[This Transcript is Unedited]



Subcommittee on Privacy and Confidentiality

March 30, 2005

Millennium Knickerbocker Hotel
163 East Walton Place
Chicago, IL 60611

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091


  • Introductions and Opening Remarks – Mark Rothstein, JD, Chairman
  • Panel I – Mental Health Providers
    • American Psychological Association – Russ Newman, PhD, JD, Executive Director, APA Practice Directorate
    • American Psychoanalytic Association – James C. Pyles, LLB, Powers, Pyles, Sutter & Verville, PC
  • Panel II – Other Providers
    • American Physical Therapy Association – Ellen “Mickey” Bonk, PT, MBA, Director, Rehabilitative Services, Children’s Memorial Hospital, Chicago, Illinois
    • American Dental Association – Ronald E. Inge, DDS, Associate Executive Director
    • American Optometric Association – Pamela J. Miller, OD, FAAO, JD
  • Panel III – Institutional Providers
    • American Hospital Association – Donna A. Boswell, PhD, JD, Hogan & Hartson, LLP
    • Healthcare Leadership Council – Mary R. Grealy, JD, President
    • American Health Care Association – Donna Maassen, Extendicare Health Services, Inc.
  • Statements from the Public
  • Subcommittee Discussion

P R O C E E D I N G S 9:15 AM

DR. ROTHSTEIN: Good morning. My name is Mark Rothstein, and I am the Director of the Institute for Bioethics, Cell Policy and Law at the University of Louisville, School of Medicine and Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens that makes recommendations to the Secretary of HHS on matters of health information policy.

On behalf of the Subcommittee and staff I want to welcome you to today’s hearing on national health information technology. We are being broadcast live on the Internet, and I want to welcome our Internet listeners as well.

We will begin with introductions of the members of the Subcommittee, staff, witnesses and guests. Subcommittee members should disclose any conflicts of interest. Others need not do so.

I will begin by noting that I have no conflicts of interest.

DR. COHN: Good morning. I am Simon Cohn. I am the Social Executive Director for Health Information Policy for Kaiser Permanente and Chair of the full Committee and a member of the Subcommittee.

MR. HOUSTON: I am John Houston. I am a member of the Subcommittee.

MR. PYLES: James Pyles on behalf of the American Psychoanalytic Association.

DR. NEWMAN: Russ Newman. I am Executive Director for Professional Practice of the American Psychological Association.

DR. MC ANDREW: Sue McAndrew with the Office for Civil Rights, Privacy. Liaison to the Subcommittee.

DR. GREENBERG: Marjorie Greenberg from the National Center for Health Statistics, CDC and Executive Secretary to the Committee.

DR. HARDING: I am Richard Harding, Chairman of Neuropsychiatry at the University of South Carolina and a member of the Committee and Subcommittee. I have no conflicts other than that I am on the Board of Trustees of the American Psychiatric Association and Ohio State University Behavioral Health.

MS. BERNSTEIN: Myra Bernstein. I am the privacy advocate of the Department of Health and Human Services in the Office of the Assistant Secretary for Planning and Evaluation. I am lead staff to this Subcommittee.

DR. MILLER: I am Dr. Pamela Miller. I am representing the American Optometric Association.

DR. GOURGUECHON: I am Dr. Prudence Gourguechon. I am a psychiatrist and I am here as a member of the public.

DR. SPIDERO: I am Dr. Antonia Spidero. I am from CDC. I am an Acting Privacy Rules Support Officer.

DR. ROTHSTEIN: Welcome to all of you. This afternoon from 3 to 3:30 p.m., members of the public may testify for up to 5 minutes on issues related to the topic of today’s hearing. There will be no public testimony tomorrow. If you want to testify please sign up at the registration table.

Invited witnesses have been asked to limit their remarks to 15 minutes. After all the witnesses on a panel have testified we will have time for questions and discussion.

Witnesses may submit additional written testimony to Marietta Squire within 2 weeks of the hearing. I would request that witnesses and guests turn off their cell phones and other electronic devices that could interrupt the hearing.

Also, because we are being broadcast over the Internet and recorded for transcription we need to remember to speak clearly and into the microphones.

The hearings today and tomorrow are the second in a series of hearings on national health information technology.

At the first round of hearings in Washington on February 23 and 24, we heard from experts on privacy and confidentiality as well as representatives of consumer organizations. These individuals explored the privacy and confidentiality issues raised by creating an interoperable system of comprehensive longitudinal electronic health records.

At this second round of hearings we will be hearing from health care providers to get their perspectives on these important issues. We plan to hold a third round of hearings in Washington on June 7 and 8, to hear from health plans and technical experts with experience using electronic health records. Additional details about future hearings will be published in the Federal Register and on our web site as soon as they have been finalized.

To introduce the topic of today’s hearing let me briefly note that electronic health records hold out the promise of increasing the safety and efficiency of health care, lowering costs and facilitating the treatment of those with cognitive or communication impairments.

I believe that realizing the benefits of electronic health records while protecting patients’ privacy and confidentiality is one of the greatest challenges to bioethics and health policy in recent years.

Numerous questions come to mind. For example, what if any level of patient control over the contents of the records will be permitted? If too little, patients will have insufficient privacy and may object to being part of the system.

If patients have too much control then health care quality may be jeopardized; health care providers may believe they have to take the time to supplement an incomplete file and health care providers may even be concerned about liability for medical errors that could have been avoided if they had more information about a patient’s health history.

These are some of the many issues that we hope that today’s witnesses will address.

So, without further delay I want to welcome our first panel this morning on mental health and mental health providers and it is my pleasure to recognize Dr. Newman.

DR. NEWMAN: Good morning, Chairman Rothstein, distinguished Subcommittee members and my co-panelists. As I indicated before I am from the American Psychological Association. We represent over 150,000 psychologists engaged in the practice, research and teaching of psychology. I want to applaud the Subcommittee’s efforts to study the various range of issues related to privacy and to thank you for the opportunity to address the Subcommittee this morning with particular emphasis on the mental health area.

As the Chairman indicated we, too, are aware of the discussions that have occurred over recent months if not the last year of the many potential benefits of a health information network of the type that is under consideration, improved access to critical health information, reduction of medical errors, improved quality of care and increased integration of care, improved efficiency and reduced administrative costs, all laudable goals that taken together could have some significant effects on reforming a health care system that is in bad need of some reforms and fixes, but as the Chairman mentioned as well, we, too, are concerned about some of the potential difficulties once implementation and execution of such a network occurs and have a number of caveats that we would like to raise to the attention of the Subcommittee specifically with respect to mental health information.

In general though I would certainly start with the basic foundation of the extent to which more information is made available through a network of this sort, one of the very reasons to have a network. That then begins to raise concerns about the privacy of that information, a constant tension that always bears management and is the very basis of this Subcommittee’s analysis I believe, but also generally I would say that fresh in the minds of my membership are the attempts to reform the health care system by the introduction of market-driven managed-care techniques, techniques that certainly had laudable goals of containing costs, laudable goals of potentially improving services but in fact the reality of the implementation of that effort really took in some unintended negative consequences in particular the extent to which business efficiencies became an overriding objective of that system we believe ran the attempt into some significant difficulties, and in the end didn’t fix the things it was intended to fix and created some problems that hadn’t existed previously, and I raise that issue because the belief that a national health information network would create efficiencies and reduce administrative costs has the same potential to be taken in the service of business interests and the for-profit aspects of our health care system which we cannot deny exist at this point and then unfortunately if those interests become too overweighted we run the risk of the national health information network being used in the service of business interests rather than in the service of improving the efficiency of the health care system as well as improving quality of care.

Once again, just as with managed care techniques they in and of themselves were neither good nor bad but the purposes for which they began to be used and the manner in which they were implemented made a big difference in terms of whether the potential benefits were realized or not. We would draw the analogy to that in terms of the development of a national health information network such that the purposes for which it is being used and the manner in which it is being implemented is as important as the laudable goals for which it initially is being created.

Specifically with respect to mental health I probably don’t need to tell this Subcommittee but will underscore anyway the unique nature of mental health interests in privacy and confidentiality. Perhaps unlike any other area of health care breaches in the confidentiality and privacy of mental health information not only are irritating, aggravating or outraging but actually prevent successful treatment from taking place and even more than just breaches in the confidentiality and privacy of mental health information the mere possibility that confidentiality would be broken in the mental health area actually works against the interests of providing successful treatment. This group is, I am sure aware of the opinion rendered in the Supreme Court, US Supreme Court case of Jaffee versus Redmond and I quote one particular line from the majority that really captures this issue quite well and is behind my comments.

As the Supreme Court said, the mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment. So, again, unlike most areas of health care not only will a breach go to preventing successful treatment from occurring but the actual possibility that confidentiality will not be preserved will work against the development of the trusting confidential relationship necessary for successful mental health treatment to occur.

In this regard the role of the mental health professional vis-a-vis the handling of confidential mental health information I think has been unique in our health care system. The mental health professional has been in a position to make important decisions about the necessary disclosures of information related to the mental health patient’s treatment.

While it isn’t entirely clear to us at this point how the interaction between the health care provider and the national health information network will proceed we do urge that the role for the mental health professional in providing some management of the disclosure of that information be preserved because that is a role that we think has been useful to continuing the preservation of the trusting confidential relationship which of course then leads to hopefully the successful treatment.

Similarly the role the mental health professional plays with the patient relative to information available to the patient has been an important role as well. One of the questions Chairman Rothstein raised was the extent to which the patient would have access to the information contained within the national health information network. While we very much support the ability of consumers and patients to have access to larger degrees of information that pertain to them and have a certain level of control over that information we are mindful of the important role the mental health professional has played with the patient in discussing that information since much or at least some of that information could have unintended adverse consequences for the patient if it were available to the patient in the absence of the mental health professional being able to help that individual process, digest, understand some of what is there given that it tends to deal with sensitive emotional aspects of their life.

More specifically with respect to mental health treatment we have the issue of psychotherapy notes. We were pleased that the HIPAA privacy rule recognized the unique nature of psychotherapy notes as distinguished from the more general clinical record and some more general information contained within that and protected psychotherapy notes to a larger extent.

In fact as you all well know there is a psychotherapy notes exception to the general privacy rule such that those psychotherapy notes when kept separately cannot be disclosed in the absence of specific patient authorization of those psychotherapy notes.

As I said, we were pleased that the privacy rule contained that particular provision. We hope that that kind of protection for the information contained within the psychotherapy notes is not lost when a national health information network is created for hopefully easier access and availability to critical health information.

We were disappointed that the HIPAA privacy rule did not handle psychological test materials similar to the manner in which it handled psychotherapy notes and we hope that the national health information network can manage psychological test materials differently from currently how HIPAA handles that.

Psychological test materials are not treated as psychotherapy notes and are handled by HIPAA as general health information available without consent or specific authorization. This is of significant concern to us for three reasons. First of all, information —

MR. HOUSTON: Could you define psychological test material? What would that be?

DR. NEWMAN: Sure, Wechsler Intelligence Scale, raw data, patient responses to the questions on that, patient responses to the protocols initiated through the Rorschach evaluation, patient responses on the Minnesota Multiphasic Personality Inventory, all the materials and data that ultimately are used to write the psychological test report which is in effect then the summary, the analysis, the digesting of that and the communication of it in ways that are based on the psychologist’s training and expertise with the data that then puts it into a framework that can be usable by other health professionals and even in instances usable by the patients themselves but the materials that get you there are materials that if disseminated create three problems.

First of all the materials are analyzable and interpretable as a result of considerable training and experience that licensed psychologists bring to bear on that. So that material can be subject to misinterpretation by those who are not trained and experienced for the interpretation and the ability to analyze that information.

Secondly, some of those materials’ future use may be invalidated by the public disclosure of that information since the public disclosure of it creates a familiarity with the questions, the stimuli, the nature of the protocols that would enable it difficult to use those test instruments and protocols in a valid manner in the future and then finally and importantly much of the information collected during the course of that process by virtue of those test instruments and protocols can be inviolately sensitive and confidential as any communications that take place in the psychotherapy session. The simple fact that the communication is taking place in a psychological testing session and the simple fact that it is taking place around these instruments does not negate the sensitivity of the information and change it in any dramatic ways from the kind of communication that takes place in the psychotherapy sessions. So the very same reasons that the psychotherapy notes have been appropriately handled differently with higher protection as a result of the HIPAA privacy rule we would argue should be applied to psychological test data and materials as well and we hope that any creation of a national health information network can realize the sensitivity of that information just as it can recognize the sensitivity of psychotherapy communications.

One other issue that is significant for mental health particularly in the current state of the health care system is the increasing recognition and emphasis on the importance of the connection between health and behavior and the need to better integrate mental health and behavioral health into the overall health care system and service provision in this country.

As you all may be aware historically mental and behavioral health has unfortunately been kept quite separate from the delivery of physical health services with separate payment systems, with separate administrative systems, with separate record keeping systems.

While that may have served to help keep mental and behavioral health information and records more secure it also then didn’t enable the benefits of mental and behavioral health care to their full extent in the delivery of health services.

Fortunately that is beginning to change and we believe that a national health information network could go a long way to facilitating the way in which mental and behavioral health care can be better integrated into the delivery of health services.

However, as was the case before to the extent that information now is available to more individuals in the health care system and to some differently trained individuals in the health care system we would raise the necessary caution that that adds to the need to manage the protection of that information.

In particular with mental health and behavioral health information being now better integrated into the overall health care system that creates the potential for individuals who are not necessarily trained and experienced in the use of mental health information now having access to that information as a part of their overall treatment.

Unfortunately, stigma still exists with respect to mental health disorders and the treatment of mental health disorders. We would be concerned that the integration of mental and behavioral health records into the overall health information system not enable that stigma to become more severe such that health professionals or allied staff who have not previously had access to that information would now have access and would begin to perceive and view the individual patient differently as a result of their mental health diagnosis and the unfortunate stigma that goes along with that.

We, also, are aware that historically or at least we believe there has been a higher standard of privacy and confidentiality that has at least been strived for, if not maintained in the mental health system and in mental health care as opposed to physical health care.

We would hope and urge that the development of a national health information network not move to the lowest common denominator and set up a standard that was lower than that which currently exists in the delivery of mental health services.

We, in fact, are aware of the perhaps good example in the Veterans Administration health system with their use of an electronic medical record and their experience for some time with that which has been a two-tiered system with greater protections being made available for mental health information than are available for physical health information and while my written testimony has a whole series of questions that we raised collaterally my final issue to address this morning is with respect to access to information in a national health information network by health insurers. It is unclear to us at this point the degree to which health insurers would have access to information in the national health information network but we would offer some significant caveats in terms of how that area would be managed.

There has been significant historical tension between insurers and mental health professionals over the disclosure of information related to patient and patient coverage and reimbursement. In fact, we have seen all too often instances in which disclosure of sensitive mental health information has been requested in a manner that appears to be tactically intended to discourage the patient from seeking mental health services. We certainly hope that something in that order would not be further facilitated by the development of an information network with accessibility of information to health insurers.

The recent version of that I think we have seen in terms of the battle that has raged over the HIPAA privacy rule concept of minimum necessary where the licensed mental health professional believes what is minimum necessary for the utilization review process and the medical necessity determination to occur is very different than what the insurer or the managed care entity believes is the minimum necessary amount of information for that task to be effectively done.

In sum and in conclusion I would just offer the following general recommendations to cover many of the issues I have tried to briefly highlight this morning. We would suggest that any national health information network exclude or place specific limitations on access to psychotherapy notes and psychological test materials and raw data.

We would hope that a national health information network would recognize and maintain the important role that the licensed mental health professional plays in determining what is appropriate access to mental health records by insurers, patients and others, and we would hope that the network would promote the integration of physical and mental health information but do so in a cautious manner that preserves the high level of confidentiality of mental health records, for example, by creating a two-tiered system where mental health records would be subject to more limited access.

Again, I thank the Subcommittee for the opportunity to bring these important mental health confidentiality and privacy-related issues to you this morning.

DR. ROTHSTEIN: Thank you very much. That was very thoughtful testimony and you raise a number of points that I am sure the Committee members will want to probe with you during the question period.

Mr. Pyles?

MR. PYLES: Thank you. My name is James Pyles. I am representing the American Psychoanalytic Association. I want to thank the Subcommittee for the honor to appear before them and deliver our recommendations. The American Psychoanalytic Association includes over 30,000 members. It is one of the oldest organizations in the country and has been eminently involved in development of privacy policy and drafting of regulations.

I would like to summarize a series of questions that were considered in other testimony by other witnesses.

No. 1, should individuals’ identifiable health information be included in an electronic health information system without notice, without their consent and over their objections or should any electronic health information system be based on traditional principles of medical ethics which recognize at least some control in non-emergency situations by individuals? If you are willing to disclose information without the patient’s consent you must be also willing to disclose it in the health care world.

No. 2 can the security of the identifiable health information in an electronic health information system be assured?

Are there adequate rights and remedies available for individuals whose medical privacy has been compromised? I think that is a reasonable question.

Is there a clear “evidence-based” conclusion that electronic health information systems improve quality, achieve savings and improve efficiency? There is no evidence to that effect and I think the jury is still out.

Lastly, is there an accepted standard of reliability and care for electronic health information systems? I have researched this very thoroughly and I believe no such standard exists.

Our recommendations are No. 1, any electronic health information system should be ethics based and no identifiable health information should be included in such a system without the individual’s consent or against the individual’s will. Now, this is not a particular radical notion since that concept is embedded as a core principle in medical ethics of every single profession.

No national electronic health information system that uses identifiable health information should be implemented until the security of information in such a system can be assured.

Patients and individuals should have adequate rights and remedies for the violation of their medical rights including a private right of action for damages, corrective action and injunctive relief.

No national health information system should be implemented until there are clear evidence-based reasons to believe such systems improve quality, achieve savings and increase efficiency. We would not impose or recommend the abdication of rights or the procedure without further testing.

No electronic health information system should be implemented until there is a nationally recognized standard of reliability and care for such systems.

Let me just go to some of the recommendations. We know that medical privacy is essential for quality health care. There is no tension between privacy and quality of health care, so said the Supreme Court. We know that privacy is essential. The possibility of disclosure eliminates the protection of psychotherapy. Medical ethics of the American Medical Association since 1847 have recognized the right of patients to have some control over the use of private information. The American Psychoanalytical Association has a similar principle.

I think the history and tradition of the country shows that medical privacy has been recognized by constitutional law and medical ethics. The question that comes up is, is there any reason to abandon the traditional principles in the interests of implementing electronic health information system. The only thing that is changed is technology. Patients remain the same. Their cares and concerns are still the same. They have the same interests in privacy.

We believe that an ethics-based system should be the top priority for any electronic health information system.

The public’s expectations, clearly they expect their information will not be used and disclosed without their permission.

You had testimony in the first hearing about a study by the Center for Social and Legal Research which found that 70 percent of the public is concerned that their information will be leaked without their permission by an electronic health information system. Sixty-five percent of Americans would not disclose sensitive information to such a system because of concerns over privacy. The rule authorizing the use and disclosure of every type of health care information by covered entities without the individual’s permission. It authorized the use and disclosure of that information in identifiable form to hundreds of thousands of other members of the public.

It rendered individuals powerless to prevent those uses and disclosures because they are made without notice, thereby eliminating rights under state law. Regardless of whether the individual signs an acknowledgement of notice of privacy practices without any accounting even if the individual pays privately, even if the information was created prior to April 14, 2003 and even if the individual objects, and the rule also granted federal regulatory permission for covered entities to waive individuals’ fundamental right to personal privacy against their will.

The approach taken by Kaiser Permanente in its notice of privacy practices says, and I am quoting, you may request that we limit our uses and disclosures of your PHI for treatment payment and health care operations purposes. However, by law we do not have to agree to your request because we strongly believe that this information is needed to appropriately manage the care of our members/patients. It is our policy to not agree to requests for restrictions.

The security of an electronic health information system cannot be assured. HHS has determined that security and privacy are inextricably linked and there is no such thing as secure electronic health information system, one that carries no risk. This would appear to be an understatement based on the recent report by the President’s Information Technology Advisory Committee which found that electronic health information systems particularly those that are interconnected are highly vulnerable to hackers and others. According to the Committee, quote, ubiquitous interconnectivity equals widespread vulnerability.

Now, we are not talking about banking information here. We are talking about genetic information. We are talking about your cancer testing and mental health testing information.

The Commission further found that the threat clearly is growing with attacks rising by over 20 percent annually. For example, one survey showed that 83 percent of financial service organizations experienced compromised systems in 2003 more than double the percentage of 2001 and do you believe, does anyone believe that health information systems in medical centers have greater expertise in repairing insecurity than the Bank of America?

The Commission also noted the number of network vulnerabilities has also risen with 3780 new electronic vulnerabilities recently being reported which was a 20-fold increase from 1995.

The Commission concludes that the current approach of patching the system by adding security measures is inadequate and that new fundamental research is needed to quote, design security into computing and networking systems and software from the ground up. This is the Commission saying that the system is broken and we are not fixing it.

The validity of the Commission’s findings and conclusions is illustrated by the almost daily reports of privacy breaches in the past few weeks and I have listed them for you in my testimony.

No. 1, a disgruntled former employee posted information about Kaiser Permanente patients on a web site reportedly to make the point that anyone could have gained access to the information.

LexisNexis reportedly had personal information about 30,000 consumers stolen by identity thieves.

A national shoe retailer reported that credit card information on its customers was stolen from its database over a 3-month period.

Bank of America reportedly lost the computer backup tapes containing personal information on about 1.2 million federal employees including US Senators.

ChoicePoint is reportedly being investigated involving the theft of more than 100,000 consumer profiles from its databases and these are just the accounts of the past 3 weeks.

Under these circumstances it is simply not credible to believe individuals would retain trust in the health delivery system necessary for quality health care if their personal health information were put into an interconnected electronic information system without their knowledge and consent. HHS has also acknowledged that there cannot be any privacy without some form of sanction or punishment activity. However, HHS has failed to propose enforcement regulations for the Amended Privacy Rule stating that quote, it is expected that the enforcement provisions applicable to all administrative simplification rules will be proposed in a future rule making. A hastily issued rule on April 17, 2003 is admittedly not the enforcement rule requested by HIPAA. We do have over 10,875 complaints from April 14, 2003 to December 31, 2004 about privacy issues made to the Office of Civil Rights. Many of these complaints were resolved because the privacy violations were authorized by the Amended Rule.

There is also recent evidence indicating that background health information may actually add to and not reduce errors. If you look at the recent article of March 9, in JAMA it showed that for example 51 percent of physicians in that research study using such a system reported medication discontinuation errors and 22 percent reported these errors occurring a few times weekly, daily or more frequently. Fifty-five percent of physicians reported difficulty even identifying patients that the information applied to.

Further, a major West Coast hospital recently abandoned a $34 million computerized health information system after 3 months. The system reportedly became an impediment to the efficient delivery of health care and failed to provide timely and accurate information.

As I said, there is no accepted standard for reliability of health information systems or for security measures. There is no accepted standard for how often an electronic health information system will be inoperable. Is it acceptable for it to fail once a year, once a month? My computer goes down at minimum once a week and I am just in the legal profession. Anyone who thinks that an electronic health care information system would not have this issue and relies solely on such a system does not use a computer.

There is no accepted standard of electronic health information security. To the contrary the Security Rule states that it was intended to be quote, scalable. So, while the individual’s expectation of privacy and sensitivity of that information is at least pretty standard we have had those standards for many years, the security protection varies infinitely.

As was recently observed also in another article behind the cheers and high hopes that dominate the conference proceedings, vendor information and large parts of the scientific literature the reality is that systems that are in use in multiple locations that have satisfied users and that effectively and efficiently contribute to quality and safety of care are few and far between. Recent surveys show that roughly 75 percent of large IT projects out there in health care fail. This is an idea like any other medical technique and I would suggest it is not ready for prime time.

With a lack of accepted standards of reliability and security it is impossible to estimate the liability risk to health systems posed by electronic health information systems. In the absence of quantifiable risk it is unlikely that medical liability insurance will be available for systems that rely heavily or exclusively on electronic health information systems to provide care.

