This Transcript is Unedited

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

January 12, 2005

Room 705A
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS

Call to Order, Introductions


P R O C E E D I N G S [8:47 a.m.]

Agenda Item: Call to Order, Introductions, Opening Remarks - Mr. Rothstein

MR. ROTHSTEIN: Good morning, my name is Mark Rothstein and I'm the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine and chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. NCVHS is a federal advisory committee consisting of private citizens which makes recommendations to the Secretary of HHS on matters of health information policy.

On behalf of the subcommittee and its staff I want to welcome you to today's hearing on disclosures of protected health information to third parties pursuant to authorizations. We are being broadcast live on the internet shortly although not at this minute so we should plan on making sure that our, when we speak we speak into the mics clearly and audibly. If any of you have cell phones or pagers I would ask that you turn them off at this time.

Because of our late start if you will take a look at your schedules and simply add 15 minutes to each of the time breaks we'll just move everything back in the day 15 minutes. So today's first panel for example will end at 10:15 and we'll have our break at 10:15.

Dr. Richard Harding will chair the first panel of today's hearing, which will begin after our introductions and during the introductions I would ask subcommittee members to disclose any conflicts of interest. I will begin by merely observing that any of my conflicts I think should become apparent during the first presentation this morning. Richard?

DR. HARDING: I'm Richard Harding, I'm chairman of neuropsychiatry at the University of South Carolina School of Medicine and I have no conflicts that I'm aware of at this time.

DR. COHN: I'm Simon Cohn, I'm the associate executive director for information policy for Kaiser Permanente, I have no conflicts of interest to my knowledge.

MR. BLAIR: I'm Jeff Blair, vice president of the Medical Records Institute and I have no conflicts that I'm aware of.

MS. SUTER: I'm Sonia Suter, I'm associate professor of law at George Washington University and I'm testifying today, not a member of the subcommittee.

MR. SWIRE: I'm Peter Swire, I'm a professor of law at the Ohio State University, I'm testifying today and I have no conflicts, I'm just testifying.

DR. RIPPEN: My name is Helga Rippen, I'm at the Office of the Assistant Secretary for Planning and Evaluation and staff member to the subcommittee.

MS. GREENBERG: I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and executive secretary to the committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross/Blue Shield of North Carolina, member of the committee and no conflicts.

MR. HOUSTON: I'm John Houston, I'm with the University of Pittsburgh Medical Center, I am a member of the committee as well as the subcommittee and I have no conflicts.

MR. ASMONGA(?): Don Asmonga, director of government relations for the American Health Information Management Association, I'm in the audience and I'm regularly conflicted.

MS. TOWNSEND: Jessica Townsend from the Health Resources and Services Administration.

MS. MEYER: I'm Robbie Meyer with the American Council of Life Insurers and I'm a presenter this afternoon.

DR. HUGUENARD: I'm Dr. Joseph Huguenard, I'm with Swiss Re Life and Health North America and I'm here representing the ACLI, American Academy of Insurance Medicine, and I'm a presenter.

DR. HARDING: Well, thank you, and we look forward to a very interesting morning and afternoon and welcome to our guests as well as presenters.

We're going to start this morning with Chairman Rothstein who will be presenting, we're going to ask that people present for about 15 to 20 minutes, at 20 minutes I'll kind of give you the high sign if you're still going but that will allow us time for questions and answers which I'm sure will be forthcoming during that time. Mr. Rothstein.

Agenda Item: Introduction - Panel 1 - Mr. Rothstein

MR. ROTHSTEIN: Thank you, Mr. Chair. As everybody or most people know in this room I have served as a member of NCVHS since 1999 and as chair of the Subcommittee on Privacy and Confidentiality since 2000, and this is the first time I have appeared in the role as a witness before the subcommittee. And I've elected to do so because of the great importance that I attach to the topic of today's hearing and because I think the views that I'm going to present are not widely expressed in the discourse of the NCVHS or elsewhere and I'm very anxious to turn our attention to these issues. And I thank my colleagues and the subcommittee staff and the other witnesses for indulging me.

Today's hearing focuses on third party access to PHI via authorizations and the first panel will attempt to provide an introduction to the topic. I have titled my talk Reconceptualizing Health Privacy and Confidentiality and I hope to focus on these three questions, what are health privacy and confidentiality, why do people consider health privacy and confidentiality important, how effective are current efforts to protect health privacy and confidentiality --

Let me just stop for a second, are we on the internet?

PARTICIPANT: We will be in a minute.

MR. ROTHSTEIN: Okay, well that affects whether I read the slides so I just wanted to make sure so I don't mean to insult you by reading what you can read but the internet people can't get them.

Okay, so the first is what are health privacy and confidentiality, the first of the questions, and according to Anita Allen's formulation it can involve various dimensions including information, physical, decisional and proprietary privacy, today I'm going to be talking about informational privacy.

Privacy and confidentiality are often used interchangeably when they refer to two different concepts and I use the term privacy to refer to a two party relationship, that is whether an individual can keep certain information without being disclosed to anybody else, and that anybody else may be family, friends, or in the health care setting a physician. So it's the individual's option under privacy or right to privacy or however you want to phrase it to disclose information and we all have certain facts and bits of information that we don't want to disclose to other people and privacy is a way of retaining one's control over that information.

Now this is a quote from the introduction to the book by Ellen Alderman and Caroline Kennedy about ten years ago that talks about why they view privacy as important, it reads why we as Americans so cherish our privacy is not easy to explain. Privacy covers many things. It protects the solitude necessary for creative thought. It allows us the independence that is part of raising a family. It protects our right to be secure in our homes and possessions assured that the government cannot come barging in. Privacy also encompasses our right to self-determination and to define who we are. Although we live in a world of noisy self-confession privacy allows us to keep certain facts to ourselves if we so choose. The right to privacy, it seems, is what makes us civilized.

In contrast to this two party relationship in privacy I believe that confidentiality refers to a three party relationship so you start out with A, who now I've termed the patient, and A gives information to B the physician and now privacy, I'm sorry, confidentiality considers the issue of whether the second party, B the physician, can re-disclose information that was originally disclosed within the confines of a confidential relationship to some third party. And this third party could be family or friends or an employer, an insurer, a marketer, some entity that has more of a commercial relationship with the individual patient.

Now I'll be coming back to this three party diagram later in my talk when I discuss the issues of how we attempt to regulate the control of information from A to C through B.

Confidentiality is the source of professional obligations, legal liability, and vibrant policy debate as we all know. And the basis of confidentiality we can trace at least to the Hippocratic Oath, which provides in part and whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, and that relates to our discussion yesterday on archival information, holding such things as holy secrets.

I think that professional pledges of confidentiality by health care providers implicitly say to patients the following, it's okay to accept a lesser standard of secrecy going from privacy to confidentiality because limited disclosure is essential to your health care and your information will not be re-disclosed without your consent. I think that's the implicit bargain or premise of confidentiality.

Now why do people consider health privacy and confidentiality important? I think that privacy and confidentiality have both an intrinsic and a consequential value. So let's do the following mental experiment, suppose that before today's hearing I asked you all to pick up a copy of your complete medical records file and we all have in front of us a one foot high stack of all of our medical records from our pediatrician onward. And then I said okay what we're now going to do is we're going to exchange our medical records and tomorrow we'll bring them all back and return them to their owner and nothing bad will happen to anybody as a result of this exchange, you're not going to lose your jobs, your insurance, or anything like that, but we're just going to pass them around. And I think that more than a few of us would have some concerns about that and that in my view goes to the intrinsic nature of privacy.

So there is certain health information that people do not want to share irrespective of any possible adverse consequences, they may be concerned about embarrassment, stigmatization, or the undermining of current or future relationships. A study that was published in 2003 actually asked several hundred patients with all sorts of conditions which of those conditions and what health information they considered to be most sensitive and then they were ranked. So the top six that I included on my list, which were responded in the top six, were abortion history, mental health history, HIV/AIDS, genetic test results, drug and alcohol history, and history of sexually transmitted disease. And then lower down the list which I didn't include on the slide are heart disease, cancer, and so forth. The interesting thing I think is that the sensitivities of individuals change over time and I think if you had a list from 25 years ago, well it wouldn't have had HIV/AIDS, it may not have had genetic test results, it probably would have had cancer which was much more stigmatized years ago and I don't know what the conditions will be in the future. So not only does it change over time but it varies by condition, that is the sensitivity attached to the condition varies by condition.

Now there are also consequential elements of privacy, people are concerned about the tangible consequences of disclosure including that they may be subject to health based, and I put in quotes "discrimination" and discrimination is a difficult word for us to get a handle on because we can use it in the civil rights sense when all discrimination is invidious or we can use it in the sense of making distinctions or drawing distinctions among people in the insurance sense where they have different risks. So I believe that discrimination means that it's the concern of individuals about health based discrimination can be one of two things, it can be either that inaccurate conclusions or predictions based on the health information will be used to deny them employment, insurance, or other opportunities, that this third party is going to somehow misuse their information and draw erroneous conclusions.

Or it could be that accurate conclusions or predictions based on health information will be used to deny them opportunities to which they believe they are entitled notwithstanding the health information. So for example a health insurer might accurately determine that they are at increased risk of becoming sick in the future but nevertheless they believe that they have some sort of entitlement or right or ought to have access to health insurance.

The third topic I want to take up is how effective are current efforts to protect privacy and confidentiality and I want to use as examples the HIPAA privacy rule which is near and dear to all of us, and also an example of genetic nondiscrimination laws in employment and health insurance.

One of the things about HIPAA I think is that it is so misunderstood, what it intends to do, how it does it, and so forth. Many people believe that HIPAA is a comprehensive law designed to protect health privacy and confidentiality and that it establishes a comprehensive system for doing so and that is of course not the case. HIPAA does not establish a comprehensive system for protecting the privacy and confidentiality of health information because HIPAA only applies to covered entities, health care providers, health plans, health clearinghouses and their business associates, HIPAA does not apply to employers, insurers, schools, or other entities that may have health information except to the extent that they perform as a covered entity.

HIPAA also only covers so-called protected health information which is defined as individually identifiable information. There may be an ethical obligation or a legal duty based on some other law to protect other forms of health information such as preventing the group based harms associated with anonymous but ethnically keyed genetic information but that is not covered by HIPAA because it's not individually identifiable.

HIPAA does not protect the privacy of health information if we define it in the two party sense that we talked about earlier as being the right of individuals to prevent the disclosure of health information to others. Under HIPAA the failure to disclose health information may result in the refusal of medical treatment or the refusal to reimburse providers for services. It would be lawful and reasonable for a health care provider to say look, if you don't tell me your history or what medications you're taking I can't treat you, I'll be afraid to do anything. I need to have certain information and so there is no right of privacy certainly under HIPAA to get medical care and withhold essential information.

I would also argue that HIPAA does not protect the confidentiality of health information which we just defined as the re-disclosure of information originally disclosed within a confidential relationship. Because even though an authorization is required for most uses and disclosures beyond treatment, payment, or health care operations such as marketing or research, HIPAA does not prohibit third parties from requiring the execution of an authorization, and I would add an unlimited authorization, as a condition of for example obtaining employment or an insurance policy, issues that we're going to be focusing on today.

So what is HIPAA? I think for all its complexities and controversy HIPAA and its privacy rule provide a limited system to protect the security of health information by preventing the unauthorized use or disclosure of protected health information as well as a series of fair information practices such as the right of access to medical records, the right to request amendment, the right to accounting for disclosures, etc. So I think HIPAA is not a privacy and confidentiality rule so much as a rule that protects security, even in the privacy rule not to mention in the security rule, and a series of fair information practices.

I would add parenthetically of course that I think that privacy rule has perhaps an even more important symbolic value in that it raises for health care providers around the country the notion that health privacy which always was a part of the code of ethics of all the health professions is really important and you need to take concrete steps to protect the privacy and confidentiality of the information that you hold.

So the final of the four things I want to suggest is that how effective, or consider, is the question of how effective are current efforts to protect health privacy and confidentiality. So let me go back to the three party relationship that I sketched out earlier for you where a patient gives information to a health care provider, in this illustration a physician, and then the physician or hospital or provider with the records then is faced with a question of disclosure to some third party, an employer, an insurer, or a marketer.

How as a matter of policy have we attempted to keep "confidential" or private information from A from being disclosed to C, the third party? And it seems to me the way that we've gone about it is to try to erect barriers between B and C. We set the conditions under which those in possession of the health records, the providers, the hospitals, the physicians, the nurses, etc., may release information to C and to prevent the inadvertent or unauthorized disclosure of information, or the wrongful disclosure of information. But that does only a partial job of preventing the disclosure of information from A to C. If we are serious about keeping unnecessarily broad and unnecessarily voluminous amounts of irrelevant patient health care information from reaching third parties we can't do it that way because anyone with the economic leverage, that is an employer or an insurer, can as a condition of employment or insurance, C, the third party, can go to the patient and say if you want this job sign this authorization releasing all of your medical records to us. If you want this insurance policy sign this authorization. And then B, the holder of the information, is legally bound to disclose that information. So the model that we've adopted for regulation does not really address the issue of compelled authorized disclosures.

Now suppose we changed the law and said that information in the possession of the health care provider, B, could never be disclosed to C even with an authorization, would that help? And the answer of course is no because C would say they just passed this crazy rule that says I can't get your health information from your provider even with an authorization but you can so go get your health records from your hospital or your doc and bring them first thing Monday morning if you want this job or this insurance policy.

Well, that wouldn't help too much. Suppose we enacted a rule or a law that said okay, any information that was obtained in the clinical setting can never be disclosed to third parties who are not performing in the clinical setting. So A couldn't get the medical records, his own medical records from B and disclose them to C or C couldn't use those records, would that help, and the answer is no because C would then say to A I can't use any of the records that you have given in the course of your medical treatment so if you want this job, if you want this $10 million dollar life insurance policy, come in first thing Monday morning and we're going to do our own examinations and plan to be here for the better part of the day.

So this paradigm is not amenable to regulation with the tools that we have, the only way it seems to me that if we think that third parties are getting more information than they need, the only way to address that issue is not a procedural one, it's a substantive one, what information can C access and use. And that involves a whole series of much more difficult and complicated, and I would argue if I had to, contentious issues such as who should have a right of access to health insurance and health care? Under what terms should medical underwriting be undertaken in life insurance or disability insurance or long term care insurance? What is the relative right of employers vis-à-vis employees to make decisions about whether employment in a particular workplace is in their best interest? And these are very difficult but they are substantive questions and can't be resolved by sort of procedural measures to restrict access in one way or another.

I think genetics presents us with a very good case study of how we've attempted to do this and how our efforts have failed. The starting point for analyzing the success of genetics regulation or the applicability of genetics regulation in the workplace setting is the Americans with Disabilities Act which was never intended to be a privacy and confidentiality law, it's a nondiscrimination law, but in preventing discrimination against individuals with disabilities Congress felt that it needed to control the amount of information and the timing of the information that employers had access to.

So what was created was a three stage process and at the pre-employment stage when you just walk in and say I'm here, I heard you're looking to hire law professors, the employer is not permitted to make any pre-employment inquiries as to whether you have a disability or the nature of your disability, whether you've filed worker's compensation claims, etc. in the past. However, after a conditional offer of employment, after the employer says you look terrific, your resume is great, your references check out, I'm prepared to make you an offer to start the 1st of March contingent on your getting a satisfactory report on your medical examination, these post offer medical examinations or pre-placement examinations are authorized by the statute and they may be of unlimited scope regardless of the medical condition of the individual, regardless of the nature of the job for which the individual applies, and significantly they may require as part of that the release, or now we call it authorization, to release all of the individual's medical records. By contrast medical examinations of current employees must be either job related and consistent with business necessity or voluntary.

So the result of that is that post offer genetic testing is not prohibited by the ADA. Post offer access to all health information is not prohibited by the ADA. And for reasons that you can either trust me on or defer to later because it's complicated, genetic predisposition is not a disability under the ADA.

Now since the Human Genome Project, I wouldn't trust me either but I'll just save that for now, since the Human Genome Project began in 1990 32 states have enacted laws that purport to prohibit genetic discrimination in employment. These laws address number one and number three above but not number two, which I'm going to go back to and fill in. Number one being that post offer genetic testing is now prohibited by these state laws, genetic predisposition which is variously defined is now considered to be a disability or to otherwise violate the law, but these laws, these 32 state laws, do not address the issue of post offer access to all health information. As a result, and I believe that Professor Suter will address this, many people decline genetic testing because they are concerned that employers can have access to the results. Our surveys have shown consistently that approximately 75 percent of people would be reluctant to undergo genetic testing if their employer or insurer could get access to the information.

So is there an alternative? Well, two states have enacted laws that say that, and those states are Minnesota and California, that employers may obtain access only to medical information that is job related and bears on the current ability of the individual to perform essential job related functions. This is the standard for current employees but what California and Minnesota have done is they have now applied that to all stages of the employment relationship. Notice that in attempting to regulate the flow of information the statutes don't focus on genetics at all and therefore avoid that difficult definitional problem, the assumption being that in virtually every situation genetic information about future risks will not be job related and therefore if we restrict the information only to job related matters you've now washed out the genetics problem.

But here is the problem, even in states such as California and Minnesota there is currently no technologically or economically feasible way to separate job related from non-job related health information and I would add parenthetically genetic from non-genetic information and therefore health care providers routinely send everything even where hospitals and other providers get requests for limited information if it's not easily segregated, that is can you send me Joe's records from the last year, they send everything because it would take hours of time, be very expensive, and cause a nationwide white out shortage if the hospitals were in the position of having to redact medical records before they sent them to insurers and employers.

However we have a unique opportunity I think at this point, electronic health record architecture could be developed to facilitate this limited access, that is you can't do it feasibly with a paper record but with an electronic record if it were designed with enough fields built in so you could isolate diagnoses, isolate the nature of the service provider, isolate the nature of the services provided, etc., it would be difficult but it can be done I think, having talked to a variety of health informatics people, if you could create such a record you could promote a system where limited access were feasible. However, there are no efforts underway either within the department or at other institutions that I'm aware of.

Health insurance I'll just go through very briefly, we're not going to talk about health insurance in today's hearing but it certainly has been a fertile area of legislation. Since 1990 at least 43 states have enacted laws prohibiting genetic discrimination in health insurance, they don't apply to employer sponsored group health plans where 85 to 90 percent of people get their coverage. Fortunately another provision of HIPAA does, that regulates a group health insurance offered through employers, and the reason that state genetic nondiscrimination laws in health insurance are ineffective is that they apply only to people who are asymptomatic.

So if you apply for an individual life, sorry, an individual health insurance policy, and you have a genetic test that shows you're at increased risk of breast cancer or colon cancer or something in the future, it's unlawful in those 43 states to deny you an individual health insurance policy. But six months from now or next year when you get breast cancer or colon cancer or whatever that condition was depending on state law they may be able to deny renewal of your policy, or to increase your rates to rates that are no longer affordable.

So the issue then becomes well why should we focus on genetics, should they be able to deny coverage to anyone who is in bad health or at a high risk? And the question soon becomes it's not an insurance issue, it's not a genetics issue, it's a health care system issue, who should have a right of access to health care. And I think that prohibiting commercial health insurers from "discriminating" against individuals who are sick or more likely to get sick would change the nature of health insurance and it would no longer be insurance, it would be some sort of privately administered entitlement program or privately administered group insurance scheme, which may be defensible but it's not certainly possible within our current framework.

So I have the following four conclusions for you. Number one, HIPAA established security and fair health information practices to protect against unauthorized access to health information. Number two, measures to prohibit genetic discrimination are ineffective because they focus on procedural matters rather than substantive issues such as the relative right of employers and employees and the right of access to health insurance. Number three, there can be no effective protection of health privacy and confidentiality without focusing on the compelled authorized access to health information. And number four, measures to limit third party access to certain health information could be embedded in new electronic health records but no efforts are being taken at the moment to do so.

So I thank you for your indulgence and I think that perhaps you might have a question or two later.

DR. HARDING: We will and after each presentation we'll have a period of open discussion and questions and I'm looking forward to that.

The next speaker is Professor Sonia Suter, welcome, from George Washington University. Welcome.

Agenda Item: Introduction - Panel 1 - Ms. Suter

MS. SUTER: Thank you. Good morning, thank you for inviting me to testify today. I think the NCVHS and the Privacy Subcommittee have addressed a number of important issues and I'm pleased to be part of your discussion today about third party disclosure or access to health information and I'm going to be focusing on issues in the genetics context.

Let me give you some background, let me start with an overview of what I want to talk about today. I want to briefly tell you about my background and why it is that I'm focusing on genetics issues. I'll talk briefly about the value of privacy and some general approaches to protecting personal information. And then I'm going to be focusing on some of what Professor Rothstein addressed just a moment ago about concerns of third parties tying benefits to the authorized release of health information using genetics as a case study to describe some of the actual harmful health effects that result from the ability of third parties to retrieve this information. And then I'll conclude by describing some of the legislative approaches and needs for further legislation.

My interest in genetics comes from the fact that I did graduate work in human genetics in the research context and then I moved over to clinical genetics as a genetic counselor, so I worked with obstetric and pediatric patients in genetics. Just as I was leaving genetic counseling late onset genetic testing was becoming increasingly possible, that is testing for conditions that will develop later in life and this is where people have become extremely concerned about genetic discrimination who are currently healthy but have an increased risk of some genetic disease. So when I became a law professor I had the opportunity to look at these issues from the ethical and legal perspective in my writings on genetics and the law and bioethics.

Now why is health information privacy important? As Professor Rothstein noted there's intrinsic value and what he calls consequential or extrinsic value. I described intrinsic value as honoring the ability to control information or access to oneself, autonomy interests, and it's based on the idea of respecting the individual. But there's also extrinsic value and I'll be looking at this more closely shortly, it protects, or at least we hope it protects against discrimination and Professor Rothstein is right to point out that there are a number of definitions of discrimination and I don't attempt in this talk to narrow my definition here but uses of the information that we find problematic. It can build trust in the medical relationship and increase patient care, and it encourages participation in research.

Now there are some general approaches to protecting personal information. The first one that I think most people think of as privacy protections is to protect against unauthorized access to one's information. But I think we're also concerned about protecting against particular uses and particular users of our health information, what I call nondiscrimination. The benefits of the privacy approach are that it honors this control that we see in privacy, it gives people at least theoretically the opportunity to decide who will receive their information and under what circumstances. So it theoretically keeps information from getting in the wrong hands as defined by the possessor of this information. Nondiscrimination protections can focus on the harms that we really worry about and so we can draft laws defining discrimination in the ways that we see fit.

But there are limitations to these two approaches, both of the approaches together or individually do not prevent third parties as Professor Rothstein pointed out from making disclosure of information a condition of some benefit so an insurer could say there may be laws against my discriminating based on your genetic information and there may be requirements that you authorize my access to your information. But please hand it over anyway as a condition of your receiving insurance coverage, I know I can't discriminate but sign the form.

Now the concerns regarding this compulsory disclosure are several, there's the concern that it becomes coercive, that we really don't have the full control over our information that the privacy statutes supposedly give us. There's another concern that once these third parties have this information it's hard to prove whether they're using the information for discriminatory purposes or not. So perhaps they decide that they're not going to cover certain kinds of medication treatments and they say no it's not because we saw that you were at risk of Huntington's Disease, that's just our policy, how do you prove that it was actually a discriminatory use of the information.

What I'm going to focus on primarily today though is the negative effects that this third party access can have in the area of individual health care, research, and public health. I want to point out although I'm focusing on genetics that our concerns regarding third party access to information cover a broad spectrum of health information, cancer, HIV/AIDS, sexually transmitted diseases, mental health information, reproductive health history, etc. I'm focusing on genetics information today though as one example of sensitive information.

