TESTIMONY OF DONNA E. SHALALA
SECRETARY, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Before the Senate Committee on Labor & Human Resources
Mr. Chairman, Senator Kennedy, distinguished members of the Committee: I appreciate the opportunity to appear before you to discuss the recommendations I am today submitting to the Congress under Section 264 of the Health Insurance Portability and Accountability Act (HIPAA) concerning standards for the privacy and protection of individually identifiable health information .
As you mentioned in your invitation letter for today's hearing, HIPAA also requires our Department to act in the areas of administrative simplification and nondiscrimination in group plan enrollment. At your request, I would like to address these issues briefly at the onset. As you know, the administrative simplification provisions of the Act require our Department to adopt a series of standards to guide the interchange of electronic data for a number of administrative, insurance-related transactions in health care. We also are required to adopt standards for unique health identifiers for health care professionals, plans, employers and individuals, as well as for data security [standards for data security or health indent for security]
I am pleased to report that we've made significant progress. We will soon publish the first set of proposed rules for health data standards. As you know, HIPAA calls for final adoption of the standards by February 1998. The latest information about our efforts in this area is available on the HHS web site.
In developing our proposals for the standards, we did extensive outreach and consultation with the industry. We met with a wide variety of groups with interests in health data standards. And our public advisory committee in this area, the National Committee on Vital and Health Statistics, conducted eight full days of public hearings, which included over 130 witnesses from across the entire spectrum of the health community.
In addition, our Department's Health Care Financing Administration is working with the Departments of Labor and Treasury to review comments on an interim final regulation designed to prohibit a group plan from basing enrollment eligibility on an individual's health status, medical condition (physical or mental), claims experience, receipt of health care, medical history, genetic information, evidence of insurability and disability.
Mr. Chairman, I am pleased to provide to you today recommendations for federal legislation to protect the privacy of health information. I should note that our report is today available on the HHS web site (http://aspe.hhs.gov/admnsimp/). In developing our recommendations, we have benefited greatly from consultations with a variety of outside groups and from six days of public hearings conducted by the National Committee on Vital and Health Statistics. The hearing involved over 40 witnesses from across the health community, including health care professionals, plans, insurance companies, the privacy community and the public health and research communities.
Our recommendations represent tough choices and difficult tradeoffs. They strike a balance between the privacy needs of our citizens and the critical needs of our health care system and our nation. And, most important, they must be the first -- not the last -- chapter in an ongoing bipartisan dialogue about an issue that touches every single American.
Just a few weeks ago, the cover of Time Magazine read "The Death of Privacy." While our privacy certainly is in danger, to paraphrase Mark Twain, 'rumors of its death have been greatly exaggerated.' If we act now, we still have a golden opportunity to safeguard our age-old right to privacy in a brave new world of computers and biology. Nowhere is that more important than with our most personal information, our family secrets: our medical records.
Until recently, at a Boston-based HMO, every single clinical employee could tap into patients' computer records and see detailed notes from psycho-therapy sessions. In Colorado, a medical student copied countless health records at night and sold them to medical malpractice attorneys looking to win easy cases. And, in a major American city, a local newspaper published information about a congressional candidate's attempted suicide. Information she thought was safe and private at a local hospital. She was wrong.
When we give a physician or health insurance company precious information about our mood or motherhood, money or medication, what happens to it? As it zips from computer to computer, from doctor to hospital, who can see it? Who protects it? What happens if they don't? It all depends on the states you live in.
Every day, our private health information is being shared, collected, analyzed and stored with fewer federal safeguards than our video store records. Let me be frank. The way we protect the privacy of our medical records right now is erratic at best--dangerous at worst.
When Congress looked at the privacy threats to our credit records, our video records, and our motor vehicle records, it acted quickly to protect them. It is time to do the same with our health care records.
It's been 25 years since my predecessor, Secretary Elliot Richardson, set forth principles that led to the landmark Federal Privacy Act. Those 25 years have brought vast changes in our health care and our health care system.
Twenty-five years ago, our health care privacy was protected by our family doctor -- who kept hand written notes about us sealed away in a big file cabinet. We trusted our physicians to keep their file cabinets locked and their mouths shut.
Today, revolutions in our health care delivery system mean that instead of Marcus Welby, we must place our trust in entire networks of insurers and health care professionals -- both public and private.
The computer and telecommunications revolutions mean that information no longer exists in one place. It often travels in real time across hospitals, physicians, insurers, even state lines. And, it can no longer be protected by simply locking up the office doors each night.
