[110 Senate Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:33874.wais]

S. Hrg. 110-114

PRIVATE HEALTH RECORDS: PRIVACY IMPLICATIONS OF THE FEDERAL GOVERNMENT'S HEALTH INFORMATION TECHNOLOGY INITIATIVE

=======================================================================

HEARING
before the
OVERSIGHT OF GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE DISTRICT OF COLUMBIA SUBCOMMITTEE
of the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED TENTH CONGRESS
FIRST SESSION

__________

FEBRUARY 1, 2007

__________

Available via http://www.access.gpo.gov/congress/senate

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE
33-874 PDF
WASHINGTON DC: 2007

---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2250
Mail Stop SSOP, Washington, DC 20402-0001
---------------------------------------------------------------------

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii
TED STEVENS, Alaska
THOMAS R. CARPER, Delaware
GEORGE V. VOINOVICH, Ohio
MARK L. PRYOR, Arkansas
NORM COLEMAN, Minnesota
MARY L. LANDRIEU, Louisiana
TOM COBURN, Oklahoma
BARACK OBAMA, Illinois
PETE V. DOMENICI, New Mexico
CLAIRE McCASKILL, Missouri
JOHN WARNER, Virginia
JON TESTER, Montana
JOHN E. SUNUNU, New Hampshire

Michael L. Alexander, Staff Director
Brandon L. Milhorn, Minority Staff Director and Chief Counsel
Trina Driessnack Tyrer, Chief Clerk

SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE DISTRICT OF COLUMBIA

DANIEL K. AKAKA, Hawaii, Chairman
CARL LEVIN, Michigan
GEORGE V. VOINOVICH, Ohio
THOMAS R. CARPER, Delaware
TED STEVENS, Alaska
MARK L. PRYOR, Arkansas
TOM COBURN, Oklahoma
MARY L. LANDRIEU, Louisiana
JOHN WARNER, Virginia

Richard J. Kessler, Staff Director
Jennifer A. Hemingway, Minority Staff Director
Emily Marthaler, Chief Clerk

C O N T E N T S
------

Opening statements:                                                   Page
  Senator Akaka ....................................................... 1
  Senator Voinovich ................................................... 3
  Senator Carper ...................................................... 4

WITNESSES

Thursday, February 1, 2007

  Robert Kolodner, M.D., Interim National Coordinator for Health Information Technology, U.S. Department of Health and Human Services ....... 5
  Daniel A. Green, Deputy Associate Director, Center for Employee and Family Support Policy, Office of Personnel Management ....... 7
  David A. Powner, Director of Information Technology Management Issues, Government Accountability Office, accompanied by Linda Koontz, Director of Information Management Issues, Government Accountability Office ....... 17
  Mark A. Rothstein, Herbert F. Boehl Chair of Law and Medicine, and Director, Institute for Bioethics, Health Policy and Law, University of Louisville School of Medicine ....... 19
  Carol C. Diamond, M.D., Managing Director, Markle Foundation, and Chair, Connecting for Health ....... 20

Alphabetical List of Witnesses

  Diamond, Carol C., M.D.:
    Testimony ......................................................... 20
    Prepared statement with attachments ............................... 138
  Green, Daniel A.:
    Testimony ......................................................... 7
    Prepared statement ................................................ 44
  Kolodner, Robert, M.D.:
    Testimony ......................................................... 5
    Prepared statement ................................................ 35
  Koontz, Linda:
    Testimony ......................................................... 17
    Prepared statement with attachments ............................... 52
  Powner, David A.:
    Testimony ......................................................... 17
    Prepared statement with attachments ............................... 52
  Rothstein, Mark A.:
    Testimony ......................................................... 19
    Prepared statement ................................................ 130

APPENDIX

  Background Memorandum ............................................... 29
  Simon P. Cohn, M.D., M.P.H., Chairman, National Committee on Vital and Health Statistics, submitted copy of a report entitled ``Privacy and Confidentiality in the Nationwide Health Information Network'' ....... 164
  Response to questions submitted for the Record from:
    Dr. Kolodner ...................................................... 181
    Mr. Green ......................................................... 185
    Mr. Powner ........................................................ 188


PRIVATE HEALTH RECORDS: PRIVACY IMPLICATIONS OF THE FEDERAL GOVERNMENT'S HEALTH INFORMATION TECHNOLOGY INITIATIVE

----------

THURSDAY, FEBRUARY 1, 2007

U.S. Senate,
Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia,
of the Committee on Homeland Security and Governmental Affairs,
Washington, DC.

The Subcommittee met, pursuant to notice, at 2:33 p.m., in room SD-342, Dirksen Senate Office Building, Hon. Daniel K. Akaka, Chairman of the Subcommittee, presiding.

Present: Senators Akaka, Carper, and Voinovich.

OPENING STATEMENT OF CHAIRMAN AKAKA

Chairman Akaka. This hearing will come to order. Today's hearing, ``Private Health Records: Privacy Implications of the Federal Government's Health Information Technology Initiative,'' will examine what actions the Federal Government is taking to ensure that privacy is an integral part of the national strategy to promote health information technology.

Studies show that the use of health IT can save money, reduce medical errors, and improve the delivery of health services.
For example, in 2004, the Center for Information Technology Leadership estimated that in ambulatory care settings the use of electronic health records (EHRs) would save $112 billion per year, or 7.5 percent of health care spending. In addition, EHRs are shown to help avoid duplicate tests and excess medication.

In 2004, President Bush called for the widespread adoption of interoperable electronic health records within 10 years and issued an Executive Order that established the position of the National Coordinator for Health Information Technology. The National Coordinator is charged with developing and implementing a strategic plan to guide the nationwide implementation of interoperable health IT in both the public and private sectors.

Two months later, the Department of Health and Human Services (HHS) released a framework for strategic action to promote health IT, which calls on all levels of government to work with the private sector to stimulate change in the health care industry. For example, the Departments of Veterans Affairs (VA) and Defense (DOD), the major Federal health care delivery organizations, are leaders in the use of health IT. VA, one of the country's largest health care providers, has had an automated information system in its medical facilities since 1985. DOD has provided IT support to its hospitals and clinics since 1968. As Chairman of the Veterans' Affairs Committee, we are looking at how to move DOD and VA forward in developing joint EHRs.

This Subcommittee is particularly interested in the strategy, which calls for the Office of Personnel Management (OPM) to use its leverage as the administrator of the Federal Employee Health Benefits Program, which covers approximately 8 million Federal employees, retirees, and their dependents, to expand the use of health IT. OPM, through its annual Call Letter to carriers, has been encouraging carriers to increase the use of EHRs, electronic prescribing, and other health IT-related provisions.
Although I support efforts to increase the use of health IT, I am deeply concerned about the level of privacy protections in the health IT network. In 2005, a Harris Interactive survey showed that 70 percent of Americans were concerned that an electronic medical records system would lead to sensitive medical records being exposed due to weak electronic security.

This fear is understandable. Over the past few years, we have seen various data mining programs in the Federal Government that lacked key privacy protections. We also recall the loss of a VA laptop computer and the news of many other Federal data breaches that put the personal information of millions of Americans at risk. These incidents reinforce the need to build privacy and security protections into any system containing personal information. Our personal health information must not be subject to these same failings.

Privacy and security are critical elements in health IT and should never be an afterthought. That is why I wrote to OPM in May 2005 seeking information on how Federal employees' health information would be protected under the efforts of OPM and the health insurance carriers. OPM responded that the Health Insurance Portability and Accountability Act (HIPAA) would address these privacy concerns. But while HIPAA is a foundation, HIPAA by itself is not enough. Privacy protections must be built in conjunction with the development of the health IT infrastructure.

To ensure that this was happening, Senator Kennedy and I asked the Government Accountability Office to review the efforts of HHS and the National Coordinator to protect personal health information.
GAO's report, which was released this morning, found that while HHS and the National Coordinator have taken steps to study the protection of personal health information, an overall strategy is needed to: One, identify milestones for integrating privacy into the health IT framework; two, ensure privacy is fully addressed; and, three, address key challenges associated with the nationwide exchange of information.

Given the overwhelming evidence of the benefits associated with the expanded use of health IT, as well as the fact that 70 percent of Americans are concerned about the privacy of their health information, I am surprised to learn that HHS objects to this recommendation.