There's been a great deal that's been written on why genetic information is so sensitive, it's predictive, it can tell us about people's increased risks to inherited forms of cancer, to various neurological diseases, etc. It can be stigmatizing, people may choose not to marry somebody because of their increased risks of various diseases, and of course it can be the basis of discrimination by employers, insurers, adoption agencies, financial institutions, etc.

Genetic information is also uniquely personal, the genetic information that each of us possesses is unique to each one of us and it's information that people think is highly personal whether or not it will be used as a basis of discrimination. It's also identifying information, we can use genetic tests to identify tissue samples from one person as opposed to another. And it reveals information about family members because we share much of our genetic information with our blood relatives.

Now what are the concerns regarding third party access to genetic information? One is, one of the primary concerns is the fear of discrimination in this area and there are a lot of reasons why people are so concerned about genetic discrimination. We have an unfortunate history of abuses in the area of genetics, there was a strong eugenics movement in this country and in others. Even in the '70s there was discrimination based on sickle cell testing, and several studies beginning in the early '90s have suggested that there are incidents of genetic discrimination today and the studies have focused primarily on the employment and insurance context. As a result of these studies there's been a great deal of media attention to genetic discrimination and the popular culture reflects our fears in movies like GATTACA.

The data suggests that the fear of discrimination, that the risks of discrimination have affected individual health care, research, and public health. Before I tell you about the details there let me give you some background about the studies on genetic discrimination. Probably the seminal study and the one most widely cited is a study that was conducted by Dr. Billings and others, Dr. Billings will be testifying later today, and in this study they solicited responses from over 1,000 genetics professionals and genetic disease associations. And after soliciting responses they found and documented 32 incidents of employment discrimination and seven incidents of insurance discrimination. And some of the incidents were rather unfortunate and disturbing to the public and received a great deal of attention by the media.

A study four years later surveyed a number of individuals at risk for genetic conditions and out of 917 responses found 455 cases of discrimination. Another study interviewed or surveyed members of genetic support groups and found that either the respondents or family members had experienced a fairly high incidence of discrimination, 25 percent were denied life insurance, 22 percent were denied health insurance, and 13 percent were denied or lost employment.

Now there have been other studies that suggest that genetic discrimination is not so prevalent. One study found that only seven out of over 2,000 surveyed employers actually conducted genetic tests. Of course this doesn't tell us whether they're using genetic information from other sources for employment decisions.

One of the most rigorous recent studies is a study conducted by Mark Hall in which he interviewed genetic counselors, insurance agents, insurance regulators, and insurers themselves and found that although many people had heard about genetic discrimination they couldn't actually describe actual incidents of genetic discrimination in health insurance and he concluded that there was actually very little or non-existent discrimination in this context.

Now the studies that suggested genetic discrimination was so prevalent have been criticized as not necessarily giving us a very good understanding of how prevalent genetic discrimination actually is. Many of the accounts are anecdotal, the results depend on self reporting, the sampling is not random, and there is often a very small response rate. There are also differing definitions of what we mean by genetic discrimination. Are we discriminating based on pre-symptomatic genetic information, in other words a genetic test result that indicates that somebody is at an increased risk of a disease that they don't yet have, or does genetic discrimination mean discrimination based on susceptibility to a disease as well as actually having a genetic disease. And this is where we have to come to some agreement about whether we think both kinds of discrimination are problematic or just one of them.

But whether or not genetic discrimination is prevalent today I think it's fair to say that it's a very real and potential risk in the future. One study showed that most surveyed life insurance companies are interested in knowing about genetic testing results and I think most life insurers would want to know the results of genetic tests that an individual applicant has taken. Most insurance commissioners thought that insurers had a right to request genetic tests and I'm sure that most insurers would also believe they had a right to that.

Health insurers, a significant number of them, half to two thirds in Professor Hall's study said that they would like to use predictive genetic information if they were allowed to. And I think his last finding is probably the most important one, many health insurers believe genetic information will be more precise and therefore relevant to underwriting in the future.

So I think we can conclude that as the cost of genetic tests decrease and as their accuracy increases third party interest in genetic tests will increase. How big a concern discrimination will be in the future we don't know but the interest will increase.

What I think is most important is the public perception, whether discrimination is rampant today or will be in the future, the public strongly perceives it to be a real risk and this has affected the public's behavior in important ways. There is a great deal of fear of third party access to genetic information, a majority of individuals want to prevent insurers from accessing their genetic information. 75 percent of polled Americans wanted to prevent this access and 83 percent of members of genetic support groups did not want insurers to access their genetic information. The desire to prevent employer access to genetic information is even greater, 85 percent of polled Americans and 87 percent of surveyed support group members.

What is interesting is that there is not only a desire to avoid access but there have been cases of actual refusal to disclose this information to third parties. So 18 percent of genetic support group members refuse to reveal genetic information to insurers and 17 percent refuse to reveal that information to their employers.

In the area of genetic research because of these concerns we've seen some real effects. Francis Collins has testified that nearly one third of women at high risk for breast cancer or ovarian cancer refused to participate in a genetic study and other researchers have had this experience. Because of concerns of discrimination researchers often warn participants not to share their genetic test results with their physicians and/or to keep the genetic test results out of their medical record.

But I think what concerns people the most is how fears of discrimination may lead to people refusing to actually undergo genetic testing. Now I want to begin by emphasizing that genetic testing is not always appropriate for everyone, we don't necessarily want the entire population to undergo genetic testing even if at risk for an inherited condition. Whether or not to undergo genetic testing should be an informed decision by the individual based on their personal values but I think we would hope that the decision isn't based on fears of discrimination but based on other, based on personal values.

Now there's strong evidence that there's a theoretical refusal to undergo genetic testing, one study found that 63 percent of individuals probably or definitely would not undergo genetic testing if third parties could access their results. But what's even more troubling are the data suggesting that there is actual refusal to undergo genetic testing. One study found that nine percent of surveyed genetic support group members actually refused genetic testing for fear of discrimination. Another study and anecdotal accounts have shown that roughly one third of people offered testing, these are at risk individuals for colon or breast cancer, refused again for fear of discrimination.

Another study found that 43 percent of women at risk for inherited breast cancer refused genetic testing. Now there are many good reasons why they may refuse that testing but the unfortunate data is that 84 percent of the refusals were based on fears of discrimination which are not the reasons we want people to be refusing testing.

Even more troubling is that some individuals are refusing the actual genetic counseling let alone testing for fear of health insurance discrimination. One study found that it was the most prevalent reason to avoid cancer genetic counseling services. And this is disturbing because it means people aren't even getting in the door to talk to genetic counselors about the benefits and risks of genetic testing, they're not even getting the important information to make this decision.

It's interesting to look at the attitudes of genetic professionals. We see a fairly high percentage of genetic professionals who would actually like to have genetic testing for inherited cancers, 85 percent would be tested if at risk for breast cancer and 91 percent for colon cancer, not surprising since they're in a profession that offers genetic testing. But what is interesting is that 68 percent wouldn't want to bill their charges to their insurer for fear of discrimination and 26 percent would want to use an alias. Although 82 percent would share their results with physicians many of them would not want their results recorded in their medical record.

One interesting approach to this problem has been anonymous testing and there are differing percentages of patients who are interested in anonymous testing. One center in Cleveland that offers anonymous testing found that one in five patients who were seeking testing for Huntington's Disease, late onset neurological disease, wanted to do so anonymously. Another clinic that does not offer anonymous genetic testing found that only four percent of patients requested such testing. And my genetic counseling friends who work in the area of adult genetics find that there are frequently requests to use aliases when undergoing genetic testing.

Some people have suggested that anonymous testing is a good way for dealing with concerns about third party access to genetic information but there are concerns. A number of genetic counselors think that it inhibits good genetic counseling. Genetic counseling involves not only getting test results from an individual but collecting a wealth of information about the individual and their family history, it requires reviewing medical records of the patient and medical records of family members. It also requires a confirmation of diagnosis in affected family members. And if counselors are trying to anonymize all of the records it becomes next to impossible to get all of this data.

Professor Rothstein has suggested that anonymous testing encourages fraud because it implicitly suggests to patients come on in, we'll give you the information, but let's keep it hidden so that you can then lie to your insurer if they ask if you've ever had genetic testing. That's not necessarily what's intended but there is that possibility of that implicit message.

There's also a concern that it limits testing to those with the financial resources, obviously your insurer is not going to be paying for your tests if you're doing so anonymously and only the most wealthy can afford tests that can be fairly expensive.

So the summary of the effects of fears of third party access to genetic information. There are a number of effects with respect to individual health care. Physicians may not have full information to offer proper care to patients if patients don't disclose results. Obviously if people aren't getting tested for conditions for which there's some kind of preventive measure, for various cancers for example, then it's difficult to prevent or ameliorate disease, that can lead to premature death. There's also a concern that family members may not learn about their own risks and therefore may not get the counseling and testing that they would seek.

And we worry about patients not getting counseling in the first place because they don't learn about the risks that they face and what their options are. If people aren't participating in research obviously there's effects on research, we may not be able to study certain diseases if there aren't enough participants, and we may end up with potentially skewed data. There are public health effects as well, not all populations may be represented in studies, the Ashkenazi Jewish population has expressed a great deal of concern about discrimination against their ethnic group because there have been findings that a number of mutations are associated with that population. If they don't participate in research we don't have well represented data. Poor data affect our ability to educate the population and obviously if a lot of people are not getting adequate health care that's a public health concern.

So the solution is to protect authorization of access to information, to require authorization, to protect against particular uses of information, nondiscrimination, and to prohibit benefits from being conditioned on the receipt of genetic information.

Since I'm short on time I will briefly go over the state legislation, Professor Rothstein pointed out that we have privacy legislation in 29 states and nondiscrimination in 32 states in the employment context and in different numbers with respect to health insurance, life insurance, disability and long term care. But some of the states are trying to prohibit this third party collection by not allowing employers or insurers to actually request the genetic information or to require the genetic information or to perform genetic tests. This is one way of trying to deal with that third prong of protection.

Federal law, we still don't have federal law in genetics and we have the HIPAA privacy rules which cover a few aspects of genetic discrimination. So the goal here is uniform federal prohibitions of unauthorized access to health information, we have that to some extent with HIPAA. To have uniform federal prohibitions of discriminatory uses of health information, however we define that. And this is a bit too broad but prohibitions against compulsory disclosure of health information by third parties as a condition of benefits. That obviously needs to be nuanced because third parties will need some amount of information but I think this is a goal that we should be working toward in the legislation area.

Thank you.

DR. HARDING: Thank you very much. For those on the internet we are running about 15 minutes behind, this panel will be concluding at 10:15 and then the next panel beginning at 10:30, 15 minutes later than was in the original schedule.

We're pleased to have Professor Swire back with the National Committee on Vital and Health Statistics after a several year hiatus, we're delighted that you're here and look forward to your presentation. Thank you Professor Swire.

Agenda Item: Introduction - Panel 1 - M. Swire

MR. SWIRE: Good morning and thank you for that welcome. Just one comment on Professor Suter's presentation, one place that pulls together a lot of information on the benefits of health privacy and confidentiality including getting people into the health system is in the proposed and final HIPAA rule, there was a regulatory impact analysis which is quite lengthy, over 100 pages, and it has quite a bit of data on that subject.

I'm going to be focusing on the topic that Professor Rothstein asked me to focus on, which is the sharing of medical records pursuant to an authorization. In my talk I'll briefly describe my background and I'll discuss the history of HIPAA as it relates to these authorizations. I'll talk about what I'm describing as the non-coercion rule in the HIPAA privacy rule for providers and other covered entities and point out that there's no similar rule for other entities such as employers or insurers. And then at the end I'll talk a little bit about the FACT Act which has a series of new non-coercion provisions that apply to financial institutions and might prove helpful as we're considering more broadly how to use medical data.

Today's themes, I have three themes, a great deal of the sharing with third parties with an authorization are to third parties who are not covered entities, and for these non-covered entities the HIPAA process simply didn't address what public policy is appropriate where an authorization exists, it wasn't part of the HIPAA, that lengthy HIPAA process that many of you participated in. And so this committee has an important role to play in addressing the public policy issues about sharing with third parties pursuant to an authorization.

My background includes the fact that from 1999 to the beginning of 2001 I was the chief counselor for privacy in the Office of Management and Budget. In that role I had the great pleasure some days of being a coordinator for the proposed HIPAA privacy rule in 1999 and for the final rule that issued in 2000, in December of 2000. Many of you know that Gary Claxton was my counterpart within HHS as we were working so hard on this rule.

I'm currently a professor at the Moritz College of Law at the Ohio State University, I live here in the D.C. area and am a director of the D.C. program, internship program, and we're always looking for internships for students for the summer, so volunteers are welcome. Since 2001 I've also been a consultant in the law firm of Morrison & Foerster working quite a bit on practical client issues connected to health information and so have that government perspective, academic and practical perspective. I've also worked quite a bit with the Markle Foundation on their Connecting for Health initiative, testified in front of part of this committee in connection with that, and that involves electronic medical records that go beyond the payment records that are most focused on in HIPAA.

So let's look at the history of HIPAA as it applies to these authorizations because as Professor Rothstein said there's certain things included and certain things not included and the history helps explain why. Back in '96 it wasn't called HIPAA with two PPs or two AAs, however you spell it, it was called the Kennedy-Kassebaum bill. And this was a very high profile bill that was all about preexisting medical conditions and whether or not if you had a problem like that you could move to a new job. And that was about 99.5 percent of the public debate that year.

And industry during the political debate said gee, this is an unfunded mandate, it's expensive on us, we're industry, we're going to have to hire all these people who are going to cost us money in the health insurance system, please Congress give us something good. And Congress tried to give them something good, they gave them the transaction and code set rule. And that was good because there were literally thousands of payment formats for people passing around payment information and today that's been reduced to fewer than ten, which is really good, I've worked with clients who had over 2,000 payment formats in the old days and it's a whole lot easier to run their systems today in many respects.

But then Congress and various people said if we're going to make medical transactions become electronic for all these payment purposes, all these transactions, all these electronic records are going to be zipping around, what about privacy, what about security, we ought to do that too. And that's how HIPAA privacy happened, it was preexisting conditions which became transaction and code set which became security and privacy with relatively little idea of what the HIPAA privacy rule would become.

So where did HIPAA privacy come from? Well, Congress had tried going back to the ‘70s to write a medical privacy statute and in 1996 they tried to write the statute and they didn't come close. So they set themselves a deadline because we know deadlines force action, and the deadline said Congress has to write medical privacy law by August 1999 or else horror of horrors HHS is going to have to do it for them. And of course there's a political dimension because you had a Republican Congress that was going to have Democrats write a rule. But even with that enormous carrot in front of the Congress they couldn't pass a law, it was very contentious in Congress and not even a subcommittee passed a medical privacy statute so HHS was given the job of writing the rule.

The proposed privacy rule came out in October 1999, just two months after HHS had the power to work in this area. There was a moderate amount of public comments, 52,000 rolled in by February, and that reflects the fact that this is a big deal, it was 14 percent, my latest figures show 15 percent of gross domestic product involved in health care, there are many, many, many stakeholders and so as we were trying to write this privacy rule we were trying to have a workable regime, and that's important to how the authorizations part came out. There was a 70 person team from 15 agencies to review those comments and respond to them, a final rule issued in December of 2000.

That winter in 2001 there were calls to cancel the rule, there were lots of additional comments on whether to do that, 24,000, and then to many people's surprise President Bush in a White House meeting overruled from my understanding Secretary Thompson and also his own staff and decided to keep the HIPAA privacy rule. That led to the August 2002 revised final rule, there were not important changes in authorizations, the topic that I'm talking about, there were changes on marketing some other issues, but much of the HIPAA privacy rule went into effect in April 2003.

Okay, so the focus today is what I'm calling the non-coercion rule, coercion in connection, requirements in connection with authorizations, so outside of this scope are all the section 512 disclosures in HIPAA, such as research and law enforcement, they don't require the same kind of authorizations, that's not our topic.

The general rule for our topic is if there's a valid HIPAA authorization with all the right magic words in it that permits disclosure to third parties and the data flows from the covered entities out to the rest of the world with that authorization. But section 508(a)(4) of the HIPAA privacy rule, this non-coercion rule is what I'm going to call it today, does exist with respect to covered entities and authorizations.

And here's what it says, it says a covered entity may not condition the provision to an individual of treatment, payment, etc., cannot condition that on the provision of an authorization. And here's the logic, here's the easy sell politically, so you have the patient who's being rolled in on the gurney to the ER and the person is saying sure, we'll treat you, but just sign this form that lets us use your information for marketing and all other purposes. And there was some idea that that wasn't a truly voluntary moment, right, by the individual, they're being rolled in on the gurney, they're in pain, they want to get health care but no, no, no, let us market to you for the rest of your natural life with all your health care records. And so with that as the sort of vivid image we have this rule, covered entities can't condition these things on getting an authorization.

Now this provision in my experience has been widely accepted and has not been controversial, I have not seen calls to repeal this, this has been just part of the woodwork, part of HIPAA. Maybe some of you have seen otherwise but basically you can't condition treatment and payment, etc.

One reason it hasn't been controversial is that there's some important exceptions in the HIPAA rule, so if you're going to participate in a clinical research trial then the data can be used for research, otherwise it doesn't really make sense to get into that trial. There's an important exception for eligibility for a health plan that's somewhat complicated but basically enrollment for a health plan has not been taken over by this non-coercion provision. If protected health information is created specifically for a third party, like a fitness exam for an employer, then it can be given to that third party. And these illustrate I think, these exceptions illustrate the need for practical exceptions that have to be thought about where we should permit the authorization to be required, there's some instances where the thing only makes sense with an authorization and disclosure to third party and so there's work to be done if we're going to do the substantive job to think about the exceptions.

What's the scope of this rule, the section 508 rule? As all of you HIPAA aficionados know it applies only to covered entities. Why is that? Because the statute applies only to covered entities, that was the group that could be governed by the privacy rule, if HHS had tried to go broader than that it would have been a simple result, it would have been struck down in the court of appeals. And so in order to have an effective legal rule it applies to covered entities with a little business associates on the side.

So the implication for today's talk is HIPAA didn't consider whether these authorizations should be enough for employers or for insurers. There was no real policy process to date about what is good policy for these other recipients that get it subject to an authorization, it wasn't part of the HIPAA process.

Briefly on employers, HIPAA allows an employer to condition employment on giving authorization, there's nothing in HIPAA that limits the employer saying give me all your medical records or you're fired. And that's because we didn't have any statutory authority in HIPAA to talk about employers.

Now in California, I am told because I didn't go and do the good legal research but Professor Rothstein has done it fortunately, there's stricter state laws in Minnesota and California. Importantly in the European Union it's pretty much a blanket rule that employment relationships it's not considered voluntary, if you're an employer in Europe and you say give up your privacy so that I can see these records the basic rule for the data protection regime is that's not voluntary, you can't condition the employment relationship on giving up privacy, including for instance in France emails that you do at work cannot typically be looked at by the employer for many purposes. And so many people I think would agree it's not really voluntary when the employer tells employees they must turn over their medical records, let's say every week, as a condition of employment.

Now when we think about coercion and employers I think employers do have legitimate interests in testing for fitness for duty, can this worker lift this weight, are they going to be harmed, are they going to be able to effectively do the job. The easiest thing to think of, somebody has to lift 75 pound packages, can they lift them. But there's a possible distinction, the distinction that's in the California and Minnesota laws, could lead to limits on authorizations that go beyond the scope of what the employers need for fitness or other important workplace purposes. Basically if you need it to run the employment place then you get it, if you don't you don't get it, that's the basic distinction that I think the law would push to if you're going to regulate in this area.

Now let me talk about another place where this is currently, this non-coercion idea is currently being hotly fought here in this very town, but where probably most of the people here haven't been watching as much. So the Fair Credit Reporting Act was updated in 2003, it's called the FACT Act. They had a nice acronym but I forget it at the moment but these are facts in your credit histories, wonderful town. Anyway, section 411 of the FACT Act prohibits obtaining or using medical information in connection with the granting of credit. This is a very broad, very strict rule as written that prohibits obtaining or using medical information in connection with the granting of credit broadly understood. Even an authorization by an individual borrower is not good enough and this is a version of the non-coercion rule, it's a federal statute now.

Based on my participation with the Hill and agency staff that this has been going through, here's the rationale, here's what happened, use this kind of information so that's why it was okay to prohibit such a use. And there was a political consensus that medical data shouldn't be used for financial underwriting, so that was our sort of good government, everyone sort of had consensus that we shouldn't do this.

Now what I want to say in a theme in all of these things is there's a need for exceptions, if you're going to prohibit authorizations sometimes I think you're going to need them. And in practice a flat prohibition raises important problems, here's one example that's being debated right now by the federal regulatory agencies, the financial agencies. What about a lender who wants to finance elective surgery, $2,000, $5,000, $10,000 dollars or whatever, so if I'm a lender I'm going to make the loan. Well, I'd like to find out as part of that whether the surgery was ever performed. Right, that's just like an important anti-fraud thing, otherwise I'm writing this $10,000 dollar check to the borrower and I don't know if they used it for it or whether they're taking it to go off on a vacation somewhere. Well, that is getting medical information in the provision of credit, and under the plain terms of the FACT Act that's prohibited. So the agencies are trying to write a reg right now that will allow it when it makes sense but not allow it otherwise.

There was a Federal Register Notice of Proposed Rule on April 28, 2004, the agencies are still stuck on this and what other exceptions to do and they're fighting it out.

Okay, my concluding thoughts, sort of charge to the committee or ideas for you to think about what to do here. Do not assume that the HIPAA policy process, all those endless meetings, do not assume that the HIPAA policy process worked out the issues of when an authorization is good enough. The HIPAA provision only applies to HIPAA covered entities so when it talks about disclosure to everyone else we didn't have those debates, we didn't have all the stakeholders in the room and nuanced discussions of what to do. There's been no systematic process to date to consider other situations where authorizations are good enough or not good enough. When they're not covered entities we just haven't had those discussions. There's been the genetic issues that Professor Suter has talked about, there's the FACT Act for some of these lending sorts of things, but as a general matter we haven't had the public debate.

There likely are additional situations where the authorization isn't really voluntary, probably a lot of workplace settings are not really voluntary in the eyes of most of the people who participate there. And I think it's an important thing to look for those situations and I commend Professor Rothstein for helping get this debate going.

I would say it's important to recognize the need for practical exceptions. There's at least two important reasons to do the homework on the exception side. One reason is it's good government policy, right, there's some things like having lending for the surgery where you want to have the data flow. And the second is if you don't have the exceptions there's a simple prediction of what will happen, the rule will never become law, all the people who need to have, who have practical reasons to use the data for valid things will stop it in the lobbying process. So for good government and for practical politics reasons figure out the exceptions and figure out when the authorizations are good or not good.

And that's the importance of today's hearing and your continuing work and I thank you for asking me to come speak with you.

Thanks.

DR. HARDING: Thank you very much all three for excellent testimony and we have some time for questions and comments and we'll start with Mr. Houston.

MR. HOUSTON: Thank you very much. I thought this was very interesting and I think as genetic testing becomes more mainstream and important in the diagnosis and treatment of individuals I think the whole issue of how do you deal with the privacy of information and how do you deal with information, well, the use of genetic information and anonymization even of data is going to be more of a sticky issue. Obviously if you take the individual identifiers out of a medical record today, the record is anonymized, I think now that we have genetic information and as testing becomes more and more commonplace how do you de-identify that information also but that's sort of a topic for another day.

I do have a couple of questions though and I guess the first one is as it relates to insurance. I have a fundamental problem insofar as an individual has the right to decide whether he or she wants to pursue getting insurance or at least, well, health insurance obviously is very important but just say we limit the discussion to life insurance. And if somebody has a genetic condition that predisposes them to die at an early age will they be more likely to pursue getting life insurance because they know that they're going to likely die at an early age. And isn't it then fair for the insurance companies to say if there's a, if people are more likely to pursue insurance if they know they're going to die early shouldn't we have some right to know that information, that's really my first question.

