I am Nan Hunter, Deputy General Counsel, U.S. Department of Health and Human Services. I am happy to be here to discuss the bill you have introduced, H.R. 4077, to provide a code of fair information practices for health information.
The topic is vitally important and we are pleased that you share our vision for careful, respectful treatment of health information. Personally-identifiable health information is used for many purposes to benefit individuals and for broader societal needs. The challenge in legislating rules for confidentiality is always how to strike the best balance between those purposes and the rights of individuals. Let me begin by discussing the principles which underlie our concern for protecting health in-formation.
The primary goal of confidentiality in health care is to permit patients to be totally frank about facts which bear on their health, and to subject themselves to examination and tests which reveal facts about them. Without confidentiality protection, sick people would be faced with having to choose between revealing information to obtain treatment, or retaining their privacy -- a cruel choice, and one that would in some cases lead to untreated disease, or falsified information.
In public health and research there are equally pressing reasons: we want the patient to be frank not only for his or her own sake, but also for the health of society more generally. Only if we keep the patient's confidences will he or she be candid about sensitive matters. This permits us to intervene to protect others and interrupt the spread of communicable disease, and to gather accurate information for research about disease.
The traditions and ethical principles of the medical and other health care professions have long called for confidential handling of information about patients. For physicians, the obligation is found in the Hippocratic Oath, dating from the fourth century B.C., and is continued in current ethical statements. Other professions have similar ethical principles and codes of conduct. At the same time, the development of the health care system has led to use of records by many organiza-tions that do not care for patients, and are not subject to the traditional ethical and social norms of the healing professions.
Legal protections for health-care information today are skimpy and uneven at best, as the subcommittee is aware. They exist primarily at the state level, and they vary greatly. A few states have comprehensive health-care information confidentiality statutes, including two (Montana and Washington) which have enacted the Uniform Health-Care Information Act of the National Conference of Commissioners on Uniform State Laws. Many have statutes covering particular types of information (like HIV-in-fection and mental health information), and some have statutes covering insurance information, including health information about beneficiaries. In addition, there is some case law establishing confidentiality duties.
The well-known physician-patient privilege (which most states have in some form), where applicable, applies only when the physician is asked to testify in court or in similar proceedings. It has nothing to do with decisions physicians or health care facilities make about disclosing patient information in other situations.
The only Federal health record confidentiality law covering the nation generally is one protecting information about patients in Federally-assisted drug and alcohol abuse treatment programs. The Privacy Act covers Federal records, including health records, held by Federal agencies that provide health care, such as the Department of Veterans Affairs, the Indian Health Service in the Department of Health and Human Services, and the military services. For health records of the Department of Veterans Affairs, two confidentiality laws apply, including one which provides specific protections for drug and alcohol, HIV infection, and sickle cell anemia records.
All these laws permit certain uses of patient information without the consent of the patient.
The array of existing laws provides some protection, but, as you know, there is no single, nationally-applicable set of legal controls on health care information.
A health care system as diverse and comprehensive as the U.S. health care system needs careful and well-designed controls on the use of information, to minimize risks to the privacy of patients. At the same time, these controls must allow for the appropriate use of information in providing health care to the American people.
Health records are used for many purposes today -- in the delivery of care to individuals, to operate the health care system, and for other purposes that are compatible with and related to the delivery of health care. People who work in a health care facility, in treating patients or in related activities like billing, need access to patient records.
Patients routinely authorize disclosure to health insurers to obtain reimbursement. Records are used for research to gain new knowledge to prevent and treat illness, often with patient identifiers so they can be linked with other records, although without further use or publication of the identifiers. Quality reviews and audits to assure that payments and reimbursements are correct require access to records. In some instances, medical conditions are reported to public health agencies, to permit investigation, and, as necessary, intervention. Health records frequently can be critical evidence in investigations and prosecutions of unscrupulous health care providers who defraud insurance programs, or deny their patients quality care.