It is clear that the health care industry faces challenges in protecting electronic health information given the varying State laws and policies, the entities not covered by HIPAA, and the need to implement adequate security measures. But while more and more companies, providers, and carriers move forward with health IT, I fear that privacy suffers while HHS takes time to decide how to implement privacy protection. HHS must address these issues in a more timely fashion in order to give the private sector guidance on how to move forward with health IT and protect the private health information of all Americans.

I want to thank our witnesses for being here today to discuss this critical issue. I now turn to my good friend, Senator Voinovich, for any opening statement he may have at this time.

OPENING STATEMENT OF SENATOR VOINOVICH

Senator Voinovich. Thank you, Senator Akaka. I appreciate your holding this hearing today on a subject that is of interest to me. The widespread adoption of health information technology such as electronic health records will revolutionize the health care profession.
In fact, the Institute of Medicine, the National Committee on Vital and Health Statistics, and other expert panels have identified information technology as one of the most powerful tools in reducing medical errors and improving the quality of health. Unfortunately, our country's health care industry lags far behind other sectors of the economy in its investment in information technology. But, Senators Akaka and Carper, as I travel around Ohio I see a marked acceleration in the use of IT.

The Institute of Medicine estimated in 1999 that there were nearly 98,000 deaths each year resulting from medical errors. Many of these deaths can be directly attributed to the inherent imperfections of our current paper-based health care system. Not only can technology save lives and improve the quality of health care, it also has the potential to reduce the cost of the delivery of health care. According to the Rand Corporation, the health care delivery system in the United States could save approximately $160 billion annually with the widespread use of electronic medical records.

As technology advances, the issues surrounding protection of personal information will continue to be at the forefront of people's minds. Individual citizens continue to express concern over the security of personal, confidential information whether it is contained in an electronic health record or stolen from laptops, as Senator Akaka pointed out, at the Department of Veterans Affairs. However, the benefits of technology in the health care arena are undeniable, and I support the use of HIT.

In fact, in the 109th Congress, Senator Carper and I introduced the Federal Employees Electronic Personal Health Records Act. I am sure we will be hearing more from Senator Carper about it. The bill will provide for the establishment and maintenance of electronic personal health records for individuals and family members enrolled in the Federal Employee Health Benefits Program.
I have talked with one of the major health insurance companies and they support the use of HIT. I am hopeful the testimony today will assist my colleagues and me as we make decisions about implementing health IT. I personally look forward to learning from our witnesses ways Senator Carper and I might refine our legislation before introduction.

As I say, we are making progress on privacy protections, and I am really pleased that the President issued an Executive Order specific to deployment of health information technology, including establishment of a National Coordinator for Health Information Technology. Since then, the Coordinator and the Department of Health and Human Services have made considerable progress toward the adoption of interoperable IT. But the successes have not come without criticism.

Dr. Kolodner, your office has an enormous responsibility to continue to cultivate a strategic plan to guide implementation of nationwide interoperable health information technology. It is an important job. We must bring health care costs under control, and HIT is one part of that goal. However, there is some concern about whether information in IT systems is going to be private and secure. We cannot let those weaknesses impede our progress in this area.

So, Mr. Chairman, I am looking forward to hearing from our witnesses.

Chairman Akaka. Thank you very much, Senator Voinovich. Senator Carper.

OPENING STATEMENT OF SENATOR CARPER

Senator Carper. Thank you, Mr. Chairman, and to our witnesses and to my friend and colleague, Senator Voinovich. He telegraphed my pitch a little bit, but I think it is great that he did.

Mr. Chairman, as Senator Voinovich has said, we introduced in the last Congress and I think we are close to reintroducing in this Congress legislation to require those who provide insurance under the Federal Employee Health Benefits Program--they would have a period of time, I think maybe less than 2 years or so--to provide electronic health records for Federal employees insured under those policies if the employees wish to have that. And I know you have a strong interest in privacy protection, and we would look forward to working with you and your Subcommittee and your staff to make sure that we meet muster in that regard.

Next month is a big month for us in Delaware, and I say this to our witnesses and others. We are beginning to stand up what we call the ``Delaware Health Information Network,'' an apple in my eye when I was Governor many years ago, and it is now actually coming to fruition as we try to electronically link our doctors' and nurses' offices and our hospitals and our labs and other providers. We are excited about the possibilities that holds for us.

I am an old Navy guy, and I remember when I got out of the Navy--at least off of active duty, not out of the Navy, but off of active duty in 1973 and showed up at the VA hospital just outside of Wilmington. And it is not a place that, frankly, a lot of veterans wanted to go to for health care. I did not sense there was a lot of joy on the part of people who worked there being a VA employee, doctor or nurse or anything else. And, boy, that has really changed, especially in the last decade. I would never have imagined 33 years ago that we would be looking to the VA to provide the way with respect to improving outcomes and holding down costs and saving lives. But they sure have come through for us.

Mr. Chairman, don't you chair the Veterans Committee in the Senate?

Chairman Akaka. Yes.

Senator Carper. I thought so. OK. Well, you have sort of a double interest in this particular issue.
But we really look forward to what you have to say. We do not have very strong attendance here today, partly because there is a concurrent just-called caucus of the Senate Democrats, and they are meeting as we speak to discuss a resolution that pertains to the President's proposed surge of troops in Iraq. So people may be drifting in to join us in a little bit, but that just began literally at the time that this hearing began. So we apologize for them. Those of us who are here are anxious to hear what you have to say. So thanks for coming.

Chairman Akaka. Thank you very much. I welcome to the Subcommittee today's first panel of witnesses: Dr. Rob Kolodner, Interim National Coordinator for Health Information Technology at the Department of Health and Human Services, and Daniel Green, Deputy Associate Director, Center for Employee and Family Support Policy, at the Office of Personnel Management.

It is the custom of this Subcommittee to swear in all witnesses, and I ask you to stand and raise your right hand. Do you swear that the testimony you are about to give this Subcommittee is the truth, the whole truth, and nothing but the truth, so help you, God?

Dr. Kolodner. I do.

Mr. Green. I do.

Chairman Akaka. Thank you. Dr. Kolodner, please proceed with your statement.

TESTIMONY OF ROBERT KOLODNER, M.D.,\1\ INTERIM NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

Dr. Kolodner. Good afternoon, Chairman Akaka, Senator Voinovich, and Senator Carper. Thank you for inviting me here today to discuss the privacy plans, activities, and accomplishments of the National Health Information Technology agenda led by HHS.

---------------------------------------------------------------------------
\1\ The prepared statement of Dr. Kolodner appears in the Appendix on page 35.
---------------------------------------------------------------------------

Mr. Chairman, we appreciate Hawaii's efforts as pioneers in protecting patient health information and note that Hawaii's early work to develop a comprehensive privacy law informed and was an important resource for HHS when we developed the HIPAA privacy rules.

Privacy and security are integral components of the national health IT agenda and are addressed by a spectrum of activities that advance our current understanding of the issues at multiple levels and lay the foundation for future activities. The widespread adoption of interoperable electronic health records will save lives, reduce medical errors, and improve the quality and efficiency of care, as you have noted. At the same time, it will create both new challenges and new opportunities with respect to protecting health information.

HIPAA created a strong foundation of privacy and security protections for personal health information upon which States may provide additional privacy protections. We are vigorously addressing the new challenges by leveraging existing privacy policy foundations, building robust new public-private collaborations, partnering with States, health care organizations, and consumers to address State and business level protections, and considering privacy and security policies and implementation at a nationwide level. Ultimately, the effective coordination of health IT activities will help create an environment that improves the health status of both individuals and communities at the same time that personal health information is protected.

The HHS Office of the National Coordinator for Health IT, ONC, is charged with leading the national health IT agenda across the Federal Government and the private sector by coordinating health IT activities, including those related to privacy and security.
ONC has the lead for working with CMS, the Office for Civil Rights, or OCR, and others to develop the privacy policies for health IT, and OCR and CMS are responsible for the oversight and enforcement of the related HIPAA rules.

The GAO report provides an excellent summary of the myriad of our successful health IT activities since 2004, and the report documents an active, progressive program of HHS activities that identify national privacy issues to be addressed as well as barriers to interoperability caused by privacy policy variations across States that need to be resolved.

