you the case, because if I tell
you the case, I’m giving away people’s very sensitive information.
So I say I come here on behalf of those people who will not
come before a government committee. They will not talk to you. They probably
wouldn’t even write or send in comments to HHS.
And I differ. I say the difference between consent and
notification is if you just imagine we change the rule regarding who has access
to your home and instead of asking for your consent before someone enters, they
now have permission, if they’re a legitimate person, to do something in your
home. They just have to notify you that they’re coming in. There’s a huge difference
And where I agree with you strongly is that what we have as
consent is coercive consent, and the doctor or the nurse and everyone says in
order to treat you, I need to be able to share your information. And at that
point, that’s where the individual gets to sit down and say, okay, who gets it,
what happens? That’s a whole different scenario and even legal. It’s a
different ethic than notification.
MR. ROTHSTEIN: I agree with you, but I think it’s a sort of a
symbolic value and I don’t think it has that much difference in practice if
MS. BLEVINS: I think it does. I mean, I won’t spend a lot of
time, but I’m a former nurse; I worked at Johns Hopkins Hospital. I took care
of a lot of “VIPs.” And I can just give you one example.
There was one time – and I can’t even get too detail
oriented – there was one time a gentleman who was hospitalized who had a
very big name on Wall Street, and this was way back in the 1980s, and he asked
– and that was before we had – I don’t even know what they use in
hospitals now; I’m assuming everything’s digital, nobody gets paged. This was
when we had the old intercom system and they would page nurses and doctors and
even patients’ names over an intercom.
And this man was like “Please do not page my name.”
And it wasn’t that he was guilty and had something to hide, but he was so
“humanly powerful” that if the word got out about his disease and his
prognosis that that would affect his company and their bottom line.
So there’s so many reasons why people care about privacy. And I
agree with you that most people – the reason why I think it would be so
easy to reinstate consent and make it work is that the majority of people are
going to say “fine,” and it will work. But when you take it away,
when you basically say, okay, we’re going to take away that right to decide who
can come into your house, most people, if they’re calling an exterminator or an
electrician or somebody, they’re glad to have them just come into their house
and they’re glad to have a neighbor have a key, go in, open it up for them.
But there is a small minority who really care, and I just feel
so strongly that for those people, I’d love to see that ethic maintained.
And anyway, I agree with you strongly that it’s symbolic and
it’s coercive, but it’s still a fundamental ethic that we’ve had for many
MR. ROTHSTEIN: Okay, thank you.
MS. BLEVINS: Thank you.
MR. ROTHSTEIN: Let me alert our Internet listeners as well as
those of us who are here about some schedule changes for tomorrow that may
affect the timing.
We will begin tomorrow at 9 A.M. as scheduled and there are no
changes in Panel 3, disease and health advocacy groups.
After lunch, there is a change. We will not have a witness from
the Electronic Privacy Information Center; they are not able to be with us.
Neither will we have anyone from Patient Advocates in Research. So Panel 4 will
only have two individuals.
And Panel 5, Dr. Marshall will not be able to be with us and
WebMD will submit written testimony instead.
There are two sessions marked tomorrow for Subcommittee
discussion, 11 to 11:45 and then again 4 to 4:30. We’re going to have a brief
Subcommittee discussion this afternoon and I think that will obviate the need
for the second of our Subcommittee discussions scheduled from 4 to 4:30.
There is some threatening weather tomorrow, I understand, so it
may well be that we will be able to finish earlier in the afternoon, although
I’m not sure exactly what time that will be yet. That will depend on some
factors that we will get to tomorrow.
For today’s Subcommittee discussion –
DR. HARDING: Mr. Chairman?
MR. ROTHSTEIN: Yes, please – Dr. Harding?
DR. HARDING: They’re talking about three to four inches of snow
tomorrow morning. Do things work? I mean, do we start at 9 o’clock here? I
mean, you know, I’m from Ohio. That doesn’t stop many people but in South
Carolina it would paralyze the city for the next two weeks.
