Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share
  • Print
  • Email
  • Facebook
  • Tweet
  • Share


Statement by
Carolyn M. Clancy  M.D.
Agency for Health care Research and Quality
U.S. Department of Health and Human Services

Draft Health Information Technology Legislation 

Energy and Commerce Committee
Subcommittee on Health
U.S. House of Representatives

Wednesday June 4, 2008

Chairman Pallone, Ranking Member Deal, and Members of the Subcommittee, thank you for inviting us here today to present the Administration’s views on draft health information technology legislation. I am Dr. Carolyn Clancy, Director, Agency for Health Care Research and Quality (AHRQ) and I have with me today Ms. Sue McAndrew, Deputy Director for Health Information Privacy, HHS Office of Civil Rights. Additionally, I will be speaking on behalf of the Office of the National Coordinator for Health IT. Dr. Kolodner is currently attending scheduled meeting of the American Health Information Community successor stakeholders. As you know, efforts to ensure availability of interoperable health information technology are one of the Secretary’s highest priorities. We appreciate your dedication to health information technology and share your commitment to this important issue.

Efforts To Date

Office of the National Coordinator for Health IT (ONC)

On April 27, 2004, the President signed Executive Order 13335 supporting the promotion of health information technology (health IT) to improve efficiency, reduce medical errors, improve quality of care, and provide better information for patients and physicians. The President also called for most Americans to have access to secure, interoperable electronic health records (EHRs) by 2014 so that health information will follow patients throughout their care in a seamless and secure manner. As part of this, the President directed HHS to establish the position of the National Coordinator for Health Information Technology.

In further support of this goal, on August 22, 2006, the President issued Executive Order 13410 to ensure that federal agencies that administer or sponsor a federal health care programs (as defined by the Order) promote quality and efficient delivery of health care through the use of interoperable health IT, transparency regarding health care quality and price, and better incentives for program beneficiaries, enrollees, and providers. Executive Order 13410 directs that "[a]s each agency implements, acquires, or upgrades health information technology systems used for the direct exchange of health information between agencies and with non-Federal entities, it shall utilize, where available, health information technology systems and products that meet recognized interoperability standards."

ONC has helped lead in a number of key areas. As part of this, yesterday, ONC released the Federal Health IT Strategic Plan. This 5-year Federal strategic plan is necessary to achieve the nationwide implementation of a health IT infrastructure.

American Health Information Community (AHIC)

The development of common standards, and a process to certify products and services as meeting those standards, is a key priority. Secretary Leavitt chartered the American Health Information Community (AHIC) as a Federal Advisory Committee to make recommendations on how to accelerate the development and adoption of interoperable health IT. The AHIC has provided the venue to make recommendations to the Secretary on priorities and has advanced other meaningful recommendations to realize the adoption of health IT. Health-related priorities recommended by the AHIC enable the identification of health IT standards by the Healthcare IT Standards Panel (HITSP) and certification of health IT products by the Certification Commission for Healthcare IT (CCHIT)

While HHS and the Federal government play pivotal roles in the health care system and in its forward progress, public and private stakeholders must also be aligned to rapidly and effectively achieve this interoperability. Therefore, the AHIC and HHS have had ongoing discussions regarding the best possible successor to the AHIC, including discussions of the successor entity’s role, funding, and governance structure. It is envisioned that the AHIC successor will be an independent and sustainable organization that will bring together the best attributes and resources of public and private entities, a public-private partnership. Such an entity must be a neutral, independent body that is not controlled by, formed by, or required to report to any branch of government.

LMI Government Consulting, assisted by The Engelberg Center for Health Care Reform at the Brookings Institution and working under a cooperative agreement with the HHS is convening stakeholders to create a nationwide focal point for health information interoperability as a public-private partnership. The goal is an orderly transition that will accelerate nationwide initiatives aimed at using information technology to enable improvements in the quality and efficiency of health care in the United States. In fact, the third AHIC Successor meeting is taking place today from 9 a.m. to 12 noon. During this meeting, recommendations from the Planning Groups for the AHIC Successor will be announced.

Standards & Certification

In fall 2005, HHS worked with the American National Standards Institute (ANSI) to form a public-private collaborative, known as the Healthcare Information Technology Standards Panel (HITSP), to harmonize existing health IT standards, and to identify and establish standards to fill any gaps in those existing standards. Experts from approximately 500 health care related organizations participate in HITSP and engage in a consensus-based process to harmonize relevant standards in the health care industry and to ensure that there is detailed guidance on how the standards need to be used. This process enables and advances interoperability of health care applications, and helps ensure that health data supporting the delivery of care will be accurate, exchangeable, private and secure.