The tools we use to advance our privacy and security activities include contracts, including a recent one with the National Governors Association, an interdepartmental Federal Policy Council, and a public-private Confidentiality, Privacy, and Security Work Group of the American Health Information Community. The Community is a Federal advisory committee that is chaired by Secretary Leavitt himself and plays a central role in all of our activities. The members of the Community, consisting of senior leaders from the public and private sectors, participate in deliberations that guide our work and shape our understanding of how we can most effectively advance the health IT agenda nationwide, including privacy and security.

Much like the historic journey by Lewis and Clark 200 years ago, who were crossing uncharted territory, we, too, are on a similar journey. Their goal was clear: to find a route to the Pacific Ocean, although the exact path was unknown at the beginning. Our goal is clear as well: The secure exchange of interoperable electronic health information. And the detailed milestones necessary to achieve our goal are also not yet knowable.

Our approach is iterative. First, it requires an understanding of the multiple environments in which we are operating.
To gain this understanding, we have initiated multiple complementary activities, such as the Nationwide Health Information Network prototypes, the Privacy and Security Solutions Contract, and the State Alliance for e-Health. And we have gathered input from other expert resources such as the National Committee for Vital and Health Statistics, or NCVHS.

Second, our approach requires that we evaluate and analyze what we have discovered and learned. For example, only after we get the State level reports this spring that identify challenges and opportunities to protect and share health information will we have sufficient data to reliably establish the next set of milestones that we must achieve. An output from one source becomes input for another, such as the NCVHS recommendations that have been publicly shared with the Community work group I mentioned previously. As that work group moves from addressing security to addressing privacy concerns, we anticipate that these recommendations will inform the next set of privacy priorities.

Our activities confirm the importance we give to confidentiality, privacy, and security. We have been executing an effective plan, originally described in our strategic framework that you mentioned, Mr. Chairman, and one that will continue to grow and evolve as we submit our health IT strategic plan later this year. We are using a results-oriented strategy of discovery and advancement that must be done in collaboration with a variety of stakeholders at the local, State, and national levels. GAO has documented the progress that we have made in the first 2 years of our work, and we continue to undertake multiple related productive activities to properly protect the electronic health information today, tomorrow, and into the future.

Thank you for your time, and I welcome any questions you might have.

Chairman Akaka. Thank you very much. I want our witnesses to know that your full statements will be included in the record. Mr. Green.
TESTIMONY OF DANIEL A. GREEN,\1\ DEPUTY ASSOCIATE DIRECTOR, CENTER FOR EMPLOYEE AND FAMILY SUPPORT POLICY, OFFICE OF PERSONNEL MANAGEMENT

Mr. Green. Mr. Chairman, Members of the Subcommittee, it is my pleasure to be here today to represent the Office of Personnel Management (OPM) Director Linda Springer. I plan to discuss how OPM is working with the Department of Health and Human Services and other organizations on the National Health Information Technology Initiative, and I will discuss how we at OPM are working with our health benefits carriers to implement health information technology (IT) that is secure and protects member privacy.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Green appears in the Appendix on page 44.
---------------------------------------------------------------------------

OPM administers the Federal Employees Health Benefits (FEHB) Program, which covers approximately 8 million Federal employees, retirees, and their dependents. Like other large employers, we contract with private sector health plans. We have consistently encouraged participating plans to be responsive to consumer interests by emphasizing flexibility and consumer choice. We have also encouraged plans to adopt health information technology as an important consumer-oriented initiative.

At the same time, we have placed great importance on the privacy and security of personal health information. FEHB enrollees have the same privacy protections under Federal law as all Americans. The Health Insurance Portability and Accountability Act of 1996 provides protections for privacy of individually identifiable health information. All FEHB health carriers are required to comply with HIPAA requirements.

And now I would like to provide some background on OPM's initiatives in health information technology.
In 2004, President Bush issued an Executive Order to develop and implement a nationwide health IT infrastructure to improve the quality and efficiency of health care. In response to the Executive Order, we have been working with our FEHB plans on focused efforts to promote health IT while at the same time ensuring compliance with Federal requirements on privacy and security. More specifically, we have asked our carriers to concentrate on specific short-term objectives which include education for consumers on health IT, offering personal health records to consumers based on their medical claims history, encouraging e-prescribing, linking disease management programs with health IT, and compliance with Federal requirements on privacy.

We have found that while there are wide variations in the scope and extent of health IT use, most carriers have focused on providing consumers with claims-based information through their secured websites. Some have robust health IT systems. We have recognized them on our own website during Open Season so consumers would have this additional information to take into consideration in making their plan choices.

Then, last August, President Bush issued a second Executive Order, which underscored his commitment not only to health IT, but also to health care cost and quality transparency. In support of the order, we required all FEHB carriers to report on quality measures, including data from the Health Plan Employer Data and Information Set. We also encouraged them to provide information on cost and quality transparency. Along with the carriers that have state-of-the-art health IT capabilities, the carriers that made their best efforts to provide cost and quality transparency were also prominently positioned on our Open Season website last fall.
Looking forward, OPM will continue to work with carriers on standards for interoperability of health information records as they are adopted in the health care industry, and we will continue to provide information for consumers on carriers' cost and quality transparency initiatives as well as their health IT capabilities. As a member of the American Health Information Community, OPM will monitor the recommendations of the Confidentiality, Privacy, and Security Work Group and determine if there are privacy and security requirements that should be applied to FEHB carriers.

We firmly believe privacy and security of personal health information is important. We are encouraged by HHS's efforts to address this important issue. We plan to continue to work closely with HHS, the Community, and the Health IT Policy Council to ensure all necessary steps are taken to protect consumer privacy rights.

We appreciate this opportunity to testify before the Subcommittee on this very important issue, and we will be glad to answer any questions you may have.

Chairman Akaka. Thank you very much for your testimony. Dr. Kolodner, the GAO report notes that HHS disagreed with GAO's recommendation to define and implement the overall approach for protecting health information, including identifying milestones and integrating privacy efforts. Can you elaborate on HHS's objection to GAO's recommendation, particularly why HHS believes that setting milestones will impede progress and preclude stakeholder dialogue?

Dr. Kolodner. Yes, Mr. Chairman. As I mentioned, the issue is not whether we have milestones. Milestones that we can set up right now based on what we know are very high level. They are, for example, to complete our Privacy and Security Solutions contract, to get the results of the contract, to analyze those results, and based on the content that was given in those analyses, to then determine the next set of milestones. That is pretty high level.
That is not what we believe GAO was telling us to do, because that is basic project management, and we are doing that already. The idea of stating right now what those milestones will look like in June or July, when we have not yet received the report that will be received this spring, is something that we know would probably not accurately reflect what we will be executing in June, July, and August. So we see this as an iterative process of discovery and collaboration.

A very important reality is that there are many parties that have very strong feelings, as you can tell, about this area, and privacy is important. We need to make sure that we advance deliberately, advance as quickly as we possibly can, but to make sure that we listen to and are informed by a variety of viewpoints. And as those deliberations occur and as those collaborations occur, we will advance forward.

Chairman Akaka. Thank you. Mr. Green, OPM's contracts with carriers require compliance with HIPAA. As part of OPM's requirement to promote the use of health IT, the 2007 Call Letter required carriers to comply with Federal requirements to protect the privacy of individually identifiable health information. How does OPM monitor carriers' compliance with HIPAA privacy and security rules? And what steps are taken if a carrier is found to be noncompliant?

Mr. Green. Mr. Chairman, in addition to the HIPAA law, we have required by contract that all our carriers follow the HIPAA rules, and we have also added privacy requirements that pre-date the HIPAA law, and those are in our standard contracts. We have also added certain measures that all our carriers are required to comply with concerning confidentiality of records and privacy and the regulations used to supplement the Federal Acquisition Regulations. They are called FEHBAR. The FEHB Acquisition Regulations apply to all our carriers.
They are required to notify their contracting officer whenever they have an enforcement action resulting from noncompliance, as issued by a State or Federal authority. They are also subject to audit by both GAO and OPM, including OPM's Inspector General's office, and they run a system of audits against the computer systems of all our carriers on a rotational basis. And they will be introducing additional privacy audit steps this year into that audit.

Chairman Akaka. Mr. Green, are there any circumstances that would result in electronic health records or personal health record networks being developed or used by FEHBP carriers that would not come under HIPAA?

Mr. Green. Senator, the FEHB carriers are required to follow HIPAA rules, and so are their business associates, such as pharmacy benefit managers. So any subcontracts they have would also under our contract require them to follow HIPAA rules.