MR. ROTHSTEIN: Well, I would assume that the rugged folks at
HHS laugh at three to four inches of snow.
DR. HARDING: Okay.
DR. HARDING: So we’ll make the assumption it’s 9 o’clock, no
matter what the weather.
MR. ROTHSTEIN: Yes, we will come, rain or snow. We will start
at 9 o’clock because if we don’t, we’re going to get all messed up with flights
going out and so on. If people can’t make it, we will make arrangements to hear
from them at some other time at one of our later hearings. That’s okay.
Now, you should have been distributed a two-sided hand-out. On
one side it says “Draft 11/21/04” and the other side, “Observations
and Recommendations.” Let me remind you that the side that says
“Draft 11/21,” this is the document that the Subcommittee approved as
a result of our November 18th, 2004, hearing on issues related to
e-prescribing, and the purpose of this was to draft some language that would be
sent to the Subcommittee on Standards and Security to be incorporated into
their overall statement which will be coming before the full NCVHS at our next
meeting, which is March 3rd and 4th.
So at this time, what I would like to do is note for you the
revisions that were made – you can see on sort of the side, and they are,
I think, primarily editorial changes in the language that was used by the
Standards and Security Subcommittee perhaps to make this similar to other kinds
of phrasing in the other document.
So at this point, the question that I would have for the
members of the Subcommittee is whether there are any changes that you think,
you know, changed our meaning or that we need to change back or whether we can
accept the revisions and express that to the other Subcommittee.
So let’s put it this way. I’ll give you a minute because
perhaps you haven’t seen it.
DR. FITZMAURICE: Mark, while we’re reading, could I ask a
question about the word “implicate?” Is that the right use of the
MR. ROTHSTEIN: Can you tell me where you are, Michael?
DR. FITZMAURICE: This first line of the second paragraph:
“E-prescribing regulates implicate other –” It’s like pointing
to a criminal and saying, “He was in it, too.” But maybe that’s a
proper legal use of the term; I just don’t know.
MR. ROTHSTEIN: Well, we could make it “relate to,” if
that bothers you.
DR. FITZMAURICE: I would understand it better.
MR. ROTHSTEIN: It was not meant as a term of art, just
“raise issues involving” – I mean there are a variety of ways
that we can say that that I’m sure would be acceptable. Do you have one in
DR. FITZMAURICE: No, I don’t. I just was wondering about the
word “implicate.” I’d not seen it used in that context before, but
maybe it’s all right.
MR. ROTHSTEIN: Okay, so we’ll leave it for now and then we’ll
see whether the full Committee is similarly troubled by the implications of
MR. ROTHSTEIN: Richard?
DR. HARDING: Could you read the last paragraph in its final
form to me?
MR. ROTHSTEIN: Okay, I’ll try.
“The NCVHS recommends that any e-prescribing pilot project
initiated in 2006 by HHS include measures to identify and address the privacy
interests of consumers and the inclusion of substance abuse, mental health and
–” To address – to identify and address the privacy interests of
consumers – I don’t understand why they did that.
Harry, can you help?
MR. REYNOLDS: Where are we going?
MR. ROTHSTEIN: We’re in the last paragraph of the 11/21 draft.
It now is sort of odd.
DR. FITZMAURICE: Could I suggest that it might be “and to
include substance abuse, mental health and HIV providers” – replace
“the inclusion” with “to include.” I think that’s the sense
MR. ROTHSTEIN: Okay. “…to identify and address the
privacy interests of consumers and to include substance abuse, mental health
and HIV/AIDS providers?”
DR. FITZMAURICE: Yes. So that their privacy concerns will be
studied in the pilot project.
MR. REYNOLDS: Where did you use –
DR. FITZMAURICE: “To include.”
MR. ROTHSTEIN: Richard, does that –
DR. HARDING: That’s better. And there’s a period after
“meaningful way?” Is that –
MR. ROTHSTEIN: Yes.
DR. HARDING: And then –
MR. ROTHSTEIN: It’s still not great, but it’s better. It was
great before and then Simon got a hold of it.
