
Statement on Medical Records Confidentiality by Margaret A. Hamburg, M.D.
Assistant Secretary for Planning and Evaluation
U.S. Department of Health and Human Services

Before the House Committee on Commerce, Subcommittee on Health and Environment
May 27, 1999

Mr. Chairman, Congressman Brown, distinguished members of the Committee: I appreciate the opportunity to appear before you to discuss the Administration's recommendations for federal legislation to protect the privacy of health information. With me today are Dr. Lana Skirboll, Associate Director for Science Policy, National Institutes of Health, and Dr. John Eisenberg, Administrator of the Agency for Health Care Policy and Research.

I would like to commend the members of this Committee, in particular Rep. Waxman, Rep. Markey, Rep. Dingell, and Rep. Brown, for their hard work in developing medical privacy legislation. The most recent bill was just introduced on Tuesday, and we have not had the opportunity to review it in detail. We have noted, however, that the authors chose to take a new approach to the issue and in doing so have helped provide momentum that will be needed to enact legislation this year.

As you may remember, Secretary Shalala first presented her recommendations, required by the Congress under Section 264 of the Health Insurance Portability and Accountability Act (HIPAA), in September 1997.(1) I think it is fair to say that the recommendations were well received and have been used to assist others in crafting their own legislative proposals.

HIPAA also requires that if Congress fails to enact comprehensive privacy legislation by August of this year, HHS must implement final regulations by February 2000. We have assembled an interagency team to work on the regulations including representatives from the Departments of Labor, Defense, Commerce, the Social Security Administration, the Veterans Administration and the Office of Management and Budget. It is our intent to have the regulations prepared in time to meet the statutory deadline.

While we are moving ahead to have the regulation ready, the President and Secretary Shalala have made it very clear that their first priority is to see Congress enact a comprehensive health information privacy bill. Our staff have been working closely with many of your staff, and staff in the Senate, to assist you in achieving that goal. Again, let me reiterate, we want to see legislation, and we want to work with you to make that happen.

The issue of health information privacy is quite complex - in order to resolve it legislatively, some difficult choices will have to be made. We believe that our recommendations strike the appropriate balance between the privacy needs of our citizens and the critical needs of our health care system and our nation. This is an issue that touches every single American, and to reach resolution we will need a bipartisan effort.


It has been 25 years since former HEW Secretary Elliot Richardson set forth principles that led to the landmark Federal Privacy Act. Those 25 years have brought vast changes in our health care system.

Revolutions in our health care delivery system mean that we must place our trust in entire networks of insurers and health care professionals - both public and private. The computer and telecommunications revolutions mean that information no longer exists in one place - it can travel in real time to many hospitals, physicians, insurers, and across state lines.

In addition, revolutions in biology mean that a whole new world of genetic tests has the potential to either help prevent disease or reveal the most personal health information of a family. Without safeguards to assure citizens that getting tested will not endanger their families' privacy or health insurance, we could endanger one of the most promising areas of research our nation has ever seen.

Health care privacy can be safeguarded. It must be done with national legislation, national education, and an on-going national conversation.

Currently, when we give a physician or health insurance company precious health information, the level of protection will vary widely from state to state. We have no comprehensive federal health information privacy standards. Because the practice of health care is increasingly becoming interstate through mergers, complex contractual relationships and enhanced telecommunications, we can no longer rely on the existing patchwork of state laws. The patchwork does not provide Americans the privacy protections they need or expect. The Congress should seize upon this opportunity to create strong federal standards and reassure the public that they can trust their providers and insurers to keep their health information secure.

In developing our recommendations for federal legislation, we learned a great deal through consultations with a variety of outside groups and from six days of public hearings conducted by the National Committee on Vital and Health Statistics, our statutory federal advisory Committee for health data and privacy policy. The hearings involved over 40 witnesses from across the health community, including health care professionals, plans, insurance companies, the privacy community, and the public health and research communities.

We believe our recommendations provide a balanced framework for legislation that can protect the privacy of medical records, guarantee consumers the right to inspect their records, and punish unauthorized disclosures of personal health data by hospitals, insurers, health plans, drug companies or others.


The Secretary's recommendations for legislation are grounded in five key principles: Boundaries, Security, Consumer Control, Accountability, and Public Responsibility.


The first is the principle of Boundaries: With very few exceptions, personally identifiable health care information should be disclosed for health purposes and health purposes only. It should be easy to use it for those purposes, and very difficult to use it for other purposes.

For example, employers should be able to use the information furnished by their employees to provide on-site care or to administer a health plan in the best interests of those employees. But those same employers should not be able to use information obtained for health care purposes to discriminate against individuals when making employment decisions - such as hiring, firing, placements and promotions. To enforce these boundaries, we recommend strong penalties for the inappropriate use or disclosure of medical records.

We recommend that the legislation apply specifically to providers and payers, and to anyone who receives health information from a provider or payer, either with the authorization of the patient or as authorized explicitly by legislation.