Chairman Akaka. Dr. Kolodner, the statutory advisory committee, NCVHS, and the Secretary's advisory committee, AHIC, have made recommendations to the Secretary of HHS regarding the protection of personal health information. What is HHS's response to the recommendations, and how will they be incorporated into a nationwide health information architecture?

Dr. Kolodner. Mr. Chairman, the NCVHS recommendations, which were accepted by the Secretary and then sent to the AHIC work group--the Confidentiality, Privacy, and Security Work Group--are, in fact, informing that group as they consider the various privacy policies and privacy priorities. Those will then come back to the Community for recommendation up in terms of specifically what kinds of privacy policies and security kinds of architecture should be required as we move forward.
The Nationwide Health Information Network prototypes also have brought forth a number of different solutions, and we have been using those to look at what should go forward for the next round of trial implementations that we plan to fund this next year. So they are very much guiding and identifying those requirements that need to be moving forward.

Chairman Akaka. Mr. Green, I believe privacy protections must be built into the health IT architecture at the beginning instead of racing to address privacy violations after Americans lose trust in the system. However, after reading the testimony of the witnesses on our second panel, I fear that HHS is not acting fast enough to integrate privacy protections in the development of the health IT. With this in mind, Mr. Green, what risks are there to Federal employees' health information as FEHBP carriers push forward with health IT initiatives?

Mr. Green. Senator Akaka, nothing in this world is perfect, and there is no absolute certainty anywhere. However, I am convinced that with the procedures that we have in place, the requirements we have in place today, protect our FEHB enrollees as fully or more so than any other citizen in this country against a chance of inappropriate misuse of that information. In addition, going forward with the implementation of health information technology, we are pleased and honored and excited about our participation in much of the work with the Department of Health and Human Services. As you know, we are a member of the AHIC. We are on several of the subcommittees, working groups, and, in fact, Director Springer for a time chaired the Consumer Empowerment Work Group, which is our deep interest because we feel like that is our responsibility--to support and protect our enrollees. They are our primary customers, after all. And, in addition, we work with the other Federal agencies that are heavily involved in this as part of an HIT Policy Council.
So I am convinced that as we go forward, our Federal employees, retirees, and survivors and their family members will be as protected as we can possibly make them, and that is our promise to you, sir.

Chairman Akaka. Thank you. Senator Voinovich.

Senator Voinovich. Thank you. Dr. Kolodner, do you believe that the Office of National Coordinator has sufficient authority to facilitate communications among Federal entities, the private sector, and consumer organizations to lead the development and implementation of appropriate privacy standards?

Dr. Kolodner. Yes, sir, I believe that we do, and I think that we have a number of avenues and a number of venues where we are already doing that, including the American Health Information Community, and also a number of the contracts with the States, like the State Alliance for e-Health.

Senator Voinovich. Do you think outside groups looking in would say that they agree with you?

Dr. Kolodner. We have several venues where we use public-private collaborations, and we certainly look for any other opportunities there might be, but we have been as open as possible in the development of the standards, and in deliberations by any of the work groups. They are all open, broadcast on the Web, and have opportunities for public comment throughout.

Senator Voinovich. I know this is off the subject, but it is something I am interested in. We have not passed appropriations, and we are talking about a continuing resolution. I would be interested in your observations in regard to whether you feel that it has been harmful to your respective organizations to have a continuing resolution under which you are operating.

Dr. Kolodner. For the Office of the National Coordinator, we have been able to proceed on a variety of activities that we have underway, and we have not had to slow down because of the continuing resolution.
And we also, as you know, have the good fortune of having both Secretary Leavitt's very strong backing--this is one of his top programs--as well as the President having passed two Executive Orders that allow us to move forward.

Senator Voinovich. So no problem?

Dr. Kolodner. No problem.

Senator Voinovich. Mr. Green.

Mr. Green. Senator, I cannot speak for all of the Office of Personnel Management on our budget issues. I will leave that to Director Springer. I can say that we are moving forward on our initiatives, and we have a very large agenda within the Federal Employees Health Benefits Program and the other benefit systems, and we are moving forward without slackening at all.

Senator Voinovich. Do you have the personnel and resources to get the job done?

Mr. Green. Sir, I argue and fight for as many resources as I can get with my leadership, but I think that would probably be best left inside the OPM doors.

Senator Voinovich. Well, one of the things that bothers me is that we are asking many agencies to do all kinds of things, and we do not allocate the resources so they can get the job done. I know it is very difficult for the secretaries of these departments to be forthcoming about it, but it seems to me that during this new budget cycle we ought to be encouraging both of you to make it clear to the folks that are in charge if you need additional help. I just read, Senator Akaka, where the President is talking about flat funding the nondefense discretionary budget again. We just cannot keep going this way. There are too many responsibilities that are not getting done, and the nondefense discretionary budget is being cut. To be candid with you, we should be paying for the war, just not putting it on the tab. What it is doing is it is squeezing out other priorities that are essential. Have you, Mr. Green, had a chance to look at the bill that I joined Senator Carper in introducing, the Federal Employees Electronic Personnel Health Records Act?

Mr. Green.
Yes, sir, I have.

Senator Voinovich. I would be interested in your comments about it.

Mr. Green. Several comments, as a matter of fact. We note that the bill is consistent with the direction of the health care industry and the leadership provided by HHS, and it is also consistent with OPM's initiatives, as well, to move our carriers toward having PHRs. We do have some concerns about some of the aspects of the bill. Let me put it this way: We would be excited and would like to work with you and your staff and Senator Carper to move that forward, to deal with some of the issues we have. I think you will find them good points that we both want to work through, and we would be happy to do that with you, sir. But overall, yes, we do support a bill like that.

Senator Voinovich. So if Senator Carper's and my staff got in touch with you, you would be able to tell us your concerns.

Mr. Green. We would be pleased to do that. Yes, sir.

Senator Voinovich. I was glad to hear from your testimony that you are interested in HIT yourself. I mean, it is not like we are asking you to do something that is not already being done.

Mr. Green. No, that is true. And our carriers are interested as well. They see this as a real opportunity not only to provide for their members, but also to differentiate themselves in the marketplace. Our job and Mr. Kolodner's job is to see to it that they are done interoperably and so that it is portable and also so that they are, in fact, secure, private, and the information is confidential and under the control of the enrollee.

Senator Voinovich. Our thought is that we could use that as kind of a model for the rest of the country. I mentioned that I spoke with Aetna, while at the bipartisan health policy conference sponsored by the Commonwealth Fund and the Alliance for Health records with Aetna's CEO, who said he thinks implementing personal health records is a great first step, and that they seem to be interested in moving forward with it.
So it would be wonderful if we could get the standards in place and get moving.

Mr. Green. Aetna is one of our carriers, of course, a very large participant, so that is good to hear.

Senator Voinovich. Thank you, Senator Akaka.

Chairman Akaka. Thank you, Senator Voinovich. Dr. Kolodner, you testified that the current HIPAA statute provides the flexibility to protect health information while allowing best practices to emerge. However, as Mr. Rothstein on our next panel notes in his written testimony, some private sector companies are using electronic health record and personal health record networks that generally are not subject to any Federal or State regulation because the initiatives are not covered entities under HIPAA. Does HHS have a list of entities that may have access to personal health information under a health IT network, but are not covered by HIPAA?

Dr. Kolodner. The HIPAA rules define the entities that are covered by HIPAA. There are other entities that are not covered by HIPAA, and he may be referring to some of those entities. The Confidentiality, Privacy, and Security Work Group and our Consumer Empowerment Work Group, which is another work group under the American Health Information Community, both have started to consider whether there are entities that should be covered under HIPAA that are not now being covered. We will be looking at those recommendations as they come forward and see whether there is sufficient authority in HIPAA to extend that. So we are considering that as part of the deliberations that I mentioned that are underway.

Chairman Akaka. Dr. Kolodner, HHS has been without a permanent National Coordinator for Health IT since May 19, 2006. When will a permanent National Coordinator be named?

Dr. Kolodner. Mr. Chairman, that would be a question that Secretary Leavitt would ultimately need to answer. He has asked VA to detail me over. VA did that starting in September.
VA was gracious enough to extend the detail, so I will be here for another period of time, and it will be up to Secretary Leavitt to ultimately decide.

Chairman Akaka. Thank you. Mr. Green, you testified that OPM is a member of several work groups focused on health IT. Can you share with us some of the recommendations that OPM has made to these groups?

