Mr. Chairman, Congressman Stark, distinguished members of the Committee: I appreciate
the opportunity to appear before you to discuss the Administration's recommendations for
federal legislation to protect the privacy of health information.
As you may remember, Secretary Shalala first presented her recommendations, required by
the Congress under Section 264 of the Health Insurance Portability and Accountability Act
(HIPAA), in September 1997. I think it is fair to say that the recommendations were well
received and have been used to assist others in crafting their own legislative proposals.
HIPAA also requires that if Congress fails to enact comprehensive privacy legislation
by August of this year, HHS must implement final regulations by February 2000. We have
assembled an interagency team to work on the regulations including representatives from
the Departments of Labor, Defense, Commerce, the Social Security Administration, the
Veterans Administration and the Office of Management and Budget. It is our intent to have
the regulations prepared in time to meet the statutory deadline.
While we are moving ahead to have the regulation ready, the President and Secretary
Shalala have made it very clear that their first priority is to see Congress enact a
comprehensive health information privacy bill. Our staff have been working closely with
many of your staff, and staff in the Senate, to assist you in achieving that goal. Again,
let me reiterate, we want to see legislation, and we want to work with you to make that
The issue of health information privacy is quite complex - in order to resolve it
legislatively, some difficult choices will have to be made. We believe that our
recommendations strike the appropriate balance between the privacy needs of our citizens
and the critical needs of our health care system and our nation. This is an issue that
touches every single American, and to reach resolution we will need a bipartisan effort.
THE NEED FOR LEGISLATION
It has been 25 years since former HEW Secretary Elliot Richardson set forth principles
that led to the landmark Federal Privacy Act. Those 25 years have brought vast changes in
our health care system.
Revolutions in our health care delivery system mean that we must place our trust in
entire networks of insurers and health care professionals - both public and
private. The computer and telecommunications revolutions mean that information no longer
exists in one place - it can travel in real time to many hospitals, physicians,
insurers, and across state lines.
In addition, revolutions in biology mean that a whole new world of genetic tests has
the potential to either help prevent disease or reveal the most personal health
information of a family. Without safeguards to assure citizens that getting tested will
not endanger their families' privacy or health insurance, we could endanger one of the
most promising areas of research our nation has ever seen.
Health care privacy can be safeguarded. It must be done with national legislation,
national education, and an on-going national conversation.
Currently, when we give a physician or health insurance company precious health
information, the level of protection will vary widely from state to state. We have no
comprehensive federal health information privacy standards. Because the practice of health
care is increasingly becoming interstate through mergers, complex contractual
relationships and enhanced telecommunications, we need strong federal standards.
Establishing a baseline that provides uniformity will help reassure the public that they
can trust their providers and insurers to keep their health information secure.
In developing our recommendations for federal legislation, we learned a great deal
through consultations with a variety of outside groups and from six days of public
hearings conducted by the National Committee on Vital and Health Statistics, our statutory
40 witnesses from across the health community, including health care professionals, plans,
insurance companies, the privacy community, and the public health and research
We believe our recommendations provide a balanced framework for legislation that can
protect the privacy of medical records, guarantee consumers the right to inspect their
records, and punish unauthorized disclosures of personal health data by hospitals,
insurers, health plans, drug companies or others.
The Secretary's recommendations for legislation are grounded in five key
principles: Boundaries, Security, Consumer Control, Accountability, and Public Responsibility.
The first is the principle of Boundaries: With very few exceptions, personally
identifiable health care information should be disclosed for health purposes and health
purposes only. It should be easy to use it for those purposes, and very difficult to use
it for other purposes.
For example, employers should be able to use the information furnished by their
employees to provide on-site care or to administer a health plan in the best interests of
those employees. But those same employers should not be able to use information obtained
for health care purposes to discriminate against individuals when making employment
decisions - such as hiring, firing, placements and promotions. To enforce these boundaries, we
recommend strong penalties for the inappropriate use or disclosure of medical records.
We recommend that the legislation apply specifically to providers and payers, and to
anyone who receives health information from a provider or payer, either with the
authorization of the patient or as authorized explicitly by legislation.
However, our recommendations acknowledge that these providers and payers do not act
alone. In order for a provider or payer to operate efficiently, it may need to enlist a
service organization to perform an administrative or operational function. For example, a
hospital may hire an organization to encode and process bills, or a managed care
organization may contract with a pharmaceutical benefit management company to provide
information to pharmacists about what medications are covered and appropriate for their
The numbers and types of service organizations are increasing every day. While most do
not have direct relationships with the patients, they do have access to their personal
health care information. Therefore, we recommend that they should be bound by the same
standards. For example, a health plan's contractor should be allowed to have access to patient lists in
order to do mailings to remind patients to schedule appointments for preventive care. But
it should not be able to sell the patient lists to a pharmaceutical company for a direct
mailing announcing a new product.