And my second question is have there ever been any studies that indicate that there is actually some impact on the workforce when employers do do pre-employment screenings? Is there any outcome? Is the workforce then an employer who does pre-employment screenings, medical screenings, is that workforce a better workforce versus one where the employers just simply decided to forego medical screening? I mean is there any impact actually in the workforce and is that sort of a non-issue for that? Or is it an issue?

MR. ROTHSTEIN: Let me see if I can answer your questions, the first one on insurance, it's very important to distinguish the different types of insurance products because the method of underwriting and the social impact of those product lines are quite different. So you need to separate health, life, disability, long term care, etc., etc. Now your question in the life insurance context is a legitimate one and there have been many studies on the issue of what might happen if individuals knew they were at higher risk, would they go out and buy life insurance policies or increase the amounts and so on. And in fact I have a book that I would commend for your reading on the issue of genetics and life insurance. But the answer to your question is yes, of course life insurance companies have an interest based on the way our current system works. Now there are other life insurance models in other countries but the way our current life insurance system is structured where it is mostly an individual product they would have an interest in obtaining this information but it's much more complicated than that. And we do have a panel this afternoon on life insurance where we have some experts from the industry who can address those questions.

The other part that you asked has to do with employment, and medical examinations by companies tend to depend on two factors, the size of the company, larger companies are more likely to do them, and the type of work involved, whether it's hazardous exposure or strenuous work. And some large employers are required by law to give medical examinations, if you think of transportation employees and so forth, but in other industries it's interesting, there have been studies showing that not using medical screening is just as effective, or using a questionnaire, as conducting medical examinations in certain industries. But it's been a tradition and it's just very widespread.

MS. SUTER: Can I follow up? In the context of life insurance I think you're right, the public doesn't view it quite the same way as health insurance and so you see a lot less legislation prohibiting life insurance discrimination and as I rushed through my last slides I didn't point out that although there's 16 states prohibiting life insurance discrimination in the context of genetics seven of the states allow discrimination if actuarially justified. So getting to what we mean by discrimination they're saying you can make distinctions as long as there's an actuarial basis. Not everybody wants that, some people think it shouldn't be used at all, and that gets to as Professor Rothstein pointed out how we construe life insurance and its purpose. Is it a right, is it a necessity, is it a luxury?

And I think one approach to take would be to say that small amounts of life insurance maybe if not a necessity something very valuable and important to people, but if you're looking for huge policies maybe we do want some actuarially based underwriting. You can make distinctions on that basis. But it's obviously a big policy issue of what we mean by life insurance and what its goals should be.

MR. SWIRE: Just two sentences. When HIV was a newly emerging disease there was a big issue of whether people could buy, who had been diagnosed with HIV could buy life insurance. And the risk of adverse selection is enormous there and eventually after there was some legislation I think in D.C. passed that would allow it for a while, I think all that legislation got repealed because it was just too expensive to the system.

DR. HARDING: Mr. Blair.

MR. BLAIR: Are we, I thought I recalled some years back when there was the NPRM for privacy regs that it was still possible for an employer to go to the Medical Information Bureau of the insurance companies, or let's put it this way, to request, let me back up a sec. I'm trying to find out if we still have this exposure where someone would go to a company that's about to employ them and the employer would be able to say well, you're going to be covered by our health care insurance but before I employ you I want to check with the Medical Information Bureau to see if you have a preexisting condition and while the insurance companies and the Medical Information Bureau couldn't release the medical records they could indicate to the prospective employer that if you hire this individual it would affect, it would raise your group insurance rates which effectively is a way of achieving the same purpose, alerting the employer that there is a health problem with that particular individual. Is that still, is this situation still an exposure for an individual?

MR. ROTHSTEIN: Well, Jeff, it never was an exposure because the Medical Information Bureau is made up of insurance companies and they do not share that information with employers at all, it's only used for deciding the insurability of people who apply for insurance. Now before the ADA was enacted employers could use other kinds of sources to get information, not the MIB but other sources to try to predict whether somebody would be a high cost user and now that's illegal under the ADA.

That's why the ADA's provision is so sort of strange, after a conditional offer of employment an employer can get comprehensive unlimited medical information about individuals but if the employer revokes one of these conditional offers of employment it's illegal if the reason is for a non-job related medical reason. So the only legitimate reasons that an employer may withdraw this conditional offer of employment are one, it has nothing to do with medical at all, it's we've had a business down turn in the last two weeks or we had somebody better apply and we're revoking your offer, or there is a job related medical reason, your records demonstrate that you're going to die if you are exposed to this chemical because of some underlying condition you have. Those are the only two legitimate reasons, you can't refuse to hire somebody because you make the prediction that they are a high cost user or that they have even a family member who is going to be a high cost user.

Now your observation about the group plans is correct, for employers who purchase group plans you can't raise, because of another provision of HIPAA that we're not usually concerned about, you can't raise the rates of any individual in an employer sponsored group but the insurer based on claims experience could raise the rates for the group and therefore employers still have an incentive, depending on the size of the company, to exclude high cost users. But that's illegal, at least since 1990.

MR. BLAIR: That is illegal now?

MR. ROTHSTEIN: It is illegal, yes.

DR. HARDING: I have a question, a little bit about the policy issues that you all have raised. Whenever I speak on HIPAA I always ask people what does the P stand for and they always say privacy, always --

MR. ROTHSTEIN: Is that the first P or the second P?

DR. HARDING: You're implying that privacy received a little bit of shortchange in the process and that it doesn't --

MR. SWIRE: In '96, there's been some attention paid to it since.

DR. HARDING: Yes, yes, and we're delighted with that but there are still holes in that policy and that there are other issues that need to be addressed such as non-covered entities and so forth. What are your general thoughts of what you feel should happen at this time that would help the process? Or who would be the people to do that? Or what are some, you all have obviously had some thoughts about how to improve genetic protections and other protections, what kinds of things would you recommend just in large brushstrokes here as we proceed?

MR. SWIRE: That could be the subject of a multi-day conference obviously, how to redo health confidentiality broadly in the United States. I think that part of the focus of today's panel as I understood it is a pretty big chunk of its own which is for all those third parties who aren't covered entities are there situations where these authorizations aren't working well. And one big candidate is whether on the employment side there ought to be national standards that are closer to the California approach or the European approach. Another possibility is that for genetics or for insurance in various ways there's places where the authorizations are given in too required a way and lead to various bad results. I think in some ways those problems of non-covered entities, certain kinds of insurance companies that aren't HIPAA plans and those employers would probably be the two places where I've heard the most concerns, that it's just outside the framework and needs attention.

MS. SUTER: But I do think that there needs to be an inclusion of other possible third parties, I mean financial institutions might have interests, schools, I mean really to bring the stakeholders together to talk about what sorts of limitations, there's going to be an interesting debate about this because obviously they're going to say that their need for a great deal of information is great and the individuals are going to say it's small and trying to tease out those exceptions that I don't allow for in my conclusions, I just sort of broadly say there shouldn't be this coercive access. But there are going to be important exceptions and a policy debate that tries to sort also what our goals are with insurance for example because deciding what policy you're going to have is going to depend on what you think the purpose of insurance is, is it really insurance in the true sense of insurance or is it a way to allow people to get access to health care, to life insurance or whatever. So I think bringing in those third parties and thinking broadly about how the third parties might be as this information becomes more useful to third parties in the future.

MR. ROTHSTEIN: I think certainly the discussion all today, by the end of the day I think we should have a clear idea that the HIPAA law and its privacy rule really do not address the whole range of issues especially raised by these compelled authorizations and the fix is very complicated as I tried to suggest, it's more than procedural, it goes to the essence of who has a right to X, Y, or Z and on what basis is it going to be financed so that is clearly an issue. There is then the question of assuming we wanted to fix it legislatively or legally how would we do it, I think it's an interesting question based on Peter's talk, should HHS be so inclined to incorporate in the privacy rule amendments, some sort of FACT Act statement that you can't have these authorizations, arguably that's beyond the statutory authority of HHS in the current version of HIPAA, even if the agency were so inclined to do that.

So then the question becomes how are we going to do that and I want to make clear that even in California and Minnesota where they have tried to limit in the employment setting access by employers to non-job related information there is a very practical problem involving health information and the form that it's in that at the least I think we ought to put on the agenda for the health informatics initiative to make sure that whatever system we come up with has the capacity to segregate information so that we can make limited disclosures.

DR. HARDING: Well, thank you, with that comment we will take a 15 minute break, we'll thank Professor Rothstein, Suter and Swire for their testimony and look forward to the next panel on employment that will start at 10:30 this morning. Thank you.

[Brief break.]

MR. ROTHSTEIN: Thank you, everyone, and welcome back, we are now prepared to begin panel number two which is on the issue of employment and I want to welcome all of our three speakers and we are very much looking forward to your testimony and after each of you has an opportunity to give your remarks then we will have a question period at the end. And for those of you who are listening on the internet because of the way our schedule has been rearranged lunch will begin at noon today.

So our first panel member is Mr. Lewis Maltby.

Agenda item: Employment - Panel 2 - Mr. Maltby

MR. MALTBY: Thank you, Mark. I'm Lou Maltby, president of the National Workrights Institute. The Institute is a not for profit organization that is focused exclusively on the expansion of human rights in the context of the workplace, particularly the private sector. And that mission of the Institute reflects my own somewhat strange history, I began life as a lawyer, that's an interesting comment, in 1972 as a public defender, wanted to be part of the Warren Court Revolution, burned out after four years when I realized I wasn't emotionally cut out to deal with that kind of human trauma, took what I thought was a brief hiatus as the general counsel of what was then a small high tech corporation, and 12 years later woke up to find that I was the executive vice president as well as general counsel of what was now developing into a small multinational, of which I was the chair of the Japanese subsidiary.

Then turned 40, realized that as much as I liked being in this role what I really liked was the HR job, the director of HR happened to report to me in our convoluted corporate structure and I'd always been a civil libertarian and I was challenged by the idea of how can we run a corporation that makes a buck at the end of the year that doesn't make me feel like I have to put a bag over my head when I go to meetings for the American Civil Liberties Union Board of Pennsylvania.

And at that time I had been pushing the ACLU to expand its mandate to include the workplace, I finally succeeded, not alone of course, they set up a new department within the national office on civil liberties in the workplace and then executive director Ira Glasser came to me and said to me in essence, well you got us into this mess, we do want to do this, we don't want to make fools of ourselves, do you know anybody who's a good civil libertarian that knows something about the world of private sector management, and I said I thought you'd never ask, and I left the private sector to start up this new venture for the ACLU which five years ago spun off to become the Institute. So I happen to be the only civil rights lawyer that I know who spent most of his adult life as a senior exec in the private sector, which has come in exceedingly handy when it comes to trying to do what Peter says of thinking about how to come up with the exceptions and the nuances that you have to have to apply a good principle to the workplace and actually have it work in the real world and I thank you for inviting me here today.

If we're talking about the disclosure of medical information to third parties, the workplace is the number one issue because that is the most common source of disclosure for almost all of us. If you have a job bottom line is your employer has if not your entire medical history at least something very close to it. And that happens in two principal ways, the first is when you get the job the majority of people who apply for a job today have to go through a pre-employment medical examination, which doesn't mean just a 15 minute visit to the doctor, it also includes the review and disclosure of your entire medical history.

And the way that happens as Mark alluded to is this, once the employer has made a conditional job offer it can and will insist that as a condition of further consideration you have to sign a waiver that will authorize your doctor or doctors as the case may be to disclose every single medical fact about you since the day you were born if not conceived. It doesn't have to be job related, it doesn't have to be arguably job related, the employer doesn't even claim it's job related, everything comes out. Drug and alcohol, STD, abortions, vasectomy, psychiatric treatment, every personal painful thing about your past that you don't want anybody to know, you might not have even told your best friends, your boss is going to know. And as Mark said because we don't have a way of separating what's job relevant from what's not job relevant, even if employers were trying to do it right, it wouldn't work right.

And as if that weren't bad enough we also have disclosure of medical information in the claims administration process. Most employers today including relatively small employers are at least partially self insured which means employers are paying for some significant portion of your medical care. Now in most employers that process isn't handled in house, it's a specialty most people would subcontract to what's called a third party administrator. But eventually the TPA is going to come back to the employer and say we paid out $100,000 dollars in claims please replenish the fund, and someone in the employer is going to say okay, I'm sure that's true, we have to verify this, show me the claims you've paid, who did you pay this claim for and what was the medical treatment that you paid for. Now everything that's happened to you pretty much since the day you were hired is in the hands of your employer.

Now to some extent that's unavoidable and perhaps it wouldn't be too bad if the information stayed in the hands of the physician who looked at your pre-employment history, ostensibly and probably truly to see if you could do the job, and if the information stayed in the hands of the internal person in the accounting or HR department who checked the TPA records to make sure. There's only two people involved or maybe a handful of people and perhaps that's not so bad. But it doesn't stay there, that's the problem. For one thing these people are only human and if you find out that someone's got an STD or somebody had an abortion or somebody is being treated for depression because their wife or their mother died it's sad but true that people just gossip. And they particularly gossip if there's nothing restraining them from gossip.

Now there may be some debate about this, Peter Swire gave me some information literally as I was coming up that we should be talking about, but it's not clear that, it's my view at least and Mark and I have also discussed this, that there's any law broken if this person who was reviewing the records from the TPA happens to say something they shouldn't say in a company cafeteria the next day. And it does happen.

The other way information gets out, which I think is more of a concern, is compelled disclosure. After all health care costs are high, employers are desperate is not too strong a word to hold them down, and some senior executives may very well walk into the TPA liaison's office someday and say I want to see where all that money went. And if they see if one particular employee has cost the company $100,000 dollars because of cancer treatment, heart surgery, organ transplant, or something else, the employer has a very strong incentive to get rid of them.

I have been in corporate offices and seen that happen, I have seen high senior level executives walk in and tell the TPA, or perhaps an occupational health nurse or a physician who works for the company, I want to see the records. And that employee who has the records is an employee at will, if they don't disclose the records they're going to get fired. And what do you think they do? They protect their job and they give up the records. It happens.

There was very moving testimony by an occupational nurse named Joanne Gass(?) before a Senate committee not that long ago where she talked about being an occupational health care nurse at a corporation, she had sensitive information, a higher ranking executive came to her office and said I want to see the records, give me the keys to the file cabinet, she said no, I can't do that, it's against the code of ethics of my profession, they said give me the keys or you're fired, she didn't give them the keys and she got fired. And if you talk to the people, the occupational medical professions like the occupational health care nurses they will tell you this is a major concern for them. Their members are consistently coerced into disclosing information they know they shouldn't disclose but what choice do they have, they've got families to support and when push comes to shove they've got to save their jobs, you can't really blame them.

And to make this worse there really isn't any legal protection that's worthwhile and effective to prevent this kind of disclosure. We already talked about the ADA which never ceases to amaze me, as a former corporate general counsel I could never understand why if I were building a skyscraper and I wanted somebody to be walking out on eight inch wide girders 100 feet in the air and some guy comes in in a wheelchair and wants to apply for that job, I never understood why I can't ask him excuse me Mr. Smith, exactly how do you propose to do this, can't do that, never made any sense that I had to take him to a conditional job offer then have the doctor tell me that he couldn't do the job. And at the same time I never, never understood, it makes no sense why once you make the conditional job offer why can you get information that is clearly not job related, what sense does it make to allow an employer to collect information that they would break the law if they used.

And again, we can debate this and I'm sure Peter should chime in, but in my view there's no legal protection for the information in the hands of the occupational health care nurse or other medical professional who works for the corporation or that TPA administrator. It's clear that whatever protection there is under exceptions to employment at will for public policy is really not a consistent effective protection here.

Now Peter says there may be protection under HIPAA and when Mark and I discussed this yesterday that didn't come up, I think that's a subject we ought to discuss, but there are really two things that are clear. One thing is that the disclosure of information to employers in the hiring process ought to be restricted to what's relevant to the job. One could take a somewhat expansive definition of what's job relevant if you want to, that's not really the issue. The issue is the gynecological care, the psychiatric care, the care that is highly sensitive and not job related in any sense of the word that consistently gets revealed, that really ought to stop. And we need to determine if there is any legal protection for the person who is a corporate employee who's being pressured to give up information, to determine if there is legal protection for that and if not there really ought to be legal protection.

I could say a lot more but I don't want to use up more than my share of time and those are the two points I think are most critical from a human rights lawyer's perspective when it comes to medical information in the workplace.

MR. ROTHSTEIN: Thank you very much and we will have some questions for you I'm sure. Our next witness is Dr. Ed Bernacki, representing, well, I'll let you describe who you're representing. Thank you.

Agenda Item: Employment - Panel 2 - Dr. Bernacki

DR. BERNACKI: Well, I'm Ed Bernacki, director of the Division of Occupational Medicine at Johns Hopkins University School of Medicine, and I'm also the executive director of health, safety and environment for the university and the medical system, they have about 43,000 employees for both institutions.

I'm here today however representing the American College of Occupational and Environmental Medicine. On behalf of ACOEM and its members I thank you for this opportunity to participate about the disclosure of health information to third parties.

ACOEM represents about 6,000 physicians and that's in contrast to the occupational health nurses who comprise about 35,000, 40,000 individuals, somewhere between 28,000 and 40,000. However we're the largest organization of physicians specializing in the practice of preventing, assessing, and treating occupational and environmental health problems.

Now protecting confidentiality and privacy is imperative to preserving patient trust and employee trust in the workplace, when to disclose and when not to disclose an employee's personal or family medical information to a third party is a question that the occupational health physician faces everyday. Basically as Lewis was talking about a lot of information can be transmitted to a health professional, whether it be a physician or a nurse, and it basically is up to us to know how to judiciously use that information to protect that individual.

Now ACOEM's Code of Ethics says that a physician should, and I quote, keep confidential all individual medical information, releasing such information only when required by law or overriding public health considerations, or to other physicians according to accepted medical practice, or to others at the request of the individual. And furthermore, I quote, recognize that all employers may be entitled to counsel about an individual's medical work fitness but not diagnoses or specific details, except in compliance with laws and regulations.

Now the occupational physician differs from the rest of the medical community because of the nature of his or her work, most physicians and basically most of the physicians at Johns Hopkins, we have roughly 800 faculty physicians, interact with patients and other physicians and insurance carriers who are covered by HIPAA. In contrast however occupational physicians interact with employers, including CEOs, general counsel, human resources personnel, plant managers, and supervisors, mainly the line supervisors, other health and safety professionals, including nurses, industrial hygienists, safety engineers, and workers compensation carriers. Now furthermore occupational physicians practice in a variety of situations, some may be under contract to employers which is by far the overwhelming number of our members, there are a few employed by corporations but that number is diminishing all the time, very small minority now.

In addition to clinical services an OEM physician as we call them may engage in any or all of the following activities, and this really does take up most of our time, disease and disability management programs, medical surveillance, fitness for duty exams, independent medical exams, and the analysis of aggregated information to pick up trends in a workplace, do we see an increasing frequency of respiratory disease in a particular area. So our day is spent in assessing all these things and pre-placement exams are really a small part of the job.

Employer sponsored health promotion and wellness programs, occupational illness prevention programs, employee assistance programs, and onsite emergency care we feel are extremely valuable to both employees and employers. Now these benefits can result in early diagnosis which I've been part of for many years, in essence intervening early, getting an individual to a health care provider, to interrupt that course of their illness, and it's a great place to put on these programs, employees are there, pretty much captive, and in essence where they can't get it in the general medical scene, if they choose they can engage in these surveillance programs, of course they choose to do that. But for me that is probably one of the most significant parts of my practice is in essence for individuals for hypertension control programs, etc., really make a difference in their lives.

Now if medical information gathered from such programs is not kept private participation in these programs will be in jeopardy, the only reason they're going to be coming, an employee will be coming to you is because they know it's going to be kept confidential.

Now since 1994 ACOEM has, the confidentiality of medical records is an absolute necessity. It is ACOEM's position that physicians have an ethical obligation to keep medical information strictly confidential with information released only when required by law or by overriding public health concerns.

Each situation, however, is different. For example in a medical surveillance exam a physician finds that a hazardous waste worker has a liver function abnormality. If a work related illness or other occupational abnormality is noted should the employer be informed? We believe that the employer should be informed but should not be given specific diagnostic information and this happens all the time, certainly in the worker comp situation where an individual is out on worker's compensation, has a limitation to their ability to perform work, usually there's a dialogue between, in our situation our occupational health nurses and the supervisor on what that person can do so that they do not harm themselves. And this goes on all the time, all workplaces in the United States.

Now another example, if a liver function abnormality that results in alcohol use, previous hepatitis, medications, or some other factors, something not work related, in this case the employer should not be informed obviously. If a liver function abnormality is permanent and reflective of a non-occupational hepatic disorder should the employer be informed? Well, this is tricky, to share this information with the employer may protect the employee from further liver damage or exposure to hepatic toxins, however in essence we have to balance what information we're giving out so obviously we cannot give the diagnosis but some way we have to prevent that situation from damaging that individual's liver further.

Now unfortunately HIPAA does not address these, directly address the issue of access by employers and other third parties about medical information that could affect an individual's ability to work or to work safely. We have previously recommended the following changes to HIPAA and you actually teed this whole thing up for me. Specify that personal health information gathered or maintained in connection with employment or employee health programs is within the definition of protected health information. Prohibit individuals within the company including those responsible for making personnel decisions from unfettered access to protected health information. Make the physician, not administrative or management personnel responsible for interpreting health information and determining what information is relevant and what should be disclosed to a third party. These recommendations if adopted would further ensure that the employee's medical information is kept confidential.

And thanks again for inviting me.

MR. ROTHSTEIN: Thank you very much, Dr. Bernacki, and we will have questions for you after our third witness, Mr. McGarrah from the AFL-CIO.

Agenda Item: Employment - Panel 2 - Mr. McGarrah

MR. MCGARRAH: Thank you Chairman Rothstein. I appreciate the opportunity and the AFL-CIO which I represent is very grateful to you for the opportunity to be part of this discussion today because this is a major concern for the over 13 and a half million working men and women that we represent all over the country, and of course their family members, coming up to as many as 40 million people.

I have been at the present time working in the area of worker's compensation in health care for the past three years and prior to that I was involved in all areas and aspects of health policy for the AFL-CIO as well as the American Federation of State County Municipal Employees and then began my career actually with helping Sidney Wolfe and Ralph Nader start the Health Research Group way back in 1972 and in fact I remember coming here actually to meetings with respect to confidentiality and disclosure of information with respect to professional standard review organizations, it was an issue of great concern. And as you know the department and the administration are making significant strides in trying to make sure that the public has adequate information on practitioners as well as providers of health care because these are important decisions that people need to know.

So we're meeting at a time and I'd like to just summarize my statement but we're meeting at a time when there's an incredible ability to determine what is in fact the best quality medical care and it can be in fact delivered to every American, and we can prevent occupational injuries and disease with this data, there are over five million injuries and diseases every year on the job in this country so this data is critical.

But we also know, and the Institute of Medicine has carefully documented this, that there are far too many medical errors and injuries and even deaths in our system and Americans are well aware of this and have great concerns and surveys by the Kaiser Family Foundation and others make this readily apparent, in fact a majority of people are quite concerned that they could be harmed or have in fact been harmed just by going to the doctor and hospital. And as you've heard in the discussion this morning at the same time they're quite concerned that their records, their medical records, will in fact be disclosed to their employers or to other individuals who could possibly deny them employment or insurance which is an incredibly significant concern, not only in getting adequate care but in maintaining your own employment.

