Mr. Chairman, Senator Kennedy, distinguished members of the Committee: I
appreciate the opportunity to appear before you to discuss the recommendations I
am today submitting to the Congress under Section 264 of the Health Insurance
Portability and Accountability Act (HIPAA) concerning standards for the privacy
and protection of individually identifiable health information.
As you mentioned in your invitation letter for today's hearing, HIPAA also
requires our Department to act in the areas of administrative simplification and
nondiscrimination in group plan enrollment. At your request, I would like to
address these issues briefly at the onset. As you know, the administrative
simplification provisions of the Act require our Department to adopt a series of
standards to guide the interchange of electronic data for a number of
administrative, insurance-related transactions in health care. We also are
required to adopt standards for unique health identifiers for health care
professionals, plans, employers and individuals, as well as for data security
standards.
I am pleased to report that we've made significant progress. We will soon
publish the first set of proposed rules for health data standards. As you know,
HIPAA calls for final adoption of the standards by February 1998. The latest
information about our efforts in this area is available on the HHS web site.
In developing our proposals for the standards, we did extensive outreach and
consultation with the industry. We met with a wide variety of groups with
interests in health data standards. And our public advisory committee in this
area, the National Committee on Vital and Health Statistics, conducted eight
full days of public hearings, which included over 130 witnesses from across
the entire spectrum of the health community.
In addition, our Department's Health Care Financing Administration is
working with the Departments of Labor and Treasury to review comments on an
interim final regulation designed to prohibit a group plan from basing
enrollment eligibility on an individual's health status, medical condition
(physical or mental), claims experience, receipt of health care, medical
history, genetic information, evidence of insurability and disability.
Mr. Chairman, I am pleased to provide to you today recommendations for
federal legislation to protect the privacy of health information. I should note
that our report is today available on the HHS web site
(aspe.os.dhhs.gov/admnsimpo). In developing our recommendations, we have
benefited greatly from consultations with a variety of outside groups and from
six days of public hearings conducted by the National Committee on Vital and
Health Statistics. The hearings involved over 40 witnesses from across the
health community, including health care professionals, plans, insurance
companies, the privacy community and the public health and research communities.
Our recommendations represent tough choices and difficult tradeoffs. They
strike a balance between the privacy needs of our citizens and the critical
needs of our health care system and our nation. And, most important, they must
be the first--not the last--chapter in an ongoing bipartisan dialogue about an
issue that touches every single American.
Just a few weeks ago, the cover of Time Magazine read "The Death of
Privacy." While our privacy certainly is in danger, to paraphrase Mark Twain,
"rumors of its death have been greatly exaggerated." If we act now, we still have
a golden opportunity to safeguard our age-old right to privacy in a brave new
world of computers and biology. Nowhere is that more important than with our
most personal information, our family secrets: our medical records.
Until recently, at a Boston-based HMO, every single clinical employee could
tap into patients' computer records and see detailed notes from psychotherapy
sessions. In Colorado, a medical student copied countless health records at
night and sold them to medical malpractice attorneys looking to win easy cases.
And, in a major American city, a local newspaper published information about a
congressional candidate's attempted suicide. Information she thought was safe
and private at a local hospital. She was wrong.
When we give a physician or health insurance company precious information
about our mood or motherhood, money or medication, what happens to it? As it
zips from computer to computer, from doctor to hospital, who can see it? Who
protects it? What happens if they don't? It all depends on the states you live
Every day, our private health information is being shared, collected,
analyzed and stored with fewer federal safeguards than our video store records.
Let me be frank. The way we protect the privacy of our medical records right now
is erratic at best--dangerous at worst.
When Congress looked at the privacy threats to our credit records, our video
records, and our motor vehicle records, it acted quickly to protect them. It is
time to do the same with our health care records.
It's been 25 years since my predecessor, Secretary Elliot Richardson, set
forth principles that led to the landmark Federal Privacy Act. Those 25 years
have brought vast changes in our health care and our health care system.
Twenty-five years ago, our health care privacy was protected by our family
doctor who kept handwritten notes about us sealed away in a big file cabinet.
We trusted our physicians to keep their file cabinets locked and their mouths
Today, revolutions in our health care delivery system mean that instead of
Marcus Welby, we must place our trust in entire networks of insurers and health
care professionals--both public and private.
The computer and telecommunications revolutions mean that information no
longer exists in one place. It often travels in real time across hospitals,
physicians, insurers, even state lines. And, it can no longer be protected by
simply locking up the office doors each night.