Mr. Green. Senator, the work groups operate under a consensus-based decisionmaking process. We contribute to those discussions on each recommendation as they come up. One of our primary objectives is to ensure consumer rights and responsibilities are protected, and we also share our knowledge on employer-based health benefits to shape recommendations that are achievable and promote the broad goals of the HIT initiative.

Chairman Akaka. Thank you. Senator Carper.

Senator Carper. Thanks, Mr. Chairman. Who did you succeed in your job?

Dr. Kolodner. Dr. David Brailer was the first National Coordinator.

Senator Carper. What is Dr. Brailer doing now?

Dr. Kolodner. I believe he is doing some private consulting. He is also a Special Government Employee, since he does still co-chair the American Health Information Community.

Senator Carper. Thanks. If you ever see him, give him my best. Thanks. All right.

Dr. Kolodner. I will do so.

Senator Carper. I understand when I was out of the room in another meeting here in the anteroom that Senator Voinovich asked for some reaction from both of you to the legislation we are about to reintroduce. And I understand that you pretty well trashed it. [Laughter.] No. I understand you were pretty generous. Would you just recap for me what you had to say and any thoughts you might have for making it better?

Mr. Green. Certainly, Senator.
I explained that we have reviewed and commented earlier, at least within the Executive Branch, on the bill and that since the provisions in the bill are consistent with the direction that the health care industry is going and the leadership that HHS is providing, it is also consistent with OPM's direction of where we want to move with our carriers in the FEHB program. So we are supportive of the bill and its outline and its purpose. There are some issues that we would like to have the opportunity to discuss with you and your staff that we think we can help improve the bill to fit what goes on within the FEHB program and some other issues, to help deal with privacy concerns as well. So we would welcome the opportunity.

Senator Carper. We gratefully accept that offer. I mentioned earlier in my opening statement that in Delaware we are standing up the Delaware Health Information Network, and we are doing so with the financial support from the Department that Secretary Leavitt leads and from some of the folks that are your colleagues, Dr. Kolodner. And the State of Delaware is matching that money over the next couple of years, and the private sector in our State is stepping up as well. We just learned that Blue Cross/Blue Shield of Delaware is the latest to step forward and say they want to be financially supportive of this, too. So we are very much encouraged. One of our focuses in standing up the Delaware Health Information Network is to protect patient privacy and patient records. And I know that you come out of the VA, don't you?

Dr. Kolodner. Yes, sir.

Senator Carper. How long did you work there?

Dr. Kolodner. Twenty-eight years.

Senator Carper. Twenty-eight years, wow. Did you start as a child? [Laughter.] But the VA approach on harnessing information technology--just talk with us a little bit about what you did there to protect the privacy of patients and their personal or health records.
And is there maybe a lesson there, a model for the rest of us, whether we are doing it at the State level or for Federal employees?

Dr. Kolodner. The VA had privacy as a central part of the system from early on, and we actually--because it is a single system and not a network. A network obviously presents new opportunities, new challenges. But as a system, we actually would contract to security companies for them to try to break into the electronic health record system and find where the vulnerabilities were so that we could fix them before any breach had occurred. The VistA system, which started out as the Decentralized Hospital Computer Program, is secure and has not been a source of any breaches. We also have a personal health record we provide to veterans, starting in December, we actually upload this robust data from.

Senator Carper. Starting this past December?

Dr. Kolodner. This past December. We had it in test with a few thousand veterans before that, but starting this past December, veterans can, in fact, have a copy of their clinical record--not just any claims data but the clinical data that is in this robust VistA system--uploaded to a personal health record if they choose. So it is an opt-in strategy. And we have security----

Senator Carper. It is opt in, not opt out?

Dr. Kolodner. It is opt in for the personal health record, yes, sir. And we have gotten very positive response from the veterans who----

Senator Carper. Are they opting in?

Dr. Kolodner. They are opting in. Hundreds of thousands have opted in so far. And as with any new technology, if you remember when the Internet started, many of us were a little skeptical. We wanted to see what was going on. Did we want to use our credit card over the Internet? And gradually what happens is you get the early adopters who were willing to take a chance, and the system gets more and more robust, more and more trusted, and more people, in fact, come on board.
So there is a growth curve that is a natural growth curve. It is not that everybody comes on at once. But it is one where you get more rapid uptake over time, and we are beginning to see that, particularly as you offer services that--veterans had wanted to be able to refill their prescriptions online, and they can do that now.

Senator Carper. Great. You may recall in the last Congress the Senate passed legislation dealing with health IT, passed a pretty good bill. I don't know that there was anybody who voted against it in the Senate. It went over to the House and it died. It died over there, and for reasons that are not altogether clear to me. What advice would you have for us as we come back and take up the legislation? There may be an effort to try to combine what Senator Voinovich and I are doing to actually make it part of the larger piece of legislation? I don't know if we will let that happen. Maybe we will, maybe we won't. There could be worse outcomes. But why did it die in the House? What might be different this time? And as we tinker with that legislation and prepare to pass it again in the Senate, what advice would you have for us, either of you?

Dr. Kolodner. Senator, certainly the reason why it died in the House or why the Senate and the House could not get together on it is beyond my purview and my expertise, and I would leave that to you and your colleagues.

Senator Carper. Well, we do not know either. [Laughter.] But we will figure it out.

Dr. Kolodner. I know that there is great interest in the health IT bill, and certainly we will work with you and with your colleagues as the various bills go forward to certainly work on something that advances the whole health IT agenda.

Senator Carper. Well, I don't know how familiar you were with the legislation that was enacted in the Senate. I am not going to dwell on it.
But if you have any ideas for the record that you might like to suggest to us, either of you, for how to improve that legislation when it comes to the floor, which I think will come fairly soon, we would welcome your input. Do you all have anything else you want to say with respect to any of the questions I have raised here? [No response.] OK. Thank you. Thanks very much for your good work, particularly at the VA, and as a veteran myself of the Navy, you make us very proud, even prouder to be veterans. And for all the veterans around the country, in Delaware and other places, who have the opportunity to use what I call the gold standard for health care in this country today, thank you for helping to provide that system.

Chairman Akaka. Senator Voinovich.

Senator Voinovich. I would like to get back to the bill that Senator Carper and I are going to reintroduce. It is my understanding that originally the bill had a 1-year requirement, the bill Senator Carper had, and then we had a 2-year requirement, and then we talked to OPM and they said we might be moving too quickly. It is my understanding that OPM is reluctant to agree to a statutory deadline because the HHS standards have not been published. However, Dr. Kolodner, you indicated that you have the team necessary to get the job done. I just want you to know I do not want to see publication of the standards delayed. If you do not have the people that you need to get the job done, then we ought to know about it. I will pick up the phone and call my good friend, former Governor Mike Leavitt, and say, ``Mike, you guys have made a commitment. Now put the resources in it so we can get it done.'' I want this taken care of. So if you want to respond to that, you may. [Laughter.]

Dr. Kolodner. One of the pleasures of being over at HHS has been the undying support of Secretary Leavitt for the area of health IT.
I could not ask for any stronger support from him, and that has been one of the things that attracted me to take this interim appointment. The office actually was established a little over a year ago, and we are just finishing up staffing up to our authorized level. We had been filling those activities with contractors. We are now bringing on the staff that we need, and we are moving as fast as we believe that we can, again, with this iterative process that is necessary to make the best policy.

Senator Voinovich. Well, we welcome your input on our legislation. We will be talking to you and Mr. Green about it more. Thank you, Senator Akaka.

Chairman Akaka. Dr. Kolodner and Mr. Green, thank you very much for your valuable testimony. I look forward to working with each of you to ensure that privacy and security are integral parts of the health IT architecture. Thank you very much.

Dr. Kolodner. Thank you, sir.

Mr. Green. Thank you.

Chairman Akaka. And now I ask our second panel of witnesses to come forward. Testifying on our second panel are David Powner, Director of IT Management Issues, and Linda Koontz, Director of Information Management Issues, from the Government Accountability Office; also Mark Rothstein, Director of the Institute for Bioethics, Health Policy, and Law at the University of Louisville School of Medicine, as well as the Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics; and Dr. Carol Diamond, Managing Director of the Markle Foundation. As you know, it is the custom of the Subcommittee to swear in all witnesses, so please stand and raise your right hand. Do you swear that the testimony you are about to give before this Subcommittee is the truth, the whole truth, and nothing but the truth, so help you, God?

