[Senate Hearing 107-]
[From the U.S. Government Publishing Office]

S. Hrg. 107-421

OVERSIGHT ON MEDICAL PRIVACY

HEARING BEFORE THE COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS, UNITED STATES SENATE, ONE HUNDRED SEVENTH CONGRESS, SECOND SESSION

ON EXAMINING MEDICAL PRIVACY ISSUES, FOCUSING ON THE STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (PRIVATE RULE), AND THE PROPOSED MODIFICATION TO THOSE STANDARDS, PUBLISHED BY THE DEPARTMENT OF HEALTH AND HUMAN SERVICES

APRIL 16, 2002

Printed for the use of the Committee on Health, Education, Labor, and Pensions

U.S. GOVERNMENT PRINTING OFFICE 78-950 WASHINGTON : 2003

For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS

EDWARD M. KENNEDY, Massachusetts, Chairman
CHRISTOPHER J. DODD, Connecticut
JUDD GREGG, New Hampshire
TOM HARKIN, Iowa
BILL FRIST, Tennessee
BARBARA A. MIKULSKI, Maryland
MICHAEL B. ENZI, Wyoming
JAMES M. JEFFORDS (I), Vermont
TIM HUTCHINSON, Arkansas
JEFF BINGAMAN, New Mexico
JOHN W. WARNER, Virginia
PAUL D. WELLSTONE, Minnesota
CHRISTOPHER S. BOND, Missouri
PATTY MURRAY, Washington
PAT ROBERTS, Kansas
JACK REED, Rhode Island
SUSAN M. COLLINS, Maine
JOHN EDWARDS, North Carolina
JEFF SESSIONS, Alabama
HILLARY RODHAM CLINTON, New York
MIKE DeWINE, Ohio

J. Michael Myers, Staff Director and Chief Counsel
Townsend Lange McNitt, Minority Staff Director

C O N T E N T S

STATEMENTS

Tuesday, April 16, 2002

Kennedy, Hon. Edward M., Chairman, Committee on Health, Education, Labor, and Pensions, opening statement
Gregg, Hon. Judd, a U.S. Senator from the State of New Hampshire, opening statement
Dodd, Hon. Christopher J., a U.S. Senator from the State of Connecticut, opening statement
Harkin, Hon. Tom, a U.S. Senator from the State of Iowa, prepared statement
Frist, Hon. Bill, a U.S. Senator from the State of Tennessee, opening statement
Reed, Hon. Jack, a U.S. Senator from the State of Rhode Island, opening statement
Warner, Hon. John W., a U.S. Senator for the State of Virginia, opening statement
Murray, Hon. Patty, a U.S. Senator from the State of Washington, opening statement
Enzi, Hon. Michael B., a U.S. Senator from the State of Wyoming, opening statement
Allen, Claude, Deputy Secretary, Department of Health and Human Services, prepared statement
Karp, Sam, Chief Information Officer, California Healthcare Foundation, prepared statement
DeWine, Hon. Mike, a U.S. Senator from the State of Ohio, opening statement
Goldman, Janlori, Director, Health Privacy Project, Georgetown University, prepared statement
Harding, Richard, M.D., President, American Psychiatric Association, prepared statement
Clough, John C., M.D., Director, Health Affairs, Cleveland Clinic Foundation, prepared statement

ADDITIONAL MATERIAL

Articles, publications, letters, etc.:
    Letters signed by physician groups and a consumer organization
    Questions of Senator Murray for Panel I
    American Hospital Association
    The Alliance of Medical Societies
    Blevins, Sue A., President, Institute for Health Freedom

OVERSIGHT ON MEDICAL PRIVACY

TUESDAY, APRIL 16, 2002

United States Senate, Committee on Health, Education, Labor, and Pensions, Washington, D.C.

The committee met, pursuant to notice, at 10:05 a.m. in Room 206, Hart Senate Office Building, Hon. Edward M. Kennedy (chairman of the committee) presiding.

Present: Senators Kennedy, Dodd, Wellstone, Murray, Reed, Clinton, Gregg, Frist, Enzi, Warner, and DeWine.

OPENING STATEMENT OF HON. EDWARD M. KENNEDY, A U.S. SENATOR FROM THE STATE OF MASSACHUSETTS

The Chairman. We will come to order. I am pleased to hold this very important hearing on what is happening with patients' medical records. The blessing of high technology can also be a curse to personal privacy. With the click of a mouse our most personal information can be launched into cyberspace for millions to see. If we do not take steps forward to protect privacy in the information age, our most personal information will be available to every employer, every health insurance company, and every high-tech peeping Tom in America. This is not only unfair to patients; it is bad for their health. A recent study found that one out of every six patients withdraws from full participation in their own health care because they worry their medical information will be used. We have worked hard to strengthen privacy protection for America's patients. In the Health Insurance Portability and Accountability Act of 1996 we said privacy protections were so important that if Congress did not pass legislation to strengthen privacy the administration should put in place real protections.
The Clinton administration did just that when it adopted a comprehensive set of protections to give all Americans control of their private medical records. However, the new rule recently proposed by the Bush administration would rescind these protections and would make private medical records an open book. This is a serious step backwards. Each time patients see a doctor or fill out a prescription they are at greater risk that their most personal medical information will be available to prying eyes. The administration has proposed new rules that say health providers do not have to get consent to determine how your medical records are used. Requiring consent assures that the patient plays a role in how their health information is used. It is the only real way to assure that patients and only patients control sensitive information. It restores faith in the health care system. Of course, certain narrow and common sense exceptions are needed. For example, your personal physician should be allowed to phone in your prescription to your pharmacist. There is no reason that you should have to make a separate trip to the hospital before surgery just to consent. We can address these practical challenges without undermining the core protections in privacy. The Bush administration's proposals say patients simply have to be notified, not asked, about what is going to happen with their medical information. We should not throw the baby out with the bathwater. All Americans should be assured that their personal medical information is theirs and theirs alone. The administration's plan also provides for a new back-door loophole that allows companies to use private medical records to market their products. This means, for example, that patients seeking treatment for mental illness would have that information shared with companies selling anti-depressants and other therapies. Those companies would be free to send open mailings to your work or to your home. 
The administration claims the new regulation grants new protections against abuse. They argue that a new authorization is required before a health provider or business can market to a patient. But the same proposal allows doctors and pharmacists to provide, without permission, the health information of their patients to businesses that will try to sell them new drugs, therapies, nursing home placements, and other care. This loophole is a telemarketer's dream and a patient's nightmare and it must be closed. I look forward to working with my colleagues on legislation to assure Americans that their medical records will be kept private and I welcome our distinguished witnesses to today's hearing. Senator Gregg.

OPENING STATEMENT OF HON. JUDD GREGG, A U.S. SENATOR FROM THE STATE OF NEW HAMPSHIRE

Senator Gregg. Thank you, Mr. Chairman. Medical privacy is an issue that affects every American, and yet prior to the passage of HIPAA in 1996, there was no Federal structure or law in place that would ensure that our medical information remains private. HHS has been working for several years to develop comprehensive rules that govern the use and disclosure of protected health information. This is no easy task, given the complexity and fragmentation of our health care system, including the fact that our private health care insurance system is employment-based and dependent upon a system of third party payers. I would like to commend the administration for proposing significant improvements to the rules. These changes provide important clarifications that will aid in implementation and compliance. Moreover, these changes will prevent the unnecessary and harmful disruption of a patient's care that would have occurred under the existing rules, a very important point. Although the proposed rule would clarify or improve several different provisions, the most important proposed modification pertains to the consent and notice requirements on direct treatment providers.
Under the existing rules, a patient would have to give prior written notice, prior written notice, to each and every provider that the patient sees or even schedules an appointment with. Not only would this requirement disrupt and delay care but the protection it would have provided is merely illusory because a provider could withhold care if the patient does not provide the consent. There are numerous examples of how, if unchanged, this requirement will harm or delay patient care. For instance, a patient referred to a specialist by his or her physician may not even be able to schedule an appointment without first going to the specialist's office and completing a form. Because only patients can give consent, a sick or elderly person could not have a friend or a family member pick up their prescription unless they first go and sign a consent form with the pharmacy, resulting in serious delays in starting medication. Ordinary physician practices, such as arranging out-patient surgery or calling in prescriptions, would be in jeopardy. One hospital stay might result in a sick patient having to fill out multiple new forms, new consent forms, in addition to all the forms already required for treatment--one for the hospital, one for each nurse, one for each doctor, one for each medical technician that the patient sees under this proposal. There are numerous examples of disruption in patient care that would occur as a result of the prior consent requirement, and there are likely many more that have not been contemplated. Thus, the suggestion to keep this requirement in place but create exceptions for all the various situations in which prior consent would disrupt care is simply unworkable. By changing this provision we avoid a consumer backlash of major proportions. 
While consumers rightly seek the strongest possible privacy protection, they have little tolerance for bureaucracies and hoops that make it even more difficult to navigate our complex health care system, especially if the additional bureaucracy does not provide meaningful protection or enhance the quality of care. Consumers and physicians support the changes in the consent requirement, and this is an important point. A letter dated April 10 from a broad range of physician groups, including the American Academy of Family Physicians, the American College of Obstetricians and Gynecologists, and the American Medical Group Association, strongly supports the administration's proposed changes in the consent requirements. These organizations represent over 400,000 physicians. In an earlier letter dated December 20, 2001, the National Partnership for Women and Families Consumer Organization and United Health Care co-signed a letter to Secretary Thompson raising serious concerns that the existing consent provisions will seriously jeopardize quality of care. I would like to submit all those letters for the record.

Senator Dodd [presiding]. Without objection, so ordered.

[The letters follow.]

April 10, 2002

The Honorable Edward M. Kennedy, Chairman
Health, Education, Labor and Pensions Committee,
Washington, DC.

Dear Chairman Kennedy: The Department of Health and Human Services (HHS) recently issued proposed changes to the medical privacy rule "Standards for Privacy of Individually Identifiable Health Information." The undersigned national health and medical organizations and specialty societies strongly support the proposed rule's approach in making prior consent discretionary. Unfortunately, various press articles and commentary have seemed to suggest that physicians do not support the proposed change.
It is important for Members of Congress to know that many physician and provider organizations do support the proposed modification to make prior consent discretionary rather than mandatory. Physicians and practitioners strongly support meaningful Federal privacy protections for patients' medical information. Under the proposed rule, covered entities would not be required to obtain written consent from patients before using or disclosing protected health information for such routine purposes as treatment, payment, and health care operations. However, unlike the proposed regulation issued under the Clinton Administration, covered entities would not be prohibited from obtaining written consent if they choose. We believe this approach strikes the proper balance of protecting the rights and autonomy of patients, while removing unnecessary barriers that interfere with patient care and the efficient delivery of health care. It is important to note that eliminating the prior consent requirement does not detrimentally affect patients' privacy rights in any meaningful fashion. Even privacy advocates called the consent requirement meaningless because the regulation permitted providers to deny treatment to individuals who refused to sign the consent form. Furthermore, we believe that the written notice requirement is the true backbone behind patients' privacy rights. The written notice, not the consent form, is the means by which patients are informed of their rights under the regulation and how and to whom their medical information may be used or disclosed. The proposed rule actually strengthens the notice requirement, which we fully support. Not only would the prior consent requirement add yet another mandatory form to the already unmanageable paperwork burden that physicians and practitioners face on a daily basis, it could pose serious problems for patient care. HHS outlined many of the potential problems in the proposed rule. 
The prior consent requirement could confuse patients and increase patient waiting times. Physicians and practitioners would be prohibited from treating patients or providing other services for them, until the form is actually signed. For example, physicians who have privileges at a number of hospitals would need either to establish multiple organized health care arrangements or ask each patient in the hospital to sign a physician consent form in addition to the consent form provided for the hospital. If a patient were required to sign multiple consent forms to receive care at a hospital, this would hinder and delay patient care. Additionally, the prior consent requirement would potentially interfere with the ability of physicians and practitioners to continue many daily practices such as referring patients for treatment, arranging outpatient surgery, and calling-in prescriptions. Furthermore, physicians and practitioners might not be able to use patients' information to send important reminders regarding patient treatment (i.e., child immunization and mammography reminders). HHS faced the difficult challenge of protecting patients' privacy rights, while at the same time removing unnecessary barriers that interfere with patient care and the delivery of health care. We strongly believe that HHS met this challenge in the proposed rule, and we oppose any efforts to change it. 
Sincerely,

American Academy of Dermatology Association; American Academy of Family Physicians; American Academy of Nurse Practitioners; American Academy of Physician Assistants; American Association of Neurological Surgeons/Congress of Neurological Surgeons; American Association of Orthopaedic Surgeons; American College of Cardiology; American College of Nurse-Midwives; American College of Obstetricians and Gynecologists; American Medical Group Association; American Podiatric Medical Association; American Society of Cataract and Refractive Surgery; American Urological Association; Medical Group Management Association

______

April 12, 2002

Dear Member of Congress: As you may know, the Department of Health and Human Services (HHS) recently issued a Notice of Proposed Rulemaking (NPRM) proposing modifications to the final privacy rule. The undersigned organizations are writing to let you know of our strong support for the proposed modification in the NPRM giving health care providers the option of obtaining the prior consent of patients to use or disclose identifiable health information for treatment, payment and healthcare operations. The Department's proposal to make obtaining consent optional for providers strikes a workable compromise between the original proposed regulation from 1999 that prohibited providers from obtaining written consent and the final regulation from 2000 which mandated it. We strongly support meaningful Federal privacy protections for patients' medical records. An essential part of that commitment is ensuring that patients understand their rights and how their medical information will be used. However, adding yet another mandatory form to the burden that physicians, practitioners, pharmacists, hospitals and other health care providers already face on a daily basis does not effectively achieve the balance of providing privacy protections and assuring timely, efficient access to health care.
We support the Department's proposed modification to make consent optional. The NPRM documented numerous disruptions and delays in receiving medical care that patients--particularly the elderly and those in rural areas--would face if the mandatory prior written consent requirement were not modified to make it optional for health care providers. For example, patients could experience significant delays in obtaining prescriptions because pharmacists could not fill the prescription until the patient were present to sign the consent. Friends and family picking up prescriptions for a sick individual would not have legal authority to sign the consent, and thus could not pick up the prescription. The NPRM described how patients referred to a hospital for outpatient surgery might have to make an extra trip to sign a consent form because the hospital could not use information about the patient to schedule and prepare for surgery. Nurses who staff telephone centers that provide health care assessment and advice, but never see patients, would be unable to counsel patients because they would be prohibited from using identifiable information for treatment and would be unable to obtain prior written consent. The NPRM also cites emergency medical providers who were concerned that even if a situation was urgent that they would have to try to obtain consent, even if inconsistent with best medical practices. There were also troubling questions about whether physicians who had privileges at several hospitals would have to obtain separate consent from patients at those facilities, even if patients had already signed consents for the hospital. These are just some examples of the potentially serious consequences of the mandatory prior written consent requirement. 
The Department wisely chose to correct the underlying problem with the proposed provision to make consent optional, rather than trying to address each adverse consequence of a mandatory consent requirement as it presented itself.

Sincerely,

ACA International; Academy of Managed Care Pharmacy; AdvancePCS; Advanced Medical Technology Association (AdvaMed); Aetna Inc.; American Academy of Dermatology Association; American Academy of Family Physicians; American Academy of Physician Assistants; American Association of Health Plans; American Association of Neurological Surgeons/Congress of Neurological Surgeons; American Association of Orthopaedic Surgeons; American Benefits Council; American Clinical Laboratory Association; American College of Nurse-Midwives; American Health Care Association; American Managed Behavioral Healthcare Association; American Medical Group Association; American Pharmaceutical Association; American Society of Cataract and Refractive Surgery; American Society of Consultant Pharmacists; Association of American Medical Colleges; Biotechnology Industry Organization (BIO); Blue Cross and Blue Shield Association; Cardinal Health; Cleveland Clinic Foundation; The ERISA Industry Committee; Express Scripts; Federation of American Hospitals; Food Marketing Institute; Genzyme Corporation; GlaxoSmithKline; Health Insurance Association of America; Healthcare Leadership Council; Intermountain Health Care; Kaiser Permanente; Lahey Clinic; Marshfield Clinic; Mayo Foundation; Medical Group Management Association; Merck-Medco; National Association of Chain Drug Stores; National Association of Health Underwriters; National Association of Manufacturers; National Retail Federation; Pharmaceutical Care Management Association; Premier, Inc.; Quest Diagnostics; UnitedHealth Group; US Chamber of Commerce; Vanderbilt University Medical Center; VHA Inc.; WellPoint Health Networks

______

Senator Gregg.
Some have suggested that the proposed change was driven by large corporate medical interests and thus is not in the best interest of consumers and patients. This is not the case. While nearly every sector of the health care system supports the proposed changes, the modifications in the consent requirement only apply, only apply, and this is an important point, to direct care providers. Moreover, the proposed rule does not affect the requirements governing use and disclosure of protected health information. Authorization would still be required for any other use of the protected health information. The proposed change to the consent requirement strikes the right balance. The original rule issued by the Clinton administration would have actually prohibited prior consent. I think that is an important point we have to stress here. President Clinton originally proposed that there would be no prior consent. And that change, the reason they changed it then was because the American Medical Association, allegedly on behalf of its constituency, and I cannot believe it, but that is the allegation, wanted the prior consent to be in place. I am tempted, quite honestly, very much tempted to say if the American Medical Association wants prior consent, we will give it to them, just for them, but we have not heard from the American Medical Association recently on this point and maybe their position has been modified. Many providers objected to the ban on prior consent and rightly so. The final Clinton rule would have mandated prior consent before any kind of interaction with the health care provider. This is far too disruptive. The proposed rule before us would not mandate prior consent. Instead, it would require providers to give notice of their privacy practices. This would allow patients to be fully informed of how their information will be used and would allow them to act accordingly. It is preferable to the coerced consent provisions contained in the existing rule. 
Finally, I would like to thank the administration for other proposed modifications of the rule, including the clarification to the marketing, parental consent, parental access, business associations, and the plan sponsors' enrollment provisions. I look forward obviously to hearing from the administration on this point. Thank you.

Senator Dodd. Thank you, Senator. Senator Kennedy has temporarily been called away from the committee and will return shortly. We will get to Mr. Allen briefly but let me make a brief--I am going to ask unanimous consent to include the full text of my opening remarks and that will apply, by the way, for every member of the committee, those who are here and those who have not shown up yet, to share their views.

OPENING STATEMENT OF HON. CHRISTOPHER J. DODD, A U.S. SENATOR FROM THE STATE OF CONNECTICUT

Senator Dodd. First of all, let me commend our chairman, Senator Kennedy, for convening this hearing on relatively short notice but in light of the decisions made just prior to the departure of the Congress for the Easter-Passover break when the news came out about the change in policy here, we thought it was appropriate to try and gather together as quickly as we could to express ourselves on this issue. I do not know of another issue that provokes as quick or as strong a response from the public as the issue of privacy does, particularly in light of how the world has changed in the last decade. I often tell audiences at home in Connecticut that on the day that President Clinton was sworn into office on January 20, 1993 there were 55 pages on the World Wide Web. To give you some idea how the world has changed in a decade, today someone suggested I think the number is maybe almost a million pages an hour get added to the World Wide Web, or some number like that.
The point is today the use of the Internet and technology to expand information and sources of it, as well as people's access to information has grown exponentially and there is a growing body of concern within the public about how much information people have, what they do with that information, and to the extent people are able to pry into the private lives and private information. We would not allow anyone to come rummaging through our house, to go through our waste baskets, to go through our medical cabinets and cases. We would not tolerate that, let anyone in our homes to do it. In a sense, if you can, in effect, do that today by rummaging through people's private, most privately held information, then you can begin to get some sense of the concerns people have. So the ability to control very personal information is an issue that is deeply felt by people and it crosses all your traditional ideological and political lines. This is as strongly held feeling among Democrats, Republicans, liberals, moderates, conservatives as any issue I am aware of, the issue of privacy. Since 1996 when the Health Insurance Portability and Accountability Act was passed many of us here have worked to develop legislation to try to protect medical records, and that is what we are talking about here today, in a meaningful and comprehensive fashion. Unfortunately, we have not yet developed a bipartisan legislative response. Senator Richard Shelby, my colleague from Alabama, and I chair the Privacy Caucus, co-chair it with colleagues in the House and the Senate, to give you some idea of the bipartisanship in trying to work on these issues. But these are complicated questions. None of us are going to suggest that dealing with this is a simple matter. We have tried ideas in the past and there are always some unintended consequences when you deal with this issue, but we have worked on it.
Let me, in response to my friend from New Hampshire, point out that the Clinton Administration did, in my view, a tremendously admirable job in developing some very important privacy protections in the medical area. For the very first time patients were given the right to access their own medical records. I know that is a radical idea. It is hard to imagine, but for a long time you did not have any right to see your own information at all and these rights seem so basic, as I said, that it is hard to imagine they did not exist before. Imagine the frustration of being denied a request to see your own medical information or having a telemarketer contact you at home based on targeting data derived from those records, and that is rather commonplace today. In a very real way, this is a personal violation in the minds of many, many Americans. The final medical privacy rule was an immense undertaking. Upon announcing the regulations in late 2000, the Department of HHS received over 50,000 comments from health care providers, insurance companies, doctors, and patients across the country. The final rule that took effect did so in April of 2001. It was not thrown together haphazardly. It was created with an understanding of the difficulties and costs associated with its implementation. But the determination was made, correctly in my mind, that medical privacy should not be compromised. Yet now the Bush Administration has announced its intention to do exactly that in the views of many of us up here, Democrats and Republicans. Their proposals would undermine, in our minds, some of the most important protections that we have worked to establish over the last 5 years. The administration, as we understand it, wants to allow health care providers enormous discretion in how they use your medical records, your most personal and private information, something that in my view you, as a citizen, and you alone should be the one to make a decision about. 
The Bush Administration proposes to remove the provision in the medical privacy regulations that requires a health care provider to obtain a patient's consent in order to share his or her records for "treatment, payment, and other routine health care operations," and that is a quotation. Those are not my words. Instead, they want to make it mandatory for providers to inform patients that their records have been shared. This can be done before or after the fact, according to the proposal. That is very generous. It is like a neighbor calling you to tell you that he has read your mail and gone through your medicine cabinet, except, of course, in the example, in that case you have some legal recourse. Here you would have none. The administration claims to be proposing these changes because privacy threatens the quality and timeliness of care. This, I think, is unacceptable. There should be no trade-off between quality, timeliness, and privacy, in my view. All are necessary and all are obtainable. I understand that there are instances where obtaining prior consent is not possible, such as emergency care, phoned-in prescriptions to a pharmacy. In those cases the law should allow the provider some leeway. But in general, privacy should not be compromised. It is not necessary. It is a phony argument to suggest it needs to be done. And I believe that we should be here trying to protect those rights when at all possible. Now let me turn to my colleague from Tennessee, who I know has a deep interest in the subject matter, as well, and my other colleagues, and then we will get to you, Mr. Allen.
Let me just say, as well, on the issue here, I understand the importance of how sharing information for clinical trials and other areas can be tremendously important, but the idea that you could do that after the fact or not letting the patient know about it, that does not make any sense to me and I think any effort to do that is going to find a wall of opposition up here in terms of that effort. At this time I would like to submit a statement from Senator Harkin.

[The prepared statement of Senator Tom Harkin follows:]

Prepared Statement of Senator Tom Harkin

I want to thank Chairman Kennedy for scheduling this important hearing. As health care practices have evolved over the past several years, and technology has allowed for the rapid mass transit of information, it has become critical to protect individual privacy--especially as it relates to personal medical information. If we are not strong on the protection, and vigilant on the enforcement, we will be putting ourselves and our loved ones at risk. Wouldn't it be ironic, and certainly tragic, if Americans are actually harmed when they go to a medical provider because their medical records were inappropriately used or shared? Plain and simple, your private medical records should be just that--private. Time and time again, I've heard from Iowans who are concerned about the misuse of their private medical information. Sadly, this Administration has failed to listen to the voices of the people. I have worked hard to pass strong medical privacy protections that make clear that a patient's medical records are not for sale. Patients must have a 'right to know' how their medical information is used and they should have the right to say 'no' by controlling who has access to this most private of information. When I talk to the reasonable patients and providers throughout Iowa, they all share the same advice. Create a system that is not overly burdensome but appropriately protects individual's medical records.
If there were problems with the existing medical privacy regulations, then the Administration should work with the Congress and the health care industry to fix those problems. But that is not what was done. This reversal by the Administration sacrifices patient privacy to the altar of special interests. Again, I thank the Chairman for scheduling this important oversight hearing and I look forward to working with him to find a reasonable and manageable solution that above all else, protects patients.

Senator Dodd. With that, Senator Frist?

