Mr. Chairman, Congressman Brown, distinguished members of
the Committee: I appreciate the opportunity to appear before you to discuss the
Administration's recommendations for federal legislation to protect the privacy of health
information. With me today are Dr. Lana Skirboll, Associate Director for Science Policy,
National Institutes of Health, and Dr. John Eisenberg, Administrator of the Agency for
Health Care Policy and Research.
I would like to commend the members of this Committee, in
particular, Rep. Waxman, Rep. Markey, Rep. Dingell, and Rep. Brown for their hard work in
developing medical privacy legislation. The most recent bill was just introduced on
Tuesday, and we have not had the opportunity to review it in detail. We have noted,
however, that the authors chose to take a new approach to the issue and in doing so have
helped provide momentum that will be needed to enact legislation this year.
As you may remember, Secretary Shalala first presented her
recommendations, required by the Congress under Section 264 of the Health Insurance
Portability and Accountability Act (HIPAA), in September 1997.(1)
I think it is fair to say that the
recommendations were well received and have been used to assist others in crafting their
own legislative proposals.
HIPAA also requires that if Congress fails to enact
comprehensive privacy legislation by August of this year, HHS must implement final
regulations by February 2000. We have assembled an interagency team to work on the
regulations including representatives from the Departments of Labor, Defense, Commerce,
the Social Security Administration, the Veterans Administration and the Office of
Management and Budget. It is our intent to have the regulations prepared in time to meet
the statutory deadline.
While we are moving ahead to have the regulation ready,
the President and Secretary Shalala have made it very clear that their first priority is
to see Congress enact a comprehensive health information privacy bill. Our staff have been
working closely with many of your staff, and staff in the Senate, to assist you in
achieving that goal. Again, let me reiterate, we want to see legislation, and we want to
work with you to make that happen.
The issue of health information privacy is quite complex -
in order to resolve it legislatively, some difficult choices will have to be made. We
believe that our recommendations strike the appropriate balance between the privacy needs
of our citizens and the critical needs of our health care system and our nation. This is
an issue that touches every single American, and to reach resolution we will need a
THE NEED FOR LEGISLATION
It has been 25 years since former HEW Secretary Elliot
Richardson set forth principles that led to the landmark Federal Privacy Act. Those 25
years have brought vast changes in our health care system.
Revolutions in our health care delivery system mean that
we must place our trust in entire networks of insurers and health care professionals -
both public and private. The computer and telecommunications revolutions mean that
information no longer exists in one place - it can travel in real time to many hospitals,
physicians, insurers, and across state lines.
In addition, revolutions in biology mean that a whole new
world of genetic tests have the potential to either help prevent disease or reveal the
most personal health information of a family. Without safeguards to assure citizens that
getting tested will not endanger their families' privacy or health insurance, we could
endanger one of the most promising areas of research our nation has ever seen.
Health care privacy can be safeguarded. It must be done
with national legislation, national education, and an on-going national conversation.
Currently, when we give a physician or health insurance
company precious health information, the level of protection will vary widely from state
to state. We have no comprehensive federal health information privacy standards. Because
the practice of health care is increasingly becoming interstate through mergers, complex
contractual relationships and enhanced telecommunications, we can no longer rely on the
existing patchwork of state laws. The patchwork does not provide Americans the privacy
protections they need or expect. The Congress should seize upon this opportunity to create
strong federal standards and reassure the public that they can trust their providers and
insurers to keep their health information secure.
In developing our recommendations for federal legislation,
we learned a great deal through consultations with a variety of outside groups and from
six days of public hearings conducted by the National Committee on Vital and Health
The hearings involved over 40 witnesses from across the health community, including health
care professionals, plans, insurance companies, the privacy community, and the public
health and research communities.
We believe our recommendations provide a balanced
framework for legislation that can protect the privacy of medical records, guarantee
consumers the right to inspect their records, and punish unauthorized disclosures of
personal health data by hospitals, insurers, health plans, drug companies or others.
