

    This is an archive page. The links are no longer being updated.

    Statement by
    Claude A. Allen
    Deputy Secretary, HHS
    Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and the Proposed Modifications to those Standards
    before the
    Senate Health, Education, Labor and Pensions Committee

    April 16, 2002

    Chairman Kennedy, Senator Gregg, distinguished members of the Committee, it's a pleasure to be with you. I welcome the opportunity of appearing before you to talk about what we're doing at the Department of Health and Human Services to fulfill President Bush's goals of protecting both vital health care services and the confidence of every American to know that his or her personal medical records will remain private. Today, I'm going to discuss the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and the proposed modifications to those standards that the Department published in the Federal Register for public comment on March 27, 2002.

    President Bush, Secretary Thompson and I believe strongly in the need for workable and effective federal protections to ensure patients' privacy. Americans have become increasingly concerned about the privacy of their health care information. Fear of misuse or abuse of sensitive medical information has deterred some patients from fully utilizing the necessary health care services available to them. When the Privacy Rule is fully implemented, we will have successfully completed our goal of giving American patients what they want: confidence that the privacy of their medical records will be protected and that our providers and health system will be able to deliver them the most advanced, and efficient quality care available. Because of the Privacy Rule, all Americans will, for the first time:

    • Have the right up front -- the first time they see a doctor or health care provider or enroll in a health plan -- to be notified of their privacy rights and how their information may be used or disclosed by the provider or the plan, so they may understand and discuss concerns with these providers and plans and get care that is consistent with their own personal preferences;

    • Have the right to access their own medical record and to have their record corrected, if it contains incorrect or incomplete information; and

    • Have control over most non-routine uses or disclosures of their information, including requiring written permission before their information is shared with employers for employment decisions, shared with life, disability or other insurers, or used for marketing.

    In April 2001, President Bush acted boldly to put into place these strong patient privacy protections. With laws already in effect to protect personal information contained in bank, credit card, and other financial records, and to require notification of Americans about how their electronic data are used for providing these financial services, the American public should not be made to wait any longer for protection of the most personal of all information -- their health records. At the same time, legitimate concerns were raised about whether parts of the Privacy Rule would compromise patients' access to care or the quality of that care. To address these concerns, the President directed Secretary Thompson to recommend appropriate modifications to the Rule that would identify and correct any unanticipated consequences that might harm patients' access to care or the quality of that care while still protecting patient confidentiality.

    The notice of proposed rulemaking published on March 27, 2002 represents the results of the Department's review of thousands of public comments, recommendations from public hearings on the Privacy Rule, as well as the letters and input from a broad and diverse group of lawmakers, interest groups, health care leaders, and individual citizens regarding the Rule. The changes that we have proposed will allow us to ensure strong protections for personal medical information without negatively affecting access to care. These recommendations were decided upon only after seriously examining the feasibility of all possible options. They are common-sense revisions that are intended to eliminate serious obstacles to patients getting needed care while, for the first time, providing federal privacy protections for patients' medical records.

    I would like to review briefly the major areas of the Privacy Rule where changes are being proposed and explain the Department's reasons for proposing these actions. At the end, I will be happy to answer any questions from the Committee members on these or any other of the proposed changes.

    Consent and Notice

    First, the Department has proposed a workable solution to the consent and notice provision that achieves strong privacy protections and ensures access to care. The original regulatory proposal published in November 1999, prohibiting a covered health care provider from obtaining consent for uses and disclosures for treatment, payment and health care operations, lacked a workable process to engage the patient to consider the providers' privacy practices, an essential part of adequately protecting privacy. The final regulation published in December 2000, mandating consent for these routine uses and disclosures created barriers to timely access to care.