OPENING STATEMENT OF HON. BILL FRIST, A U.S. SENATOR FROM THE STATE OF TENNESSEE

Senator Frist. Thank you. And I want to thank the chairman and Senator Gregg for the opportunity to hold a hearing today on an issue that is contentious, as we have seen in some of the opening statements, and almost deservedly so because we all struggle, really struggle with this balance with information that is among the most intimate information known to mankind, the information about oneself, one's health, one's past, one's physical, one's emotional being, how much that information should be shared. There are certain advantages of the sharing, there are certain necessities of the sharing, but how we can build appropriate protections where the ultimate confidentiality, which is critical--it is critical to the doctor and the patient and that doctor-patient relationship and it is critical to delivering the sort of care which really has made American care the best in the world. But it does boil down to trust, to confidentiality, to security, and that much influences openness and how much a patient tells a doctor and how much a doctor puts into a record. And ultimately other people have to access that particular record and it might not be the same doctor. In fact, it might not be the same doctor. In fact, in all likelihood, given the mobility of society today, it will not be that same doctor.
Yet to demand the standards that are implied with continuity of care and seamlessness, something that we all want, we have to have an accurate recording of that doctor-patient relationship, but in such a way that it is not to be abused. I have only been involved in this discussion at a policy level for the last 7 years, 6 years formally, and that balance is tough and we are seeing it play out before our eyes. I do appreciate the opportunity for all of us to examine in as objective way as possible the impact on health information confidentiality regulations that were initially introduced in the shape that we are debating them and talking about them and discussing them by the Clinton Administration in the closing days, as well as looking at this administration's proposed modifications to those rules. I do applaud Secretary Thompson, his staff at the Department of Health and Human Services, for carefully reviewing these regulations and for proposing adjustments that, I believe, will go a long way in safeguarding privacy while, at the same time, ensuring that patients continue to enjoy access to quality health care. Secretary Allen, I appreciate you being here today to discuss these proposed modifications in more detail and laying them out in such a way that we can further discuss them in the following panel. The protection of the confidentiality of patient information is critical, but we also need to be extremely careful in this area so that we do not allow overly, unnecessarily restrictive rules that might threaten quality of care or the safety of care that patients receive. This, as I said a few moments ago, is not an easy balance to achieve. We have seen the effect of State legislation in certain cases. We will all be pointing to certain anecdotes and certain case studies, but we have seen cases where State legislation has gone too far.
In Maine, for example, legislation requiring that patients give consent before identifiable information could be used by providers was repealed after only 12 days following reports that it interfered with patient access to prescription drugs and prevented hospitals from helping clergy and family members even locate their loved ones. During the past year, as physicians, nurses, scientists and consumers have received the Federal regulations proposed by the previous administration, it became clear that these rules would impose similar barriers to health care access and quality. There have been serious concerns raised in other areas, as well. Over 140 academic research institutions, medical specialty doctors, hospitals and others wrote to the Department of Health and Human Services to warn of potential problems caused by the original regulations' research provisions. They wrote that the rule, if implemented, ``will seriously impair our ability to conduct clinical trials, clinico-pathological studies of the natural history and therapeutic responsiveness of disease, epidemiological and health outcome studies, and genetic research.'' While the administration's notice of proposed rulemaking does acknowledge that the rule's deidentification standard raises serious concerns, I strongly urge the administration to fully address the concerns raised by the research community in its final rule. Finally, I would strongly encourage the administration to carefully review all areas of the rule to make sure that it does not unintentionally impede the efforts of our public health officials, as well as our private health professionals, to respond to bioterrorist threats and attacks. The original rule's prohibition on the sharing of aggregate information could have made it impossible to effectively track and monitor disease outbreaks. 
I am pleased that some changes have been proposed in these areas, but because of the importance to quickly respond in these situations, I am hopeful that the administration will carefully review the entire regulation along these new lines in this new light. Again, Mr. Chairman and Senator Gregg, thanks for holding the hearing today and I look forward to hearing from our witnesses.

Senator Dodd. Thank you very much, Senator. Senator Reed.

OPENING STATEMENT OF HON. JACK REED, A U.S. SENATOR FROM THE STATE OF RHODE ISLAND

Senator Reed. Thank you, Mr. Chairman. Just very briefly, thank you, Secretary Allen, for joining us today. These are vitally important regulations. There is no issue in America that is of more concern to individual Americans from every region of the country, every sector--everyone is concerned about the protection of the privacy of their health records and there are two particular concerns that these regulations raise. One is whether or not there really will be an effective at least one-time written consent for the release of health care information and second, whether or not the marketing aspects of these regulations invite the commercial exploitation of medical information, which I think most Americans would be horrified about. Think of the world of telemarketing with your health care records in hand and that's a frightening thought. Robert Frost, the New England poet, wrote that ``Good fences make good neighbors'' and the real question is whether these regulations are good fences so that we can be good neighbors. I will look closely and listen closely to the hearing today to see if we have made progress in that regard, but frankly, this is one of those issues that you do not have to be an expert to be concerned. You just have to be an American citizen. Thank you.

Senator Dodd. Senator Warner, do you want to make any opening comments?

OPENING STATEMENT OF HON. JOHN W. WARNER, A U.S. SENATOR FROM THE STATE OF VIRGINIA

Senator Warner. Very briefly.
I just wish to welcome Secretary Allen, who served the Commonwealth of Virginia with great distinction as our Secretary of Health and Human Resources. Now you have come to Washington to get one of the toughest issues that anybody has to solve. I wish you luck. Mr. Chairman, I want to commend my colleague Senator Frist for all the hard work that he does in this and so many areas related to health care. Thank you, Mr. Chairman.

Senator Dodd. With that encouraging note we turn to Senator Murray.

OPENING STATEMENT OF HON. PATTY MURRAY, A U.S. SENATOR FROM THE STATE OF WASHINGTON

Senator Murray. Thank you very much, Mr. Chairman. I just ask unanimous consent that my full statement be put into the record.

Senator Dodd. Without objection.

Senator Murray. I will just say that this is an extremely complex issue that this committee has been considering for some time and I think it is very important that we have these hearings today and further hearings before the administration's rules take effect to truly understand this because, as Senator Reed said, this affects every single American and we had better know what we are doing and the outcome of that before these rules are finalized because the impacts could be considerable. For me, the most important thing is that people do go to their doctor feeling confident. Otherwise, we may create a situation where individuals would fear seeking health care and that is absolutely the wrong thing that we should be doing. So I really look forward to this hearing and further hearings as we clarify what these rules would mean to general, average people. Thank you very much.

[The prepared statement of Senator Patty Murray follows:]

Prepared Statement of Senator Patty Murray

Mr. Chairman, the Administration's decision--announced on March 23rd--to revise the regulations implementing medical records privacy has generated a great deal of concern.
I think this hearing is an important step in better understanding the implications of these changes and an opportunity for this Committee to again focus on the urgent need to ensure greater medical records privacy. As we learned in 1999, the issue of medical records privacy is a complex and emotional one. There are no easy solutions. In addition, because of our fragmented health care delivery system, there are often numerous individuals who have--and in many cases need--access to medical records. These aren't just health care providers, and the ability to protect medical records privacy becomes further complicated by the number of individuals with access. In 1999, this Committee attempted several times to report out legislation implementing HIPAA privacy regulations. Unfortunately, we were not successful and had to default to the regulatory process to implement privacy standards. Clearly, this has created many of the problems and concerns. Because of the complexity and expense to providers of implementing these regulations, I supported additional relief for health care providers, especially smaller hospitals or physician practices. I supported an extension of implementation because I recognized the difficulty implementing these regulations. I also wanted to be sure that providers were able to implement them correctly and that patient privacy was the focus. Because there are limited private actions that an individual can take if his or her privacy is violated, it is critical that implementation is accurate. In reviewing the Administration's revised regulations, I have several concerns that I hope can be addressed or corrected legislatively. I am troubled that the Administration's changes in the consent requirements will gut any real protections for patients. Simply notifying a patient that their information will be reviewed or released is not adequate. Patients must have the right to consent to this release. 
While there are some cases that can be exempt from this requirement, I think that weakening the entire consent requirement does little to ensure patients that their medical records will be kept confidential. I also have some real concerns with the ability of parents to have access to a minor's entire health care record. This is one of the issues that derailed legislation in 1999 and is nothing more than an attempt to impose a national parental consent or notification on all States. It also serves to jeopardize efforts to improve access to STD or reproductive health care and mental health care for minors. The language in the regulation does appear to give providers the ``discretion'' at releasing information to parents or making it available for review by parents. If a minor has any concerns or doubts the confidentiality of their records, they will NOT seek care. The guarantee of confidentiality has to be explicit, not up to a physician's or provider's discretion. It is also not clear how this provision impacts the language on State preemption. For example, Washington State guarantees a minor access to confidential reproductive health care and mental health services. This is not a tougher standard than the Federal regulation, so there is some concern that this regulation could preempt State laws and protections provided to minors in Washington State. I hope this Committee will have additional hearings on this issue. If legislative measures are needed to clarify or correct these regulations, I hope we'll take the necessary action. The failure to implement a national medical records privacy along with a prohibition on genetic discrimination has created a situation where individuals fear seeking health care and are not providing comprehensive background to their health care provider. The implications of this are staggering and jeopardize access to new break-through screening and prevention.

Questions from Senator Patty Murray for Panel I:

Question 1.
In developing privacy regulations, the previous administration did not attempt to impose any new parental rights. The original regulations simply deferred to the States on parental consent or limitations on parental consent and notification. There was an effort in this Committee to impose this new national parental review or consent of the entire minor's health care records. However, as I mentioned earlier, it was one of the reasons legislative action stalled in the Senate. Why did this administration attempt to modify or expand parental consent or review rights? How does this new revision impact States that have not been silent but have acted to ensure a minor's access to confidential health care services? Does this provider discretion extend beyond the physician's office?

Question 2. One of the major gaps in the current oversight is the fact that IRB requirements apply only to federally-funded research. Private research and some off-shore research are exempt. However, the FDA approval process does provide some mechanism for ensuring the safety of human subjects in clinical trials. Can we expand this authority to improve safety or should we expand the jurisdiction of the Office of Human Research Protections at HHS?

Question 3. It is difficult in today's market-driven research arena to ensure informed consent. Patients are often facing life threatening illnesses. Parents may have a child who is facing a devastating diagnosis. Often, patients are almost begging to get into a clinical trial. They will sign anything or agree to anything. They may not pay close attention to any financial link the researcher may have to the treatment. How can a research institution ensure that patients are fully aware of the risks associated with the trial as well as the risk associated with the established treatments? How can researchers ensure that patients understand the financial link that the researcher or institution may have to the treatment?

Question 4.
I have found that many patients and families are often surprised when they learn that there is a financial link between researcher and treatment. They're surprised when they learn that some physicians or doctors may be receiving some future financial benefit from a drug manufacturer or royalty payments for a patent. Of course, in a market-driven economy, it's difficult to separate what was justifiable compensation and what was provided as way of inducing a bias on the part of the research. Many outstanding physicians and researchers receive financial compensation for their discoveries or their developments--yet this never impacts their hope at finding the cure or treatment. To assume that any financial link presents an inherent bias will jeopardize how research is conducted and eliminate incentives for furthering science. Would more detailed disclosure requirements be enough to remove any conflict of interests doubts or allegations? How do we provide compensation to those conducting research or evaluating clinical trials? Is there a way to totally remove any bias on the part of researchers?

Question 5. We place a great deal of oversight responsibility into the hands of the Institutional Review Board (IRB). But it appears there is limited oversight over the IRB or even the selection process for a local IRB. We know of cases of IRB shopping--where a researcher will simply apply through different IRBs despite being rejected or limited by another IRB. Once a researcher receives the approval of the IRB, the issue of monitoring becomes questionable. Would further accreditation of IRBs serve to standardize and improve the process? Would established criteria for all IRBs, including the scope and timing of research review ensure greater safety? How can we work to guarantee that IRBs have pediatric expertise or pediatric knowledge?

Question 6. Recent press accounts of safety problems and violations in clinical trials have generated a great deal of concern.
Has the public lost confidence in clinical trials? Is the lack of confidence or the issue of safety to blame for low participation rates in clinical trials? Will addressing some of the safety gaps restore confidence? Clinical trials are a vital part of our health care structure. If we are forced to wait until we eliminate any and all risks, we will lose too many patients and too many children. Greater access to clinical trials can mean the difference between life and death, especially for pediatric cancer cases.

Senator Dodd. Thank you very much, Senator. With that, Mr. Allen, we welcome you to the hearing on behalf of all of us here. Claude Allen is the Deputy Secretary of Health and Human Services. He is testifying today on the issue of medical privacy. He is now taking a leading role at HHS on a number of critical issues, including medical privacy. As the former Secretary of Health and Human Services for the State of Virginia, as has already been pointed out by Senator Warner, Mr. Allen has a great deal of experience working with health care plans, State welfare, and access to care issues. So we are delighted to have you here with us, Mr. Allen. We are looking forward to your testimony. We will include any materials, by the way, and supporting documents that you think are worthwhile for us to have as we go forward. So consider any additional information that you would like to have part of the record to be included. With that, we will accept your testimony.

STATEMENT OF CLAUDE ALLEN, DEPUTY SECRETARY, DEPARTMENT OF HEALTH AND HUMAN SERVICES

Mr. Allen. Thank you. Good morning, Mr. Chairman, Senator Gregg and the Members of the committee. Mr. Chairman, thank you for your leadership and devotion to health issues. Senator Kennedy has given much attention to these issues over the years and it has been a privilege to work with him over the course of this last year on this and many other issues that affect the health care of all Americans.
We both share a passion for ensuring the confidence of every American to know his or her medical records remain private, and on behalf of Secretary Thompson and myself, I want to thank Senator Kennedy for his friendship, his support, and his counsel during this last year. Senator Gregg, I also wanted to extend the Secretary's and my thanks for his wise counsel, his friendship and his support during this last year, as well. I also want to thank Senator Gregg for his leadership on this committee and in the United States Senate on behalf of the people of New Hampshire and America. Senator Frist, your service to this country as the Senate's only physician is invaluable to all of us and we thank you for that. It has been a real privilege to work with you, not only in the areas focussing on health care, but also in terms of looking beyond the shores of this country, to Africa and your work there on the Foreign Relations Committee and looking at health issues globally, not just domestically. So thank you for your leadership in that regard. Members of the committee, I am here this morning to describe and discuss our changes to strengthen the proposed privacy rule. I welcome the opportunity to appear before you and the committee today to discuss this important issue. Last April, President Bush stated his desire to provide for the first time strong patient privacy protections at the Federal level. Prior to implementation of the proposed privacy rule, the President directed Secretary Thompson to review the rule and to recommend modifications to it that would identify and correct unanticipated consequences that might impede a patient's access to care or harm the quality of that care while, at the same time, ensuring strong privacy protections. The proposed rule achieved this goal. 
I am pleased to say that beginning next April, for the first time all Americans will have the right to require written authorization before their personal medical records are shared with employers for employment decisions or given to life, disability or other insurers or for marketing purposes. They will have the right up front, the first time they see a doctor or a health care provider or enroll in a health plan, to be notified of their privacy rights and how their information may be used or disclosed by the provider or the plan so they may understand and discuss any concerns with their providers and plans and get care that is consistent with their own personal preference. Additionally, they will have access to their own medical record and the right to correct it if it contains incorrect or incomplete information. Mr. Chairman, since the release of the proposed modifications to the rule, most of the attention has focussed on the issue of what is referred to as consent and notice, so I will begin with these provisions. We put ourselves in the shoes of the patient and we discovered the rule was not practical for patients, their doctors or pharmacists. Therefore, we tried to make changes that made the most sense from the patient's perspective. Our proposal gives patients more control over where their information goes and gives them fair notice of how their information is used while, at the same time, providing the patient with what matters most--unimpeded access to quality care. The new rule enhances the obligation that covered entities give notice of their privacy practices to their patients by requiring a good faith effort to get patients to acknowledge receipt of their privacy practices. The practitioner can still seek voluntary consent from their patients. Nothing in this proposed rule prohibits consent to normal treatment documents that doctors and hospitals use today. 
Patient authorization is still required before doctors, hospitals and other direct treatment providers could share personal medical records for non-routine purposes, such as disclosures to employers for employment purposes and marketing. However, patients would expect that their doctor, their hospital or other direct treatment provider could share medical information for those core activities that are essential elements to providing health care to the patient. Patients would continue to have the right to request restrictions on uses and disclosures of their health information. Real life examples provide the best illustration of why we made this change. Under the previous proposal, if a patient wanted or needed to receive care from a doctor he had to choose between signing a consent form prior to seeing his doctor and not receiving care. This requirement was the same for all providers. Mandating consent is coercive in nature and does not provide meaningful control for the patient. Now imagine that you have a twisted knee or a sore back that limits your mobility. You sign the form. The doctor sees you and recommends that you see a specialist and writes you a prescription for pain. The consent you signed only allows that doctor to treat you, but does not allow the specialist and pharmacist to look at your record or to provide your health care services. Therefore, before you can get that prescription filled you have to hobble to the pharmacist to sign another consent form. It is the same routine for the specialist. You have to go to the office to sign another consent form before you can make an appointment. And forget about doing it over the phone. Now, after seeing the specialist a few days later, she determines that you need surgery. First, she wants to take an MRI. This requires another trip to sign a consent form before the appointment is made and then you have to do the same for the MRI, and it goes on with each step. 
This is the impractical reality that we faced as we looked at how to implement the December 2000 rule. We viewed the mandatory consent as coercive and a fundamental hurdle to health care for patients and the doctors, hospitals and pharmacists that serve them. In addition, the previous consent form did not contain any information about what the patient's rights were and the privacy practices of the provider. That was an additional form. So we combined these into one form that would provide patients with all the information they needed to exercise and understand their privacy rights and protections. Now, Mr. Chairman, I would like to describe briefly other important changes. From the comments we received, the area of marketing seemed to satisfy no one due to its complicated nature. Therefore we simplified it while strengthening it at the same time. The proposal prohibits explicitly using or disclosing a patient's information for marketing without the individual's expressed authorization. At the same time, the proposal would permit doctors, hospitals, pharmacists and health plans to communicate freely with patients about individual treatment options and other health-related information, including disease management, case management, and care coordination. We did not to interfere with valuable communications between patients and doctors over new treatments they feel their patients need to know about. Nor should we interfere with programs that provide important information to those who suffer from chronic diseases, such as diabetes. Nor should we stop pharmacists from sending refill reminders to those customers who are on maintenance medications, such as blood pressure or cholesterol-lowering drugs. Our goal is to expand the definition of what marketing is in the old rule, defining more communications as marketing and thus requiring authorization and limiting direct communication to those things affecting a patient's immediate health care needs. 
We believe we have accomplished this goal. However, we recognize that others may see opportunities to expand further the definition and we welcome their input. We also found an unintended consequence in the areas of parents and minors. In order to provide clarity to the proposal, we made limited changes to clarify that State law governs disclosures of a minor's health information to a parent or guardian. The intent of the current rule was never to override State law. Over the years, States have developed a rich and broad legislative and legal history in this area and we wanted to preserve it rather than confuse it. In cases where State law is silent or unclear, the revisions would preserve State and professional practice by permitting a health care provider to use the discretion afforded by State or other law to provide or deny a parent access to such records. Just as State law now determines when a minor may be treated without parental consent, so too would the revisions effectively defer to State law on access to and control of the minor's information that results from such treatment. In the area of research, we simplify the provisions, removing the burdens on research and covered entities alike so the Nation's well-renown medical research can continue at a vigorous pace, but with renewed confidence in patients that their personal medical information will be protected. The proposal would permit researchers to use a single combined form instead of having multiple consent forms. The single form would contain informed consent and privacy rights information. The proposal would also simplify provisions on obtaining a waiver of individual permission to access records for research purposes so as to follow more closely the requirement of the common rule which governs federally-funded research. 
We also are seeking comment on the feasibility of making health information that does not identify directly the patients, but is important for research more readily available for researchers. To accomplish this, the department is seeking a consensus as to the type of information that would identify directly an individual and continue to be excluded from the proposed limited data set. To protect privacy further, we propose to condition the disclosure of this limited data set on a covered entity's obtaining from the recipient an agreement in which the recipient would agree to limit the use of the data set for the purposes for which it was given, to not reidentify the information or use it to contact any individual. Other changes that I would be happy----

Senator Wellstone [presiding]. Mr. Allen, I do not want to interrupt you and thank you so much for being here. If you can, I know there are many questions and a whole other panel and I might ask you to eventually summarize. It is very important testimony and I apologize for being impolite. I just want to make sure my colleagues have a chance for questions.

Mr. Allen. Senator Wellstone, I am about to finish up right now.

Senator Wellstone. Thank you. Then I apologize.

Mr. Allen.
Other changes that I would be happy to discuss in further detail during questioning include the clarifying and encouraging of public health reporting of adverse events and other post-market surveillance of the FDA, clarifying that a doctor can discuss a patient's treatment with other doctors, nurses, and health care professionals without fear of violating the rule if they are overheard inadvertently, providing model business associate contracts provisions and allowing up to an additional year for most covered entities to make their business associate contracts compliant with the rule, and permitting the sharing of information among health care providers and health plans for each other's treatment payment and quality-related health care operations. I want to assure you that Secretary Thompson and I are committed to working with this committee and Congress on a bipartisan basis to strengthen the privacy protections while preserving access to quality of health care. The need to get strong privacy protections in place now is a commonly held goal that transcends partisan politics. We owe the American people a privacy rule that works and they deserve no less. I want to thank you again for the opportunity to be here today and I appreciate your interest and commitment and I am happy to answer any questions that you have at this time.