The Secretary's recommendations for legislation are
grounded in five key principles: Boundaries, Security, Consumer Control, Accountability,
and Public Responsibility.
The first is the principle of Boundaries: With very few
exceptions, personally identifiable health care information should be disclosed for health
purposes and health purposes only. It should be easy to use it for those purposes, and
very difficult to use it for other purposes.
For example, employers should be able to use the
information furnished by their employees to provide on-site care or to administer a health
plan in the best interests of those employees. But those same employers should not be able
to use information obtained for health care purposes to discriminate against individuals
when making employment decisions - such as hiring, firing, placements and promotions. To
enforce these boundaries, we recommend strong penalties for the inappropriate use or
disclosure of medical records.
We recommend that the legislation apply specifically to
providers and payers, and to anyone who receives health information from a provider or
payer, either with the authorization of the patient or as authorized explicitly by
However, our recommendations acknowledge that these
providers and payers do not act alone. In order for a provider or payer to operate
efficiently, it may need to enlist a service organization to perform an administrative or
operational function. For example, a hospital may hire an organization to encode and
process bills, or a managed care organization may contract with a pharmaceutical benefit
management company to provide information to pharmacists about what medications are
covered and appropriate for their customers.
The numbers and types of service organizations are increasing every day. While most do not
have direct relationships with the patients, they do have access to their personal health
care information. Therefore, we recommend that they should be bound by the same standards.
For example, a health plan's contractor should be allowed to have access to patient lists
in order to do mailings to remind patients to schedule appointments for preventive care.
But it should not be able to sell the patient lists to a pharmaceutical company for a
direct mailing announcing a new product.
Because we recommend a minimum floor of protection for all
records, our report does not distinguish among types of health care information based on
sensitivity. For example, our recommendations do not include specific provisions related
to genetic information in health records. Genetic information should be covered by the
same rules. However, we recognize that the public is especially concerned about the unique
properties of genetic information - its predictive nature, and its link to personal
identity and kinship and its ability to reveal our family secrets.
Therefore, while you are developing privacy legislation,
you should also consider how to limit the collection and disclosure of genetic information
and prohibit health insurers and employers from discriminating against individuals on the
basis of their genetic information. Because of the speedy development of genetic
technologies and their potential for abuse, we recommend that legislation concerning
discrimination in underwriting by insurers or other improper use of such information be
considered expeditiously. We look forward to continuing our work with you on this issue.
The second principle is Security. Americans need to feel
secure that when they give out personal health care information, they are leaving it in
good hands. Information should not be used or given out unless either the patient
authorizes it or there is a clear legal basis for doing so.
There are many different ways that private information
like your blood tests could become public. People who are allowed to see it - such as lab
technicians - can misuse it either carelessly or intentionally. And people who should not
be seeing it - such as marketers - can find a way to access it, either because the
organization holding the information doesn't have proper safeguards or the marketers can
find an easy way around the safeguards. To give Americans the security they expect and
deserve, Congress should develop legislation that requires those who legally receive
health information to take reasonable steps to safeguard it and face consequences for
failure to do so.
What do we mean by reasonable steps? The organizations
should adopt protective administrative and management techniques, educate their employees,
and impose disciplinary sanctions against employees who use information improperly.
We are addressing some of these steps in our Security
Standards regulation, implementing the Administrative Simplification mandate under HIPAA.
Our NPRM laid out a range of approaches for safeguarding the information to which the
HIPAA mandate applies. However, that regulation will only cover the security of specific
electronically maintained records. We need comprehensive privacy legislation to cover all
health information that needs this kind of protection.
We don't believe a law can specify the details of these
protections because each organization must keep pace with the new threats to our privacy
and the technology that can either abate or exacerbate them. But a federal law can require
everyone who holds health information to have these types of safeguards in place and
specify the appropriate sanctions if the information is improperly disclosed.