Well, this is kind of a paradox and it's possible I think because we're now in an era of what Professor James Robinson calls medical management after managed care. Instead of the effort that we had in the early '90s to have rather intrusive medical managed care, where we had doctors being second guessed by medical algorithms or clerks and so on and patients' rights developed and I actually worked with the president on some of the development of that effort, patients are now involved in a different framework altogether. And in fact as Dr. Bernacki has described and I think he heads one of the more laudable efforts in the country on this there are ways to integrate medical information and create integrated disability management systems as he's done at Hopkins that can actually prevent diseases, prevent injuries, and work with employees to keep them on the job and provide excellent quality medical care, can save money, and his program in fact has been well documented in the effort to save money and there's significant initiatives that we're attempting to undertake throughout the country in this respect.

But there's a darker side to this as we've already begun to hear in what frankly we in labor are referring to as a Wal-Mart driven economy, which is of course the race to reduce costs at every opportunity and to reduce corporate exposure to diseases and disability and frankly to even eliminate the jobs of people whose care is going to cost the company more than they can afford, or that they deem that they can afford. Milt Freudenheim(?) of the New York Times just reported in fact this past week that the new concern in health care costs is literally leading companies throughout the country to remove group health benefits from the control or authorization of human resources departments and put directly under CFOs in major corporations because this is a significant issue, we all know that it costs more money to provide health care now and pay for it when you buy a car than it does the steel that goes into that car, that's been well documented going way back to Lee Iacocca.

We also know and it's a fact that ten percent of the people in any given health plan account for about 70 percent of the spending on that plan. And with respect to worker's compensation Governor Schwarzenegger found out when he took over, just last year, that disability claims within worker's compensation are frequently due to improper or inadequate medical care at the time of injury and that in itself dictates a much more thorough examination of the available health care information on individuals who consume the most medical care.

Now Fortune 500 companies and their National Business Group on Health have begun to develop and have already on their websites now metrics that actually enable them to benchmark the costs of health care, absences, and lost productivity. Companies like Ford, Verizon, and Quest, our union members and contracts throughout the country, recognize this and work with these companies, they separately measure all the costs associated with employee health, worker's compensation, absences, Family Medical Leave Act, short term and long term disability, and then they aggregate the results. They can also measure what they call presenteeism, which is understood to mean someone who comes to work, is present on the job, but frankly is incapacitated through either illness or disability and is not able to really do the job.

So this data allows companies to manage the care and work of each affected employee and frankly the bright side of this, preliminary research is beginning to show that when this data is aggregated over an entire work site or a company or an industry you can actually prevent accidents and disease and it can save lives and money, so you can see there's a constant balancing that we're dealing with here.

But really with respect to confidentiality an employer who knows about an employee's absence problems is only a database away from examining the employee's group health claims, worker's compensation and disability insurance, in order to come up with a profile of that employee's costs to the company. And intervention at that point is very clearly possible and you can even deny important rights and benefits.

The most extreme kind of examples occurred in fact at the Polaroid Corporation, it was sold in 2003, all of its employees on permanent disability were terminated as a condition of the sale. And when Mercer Human Resources Consulting did a survey on this issue they found that 27 percent of the 723 companies they surveyed dismiss employees as soon as they go on long term disability. 24 percent dismiss them within six to 12 months.

Now property casualty insurers and many self insured employers take the position with respect to worker's compensation that the claimant has to demonstrate that any disease or injury is entirely due to the employment on the job. So that creates an adversarial system, as I say we saw it most apparently in California, most of the cases were as they call it controverted, that became a big battle ground between attorneys on each side, and had incredible amounts of hearings and so on. Liberty Mutual has helped employers with respect to this now, they are a significant provider of worker's compensation insurance, they recently announced that they'll even use extensive claims diagnoses and even credit scores to determine which claimants are likely to be significant problems for employers and need to be isolated and handled in a much more adversarial and contained fashion so privacy becomes almost an afterthought.

Now the dangers, we all know about the Burlington Northern Santa Fe Railroad case, those are very significant dangers at the workplace, those were employees who were seeking worker's compensation for carpal tunnel syndrome, suddenly they find that they're being tested for a possible gene, bogus medical tests, and fortunately that was dealt with but nothing really was done about it yet in Congress the insurance industry as you well know has been working in hand and frankly closely with the president as he has literally three days last week been throughout the country on medical malpractice tort reform and asbestos, we hope he devotes and the administration devotes similar attention to this issue. We would like to see legislation enacted, it did pass the Senate as we all know but it didn't go anywhere after that.

Now we have cases right now with respect to the transportation industry where we find that one of the major carriers requires consent forms, now this is a fitness for duty issue but frankly these are employees who already have passed their medical fitness for duty examinations, the employer says that we just saw that you had a claim coming in for an unrelated injury, shoulder injury, and we frankly now are going to demand that you disclose all your medical records to us to any doctor that we deem appropriate. And you will be suspended from duty unless you agree to provide those records, and you're suspended without pay I should point out. The union has this case in arbitration at the moment but frankly we will remain vigilant on this issue because we think it's a growing concern, not just with respect to fitness for duty.

Now this integrated benefits area as I said has great promise, we are in discussions and have discussed this issue with Aetna which has a contract with Active Health Management and I think it's quite interesting the way it's described by Dr. Lenny Reeseman(?), the head of this company, they say they can form an electronic medical record on a patient by patient basis, once they have that data they relate it to evidence based clinical standards which have been digitized and embedded into the technology, they can actually call patients and physicians up and suggest alternative treatments. Now that's the good side of all this, we think that's appropriate because we want to get the best possible clinical care and as Dr. Reeseman says they can do this because they're classified as a business associate to either the health plan or the self insured employer who's the covered entity.

Now what does that mean on the other side of the coin though when we have the concern as I say with employers who are trying to hold down their costs. Employers are beginning to be encouraged to roll out higher deductible plans, various benefits, offer health savings accounts to people with chronic medical conditions, we've got significant privacy concerns with all of those because they involve this critical balance that we're constantly coming up against on provision of adequate medical care, and that's been discussed today and obviously the AFL-CIO will continue to maintain its position and call for and rally Americans around the issue of universal health insurance, it's got to be done, it's part of the solution.

We think that Congress and the administration ought to make legislation possible not only to protect Americans from genetic discrimination but that there ought to be protections, protected health information should extend to worker's compensation programs and what employers and unions need is of course the aggregate medication management and integrated benefits information, it will help them make the best decisions on how to pay for the right care and create the safest possible workplaces. So this is the sort of balance that we're prepared to achieve and work with business, insurance, and the administration, and make quality care available to everyone.

Thank you.

MR. ROTHSTEIN: Thank you very much and thanks to all of you. The floor is now open for questions from the subcommittee members. Mr. Houston?

MR. HOUSTON: I was unclear with Dr. Bernacki, is that how you pronounce your name? When you were talking about pre-employment screenings, is it possible that there could be a standard that the employer is only entitled to know that the employee is actually fit for duty versus having any specific information regarding the employee? And should maybe the physician be sort of the gatekeeper, at least on a pre-employment basis, to say based upon the employer's criteria for a qualified employee that they give the thumbs up or thumbs down rather than I think, I sense that they get a lot more information than that.

DR. BERNACKI: In workplaces I've worked at no, but there's a potential for that to happen. And quite frankly we as occupational physicians write restrictions and it's basically up to the supervisor to determine if the person can work within those restrictions or limitations so the idea is we don't make an employment decision, it's the employer that makes the decision, we pretty much set the bounds of what that individual is capable of doing at that moment. Now that could change, I mean I think that's the tricky part --

MR. HOUSTON: Would it be a workable process to put more authority in the hands of the physician who does, or the health care professional who does the screening?

DR. BERNACKI: Oh, we would love it, I mean --

MR. HOUSTON: But is that workable?

DR. BERNACKI: Yes, I think so, because if someone does pre-placement examinations or questionnaires, whatever it is, quite frankly I wouldn't trust the employer to do it, a non-medical person to do it because basically you've got to balance a whole host of facts, we're talking about chronological history. Well, it may have some relevance inter-digitating with another problem that a physician assesses and that could have an impact on the workplace. But there is no way that a non-medical person would come up with that diagnosis or an idea that that has any relevance. So quite frankly I would definitely say that that's necessary.

MR. HOUSTON: But it doesn't happen necessarily today in any frequency is also I'm assuming from your --

DR. BERNACKI: Large companies for the most part, the practice is let the occupational physician, nurse practitioners, make those assessments, they don't want the information. But the problem is many workplaces that isn't true and I think there should be some provision in HIPAA.

MR. HOUSTON: So it's reasonable to make a recommendation sort of a standard that that be the case?

DR. BERNACKI: Yes.

MR. REYNOLDS: The HIPAA privacy rule requires that there be a health plan designation of who in a company is the health plan, I know for example working for an insurance company when you make them designate who the health plan is, who can get the records. If it's not a company that is self funded then most of that data never goes to them except, even to the company at all in an aggregated form. But I think I'm hearing from you that you don't feel that that designation by these employers of health plans really does give enough protection to the employee about how data is or is not accessed.

MR. MALTBY: Well, I will confess that I'm not a real HIPAA expert and if we get into hard HIPAA questions I may have to defer to Mark. But let me tell you what I've seen, I have seen the reports that come from third party administrators back to the corporation and they are not aggregate. And I don't know how they could be because the company is not going to pay an aggregate bill, the company wants to know if you want $175,000 from us because you've granted claims for that much for our employees who were they. And the reports that I have seen have never been aggregated, they've all been individualized.

MR. REYNOLDS: And again, any time there's a third party administrator usually that company is self funded and is setting it up themselves, and then the rule designates who the health plan is and then you have to file other documentation if you're going to give it to other people other than who you have specified as the health plan. So my question continues to be, the information goes back because obviously the employer is completely funding it but there are laws where you have, the HIPAA law says you have to designate only certain people to see that, they are under certain jurisdiction, and if anybody else in that company, whether it be the CEO or any other executives of that company wants to see it, they have to have filed some other, fill out other forms and file some other information. So I'm trying to understand, now whether people are following that is questionable --

MR. MALTBY: It's another issue.

MR. REYNOLDS: Whether or not what is in place allows the appropriate jurisdiction, I mean obviously people can do what they want to do in a lot of cases, that's what I'm trying to get a sense from you as to whether or not --

MR. MALTBY: Harry, I'm glad you raised that question because that is precisely the question/comment that Peter made before he had to leave. Peter seems to be of the impression that the HIPAA rules do at least in theory prohibit this corporate bigwig from walking into the clerk's office and say I want to see where the money went. Mark and I talked about yesterday, that point did not come up so I think I'm going to punt the ball to Mark and Mark, what do you think, do you think that the HIPAA rules at least in theory prohibit this disclosure?

MR. ROTHSTEIN: No, you're supposed to be answering the question. You guys had your chance in the last session.

We will look into exactly what the rules are with regard to third party administrators, Helga, do you have that?

DR. RIPPEN: No, but I guess I'd like to parse it because there's a difference between claims that go to the third party but then there's a difference between what nurse practitioners usually obtain which is if they're doing a disease management program, if they're able to collect different types of information because of the course of someone being on site and sharing information. And so those are two different pieces.

MR. ROTHSTEIN: But there's also a related issue, not to, I really don't want to spend too much time on claims because that's really not the focus of the committee hearing today. With third party, with self insured and self administered employers, and the question is in what form does the claimant information get back to the company, now HIPAA permits the use of individual names as with third party administrators but tries to build a firewall between the claims functions and all the other functions. And it seems to me we have not investigated enough the possibility of not using names, I mean we don't have to use names there, if we wanted we could use employee numbers and it would go through somebody to make sure that employee 275 is still employed, entitled to benefits, and so forth, and then you could have the information but somebody's coworker wouldn't necessarily know all the ins and outs of their case. But we chose not, we meaning HIPAA chose not to go that route in terms of a requirement which is I think just a different option that was taken, I would have preferred the former obviously. John?

MR. HOUSTON: Tell me if I'm wrong, the self funded employer who acts as a self funded insurance company, they have all the rights of an insurance company which means they have the right to look at the entire medical record if it's related to somebody they want to interview, which means that in the case of the example where the executive walks into, even if the office is firewalled off for HIPAA purposes and they're separated from the rest of the functioning of the HR department or the company, if the executive walks into that office and there's a complete medical record of an employee and the executive demands to see the record, the record is there. And I guess that's sort of the --

MR. ROTHSTEIN: But there are separate benefits, there are benefits files and there are occupational medicine files and they're not the same and they're not supposed to be. And then there are personnel files and they're not supposed to be --

MR. HOUSTON: They're not supposed to be commingled but the point is that if the employer acts in all those different capacities and even if they indicate that they have set up these barriers to restrict the commingling of files and in theory everything is supposed to be separate and protected, the example of the abuse is one that could be very telling because all they do is walk down the hall to each individual functional area and say okay, I need this record on John Doe because for whatever purpose and they could in theory based on what has been collected, which is permitted, they could see every scrap of medical information related to that employee. I think that sort of sounds to me like that's the beef, tell me if I'm wrong --

MR. MALTBY: And Mark, with all due respect, I don't know that using numbers instead of names is really going to help because if I'm the executive VP who wants to ax the guy who had the heart surgery and is costing us a lot of money, I'm going to go to the person who has all the codes and say I want to see that too and if you don't give it to me I'll fire you. It's really not a problem of commingling, at least to my understanding commingling and having information get in the wrong hands in the normal process of doing business isn't the big problem, the problem is the employer who wants to fire the guy who had heart surgery and is going to strong arm whoever has the information into giving it up so they can fire the guy. And I think Harry's raised a critical question which is, is there some protection at least in theory under HIPAA against that sort of coercion because I know there isn't any protection anywhere else.

MR. ROTHSTEIN: We will check --

DR. RIPPEN: We're going to get a reading on that.

MR. HOUSTON: Mine was as much a question as to what's permitted because I don't know the bounds of it and Kathleen and I were speaking and I think we should ask OCR what are the bounds here.

MR. REYNOLDS: That was my comment, I'm not sure I agree with John's position and so I think we do need to have OCR take a look at it.

MR. HOUSTON: I don't know if I agree with it or not, I was sort of bringing it up --

MR. ROTHSTEIN: We will check on that. I want to change topics and get to one of the suggestions that Mr. Maltby made earlier and that was we need to limit disclosure to job related information, that is what the ADA calls the employment entrance exam or pre-placement exams. And I in my comments earlier said that we ought to explore the possibility of designing an electronic health record system that would enable us to do that and I want to ask the three of you what you would think in theory of the following sort of framework for a system.

Somebody applies for a job and we have a dictionary, an encyclopedia of job classifications that hasn't been updated maybe in a while but it would be, you would assign a number to it so somebody is applying to do 218 functions, they may have 15 other functions, but they would be limited. The job classifications would then be tied to the physical demands of the job and the physical demands would then be tied to a medical determination all in place of what kinds of health information would bear on the ability to do that job, and then that information would be keyed to the electronic health records that people have so that in theory you would just be able to punch in 218 and only that information would then flow to the company.

Now I recognize the million sort of technological and economic problems. In theory is that, and I'll ask all three of you to comment, is that the kind of system that you had in mind Lou?

MR. MALTBY: Mark, I'm just a human rights lawyer, I can barely send my email without screwing up so you may be asking the wrong person. But in terms of feasibility I'm way over my head but in terms of desirability it's a no-brainer, that's exactly what we need. As you said yourself right now with the paper record even if the employer wanted to do the right thing and they go to the doctor, I don't want the psychiatric records, I don't want the gynecological records, I just want the stuff that's job relevant.

I think a doctor could do it that way but the doctor would have to personally sit down and go through every page of the file, yes, no, yes, no, it's not going to happen that way. From a desirability standpoint the system you described is exactly what's needed.

MR. ROTHSTEIN: Ed, keeping in mind we're not going to consider what you say binding on ACOEM or you or anybody else.

DR. BERNACKI: Well, I mean obviously it's a technologic problem so --

MR. ROTHSTEIN: It might be an employment bill for occupational physicians.

DR. BERNACKI: Yeah, right. I mean most situations that I've ever encountered in my career you don't know any information about the job or very little information and sometimes you have to call a supervisor and say what is that person going to do and then you won't catch the supervisor so basically as an occupational physician it's wonderful if you know what the heck the demands of the job in that particular industry and over time you really pick it up. So if a person is going to this particular part of the plant and you know what those jobs entail, you've got all this fuzzy logic in there and you know more or less what they're going to do, then you have this information, they pull out this questionnaire and you take it and in your brain you come up with some sort of an assessment and it isn't perfect. And more or less you come up with something that the person can do that or they can do that with some restrictions. So I would say it's impractical, that it would be wonderful but things change so much and that's my assessment.

MR. ROTHSTEIN: Well, and companies may want to have individuals who are cross trained and cross qualified and so on but presumably that could be taken into account if you were transferring departments and so on, just an attempt to try to keep the most sensitive information from routinely being disclosed. Mr. McGarrah?

MR. MCGARRAH: I see some promise in this, Dr. Reeseman's efforts at Active Health Management I think has a digitized medical record system that is clearly able to, assuming the records are all available and that's what they seek, to intervene directly based on the medical algorithms and clinical evidence based medicine standards, I would think this could be done, I mean I doubt that they've done it yet but it's clearly feasible and it's a desirable objective I think with respect to confidentiality and privacy, it's something that we would like to see move forward.

The issue of cross training that you just touched on is something that's going on all the time now and we're finding that there's really no way that we can, in fact that's been probably the single biggest issue in some of the downsizing and changes is that we're cross training employees for all sorts of occupations so you would need a fairly expansive or at least flexible definition that you could put into this effort. But I think it's worth exploring and I would urge you to speak with Dr. Reeseman and others to see how this might be done.

MR. ROTHSTEIN: Another part of your testimony, Lou, you recommended that we need to somehow protect occupational health professionals from firing and adverse consequences who refuse to turn over medical records that are irrelevant and so forth. How would you propose to do that? Are you recommending state law, federal law, regulation?

MR. MALTBY: My fast answer which is probably too flip is anybody who will pass it. And as to whether state legislatures or Congress is more likely to act on that I can give you an informed answer but I can't do it now. My fast sense is that this might follow the typical model that at least I see in the employment world which is a few states try something out, they get it enacted, they find out what they did wrong and then some other states do it right and ultimately it percolates up to the federal government. That's certainly the model we've seen in genetic testing legislation as you and I have discussed many times. The early state statutes prohibiting discrimination based on genetics were probably totally ineffective, would really solve the problem and my fast reaction is that that's probably the model that would work best here but that's a fast reaction.

MR. ROTHSTEIN: Okay, let me call on Jeff Blair.

MR. BLAIR: If I recall the HIPAA legislation indicated that, and I don't know if it was exclusive to when health care information is in electronic form or whether it's broader than that, that the covered entities who were custodians of the record had to keep an audit trail, and correct me Mark or anyone else if I'm misstating these things because I'm trying to set down the premise to see if this could be a tool that could help protect the individual from inadvertent employer access to information that could be used in a negative way.

My understanding is that the covered entities have to keep an audit log of all individuals who request information whether or not that information, medical information was provided or not, but just the request or attempts to access the record. And that that log of attempts to access the record is then also available to the employee, in this case the patient. If that is the correct statement then maybe a little bit of strengthening of those audit requirements could be a little bit of a deterrent to somebody inadvertently going to an employee such as for example, in the example that you gave, instead of having this in a file drawer when an employee could just simply give that information to someone else, the system tends to provide protection and it becomes more difficult for an employer to intimidate an individual because the system is keeping the log of all requests for access.

So I guess my first question is did I state my understanding of HIPAA provisions correctly with respect to the audit logs and the rights of the patient to review the audit logs? And secondly can this be a deterrent for any kind of employer abuse of access to the records?

MR. HOUSTON: I think in theory that is a deterrent, in fact my example which I maybe make a little clearer which is that if the employer is also the insurer clearly they're supposed, the insurance component of that employer is supposed to be a separate covered entity which has an obligation to account for any disclosures, inappropriate disclosures of information and in theory if the executive walks into the office and demands a record that would be an inappropriate disclosure because the executive doesn't have the right to do so and if the employee, if the employee who had to disclose the records decided that was the case and put it into the record and then it would be available for the aggrieved employee to be able to look at and so oh my gosh, this particular executive looked at my record and that was inappropriate and why did it occur and it would be I think evidence of some type of inappropriate use by the employer.

The question is going to be though in that scenario is the employee going to make note of that, is it going to occur, and I guess in a perfect world I would argue that it should, or it would. But whether that would occur I guess is really sort of at the basis or the center of really the issue --

MR. ROTHSTEIN: Well, actually I think there's a larger issue that was raised, not only by Jeff's question but also in Dr. Bernacki's testimony and that is whether it is a good idea to expand the coverage of HIPAA to include protected health information or the HIPAA term protected health information in the workplace. And that is, I mean I would have to give that a great deal of thought, I can see some advantages because we're familiar with the privacy protections, on the other hand I can see some possible disadvantages of considering employer as a covered entity, covering employer, it may be just more practical if there's the will to have privacy confidentiality protections on employers, maybe we ought to do it through some sort of separate legislation rather than trying to sort of fit that in under HIPAA which was really never designed to do that.

I'm just not sure because when one thinks of all the things that come with being covered under HIPAA I'm not sure that that would work necessarily in the workplace setting. And an analogous problem that I think is arising from Dr. Bernacki's testimony regarding ACOEM policy is that we have a very unusual hybrid sort of professional relationship in occupational health where there are dual loyalties of the professionals, and from the, as I understand the recommendations there are, it would in some ways move the occupational physician/employee relationship closer to the physician/patient relationship in the non-employment world in terms of privacy and confidentiality and so forth.

And yet I think if anyone would do that part of the price for that would be saying that there is a physician/patient relationship and that price would change the way occupational medicine is now practiced. I would support this but I doubt ACOEM would because that would then mean that there is duty of informed consent, etc., etc., etc., all the things we expect in the normal physician/patient relationship. Even if we had agreement on the goals it's very difficult I think to steer this course because the workplace situation is so unusual, it just doesn't fit into our normal paradigm.

MR. MCGARRAH: If I could just interject, California as part of its worker's compensation reforms that were enacted and signed into law just this past April now provides, and I know that Safeway and a number of other companies are actively pursuing this, that an employer and a union can agree that if they have a group health benefits plan that that plan in effect will become the sole source of medical care for all worker's compensation claims. In other words that this is the single provider, all the data is all, it's a unified integrated benefits program, it's seamless, the intention is that you would effectively provide the best possible medical care and at the same time you've reduced all the transaction costs that are involved in worker's compensation claims.

From our perspective, and we supported this effort and we are pursuing this, we've actually been doing it for quite a few years in the construction industry, but as you can see when you have the adversarial worker's compensation system and disputes over claims all this data becomes a matter of public record. Not public record, well, in fact yes it does, it goes right to the worker's compensation commission and the employer is in a position to try to contest it. Employers are well aware that there's great seepage back and forth, in fact there's a recent study that's just come out in the Milbank Quarterly that describes as much as 80 percent of occupational disease seeps over into the group health side, that employers are increasingly concerned about that.

I really think that what we're aiming at is much more akin to uniform application of a physician/patient relationship in the entire delivery system with respect to occupational worker's comp and so on and we would advocate making worker's compensation a part of this. In other words all medical care delivered with respect to any individual, whether it's occupational or under a group health or just traditional medical care be part of the same protected standard. I don't think you can work it any other way.

MR. ROTHSTEIN: Well, your point is well taken and I think it complements my point that picking out one or two issues in a system that is sort of sui generis, unusual, is problematic and I don't know whether there's the will for a more comprehensive approach. I've got Kathleen and Helga and then back to John.

MS. FYFFE: Mr. McGarrah, I think you said something during your testimony that I'd like to ask you about, I might have misheard, but did you say something along the lines of worker's compensation claims turn out to be related to bad medical care?