In conclusion I would just like to say that electronic health information systems should not be viewed as a magic bullet or panacea for rising health care costs. They should be viewed like any other medical device or procedure as another possibly useful tool and should be carefully tested and cautiously implemented.

Regardless of the system or design it should be applied in a manner that is consistent with traditional principles of medical ethics and practice. In the rush to implement evidence-based medicine we should first and foremost ensure that patients retain access to ethics-based medicine.

That said I would just like to point out that under federal constitutional common law the media has a protected right by the First Amendment to publish personal information about individuals in public life. That would be everyone in Congress, everyone in the Executive including President, Vice President and everyone else even if the information is unlawfully obtained. If someone hacks into the electronic health information system and obtains information unlawfully and gives it to the New York Times or the Washington Post they have a First Amendment right to publish it. I would suggest to you that means the medical privacy is not only essential for quality of health care, it is essential for quality government. I have attached to my testimony an article that recently appeared in the Legal Times that a Senator who is a physician who wants to run for President and he turns down the overtures of the insurance industry to advocate their views. They tell him certain information could become public. The insurance industry finds a way to have this information reach the papers. He tries to get an injunction to stop it and he can’t because the paper has a constitutional right to publish it. His political ambitions are quashed.

We know that has happened. We know that John Kennedy knew that if his medical information had been disclosed he would have never have run the presidency of the nation. We know that Ronald Reagan was quite concerned about disclosure of his medical information.

So, this is not a far-fetched idea. It is not a far-fetched concern.

DR. ROTHSTEIN: Thank you, Mr. Pyles for that very provocative testimony and we will have questions in just a minute for both of you but before that I want to read into the record some excerpts from testimony of the American Psychiatric Association which was invited to be on this panel and could not attend and the members of the Committee or Subcommittee should have a copy of the testimony and I am just going to read some highlights into the record for our Internet viewers or listeners as well.


DR. GREENBERG: Yes, I just wanted to report that I am in communication with various people who are trying to listen on the Internet and some of them are having success but I mean so it is being broadcast on the Internet, but I encourage everyone to really speak into the microphone and very distinctly because they are experiencing some difficulties.

DR. ROTHSTEIN: Thank you and I assume we are working on that.

So, here are some excerpts from the testimony.

DR. GREENBERG: Of course, all of the testimony will be posted on the web site subsequently.

DR. ROTHSTEIN: And you can follow along but I am going to be skipping around. The APA is our country’s oldest medical specialty society representing more than 36,000 psychiatric physicians nationwide and many in foreign countries.

We have members who feel that psychiatric records should remain paper based. We have members who feel that psychiatric records should be an integral part of the general medical record like any other specialty of medicine and we have members who feel that there is a middle ground.

The APA believes that the NHIN has a potential to decrease treatment errors and improve communications between health professionals and assist psychiatrists with evidence-enhanced guidelines.

However, as we have testified so often protections for privacy and security must be built into it from the ground up.

Regrettably it is too often overlooked that confidentiality is an essential element of high quality health care. Some patients refrain from seeking medical care or drop out of treatment in order to avoid any risk of disclosure of their records, and some patients simply will not provide the full information necessary for successful treatment.

Patient privacy is particularly critical in ensuring high quality psychiatric care. Both the Surgeon General’s report on mental health and the Jaffee versus Redmond decision conclude that privacy is an essential requisite for effective mental health care.

The Surgeon General’s report concluded, quote, people’s willingness to seek help is contingent on their confidence that personal revelations of mental distress will not be disclosed without their consent, end quote, and in Jaffee the Court held that quote, effective psychotherapy depends upon an atmosphere of confidence and trust. For this reason the mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment, end quote.

The APA and its members hold these statements as core values. We must not abandon the very principles of privacy in NHIN that have enabled patients and physicians to forge a relationship of trust.

Then moving forward physician and patient decisions to take part in the NHIN should be voluntary. Many patients come to a psychiatrist with a clear directive that none of the information should go back to the referring primary care physician. For numerous reasons including stigma, office personnel, etc., they do not want easy access to their information.

Should they have this right? Child psychiatrists frequently are asked by their patients not to send information to their pediatricians because the child often feels that the referring physician will tell parents everything. True or not, should the adolescent be able to direct the psychiatrist to not communicate fully with the referring pediatrician?

Moving ahead, the NHIN must not be a centralized storage of electronic medical records but rather a decentralized system. Health professionals at the local level must keep medical records. This will allow networks to talk to each other when authorized physicians and hospitals need the information. A patient’s information must be exchanged over a secure system. The NHIN must be built on a set of widely accepted rules that users of the system must follow to be a certified member. These rules need to be strictly enforced to prevent violations of the privacy and security of the patient’s record. The physician-patient relationship is built upon trust and the NHIN must also be built in a way that will not undermine that trust.

There should be tough enforcement regulations in place to support privacy and security guidelines. Patients should have recourse if their medical privacy and security are violated in this country or offshore. The American Psychiatric Association wants to ensure there is no downstream release of information to marketers. Strong enforcement regulations will send a powerful message to patients and providers that privacy and security will be protected.

Much of health care is still provided by physicians in small practices. An estimated 60 percent of practices are in offices with 10 physicians or fewer and 35 percent in offices with three physicians or fewer. Small practices of psychiatrists are even more prevalent. Among the biggest barriers to health information technology adoption among small doctor groups are the high costs, more than $30,000 per doctor as well as staff time transition to electronic health records according to the American College of Physicians.

The cost of hardware, software and time lost in terms of patients not seen while physician learn and impute information or maybe this is input or whatever, either way, into the computer system are factored into this figure.

Many psychiatrists feel this is a federal unfunded mandate with little chance for recouping this significant investment through efficiency in their offices.

In conclusion the APA believes that the national health information network must be a system whose cornerstone protects the privacy and security of the patient’s medical information. It is essential that sensitive medical information including sensitive patient psychiatric records remain confidential and secure. The Hippocratic oath states, quote, first do no harm, end quote. It is imperative that a national health information network abides by this concept. This can be accomplished by focusing on these principles we suggest in an NHIN.

So, those are some of the highlights of the written testimony from the American Psychiatric Association and now we have time for some questions for the panel members and I have got a whole page full of them but I will just start with one and then ask my colleagues to participate as well and then maybe we can get back to some of the others.

The first question that I have relates to the testimony that we heard last week or at our last hearing in which it was suggested that there may be different kinds of health information, different levels of privacy protection and it was suggested that one of the most and I think this is something that you would both agree is one of the most sensitive kinds of information in health care records would be mental health and psychiatric information, but what concerns me is how we get a more precise handle on that sort of breakout and let me give you two examples and ask you if you could give us any guidance on how to draw lines.

Example No. 1 is information in a medical record that is 20 years old, a single event and it is information about a minor and quickly resolved episode of anxiety or depression in a particular patient.

Example No. 2 is information in a medical record that a patient currently is taking a prescription medication such as an SSRI or an antipsychotic medicine that might have very direct and immediate relevance to medical care, emergency care and so forth.

So, in the example I give, I hope it is an easy one, I think in the first example one could make a compelling argument that this is the kind of information that shouldn’t routinely be available or maybe even could be excised from the medical records, a thing we need to talk about later whereas the second one has direct relevance to care. You bring someone into an emergency room who may be having an adverse reaction to whatever and it is very important for treating physicians to immediately know that this person is on a particular medication. So, if we carved out the whole area of mental health from the quote, regular medical record that would create some problems in the appropriate treatment.

So, I am wondering first, Dr. Newman if you could comment on that problem that I am having.

DR. NEWMAN: Yes, I can’t say that I have 100 percent solutions to that problem because it really hits a nail on the head particularly in terms of if we are going to better integrate mental and behavioral health into the overall health care system how do we do that in a way that gives sufficient information to other health professionals who are engaged in the treatment of that individual. While we certainly have our concerns about the HIPAA privacy rule again we do think it did a good service by recognizing in its regulatory frame that there are different kinds of information some of which is summary information that is considered to be part of the general clinical record and some of the information is in fact higher protected more sensitive kinds of communication and information that should not be part of the clinical record.

So, you know I do believe we need to make some of those distinctions to determine what information can be maintained in the general record particularly if you have an integrated mental health, mental behavioral health and physical health record and what information goes too far to be included in that.

I don’t have any easy answer for how one goes about making that determination. I think we have got some precedential(?) experience in looking at some of the ways the current regulations try to make that divide and draw that line and I hope that can guide us in determining how to include sufficient information that is important versus not including information that is of too sensitive a nature and wouldn’t really add anything to the general health treatment of that individual.

DR. ROTHSTEIN: Mr. Pyles, do you want to comment?

MR. PYLES: I agree with the procedure which you suggest of having different levels of privacy perhaps in electronic health information systems. I don’t, however, find the substantive question a very difficult one to answer. If we take an ethics-based approach first as a practitioner and apply the ethical standard which would say in that case that a psychoanalyst should never disclose confidential information about a patient without the patient’s informed consent; so, whether it is medication or whether it is an incidental treatment for depression back when they were 20 years old it ought to be an ethically as has always been choice of the patient to decide what information should be disclosed by the practitioner and therefore I think should also be the choice of the patient to decide what goes into the more specifically highly protected category in a health information system. I don’t think any of us sitting around this room can make that decision for a patient. It is an interesting idea to carve out mental health information but we also know from HHS statistics that 600,000 people a year in this country don’t seek cancer treatment sufficiently early because of privacy concerns, that 2 million people a year don’t seek mental health treatment because of privacy concerns and millions don’t seek treatment for sexually transmitted diseases.

Sure there is an endless number of groups and individuals who can come up with great reasons why we need information but the mere fact that you can help someone gives you no right to do it. The choice is the patient’s. We never think of treating a patient, laying hands on a patient against the patient’s will if the patient is competent. So, I would suggest that if you take an ethics-based approach such as reflected in the history and tradition of the country I think you come out with a fairly simple answer and it is not one that destroys the efficiency of the health delivery system. It is one that —

DR. ROTHSTEIN: Let me interrupt. I just want to finish this point quickly before I give it to my colleagues. Taking your position to the extreme I think would be the end of electronic health records. Maybe that is what your intent is because if you have a totally subjective system in which the patient decides what goes in then to be sure they are not missing anything leaving aside the emergency situation then the physician at each treatment encounter is going to have to sort of back track to make sure that they can fill in all the gaps that the patient may have elected to keep out. You would lose the value of sort of the quick access efficiency and so forth and quickly you are at a point where I mean like why bother.

Now, as a matter of sort of ethics and policy I don’t want to debate the issue of whether you are right or not. I mean maybe that is an acceptable price to pay but I think unless there are objective rules the whole system is killed.

MR. PYLES: I guess I have two responses to that. One is that is the system that we have always had and no matter what you do in electronic health information that is the system we will have anyway because the patient will always have a choice to withhold information and not put it in the electronic health information. If you decided to disclose against the patient’s will then they will no longer disclose it to the practitioner. So, as the Supreme Court held in Jaffee versus Redmond and the 1998 decision of Swinberg(?) and Berlin(?) versus the United States it held that it is not a question of whether you protect the privacy or do not determine whether the information will be available. If you fail to protect privacy the information will never exist. So, I would suggest to you that to preserve the quality and efficiency of the health information system you must give the individual a choice as to whether their information should go into the electronic information system and I do believe that the British are experimenting with a system like that right now where there is an electronic black box and the patient decides what goes into it.

DR. NEWMAN: I had a 10-second thing. I failed to say this. I think it was perhaps my mistake to not that we do have a whole set of state laws related to mental health information that requires consent slash authorization in a manner that isn’t always available for physical health information.

So, the concern here would be not to set up a federal system that goes beyond or takes away what is available in state law protections because many of the state law protections currently are much higher than what is available through HIPAA.

MR. PYLES: I agree with that and I think also I will agree with the statement you read from the American Psychiatric Association where they strongly believe that whether information goes into the system should be a patient’s choice.

MR. HOUSTON: I remember a couple of years ago an individual who was a consumer of our health system wrote an article called Electronic Health Record and he wanted nothing to do with the system. He didn’t want it and so I talked to him at home and we spoke for about 10 minutes and during the course of the conversation I asked him, “You are driving on the Pennsylvania Turnpike towards Philadelphia. You happen to be in an auto accident. It just happens we have a hospital and you are unconscious and taken to the hospital. You have some serious allergy or some chronic condition and it will affect your treatment, what are we going to do for you if we don’t have the records online in that hospital?” He said that he doesn’t want his records online. I think that part of the problem and part of my concern is that we want to have absolute privacy and we want to have the highest quality health care and how to balance that out and especially in a society where that information should be available or the patient does not receive as high a quality care as possible. What happens to the physician there? He could have provided much higher quality care with information that should have been available.

MR. PYLES: We get this example all the time. Let me explain what you did was exactly what we advocated, patient choice rather than saying that the patient’s information no matter what all the mental health and cancer testing, sexually transmitted diseases, abortion records, rather than saying, “All of the record is disclosable by anyone in the country who has some sort of interest.” You can have a conversation where he says what he wants and that is the way we would do it.

MR. HOUSTON: One of the problems is when a patient presents to you unconscious. The evaluation in the absence of information is a much longer process. My concern is that it is definitely psychiatric in some way, shape or form and it might be the medication or it might be test results. By looking at the meds you clearly often know what is wrong with the patient. It can be some powerful psychotropic drug or whatever. Can you tell me what is wrong with that, what the patients were treated for and so, there is a lot of accurate, and I have heard this on many occasions from doctors and every one of them says, “I want to do my best possible,” and they deal with this on Saturday nights or whenever the patient presents, in the middle of the night. They get to deal with this patient in an often very hasty fashion.

MR. PYLES: Most states have and the original privacy rule had an exception for emergency treatment. That is not a bad idea. It is something to consider, but the question is should you decide or someone else decide what of the patient’s information should be used. Should the patient have any control over it at all? Medical ethics throughout the history of medicine has erred on the side of giving the patients a choice, controlling weight. As a matter of fact the American Medical Association’s standards say that if there is a conflict between someone else’s need and the patient’s, you err on the side of the patient’s right to privacy. So, one of the things I do find interesting in the example you gave is that a concern expressed among physicians is not particularly what treatment issues may come up but principles in terms of medical liability. So, the stories you are hearing are not for the patient’s interest but the physician’s interest.

MR. HOUSTON: Medical liability is a proven adverse outcome.

MR. PYLES: That I am going to get to but what happens if you did have a two-tiered system and the patient has choice and information isn’t in the right box and the patient has denied entry? The answer to that is the patient has to assume some risk and the physician is deprived of information just as if the patient presented at the office suffering from a potential heart attack and refused to disclose medications then that would be a defense the physician could raise, but the more fundamental question is what happens if you are going to treat a patient in a situation where you have the right to privacy for all information in all situations. The answer to that is the doctor doesn’t get anything.

DR. NEWMAN: In the hypothetical it wasn’t clear to me whether when provided the different scenario to the individual about the accident on the highway he changed his mind or he wanted it both ways. That is sort of what I heard and that is really what is the issue to be reckoned with here is is there a way in which that is even possible.

You know I am neither a technology expert nor naive, but wonder whether there aren’t some opportunities given the technologies to develop a system which is differentially accessible as long as that information is there somewhere but that there are different levels of access to that information and in fact under emergency circumstances the health care professional has to take some responsibility for making a decision that enables them to access at a different level that wouldn’t normally be accessible, you know, if they are wrong they are wrong. The key though I think is we have got patient interests. We have got health care interests. We have got privacy interests. They have got to be balanced. We can’t get enamored with one over the other and let one drive the entire system.

MR. HOUSTON: I absolutely agree. When the patient said, “I don’t want my records in this system,” I think that is the tension that a lot of the public had, and so you can’t do anything.

MR. PYLES: Could I just say that actually technology could enhance patient privacy through electronic medical records. There is no reason why we couldn’t have a black box in the electronic system which says that this information is not to be used without consent except in emergency situations. I also believe that it is balanced and folks talk about not all things having equal weight as a justice of the Supreme Court held in Jaffee versus Redmond. There is no balancing and no balancing should be applied when it comes to the issues. That is not only in the individual’s interests; it is in society’s interests.

DR. HARDING: Let me ask Mr. Pyles, you had said that the NHIN wasn’t ready for prime time. In the last Presidential campaign both sides of the political spectrum said that we need this and there ought to be a date certain, I think, 10 years or 8 years or something from both Kerry and Bush’s campaigns and it is starting to roll. Now, if it isn’t ready for prime time should we, you know, do you have recommendations for us about one, whether it should go, when it should go and under what circumstances and how it should be rolled out so to speak?

MR. PYLES: Yes. I have given some thought to that and based on my review of the recent literature no one knows what it is. No one knows what the standard of reliability is, what the standard of care is. There is almost nothing and as I said before we would never recommend a procedure or treatment for a patient that was just for research and untested. So, what I am saying is when I say that it is not ready for prime time, I am not saying that we shouldn’t allow systems and vendors to expand with it, but it should be voluntary with the patients. It should be experimented with on a case-by-case basis just as Cedars-Sinai wasted apparently now $34 million on their system, they should be willing to do that but think of the disaster that would have been if it was like the FBI’s computer system that was trashed after years of development. So, I think that electronic health information is a good thing and one that will be used as a tool for enhancing quality health care at some point but I think one has to proceed cautiously as we would in the medical field for any treatment. We are not making toys here and we are not talking about some new device or efficiency to improve a single act. We are talking about somebody’s mother or somebody’s brother or somebody’s sister and we are talking about longstanding medical ethics. I would suggest that we start with the principles we know work, come at this from an ethically-based standpoint, allow some experimentation to take place and allow this to evolve over the next 3 to 5 years and in 5 years I suspect we will know what works and what doesn’t and at that point we will have the information that we need to develop national standards but to rush into this now seems to be foolhardy from the clinical standpoint as well as the bioethics standpoint.

DR. COHN: I want to thank our presenters for some very interesting testimony, and I guess Mr. Pyles I guess I will have to disclose again that I do work for Kaiser Permanente though I will not engage you on that topic though I do presume that organizations that are named in testimony have a right to submit supplemental comments to the Subcommittee up to several weeks after the testimony occurs.

I guess first of all as I am sitting here listening to some of the discussion and Mr. Pyles obviously it is hard not to reference your comments. I am sorry the VA isn’t here or other large organizations who I think might indicate that maybe electronic health records aren’t such untested technologies. I think I am speaking into the microphone. It could just be the early morning. I was saying that there are many organizations who I think have testified and will continue to testify that electronic health records are not untested technologies. Large organizations such as Veterans Administration and Pittsburgh Medical Center, Medical System —


DR. COHN: Center, okay. Kaiser Permanente and I think there are many others. Having said that I think that the question I would have for both of you and I find the issue of privacy to be a, you know, I mean obviously I think we all support the HIPAA privacy rule and the question is does it need to be tweaked in some way as we move into the world of the NHII. I noted that conversations are often around access by another provider to one provider’s judgments or decision making and that seems to be some of what the discussions have evolved around. Can a pediatrician see a psychiatrist’s records, you know, and there are many other ways of describing this. I guess a question I would have for you and the thing that I guess maybe I am most concerned about as we have these conversations is the eventuality going down the road that we will do a very good job somehow preventing one provider who is making a legitimate diagnosis from seeing another provider’s legitimate diagnosis but the payers in all of this will have all the information and I guess I am sort of trying to think in my own mind are you concerned; is that the future that we are likely to get into as we more and more finely give permission or refuse permission from one provider to another to see legitimately made diagnoses? Russ, do you want to talk about that at all?

DR. NEWMAN: Yes, perhaps in an attempt to abbreviate and summarize that one particular issue. It wasn’t as apparent as it might otherwise have been. That in fact is a significant concern that in our opinion the level of information necessary to be made available to the payer is a far different matter than necessary information to be made available for purposes of delivery of the health service.

The current system is woefully inadequate in terms of its abilities to protect and in fact if anything right now payers probably have more ability to access information than do health care providers again with a disclaimer that I do not consider myself to be naive but one who is optimistic that there can be some future developments in our health care system that actually solve some of the horrendous problems that currently exist. I see this as one potential to develop some solutions to that problem and we need to appreciate that there are different needs and different accesses that ought to be occurring for payers than for health care professionals and this ought to be a system that is able to take that differentiation into consideration and to develop different ways and different levels of access, so we don’t have payers being able to access more than what health care professionals can access and frankly payers ought to be able to access a lot less than what health professionals access.

MR. PYLES: If I understand the question it was am I concerned that the payer has more information than professionals. I am to some extent concerned about that and I think one of the problems I see is that the insurers and providers are treated equally. I think that was a huge mistake because we know that patients do not regard with regard to privacy they do not regard payers the same way as they regard practitioners. Most patients would have no objection to their provider or their practitioner having access to their information, but they have a strong reservation and endless surveys have shown this, they have a very strong reservation about their information going in an unrestricted way to their insurer and perhaps then having the insurer disclose it beyond but again getting back to the problems at this point with the electronic health information system I think we can establish a system where some information is available to insurers across the country right now and other information is available to practitioners. The way it always happens my clients tell me is that there has been a referral from one practitioner to another and consent has always from for disclosure of information. That is what has always happened. There is some consent obtained by the initial practitioner that information would be disclosed down the line to another.

DR. COHN: I am not a lawyer. I am a doctor, but I understand that that is a state-to-state, has historically been a state-to-state legislation issue.

MR. PYLES: Actually it has been a question of medical ethics. That has been at least since 1847 in the AMS’s ethics, but I think you are onto something that is an interesting point which is again that health information technology can be used to protect rather than erode. Now, also, there is your comment about medical records not being untested technology. There is a big difference between national health information network and medical records and electronic medical records, a lot of those kinds of records have been tried on an isolated basis, a small range of information, with varying degrees of success. Cedar Sinai for example was a disaster. They tried it and it didn’t work. That is not to say that you shouldn’t experiment with it and keep working on it.

DR. ROTHSTEIN: Are there questions from staff?

Hearing none, I will thank the two members of our first panel very much for getting us off to an informative and lively start.

We are going to take a 15-minute break now and we will begin panel two at eleven and panel two will run from eleven to twelve-fifteen.

(Brief recess.)

DR. ROTHSTEIN: We are back with day one of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. We now move to panel No. 2 of today’s presentation and I want to welcome our three witnesses from panel No. 2 and we will ask them to testify in the order listed on the agenda if they have no objections, and we will begin with Ms. Bonk.

MS. BONK: Good morning. Physical therapists examine, evaluate, establish a diagnosis, formulate prognoses, develop treatment plans, provide interventions, educate our patients and their families, coordinate care with their other providers.

Interventions performed by the physical therapist include therapeutic exercise, functional training, manual therapy and the use of physical agents and mechanical modalities to achieve and further the patient’s condition. I would describe physical therapy as rather a high-touch profession within health care though obviously along with the rest of the world we have been moving to high tech, kicking and screaming sometimes all the way but certainly doing that.

One of the things that we deal with because of the situation that we have with examining and working with movement disabilities is that we will oftentimes see patients in very wide open spaces. If any of you have ever had the opportunity to visit a physical therapist and hopefully you haven’t but if you have oftentimes you may be treated in a large gym with many other patients there surrounding you.

There is a very positive atmosphere to that. It certainly drives our patients to do better. They see the patient next to them. They say, “I want to do what they are doing. I want to get well as fast as they are.” The down side of course to that is that there is a lot of open activity and for us with the HIPAA privacy rule those are things that we have to be concerned about. One would be verbal sharing and obviously I will get into that more but if we are talking to the patient and there is a patient on a mat right next to us we are concerned of course as we are talking to the patient. In my situation in a pediatric facility it is even more so because I have children in there but oftentimes have parents and siblings that are also gathered around the table and then other patients again can be right next door.

So, we worry about that sharing of information and yet it is something that has to be done as we are treating patients.