The third principle is Consumer Control. The principles of
fair information practice (formulated in 1973 by a Committee appointed by Secretary
Richardson) included as a basic right: "There must be a way for an individual to find
out what information about him is in a record and how it is used."
With very narrow exceptions, consumers should have the
right to find out what is contained in their records, find out who has looked at them, and
to inspect, copy and, if necessary, correct them. Consumers should be given a clear
explanation of these rights and they should understand how organizations will use their
information. Let me give you an example of why this is important. According to the Privacy
Rights Clearinghouse, a California physician in private practice was having trouble
getting health, disability, and life insurance. She ordered a copy of her report from the
Medical Information Bureau - an information service used by many insurance companies. It
included information showing that she had a heart condition and Alzheimer's disease. There
was only one problem. None of it was true. Unfortunately, under the current system these
types of errors occur all too often. Consumers often do not have access to their own
health records and even those who do are not always able to correct some of the most
With that in mind, our recommendations set forth a set of
practices and procedures that would require that insurers and health care providers
provide consumers with a written explanation detailing who has access to their information
and how that information will be used, how they can restrict or limit access to it, and
what their rights are if their information is disclosed improperly.
We also recommend procedures for patients to inspect and
copy their information, and set out the very limited circumstances under which patient
inspection should be properly denied.
Finally, we recommend a process for patients to seek
corrections or amendments to their health information to resolve situations in which
innocent coding errors cause patients to be charged for procedures they never received, or
to be on record as having conditions or medical histories that are inaccurate.
The fourth principle is Accountability. If you are using
information improperly, you should be punished. This flows directly from the second
principle of security - the requirement to safeguard information must be followed by real
and severe penalties for violations. Congress should send the message that protecting the
confidentiality of health information is vitally important, and that people who violate
that confidence will be held accountable.
We recommend that offenders should be subject to criminal
felony penalties if they knowingly obtain or use health care information in violation of
the standards outlined in our report. The penalties mandated in privacy legislation should
be higher when violations are for monetary gain, similar to those Congress mandated in the
administrative simplification provisions of HIPAA. In addition, when there is a
demonstrated pattern or practice of unauthorized disclosure, those committing it should be
subject to civil monetary penalties.
In addition to punishing the perpetrators, we must give
redress to the victims. We believe that any individual whose privacy rights have
been violated - whether those rights were violated negligently or knowingly - should be
permitted to bring a legal action for actual damages and equitable relief. When the
violation is done knowingly, attorney's fees and punitive damages should be available.
These first four principles - Boundaries, Security,
Consumer Control and Accountability - must be carefully weighed against the fifth
principle, Public Responsibility.
Just like our free speech rights, privacy rights can never
be absolute. We have other critical - yet often competing - interests and goals. We must
balance our protections of privacy with our public responsibility to support national
priorities - public health and safety, research, quality care, and our fight against
health care fraud and abuse and other unlawful activities.
Our Department is acutely aware of the need to use
personal health information for each of these national priorities. For example, HHS
auditors use health records to uncover kickbacks, overpayments and other fraudulent
activity. Researchers have used health records to help us fight childhood leukemia and
uncover the link between DES and reproductive cancers. Public health agencies use health
records to warn us of outbreaks of emerging infectious diseases. In addition, our efforts
to improve quality in our health care system depend on our ability to review health
information to determine how well health institutions and health professionals are caring
For public health and safety, research, quality
evaluations, fraud investigations, and legitimate law enforcement purposes, it's not
always possible, or desirable, to ask for each patient's permission for access to the
necessary health information. And, in many cases, doing so could create major obstacles in
our efforts. While we must be able to use identifiable information when necessary for
these purposes, we should use information that is not identifiable as much as possible.
To demonstrate how access must be balanced against public
responsibility, let me outline a few of the areas in which we recommend that disclosure of
health information should be permitted without patient authorization.