MR. ROTHSTEIN: He’s not listening.
MR. REYNOLDS: We won’t defend him until – we won’t jump as
a Committee –
MR. ROTHSTEIN: No, I think it’s okay.
So are there any other questions about the language? There
being none, then I think we’re comfortable with that.
Now, if you would flip over the page, and this is language that
we did not draft. This is in particular – especially the recommended
MS. FYFFE: Who drafted it?
MR. ROTHSTEIN: This was drafted by the Subcommittee on
Standards and Security.
MR. REYNOLDS: Taking input from the letter.
MR. ROTHSTEIN: So they said – you know, the letter is at
the top, and then they have come up with – fortunately, Harry’s on both
subcommittees – drafted these two recommended actions, 10.1 and 10.2. Do
you want to discuss, Harry, explain the thinking?
MR. REYNOLDS: On the wording?
MR. ROTHSTEIN: Well, on why you did what you did.
MR. REYNOLDS: Basically just trying to keep it in the same
wording, the same framework, the same other that we have done on the rest of
the letter. So we have come up with observations; we have a list of
The full letter is 18 pages.
MR. ROTHSTEIN: Right.
MR. REYNOLDS: We have a list of observations ranging all the
way from new testimony to things that have been covered in the past, giving
updates on those, as well as pulling in the information from this Committee.
So we turned this into one of our observations, tried to keep
pretty much the content, and then, in line with the rest of the letter,
actually came up with recommended action.
MR. ROTHSTEIN: Okay.
MR. REYNOLDS: And I would recommend that unless there’s
anything dramatic missing above the recommended action or you see something
that you felt was omitted from the original letter, well, that would be good to
include that. Otherwise, I think it would be good for the Committee to look at
the recommended actions and make sure that those are actions that are amenable
to the Committee as it goes forward to the Secretary.
MR. ROTHSTEIN: Well, I have a concern about Action 10.2.
MR. REYNOLDS: Okay.
MR. ROTHSTEIN: I think 10.1 accurately reflects the opinion of
the Privacy and Confidentiality Subcommittee with regard to what should be done
during the 2006 pilot tests. I think that’s fine.
But 10.2 then goes beyond the pilot phase and says “HHS
should use experience gained from the pilot tests to develop and communicate
guidance to the industry.”
And so what this suggests to me is a choice of sort of soft
regulation. Based on the pilot test, it seems to me that HHS could develop
regulations dealing with e-prescribing and it might call for something that is
stronger, more prescriptive, in terms of what covered entities have to do and
what they can’t do, et cetera, et cetera, et cetera, whereas Action 10.2 says
“based on the pilot test results,” all that HHS is going to do is
develop and communicate guidance on handling privacy issues rather than
developing, you know, privacy rules. Am I misreading that?
I am misreading that? Okay. Wouldn’t be the first time.
MS. FRIEDMAN: This is Maria Friedman, and I have a different
view. And the view is that the pilot tests are really supposed to inform the
implementation of the Medicare Part D benefit and the pilot, we’re in the
of developing an RFP for pilot participants, so there’s concern
not about the replicability on the larger scale necessarily, but I think you’re
going a lot farther downstream than the results of the pilots would take us.
MR. ROTHSTEIN: Okay. I wonder if you could explain that
distinction between sort of the post-pilot phase and something further
MS. FRIEDMAN: Okay. The pilots are supposed to be conducted
during calendar year 2006. There’s an evaluation in 2007. The final rules will
come out – and again, the pilot tests were standards to help inform the
implementation of Part D benefits, okay? The final rule comes out in 2006 to be
implemented a year later, sometime in 2009. So that’s the timeline.
MR. ROTHSTEIN: So, I mean, here’s my concern. Maybe this is
misplaced and then you can help me again.
I’m reading this to say that CMS is not going to be enforcing
anything other than to give suggestions and guidance to the industry and there
may be things – I don’t know what they are yet; we haven’t done the pilot
– that we need sort of stronger rules on.