The other things that often happen as we are doing manual therapy if I can give you an example on the pediatric side, if I am treating your child with cerebral palsy I may have them strip down to their diaper working on sitting. Now, if that is a 6 month old that is probably not an issue but if it is a 10 year old it certainly can be and that is not an unusual situation in our setting where we are having older children who are very cognitively aware and concerned about what everyone else is seeing and we need to get our hands on these children.

So, one of the things obviously that we have had to deal with is our architectural surroundings and even though HIPAA did not require and does not require rebuilding we have had to go to some different processes to make sure that patients are comfortable, that their privacy is being controlled from that standpoint. Now, that is not an informational issue. That is a visual issue but I think it does reflect some of the problems that we are dealing with.

Physical therapists work in many practice settings including acute care hospitals, in patient rehab hospitals, private practices, skilled nursing facilities, home health care, schools and industry. Physical therapists also work with individuals across the life span from the neonate to the very old. The diversity of settings in which physical therapists practice necessitates an awareness of patient privacy and confidentiality.

In my situation I may have staff that actually flow from inpatient facilities to a gym as I described to a private exam room and they may also go out and do home health. So, just in one setting alone I am actually exposing my staff to numerous different types of situations that each setting presents different issues that we have to deal with from a privacy standpoint.

Our inpatient rooms by the way are all double rooms at this point and so we also deal with the fact that we have a very old facility and are constantly having to deal with going and treating patients when there are other family and patients in the same room.

Physical therapists like other covered entities generate clinical records for each of their patients. This clinical record includes information from the initial evaluation, our treatment plan, our goals for treatment and progress notes for each visit. Physical therapists also submit claims for reimbursement directly to third party payers. HIPAA compliance therefore has had an impact on the physical therapy profession raising the same issues that all other covered entities have had to face.

Now, I believe everyone would agree that what HIPAA and the privacy rule has brought about is really nothing more than what we should have been and probably had been doing for the most part all along. It just brought the awareness level up to a much greater point. I get questions on a weekly, if not daily basis from my staff regarding can I give this information out; can I give that information out, and I will go into a little bit of detail on that later.

In response to the mandates of HIPAA physical therapists, particularly those in private practice have created policy manuals, educated and trained their staff and educated their patients about HIPAA privacy. APTA has been very proactive in assisting members with HIPAA compliance through seminars, training modules and information on the web site.

From the standpoint of facilities I want the panel to understand that there is probably two different ways that this has affected our profession. From a private practice standpoint we have many therapists in private practice. They have had to oftentimes start at square one. Policies that were not in existence had to be created and we had to move forward with how we were going to then protect the privacy in a much more structured fashion than we did before for our patients.

If you look at therapists that work in facilities the thought would be well, no big deal. You work for an entity. They will take care of it for you. I just visually wanted to show you the policies that were created just since HIPAA for our facility.

Now, of these there are 32 here and of these 27 of them directly or indirectly relate to my staff and I was fortunate enough to sit on the committee that wrote these policies which was fun in and of itself. It was enlightening I would say but probably not the most fun part of my job, but I had to turn back and say to my staff, “We have got 27 policies that you may not need to memorize but you need to know how to access and you certainly need to have a general understanding.”

So I then had to go back to my staff and make sure that they had an understanding of this. So, it certainly has affected us and again I don’t imply that that is different than how it has affected other health care providers. I just want to make the point that we are not exempt from that piece of it.

In response to the mandates of HIPAA, excuse me. I wanted to make one other comment. Besides these policies we also as an institution had to go down the road of making policies for our human resource department because besides protecting the health information of our patients we also had to be concerned about protecting the health information of our employees. So, situations such as when I have an employee who has a work-related injury or perhaps even not a work-related injury and something that really is a situation that that employee wants protected where do I keep that information if they are on restricted work. Am I putting that in their personnel file? Am I keeping that in a separate file? So, all of those questions also did come up and we had to address those as we went along.

The practice is unique in some ways. Given that physical therapists are treating patients for functional impairments and physical disabilities either temporary or permanent the issue of disclosure of protected health information to other parties has been significant especially within the legal context. Patients, for instance who have a sustained injury due to automobile accidents or a work-related injury will often receive physical therapy services.

If a legal case ensues the issue then arises as to whom and under what circumstances can a physical therapist disclose that information.

The other situation that we deal with again at Children’s is the whole issue of legal guardianship. If a child comes in with dad and this happens, unfortunately more numerously than I would like to admit, but if a child comes in with the father but the father happens to not be the legal guardian and it is the mother my staff have to be aware of that because there may be a situation where mom has said, “I do not want my husband or my ex-husband” as is likely the case, “to have that information.” So, we have actually run into situations where the guardian has not wanted the non-guardian parent to be in the room when the treatment is occurring and yet as part of what we are and what we do with our children our expectation is that the family is involved because the treatment is not what we do. The treatment is what we teach the family to do with the child and for the child to do when he goes home and so we have to have that involvement and yet oftentimes we run into those situations. So, it gets a little bit sticky at times with our staff.

Additionally physical therapy interventions can often include the use of supplies and medical equipment. So, physical therapists often refer to other vendors to provide that equipment and then the therapist has to have a clear understanding of the business associate contract issues and how that relates. Again in a hospital facility I may have other, our legal department may be handling more of that. In private practice they have to do that from square one.

As physical therapists made changes to their administrative processes and the physical layout in response to the HIPAA provisions several additional questions arose. For all health care providers the issue of oral PHI is one that required some thought and for physical therapy practice it required additional consideration.

Since therapeutic exercise is such an integral part of physical therapy treatment facilities that provide these services will often have the open gym that I talked about earlier.

Due to that fact the physical therapy facility could have several patients in the gym at any given time and therapists have had to learn the finer points of minimum necessary provision. Although the HIPAA privacy provisions do not mandate those architectural changes many physical therapists did make adjustments to their facilities and procedures to ensure maximum privacy for the patient.

Such changes included limiting the amount of PHI that is transmitted orally while the patient is in the gym area, holding discussions concerning the prognosis and treatment in private treatment areas if possible and partitioning off more areas for private discussion.

Again, another thing that we have had to deal with is that in some of our smaller satellite spaces the staff computer is sitting in the middle of the gym. So, as we are documenting on computers whether it is an EMR or it is just our own documentation learning word processing we have had to deal with the fact that there may be patients in the gym that are not mine, might be of my colleagues’ but I am still in the process of trying to do my notes and documentation and yet there is a patient that is behind me.

So, we have had to deal with that and the space constraints again that an older facility has. We haven’t had the luxury of just saying, “Okay, we will find some more rooms to put the computers in.”

HIPAA in addition to state law requires mandatory disclosure to appropriate public health authorities in situations where a health care provider suspects physical abuse.

Due to the close contact physical therapists have with their patients physical therapists are sometimes the individuals who may discover evidence of suspected abuse. It has therefore been important for physical therapists to understand their obligations with regard to disclosures of PHI in suspected cases of abuse.

Again, I receive questions all the time, paged from the staff their concern about a child. The child is in with mom. The child is 15. What do I do? I think there is abuse. Do I have to talk to the mom about this? Where do I go? Well, we have got policies on that and certainly social work thank goodness, again, with the larger facility is where we head to, but again we are all documenting into the same record. So, information is flowing and as we move to the national database then obviously those concerns will continue to be there.

Maintaining patient confidentiality and privacy has always been important to the physical therapy profession. Several APTA core documents reflect the physical therapist’s ethical obligation to ensure the patient’s confidentiality, safety and well-being.

APTA’s guide for professional conduct which interprets the APTA code of ethics stresses the importance of patient confidentiality including compliance with all laws and regulations governing the practice of physical therapy.

In addition we have to meet vigorous state licensing requirements and follow state laws with regard to patient confidentiality. Within our accrediting body for our academic program certainly part of what is expected and what is looked at is whether or not we are teaching our students all of these issues regarding confidentiality. It falls under everything from ethics to just how we document. We also teach the students HIPAA issues at the get-go because our students are basically out with patients probably within 6 months of starting the physical therapist program. So, they are out there. When we get to the hospitals, the hospitals then have to take on that same role and make sure that even though they may have learned about HIPAA and documentation policy from the schools we then have to then make sure that they understand it from a facility standpoint because of course every facility has different guidelines as to how they relate to and answer the HIPAA question.

Recognizing the importance of electronic patient health care records and patient care APTA has developed a point of care electronic patient record software called APTA Connect in conjunction with Sederon(?) Medical of Davis, California. The electronic patient health care records offer the ability to gather critical and sensitive kinds of information about a person in one place and shared among health professionals in the best interests of the patient.

Like other professions physical therapists work with clinical support personnel such as physical therapist assistants in the delivery of care, administrative personnel and clinical operations. For those involved in the patient care and the use of Connect it is important to ensure that appropriate measures are taken to prevent inappropriate access to information.

When using Connect physical therapists must use passwords, train personnel and take other security measures that ensure privacy. I would, also, add that anecdotally the facility that I work at is just moving towards the electronic medical record and the physical therapy and occupational therapy departments are actually two of the Phase I departments that are going live along with our pulmonary department and our neurosurgery department.

I have had the joy again of sitting in about 15 hours of meetings on a weekly basis since the first of the year and we will continue with that until probably July working on pulling our electronic medical record together for our facility.

Now, I don’t suggest and I think it was mentioned with the previous group that the electronic medical record at a facility is the same as what we are talking about as far as national network of health information.

However, I certainly see in my experience what we have been going through and some of it is just process; what are the notes going to look like; how is the paper document going to look, but much of it becomes that security issue and one thing I would like to mention and point out is that I think even though there is concern about access and what we are going to be doing when we have data available nationwide, I want to make sure that we also don’t forget the fact that some of this is just that it is bringing our awareness up, that there has been abuse of the data present because of the paper documentation system ever since I have been providing health care and I am assuming it has been longer.

I know that there are times that people are accessing charts in the hospital that shouldn’t be. We have policy about that, but certainly how we enforce that policy and whether we are aware that the policy is being broken is very difficult.

Now, when we go through our electronic medical record process we talked about mental health information. We have those charts basically locked on our system and if I were to try to go in as a non-mental health care provider I would get a big stop sign, and it would say, “This is a locked document.”

Now, I can break that lock, and I can go in, again, because in an emergency standpoint that doc in the ED is going to want to be able to access that information perhaps but there is an audit trail now and it is not just a trail. If you break into that document on the system we are going into there is a report that goes to our privacy officer or the head of our health information systems on a daily basis that says, “Here are the people that went into unauthorized documents.” So, it doesn’t stop that from happening but the Pollyanna side of me says that there have got to be ways as we move down this path that we will be able to set up processes that will keep, at least make us quite aware if we are breaking the law or getting into things that we shouldn’t be and there will be some way that we can track who has done that in the process.

We believe that in some ways all the EMR issues that we are dealing with and facilities that APTA Connect this new software package that the association is producing for our private practitioners will provide them some of the same level of issues where they will be able to document on a much more hopefully efficient but certainly in a much more constructive manner and with information that then can be accessed by the appropriate personnel.

David Derive from APT Connect will also enable facilities and researchers to obtain valuable information about patient outcomes from physical therapy that could be used to improve patient care in the future. When Connect is used as a research database researchers must take measure to protect the patient privacy and comply with HIPAA and other state and federal privacy laws, and again we had to deal with the same thing. Research shouldn’t be left aside.

I know that the forms that we use for research have all changed since the HIPAA privacy rule has gone into effect. We have had to change what the patients are signing off on and as much as I like to think that being in a large facility that has been taken care of for us it isn’t always and we have to oftentimes rewrite some of the forms ourselves.

The challenges of protecting patient information will continue to evolve in the age of electronic medical records and transactions and many of those challenges will have a unique impact on the practice of physical therapy. The American Physical Therapy Association greatly appreciates the opportunity to provide this statement to the NCVHS Subcommittee on Privacy. We hope the Subcommittee and full Committee will continue to look at us as a resource as they deal with emerging privacy issues. We would be happy to demonstrate the APTA Connect application to the Committee and to discuss other efforts to assist our members in protecting the confidentiality of their patients’ health care information.

Thank you for the opportunity to contribute to your efforts.

DR. ROTHSTEIN: Thank you, Ms. Bonk, and we will be back with questions at the end of the panel discussion.

Dr. Inge?

DR. INGE: Thank you for the opportunity to present before the Subcommittee. My name is Dr. Ron Inge and I am a representative of the American Dental Association. The American Dental Association represents approximately 150,000 dentists in the United States. I will give an overview of what we see the impact of the HIPAA regulations and how we have responded to them.

First I would like to start by stating that the HIPAA regulations have been taken very seriously by the American Dental Association such that my division which is the Division of Dental Practice has developed comprehensive kits to allow our dentists to assess and to comply with the regulations as they have been written. Those kits are HIPAA privacy and HIPAA security.

To date we have distributed nearly 70,000 kits to member dentists throughout the United States. We felt that the kits were a first start. Once the kits were provided we also developed seminars that we provide on a regular basis to our members to allow them to understand and comply with the regulations.

Those seminars are put on by ADA staff with information and background provided by a legal staff who has reviewed all of the regulations.

I was asked to address four points in regard to the ADA, the first point being understanding how a dentist would handle privacy, confidentiality and security of patient records in a paper versus an electronic world. The paper world is easy to address in that I was a practicing dentist for 15 years. In the paper world our charts are located in locked files. We take common sense procedures in regard to keeping those files separate, having them available only to staff, also taking precautions in regard to basic locks, alarms for offices and the ability to only have staff pull and provide information from a paper environment.

This has been very standard. Dentistry has been progressively moving forward in the electronic arena. In regard to electronic records confidentiality is not necessarily the largest issue that faces dentists. Dentistry is slow in adapting. It may be unknown to this Committee but dentistry lags far behind medicine in regard to its use of technology in relation to its patient records and also claims submissions.

The average electronic submission of claims throughout the country is about 30 percent for dentistry. In the electronic environment dentists will represent more a problem from data integrity; with the growth curve of knowledge around electronic transmission dentists are still unfamiliar with the technological problems that could be presented from their computer systems. Many dentists have not followed with updating their systems, maintaining the integrity of backups and reviewing that process.

So, the ADA sees that as a bigger challenge to dentists than the confidentiality of electronic records. I was also asked to what extent do dentists utilize electronic health records. At this time there is no data available to demonstrate the use of electronic records in dentistry. However, the ADA does do surveys and in those surveys we ask about the use of computers in the office.

In our survey in 1994, it was determined that 67 percent of dentists had computers in their office and used them to some extent. In that survey 42 percent used them for their patient records. Twenty-two percent used them for diagnostic and monitoring.

In 2000 we repeated a similar survey. The number of dentists with computers in their office in 2000 had risen to 85 percent. The number using electronic health records had risen to 51 percent and the number using monitoring and diagnostics had risen to 40 percent.

So, we see a progression within dentistry that we are moving into the electronic era, but it is a slow evolution. I was asked to comment on the different cohorts of dentists who will utilize the electronic health record. The ADA did an environmental scan recently which demonstrated four different segments within the dental profession in terms of generations. We have the traditionalists. We have the baby boomers, gen Xers and the millennials. You have got to have a title.

What it does is it actually helps to stratify the acceptance of technology. The traditionalists and the baby boomers are rather slow adapters. They have been very conservative and very set in their delivery of dental care over the years. So, we see a strong population that is hesitant to move into an era that they don’t fully understand. The ADA has taken upon itself to help educate this population and move forward. The gen Xers are much more readily adapting to technology. So, you will see younger dentists, and I will use that term as a politically correct term, younger dentists much more active in regard to a paperless environment within their offices. These types of offices are scattered throughout the United States. We don’t have specific numbers but we know that the progression is moving forward.

The millennials or the new graduates are most accustomed to technology. These are young dentists who have only used computers and the electronic medium. It is now being part of their curriculum within dental school. So, they are very quick and are very challenging to the ADA to provide more information around the electronic record and how it can be used, how they can be included in it.

So, as an ADA representative we are very proactive in regard to moving forward in the electronic health record and we encourage all of our members to do the same, and with that I look forward to the discussion.

DR. ROTHSTEIN: Thank you very much. I am still trying to figure out which group I want to be in.


DR. ROTHSTEIN: I know where I am. I am trying to figure out where I want to be. We will be back to you as well with questions, and finally for this panel Dr. Miller.

DR. MILLER: Good morning, Mr. Chairman, members of the Subcommittee, ladies and gentlemen. My name is Dr. Pamela Miller. I am a practicing optometrist and an attorney and have maintained a private solo optometric practice in Highland, California for over 30 years. I am very pleased to appear before you today on behalf of the American Optometric Association representing the concerns and issues of the doctors of optometry in the areas of privacy and health information technology.

The AOA is closely monitoring developments in this area. The association of more than 30,000 members has already submitted broad formal comments to the Department of Health and Human Services on the President’s goal implementing nationwide use of electronic health records in 10 years. These comments were submitted in January as publicly requested of all stakeholders by Dr. David Brailer, National Coordinator of Health Information Technology who also reports to the Secretary of Health, the Honorable Mike Leavitt(?).

These are exciting times but also very daunting and even threatening for the private health care provider. Technological advances are so rapid that it is extraordinarily difficult to keep abreast of new changes and still maintain competency in this arena.

Furthermore some professions grant no continuing education for this integral part of practice. It is safe to say that there is both concern and apprehension on the part of my colleagues in optometry. There is a significant disparity in practitioners who utilize computer technology ranging from simple practice management software programs to complete EHR technology.

Solo practitioners or smaller practices will be less likely to utilize current technology due to the significant investment required and the realistic lack of financial return on that investment in the day-to-day operations of their practice.

There are three areas of concern when addressing privacy and health information technology. First is the physical hurdle of implementation and training. Most doctors and their staff are not techno savvy. There is significant fear and trepidation anytime we embark on an unknown road. Staff resistance is often most challenging. It is the staff who is charged with the responsibility of actual implementation, updating record entry and access. They rarely receive any formal education and attempt to fit new technology in whenever and wherever they can in an already busy day.

Most offices today have one full-time staff person who is responsible for electronic patient authorizations, billing, lab order and stock entries, etc.

This individual is often stretched to the limit just keeping up with the current day-to-day electronic entries.

Doctors are often no more and frequently less computer savvy than their staff. Their primary concern is meeting the care and health needs of their patients. Relatively few doctors currently utilize any form of electronic health records even in the most rudimentary form. The smaller practices comprised of one to a small handful of doctors are often the last to come on board often because they are the only one in the office who can initiate and maintain the entire process of electronic implementation.

The potential for widening the gap in patient care between offices that are involved in electronic health record communication and those that are not up to speed in this field is tremendous. Potentially doctors may leave practice for no other reason than the electronic technology demands on their offices thus depleting an already finite resource of patient care and choice.

The second area of concern is the cost factor. Both hard and soft costs enter into the picture. Not only is there the actual hardware and software costs but the soft costs of training, upgrading both software and staff doctor education over the ongoing period of implementation and utilization are significant. Every time the software is upgraded there is a new learning curve which takes place. Typically one staff person is the key computer or electronic entry individual. This person now becomes indispensable in the health care office.

When that person leaves the entire learning process often starts over. This is a recurring cost that is virtually impossible to put a dollar amount on. With the implementation of electronic health records it is critical to bear in mind that hardware and software costs will typically escalate. Realistically there will need to be access in every examination room, pre-testing station and every staff desk. Even in a small office this is a significant investment. Realistically we must also include the following factors to this basic cost, the ongoing maintenance issues and times when our computers or programs are down or inoperable, resulting in a significant loss of productivity and inability to see or care for our patients. Couple those issues with the fact that our cost factors increase proportionately and are difficult to recoup. These areas of concern add substantially to the mix when evaluating overall costs of initial implementation and ongoing maintenance.

The third area of concern is that of loss of privacy with respect to patient information and the increasingly significant potential for inadvertent or even intentional dissemination.

Patient confidentiality is sacred and has long been at the heart of the patient provider relationship. If that relationship is to stay healthy to optimize the care and well-being of the patient it must be vigorously safeguarded by every stakeholder who will have approved access to EHRs. Threats to this principle are more real than ever in the post 9/11 high-technology age. Our country now lives with the frightening specter of electronic terrorism that is aimed at disrupting large computer networks and infrastructures. Furthermore there continues to be the costly havoc periodically unleashed on public and private computer networks by grudge-holding or mischief-making hackers.

There are specific threats to EHRs both in the reality and in the minds of health care professionals. These include access to EHRs by patients’ employers, insurers or other non-privileged individuals, fraudulent information selling, wireless technology interception, etc.

With the implementation of HIPAA this concern is a significant one for everyone concerned with protecting the patient’s right to privacy. Privacy issues cover the gamut from the patient’s right to obtain information that is in their individual health care records to doctors’ notes which may or may not be intended for patients’ eyes, to the issues of billing and specific testing data in patients’ records.

There is no question that it is of the utmost concern that implementation be smooth, cost effective and easily integrated. The issue of accountability remains paramount. There are also three positive benefits to the implementation of electronic health records. First is the most obvious. Patients can and should receive improved levels of service and communication between their health care providers resulting in significantly improved treatment at a cost savings. Record transmission allows for more rapid diagnostic and treatment alternatives as well as improved consulting services between health care practitioners.

Second, the professional health care specialist is better able to consult with colleagues, keep everyone informed about the patient’s care and interact with fellow health professionals and practitioners to better serve the patient’s health needs.

This includes both diagnostic and treatment modalities as well as ongoing patient care. The third benefit is improved documentation, quicker and correct billing and coding and faster reimbursement. Effective electronic implementation allows for a faster turnaround time for authorization for services and also improved coordination of the appeal process of any denied claim.

I cannot emphasize enough that although the benefits of electronic health records, electronic transmission and telemedicine are impressive the financial impact on the health care provider cannot be underestimated or ignored. It runs the risk of escalating fixed expenses, presenting another potential burden to the practitioner coupled with flawed managed care delivery systems and the lack of adequate access to care that the individual practitioner must absorb.

I have three key recommendations to make which are specific to the privacy and security of EHRs. First, HIPAA compatible rules must be developed for the EHR environment. Second, as necessary new laws must be developed spelling out specific rules for safeguarding EHRs as well as the entire national health information network. Such laws must require the highest most sophisticated security access standards for approved EHR users and third the development of strong laws must also set forth harsh penalties for those not approved to access EHRs and who intentionally and fraudulently breach the security of EHRs.

These are indeed exciting times we live in. We are once again on the brink of a new way of conducting the business of patient health care and professional interaction. I thank you for the privilege of addressing this Subcommittee and being allowed to offer insight from an optometric point of view as my profession along with other health care professions prepare to meet this challenge.

Thank you.

DR. ROTHSTEIN: Thank you very much, Dr. Miller and once again, thank you to all of our panel members.

The floor is open to my colleagues for questions.

Dr. Harding?

DR. HARDING: Some of you were here for the previous testimony where we were talking about especially sensitive information and that there are some groups in medicine; it was mentioned mental health and it is often mentioned some ob-gyn, some infectious disease, some genetic material, some of those things where people consider it especially sensitive. Do you and your professions have that kind of categories of people who you know are especially sensitive about their information or some types of illness in your categories, in dentistry and so forth? I mean in dentistry teeth enamel erosion might tip off some other problem like bulimia or something along those lines. Are people very sensitive about what is in their dental, optometric, you know, physical therapy records? Do you have that feeling?

MS. BONK: From a physical therapist standpoint I think there are times. You alluded to the erosion from the dentist’s standpoint. Oftentimes we can run into the same thing, sports medicine. We may be treating a 17 year old and because we are spending a lot of time with them either they verbally tell us or we may become aware that they might be using steroids. That might be an issue. Who do we tell? Their coach who sent them to us? So, there are things that they would be concerned or would perhaps not share information with us if there was a concern that we were going to abuse that privacy and I think again I mentioned abuse cases. Oftentimes we are in that situation, elder abuse. So, it is not a specific category but we can also be treating that child with HIV or the adult with HIV. So, it would just be inherent in some of the things we do.

DR. MILLER: I think, also, within the optometric field a substantial part of care of the patient involves the case history and a great deal of information can be elicited during that period of time.