Strong privacy protections can, if properly configured, form a backbone for the health information system that is essential to health reform. Legal controls of the type the subcommittee is considering prevent disclosures that are not appropriate or necessary. They reassure patients that there are orderly processes for dealing with their information, even if there is not absolute secrecy. They regulate government access to and use of information about people. They ensure that patients can see their own records if they wish, and provide remedies for patients whose records have been improperly used or disclosed.
Careful protections are especially important with the widespread computerization of records. Computerization can provide great benefits both for the patients and for management of the health care system. The effect on the privacy interests of patients is mixed. computerized records present certain new vulnerabilities, such as the possibility that an unauthorized user may get access to them through the communications system. If an unauthorized user does get access, large volumes of information can be transmitted quickly and easily, while, it is comparatively difficult to transmit large volumes of information in paper records.
At the same time, computerization can enhance privacy protection in many ways. For example, computerization makes it easier to pick out and disclose only information actually needed, rather than a patient's whole record. Further, when records are computerized, a more careful watch may be kept on their disclosure, through recording and auditing mechanisms built in to computerized record systems.
The President's proposal for health care reform, the Health Security Act (H.R. 3600) recognizes that clear and strong confidentiality protections are essential for the information that the new health care system will have about people, as well as for all the information traditionally held by health care providers.
The proposal envisions that the National Health Board will issue confidentiality rules, following principles of fair information practice set out in the President's bill, to protect personal data in the information network that the Board will establish to operate the system. For other records -- full medical records held by providers, for example -- the Board would be required to recommend confidentiality legislation to the President and Congress within three years.
Your bill offers immediate Federal legal protections for all health care records. We welcome this proposal, and are eager to work closely with you on it.
We are pleased that it has requirements to carry out many of the same basic policy goals set forth in the President's bill. Both bills share the following principles:
These are fundamental principles for the confidential treatment of records about people, and we share your commitment to them. They should be required by law, and should also be instilled as part of the basic outlook of everyone who handles health information.
The uses and disclosures of information allowed for, and carefully controlled, by the bill, address many of the situations in which records are now used.
The remainder of my testimony will address areas of convergence and divergence in the bills, in the hope of being helpful to the subcommittee in its consideration of H.R. 4077. First, I will describe the national framework for health information that we believe is critical to achieving the basic goals of reform. Then I will address several of the larger conceptual issues where the Administration has concerns regarding H.R. 4077.
The President's plan offers a new vision for a health information system that will empower consumers and relieve providers of the burdens of increasing and duplicative reporting requirements. We believe that H.R. 4077 as written is supportive of this information system, in that it attempts to establish the necessary disclosures, and to ensure that information so disclosed is protected from inappropriate further disclosure.
The national framework for health information described in title V of the Health Security Act is actually very simple. These are its key features:
This framework will provide all participants in the health care system with accurate, comparable, and timely health information. Improving the quality and efficiency of the health care system depends on ready access to information. At the same time that the health care system depends on access to information to perform multiple, vital functions, we are developing ways to reduce the paperwork burden and simplify the administrative workings of the system. We can use technologies already in place to collect information once, and use a core data set for multiple purposes.
Some uses of information in the system will be administrative and operational. For example, information will be used to pay providers, to resolve issues of coverage, and to advise patients of their portion of costs.
In addition, the information system can have a research and statistical function: it can produce certain aggregate information on the operation of the health care system and on the health of our Nation. This activity depends on individual, identified patient information, but does not use patient identifiers in its results, and does not affect patients individually.
Let me provide a few examples. National, uniformly-reported enrollment and encounter data provide unprecedented opportunities for many types of research, including clinical, outcomes, epidemiological, health services, and policy research. Enrollment offers the opportunity to collect a limited number of data items characterizing each individual (such as important sociodemographic factors). Encounter or claim data will provide a small, select number of elements characterizing encounters with practitioners, facilities, pharmacies, and laboratories (potentially including such elements as diagnosis, reason for service, service provided, site of service, provider, results, complications and charges).
Under the information system we envision, these data will be reported in the same way for all individuals and all encounters throughout the nation. Because it can be collected in a standard fashion across the nation, and will be comparable, it will be especially useful, and produce much better answers than more limited data from individual facilities, or particular states. The body of information available from these reports will be very valuable for research and statistical analysis -- to shed light on the operation of the health care system, to learn more about what medical treatments contribute most to improving health, to learn about the nature and course of particular disease conditions, and to document patterns of use of health care, and access to health care by various groups in the population.