Senator Wellstone. Thank you very much. I guess what we ought to do is maybe go 7 minutes each. Is that okay, Senator Warner? I want to thank you again for your testimony. Mr. Allen, I want to ask you about the administration's decision to eliminate the patient consent from the privacy rule. That is obviously, I think, for people in the country a great concern. To me, consent is the centerpiece of patient privacy. It is what gives the patient a real say in health care and I also think helps restore confidence in the health care system. Now we know that there are glitches in the privacy rules that need to be fixed and I accept that.
For example, pharmacists should be able to receive prescription refills over the phone and a patient should be referred to a specialist before consent is given. But why did not the administration address these problems in a more narrow manner instead of throwing out the underlying consent provision? I want to ask a question that I think goes to the heart of what I think will be the debate in the Senate and I think the debate in the country.
Mr. Allen. Let me start out by first of all saying that we have not thrown out consent altogether. The modifications to the rule simply removes the requirement for mandatory consent at the initial meeting. We have allowed that providers can continue to seek consent and we would encourage that providers seek consent from their patients. The primary reason why we have moved from a mandatory consent to require a mandatory notice regime is because of the interference that consent would provide for the patient receiving care. It was very clear under the rule that you had an option. If you were a patient and you presented to the physician, if you did not sign the consent form a provider could refuse you care. It is that plain and simple. A provider could refuse you care because you did not sign a consent form. So therefore, consent was not the issue that we were trying to fully address here. We are trying to fully address ensuring that patients had adequate access, access to quality care but, at the same time, had their privacy rights respected. Therefore, what we did is after receiving an outpouring of comments--during the 30-day comment period we received approximately 11,000 comments--we began to focus on the issues that were being raised and the issues went far beyond simply the pharmacist example.
For example, it also impacted emergency care providers that required an emergency care provider to, once they deliver you to the emergency room, they are off going to follow on the next emergency, but they still had to somehow double back to try to locate you to get you to sign a written consent form and that simply was unworkable. The issue with specialists, again that is an area that raised considerable concerns. We also had issues of those who did not even have direct personal contact with you--in this area we are talking about advancing technology, in the area of telemedicine--that we would require someone who you would have contact over the telephone before they can engage you would have to get a written consent. These were all items that were unworkable and therefore we sought a mechanism that allowed us to go further by requiring notice on your first visit of that practitioner's policies in terms of how they would treat your information and give you a meaningful opportunity to engage them on providing restrictions to the use of that information.
Senator Wellstone. I want to ask one other question for the record to begin to cover some of what I think are the concerns. Let me just say I thank you for your answer. In some ways I think what you did was sort of speak to the question I raised in that again I think some of the problems you raised could be addressed in a more narrow manner. But again I think the problem is you just basically eliminate the underlying consent provision and I think that what you are going to hear from some of us in the Senate is yes, you are right; it is more than just pharmacists, but there is a way of addressing these concerns-- for the record I want to say this--without undermining the entire consent provision, and I think that is going to be the nub of the debate. Now one other issue before I run out of my time. It has to do with the marketing of people's private medical information.
We have all heard stories where a pharmaceutical company gets information that a patient has been seeing a counselor and then starts marketing antidepressants. In this regulation you have changed what counts as non-marketing and what is therefore not subject to the protections in the rule and they include, and I quote, ``recommending alternative treatment therapies, health providers or settings of care to that individual.'' This is not counted as marketing. So basically that means that any communication that encourages a patient to use a product or a service related to health is not marketing, even if they are paid to make that communication. Now if that is not marketing, I do not know what it is and I am concerned that we have created a major loophole here that allows people to have their private records used for marketing purposes. And I wonder whether you could help me understand this change.
Mr. Allen. I would be glad to try to do that, Senator. What we did in the rule, under the prior rule it prohibited the sale of personal health information without authorization or consent and required that it was a much--we thought that we have broadened the restriction or strengthened the privacy rights of individuals because what we did is that we more narrowly determined what was going to be marketing and then required a direct authorization from the individual for marketing purposes. Under the prior rule what would happen is that there was a broader definition of marketing, but what had to happen is there had to be a disclosure of whether you receive remuneration or not from that purpose.
In doing that, you had a situation that we were concerned about and heard about from the comments and that was if you had, for example, a provider that gets reimbursed for participation in continuing medical education conferences--let us say they get travel reimbursement--to continue their medical education, if they then later had a client or patient that had a condition and they thought that that treatment regimen, that pharmaceutical product or that device might benefit them, they would have to go through an issue of determining whether they would be marketing to their client and to their patient. We have great concerns about again interfering with the treatment decisions that would be important to that patient-physician encounter. So therefore we broadened it and said that what was not marketing were issues that dealt with care coordination, issues that dealt with treatment, issues that dealt with disease management. These sort of items were not determined to be marketing. What we did do, though, is that we also limited marketing in the sense that where--if it was not related to treatment of the patient, that that patient would have to give prior authorization for someone to send information to them in terms of marketing. So we think that we have approached this in a very balanced way that once again gives considerable weight to patients having access to information that affects their health and their determination of what is in their best interest and their physician's best interest of their health care outcomes.
Senator Wellstone. Well, I am going to turn to Senator Frist. I mean, we want patients to have access to information that affects their health, but what we do not want is the sort of indiscriminate marketing of people's private medical information.
Mr. Allen. Certainly, and we think that we have narrowed this down sufficiently enough that in this regard we will defer in many cases to that patient and that physician, first of all, in that initial encounter, determine what those practices are, particularly as it relates to marketing, particularly as it relates to that patient's treatment decision-making. But we then narrow the scope and require affirmative disclosure and seeking authorization for further marketing of materials that might be unrelated to the treatment of that patient.
Senator Wellstone. I thank you. I think we have too much of a loophole here and I do not think you have narrowed it down the way we need to, but I certainly appreciate your thorough answer, and thank you. Senator Frist.
Senator Frist. Thank you, Mr. Chairman. Both of those issues that were just talked about, consent and care and the marketing provisions, are very important and I think in the second panel we will be coming back to the marketing provisions in the testimony that was sent to us because it is important, I think, to make sure that in this narrowing process that the net effect is not to weaken the privacy rule itself. But let me move to another topic, Secretary Allen, and that is on the research and public health and deidentification, issues that I mentioned in my opening statement. I very much agree and applaud the proposed change that would reduce that burden, that overly restrictive burden on scientists and research entities by requiring a single combined consent form rather than the multiple consent forms that were initially proposed by the previous administration. I note that the department is also considering changes to the proposed rule's so-called deidentification standard so that information could be used for research or public health purposes if it is facially deidentified, but still maintains or retains the important information for environmental health studies, infectious disease tracking.
That would include things like zip code, date of service. I am very concerned that the previous administration's deidentification standard is much too stringent and could significantly slow down, hinder or impede efforts to track infectious disease outbreaks or to conduct public health investigations that again I mentioned in my opening statement that are important to surveillance, detection and response. It could also significantly skew the results of epidemiological research studies, which routinely use admission dates and discharge dates and dates of death to track and help us more fully understand disease. In this area why is the administration seeking additional comment rather than proposing a rule up front, as it has with other areas in this proposed rulemaking process?
Mr. Allen. We believe that research in the United States is by far the very best in the world. We believe that we want to make sure that that research is able to continue and exactly for what you have cited, Senator, and that is that we not only need to be able to track infectious diseases and gather population-based information so that we can plan; for example, trying to address chronic disease. We are working very aggressively within the department, working with the National Institutes of Health and with the universities around the country who are looking into these issues and we were very concerned that by, up front, us proposing what we do not have all the answers to, and that is how significant and what is the best method of deidentifying data so that you protect the privacy rights of the individual, but we do not impede the advancement of research. So those were the balancing issues that we had to look at. Under the proposal we have laid out as an option for deidentification two alternative methods.
One was to use what is known as basically an appropriate person who has knowledge and experience in statistical data and being able to say whether they thought that there was a greater risk or less risk of identifying the individual based upon the release of that information. You can get basically somewhat of a certification that that individual has made that decision or you had an alternative method where covered entities would have to remove all 18 identifiers. We were concerned about both of those and therefore we felt it probably was best to allow the research community to offer comment on that, rather than us try to--
Senator Frist. Have you gotten feedback from the research community? Their initial letters we have shared with each other and shared with you from the research community. Has it been long enough to get a feel for their response?
Mr. Allen. We have gotten a few and because the comment period is still open I cannot close out the options for more coming in, but yes, we have begun to hear from the research community and we think that we are getting information to assist us in terms of how best to approach creating a limited data set, and that is really what the ultimate goal is, is what is the limited data set? That is, what are the limited number of identifiers that would be necessary to one, provide the information that we need for epidemiological research, et cetera, but, at the same time, to maximize the privacy protections of the individual so that their identity is not disclosed inadvertently or intentionally.
Senator Frist. Let me return to this whole concept of consent and care, because as a physician, the previous administration's proposed consent rules would have placed me as a physician or physicians generally in a very difficult position with respect to their patients in terms of care delivery, but also from an ethical standpoint.
It seems to me that it would have required me not only to provide notice of my privacy practices, the standards and the guidelines that would govern my own practice, but also would expressly allow me--in fact, it would have required me to withhold or deny treatment to those patients who failed or refused to provide me with a written consent. That is my interpretation just from reading it. It also seems to place patients in a difficult and an untenable position of signing a consent form or not receiving that care. You said in response to Senator Wellstone's questions that this is one of the key areas in which the administration is making modifications to the rule. And again I know we are in this comment period. Are patients and physicians responding to that objection and to the proposals that have been made?
Mr. Allen. That is certainly what precipitated us making the proposed change initially, is that we had heard from patients, physicians and practitioners, all within the health care continuum. That would be providers, hospitals, plans, and patients. The problem with it was, as we have identified, it was unworkable because what you were putting the patient in the position of having to do is having to choose between signing a form that you may or may not understand or agree with and getting care that you need immediately. It put you in that conundrum, but also it put the practitioner in an even more difficult position in that if you see that client more than once, you were almost put in the position of requiring a consent form be signed every time that patient came in because of the revocation requirement. You would have to track whether that patient revoked his or her consent.
So it was very difficult to do that and from an administration position it was very difficult for us to be able to address it because we can only address these issues once a year, so we would be put in a very difficult position that if there were a problem identified, if we had made changes already that year, we could not take action to make another change in that area, whether it was consent or somewhere else, for another year, and that raises serious concerns for health and safety.
Senator Frist. I see my time has expired. Let me just add that physicians and patients and others would ask me about emergency rooms in response to acute care, as well as the problems with pharmacies themselves. Thank you, Mr. Chairman. My time has expired.
The Chairman. Thank you very much. Mr. Allen, thank you again. I know that you are very much aware that these consent requirements were not part of the original Clinton proposal and then after they had a great many hearings, public hearings, really the American people spoke and they spoke with such a sense of urgency about the importance of medical privacy that they made these alterations and changes. Now you have made a different recommendation on the way to proceed on this. When you were considering what other changes should be there did you consider maintaining the proposal on consent and trying to deal with some of the principal areas-- for example, the prescription drugs, the scheduling of doctors visits, which were really the primary kinds of areas, as I understand on the basis of public hearings, where they would have to be altered or changed? My question is why not maintain the consent form and adjust it to take in to consideration some of the legitimate issues and questions, rather than going in a different direction, instead of going to a situation where they will be notified and they will be then on sufficient notice about what is happening to their medical records?
Mr. Allen. Mr. Chairman, I think it is very important, as you point out, that with the prior administration they went from one position to a totally opposite position and we were--
The Chairman. Granting greater privacy. You would not question that.
Mr. Allen. I think what we would question is whether that effected greater privacy in reality for the patient, from the patient's perspective.
The Chairman. Wait a minute now. You do not think an individual having control over their medical records is greater privacy for that individual than the recommendation that you made?
Mr. Allen. I think certainly an individual having greater control over the information about them is significant, balanced against them making sure--their primary reason for going to a physician is not privacy. Their primary reason for going to a physician is care. And if we put paperwork in the way of them accessing care, period, regardless of whether it is quality of care, the first idea is getting care. And the consent provisions as they were proposed, from the pendulum swinging from no consent provision under the prior administration to an absolutely mandatory written response, that pendulum swinging created the conundrum of putting patients at risk of not receiving any care at all.
The Chairman. This is the committee that wrote that requirement in, Mr. Allen. It is because this committee was concerned about the issues of privacy that we put it in. So we do not have to be reminded about the requirements because we said that unless we were going to take action, that the administration was going to because it was such a sense of urgency. And what you are talking about now is the question of the privacy of the records versus care. Of course, we probably have a difference on this. We have taken notice of what has happened in the types of discrimination against individuals on the basis of genetic information and how that can be abused by insurance companies.
Mr. Allen. Certainly.
The Chairman. And we have taken notice, as well, in terms of particularly in the areas of mental health, as well as the marketing of various prescription drugs. Now I know, as I understand, you have made a response, I believe to Senator Wellstone, about the kind of protections that you believe are going to be adequate to effectively protect patients from the abuses that can take place from marketing private information. Am I basically correct, that you believe that the provisions that you have, the new regulations, are going to protect people's privacy from the marketing of sensitive information--for example, the needs that a person would have with regard to mental health or whether someone is an AIDS patient?
Mr. Allen. We believe that we have, under this proposed rule, we have strengthened the marketing provisions to protect patients from the nonhealth disclosures of information that they would reasonably expect not to occur, whether it be in the case of HIV-AIDS status or the other inadvertent or intentional uses and misuses of that information. So we believe these proposed changes do effectuate that. In terms of what you cited, Mr. Chairman, you talked about genetics and mental health. I think it is important to note that as Senator Warner has already pointed out, as the secretary of Health and Human Resources of Virginia, Virginia is a State that protects its information, genetic information, from being used to discriminate in employment. We think that that also is an area of high importance at the Federal level, that this rule does not deal specifically with genetic information except for in terms of it prohibits an employer from using health-related information for employment decisions, period. It puts it as a prohibition with two very minor exceptions that we have to recognize, and that is in the case of ERISA, where an employer is a group plan. But that employer must also take precautions not to use that information inappropriately for employment-related decisions.
So we believe that we have struck the appropriate balance, which would weigh in favor of the patient getting care, and weigh also in favor of strengthening and giving the patient the maximum protection of privacy of their information, but also not preclude them from having the ability to authorize, if they choose to, that information going other places, whether it is for marketing or other purposes.
The Chairman. Well, I like what you say. The question is whether this language does exactly what you say. Now I have the regulations right here and this, as I understand, will still make permissible recommended alternative treatments--this is one of the exceptions--therapies, health care providers, or settings of care to that individual. This is on page 14,790. Now that seems to me, you say that this is not marketing, even if someone actually is involved in those kinds of activities, as I understand it.
Mr. Allen. Senator, I do not have that paper in front of me.
The Chairman. I apologize.
Mr. Allen. If I understand what your question is----
The Chairman. Because this is not an enormously new section. As you are very much aware, there have been questions about the administration's proposal and there have been serious questions about the rule about how sensitive information could be used and those that have been critical have referred to this language that says, in the particular regulations, the basic definition. The point is that the definition means any communication that encourages a patient to use a product or a service related to health is not marketing, even if they are paid to make that communication. If that is not marketing, I am not sure what is and I am concerned that we have created a major loophole here that allows people----
Mr. Allen. Not at all, Senator. We do not believe that this is a loophole. Again we approached this from the perspective of the patient.
If a patient has a particular condition, whether it be hypertension or allergies, for example, and the provider who is working with that patient has access to the latest and greatest information and product that that patient should know about, that that physician believes that it is in the best interest of that patient to have an opportunity to choose to change from, we have made this language allow for that to occur. It does not interfere with the patient-physician encounter. What it does narrow it to is it has to be related to treatment for that individual and therefore that is what we have said is not marketing. We believe a patient should have access to that information.
The Chairman. The fact remains that under this language, as I understand it, individuals may very well receive a publication from a drug company about alternative AIDS treatments or alternative AIDS care centers or alternative mental health advertising and it could be received in their home or in their place of business.
Mr. Allen. First of all, I think I need to approach it that the patient, stepping back, the patient has an opportunity to determine where that information will be received if it is going to be received.
The Chairman. If they have gotten notice.
Mr. Allen. Let me walk through it if I may, Senator.
The Chairman. If they have gotten notice.
Mr. Allen. Mr. Chairman, let me walk through if I can. At the very first encounter with that patient's physician, that patient will have discussed or have the opportunity to know what those practices are of that provider in terms of how they will use that information. Once that is determined and they agree with that--if they do not agree with it they can negotiate with that provider that that information not be used at all.
If the provider says ``No, we will use this information,'' the patient has the choice to say ``I will seek other care elsewhere.'' Once that is done, that information that you have described is information, if it is consistent with treatment, it can only be approved for being sent to that patient by the covered entity, by the entity that has a relationship with that patient in terms of his or her treatment. Therefore, the idea that some unrelated company out there is willy-nilly getting access to that patient's information, we believe that we have addressed that in this rule, that it would be inappropriate, it would be a violation for information to end up in the hands of a third party that has no connection whatsoever either to the patient or to the patient's provider and thereby we believe that we have narrowed and limited that type of unsolicited or unrelated solicitations to that patient. Where it can occur that a covered entity--let us assume it is a pharmacy that is working with a patient and in the case of disease management or in terms of a prescription being refilled--that pharmacist, the covered entity, can have a business association with a company that they have relegated or delegated that responsibility for notifying that patient that your prescription has come due and we think that that is an appropriate use of the information to serve the patient in terms of his or her treatment.
The Chairman. Well, I think we need strong language that makes very clear the protections of the privacy of the patient in this area and we will have an opportunity to consider that. Thank you very much. My time is up.
Mr. Allen. Thank you, Mr. Chairman.
The Chairman. Senator Warner?
Senator Warner. Thank you, Mr. Chairman. I think we have had a very constructive hearing this morning.
It is not over yet, but the point I wish to make is that Congress really has not been able to resolve these tough issues since 1996 and basically we have just forfeited this to the successive administrations of two Presidents to try to solve it. I have to assume that this administration, as did the previous, in a very conscientious and nonpolitical way--there should not be any politics, in my judgment, involved in this thing if we can avoid it--is trying to do what is best for the health care industry and patients. But these issues are at the very heart of our health care system and as I sat and listened I have one question and then one observation. The second panel will come forward hopefully with good constructive viewpoints on how things can be changed. You still have an open mind, do you not?
Mr. Allen. We are required to by law.
Senator Warner. Well, what about just following the law to the T? Keep that open mind because I think a lot of conscientious people are working on this. And I guess my question would be many have stated that a much more targeted modification could have been made that would have improved access to care while maintaining stronger privacy protections. Did you consider a less restrictive alternative in your deliberations?
Mr. Allen. Senator Warner, yes, we did. We went through this and tried to find ways to make the consent provision work, but the bottom line, as we have already stated again, is that the issue was not--the consent did not give a patient control over the information. It actually took control out of that patient's hands and put it into the hands of the provider, who was forced to make a determination of whether you sign a piece of paper or not and determine whether you got treatment. When we looked at it we tried to address the issues of the pharmacist. We tried to address the issue relating to specialists. We tried to address the issues related to emergency care.
And we went down the list and again and again it came to a place where we either were going to have a rule that applied broadly or we would have a narrow exception that addressed every specialty group that existed out there. I think the goal that we were trying to achieve was one that had a flexible approach, but a consistent approach across the board, that took into consideration that we want to maximize two things. We wanted to maximize the patient's ability to get care, but also wanted to maximize the patient's ability to control their ability to have their public health information shared outside of treatment, payment and operations that reasonably a patient would assume that their information would be used for.
Senator Warner. If all the best intentions that you and your colleagues have manifested thus far simply prove in practice not to be workable, particularly the enormous costs that the hospitals and other health care deliverers, physicians are going to have to bear, you would be willing in the future to reopen this thing under the process prescribed by law?
Mr. Allen. Yes, Senator. Under the law we would be allowed to revisit this issue once a year and that is why, that one point, under the rule, under the statute, we were only allowed one time a year to make changes. We were concerned that we would be put into a position that we would have made a change and then have other issues, unanticipated issues arise that were a detriment to the furtherance of either access to care or took away from the privacy rights of the individual and would not be allowed to address them, and that was an issue that we felt very strongly that we needed to weigh in on the side of maximum flexibility so that we can work it throughout the year without having to use that one-time-a-year exercise to try to address every problem that arose in the interim.
Senator Warner. Well, I think you have delivered the administration's care very professionally and quite well.
Mr. Allen. Thank you, Senator.
Senator Warner. Time will tell. Thank you very much. Thank you, Mr. Chairman.
The Chairman. Senator Clinton?
Senator Clinton. Thank you, Mr. Chairman. I very much appreciate Senator Warner's comments because I think all of us are looking for an appropriate way to handle this new world of information that is out there and to protect people's right to privacy, especially the most personal and intimate information and details about them. So I am grateful for the recognition that this is probably a moving target to some extent that we will evolve a response to because I feel very strongly about the right to privacy and I also understand the need for health-related organizations to have access to good information. But I must confess, Mr. Allen, I am confused and it may be that this is such a complicated, difficult area that it is hard to follow, but I just wanted to run through a couple of issues. As I understand what the administration is proposing, we no longer will require affirmative consent, but instead, an acknowledgement that information about privacy rights has been provided. Is that correct?
Mr. Allen. It is correct in the sense that we do not require that a written consent be given.
Senator Clinton. Right.
Mr. Allen. It does not preclude an entity from seeking consent.
Senator Clinton. Well, that is what is interesting to me because as I study what you are proposing, on the one hand we no longer have an affirmative consent process, but you do permit entities to go ahead and voluntarily seek consent.
Mr. Allen. And there is a good reason for that. The reason is this, that in some cases you may have, for example, a hospital that already has consent for treatment, which is what we call informed consent. They may want to go ahead and still have consent for using that information that will be consistent with treatment.
Therefore some entities may choose to seek a written consent from a patient, but what we have not done is we have not required everyone to do that.
Senator Clinton. But what you have done is when an entity does choose to require consent you have eliminated many of the consent requirements that would apply to the voluntary request for consent.
Mr. Allen. And again the reason for that is because we are trying to maintain flexibility----
Senator Clinton. But you are trying to have it both ways.
Mr. Allen. If you would let me answer my question?
Senator Clinton. Mr. Allen, let me finish because I am trying to----
Mr. Allen. You asked me a question and let me answer the question.
Senator Clinton. No, but let me pose the question.
Mr. Allen. I thought you already did.
Senator Clinton. No, I did not, Mr. Allen.
Mr. Allen. Well, go for it.
Senator Clinton. Thank you, dear. Now if you are on the one hand not requiring consent and then on the other hand when someone voluntarily pursues consent, you eliminate what the original rule had in for the provisions of consent, it seems to me you are going after consent from both ends. Either you offer it or you do not offer it, but when it is voluntarily chosen you undermine it. And I think if you look at what you have done to eliminate that in the name of flexibility, you have essentially vitiated consent even if someone voluntarily chooses to pursue consent.
Mr. Allen. And your question is?
Senator Clinton. Why have you done that?
Mr. Allen. First of all, I would beg the question that we have not done that. I think what we have done is we have strengthened the process by one, when we remove mandatory written consent in terms of the rule we have now enabled a patient to get care, plain and simple.
But, at the same time, we have enabled a patient for the very first time under this rule to have information about the practices of the provider, to have opportunity to review those practices and engage in a discussion about those practices and seek to restrict the uses of that information. That is all essential for protecting and providing protections for an individual in terms of how that information is used. That does not happen. That will now happen under this proposed rule that did not happen under the former rule. Beyond that, we have also provided again--we have not precluded entities from seeking to get a written consent and that written consent, we are not dictating the confines of that because again it is voluntary. It is something that some providers may seek; others may not. But what we can guarantee is that that patient will get information and notice of the practices and procedures of that entity, and that is what we think is essential to the decision-making of the patient, but also to the continuity of the care that that patient will receive from that provider.

Senator Clinton. But you are also eliminating the requirements that the covered entity inform the patient it is receiving remuneration for making the communication, you are eliminating the much more restrictive definition of marketing so that very often a poor patient will receive information and will not know that there is a financial interest in the entity providing it.

Mr. Allen. What we have done is a couple of things, again, Senator. One, in terms of consent, it only relates to what we have eliminated the consent for, is for treatment, payment and operations. Anything beyond that, you must get the patient's consent for the use of that information. In terms of remuneration, what you are discussing is how we address the issue of practices that, for example, I cited the example earlier.
What we were concerned with is we have circumstances in which providers participate in continuing medical education conferences. Those conferences may be paid for by X company. What we do not want to have happen is having to have providers having to toil over whether or not they receive remuneration from a company simply because later on they prescribe a product that they think is in the best interest of their patient, but because they had been given the opportunity to participate in this conference we did not want that to have to be considered as marketing because that is consistent with that provider's treatment of the individual. So therefore we have broadened what we look for in terms of the definition of marketing, but we have limited it to that which is outside of the treatment-payment continuum.

Senator Clinton. Well, Mr. Allen, I have to confess that I am very disturbed by some of these changes because I think the practical effect is to substantially weaken the privacy rule. I appreciate some of the difficulties that were brought to our attention in a hearing that we held last year and I certainly believe we should have targeted effective measures for dealing with some of those issues, like the ones that the pharmacists raise, but you have thrown the baby out with the bath, the best I can tell, and opened up a huge loophole for nearly any use of information without any effective check on it because we will not have any proof that the patient has ever been adequately informed. I think it is unrealistic to believe that many patients are going to be that well skilled in the nuance of these rules to even know the questions that they are supposed to be asking and I think we have an obligation to err on the side of privacy. And I think that this rule, the recommended changes to the rule really go in the opposite direction.
So I will be very interested in following what you are proposing on this, but I think that the witnesses who will be coming to appear before us in the next panel have some very specific issues and I hope that you and your colleagues will listen very carefully because I think it would be quite useful to take another stab at trying to figure out how to do what you are trying to do in the name of flexibility without undermining privacy.

Mr. Allen. Senator, I take your point very seriously. We are here to listen. We are in a comment period and we expect to get many comments. In fact, we probably will get, particularly after this hearing, a lot more comments and we welcome that. But I think from the perspective that we have taken, we tried to approach this from the patient's perspective. While you may think privacy rights are the most overriding issue, we stepped back and thought that it was far more important that in seeking to maximize an individual's right of privacy that it was far more important that we ensure that we do nothing, that we do absolutely nothing to impede their access to care because having a right to privacy means very little to a person who is desperately needing care, whether it be the mother who is----

Senator Clinton. You are not going to get any argument from any of us about that, Mr. Allen. We are all in favor of care. It is just that we are concerned that in the name of care, profit has a very big role in a lot of the efforts to use information available to health entities. There has to be a line drawn and you have ended up on one side of the line, and I think some of us are more comfortable on the other side of the line, but that is to be worked out and discussed and I appreciate your willingness to listen to the comments that will be coming to you. Thank you.

Mr. Allen. Certainly.

The Chairman. Senator Enzi.

OPENING STATEMENT OF HON. MICHAEL B. ENZI, U.S. SENATOR FROM THE STATE OF WYOMING

Senator Enzi. Thank you, Mr. Chairman.
I would ask consent that a statement that I prepared be placed in the record.

The Chairman. Without objection.

Senator Enzi. Thank you. I appreciate your holding this hearing. This is an issue of tremendous concern to everyone that I know. I know that we as a committee deferred to the agency to go ahead and do the rules. They did those; they occurred at the end of the last administration and from comments that I am receiving, I am quite sure that that administration would have reviewed these, as well, and I am so pleased that they have been reviewed and revised by the current administration. Now I know that privacy is of extreme importance to everybody. I saw a survey when we were doing banking privacy and it said that 94 percent of the people in the United States were concerned about their privacy--and I was wondering what was the matter with the other 6 percent. But on the medical privacy rule I have had a lot of comments when I've been in Wyoming. My prime concerns with the rule that we had, I heard from pharmacists. They are very concerned about elderly people having to come in and sign a form so that somebody can pick up their prescriptions for them, yet they are not even able to come in and sign the darn form. But we have some areas of Wyoming that have even bigger problems than that and I suspect that we are not alone in the country, although we may be. Cell phones have not gotten to all of Wyoming yet. I have people that rely not on telephones that are party lines, but on radios that are very definitely party lines because anybody can pick up the transmission. In fact, they rely on that feature. Everybody leaves their radio on and if somebody in that vast area of the back country is headed to town, they put out the word that they have a couple of things they need them to pick up when they are in town. They have relied on that for years and it creates a tremendous sense of community. But the privacy rule does not allow that sense of community.
They are not even sure whether they are violating the law by letting somebody know that they need a prescription picked up. I hear from the doctors, as well. When the final rule first came out I had a number of them that said, ``to me it looks like I have to violate the law,'' again, because of our distances and our communication, so ``Senator, what can you do to protect me when I violate this rule that you allowed to go into place?'' When they put it that way I have a lot of sympathy for them. I also understand what the people are talking about when they talk to me and it has primarily been pharmacists and some doctors and hospitals. I appreciate very much your comments about the comment period not being up. One of the difficulties I have had with agencies has been when they have obviously failed to read the information that they were presented with and had already closed their mind--before they wrote their rule--about how the rule was going to come out. So however it comes out, I commend you on your openness on the rulemaking process.