And, revolutions in biology mean that a whole new world of genetic tests have the potential to either help prevent disease or reveal our families' most personal secrets. Without safeguards that assure citizens that getting tested won't endanger their families' privacy or health insurance, we could, in turn, endanger one of the most promising areas of research our nation has ever seen.
We are at a decision point. Depending on what we do over the next months, these revolutions in health care, communications, and biology could bring us great promise or even greater peril. The choice is ours. For example, will health care information flow safely to improve care, cut fraud, ensure quality, and reach citizens in underserved areas? Or will it flow recklessly into the wrong hands?
The fundamental question before us is: Will our health records be used to heal us or reveal us? The American people want to know. As a nation, we must decide.
Today, almost 75 percent of our citizens say they are at least somewhat concerned that computerized medical records will have a negative effect on their privacy. If we don't act now, public distrust could deepen -- and ultimately stop citizens from disclosing vital information to their doctors, getting needed treatment for mental illness or seeking genetic testing. As history has taught us, distrust, if left unchecked, can undermine and stop progress in our entire health care system.
The question is, what can we do? Some say we have already lost the battle. They say privacy in this new electronic world is impossible. There are others who say that consumers should not only have control over their health care information, they should have complete control. They say that Americans should even have the power to ensure that their records are kept on paper, not in computers. Both sides are wrong. We cannot turn back the hands of progress or turn our backs on public responsibilities like research or fighting fraud and abuse-- and we shouldn't .
But we can and must do what Secretary Elliot Richardson envisioned in 1972. We must look ahead and balance our age-old right to be left alone with our desire to fulfill the promises of a new age in health care. Health care privacy can be safeguarded. I believe we must do it with national legislation, national education, and an on-going national conversation.
As I said earlier, we have federal laws that protect the privacy of video records, motor vehicle records, and credit records. But, when it comes to comes to our private health care records, we rely on a patchwork of state laws. The patchwork of state laws does not provide Americans the privacy protections they need, particularly as our health information becomes increasingly national -- crossing state boundaries. Right now, we have no federal health care privacy standards. We have no federal standards. We do have a national interest. Now all of us must make a national commitment.
Today I offer our recommendations for federal legislation protecting health care information. We want to work with you, Mr. Chairman, and other appropriate committees to develop a comprehensive measure to protect the privacy of medical records, to guarantee to consumers the right to inspect their records, and to punish unauthorized disclosures of personal health data by hospitals, insurers, health plans, drug companies or others.
THE PRINCIPLES
These recommendations are grounded in five key principles:
Boundaries
The first is the principle of Boundaries: With very few exceptions, health care information about a consumer should be disclosed for health purposes and health purposes only. It should be easy to use it for those purposes, and very difficult to use it for other purposes.
That means hospitals can use this information to provide and pay for quality care for their patients. And, subject to the requirements of other laws such as the Americans with Disabilities Act of 1990, employers could use it to provide on-site care for their employees or to administer a self-insurance plan. But, those same employers should not be able to use information obtained for health care purposes to make decisions about job hiring and firing, placements and promotions. We are recommending strong protections for Americans from the inappropriate disclosure of their medical records.
Who should be bound by this law? Anyone who provides health care or pays for it, or who receives health information from a provider or payer, either with the authorization of the patient or as authorized explicitly by the legislation. Our physicians, our nurses, our hospitals and payers are the foundation of our health care system. They have been -- and must continue to be -- on the front lines in our battle to protect the privacy rights of patients.
However, our recommendations acknowledge that these providers and payers do not act alone. Whether it's an organization paid by a hospital to encode and process bills or a pharmaceutical benefit management company that provides information to pharmacists about what medications are covered and appropriate for their customers, there are many new actors on the health care stage. The numbers of service organizations are increasing every day. Most do not have direct relationships with the patients. But, they do have access to their personal health care information. And, we are proposing that they too be bound by the same tough standards.
For example, we recommend that service organizations be able to do mailings to remind patients to schedule appointments for preventive care. But, they should not be able to sell the patient lists to a pharmaceutical company for a direct mailing announcing a new product.
We believe a federal privacy statute should define a range of health care conditions and services and protect certain demographic information about the patient collected during the health care process.
A federal privacy statute also should define "information" to include records held in whatever form possible -- paper, electronic, or otherwise.
We believe that the privacy statute must strongly protect individuals from inappropriate disclosures, but only in cases where these disclosures are in fact inappropriate. These protections should only cover the information that is personally identifiable.