However, our recommendations acknowledge that these providers and payers do not act alone. In order for a provider or payer to operate efficiently, it may need to enlist a service organization to perform an administrative or operational function. For example, a hospital may hire an organization to encode and process bills, or a managed care organization may contract with a pharmaceutical benefit management company to provide information to pharmacists about what medications are covered and appropriate for their customers.

The numbers and types of service organizations are increasing every day. While most do not have direct relationships with the patients, they do have access to their personal health care information. Therefore, we recommend that they should be bound by the same standards. For example, a health plan's contractor should be allowed to have access to patient lists in order to do mailings to remind patients to schedule appointments for preventive care. But it should not be able to sell the patient lists to a pharmaceutical company for a direct mailing announcing a new product.

Because we recommend a minimum floor of protection for all records, our report does not distinguish among types of health care information based on sensitivity. For example, our recommendations do not include specific provisions related to genetic information in health records. Genetic information should be covered by the same rules. However, we recognize that the public is especially concerned about the unique properties of genetic information - its predictive nature, and its link to personal identity and kinship and its ability to reveal our family secrets.

Therefore, while you are developing privacy legislation, you should also consider how to limit the collection and disclosure of genetic information and prohibit health insurers and employers from discriminating against individuals on the basis of their genetic information. Because of the speedy development of genetic technologies and their potential for abuse, we recommend that legislation concerning discrimination in underwriting by insurers or other improper use of such information be considered expeditiously. We look forward to continuing our work with you on this issue.


The second principle is Security. Americans need to feel secure that when they give out personal health care information, they are leaving it in good hands. Information should not be used or given out unless either the patient authorizes it or there is a clear legal basis for doing so.

There are many different ways that private information like your blood tests could become public. People who are allowed to see it - such as lab technicians - can misuse it either carelessly or intentionally. And people who should not be seeing it - such as marketers - can find a way to access it, either because the organization holding the information doesn't have proper safeguards or the marketers can find an easy way around the safeguards. To give Americans the security they expect and deserve, Congress should develop legislation that requires those who legally receive health information to take reasonable steps to safeguard it and face consequences for failure to do so.

What do we mean by reasonable steps? The organizations should adopt protective administrative and management techniques, educate their employees, and impose disciplinary sanctions against employees who use information improperly.

We are addressing some of these steps in our Security Standards regulation, implementing the Administrative Simplification mandate under HIPAA. Our NPRM laid out a range of approaches for safeguarding the information to which the HIPAA mandate applies. However, that regulation will only cover the security of specific electronically maintained records. We need comprehensive privacy legislation to cover all health information that needs this kind of protection.

We don't believe a law can specify the details of these protections because each organization must keep pace with the new threats to our privacy and the technology that can either abate or exacerbate them. But a federal law can require everyone who holds health information to have these types of safeguards in place and specify the appropriate sanctions if the information is improperly disclosed.

Consumer Control

The third principle is Consumer Control. The principles of fair information practice (formulated in 1973 by a Committee appointed by Secretary Richardson) included as a basic right: "There must be a way for an individual to find out what information about him is in a record and how it is used."

With very narrow exceptions, consumers should have the right to find out what is contained in their records, find out who has looked at them, and to inspect, copy and, if necessary, correct them. Consumers should be given a clear explanation of these rights and they should understand how organizations will use their information. Let me give you an example of why this is important. According to the Privacy Rights Clearinghouse, a California physician in private practice was having trouble getting health, disability, and life insurance. She ordered a copy of her report from the Medical Information Bureau - an information service used by many insurance companies. It included information showing that she had a heart condition and Alzheimer's disease. There was only one problem. None of it was true. Unfortunately, under the current system these types of errors occur all too often. Consumers often do not have access to their own health records and even those who do are not always able to correct some of the most egregious errors.

With that in mind, our recommendations set forth a set of practices and procedures that would require that insurers and health care providers provide consumers with a written explanation detailing who has access to their information and how that information will be used, how they can restrict or limit access to it, and what their rights are if their information is disclosed improperly.

We also recommend procedures for patients to inspect and copy their information, and set out the very limited circumstances under which patient inspection should be properly denied.

Finally, we recommend a process for patients to seek corrections or amendments to their health information to resolve situations in which innocent coding errors cause patients to be charged for procedures they never received, or to be on record as having conditions or medical histories that are inaccurate.


The fourth principle is Accountability. If you are using information improperly, you should be punished. This flows directly from the second principle of security - the requirement to safeguard information must be followed by real and severe penalties for violations. Congress should send the message that protecting the confidentiality of health information is vitally important, and that people who violate that confidence will be held accountable.

We recommend that offenders should be subject to criminal felony penalties if they knowingly obtain or use health care information in violation of the standards outlined in our report. The penalties mandated in privacy legislation should be higher when violations are for monetary gain, similar to those Congress mandated in the administrative simplification provisions of HIPAA. In addition, when there is a demonstrated pattern or practice of unauthorized disclosure, those committing it should be subject to civil monetary penalties.