Mr. Powner. I do.

Ms. Koontz. I do.

Mr. Rothstein. I do.

Dr. Diamond. I do.

Chairman Akaka. Thank you. Mr. Powner, please proceed with your statement.

TESTIMONY OF DAVID A. POWNER,\1\ DIRECTOR OF INFORMATION TECHNOLOGY MANAGEMENT ISSUES, ACCOMPANIED BY LINDA KOONTZ, DIRECTOR OF INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Powner. Chairman Akaka, Ranking Member Voinovich, we appreciate the opportunity to testify on privacy initiatives associated with our Nation's efforts to increase the use of health information technology. With me today is Linda Koontz, GAO's Director of Information Management Issues and privacy expert.

\1\ The prepared statement of Mr. Powner and Ms. Koontz with attachments appears in the Appendix on page 52.

In 2004, President Bush issued an Executive Order that called for widespread adoption of electronic health records by 2014 and established a National Coordinator for Health IT to lead and to foster public-private coordination. Over the past several years, we have issued several reports and testified on numerous occasions, highlighting the need for detailed plans, milestones, and mechanisms to monitor progress if this 10-year goal is to be achieved. The benefits of health IT are immense and include reducing medical errors. However, it also raises concerns regarding the extent to which patient privacy is protected. The challenge here is to strike the right balance between patient privacy concerns and the numerous benefits IT has to offer this industry. This afternoon, as requested, I will summarize our report completed at your request, Mr. Chairman, on HHS's health IT privacy initiatives. Specifically, I would like to highlight three points: First, the importance of having a comprehensive privacy approach; second, HHS's initial efforts to address privacy; and, third, additional actions needed.
Privacy is a major concern in the health care industry given the sensitivity of certain medical information and the complexity of the health care delivery system with its numerous players and extensive information exchange requirements. This concern increases as our Nation transitions to using more electronic health records. A comprehensive privacy approach is needed so that ultimately it is clear who these records are disclosed to, what limitations are placed on the use of the information, how patients can access their records, how inaccurate or incomplete information is corrected, and what administrative, physical, and technical safeguards are needed to protect electronic health information. HHS acknowledges in its National Health IT Framework the need to protect consumer privacy and plans to develop and implement appropriate privacy and security policies, practices, and standards for electronic health information exchange.

HHS and its Office of the National Coordinator have initiated several efforts to address privacy. These include: Awarding several contracts that include one for privacy and security solutions; consulting with the National Committee on Vital and Health Statistics to develop privacy recommendations; and forming a Confidentiality, Privacy, and Security Work Group to identify and address privacy and security policy issues. These efforts are good building blocks, but much work remains, including: Assessing how variations in State laws affect health information exchange; reporting and acting on the privacy and security contractors' findings; acting on advisory group recommendations; and identifying and implementing privacy and security standards. The National Coordinator's Office intends to use the results of these activities to identify policy and technical solutions for protecting personal health information as part of its continuing effort to complete a national health IT strategy.
Ultimately, these and other efforts are to result in comprehensive security and privacy policies, practices, and standards. However, how HHS plans to integrate the outcomes of its initiatives and when is unclear. Therefore, we recommended, Mr. Chairman, that HHS develop an overall privacy approach or a game plan that identifies milestones and an accountable entity for integrating the outcomes of its health IT contracts and recommendations from advisory groups. In addition, this approach should ensure that key privacy principles highlighted in our written statement are fully addressed. And, finally, this approach should address key challenges associated with legal and policy issues, disclosure of information, individual rights to access, and security measures.

In summary, Mr. Chairman, while progress continues to be made through the National Coordinator's private initiatives, a comprehensive approach is needed to integrate the results of the initiatives to ensure that key privacy principles are addressed and to ensure that recommendations from the advisory committees are effectively implemented. Otherwise, HHS will not be providing the leadership called for by the President and its goal of safeguarding personal health information will be in jeopardy. This concludes our statement. We would be pleased to answer questions.

Chairman Akaka. Thank you very much, Mr. Powner. Mr. Rothstein.

TESTIMONY OF MARK A. ROTHSTEIN,\1\ HERBERT F. BOEHL CHAIR OF LAW AND MEDICINE, AND DIRECTOR, INSTITUTE FOR BIOETHICS, HEALTH POLICY AND LAW, UNIVERSITY OF LOUISVILLE SCHOOL OF MEDICINE

Mr. Rothstein. Yes, thank you very much, Mr. Chairman and Senator Voinovich. I appreciate the opportunity to be with you this afternoon. I want to clarify for the record that I am appearing in my individual capacity and not as a representative of NCVHS, which may want to deny any responsibility for my statements, written or oral.
\1\ The prepared statement of Mr. Rothstein appears in the Appendix on page 130.

I want to make two points this afternoon. First, in my view, HHS has not made meaningful progress in developing and implementing measures to protect the privacy of health information in electronic health networks. And the second point is that time is of the essence. I believe HHS must begin to act immediately on these very difficult privacy issues and also that Congress needs to hold HHS accountable and make them meet the milestones that have been suggested by GAO or some of the other measures that I want to suggest to you this afternoon in my testimony.

I specifically agree with the comments in the GAO report. I believe that they accurately captured the sense and the progress, or lack of progress, on the privacy issues. But I would add my own assessment that I believe that the focus on privacy is currently lagging behind the focus at HHS on technical development of the infrastructure of the NHIN. And I am concerned that the gap between the technical progress and privacy is actually widening, and that is not a luxury that we have, for reasons that I want to pursue in just a minute.

In 2004, the head of ONC at that time, Dr. Brailer, asked NCVHS to do a comprehensive study on privacy and confidentiality issues in the Nationwide Health Information Network. And it took us 18 months of hearings throughout the country, dozens of witnesses, and lots of rather heated deliberation to reach our recommendations, which were delivered to the Secretary in June 2006. And just to emphasize the nature of these fundamental questions that have to be resolved, I want to go through a couple of them with you, if I may.
First, NCVHS noted that a decision has to be made on whether individuals have a right to decide whether they want to be a part of this nationwide system, and if so, should that be opt in or opt out or some combination, should it be controlled locally or via some other method. So that is a fundamental question.

Another fundamental question is whether individuals should have some control over the contents of their health records that would be disclosed via the NHIN. When you put together comprehensive, longitudinal, individual health records, they are likely to contain lots of old data. Some of it may be very sensitive. Some of it may be irrelevant to current care. These records are not usually available now because of the fragmentation of the system. You cannot get it from all these places. Electronically, it will be easy to obtain this information, and I am concerned that under an electronic system we should not have less privacy than we do today. So that is a concern of mine.

I am also concerned about the scope of the disclosures when people have to sign an authorization to get a job or life insurance. About 25 million of these are signed each year in the United States, and when the records are released, typically the entire file is sent. And this may include all this sensitive information.

NCVHS submitted 26 recommendations to the Secretary, and I don't think that very much progress, if any, has been made on any of these areas that we identified. And I believe that time is of the essence, as I emphasized in my written testimony. Private sector groups are working today--while we are still talking about these issues officially in terms of regulation, the private sector is marching ahead. Last month, we heard at our hearings from Wal-Mart about this huge personal health record system that it is putting together, with over 2.5 million employees represented, and this is a single company, in collaboration with other employers. They are not health plans.
They are not covered entities under HIPAA. There is no regulation in place. So not only do I support the GAO recommendations, I think we need to be thinking beyond HIPAA. HIPAA is an archaic statute that was designed for totally different purposes. It was designed for the payment system. We now have a more comprehensive nationwide network involved, and I think we have to be thinking more comprehensively. And I believe that there are lots of things that need to be done, and I would recommend that the Subcommittee work with HHS and try to move the ball forward more rapidly on these very important issues.

So I thank you for the opportunity to testify today and I look forward to your questions.

Chairman Akaka. Thank you very much. Dr. Diamond.

TESTIMONY OF CAROL C. DIAMOND, M.D.,\1\ MANAGING DIRECTOR, MARKLE FOUNDATION, AND CHAIR, CONNECTING FOR HEALTH

Dr. Diamond. Thank you, Chairman Akaka, Senator Voinovich. It is a privilege to be invited to testify today. I am the Managing Director at the Markle Foundation, and in that capacity I also serve as Chair of a large public-private collaborative called Connecting for Health. Our goal at Connecting for Health is to make sure that vital information is available both for patients and their providers when it is needed and where it is needed in a way that protects privacy and earns the trust of the American people.