Because we recommend a minimum floor of protection for all records, our report does not
distinguish among types of health care information based on sensitivity. For example, our
recommendations do not include specific provisions related to genetic information in
health records. Genetic information should be covered by the same rules. However, we
recognize that the public is especially concerned about the unique properties of genetic
information - its predictive nature, its link to personal identity and kinship, and its ability to
reveal our family secrets.
Therefore while you are developing privacy legislation, you should also consider how to
limit the collection and disclosure of genetic information and prohibit health insurers
and employers from discriminating against individuals on the basis of their genetic
information. Because of the speedy development of genetic technologies and its potential
for abuse, we recommend that legislation concerning discrimination in underwriting by
insurers or other improper use of such information be considered expeditiously. We look
forward to continuing our work with you on this issue.
The second principle is Security. Americans need to feel secure that when they give out
personal health care information, they are leaving it in good hands. Information should
not be used or given out unless either the patient authorizes it or there is a clear legal
basis for doing so.
There are many different ways that private information like your blood tests could
become public. People who are allowed to see it - such as lab technicians - can misuse it either carelessly or intentionally. And people who
should not be seeing it - such as marketers - can find a way to access it, either because the organization
holding the information doesn't have proper safeguards or the marketers can find an easy
way around the safeguards. To give Americans the security they expect and deserve,
Congress should develop legislation that requires those who legally receive health
information to take reasonable steps to safeguard it and face consequences for failure to
What do we mean by reasonable steps? The organizations should adopt protective
administrative and management techniques, educate their employees, and impose disciplinary
sanctions against employees who use information improperly.
We are addressing some of these steps in our Security Standards regulation,
implementing the Administrative Simplification mandate under HIPAA. Our NPRM laid out a
range of approaches for safeguarding the information to which the HIPAA mandate applies.
However, that regulation will only cover the security of specific electronically
maintained records. We need comprehensive privacy legislation to cover all health
information that needs this kind of protection.
We don't believe a law can specify the details of these protections because each
organization must keep pace with the new threats to our privacy and the technology that
can either abate or exacerbate them. But a federal law can require everyone who holds
health information to have these types of safeguards in place and specify the appropriate
sanctions if the information is improperly disclosed.
The third principle is Consumer Control. The principles of fair information practice
(formulated in 1973 by a Committee appointed by Secretary Richardson) included as a basic
must be a way for an individual to find out what information about him is in a record and
how it is used.
With very narrow exceptions, consumers should have the right to find out what is
contained in their records, find out who has looked at them, and to inspect, copy and, if
necessary, correct them. Consumers should be given a clear explanation of these rights and
they should understand how organizations will use their information. Let me give you an
example of why this is important. According to the Privacy Rights Clearinghouse, a
California physician in private practice was having trouble getting health, disability,
and life insurance. She ordered a copy of her report from the Medical Information Bureau - an information service
used by many insurance companies. It included information showing that she had a heart
condition and Alzheimer's disease. There was only one problem. None of it was true.
Unfortunately, under the current system these types of errors occur all too often.
Consumers often do not have access to their own health records and even those who do are
not always able to correct some of the most egregious errors.
With that in mind, our recommendations set forth a set of practices and procedures that
would require that insurers and health care providers provide consumers with a written
explanation detailing who has access to their information and how that information will be
used, how they can restrict or limit access to it, and what their rights are if their
information is disclosed improperly.
We also recommend procedures for patients to inspect and copy their information, and
set out the very limited circumstances under which patient inspection should be properly
Finally, we recommend a process for patients to seek corrections or amendments to their
health information to resolve situations in which innocent coding errors cause patients to
be charged for procedures they never received, or to be on record as having conditions or
medical histories that are inaccurate.
The fourth principle is Accountability. If you are using information improperly, you
should be punished. This flows directly from the second principle of security - the requirement to
safeguard information must be followed by real and severe penalties for violations.
Congress should send the message that protecting the confidentiality of health information
is vitally important, and that people who violate that confidence will be held
We recommend that offenders should be subject to criminal felony penalties if they
knowingly obtain or use health care information in violation of the standards outlined in
our report. The penalties mandated in privacy legislation should be higher when violations
are for monetary gain, similar to those Congress mandated in the administrative
simplification provisions of HIPAA. In addition, when there is a demonstrated pattern or
practice of unauthorized disclosure, those committing it should be subject to civil
In addition to punishing the perpetrators, we must give redress to the victims.
We believe that any individual whose privacy rights have been violated - whether those rights
were violated negligently or knowingly - should be permitted to bring a legal action for actual damages and
equitable relief. When the violation is done knowingly, attorney's fees and punitive
damages should be available.
These first four principles - Boundaries, Security, Consumer Control and Accountability - must be carefully
weighed against the fifth principle, Public Responsibility.