And, revolutions in biology mean that a whole new world of genetic tests
have the potential to either help prevent disease or reveal our families' most
personal secrets. Without safeguards that assure citizens that getting tested
won't endanger their families' privacy or health insurance, we could, in turn,
endanger one of the most promising areas of research our nation has ever seen.
We are at a decision point. Depending on what we do over the next months,
these revolutions in health care, communications, and biology could bring us
great promise or even greater peril. The choice is ours. For example, will
health care information flow safely to improve care, cut fraud, ensure quality,
and reach citizens in underserved areas? Or will it flow recklessly into the
The fundamental question before us is: Will our health records be used to
heal us or reveal us? The American people want to know. As a nation, we must
Today, almost 75 percent of our citizens say they are at least somewhat
concerned that computerized medical records will have a negative effect on their
privacy. If we don't act now, public distrust could deepen--and ultimately stop
citizens from disclosing vital information to their doctors, getting needed
treatment for mental illness or seeking genetic testing. As history has taught
us, distrust, if left unchecked, can undermine and stop progress in our entire
health care system.
The question is, what can we do? Some say we have already lost the battle.
They say privacy in this new electronic world is impossible. There are others
who say that consumers should not only have control over their health care
information, they should have complete control. They say that Americans should
even have the power to ensure that their records are kept on paper, not in
computers. Both sides are wrong. We cannot turn back the hands of progress or
turn our backs on public responsibilities like research or fighting fraud and
abuse--and we shouldn't.
But we can and must do what Secretary Elliot Richardson envisioned in 1972.
We must look ahead and balance our age-old right to be left alone with our
desire to fulfill the promises of a new age in health care. Health care
privacy can be safeguarded. I believe we must do it with national legislation,
national education, and an on-going national conversation.
As I said earlier, we have federal laws that protect the privacy of video
records, motor vehicle records, and credit records. But, when it comes to our
private health care records, we rely on a patchwork of state laws. The
patchwork of state laws does not provide Americans the privacy protections they
need, particularly as our health information becomes increasingly
national--crossing state boundaries. Right now, we have no federal health care
privacy standards. We have no federal standards. We do have a national interest.
Now all of us must make a national commitment.
Today I offer our recommendations for federal legislation protecting health
care information. We want to work with you, Mr. Chairman, and other appropriate
committees to develop a comprehensive measure to protect the privacy of medical
records, to guarantee to consumers the right to inspect their records, and to
punish unauthorized disclosures of personal health data by hospitals, insurers,
health plans, drug companies or others.
These recommendations are grounded in five key principles:
The first is the principle of Boundaries: With very few exceptions, health
care information about a consumer should be disclosed for health purposes and
health purposes only. It should be easy to use it for those purposes, and very
difficult to use it for other purposes.
That means hospitals can use this information to provide and pay for quality
care for their patients. And, subject to the requirements of other laws such as
the Americans with Disabilities Act of 1990, employers could use it to provide
on-site care for their employees or to administer a self-insurance plan. But,
those same employers should not be able to use information obtained for health
care purposes to make decisions about job hiring and firing, placements and
promotions. We are recommending strong protections for Americans from the
inappropriate disclosure of their medical records.
Who should be bound by this law? Anyone who provides health care or pays for
it, or who receives health information from a provider or payer, either with the
authorization of the patient or as authorized explicitly by the legislation. Our
physicians, our nurses, our hospitals and payers are the foundation of our health
care system. They have been and must continue to be on the front lines in our
battle to protect the privacy rights of patients.
However, our recommendations acknowledge that these providers and payers do
not act alone. Whether it's an organization paid by a hospital to encode and
process bills or a pharmaceutical benefit management company that provides
information to pharmacists about what medications are covered and appropriate
for their customers, there are many new actors on the health care stage. The
numbers of service organizations are increasing every day. Most do not have
direct relationships with the patients. But, they do have access to their
personal health care information. And, we are proposing that they too be bound
by the same tough standards.
For example, we recommend that service organizations be able to do mailings
to remind patients to schedule appointments for preventive care. But, they
should not be able to sell the patient lists to a pharmaceutical company for a
direct mailing announcing a new product.
We believe a federal privacy statute should define a range of health care
conditions and services and protect certain demographic information about the
patient collected during the health care process.
A federal privacy statute also should define "information" to include
records held in whatever form possible--paper, electronic, or otherwise.