It is not unusual for a patient to refuse to give information to a staff person who is eliciting information, turn around and then give it to the doctor and in my records I will frequently code information because of the privacy concerns on the part of the patient where the patient does not wish information to be distributed. Because we deal with third-party health care all patient records who fall under third-party reimbursement have health care records that are subject to periodic assessment and audit.

So, again, that privacy issue becomes very, very important. There are other issues that come into play for example when you are suspecting cases of abuse, etc., where you don’t have the diagnostic confirmation because that is outside the purview of the profession of optometry in many cases but it may be suspected.

So, privacy is a major issue to patients and patients within the last year or so have expressed a significant concern about where does the information go that is recorded in their health records and that becomes much more of a concern as patients switch health care providers, switch insurance providers and the information has to be repeated again and again between patient and doctor, but certainly in my practice privacy is a significant concern and what is put into the patient record sometimes has to be somewhat more judicious guarded.

DR. INGE: In dentistry it is important to have the integration of the patient’s overall health history. You mentioned erosion. Now, there are certain conditions that represent drug abuse and those are areas that are very important.

Also, aside from drug abuse there are also medications that have manifestations in the mouth and also have ramifications to treatment. So, those are very important. In regard to privacy I will relate a personal instance. Before HIPAA came around I was treating a woman and she actually had a full denture and her husband didn’t know it and I started a conversation with them both as a family and she panicked. So, in terms of privacy there are specific things that individual patients are very sensitive about and we now have to be more aware of those.

MR. HOUSTON: Dr. Inge, in your experience how integrated is the typical dental office with other types of health care services that would be provided?

Is it typical that a large hospital would employ dentists?

DR. INGE: Seventy-five percent of dental offices are single practitioners. However, we do have hospital-based practitioners as well. If you have noticed in the media more recently —

MR. HOUSTON: Do you have a number?

DR. INGE: Of hospital dentists? No, I don’t have the exact numbers on that but it is fairly small. Most of those will be oral surgeons and that will be the reference but as I was saying if you have noticed in the media more recently there are more and more articles that relate dental disease to systemic disease and there is more and more research that is showing a strong association between the two. As a result dentistry is moving more and more into the health care model and it is important to have that integration of information with a physician and with the dentist, not only for specific treatments within dentistry but for coordination of overall treatment planning for a patient and his systemic condition.

MR. HOUSTON: Is that based in terms of criticality?

DR. INGE: I think that it has a couple of critical points where it is very relevant. At the initial treatment or diagnostic and treatment planning stage it is essential to have as much information about a patient’s overall health care and then at the same time add implementation of treatment depending upon what that treatment might be. It is also important to reassess or confirm whether or not that information is available. To give an example it is very often that a patient will be asked to pre-medicate if they have mitral valve prolapse and it becomes a very daunting task for a dental office to call the physician and get that information. There simply is not that link and that can actually delay treatment.

MR. HOUSTON: With regard to Dr. Miller, one of your recommendations, your first two recommendations, and I guess the second one, too, I guess when I think of security and privacy rules I sort of thought that those rules would apply as a basis for what you are asking in one and two. Could you expand upon where you think those rules fall short?

DR. MILLER: I think the biggest thing that we are looking at is that we want to make certain that anything that we put into place is compatible with what already exists and many of the aspects of the HIPAA rules and the national technology that is going into effect are still somewhat nebulous. HIPAA is currently a one-sided situation so that it is triggered, a HIPAA violation is triggered by a patient complaint and the patient is not required to sign any information privacy acts.

In essence and I think that this was alluded to earlier in testimony if the provider is called upon to distribute information about a patient the patient currently has no recourse against that and that is a very serious concern. It still comes to the right of the patient’s privacy. It is not the right of the doctor to the privacy in whatever is in the patient’s records and certainly within the field of optometry this is a major concern because we are in the position where we not only are required to protect the patient but many times it is the optometrist who is the individual who diagnoses a particular health care problem, who is responsible for forwarding that information or forwarding the patient to another health care practitioner.

No information is received back from that referred source so that when we are looking at the electronic health information it still comes down to the patient’s right of privacy, and that is not something that is totally addressed by current HIPAA standards.

If we are looking to expand electronic health records and there are some distinct advantages to doing that, certainly within the realm of patient and doctor communication and interprofessional communication we still have the obligation to protect the patient’s right of privacy, and that is not in existence under current standards.

I don’t have the solution, however.

DR. COHN: I think I am actually sort of following on John’s comments and questions. Pamela, I actually want to thank you all for very good testimony. Pamela, I thought your testimony was sort of interesting in the sense that you move a little more into the security issues than I think some of the other testifiers that we have heard and you made comments such as things requiring the highest most sophisticated security access standards for approved EHR users which appeared to be a recommendation from your society.

I was curious on exactly what you mean by that and I am wondering is that an actual policy of your society and are you for example implementing digital signatures on all of your records that you use within your optometrist record, optometrist offices or what is going on with all of that?

DR. MILLER: Certainly for a formal statement you would need to talk with the American Optometric Association. Digitized signatures are certainly an area that is being explored. They are not widely used within the optometric field. Optometrists currently a little bit over 50 percent have private practices. The remainder are in some other form of health care system, whether it be at Kaiser, Rosloose(?) the military, any number of things or on staff and faculty of schools and institutions.

So, when we are looking at electronic data it becomes a very serious issue and we certainly don’t have the answers. Optometrists and dentists share many common responsibilities and many common fears. In the chain in terms of electronic records optometrists are probably at the lower end of the chain. They are a little bit slower to move in adapting new technology in terms of patient records and my office is a primary example. We pull authorizations electronically. We get paid frequently electronically. We submit orders electronically but our individual actual patient records are still hard copy and a lot of that is because of the stubbornness of the doctor in charge and I won’t mention her name, but the fear of losing patient records, of having patient records accessed by other sources is truly significant and as I indicated in my testimony it is the smaller practitioners that most likely will be the last to come on board and typically when the government looks at enforcing rules the smaller practitioner is not the one that they go after first because there is no money in it. There is no percentage in it.

So, in terms of my particular association they do not have a very specific line of sight in terms of a directive for this Subcommittee. These are simply the concerns and I will say that they are my concerns as well as my association’s concerns.

DR. COHN: I think what I am hearing is a high-level concern that we should not necessarily assume that there has been widespread implementation of highly secure —

DR. MILLER: There currently is no widespread implementation. It simply does not exist within the optometric field at this particular point and we have great difficulty sometimes in getting information back from those individuals that we refer to as well.

DR. ROTHSTEIN: That is the point that I want to follow up on. In many states you can’t even access physical therapy services without a prescribing physician so that the patient already knows the connection between let us say their orthopedist or rehab doctor and PT services, but it is not the case generally speaking in dentistry or optometry.

So, my guess is that many of the patients who sort of self-refer to your services don’t have the understanding of the issue that was discussed earlier that is the connection between let us say dental health and more systemic problems or neurological problems and vision problems.

Has it been your experience that patients who have been asked to sign what used to be called a release, now is an authorization to get information or actually you don’t need an authorization under HIPAA because it is treatment but a release or their permission to get information from let us say their primary care or their specialist physician was surprised that that information would be necessary for their other treatment and maybe refused on grounds of privacy; they didn’t want their files, their primary care files accessed by their dentist or something?

Do you have any experience with that?

DR. INGE: In my experience I have had very few patients that ever declined to allow me to speak with their physicians and it was standard practice based upon whatever their medical history demonstrated if I felt there was a need to follow up that we did have an authorization that they would sign. This was prior to HIPAA and then that would allow me to contact the physician and tell the office that I did have permission to talk with them.

Very few declined that.

DR. MILLER: As a primary care practitioner I find that patients are very susceptible to basically whatever I tell them. If I say to a patient that I need to contact your primary care physician or I need to refer you to a retinal specialist or whatever there is virtually no resistance on the part of the patient to accept my recommendation because you have laid the ground work. You have informed the patient what the problem is, what you need to do and the pathway that you are going to go down.

You, also, have told the patient that you need that information back to better care for their needs because health care is a widely integrated system. It is not compartmentalized so that patient response is typically not a problem in terms of getting information. Accessing information quickly on the other hand becomes a problem because you are dependent upon other practitioners and their time period in getting information back and sometimes that can be a bit of a problem.

When you have an emergency situation then you are really looking at picking up the telephone, calling another practitioner and saying, “You have to see this patient right now, and I will fax the information over.” So, the current technology has aided the patient care tremendously and the resistance has not been on the part of the patient once you explain why you are doing what you are doing. It is just like any testing in my office. Frequently a patient will go, “I don’t want to have that test done,” and it is incumbent upon the practitioner to explain why you are doing the test, why it is important and what you are going to do with the test results but patients themselves are not reticent in terms of disseminating health care information given a specific reason and not the fact that you are just selling it on the street because some of that information is actually privileged.

We ask patients for example if they are using any drugs and we are not talking about prescription drugs because we ask about that as well and it is amazing the number of patients who will tell you that yes, they utilize non-prescription drugs that they purchase from the street corner and that now becomes a real serious problem.

So, there are different issues of privacy in terms of what the patient wants released.

DR. ROTHSTEIN: So, that was the intro to this question and that is anticipating that response I take it then that if the security issues and the other concerns that have been addressed are resolved satisfactorily and that is a big given that your practices and your relations with your patients and with other health care providers would not be undermined and in fact might actually be aided by an electronic health record system; is that a fair statement?

DR. MILLER: That would certainly be my expectation and I think that of my fellow practitioners. What we are interested in doing is taking care of our patients to the best level that we possibly can and that is both the promise and the threat of electronic health records.

DR. INGE: I would agree that it would be a benefit. It allows the practitioner the opportunity to understand the overall health environment that they are working in and not be left to chance. So, I look at it as a definite positive for the dentist.

DR. ROTHSTEIN: And for physical therapists I assume that you might have easier access to more comprehensive information than maybe you get now at times.

MS. BONK: Absolutely. I did want to state that there is actually a large number of states, certainly more than half that have some, and I don’t know the exact number at this point off the top of my head that have some form of direct access to therapy and so we don’t necessarily, and now the payer side is a different issue but on the treatment side we oftentimes are seeing patients without a doctor’s referral when they come in. “My back is bothering me.” I mean at that point again I think it would behoove us to have that record because we would be able to more readily access. We would be in the same boat as the others that we would have to be contacting that primary care physician or the orthopod, etc.

DR. HARDING: Since we have begun holding hearings on this topic an issue keeps coming up that you mentioned and I think that you have at Children’s Hospital and that being the black box or the locked box or something of an electronic medical record and it has always been discussed. It has been downplayed by some people who testified before us as being impractical, impossible to do in a large system. Others say that it can be but you need a very good audit system and so forth.

You were saying that anybody in, well, maybe I am misquoting but my impression was what you said that any health care professional within Children’s Hospital can access a black box but there is an audit trail. Is that correct or are there only special people who can crack the box open or how does that work?

MS. BONK: It is not that anyone that is a health care provider at Children’s can access say the mental health record. There are layers of security. So, a primary care physician might be able to access and break the lock. As a physical therapist I probably would not be able to because of where my security level would be. So, as we are getting into this it is an extremely intricate process that we are having to go through.

So, obviously from a national standpoint I can’t even begin to imagine from a technology directive how that would be handled.

DR. HARDING: There are so many variables in that that it —

MS. BONK: The technology gurus I guess have to be the ones to answer that because from our standpoint we are spending an inordinate amount of time making sure that we are setting the security levels up appropriately and for every question we answer we have raised two more in the process that we are trying to work through.

DR. ROTHSTEIN: Ms. Bernstein had a question.

MS. BERNSTEIN: Thank you. Both Dr. Miller and Ms. Bonk mentioned accountability in their testimony and I wonder if you could flesh out a little bit. You talked about the use of audit trails in the system that you have and I was wondering if you could flesh it out a little bit before and since the advent of HIPAA what was your experience with audit trails or accounting for disclosures which is required by the rule. Has that changed since the advent of HIPAA? Has it been an imposition? What has been your experience with that aspect of the rule?

MS. BONK: It has been a huge issue for us that we have had to address since HIPAA. Prior to, again as much as people understood the concept of confidentiality the tracking of those issues, what we fax out, what we send out to primary care, a primary care physician who is not a children’s physician but referred a patient to us, we are sending information out to them. Well, what if we fax to the wrong doctor? In fact we have many Dr. Millers on staff and not on staff. So, you will send out to a Dr. Miller and it gets to the wrong person. How are we tracking that? How are we accounting for that? There are multiple things that we have put in place, again, fax logs that would be one thing. Our e-mails we are not allowed to actually. Our policy is that we do not send patient information, health information across e-mails. Things of that nature that I think in the past we probably did much more frequently; e-mail became much more usable before HIPAA came around and so now we have backed off and said, “We are not supposed to be doing that. We had better be careful.” So, I think there have been a number of things now that have been put in place and the whole tracking of accountability there are numerous pieces of information that we have to send out to state regulatory bodies; something as simple as the fact that we do newborn hearing screens has to go to the state, that information and so that is going and we are having to keep track of all of that information that we send out.

MS. BERNSTEIN: Has that changed since before HIPAA? Has there been a change since HIPAA in what you were required to do before in your practice and what you are required to do now in that area?

MS. BONK: Absolutely. I used the newborn hearing screen actually that came out about the same time in the State of Illinois. So, they kind of came along together but yes, we certainly tracked disclosure to state prior but faxing issues and things of that nature we really didn’t keep the kind of logs that we keep now.

DR. MILLER: And we are finding that the accountability I am not certain that it has particularly changed but the awareness of it has changed so that for example if you are sending out a fax you have a cover letter and it basically states that if you received this fax in error please let us know. That is virtually useless. I have never had anybody call me back and say, “Gosh, we have got patient information here in error and it has been disclosed. What would you like us to do with it, burn it, shred it, etc.?”

So what has happened is we have had a greater awareness of how our offices and how our practices are conducted and I think that that has been to the patient’s benefit in terms of trying to safeguard the patient’s privacy and it is very easily explained to the patient who may get a little bit upset by simply saying, “Well, you know how the government works,” and patients somehow seem to accept that as okay if the government says that you have to be more aware of confidentiality issues that is fine, but in terms of what we do I don’t think that the basic premise has changed. It is a matter of how it is done since HIPAA has gone through.

A greater concern and this harks back to I believe the previous question is the audit trails and when third-party carriers come into play because for example when a third-party carrier comes into my office to do an audit they then have access to the patient records and it is up to the practitioner to make certain that that third-party payer is not allowed to access records prior to the point where they were taking care of services. So, when we are looking at HIPAA, when we are looking at electronic health information those gates now become wide open and that is a serious problem. So, when we are talking about threats and levels of security the insurance companies have a different need to know than the practitioners and patients also have a different need to know. Sometimes patients garner information that is only partially true or they build upon a premise based on a diagnosis or based on medication, etc., that has come across their desk. Some patients are pack rats when it comes to information and there is nothing wrong with that but there is something wrong with what that can lead to.

So, in reference back to your original question in terms of what has changed since HIPAA, HIPAA has been a big pain in the neck for some of us in terms of HIPAA compliance. It requires 100 percent attention all the time. I am constantly in my office telling my staff “Don’t say that, don’t use that term. Please cover that record. Don’t let a patient back in this particular area,” and it has probably more than anything else made us much more aware of the patient’s right to privacy and that is a good thing. That is not a bad thing.

DR. ROTHSTEIN: Okay, any further questions?

Dr. Harding?

DR. HARDING: Dr. Miller in your testimony you mentioned that post 9/11 has caused a lot of concern about electronic terrorism and so forth. I just wanted to comment that we have had a lot of testimony kind of pushing the other side, that is that one of the reasons for the NHIN is the issue of terrorism and contagion and outbreaks in various parts of the country that could be quickly recognized through a system like this. It kind of gets us into the Patriot Act versus all of those kinds of political things but while it is complicated we get both sides of that and this could really save us. That is one person testifying whereas others say that this can really take us down a road and there are really tough questions that we are wrestling with.

DR. MILLER: It is important to remember that once we go down the road we can’t turn around. So, we need to make certain we are taking care of things.

DR. HARDING: And if we miss that contagion millions of people will die.

DR. MILLER: Absolutely. Are you sure you are not an attorney?


DR. MILLER: There certainly are strong issues on both sides and your job is to try to make certain that we come up with a final solution that is appropriate for the needs of the people within this country.

MS. DOZIER-PEEPLES: This question is for whichever one of our presenters is actually working with electronic records at this time. Electronic health records are perhaps unjustly seen as more vulnerable to unauthorized disclosures and as less secure than paper records and since you are actually using electronic health records exactly what is your perception and your experience as to which is more protective of patient privacy, the electronic multi-layers or the paper records?

You testified that you are using them.

MS. BONK: I can speak to we are in the process of moving to the electronic medical records. So, we have not actually gotten to that point. I think there are multiple layers of that and I don’t think there is a this answer or that answer. I alluded to the fact that I think with the paper product there are opportunities for disclosure that shouldn’t occur. Anecdotally I can remember having a staff member in a hospital I was working at who delivered a high-risk infant, did not want her co-workers to be involved in the horrible situation she was dealing with as a new mom and what they were going to do to care or not care for that child and we discovered that we had staff that were actually out of concern running up to the floor opening up the chart and looking at something that they had absolutely no right to access. Could they access it in an electronic medical record? Yes, but that staff member who was in the hospital could have made a statement from up front that they did not want that disclosed and they probably by security levels within a system could have been stopped. The concern of hackers and situations like that I think it opens up again a technology question for me that I don’t know the answer to. When we go to an EMR are there ways that people can get in that the computer gurus have said, “No, they can’t” but personally at least to the level of a facility my gut feeling is that the EMR will actually be somewhat more secure than less for the most part.

DR. MILLER: I simply would like to make certain that you are aware when you are talking about breaching the security or the confidentiality of the patient it is one thing to breach one record which is hard copy. It is something totally different to have access to all of the electronic health records and significant numbers of patients’ information is breached and I think that that is something that really requires layering in terms of the security.

At this point we are not seeing secure systems and there was testimony earlier today certainly about the accessibility of records. You and I have all had I am sure where your credit card information has been accessed and you get a notification from your bank that says, “We have to issue new credit cards because all that information has been breached.”

So, when you are looking and weighing the pros and cons accessibility to one patient’s record while that may be serious for that particular patient when it is in hard copy is a little bit easier to actually control than a mass opening of the electronic health record system and going fishing.

DR. INGE: I would agree with the vulnerability of mass exposure. I think that in the dental environment there may be a naivete about that and most dentists are solo practitioners and they feel very comfortable within their own environment and as yet have not necessarily connected to the Internet and recognized the vulnerability that it exposes them to.

So, from that standpoint I agree that the hard copy is easier to protect on a one-to-one basis. The electronic health record does open up the opportunity for more massive exposure and it would require more sophisticated security and an understanding of that security.

DR. ROTHSTEIN: And it also seems to me that it suggests a higher level of training may be necessary for people who are sort of new to the electronic world and especially now that they are linked to a wider array of medical records by electronics so that they have to be more attuned to the dimensions of the implications of the security breach.

I want to thank our panel members for very helpful, thoughtful, engaging testimony. We will break now for lunch until one-fifteen and resume with panel three on institutional providers.

(Thereupon, at 12:20 p.m., a recess was taken until 1:24 p.m., the same day.)



DR. ROTHSTEIN: Good afternoon. We are back on the hearing of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics, our second round of hearings on privacy and health information technology.

We welcome the members of our third panel today to discuss the perspectives of institutional providers and we will begin with the representative of the American Hospital Association, Dr. Donna Boswell.

DR. BOSWELL: Thank you, much, Mr. Chairman and members of the Committee and thank you very much for letting me come here today to talk about the privacy and confidentiality issues that affect the creation and deployment of our new national health information infrastructure.

I am a health care lawyer and my name is Donna Boswell, and I have served as HIPAA counsel to the American Hospital Association on HIPAA issues including the privacy and security issues implementation under HIPAA and I have to say that HIPAA has been through some very interesting changes in hospitals and physician offices. Before the federal privacy rule under HIPAA providers’ protection of patient privacy was rooted in the medical relationship, the basic fact that patient trust is integral to the practice of good quality medicine. Medical ethics, best clinical practices, licensure and accreditation standards memorialize the duties of confidentiality stemming from patient’s expectation of privacy when seeking medical care.

In some states for some providers or some kinds of information state laws, regulations and constitutions codified these duties and provided for enforcement. As a result of HIPAA all that has changed, sort of. We have very specific federal requirements for protecting privacy. It is a matter of federal law, punishable, protected by federal criminal penalties of up to 10 years in jail and $250,000 for each violation, very serious penalties if disclosure results from their violation, and I have to say that your own hearing record over the years demonstrates and documents that patients were confused, concerned and uncertain about the system of protections that were in place before the federal regulation. They were fearful of imagined or real gaps and holes and rips in the curtain of privacy that protected their medical relationship and I have to say also that when it became clear in 1996, with the standardization of the HIPAA transactions that the health care system can no longer afford to responsibly function in the 21st century without state-of-the-art information and communication systems these fears, these patient fears lent their urgency to the call for a uniform federal standard for medical privacy.

We were looking for uniformity of rights and standards, predictability of procedures, realistic accountability for meeting these federal standards. We have learned many things as hospitals have revised their practices for protecting patient privacy to integrate these multiple specific federal requirements of the HIPAA privacy and security rules.

First, we learned that it is very costly, complex and disruptive to make changes to policies and procedures that affect the day-to-day activities of care givers and of the administrative personnel in our facilities.

A prime example of this is the seemingly harmless HIPAA requirement that documentation be kept to provide each patient with an accounting of disclosures to third parties.

Defenders of this requirement liken it to an audit trail memorializing access to a record in an electronic system, but the HIPAA requirement of an accounting is nothing like an audit trail, absolutely nothing like an audit trail. The accounting is an explanation of the legal requirements governing each information disclosure. It is the who, the what, the why, the when and under what legal authority every single disclosure to one of these third parties was made.

No system can be programmed to automatically record these judgments. The time of the care givers who actually call the social worker who actually talk to the health department or who dealt with the sample requester from the public health department or from the CDC, those people’s time is required to create the record required to provide the documentation to an individual patient.

Under the federal regulation this won’t be a simple electronic audit trail. In a regional health care information system where health authorities are lawfully given access to records through a centralized governance structure it would be impossible for individual hospitals, doctors, labs, pharmacies and payers to enforce their own institutional policies to make the records required for the documentation to provide such an accounting to individual patients.

This is one very important piece of the current privacy rule that will have to be fixed in order to allow for a well-functioning electronic health information structure.

The second thing we learned is that criminal penalties are a really great magnet for attracting the attention of in-house compliance personnel and that when in-house compliance personnel start making interpretations of federal and state requirements in order to prevent violations those interpretations are not always well received by patients and their family members and by law enforcement officials and newspapers and public health authorities who on a day-to-day basis interact with hospitals, facilities and doctors. The potential liability and risk to reputation from a criminal prosecution and the possible loss of federal program participation necessitates that an entirely different calculus be applied when making these interpretations. Decisions about health information can no longer be made on a subjective judgment about what is in the best interests of the patient or even on the basis of what is in the best interests of the health care system.

Rather a responsible facility, a responsible entity has to make decisions based on what its compliance program requires in order to minimize the risk and to establish responsible approaches for complying with the law and protecting institutions, patients and others from unnecessary risk and perhaps the most important thing we have learned in implementing the HIPAA privacy and security requirements is that the new federal floor for privacy protections does not yet provide the uniformity and predictability that was one of the biggest hopes of its proponents.

To a large extent this is because the federal standards were sort of grafted onto the existing patchwork of state, federal and local laws and the accreditation requirements and standards and customs and licensing requirements that were already there, already in place.

In effect, the new federal system overlays and trickles down through and around the practices and customs and requirements that are already imposed under local law and accreditation and licensing requirements.