Am I way off on that?
Sue McAndrew and then –
MS. McANDREW: If I could also comment here. I mean, it seems to
me that the way the pilots are being structured, their main focus is going to
be to prove both the effectiveness of the foundation standards that are being
adopted to the rule-making this year as well as the other initial sets of
standards for e-prescribing that will then, following the evaluation, be
formulated into regulations like the foundation standards are.
But the focus, and the focus of the evaluation, is on the
standards for the e-prescribing system, and unless one of the standards
included in the pilot is actually going to be a privacy-based standard –
MR. REYNOLDS: HIPAA privacy-based standard.
MS. McANDREW: — then there is nothing for the pilots to test
or evaluate with regard to privacy and it’s not going to be a function of the
pilot tests to evaluate other operative law such as the HIPAA privacy
MS. FRIEDMAN: And, of course, pilot participants will have to
adhere to HIPAA privacy and security laws anyway. I mean, that’s a given.
MS. McANDREW: But it’s not a moving component, you know; it’s
not a standard that is being tested through the pilot. And so the outcome of
the evaluation is not going to be focused on, or in a position to direct,
changes, regulatory changes, in standards that aren’t part of any of these
That’s not to say that the experience gained through the pilots
would not otherwise inform us as the Department and the regulator of either the
security standard or the privacy standard that in this context X needs to
happen. And then the determination is, can we get to X by guidance or do we get
to X by a rule change?
But I think that is something that right now is outside of the
standards that are being scoped up for the pilot tests.
And it’s also outside of the scope of the pilot tests.
MR. ROTHSTEIN: Okay, so let me explain – I’m going to try
one more time.
I could, I think, live with deleting 10.2. I could live with
revising 10.2 to point out that we don’t know what the various regulatory
options are or what regulatory options we or the Department might want to
pursue as a result of the pilot in terms of the privacy rule and e-prescribing
rule. But the choice that the other Subcommittee made seems as if they made
sort of a substantive determination that all that is needed as a result of this
is guidance, and I don’t think we’ve made that determination yet. That’s what
it seems to me. Michael, maybe you can clear this up.
DR. FITZMAURICE: I agree with everything that Sue said, and my
take is that the 10.1 says as long as you’re doing these pilots, try to learn
something about privacy; so, identify any privacy issues that come up. And then
10.2 says, if you learn something useful, be sure to tell the industry.
Now, you could quarrel maybe a little bit with guidance and say
should “report out to the industry,” but I don’t think anybody has a
sense that we’re going to go change the privacy rule on the basis of these
MR. ROTHSTEIN: Kathleen?
MS. FYFFE: My superficial reading of this implies more
regulation, which is what you’re saying.
I mean, HHS should identify and address any privacy issues
within the context of the HIPAA privacy rule that arise during these tests. I
read that and I say, uh-oh, HHS is going to come out with more regs.
DR. FITZMAURICE: No, no, they’re looking for burdens and
MR. ROTHSTEIN: It’s interesting. I read it just the opposite
MS. McANDREW: I mean, I read the parenthetical within the
context of the privacy rule is you run these pilots, the rule is extant.
DR. FITZMAURICE: Applies.
MS. McANDREW: It’s there. It applies as is.
MR. REYNOLDS: Yes. Throughout the document, I think we
continually reference we’re setting standards that are not already in place.
HIPAA security and HIPAA privacy are in fact in place.
MR. ROTHSTEIN: Right.
MR. REYNOLDS: And so as this is discussed – but also we
felt it was important that if you are going to do e-prescribing to take another
look at privacy to see if the implementation of e-prescribing brings up other
issues that were not dealt with because the difference in e-prescribing –
I’m not saying this just to make the distinction – most of the HIPAA that
has gone in before has been claims-related, eligibility-related, kind of
non-care related, you know, non-actual giving somebody care.
So as we’re looking at putting in a process that would actually
be at the point of care, would actually be involved in other things, we have
more information that would be downloaded from a PBM, then, you know, as part
of the medical history, different than what you get – a claim is a claim
is a claim – and some of the other stuff are individual transactions.