[The prepared statement of Senator Michael Enzi follows:]

Prepared Statement of Senator Michael B. Enzi

Mr. Chairman. I want to thank you for promptly holding this hearing on the new proposed rule to protect the privacy of medical records. This Committee mounted a serious bipartisan effort in the last Congress to advance privacy legislation. While we were not able to come to agreement on a handful of provisions, there was significant agreement on the details of the right policy for protecting people's medical information. I believe such protection is achievable while also allowing the appropriate use of medical information to improve the health status of all Americans through research and the development of better medical management protocols. The Clinton Administration took our legislative draft and used it as a foundation for a rule-making on medical records privacy.
Having been issued in the final days of that Administration, President Bush was placed in the position of having to review the rule when he took office. Under Secretary Thompson's leadership, the rule underwent additional modifications. Which brings us to today. With that, I'd like to welcome Deputy Secretary Claude Allen, who will be explaining the latest iteration of the rule. I also welcome the other witnesses whose expertise in medical privacy has helped shape this policy over the last 4 years. I will comment very briefly on the new proposed rule. First, let me say that I support the new rule and believe it will afford strong privacy protections for medical information. I applaud the Administration's effort to carefully balance ``protections'' with ``progress'' in medicine. I look forward to the comments solicited in the preamble with respect to de-identified health information. The new rule was modified to correct the old rule's unintended consequence of threatening access to care and reducing the quality of care patients enjoy today. The goal of a privacy rule should be to enhance access and quality, not undermine these basics of good health care. Several other important modifications to the rule can be summarized by the phrase ``administrative simplification.'' Changes to make the privacy rule patient-friendly by making it user-friendly should be supported by this Committee. After all, the statutory mandate to develop a medical records privacy rule was included in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also included requirements on both the private health care market and certain public programs to administratively simplify health care transactions. Since HIPAA was drafted by this Committee, it's only logical that we should support all efforts to make the privacy rule consistent with our intent to simplify administrative burdens within the health care system. Mr. Chairman.
I look forward to the testimony and again thank you for calling this hearing.

Senator Enzi. Could you give me some of the factors that were motivating factors behind the changes that you made to the privacy rules and the more general comments you may not have been able to make?

Mr. Allen. Certainly. When we received the comments--we received over 11,000 comments in about a 30-day period when we put these particular sections of the rule back out for additional comment and we had various--we have addressed somewhat earlier some of the issues that we are addressing. The one example that continued to come up was pharmacists not being able to fill prescriptions without having the patient to come in prior to the information being transmitted to the pharmacy and signing a consent form. That clearly was an impediment to care, to access to care. We then heard from specialists who were concerned about their practices and being impeded in providing care to the patient. Those were the sorts of examples that we had, also. Then we went down the list from there. We had emergency care providers who not only would have the burden of having to get a consent form, but the nature of their work precludes them from getting the consent when they first pick up the patient, but then would require them to disrupt their normal practices by having to double back to try to seek that access. The area that we heard a lot of comments about was in this area that we all have great concerns about, and that is marketing, particularly when the marketing is using your health-related information for nonhealth purposes. Nobody wants to receive an unsolicited advertisement or offer that discloses your public health condition or your health condition when you did not consent to that or were not aware that that was going to occur. So we began to look at ways of strengthening the marketing rule and we did that.
We also had concerns raised about the role and the rights of minors vis-a-vis their parents in terms of access to information. In that area what we did there is that we made very clear that the Federal law defers to what the State law is. So whatever the State law is in this area, we defer to that. If there is no law in that regard or if the law is unclear, we defer to the practice of that State that looks to the health professional in exercising his or her discretion and access. But we also made sure, just as most States, to provide that, in cases of emergencies, physicians, and providers can provide information on a minor in the case of an emergency and we wanted to reflect that. So we tried to approach all of these issues. Research was another area where there were comments that came in and in that area we saw that we did not have all the answers. So what we have done is we have made an approach to how to address the issue of research so that we do not impede research going forward but, at the same time, finding out how do we get the information that is needed for the research to go forward, but also protecting the privacy rights of the individual so that they are not identified and their information is not disclosed.

Senator Enzi. I certainly appreciate the thorough job that you are doing on it, particularly on revisiting things that you revised before it all becomes final. It is a breath of fresh air and will help take care of some of the people in our State. Your explanations today have been clear enough that people will understand this conflict between privacy and getting care and I know in all those cases they would opt for the care. Thank you.

Mr. Allen. Thank you, Senator.

The Chairman. Senator Gregg.

Senator Gregg. Mr. Chairman, thank you. Mr. Allen, I unfortunately had to depart for a while, but I did have a chance at my other meeting to listen to you and I thought your presentation was excellent.
Going back to this consent issue, I just wanted to talk about the unintended consequences of this mandatory consent language. It seems to me that I can think of three instances which would create really inappropriate events as a result of mandatory consent. One would be my situation, where if I went to a doctor, the only time I would ever go to a doctor is if I really had to go to the doctor. I cannot think of anything worse than sitting, other than maybe going to BWI and waiting to get through security. But when I walk into that doctor's office I have one thing on my mind and that is getting better. And the odds are he could put anything in front of me if it's reasonable. He could even ask that I sign off that the Red Sox would never win the World Series ever and I would probably sign it. I think that therefore the relevance of a mandatory consent is probably limited because your reason for going to a doctor is not to sign a form; but to get better. Second, I am concerned about the position it puts the doctor in. You have alluded to this, but it seems to me that there are certain laws that say a doctor must treat you, starting with his Hippocratic Oath, but also specific Federal laws in the area of emergency care, for example, and State laws. The doctors could find themselves in the untenable position of having a patient come in who may be one of these Wyoming types, you know, independent, who just refused to sign anything. The patient needs to be treated, and the doctor treats because they are a good doctor and they have to treat under the law if it is an emergency and they have to treat under their oath if it is not. What then does the doctor do? What does the doctor do with the information? He may not even be able to send the patients' information to a lab.

Mr. Allen. That is right.

Senator Gregg. And physicians certainly have opened themselves up to all sorts of liability in these situations.
So this mandatory consent creates the unintended consequence of putting the doctor in an improbable and inappropriate position. And third, I am concerned that it may create an atmosphere where people could use the mandatory consent to harm the patient's rights. I mean, mandatory consent could end up with language in it, although there are limitations on this, but it could end up with language in it which contractually would significantly proscribe what a patient's rights are and what they are permitted to do. And, as I said, if you are going in to get care, you are going to sign that consent unless it is truly outrageous on its face, or unless you happen to be an attorney. So I see those three instances as examples of why mandatory consent probably makes no sense and why your approach is much more logical to this effort. But we do have the anomaly, I think, of the American Medical Association having been the ones who, I think, forced the Clinton Administration to back off from its original proposal, which was no mandatory consent, which was probably a more logical position. So I'm wondering if it would be appropriate for this committee to pass a regulation or rule or law, if the Chairman brings this forward, that says that if you are a member of the American Medical Association, then you shall be subjected to mandatory consent. Is that reasonable?

Mr. Allen. I would say for those individuals who are members of the American Medical Association who might otherwise have commented or maybe members of other associations that support the notice provisions that we have, if we could exclude them you might want to find those members who would solely want to----

Senator Gregg. My question was fairly rhetorical.

Mr. Allen. Mine was, as well, my comment.
I think the issue there, Senator, if I may, in all seriousness, I think the issue there is I believe that with proper education, understanding of the rule and the way the rule works and brings an appropriate levity to the issue of privacy, but also the significant importance of access to care, I think that we can work with the American Medical Association and other organizations by educating them on how this rule ultimately will work to the benefit of the patient in both areas and making sure that they have the ability to have the prior consent, prior notification, prior authorization for use of their information when it is not related to treatment, payment or operations but, at the same time, to not be precluded from getting that care when it does relate to those areas. So I think in all seriousness I think we have an opportunity to educate, as well.

Senator Gregg. I appreciate your presentation. I think it was a very effective representation of the administration's position. Thank you.

Mr. Allen. Thank you, Senator.

The Chairman. Thank you very much.

[The prepared statement of Claude Allen follows:]

Prepared Statement of Claude A. Allen

Chairman Kennedy, Senator Gregg, distinguished Members of the Committee, it's a pleasure to be with you. I welcome the opportunity of appearing before you to talk about what we're doing at the Department of Health and Human Services to fulfill President Bush's goals of protecting both vital health care services and the confidence of every American to know that his or her personal medical records will remain private. Today, I'm going to discuss the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and the proposed modifications to those standards that the Department published in the Federal Register for public comment on March 27, 2002. President Bush, Secretary Thompson and I believe strongly in the need for workable and effective federal protections to ensure patients' privacy.
Americans have become increasingly concerned about the privacy of their health care information. Fear of misuse or abuse of sensitive medical information has deterred some patients from fully utilizing the necessary health care services available to them. When the Privacy Rule is fully implemented, we will have successfully completed our goal of giving American patients what they want: confidence that the privacy of their medical records will be protected and that our providers and health system will be able to deliver them the most advanced, and efficient quality care available. Because of the Privacy Rule, all Americans will, for the first time:

Have the right up front the first time they see a doctor or health care provider or enroll in a health plan to be notified of their privacy rights and how their information may be used or disclosed by the provider or the plan, so they may understand and discuss concerns with these providers and plans and get care that is consistent with their own personal preferences;

Have the right to access their own medical record and to have their record corrected, if it contains incorrect or incomplete information; and

Have control over most non-routine uses or disclosures of their information, including requiring written permission before their information is shared with employers for employment decisions, shared with life, disability or other insurers, or used for marketing.

In April 2001, President Bush acted boldly to put into place these strong patient privacy protections. With laws already in effect to protect personal information contained in bank, credit card, and other financial records, and to require notification of Americans about how their electronic data are used for providing these financial services, the American public should not be made to wait any longer for protection of the most personal of all information--their health records.
At the same time, legitimate concerns were raised about whether parts of the Privacy Rule would compromise patients' access to care or the quality of that care. To address these concerns, the President directed Secretary Thompson to recommend appropriate modifications to the Rule that would identify and correct any unanticipated consequences that might harm patients' access to care or the quality of that care while still protecting patient confidentiality. The notice of proposed rulemaking published on March 27, 2002 represents the results of the Department's review of thousands of public comments, recommendations from public hearings on the Privacy Rule, as well as the letters and input from a broad and diverse group of lawmakers, interest groups, health care leaders, and individual citizens regarding the Rule. The changes that we have proposed will allow us to ensure strong protections for personal medical information without negatively affecting access to care. These recommendations were decided upon only after seriously examining the feasibility of all possible options. They are common-sense revisions that are intended to eliminate serious obstacles to patients getting needed care while, for the first time, providing federal privacy protections for patients' medical records. I would like to review briefly the major areas of the Privacy Rule where changes are being proposed and explain the Department's reasons for proposing these actions. At the end, I will be happy to answer any questions from the Committee Members on these or any other of the proposed changes.

Consent and Notice

First, the Department has proposed a workable solution to the consent and notice provision that achieves strong privacy protections and ensures access to care.
The original regulatory proposal published in November 1999, prohibiting a covered health care provider from obtaining consent for uses and disclosures for treatment, payment and health care operations, lacked a workable process to engage the patient to consider the providers' privacy practices, an essential part of adequately protecting privacy. The final regulation published in December 2000, mandating consent for these routine uses and disclosures created barriers to timely access to care. The Department's proposal is two-fold: it would enhance the obligation that covered entities give notice of their privacy practices to their patients, by requiring a good faith effort to get patients to acknowledge, in writing, receipt of the notice of privacy practices, and it would allow providers to obtain consent for these routine uses. This change means only that under the Privacy Rule, patients are no longer required to provide consent for their doctors, hospitals, and other direct treatment providers to use and disclose information for those core activities that are essential elements of providing health care. Patient authorization is still required for most other purposes, such as marketing and disclosures to employers for employment purposes. Patients also would continue to have the right to request restrictions on uses and disclosures of their health information and would be able to enter into agreements with providers and health plans to further protect the privacy of their health information or to further limit the use of that information. We believe this approach provides new, meaningful patient privacy protection without impeding the delivery of high-quality care that patients need. The President and Secretary Thompson are dedicated to improving the delivery of quality care to patients, and the December 2000 privacy rule posed serious problems for patient access to care. 
Indeed, the comments received in March 2001 revealed a multitude of unintended consequences threatening patient safety and quality care. We also heard from many of you on this committee, Mr. Chairman, and other Members of Congress, all asking that we address these unintended consequences. Most importantly, we heard from health professionals that the proposed regulations would have serious consequences for the quality of patient care. I believe it was widely recognized that the consent requirements interfered with patients getting prescriptions filled in a timely manner; the ability of hospitals, specialists, or other practitioners to act timely to start care for patients referred from other providers; the ability to provide treatment over the telephone; and emergency medical providers. Potentially, the Department would have to repeatedly modify the privacy rule as each new barrier was identified. As many of you may recall, HIPAA allows modifications to the privacy rule standards only once yearly, thus the Department would be in the untenable position of knowing of serious problems that threatened patient care, but being unable under the law to correct these threats to patient care on a timely basis. Ultimately, we tried to put ourselves in the shoes of the patient and do what made the most sense from his or her perspective. And, we believe that the patient most values unimpeded access to quality care, generally limiting the use of his or her information to what is necessary to provide quality care, fair notice of how his or her information will be used, and more control over where other than to his health care providers and health plans his information goes. Indeed, requiring individual written consent for the routine uses necessary to provide care gives the patient little actual control over that information.
When coupled with the provider's ability--and even necessity--to condition treatment on the signing of a general consent form, the patient is forced to choose between signing the consent form and not receiving care. In the end, we determined that the risk of compromising patient care and safety outweighed any benefit of a mandatory consent process. We believe the backbone of patient privacy rights is preserved and strengthened and the spirit and intent of the mandatory consent is fulfilled by the written notice requirement. During each patient's first meeting with a provider, they will receive a notice of their privacy rights, as well as the providers' privacy policies, and how their information will be used. This notice requirement creates for the first time, a formalized process where the patient will pause and reflect on the value of the privacy of their medical records and be able to discuss any concerns that they have with the provider.

Health Care Communications and Practices

Second, the proposal ensures the strong protections for all forms of health information, including oral communications. Plans and providers will be obligated to make reasonable efforts to limit the use and disclosure of protected health information to the appropriate minimum necessary to accomplish the intended purpose. We have, however, made clear that a doctor could discuss a patient's treatment with other doctors and health care professionals without fear of violating the rule if they are overheard if reasonable safeguards are in place. As long as a covered entity met the minimum necessary standards and made an effort to protect personal health information, incidental disclosures--such as another patient overhearing a fragment of conversation--would not be an impermissible disclosure. This proposed change does not in any way permit gossiping or other careless use of patient information.
Research

Third, the proposals would simplify the research provisions, removing many of the burdens on research and covered entities alike, thereby continuing to promote the highest quality of care that Americans have come to expect and have a right to demand and so that the nation's world-renowned medical research can continue at a vigorous pace, but with renewed confidence in patients that their personal medical information will be protected. The proposal would make it easier for patients who participate in research to understand all dimensions of the study, including privacy dimensions, through the use of a single combined form, instead of having multiple consent forms--one for informed consent to the research and one or more related to information privacy rights. It streamlines requirements for obtaining a waiver of individual permission to access records for research purposes, so as to more closely follow the requirements of the ``Common Rule,'' which governs federally funded research. These simplified provisions would, nonetheless, continue to include privacy-specific criteria and would apply equally to publicly- and privately-funded research. The Department is also seeking comment on the feasibility of making health information that does not directly identify the patient more readily available for research and limited other purposes. For example, many researchers and others who study the quality or accessibility of care have indicated a need for information that does not facially identify the patient, but nonetheless contains certain identifiers such as zip code or dates of admission and discharge. Under the Privacy Rule, the information would not be ``de-identified.'' In environmental cancer studies, zip codes are often important for environmental health research. Duration of illness is important for infectious disease studies.
Through the comment process, the Department is seeking a consensus as to how to construct a ``limited data set'' that could be disclosed for such purposes, and as to what type of information should continue to be excluded from the proposed ``limited data set'' because it would directly identify an individual. In addition, to further protect privacy, we propose to condition the disclosure of the limited data set on a covered entity's obtaining from the recipient a data use or similar agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, as well as not to re-identify the information or use it to contact any individual. Parents and Minors Fourth, we have made limited changes to clarify that State law governs disclosures of a minor's health information to a parent or guardian. The rule and the proposed modification only address the rights related to a minor's medical records; neither has any impact on a minor's ability to obtain certain medical services under State law without parental consent. The intent of the current rule was never to override State laws that set standards for parental access to their children's medical records. In cases where State law is silent or unclear, the revisions would preserve physician flexibility and standards of professional practice by permitting a health care provider to use the discretion afforded by the State or other law to provide or deny a parent access to such records. Just as State law now determines when a minor may be treated without parental consent, so too would the revisions effectively defer to State law on access to and control of the minor's information that results from such treatment. Marketing Fifth, the proposal explicitly prohibits using or disclosing a patient's information for any marketing purposes without the individual's express authorization. 
At the same time, the proposal would ensure that doctors and other covered entities could continue to communicate freely with patients about treatment options and other health-related information, related to their treatment, including disease-management programs sponsored by the entity. The doctor may or may not receive remuneration. This proposal would strengthen the marketing provisions by requiring an individual to specifically authorize certain disclosures of health information that otherwise would be permitted without such authorization under the privacy rule. For example, a health plan would be prohibited from giving a pharmaceutical company its list of all enrollees for the company to send all patients information about their products without obtaining each individual's authorization even if that company is a business associate of the health plan. However, the proposal would continue to allow use of information for the health plan to send enrollees with diabetes information about a diabetes disease management program that may help them manage their illness. Patients want information about their treatment and treatment alternatives and the benefits and services offered by their plans and health care providers. Patients do not want their personal information used for unsolicited marketing pitches that have nothing to do with their care. This is the same common sense approach that governs all other revisions to the Rule: patients should have the right to get the best care possible, and to have their sensitive medical information protected while doing so. 
Other Provisions

We have also proposed changes that would:

    Clarify and encourage public health reporting of adverse events and other post-marketing surveillance of FDA-regulated products or services;

    Provide model business associate contract provisions and allow up to one additional year for most covered entities to make their business associate contracts compliant with the Rule; and

    Permit the sharing of information among health care providers and health plans for each others' treatment, payment, and quality-related health care operations.

Conclusion

I want to assure you that Secretary Thompson and I are committed to working with this Committee and Congress, and with experts and the public, to provide the strongest possible protections for medical information while preserving access to and quality of health care. We look forward to specific comments on the proposed modifications to the Privacy Rule and we remain open to additional ideas for strengthening privacy protections while encouraging high quality care. But it is past time to move forward. Privacy rules have been drafted for many years, and inaction prevents needed medical privacy protections from being put into place. The need to get strong privacy protections in place now is a commonly held goal that transcends partisan politics. We owe the American people a privacy rule that works to allow them to continue to get the high-quality care that they expect--they deserve no less.

Thank you again for the opportunity to be here today. I appreciate your interest and commitment and I am happy to answer any questions.

The Chairman. We have a panel now that we will hear from. Janlori Goldman devoted her career to privacy and civil liberties issues, founder and director of Health Policy Project, Georgetown University Institute of Health Care Research, also cofounded Center for Democracy and Technology, a civil liberties organization committed to preserving free speech and privacy on the Internet.
Janlori has been a leader on the privacy regulations since day one and we look forward to the testimony.

Sam Karp, chief information officer, California Health Care Foundation, coordinates the foundation's initiatives in health care privacy, worked on new business models, technology-based approaches for sharing health information. Mr. Karp is working to understand how providers are working to implement this regulation.

John Clough currently is the chairman of the Division of Health Affairs, Cleveland Clinic Foundation. Previously the doctor served as chairman of the Department of Rheumatic and Immunologic Disease and we are pleased to get his input on this important issue. Senator DeWine will be here just momentarily to give us an additional introduction.

Dr. Richard Harding, president of the American Psychiatric Association. Serves on the Subcommittee on Privacy, Confidentiality and the National Committee on Vital Health Statistics in the Department of Health and Human Services and he will be sharing his thoughts on the impact of privacy on health care providers.

Mr. Karp.

STATEMENT OF SAM KARP, CHIEF INFORMATION OFFICER, CALIFORNIA HEALTHCARE FOUNDATION

Mr. Karp. Good morning, Mr. Chairman, Senator Gregg and Members of the committee. My name is Sam Karp. I am the chief information officer of the California Healthcare Foundation. The foundation is an independent philanthropy committed to improving California's health care delivery and financing systems. Thank you for the opportunity to testify today on an issue we believe is fundamental to improving the quality of health care.

Over the past 5 years, the California Healthcare Foundation has supported a range of activities to heighten awareness and understanding of the need to establish strong rules to safeguard the confidentiality and security of personal health information both on and off-line.
In December of last year the foundation commissioned an independent survey of health care organizations operating in California to see how implementation efforts are proceeding under the HIPAA privacy rule. The survey was intended to distinguish between the real and perceived barriers to compliance and to use the results to inform policy-makers and the general public debate. While I have submitted written testimony that details the survey findings, I would like to highlight two of the key findings here this morning. First a few words about the survey. The survey was conducted for the foundation by the National Committee for Quality Assurance, NCQA, and the Georgetown University Health Privacy Project. It was fielded in January and February of this year just prior to the March 27 proposed rule modifications issued by HHS. The survey represents the views of 100 health care organizations that do business in California, including 29 hospitals, 19 physician organizations, 26 health plans, and 26 other organizations, including disease management, behavioral health organizations, medical management groups, clearinghouses and large research organizations. The organizations that took part in the survey are fairly representative of entities covered by the privacy rule and some of the organizations operate in States other than California. With respect to implementation progress, if you refer to Table 1 in my testimony or the chart to your right, you will see the progress being made in implementing the privacy rule in California. Ten months into the 2-year compliance period, when asked about specific actions taken toward implementation, 81 percent of the respondents reported having developed a strategic plan. Sixty-seven percent indicated they have already conducted a gap analysis. Fifty-two percent have developed a readiness initiative and 12 percent of the respondents reported already completing their readiness activities. 
As the chart indicates, hospitals report having made the most progress to date, with 96 percent having developed strategic plans, 75 percent having conducted gap analyses, and 67 percent developing readiness initiatives. Physician groups report having made the least progress.

Also with respect to implementation progress, 77 percent of the respondents to the survey indicated that they had designated a privacy official, as defined by the rule. Eighty-seven percent of those that had designated a privacy official also report they had identified the human resources within their organizations needed to prepare for HIPAA compliance.

Now let me turn for a moment to the consent requirement. If you will refer to Figure 1 in the testimony, which is also in the chart on your right, this chart indicates that a majority of respondents, 51 percent, report that the consent requirements are somewhat workable. Another 29 percent reported that they were either workable or very workable, while 20 percent reported that they were less than workable or not workable at all. Hospitals and physician groups, those organizations directly affected by the consent requirements, were more likely than their counterparts to report that the requirements were somewhat to very workable, 90 percent and 79 percent respectively.

If you refer now to Figure 3, also on the chart to your right, the survey found that those respondents that report having developed a strategic plan, conducted a gap assessment or completed their readiness initiative--in other words, those organizations that were further along in their compliance effort--were also more likely than their counterparts to report that the consent requirements were workable.

There were a variety of open-ended comments about the consent requirements. Let me just mention a couple.
Although the final rule required consent to be obtained only one time, many respondents expressed confusion and concern about their ability to track revocations and limitations of consent. There was also concern as a result that some covered entities would require patients to sign a consent form every time they sought treatment and that patients would be overwhelmed and confused as a result.

There was also confusion expressed about whether one covered entity could share quality assessment information with another covered entity, but HHS provided modifications that have now made that clear, that as long as those two entities have an individual relationship with the patient, they can share that information.

There are two take-aways from this survey. First, there is still considerable work to be done, as we have heard this morning, to address areas of confusion, misinterpretation, and to make the rules generally more workable. On the other hand, the survey provides clear evidence, some 14 months before the compliance date, that progress is being made in implementation. In fact, those organizations that I mentioned a moment ago that are further along in their compliance efforts are finding the rules more workable.

The Chairman. I will give you another minute or two.

Mr. Karp. So to remove a key provision of the rule at this time does not seem justified.

Again, thank you for this opportunity to testify today. I am happy to answer any questions you may have.

The Chairman. Enormously interesting study.