---------------------------------------------------------------------------
\1\ The prepared statement of Dr. Diamond appears in the Appendix on page 138.
---------------------------------------------------------------------------

As you heard today, numerous efforts are underway to promote the use of health information technology within HHS, other parts of government, and the private sector. Yet as the GAO report and Mr. Rothstein have stated, there has not yet been enough progress in establishing a policy framework that will earn the long-term public trust required to sustain and build upon current activities.
Toward that end, I have two important recommendations to make. First, the Nation needs a well-defined, comprehensive privacy framework based on key policy and technology attributes that I will lay out. Second, while the entities and contracts created by HHS have been useful to initiate action in this field, we now need to find the appropriate longer-term process for determining both the policies and the technologies that will achieve the attributes of such a framework. Our national strategy for health information technology must be carried out by decisionmakers informed by and accountable to a broad range of interests with direct public accountability.

Let me first talk about the required framework for health IT. Our group took 3 years to develop this framework, and the framework includes the attributes that are necessary to protect privacy and security. Efforts to gather and share information should achieve these attributes:

First, information sharing at the national level should be done in a decentralized and distributed way. Simply put, health information sharing should not require the development of large centralized repositories of personal health information. Clinical data should be left in the hands of patients and those who have a direct relationship with them in their care, and leave decisions about who should or should not see that data with patients and providers directly involved with their care.

Second, sharing should separate demographic and clinical information. Sharing should be accomplished with an index that does not contain clinical data but, rather, knows where relevant information resides. Only those with proper authorization are then allowed to access the information, and this does not require the use of a national identifier.

Third, the framework should be a flexible platform for innovation.
Participation in the network by a broad range of providers delivering products and services will be a result of using open standards and transparent policies. This will encourage innovation so that we can make critical rapid progress.

Fourth, the framework should implement privacy through technology. This is a key attribute. Technology choices should be made so that they can enable the effective implementation of policies protecting privacy. These technologies should create audit trails, implement security, improve data accuracy, prevent both intentional and unintentional improper disclosure of information. They should build rules and permissions into the process of accessing and distributing data.

Our fifth attribute is really a set of nine foundational privacy principles. These have been adopted from fair information practices and other sources internationally. These principles include things like transparency, specifying the purpose of data being collected, collecting only what is necessary, adhering to the uses agreed to by the individual, allowing the individuals to know and have a say in how their information is used, maintaining the integrity of data, audit, oversight, and remedies in the event of breach or misuse. Every health information initiative should be expected to disclose how it addresses each of these principles.

In summary, HHS deserves praise for its success in elevating public and industry interest in health information exchange and for encouraging the adoption of technical standards. But focusing only on technical standards is like building an interstate highway system, without the rules for entering, exiting, or anticipating the speed limits that need to be accommodated. In order to serve the communities through which it passes, a highway must have a coherent set of rules, made obvious through signage and visibly enforced, and be embedded in the design of the highway itself.
And for the users of health information, patients and their providers, an explicit policy framework is essential. Several years of public opinion surveys show that Americans have significant privacy concerns when it comes to their health information. Without a policy framework with the attributes we propose, our Nation runs the risk of inappropriate uses of personal information followed by public clamor for hasty remedies, which will undermine the sustainability of an information sharing network. And these policies that touch the most private concerns of every American require a clear framework for privacy and an accountable visible process that can encourage public interest, that will be maintained over time, and that will give consumers confidence that their interests are being looked after.

Mr. Chairman, the lack of trust in health information technology may not only impede progress but, more profoundly, it may squander this amazing window we have to stimulate a much needed transformation of our overburdened health care system. Thank you for the opportunity to testify.

Chairman Akaka. Thank you very much for your statements. I just talked to my friend, Senator Voinovich, and I am going to let him proceed first.

Senator Voinovich. Thank you very much, Senator Akaka. First of all, you heard the testimony of Dr. Kolodner. You were here for his testimony, and I asked him whether or not he had the staff to get the job done. In your opinion, does he have the staff to get the job done?

Mr. Powner. We specifically have not looked at whether he has the human capital and all the resources to get the job done. Our big concern, Ranking Member Voinovich, is that we do not see a road map to get from where we are at today to have a comprehensive privacy policy in place. Dr. Kolodner made some comments about sound project management.
Sound project management is about having milestones and targets, and we go after those milestones and set interim performance measures to gauge whether we are making enough progress or not. That is what we do not see, sir.

Senator Voinovich. OK. So you are saying plan, milestones and, in addition, metrics to judge if milestones are being met?

Mr. Powner. Absolutely, and some of our other witnesses mentioned some of the key privacy principles that clearly need to be addressed as part of that approach.

Senator Voinovich. Right. Senator Akaka, it might be good--if you recall, what we have been able to do with the GAO High-Risk agencies. OMB and GAO have sat down together to develop a strategic plan on addressing these problems. They are making progress. It seems that process may have value here.

The last question is for Mr. Rothstein. You said they are lagging behind the technical structure of developing IT. So what you are seeing is fast development without building privacy in at the beginning?

Mr. Rothstein. Yes, Senator, and there are significant concerns that, unless privacy is built into the architecture of the system, we will not be able to come back and do it later. And that is why privacy protections have to be in from the start, and the longer it takes us to develop policies on what our privacy and confidentiality and security rules are, the more danger we have that it is going to be too late or it is going to be prohibitively expensive to go back and try to add the privacy protections.

Senator Voinovich. Just another comment, Senator Akaka. It is nice that OPM may be saying they cannot do it because they are waiting to incorporate the privacy standards into the system. Thank you very much. I appreciate the chance to ask these questions.

Chairman Akaka. Thank you very much, Senator Voinovich. Mr. Powner, you recommended in your testimony that HHS define a comprehensive privacy approach that includes detailed plans and milestones for integrating its various initiatives. GAO specifically mentioned the need to sequence the implementation of key activities appropriately. Would you explain that comment? Tell us why this is important. And what else is missing from HHS's current approach?

Mr. Powner. Similar to Mr. Rothstein's comment, the sequencing is very important because his comment about building in privacy and security early, we see many examples throughout the Federal Government, Mr. Chairman, where we built in security or privacy after the fact, after systems and networks are built; and, one, it is very difficult to implement and, two, it is much more costly to do it after the fact. So it is very important that we sequence these activities. We are talking about prototypes right now for the National Health Information Network, and to Mr. Rothstein's point, what is happening is the technology is getting ahead of the policy, and we need to make sure that we get the policies in place so that we can actually make those appropriate technology decisions and build it in up front.

Chairman Akaka. Dr. Diamond, I agree with your statement that public trust cannot be fully accomplished by relying only on existing legal provisions such as HIPAA. However, Mr. Green testified that OPM is pushing health IT through the FEHBP and is only requiring carriers to follow Federal privacy requirements. Do you believe OPM can earn the trust of Federal employees when carriers are increasingly using health IT?

Dr. Diamond. Chairman, I would say two things. I think it is a very good thing for the Federal Government to help its employees find ways to see and access their own health information.
But I would say that in the same way that the government can stimulate the use of information technology and stimulate the expectation that people can have their own information, it can also stimulate the adherence to a basic framework of privacy based on the attributes that I articulated today. As long as those both policy and technology things are clear to the user, that there is transparency, that people know how their information is used, then we can earn the trust. So I would say there is an opportunity to both stimulate people being more engaged in their health care by having personal health records and also to use the role of the Federal Government to make sure the attributes are built into every initiative that is put out there using information technology.

Chairman Akaka. Mr. Rothstein, the privacy and security requirements of HIPAA and other laws do not cover all entities that exchange electronic personal health information. What can HHS do to ensure that gaps in legal privacy protection of health information are addressed by a privacy framework for the nationwide health information exchange?

Mr. Rothstein. Mr. Chairman, one of the specific recommendations in my written testimony is that I believe that HHS should undertake a study to determine the number of health care providers that are, in fact, not covered entities under HIPAA at the moment. We have been doing that in my subcommittee--that is, the Subcommittee on Privacy and Confidentiality--and we are frankly astonished at the number of health care providers that are not covered entities. Unless you are engaged in an electronic billing transaction, you are not a covered entity. So all of the urgent-care, cash-paid doctors, many cosmetic surgeons that are not covered by any insurance plan, all sorts of other health care providers that are not covered--massage therapists, acupuncturists, and so forth--may not be covered entities under HIPAA.
We don't know how many there are, and it seems that it is going to be Congress' role to enact new legislation or to amend the HIPAA statute to bring in all these other health care providers. But I think it would be very helpful to the Congress if we had a sense of how many there are that need to be covered.