Grudgingly I think just about everybody would agree now that we are a couple of years into its implementation that focused attention on systemic and systematic procedures for dealing with privacy rights and confidentiality protections has been mostly a good thing but we are not really that much farther along or that much closer to having a uniform predictable system to provide that foundation that is going to be key for having a national health information infrastructure.

In fact, there is some risk in this area because as political factions shop for new forums to deal with problems or issues that they have with existing standards and with the federal solutions that have been offered t creating new standards state legislatures are very, very attractive targets.

The state legislatures that seek to help, quote, improve on the federal standard that someone doesn’t like actually create greater problems with complying when we are talking about an interstate or a multi-state situation.

As a result we have a very unsystematic thicket of laws and even if this unsystematic thicket permits the building of a health information infrastructure use of such a system is going to be difficult if not impossible from a legal point of view for facilities and payers that must comply with federal and local laws as well.

As this thicket keeps growing more dense providers and payers end up weaving the new requirements of licensure boards and of state laws into the compliance programs that they put in place for complying with HIPAA.

In effect whether or not it makes sense to do so a local law or a state law which may not have a criminal penalty associated with it gets elevated to the same standard as the HIPAA requirements because as an institutional matter you have to have one compliance program. It has to be woven together so that your personnel know what they are doing and when and how they are doing it.

As a result some of these requirements that look harmless on a local level actually become quite significant and quite imposing when woven into the HIPAA framework for compliance individuals have.

I will leave it to other people to talk to you about the cost and the impossibility of the HIPAA preemption analysis. We have seen an awful lot of work on that, but I have got to tell you that as a practical matter the preemption analysis is only useful if I am in anticipation of litigation. Most of the health care community tries to comply with laws. They don’t simply hire lawyers in order to figure out which laws need to be complied with. So, on a day-to-day basis preemption, preemption analyses are not all that useful for facilities and for physicians who are trying to comply with the law.

I want to say that our national health care system can no longer beguile itself with the myth that quality care involves only one doctor and one patient alone in a room where confessions are made and promises are kept.

This is one piece of the puzzle and in some segments of our health care community such as in psychiatry the relationship, this one-to-one relationship is absolutely key to the therapeutic process, but it is foolish to take the one-to-one relationship, the one-to-one therapeutic encounter and use it as a metaphor for deriving a system of laws to govern modern health care.

Modern health care occurs in a system of hospitals, of specialists, labs, pharmacies and payers. This system undoubtedly involves communication and commerce that crosses state lines.

A visit with a physician may be the point of entry into the system for a given episode of illness but it contorts the process and potentially undermines the quality of care to prevent that an institution can be reduced to a personification of the secret protecting family doctor.

What is required to keep the patient’s trust that information is being securely and appropriately used is a set of standards that apply no matter what state the patient resides in, no matter what states the provider is licensed in, no matter what state the payer is licensed in and no matter where the regional health information system is located.

By definition a national or regional health information infrastructure will have to have a single predictable set of standards to enable national health information, to enable providers and payers to rely on the information that it presents. No matter how much money we invest in such an infrastructure and no matter how much it could improve the quality of care and the efficiency of our health care transactions it can’t be used by providers and payers who have to comply with local laws, and if they do decide to use the infrastructure on a piecemeal basis only with respect to specific medical facts and episodes of care that are permissible under a specific state law over the long term it won’t be worth our investment in the infrastructure.

A provider looking at a clinical record accessed through the regional health information infrastructure must be able to trust the accuracy, integrity and completeness of the information if it is to inform diagnosis and provide a basis for recommending a course of treatment.

Finding the right standard to deliver health care with a reasonable expectation of privacy is integral to the success of this venture that we are on. If patients and providers are not confident that the standards protect the privacy of the patient-provider relationship they will not use the system.

They will be like the old timers who when faced with modern banking just decided to pay cash and avoid the banking system altogether. So, in sum, there are three issues that must be addressed in this privacy space in order to ensure that the current push for a national or regional health information infrastructure is not just another expensive boondoggle.

The first is preemption. We must have a uniform trustworthy national standard for safeguarding the confidentiality of health information. The second is this troublesome little thing, the accounting of disclosures. The requirement that each provider and payer provide each patient with an accounting explaining the legal basis for third-party disclosures must be lifted. This must be transformed and the third is liability issues. We can’t hold an individual provider at risk under applicable state and federal laws for the actions taken by those who are responsible for operating the regional or national infrastructure. We have seen what happens when the risks are too high.

I really appreciate your time. Thank you very much and I would be happy to address any questions.

DR. ROTHSTEIN: Thank you very much. I am confident that we will have questions for you at the conclusion of this panel and we would like to ask Ms. Grealy to proceed.

MS. GREALY: Chairman Rothstein and members of the Subcommittee, on behalf of the members of the HealthCare Leadership Council and the Confidentiality Coalition I would like to thank you for this opportunity to share our perspectives on the relationship between patient privacy protections and the development of health care information technology.

First, a note of introduction regarding the viewpoints and experience we bring to this important issue. The HealthCare Leadership Council is comprised of chief executive officers of many of America’s leading health care companies and institutions. Our members include hospitals, health plans, academic medical centers, pharmaceutical companies, medical device manufacturers, pharmacies, in fact virtually every sector of health care.

So, we are a little out of place on this panel because we are broader than just institutions. Fostering innovation and constantly improving the affordability and the quality of American health care are the goals that unite our membership.

In 1996, HLC began chairing the Confidentiality Coalition. It is a broad-based group of over 100 health care and employer organizations that support workable national uniform privacy standards. The Confidentiality Coalition worked with members of Congress and the Administration to develop a privacy rule that would strike the appropriate balance between protecting the sanctity of a patient’s medical information while at the same time ensuring that necessary information is available for promoting quality health care and also for conducting vital medical research.

We sought a privacy rule that would create effective confidentiality safeguards but that would not unduly burden providers and patients with unnecessary paperwork or delays in their treatment.

We believe that the HIPAA privacy rule to a great extent achieved this balance and has increased consumer confidence about the privacy of their medical records and has also allowed providers to meet the dual goals of privacy protection and the delivery of cost-effective quality health care.

Both the HLC and the Confidentiality Coalition enthusiastically support the efforts of the Office of the National Coordinator of Health Information Technology to create a national health information infrastructure. We believe that an interoperable health information system will improve the quality of health care as well as the cost effectiveness of American health care.

In our extensive experience working with the HIPAA patient privacy regulations we have also come to the conclusion that there are several areas in which HIPAA will significantly impede the development and establishment of a national health information network.

I would like to touch on just a few of those this afternoon. Our first concern regards as Donna has pointed out state laws or more specifically the extraordinary difficulty in trying to navigate a confusing maze of state laws, rules and regulations.

The HIPAA privacy rule does not supersede state laws that are contrary to or more stringent than the federal privacy standard.

State health privacy protections vary widely and they can be found in a state’s health code as well as laws governing criminal procedure, social welfare, domestic relations, human resources, revenue and taxation just to name a few. Thus, any multi-state entity must do an analysis of the applicable privacy laws for each jurisdiction in which they operate.

Now, the HealthCare Leadership Council has tried to address this difficult compliance challenge by commissioning a multi-jurisdiction study of state privacy laws, case law and regulations that analyzes the relationship between the federal privacy rule and state laws. The initial study cost $1 million and the annual updates cost about $100,000. That is each year.

Now, clearly many organizations do not have the resources to conduct this research and let us navigate the sea of privacy laws on their own. Unless this situation is changed it makes a national health information technology network potentially impossible to achieve.

Making information available through a national electronic infrastructure could require participating entities to comply with a range of different state laws every time they disclose information.

This would be a compelling disincentive for participation. To be absolutely clear it is difficult to see how a national health information network can be viable unless we have federal preemption provisions that go further toward eliminating this great state variation in privacy standards.

Those state variations undermine interoperability and widespread participation in an electronic health information network.

Second, we must also address the HIPAA provisions regarding the accounting of disclosures of protected health information. Currently under HIPAA covered entities must track, record and keep documentation on such disclosures for 6 years.

Although some disclosures such as those made for the purpose of treatment, payment and health care operations are exempt from the rule’s accounting for disclosures requirement there are a substantial number of disclosures that must be tracked including numerous disclosures to public health and state entities that are required by law.

The organizations that we represent know from firsthand experience that this requirement is imposing undue administrative costs and erecting barriers to quality health care without significantly enhancing privacy protections.

A Government Accountability Office report has echoed the same viewpoint. Now, these burdens will grow more complex and potentially more costly when considered in the context of a national health information network. This creates another disincentive to participation and must be considered in determining how to create a nationwide interoperable system, and third, we believe that HIPAA privacy rule’s minimum necessary standard may also be unworkable in the context of a national electronic network.

The privacy rule states that covered entities in disclosing or requesting protected health information must make reasonable efforts to limit the information to the minimum necessary amount needed to accomplish the intended purpose.

This requirement has created legal uncertainties and has led to defensive information practices that have had the effect of restricting the appropriate sharing of information within the health care system.

Health plans for example have had difficulty receiving the information that is needed to perform quality assessment and improvement programs as well as disease management functions.

Anecdotally I have heard of many instances that were due to what I would call hypercompliance with the HIPAA privacy rule.

Health professionals have had difficulty getting information from other health professionals that they need to provide necessary medical treatment.

In the context of a national health information network this rule presents us with conflicting goals. The Office of the National Coordinator has said that interoperability is necessary for compiling the complete experience of a patient’s care and for ensuring that complete health information is available to clinicians. Yet these goals cannot be fully met if a physician is required to adhere to a minimum necessary standard that unduly constricts the flow of information.

Consideration should be given to eliminating the standard or at a minimum creating safe harbors for the transmission of health information through a national or regional network.

Let me touch just briefly on two other areas of importance, relating to research and patient consent. In terms of research the Office of the National Coordinator clearly envisions that research will be crucial to achieving the key objectives of a national health information network.

As noted in a report from the Office of the National Coordinator eventually an interoperable network of electronic health records would be able to accelerate the translation of research into practice by tapping into national databases of clinical decision support and delivering the latest clinical knowledge to clinicians at the point of care.

We are concerned though that this goal will be difficult to meet under the HIPAA provisions that in some instances inappropriately restrict access to health information for legitimate and necessary health research.

One specific obstacle concerns HIPAA’s prohibition against individuals granting authorization to use their health data in unspecified future studies even though this has been permissible for decades under the common rule that has governed medical research involving human subjects.

The privacy rule needs to be modified for consistency in this area or this will have a significant impact on the ability of a national health information network to achieve its critical goals.

Lastly on the important issue of consent, there was a lengthy national debate during the promulgation of the HIPAA privacy rule on the subject of whether providers and payers should have to obtain prior written consent to use personally identifiable medical information for treatment, payment and health care operations.

This requirement of a prior written authorization was rejected because it became quickly apparent that it would seriously delay and disrupt patient care. The privacy rule does prohibit disclosing identifiable health information for any other purpose unless the patient does provide that specific prior written authorization. It is highly likely that some would see the advent of a national health information network as an opportunity to re-open this issue.

Some advocate that patients must have complete control over their own electronic health record deciding who can access what information for which reasons.

However, if the NHIN is to be utilized as part of care delivery patients simply must not be able to selectively withhold information that may be relevant for treatment purposes. Should this occur providers would be unable to rely on the NHIN as a tool for diagnosis and treatment as it may or may not include the facts that are necessary for the delivery of quality medical care.

In addition providers are very concerned about the liability that might result from their reliance on incomplete information. We cannot stress strongly enough that just as patients must have confidence that their information is protected providers must also have confidence in the data provided through an electronic network in order to ensure the utilization of such a system.

In considering the area of patient consent we urge the Subcommittee to carefully consider the ramifications for health care delivery and public health in its decisions.

Mr. Chairman, as I said at the outset of my testimony the Healthcare Leadership Council and the Confidentiality Coalition support the establishment of a meaningful and interoperable health information network and we look forward to working with this Subcommittee and with the Office of the National Coordinator to overcome any challenges that stand in the way of this goal.

One thing that is quite clear and especially from the testimony that I heard this morning that we must do a much better job of educating the public. We need to educate them as to why we need this information, to provide them the best quality health care both now as well as in the future and more importantly we have to let them know how this information is going to be protected, how we are going to assure their privacy, how we are going to assure the security and then finally we also have to make clear to them that this information is not to be disclosed for anything other than treatment purposes, payment and health care operations. It is not to be disclosed to their employer. It is not to be disclosed to their neighbors. It is not to be disclosed to the newspapers and that there are very strong penalties in place that will be applied if this does occur.

I look forward to working with you and welcome any questions you might have.

Thank you.

DR. ROTHSTEIN: Thank you very much and again, you can count on questions.

The third member of our panel is Donna Maassen.

MS. MAASSEN: Thank you very much. I am Donna Maassen. I am the Compliance Manager and the Privacy and Security Officer for Extendicare Health Services. We are a long-term care provider. We have just over 400 nursing homes, assisted living facilities, rehab centers in about 20 different states. I am here today representing the American Health Care Association and the National Center for Assisted Living, NCAL.

The American Health Care Association and the National Center for Assisted Living is the nation’s leading long-term care organization. AHC and NCAL and their membership are committed to performance excellence and quality first, a covenant for healthy, affordable and ethical long-term care.

We represent more than 10,000 non-profit and proprietary facilities nationwide dedicated to continuous improvement in the delivery of professional and compassionate care provided daily to more than 1.5 million of our nation’s frail elderly and disabled citizens who live in nursing facilities, assisted living residences, post-acute centers and homes for persons with mental retardation and developmental disabilities.

On behalf of AHC and NCAL I would like to thank you for giving us the opportunity to discuss long-term care and the future of the National Health Information Network and an electronic medical record.

When we sat down and looked at our testimony for today we felt there were really four areas that we needed to discuss. The first is to describe the current status of health information technology in long-term care.

The second is the benefit that would be achieved by including long-term care in the electronic health information exchange initiatives.

The third are the impediments and the potential motivators to help expand health information technology adoption within the long-term care industry and the fourth are the specific concerns that we have regarding the impact of health information technology on the security, the privacy and the confidentiality of our patients’ protected health information.

I would like to start by giving you a perception of our current state of long-term care and technology. Many people perceive that in the long-term care industry we are 8 to 10 years away from adopting an electronic health record. That is really not the reality. The reality is that long-term care providers both the large national chains like myself as well as the independent owners are already looking at an electronic health record as a short-term goal. Right now there are over 16,000 Medicare and Medicaid certified nursing facilities who have to routinely submit their minimum data set electronically in order to comply with the state and federal requirements for certification.

CMS is right now actively engaged in looking at efforts to enable the automatic population of the MDS information from an electronic health record. Beyond just the MDS and the electronic submission nursing homes today and assisted living facilities also use technology to create billings, to generate patient assessments and progress, to look at care planning and even to generate electronic physician orders.

Nursing homes not only use software packages today, we are finally actually adding some new devices into our technology. We use Palm Pilots and touchpads today to document activities of our direct care staff. We, also, have tablet PCs on the medication carts to document and record the administration of medications.

So, we do have some technology stars in long-term care, and we certainly have a lot of people who are very excited about the efficiencies and the opportunities that the electronic health record provide us.

Unfortunately though predominantly we still have a paper-based health information process. Typically when a patient comes into a nursing facility today on the day of admission they come to us before their medical record gets there. What does that mean? That means that in some cases when we have to conduct a comprehensive assessment we don’t have all the information and it will impact potentially our care planning and the quality of care initially.

Paper records for an elderly person are typically very large and they expand over a great period of time. So, there are many gaps in the information that we receive and because of their size and because of the length of stay many of our patients have in long-term care their medical record becomes very voluminous over the time of stay. So, what happens typically with the paper-based record is that the information in the chart has to be parsed. It has to be split. So, the most current information, the information that needs to be used on a day-to-day basis is left in the medical record at the nurses’ station and the rest of the chart is then pulled out and moved into a locked file cabinet or put in archives for storage.

So, I think you can see that long-term care providers and professionals are probably very frustrated with this current process. It is unwieldy. It is insufficient, and it is very difficult to use.

So, as we move towards an electronic health record there are interoperable opportunities within networks that will greatly impact patient care and the quality.

We believe one of the key factors to the success of the national health information network will be the inclusion and the definition of all components in the spectrum of care. During the length of stay at a nursing facility a patient sees not only the staff within our nursing facility but they interact with multiple physicians and many ancillary providers such as pharmacies, labs and x-ray providers.

For example, at Extendicare we have just over 150 nursing facilities and we have over 5200 physicians that we work with on a daily basis.

If you look at a 100-bed typical average extended care facility who coordinates care and treatment with approximately 35 physicians every day that is not to mention the fact that we have a relationship with each hospital in our community for potential admissions and discharges as well as the multiple outpatient services I discussed previously, the pharmacies, the labs, the x-ray providers as well as dialysis centers.

The sharing of health information between these providers is critical to the effective care delivery for our patients. In a document dated January 13, 2005, provided by Kathleen Fyffe titled The Nationwide System of Electronic Health Records Overview states, and I quote, the HHS framework calls for an interoperable infrastructure or national health information network which will allow for the secure movement of health information so that the adoption and use of EHRs will realize their full benefits.

Interoperable health records will allow patient information to be portable and to move with consumers from one point of care to another.

Indeed, non-interoperable EHRs could actually impede access and harm care by protecting information silos and proprietary control over populations to limit mobility of patients. We believe that this statement clearly shows the intent of HHS is to ensure quality of care by setting standards of information sharing among all providers. AHCA and NCAL strongly urge the Office of the National Coordinator of Health Information Technology or ONCHIT to include the electronic information needs of the long-term care providers in all of its efforts to address information technology and network connectivity.

In January 2005, this year, the keynote at the HIMSS annual conference Dr. Brailer addressed the group and highlighted some benefits of health IT adoption such as improved care, reduced wasteful and redundant treatments and the prevention of medical errors, but while he cited these very important benefits he cited them in the context of benefits to the hospitals and the physician practices.

AHCA and NCAL again feel strongly that these health IT initiatives and benefits should be accrued for all of the patients of long-term care as well as the patients of ambulatory and acute care populations.

We believe that these benefits should be in parallel. They shouldn’t be in a linear process that allows one industry to be ahead of another. It should be done in a parallel process.

So, as we look towards impediments and motivators of how we get to a national health information network we would like to cover a few issues. The first that we just discussed is the fact that I think you have seen there is technology in long-term care. We have to admit we are a little slower in advancing to some of this but sophisticated technology but that is because of the significant costs and as most of you are aware the reimbursement for long-term care is typically generated by government programs and barely covers the cost of providing the health care services.

So, as we look to invest our limited dollars that we have towards technology and the opportunities of an electronic health record we need to try to reduce that risk to ensure that the providers are appropriately investing those dollars.

One of the initiatives that we feel will help reduce our risk is the Certification Commission for Health Care Information Technology. By including the long-term care in their initiative we believe that that will help assure long-term care providers that their software selections that they are making in the near future will meet the minimum standards.

We, also, believe that this initiative will help our providers especially those smaller providers who don’t have the benefits of the IT departments by ensuring that the software again meets those needs and that the security requirements are embedded in these applications.

Long-term care providers clearly are committed to finding the necessary resources to ensure that they, too, can take advantage of the benefits of an electronic health record system. However, we believe that it will be critical for CMS to develop programs that will allow providers the opportunity to engage in these initiatives.

We believe that there need to be government subsidies that help fund the start-up expenses such as equipment and training and once the infrastructures are there we believe that there should be tax incentives to be made available to the providers who actually are purchasing the hardware, the software and investing the time and resources so that they can benefit from their time.

As we discuss the sharing of electronic information it is apparent that we need to define some data sets and the issues I am going to cover next have already been covered by both Donna and Mary and I think you will see the continuity between the three organizations.

The minimum necessary standard is clearly an issue for us and as Mary defined it it is simply stated making a professional judgment as to the least amount of information necessary to be disclosed to meet the original request. It sounds very simple but again it is the professional judgment factor that is being put into place and as Mary said all of our industries are affected by that.

In the nursing home industry we look with the hospitals at pre-admission and discharge and sharing of information between health care providers.

You can argue the fact that clearly the privacy rule doesn’t intend for us to limit information for the purposes of treatment. That is not the goal of the privacy rule but again as Mary mentioned the liability factor organizations have made their own decisions of what the definition of minimum necessary is and that causes all of us to be challenged with the rule and the rule of minimum necessary.

We believe there may be a way to assist with the minimum necessary issue and that is with the emerging standard called the continuity of care record. The continuity of care record and the purpose of that is that it provides a snippet of the full medical record. It provides information of the most recent patient provider encounter as opposed to just whatever the provider deems as minimum necessary. AHCA is a sponsor of the continuity of care record and is currently in the process of developing the data components that will be required for a patient being referred to a nursing facility or a patient being discharged from a facility be it back to the hospital, be it to assisted living facility or to home and needing some community-based services.

We believe the minimum necessary disclosure standard is a key component in the future success of the national health information network. The second area of the privacy rule is preemption and I think we have discussed that already twice but clearly it is a challenge for all of us.

In the nursing home industry we have significant issues with preemption as it relates to access and the fact that in some states there are proxy laws, in some states there are no proxy laws and in one state everyone may have access because of a particular proxy law and in another state if you haven’t identified a legal guardian no one has access to the information.

We believe that in order for the system to be successful the system has to be able to discriminate between a legal guardian and a responsible party and it has to be able to prevent inadvertent and inappropriate disclosures.

Extendicare and AHCA are part of something called the HIPAA Long Term Care Consortium. It is a group of professionals of about 30 organizations that have been working together for about the last 4 years, and one of the things that we have been doing is in conjunction with the Health Care Leadership Council is trying to identify preemption and state laws. We, too, participated in the $1 million initiative. We have taken the data that came out from that document and we have spent hundreds and hundreds of man hours trying to identify long-term care specific state laws and create a tool that we could give back to the long-term care providers and say that this is for your state; this is how the law should be applied. We can’t do it. We have spent 3 years trying to meet that need and still today we do not have a document that is usable by our members of the long-term care committee.

One of the ways that we feel that may be a way to meet the requirement of preemption or make it less of a barrier is looking to the regional health information organizations, the RHIOs and asking the RHIOs to take accountability for identifying what is an appropriate disclosure, what are the appropriate access levels in your area and then letting them feed the national level for disclosures.

We make that recommendation with a slight asterisk. We make that recommendation with an understanding that the long-term care facilities would be included in the RHIOs and that is not the case in most situations today.

The final area of HIPAA that I would like to just briefly discuss is the security rule. As we know the security rule was written with scalability and flexibility as key components. However, it is very difficult for providers to identify what the minimum requirements are for a secure environment.

We believe that it is essential to the success of the national health information network that the minimum security requirements be delineated.

Patients expect us to protect their health information in all situations, be it at rest, be it in transport. Security will be the cornerstone to patient confidence and comfort in this new environment.

In the past CMS and OCR have indicated that they would provide guidance and assist providers in clarification of confusing or unclear issues and they have done that but there is still confusion I believe in individual industry sectors. Again, the long-term care consortium was put together to try to clear up some of those ambiguities in the rule.

We have met and produced many products for privacy and security that are now available for all long-term care providers on the AHCA web site to try to put clarity to some of these confusing issues. That is okay for today. I believe that is a reasonable progress. However, I don’t believe that it will be a reasonable process for tomorrow. I believe that defined security protocols will be a requirement not only by our patients but by us as providers.

As the security officer and the privacy officer I know I won’t allow our patient health information to be transmitted electronically without security minimums being defined and having an ability to ensure that those minimums are being met.

So, to conclude I would like to share that we are committed as a long-term care industry to these initiatives.

I hope that I have been able to show you that currently in long-term care we do use technology. We are poised to embrace an expanded role of technology.

We believe that the long-term care industry has significant contributions to make towards electronic health information exchange initiatives. Clearly we are all faced with fiscal and human resource impediments and we would embrace motivators to expand health IT adoption and lastly we have identified some specific concerns regarding privacy, confidentiality and security. We believe all of these do have answers.

AHCA and NCAL strongly support the National Health Information Network and the electronic health record and wishes to play an active role in the definition and development of both of these initiatives.

