June 4, 2007

Mr. Steven Posnack

Office of the National Coordinator

330 C Street, SW, Suite 4090

Washington, DC 20201

Re: CPS June 2007 Public Comment

Dear Mr. Posnack: The American Medical Association (AMA) appreciates the opportunity to provide its views to the Confidentiality, Privacy, and Security (CPS) Workgroup on confidentiality, privacy, and security protections for participants in an electronic health information exchange network at the local, state, regional, and national level. Specifically, we are pleased that the CPS Workgroup is considering whether all persons and entities that participate in an electronic health information exchange network should be required to meet privacy and security criteria at least equivalent to relevant Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule requirements.

The AMA strongly supports extending the HIPAA Privacy and Security Rule requirements to all persons and entities that participate in an electronic health information exchange network. Currently, the Privacy Rule applies only to health plans, health care clearinghouses, and health care providersso-called “covered entities.” Many entities, however, also maintain or use health information, including marketers, billing companies, contractors, accountants, and lawyers. These entities, referred to as “business associates,” are beyond the law’s authority to regulate and sanction. Thus, the obligation to monitor “business associates” and ensure that they comply with important privacy and security standards has been that of “covered entities.” This unfair delegation of responsibility has created significant burdens and liabilities for “covered entities.” Specifically, the Privacy Rule requires that providers or plans obtain assurances from “business associates” that all personal health information (PHI) will be used solely for the purposes for which the business associate was engaged, it will be safeguarded from misuse, and the business associate will help provide individuals with access to their health information and history of disclosures.

Holding “covered entities,” including physicians, responsible for ensuring that their “business associates” meet the requirements of the HIPAA Privacy rule creates a significant gap in federal privacy protection coverage that leaves large volumes of health information vulnerable to improper access and disclosure without meaningful enforcement mechanisms or remedies. Physicians do not have the ability to control the actions of third parties, nor do they have the authority to enforce federal regulations. Moreover, this attempt to indirectly regulate “business associates” through “covered entities,” saddles physicians with unreasonable costs, liabilities, and burdens. The rule places potential liability on physicians by unreasonably requiring them to police their business associates and holds them accountable for privacy violations they did not commit. In order to eliminate this fundamental unfairness, and to strengthen privacy protections, all health privacy laws and/or regulations should impose restrictions directly on those entities that receive protected health information, including the agents and contractors of health care providers and health plans.

The AMA recognizes the importance of health information privacy and believes that its business associates should respect the privacy rights of patients. “Business associates,” however, should be independently liable for violating a patient’s right to privacy. We applaud the CPS Workgroup for its commitment to protecting the privacy of personal health information and we are eager to assist the Workgroup in its efforts to reform or eliminate the “Business Associates” provision. Should you have any questions please contact Mari Johnson at (202) 789-7414 or mari.johnson@ama-assn.org.

Sincerely,

Michael D. Maves, MD, MBA