    The Department's proposal is two-fold: it would enhance the obligation that covered entities give notice of their privacy practices to their patients, by requiring a good faith effort to get patients to acknowledge, in writing, receipt of the notice of privacy practices, and it would allow providers to obtain consent for these routine uses. This change means only that under the Privacy Rule, patients are no longer required to provide consent for their doctors, hospitals, and other direct treatment providers to use and disclose information for those core activities that are essential elements of providing health care. Patient authorization is still required for most other purposes, such as marketing and disclosures to employers for employment purposes. Patients also would continue to have the right to request restrictions on uses and disclosures of their health information and would be able to enter into agreements with providers and health plans to further protect the privacy of their health information or to further limit the use of that information.

    We believe this approach provides new, meaningful patient privacy protection without impeding the delivery of high-quality care that patients need. The President and Secretary Thompson are dedicated to improving the delivery of quality care to patients, and the December 2000 privacy rule posed serious problems for patient access to care. Indeed, the comments received in March 2001 revealed a multitude of unintended consequences threatening patient safety and quality care. We also heard from many of you on this committee, Mr. Chairman, and other Members of Congress, all asking that we address these unintended consequences. Most importantly, we heard from health professionals that the proposed regulations would have serious consequences for the quality of patient care.

    I believe it was widely recognized that the consent requirements interfered with patients getting prescriptions filled in a timely manner; the ability of hospitals, specialists, or other practitioners to act timely to start care for patients referred from other providers; the ability to provide treatment over the telephone; and emergency medical providers.

    Potentially, the Department would have to repeatedly modify the privacy rule as each new barrier was identified. As many of you may recall, HIPAA allows modifications to the privacy rule standards only once yearly, thus the Department would be in the untenable position of knowing of serious problems that threatened patient care, but being unable under the law to correct these threats to patient care on a timely basis.

    Ultimately, we tried to put ourselves in the shoes of the patient and do what made the most sense from his or her perspective. And, we believe that the patient most values unimpeded access to quality care, generally limiting the use of his or her information to what is necessary to provide quality care, fair notice of how his or her information will be used, and more control over where -- other than to his health care providers and health plans -- his information goes.

    Indeed, requiring individual written consent for the routine uses necessary to provide care gives the patient little actual control over that information. When coupled with the provider's ability -- and even necessity -- to condition treatment on the signing of a general consent form, the patient is forced to choose between signing the consent form and not receiving care. In the end, we determined that the risk of compromising patient care and safety outweighed any benefit of a mandatory consent process. We believe the backbone of patient privacy rights is preserved and strengthened and the spirit and intent of the mandatory consent is fulfilled by the written notice requirement. During each patient's first meeting with a provider, they will receive a notice of their privacy rights, as well as the providers' privacy policies, and how their information will be used. This notice requirement creates for the first time, a formalized process where the patient will pause and reflect on the value of the privacy of their medical records and be able to discuss any concerns that they have with the provider.

    Health care communications and practices

    Second, the proposal ensures the strong protections for all forms of health information, including oral communications. Plans and providers will be obligated to make reasonable efforts to limit the use and disclosure of protected health information to the appropriate minimum necessary to accomplish the intended purpose. We have, however, made clear that a doctor could discuss a patient's treatment with other doctors and health care professionals without fear of violating the rule if they are overheard if reasonable safeguards are in place. As long as a covered entity met the minimum necessary standards and made an effort to protect personal health information, incidental disclosures -- such as another patient overhearing a fragment of conversation -- would not be an impermissible disclosure. This proposed change does not in any way permit gossiping or other careless use of patient information.


    Third, the proposals would simplify the research provisions, removing many of the burdens on research and covered entities alike, thereby continuing to promote the highest quality of care that Americans have come to expect and have a right to demand and so that the nation's world-renowned medical research can continue at a vigorous pace, but with renewed confidence in patients that their personal medical information will be protected. The proposal would make it easier for patients who participate in research to understand all dimensions of the study, including privacy dimensions, through the use of a single combined form, instead of having multiple consent forms -- one for informed consent to the research and one or more related to information privacy rights. It streamlines requirements for obtaining a waiver of individual permission to access records for research purposes, so as to more closely follow the requirements of the "Common Rule," which governs federally funded research. These simplified provisions would, nonetheless, continue to include privacy-specific criteria and would apply equally to publicly- and privately-funded research.