Our recommendation on defining "identifiability" follows the text of the administrative simplification provisions of HIPAA. For now, information should be considered as identifiable if there is a reasonable basis to believe that the information can be used to identify an individual. The potential for disclosure of a person's identity increases when there are other pieces of information present such as age, sex, marital status, race, ethnicity, place of residence, and occupation. A determination of what is identifiable information may require a case-by-case decision based on reasonableness and will certainly change as technology advances.
We must remember that although explicit identifiers (name, social security number, etc.) can be removed, the pieces of information remaining may still yield an identity. Sometimes common information -- marital status, number of children, place of residence -- can become identifiable with combined with other information -- like age and ethnicity. For example, what if you say someone is a male Korean college professor living in Akron, Ohio? He may be the only person there to fit that description. Therefore, you may not have to identify him by name to have his identity be known. We want to insure that in these cases when the identity can be known, privacy protections are in place.
Because the recommendations would create a minimum floor of protection for all records, this report does not distinguish among types of health care information based on sensitivity. However, we are well aware that there are certain types of information that have been viewed as particularly sensitive -- such as mental health information.
We look forward to working with Congress, advocates, and others to discuss these unique considerations. Where stronger protections for particular types of information may be appropriate, the stronger protections provided by other federal or state laws should remain in place. And new laws providing such special protections could be enacted.
For example, our recommendations do not include specific provisions related to genetic information in health records. Genetic information should be covered by the same rules. However, we recognize that the public is especially concerned about the unique properties of genetic information -- its predictive nature, and its link to personal identity and kinship and its ability to reveal our family secrets. As you are aware, the President recently announced support for federal legislation that would limit collection and disclosure of genetic information and would also prohibit health insurers from discriminating against individuals on the basis of their genetic information. Because of the speedy development of genetic technologies and its history of abuse, we recommend that legislation concerning discrimination in underwriting by insurers be considered expeditiously. We look forward to continuing our work with you on this issue.
We have also elected to limit the scope of our recommendations to the health care system and the information that flows directly from it. For example, DNA results contained in a crime information data bank would not be included.
The Administration and Congress should continue to examine the privacy concerns created when health information is held and used in other settings, and recognize that further action may be required.
Security
The second principle is Security. Americans need to feel secure that when they give out personal health care information, they are leaving it in good hands. Information should not be used or given out unless either the patient authorizes it or there is a clear legal basis for doing so.
Think about all the ways that private information like your blood tests could become public. People who are allowed to see it -- like those at a lab -- can misuse it either carelessly or intentionally. And people who shouldn't be seeing it -- like marketers -- can find a way to do so anyway, either because an organization doesn't have proper safeguards or they find an easy way around them.
To give Americans the security they deserve, we must develop legislation that requires those who legally receive health information to take real and reasonable steps to safeguard it. They must ensure that it isn't used improperly by those who have access to it, and it isn't obtained improperly by hackers or others on the outside.
What do we mean by reasonable steps? They include administrative and management techniques, education of employees, and disciplinary sanctions against employees who use information improperly. It also includes technical security safeguards like audit trails.
We don't believe a law can specify the details of these protections, since they must keep pace with the new threats to our privacy and the technology that can either abate or exacerbate them. But a law can -- and must -- require everyone who holds health information to have these types of safeguards to protect it.
Consumer Control
The third principle is Consumer Control. Americans should not have to trade in their privacy rights to get quality health care.
The principles of fair information practice (formulated in 1973 by the committee that Secretary Richardson appointed) included as a basic right the following:
There must be a way for an individual to find out what information about him is in a record and how it is used.
Americans should have the power to find out what rules protect their records, who's looking in them, what's in them, how to inspect, copy and, if necessary, correct them. They should be given clear explanations of how organizations will use their information, and what their rights are. Let me give you an example of why this is important. According to the Privacy Rights Clearinghouse, a California physician in private practice was having trouble getting health disability, and life insurance. She ordered a copy of her report from the Medical Information Bureau -- a clearinghouse used by many insurance companies. It included information about her heart problems and her Alzheimer's disease. There was only one problem. None of it was true. What if she hadn't requested her records? With electronic data, mistakes can multiply -- and sunlight is still the best disinfectant. Unfortunately, under the current system these types of errors are too often the case. Americans often do not have access to their own health records and even those who do are not always able to correct some of the most egregious errors.
With that in mind, our recommendations set forth a set of practices and procedures that would require that Americans be provided a written explanation from insurers or health care professionals detailing who has access to their information; how that information is kept; how they can restrict or limit access to it; how they can authorize disclosures or revoke such authorizations; and what their rights are under the proposed legislation should an improper disclosure occur.