We have now identified many of the most important standards that need to be used for interoperable electronic health records (EHRs) and personal health records. To date, the Secretary has recognized 52 harmonized standards, and he will recognize 60 new harmonized standards in January 2009. Under Executive Order 13410, Federal agencies that administer or sponsor a Federal health care program (as defined in the Executive Order) are expected to utilize, where available, the health information technology systems and products that meet recognized interoperability when they implement, acquire, or upgrade health IT systems for the direct exchange of health information between agencies and with non-Federal entities. Those agencies are also expected to require in contracts or agreements with health care providers, health plans, or health insurance issuers that as each provider, plan, or issuer implements, acquires, or upgrades health information technology systems, it utilizes, where available, health information technology systems and products that meet recognized interoperability standards.

In the private sector, the Certification Commission for Healthcare Information Technology (CCHIT) will be certifying products that use recognized standards during its next cycle which begins this July.

Providers and consumers must have confidence that the electronic health information products and systems they use can perform a set of well-defined functions, are secure, can maintain data confidentiality as directed by patients and consumers, and can work with other systems to share information. CCHIT currently certifies both ambulatory and inpatient EHRs, and has also begun developing a certification processes for health information networks and specific components of PHRs. Through its public-private process, CCHIT develops specific certification criteria for health IT systems and then rigorously evaluates them to determine that they truly meet criteria for functionality, security and interoperability. After just two years, over 150 EHR products have been certified. These certified products now include over one third of the enterprise EHRs and, adjusting for market share, over 75% of the ambulatory EHRs being sold in the US today.

Nationwide Health Information Network

To support the goal of an interoperable network, there are presently sixteen separate trial implementations of the Nationwide Health Information Network (NHIN) Cooperative. The NHIN Cooperative involves public and private health information exchange organizations across the country that can move health-related data among entities within a state, a region or a non-geographic participant group. The NHIN is a “network of networks.” Our goal is to eliminate all of the obstacles to advancing the NHIN into a production-ready state by the end of this calendar year. To do so, the NHIN will need to demonstrate technical readiness with on-site, interoperable and secure health information exchange based on common specifications. Four core services will be included: 1) delivery of data, including a summary patient record, across the involved health information exchanges; 2) the ability to look up and retrieve data across the exchanges from EHRs and PHRs; 3) the ability for consumers to express preferences about whether and how, they will allow the electronic exchange of their data; and 4) supporting the delivery of data for our nation’s health uses, such as public health and emergency response.

Collaboration with NIST

In order to achieve interoperability and allow health care organizations to securely connect to each other, there must be rigorous testing of detailed data and technical standards. This testing requires testing tools and expertise that ensure that each participating organization and software system is exactly meeting these standards. Toward this goal, the ONC has been working with the National Institute of Standards and Technology (NIST) to advance testing architecture nationally. This work involves developing conformance testing capabilities and the use of testing to ensure that standards are adequate, that the standards are properly implemented in systems and, as a result, that the systems can interoperate. NIST has helped with the HITSP harmonization process and with CCHIT’s initiation of conformance testing capabilities. NIST is also helping with the rigorous testing activities necessary to support the NHIN and have a secure, interoperable network of networks operating on top of the public Internet.


HHS recognizes that there are important issues relating to the protection of information in an electronic health information exchange environment. Maintaining the privacy and security of information shared through the electronic exchange of health information is paramount. We believe that the use of health IT in accordance with appropriate polices can protect private information more successfully than can be done with paper records , can make it easier for individuals and their doctors to access and share health information, and can improve care coordination. Just as it was a core value underpinning the enactment of HIPAA in 1996, so too today, privacy is critical to the success of our new nationwide, interoperable health IT vision.

The Standards for Privacy of Individually Identifiable Health Information – better known as the HIPAA Privacy Rule have been in operation for the past five years, and have proven their workability and adaptability for the broad range of health plans and health care providers charged with keeping health information secure and confidential. HHS’ Office for Civil Rights (OCR) has a solid record of enforcement of these standards, having brought about significant and systemic improvements in compliance by over 6,100 covered entities as a result of its investigations and the voluntary compliance efforts of the entities.