We believe that the privacy statute must strongly protect individuals from
inappropriate disclosures, but only in cases where these disclosures are in fact
inappropriate. These protections should only cover the information that is
Our recommendation on defining "identifiability" follows the text of the
administrative simplification provisions of HIPAA. For now, information should
be considered as identifiable if there is a reasonable basis to believe that the
information can be used to identify an individual. The potential for disclosure
of a person's identity increases when there are other pieces of information
present such as age, sex, marital status, race, ethnicity, place of residence,
and occupation. A determination of what is identifiable information may require
a case-by-case decision based on reasonableness and will certainly change as
We must remember that although explicit identifiers (name, social security
number, etc.) can be removed, the pieces of information remaining may still
yield an identity. Sometimes common information-- marital status, number of
children, place of residence--can become identifiable when combined with other
information--like age and ethnicity. For example, what if you say someone is a
male Korean college professor living in Akron, Ohio? He may be the only person
there to fit that description. Therefore, you may not have to identify him by
name to have his identity be known. We want to ensure that in these cases, when
the identity can be known, privacy protections are in place.
Because the recommendations would create a minimum floor of protection for
all records, this report does not distinguish among types of health care
information based on sensitivity. However, we are well aware that there are
certain types of information that have been viewed as particularly
sensitive--such as mental health information.
We look forward to working with Congress, advocates, and others to discuss
these unique considerations. Where stronger protections for particular types of
information may be appropriate, the stronger protections provided by other
federal or state laws should remain in place. And new laws providing such
special protections could be enacted.
For example, our recommendations do not include specific provisions related
to genetic information in health records. Genetic information should be covered
by the same rules. However, we recognize that the public is especially concerned
about the unique properties of genetic information--its predictive nature, and
its link to personal identity and kinship and its ability to reveal our family
secrets. As you are aware, the President recently announced support for
federal legislation that would limit collection and disclosure of genetic
information and would also prohibit health insurers from discriminating against
individuals on the basis of their genetic information. Because of the speedy
development of genetic technologies and its history of abuse, we recommend that
legislation concerning discrimination in underwriting by insurers be considered
expeditiously. We look forward to continuing our work with you on this issue.
We have also elected to limit the scope of our recommendations to the health
care system and the information that flows directly from it. For example, DNA
results contained in a crime information data bank would not be included.
The Administration and Congress should continue to examine the privacy
concerns created when health information is held and used in other settings, and
recognize that further action may be required.
The second principle is Security. Americans need to feel secure that when
they give out personal health care information, they are leaving it in good
hands. Information should not be used or given out unless either the patient
authorizes it or there is a clear legal basis for doing so.
Think about all the ways that private information like your blood tests
could become public.
People who are allowed to see it--like those at a lab--can misuse it either
carelessly or intentionally. And people who shouldn't be seeing it--like
marketers--can find a way to do so anyway, either because an organization
doesn't have proper safeguards or they find an easy way around them.
To give Americans the security they deserve, we must develop legislation
that requires those who legally receive health information to take real and
reasonable steps to safeguard it. They must ensure that it isn't used
improperly by those who have access to it, and it isn't obtained improperly by
hackers or others on the outside.
What do we mean by reasonable steps? They include administrative and
management techniques, education of employees, and disciplinary sanctions
against employees who use information improperly. They also include technical
security safeguards like audit trails.
We don't believe a law can specify the details of these protections, since
they must keep pace with the new threats to our privacy and the technology that
can either abate or exacerbate them. But a law can--and must--require everyone
who holds health information to have these types of safeguards to protect it.
The third principle is Consumer Control. Americans should not have to trade
in their privacy rights to get quality health care.
The principles of fair information practice (formulated in 1973 by the
committee that Secretary Richardson appointed) included as a basic right the
There must be a way for an individual to find out what information about him
is in a record and how it is used.
Americans should have the power to find out what rules protect their
records, who's looking in them, what's in them, how to inspect, copy and, if
necessary, correct them. They should be given clear explanations of how
organizations will use their information, and what their rights are. Let me give
you an example of why this is important. According to the Privacy Rights
Clearinghouse, a California physician in private practice was having trouble
getting health disability, and life insurance. She ordered a copy of her report
from the Medical Information Bureau--a clearinghouse used by many insurance
companies. It included information about her heart problems and her Alzheimer's
disease. There was only one problem. None of it was true. What if she hadn't
requested her records? With electronic data, mistakes can multiply--and sunlight
is still the best disinfectant. Unfortunately, under the current system these
types of errors are too often the case. Americans often do not have access to
their own health records and even those who do are not always able to correct
some of the most egregious errors.
With that in mind, our recommendations set forth a set of practices and
procedures that would require that Americans be provided a written explanation
from insurers or health care professionals detailing who has access to their
information; how that information is kept; how they can restrict or limit access
to it; how they can authorize disclosures or revoke such authorizations; and
what their rights are under the proposed legislation should an improper
We also recommend procedures for patients to inspect and copy their
information and set out the very limited circumstances under which patient
inspection should be properly denied.