The compilation of certain data will occur at regional data centers. The number, location, and organizational configuration of the data centers will be determined when the system is implemented. It is quite possible that regional data centers will be configured in a number of ways. Centers could be single discrete entities. A center could also be a consortium of interests that either runs a single data system or a network of geographically dispersed data systems. This flexibility would make it easier to build upon the existing data systems in a given region. Regardless of the configuration, all data centers would provide a minimum set of services and would be subject to the same privacy standards. Regional data centers would be electronically linked to facilitate access to information.
Data centers as envisioned under reform, as well as data utilities being considered under several state reform efforts, could have the research and statistical functions described above.
In performing those functions, they would receive certain encounter data, e.g., a minimum or core data set for visits with a physicians, but not the entire patient record. We believe that the highest degree of protection under the law should be considered for this information. Thus, we believe that legal safeguards comparable to those which govern the Census Bureau could be appropriate for the research and statistical functions of regional data centers. Those functions could be immunized from the scope of reporting laws and judicial process, just as the Census Bureau is. Individual providers would still be subject to the disclosure rules set out in the bill, so that they would be allowed to make disclosures permitted for health use trustees, such as those for disease reporting.
When encounter data are used for research and statistical purposes, they should not be used for actions against an identified individual. Limitation on the use of research and statistical information in this way -- called the principle of functional separation -- was recommended by the Privacy Protection Study Commission, in its report, Personal Privacy in an Information Society, in 1977, and the point was reiterated recently by a committee of the Committee on National Statistics in a report, Private Lives and Public Policies (1993).
Much health research can be conducted without patient identifiers. Computerization permits ready segregation of identifiers from other information about individuals, and public use files can be produced to permit extensive analysis in the many situations where it is not necessary to use identifiers to match health records with other records. But for research where records must be matched with other records, such as death certificates, identifiable information may be needed. With appropriate safeguards, this can be done with proper respect for privacy.
The committee might consider creating a special trustee class for entities that serve this function. A new section could be tailored to provide explicitly for disclosure of data for research and statistical purposes, and could provide additional protections for those data. This special class of information, (i.e., individually-identifiable health information when linked with other personal information) should not be used for all the purposes that the bill generally, and properly, allows for health oversight and payment agencies. We suggest consideration of the following restrictions on the use and disclosure of such data:
Personally-identifiable patient health information, once linked with other personal information for research and statistical purposes, should never be used to take any action affecting the rights, benefits, or privileges of an individual patient.
Such disclosures should take place only when there is a demonstration that there is no practical way to conduct the research or statistical activity without identifiers, that there is a reasonable possibility of accomplishing the intended inquiry, and that the recipient has adopted security measures to protect the information from any unauthorized redisclosure.
Disclosures should be made only following approval by a board, similar to the institutional board required in H.R. 4077 to review research disclosures. The board should be broadly representative (including members skilled in data and privacy issues) and should apply national standards in deciding whether to approve particular disclosures.
Researchers receiving identifiable data should not be allowed to disclose it further for any purpose, under the same penalties applicable to any other improper disclosure.
The bill as written provides for disclosure of records for the purposes of oversight. A wide variety of audit, investigative, and program evaluation activities require direct review of identifiable health records. In the vast majority of instances, the investigations are of health care providers, but there are some investigations of fraudulent actions by recipients with respect to payments for health care, and of collusion between patients and providers. These tasks are performed by the Office of Inspector General of the Department of Health and Human Services, by the Federal Bureau of Investigation, by other Federal investigative agencies, such as the Defense Criminal Investigative Service, the offices of Inspectors General (including the Inspectors General of the Department of Labor, the Department of Veterans Affairs, the Office of Personnel Management and the Department of Defense), and by State and local agencies, including specialized Medicaid fraud units in states.