The Privacy Rule is carefully balanced to ensure strong privacy protections without impeding the flow of information necessary to provide access to quality health care. To that end, the Rule permits covered entities to share protected health information for core purposes – to treat the individual, to obtain payment for the health care service provided, and for health care operations – without obtaining the individual’s prior authorization. The Privacy Rule also permits other uses and disclosures of protected health information without an individual’s authorization, including those disclosures necessary for a limited number of public interest disclosures, such as for public health purposes. Additionally, of course, the individual may authorize in writing any other use or disclosure of protected health information, and must do so before a covered entity may use or disclose such information to market the goods or services of another to the individual. These protections apply to protected health information whether in paper or electronic form, and thus have proven effective in protecting information in electronic health record systems in existence today.

The HIPAA Privacy and Security Rules will also serve as an effective baseline of protections as we begin to transform health care through the use of healthIT and the electronic exchange of information through secure interoperable, interconnected networks. A privacy and security framework for the exchange of electronic health information built on the foundation of HIPAA, permits us to explore the enormous potential of health IT to bring new opportunities for consumer participation in and choices about their own healthcare, while effectively identifying and addressing new risks to privacy and new opportunities to secure health information. Together with public input through several advisory bodies, the Department is actively examining these issues. For example, healthIT can make it easier and faster to effectuate the individual’s rights under HIPAA to access and get a copy of their medical record, to have that record amended if it is incomplete or incorrect, and to know about certain disclosures of their information. We are equally concerned with the potential risks to privacy as a result of the easier flow of information through health IT. As the roles of vendors and service providers in the NHIN evolves, we will need to ensure that a privacy and security framework that guides their responsibilities and obligations to consumers, without unduly restraining the development or adoption of health IT.

Linking Quality and Health IT

The intersection between research and the application of how new knowledge is applied to improve care is the Agency for Healthcare Research and Quality’s (AHRQ) unique contribution to the health IT enterprise. Accordingly, the AHRQ Health IT program explicitly researches how health IT tools can improve the quality of health care, while ONC focuses on advancing the adoption and interoperability of health IT.

Since 2004, AHRQ has invested $260 million to support and stimulate investment in health IT. This translates to almost 200 projects in 48 States, many of which projects have been focused towards rural and underserved populations.

AHRQ-funded projects cover a broad range of health IT tools and systems, including electronic health records, personal health records (a term that specifically denotes health information collected by and under the control of the patient), health information exchange, electronic prescribing, privacy and security, clinical decision support, quality measurement, patient-centered care, provider workflow, and Medicaid technical assistance.

AHRQ created the publicly available, online National Resource Center for Health IT (the Resource Center) to disseminate research findings, lessons learned, and case studies on the implementation and impact of AHRQ-funded health IT projects. The Resource Center leverages our investments in health IT by offering help where it is needed—real world clinical settings that may feel ill equipped to meet the implementation challenge—facilitating expert and peer-to-peer collaborative learning and fostering the growth of online communities who are planning, implementing, and researching health IT.

AHRQ collaborates with ONC and others to assure that our investments are closely aligned and concentrate specifically on the use of health IT to improve safety and quality in diverse health care settings.

To ensure that we harness the power that health IT has to offer, we need to develop an evidence-based strategy to help clinicians and health care leaders decide which health IT innovations should be adopted and how they should be implemented to maximize value—both to clinicians and patients today and to the public health and research enterprises.


We appreciate the opportunity to provide initial comments on the discussion draft. We have been working with the Committee staff on the discussion draft and providing technical assistance. For purposes of this testimony, we will therefore take this important opportunity to discuss only the high-level issues we have with the proposed discussion draft.

Proposed Health IT Federal Advisory Committees (FACA)

The discussion draft would establish in statute two separate Federal advisory committees-an HIT Policy Committee and an HIT Standards Committee. We have significant concerns about freezing a particular set of structures in statute. In 2005, Secretary Leavitt chartered the American Health Information Community (AHIC) as a Federal Advisory Committee to make recommendations on how to accelerate the development and adoption of interoperable health information technology. For nearly a year, the AHIC and HHS have had ongoing discussions regarding the best possible successor to the AHIC, including discussions about its role, funding, and governance structure. It is envisioned that the AHIC successor will be an independent and sustainable organization that will bring together the best attributes and resources of public and private entities, a public-private partnership. Such an entity must be a neutral, independent body that is not controlled by, formed by, or required to report to any branch of government in order to assure independence and continue to build on progress to date.

The creation of new advisory committees under this bill would significantly interfere with the progress made in establishing an AHIC successor thus far. This approach would preempt and discount the significant efforts made by stakeholders to establish the AHIC successor, and impede efforts to foster the adoption of health information technologies and standards and realize an interoperable nationwide health information system.