Finally, we recommend a process for patients to seek corrections or
amendments to their health information to resolve situations in which innocent
coding errors cause patients to be charged for procedures they never receive or
to be on record as having conditions or medical histories that are inaccurate.
The fourth principle is Accountability. If you're using information
improperly, you should be severely punished. This flows from the second
principle of security. The requirement to safeguard information must be followed
by real and severe penalties for violations. When someone's health care privacy
has been violated, it's not enough to say it's wrong. We need to show it's
wrong. We need to send the message that protecting the confidentiality of
peoples' medical information is vitally important, and that people who violate
that confidence will be held accountable.
People who knowingly disclose medical records improperly, or who
misrepresent themselves to obtain health information, should be subject to
criminal penalties. Federal legislation should include punishment for those who
misuse personal health information and redress for people who are harmed by its
We believe offenders should be subject to criminal felony penalties
(including fines and imprisonment) if they knowingly obtain or use health care
information in violation of the standards our report outlines. This includes
passing out information to those who shouldn't have it and obtaining it under
The penalties mandated in a federal privacy law should be higher when
violations are for monetary gain, similar to those Congress mandated in the
administrative simplification provisions of the HIPAA for misuse of personal
identifiers and other violations. And, when there is a demonstrated pattern or
practice of unauthorized disclosure, those committing it should be subject to
civil monetary penalties.
But, in addition to punishing the perpetrators, we must give redress to the
victims. We believe that any individual whose rights under the federal privacy
law have been violated--whether those rights were violated negligently or
knowingly--should be permitted to bring a legal action for actual damages and
equitable relief. When the violation was done knowingly, attorney's fees and
punitive damages should be available.
These four principles--Boundaries, Security, Consumer Control and
Accountability--must be weighed against the fifth principle, Public
Just like our free speech rights, privacy rights can never be absolute. We
have other critical--yet often competing--interests and goals. We must balance
our protections of privacy with our public responsibility to support national
priorities--public health, research, quality care, and our fight against health
care fraud and abuse.
As a major payer of health care in this country, our Department is acutely
aware of the need to use health records to fulfill those responsibilities.
For example, HHS auditors use health records to zero in on kick-backs,
over-payments and other fraud--so we can bring the perpetrators to justice and
the money back to taxpayers. Researchers have used health records to help us
fight childhood leukemia and uncover the link between DES and reproductive
cancers. Local public health agencies use health records to warn us of outbreaks
of emerging infectious diseases.
In addition, our efforts to improve quality in our health care system
depend on our ability to review charts to determine quality of care provided by
health institutions and health professionals and to examine adverse events to
see if they reflect underlying structural or practice problems. The practice of
medicine itself is grounded in the review of profile cases in certain clinical
domains to evaluate the quality of care provided to the patient.
In these cases, it's not always possible to ask for permission. And, in
many cases, doing so would create major obstacles in our efforts to protect
public health and fight crime. But that doesn't give us a free pass. Allowing
access doesn't mean we can forget about protecting privacy. And we shouldn't.
PUBLIC RESPONSIBILITY CHOICES
Let me outline a few of the areas in which we recommend that disclosure of
health information for particular purposes under specified conditions be
permitted without patient authorization.
Under certain circumstances, we propose to permit health care professionals,
payers, and those receiving information from them to disclose health information
without patient authorization to public health authorities for disease
reporting, public health investigation, or intervention. Why is this important?
Think about the recent outbreak of E. coli O157 in hamburger that resulted in the
largest recall of meat products in history. Public health authorities, working
with other officials, were able to identify quickly the source of the outbreak
and thereby prevent thousands of other Americans from being exposed to a
A recent consultant's report to HHS on health privacy and research concluded
that if people don't trust the research community to protect their personal
information, they may refuse to participate in clinical trials and they may even
oppose the use of their records for all research under any circumstances.
Research which improves the health of all citizens must not only survive,
but thrive, under strong assurances that privacy of personal information will be
carefully protected. We must make every effort to see that this happens.
These are situations under which personal information should be made
available to researchers without consent. These conditions should include a
determination by an Institutional Review Board (IRB) that the research involves
minimal risks to participants; that the absence of consent will not adversely
affect the rights or welfare of participants; and that conducting the research
would be impracticable if consent were required.
In addition, the researcher should be required to remove the personal
identifiers and to provide the IRB with assurances that the information will be
protected from improper use and unauthorized additional disclosures.