We also recommend procedures for patients to inspect and copy their information and set out the very limited circumstances under which patient inspection should be properly denied.
Finally, we recommend a process for patients to seek corrections or amendments to their health information to resolve situations in which innocent coding errors cause patients to be charged for procedures they never receive or to be on record as having conditions or medical histories that are inaccurate.
Accountability
The fourth principle is Accountability. If you're using information improperly, you should be severely punished. This flows from the second principle of security. The requirement to safeguard information must be followed by real and severe penalties for violations. When someone's health care privacy has been violated, it's not enough to say it's wrong. We need to show it's wrong. We need to send the message that protecting the confidentiality of peoples' medical information is vitally important, and that people who violate that confidence will be held accountable.
People who knowingly disclose medical records improperly, or who misrepresent themselves to obtain health information, should be subject to criminal penalties. Federal legislation should include punishment for those who misuse personal health information and redress for people who are harmed by its misuse.
We believe offenders should be subject to criminal felony penalties (including fines and imprisonment) if they knowingly obtain or use health care information in violation of the standards our report outlines. This includes passing out information to those who shouldn't have it and obtaining it under false pretenses.
The penalties mandated in a federal privacy law should be higher when violations are for monetary gain, similar to those Congress mandated in the administrative simplification provisions of the HIPAA for misuse of personal identifiers and other violations. And, when there is a demonstrated pattern or practice of unauthorized disclosure, those committing it should be subject to civil monetary penalties.
But, in addition to punishing the perpetrators, we must give redress to the victims. We believe that any individual whose rights under the federal privacy law have been violated -- whether those rights were violated negligently or knowingly -- should be permitted to bring a legal action for actual damages and equitable relief. When the violation was done knowingly, attorney's fees and punitive damages should be available.
These four principles -- Boundaries, Security, Consumer Control and Accountability -- must be weighed against the fifth principle, Public Responsibility.
Public Responsibility
Just like our free speech rights, privacy rights can never be absolute. We have other critical -- yet often competing -- interests and goals. We must balance our protections of privacy with our public responsibility to support national priorities -- public health, research, quality care, and our fight against health care fraud and abuse.
As a major payer of health care in this country, our Department is acutely aware of the need to use health records to fulfill those responsibilities.
For example, HHS auditors use health records to zero in on kick-backs, over-payments and other fraud -- so we can bring the perpetrators to justice and the money back to taxpayers. Researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers. Local public health agencies use health records to warn us of outbreaks of emerging infectious diseases.
In addition, our efforts to improve quality in our health care system depends on our ability to review charts to determine quality of care provided by health institutions and health professionals and to examine adverse events to see if they reflect underlying structural or practice problems. The practice of medicine itself is grounded in the review of profile cases in certain clinical domains to evaluate the quality of care provided to the patient.
In these cases, it's not always possible to ask for permission. And, in many cases, doing so would create major obstacles in our efforts to protect public health and fight crime. But that doesn't give us a free pass. Allowing access doesn't mean we can forget about protecting privacy. And we shouldn't.
PUBLIC RESPONSIBILITY CHOICES
Let me outline a few of the areas in which we recommend that disclosure of health information for particular purposes under specified conditions be permitted without patient authorization.
Public Health
Under certain circumstances, we propose to permit health care professionals, payers, and those receiving information from them to disclose health information without patient authorization to public health authorities for disease reporting, public health investigation, or intervention. Why is this important? Think about the recent outbreak of E. coli O 157 in hamburger that resulted in the largest recall of meat products in history. Public health authorities, working with other officials, were able to identify quickly the source of the outbreak and thereby prevent thousands of other Americans from being exposed to a contaminated product.
Research
A recent consultant's report to HHS on health privacy and research concluded that if people don't trust the research community to protect their personal information, they may refuse to participate in clinical trials and they may even oppose the use of their records for all research under any circumstances.
Research which improves the health of all citizens must not only survive, but thrive, under strong assurances that privacy of personal information will be carefully protected. We must make every effort to see that this happens.
These are situations under which personal information should be made available to researchers without consent. These conditions should include a determination by an Institutional Review Board (IRB) that the research involves minimal risks to participants; that the absence of consent will not adversely affect the rights or welfare of participants; and that conducting the research would be impracticable if consent were required.
In addition, the researcher should be required to remove the personal identifiers and to provide the IRB with assurances that the information will be protected from improper use and unauthorized additional disclosures.