Chairman Akaka. Dr. Diamond.

Dr. Diamond. Yes, Chairman. As was stated previously by other witnesses, HIPAA was written at a time where we did not contemplate a Nationwide Health Information Network, nor did we contemplate the number of entities and parties today who are part of the use and sharing of health information. I do think, as I stated in my testimony, the two comprehensive things to do would be to require a policy framework based on key attributes and to establish a public process to build in and make sure that each information technology initiative that is proposed lives up to those attributes.

Chairman Akaka. Thank you. Dr. Diamond and Mr. Rothstein, based on the work of HHS to date to promote health IT, are there any legislative changes that we in Congress should consider making to ensure that the privacy of health information is protected?

Mr. Rothstein. Senator, I believe there are two areas in which congressional action would be indicated. First, is to extend the coverage of health privacy legislation; in other words, to expand the number of covered entities that are currently covered under HIPAA or under some other replacement law. The second is of a more substantive nature, and that would be to try to limit the amount of information that third parties can require individuals to provide as a condition of getting a job or a life insurance policy or some other commercial transaction.
At the moment, it is lawful to require that individuals sign basically an unlimited release and then all this information and, increasingly, more comprehensive information will be disclosed electronically to people who do not have a legitimate interest in this extra information. An employer or insurer may have a legitimate interest in knowing your current health status, but maybe not things that happened 20 or 30 years ago that would be of a very sensitive nature. And I think restricting those kinds of information requests would be very helpful.

An example would be under the Americans with Disabilities Act, the Federal statute dealing with disability discrimination says that if you are a current employee, the employer can only ask about job-related health information. But if you are an individual who has a job offer but have not started yet, then they can have an unlimited request for information. If you applied that same standard that is applicable to current employees to these applicants, then the amount of information would be reduced substantially.

Chairman Akaka. Dr. Diamond.

Dr. Diamond. I think there is an opportunity right now to consider what the right process is for this next level of public input and discussion that is required around privacy and security. And I think what I propose in my written testimony is what I will repeat here. Based on a set of foundational principles, there does need to be a process that will have appropriate public input, notice and comment, and deliberation so that we can move forward in a way that people feel trust in the health information network and the way their information is being shared. And I do think reverting to the policies and the attributes that I laid out today serve as a good yardstick or metric for trying to determine how to move forward.

Chairman Akaka. Thank you. This question is to all of the panelists.
You all heard the testimony of OPM that Federal employees' electronic health information is protected, despite the fact that HHS's efforts on privacy and security are lagging behind. Do you agree with OPM? Mr. Powner.

Mr. Powner. Sir, I do not believe we are in a position to comment on OPM's efforts in that area. We have not looked at it in any detail at all.

Chairman Akaka. Thank you. Mr. Rothstein.

Mr. Rothstein. I would only note that the companies that offer insurance to Federal Government employees are covered entities under HIPAA because they are health plans. Therefore, they are regulated in the way that other covered entities are. But individual employees are not protected in the sense that for all of this information that is suddenly going to be aggregated and available electronically at a single point in time, we do not have new rules that apply to the network. What we are applying to government employees are the old rules under HIPAA.

Chairman Akaka. Dr. Diamond.

Dr. Diamond. Yes, I am not familiar with OPM's efforts. I will just offer that under the existing HIPAA rule, there have been 22,000 complaints to OCR, and very few have actually resulted in penalties. And I think there is an opportunity to look at not only these new attributes that I laid out here and the principles as a way to ask ourselves if we are doing enough, but also to look at appropriate remedies in the event of breaches, because we are in an information world today. This is the Information Age, and I think every one of us, while we enjoy the benefits of it, also have to acknowledge that we need to think about the protections that need to be in place to participate fully.

Chairman Akaka. Mr. Powner, what do organizations that store and exchange personal information consider when balancing the benefits realized from IT with the risks introduced by storing large amounts of personal data in electronic format?

Ms. Koontz. I will answer that, if I may.
We found, in terms of the research that we have done on privacy, that best practices organizations do a number of things. First of all, they get continuous and early input from stakeholders, from experts, and from the public in some form. And I emphasize the word "continuously" because as these kinds of initiatives are worked on, they tend to evolve and change, and there needs to be a constant going back to the privacy principles to touch them to make sure that we are consistent with the framework that we have selected.

I think successful organizations also use fair information principles. I agree with many of the other witnesses on the panel today that HHS needs to take a broad look at privacy, and it is useful to look at the fair information practices which are broad, very internationally accepted principles as a way of facilitating discussion on the balance that should be struck between privacy and other interests.

I think best practices organizations assess privacy protections, as many of the other panelists have said, before information technology is acquired or developed. Technology can be an enabler to help build in privacy protections, but once a system is built, it is very difficult and often very expensive to go back and retrofit those kinds of protections. To the extent that HHS uses these kinds of best practices, I think it increases their chance of success in this.

Chairman Akaka. Thank you, Ms. Koontz. Mr. Powner, HHS has been without a permanent National Coordinator for Health IT for almost a year. What effect has the absence of a national coordinator had on HHS's progress toward defining a privacy framework as part of its national strategy for health IT?

Mr. Powner. First of all, I think we need to give some credit to Dr. Brailer for getting the ball rolling here, and Dr. Kolodner has kept it rolling. But longer term, when you look at whether we need a permanent national health IT coordinator, we believe we do, for a couple of reasons.
There are going to be some tough decisions. What we discussed here today, tough privacy decisions from a policy perspective are going to have to be made. Having a permanent leader would be very important for that. Also, too, because of the collaboration that needs to occur with the private sector, having a permanent leader sends a message that this is a presidential priority. Having an interim leader does not.

Chairman Akaka. Thank you very much. Mr. Rothstein and Dr. Diamond, in June 2006, the National Committee on Vital and Health Statistics sent a letter to HHS Secretary Leavitt with 26 recommendations on privacy and confidentiality in the Nationwide Health Information Network. Meanwhile, the Markle Foundation is working with various stakeholders, including government, industry, and health care experts, to address the challenges of creating a Nationwide Health Information Network. What has been the response from HHS on your initiatives?

Mr. Rothstein. Mr. Chairman, in terms of the NCVHS, we received in the fall a letter from the Secretary acknowledging receipt of our report, but that has been the extent of our official response from the Department.

Chairman Akaka. Dr. Diamond.

Dr. Diamond. Mr. Chairman, we have been involved in many of the discussions within the work groups of the AHIC and also within the NHIN contract, and I think the groundwork that we did in laying out the framework for sharing information with privacy has been very instrumental in those discussions. However, we have not yet had the opportunity to see those privacy principles or the comprehensive framework that I discussed today make its way into the current initiatives on the NHIN. And to echo what some of the other witnesses have said, we worry that the technology efforts and the standards efforts are moving too far ahead of some of those privacy principles and privacy requirements that the technology should fulfill, that we should not be trying to correct later on.
We know firsthand from doing our own prototype the year prior in three communities--in Indianapolis, Boston, and Mendocino County, California--that it is possible to connect disparate communities with different technologies using privacy and security. But those decisions about privacy and security changed the way technology was implemented. They drove decisions in the way that technology was implemented that we would like to see inform the process going forward.

Chairman Akaka. Well, I want to thank you, Mr. Powner, Mr. Rothstein, and Dr. Diamond, for your testimonies and also Ms. Koontz, for your responses as well. And I want you to know that you have provided this Subcommittee with valuable information, and we appreciate all that you have done to ensure that Americans' health information is protected.

Today's hearing underscored the need for HHS to integrate privacy into the nationwide health IT infrastructure. We heard repeatedly that individuals must have trust and confidence in the system to encourage them to share their personal health information. If we want health IT programs to succeed, we must have privacy and security protections in place at the beginning. I look forward to working with HHS, OPM, and the various stakeholder groups to make this happen.

As there is no further business, the hearing record will be open for one week for additional statements or questions from Members of the Subcommittee. The hearing is now adjourned.

[Whereupon, at 4:17 p.m., the Subcommittee was adjourned.]

A P P E N D I X
----------

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]