We want to make sure that at least it gets looked at. And then,
we had recommended guidance. And I understand your concern that either we
should recommend that if there is significant findings that something happens
and whether that comes back to NCVHS or whatever.
Or, we thought about things like they’ve used an excellent job
in using frequently asked questions, they’ve done an excellent job in doing
some of these other things based on the other HIPAA transactions and code sets
which would allow the industry to truly understand the privacy rule as it
relates to e-prescribing and nothing more than a frequently asked question as
to how you would address that, using that current rule, are the kind of things
we also thought about.
MR. ROTHSTEIN: I’m sorry, Harry.
MR. REYNOLDS: Yes, so that’s kind of it.
Let me ask Harry –
MR. REYNOLDS: Is that a fair statement?
MR. ROTHSTEIN: Let me ask Harry and Maria and others what you
would think of, at the end of 10.2, just adding these words: “Communicate
guidance to the industry on handling privacy issues or take other regulatory
action as necessary.”
DR. FITZMAURICE: I would think that by saying taking other
regulatory action, you’re saying that’s regulatory action – putting
guidance out is regulatory action. I think it is.
MR. ROTHSTEIN: Yes, or other regulatory –
DR. FITZMAURICE: I don’t think that’s regulatory action. I
think that’s informing the industry. I get the sense that this is to inform the
industry. If the Committee wishes to recommend regulatory action back to HHS
once they see what is learned from the pilots, that could be another set of
MR. ROTHSTEIN: Well, all that I’m – I guess I’ve made my
point poorly too many times already.
MR. REYNOLDS: No, you haven’t. Keep going.
MR. ROTHSTEIN: I don’t want to prejudge the issue before we do
the pilots on what may be necessary in 2007 or whatever, and it may be that we
need to do something besides issue guidance to the industry. It may be FAQs, it
may be more outreach, it may be different – you know, revisions to the
privacy rule or what have you. I don’t know what. But as I read this, it says
what we find out has just got to be used to guide industry and that seems to be
MS. FRIEDMAN: That’s presuming what you find.
DR. FITZMAURICE: Depends on what you find.
MS. FRIEDMAN: Yes, I was just going to say we don’t know what
we’re going to find.
MR. ROTHSTEIN: We may not need to do anything, and I don’t want
to just say this is what we’re going to do.
MS. FRIEDMAN: That’s why there’s some benefit in leaving it
“some guidance.” Guidance can run the range from FAQs to regulatory
action and leaving that door kind of open till we see what comes out of the
MR. ROTHSTEIN: Well, then, how about if we just say “HHS
should use experience gained from the e-prescribing pilot tests to develop
appropriate responses” or something like that?
MS. McANDREW: Appropriate actions.
MR. ROTHSTEIN: Appropriate actions or innovations or something.
I’m happy with that. I’m happy to leave it open-ended. I don’t want to pick
“guidance” beforehand and make it look like we’re wed to guidance and
MR. REYNOLDS: So then what we’re doing is we’re leaving
whatever that is up to CMS and NCVHS, right?
MR. ROTHSTEIN: Yes, exactly.
MR. REYNOLDS: But it’s not just saying it’s guidance.
DR. FITZMAURICE: And it doesn’t urge them report out what they
MR. REYNOLDS: Well, the process, I think, is set up that the
pilot tests are to be reported back to NCVHS.
MS. McANDREW: The evaluation.
MR. REYNOLDS: Do you have a problem with those words?
DR. FITZMAURICE: I don’t have a problem with that at all.
MR. ROTHSTEIN: Okay, so what words are you happy with? I
MR. REYNOLDS: Your last ones.
MR. ROTHSTEIN: The clerk will repeat my –
DR. FITZMAURICE: Whatever is appropriate, I think.
MR. REYNOLDS: HHS should use experience gained from the
e-prescribing pilots –
MR. ROTHSTEIN: To develop –
MS. McANDREW: — appropriate action.