Just like our free speech rights, privacy rights can never be absolute. We have other
- yet often competing - interests and goals. We must balance our protections of privacy
with our public responsibility to support national priorities - public health and
safety, research, quality care, and our fight against health care fraud and abuse and
other unlawful activities.
Our Department is acutely aware of the need to use personal health information for each
of these national priorities. For example, HHS auditors use health records to uncover
kickbacks, overpayments and other fraudulent activity. Researchers have used health
records to help us fight childhood leukemia and uncover the link between DES and
reproductive cancers. Public health agencies use health records to warn us of outbreaks of
emerging infectious diseases. In addition, our efforts to improve quality in our health
care system depend on our ability to review health information to determine how well
health institutions and health professionals are caring for patients.
For public health and safety, research, quality evaluations, fraud investigations, and
legitimate law enforcement purposes, it's not always possible, or desirable, to ask for
permission for access to the necessary health information. And, in many cases, doing so
could create major obstacles in our efforts. While we must be able to use identifiable
information when necessary for these purposes, we should use information that is not
identifiable as much as possible.
To demonstrate how access must be balanced against public responsibility, let me
outline a few of the areas in which we recommend that disclosure of health information
should be permitted without patient authorization.
Under certain circumstances, we recommend permitting health care professionals, payers,
and those receiving information from them to disclose health information without patient
authorization to public health authorities for disease reporting, adverse event reporting,
public health investigation, or intervention. This is currently how the public health
system operates under existing State and federal laws.
For example, consider the outbreak of E. coli in hamburger that resulted in the largest
recall of meat products in history. Public health authorities, working with other
officials, used personally identifiable information to identify quickly the source of the
outbreak and thereby prevent thousands of other Americans from being exposed to a
An important mission for the Department of Health and Human Services is to fund and
conduct health research. We understand that research is vitally important to our health
care and to progress in medical care. Legislation should not impede this activity.
Today the Federal Policy for Protection of Human Subjects and FDA's Human Subject
Regulations protect participants in most research studies that are funded or regulated by
the federal government. These rules have worked well to protect the privacy of individuals
while not impeding the conduct of research. We recommend that similar privacy protections
should be extended to all research in which individually identifiable health information
is disclosed, and not just federally funded or regulated research.
All researchers must determine whether their research requires the retention of
personal identifiers. There are research studies that can only be conducted if identifiers
are retained; for example, outcomes studies for heart attack victims or the recent study
which identified a correlation between the incidence of Sudden Infant Death Syndrome and
sleep position. If, and when, personal identifiers are no longer needed, the researcher
should be required to remove them and provide assurances that the information will be
protected from improper use and unauthorized additional disclosures.
Under the Common Rule, if personal identifiers are necessary, an IRB must review the
research proposal and determine whether informed consent is required or may be waived. In
order for informed consent to be waived, an IRB must determine that the research involves
no more than minimal risk to participants, that the absence of informed consent will not
adversely affect the rights or welfare of participants, and that conducting the research
would be impracticable if consent were required. This or a similar mechanism of review
should be applicable for all research using individually identifiable health information
without informed consent regardless of funding source.
This recommendation is consistent with the Federal Policy for the Protection of Human
Subjects as well as the Privacy Act policies that have protected federal research
participants and research records for a quarter of a century and that have saved lives and
fostered countless improvements in medical treatment.
Our recommendations call for national standards. But, we do not recommend outright or
overall federal preemption of existing State laws that are more protective of health
Some protections that we recommend may be stronger than some existing State laws.
Therefore, we recommend that Federal legislation replace State law only when the State law
is less protective than the Federal law. Thus, the confidentiality protections provided
would be cumulative and the Federal legislation would provide every American with a basic
set of rights with respect to health information.
Mr. Chairman, the five principles embodied in our recommendations - Boundaries, Security,
Consumer Control, Accountability, and Public Responsibility - should guide a
comprehensive law that will create substantive federal standards and provide our citizens
with real peace of mind.
The principles represent a practical, comprehensive and balanced strategy to protect
health care information that is collected, shared, and used in an increasingly complex
In addition to creating new federal standards, we must ensure that every single person
who comes in contact with health care information understands why it is important to keep
the information safe, how it can be kept safe, and what will be the consequences for
failing to keep it safe. Most of all, we must help consumers understand not just their
privacy rights, but also their responsibilities to ask questions and demand answers - to become active
participants in their health care.
We cannot expect to solve these problems all at once. With changes in medical practices
and technology occurring every day, we need to be flexible, to change course if our
strategy isn't working and meet new challenges as they arise.
Mr. Chairman, we in the Department and the Administration are eager to work with you to
enact strong national medical privacy legislation.
Thank you again, for giving me this opportunity to testify. My colleagues and I look
forward to answering any questions that you may have.