[The prepared statement of Mr. Sam Karp follows:]

Prepared Statement of Sam Karp, Chief Information Officer

Good morning. Mr. Chairman, Senator Gregg, and members of the committee, my name is Sam Karp. I am the Chief Information Officer of the California HealthCare Foundation. The Foundation is an independent philanthropy, committed to improving California's health care delivery and financing systems.
Thank you for the opportunity to testify today on an issue we believe is fundamental to improving the quality of health care. Over the past 5 years the Foundation has supported a range of activities--from research studies, surveys, educational publications, guides, workshops and conferences--to heighten awareness and understanding of the need to establish strong safeguards to protect the confidentiality and security of personal health information, both on- and offline. Our work is motivated by the belief that unless patients, and consumers generally, have confidence that the confidentiality of their health information is guaranteed, progress being made to develop better information systems to improve care and monitor and assess the quality of care will be thwarted. [The Foundation's work on health privacy can be found on our Web site at www.chcf.org.] California HIPAA Privacy Implementation Survey In December 2001, the Foundation commissioned the National Committee for Quality Assurance (NCQA) and the Georgetown University Health Privacy Project to survey health care organizations operating in California to see how implementation efforts are proceeding under the HIPAA Privacy Rule. The survey was intended to distinguish between the real and perceived barriers to compliance and to use the results of the survey to inform policymakers and the public debate. The survey represents the views of 100 health care organizations that do business in California, including 29 hospitals, 19 physician groups, 26 health plans, and 26 other organizations, such as disease management organizations, clearinghouses, medical management groups, behavior health care organizations and researchers. The organizations that took part in this survey are fairly representative of entities potentially affected by the Privacy Rule. Some of the organizations surveyed also operate in states other than California. 
The survey was conducted in January and February 2002, prior to the March 27, 2002 release by Department of Health and Human Services (HHS) of the proposed rule modifications (NPRM).

When reviewing the findings of the survey it is important to note that the State of California has a history of strong patient confidentiality laws. Health care organizations operating in California generally have more experience operationalizing privacy protections than most of the rest of the nation.

The Survey Findings

The survey identified the following key findings:

    1. Planning is proceeding; implementation progress varies.
    2. The consent requirements are somewhat workable.
    3. Minimum necessary requirements are somewhat workable.
    4. Information needed for quality assessment thought to be limited by the consent and minimum necessary requirements.
    5. The business associate requirements are viewed as burdensome.
    6. Resources are needed to assist preemption analysis.
    7. Compliance efforts are not fully funded.
    8. There is a general need for clarifications and/or modifications.

1. Planning Is Proceeding; Implementation Progress Varies

Ten months into a 2-year compliance period, when asked about specific actions taken toward implementation, 81 percent of respondents have developed a strategic plan, 67 percent indicated they have conducted a gap assessment, and 52 percent have started to develop and implement readiness initiatives. Twelve percent of respondents reported completion of their readiness initiatives. Hospitals report having made the most progress to date, with Physician Groups having made the least progress. (See Table 1.)

Payors with a Medicaid product were less likely than Payors with commercial products to have developed a strategic plan (64 percent to 92 percent), conducted a gap assessment (50 percent to 92 percent), or developed a readiness initiative (29 percent to 67 percent).
Seventy-seven percent of respondents indicated they had designated a Privacy Official, as defined by HIPAA. Eighty-seven percent of those that had designated a Privacy Official also report they had identified the human resources within their organization needed to prepare for HIPAA compliance. Again, Payors with a Medicaid product were less likely (50 percent to 92 percent) than Payors with commercial products to have designated a Privacy Official and also less likely (63 percent to 91 percent) to have identified the human resources needed to prepare for HIPAA. Organizational challenges frequently identified by respondents included implementation, staff education, cost, time, and information technology. 2. The Consent Requirements Are Somewhat Workable Overall, 51 percent of total respondents felt that the consent requirements were somewhat workable. Twenty-nine percent felt they were either workable (19 percent) or very workable (10 percent), while 20 percent felt they were less than workable (13 percent) or not workable at all (7 percent). (See Figure 1.) Hospitals, Others and Physician Groups were more likely to feel the consent requirements were somewhat to very workable (90 percent, 81 percent, and 79 percent respectively) than Payors (68 percent). Respondents who had developed/completed a readiness initiative, developed a strategic plan or conducted a gap assessment were more likely than their counterparts to feel that the consent requirements were workable. Forty-six percent of survey respondents believe that the Privacy Rule will be useful in assuring patient confidentiality rights and achieving consistent national standards for confidentiality, however, 47 percent of respondents expressed concern about the paperwork burden. Although the final rule required consent to be obtained only one time, many respondents expressed confusion or concern about the practicability of tracking revocations and limitations on consent. 
There was concern that as a result, some covered entities would require patients to sign a consent form every time they sought treatment and that patients would be overwhelmed and confused as a result. Many respondents expressed concern that the burden of implementing consent would take time and money away from patient care. Respondents also expressed concern that covered entities would err on the side of caution and refuse to release information for fear of violating HIPAA.

All respondents were asked to indicate what they deemed useful about the consent requirements, and what areas of the consent requirements caused them concern.

Regarding aspects of the consent requirements that were useful:

    30 percent said that the requirements were useful in assuring patient rights.
    16 percent felt the requirements would provide national standards and increase consistency among providers.
    16 percent said that there was nothing useful about the requirements.

Regarding areas of concern related to the consent requirements:

    19 percent of respondents cited continuity of care.
    14 percent cited confusion about consent among patients, employees, and physicians.
    9 percent cited cost.

Payors were more likely to cite confusion about consent as an area of concern.

Respondents were asked whether available tools and technologies could be used to implement four areas: 1) initial consent, 2) revocations of consent, 3) limitations on consent, and 4) accounting of disclosures. Implementing initial consent was thought to be the easiest and tracking limitations to consent the most difficult. It should be noted that between 17 and 25 percent of respondents did not know how to respond and were excluded from the results.

Physician Groups were more likely than Hospitals, Payors, and Others to feel that available technologies could not be used for tracking initial consent. Of those who did know, 53 percent of respondents felt that initial consent could definitely be tracked.
For revocations of consent, more than a quarter (28 percent) of respondents felt that they could not be tracked with available tools and technologies. Forty-five percent thought they could be tracked with available tools and technologies.

Overall 37 percent of respondents thought that limitations on consent could be tracked, while 35 percent of respondents thought they could not be tracked with existing tools. Only 30 percent of Hospitals and 32 percent of Payors felt that limitations on consent could be tracked with existing tools.

Twenty-nine percent of respondents thought that accounting of disclosure could not be tracked with existing tools, while 43 percent thought that they could be tracked. Physician Groups (33 percent) and Payors (33 percent) were more likely to say that they could not be tracked.

3. Minimum Necessary Requirements Are Somewhat Workable

Overall, 58 percent of respondents felt that the minimum necessary requirements are somewhat workable. Twenty-three percent felt they were workable (18 percent) or very workable (5 percent), while 19 percent felt they were either less than workable (15 percent) or not workable at all (4 percent). Physician Groups were slightly more likely to see the minimum necessary requirements as workable, with Payors and Others slightly less likely to see them as workable.

As with the consent requirements, respondents who had developed a readiness initiative or strategic plan or had conducted a gap assessment were more likely than their counterparts to feel that the minimum necessary requirements were workable.

4. Information Needed For Quality Assessment Thought To Be Limited By The Consent And Minimum-Necessary Requirements

When asked if they thought the consent requirements would enhance or limit the flow of information needed to assess health care quality, 58 percent of respondents thought that the consent requirements would somewhat limit (51 percent) or greatly limit (7 percent) the flow of information needed to assess quality of care. Thirty-two percent of respondents felt the consent requirements would have no effect on the flow of information, while 10 percent felt the consent requirements would enhance (9 percent) or greatly enhance (1 percent) the flow of information.

Sixty-five percent of Hospitals and 65 percent of Others felt that the consent requirements would somewhat or greatly limit the flow of information, while 42 percent of Physician Groups and 44 percent of Payors felt that the consent requirements would have no effect on the flow of information.

Those respondents that felt the consent requirements would somewhat or greatly impact the flow of information needed to assess health care quality were asked to indicate in what way the consent requirements would impact assessment of health care quality. There were 60 open-ended responses to this question:

    30 percent of respondents answering the questions felt that there would be process complications or additional burden associated with paperwork.
    17 percent felt there would be confusion over requirements;
    15 percent felt patient factors, such as revoking consent, would limit the flow of information and interrupt the continuity of care.
    6 percent felt that there would be inadequate transfer/flow of information needed for patient assessment.

Inadequate time was a common theme in the responses.
Hospitals were more likely to cite process complications, paperwork burden, and patient factors as limiting the flow of information, while Payors tended to cite confusion over requirements as limiting the flow of information.

With respect to the minimum necessary requirements, the findings were less clear. While 45 percent of respondents thought this requirement would greatly limit or somewhat limit the flow of information needed to assess the quality of health care, another 45 percent thought that the minimum necessary requirements would have no impact. Ten percent of respondents thought the requirements would somewhat enhance (9 percent) or greatly enhance (1 percent) the flow of information. Physicians and Payors expressed similar concerns that the minimum necessary requirement would negatively affect the flow of information for payment, delivery, and assessment of care.

It appears that the belief that quality would be affected is related to the fact that the consent requirements in the final rule would not permit providers to share Personal Health Information (PHI) with health plans for the plans' quality assurance activities. There was generally a lack of clarity about the permissibility of disclosures for quality assessment purposes. Respondents did not seem to understand the permitted uses and limitations of PHI within and between covered entities.

5. The Business Associate Requirements Are Viewed As Burdensome

The time and cost associated with contracting with business associates was a significant issue for respondents. Seventy-two percent felt there would be a substantial to large time burden to implement the business associate requirements; more than half of respondents said the cost of implementing these requirements was substantial to large.

When asked if they believe that the regulations clearly define who constitutes a business associate, 65 percent of all respondents thought the regulations were clear.
While 81 percent of Physician Groups thought the regulations were clear, only 50 percent of Payors agreed. While most respondents likely have existing contractual relations, the initial burden of recontracting is believed to be high. There is also disagreement and lack of understanding about the level of oversight and due diligence required by covered entities over their business associates. 6. Resources Are Needed To Assist Preemption Analysis Fourteen percent of respondents did not know whether they had conducted any preemption analysis. Of those who did know, more than half have not identified the laws in the states in which they do business that either are or are not preempted by HIPAA. When asked how they were planning to identify and track these laws, most respondents indicated that they hoped outside sources would develop and track preemption issues or that they were expending significant resources hiring outside legal assistance. Assistance provided by HHS with regard to preemption analyses would ease the burden on covered entities. 7. Compliance Efforts Are Not Fully Funded With respect to funding, only 21 percent of respondents said that their compliance efforts were fully funded. More than half of respondents indicated that their HIPAA compliance efforts were only partially funded or not funded at all. When asked whether they think the anticipated costs of complying with the Privacy Rule will eventually be offset by savings expected from implementing other components of HIPAA (e.g., the Transaction and Code Set regulations), 31 percent to 32 percent of respondents said they did not know. Of those that said they did know, 48 percent expect no savings, 22 percent expect some savings but not within the next 5 years, and 26 percent expect some savings within 3 to 5 years. 
While 51 percent of respondents reported a lack of funding, it is also important to keep in mind that many respondents have not developed a strategy or conducted a gap analysis of their organizations and this may have an impact on their knowledge of the funding requirements. The survey results also indicated there is a great deal of money being spent on redundant legal and outside consultant analysis of the regulations and compliance efforts. 8. There Is A General Need for Modifications And/Or Clarifications Seventy-eight percent of respondents felt that HHS needed to provide clarifications or make modifications to the final Privacy Rule. Many responders requested clarifications with respect to consent, minimum necessary, the definition and rules concerning business associates, the rules concerning communications, marketing and funding, and preemption. Others wanted clarification around research rules and how the regulations apply to disease management organizations. Conclusion The clear message from this survey is that there is a lot of work still to be done to address areas of confusion, misinterpretation and to make the rules generally more workable. 1. If you are a supporter of the Privacy Rule, the survey suggests it cannot be fully or successfully implemented, without clarifications and possible modifications. 2. On the other hand, there is substantial evidence that progress is being made in implementation, so that removing key provisions of the rule does not seem justified. Today, nearly 20 percent of Americans practice some form of privacy-protective behavior that puts their own health at risk or creates financial hardships. 
These behaviors include: paying out-of-pocket when insured to avoid disclosure; not seeking care to avoid disclosure to an employer; giving inaccurate or incomplete information on a medical history; asking a doctor to not write down the health problem or to record a less serious or embarrassing condition; or, simply not seeking care at all.

It is in everyone's best interest to see that these rules are implemented.

Again, thank you for this opportunity to testify today. I am happy to answer any questions you may have.

The Chairman. I see my friend Senator DeWine here and I know that he wanted to----

OPENING STATEMENT OF HON. MIKE DeWINE, U.S. SENATOR FROM THE STATE OF OHIO

Senator DeWine. Thank you, Mr. Chairman. I am just delighted to welcome Dr. John Clough, who is from the Cleveland Clinic Foundation in my home State of Ohio. Doctor, we welcome you here and we look forward to your testimony.

He will shed some light, Mr. Chairman, on really the complexities involved with the implementation of these rules and the burdens that could fall on health care institutions. He has been with the Cleveland Clinic for a total of nearly 35 years and is currently chairman of the Division of Health Affairs at the Cleveland Clinic. In this capacity the doctor oversees the Departments of Government Affairs, Community Relations, and the Ambassador's Program.

Last month he testified on the House side regarding the issue of medical privacy rights and has spent considerable time studying the impact of the proposed rules.

Dr. Clough, we welcome you to the committee. We thank you very much for being here and look forward to your testimony.

Thank you, Mr. Chairman.

The Chairman. Thank you very much.

Ms. Goldman.

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, GEORGETOWN UNIVERSITY

Ms. Goldman. Thank you. Thank you, Mr. Chairman and Senator DeWine for inviting me to testify and thank you also for holding this oversight hearing and for your commitment to privacy.
The mission of the Health Privacy Project is also to broaden access to care and to ensure that people get the quality of care that they need, but we know that people are afraid. People are afraid to go to the doctor. They are afraid to be honest with their doctor. They are afraid to fully share with their doctor because of what could happen to them, and their fears are real. We hear stories every day and we collect these stories about how people are hurt in the workplace; their benefits are denied. We know that, for instance, 40 percent of all people diagnosed with multiple sclerosis are afraid to tell colleagues and friends because of what could happen to them. People are afraid to get genetic tests. The number one barrier to people getting genetic testing and counseling is fear that their privacy will be violated. So in response to these concerns, the administration issued this landmark regulation in December of 2000, the privacy regulation, and the Bush Administration did allow it to go into effect. We realize that it has limits and weaknesses, but the truth is it is the most comprehensive privacy law that we have at the Federal level. My testimony is extensive. I want to keep it brief in my oral statement and I want to focus on two of the proposed modifications that the administration has made--in the area of consent and the area of marketing. And when I talk about marketing I am also going to mention an FDA provision. Signing onto our recommendations here, the National Multiple Sclerosis Society has also endorsed our position, our recommendation on consent, as has the Epilepsy Foundation, the National Association of Social Workers Legal Action Center, and a list of other groups, which we have included in our testimony. Let me just focus on why notice is not the same as consent. The administration comes here today and says that asking someone to sign a notice--not requiring, but asking them to sign a notice is the same as consent. That is just not accurate. 
Asking someone to sign a consent form is a significant and meaningful moment in the process of getting care and the process of enrolling in a health plan. It is asking someone to give their permission. It is not mandating the consent. A doctor could decide to condition consent on giving certain benefits, but the regulation does not require that the consent be mandated. In terms of paperwork burden, we know today that many, many hospitals, the vast majority of hospitals, and this was included in the preamble to the final regulation, do require people to consent to have their information used for payment. Most doctors do, as well, and for treatment. State laws in this area are different from what the Federal regulation is requiring. In State laws there are specific consent provisions related to certain kinds of conditions people might have--maybe in the mental health area or communicable disease or abuse and neglect, alcoholism--where specific consent is authorized, is required. But in the areas of treatment and payment, they are much more narrow than what the administration is proposing today, much more limited. Treatment is defined much more narrowly and directly related to the treatment of the individual. Most doctors and hospitals will tell you they have an ethical duty to seek consent of their patients before treating them and before having their information provided for payment. Marketing? I am very bewildered and disturbed by the administration's testimony today on marketing. They have contended that they have strengthened the marketing provision. They have done exactly the opposite. They have expanded what is now considered to be marketing and now called it treatment. They have called it health-related communication. What used to be in this box called marketing, where people had an opportunity to opt out after getting a communication, where people were told that there was a financial conflict of interest, that is now gone from the administration's proposal. 
Any communication from anybody, not just a doctor, anybody, a pharmacy, that is health-related, no matter whether there is a financial conflict of interest, does not require an authorization, does not give an opt-out, does not require up-front consent. That is very disturbing. A pharmacy can now sell your information under HHS's proposed modification to a drug company, to a travel agency, even to a tobacco advertiser under the FDA provision, and they would not have to get your consent and not have to give you notice. You have no control and there are no limits.

I want to just focus for a moment on the cost issue. The cost issue comes up time and again, but the administration itself, in a recent report issued from the Office of Management and Budget, has shown that the privacy regulation, over the long term, will save $12 billion in our health care system when it is implemented along with the other regulations in HIPAA. So $12 billion of savings when privacy is implemented together with the other transaction regulations. How can we talk about then wanting to save an additional $100 by eliminating consent? It seems to me greedy and the wrong way to go.

I want to just conclude by saying that President Bush campaigned on a number of pledges around medical privacy. He had very strong position statements during the campaign. And when he allowed the privacy regulation to go into effect last year he said he believed very strongly that medical privacy should be protected and people should not put themselves at risk when they get care.
In fact, in a column in the New York Times shortly after President Bush allowed the regulation to go into effect, William Safire dubbed him ``the privacy President.'' What we are concerned about today is that if HHS's proposed rollbacks become law, if the consent and marketing provisions are weakened and if they become law, then they will legalize the most disturbing and unnerving practices in the health care system today and the kinds of practices that made consumers angry and caused them to send in 35,000 comments asking the administration to include consent, asking them to limit some of the marketing activities. Now they will become legal. I urge not only the administration not to roll back these provisions, but I urge the Congress to act. I know that you have struggled with this for over a decade, but to act to create a statute that then is not susceptible to these political back-and-forths. I very much appreciate being here today and I will be available to answer any questions. [The prepared statement of Ms. Janlori Goldman follows:] Prepared Statement of Janlori Goldman Committee Chairman Kennedy, Senator Gregg and Members of the Committee: On behalf of the Health Privacy Project, I am very appreciative for the invitation to testify before you today at this oversight hearing on medical privacy. The Project, which is part of the Institute for Health Care Research and Policy at Georgetown University, is dedicated to broadening access to health care, and improving the quality of care by ensuring that the privacy of people's medical information is protected in the health care arena. The Health Privacy Project also coordinates the Consumer Coalition for Health Privacy, comprised of over 100 major groups representing consumers, health care providers, and labor, disability rights, and disease groups. 
The Coalition's Steering Committee includes AARP, American Nurses Association, Bazelon Center for Mental Health Law, National Association of People with AIDS, Genetic Alliance, National Multiple Sclerosis Society, and National Partnership for Women & Families.

The Health Privacy Project conducts research and analysis on a wide range of health privacy issues. Recent Project publications include: Best Principles for Health Privacy (1999), which reflects the common ground achieved by a working group of diverse health care stakeholders; The State of Health Privacy (1999), the only comprehensive compilation of State health privacy statutes, which we are currently in the process of updating; Implementing the Federal Health Privacy Regulation in California (2002); Privacy and Confidentiality in Health Research (2001), commissioned by the National Bioethics Advisory Commission; Report on the Privacy Policies and Practices of Health Web Sites (2000), which found that the privacy policies and practices of 19 out of 21 sites were inadequate and misleading; ``Virtually Exposed: Privacy and E-Health'' (2000), published in Health Affairs; and Exposed Online: Why the New Federal Health Privacy Regulation Doesn't Offer Much Protection to Internet Users (2001). All of our work is available to the public at our Web site, www.healthprivacy.org.

The Health Privacy Project's mission is to foster greater public trust and confidence in the health care system, thereby enabling people to more fully participate in their own care and in research without putting themselves at risk for unwanted--and unwarranted--intrusions. It is wrong to force people to choose between seeking health care and safeguarding their jobs, benefits, and reputations.
People should not have to worry when taking a genetic test for breast cancer, or filling a prescription for an anti-depressant, that this most sensitive health information will be used outside the core health care setting, but they do worry and with good reason. The new medical Privacy Rule,\1\ issued by the Department of Health and Human Services (the Department) in December 2000 and in effect since April 2001, is a landmark regulation, setting in place the first comprehensive Federal safeguards for people's medical records. With still a year to go before health care organizations must fully comply, the centerpieces of this new privacy law are in jeopardy. We appreciate the opportunity to share our concerns with this Committee about the Bush Administration's proposal to substantially weaken the medical Privacy Rule. We express particular concern about the Department's proposal to eliminate the patient consent requirement, and to severely weaken the limits on the marketing of people's medical records. Joining with us in opposition to these two proposed changes, are the following organizations: --------------------------------------------------------------------------- \1\ The Privacy Rule is contained in title 45 of the Code of Federal Regulations. All citations in this testimony are to the pertinent section of, or proposed amendment to, 45 C.F.R. unless otherwise noted. 
---------------------------------------------------------------------------

AIDS Action Council
American Association for Geriatric Psychiatry
American Counseling Association
American Mental Health Counselors Association
American Nurses Association
American Psychoanalytic Association
Bazelon Center for Mental Health Law
Consumers Union
CWA Local 1168 Nurses United
Electronic Privacy Information Center
Family Violence Prevention Fund
Genetic Alliance
Hadassah
National Association of People With AIDS
National Mental Health Association
National Organization for Rare Disorders
NYC Chapter, National Association of Social Workers
Title II Community AIDS Action Network
Westchester Progressive Forum

We expect that many other organizations and individuals will voice their opposition to these proposals before the comment period closes.

Our testimony today will summarize both our concerns with and support for the Department's proposed modifications to the Privacy Rule. Our statement also includes a brief history of the Privacy Rule, and the urgent need within the public and the health care system for strong, enforceable medical privacy safeguards. In addition, we correct the misperception that the long-term cost of implementing the Privacy Rule--along with its companion HIPAA standards--will outweigh the benefits. In fact, the Office of Management and Budget (OMB) released a report last month documenting that protecting privacy, when done hand-in-hand with the related HIPAA rules, will actually result in substantial cost savings.

i. urgent public need for medical privacy

The lack of a national health privacy law has had a negative impact on health care, both on an individual as well as a community level. One out of every six people withdraws from full participation in their own care out of fear that their medical information will be used without their knowledge or permission, as documented by a 1999 survey conducted for the California HealthCare Foundation.
(Available at www.chcf.org.) These privacy-protective behaviors include patients providing inaccurate or incomplete information to doctors, doctors inaccurately coding files or leaving certain things out of a patient's record, people paying out of pocket to avoid a claim being submitted, or in the worst cases, people avoiding care altogether. More specifically, a 1997 survey documenting people's fears about genetic discrimination showed that 63 percent of people would not take genetic tests if health insurers or employers could obtain the results. (Genetic Information and the Workplace, issued on January 20, 1998 by the U.S. Departments of Labor, Health and Human Services, and Justice, and the U.S. Equal Employment Opportunity Commission). And, a recent study involving genetic counselors documents that fear of discrimination is a significant factor affecting willingness to undergo testing and to seek reimbursement from health insurers. (Hall, Mark A. and Stephen S. Rich, Genetic Privacy Laws and Patients' Fear of Discrimination by Health Insurers: The View from Genetic Counselors, 28 Journal of Law, Medicine & Ethics 245-57 (2000).) An April 2001 Harris survey documents that nearly four out of ten (40 percent) people with multiple sclerosis said they have lied or failed to disclose their diagnosis to colleagues, co-workers, friends or even family members out of fear of job loss and stigma. These survey figures come to life in the daily media reports of people being harmed by the use of their health information outside the core health care arena. To highlight just a few: Eckerd's Drug Stores in Florida is being investigated by the State Attorney General for its marketing practices. When Eckerd customers pick up their prescriptions, they sign a log indicating they do not want counseling from a pharmacist. 
Eckerd's has been using that signature as an authorization to use the customer's prescription drug records for mailing promotions and discounts financed by drug companies.

Terri Seargent, a North Carolina resident, was fired from her job after being diagnosed with a genetic disorder that required expensive treatment. Three weeks before being fired, Terri was given a positive review and a raise. As such, she suspected that her employer, who is self-insured, found out about her condition, and fired her to avoid the projected expenses.

The medical records of an Illinois woman were posted on the Internet without her knowledge or consent a few days after she was treated at St. Elizabeth's Medical Center following complications from an abortion at the Hope Clinic for Women. The woman has sued the hospital, alleging St. Elizabeth's released her medical records without her authorization to anti-abortion activists, who then posted the records online along with a photograph they had taken of her being transferred from the clinic to the hospital. The woman is also suing the anti-abortion activists for invading her privacy.