Additionally, the proposed advisory committees’ membership would be determined through a political appointment process. We are concerned that the membership of these FACAs would politicize the successful collaborative advisory work ongoing through AHIC and the collaborative work going on through the current conveners of the AHIC Successor and would create barriers to rapid progress. Additionally maintaining two organizations could prove duplicative and costly.

Accordingly, we encourage the Committee to strike proposed sections 3002 and 3003 and allow the current public-private collaborative process already underway to proceed.

Proposed Process to Develop and Recommend Standards, Implementation Specifications and Certification Criterion

The discussion draft proposed to establish a FACA advisory committee known as the HIT Standards Committee, to recommend standards, implementation specifications and certification criteria to ONC for endorsement. Upon ONC endorsement, the recommendations would be sent forward to the Secretary for adoption through a Federal rulemaking process.

The adoption of health IT standards, implementation specifications, and certification criteria through the use of rulemaking should be avoided. We have seen from prior statutory requirements that it significantly delays the applicability and usage of new and improved standards.

Proposed Privacy and Security Provisions

Business Associate Provisions

The Discussion Draft has three separate provisions relating to Business Associates. Section 316would state that organizations that require access to protected health information and transmit it to a covered entity, such as Health Information Exchanges, Regional Health Information Organizations (RHIO), and those involved in e-prescribing, must be treated as business associates for purposes of section 311. Section 311, in turn, would limit the use or disclosure of protected health information by a business associate to the purposes specified in the contract with the covered entity and would subject the business associate to civil and criminal penalties under HIPAA for violation of such contract terms. Similarly, section 301 would apply administrative, physical, and technical security standards to business associates and would also apply the HIPAA civil and criminal sanctions to a business associate for violations of these standards.

Under current law, only covered entities are subject to liability for violations of the HIPAA Privacy and Security standards. Business associates, because they are not covered entities, are therefore not liable for violations, through the covered entities themselves may, in some circumstances, be liable for the violations by their business associates. Under the Discussion Draft, RHIOs, Health Information Exchanges (HIE), and similar organizations, would still not become covered entities under HIPAA, but they would become liable for HIPAA civil and criminal penalties for using or disclosing protected information in a manner contrary to the terms of their business associate agreements with covered entities. While this is one approach to address gaps in the current coverage of HIPAA, the provision would not result in evenhanded treatment as other entities, such as PHR vendors, are not encompassed in this solution.

Moreover, in extending liability to business associates, the Discussion Draft would sweep all business associates under this same provision, making them all liable for contract violations. The potential exposure to criminal and civil liability may chill many from becoming business associates or may raise the cost of doing business in this manner. Many business associates (for example, interpreters) help consumers and others such as transcription services or accreditation services are essential for routine business operations.

Proposed Grants and Loans

Section 3011 of the discussion draft would provide for competitive grants and loans to facilitate the adoption of qualified health IT. The Administration does not believe that grants (or grant-supported state loan programs) are the most efficient manner to stimulate the widespread adoption of health IT; it believes the most appropriate and efficient ways to achieve widespread use of health IT are through market forces, rather than through direct subsidization of health IT purchases. In August 2006, the Centers for Medicare &Medicaid Services (CMS) and the Office of the Inspector General (OIG) promulgated two final rules with an exception to the physician self-referral prohibition and a safe harbor under the anti-kickback statute, respectively, for certain arrangements involving the donation of interoperable EHR technology to physicians and other health care practitioners or entities from businesses with whom they work. The exception and safe harbor have made it possible for physicians and other health care practitioners or entities to obtain EHR software or information technology and training at substantially lower prices, up to 85% below the market costs.

Other Comments on the Discussion Draft

The discussion draft codifies the Office of the National Coordinator for Health Information Technology. The Administration does not support statutorily establishing individual offices, which can limit needed flexibility to adjust duties and responsibilities as time requires.

The Administration continues to review this bill and anticipates having additional comments and questions about its impact and certain provisions. As part of this we are carefully reviewing sections 111 and 112 to assess and understand their potential impact on Federal programs, including Medicare, and the private sector. We are also carefully reviewing sections 302 and 315, regarding notification of breach of privacy, and section 312, to assess its impact on adoption of health IT.


The Administration shares the goals of the Committee with respect to health IT and looks forward to continuing work with you to improve the quality of our nation’s health care through its use. We hope to continue our work with the Committee as we move forward to address these concerns.

Last revised: June 18, 2013