On behalf of both organizations thank you very much for the opportunity to provide input on these very important national initiatives.

DR. ROTHSTEIN: Thank you very much and once again thank you to all the members of the panel and I think you have raised very sort of fundamental questions that we are wrestling with in terms of national health information technology.

Let me ask you the first question and that deals with a point that was raised by Dr. Boswell in her testimony and touched on by all of you. It seems to me that whether unintentionally or indirectly or inadvertently our paper-based, our largely paper-based health care system which can be attacked for being inefficient and everything else one of the perhaps unintended consequences is that it does an excellent job of protecting privacy because nobody can find anything of any value. My pediatrician is long dead. My records if they exist and they probably don’t are in some moldy box somewhere and could probably not be found if we wanted it. The same thing could be true for all of my medical records probably until the last 20 years and it is only the last 5 years of my medical records that I have any confidence that exist in any form that anybody could use them in and so I think many people and certainly this was the testimony that we heard last month are troubled by going to a very efficient longitudinal system where cradle-to-grave medical records would be accessible by any health care provider without any restrictions whatsoever and even though it may improve efficiency and it may improve quality people are concerned and we have heard this repeatedly if they don’t have any control of the contents to some degree. We don’t know what that is yet and so one of the points that you made and I would like to start with you is that providers want and arguably are insisting on a complete medical record and I am wondering what your positions would be on some degree of patient control over information.

Now, it could be a 20-year statute of limitations. It could be a code by code carve out, a specialty carve out, you know any way you want to look at it but some degree of patient control over the content.

DR. BOSWELL: If I can start with one thing I thought about the silos and the boxes by the way and I have thought about it from the following point of view. I think that this goes to the question of public education and public understanding of how the health information is used by providers in our health care system because we take it as fact that that box of musty records from your long-dead pediatrician are more confidential than the information in a system but actually it is probably more likely that your privacy has been violated because somebody shuffled through that musty box somewhere. You just don’t know about it, and it is sort of illusory that our paper record system does a good job at protecting privacy and what from an educational point of view we need to be focusing on is the fact that those records are not available to the physician who treated you as an adolescent is probably more harmful to you than the illusion of privacy created by the fact that they are in a box somewhere does you good.

The importance of a provider having complete access to diagnostic information, prior episodes of care that might be related to some quirky ailment that you have now developed, that is what we are talking about here. We are talking about trying to make sure that health information is not just something that exists on a piece of paper but that exists for the purpose of ensuring that we deliver quality care and the control or lack thereof, I mean I don’t have any control over what happened to my pediatrician’s records. I have no idea what happened to them when he died.

It is illusory. There is no control there.

DR. ROTHSTEIN: The control is that they don’t exist anymore.

DR. BOSWELL: No, no, no, they do exist. They are in somebody’s attic somewhere. We don’t know that someone made for transition planning to actually destroy the things. As a matter of fact some of the biggest examples of problems have to do when a physician dies and nobody made provision for the appropriate disposal of records.

They end up in somebody else’s hands. I don’t have control over that.

DR. ROTHSTEIN: Let me interrupt you for a second. If I want to move tomorrow from Louisville to Seattle or to Hawaii or some other place I can pretty much start over with my medical record as a blank sheet of paper and that may be a mistake on my part but I start with a new set of providers and I am a blank sheet of paper. That is not going to be possible anymore if it is mandatory inclusion of an interoperable access from any place in the country.

DR. BOSWELL: But now you are talking about controlling your medical care and what your doctor knows about you. You are not talking about privacy because those records that you created when you lived in Louisville are still going to be there, right?

DR. ROTHSTEIN: I am talking about privacy. I am not talking about security.

DR. BOSWELL: They will still be there but you are saying you want to tell the doctor, “Please do surgery on me but I don’t want you to look at me. I don’t want you to see things about me before you render this care.”

I find that very troubling. I think in our age we are not doing episode-based care. We are talking about treating the whole person from a genetic physiognomic core. We are talking about trying to really get at the basis of where the disease process comes from, and it is not going to be prudent. It is not even going to be acceptable standard of quality care to say, “I don’t want to tell you anything about my past. Let us start from now. Here are the symptoms I have today. Don’t ask me any medical history questions.”

DR. ROTHSTEIN: But isn’t patient autonomy the right of the patient to make decisions that other people may disagree with, that may not be objectively valuable, that the right of privacy is the right for the individual to decide what information they want to share, and it may be a mistake, right?

DR. BOSWELL: And at some point I think you will come up against whether or not the physician is willing to accept the risk of practicing in a vacuum.


DR. BOSWELL: So, I don’t see that really as a can privacy be protected issue. It is a can a person who is so unwilling to trust a physician obtain state-of-the-art care.

DR. ROTHSTEIN: Let me just finish this. It is not a matter of trust. There are things that physicians do not need to know. I mean there is an underlying assumption that medical records somehow today contain all accurate information and that by limiting it in the future if we go to an electronic system we are going to have some of this great stuff is going to be lost. Medical records today as you all know consist of a lot of garbage. We are dependent on faulty memories, errors that are never corrected. Whether it is accurate or not is questionable. I have told this story before but it is very important.

I have gone to many pain clinics over the years because I have a back problem, and the first thing that they want to know at a new pain clinic is whether I am depressed because it is a cofactor for pain and they will either orally or through a questionnaire ask me a whole standard set of questions to see whether I am depressed and they will ask if I have any financial problems and how my sex life is, whether I get along with my boss and a variety of things and I routinely refuse to answer those questions because they are irrelevant in my judgment because I have disk problems and not emotional problems, well, maybe in addition to emotional problems and it is the doctor’s decision whether at that point knowing that I am wanting to withhold certain information out of a sense of privacy whether the doctor wants to treat me given that and I think that should be the right of the patient and right of the doctor. The doctor should say, “Look, I can’t treat you not knowing what meds you are taking.” I would never withhold that, but no doctor has ever decided not to treat me. Shouldn’t that be left up to the individuals and not if I at one time in my past told my primary care doc that I am thinking of leaving my wife, disowning my children, quitting my job and —

DR. BOSWELL: We are talking about what should be and should not be in the medical record. I mean we already have provision in HIPAA for certain kinds of information to not be a part of the information that is in the record.

DR. ROTHSTEIN: I am not talking about psychotherapy.

DR. BOSWELL: Exactly but if we have an accurate medical history the medical history kinds of questions that are being asked there may not be relevant things to be in the record for passing along. They may be part of a therapeutic encounter. I mean I think a part of the things that we are talking about in trying to come up with uniform standards for operating a shared health information system is to try to define what goes in there. Not just every piece of paper —

DR. ROTHSTEIN: Just to be clear and I will ask each of you, it is AHA’s position that you would not support any sort of carve out?

DR. BOSWELL: I don’t believe that that is an AHA position. AHA has not a position on this. I am speaking to you as a health care lawyer.

DR. ROTHSTEIN: But AHA does not have a position. What about your groups on the carve out?

MS. GREALY: I would underscore a lot of what Donna said, you know, about what is the real security of paper records, and I think we can make a strong argument that your electronic records can be encrypted and made much more secure than those paper files sitting somewhere that may not be secure.

When we talk about patients wanting control over their information I think the real concern is having control over making sure it is not inappropriately disclosed and that that is again I think what the public education needs to involve.

Again, why do providers want this information? We need to be able to make the case to patients, to the public that it is important to have that information to make sure that you are getting the best treatment and you know you may be making an appropriate judgment as to what you want to withhold but can we really rely on every patient to make the right decision as to what they selectively share or don’t share and not just looking with that particular patient but I think we also need to take the larger view of what are we doing in terms of research; what are we doing in terms of public health; what is it that we need to know?

Now we need to have protections as to who accesses that information and how they access it and what as Donna said information is available and that is what this debate, discussion really should be about; how do we develop, and what are those appropriate standards for the information that goes into the medical record that is shared?

DR. ROTHSTEIN: Is this your personal position or is this your organizational position?

MS. GREALY: As I look at how we have testified and what we said I think we have been pretty clear that we feel that there should be —

DR. ROTHSTEIN: So, you are —

MS. GREALY: — pretty comprehensive sharing.

DR. ROTHSTEIN: Okay, and Ms. Maassen?

MS. MAASSEN: I can’t speak on behalf of AHCA but I can speak to our relationship within a nursing facility. If we limit the information and allow our patients to decide if Dr. A and Dr. B and Dr. C are going to be able to share their information we would have to be very challenged to meet the full requirement and the breadth of a patient within a nursing facility and I think we would also compound the difficulty we already have today with the simple fact that many of our patients don’t have the capability to make that cognitive choice in long-term care.

So, I can’t speak for AHCA. I don’t know the position of AHCA. I would anticipate that that would be something that we would not support.

DR. ROTHSTEIN: With the indulgence of my colleagues I just want to follow up one last thing. That is I want to comment on a statement that Ms. Grealy made twice which I don’t think is correct and that is you expressed a great deal of confidence in health care providers to not share information with third parties, employers, insurers, mortgage companies, etc. That is and I would agree there are ways to prevent the unauthorized disclosure of that information to these third parties but the fact of the matter is that people are concerned about the compelled authorized disclosure of that information. So, if I want a job in 48 out of the 50 states I can be required to sign an authorization as a condition of employment releasing all of my medical records to my employer and if I want a life insurance policy or a disability insurance policy or a long-term care insurance policy or a variety of other things third parties can lawfully demand that I sign this.

Each year in the United States by my conservative estimate there are 20 million compelled authorizations for the release of medical information that people have to sign or they don’t have a chance to do X, Y or Z. So, I am not concerned that through either negligence or maliciousness someone within a health care organization is going to be releasing medical records. It is that medical records are going to be released because they are pursuant to a lawful but compelled authorization and that is why people are reluctant to have their most sensitive information in files that are very broadly accessible.

MS. GREALY: I think that is a somewhat separate issue and you are talking about where it is done with your authorization and in instances —

DR. ROTHSTEIN: I am explaining why people are sort of nervous about having such comprehensive records located in one place that can —

MS. GREALY: Yes, I am struggling with the difference between you know we are talking about an electronic health record that information is now available in a paper record.

DR. ROTHSTEIN: Exactly but the fact that my paper records are stored in 20 different places makes it much more difficult to accomplish even though they could say, “I want an authorization from each of your 20 providers.”

MS. GREALY: Exactly. So, I mean if one wanted to one could access, have a requirement for every physician you ever had been treated by you must give us the authorization to access those records.

I still view that as a different issue. I think what you are really talking about is should life insurance companies be able to demand that authorization; should an employer be able to demand that authorization? I think that is completely separate than the issue that we are dealing with here today and how can we make sure we have an interoperable health information network that will improve the quality and the efficiency of care and sort of going back to what you were talking about where these records are scattered in very different places we have a lot of medical errors in the system today.

One of the goals of the system is how can we more comprehensively improve the quality and the efficiency of care. It is a huge challenge and it is one that we need to address and this is going to be a very significant tool in getting us down that road which is why we are arguing for not having too many barriers to achieving that goal.

DR. ROTHSTEIN: Thank you and now for my colleagues. I am sorry to ask so many questions. You may have detected that for the last several years I feel strongly about this issue.

DR. COHN: I am not sure if I want to ask questions from the fascinating panelists or our chair. Maybe I will confine my comments and questions to our panelists. I think it has been a very useful panel.

I actually maybe have a slightly different view on some of these things and a couple of different questions and it really falls into I think the issue of minimum necessary which I heard a couple of you bring up as a concept that might not be very applicable in the age of the NHII and so I wanted to understand that a little better.

I mean my understanding and I was actually conferring with one of my colleagues, a lawyer to my left as opposed to a lawyer to my right about being reminded about exactly how this plays out and at least my understanding has always been that in the case of treatment payment, health care operations the sort of definition of minimum necessary relates to the person asking for the information and that generally the person providing the information can rely on the nature of the request. Am I misunderstanding? It gets down to your issue obviously.

MS. MAASSEN: There is a difference. The law says, “For the disclosure of protected health information between health care providers for the provision of treatment and continuation of care.” The person who is providing the information can rely on the fact that the minimum necessary information has been requested. That is for treatment and that is between two health care providers.

DR. COHN: Okay, I think that is what I —

MS. MAASSEN: That is where the reliance can come into play. For payment you still need to apply minimum necessary. It is a concept of what information is going to be disclosed. The person that is providing the information does have to apply minimum necessary.

DR. COHN: Okay. I am sorry but I think what I was hearing or I thought from a couple of you was issues relating to the treatment process about, and I mean I think you talked about the CCR record as being a key way for us to enforce minimum necessary or come to agreement on minimum necessary and I don’t know that minimum necessary is the wrong concept still. I think it is the wrong concept for our Chair’s comments about concerns if we use information being looked at knowing that even though I tend to think there is a time value to information and I would certainly agree that most of my data from 30 or 40 years ago may not be of so much value generally one might sort of say, “Gee, my provider will decide what data he or she needs to look at to help inform them and that is sort of the concept of, you know, that is actually doing the concept of minimum necessary.”

So, if indeed it is not a provider issue explain to me what the issue is then in the new world with minimum necessary.

MS. MAASSEN: I think minimum necessary is an issue and I think what we, certainly the position that we have taken isn’t that minimum necessary isn’t an issue; what we are saying is let us define what minimum necessary is for certain types of disclosures. For example, the disclosure between a hospital and a nursing home in a pre-admission situation where we have made a decision and the patient has made a decision that they are going to come to our nursing home let us decide what are the data requirements for that transaction. How much information is the hospital going to share with us for every single time that a patient moves from a hospital to a nursing home not leaving it to the discretion each and every time for the hospital to decide today we want to give you Mr. Nursing Home this much information and tomorrow we will give a different nursing home a different set of information. It is trying to streamline the electronic exchange.

DR. COHN: When you have people that have severe and profound problems that need to be dealt with I would think it would be impossible for a nursing home to simply say that this is what I need every time. Just like a physician or anybody else has to treat that patient, it is, you know, that —

MS. MAASSEN: I think it is the minimum. I mean I think you can go through and you can identify core components. You are absolutely right. There is going to be in a situation additional information but I think the standards can be set but the diagnosis related to the most current, and we are only talking about initial admission information. There is going to be significantly more information that would come along.

DR. COHN: I guess what I am hearing from you is that you are not against minimum necessary. You just wanted to, I mean once again I think it is certainly a good, certainly developing good practices. Now, Mary, you also mentioned minimum necessary I believe in your testimony. I think that two of you did and I think, Mary you —

MS. GREALY: Yes, that was point No. 3. I think part of it, too, is again kind of this subjective analysis and I think to keep in mind every time we talk about compliance activities making that determination what is involved? Personnel are involved in doing that, time, cost, and it is a constant balancing act here that for all the time that is spent doing this and making that determination it is also time that is not spent on direct patient care. I mean resources are consumed in these compliance activities that can’t be used elsewhere and so I think that is part of the equation as well.

Also, I mentioned hypercompliance and I think that really is a problem we have run into where providers just aren’t sharing the information and citing HIPAA as a barrier.

Now, that may be misunderstanding on their part but the fact that we have this minimum necessary concept in there is something that raises that flag.

I have had social workers contact us about you know we need to get this information from physicians because our job is to be monitoring what is happening to a child in a particular family. So, we need to have that information and again they are just running into barriers trying to access that.

So, I think it does come back to the concept of how can we streamline these things, make it more workable and balance the need to protect privacy but also make sure we have the appropriate information, the full picture and then it is not overly burdensome.

DR. COHN: Okay, well, I guess my final comment and then I will give it to the next speaker is that I guess I mean I think we are all concerned about making things more workable in the health care system and I guess the only comment I would make is that as I hear people who have various solutions in the world if VNHII rather than the minimum necessary being unworkable it may be it will work moving forward in a reasonable fashion knowing that there are some things you can do that are best practices, some things that get down to individual clinical judgments and I was just observing as I see that in two of your documents as things that at least I read as unworkable and maybe this needs fine tuning rather than being thrown away. So, just a thought.

DR. ROTHSTEIN: Thank you. Dr. Harding?

DR. HARDING: Just kind of quick questions to all of you. We were talking about the burden of the counting of disclosures. I think several of you mentioned that. Give us, I mean should we recommend to the Secretary that public health mandated disclosures not be accounted for?

MS. GREALY: I would say strongly yes because I think that is something that can be dealt with in the privacy notice. It is expected that we are going to report births and deaths as required.

DR. HARDING: Would you take it any farther than that in the notice? I mean could you go farther than just the public health requirement to cut down on the burden?

DR. BOSWELL: Let me give you another example of a particularly burdensome one for accounting that is not just a public health, that sometimes comes up in a public health context but it also comes up in accreditation context where a state official is required to come in and conduct a survey, a random set of records that they pull and if it is an electronic-based system and they pull a sample of 100 records they are not pulling names, right, but they are pulling data which are protected health information. Often the facility or the payer won’t even have the right to know which records were pulled but the records were pulled and that fact has to be in the accounting of disclosures.

Now, the rule currently says that for every patient that is in my database at the time the records are pulled I have to put a note in that will be in their accounting that says that on so-and-so date for so-and-so purpose, under so-and-so provision of law records were pulled and yours may have been one of them.

It is not that I could prepare a list or put it in my notice that says that periodically the state department of blabitty blah comes in and pulls samples of records and evaluates the quality of care that we have rendered or evaluates the incidence of so-and-so disease in our population. It is that of the records in my database during the time of that survey which will be a different one every quarter when they come in. So, I have got to have a way if a patient from a given period was in the sample, I have got to have a way of annotating that set of patient’s records and not the others. I can’t just say to every single patient that has ever been to my hospital that they requested an accounting, “Your records sometimes in some place may have been pulled.” I have got to say, “In the first quarter of 1992, your records were in my database, and the department of blankety blank came in and pulled a sample of 6000 records and had a look and their law authorizing this is under law so-and-so.” Do you see where I am going? It is kind of dumb. The patient doesn’t want to know that, right? It is a little bit more information than is necessary to accomplish the purpose of saying, “These records are accessible to public health authorities for various different purposes.”

DR. ROTHSTEIN: May I just interject to comment that the Subcommittee already has identified the issue of accounting of disclosures as a topic that we are going to be taking up in the fall hearings.

DR. HARDING: The only other thing was in the issue of minimum necessary that we keep coming back to. I haven’t been in a fight about minimum necessary myself yet. Have you all and if so who determines what is minimum, the holder of the information or the requester or if there is a dispute how is that settled in your experience?

DR. BOSWELL: Disclosures are always permissive not required even for treatment purposes. So, if I hold the information and I am a hypercompliant person or I decide that the Chairman’s data are not appropriate for disclosure, any of them I —

DR. HARDING: And if that is disputed?

DR. BOSWELL: And if that is disputed by the patient the patient wins but if the other provider disputes it he has no cause to come after me.

DR. HARDING: And the same thing with insurance companies asking for information?

DR. BOSWELL: I may not get paid, but that is right. If I decide that I need to protect this record, for example, HIPAA requires me to, if I have promised a patient that I am not going to disclose this the patient has the right to ask me to protect information to a greater extent than is permitted under the rule and if I promise to protect that information or not to include that survey in my information that is disclosed for treatment purposes I am obliged under the penalty of law to respect that promise and nothing that the next treating physician says about asking for the information can compel me to disclose it. He has no rights to obtain the information.

MS. MAASSEN: The way we handle those situations in our organization, the issues that we have had typically what happens if one of my facilities has an issue it just goes to the privacy officer level. So, we speak privacy officer to privacy officer and go above the professional judgment and ask so that we can truly understand the interpretation of the law and Donna is absolutely right. The holder of that information absolutely wins out. We have that situation frequently.

DR. ROTHSTEIN: Mr. Houston?

MR. HOUSTON: I have a quasi comment slash question and I have another question. I am still I guess a little bit hung up on this idea that we are going to remove the whole concept of consent or not have the concept of consent. I know within HIPAA at least there is no obligation to get patient consent for purposes related to treatment.

Now, I happen to live in a state where consent is still required for any HIPAA disclosure outside of the covered entity. So between facilities we still need to get consent except in very limited cases and I guess I have always thought, envisioned that there is a workable model that could be put in place that could be done prospectively and I know, Donna your concern is that you know you said that the patient may or may not decide that they want to disclose information but I always thought there was a workable environment whereby you could have a master person index along with an authorization and authentication scheme which would allow the patient up front to decide what information he or she wants to make available and to whom and in what context.

For example, you know a patient is a registered part of an NHIN and they have psych data and they have MedSearch(?) data in there and they might decide that they don’t want to make any psych data available to anybody. So, as part of this NPI psych data would simply not be something that could be queried for of the entities that have data.

I guess the question is why isn’t that workable?

DR. BOSWELL: The question is what is psych data and if it is psychiatric notes, okay, I get it but if it is meds psych meds interact with just about every other type of med that might be prescribed and the kinds of decisions that I make if I am assuming there are no psych meds when I am looking at this patient, if I am entitled to presume as a care giver when I am looking at a record that this is all the information that is available about this person, I could very easily make a big problem as a dermatologist by not understanding that the medication I was getting ready to prescribe was going to have an adverse interaction with the very powerful psych med that the patient is on.

I mean I guess that is where it gets down to the question of what is in the record and who is going to be deciding what is available through this information infrastructure. If our goal is to improve the efficiency of care so that the provider and the accuracy of care, so that the provider has access to medically relevant facts I guess I don’t particularly see how we can let the patient decide what is medically relevant.

MR. HOUSTON: It is interesting that you say that because I had an opportunity to sit down and talk to David Brailer and this was probably 4, 5, 6 months ago one on one. We just sort of talked about issues and one of his biggest concerns is the public confidence in the system and the need for the controls and the need for things to be in place so that a patient feels comfortable that his or her records though they might be accessible there is a certain level of control and accountability that the patient can see and maybe what you say is, and tell me if this is a good fall back, this is part of the solution of the NPI that you say, “Okay, I am not going to get in the way of what is disclosed to whom, but we are going to every time a transaction takes place, we are going to capture that transaction so that the patient can go back and say that okay the psych data was released to Presbyterian Hospital or to Dr. Cohn,” and that way the patient if he or she desired could go online to see if it was there. I guess maybe that is a counter is that a good counterbalancing type of control or —

DR. BOSWELL: I mean it is certainly going to be the case that whatever the regional authority is that operates the infrastructure that they are going to have to be accountable for only the right people or authorized people accessing data and for some kind of credentialing of people. It is not like we want the system to be something where as was mentioned earlier any old provider can jump in and look just for their own prurient reasons but I don’t think it makes sense to have it be the case that a patient can decide what is medically relevant for a given episode of care.

It becomes quite problematic from a liability point of view unless we are going to give waivers of liability for malpractice for every physician that uses the system which we are not going to get, right, but if physician A has access to one set of facts when I go to see him for disease A and physician B has access to an entirely different set of facts when I go to see him for the same disease what are we doing? We are not making a system that will improve the quality and efficiency of care. We are just making a system that is going to cause havoc in our medical decision making.

MR. HOUSTON: I do have one other question. Donna, in your testimony you had spoken to the fact that you thought that there should be minimum security requirements or your organization did and being responsible for security in an extremely large organization and knowing that threats change and technologies change I am going to sort of challenge you and say, “It scares the living heck out of me to think that somebody is going to even give me a minimum requirement for security because if they get it wrong I am stuck trying to put a square peg into a round hole.”

MS. MAASSEN: I agree, I mean technology absolutely is changing every day but I think if you look today at the security rule and the addressable elements as opposed to the required elements and you try to look at audit trails even just addressing your question that you just asked about if we don’t have consent is it reasonable to have a log basically that says that every time there is a disclosure made the who and the when is an audit trail and basically that is what you are asking for, and if you look at the security rule today you can’t even define audit trail. You can’t even define the audit log. So, it is very difficult to define what should be kept in that information let alone the security that goes around it. Encryption isn’t a requirement in the security world of today. It is an addressable element not a required standard. So, in my opinion if you don’t have minimum requirements of how the data is going to exchange, minimum encryption requirements; is it 128; you know, what is the encryption requirement going to be, I feel a bit uncomfortable saying that it is okay to transmit protected health information through e-mail, but there is nothing in the security rule today that says we can’t do that. You might say that as a good standard of practice that that is not how we should be transmitting protected health information but the law doesn’t prevent me from doing that.