MR. MCGARRAH: Well, frankly that is an issue, yes, it's often of great concern, in fact I can suggest, I think Dr. Bernacki and I are working on this with respect to some states right now, there is an issue of the adequacy, the qualifications of practitioners, and just the issue of mirrored provision of the medical care is at issue, in other words because this is an adversarial system carriers will often interpose objections and people will be delayed even getting treatment.

Then there's the issue is this totally work related, ACOEM we believe has the best standards for clinicians but you don't have to be an ACOEM practitioner or even adhere to ACOEM guidelines in most of the states to provide adequate medical care and that of course drives up the cost because you don't get good medical care immediately to the injured worker the person is going to need remedial treatment, be out of work longer, and possibly become one of these cases that I described where Liberty Mutual, well aware of these kinds of concerns realizes this and they have profiles to identify these individuals and even use as I said credit scores to determine if this person is a likely person to be essentially isolated and dealt with accordingly, in other words to terminate provision of care and benefits, and possibly employment as part of the settlement agreement.

MS. FYFFE: Thanks for clarifying.

MR. ROTHSTEIN: Helga?

DR. RIPPEN: As we all know there are lots of different mechanisms to pursue things that aren't done right, HIPAA is one if it falls within the HIPAA categorization but many times employers may have a written agreement with regards to not accessing personal health information especially when you talk about disease preventive services or health promotion at the work site. What are the legal, how well are the legal resource then for an employee then with regards to if there is a violation that someone did access that information?

MR. MALTBY: I haven't seen cases exactly on point with what you're bringing up, Helga, but in general if an employer makes a written promise to do something or not to do something that promise is enforceable even if there was no legal obligation in the absence of the contract but once in a while you see judges who just won't go along with it. There is a very famous case in the area of electronic monitoring called Smyth v. Pillsbury where the Pillsbury Company told the employees your email is personal and confidential, no one is going to read it, told them how to select a personal code number that no one would know but them and an access code.

And so Mr. Smyth went ahead and he did exactly what they told him to do and he sent some message to a coworker that was badmouthing his boss, you know what, his boss, I don't know but his boss just, I guess a little gremlin whispered in his ear and he went and he read Mr. Smyth's email and he saw what Smyth had said about him and he said Smyth you're fired, and Smyth went all the way to the Third Circuit Court of Appeals and said you can't do that, they made a written promise not to read my email and the judge said basically promise shomise, the employer has a right to read the email, they own the system and Smyth go suck an egg. So in general, Helga, I think those things are enforceable but you just have to keep a certain grain of perspective that sometimes judges are just going to follow their own instincts on what employers are allowed to do and not enforce the promises.

MR. MCGARRAH: I'd just comment to you, in fact Business Week this week has a piece about should you tell your employer if you have some cancer or some chronic disease and they point out that sure, you can challenge an employer if they take adverse action against you but it will probably cost you at least $50,000 to litigate the case and few people really have those resources available, they're much more concerned with getting the proper treatment and getting adequate insurance just to get through the ordeal.

MR. ROTHSTEIN: And unless some adverse action were taken chances are you'd never even know that it were disclosed more broadly.

MR. MALTBY: Mark, if I could just throw one point in there, this is sort of a mega point that colors everything in employment law today, which is what Rob just brought up. The bottom line for most people is if, even if you lose your job in some egregious manner the chances are you're never going to get justice if you have to go to court because of reason of simple economics, you don't have the money, regular people can't afford lawyers anymore, it's just, you might as well try to win the Kentucky Derby.

And if we're concerned about any sort of substantive area of the rights of employees one thing you always have to consider is how is this right going to be enforced and just taking the standard language from federal statutes that says oh you can sue and if you win you get damages and even attorney's fees isn't going to get the job done, there has to be some thought to less expensive ways for people to vindicate their rights, an administrative remedy with a federal agency, arbitration has proven to be remarkably effective, both in the union and the non-union context of giving people a way to get some justice without spending money they don't have. And whatever substantive issue we're thinking about those economic enforcement issues have always got to be the next question.

MR. ROTHSTEIN: Mr. Houston.

MR. HOUSTON: Mr. McGarrah, you indicated before that there's, that profiling occurs as it relates to worker's compensation claims and employees and their credit, and I'm assuming that the basis for that is that employees who have bad credit may be more likely to game the system or to inappropriately file worker's comp claims or that they would try to make more out of them than there are, which I guess the question I have is if that is in fact the purpose in the case what's wrong with an employer trying to ensure that it fairly applies its worker's compensation rules and that you don't have workers who aren't trying to game the system. And I guess, are you also indicating that some employers may be trying to reduce bona fide worker's compensation claims through that process?

MR. MCGARRAH: Well, very definitely, I mean the whole purpose of worker's compensation, I mean it was the first tort reform at the turn of the 20th century, it was literally employees gave up their right to bring an action in tort against the employer and the employer then got the exclusive remedy and is to provide and this became an issue actually in the California reforms to provide all necessary medical care for the workplace injury or disease. And because of the definitions of the system and because this has become, I mean as an attorney I'll say this candidly, there are far too many lawyers, far too many claims in the worker's compensation system to make it an adversarial process. And as the costs of Medicare, again driving the system, we have all the worst elements brought to bear, employers, and I think in this instance Liberty Mutual seeking for its own purposes, how are we going to deal with these kinds of claims as you say, what do we have if we have somebody who's a malingerer, what's a malingerer look like, do they have bad credit rating? I suppose the theory that Liberty Mutual had was yeah, they probably do and so we're going to use that to flag these claims, they were describing this at a conference in fact in San Francisco just this past year. This is one of the elements that they use to try to set up these profiles.

From the perspective of workers and from our point of view what we're seeking is that the person gets all the adequate medical care, all the necessary medical care to deal with the problem that is caused by the injury on the job. If they didn't get proper medical care for back injury and got improper treatment they may need repeated medical care, worker's compensation medical care is a lifetime requirement, it's called the long tailed claim. I don't think that your credit rating really has a heck of a lot to do with your medical status and I think that in that instance it should be an impermissible element of the insurers consideration or the employer's consideration and I think it's a great invasion of that individual's privacy to bring it to bear on their medical needs. But I don't believe at the moment there's any statutory vision to prevent Liberty Mutual from using this.

MR. HOUSTON: I guess my point is is if clearly the intent is to weed out the malingerers from bona fide claims and that the intent is not to try to reduce bona fide claims through this process I guess I would react one way. But if the intent of Liberty Mutual is also to try to coerce people into settlements that maybe were less, that were inadequate to address their long term disability because they recognized they had bad credit and maybe boy if I give them a settlement they'll go and pay off their credit card debt and the settlement may be pennies on a dollar and understand, I guess the question is is what is the intent and --

MR. MCGARRAH: Well, settlements, you've hit on I think a very important point here. Settlements within the worker's compensation industry are the preferred and desirable approach to take, in fact this department and CMS are right now struggling with a very significant issue with respect to worker's compensation claimants who are about to become Medicare eligible because the vast majority as I say of these claims are put to a settlement and Medicare has discovered, the GAO has made quite pointed criticism of CMS on this point, that look, you cannot allow insurers to settle these claims and then slough the claims off to the Medicare system for what really are occupational or injuries or diseases. And CMS is taking a very aggressive role in trying to profile these claims, determine the adequacy of the settlements, because this is the easiest surest way for a property casualty insurer to wall off liability and for the employer for that matter too. So I think these are elements that really need to be brought to bear in the consideration of privacy and confidentiality too, are they relevant.

MR. ROTHSTEIN: Mr. Reynolds?

MR. REYNOLDS: It would seem to me if you look at the trend of employers and health insurance right now you're seeing more of the defined contribution, or they're only going to put in X amount of money and then the employee has to pick up the rest, you're going to see extremely high deductibles, which are real, you're going to see more companies getting completely out of offering health insurance, they may give people more money and they don't do it, which would seem to me to throw more onto this environment that you're talking about, whether it's an employer owned clinic, more people are going to show up there because if they've got a $3,000 to $5,000 deductible they're not necessarily going to go into the regular health care program, and that's real on the street all those kind of numbers.

When you start seeing people that don't get care and they end up, if my knee hurts and I can't pay the deductible in some of these things I'm going to stay on the job longer and then my knee is going to hurt on the job and then I'm going to be in worker's comp. So are you starting to see those things occur? And I know some of the unions you may have contracts but as you look at others who aren't influenced by that they are making those kinds of decisions so our earlier problem as to what the company might want to see if they get out of the health insurance business, it won't be an issue anymore.

But the issue that you're bringing up I think maybe becomes, Mark, from the standpoint of our committee, more of a prevalent situation where if they can control their health care costs from a standpoint of what they do and don't offer as benefits, as long as they're competitive they can still get employees, but then when it moves over to these other environments that right now may not be as protected then I think the individual employee is probably more exposed than they would even be currently.

So I'd love an opinion as whether you agree with that or not.

MR. MALTBY: Well, Harry, we're talking about very, very broad brush strokes here obviously but I think you're pinpointing what may be the most serious problem from the standpoint of workers being able to get health care to begin with. We've had a model for several decades now that says if you get a job you get health care through the job and at the time it seemed like a good idea because the world was not as competitive, well, we didn't have a global economy and employers could afford to do it and there were tax advantages and everything worked out just fine. And what we see year after year after year is employers being under more and more competitive pressure and more need to cut costs, they've got to cut costs if they're going to stay in business because if they don't stay in business the employee doesn't have a job and that sure isn't helping them any. But every year because of this inescapable financial pressure employers keep backing up more and more and more from giving real comprehensive health care to their workers. If there's anything on the horizon that indicates a change in that trend I sure don't see it. And we ask ourselves well, if people can't pay for it on an individual basis and certainly we can't, I mean who's got $100,000 to pay for heart surgery, not even most of us professionals can afford that much less working people, well, then, where's the health care going to come from. The inescapable answer seems to be that we're going to have to move more toward a model of the government picking up the slack but clearly at this point there's no political consensus or I think even political awareness that we have to go in that direction.

DR. BERNACKI: I'd like to make a comment, I think there is a lot of pressure on worker's compensation from employers raising deductibles, a shift to the worker's compensation system to pick up those employees who submit a claim, whether it's work related or not. So I think that there's going to be a lot more pressure for that to happen and there's some evidence that that is occurring already although the frequency of claims in the United States is dropping and it's continued to drop over the last 20 years. We'll have to monitor it but certainly --

MS. FYFFE: The frequency of worker's compensation claims.

DR. BERNACKI: Yes, and the cost per $100 of payroll in worker's comp keeps dropping, 37 percent in the last 20 years. But the severity, i.e., the cost per claim, is increasing astronomically, 13, 14 percent a year, so that's a real problem now, obviously heavy industry is emigrating from the United States to other areas and so there's a lighter industry so that could be a reason for the reduction in the cost per $100 of payroll. But the severity cost befuddles me because theoretically if you have less risk out there why are the injuries getting more severe and Rob and I have some theories on that.

MR. ROTHSTEIN: Well, I think you make a very good point about the privacy implications of different coverage levels in different systems so if you have first dollar coverage in worker's comp there is an incentive to get out of your high co-pay deductible area and be covered elsewhere and what does that do to the medical records and the like.

Are there further questions for members of this panel?

Before we adjourn for lunch I want to notify members of the subcommittee about the necessity of submitting by the end of lunch your comments, if any, to either John or me about the letter, the revised letter on legacy medical devices that was submitted yesterday because a final version has to be submitted to the executive committee for consideration on the 21st, so it's the letter that we distributed at the end of the day with John's revisions.

MR. HOUSTON: There's one typo at the bottom of the first page --

MR. ROTHSTEIN: There is a typo on the next to the last line after the word devices there should be a period and a new sentence beginning further.

MR. HOUSTON: We decided the delete was on the next paragraph so I inadvertently deleted it in both paragraphs.

MR. ROTHSTEIN: The result is that if you have no additional changes to make that will be the version that will be submitted to the executive committee in advance of the January 21st conference call and presumably then will come to the full committee at our March meeting.

So if there's nothing else we will adjourn until 1:00 and then we will hear from panel number three on life insurance. I want to thank the members of this panel very much for your excellent testimony.

[Whereupon at 12:00 p.m. the meeting was adjourned, to reconvene at 1:00 p.m., the same afternoon, January 12, 2005.]


A F T E R N O O N S E S S I O N [1:04 p.m.]

MR. ROTHSTEIN: Good afternoon, we are back in session on our hearing on the issue of disclosure of protected health information to third parties pursuant to authorizations. This morning we heard an introductory panel setting the stage for the framework in which these disclosures are made and in late morning, panel two talked about employment.

This afternoon's first panel is on life insurance and as we mentioned this morning just to remind all of the subcommittee members and our guests there are many applications and life insurance is being used as an example not necessarily as the end all of the insurance industry because as they will point out there are quite distinct differences between different product lines. So this is an example and we don't mean to slight other insurance lines or to assume that what we're talking about here has general applicability.

So I want to thank the three members of the panel for coming, I appreciate it very much, and we'll begin with Ms. Meyer.

Agenda Item: Insurance - Panel 3 - Ms. Meyer and Dr. Huguenard

MS. MEYER: Thank you and actually Dr. Huguenard and I are going to present, or make our presentations together, so I'm going to defer to Dr. Huguenard to start.

MR. ROTHSTEIN: So it's a tag team presentation.

MS. MEYER: Exactly, exactly.

MR. ROTHSTEIN: Well then welcome to you Joe as well.

DR. HUGUENARD: Thank you. Good afternoon, first off I'd like to say we really appreciate being here, we always like to talk about what we do because it seems somewhat arcane to a number of people so it's an opportunity for us to kind of tell the story, as people go oh, so that's what it's about. So thank you very much for that opportunity.

The question or issue that we want to address this afternoon is how life insurers use health information and how that benefits the consumer, so we're going to focus on that. I'm Dr. Joe Huguenard, I'm with Swiss Re Life & Health, I also work with ACLI so I'm speaking on their behalf today, and I'm a member of the American Academy of Insurance Medicine and as an individual represent kind of a typical or opinion that they have about this.

MR. ROTHSTEIN: Joe, just for the benefit of our internet listeners could you say what ACLI stands for?

DR. HUGUENARD: We're going to do that in a moment. And with me is again Robbie Meyer from the ACLI and she's staff person, and then I'm going to turn it over to Robbie who will explain what that stuff means.

MS. MEYER: Well, Mark, that was such a good question, the American Council of Life Insurers is the ACLI, it's the primary trade association for life insurance companies. We represent about 370 life insurance companies that represent about 70 percent of life insurance premiums in the United States. Our primary role is a role of advocacy on behalf of the life insurance industry so we lobby on behalf of life insurers both on the state and federal levels, both before state legislatures and the Congress and before various regulatory bodies.

DR. HUGUENARD: And then I'm going to explain what the American Academy of Insurance Medicine is, it's also known as AAIM, A A I M, and this is a professional association for education and other support for physicians who happen to serve as medical directors or in the role of medical directors for insurance companies so it's a separate professional organization. Also I'm here obviously from Swiss Re and just so you know what that is, it's a re-insurer, what we primarily do is insure insurance companies who take risks in life. We're also the largest life re-insurer in the world and we re-insure and insure other kinds of business and have been active in the United States and probably best known for covering major property casualty damages such as the 1906 earthquakes, so even though the name is Swiss they've been in the U.S. a long time.

MS. MEYER: The goal of our presentation today is to give you a very broad overview of the very significant benefits that consumers derive from life insurers' receipt of information, medical information, directly from the individual and also pursuant to the authorization of the individual, so hopefully this will respond to a number of the issues that were raised in the presentations this morning as to why in fact it is so very important at least in the context of life insurers to be able to continue to receive individuals' protected health information and how indeed this is very, very important to American consumers and American families.

Life insurance, the primary goal of life insurance is to provide financial security for American families. Life insurers provide literally millions of life insurance policies yearly, in fact when I checked in the ACLI fact book, the last year for which we currently have statistics which was 2002 approximately 55 million policies were sold. So in fact most Americans do depend on some form of life insurance either individual or group to provide their families with long term financial protection for their families and to protect against financial hardship in the event of death, particularly of a breadwinner of the family. Indeed in 2001 69 percent of American families owned some type of life insurance and by the end of 2002 total life insurance in force actually reached $16.3 trillion.

Individual life insurance is a critical form of insurance, it is purchased and underwritten on an individual basis so the process of risk classification and medical underwriting that we're going to talk about in a minute is critically important to these products. And these individual products represented 61 percent of all life insurance policies in force by the end of 2002.

It's also important to realize particularly as we talk about underwriting and the concept of adverse selection that Dr. Huguenard is going to address in a moment, it's very important to recognize that individual life insurance products are voluntary products, in other words American consumers are not required to buy individual life insurance policies. By contrast in Great Britain individuals are required to buy mortgage insurance whenever they buy a home. As a result of that the fact that American consumers choose whether to buy, what type of product to buy, when to buy, they can choose to buy it when they're young, they can wait until they're older or until they're sicker, and the fact that it is a voluntary product subject to the wishes and the needs of the particular individual is particularly important to the risk classification process and how that works and how that process ultimately works to the advantage of American consumers.

When we life insurance companies begin to work with consumers who are, or who want to purchase life insurance contracts we need to obtain lots of information. Some of it is non-medical information, we need to know the individual's age, we need to know their occupation, often their income, their net worth, what other insurance they have in force, just basic information such as their beneficiary information. And in addition to that we need basic medical information in most cases and as Dr. Huguenard will explain the nature and the amount of that information and the source of that information does vary somewhat but for almost all life insurance policies, particularly individual policies, we do need information about individuals' current health, their health history, their past illnesses, their injuries, their various medical treatments, and doctors that they may have or the names of doctors and other health care providers that they may have consulted in the past.

DR. HUGUENARD: Now probably more pertinent to what this committee is considering, the sources of that information, where do we get the information that we use when somebody applies for life insurance. And most information that we use in underwriting life insurance comes directly from the application, it's something that the applicant tells us when they fill out that form, that's where the bulk of the information comes from. In certain cases for older ages and higher amounts of insurance we also will do a medical examination of the individual and oftentimes laboratory testing, screening tests, so that some of the information is actually medical information that's obtained at the time of the application.

More information and in particular more health information is obtained in those cases or those circumstances such as advanced ages, particularly large sized policies, where the individual declares a medical history that's of importance, and some of our own exam results when we're doing an exam on the person maybe abnormal. Those are the cases where we seek more medical information but it's the last thing we look at.

Now the medical information that we're talking about, when we do go outside to request medical information we do use, though this is one of those double P HIPAA's here, sorry about that, missed it, we really use the single P HIPAA, applied authorized, not because we come under that regulation as you know but all of the individuals and health care providers that we seek information from do, so what we try and make sure of course is that we use the authorization that those individuals that hold that information will recognize and can use and need. During that process we also inform the applicant of course of how it's going to be used, which is usually fairly simple in life insurance because if you've applied for life insurance you probably have a high suspicion if we ask for your medical information it has something to do with your life insurance and that's correct.

The underwriting process, when an insurer gets an application from an individual what they try and do is group individuals into pools of similar mortality risk, easy one to say is people aged 20 have a different mortality risk than people age 60, but there are many criteria but the idea is to group people into roughly the kind of mortality risk the same for the whole group. The price of life insurance is primarily based on the risk of death, the applicant's gender, age, present and past state of health, health risk factors separate from being sick, you sometimes have factors' risk such as blood pressure, job, hobby, other activities, all may affect mortality and also may affect how you get entered into a risk pool.

The system overall is called risk classification and we're going to talk a little bit about risk classification. As we said insurers group together people with similar characteristics and then they take and calculate a premium based on that group level of risk. We don't insure individuals, we insure groups to which we attach the individual and then attach a premium. Those with similar risks pay the same premium so if you're in the same risk pool you pay the same premium.

This does two important things to us. When we determine a premium using risk classification we know that there'll be adequate funds to ensure the ability to pay future premiums. Premiums are paid hopefully years later after you apply for life insurance --

MS. FYFFE: Benefits or premiums?

DR. HUGUENARD: Pardon me, benefits. The benefits that are paid for your premium are hopefully years after you buy it and so the money has to be there for a long period of time and that may extend 50, 60 years depending on your age when you enter the pool. The other thing is we want to keep that fair, fair to the existing people in the pool and fair to prospective customers seeking to enter those risk pools.

The value that risk classification provides, is the fundamental framework that we use in the United States at least for the current private voluntary life insurance system. It enables life insurance companies to make products widely available at affordable prices. If you look at people applying for life insurance 98 percent of the individuals who apply for life insurance are approved for coverage, so we're talking about most people can be fit into some risk level. 81 percent of those offered life insurance are at standard rates, in other words the rates that would be standard for your age and gender. 15 percent are actually offered prices at better than standard rates, these are called preferred rates, because some of your risk factors actually make you, we can put you in a pool that is even better than the general standard.

The medical information and the risk classification process. Life insurers rely on the applicant's health statements, the examination results that we referred to, and the information from health care providers to determine the appropriate risk classification with respect to all medical issues. It's critical that the insurers have this information in order to set premiums that are fair and prudent, prudent in the sense that we'll have enough money to pay those benefits when they come due. The information that's obtained from health care providers oftentimes actually allows us to classify somebody as a better risk.

Let me give you an example of that. If you come in and when you're filling out your life insurance application it asks have you had medical care, surgery, etc., and you put down I had surgery and it was two years ago. If we go for information on that and find out that your surgery was an appendectomy or gall bladder, you've been back to the doctor and you've had no complications, that particular health event has no bearing on your risk classification because we don't expect it to come back and be any cause of mortality. So knowing the detail helps.

Sometimes if for instance you've had a heart attack, I use vernacular myocardial infarction for the physicians, you'll admit that in your application because it's asked. Now that does put you at a higher risk but there are very many different types of risks associated with that depending on how many coronary arteries involved, how much heart function is left and such, going for medical information will usually allow us to take most people into a lower risk class because most people who have had myocardial infarctions actually have fairly mild ones, at least as a first one. The supplemental information allows us to put that person in the best risk classification for somebody that has that illness.

More examples if you're interested on questions, just to give you an idea of why we particularly, the medical directors, like to see that information, we can usually do better with somebody.

Adverse selection, this was raised this morning I heard and it is an issue in life insurance and we have had some bad experiences with this as was referenced at least in the case of one disease this morning. It occurs basically when an individual fails to disclose information about a condition and as a result receives standard coverage or better coverage than they would have if we knew about that condition. It not only means that they get coverage but oftentimes the individual who knows they have a medical condition that may influence their longevity will seek more life insurance than the individual who doesn't know that. If you just had a myocardial infarction and you're 45 years old and you've got two dependents at home and you did not have to tell somebody that you would likely buy more insurance than the person who hadn't. Now who knows who's going to die first but at least as a group the people who have had a myocardial infarction, they're making a better bet, they're betting against themselves but it's out there.

The problem for the life insurer really depends in adverse selection on the number of cases that we see and the total amount of coverage. If this occurred once in a thousand it may not do much but if it's occurring several times in every thousand applicants it starts having an impact. If people choose much higher amounts of coverage then that also can have an effect, it can be relatively few cases but many dollars involved and it also has an effect.

The major negative consequences, increased cost for future customers because the experience continually leads us to reprice the risk pool so that if the experience goes up in mortality if we don't expect the risk pool cost goes up. As prices increase fewer Americans can afford coverage, indeed over the last several years we've actually been able to reduce prices in life insurance and what we see is also then more people buying insurance, so we've kind of run that test in reverse.

MS. MEYER: As I indicated before life insurance provides financial protection, life insurance policies are likely to be in force for decades, many companies have policies that are in force ten, 20, 30, 40, 50 years. So this process of risk classification occurs at the very beginning of the life insurance contract and we like to say we get one bite of the apple, we get one opportunity at the beginning of this contract that can last literally for decades to make a risk assessment that's going to provide for premiums that are financially sound so we can pay consumers' and customers' claims down the road, and also fair, so this process at the beginning of the contract is critical. And it's particularly critical because life insurance contracts cannot be canceled, and this is an issue that often comes up when I'm testifying, people will say oh well, if someone finds out they have a very serious condition or disease and the life insurance company is going to cancel their policy or raise their premiums, this is not possible, the only circumstances under which a life insurance policy can be cancelled by the insurer is if the policy owner stops paying the premiums. It doesn't matter how sick the insured gets.