This recommendation is consistent with the Federal Policy for the Protection
of Human Subjects and the Privacy Act--policies that have protected research
participants and research records for a quarter of a century and that have saved
lives and fostered countless improvements in medical treatment.
Law enforcement officials seek access to health care information for a
variety of reasons, depending on the target of their investigation--from the hot
pursuit of an injured fugitive in an emergency room to the review of health care
information to determine if a crime has been committed by a hospital or
We recommend that a federal health privacy law not interfere with the
well-established procedures of the criminal justice system. Information would
be disclosed without patient authorization for purposes required by State
law--like the reporting of gunshot wound victims, the identification or
location of an injured fugitive--or for other legitimate law enforcement
The report calls for national standards. But, it does not recommend outright
or overall federal preemption of existing State legislation that is more
protective of health information.
In HIPAA, Congress generally expressed a preference for leaving stronger
State laws in place and that is the right thing to do. Although most State laws
are in no way uniform or comprehensive, these recommendations concern an area
already regulated by State laws. Some protections that we propose may be
stronger than some existing State laws. Therefore, we recommend that Federal
legislation replace State law only when the State law is less protective than
the Federal law. Thus, the confidentiality protections provided would be
cumulative, and the Federal legislation would provide a floor. Federal
legislation should provide every American with a basic set of rights with
respect to health information. All should be assured of a national standard of
Many have argued for one law in the interests of administrative
simplification. We may reach a consensus one day, after watching the rapid
evolution of health care, in which we determine the interests of nationwide
administrative simplification for health transactions justifies preemptive
federal legislation. I am not convinced that day has arrived.
Nevertheless, the impact of leaving in place more restrictive State laws on
the effective use of health information bears careful watching. If dual
regulation impairs care or the operation of information and payment systems,
poses risks to confidentiality because of confusion about two levels of law, or
creates uncertainty among patients about their rights and forms of redress, we
may want to revisit the notion of a preemptive federal law.
As we seek to protect privacy in the information age, we will always be
shooting at a moving target. As technology develops, and as we continue our
implementation of HIPAA, there may need to be adjustments or additional
legislation in the future to address emerging concerns.
Mr. Chairman, the five principles embodied in our recommendations
--boundaries, security, consumer control, accountability, and public
responsibility--should guide a comprehensive law that would give our nation real
federal standards and our citizens real peace of mind.
They represent a practical, comprehensive and balanced strategy to protect
health care information that is collected, shared, and used in an increasingly
At the same time, we need to build on the efforts of the Americans with
Disabilities Act and the Kassebaum-Kennedy law to address another legal issue
that has a tremendous impact on how people view their privacy: health care
discrimination, including genetic discrimination. Because our efforts on health
care privacy will never be enough until we give all Americans confidence that
information in their medical records will not be used to deny them jobs or
affordable health insurance.
Yet, as we know from past experience, national legislation alone will not
inspire trust in one's rights or commitment to one's responsibilities. It's
going to take education. Every single health care professional, every public
health official, every pharmacist--every single person who comes in contact
with health care records must understand why it's important to keep them safe,
how they can keep them safe, and what will happen to them if they don't.
Most of all, we must help consumers understand not just their privacy
rights, but also their responsibilities to ask questions and demand answers--to
become active participants in their health care.
We need an informed public, because, as the National Research Council
recently pointed out, we need an informed public debate. An ongoing
We cannot expect to solve these problems all at once. With changes in
medical practices and technology occurring every day, we need to be flexible, to
change course if our strategy isn't working and meet new challenges as they
Twenty-five years ago, Secretary Richardson and the Congress looked into an
uncertain future and tried to chart a course on which individual rights and
privacy would prevail. The result, as I mentioned, was the landmark Federal
Now a similar challenge is before us. Twenty-five years from now, what will
they say about the footsteps we left? Will we leave the next generation with
real federal privacy standards based on fundamental principles? Will we have
boundaries to ensure that, with very few exceptions, our health care information
is used only for health care? Will we have assurances that our information is
secure? Will we have control over what happens to it? Will those who violate our
privacy be held accountable? And will we be able to safeguard our privacy rights
while still protecting our core public responsibilities like research and public
In short, will we harness these revolutions in biology, communications, and
health care to breathe new life into the trust between our patients and their
doctors, between our citizens and their government, between our past and our
We can. We must. And, I believe, working together, we will.
Mr. Chairman, we in the Department and the Administration are eager to work
with you to enact strong national privacy legislation.
Thank you again for giving me this opportunity to testify. I look forward
to answering any questions that you may have.