107th Congress

Making Patient Privacy a Reality: Does the final HHS Regulation get the job done?
Senate Committee on Health, Education, Labor, and Pensions -- February 8, 2001

Members Present

James JeffORDs (R-VT), Chairman; Edward Kennedy (D-MA), Ranking; Hillary Rodham Clinton (D-NY); Susan M. Collins (R-ME); Christopher Dodd (C-CT); Tom Harkin (D-IA); Tim Hutchinson (R-AR); Patty Murray (D-WA); Jack Reed (D-RI); Pat Roberts (R-KS); and Paul Wellstone (D-MN).

Witnesses

Ms. Leslie G. Aronovitz, Director, Health Care - Program Administration and Integrity Issues, GAO; Ms. Janlori Goldman, Director, Health Privacy Project, Georgetown University; Ms. Jane F. Greenman, Deputy General Counsel, Honeywell International, Inc.(on behalf of the American Benefits Council); Mr. John P. Houston, Data Security Officer; and Assistant Counsel, The UPMC Health System (on behalf of the American Hospital Association); Ms. Judith L. Lichtman, President, The National Partnership for Women and Families; Dr. G. Richard Smith, Jr., Director for Centers for Mental Healthcare Research, University of Arkansas for Medical Sciences (on behalf of the Association of American Medical Colleges); Mr. Robert C. Heird, Senior Vice President, Anthem Blue Cross and Blue Shield (on behalf of BlueCross BlueShield Association).

Opening Statements

Senator JeffORDs offered opening remarks emphasizing the role of privacy in bolstering individual trust in the health industry, which is essential for the efficient and effective operation of the health care system. Senator Kennedy congratulated DHHS on its rulemaking efforts, compared the burden to industry to protect with the burden faced by individuals when information is misused, and that further legislative steps may be necessary to complete the privacy protections for medical information.

Key Points Raised During Questioning

Senator Hutchinson emphasized the need not to impede research and medical education efforts.

Senator Roberts emphasized the burden on small, rural hospitals and other providers in funding the privacy requirements. He also questioned whether the administrative simplification savings were real and targeted to the same entities bearing the expense.

Senator Dodd was concerned about employers, insurers and other entities that were beyond the reach of the current law. He noted that only 4 or 5 States currently had comprehensive privacy laws of their own that may not be preempted as more stringent. He was emphatic that reopening the rule was not wise and may provoke more of a legislative reaction than needed (especially if more compliance time is the primary concern).

Senator Murray approved of the rule as means of access to medical system, especially in areas of minors and domestic violence; she also questioned if small providers should have longer implementation time. Additional remedies, particularly a private right of action was needed.

Senator Clinton questioned if plans should be included in required consent through the enrollment process and whether the marketing provisions could be tightened.

Senator Harkin was concerned about the need for a private right of action.

Senator Harkin and Senator JeffORDs indicated need to obtain DHHS intention, pursuant to Card memo, on delaying or reopening the rule.

Senator Reed questioned GAO about problems with consent in call-in situations.

Senator Wellstone concentrated on the rule's requirements for psych. notes and special requirements for mental health information.

Senator Collins was concerned for the complexity, burden, and cost of the rule; the potential for negative impacts on care; but also for law enforcement access that exceeded that of video store records.

Panel I: The highlights of the testimony and questioning by Committee members follows:

Ms. Leslie G. Aronovitz (GAO) noted that the rule addresses dual concerns: privacy interests of individual and information needs of health industry and others. It is a federal "first" in the areas of an individual's right to access and amend their records, to have an accounting of disclosures and notice of privacy practices; there are penalties for violations; the rule makes privacy a part of business practice for plans and doctors

Of the 17 groups surveyed by GAO; all felt HHS was responsive; many expressed concerns for compliance uncertainty. Particular issues raised by those surveyed included:

• Partial preemption (consumers pro stronger state law; industry for national standard)
• Marketing and fundraising (consumers want initial opt in)
• Many questioned "how do we do this", especially regarding consent (handling pre-admission protected health information (phi), drug stores on call-in prescriptions)
• Costs (training, computers, forms, notices, redoing contracts)
• Ms. Aronovitz emphasized that some of the uncertainty may be just newness of rule; guidance may resolve many concerns. In response to questions, the she stated that in meeting with Department representatives about the rule GAO discussed HHS' authority to include paper as well as electronic information. GAO agreed with the Department's analysis on its legal authority. The Office of Civil Rights (OCR) which has implementation responsibility is trying to organize, do technical assistance, and plan enforcement. With regard to research, GAO thought the approach in rule was appropriate. IRB's currently undertake similar reviews, in terms of assessing privacy pertaining to "groups" not "individuals". Concerns being raised on this issue pertain more to the level of subjectivity to be involved.