MR. HOUSTON: -- fraudulent applications for insurance?

MS. MEYER: There is, we can cancel for fraud but that --

MR. HOUSTON: I'm sorry, the question was even if there's a fraudulent application or something was purposely --

MS. MEYER: Let me address that point, if indeed, for one thing, from a practical standpoint it is very, very difficult for an insurer to establish fraud but what they would do in that case actually is establish that there was fraud at the beginning of the contract so actually there was no real contract in the first place because of the fraud. What does happen which is a lesser degree of disagreement is insurers do have two years within which to contest the validity of the contract because of a material misrepresentation. And that's a misrepresentation by the applicant at the beginning of the contract, may or may not have been intentional, it does not rise to the level of fraud, but in fact even when an issue of material misrepresentation comes up, when the insurer does establish that in that case too what happens is the insurer shows that there was a material misrepresentation so that they wouldn't have issued the coverage at all, or they wouldn't have issued it at that price, so again they establish then if material misrepresentation is established it voids the contract so there is no agreement.

So I guess getting back to the broader point if in fact there is an actual contract it cannot be canceled if the individual gets sick. Probably more than you wanted to know.

But another interesting point is, and I think this is unique to life insurance policies, we can't increase the premiums either. I like to say it sounds trite but it's true, once we've got you we've got you for life and the only thing that can change I understand and Dr. Huguenard would know the details of this better than I would, it's my understanding that if in fact you're in poor health when you apply for a life policy and you're issued a policy at lower than standard rates, in some circumstances you can actually come back and have your premiums reduced. But the overall important point is is that for those 61 percent of the individually underwritten policies that I told you about this process of risk classification is critical because it is the mechanism that we use to make sure that we can, we get enough money in premium so we can serve our customers down the road and it may be decades down the road, and it is also the mechanism that we use to be sure that what we're charging each individual is fair to them and it's fair to other policy holders and insurants so that everyone is paying the appropriate amount.

DR. HUGUENARD: Just coming back to the benefits of risk classification again, it's based on medical information, makes life insurance more widely available and affordable, actually more affordable and therefore more widely available.

Medical advances in the last 50 years have been and continue to be reflected in the risk pools we set up, I was talking to Dr. Billings just before we started here and telling him that what we've seen over the last 50 years is our basic life table, that's for the standard risk for your age and gender, have all reflected increased longevity and therefore decreased premiums over this period of time. And we also attempt to anticipate future improvements too, we base it on our experience but where we see trends we try to build those in too.

All of this helps keep that premium down and still allows us to be prudent in putting aside the money that's needed for the benefits to be paid later. It also means that as coverage is less expensive, obviously people can either afford more coverage depending on whether they need that, or more people who wouldn't have afforded the coverage to begin with are able to enter the market.

MS. MEYER: Dr. Huguenard, before we leave that particular slide I think one point that you can probably address better than I can, a very good example of the way medical advances have improved the affordability and availability of life insurance in the last 50 years, it's my understanding that 50 years ago individuals with heart disease had a very hard time being able to get coverage at all and medical advances in the last 50 years have not only made it so that these individuals thankfully can live much longer and much healthier lives but indeed a lot of these individuals now can get coverage who could never get coverage before and/or they can get coverage at a much cheaper rate than they could have before.

So these medical advances, and this comes up a lot in the context of genetics and discussions about genetics, as you all would guess we see the glass as half full rather than half empty, we like to believe that the historical improvements in science that have made insurance more widely available at better rates than the past, the same is going to be borne out with future advances in medical science.

DR. HUGUENARD: And Robbie is correct, before World War II it was virtually impossible if you'd had a myocardial infarction to be able to go out and buy life insurance, you were considered too great a risk. Through the '50s and then on into the current time we've been able to include most people who've had a myocardial infarction are insurable, you're not insurable the same as somebody who didn't because obviously you have a different risk but you are insurable.

Another great story is diabetes, diabetes was an insurable event, actually it was an unsurvivable event back in the '20s and '30s pretty much. Now it is survivable, there's still implications for your longevity but diabetics in almost all cases in the United States are able to find coverage at some cost today and more in the past.

MS. MEYER: Now we're going to talk a little bit about the whole issue of our protecting customers' health information once we get it and often experts on the HIPAA rule look at life insurers and they say that's, life insurance represents one of the gaps in the coverage of the HIPAA rule because life insurers aren't covered entities. But in fact life insurers may only obtain information from entities other than the individual themselves or from medical testing, the only way we can get information from third party health care providers if in fact our authorizations forms are HIPAA compliant.

So our ability to obtain protected health information from covered entities is very much governed by the HIPAA rule and indeed we wrote several hundred page letters to HHS explaining how the HIPAA rule very much and very significantly could impact life insurers so we could only get information from providers as provided under the HIPAA rule and then our ability to use the information and disclose it while not subject to the HIPAA rule is subject to a host of other privacy rules, subject to Title V of Gramm-Leach-Bliley, subject to the Fair Credit Reporting Act and I'll circle back to that in a few minutes, significantly impacted by the changes to the Fair Credit Reporting Act made by the FACT Act which was talked about earlier today.

We are subject to a host of state privacy laws and regulations that were enacted and promulgated as a result of Gramm-Leach-Bliley, these laws deal with both the confidentiality and the security of consumer information. And oh by the way, we're subject to a host of state laws and regulations that were also referenced this morning that deal with our ability to obtain and disclose information relating to particular diseases, to AIDS, to genetic testing, genetic information, domestic violence.

So I like to look at it, it was perceived particularly during the discussions about the HIPAA rule and I hear this all the time that well, what governs life insurers, well, I think there's really a fit here, it's not at all that we are getting a free ride here because our ability to get it is subject to HIPAA and then our ability to use and disclose it is subject to a whole host of other laws that provide for a continuing and affirmative obligation to protect not only the confidentiality of this information but the security of this information. And these laws also require that we have written policies and procedures to protect that information.

But not only that, even if you all didn't think that we were a reputable industry or nice people, the truth of the matter is is that it's not only in our customers' best interest to keep their information secure, it's in our best interest too because the bottom line is is that we have been obtaining customers' very, very personal information for decades and if our customers did not feel comfortable that we were going to keep that information confidential and secure they would go elsewhere. So it's not only in our customers' best interest to keep the information secure and confidential, it's in our best interest also.

And life insurers are and have been for decades strongly committed to the principle that we have a tremendous obligation to protect our customers' very, very legitimate concerns with respect to their personal information and we very much recognize that there are particular concerns with respect to the confidentiality of health information.

At the same time I think I should point out that we had to use this information, most significantly in the risk classification process which works to the benefit of our customers, but also for other basic insurance functions. We use health information in evaluation of claims or payment of claims once people submit their claims, the information is also part of the insurance contract, so we have to use it to perform basic insurance functions or insurance business activities. And it was mentioned today that there need to be exceptions to the prohibitions on disclosures of information even with authorization.

And the privacy laws that have been enacted, both on Capitol Hill and in the states in the last several years, indeed HIPAA itself provides for the exception for the limits on uses and disclosure for the performance of health care operations. And similarly the Gramm-Leach-Bliley privacy provisions, the recently amended provisions of the Fair Credit Reporting Act, in section 604(G) that Professor Swire talked about today, those laws as well as the new state laws that have been enacted as a result of Gramm-Leach-Bliley all recognize the fact that consumers' privacy has to be protected but at the same time financial institution insurers have to use that information to do the very thing that our customers come to us to do in the first place. So they all pretty uniformly recognize this very careful balance between life insurers' need to protect the confidentiality of their customers' information and their need to use that information in order to serve their customers.

So in conclusion consumers benefit significantly from life insurers' ability to obtain and use their information, information that the life insurers obtain directly from the individual and information that they receive pursuant to the expressed authorization of the individuals. This information makes risk classification possible and because of risk classification life insurance is more widely available, more affordable than it would be otherwise. Premiums are fair and they are financially sound so that insurers have the ability to pay claims that they may have to pay decades, ten, 20, 30, or 40 years after the individual comes to us for coverage.

And in conclusion we are also very proud of our historic record of very carefully protecting that information once we get it.

DR. HUGUENARD: Along with the handout that you received today we have a couple of supplemental pieces of information, we have the ACLI Confidentiality of Medical Information Principles, that is just sort of where we stand as an industry, I've included information on the American Academy of Insurance Medicine from their information sheet if you're interested in that.

And another good source if you're interested in medical underwriting, medical underwriting by one of my colleagues, Dr. Robert Gleason, Genetics and Life Insurance, Medical Underwriting and Social Policy, the editor is a Mark Rothstein --

MR. ROTHSTEIN: I think no home should be without a copy.

DR. HUGUENARD: If you don't want to look at the book for anything else this particular chapter does a good summary of medical underwriting and how information is used there and how it affects things.

MR. HOUSTON: He testified this morning and I think he could give us a free copy if we asked.

MS. FYFFE: The question is will they be autographed.

MR. ROTHSTEIN: Thank you both very much and I know we'll have some serious questions for you at the end of Dr. Billings' presentation. Paul?

Agenda Item: Insurance - Panel 3 - Dr. Billings

DR. BILLINGS: Thank you, Professor Rothstein and Dr. Rippen and members of the subcommittee for inviting me here to speak today. I'm going to make some general comments which are a part of my written testimony and then I thought I would turn specifically to a couple of issues in the life insurance sector.

The Council for Responsible Genetics, which was founded by scientists, representatives of labor and consumers, is the oldest non-profit unaligned biotechnology watchdog organization in this country. For more than 20 years CRG has provided informed criticism, and with others engaged in political action, to highlight examples of genetic determinism and reductionism, and the use of biotechnology as a form of social control. I appear here as a member of the CRG Board of Directors and as a practicing human and clinical geneticist. I do not here represent my employer, Laboratory Corporation of America Holdings, and none of my views expressed are policies or positions endorsed by the company.

LabCorp is a major provider of health care and genetic testing in the United States, it has adopted a policy that supports protecting individuals against discriminatory uses of genetic test information and federal anti-discrimination legislation. If the subcommittee wishes to have this policy that LabCorp has adopted which I think is actually rather visionary I can supply it.

Genetic or genomic testing is primarily conducted to identify health risks, make diagnoses, or for other medical purposes. While forensic or public safety uses of DNA methods, including DNA fingerprinting of all inhabitants in this country, may soon outstrip medically directed genetic testing, now the results of these types of analyses primarily become a component of health information. For important reasons health data are increasingly digital, technology has made it increasingly easy and inexpensive to accumulate, store, and share health related data. This obviously has significant implications for the individuals and when considering genetic information for their relatives.

In addition technology has made it possible to assess an increasing number of factors that impact health, some of which are associated with genetics. Risks conferred by the genome, by mRNA expression in diseased tissues, or by arrays of protein levels in the blood are becoming accessible, validated by biostatistical methods and affordable by individuals. Soon many of these approaches applied to human conditions will be deemed cost beneficial or of significant public interest so that third party payers will make decisions to cover these tests as benefits and pay for them. Obviously this comment is primarily about life insurance, I mean about health insurance and the health insurance industry, but as that information enters the record and then flows through the application, the application process to the life insurance industry, this information will migrate into the life insurance industry as well.

A founder of CRG, the labor leader Tony Mazzocchi, said many years ago the problem with any screening and surveillance program is that it depends on who controls it and who administers it. In a perfect world genetic screening might be a very adequate surveillance measure, however this is not a perfect world. With our view of the growing acceptance and digitization of genetic and genomic testing, along with other important trends in biotechnology arising in our social and economic milieu, CRG began in 1999 a review and project in order to define a Genetic Bill of Rights.

After many years of study and political labor the organization adopted a set of statements that we believe are essential to support individualism, community, and freedom in the 21st century. A text reviewing this work, edited by Peter Shorett and Sheldon Krimsky, will soon be published and is entitled Rights and Liberties in the Biotech Age: Why We Need a Genetic Bill of Rights. It's going to be published by Littlefield. Article 7 of the genetic bill of rights adopted by the CRG Board of Directors states all people have the right to genetic privacy including the right to prevent the taking or storing of bodily samples for genetic information without their voluntary informed consent.

If we lived in a world where bad things did not happen and where the fear of such outcomes did not materially affect individuals' lives, much of our discussion about privacy and confidentiality would be moot. But we do not. Discriminatory uses of genetic test results, and fears and perceptions of adverse outcomes as a result of genetic information, are very real and affect the conduct of genetic testing. They also limit the growth of the biotechnology industry that has recently turned to the development of diagnostics and other types of tests as an important early source of business revenue.

Individual autonomy surrounding personal information is central. Privacy is essential to exert control over one's life and is an important component of normal human development. The presumption of confidentiality is essential to the functioning of many professions and to balancing the power of social agencies and their agenda against that of individual autonomy. We live in a time when the primacy of the market, national defense, and the war on crime, and I might add health considerations, are frequently used as justifications for what might be perceived as intrusions into the traditional sphere of personal liberty and the right to be let alone.

Technology, including that which enables genomics and its related disciplines, is increasing the number of personal issues and social/cultural venues where conflict may arise between the personal use of information, including the right to keep it private and to ignore it, and social agencies' wishes to use it for their own stated or hidden purposes. The key points are to establish the importance of the individual right, to defend with policy and interpreted law that tenet, and then to seek a balance of influences so that individual lives are improved as our society evolves and encumbers technology driven social change.

The importance of personal freedom in decision making around health matters is undeniable. The role of confidentiality and privacy, along with enhanced access to high quality reliable information, is essential to moving the right to health, which is in fact a state right in the Universal Declaration of Human Rights, into the 21st century. It is important to the improvement of medicine and medical genetics. Our method of financing health care in the United States and the movement to improve quality of care by relying on evidence based medicine and the assessment of practice data, along with enhanced public health information collections for many purposes, poses real problems in balancing legitimate goals.

CRG believes that a restatement and proper enforcement of protections of privacy, and the identification and lessening of coercive powers applied to individuals that reflect social control and agendas not necessarily in the individual's interest are necessary now and will be in the future to properly resolve in all areas of concern conflicts between individual and non-individual interests.

Thomas Jefferson said vigilance is the eternal price of liberty. Protecting the individual against the group will always be part of the American policy landscape and deserves our diligent attention. For health and health care to improve in an age of more and better health and genetic information a statement and reinforcement of privacy rights, along with others, is essential.

Now let me just turn then briefly to the life insurance industry. The life insurance industry has historically functioned I think rather well, it was up until very recently more or less, unless you're talking about very small death benefits to cover funeral expenses, for the most part a luxury for many Americans. And because there was very little personal health information available was generally done with lack of information on both sides that was personal and related to health. But we are at a moment of stress here in this system, technology as I've indicated in my testimony is changing that balance, we are generating reams, lots, both at the level of the genome and of personal health as well as in the storage, a lot more personal related information including personal health related information.

What I think is fascinating about this discussion is that our focus then turns to what part of individual personal privacy, that particular liberty and right, should we give up so that we can continue to have a functioning let's say life insurance industry, or other kind of benefit. And we are not really considering what other kinds of information that's held as private or protected and asking to understand and reveal more of that information.

For instance the life insurance industry holds much of its business practice entirely private and it's patented and copyrighted and is not available for scrutiny. This has to do with its underwriting practices of individual companies and many of its sales practices. And we actually only understand some of these practices when problems occur, we recently had a problem with the sale of policies to people in the military for instance. And I would suggest even, I did a little back of the envelope math, if in fact there is $16 trillion dollars of face value of life insurance in the United States currently and we have 200 or 300 million people in the United States, that's a lot, that's a lot of life insurance per person. Now that may mean that we do have a lot of individuals holding hundreds of thousands of dollars of life insurance policy, or it may mean that there is over insurance or multiple policies being sold, more than we actually know. The fact is is that's private information and it's very difficult for the states or for that matter for the federal government to have access to that information.

So I would only suggest that if we're going to have a discussion about what kinds of information which are important to be held private or confidential are then by act of how the system works having to be revealed to a business entity. And of course that business entity then shares that information with other business entities because much of the life insurance industry obviously involves re-insurance, that some consideration as to what needs to be revealed about that as well as what needs to be revealed by the private individual ought to be considered.

MR. ROTHSTEIN: Thank you very much and thank you to Ms. Meyer and Dr. Huguenard. The floor is open for questions. Harry?

MR. REYNOLDS: Ms. Meyer and Dr. Huguenard, obviously you mentioned that the life insurance companies are not covered under HIPAA and that you do get your information through an appropriate authorization to get that. One of the things this committee has heard testimony on in the past is the whole idea of marketing, using data to market. Since you're not under the protected health information scenario of HIPAA that's clearly defined and since you're not under the clear definition of how data can be used to market, as well as, and I'll add one other thing, this whole idea of a business associate.

So as you mentioned on one of your slides you have to be able to do business. More and more as people do business not with themselves, not just themselves, they build a network of people who do the business for them. So now you start becoming more and more and more removed from the HIPAA law in the fact that you're not a covered entity, now you don't have a business associate agreement, now you start, so based on some other testimony we had and some of the issues that's where I'd like to at least have you maybe, you mentioned these other state laws and everything else you're covered under but I don't, I didn't get a sense of exactly how those close the marketing door, how they close the business associate door, and by having a slide that you want to do business but with outsourcing and everything else going on the world is a different place in today's world so if you could comment on that please.

MS. MEYER: Yes, I can comment on that. For one thing if you look at the ACLI principles of support, the ACLI supports legislation that would actually prohibit a sharing of medical information for marketing purposes, we recognize that there is this heightened concern with respect to particularly the sharing of medical information for marketing purposes. The NAIC model GOB confidentiality law has specific health provisions that have been enacted and I'm not sure how many states, I would say roughly 20 states, 25 states, that provide that if in fact medical information is going to be used for insurance purposes it may be disclosed without authorization when used for insurance functions but authorization is required when in fact the medical information is being required for purposes of marketing and that operates by process of elimination.

And similarly the old NAIC Model Privacy Act, which is in effect in another 20 or so states, provides when in fact there is sharing of medical information with an entity other than an affiliate, an insurance affiliate, for marketing, authorization has to be obtained.

So there is no one set rule, the recent amendment to the Fair Credit Reporting Act which Professor Swire talked about today recognizes that in fact there need to be disclosures of medical information for insurance function and does not specify a particular rule for disclosure of medical information in that section, however there is a new section of the FCRA, another section at the end that requires that when there is sharing of any customer information for purposes of marketing the individual has to be given notice of the fact that the information is being shared and an opportunity to opt out of that sharing and there are some exceptions to that general rule.

So there are a number of different rules out there that address marketing in different ways but the fact is is that the life insurance industry recognizes that there is this particular concern about sharing of medical information for marketing purposes and in fact strongly supported the enactment of the National Association of Insurance Commissioners, NAIC Model in the various states where it's been adopted.

DR. HUGUENARD: Let me comment on business associates, a lot of the impetus to put business associate language in there is because in practice it was not a priority, people practiced, they didn't think about that, they were small entities or small groups. Groups such as life insurers who have contracted with people for years to do certain specific things, system development and research and such have had very similar kind of language, confidentiality language in all their contracts because they were businesses to begin with and appreciated how crucial it was to them staying in business to have those. So if you went back and looked today you'd find agreements that have been in standing with business associates, i.e., those outsourced if you will, kind of arrangements have been in place for years and years and all from the very beginning included very stiff language about confidentiality because it's been a sensitive issue since we've been in the business.

MR. ROTHSTEIN: Jeff?

MR. BLAIR: It's possible I may have missed this but does the life insurance industry have a policy towards either obtaining, storing, or using genetic information for either any purpose or specifically for the purpose of helping determine risk for insurance coverage?

MS. MEYER: The policy of the life insurance industry with respect to challenges concerning use of genetic information is that we recognize that consumers have a particular concern about life insurers' use of the results of genetic tests and genetic information. To our knowledge and for antitrust reasons we do not get into individual company underwriting practices. We're aware of no company however that requires individuals to undergo genetic tests. So for that reason we do not feel that there is any need for and in fact feel that it's premature given the state of the science to enact laws that would limit life insurers' use of the information.

Our biggest concern with these proposals is that they not either intentionally or inadvertently jeopardize life insurers' ability to underwrite based on traditional medical information and medical tests and it was discussed earlier today that it is very difficult to often distinguish between what is traditional medical information and traditional medical tests and what is genetic information and genetics tests. So we're very concerned that the ability, that these proposals not jeopardize traditional underwriting.

We are also concerned that if in fact there should be any limit that there be nothing that jeopardizes our ability, insurers' ability to know what a proposed insured knows when they come to us for coverage, in other words that we be able to underwrite based on information or genetic test results known to the applicant when they come to us for coverage, again so that we can have appropriate underwriting and our underwriting can be fair and we can determine financially sound premiums.

With respect to the confidentiality of genetic information we feel like genetic information in that respect is like all medical information and we feel very strongly as I said earlier that all medical information of our customers should be kept confidential and secure and that the level of that confidentiality and security should not be determined by the source of the information and by the nature of the information or whether or not the information may be characterized as genetic or not depending upon the source of the information or the particular definition.

MR. ROTHSTEIN: Dr. Billings, would you like to comment?

DR. BILLINGS: Yeah, I just, I made the comment earlier that the underwriting practices of individual life insurance companies are largely unknown. While some state law prohibits certain kinds of underwriting practices, whether it be race based underwriting or by geographic area or other kinds of characteristics, many of the practices, much of the individual detail of how life insurance policies are handled really aren't known. And I think the operative word here is what is required in an application to proceed with the consideration of a contract for life insurance. What is currently required in most contracts is that much of the list that we saw just presented, MIB, five years of past medical history, consultation with treating physicians, things like that. Exactly whether other things are then required for the contract to proceed, including in some cases comments like we will reconsider your application if we know the result of a particular medical test and that medical test may be a genetic test, is individual underwriting practice and again we really don't know the frequency of those kinds of events.

MR. BLAIR: I sort of need a little background information for me to determine whether my actual question is relevant or not. I have the impression that most folks that apply for life insurance are the principal providers of finance for their families and that they're doing so especially at the times when their children are being raised and maybe up through college. And then after that they are protecting, trying to provide financial security for their spouse, and then as they begin to approach retirement age the need for the insurance drops off and I guess I'm thinking, of course, in terms of term life insurance and I'm almost assuming that all of your testimony has been in terms of term life, not full life. Is my impression of the profile of use of insurance, if it's what I said or am I wrong?

DR. HUGUENARD: I think that that traditionally has been true, I think we need to recognize today bread winners are usually two in a family rather than one so that's important. There's also been even the wife who's working at home rather than out has a financial value to the family and so we recognize that for life insurance. Certainly dependents, whether they be spouse in some cases or more commonly children, are one of the drivers that lead people to want to provide financial protection, so that's absolutely correct.

Later in life you're right, there's the surviving spouse, whichever, husband or wife, is one of the drivers. And then of course we see at least under the previous tax laws a need for what's been called estate planning and such for individuals that have high net worth will purchase life insurance to help with costs of settling an estate and the taxes involved in that. So those are the common drivers on an individual basis but we have many small companies in this country which are run by two or three individuals and it's very key to those companies that at the time one of those individuals dies what happens to that company, is there money to buy out if you will the other partners, is another important thing. There are also companies in this country that depend on one or two key individuals, even though they may be larger companies, for the product or for their ideas and it becomes very important for those usually relatively small companies to have protection against the loss of the individual that makes that company what it is so those are other drivers and there's a whole host of others.