Among the issues that need attention to assure effective efforts against fraud and abuse are these:
Some investigations of fraud and abuse in the health care treatment and payment system are done by units of general law enforcement agencies, such as the Department of Justice, the Federal Bureau of Investigation, other Federal agencies such as the Drug Enforcement Administration and the U.S. Postal Inspector, and State and local police agencies. Additionally, there are civil and administrative as well as criminal enforcement agencies. Nearly every health care fraud investigation involves health records that would be covered by the bill.
These agencies use identifiable records from health care providers in the same way as specialized health oversight agencies, and access by such agencies ought not to be made more cumbersome than is strictly necessary to preserve patient privacy interests. We note that the bill provides that if these agencies get access as health oversight agencies, they may not use patient-specific information except in actions or investigations relating to receipt of or payment for health care.
While the bill provides for disclosure in connection with criminal activity or to determine if a crime has been committed, it is important to recognize that many investigations seek to determine whether civil fraud is occurring.
It might be desirable to simplify access for investigations of illegal activities not directly related to "receipt of health care or payment for health care", but involving health care in some fashion. Investigations of fraud in liability claims, disability program applications, or workers compensation claims need patient records.
Patient access to their own records in the hands of health oversight agencies, and patient awareness that their records have been disclosed by providers to investigative agencies, can in some instances reveal to patients that an investigation is underway, and permit evasive action.
Existing subject access rights to Federal records, in the Privacy Act, include exceptions to address these concerns.
In connection with use and disclosure of records for investigations, the Department of Justice is preparing detailed comments on the bill and will provide them to the Committee soon.
We note that the bill prevents the establishment or continuation of State law that is inconsistent with the bill's provisions, but does not occupy this field of law to the exclusion of State law. We interpret this to mean that the confidentiality rules would be cumulative. If a disclosure is prohibited by either this bill or State law, it would not be allowed, i.e., if State law prohibits a certain disclosure, that disclosure could not be made even if allowed by the Federal law, and if the Federal law prohibits a certain disclosure, that disclosure could not be made even if allowed by State law.
We appreciate the intention to let the State laws that offer stronger protections than this bill remain in place, especially with respect to especially sensitive types of health information. At the same time, we note the benefits of a totally preemptive Federal law in situations involving the filing of claims electronically, and other activities involving transmission through national, computerized systems. Individual State requirements for patient authorization for disclosure, or review and approval processes, for example, can vitiate the benefits of standardized, automatic claims transmission.
Some consideration might be given to preempting State law totally for disclosures for payment of claims and related oversight activities and the health care information system. Other disclosures could be subject to both Federal and State law.
We note that the bill is silent on coverage of deceased persons.
Most privacy statutes, including the Federal Privacy Act, do not apply to deceased persons. Substantial practical and administrative problems are created by confidentiality rules when there is no effective possibility of obtaining authorization from the patient. Approaches that rely on consent from next-of-kin or executors are difficult because such persons may not exist or may not be able to be found. In addition, the presumed protection may be meaningless because next-of-kin or executors may in some cases be the very people from whom the patient would have wanted to conceal information. However, even in the absence of legal protection, there are some safeguards:
The bill includes a requirement that a health information trustee may use protected information only for a purpose that is compatible with and related to the purpose for which the information was collected or received. Restrictions on use -- restrictions on what can be done with information within an organization -- are important controls to assure that patient information is not used for other than its intended purpose, or seen by personnel who do not need it for their duties. Such restrictions become especially significant when an organization is large and carries out widely varied functions, such as the Department of Health and Human Services.
At the same time, it is important to allow for the ordinary supervisory mechanisms, necessary for accountability, in which persons not involved in direct health care, and having other, wider responsibilities, may need in some instances to see patient records. Internal audits are such a case. In addition, it might be desirable to clarify the extent to which personnel of a facility conducting an activity such as research, using the facility's own records, must observe the same requirements that would have to be met for a disclosure outside of the facility.
We hope this testimony will prove helpful to the subcommittee. In addition to the points we have made here, we have additional technical comments which we would be pleased to offer as you continue work on the bill. We stand ready to answer any questions, and to help the subcommittee as needed.