MR. ROTHSTEIN: — to develop appropriate actions?
MS. FRIEDMAN: On handling privacy issues?
MR. REYNOLDS: Right.
MR. ROTHSTEIN: Yes.
MS. WATTENBERG: I have an additional comment. I don’t know if
it’s welcome at this time or not.
MR. ROTHSTEIN: But I just need to make a statement. I want to
celebrate my victory!
MR. ROTHSTEIN: I get so few victories, even the teensy-weensy
ones I’m very happy to –
MR. REYNOLDS: We have a conference call from 5 to 6:30 at which
your praises will be sung.
MR. ROTHSTEIN: Sarah?
MS. WATTENBERG: Yes. My concern is about 10.1 and the
parenthetical material about identifying the privacy issues within the context
of the HIPAA privacy rule. I’m sure many of you will know what I’m going to
say, which is – [laughs] – is are we also going – I talked
previously with Maria about the issue of the Part II and that it has sort of a
higher level of restrictions on some information.
DEA also has restrictions on information about I think Category
I drugs that can be electronically transmitted and whether or not state HIV
laws on electronic information are also sort of regulatory issues that the
e-prescribing needs to account for.
MR. REYNOLDS: One thing – again, as I said, it’s an
18-page letter. That discussion is dealt with in a significant way in numerous
places throughout this, because it is – I mean, obviously since we were
the standards and security. I mean, the whole idea, and the DEA testified, and
the whole idea of whether or not e-prescribing as it exists now, if the DEA
comes in and puts significantly other monitoring on the controlled substances,
what that would or wouldn’t do to adoption and what that does or doesn’t mean
and how they need to work together. And we recommended HHS works with them.
So that’s predominant throughout because that is a significant
issue because you’ve got non-controlled – 85 percent of the drugs, I think
it was, were non-controlled, in the testimony had and then 12 percent were
Schedules III to V and two to three percent were Schedule IIs, okay? So we
address that in significant –
MR. ROTHSTEIN: Harry, one way I think clearing that up perhaps
to Sarah’s satisfaction, if you take a look at the end of the second paragraph
under Observation 10, because we talk about drug abuse, the last sentence says
any e-prescribing regulations must consider these – that is, the ones
mentioned in that paragraph – and other health records laws.
One thing that we could do and let me see what you think of it
is in that parenthetical, in 1, say HHS should identify and address any privacy
issues, paren, within the context of HIPAA privacy rule and other health
records laws which tracks the prior language. Would that be okay?
MR. REYNOLDS: Yes.
MS. CHAPPER: And other health records laws?
MR. ROTHSTEIN: Well, yes. That’s the language that we used at
the end of the second paragraph.
MS. McANDREW: Now is that your triumph or mine?
MR. ROTHSTEIN: No, I’ll give you credit for that –
MR. REYNOLDS: We only have an hour and a half conference call,
so if all of you are going to need accolades, write them short, nice and short.
MR. ROTHSTEIN: Okay. Michael, did you have –
DR. FITZMAURICE: No, no.
MR. ROTHSTEIN: — something else? Are you okay with that?
DR. FITZMAURICE: Yes.
MR. ROTHSTEIN: Other comments? So I would entertain a motion to
endorse the revisions as amended. Dr. Harding?
DR. HARDING: To endorse the paragraphs as amended?
MR. ROTHSTEIN: Correct. Any opposed? I mean – a second?
Any discussion? All in favor say “aye.”
MR. ROTHSTEIN: Opposed? Okay, so we are on the record as
MR. REYNOLDS: We would like it noted in the record that it was
unanimous vote and camaraderie amongst the Committee.
MR. ROTHSTEIN: Yes, absolutely.
Okay, it’s now 4:15, and do I hear any requests for additional
business to consider? Hearing none, I am very pleased to adjourn nearly a half
an hour early, and we will start tomorrow rain or shine, snow or sleet, at 9
o’clock. Thank you on the Internet for hanging with us. And we’ll see you
[Hearing adjourned at 4:18 P.M.]