MR. BLAIR: Thank you. Given your response then I'd express my concern, and my concern is that with the information that's been available so far the health insurance industry I think has been able to serve people at risk reasonably well --

MR. ROTHSTEIN: Jeff, do you mean life insurance?

MR. BLAIR: Life insurance, I'm sorry, I said health insurance, I meant life insurance, thank you. My concern is that if life insurance companies have access to genetic information and they are using that for risk purposes the individuals most at risk, that need insurance coverage for their families the most, will be those that will be first to be left without protection. Where is my thinking wrong?

DR. HUGUENARD: Well, I think the first thing and I think Dr. Billings can speak to this too, there are relatively little predictive genetic information that is right at the level of I would call deterministic, very few genetic findings will actually somebody is going to die. So for most of the genetic information we're talking about may have nothing to do with mortality at all, if it does have something to do with mortality it may be some small contributor in your lifestyle and a whole host of other things come into play. So that as a practical matter at this point the amount of predictive genetic information that one would say you're just not insurable is minimal and likely given my understanding at least of the genome in humans not going to be a whole lot of new findings there. So the overall impact of predictive genetic information on denying people for life insurance is going to be very small.

MR. BLAIR: If I may see if I understand you correctly, when you say it's small you mean the number of individuals that would be affected is small? In terms of there being either a significant rise in the cost of health care to those individuals or them denied coverage, is that correct?

DR. HUGUENARD: Well, I'm not speaking to their health care right now, the cost of health care --

MR. BLAIR: I'm sorry, I still meant life insurance.

DR. HUGUENARD: With respect to life insurance there are a small number of genetic, gene line genetic conditions for which one could say that the very presence of that is predictive of mortality --

DR. BILLINGS: If you don't mind, unfortunately, I mean the statement of the science is in fact true, which is that on a population basis the ability for a single gene or even a multi-gene array to accurately predict with very high degrees of certainty a mortality outcome or even a range of morbidity outcomes is yet, very poorly established for basically everything in the genome. That said if you look at the actual practice in life insurance underwriting of the use of shall we say not very good predictive information the fact is that it gets used. Take for instance hemochromatosis, there's a perfectly nice genetic disease where there in fact now exists predictive, pretty good predictive DNA based tests, which is also treatable and in which when treated has a normal life expectancy. Now there were many years, and this has been known for many years, there were many years where if you had hemochromatosis, whether you were treated or not, you were uninsurable as a life insurance risk. Now that's changed for the most part in the industry but it didn't change immediately and the fact is is we really don't even know that it's changed because as I said we don't really understand the underwriting practices very well.

MR. ROTHSTEIN: Well, it's interesting, this morning we talked about, at least I did, two different kinds of discrimination, one is discrimination in which people feel that their health information is going to be used inaccurately by the decision maker and certainly the misuse of hemochromatosis historically is a good example of that. I think Jeff raised initially however the issue of the unfair accurate use of information by an insurance company to deny coverage and I would answer that, Jeff, by saying that's the nature of life insurance because taking it out of the genetics context, to use your example, the people who need life insurance the most are the people who are in the ICU and the people who have fatal untreatable disorders, and I don't think anyone is suggesting that life insurance companies in the, they wouldn't even be life insurance companies anymore, they would be just sort of like a social welfare agency, should offer them life insurance at standard or even affordable rates when someone has hours or months to live.

MR. BLAIR: Actually if I can, I wouldn't argue with the scenario that you just offered, what concerns me is that somebody who is in their 20's and just starting a family and with the need for life insurance coverage for their family might be denied life insurance because they have a genetic disposition to something that might hit them in ten, 15, 20 years and they have a special need and in this case they're exactly the ones who will be denied. And I'm just wondering, I think that from a business standpoint I understand that life insurance companies want to be able to reduce their risks, I'm just thinking though that this is a dramatic change --

DR. BILLINGS: One aspect of the dramatic change, another aspect of what you're calling a dramatic change is the focus of this technology on childhood, newborns, the expansion of the number of tests that states are running on newborns, much less private companies are offering in the newborn and pediatric period, is breathtaking. And in fact that makes sense because the probability that you can prevent some risk that you identify through a genetic test in childhood, you have a longer period of time to prevent the outcome in many cases. So what we're going to see and what we are seeing slowly but which will pick up as the cost points come down and the technology gets a little better is an explosion of risk and predictive information present in kids, done for health purposes or for other kinds of social engineering purposes, on children by their parents with great glee. And I think that that's going to then have a lot of younger adults starting to buy contracts for all sorts of things where that information may actually have some legitimate business purpose or maybe not such a legitimate business purpose.

MR. ROTHSTEIN: Robbie, did you want to respond? And I would ask you to make it brief please.

MS. MEYER: Absolutely. I think I would just try to reiterate the fact that as I said earlier, indeed 98 percent of the people who apply for life insurance actually are offered coverage, 96 percent of those individuals at standard or better rates. So unfortunately while we'd like to be able to insure everyone 98 percent of those who apply are approved for coverage. There are thousands of life insurance companies all over the country that offer different types of coverage and there are a number of companies that specialize in certain risks and I would conclude with yes, we are ready to have dramatic change but as we said earlier a lot of the dramatic change in science has actually made it possible historically to insure more people at better rates. And even though more and more tests may be done on children it's very likely that those tests are going to tell us good things and not necessarily adverse things about their health. But in conclusion the vast, vast, vast majority of individuals who apply for life insurance are offered coverage under the system.

MR. ROTHSTEIN: Ms. Fyffe?

MS. FYFFE: Just as a point of information, I recall reading in my past I believe that in some other countries there's a tiered system by federal law whereby everyone is entitled to a base level life insurance policy without having to submit medical information, and then if you want to buy something above that then you do have to submit, can anyone comment about that just so that folks are aware of that?

DR. HUGUENARD: I've heard the same thing sometime but those countries that you're referring to tend to be part of the European Union and they have a very different approach to life insurance as a social good rather than a financial product sometimes. And so yes, it might be true, I have heard about that --

MR. ROTHSTEIN: Yes, it is true, those are indicated --

DR. HUGUENARD: -- but it's also in a very different system than we have here and certainly today we have if you will a life insurance product in Social Security that most people totally ignore and that is that if you are one of these young people that Jeff referred to over here as having a genetic problem and you are working your dependents have life insurance coverage under Social Security that will run until they're age 18. And certainly in a system where everyone is required to participate almost anything is coverable when it's in small amounts like this, no question.

MS. MEYER: And to that point also years ago --

MR. BLAIR: That's kind of what I was looking to hear a little bit so thank you for that point.

MS. MEYER: In England as I think I alluded to the fact that I believe individuals are required to purchase mortgage insurance when they buy a house and so insurers were required years ago I think to issue up to 100 pounds of life insurance without underwriting. The fact that the

MR. ROTHSTEIN: 100,000 --

MS. MEYER: 100,000 pounds, so the fact that the system there is different which was Joe's point, the fact that the purchase was or is required there while it's voluntary in this country, it makes it so you can't compare apples to apples because it's just a different system and the vulnerability to adverse selection is different.

MR. ROTHSTEIN: I'd like to switch gears a little bit and move off genetics for a second and go back to some of the discussion that we held this morning, and this morning in the introduction session and to some extent in the employment session we focused on whether it would be possible, feasible, to develop a way in which the end users of the health information could still get enough information to do their job but yet not necessarily disclose everything in the medical file that would include material that was irrelevant for them to do their job.

And so I would like to ask you, Joe, if you would accept in principle limitations on the disclosure of medical information to you in your role as a medical director, in other words to do medical underwriting, and I'll give you an example. If you wanted to do this, restrict the way, the amount of information that insurance companies got you could do it in one of two ways. You could come up with a list of stuff they can use or a list of stuff they can't use.

Just for example I want to go to the list of stuff that they can't use, because I think that's easier, and this morning I mentioned that in a study that was published in 2003 the number one thing on the list in terms of the most sensitive medical information according to various patient was abortion history. And in my knowledge and correct me if I'm wrong, a history of having an uncomplicated abortion is not a mortality risk for the woman, so the question is if we could do it somehow would you support some sort of scheme in which you now get this authorization and you get information, the medical record, but certain things that by agreement are sensitive and not necessary for you in your underwriting process just don't get there.

DR. HUGUENARD: That's a lot of questions but let me kind of --

MR. ROTHSTEIN: Well, pick two or three.

DR. HUGUENARD: Let me kind of step down here a little bit. First of off just to reflect back, one of my problems as a medical director if I'm looking at a case and trying to classify the risk is I have to look at information on somebody who's maybe 25 or 30 years old knowing that we're going to be on that risk for the next 50 years. Therefore it's very difficult for me to think of a list of things, just purely on medical, leaving the social medical things out, medical things that I wouldn't want to have access to in certain situations, not all, most 25 year olds we don't even go out for extra information. But if there was a medical problem, they said they saw a doctor and they had some problem, I'm trying to think of something that I could actually say would not have an effect on their life over the next 50 years that I might want to look at on an individual case, so it's very difficult that way.

I do agree with your conclusion that coming up with a list if we had to have a list of some type, it'd be much better to be doing it on what cannot rather than what can, because the can would go like a Webster's dictionary of all the things that you might have reason to look at because they have a mortality effect that you could show somewhere. So if we then go to that question, is there a list of cannot, what I'd say is insurance today already has a short list of cannots, we do not ask on the insurance application your racial background, though that's always hard to tell anyway, but by public policy it's not allowed to be used in insurance at this time. We accept that, we endorse that and it's a good public policy position. That's just not usable.

Now if you're saying are there certain public policy things that do not have anything to do --

MR. ROTHSTEIN: No, actually I'm saying something different because in the area of race we say notwithstanding a demonstrable difference in mortality risk for policy reasons you can't use that. In my example I'm saying that because there are no mortality risks associated with a certain medical condition you can't have that, so I think it's a little different.

DR. HUGUENARD: Well, I agree that your example, would I ever consider a woman who had an abortion to have a significant mortality effect from that? Barring some complication which would no longer be the abortion, some infection or something else, that no, there isn't. But I would say as a practical matter you could sit and go through lists and say how many of those will there be and you know what was on the list as well as I do 15 years ago, it was HIV, so we could say well that's the most sensitive thing so we shouldn't have that. But that does have --

MR. ROTHSTEIN: Well, the argument was made for other reasons, not because there was no mortality risk. I recognize that you don't want the nose of the camel under the tent and I recognize that there is a sort of a practical medical problem with what you're going to put on the list but I'm just trying to find some level of willingness to accept less than perfect information in the furtherance of an important privacy goal. I want to ask Dr. Billings if he wanted to respond --

DR. HUGUENARD: Let me come back, I think the practical limitation that I'm talking about is not on the life insurer, the practical implication as a physician I'm thinking about is that me keeping my records in such a way that that information never gets attached to anything else that's released, it becomes almost impossible.

MR. ROTHSTEIN: We talked this morning about a new electronic health record system in which that information would be in the system but it would not be in a field that would be released to life insurers.

DR. HUGUENARD: Let me give you a for example, if you are a woman and you go in for your routine physical quite often your obstetrician will note this is a woman who's gravida 2, para 1, means she's been pregnant twice, had one child, abortus 1, means she's aborted one. It's just a little note, not on the abortion but on your overall health care. To go through and cleanse the record of all those references I think puts just an enormous burden on the practitioners.

MR. ROTHSTEIN: That's why we need to do it via an electronic health record system if that could be developed. Paul?

DR. BILLINGS: I have a couple of responses to your hypothetical, Mark. First of all as you know whenever studies have been done about the privacy of the medical record or that privacy has been assessed in medical settings or in non-medical settings, the privacy of medical record is a kind of a myth, right, in a typical hospitalization, whatever it is, 80 or 90 people access the medical record, some of whom have good reason to access it and some of whom have less than good reasons to access it. So it would seem to me, and in the limited way that it's been done in non-medical settings the same is true, so it would seem to me that one principle of your system would be consumer notification each and every time the record is accessed. And I think that what you might then find is that some companies would then begin to compete on the basis that they intrude or access it less, that is they make one access and they sort of respect the privacy of the medical record more. So I would think that built into an electronic system would be very accurate and timely consumer notification of access to personal information.

The second thing I would say is that rather than listing all the things that might be excluded from appropriate assessment by a non-covered entity third party whatever you want to call it, that you might also want to include that those things that are assessed have some evidentiary basis for their assessment. There are examples within the insurance testing industry of tests which are used, either as surrogates for other tests or because the cost of the primary test is too expensive to do on a bulk basis or whatever, where the evidentiary basis for the use of that test is poor or the test has other informative capabilities which were not revealed or known. So I would think that you might hold the industry to an evidentiary basis.

MR. ROTHSTEIN: Okay, I have one quick question and then we've got a question from Dr. Rippen and that is, and I guess this goes to either Robbie or Joe, is it possible that medical underwriting now involving the use of personal health information could be done offshore by contractors hired by life insurance companies? Do you know whether that's taken place?

MS. MEYER: I don't know, I mean, Joe, do you? Can you respond to that?

DR. HUGUENARD: If your question is do I know if it's being done offshore, no, I haven't heard of that. Could it possibly be done offshore? Well, there are people whose jobs have been outsourced in the last year who didn't think it was possible, such as some friends that I know that are radiologists whose x-rays are now being read in India, so I think the answer is could it be, yes, but I think that might apply to everything every one of us is doing in the room, could we be offshored, I think ultimately yes.

MR. ROTHSTEIN: The reason I raise that is because of the obvious privacy concerns when you're going to someone who's not even working for a covered entity and maybe working ten levels down.

MS. MEYER: I can respond to that. I don't know whether or not and I'd have to look at whether or not the Unfair Trade Practices Act would extend to activities performed by a third party contractor and I think they would. But I have looked into whether or not the privacy obligations under Gramm-Leach-Bliley to keep information, customer information secure and confidential we believe very strongly that those obligations extend to activities by third party service providers. So it doesn't matter where the information goes, if an insurance company shares the information outside the country with a service provider, either an affiliate or non-affiliate outside the country, they continue to have their Gramm-Leach-Bliley security obligation --

MR. ROTHSTEIN: In theory.

MS. MEYER: Well, I think the regulators could come after us to the same extent they could for violations in this country if in fact they could prove that it happened, I mean I recognize that's an issue. But we do feel strongly that those security obligations that we're subject to under Gramm-Leach-Bliley and all the state laws that implement the GLB security obligations continue regardless of where the activity is taking place.

MR. ROTHSTEIN: Thank you. Dr. Rippen had a question and then Harry.

DR. RIPPEN: One question and just one observation. If you have a member gets genetic tests and you have that record and they die and their child then wants to get insurance from your organization, is it possible or would you have access to the father's genetic profile?

DR. HUGUENARD: It doesn't happen I'm sure very often at all but the reality is that we would have access to what the child gave us in terms of family history, in other words that a parent died at a certain age. We would not that I know of be able to access the parent's medical record because the child cannot release that --

DR. RIPPEN: No, you already have it though, in theory --

DR. HUGUENARD: You're saying would it be in our old files? Well, number one, I doubt, even if we had an inclination, we could ever find that. And number two we do not underwrite people from other people's records, the only person we underwrite is on the records of that individual.

MR. ROTHSTEIN: So there are states in the United States, Kansas for example has enacted a law that prohibits insurers doing business in Kansas from underwriting X on the basis of Y's records. And so I take it you support that legislation?

DR. HUGUENARD: Not only support, I think that's always been the practice. And then there was a question off to the side about MIB, MIB does not contain medical information in the sense that it's at all usable for underwriting, what it includes is flags that say somebody was in and had some problem and we never underwrite from MIB, we simply say ah and then we go back to the applicant and say can you tell us about this.

DR. RIPPEN: The other observation was there was a discussion about the usefulness of having genetic information in underwriting in general and then the perception of the public that they don't want you to have information, genetic information, and actually would not even have it done because they were concerned that it might wind up in life insurance. And then we also know that that information may actually benefit the individual in the future with regard to treatment, which then results in a reduced risk for life insurance. So I guess in situations like that are there ever approaches to say well this is information that we would say we wouldn't, we'd exclude?

DR. HUGUENARD: It would be difficult to say that because I think in order to keep the system in balance, if you as the applicant know something about your health and you're entering into a contract and we're saying essentially that we're going to write a contract that says oh, you're as healthy as the next person but you know that isn't true, there's a misbalance --

DR. RIPPEN: No, I'm saying before, I mean you decide not to get tested because you're concerned, I'm not talking about fraud or implied --

DR. HUGUENARD: You're talking about behavior in individuals --

DR. RIPPEN: And the implications downstream.

DR. HUGUENARD: My impression is that despite some of the information this morning most people who do not get genetic testing do not get that because they don't want the results, or their family brings pressure, I know a number of women who have not had breast cancer genetic testing because their sisters don't want them to know because it would have implications for them. And I think there's many, many things operating and even though I think life insurance is important I really don't think it makes the top list of reasons people don't get genetic testing today.

MR. ROTHSTEIN: Mr. Reynolds, last question.

MR. REYNOLDS: In the HIPAA privacy rule at least we have covered entities minimum necessary, I haven't heard those words come out of your mouth at all, I haven't heard those, and especially since we heard some testimony this morning and in my regular job, when you ask for a medical record, even if you, in other words you listed for example that you don't ask for race on an application but I'm more --

DR. HUGUENARD: -- medical record, that's just something I've seen in the last 30 years.

MR. REYNOLDS: You tend to get a complete record, hospital notes and everything else --

DR. HUGUENARD: For the period of time and if you've told us something --

MR. REYNOLDS: I guess back to Mark's earlier comments, whether it's minimum necessary or whether it's a list of exclusions or whether it's the other things, especially as you, because minimum necessary has at least required people that are covered under HIPAA --

MS. MEYER: We're subject to that. Because we, don't forget we can only get the information as permitted under HIPAA --

MR. ROTHSTEIN: No, actually you're not, Robbie, because when you get pursuant to an authorization the minimum necessary doesn't apply.

MR. REYNOLDS: Once you get it, there's a difference between what somebody sent you because if you ask for, if you get an authorization you are more or less asking for a particular situation because they wrote down I have this, so you say okay I want authorization to get your medical information. Most people don't know that you're not just getting the information on that particular situation.

DR. HUGUENARD: No, no, actually when, we'll tell people that essentially we're after, we do not say we're only going to get the information on your skin cancer, we say we'll go after the medical information, because it's too limited for us --

MR. REYNOLDS: But as you look at most medical records now tend to deal with diagnosis and procedures and things that have gone on, when you get into this genetic testing and everything now you're starting to get into dramatic future indicators and those a lot of times will come forward with it.

DR. HUGUENARD: I think I'd use the word potentially dramatic future indicators because the actual number that are really dramatic indicators in the future are relatively rare.

MR. REYNOLDS: Well, at this time. And again, you can with technology and everything now you can stamp a point in time, whether or not that point in time stays is what we're trying to oversee, we're not just making this decision for today, we're also hoping to put things in place and put positions in place that are going to hold for more than an hour and a half of the technology changes that are going on.

MR. ROTHSTEIN: Well, I want to thank both of you for your fine testimony and Dr. Billings had a plane to catch and had to leave just a minute ago, it was very enlightening, appreciate your coming here, we will take a ten minute break and begin at 2:50 with panel number four and I apologize to the panel four members for the late start.

[Brief break.]

MR. ROTHSTEIN: Good afternoon everyone, we are back for the fourth of our panel discussions today and throughout the day I know our last panel members didn't necessarily hear our prior hearings but one of the frustrations that we had all day was we spotted problems that we would have liked to have been able to solve and yet we weren't able to solve them and we were sort of continually flailing around and working to try to solve them, but fortunately you will solve all of the problems that we have identified today.

So our first problem solver of the day is Amy Bergner, welcome.

Agenda Item: Approaches - Panel 4 - Ms. Bergner

MS. BERGNER: Thank you. I'm Amy Bergner, I'm an attorney with the law firm of Reed Smith here in Washington but I'm here today on behalf of the Society for Human Resource Management.

SHRM is the world's largest association devoted to HR management, it represents more than 190,000 individual members and the Society's mission is to serve the needs of HR professionals by providing the most essential and comprehensive resources available. As an influential voice the Society's mission is also to advance the human resource profession to ensure that HR is recognized as an essential partner in developing and executing organizational strategy.

SHRM is well positioned to provide unique insight on the issues surrounding the disclosure of health information in the workplace. HR professionals are at the forefront of employer benefits in designing and administering health care plans to recruit and retain employees. In this capacity HR professionals confront numerous challenges organizations face as they strive to balance legitimate business needs of the organization while maintaining the confidentiality of personal medical information.

It's understandable that individuals worry about their health information being accessed by third parties. Some fear that the unauthorized disclosure of their medical information will be used to deny them employment or health care coverage. Some have expressed concerns about protecting their privacy where the disclosure is made with the individual's authorization. First let me underscore that SHRM strongly supports efforts to protect the privacy of medical records and health information in the workplace. However, there are certain disclosures of health information that are legitimate and necessary for the employer in the process of administering benefits.

SHRM believes that protecting the confidentiality of medical information in the workplace is a high priority yet employers must negotiate the balance between an employee's right to privacy and the employer's legitimate need for essential health related information. SHRM recognizes that health information should not be disclosed to an employer for unlawful reasons, such as decisions to hire or to terminate employment because of a disability.

Employers already have to comply with numerous laws, including the Americans with Disabilities Act, the Family and Medical Leave Act, worker's compensation laws, and the HIPAA privacy rules. A fundamental element of each is the collection and use of an employee's medical information.

My remarks will focus on the following areas, first, the legitimate need for health information by employers, second, the challenges for employers in protecting employee health information, and third, the steps or approaches employers are taking to safeguard this sensitive information.

Probably the primary area in which HR professionals come across employee health information is in the area of health care plan design and administration. Of course a motivated and productive workforce is key to the success of any organization and employee benefits are a critical component of that. Health care coverage is one of the most important but also the most expensive benefits that employers provide. In designing, implementing and administering this benefit HR professionals and their outside consultants need access to individual health information.

In designing the appropriate health care benefits for its workforce HR professionals depend on access to plan beneficiaries' health information to determine the features and levels of benefits offered in their plans. For example, in setting annual out of pocket limits the employer needs to have health claim data on expenses based on its particular workforce. Similarly HR professionals need health information to assess plan design and operation and make changes where appropriate. While most of this data is in aggregate form individual data is at times also necessary and should be readily available to the HR staff who need it.

In health care plan administration HR professionals frequently engage outside consultants to provide them with methods and programs for among other things identifying and treating high risk, chronically ill or seriously ill employees more effectively than can be done under their existing health plan programs. In those circumstances HR managers and others will often need access to relevant health information from employees, their families, and their providers, and share that information with consultants. They may also need to receive health information from the consultants directly.

An HR professional in many instances will also need and use summary health information and that sort of information is already governed by HIPAA which permits the use and disclosure of health information and permits limited disclosure without authorization.

Finally employers use health information to assess an employee's eligibility for other non-health benefits, including disability, worker's comp, wellness benefits, and some employee assistance plan functions such as tracking compliance with substance abuse treatment programs. In those programs employee information often must be shared among the different benefit programs in order to allow an employer to design, manage, and tailor their health benefit plans more appropriately to meet the needs of the employee population, to improve health benefits effectiveness and quality, and to manage the various programs more cost efficiently.

Of course the HIPAA privacy rule already permits a group health plan to disclose individually identifiable health information to an employer that sponsors the health plan provided the information is used for plan administration purposes. In order for a group health plan to disclose information to the employer there are a number of administrative steps that have to be taken including amendment of the plan documents and certification by the employer. The employer is also required to establish firewalls so that only employees who need health information to perform functions on behalf of the group health plan have access to such information. And of course the minimum necessary standards of the HIPAA privacy rule also apply.

One of HIPAA's main objectives is to ensure that employers don't misuse employees' private health information available to the employer through the sponsorship of the group health plans. So of course it would be illegal for a supervisor to ask someone in the HR department whether an employee who's up for a promotion has a chronic health problem that might interfere with productivity.