So, I agree with you that to set the standard of technology is slightly overstated but I do feel strongly that there have to be rules and regulations that say that encryption is a requirement if information is going to exchange between providers in this environment or that environment and —

MR. HOUSTON: So, your comment really is restricted specifically to the operation of the NHIN and what in theory should be in place from a security perspective to participate in the NHIN then?

MS. MAASSEN: Correct.

DR. ROTHSTEIN: Dr. Rippen?

DR. RIPPEN: You all talked about different aspects of the sharing of information. We talked about the issues of information sharing within an entity like a hospital which physicians have a right to whatever and also the transfer of information from one care setting to another to long-term care, for example, and we are talking about a lot of the current ways that we look at things in that kind of a mode but I guess I would like to fast forward in theory in 10 years and then ask the question of if we truly do have an exchange and that you can in theory have 40 or 50 years of an individual’s life and I do go to a hospital is it now that I would use the concept of minimal sharing as far as minimal data set view so that I can download it into the hospital medical system so I could then take care from that point on or will the hospital or the other settings need all of this information within their own systems and what are some of the implications of that?

DR. BOSWELL: If I can jump in, I am sorry, when I think of the concept of minimum necessary in the context of this longitudinal access provision I think of it as more of a restriction on queries of the system.

As Donna was saying you don’t want the record of an adult who is in a long-term care facility. You don’t want that all popping to you when you are trying to make a decision but you do need to be able to query the record from all different settings for the kinds of things that you in your clinical judgment think may be relevant to your situation and it may be something 40 years ago, and it may be something current so that the query, the request for information of the system needs to depend on the requester rather than on somebody else censoring my access.

DR. RIPPEN: Okay, but then let us take it the next step. Okay, I have queried because I believe these things are important but then the question is is that query a virtual query or now is it part of another record because as we all know, there are more uses for this information than direct patient care, for example, quality assurance market, you know just as far as what your population mix is so you can stay in business, the kinds of services you want to provide in the future. So, if an entity is deciding what information they believe to be important gets to pick that and then has it then the implications as far as what are other uses for that information will there be?

DR. BOSWELL: Now you are getting to the question of what are the rules that apply to users of the system, not just what kinds of queries can you make but can you print it out and keep it; can you query for someone who is not your patient because they might be an interesting person that you would like to know about? Under what circumstances can you download whole batches of information about patients with ICD-9 number so-and-so? Those are very important restrictions that will have to be thought about in terms of the standards for governing the accessing of information through this infrastructure.

We already have in position in HIPAA a provision that can be used for that purpose but it will have to turn into a work rule with respect to how the system works. For treatment purposes the question of whether or not I, if I am a physician whether or not I will trust the system to portray me the data about the patients that I am treating is a very, very important one and I think that trust, the trust of the physician in the information system’s ability to portray the information is going to be a very big part of whether or not I am going to download it and copy it so that there are multiple instances of the same piece of information floating around in multiple offices.

We have that information problem today because you talk about the exchange of information in a hospital but all of the admitting physicians to that hospital think of the information about the episode of care, the surgery in the hospital as quote, their information, but it is information about the episode of care in the hospital. Routinely physicians ask for copies of that whole piece of information to transfer to their own files. Arguably privacy might well be better served by allowing them to access that information when appropriate for treating that patient rather than them having copies of the same stuff in their files that they pass along that they then are responsible for disclosing to researchers, to third parties, to others upon request. That is information about an episode of care in a hospital. Yes, the physician is part of it, but arguably should that whole piece be downloaded and stored separately in that file or should it mainly be accessible to the physician when she needs it to treat that particular patient?

MS. GREALY: I think as Donna pointed out there are restrictions on uses as well as disclosures and I think we would see the same in the electronic world as well.

DR. ROTHSTEIN: Dr. Harding?

DR. HARDING: Just a brief question. Do your organizations have or have in process development of policies regarding the transmission or storage of identifiable medical information in offshore settings?

DR. BOSWELL: I don’t know.

MS. GREALY: Our organization is so diverse it would really depend on each particular entity.

MS. MAASSEN: I can only speak for Extendicare. I don’t know for AHCA but at Extendicare we don’t have any offshore data.

DR. HARDING: American Hospital wouldn’t, all the transcriptions and all?

DR. BOSWELL: I am sorry, I don’t know. I just am not aware of it.

DR. ROTHSTEIN: Any other questions?

Thank you very much to our panel. It was a lively exchange as I expected, and we will take a break until three-ten and at three-ten we will have our statements from the public followed by Subcommittee discussion and I anticipate adjournment by 4 o’clock this afternoon for those of you on the Internet. So, we are in recess until three-ten.

(Brief recess.)

DR. ROTHSTEIN: We are ready to resume our first day of hearings on privacy and health information technology before the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics and at this time we are prepared to have our public comment period. There is only one person who signed up. So, we are happy to recognize and I hope I pronounce it correctly, Dr. Gourguechon.

DR. GOURGUECHON: Thank you. My name is Prudence Gourguechon. I am a medical doctor who has practiced psychiatry in the Chicago, Illinois area for 22 years. I am also trained as a psychoanalyst. I am grateful for the opportunity to speak here today and I speak for myself and for my patients.

I have a couple of pages of prepared remarks which I hope to get to but I had so many things I wanted to say in response to the discussion today that I am going to start with some more ad hoc comments.

I was very much struck and somewhat disturbed by the absence of testimony from practicing clinicians today and I will explain why. That is not just in principle but in practice. I think that is a disturbing problem. There was only one person who spoke today as a witness who actually treats patients to my knowledge. That is by my count.

We heard a lot this afternoon from representatives of the hospital industry and the nursing home industry and other health care industries and in their testimony I heard very little or no mention of medical ethics or very little mention of patients at least any discussion of patients’ experiences that I found realistic.

There was some mention off and on today of the balancing act necessary between privacy and records accessibility. I want to stress that from my point of view as a clinician trained in the standard medical philosophy of our country there is no balancing act where medical ethics are concerned. There is never anything to balance about medical ethics and privacy is one fundamental component of that.

One thing that struck me also listening was that there were a lot of notions about the benefits of this electronic national health record system that I find very naive actually. I don’t think the availability of records particularly a lifetime of records is anywhere near as important as it was made out to be today. I can think of very few clinical situations where you really need to know much more than you can get on an index card that a patient carries in his wallet or on an ID bracelet. Now, I can see the great benefits in a local network for a nursing home to be able to get records electronically from a hospital nearby but in terms of you moving from Maryland to Oregon and then needing to know what your records looked like, what your lab tests were when you were 12, it just doesn’t make medical sense. That is the main reason I wish there were more clinicians here today.

I am sure there are a few circumstances that one could come up with. The classic example of the guy having a heart attack is not one of them. I mean even I as a psychiatrist could treat a heart attack without a medical record. You look like you are having a heart attack. You are having a heart attack. It is one of the easiest things to, clearest things to diagnose and treat.

Now, if somebody was in the hospital for 2 weeks with a fever that couldn’t be diagnosed and you know you have had five specialists in and you can’t figure out what it is, yes, it might be very useful to find out that they — and they are comatose, I suppose, they can’t talk to you, yes, it would be useful to find out that they were diagnosed with sarcoid when they were 15 and they have no relatives and they are comatose, but how many times is this really going to happen and you are not going to be able to get that information from a paper record, not enough times to my mind to justify the compromise of privacy of every citizen in the country.

I hope that this Committee still has an open mind about the national system. I got the impression that it is, and I am not an expert in this by any means, I got the impression that it is kind of a done deal and the issue is how are we going to implement it or how are we going to best implement it. I hope there is still some question about whether it should happen at all, whether it is worth the investment.

One point that was made by one of the afternoon speakers is about the need for complete patient information, medical information in the system because otherwise the physician receiving the information isn’t going to know if they can trust it. So, in order to have the physician, the receiving physician able to trust the information we have to not give patients the right to withhold any information.

Well, any physician, that comment really struck me because another fundamental premise of medical training is you never trust anything except your own history and physical. You just don’t. You get new labs. You do a new history, do a new physical. If you are an intern and you are being taught how to practice medicine and you say, “Well, the record said they have a diagnosis of diabetes; so that is what they have,” you would get kicked out of the program. I mean you would probably get shot if you were at Duke or something like that. You just can’t think that way. You can’t talk that way.

So, I would never trust an electronic system and I can’t think of a, I actually was trying to think of a single example of when I would need it or value it, and I couldn’t think of one in my whole practice.

Now, I am a psychiatrist. That is more of a boutique kind of practice. I am not sitting in a big medical entity like Kaiser or a hospital. I think Kaiser should go ahead and develop or any other hospital or whatever any large system obviously needs electronic records. That is fine with me but not a national system. I was struck also by the question of what is the evidence that this kind of system being talked about will really improve quality and efficiency of care. This was stated as a given over and over again. Well, we have to do this because it will improve quality and efficiency of care. I don’t hear any evidence that it will. Again, when you are talking about what I assume are billions and billions of dollars one would like to see some evidence before spending the money.

Another reality of practice is that doctors don’t have time to review all this information. So, you could have 40 years of records but there is no doctor trying to treat patients who has time to look at it and I was thinking when would I actually sit down, not only find the time to put in the information which I don’t have but also to get it out.

Now, I would if I had a problem patient who I couldn’t diagnose or who wasn’t responding to treatment, I usually do find time to review records. This happens infrequently, every month or two where I sit down and make the time but this is not a daily occurrence. We just wouldn’t have time. So, I think you would have a classic garbage in, garbage out situation. I think doctors even those who are compliant with the plan would not put in good information because they wouldn’t have time. So, then you have patients withholding information either because they were entitled to or because they just did, doctors withholding information because they didn’t have time to enter it and you would have junk at the other end.

Finally, of my spontaneous comments I think you would have a real problem with physician compliance because you would be asking us to break a fundamental premise of medical ethics and I simply couldn’t do that. So, like a journalist who is asked to reveal a source I would not do it no matter what the consequences were. If a patient didn’t want information in or if I thought the system wasn’t trustworthy which I am inclined to think I would think. So, my guess is that I would be a non-compliant physician and that you would have many like me either because of principle or practicality or they didn’t have $30,000 to spend on setting up a system. So, again, you are going to have a garbage in, garbage out kind of system.

If I still have a few minutes I will go to my prepared comments. May I?


DR. GOURGUECHON: My contention today is that absolute control over the privacy of their own medical records is essential to patients’ well-being and health and conversely that any threat to such control adversely affects patients both psychologically and medically and I want to bring the discussion down to, right down to the office level of a doctor and a patient and tell you a couple of anecdotes about the real suffering that privacy breaches cause real people.

These are two real examples. I asked the patients’ consent to discuss these stories here today and I changed their names. A week ago I canceled my Wednesday patients’ appointments so I could be here today and I told them that I was coming to testify to a committee investigating privacy. One patient, Carol when she heard where I was going tears immediately welled up in her eyes, and she said, intensely, “You tell them it is like having your arms and legs cut off and everyone circling about you looking at you. That is what it feels like when someone knows your diagnosis of mentally ill.”

Recently Carol had been on the phone with a new pharmacy plan trying to arrange to get her medication. The nameless person on the phone said, “What is your diagnosis?” Carol was shocked. She hasn’t even told her husband about her diagnosis of bipolar disorder. She is so ashamed of it and so afraid of the stigma it carries. “Why do you need to know?” she asked, crying. “We just do,” said the nameless person on the phone. “It is company policy.”

My patient refused to provide her diagnosis but she went to bed after the call and spent the rest of the afternoon crying.

Another patient, Laura recalled that when she was in the hospital after delivering a baby she was employed as a baby sitter by a Mrs. B.

Mrs. B also happened to work as a nurse in the same hospital where Laura was a postpartum patient. Of course, Mrs. B was not on Laura’s labor and delivery team nor one of her care givers.

At ten that night Mrs. B came into Laura’s room. Laura was very surprised. Mrs. B said that she wanted to say, “Hi,” and she didn’t have to follow the no visitors rules because she was an employee in the hospital. “I looked up your record when I heard you had a baby,” she said.

Laura had a history of a previous eating disorder, something she desperately did not want Mrs. B to know about. She stayed up the whole night which I will emphasize was the first night after having a baby worried that her employer had seen the diagnosis and that she would lose her job.

Psychiatric patients are special and their needs are special but I see them as the canaries in the coal mine. Their diagnoses, histories and other clinical information are the most exquisitely sensitive.

Their private medical information is among the most apt to cause disastrous problems with employers, neighbors and family members if inappropriately discovered.

Moreover even a threat to the privacy of the information in their records leads psychiatric patients to a breakdown of trust with the care giver, a loss of the openness that is vital to solving emotional and behavioral problems.

General medicine is beginning to rediscover what psychiatrists and psychoanalysts have known for a long time, that the relationship between doctor and patient is absolutely vital to healing.

The relationship it turns out is our most powerful drug. Any loss of control over confidentiality and privacy in the relationship between doctor and patient weakens that healing bond and leads to greater medical morbidity.

Already people don’t get help because of fear of exposure. They avoid seeking care for serious conditions like alcoholism, depression, bipolar disorder and eating disorders, not to mention STDs, cancer and other medical conditions mentioned earlier.

Many psychiatrists already advise patients who have the means to avoid using their insurance benefits that they have paid good money for because of the consequences for their future loss of privacy.

At the same time we know the terrible toll these disorders take on family life, on work place effectiveness and on the community.

I would like to address one final issue. Many of my patients have told me that when non-psychiatric physicians are aware of their psychiatric diagnoses and treatment they get substandard care.

As an aside there were numerous mentions of the importance of people on heavy duty psychiatric medications when they go to the ER the treating doctor has to know. First of all I am a psychiatrist. I can’t think of that many crisis situations where it really would matter if my patients refused to tell. It is not that big a deal medically. Secondly they can talk and if they want to get good care they are free to reveal their history. Third, they can give permission for the doctor to call me but there is a great exaggeration of the medical emergency situations here or the medical problems that this would allegedly solve.

An experience repeated to me frequently is that an internist or surgeon or gynecologist tunes out and stops listening when they hear of a patient’s psychiatric diagnosis or sees that they are on psychiatric meds. In my practice early diabetes, obstructive sleep apnea, epilepsy and hormonal imbalances and other conditions have gone undiagnosed while the patient’s symptoms have been attributed to psychotropic medication side effects or depression or an unusual sensitivity, in other words to neuroticism not medical illness.

My patients have been burned by disclosing their full medical information, and they know from necessity that they must remain in control of who knows what about them. To drive home the point even when medical information is shared only among physicians the compromise of privacy can have serious adverse health effects.

With our current technology electronic records will erode patient privacy. There are no fire walls, no promises that will make my patients feel safe to reveal their most painful truths to me.

Any further erosion of privacy will compromise care and thus cause casualties both for the individual, her family and society.

I thank you for your time and the opportunity to testify.

DR. ROTHSTEIN: Thank you very much. I have one question and then we will open it up.

There was something you said that sort of grabbed me and that was at the beginning when you said that in your view there is no balancing with patient privacy and other interests.


DR. ROTHSTEIN: That there is an absolute.


DR. ROTHSTEIN: And so let us assume that, are you saying that in your practice or medical practice period?

DR. GOURGUECHON: Medical practice period.

DR. ROTHSTEIN: So that I am an emergency department physician and somebody comes in and I diagnose them as having SARS or pneumonic plague or anthrax exposure and they are very embarrassed about this and they ask me to keep it confidential?

DR. GOURGUECHON: Oh, well, you know, I overstated then. Of course public health emergencies, true emergency care you know I think —

DR. ROTHSTEIN: Okay, so you are retracting this.

DR. GOURGUECHON: I am retracting the absoluteness of it.

DR. ROTHSTEIN: Thank you very much.

Mr. Houston?

DR. GOURGUECHON: But in all routine circumstances.

DR. ROTHSTEIN: Other than —


MR. HOUSTON: I am going to preface my —

DR. ROTHSTEIN: I didn’t want to get the CDC people —

DR. GOURGUECHON: Thank you. No, I definitely would want SARS reported.

MR. HOUSTON: I am going to preface my questions by saying that your comments are very compelling and I don’t think anybody on this Committee wants to be cavalier about providing access. I think we all want to try to understand it and I really do appreciate what you have said, and you obviously deal with a class of patients that have certain sensitivities that we need to be considerate of but to a couple of points you made in your last page of your testimony you talked about the fact that physicians who are advised of a patient’s psychiatric condition or the psychotropic medications that they may be on may be less inclined to look into diagnosing symptoms and just chalk it up to —

DR. GOURGUECHON: Right, very, very common.

MR. HOUSTON: Is that a privacy issue or is this an issue of working, ensuring that medical staff, clinicians don’t simply cavalierly look at that type of situation and say, “That person, you know, it is your medication; don’t worry about it”? I mean where is the cause and the effect and should we be as much concentrating on ensuring that a doctor is not cavalier in his simple dismissal of a patient’s claims simply because they are on a psychotropic medication?

DR. GOURGUECHON: You know in an ideal world it could be fixed by education but we don’t have any way of changing the hearts and minds of America’s physicians sufficient to stop this from happening either from the medical education level up or not or not. There are reasons that psychiatric disorders and other things like cancer even or AIDS are stigmatized. They cause emotional reactions in people, even doctors and when people have emotional reactions to things they stop thinking clearly. So, I think it is an educational problem that could never be solved because a lot of these are emotional issues.

I think the only way to protect patients is to give them the choice. Now, every patient is not going to choose to keep this information private. They might want to share it with their ENT doctor or their dentist or their gynecologist but they may not. I just think we have to give them the option because the government is not about to spend an equal number of billions of dollars on changing the minds of the American public about the stigma of mental health. I would be delighted if it did but I don’t think that is going to happen.

MR. HOUSTON: I am sort of driven by the fact that our chief medical officer in our health system where I work is a psychiatrist and I know he is very much for an electronic health records environment but I know also that he understands psychiatric disorders very well and he is a practicing clinician and I have heard him speak and talk about the need for access to information and I know he is an advocate of it. So, I just —

DR. GOURGUECHON: I can’t speak to why he is an advocate. I would really like to hear a doctor give a real example of where this is medically vital including him because all these hypotheticals about oh, you get to an ER and you have a heart attack. It is not vital there. So, what is the situation where it is worth compromising privacy which I think anything besides absolute consent, and I am not against sharing information but I am for consent overriding except in the public health emergency type of situation.

MR. HOUSTON: Two other questions real quick. You talked about the situation where a pharmacy plan had inquired as to why this patient was getting this medication. Is there any thought that there could be a medication fraud that somebody is trying to fraudulently get medication? Are these the types of drugs that —

DR. GOURGUECHON: You are talking about an antipsychotic. It is not associated with fraud and I don’t think that had anything, I don’t think there was any reason for that person to get that information, but the point was the reason I brought that anecdote in was to show the shame a real person feels. Why that company wanted that information I don’t know and she might have given consent. I mean she didn’t. She doesn’t give consent but somebody might but no it is not about fraud. There is no medical purpose to that. I assume it is a statistical purpose, frankly.

MR. HOUSTON: I was just interested.

DR. GOURGUECHON: You know, that it is an accounting type of thing. What kind of patients do we have in our plan and what kind of drugs are they using and how much is it going to cost us?

MR. HOUSTON: It is clearly a huge issue in industry, certain medications and fraudulence you know patients trying to fraudulently get them and I am just trying to understand whether there is any possible —

DR. GOURGUECHON: That whole prescription monitoring bill I think is addressed to that, right? This particular medicine was not one anybody would —

MR. HOUSTON: Thank you very much.

DR. COHN: I actually want to thank you I think for some very good testimony. I guess I should disclose. I actually am a doctor also and an emergency physician.

DR. GOURGUECHON: I said the witnesses.

DR. COHN: That is fine. Since you said it a couple of times now, I work with Kaiser Permanente and I have had the luxury as well as good fortune over the years to actually have relatively full medical records on patients when I come in and obviously we will be hearing from the emergency physicians tomorrow but I do want to sort of comment that this issue of people coming into emergency departments with heart attacks or whatever may not be quite as obvious as you are intimating. I mean if I have old EKGs it is great. I feel sorry, however, for people in outside emergency departments where they may not have access to these and certainly when I have over the years seen people who are not members of the health plan who are coming in you are typically scampering, calling around everywhere you can.

Now, obviously there are obvious cases of acute MI and we are both in agreement about that but there are many things for example, like left bundle branch block in the setting of chest pain. I am sorry for being technical here for a minute but it is an indication for thrombolytics if it is a new left bundle branch block with chest pain. If it is an old left bundle branch block then you don’t give them and obviously a thrombolytic medication is a serious thing to give, and it is these sorts of things where I think we all sort of, yes, on one level you can do a lot and I think that is really what you are trying to say.

DR. GOURGUECHON: I didn’t hear the last.

DR. COHN: I said that I think you can do a lot with incomplete information but I think even in this day everybody is running around. People are using, there probably is not a day where I work when I work in the emergency room where we haven’t been scampering around trying to find pieces of information especially on people that aren’t part of the unified medical record.

Now, I don’t think anybody thinks that an NHII is going to be the same thing as an electronic medical record held by the Pittsburgh Medical Center or Kaiser Permanente but to not provide for that access seems to me to be irresponsible.

DR. GOURGUECHON: I don’t doubt that the emergency physicians ethically have a very different perspective from mine and you are one. I understand that if I were faced with those kinds of problems every day, I guess I am trying to balance and I think somebody has to take very careful accounting of the risk/benefit ratio here that even though you can come up with beneficial instances I am giving you some of the risks, some of the risks with my patients I see.

DR. COHN: I do understand what you are saying and I do in a balanced perspective agree with many of the things you have said. I just wanted to, I thought in some cases you went a little too far, and that is my opinion.

DR. ROTHSTEIN: Thank you very much.

We will now go into a period of Subcommittee discussion which is open to the public and so our guests can stay if they so choose.

What I thought we would do this afternoon was to talk in a very preliminary way about our third round of hearings which is scheduled for June 7 and 8, and you will recall that the purpose of those hearings was to get some insights from health systems and health plans and health entities that have some experience with electronic health records and in addition to talk to some IT experts who have the technical expertise to answer questions like if we wanted to recommend this, is that doable somehow and so, we are trying to locate people like that who have the systems design expertise to answer questions that I am not even sure what the questions are yet, but I don’t want to be in the position of recommending things that are not doable, would be prohibitively expensive, would be burdensome, etc. So, I just want to kind of get a reality check from the people who do this for a living.

MR. HOUSTON: Are we looking at vendors or are we trying to stay away from vendors?

DR. ROTHSTEIN: In the first category, let us go through the first category and then we will talk about the IT experts. In the first category of people I would like to hear and then we can add additional ones as you think might be relevant, I would like to hear from like the VA, Department of Defense, some large clinic organization or hospital like Cleveland Clinic, the Mayo Clinic, Kaiser, someone with experience to come.

DR. RIPPEN: What about other entities like industries that are trying to do it as far as how they are addressing some of these issues?

DR. ROTHSTEIN: Right and also I would like to, I was struck by what Jim Pyles testified this morning about that Cedars-Sinai had a negative experience. So, I would like to hear from them. If that in fact is the case then why is it and what errors can be avoided.

DR. COHN: If I can just comment on that, first of all I think Kaiser would, and you can certainly ask Kaiser and they might be very happy to testify. It means we don’t have to ask them to write comments relating to the testimony today. In terms of Cedars-Sinai I do want to clarify that what they were doing was A, a computer-based entry system and that was basically being pulled back and I don’t believe there were any privacy or confidentiality issues. It had to do with work flow issues primarily as I understand it.

PARTICIPANT: Yes, I think it was implementation issues.