Under certain circumstances, we recommend permitting
health care professionals, payers, and those receiving information from them to disclose
health information without patient authorization to public health authorities for disease
reporting, adverse event reporting, public health investigation, or intervention. This is
currently how the public health system operates under existing State and federal laws.
For example, consider the outbreak of E. coli in hamburger
that resulted in the largest recall of meat products in history. Public health
authorities, working with other officials, used personally identifiable information to
identify quickly the source of the outbreak and thereby prevent thousands of other
Americans from being exposed to a contaminated product.
An important mission for the Department of Health and
Human Services is to fund and conduct health research. We understand that research is
vitally important to our health care and to progress in medical care. Legislation should
not impede this activity.
Today the Federal Policy for Protection of Human Subjects
and FDA's Human Subject Regulations protect participants in most research studies that are
funded or regulated by the federal government. These rules have worked well to protect the
privacy of individuals while not impeding the conduct of research. We recommend that
similar privacy protections should be extended to all research in which individually
identifiable health information is disclosed, and not just federally funded or regulated
All researchers must determine whether their research
requires the retention of personal identifiers. There are research studies that can only
be conducted if identifiers are retained; for example, outcomes studies for heart attack
victims or the recent study which identified a correlation between the incidence of Sudden
Infant Death Syndrome and the infant's sleep position. If, and when, personal identifiers
are no longer needed, the researcher should be required to remove them and provide
assurances that the information will be protected from improper use and unauthorized
Under the Common Rule, if personal identifiers are
necessary, an IRB must review the research proposal and determine whether informed consent
is required or may be waived. In order for informed consent to be waived, an IRB must
determine that the research involves no more than minimal risk to participants, that the
absence of informed consent will not adversely affect the rights or welfare of
participants, and that conducting the research would be impracticable if consent were
required. This or a similar mechanism of review should be applicable for all research
using individually identifiable health information without informed consent regardless of
This recommendation is consistent with the Federal Policy
for the Protection of Human Subjects as well as the Privacy Act - policies that have
protected federal research participants and research records for a quarter of a century
and that have saved lives and fostered countless improvements in medical treatment.
Our recommendations call for national standards. But, we
do not recommend outright or overall federal preemption of existing State laws that are
more protective of health information.
Some protections that we recommend may be stronger than
some existing State laws. Therefore, we recommend that Federal legislation replace State
law only when the State law is less protective than the Federal law. Thus, the
confidentiality protections provided would be cumulative and the Federal legislation would
provide every American with a basic set of rights with respect to health information.
Mr. Chairman, the five principles embodied in our
recommendations - Boundaries, Security, Consumer Control, Accountability, and Public
Responsibility - should guide a comprehensive law that will create substantive federal
standards and provide our citizens with real peace of mind.
The principles represent a practical, comprehensive and
balanced strategy to protect health care information that is collected, shared, and used
in an increasingly complex world.
In addition to creating new federal standards, we must
ensure that every single person who comes in contact with health care information
understands why it is important to keep the information safe, how it can be kept safe, and
what will be the consequences for failing to keep it safe. Most of all, we must help
consumers understand not just their privacy rights, but also their responsibilities to ask
questions and demand answers - to become active participants in their health care.
We cannot expect to solve these problems all at once. With
changes in medical practices and technology occurring every day, we need to be flexible,
to change course if our strategy isn't working and meet new challenges as they arise.
Mr. Chairman, we in the Department and the Administration
are eager to work with you to enact strong national medical privacy legislation.
Thank you again, for giving me this opportunity to
testify. My colleagues and I look forward to answering any questions that you may have.
1. "Confidentiality of Individually-Identifiable Health
Information, Recommendations of the Secretary of Health and Human Services, pursuant to
section 264 of the Health Insurance Portability and Accountability Act of 1996" can
be found on the HHS web site at: <aspe.os.dhhs.gov/admnsimp/>.