Several thousand patient records at the University of Michigan Medical Center inadvertently lingered on public Internet sites for 2 months. The problem was discovered when a student searching for information about a doctor was linked to files containing private patient records with numbers, job status, treatment for medical conditions and other data.

Joan Kelly, an employee of Motorola, was automatically enrolled in a ``depression program'' by her employer after her prescription drugs management company reported that she was taking anti-depressants.

Eli Lilly and Co. inadvertently revealed 600 patient e-mail addresses when it sent a message to every individual registered to receive reminders about taking Prozac. In the past, the e-mail messages were addressed to individuals.
The message announcing the end of the reminder service, however, was addressed to all of the participants. A few months ago, a hacker downloaded medical records, health information, and social security numbers on more than 5,000 patients at the University of Washington Medical Center. The University conceded that its privacy and security safeguards were not adequate. In the absence of a Federal health privacy law, these people suffered job loss, loss of dignity, discrimination, and stigma. Had they acted on their fears and withdrawn from full participation in their own care--as many people do to protect their privacy--they would have put themselves at risk for undiagnosed and untreated conditions. In the absence of a law, people have faced the untenable choice of shielding themselves from unwanted exposure or sharing openly with their health care providers. ii. the genesis of the privacy rule The current Federal health Privacy Rule is a major victory for all health care consumers, and takes a significant step toward restoring public trust and confidence in our nation's health care system. The regulation promises to fill the most troubling gap in Federal privacy law, setting in place an essential framework and baseline on which to build. Each one of us stands to benefit from the Privacy Rule in critical ways, including greater participation in the health care system, improved diagnosis and treatment, more reliable data for research and outcomes analysis, and greater uniformity and certainty for health care institutions as they develop privacy safeguards and modernize their information systems. 
Most notably, the current Privacy Rule grants people the right to see and copy their own medical records; requires health care providers to obtain patient consent before using their records for treatment, payment and health care operations; imposes limits on using medical records for marketing; imposes safeguards on publicly and privately funded research use of patient data; somewhat limits law enforcement access to medical records; and allows for civil and criminal penalties to be imposed if the Rule is violated.

The Privacy Rule was issued by the Department in December 2000 in response to a mandate from Congress included in the 1996 Health Insurance Portability and Accountability Act (HIPAA), which required that if Congress did not enact a medical privacy statute by August 1999, then the Department was required to promulgate regulations. This rule has been the subject of a lengthy, thorough, and robust rulemaking process--both before and since its December 2000 release in final form. Despite intense pressure from some in the health care industry, the Bush Administration allowed this important regulation to go into effect in April 2001.

The first implementation guidance issued by the Department on July 6, 2001, addresses the many misstatements and exaggerations that some in the industry have been spreading about the Privacy Rule. On its face, the guidance was aimed at calming industry fears, and we hoped it would lead to greater acceptance of the regulation and foster compliance with the regulation. The guidance also indicated the changes the Department intended to propose to make to the regulation.

We acknowledge that the Privacy Rule--as finalized--has serious gaps and weaknesses, some of which can only be remedied by Congress, and some of which are within the Department's authority to regulate.
One shortcoming is that the rule only directly regulates providers, plans and clearinghouses, and does not directly regulate employers, pharmaceutical companies, workers' compensation insurers, and many researchers. The rule also lacks a private right of action that would give people the right to sue if their privacy was violated. Under HIPAA, only Congress and the states are empowered to address these limits. However, where the Department does have the power to strengthen the Rule, it has chosen instead to dilute it. iii. summary of the health privacy project's comments on the department's proposed modifications to consent and marketing A. Consent for Treatment, Payment, and Health Care Operations--Sec. 164.506 Proposed Modification: The Department proposes to eliminate the requirement that health care providers obtain an individual's consent prior to using or disclosing protected health information for treatment, payment, and health care operations. Health Privacy Project Recommendation: The Health Privacy Project recommends that the Department retain the Privacy Rule's prior consent requirement, and make targeted modifications to address the unintended consequences that result from the consent requirement in some circumstances. Rationale: The Privacy Rule requires that health care providers obtain an individual's consent prior to using or disclosing protected health information for treatment, payment, and health care operations. At the core of the Department's proposed modifications to the Privacy Rule is the elimination of this prior consent requirement. In its place, the Department substitutes a requirement that direct treatment providers make a ``good faith effort'' to obtain the individual's written acknowledgment that he or she received the provider's privacy notice. (Section 164.520 of the Privacy Rule requires covered entities to provide this notice of privacy practices.) 
This proposal to eliminate the consent requirement strikes at the very heart of the Privacy Rule and takes away a core privacy protection for consumers. The Privacy Rule's consent requirement is intended to bolster patient trust and confidence in providers and in health care organizations by respecting the patient's central role in making health care decisions. The Department's proposal to eliminate the consent requirement represents a huge step backwards for consumers--and one that will undermine trust in the health care system. This debate is about much more than the label on the piece of paper that a patient signs, or about whether a patient is given two pieces of paper (a notice and consent form) or just one (a notice). There are fundamental differences between a consent process and acknowledgement of a receipt of a notice. Seeking advance permission from a patient before using or disclosing health information acknowledges first and foremost that it is the patient's decision whether to entrust others with his or her private medical information and under what circumstances. The Privacy Rule's consent requirement gives individuals some control over how their health information is used and disclosed. Patients would certainly have more control if consent could be withheld without the provider refusing to provide treatment. However, it is by no means clear that providers will withhold treatment even though permitted to do so, particularly when the individual consents to some uses/disclosures (treatment and payment uses/disclosures), but withholds consent for others (some of the relatively vast number of ``health care operations'' permitted by the Privacy Rule). It is clear that without a prior consent requirement, patients will have no control over how their health care information is used or disclosed beyond the right to request a restriction. 
Asking an individual to acknowledge receiving a privacy notice reinforces that the individual patient has absolutely no say in the matter.

The Privacy Rule's consent requirement is the best way to ensure that patients actually know how their health care information will be used or disclosed and know what their privacy rights are. The process of obtaining consent defines an ``initial moment''--as the Department acknowledges--in which patients can raise questions about privacy concerns and learn more about options available to them. Patients are more likely to read the notice, or at least ask questions about how their information will be used or disclosed, when they are being asked to give their consent. Asking a patient to acknowledge receipt of a notice does not provide a comparable ``initial moment''--especially when the individual is only asked to acknowledge receipt of a piece of paper, not whether they have read the paper or understood it or have questions about it.

From a practical perspective, the consent form required in the Privacy Rule focuses attention on a new right that is central to the consent process--the right to request a restriction. By all accounts, the consent form is much shorter than the notice of privacy practices. Thus, information that is repeated in the relatively short consent form will be highlighted for patients. The Privacy Rule requires the consent form to state that the individual has the right to request a restriction. See Sec. 164.506(c)(4)(i). Including this information in the consent form, as well as in the notice, makes it even more likely that patients will be aware of this important right.

That the Department has chosen radical surgery--total elimination of the consent requirement--when much more targeted, privacy-protective interventions would have sufficed is especially troublesome.
The Department not only proposes to eliminate the consent requirement, it also proposes to delete several provisions that apply when providers or plans choose to require consent. The Privacy Rule includes various provisions that govern the content of the consent form (e.g., it must state that the individual has the right to review the privacy notice before signing the consent form) and the right to revoke. See Sec. 164.506(b) and (c). Under the Privacy Rule, these provisions apply when consent is required and when it is optional. The Department proposes to delete all of these provisions in order to ``enhance the flexibility of the consent process for those covered entities that choose to obtain consent.'' See 67 Fed. Reg. 14780. In addition, the Department proposes to delete provisions governing conflicting consents and authorizations; under the Privacy Rule, covered entities must follow the most restrictive. See Sec. 164.506(e). The Department also proposes to delete the provisions that govern joint consents by organized health care arrangements. See Sec. 164.506(f). By eliminating all of these provisions, the Department takes away important safeguards that should, at the very least, apply when consent is obtained voluntarily.

B. Marketing--Secs. 164.501 and 164.508(a)(3)

Proposed Modifications: The Department proposes to reduce the Privacy Rule's privacy protections that apply to communications that many consumers consider to be ``marketing.'' Under the Privacy Rule, a covered entity that is paid by a third party to encourage patients to purchase or use a product or service that is health related must adhere to certain conditions. In its first communication, the covered entity must give the patient an opportunity to refuse further marketing materials. The covered entity must inform the patient that it is receiving remuneration for making the communication.
Additionally, the marketing materials must identify the covered entity as the party making the communication. The Department proposes to eliminate these requirements by removing from the definition of ``marketing'' all communications that encourage patients to purchase or use products or services that are health related, including communications that a covered entity is paid to make. The Department does propose to retain the Privacy Rule's requirement that a covered entity obtain an individual's authorization prior to using or disclosing health information for ``marketing.'' However, because the Department proposes to contract the definition of ``marketing,'' the prior authorization requirement will apply only to a narrow range of communications--those that encourage the purchase or use of a product or service that is not health related. The prior authorization requirement will not apply to communications that encourage the use or purchase of a health related product or service because such communications are excluded from the definition of marketing, even if the covered entity is paid to make the communication. The net effect of these proposed changes is to substantially weaken the Privacy Rule. Health Privacy Project Recommendations: The Health Privacy Project recommends that the Department: Revise the definition of ``marketing'' to include communications encouraging the purchase or use of a health-related product or service where a covered entity receives direct or indirect remuneration from a third party for making the communication. Revise the Privacy Rule so that a covered entity must obtain an individual's authorization prior to using or disclosing protected health information for all marketing purposes, including communications encouraging the purchase or use of health related products or services where the covered entity has received or will receive direct or indirect remuneration for making the communication. 
Retain the requirement that the authorization notify the individual if the marketing is intended to result in remuneration to the covered entity from a third party.

Further modify the provisions to require that an authorization for marketing specify whether the protected health information is to be used or disclosed for the marketing of health care related services or products or for products and services not related to health care.

Rationale: The Privacy Rule classifies communications that encourage patients to purchase or use products and services in three categories: 1) Communications that are clearly treatment oriented and for which the covered entity does not receive remuneration from a third party (such as a doctor recommending a particular medicine to a patient because it is medically indicated); 2) Communications that are related to health but are at least partially financially motivated (such as a pharmacy being paid by a drug company to send a patient a letter encouraging her to switch her medication to the drug company's brand); and 3) communications that are clearly marketing because they do not relate to health (such as sending vacation advertisements). See Appendix A at 1.

Because the first category of communications is clearly treatment related, there is no requirement for prior authorization to use health information to make these communications. At the opposite end of the continuum, because the covered entity is being paid to use health information to market a product or service that is totally unrelated to health, the covered entity must obtain patients' prior authorization before it can use their health information for these marketing purposes. The treatment of these two categories of health information remains relatively unchanged under the proposed modifications to the Privacy Rule. See Appendix A at 2.
With respect to the second category of communications, those that encourage the use or purchase of a health related product or service and for which the covered entity receives remuneration, the Department initially recognized that covered entities face a financial conflict of interest when they are paid to recommend a certain health related product or service. In light of these conflicts, the current Privacy Rule treats these communications as ``marketing.'' The Privacy Rule permits health information to be used without the patient's prior authorization in these circumstances only if certain conditions are met. The patient must be given an opportunity to opt out of receiving further communications. Additionally, the patient must be notified that the covered entity is the source of the communication and is being paid to make the recommendation. See Appendix A at 1.

Many consumers believe that the Privacy Rule's delayed opt-out approach is insufficient to protect privacy. They have urged the Department to modify the rule to require that covered entities obtain patient authorization prior to engaging in this type of marketing activity (i.e., where the covered entity is paid to encourage the use or purchase of a health related product or service). In response to these concerns, the Department essentially proposes to eliminate the protections (albeit inadequate) that currently exist. The Department accomplishes this by removing paid communications that encourage the use or purchase of a health related product or service entirely from the definition of ``marketing.'' This proposed change effectively allows covered entities to make this type of paid communication without any prior authorization or chance to opt out.\2\ See Appendix A at 2.
---------------------------------------------------------------------------
\2\ The Department's explanation that it is proposing to ``explicitly require covered entities to first obtain the individual's specific authorization before sending them any marketing materials'' ``based on consumer concerns that the marketing provisions in the current rule does not protect individuals' privacy'' is disingenuous at best, given that they accomplish this by removing an entire category of communications from the definition of ``marketing.'' See Department's Press Release, March 21, 2002.
---------------------------------------------------------------------------