GAO noted they did not conduct an independent assessment of cost; nor did they have an independent assessment of whether the implementation timeframe was realistic. ( The committee may ask them to assess)

Panel II:

Ms. Janlori Goldman, Health Privacy Project (consumer advocate) strongly urged that there be no delay in moving forward with implementation of the rule. She indicated that better law enforcement protections (only with process) were needed, along with tighter marketing/fund-raising (advance opt out/opt in) provisions. Ms. Goldman emphasized the need for better remedies (private right of action) and that Congressional action would be needed to resolve this point, as well as, to expand the scope of the protections (include employers, insurers, others).

Ms. Jane F. Greenman (Honeywell Int'l, Inc.) on behalf of American Benefits Council urged the Committee to reopen parts of rule, and also highlighted the need for more time to implement the provisions. She stated that HHS should be required to identify applicable state laws, which may conflict with the rule's provisions. Ms. Greenman stated the minimum necessary standard in the rule was too vague, and that a reasonableness standard should be used instead. With regard to group health plans, the Benefits Council perceives the rule to be too vague for large self-insured companies, and that the firewall requirements for small companies would be infeasible. Ms. Greenman also noted that model notices and forms were needed.

John P. Houston (UPMC Health System) on behalf of American Hospital Association also articulated the need to the rule reopened. Specifically, he noted the burden of modifying systems, and contracts. He also stated that some provisions of the rule could be implemented within the 2 year timeframe, but IT changes would need longer. The consents were burdensome, in his view, and the rules expansion to cover paper and oral communications was too broad. Like others, he indicated the need for legislation to establish federal uniformity.

Panel III:

Ms. Judith Lichtman, National Partnership for Women and Families, highlighted information her group had garnered from focus groups. With respect to women, privacy is THE issue. She emphasized that HHS got balance exactly right; limitations in law not the rule (ie, employer coverage). Her testimony went on to note that the rule was good with regard: to minors; domestic violence (notice if disclosures to law enforcement); sensitive data (right to request restriction). Finally, Ms. Lichtman stated that there was a need for legislation to provide broader coverage, better remedies (namely, a private right of action), and more resources for HHS to enforce the rules.

Dr. G. Richard Smith (Dir. Mental Healthcare, UAMC) on behalf of Association of American Medical Colleges testified that the rules would have a negative impact on teaching (ambiguity about teaching; subject to minimum necessary; chilling penalty if guess wrong. ) He also stated that the rules would have a negative impact on research for several reasons: while de-identified data is good, the rule is too complex; the IRB waiver is too vague; rights to access and disclosure are inconsistent (unclear from oral statement what conflict was); the rule was too hospitable to whistleblowers; potential liability will cause archived data sources to lock down rather than risk disclosure. Dr. Smith noted that these 'troublesome issues' should be reopened, that the implementation timeline should be expanded to 60 months; and that the Federal and State lawmakers should find way to fund implementation (model on Hill-Burton Act).

Mr. Robert Heird (Anthem Blue Cross/Blue Shield) for BCBS Association (Plans) noted that BCBS' customers have said they want privacy. However, (in BCBS' view) the HHS rule does not meet customer expectation. Those expectations being clear guidelines (having numerous state laws just confuses things). They want timely quality care - minimum necessary precludes complete access needed (in fact, the rule does not require minimum necessary review for treatment). He asserted that the business associate provisions were unworkable because it requires them to do notices and complex procedures. It was the view of BCBS that practical rules were needed, the consent structure would have negative downstream impact. His examples included a transition period scenario, and a call-ins on care situation. Mr. Heird noted that the transaction rule code sets requires too much re-engineering and then requiring that it be done again for privacy, was too much.