In addition to punishing the perpetrators, we must give redress to the victims. We believe that any individual whose privacy rights have been violated - whether those rights were violated negligently or knowingly - should be permitted to bring a legal action for actual damages and equitable relief. When the violation is done knowingly, attorney's fees and punitive damages should be available.

These first four principles - Boundaries, Security, Consumer Control and Accountability - must be carefully weighed against the fifth principle, Public Responsibility.

Public Responsibility

Just like our free speech rights, privacy rights can never be absolute. We have other critical - yet often competing - interests and goals. We must balance our protections of privacy with our public responsibility to support national priorities - public health and safety, research, quality care, and our fight against health care fraud and abuse and other unlawful activities.

Our Department is acutely aware of the need to use personal health information for each of these national priorities. For example, HHS auditors use health records to uncover kickbacks, overpayments and other fraudulent activity. Researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers. Public health agencies use health records to warn us of outbreaks of emerging infectious diseases. In addition, our efforts to improve quality in our health care system depend on our ability to review health information to determine how well health institutions and health professionals are caring for patients.

For public health and safety, research, quality evaluations, fraud investigations, and legitimate law enforcement purposes, it's not always possible, or desirable, to ask for each patient's permission for access to the necessary health information. And, in many cases, doing so could create major obstacles in our efforts. While we must be able to use identifiable information when necessary for these purposes, we should use information that is not identifiable as much as possible.

To demonstrate how access must be balanced against public responsibility, let me outline a few of the areas in which we recommend that disclosure of health information should be permitted without patient authorization.

Public Health

Under certain circumstances, we recommend permitting health care professionals, payers, and those receiving information from them to disclose health information without patient authorization to public health authorities for disease reporting, adverse event reporting, public health investigation, or intervention. This is currently how the public health system operates under existing State and federal laws.

For example, consider the outbreak of E. coli in hamburger that resulted in the largest recall of meat products in history. Public health authorities, working with other officials, used personally identifiable information to identify quickly the source of the outbreak and thereby prevent thousands of other Americans from being exposed to a contaminated product.


An important mission for the Department of Health and Human Services is to fund and conduct health research. We understand that research is vitally important to our health care and to progress in medical care. Legislation should not impede this activity.

Today the Federal Policy for Protection of Human Subjects and FDA's Human Subject Regulations protect participants in most research studies that are funded or regulated by the federal government. These rules have worked well to protect the privacy of individuals while not impeding the conduct of research. We recommend that similar privacy protections should be extended to all research in which individually identifiable health information is disclosed, and not just federally funded or regulated research.

All researchers must determine whether their research requires the retention of personal identifiers. There are research studies that can only be conducted if identifiers are retained; for example, outcomes studies for heart attack victims or the recent study which identified a correlation between the incidence of Sudden Infant Death Syndrome and the infant's sleep position. If, and when, personal identifiers are no longer needed, the researcher should be required to remove them and provide assurances that the information will be protected from improper use and unauthorized additional disclosures.

Under the Common Rule, if personal identifiers are necessary, an IRB must review the research proposal and determine whether informed consent is required or may be waived. In order for informed consent to be waived, an IRB must determine that the research involves no more than minimal risk to participants, that the absence of informed consent will not adversely affect the rights or welfare of participants, and that conducting the research would be impracticable if consent were required. This or a similar mechanism of review should be applicable for all research using individually identifiable health information without informed consent regardless of funding source.

This recommendation is consistent with the Federal Policy for the Protection of Human Subjects as well as the Privacy Act - policies that have protected federal research participants and research records for a quarter of a century and that have saved lives and fostered countless improvements in medical treatment.


Our recommendations call for national standards. But, we do not recommend outright or overall federal preemption of existing State laws that are more protective of health information.

Some protections that we recommend may be stronger than some existing State laws. Therefore, we recommend that Federal legislation replace State law only when the State law is less protective than the Federal law. Thus, the confidentiality protections provided would be cumulative and the Federal legislation would provide every American with a basic set of rights with respect to health information.


Mr. Chairman, the five principles embodied in our recommendations - Boundaries, Security, Consumer Control, Accountability, and Public Responsibility - should guide a comprehensive law that will create substantive federal standards and provide our citizens with real peace of mind.

The principles represent a practical, comprehensive and balanced strategy to protect health care information that is collected, shared, and used in an increasingly complex world.

In addition to creating new federal standards, we must ensure that every single person who comes in contact with health care information understands why it is important to keep the information safe, how it can be kept safe, and what will be the consequences for failing to keep it safe. Most of all, we must help consumers understand not just their privacy rights, but also their responsibilities to ask questions and demand answers - to become active participants in their health care.

We cannot expect to solve these problems all at once. With changes in medical practices and technology occurring every day, we need to be flexible, to change course if our strategy isn't working and meet new challenges as they arise.

Mr. Chairman, we in the Department and the Administration are eager to work with you to enact strong national medical privacy legislation.

Thank you again for giving me this opportunity to testify. My colleagues and I look forward to answering any questions that you may have.

1. "Confidentiality of Individually-Identifiable Health Information, Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996" can be found on the HHS web site at: <aspe.os.dhhs.gov/admnsimp/>.