We oppose this change on a number of grounds. First, we believe that the determination whether prior authorization for a communication is required should not rest on whether a communication is in some way related to health. The proposed exclusion of ``health related'' communications from the definition of ``marketing'' is extremely broad. It is hard to conceive of a communication that remotely relates to health that would be considered to be ``marketing.'' Many activities that health care consumers would consider marketing and find objectionable would be excluded from the definition of marketing under this proposal. For example, the proposed definition of marketing excludes ``a communication made to an individual . . . to direct or recommend alternative treatments, therapies, health care providers, or settings of care.'' (See Sec. 164.501 (defining ``marketing'').) Under this exception, a pharmacy can be paid by a drug company to identify and select patients based on their health information to send them material encouraging them to switch their prescriptions to the drug company's particular brand of medicine. This ``recommendation of alternative treatment'' is primarily motivated by profit and has little to do with what is medically best for the patient.
Many patients believe that this financially motivated use of their health information is a violation of their privacy.\3\
---------------------------------------------------------------------------
\3\ See e.g., Robert O'Harrow, Jr., Prescription Fear, Privacy Sales, The Washington Post, February 15, 1998 at A1; Henry 1. Davis, ``More Eckerd Questions,'' St. Petersburg Times, March 5, 2002 at 1E.
---------------------------------------------------------------------------
Second, because recommending any health related product or service is not considered to be ``marketing'' there is no requirement that the consumer be informed that the covered entity is receiving remuneration from a third party to make these recommendations. In the above example, patients could receive materials from their pharmacy suggesting that they change their medicine to a different brand without ever being informed that the pharmacy was paid to make the recommendation. This approach encourages providers to engage in practices that are ridden with financial conflicts of interest.\4\
---------------------------------------------------------------------------
\4\ See Bernard Lo, M.D. and Ann Alpers, M.D., Uses and Abuses of Prescription Drug Information in Pharmacy Benefits Management Programs, 283 JAMA 801 at 809 (February 9, 2000).
---------------------------------------------------------------------------
Third, the proposed modification eliminates any control that an individual may have over the use of his protected health information for receiving this type of recommendation. Because these communications are not ``marketing'' there is no requirement that the covered entity obtain prior authorization to use the information in this manner. Furthermore, there is no mechanism by which an individual can remove his or her name from the covered entity's mailing list for these ``recommendations.'' This approach does not respect health care consumers and leaves them powerless.
Expanding the definition of marketing can cure these faults. We believe that marketing should include communications about a product or service to encourage recipients of the communication to purchase or use the product or service where the covered entity receives direct or indirect remuneration for making the communication. We would apply this standard to both health related and non-health related communications. Using this definition presents a rather bright line test. If a covered entity receives payment for a communication, the communication is marketing.
In conjunction with this recommendation, we urge the Department to retain the proposed modification that would require covered entities to obtain an individual's authorization prior to using his or her health information for these marketing purposes. Health care consumers should have control over whether their health information is used for profit-making purposes that are only tangentially related to their health.
Appointment Reminders and Prescription Refill Notices
A number of concerns have been raised about communications, such as appointment reminders and prescription refill notices, that may potentially fall in the gray area of what should be considered to be marketing. We would expect that the vast majority of covered entities do not receive remuneration for sending their patients appointment reminders. Therefore, this type of communication would not be marketing. Likewise, where a pharmacy on its own volition sends a prescription refill notice or advises a patient of a potential adverse drug reaction and suggests an alternative it would not be marketing. However, where a pharmacy receives payment for encouraging patients to refill prescriptions or switch medicine brands, the communication would be marketing.
We recognize that at times this definition may encompass some communications that provide useful information to health care consumers.
However, if a covered entity is receiving payment from a third party for making the communication, it is pursuing activity that is at least partially in its self-interest, as opposed to the interest of the patient. In such a circumstance, the individual should be informed in advance that the covered entity receives remuneration for its communications and should have control over whether his or her health information is used in this manner.
IV. Summary of Health Privacy Project Comments on Other Proposed Modifications
1. Hybrid Entities--Sec. 164.504
Proposed Modification: The Department proposes to modify the hybrid entity provisions in order to allow any covered entity that performs a mixture of covered and non-covered functions to have the option of being designated a hybrid entity or having the entire organization treated as a covered entity. Additionally, the Department would require that a covered entity that elects hybrid status include in its designated health care component(s) any component that would meet the definition of covered entity if it were a separate legal entity. The modifications would permit, but not require, the hybrid entity to designate a component that performs: (1) covered functions; and (2) activities that would make such a component a business associate of a component that performs covered functions if the two components were separate legal entities.
Health Privacy Project Recommendations:
Reject the proposal that any covered entity can elect to be a hybrid entity, and require those covered entities whose primary functions are not covered functions to be hybrid entities and to erect firewalls between their health care components and other components.
Permit (as conditioned below) covered entities whose primary functions are health care to be hybrid entities.
Modify the implementation specifications of the proposed modified hybrid provisions to require that, at a minimum, a hybrid entity must designate a component that performs covered functions as a health care component.
Clarify that a health care provider (including a component of a hybrid entity that provides health care) cannot avoid being deemed a ``covered entity'' if it relies on a third party to conduct its standard electronic transactions.
Clarify that with respect to hybrid entities, a health care provider cannot avoid having its treatment component considered a health care component by relying on a billing department to conduct its standard electronic transactions.
2. Disclosures of Protected Health Information Related to FDA-regulated Products or Activities--Sec. 164.512(b)
Proposed Modifications: The Department proposes to create an extremely broad exception to the general requirement to obtain authorization prior to the disclosure of protected health information. The proposed modification would allow disclosures of protected health information to private entities as part of any data-gathering activity that can be termed ``related to the quality, safety, or effectiveness of such FDA-regulated product or activity.'' Under this proposed modification, disclosures would no longer be required by, or at the direction of, the FDA.
HPP Recommendations: The Health Privacy Project strongly opposes the Department's proposal and urges the Department to retain the current provisions of the Privacy Rule. The Privacy Rule provides a specific series of public health related exceptions to the authorization requirement. The proposed modifications, however, would create a vague and general standard, under the rubric of ``public health,'' that would open the door to the release of protected health information to pharmaceutical companies and arguably to tobacco companies as well.
We do not see a genuine public health need that justifies such a significant expansion in the Privacy Rule.
3. De-Identification--Sec. 164.514
Proposed Modification: The Department is not proposing any substantive modifications to the de-identification provisions of the Privacy Rule at this time, but is considering the creation of a limited data set that would not include ``facially identifiable'' health information. This data set would be available for research, public health, and health care operations purposes presumably without authorization. In addition, the Department is considering the requirement that covered entities obtain data use or similar agreements from recipients that limit the use and disclosure of the data set and prohibit the recipients from re-identifying or contacting individuals.
Health Privacy Project Recommendations: The Health Privacy Project supports the Department's decision to maintain the de-identification provisions. Before proposing an approach for the use or disclosure of a limited data set, the Department must carefully consider what identifiers can safely be included and the adequacy of privacy protections for the data set. We have specific concerns about the ease with which identifiable information that does not include direct identifiers can be combined with other data to directly identify an individual, as well as concerns about the enforceability of data use agreements.
4. Research--Secs. 164.512(i), 164.508(f), 164.508(c)(1), 164.532
Proposed Modifications: The Department proposes to:
(1) modify the waiver of authorization provisions.
(2) clarify that the Privacy Rule's provisions for IRBs and privacy boards would encompass a partial waiver of authorization for purposes of recruiting research participants.
(3) maintain an individual's right to revoke an authorization.
(4) permit research authorizations to be combined with other legal permission to participate in a research study.
(5) permit an authorization to use or disclose protected health information for the creation and maintenance of a research data base without an expiration date or event, but limit it to the purpose of creating or maintaining that data base.
(6) permit the use of individually identifiable health information after the compliance date for research protocols that received a waiver of authorization from an IRB prior to the compliance date.
Health Privacy Project Recommendations: The Health Privacy Project:
(1) is pleased that research protocols will still be required to meet waiver criteria that are more narrowly focused on the privacy interests of the research participants.
(2) is pleased that the Department is not proposing modifications to the provisions on reviews preparatory to research so that researchers could remove protected health information from a covered entity's premises for recruitment purposes.
(3) commends the Department for retaining an individual's right to revoke a research authorization, but recommends further guidance on how to implement the revocation requirement.
(4) urges the Department not to permit research authorizations to be combined with an informed consent to participate in a study.
(5) strongly agrees with the Department that the expiration date exception for the creation and maintenance of data bases should not be extended to authorizations for further research or any other purpose.
(6) recommends that a research study that receives a waiver of authorization from an IRB prior to the compliance date, but begins after the compliance date, be re-evaluated to ensure that adequate privacy protections are in place.
5. Individual Authorization--Sec. 164.508
Proposed Modifications: The Department proposes to:
(1) streamline the authorization process by consolidating the different authorizations in the Privacy Rule under a single set of criteria and removing some core elements from the authorization requirement.
(2) tighten provisions on the use and disclosure of psychotherapy notes so that psychotherapy notes cannot be used or disclosed without individual authorization for another entity's treatment, payment, and health care operations purposes.
(3) add clarifying language so that an individual who initiates an authorization would not be required to reveal the purpose of his or her request.
(4) maintain the individual's right to revoke an authorization.
Health Privacy Project Recommendation: The Health Privacy Project applauds the Department's proposal under numbers (2), (3) and (4) above. However, while we support the Department's effort to simplify the authorization provisions, we strongly urge the Department to: (a) retain the core elements required for research authorizations involving treatment of an individual under the Privacy Rule; (b) require remuneration disclosures in all authorizations, not only in authorizations for marketing; and (c) retain the plain language requirement as a core element of a valid authorization. It is critical that an individual knows how his or her information will and will not be used or disclosed so that s/he can make an informed decision about giving authorization. Furthermore, any request for individual authorization to use or disclose information must be communicated in a manner that can be understood by the average reader so that people know what they are authorizing.
6. Accounting of Disclosures--Sec. 164.528
Proposed Modification: The Department proposes to expand the list of exceptions to the accounting of disclosures requirement so that it no longer requires covered entities to account for any disclosures made pursuant to an individual authorization.
Health Privacy Project Recommendation: The Health Privacy Project opposes the Department's proposal and urges the Department to retain the requirement that disclosures of protected health information made pursuant to an authorization be included in an accounting of disclosures.
Removing authorized disclosures from the accounting takes away the individual's means of verifying that his or her information was disclosed as specified in the authorization. Such a modification would also hinder an individual's ability to detect authorizations that have been fraudulently submitted or altered.
7. Balancing the Rights of Minors and Parents--Sec. 164.502(g)(3)
Proposed Modification: The Department proposes to modify the Privacy Rule's approach to balancing the rights of minors and parents by permitting covered entities to decide when to disclose protected health information about a minor to a parent in cases where State or other applicable law is silent or unclear.
Health Privacy Project Recommendations: The Health Privacy Project opposes the proposed modifications because they would deter minors from obtaining critical health services, such as mental health care, substance abuse treatment, and testing and treatment for sexually transmitted diseases. We recommend that the Department retain the approach in the current Privacy Rule, except its approach to non-preemption of State laws that are less protective of a minor's privacy. Specifically, we recommend that the Department apply the same preemption rules to State laws pertaining to minors and disclosures to parents that the Department applies to other State laws, as HIPAA requires.
8. Disclosures for Treatment, Payment, or Health Care Operations of Another Entity--Proposed Sec. 164.506(c)
Proposed Modification: The Department proposes several modifications to clarify how covered entities may use or disclose protected health information for treatment, payment, or health care operations, and to permit covered entities to disclose protected health information to other entities (including non-covered entities) for the second entity's treatment, payment, or health care operations activities.
Health Privacy Project Recommendation: Most troubling is the Department's proposal to permit covered entities to disclose protected health information to other covered entities for the recipient's health care operations. This constitutes a significant alteration of the structure of the Privacy Rule, and the Department is proposing it without adequate justification. The Health Privacy Project recommends that the Department reconsider the necessity for such a change and assess whether the concept of ``organized health care arrangement,'' which already is part of the Privacy Rule, addresses the quality assurance issues raised in the preamble. If the Department pursues modifications along these lines, the Department should craft narrow language that addresses actual problems--and only the problems identified in the preamble.
9. Definition of Protected Health Information and Proposed Exclusion of ``Employment Records''--Sec. 164.501
Proposed Modification: The Department proposes to amend the definition of ``protected health information'' in section 164.501 to explicitly exclude ``employment records,'' referred to in the preamble as ``individually identifiable health information . . . held by a covered entity in its role as employer.'' 67 Fed. Reg. 14804.
Health Privacy Project Recommendation: The Health Privacy Project opposes this proposal because it threatens to undermine important safeguards in the Privacy Rule. The plain language of the proposed text appears to move outside of the Privacy Rule any use or disclosure of employees' health plan records, as well as information shared with an employer's on-site clinic where that clinic is a covered provider under the current Privacy Rule. Thus, through a sweeping ``technical correction'' in the applicable definition, this proposal takes health information that is protected by the Privacy Rule and renders it unprotected.
This is especially dangerous because of the legitimate concern people have that employers will use protected health information, including genetic information, inappropriately to make employment-related decisions (such as deciding which employees to promote or fire).
10. Disclosure of Enrollment and Disenrollment Information to Sponsors of Group Health Plans--Proposed Sec. 164.504(f)(1)(iii)
Proposed Modification: The Department proposes to permit group health plans (as well as HMOs and issuers) to disclose to the sponsor of the group health plan (usually an employer) information on whether an individual is participating in the group health plan (or is enrolled in, or has disenrolled from, the HMO or issuer).
Health Privacy Project Recommendation: The Health Privacy Project supports this proposed modification because it is limited to information about whether the individual is participating in or enrolled in the plan and does not permit the disclosure of any other protected health information.
11. Minimum Necessary and Oral Communications--Secs. 164.502(a) and Sec. 164.530(c)
Proposed Modification: The Department proposes to: modify the Privacy Rule to add a new provision which would explicitly permit certain ``incidental'' uses and disclosures that occur as a result of an otherwise permitted use or disclosure under the Privacy Rule; and modify the administrative requirements to expressly require covered entities to reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Health Privacy Project Recommendation: The Health Privacy Project does not believe a modification expressly permitting incidental uses is necessary, but understands that the Department wishes to calm the fears of some of those in the health care industry.
We commend the Department for including a related modification that expressly requires covered entities to reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
12. Business Associate Transition Provisions--Sec. 164.532(d) & (e)
Proposed Modification: The Department proposes new transition provisions to allow most covered entities to continue to operate under certain existing business contracts with business associates for up to 1 year beyond the current compliance date for the Privacy Rule.
Health Privacy Project Recommendation: The Health Privacy Project recommends that the Department retain the existing compliance date for all aspects of the Privacy Rule. The Department has provided covered entities with a model business associate contract which should ease compliance efforts.
V. Cost: OMB Reports Privacy Regulation Will Save Money
According to a March 2002 report just issued by OMB's Office of Information and Regulatory Affairs (OIRA), the Department estimates that the cost associated with implementing the Privacy Rule (approximately $17 billion over 10 years) will be greatly offset by the cost savings associated with implementing HIPAA's transactions standards (approximately $29 billion saved over 10 years). See Appendix B for excerpt of report.
The cost of implementing the Privacy Rule must not be viewed in isolation. The Privacy Rule is an integral--and necessary--part of a package of Administrative Simplification rules. The goal of standardizing electronic health care transactions is to create efficiencies and save money. When the Privacy Rule is implemented together with the transactions standards and other Administrative Simplification rules, as contemplated by Congress, a net savings will be achieved.
Finally, we must also acknowledge the benefits reaped by increased patient participation in health care and research, as well as the qualitative benefits that are achieved by furthering this important societal value.
Conclusion
When President Bush allowed the Privacy Rule to go into effect last April, he issued a strong statement about the need to protect patient privacy and foster confidence that people's ``personal medical records will remain private.'' The President also pledged during his campaign to support a law requiring that a ``company cannot use my information without my permission to do so,'' and expressed support for strong laws protecting medical and genetic privacy. In fact, William Safire dubbed him the ``privacy President'' in a New York Times column shortly after the Privacy Rule went into effect. But, if the Department's proposed changes become final, the Privacy Rule will legalize many of the practices that caused public outcry for a law.
We urge the Bush Administration not to roll back the important gains our country has made in protecting the privacy of people's medical records. We urge policymakers to look at the substantial progress being made by doctors, hospitals, and health plans in complying with the Rule. And finally, we urge that glitches in the regulation be addressed through narrowly tailored fixes that preserve the integrity of the final Rule.
The Chairman. I think if someone heard you and heard Mr. Allen both describing the same piece of legislation, they would wonder how they could. We are grateful for your testimony. Dr. Harding.
STATEMENT OF RICHARD HARDING, M.D., PRESIDENT, AMERICAN PSYCHIATRIC ASSOCIATION
Dr. Harding. Thank you, Mr. Chairman and Senator DeWine. I am Richard Harding, President of the APA, American Psychiatric Association, and Professor of Psychiatry and Pediatrics at the University of South Carolina.
I am also proud to be a member of the National Committee on Vital and Health Statistics, as you mentioned, but I am here speaking for myself and for the American Psychiatric Association. I want to express my appreciation for being here and for your committee's commitment to protecting medical records. I would also like to compliment you on your efficient and professional staff, who have been most helpful to all of us coming up to this hearing. Medical privacy and medical record confidentiality are issues about which all Americans are deeply concerned, at least 94 percent, as the Senator was saying. Recently the Department of Health and Human Services has proposed regulations which will probably reduce administrative burdens on physicians and covered entities, probably. And, as such, this is appreciated as a physician speaking, but it is important to recognize that they are inadequate to protect patients. The APA objects to the elimination of consent by citizens because the citizens own the consent, and the substitution of a regulatory permission by Health and Human Services. We strongly believe patients should be able to choose who will see their medical records and to be fair, in the proposed changes a privacy notice is substituted for the written consent, but this is not privacy. Nor is protection of the patient's information. We found that out last week when a company was selling postal addresses and telephone numbers because citizens did not notice in the long privacy notice that only email addresses would not be released. It concerns me that the patients, under the proposed rule, do not have authority over their medical record, even if the patient pays out of their pocket, which is a rapidly growing trend because of the issue of privacy. 
The APA understands that there are previously described circumstances where a covered entity needs to use or disclose personal health information prior to the initial face-to-face encounter with a patient and therefore to obtaining consent. It would seem to me that the remedy for this is to modify the consent requirement in the privacy rule. The Department of HHS has overcorrected a problem, by a proposed elimination of the traditional patient right of affirmative consent altogether. This is a truly sea change event in American medicine, to go to this way of handling consent. The APA recommends Health and Human Services retain the privacy rule's prior consent requirement with targeted modifications, as mentioned in previous testimony.
Briefly on marketing, marketing is defined, and I think it is important to define it, as ``to make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service.'' The HHS proposed changes to the marketing provisions appear to require authorization before the patient receives marketing materials. In so doing, that is well intended, but it is flawed. There is no real effective privacy safety net against commercial usage. The real problem is the exclusions to the term ``marketing'' swallow the rule. Under the proposed changes, a long list of programs is not considered marketing. Marketers can use things such as disease management, as mentioned before, wellness programs, case management, prescription refills and so forth to send marketing materials. The regulations do not clearly restrict these marketing loopholes from abuses, and I will not get into the examples of that, which have already been stated.
It is my experience as a practicing physician that patients have never dreamed of their personal health information being used for marketing. That just does not enter their minds. This is especially critical for marketing to minors.
I strongly urge the committee to join us in requesting HHS require a patient's consent and their authorization for marketing before medical information is released under HIPAA. We thank you for this opportunity to testify and respond to your questions and continuing to work with the committee on these important issues. Thank you.
[The prepared statement of Richard Harding, M.D. follows:]
Prepared Statement of Richard Harding, M.D.
Mr. Chairman, and members of the Committee, I am Richard Harding, M.D., testifying on behalf of the American Psychiatric Association (APA), a medical specialty society, representing more than 40,000 psychiatric physicians nationwide. I serve the APA as its President and am currently Professor of Clinical Psychiatry and Pediatrics at the University of South Carolina School of Medicine. In addition, I serve as Vice-Chairman for Clinical Affairs of the Department of Psychiatry and maintain a busy outpatient practice. While I also serve on the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics within the Department of Health and Human Services (HHS), the views I am presenting today are my views and the views of the American Psychiatric Association.
First, I would like to thank Chairman Kennedy and the members of the Committee for the opportunity to testify today. My oral comments will be limited to two major concerns: consent and marketing. My written testimony is significantly more expansive as it reflects APA's comments on all of the NPRM privacy regulation changes, that we will formally submit to HHS, and I ask that it be made part of the hearing record.
Mr. Chairman we greatly appreciate your commitment to protecting medical records privacy. Privacy and particularly medical records privacy is an issue that not only affects all Americans but also one that they are deeply concerned about.
On behalf of our profession and our patients I thank you for holding this hearing on the recent changes HHS made to the Medical Privacy Regulation.
While the Department of Health and Human Services (HHS) proposed HIPAA privacy regulation changes will reduce the burden on physicians and other healthcare providers, it is important to recognize they are inadequate to protect patients. The APA objects to the proposed elimination of the consent requirement that patients give written consent before their records are disclosed to physicians, hospitals or insurance companies. Under the proposed changes, consent is optional for direct treatment providers. HHS now gives their ``regulatory permission'' to allow a patient's information to be freely disclosed to health plans, providers, and clearing houses without the patient's consent.
The APA strongly believes patients should be able to choose who will see their medical records. The elimination of the consent requirement is a significant change not only to the historic doctor-patient treatment relationship but also an impediment to physicians' efforts to provide the best possible medical care. The consent requirement gave the physician the opportunity to discuss where their medical information would be released. We need to take steps to ensure that doctor-patient confidentiality is preserved and strengthened.
It is troubling to me as a practicing psychiatrist that a patient, under this rule, does not have consent authority over their medical records even if the patient pays out of pocket for their treatment. The proposed changes to the rule eliminate patient protection in a private payment situation with their provider by allowing information to be released without the patient's consent. For example, celebrities who seek help from a substance abuse center and pay in cash to be anonymous should be allowed to do so without their health information being released.
Similarly, Medicare patients who elect to personally pay for treatment should not be at risk from the prying eyes of government.
Under the proposed changes, a privacy notice is substituted for consent. A privacy notice serves as a long and cumbersome notice that the records will be released. This is not privacy nor is it a protection of the patient's information. Furthermore, why must an ill patient have to look in the required privacy notice, which could be ten pages long as stated by the American Hospital Association? Buried within this lengthy notice is where a patient's medical information will be sent. As we have found out last week internet companies are selling a person's postal address and telephone number because the consumer did not notice in the long privacy notice that only e-mail addresses would not be released.
The APA recommends HHS retain the privacy rule's prior consent requirement, with targeted modifications to address the unintended implementation hurdles that result from the consent requirement in a couple of circumstances.
While the HHS proposed changes to the marketing provision appear to require an authorization from a patient before the patient receives marketing materials is well intentioned, the devil is truly in the details. The APA is concerned about the loopholes in the definitions of marketing through the enumerated exclusions from the appearance of protection by the so called marketing definition. There is no real effective privacy protection safety net against commercial usage of private patient information.
Under HHS's changes, marketeers can use disease management, wellness programs, prescription refill reminders, case management and other related communications to send their marketing materials. These programs are not considered marketing. The regulations do not clearly restrict these marketing loopholes from abuses.
It clearly is not in the best interest of the patient for a drug store to send a prescription refill reminder without the patient's authorization after the pharmacist was compensated by a pharmaceutical company. Recall not too long ago drug stores admitted to making patient prescription information available for use by a direct mail company and pharmaceutical companies. Now a pharmacy not only would be able to legally sell to a pharmaceutical company a list of patients that have been prescribed certain drugs in order to promote alternative drugs, but also the pharmacy could now in its own self financial interest in a medication's more profitable cost to them be suggesting a change in medication refill. The marketing communication would no longer need to identify the covered entity as the one making the communication, or need to state compensation was received. Moreover, the fund raising provisions despite overwhelming testimony to the NCVHS urging that there be an ``opt in'' (prior consent) not ``opt out'' after the fact, using without permission an individual patient's name for the fund raising purposes of the covered entity. Can you imagine sending out millions of letters telling you the names of persons served in your substance abuse treatment program--without their consent or authorization, and only thereafter, if the fund raiser wishes to do it again, then have to ask for the individual's permission to use her or his name in the fundraising endeavor. Does this sound reasonable to anyone? I strongly urge the Committee to join us in requesting HHS require a patient's consent and their authorization for marketing before their medical information is released under the Health Insurance Portability and Accountability Act (HIPAA). 
Also, in closing let me just briefly summarize our comments on parental rights to a minor's medical records, to wit: there should be no changes to these provisions which have the effect of reducing access to health care by adolescent patients. We thank you for this opportunity to testify, respond to your questions and continuing to work with the Committee on these important issues. The Chairman. Dr. Clough. STATEMENT OF JOHN C. CLOUGH, M.D., DIRECTOR, HEALTH AFFAIRS, CLEVELAND CLINIC FOUNDATION Dr. Clough. Good morning, Mr. Chairman, Senator DeWine. I am Dr. John Clough, Director of Health Affairs at the Cleveland Clinic Foundation and I have also been a practicing Rheumatologist there for over 30 years. The Cleveland Clinic Foundation supports Federal privacy protections for identifiable patient information. The privacy rule would give patients their first-ever Federal protection of identifiable health information and proposed modifications would improve it significantly. For the first time, Federal standards prohibit the use and disclosure of patient information for purposes other than treatment, payment, and health care operations without patient authorization. This morning I will focus on the proposed modification to the consent provision, as well as an important modification that the department is considering with respect to how patient information is deidentified. We support the proposed modification to the consent requirement for the following six reasons. First, this modification would remove barriers to patient access to care while strengthening patient privacy protections. The Cleveland Clinic, with 1.6 million patient visits annually and over 50,000 admissions annually, routinely receives information from patients, from referring physicians around the world, and uses this information to schedule and prepare for examinations and procedures before the patients arrive. 
Prior consent, perhaps requiring an extra trip, would have to be obtained before any use of this patient information. Other inevitable problems include patients being unable to discuss their care over the telephone with covering physicians because these providers may not have signed consent forms. The same problem would preclude nurses staffing telephone call centers, such as the Cleveland Clinic's nurse-on-call service, from advising patients in many cases. The proposed modification eliminates these barriers to care without weakening privacy protections. It would strengthen the notice requirement by requiring that providers give patients a notice of their rights and obtain acknowledgement that they signed it. Second, the suggestion that the department make exceptions for every problem that arises as a result of the consent requirement, as opposed to fixing the underlying problem, makes little sense and is unworkable. Furthermore, the fact that HIPAA allows modifications to the privacy rule only once annually would produce long delays in getting problems fixed. Third, some have claimed that many States already have similar consent requirements. In fact, no State has a similarly broad prior consent requirement. Maine did attempt it in 1999, but had to suspend their law after only 12 days because of severe disruption of patient care. Fourth, the modification making consent optional is a workable compromise of two diametrically opposed approaches taken in the Clinton proposed regulation and the Clinton final regulation. In November 1999 the Clinton Administration's proposed privacy regulation prohibited providers from obtaining prior consent. They argued that such authorizations could not provide meaningful privacy protections or individual control and, in fact, could culminate an individual's erroneous understandings of their rights and predications and could impair care. 
In response to objections to this approach, the Clinton Administration reversed itself and mandated prior consent in the final rule. The proposed modifications strike the right balance between these two extremes. Fifth, even advocates for the most stringent privacy regulations testified last year that the prior consent requirement was meaningful and coerced because if the patients refused to sign the consent, the provider could deny treatment. Six, various press articles have suggested that physicians do not support the modification to the consent provision. It is important for Members of Congress to realize that many, if not most physicians organizations support the modification. In an April 10 letter to Congress, which is attached to my statement, organizations representing family physicians, surgeons, cardiologists, OB-GYNs and others, over 400,000 physicians in all, express support for making consent optional. I might add that many of those are members of the AMA. With respect to research and deidentification of patient information, the modifications proposed by the department make several key improvements that will eliminate unnecessary barriers to the conduct of research while protecting patient confidentiality. The modifications simplify the procedures and paperwork involved. In addition, however, we believe that the regulations should permit a limited set of facially deidentified data to be disclosed for research purposes. The department has said it is considering such a change. Under the final rule some 18 characteristics would need to be removed to deidentify data. However, the 18 include such items as zip code, admission and discharge dates, dates of death and age that do not facially identify individuals and they are often important in epidemiological research, as well as in hospital disease surveillance activities, particularly important in detecting bioterrorism. Mr. Chairman, that concludes my statement. 
Thank you again for giving me this opportunity to testify this morning and I would be happy to answer your questions. [The prepared statement of John Clough, M.D. follows:] Prepared Statement of John C. Clough, M.D. Good morning. I am Dr. John D. Clough, Director of Health Affairs for the Cleveland Clinic Foundation. I am also a practicing rheumatologist. The Cleveland Clinic Foundation strongly supports meaningful Federal privacy protections for identifiable patient information. The privacy rule is intended to give patients the first-ever Federal protection of their identifiable health information. We believe the recently proposed modifications would make major and necessary improvements to the final rule that will help achieve privacy goals without erecting barriers to high quality and timely health care for patients. What has been missed in much of the reporting and debate about the modifications is that they retain, and actually strengthen, the most important new protections for patients. For the first time, Federal standards prohibit the use and disclosure of patient information for purposes other than treatment, payment, and health care operations without patient authorization. Thus, disclosing a patient's name and diagnosis to a newspaper, a bank, an employer, a marketer, without the prior, specific, written authorization of the patient is prohibited. The rule also gives patients new rights under Federal law to receive notice of their rights, to be informed as to how their information can and cannot be used, and to access their own medical record. In spite of the fact that the proposed modifications keep intact these protections and actually strengthened many of them, virtually all of the attention of late has focused on the ``prior consent'' requirement. 
This morning I will focus on the modification to the consent provision, as well as an important modification that the Department is considering with respect to how patient information is ``de-identified.'' Consent We strongly support the proposed modification which would make it optional, rather than required, for providers to obtain a signed, written consent form before using or disclosing identifiable information for treatment, payment, and health care operations. First: This modification would remove barriers to timely patient access to care created by the requirement in the final rule, while retaining and even strengthening strong patient privacy protections. The following are a few of the many examples from the Cleveland Clinic's vantage point of how the requirement, without the proposed modifications, would create significant barriers to patient access to care. The Cleveland Clinic and other hospitals routinely receive information about a patient from referring physicians and use this information to schedule and prepare for procedures prior to the patient presenting themselves at the hospital. Prior consent would have to be obtained before any use of the patient's information for treatment. Thus, we could not use information to schedule procedures or begin intake procedures until we had such consents. This would be problem enough for the Cleveland Clinic, where 1.6 million visits are on an outpatient basis each year. But, the disruption and delay for patients should be viewed in the totality of their care from beginning to end. For the patient, the consent requirement would mean multiple trips to sign a new consent form before receiving care at every point. 
It would mean signing one consent form before visiting their physician, another before referral to a specialist, another before getting an MRI, one more before scheduling surgery at the hospital, another for the ambulance ride to the nursing home, another before sending someone to pick up a prescription, and on and on. Other inevitable problems included patients being unable to discuss their care over the telephone with physicians, nurses and others covering for their colleagues during non-business hours because these providers may not have a signed consent form. Also, nurses staffing telephone call centers would be prohibited from advising patients in many cases because there is not opportunity to obtain prior written consent from the patient. The proposed modification eliminates these barriers to care without eliminating privacy protections. It is the written notice, not the consent form, that is the means by which patients are informed of their rights and how and with whom their information may and may not be used. The modification retains and strengthens the notice requirement in the final rule by requiring that providers give patients the notice and obtain an acknowledgment that the patient has received it. Second: The suggestion by some that the Department make exceptions for every problem that arises as a result of the consent requirement, as opposed to fixing the underlying problem, is unworkable. The Department cannot possibly anticipate every problem that could arise, as dozens have become apparent since issuance of the final rule a year and a half ago. More will arise after the rule takes effect. Because the Health Insurance Portability and Accountability Act (HIPAA) allows modifications to the privacy rule only once each year to address such problems, patients would have to suffer through disruptions and delays in care for over a year before such problems could be fixed. 
Third: Some have claimed that many States already have similar consent requirements. In fact, today NO State has a similarly broad prohibition on use and disclosure of information for treatment, payment and health care operations without prior consent. One State--Maine--did attempt such a broad prior consent requirement in 1999. The Maine law was suspended in an emergency session of the legislature after only 12 days because of severe disruptions in patient care. Fourth: The modification making consent optional is a workable compromise of two diametrically opposed approaches taken in the Clinton proposed regulation and the Clinton final regulation. In November 1999, the Clinton administration's proposed privacy regulation not only rejected the idea of mandating that providers obtain consent, it went so far as to prohibit them from obtaining it. In doing so, the Clinton administration argued that ``(s)uch authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.'' In addition, they maintained that separate authorization for routine referrals ``could impair care.'' Many physician and other groups objected to the prohibition on obtaining consent. In response, the administration went to the other extreme and mandated prior consent in the final rule. The recently announced modifications strike the right balance between these two extremes. Providers may obtain consent if they wish to do so. However, a provider will not have to delay treatment. Fifth: Even advocates for the most stringent privacy regulations testified last year that the prior consent requirement was ``meaningless'' and ``coerced'' because if the patient refused to sign the consent, the provider could deny treatment. 
If the patient refuses to sign, there are many situations in which laws, regulations, practice guidelines, and our code of ethics requires physicians to treat the patient. The physician following the code of ethics would then be in violation of the privacy regulation and subject to civil and even criminal penalties. Sixth: Various press articles have suggested that physicians do not support the modification to the consent provision. It is important for Members of Congress to know that many, if not most, physician organizations support the modification. In an April 10 letter to Congress which is attached to my statement, organizations representing family physicians, surgeons, cardiologists, OB/GYNs, and others--over 400,000 physicians in all--expressed support for making consent optional. Research and ``De-identification'' of Patient Information The modifications proposed by the Department with respect to research make several key improvements that will eliminate unnecessary barriers to the conduct of life-saving research, while maintaining important protections for patient confidentiality. In particular, the modifications simplify, for patients and researchers, the procedures and paperwork involved. However, one additional revision to the privacy regulation is needed. We believe the regulations should permit a limited set of data which has been ``facially de-identified'' to be disclosed for research purposes. The Department is considering such a revision, but has invited further comment before making a final decision to make the change. The stringency of the final rule's requirements for de-identifying information prompts concerns that the standard would render data useless for much research. Under the final rule, some 18 characteristics would need to be removed from data to render it ``de-identified.'' Most of the characteristics make sense, such as names and addresses, which could directly identify an individual. However, some do not. 
For example, zip codes, admission and discharge dates, date of death, and age do not directly identify an individual. However, such information is often critical to conducting research. Epidemiological studies routinely use hospital admission and discharge dates, date of death to track and understand diseases. Such studies have taken on new importance with the threat of bioterrorism. Hospitals need to be able to share de-identified information for such purposes, as well as for improving the quality of care for patients, and improving community health services. Under the final rule, sharing this information is not permitted. There may be no other issue that has so united those in health care; the change is supported by virtually every corner of the health care community. This includes groups ranging from the Association of American Medical Colleges, the American Medical Association, State hospital associations, patient and consumer groups. Attached to my statement are two letters from these groups. Mr. Chairman, that concludes my statement. Thank you, again, for giving me this opportunity to testify this morning. I will be happy to answer your questions. The Chairman. Thank you very much for your very interesting statement, which I think with the other statements puts this in some perspective. I would like to ask Ms. Goldman, the difference between notification and consent and how you respond to points which were raised recently by Dr. Clough and others about these areas of treatment which are necessary and really in the interest of the patient, and by failing to do sort of a more comprehensive, like the administration is doing, that we really can be perceived as putting the patient at risk. These are some of the balances. Your response? Ms. Goldman. I think it is important to keep in mind that we put the patient at risk today by not protecting privacy and we have data that shows that, that people are putting their own care at risk. 
They are withholding information and they are afraid to seek care. So people are at risk. Protecting privacy does not put them at risk, particularly if there are doctors who want to get the consent to their patients before using their information to treat them or to pay for their care. Someone may decide to pay out-of-pocket and the consent form gives them the opportunity to say to their doctor, ``I am going to pay out-of-pocket, so I do not want to consent to have the information shared for payment purposes.'' Many doctors, I think, including Dr. Harding and others, would say that they would want to use the consent. It is optional certainly for them to decide they want to mandate it, but they do not have to do that. And asking someone to consent to having their information used is certainly different than asking them to sign a notice just telling them how their information is going to be used. It is a dramatically different kind of piece of paper and not one I think which is just about paperwork burden, but which is involving the patient in decisions about his or her care. The Chairman. Well, how do you respond to these points that have been raised that by not taking--we have had the example of the pharmacist and we have had doctors mention these other kinds of areas. Are you suggesting that we have the right to privacy or the consent form and then have exceptions for these particulars? And can you ever get enough on the list? Your answer? Ms. Goldman. Well, the Health Privacy Project has been saying for a year that certain glitches and certain unintended consequences in the privacy regulation should be fixed. We think they should have been fixed a year ago. So we think that what the secretary of HHS should have done was to make targeted modifications to the privacy regulation to address the consent problems. Pharmacies should have--this problem should be fixed. 
Making referrals, exactly the same problem, that information occasionally needs to be received before a prescription is filled or a referral is made. Those are glitches that should have been fixed and we say in our testimony very specifically, we make recommendations that those problems should be fixed. But there is no need, and I think it is unjustified to use those examples to eliminate the consent requirement completely. The Chairman. Dr. Clough. Dr. Clough. The problem, I think, is that glitches as they occur under the current rule would interfere with treatment and would interfere with it until they get corrected. Glitches under the other approach would not interfere with treatment and could be corrected later with less disruption of care. And with respect to prior consent, I would say that if you think about what happens in a physician-patient encounter, when I first see a patient, I have never seen them before, they have never seen me before and I am asking them to sign a blanket agreement that what I do is okay, I think that is less meaningful than getting some information on the table, deciding what it is that needs to be consented to, and then get the consent for treatment because I think that is where the important consent really is. Patients can tell me that they do not want their information released and I respect that and I do not release it if they do not want it released, and I think every physician does that. So I would say that these modifications improve the functionality of the rule without diluting it and give a chance to change the rule in the direction of greater privacy if that is necessary, but without interfering with patient care in the process. Ms. Goldman. Mr. Chairman, can I respond to what Dr. Clough has said? The Chairman. Go ahead. Ms. Goldman. 
It is an interesting point that when a patient asks him to maintain confidentiality and not to share information, that he respects that and the consent form that is in the final regulation gives his patients the opportunity to have that conversation with him. It is exactly that initial moment that triggers that kind of a conversation. A notice is much less likely to ever trigger that conversation and ever allow for that to happen between Dr. Clough and his patients. The Chairman. I am going to have to submit the other questions, but I thank you. This is an enormously important area. As I said, there are few values that we have that are really more important than privacy as a country and a society and I think in the medical area it is right at the top. We have heard a lot of good testimony today, conflicting testimony, but it does not lessen the importance that I think we have as a committee and as a Senate to do what is necessary in terms of both giving the assurance of good treatment, but also in terms of protecting the privacy, and we are committed to trying to do that. I thank our panel very much. We will submit some questions for you. The hearing stands in recess. ADDITIONAL MATERIAL Prepared Statement of the American Hospital Association The American Hospital Association (AHA) and its nearly 5,000-member hospitals, health systems, networks, and other providers are committed to safeguarding patients' medical information and ensuring that patients understand and have appropriate access to their medical information. We believe Congress shared these goals when it enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Unfortunately, the final regulations implementing that vision elevated bureaucracy above common sense in a number of crucial respects. 
Before the Administration proposed changes last month, the rule's most alarming provision for hospitals and our patients was the requirement that patients read, review and return a 10-page privacy notice and a separate consent form before they could be cared for. Hospitals were deeply distressed by visions of parents with sick or injured children being met at the hospital door not with care and compassion, but with a lengthy privacy notice that had to be read, and a consent form that had to be signed, before care could be provided for the child. Yet, that is precisely what the medical privacy regulations required hospitals to do. Make no mistake--hospitals are genuinely committed to ensuring that patients know how their medical information is being used, what their rights are and how they can exercise them. That is not up for debate. What is up for debate is whether the current medical privacy regulations enhance medical privacy or frustrate it by delaying care for patients. The current privacy rule prohibits patients and their physicians from scheduling any testing procedures, outpatient surgery or other care the government determines isn't an emergency until the patient (1) receives and reads their privacy notice, and (2) signs and returns the consent form to the hospital. For hospitals, the answer is clear: the written consent requirement will frustrate patients and providers to no necessary end. To test consumer reaction to these written consent requirements, the AHA commissioned an independent research firm, Market Strategies, to poll more than 900 consumers this month about their reaction to the way hospitals were required to implement the consent requirement under the medical privacy regulation. Here's what consumers told them: 86 percent think asking a sick person to sign a legal document that could be 10 pages when they see a doctor, nurse or pick up a prescription at the pharmacy is an unnecessary burden. 
85 percent agree that elderly Americans will be hurt the most because they see many different physicians and often have someone else pick up prescriptions for them. 84 percent believe that time spent in a doctor's office should be spent on patient care, not filling out more paperwork. 77 percent agree that the government should not make hospitals wait to schedule tests until the patient reads the privacy notice and signs and returns a consent form to the hospital. The April poll confirms what the AHA had learned earlier this year from a series of four focus groups that Market Strategies conducted in Tampa and St. Louis. When apprised of the written consent requirements, consumers said: ``This will be a paperwork nightmare.'' ``They should simply require that hospitals and pharmacies post this [privacy notice], but signing a form is ridiculous.'' ``I've waited 2 hours to see the doctor and he's got to do all this?'' The recent announcement by the Department of Health and Human Services (HHS) that it was proposing to replace redundant written consent requirements with a written acknowledgment came as welcome news. That proposal does not weaken, much less eliminate, any of a patient's privacy rights. It does not change the fact that hospitals are not permitted to use patients' information for marketing or research, without their express written permission. Instead, it allows hospitals to immediately work with patients and their doctors to provide or schedule medical treatment or tests. Hospitals are still required to try and obtain written acknowledgment from a patient that he or she has received the privacy notice, but they can do so when it's convenient for the patient--not the government. Moreover, asking patients to acknowledge in writing that they have received the hospital's privacy notice signals to patients that the notice contains important information that they should read and understand. 
Hospitals welcome the proposed change because we care for and about patients--we want all of our patients to be met at the hospital door with care and compassion, not paperwork and delay. Written acknowledgement will let us keep that promise. Many lawmakers agree. On July 3, 2001, 165 members of the House of Representatives sent a bi-partisan letter to HHS Secretary Tommy Thompson telling him that ``scheduling patients for surgery, x-rays or other vital services should not depend on patients having to complete an exhaustive privacy and consent form that could be 10-or-more pages long.'' HHS responded by replacing redundant written consent with written acknowledgement, which eliminates a barrier to patient care. Conclusion A top priority for America's hospitals is safeguarding patient privacy while ensuring that nothing gets in the way of patient care. HHS' proposal to replace the redundant written consent requirement with patient acknowledgement removes one of the privacy rule's key roadblocks to the delivery of good patient care. It is good for patients and hospitals and does not sacrifice patients' privacy rights. why written acknowledgement is better for patients and providers As a result of HHS's proposed changes to the HIPAA privacy rules, the AHA has prepared a series of Qs & As to help hospitals respond to inquiries from patients and the public. Question 1. Will I know what my rights are if I don't have to sign a written consent form for hospitals to use my health information? Yes. Hospitals are still required to provide you with a written notice of their privacy practices (called a ``privacy notice'') that explains how hospitals are permitted to use your medical information. Hospitals are permitted to use your medical information for only three purposes: (1) treating you; (2) obtaining payment for your care; and (3) for their own operations, including improving their ability to provide quality care to you and other patients. 
Hospitals are not permitted to use your medical information for any other purpose, such as for marketing or research, without your written permission, except in a medical emergency or other very limited circumstances, such as those permitted or required by Federal and State law. The privacy notice explains your medical privacy rights, such as your right to see and copy your information or request to change that information. It also tells you, for example, where you need to go to see and copy your information or to request to change it. Question 2. Doesn't signing a written consent form make it more likely that I will learn about or understand my privacy rights? No. The privacy notice you will receive from the hospital--not the written consent form--explains your privacy rights. The written consent form didn't provide any additional information that isn't already in the privacy notice. Under the changes proposed, hospitals will be required to have you acknowledge in writing that they have given you their privacy notice. Hospitals want patients to know and understand their medical privacy rights. And by having you acknowledge that you were given a copy of their privacy notice, hospitals are letting you know that the privacy notice has important information that you need to read and understand. Question 3. Will I be losing any of my privacy rights if I'm not required to sign a written consent form? No. None of your privacy rights will be lost. Your rights are guaranteed by the rule and by the notice, whether or not you sign a consent form. For example, you will still have the right to request that the hospital not contact you at the office with any test or medical results, but only call you at your home. Question 4. Was there something wrong with having patients sign a written consent form? Yes. 
Hospitals could not work with you or your doctor to schedule any testing procedures, outpatient surgery or other care the government determined wasn't an emergency until you (1) received and read their privacy notice, and (2) signed and returned the consent form to the hospital. Hospitals were not allowed to make any exceptions to this rule, even for disabled or elderly Americans or those who lived in remote rural areas. Hospitals were very concerned that their ability to respond quickly to the needs of their patients would be hampered by this unnecessary requirement and that patients would be frustrated with them because they were not allowed to make exceptions to this Federal law. Question 5. Will the hospital be able to use my health information in ways that are not approved by the Federal privacy rule if I don't sign a written consent form for the use of my information? No. The rules continue to obligate hospitals to use your health information only for (1) treating you; (2) obtaining payment for your care, and (3) for their own operations, including improving the quality of care they provide to you and other patients. Hospitals must explain the ways they will use your health information in the privacy notice they have to give to you. A hospital cannot use or disclose your health information in other ways, such as for marketing or research, unless the hospital gets your written permission before doing so. Question 6. Is a hospital prevented from getting my written consent to use my health information? No. Hospitals and doctors are still permitted to ask for your written consent before they use information about you to provide health care services; however, if they use a written acknowledgement, they won't have to delay providing care for you until you (1) received and read their privacy notice, and (2) signed and returned the consent form to the hospital or doctor. Question 7. 
Will hospitals know that I received their privacy notice if I don't have to sign a written consent?