This recommendation is consistent with the Federal Policy for the Protection of Human Subjects and the Privacy Act -- policies that have protected research participants and research records for a quarter of a century and that have saved lives and fostered countless improvements in medical treatment.
Law Enforcement
Law enforcement officials seek access to health care information for a variety of reasons, depending on the target of their investigation -- from the hot pursuit of an injured fugitive in an emergency room to the review of health care information to determine if a crime has been committed by a hospital or insurance company.
We recommend that a federal health privacy law not interfere with the well-established procedures of the criminal justice system. Information would be disclosed without patient authorization for purposes required by State law -- like the reporting of gunshot wound victims, the identification or location of an injured fugitive -- or for other legitimate law enforcement purposes.
PREEMPTION
The report calls for national standards. But, it does not recommend outright or overall federal preemption of existing State legislation that is more protective of health information.
In HIPAA, Congress generally expressed a preference for leaving stronger State laws in place and that is the right thing to do. Although most State laws are in no way uniform or comprehensive, these recommendations concern an area already regulated by State laws. Some protections that we propose may be stronger than some existing State laws. Therefore, we recommend that Federal legislation replace State law only when the State law is less protective than the Federal law. Thus, the confidentiality protections provided would be cumulative, and the Federal legislation would provide a floor. Federal legislation should provide every American with a basic set of rights with respect to health information. All should be assured of a national standard of protection.
Many have argued for one law in the interests of administrative simplification. We may reach a consensus one day, after watching the rapid evolution of health care, in which we determine the interests of nationwide administrative simplification for health transactions justifies preemptive federal legislation. I am not convinced that day has arrived.
Nevertheless, the impact of leaving in place more restrictive State laws on the effective use of health information bears careful watching. If dual regulation impairs care or the operation of information and payment systems, poses risks to confidentiality because of confusion about two levels of law, or creates uncertainty among patients about their rights and forms of redress, we may want to revisit the notion of a preemptive federal law.
As we seek to protect privacy in the information age, we will always be shooting at a moving target. As technology develops, and as we continue our implementation of HIPAA, there may need to be adjustments or additional legislation in the future to address emerging concerns.
CONCLUSION
Mr. Chairman, the five principles embodied in our recommendations -- boundaries, security, consumer control, accountability, and public responsibility -- should guide a comprehensive law that would give our nation real federal standards and our citizens real peace of mind.
They represent a practical, comprehensive and balanced strategy to protect health care information that is collected, shared, and used in an increasingly complex world.
At the same time, we need to build on the efforts of the American with Disabilities Act and the Kassebaum-Kennedy law to address another legal issue that has a tremendous impact on how people view their privacy: health care discrimination, including genetic discrimination. Because our efforts on health care privacy will never be enough until we give all Americans confidence that information in their medical records will not be used to deny them jobs or affordable health insurance.
Yet, as we know from past experience, national legislation alone will not inspire trust in one's rights or commitment to one's responsibilities. It's going to take education. Every single health care professional, every public health official, every pharmacist -- every single person who comes in contact with health care records must understand why it's important to keep them safe, how they can keep them safe, and what will happen to them if they don't.
Most of all, we must help consumers understand not just their privacy rights, but also their responsibilities to ask questions and demand answers -- to become active participants in their health care.
We need an informed public, because, as the National Research Council recently pointed out, we need an informed public debate. An ongoing conversation.
We cannot expect to solve these problems all at once. With changes in medical practices and technology occurring every day, we need to be flexible, to change course if our strategy isn't working and meet new challenges as they arise.
Twenty-five years ago, Secretary Richardson and the Congress looked into an uncertain future and tried to chart a course on which individual rights and privacy would prevail. The result, as I mentioned, was the landmark Federal Privacy Act.
Now a similar challenge is before us. Twenty-five years from now, what will they say about the footsteps we left? Will we leave the next generation with real federal privacy standards based on fundamental principles? Will we have boundaries to ensure that, with very few exceptions, our health care information is used only for health care? Will we have assurances that our information is secure? Will we have control over what happens to it? Will those who violate our privacy be held accountable? And will we be able to safeguard our privacy rights while still protecting our core public responsibilities like research and public health?
In short will we harness these revolutions in biology, communications, and health care to breath new life into the trust between our patients and their doctors, between our citizens and their government, between our past and our future?
We can. We must. And, I believe, working together, we will.
Mr. Chairman, we in the Department and the Administration are eager to work with you to enact strong national privacy legislation.
Thank you again, for giving me this opportunity to testify. I look forward to answering any questions that you may have.