DR. ROTHSTEIN: The point is we should also look to people who might testify as to the problems either privacy problems or technical problems. I don’t want to have a collection of witnesses who say that this is the greatest thing since sliced bread and we have never had any problems when other people may have had problems.

DR. RIPPEN: So, just to clarify you want to have plans that have implemented successfully EMRs or EHRs and to assess how they successfully are addressing or implementing the privacy component or —

DR. ROTHSTEIN: Exactly, particularly with a focus on privacy.

DR. RIPPEN: And what technologies they are deploying to do that and any issues they may have as opposed to the implementation of a —

DR. ROTHSTEIN: Have patients complained, etc., and I would also like to hear if we can identify experts who can talk to what other countries have done because we are not trying to replicate the Mayo Clinic. We are trying to decide on a national system, and I think maybe Don Detmer could talk as to what the UK is doing. I know they are working on the issue in Australia.

DR. RIPPEN: They have some interesting actually approaches to that.

DR. ROTHSTEIN: Maybe we could find someone who could speak to that, Sweden, some of the other countries.

MR. HOUSTON: One of the Middle East countries is throwing a whole pile of money into —


MR. HOUSTON: May I make a suggestion, too, in terms of specifics? As I recollect Vanderbilt had a very progressive EMR strategy a number of years ago when I had been involved with some people.

MS. RIPPEN: The hospital system?

MR. HOUSTON: Yes, which is I guess part of the university also.

DR. RIPPEN: There is the enterprise-wide component but then there may be also the ones that go beyond enterprise that actually have a very robust enterprise-to-enterprise relationship because that is another aspect of the privacy and then you go to the kind of real LHI.

DR. ROTHSTEIN: And so we also need to be thinking about not only what organizations we want to invite but who at the organizations we want to invite and it may be that for example that one of these organizations we would like to talk to the privacy officer and see if there has been any change in the level of satisfaction or complaints or they had to intervene in some way.

So, maybe we would hear from the health information people at one hospital and a privacy officer at another hospital and maybe somebody, some clinician at a third organization but I would like to have a mix of presenters to try to give sort of a well rounded picture of how it is working.

MR. HOUSTON: We need to be very careful, not careful; that is the wrong word. We need to make sure that the individuals that come to testify are actually intimately involved in the EHR strategy at their facility because privacy officers may have a very hands off approach. Other ones may be tightly integrated into the strategy or the process.

DR. ROTHSTEIN: I think one of the things that I would like Mia to check on is you know we talked to the privacy officer hypothetically at Vanderbilt and we want to make sure that they are familiar with the electronic system and have something to say on the issue of the impact of the system on privacy.

Maybe they don’t, and maybe somebody at Stanford has more to say on that.

DR. RIPPEN: Are you also interested in going beyond just the health care setting meaning something like the entities that might provide personal health record support for consumers directly and their experiences with issues as it relates to privacy?

DR. ROTHSTEIN: We did hear from some of the people at the last hearing. We could go back to that. I mean I don’t know how many more hearings we are going to need. My plan is to, after the next hearing to sort of have a discussion among all of us and sort of take stock. Where are we? What more do we need? Who do you think you need to hear from and so forth?

MS. BERNSTEIN: Do you also, you have named sort of big organizations mostly, very significantly large organizations that may have large and complex systems. You don’t want to hear from sort of smaller offices that are using just within their office; that is not what you are trying to get at this time or is there a reason why you might want to get advanced smaller practices?

DR. ROTHSTEIN: People may differ on this but my thinking is we are not dealing with the issue of an electronic health record per se. We are dealing with an interoperable system where you have got Kaiser at point A can send stuff to Kaiser at point B and multi-specialty clinics where stuff moves around and those are the kinds of issues that I would like to explore with them not whether Dr. Smith is happy with using electronic versus paper or order entry prescribing, whatever.


DR. HARDING: Something just kind of thinking about all this would be to have some system like a state department of mental health system that has used electronic medical records or alcohol and drug and department of mental health and all the things that they bump into.

DR. ROTHSTEIN: So your point is specifically to identify sort of a high sensitivity health care delivery?

DR. HARDING: A state-run big, I mean I keep thinking of Medicaid with all this because most DMH, department of mental health disorders are mainly in Medicaid.

DR. ROTHSTEIN: What about state mental health facilities?

DR. HARDING: Most of those are Medicaid now or indigent and there aren’t many big facilities left but there is that whole system that is kind of like the VA and Department of Defense but it is a little bit different. It is a state as opposed to the federal.

MR. HOUSTON: I can do two things here.

DR. ROTHSTEIN: Western Psych?

MR. HOUSTON: Not Western Psych. We keep them out of that, too close a relationship there. We have two organizations. We have a software development company that actually develops software for the psych industry. It is an ADGS development group and I can, I am sure that we could get somebody from that organization to come to talk about if there are specific technical considerations related to development of software for use in the psych industry and the second thing is we have a managed care company specifically for the psych area. It is community care behavioral health which is also regional, works with Medicaid population. So, I think, also, I can get somebody to speak from that if we wanted to talk about that type of thing.

DR. COHN: Actually just sort of following what John was describing about I think psychiatric issues really mental health issues in relationship to this there is actually a national meeting being planned for September that SAMHSA is sponsoring relating mental health and NHII and all of this. I believe there is actually a planning meeting next month occurring and you might want to talk to, is it Ron Mander, yes.

DR. GREENBERG: Ron Manderscheid? He has actually worked with the, he might even officially be staff to the subcommittee on populations. He certainly has worked with the national committee over the years.

DR. ROTHSTEIN: And as a liaison or staff on the subcommittee as well.

DR. COHN: But you might find out where they are going and see if there is some way to leverage, give you some planning or they might have somebody or some perspective on this that would be helpful.

The other thing I think, Marjorie, I am saying the same thing you are as you were talking about sort of the what we are looking for in terms of these hearings. I guess I am sort of mulling over how, I almost have to describe this one but the issue is clearly not the use of electronic health records within the facility so much. It is really we were talking about the NHII. We are talking about all the stuff that happens when things move from one place to another sort of outside.

So, probably even organizations like the VA and Kaiser for that matter, you could talk to them about how the VA is moving it from region to region or how they deal with all of that or Kaiser but you can also talk about what plans do they have and what security issues or privacy issues do they have as they begin to sort of expand beyond that which might be useful.

DR. ROTHSTEIN: I agree. That is exactly what —

DR. COHN: It sounded like where you were going.

DR. ROTHSTEIN: Marjorie?

MS. GREENBERG: Yes, and this may be just to follow up on that but one thing that kind of struck me listening to a lot of the testimony today as you said the issue although there are issues with that, too, but the issue is not so much the electronic exchange of information as, that is one issue but that another issue that I think was just kind of a subtext that this Subcommittee and I think standards and security as well might want to address and the NHII work group. I mean these things start kind of converging, but it is the whole issue of a longitudinal health record. To some degree that is kind of held up as the Holy Grail.

I mean it is the same thing in epidemiologic studies or in population-based data where you get this snapshot of people when you go in and survey them and you get a sort of a snapshot of a person when they come in for a medical encounter. You are able to expand on that snapshot if you can take additional tests or whatever.

We know that in epidemiologic data it is always greatly enriched when you can link it with say claims data, if you link the survey data with claims data and if you could link it with tax records. I mean there are benefits there. Of course, there are always also risks and even within a very statistical environment and now we are talking more about the real world but I think I was struck by the last speaker mentioning that and I respect her experience and knowledge that as a practicing clinician she wasn’t just swimming with ideas about how her care for patients would improve if she had this longitudinal record.

On the other hand, as Dr. Cohn pointed out you know working in an emergency room he can think of opportunities and of course you think of the IOM study on medication errors and there certainly is evidence that in some cases having this information can be helpful, could save lives and could certainly save money but at the same time I think that maybe there hasn’t been sufficient really evidence-based research and information developed and this of course relates to the whole idea of this Subcommittee and others making recommendations for a research agenda for the department which is something we have talked about at the Executive Subcommittee in the past but the evidence of what a longitudinal record as opposed to having just-in-time information what a longitudinal record, what the benefits, the costs are and what is this idea of the continuity of care record. I don’t think that has been really talked about. It has been mentioned. It hasn’t really been substantively addressed in the standards and security subcommittee, I don’t think.

So, this is a whole area of inquiry that I think would be very rich for the national committee and might be something we could discuss at the executive subcommittee meetings that are coming up because it certainly does have implications from a population health point of view. I mean you hear people talk about the value of some of the longitudinal data they have had in the UK and there are research implications but there are privacy implications. There are just so many interesting issues and I think that we would benefit from some systematic inquiry and identification of the kind of research that might help shed light on it.

DR. ROTHSTEIN: I think as usual Marjorie makes a wonderful point, and it is something that I haven’t really expressed nearly as well as you just did and that is I think that the moral justification for an electronic health record system nationwide has to be that it is going to improve the outcomes of the physician-patient encounter. It may be that indirectly we are going to be able to do all this neat health services research and all this neat epidemiology and people are going to be able to design new systems but that is not what people sign up for when they go to the doctor. That is why we require specific informed consent to engage in research and this is not a research record. This is a clinical record that may have secondary benefits, and I think unless we can demonstrate that a longitudinal record and a virtually complete record is essential to high-quality health care for patients and would save lots of time for physicians which translates into more health care for everybody because they are not taking a duplicative record again and again, then a lot of the sort of compelling rationale for the system kind of fades away. I mean you are going to have a harder time convincing people to give up privacy in exchange for saving money for allowing researchers to get queries that they couldn’t get previously.


MR. HOUSTON: Two points. I don’t think it is necessarily up to us to decide that aspect of it because I think you get a pretty strong argument from some people that the collection of this data maybe not in NHIN environment but having a fidelity and cradle-to-grave medical record is of extreme value overall to improving the quality of care whether it is actually directly used in any specific patient encounter, I mean I hear what you are saying and I am just saying that other people would use that argument and say that it is still extremely important to have this type of environment in place.

Now, I think it is not the right question for us necessarily to answer.

DR. ROTHSTEIN: We can debate that but maybe we ought to have the facts.

DR. GREENBERG: That is what I was suggesting, I mean both to lay out the issues and the assumptions and where there is data to support the assumptions, what type of research might be desirable or feasible to address those assumptions.

DR. ROTHSTEIN: Maybe we should recommend that the IOM do a study.

DR. GREENBERG: Yes, I mean it certainly fits in also with the quality work group work. You know it just cuts across the whole Committee I think.

MR. HOUSTON: I have another point that is sort of on another vein but I think it is important here. Last year when we went to the NHII conference they had awarded a variety of organizations grants to do a variety of research topics related to NHII.

Is it fair game for us to go back to look to see what those organizations are doing and maybe see if any of those, if there is a value to having somebody from some of those organizations?

DR. GREENBERG: I think those are the patient safety grants or from AHRQ, is that what you are thinking of?

MR. HOUSTON: I am thinking but I wasn’t sure exactly what the breadth of them was and whether there aren’t some that maybe have some applicability to this.

DR. GREENBERG: I don’t know whether they would have like outcome data yet but like Mass Share and that, is that the type of thing?

DR. RIPPEN: Yes, and they may have some experience at least with how they grappled with the privacy issues because they had already come up with some of their planning especially some of the planning grants and that is something that we could actually talk to Scott about.

DR. ROTHSTEIN: It may be that there isn’t anybody there from any of them but we should at least ask the question.

MR. HOUSTON: And it may be a topic for a fourth hearing is research, I mean what do we know and what don’t we know in this area and possibly we would hear from these people and others who could be identified.

DR. ROTHSTEIN: Other comments or suggestions. I think this was a very productive discussion. We actually didn’t talk too much about the IT experts.

So, before we break for the day I want to talk about the IT experts who we want for the hearing and John raised the question earlier do we want to hear from vendors and I have no problem with that.

They may have sort of the unique expertise in designing these systems but I don’t want them to be there as the vendor for X company.

I want them to be there as an expert. I am going to assume that there is no off-the-shelf system that can do everything we want it to do especially because I am not sure I know what I want it to do. But we may find people in vendors. We may find academics. We may find people who are working for large companies like the Director of IT at the VA or somebody who could tell us what the capabilities are of the system but we may need extra help in that area and I don’t know who we should start with. Does anybody have any ideas?

DR. RIPPEN: HEMS(?) provided the security expert before and there are a few other organizations. One could consider also NIST with regard to some of the standards as it relates to security.

PARTICIPANT: What about Gardner or Meta(?) or something like that. I don’t know that NIST —

DR. RIPPEN: Yes, I know. That is why I was like, yes, they are technology.

MS. BERNSTEIN: One thing that I would be concerned about is how much we get toward the security and standards side where we are going into the purview, not that we can overlap with other committees but how we are making use of our time if another committee is going to handle some of the things that are really standards issues or straight security issues.

DR. ROTHSTEIN: Here is how I envision ideally that part of the hearing to be. I would like the Subcommittee to sort of brainstorm in some capacity and come up with a whole series of questions that we can ask them to address, not all of them but some such as is it possible, you know, how much discretion is it feasible to build in for patient control over X, Y and Z?

If we wanted to carve out mental health as an issue how do we do that when most of the mental health information is in primary care records and not in psychiatric records? Is that just sort of a deal breaker because what would we need to do to get that coded properly; is that infeasible, but if we came up with a list of 10 or 20 questions to ask the IT people then I think that would be the best use of their expertise at least for me.

DR. COHN: I would be cautious on this one because it is IT and those who don’t deal with IT very much ascribe a lot more knowledge and insight to IT than really exists. I mean IT can make anything happen. It is just a question of how much money and how much work flow interruption —

PARTICIPANT: Are you finished with this line?


DR. COHN: And I think that many of the questions you are asking will impact work flow and it is a question of process redesign and I mean these are the things you would be asking organizations and a piece of IT is how do you architect X, Y and Z; how might you do it, but you might equally ask any of the organizations, ask the VA if you are going to have people sign every time they talk about X, Y and Z, how would you do that and I think is a big question.

DR. RIPPEN: We have to figure out a strategy to do that whether it is possible or what would be involved or is it feasible or can you suggest a way in which we can get to this end point that we want.

DR. COHN: And one problem is we don’t agree with what the end point is. So, that is a real problem here.

DR. RIPPEN: Yes, in general as was alluded to before if you can think at the technology actually can be more than likely built; it is just money and effort, I guess the first premise is what are the requirements and then what should be considered to be the requirements and after that then what are the implications of implementing those requirements from a technology perspective as far as is there already off-the-shelf kind of application for it or what are the implications on design of systems. I think those are very important things that we need to ask.

The question is what is the timing of them.

MR. HOUSTON: But let me say this though. We are getting to some degree anecdotal evidence and we have the RFI that has been completed where I think they have got probably an enormous amount of data about a lot of what we are talking about.

Unfortunately the question is going to be asked. The point is that there has already been a data gathering about a lot of this and I guess the question is how much do we leverage versus how much do we try to do on our own realizing it is probably something that your group is going through already and is there any value for us to be doing some of these things?

DR. RIPPEN: I think the questions are different. I think the questions are ultimately different in the essence of what are the issues with regard to privacy and what are some of the options that might be explored with regard to addressing some of these as opposed to can you segment information, limit access to certain parts and things like that and yes, there is going to be overlap with regard to what people are saying technology and there will be significant impacts to organizations that already have systems and so there is a lot of different layers of complexity and I don’t have the answer and I guess it depends on the Subcommittee to determine at what point do you want to explore the options and the implications from a technology perspective.

DR. ROTHSTEIN: I, also, think it is important as a federal advisory committee that we conduct hearings because it is open to the public. It is broadcast. We get to ask questions and engage with the people as opposed to them just sending in comments.

MR. HOUSTON: I don’t disagree. I am just trying to think of time well spent and leveraging where we can leverage. RFI was more information from more sources than I think Helga would care to agree.

MS. BERNSTEIN: If as Helga says that the questions are different and we determine that the kinds of questions are different one thing we can do is look at the responses to the RFI and just see who is it that has a, from their response you can sort of gauge who is it who has a fairly sophisticated level of response and who might have something that would be useful for us to say. We can use that as a tool to identify proper —

DR. ROTHSTEIN: Are those accessible to the Committee?

DR. RIPPEN: I believe that the responses that this Subcommittee and again this is just my belief that the Subcommittee can request that certain questions be answered that might be relevant to the types of things that were submitted, but that is something that we can find out.

MS. BERNSTEIN: Are you asking if members of the Subcommittee can look at specific comments?


DR. RIPPEN: That I am not sure of but I would believe that the Subcommittee could request that certain questions be asked that can be summarized but I am not sure.

MR. HOUSTON: If the Subcommittee were to formulate questions would it be possible for somebody to go back through the responses to define not only and find information but to potentially contact people that submitted information to ask whether they would be interested in further discussing it?

DR. RIPPEN: I will ask.

MS. DOZIER-PEEPLES: I was one of the RFI reviewers on the privacy and confidentiality and I have access to those comments but I don’t know what availability I can provide to the Subcommittee but I can certainly inquire tomorrow morning about that and report back to you.

DR. ROTHSTEIN: We certainly don’t want you to breach confidentiality.

MS. DOZIER-PEEPLES: No, but I can inquire about what level of information can be fed back to this Committee before the report is issued.

MR. HOUSTON: Even if we were to say, simply say that you serve as the honest broker who could identify individuals or organizations that submitted responses which were meaningful and then see if they would be interested in separately coming and talking to us that would be helpful if nothing else in sort of pre-qualifying organizations that might provide us some type of substantive information without us ever having seen the responses or having known who these individuals were except that they said, “Yes.”

MS. DOZIER-PEEPLES: Okay, I think that that is probably a very doable thing. I know that some of the responses are up on the actual entity’s web sites already and especially the more sophisticated ones.

DR. ROTHSTEIN: Do they identify the name of the —

PARTICIPANT: Like the HIMS(?) have it on their web site.

MS. DOZIER-PEEPLES: And actually the more advanced ones that you would probably be interested in I mean we could ID those.

DR. COHN: Of course we know I think a number, I mean we have already listed groups that we think are likely candidates who might be testifying on this one but I think there is a piece here that we are sort of talking about which is more along the lines of innovative approaches and ideas in terms of how all this plays out.

MS. DOZIER-PEEPLES: There was a lot of that in the RFIs.

DR. COHN: Isn’t that really what we are talking about in these RFI responses that we need to hear about rather than, I mean since we really don’t know what it is we are talking about yet?

MS. DOZIER-PEEPLES: Interestingly the work group as a unit had identified within themselves the more interesting and compelling responses for reading by other members of the group.

So, they did kind of self-identify the more innovative, interesting ones. I think there are about 15 of those now that were like ideas like very highly specialized and everyone should read.

DR. COHN: The point I was making was that since we don’t really know what it is we are talking about that we would want to ask an IT vendor what could you do beyond the issue of what could you do innovatively that —

MS. DOZIER-PEEPLES: Yes, I am not sure that is helpful.

DR. COHN: And what I was commenting was that I thought that maybe with the RFIs maybe the issue is really more innovative approaches that maybe we need to hear about and maybe that helps inform our thinking about what it is we need to be asking vendors.

DR. ROTHSTEIN: I have a suggestion to make and this was informed by Mia’s comment and that is to take out the IT aspect of hearing three and substitute health plans because even though we are going to hear from Mayo and Cleveland Clinic and so forth we haven’t heard from the Blues, Humana, the large health plans and they are going to have a clear role in this and part of the testimony today if you remember this morning was Simon brought up the issue of well is it possible that health plans might have more information than the providers and we would have to explore the willingness or the implications for health plans of limiting the amount of information that they have a right of access to and I am sure they have strong views on that but I would like to have them explain the basis for their views.

So, if that is okay we will have the health plans one day or maybe half a day depending on how many we have and then also hear from the users of the electronic health systems and then we will defer on the IT experts maybe combining that with a research where are we; what do we know; what don’t we know, etc., at a fourth hearing at a date that we will have to come up with.

Is that acceptable?

MR. HOUSTON: Do we have some way to sort of put the notes that we can look at them?

DR. ROTHSTEIN: Can we get that? Mia is taking care of that.

MS. BERNSTEIN: Do you want it by the end of tomorrow or do you want it in a week?

MR. HOUSTON: We might want to have a sort of conference call to flesh out some of this.

MS. BERNSTEIN: I am just writing a note to Mark saying that perhaps you want to schedule a conference call for the Subcommittee after you have had a chance to mull it over a little bit what we talked about this afternoon and further coordinate what you want to do in June.

DR. ROTHSTEIN: How about tomorrow if during our Subcommittee discussion time we take up the issue of a conference call time to figure out what it is we are going to do at the June hearing in a little more detail and also to try to identify a time for hearing No. 4 and we will get dates but we don’t have yet at least to my satisfaction a sense of what it is we want to do. We will circulate dates but we need to have a clearer idea of what we want to do and then of course the important question of where we want to hold it.

MS. BERNSTEIN: May I just go back one step a bit? I am flaunting my ignorance for a minute not being a health person on health plans and those types of organizations. Are there also kind of clearinghouses, pharmacy sort of mail-in pharmacies that are neither pharmacies nor you know those sorts of organizations that are PBNs, other things that are at all like health plans that we might want to include?

DR. COHN: That is an interesting question. Under the prescribing it is likely that PBNs will be directly providing providers with medication history or at least there is a standard coming down —

MS. BERNSTEIN: Have we already heard from them at a previous hearing before my time?

DR. COHN: That has been through prescribing but of course most of those are business associates of health plans. So health plans should be able to speak.

MS. BERNSTEIN: But they might have a different point of view being business associates and not being directly covering, you know if that is an issue. I am just trying to brainstorm about whether there are other organizations that are in the same category that you might want to include. I am going to go off and find out whatever you want. I am just trying to —

DR. COHN: I know tomorrow’s weather is not supposed to be great. Does it make sense for us to maybe try to pull lunch into here and maybe sit in here and talk about it? I don’t know. This might be helpful to digest for the evening and then sort of sit back down and talk about it.

DR. ROTHSTEIN: We have scheduled tomorrow from two-forty-five to four Subcommittee discussion and —

MS. BERNSTEIN: I am aware that some of the members of the Subcommittee have planes to catch and so forth and need to get out of here at a reasonable hour.

DR. ROTHSTEIN: So, how about if we do this, how about if we have a working lunch from twelve-thirty to one-thirty, take up this issue and we will adjourn at two-forty-five after panel No. 6?

Mary Ann, we are going to have a working lunch tomorrow from twelve-thirty to one-thirty. Can you figure out how to do that?

Do we have to be on the record? The only reason I ask that is because it might be easier to tell them we are going to have a table for eight or nine.

MS. BERNSTEIN: You can’t have it in the restaurant for example downstairs. We can’t get a table for this group in the restaurant. It has to be open.

DR. ROTHSTEIN: I guess we could simply order and have them bring it back up to us.

I am fine obviously with health plans and PBNs and whomever. I am not sure that we are going to find a tremendous amount there but I think it is certainly worthy of at least one panel. It would be nice though if we —

MS. GREENBERG: I am just not aware. You will tell me.

DR. COHN: Yes, and we can help guide you on that one. I guess the only question I would bring up is whether or not, I mean this initial issue which was sort of innovative approaches to begin to sort of see if people have out of the box thinking potentially informed by the RFI responses, whether or not a panel of some of those people who responded might be very valuable just to help us maybe think bigger thoughts before we start talking about IT people.

DR. ROTHSTEIN: That is what I am thinking about for hearing No. 4.

DR. COHN: Bringing IT people along with them?

DR. ROTHSTEIN: I don’t know. Let us work on No. 3 first, but I think that is certainly a possibility.

MS. BERNSTEIN: Is there anything else that any of the members of the Subcommittee need for tomorrow or anything we can do for you for tomorrow?

DR. GREENBERG: You decided to adjourn now at two-forty-five tomorrow?

DR. ROTHSTEIN: Correct. So, if there is no other business we are adjourned for today, and we will resume tomorrow morning at 9 o’clock.

Thank you.

(Thereupon, at 4:20 p.m., a recess was taken until 9 a.m., the following day, March 31, 2005.)