Yes. The proposed changes to the privacy rules require hospitals to have you acknowledge, in writing, that you received their privacy notice. At the time you receive the notice, the hospital will ask you to acknowledge in writing that you received the notice.

Question 8. Will this new proposal requiring me to acknowledge that I have received the privacy notice mean that I'm spending more time filling out forms in the hospital admission office or emergency room?

No. Signing an acknowledgement should not increase the time you have to spend in the admission process. In an emergency situation, this acknowledgement can even be delayed to allow you to give it at a less stressful and more convenient time.

Question 9. Why is a written acknowledgement that I received the hospital's privacy notice better than the requirement that I sign a written consent?

The written acknowledgement allows hospitals to immediately work with you or your doctor to treat you or to schedule any testing procedures, outpatient surgery or other care. In an emergency situation, hospitals can even delay getting your written acknowledgement until a less stressful and more convenient time for you. The acknowledgement does not take away any of your privacy rights. And it is still an effective way for hospitals to let you know that the privacy notice they give to you has important information about your privacy rights that they want you to read and understand.

The written consent requirement, on the other hand, forced hospitals to delay scheduling any testing procedures, outpatient surgery or other care or giving you any treatment the government determined wasn't an emergency until you (1) received and read their privacy notice (which could be as long as 10 pages in order to meet Federal requirements), and (2) signed and returned the consent form to the hospital or doctor.
Hospitals were not allowed to make any exceptions, even for disabled or elderly Americans or those who lived in remote rural areas. The written consent requirement increased the paperwork burden for patients and hospitals without giving you any new privacy rights that the rule and the privacy notice don't already guarantee or any additional information about your rights that isn't already in the privacy notice.

Question 10. Do the proposed changes to the privacy rules affect any of my privacy rights?

No. The proposed changes to the privacy rules do not do away with or weaken any of your privacy rights. Your rights continue to be guaranteed. The proposed changes only get rid of a significant roadblock that would have forced hospitals to delay your treatment until you (1) received and read their privacy notice, and (2) signed and returned the consent form to the hospital or doctor, and cut the unnecessary paperwork burden for patients and hospitals.

Prepared Statement of Members of the Alliance of Medical Societies

As you are aware, on March 27, 2002, the Department of Health and Human Services (HHS) issued a proposed rule to modify the ``Standards for Privacy of Individually Identifiable Health Information.'' We, the undersigned members of the Alliance of Medical Societies, strongly support the proposed modifications that HHS is considering with respect to prior consent and research and would also like to comment on the business associates provision.

The Alliance of Medical Societies comprises 12 national medical societies representing more than 150,000 specialty-care physicians. Its mission is to promote sound Federal health care policies that will enhance the ability of specialty-care physicians to provide the best possible health care to their patients.
Prior Consent

The proposed modifications to the prior consent portion of the rule represent a workable compromise between the original proposed regulation issued in 1999 that would have prohibited providers from obtaining consent and the final privacy regulation issued in 2000 that mandated prior consent requirements. These modifications maintain the patient privacy protections required by Congress without disrupting patient access to quality health care.

The Alliance supports meaningful privacy protections for patients' medical records and believes that it is important for patients to be notified of their rights. The proposal for regulatory permission as opposed to mandatory written consent would not change the ethical and professional practice of physicians and most health care providers to obtain patient consent. Not only would the prior consent requirement add yet another mandatory form to the already unmanageable paperwork burden that physicians and practitioners face on a daily basis, it could pose serious problems for patient care. HHS outlined many of the potential problems in the proposed rule. We strongly believe that HHS chose wisely in proposing to make prior consent discretionary, and we oppose any efforts to change it.

Medical Research

We also thank the Administration for improving the provisions governing medical research. The proposed modifications alleviate the burdens placed on medical researchers and remove obstacles that would impede important public health research. In particular, the Alliance supports the Administration's proposal to simplify the authorization process and to eliminate the inconsistent privacy review criteria for Institutional Review Boards. Without these critical changes, health care studies may be abandoned or avoided altogether as the burdens and liability associated with compliance would deter many medical researchers.
In addition, although HHS did not propose to modify the de-identification standard, we appreciate their call for additional comments on this provision. We urge the Department to reconsider the Final Rule's current standard, which requires the removal of 18 characteristics from data in order to render it ``de-identified.'' Some of the data that must be removed--specifically, dates of admission or service and device serial numbers--are often needed when evaluating medical records for epidemiological and other health related research. We believe the regulation could be improved significantly by modifying the de-identification standard to require that information instead be stripped of direct identifiers that would facially identify an individual. Direct identifiers would be defined as name, address, electronic mail address, telephone number, fax number, social security number, health benefits number, financial account numbers, drivers license number or other vehicle numbers that are in the public records system.

Business Associates

While the Administration proposes to provide a 1-year window for covered entities to revise their contracts with business associates, these same covered entities will be required to comply with the new rule regardless of whether or not a new contract has been secured. Hence, the 1-year window provides a false sense of flexibility. We are further concerned that HHS will require business associate contracts between two covered entities. This seems to defy reason since each covered entity will be required to comply with the regulation independently.

To conclude, we strongly support meaningful and workable privacy protections for patients' medical records and appreciate this opportunity to express our views on the modifications to the privacy regulations proposed by HHS.

Sincerely,

American Academy of Dermatology Association; American Assoc.
of Neurological Surgeons/Congress of Neurological Surgeons; American Association of Orthopaedic Surgeons; American College of Cardiology; American College of Radiology; American Society of Cataract & Refractive Surgery;

Prepared Statement of Sue A. Blevins

Thank you, Mr. Chairman and Committee members, for holding this timely public hearing to examine how the proposed revisions to the Federal medical privacy rule will affect patients' control over their personal health information. I appreciate the opportunity to submit written testimony and focus on the concerns raised by thousands of citizens who submitted comments to the U.S. Department of Health and Human Services (HHS) opposing access to their personal health information without their consent.

In particular, sections 164.502 and 164.506 of the revised rule give the Federal Government the regulatory authority to decide for each and every citizen who can access individuals' medical information--including genetic information--for most purposes, including medical treatment, payment and health-care operations. The U.S. Department of Health and Human Services and the medical industry should not be making these decisions for individuals. In fact, a national Gallup survey shows that Americans want to be the ones to decide who can see their personal health information with--or without--their consent.

Majority of Americans are Concerned About Medical Privacy According to a National Gallup Survey

The Institute for Health Freedom commissioned a national Gallup survey to find out how Americans feel about medical and genetic privacy. We had heard from privacy advocates across the country about their concerns. But we wanted to find out how ordinary citizens across the Nation--not just privacy advocates--feel about the issue. The national Gallup survey was conducted between August 11 and August 26, 2000 and the results are posted at the Institute for Health Freedom's Web site: www.ForHealthFreedom.org.
(As of April 2, 2002, the survey had not been updated by the Gallup Organization.) The survey of 1,000 adults nationwide found an overwhelming majority of Americans do not want third parties to have access to their medical records--including genetic information--without their consent.

95 percent say banks should not be allowed to see patients' medical records without individuals' consent;
92 percent oppose allowing governmental agencies access to patients' medical records without permission;
88 percent oppose letting police or lawyers review medical records without explicit consent;
84 percent say employers should not be allowed access to patients' medical records without permission; and
67 percent oppose researchers accessing patients' medical records without consent.

The national Gallup survey also included two important questions about genetic privacy. One asked whether doctors should be allowed to test patients for genetic factors without their consent. Only 14 percent of respondents would permit such testing; 86 percent oppose it. The other question asked whether medical and governmental researchers should be allowed to study individuals' genetic information without first obtaining their permission. More than nine in ten adults (93 percent) feel medical and governmental researchers should first obtain permission before studying their genetic information.

What's more, when asked whether they are aware of a Federal proposal to assign a medical identification number--similar to a Social Security number--to each American, only 12 percent said they had heard anything about it. College-educated adults (16 percent) are more likely than those with less than a college education (8 percent) to be aware of the proposal. Regardless of their knowledge about it, however, an overwhelming majority (91 percent) oppose the plan.
I strongly encourage this committee to consider how the final and revised Federal medical privacy rule is going to strip patients of the ability to decide who can access their personal health information (including genetic information) with--or without--patients' consent.

Finally, following is a ``questions and answers'' summary about the proposed revised Federal medical privacy rule:

Update on the Federal Medical Privacy Rule: Questions and Answers*

Americans are being told they will have stronger medical privacy protections under the revised Federal medical privacy rule published in the Federal Register on March 27, 2002.\1\ However, the following ``questions and answers'' summary shows that the revised rule does not provide patients stronger medical privacy. Rather, it actually weakens individuals' ability to restrict access to their medical records.
---------------------------------------------------------------------------
\1\ ``Standards for Privacy of Individually Identifiable Health Information,'' Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14776-14815, [http://www.access.gpo.gov/su--docs/fedreg/aO20327c.html].
---------------------------------------------------------------------------
The following summary is based on a review of the revised Federal medical privacy rule (published March 27, 2002) \2\ compared to the final Federal medical privacy rule (published December 28, 2000).\3\ Citations to specific key pages are provided to help the public, media, and policymakers understand the serious implications of the rule.
---------------------------------------------------------------------------
\2\ Ibid.
\3\ ``Standards for Privacy of Individually Identifiable Health Information,'' Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82462-82829, [http://www.access.gpo.gov/su--docs/fedreg/aO01228c.html].
---------------------------------------------------------------------------

Does the revised Federal medical privacy rule provide consumers greater control over the flow of their personal health information?

No, under the revised Federal medical privacy rule, patients will not be in control of deciding whether they want health insurers, doctors, and medical data-processing companies to share their personal health information--including genetic information--with others. Rather, health insurers, doctors and medical data-processing companies are actually granted ``regulatory permission'' to share patients' health information for any activities related to patients' health care treatment, processing of their health care claims, or ``health care operations''--a term which encompasses many activities unrelated to patients' direct care (such as permitting FBI officials to search medical records looking for fraud and abuse activities).\4\
---------------------------------------------------------------------------
\4\ Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14780, 14812.
---------------------------------------------------------------------------
Also, under the revised Federal medical privacy rule health insurers, doctors, and medical data-processing companies will not need to get patients' written, informed consent before sharing patients' personal health information--including past medical records and genetic information--with many third parties.

How Does Congress or HHS Define ``Medical Privacy'' or ``Privacy''?

They don't.
Ironically, while the Federal medical privacy rule includes many definitions, the terms ``medical privacy'' or ``privacy'' are not clearly defined in the rule.\5\ Instead, a Federal committee composed primarily of fact-gathering experts was given the legal authority to advise HHS in establishing standards for Americans' medical privacy.\6\
---------------------------------------------------------------------------
\5\ Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82798, 82803-82805; Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14810-14812.
\6\ Federal Register, Vol. 67, No. 59, March 27, 2002, p. 14777.
---------------------------------------------------------------------------

Are patients guaranteed the right to sign private contracts with their doctors to withhold personal health information from third parties?

No, patients cannot withhold their personally identifiable health information from the U.S. Department of Health and Human Services. In fact, the rule creates a massive Federal mandate that requires every doctor and other health care practitioner to share patients' records with the Federal Government--specifically the U.S. Department of Health and Human Services (HHS)--without patient consent.\7\ The Federal Government even has the right to access an individual's psychotherapy notes in order to monitor compliance with the rule.\8\
---------------------------------------------------------------------------
\7\ Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802.
\8\ Ibid., pp. 82811, 82805.
---------------------------------------------------------------------------

Will patients be guaranteed the right to an accounting of to whom and when their personal health information was disclosed for health care services related to their treatment and processing of health claims?
No, patients will not receive an accounting of to whom and when their records were disclosed for most health care services, including activities related to treatment, payment, or health care operations (a broad definition encompassing many uses).\9\
---------------------------------------------------------------------------
\9\ Ibid., p. 82826.
---------------------------------------------------------------------------
In just a few years, patients' personally identifiable health information is going to be flowing over the Internet--without patients' permission--for purposes related to treatment, payment, and health care operations. But patients won't even know this is happening because they won't be able to obtain an accounting of disclosures for treatment, payment, and health care operations.

Will President Bush's proposed changes to the Federal medical privacy rule (published March 27, 2002) strengthen or weaken Americans' medical privacy?

It is important to note that the Clinton Administration initially proposed prohibiting doctors and hospitals from getting patients' consent before releasing their medical information.\10\ But after receiving more than 52,000 public comments, the Clinton Administration revised the rule and added a very weak, coercive consent provision.
---------------------------------------------------------------------------
\10\ Federal Register, Vol. 64, No. 212, November 3, 1999, p. 59941.
---------------------------------------------------------------------------
However, the Bush Administration is legally permitting health insurers, doctors and medical data-processing companies to release patients' personal health information without asking patients for their permission. Instead, these entities can simply provide notices of how the information will be shared. This policy takes the active decisionmaking authority away from patients and shifts it to doctors and hospitals.
This is a major shift away from the precious health care ethics that we have honored for many years in this country: the ethics of consent and confidentiality.

In addition to allowing patients' medical records to be disclosed for treatment, payment and health care operations, who else can see patients' records without patients' consent?

Under the Bush Administration's revised rule (as under the Clinton Administration's final rule), Americans' medical records can be disclosed for many broadly defined purposes without patient consent, including, but not limited to, the following:

Oversight of the health care system
FDA monitoring (including dietary supplements)
Public health surveillance and activities
Foreign governments collaborating with U.S. public health officials
Research (if an IRB or privacy board waives consent)
Law enforcement activities
Judicial and administrative proceedings
Licensure and disciplinary actions.\11\
---------------------------------------------------------------------------
\11\ Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82525, 82528, 82813-82817.
---------------------------------------------------------------------------

Does the Federal medical privacy rule provide patients recourse if their privacy is breached?

No, patients are not guaranteed any recourse other than the right to complain.\12\ They can complain to their health care providers or institutions about privacy breaches. They also can complain to the Secretary of the U.S. Department of Health and Human Services. However, the HHS Secretary does not have to investigate the complaint. The final rule reads that the Secretary ``may,'' not ``shall,'' investigate complaints.\13\
---------------------------------------------------------------------------
\12\ Ibid., pp. 82801-82802.
\13\ Ibid., p. 82802.
---------------------------------------------------------------------------
Additionally, individuals do not have a private right of action (they can't sue) if their privacy is breached under the final medical privacy rule.

Why was the Federal medical privacy rule created in the first place?

The Federal medical privacy rule was established as dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that fosters the development of a national health information network through standardized codes for all health care services nationwide.\14\ The HIPAA law requires health plans to use national standardized codes for electronic transactions for payment of medical care. The HIPAA law additionally requires that unique health identifiers be assigned to four groups, including every: (1) individual, (2) health care provider, (3) employer, and (4) health plan.\15\ Those identifiers will facilitate electronic transactions for all types of health care, whether services are paid by government or privately. (Note: the individual identifier has been put on hold temporarily for 1 year.)
---------------------------------------------------------------------------
\14\ ``Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice,'' Federal Register, Volume 65, No. 160, August 17, 2000, pp. 50312-50313.
\15\ Ibid., p. 50313.
---------------------------------------------------------------------------
The result will be that each patient's visit to a doctor or hospital will be easily tracked. In the next few years, it is going to become increasingly simple to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties.
That is why all Americans should become informed about the Federal medical privacy rule and demand the right to control their most personal information--their health information, including genetic information.

* This update analysis on the Federal medical privacy rule was prepared by Sue Blevins, President, Institute for Health Freedom and Deborah Grady, Research Associate, Institute for Health Freedom. Many of the Federal medical privacy rule provisions remain the same as those analyzed in a previous paper titled ``The Final Federal Medical Privacy Rule: Myths and Facts'' by Sue Blevins and Robin Kaigh, Esq. (February 8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/MedPrivFacts.html].

[Whereupon, at 12:10 p.m., the hearing was adjourned.]