    The Department is also seeking comment on the feasibility of making health information that does not directly identify the patient more readily available for research and limited other purposes. For example, many researchers and others who study the quality or accessibility of care have indicated a need for information that does not facially identify the patient, but nonetheless contains certain identifiers -- such as zip code or dates of admission and discharge. Under the Privacy Rule, the information would not be "de-identified." In environmental cancer studies, zip codes are often important for environmental health research. Duration of illness is important for infectious disease studies. Through the comment process, the Department is seeking a consensus as to how to construct a "limited data set" that could be disclosed for such purposes, and as to what type of information should continue to be excluded from the proposed "limited data set" because it would directly identify an individual. In addition, to further protect privacy, we propose to condition the disclosure of the limited data set on a covered entity's obtaining from the recipient a data use or similar agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, as well as not to re-identify the information or use it to contact any individual.

    Parents and Minors

    Fourth, we have made limited changes to clarify that state law governs disclosures of a minor's health information to a parent or guardian. The rule and the proposed modification only address the rights related to a minor's medical records; neither has any impact on a minor's ability to obtain certain medical services under state law without parental consent. The intent of the current rule was never to override state laws that set standards for parental access to their children's medical records. In cases where state law is silent or unclear, the revisions would preserve physician flexibility and standards of professional practice by permitting a health care provider to use the discretion afforded by the state or other law to provide or deny a parent access to such records. Just as state law now determines when a minor may be treated without parental consent, so too would the revisions effectively defer to state law on access to and control of the minor's information that results from such treatment.


    Fifth, the proposal explicitly prohibits using or disclosing a patient's information for any marketing purposes without the individual's express authorization. At the same time, the proposal would ensure that doctors and other covered entities could continue to communicate freely with patients about treatment options and other health-related information, related to their treatment, including disease-management programs sponsored by the entity. The doctor may or may not receive remuneration. This proposal would strengthen the marketing provisions by requiring an individual to specifically authorize certain disclosures of health information that otherwise would be permitted without such authorization under the privacy rule. For example, a health plan would be prohibited from giving a pharmaceutical company its list of all enrollees for the company to send all patients information about their products without obtaining each individual's authorization -- even if that company is a business associate of the health plan. However, the proposal would continue to allow use of information for the health plan to send enrollees with diabetes information about a diabetes disease management program that may help them manage their illness. Patients want information about their treatment and treatment alternatives and the benefits and services offered by their plans and health care providers. Patients do not want their personal information used for unsolicited marketing pitches that have nothing to do with their care. This is the same common sense approach that governs all other revisions to the Rule: patients should have the right to get the best care possible, and to have their sensitive medical information protected while doing so.

    Other Provisions

    We have also proposed changes that would:

    • Clarify and encourage public health reporting of adverse events and other post-marketing surveillance of FDA-regulated products or services;
    • Provide model business associate contract provisions and allow up to one additional year for most covered entities to make their business associate contracts compliant with the Rule; and
    • Permit the sharing of information among health care providers and health plans for each others' treatment, payment, and quality-related health care operations.


    I want to assure you that Secretary Thompson and I are committed to working with this Committee and Congress, and with experts and the public, to provide the strongest possible protections for medical information while preserving access to and quality of health care. We look forward to specific comments on the proposed modifications to the Privacy Rule and we remain open to additional ideas for strengthening privacy protections while encouraging high quality care. But it is past time to move forward. Privacy rules have been drafted for many years, and inaction prevents needed medical privacy protections from being put into place. The need to get strong privacy protections in place now is a commonly held goal that transcends partisan politics. We owe the American people a privacy rule that works to allow them to continue to get the high-quality care that they expect -- they deserve no less. Thank you again for the opportunity to be here today. I appreciate your interest and commitment and I am happy to answer any questions.

Last revised: April 27, 2002