HR professionals also obtain health information in the process of advocating on behalf of plan participants with benefit questions, disputes, or appeals. And this is one of the areas that has probably caused the greatest challenge post HIPAA to HR professionals. It's not uncommon for an employee to ask HR to contact the health plan on the employee's behalf to get a claim paid or to inquire about a covered benefit. Administering the health care benefits from an HR professional's perspective also includes helping employees understand the benefits and the processes. And in many ways HIPAA has made administering health care benefits more challenging. In practical terms compliance with the HIPAA privacy rule in the context of an employer's group health plan tends to delay the resolution of certain issues and can create confusion and frustration for employees.

Turning to disease management and wellness programs, which are also kind of cutting edge programs that a lot of companies are implementing now, employers are embracing disease management programs to improve the health of their workforce. We help a patient work with physicians to manage chronic conditions like asthma, diabetes, heart disease, to improve quality of life, and can potentially help prevent emergency care or hospitalization needs. Disease management programs increase productivity and reduce medical insurance costs, both of which can have a dramatic effect on the bottom line.

But in determining whether their organization is a good candidate for a disease management program HR professionals and their outside consultants start by gathering data on the frequency, severity and consequences of diseases and illnesses among their workforce. The information is often gathered from claims data provided by the health insurance plan or the insurance company that is administering the plan and the prescription drug plan. In most instances, and as many HR professionals would prefer, this information has no individual identifiers but rather reflects population based data. Information is then used to structure a disease management program that best meets the needs of the workforce. So in analyzing the claims data the HR professional and outside consultants can determine the workforce's disease profile, for example they may decide that the disease management program should focus on chronic diseases like diabetes or asthma rather than conditions that are not as prevalent in this particular workforce like hypertension or allergies.

Employer sponsored wellness programs are another instance where employers may uncover health information. Faced with continued increases in premiums many employers have implemented wellness programs to improve the overall health of their workforce and control costs. According to a recent SHRM study 56 percent of organizations are providing wellness programs for their employees.

Establishing a wellness program often involves a confidential individualized health risk assessment done by an outside consultant for each individual who signs up for it and provides him or her with a roadmap of how best to lower his or her individual health risks. In conducting the risk assessment information is collected that may include family history, blood samples for cholesterol screening, and other health information. Employers that are offering wellness programs aren't conducting these programs to gather health information on employees, but rather simply trying to improve the health and safety of their workforce and plan beneficiaries.

In most instances employers don't receive the results of these individual risk assessments and therefore they don't receive or maintain individual health information. However, in order for employers to measure the value of such programs they need access to aggregate level health information such as utilization rates or treatment outcomes. This type of analysis assists employers in determining the appropriate programs to implement as well as to determine if the wellness program is meeting the goal of a healthier employee population.

Employee assistance programs have been around a little bit longer and they provide services that allow organizations to help employees and their families in identifying and resolving personal concerns that may include health, alcohol, drug, legal, and other issues that can affect job performance. In most cases HR professionals only learn of an employee accessing these EAP type benefits when the employee voluntarily requests information. In this context the HR professional will protect the employee's privacy by keeping the information volunteered by the employee confidential and indeed most contracts between EAP providers and employers specifically state that the information the employee provides to the EAP is confidential and not accessible to the employer.

In other cases there may be mandatory referrals to an EAP in the event of a substance abuse situation, many companies require a mandatory referral to an EAP after an employee has turned up with a substance abuse problem. The EAP would have authorization to disclose limited information to specific individuals at the employer who have responsibility for monitoring the employee's adherence to the EAP program. For example the EAP might report that the employee had attended three out of five sessions but they wouldn't necessarily report any particular individual health information or treatment.

In some cases these disclosures are already subject to the HIPAA privacy rule, or as I mentioned the contract between the EAP provider and the employer already contains confidentiality provisions. In other cases internal procedures of the company would require the HR or other internal staff to protect the employee's privacy. Other areas where HR professionals come into employee health information in the work context would involve pre-employment screenings, worker's compensation, workplace safety, and family and medical leave requests.

I'm just going to touch briefly on the Family and Medical Leave Act situation because that's probably the most prevalent situation where HR professionals would come into medical, more detailed medical information. As you know the FMLA allows an employee to take up to 12 weeks of unpaid leave for a serious health condition of the employee or a family member. In order for an organization to determine whether an employee qualified for this type of leave the employer has to collect relevant medical information on the nature of the serious health condition. An employer may and often does require a doctor's written certification before an employee takes medical leave for a serious health condition.

The documentation received in the form of this certification is considered an employment record, not a health care record, and is technically not subject to HIPAA. Nevertheless in practice employers treat such records as confidential and use them solely to verify the need for leave, the extent of the leave, the employee's fitness to return to work, or any schedule accommodations that might be required after an employee's return. Requiring any additional layers of screening of health information could delay an employer's ability to grant the medical leave, which would negatively impact the employee and would fail to secure additional protections.

I know that you're anxious to have us solve the problem so I'm going to skip over some of the prepared remarks and if you have questions about some of those areas we can go to them later.

Now I'd like to briefly summarize the challenges for employers in protecting employee health information. The administrative burden, including oversight, reporting, disclosure, tracking, legal and staff training activities and the expense of compliance with the numerous federal and state laws that govern employers' use of health information may be overwhelming for employers. HIPAA has already resulted in major new expenditures for employers, including expenses for redirection of staff time to compliance activities, software and hardware acquisitions, and lost business opportunities. Now employers are in the process of complying with the adjunct HIPAA security regulations, also a time consuming and costly effort.

Ensuring legal compliance with the vast array of federal and state human resource laws is growing increasingly complex. According to the SHRM 2004-2005 workplace forecast strategic outlook the most important HR trend that impacts the workplace is the growing complexity of legal compliance. Moreover penalties for violating HIPAA's privacy regulations loom large over employers, civil penalties of course can be assessed at up to $100 per day per violation, up to $25,000 per violation.

SHRM believes that a voluntary common sense approach built on best practices and current law represents the most appropriate approach to the issues surrounding third party disclosures of health information in the workplace. SHRM members already are subject to numerous laws and regulations governing the privacy and confidentiality of health information. Aside from these mandatory approaches most HR professionals have adopted policies or procedures that are designed to safeguard individual health information. Even prior to the HIPAA privacy rule employers had taken numerous steps to safeguard employee health information. For example employers never allow health information to be reviewed by employees that do not have a need to know.

In complying with the HIPAA privacy rule many employers have already looked at their policies and procedures with respect to all types of health information. For example under HIPAA in order to protect employee health information employers must develop appropriate safeguards to protect against unintended disclosures of private health information in their group health plans. In conjunction with that activity many employers extended the same or similar safeguards to non-group health plan health information. Employers have implemented internal policies governing access to medical records, including keeping a log to record when an employee's health information is disclosed. Employers must provide and document the training of employees who have access to health information as well as develop a system of sanction for those individuals who violate the privacy policies and safeguards. It's safe to say that the level of understanding and sensitivity to the confidentiality of health information in the workplace has been much heightened since HIPAA.

While SHRM sees safeguarding employee health information in the workplace as a high priority SHRM believes that current law adequately protects the privacy of employee health information. Any proposal that would mandate new laws for employers regarding the privacy of health information would be a serious concern to SHRM and its members. In addition SHRM would caution against any approach that would add to the time and cost of compliance with the existing protections for health information as the ability to respond to the needs of both the employer and the employee in a timely manner is critical.

Further, any third party involvement would likely result in more frustration and inaccuracies for all involved and would be counterproductive and may increase the probability of unauthorized disclosures of health information.

In conclusion it's important to keep in mind when this body is providing recommendations to public policy makers that the collection and flow of employee information is an important issue for employers. In many respects employment information is a double edged sword, with proper information employers can make informed employment related decisions and provide wonderful benefits for their employees, improving the quality of their life. As a general rule employers should only collect information that they may legally use in making employment decisions, ensure such information is properly retained, and limit access to the information.

I'd like to thank the committee for the opportunity to appear before you today and will be pleased to respond to any of your questions regarding my statements.

MR. ROTHSTEIN: Thank you very much, I know we're going to have some questions for you but we will defer for a few minutes until we hear from the rest of our panelists, Dr. Baker, please.

Agenda Item: Approaches - Panel 4 - Dr. Baker

DR. BAKER: My name is Dixie Baker and I'm group vice president for technology and the chief technology officer for the health and life sciences practices at Science Applications International Corporation. I've worked in the areas of information protection and high assurance architecture for over two decades and for the past six years I've applied my knowledge and expertise to the areas of health care and public health. Today I am representing the Healthcare Information and Management Systems Society, or HIMSS, the large membership organization representing health care information systems, users, vendors, and consultants.

We applaud the subcommittee's recognition of the privacy risks posed by the release of electronic health records to third parties. Clearly given today's technology and business environment limiting the exposure of electronic health information released to third parties is a daunting challenge. Yet some emerging and existing technologies offer potential solutions. I will begin my testimony today by describing the prevailing security model. Then I will set forth the business and personal imperatives that drive a set of requirements. Then finally I will describe what I see as the most promising technology solutions.

The historical and currently prevailing security model is based on the granting and denying of subjects' requests to access objects. Security mediation and enforcement within this model consists of four steps, the authentication of the subject's identity, mapping the subject's identity to a set of access rules relating to the requested object or privileged action, allowing or denying access to the requested object or privileged action, and finally auditing the access or action.

This model is designed to keep the bad guys out, it's not very useful for allowing controlled sharing and collaboration. The first problem is that this model assumes and requires that all subjects and objects be under the control of a single trusted mediator. Secondly, this model is too rigid, it does not allow context-specific flexibility. For example, the model does not allow for emergency access as required by the Health Insurance Portability and Accountability Act security rule. Third, this model enforces security policies on protected objects at a uniform level of granularity throughout the system with protected objects usually taking the form of files, folders, database tables, and file systems.

Finally, this model does not enable security policy to persist throughout the life of the object, when a subject is granted read access to an object she is also able to copy that object and can then share it with others. For example, if I'm able to read a file I can save it to another name and email a copy to whomever I choose. Today, the ease with which digital files can be copied and transmitted is resulting in serious breaches of copyright laws, particularly in the entertainment industry, we see that in the paper daily.

Cryptographic schemes follow this same basic model with two important exceptions. First, encryption is applied to data and not to the objects in which those data are stored. The bad guy might have access to a file containing secret data but if those data are encrypted then the information is still protected. Secondly, cryptographic solutions control access to information through the distribution of secret keys rather than by mediating each subject's access to an object. That is at some point someone, or something, authorizes a subject to access encrypted data by giving them a secret cryptographic key. Once they have this key they can unlock the data whenever they want with no further mediation required.

Public-key cryptography adds a new twist by eliminating the need for the two people to share a single secret key. Public-key cryptography uses two keys that are mathematically related in a way that if one is used to encrypt data the other is needed to decrypt those data. One key is made public and the other is kept private. So if I want to give someone access to my data I simply encrypt the data using the person's public key so that the only person who can decrypt the data is the person holding the associated private key.

The business imperative we are addressing today is the need for third parties, such as employers and insurance companies, to review individuals' health information in order to effectively manage business risks that might be accrued in a relationship with that individual. Naturally the third parties' desire is to have as much of the individual's health information as possible so that they can construct a complete picture of associated risks, and I think you've heard multiple instances of that today.

The personal imperative is to protect personal privacy by releasing a minimal set of information to as few people as possible. Further, we want assurance that the rules we place on our information will be enforced into perpetuity, not just for the initial release. We do not want our insurer to be able to pass our health information on to other business partners. Because privacy is values-based no consistent set of rules will work for every person or with every third party.

These conflicting business and personal imperatives present a significant challenge from both social and technological perspectives. Addressing these imperatives is clearly beyond the reach of today's security technology model and clearly beyond what is required by the HIPAA security regulation.

To effectively and safely share information with third parties requires a solution capable of operating across multiple organizations governed by different security policies and controls. The solution must enable the owner of an electronic health record to assign privacy attributes in accordance with his own value system, within the bounds of law and regulations. These attributes, captured as metadata, must persist with the information throughout its lifecycle and must be uniformly interpreted and translated into security rules that are enforced across enterprises, organizations, applications, and systems. This will require the specification and adoption of uniform metadata standards for representing privacy attributes.

To assure the integrity of the rules captured the solution must be capable of authenticating the identity of the owner of the information, that is the individual or system authorized to establish the security rules to be enforced with respect to that information and the third party to which the information is authorized for release. The solution also must be capable of authenticating the data. That is, assurance must be provided that the data that are shared, and the rules governing their release, are authentic and have not been corrupted or modified in any unauthorized way. The specific granularity of protection must be flexible enough to be applied to a complete medical record or to an ICD-9 code or to anything in between.

We also need for the security solution to be able to evolve with technology. For example, encryption historically has struggled to keep one step ahead of the speed of processors. As processors have gotten faster and more recently as processors have begun to collude with each other, both the complexity of encryption algorithms and the length of encryption keys have had to be extended.

I want now to address the feasibility of using technology to address the challenge of providing continuing protection of personal privacy when electronic health records are released to third parties. My objective here is not to recommend a particular solution but to assure you that this is not an intractable problem. Existing and emerging technologies can be applied to effectively manage the risks associated with third party release of electronic health records.

The technology that I believe is the most capable of meeting the requirements we've discussed is digital rights management, commonly called DRM. DRM is a highly controversial technology developed primarily to enforce copyright protection on digital content distributed over the internet such as eBooks, music, and movies. Ironically the controversy around DRM stems from the perception that the very features that make DRM attractive for controlling electronic health records released to third parties are in fact serious threats to individual privacy. Specifically DRM systems enforce restrictions on what individuals can do with copies of works they have purchased, and collect information about purchasers' activities and report back to the copyright owner, both viewed by many as infringements on personal privacy.

The first generation of DRM emerged in the mid-1990s and used access control and encryption to lock content and to limit its distribution to only those who had paid for it. The second generation has greatly expanded the capabilities of DRM to include a broad range of technologies that give parties varying degrees of control over how digital content and services are used, including by whom and under what conditions. A DRM system enforces usage rights based on originator-controlled policies addressing permissions, constraints, obligations, and rights holders, and automates a workflow that includes the following steps.

First, a user obtains an encrypted resource, such as an eBook, a video, or an electronic health record, and attempts some use of it.

Second, a trusted DRM client sends the attributes of the user's request to a license server, which checks applicable policies to determine whether the requested use is allowed.

Third, a financial transaction may be conducted, if required, for example in the case of movies.

Fourth, a license server constructs a license package consisting of a rights specification, identities, revocation information and cryptographic keys to the content and returns it to the DRM client over a secure connection.

Fifth, the DRM client authenticates the license package, evaluates the policies, decrypts the content, and issues an authorization to a viewing component.

And finally the client, the content is rendered in accordance with the license authorizations.

First generation DRM solutions were proprietary client applications that offered very weak assurance. However, as trusted computing principles are migrating into end-user systems DRM is being implemented at the operating system level, increasing its practical application and its market demand. DRM policies are explicit, conditional statements written using standard policy language to specify how to handle actions that authenticated users attempt on protected resources. For example, a DRM policy applied to an electronic health record might enable an insurance company to review those portions of the record necessary for coverage authorization purposes, but not allow the record to be saved on the company's server. Sound familiar, Mark?

MR. ROTHSTEIN: My head is spinning --

DR. BAKER: A number of vendors, industry groups, and standards bodies are involved in DRM standardization efforts. A proposed XML based Rights Expression Language, REL, standard called eXtensible rights Markup Language, or XrML, is widely considered the most technically capable rights expression language. The Motion Picture Experts Group, or MPEG, a working group of the International Standards Organization, used XrML as the basis for its own REL. The MPEG REL and its associated Rights Data Dictionary establish standards for managing the consumption rights of all forms of content. Although the MPEG REL is targeted toward the protection of rights for coded representations of digital audio and video the Open eBook Forum is using the MPEG REL specification as the basis for its REL specification for digital text, and I believe it could serve as the basis for developing an REL specification for electronic health records.

DRM Technology could be useful in defining rights associated with electronic health records and in enforcing those rights as these records are passed to third parties. The ability to control and to receive reports on what third parties do with the records released to them would indeed be highly valuable in protecting individual privacy while enabling sharing. A DRM solution could enable the direct transfer of electronic health records from health care providers to third parties, with assurance that privacy rules would be enforced throughout the lifetime of that information. This solution would require that the health care provider implement a DRM server and that third parties implement DRM clients, something that is likely to become a standard feature of personal computer operating systems in the relatively near future. Unfortunately, at this point, DRM is mired in controversy and plagued by accusations of patent infringements, which would thwart efforts to develop and implement open standards.

A more immediately feasible, though less capable, approach the health care industry could consider is the use of a trusted intermediary to manage the sharing of electronic health records with third parties in accordance with privacy rules prescribed by the information owners. In this solution the trusted third party could use the prevailing security model, that I discussed earlier, and existing technology to enable a patient to authorize the sharing of specific information with a designated third party. Many, though not all, of the functions provided by DRM could be implemented using this model.

For example, the trusted intermediary could provide a user interface that would enable an individual to request and authorize the sharing of her electronic health record and to prescribe specific permissions, constraints, and obligations relating to that information. These rules could be managed in a relational database management system and enforced at the time the third party requested access. Screen sharing technology could be used to prevent third parties from making copies of the information and sharing it in unauthorized ways. That is, third parties would be able to display an image of the information on their screens but the data would not persist as a file on the client machine. While disabling the print screen capability would require a more complex solution simply replacing a file transfer with a shared screen image would greatly increase the privacy protection afforded to the patient. More complex rules that DRM technology enables, such as enforcing a limit on the number of digital copies that can be made, would not be possible using this solution.

Of course the trusted intermediary itself would need to gain the trust of record owners that their health information would be managed safely and responsibly. In order to do that the intermediary would need to be perceived as independent and trustworthy. The intermediary would need to implement very strong security protection and to communicate these protections in a way that would provide users assurance that their information was safe. Also, depending upon the business model, the trusted intermediary might need to execute business associate agreements with the health care organizations that provided protected health information to them.

Both DRM and trusted intermediary solutions assume the availability of a security infrastructure that includes user authentication, metadata management, cryptography, and auditing. Authentication is required to irrefutably establish the identity of the health record owner and the third party to whom the information is being released. Metadata will be needed to specify the rules in XrML and to specify confidentiality attributes. The evolving HL7 clinical document architecture standard could be useful in standardizing the metadata used for electronic health record sharing.

Cryptographic capabilities will be needed to protect data confidentiality, data integrity, and data authenticity. A trusted intermediary will want to encrypt data stored in its repository. Both DRM and trusted intermediary solutions will require an encrypted communication link, such as secure sockets layer, or SSL, to protect information exchanged between the information provider and the third party to whom that information is being released. SSL protection will be required for exchanges between the information provider and the information owner, for example, for enabling the owner to specify rules to be enforced. Also, both solutions could potentially use public key encryption as part of their user authentication strategies.

In conclusion, thank you very much for the opportunity to present this testimony and to get me thinking about these problems. I hope that I've given you useful information about some of the existing and emerging technologies that could be applied to the protection of electronic health records released to third parties. As a strong advocate of initiatives and standards to advance the implementation and use of electronic health records HIMSS is gratified to have the opportunity to contribute to your work. As an organization recognized for its expertise in health care information legislation, regulations, policies, standards, technologies, and practices HIMSS continues to dedicate resources toward activities that contribute to the advancement of the safe exchange of electronic health records. Uniform adoption of data standards in health care is critical to our vision of advancing the best use of information and management systems for the betterment of human health. We look forward to working with other industry leaders and the Subcommittee on Privacy and Confidentiality to further this cause.

MR. ROTHSTEIN: Thank you very much, I do have several questions for you but they will wait until after Mr. Tayloe's presentation, thank you for joining us.

Agenda Item: Approaches - Panel 4 - Mr. Tayloe

MR. TAYLOE: Thank you. Good afternoon, I'm Keith Tayloe, president of Portal Dynamics, thank you for the opportunity to address the subcommittee today on the topic of third party disclosure of health information. My comments today do not represent a specific position of Portal Dynamics, rather my comments represent the convergence of more than two decades of experience providing IT solutions to government organizations and for-profit entities with my experience buying and administering health care benefits for employees, with my experience implementing health care legislation for the federal government, with my experience as a doctoral student pursuing the future of computing, and my personal experiences as a health care consumer and caregiver.

Throughout my comments I will refer to the phrase personal health information. I use this phrase to refer to any and all data about the past, present, and future physical or mental health of an individual.

Any discussion or comment on third party disclosure of health information needs to have context. In today's post-HIPAA world personal health information is owned and controlled by the health care provider by default though HIPAA provides recognition that consumers have an ownership stake in their personal health information. In this bilateral context a discussion of when and how personal health information can be disclosed to a third party for any purpose is germane.

However, I believe that current and future discussions of third party disclosure need to be focused in a different context, one that is the current and future reality where consumers exercise ownership responsibility for their personal health information and any question of disclosure is a two party question and not a three party question. The Framework for Strategic Action formulated by HHS in response to the President's April 2004 Executive Order promotes a vision of a customer centered and information rich health care industry. Engaging the consumer is increasingly positioned as a fix for a health care system in need of repair. Unfortunately, consumer driven health care will only be a panacea unless the consumer is allowed to drive.

Engaging the consumer as a catalyst to improve the quality and efficiency of health care requires the simple recognition that the consumer is the owner of and controller of their personal health information. HIPAA implies as much and there is nascent agreement across a broad population of individuals and organizations that the consumer owns their personal health information. The Confidentiality, Ethics, Privacy AND Access Breakout Group at the 2004 National Health Information Infrastructure Conference recommended that a regulation be established that will "assign ownership of the electronic health record to the consumer." I salute this group's intent and suggest that the wording should be changed to read acknowledge ownership of the electronic health record by the consumer.

What I am suggesting today is more than a token declaration acknowledging that ownership of personal health information rests with the consumer. I am suggesting that consumers initiate and maintain their electronic health record based on government and health care industry standards. This consumer managed electronic health record provides a summary picture of the past, present, and future physical and mental health of the consumer, and it provides the pointer to the detailed records that reside with the individual health care providers. When a consumer seeks health care services they grant access to or unlock their electronic health record at the time of service. Consumers can choose to support studies or other requests for health care information by making information available from their electronic health record without including identifying information. This keeps the consumer in complete control of their personal health information. With consumer managed electronic health records the question of disclosure is a direct, addressable question.

There are many potential objections to putting electronic health records in the hands of consumers. Many of these potential objections stem from current mental models that promote assigning ownership versus acknowledging ownership. Other potential objections stem from misconceptions that a vast national infrastructure is needed to store and forward health care information. Technically there are no barriers to putting electronic health records in the hands of consumers. Advances in peer to peer computing that do not require servers or central administration and leverage the current internet infrastructure can support this approach to consumer centered health care today. Practically speaking consumers do not need a vast national infrastructure to begin managing their personal health information.

Putting electronic health records in the hands of consumers is not a silver bullet that will improve the quality and efficiency of health care overnight. Putting electronic health records in the hands of the consumers will begin to improve the quality and efficiency of health care tomorrow. More importantly it will unleash the inherent innovation in the marketplace and force the health care industry to be responsive. The lessons of the internet provide the best testimony to the potential of the consumer. We can now place our own orders, track our shipments, book travel arrangements, get home loans, and manage our stock portfolios when and where we want to thanks to consumer demand and marketplace innovations.

Within the health care industry the pharmaceutical industry offers two strong testimonials about the power of the consumer. First, pharmaceutical companies clearly believe consumers can and will influence their doctors, as demonstrated by the unending barrage of drug commercials that dominate television advertising. Second, every bus load of senior citizens heading to a Canadian pharmacy is a bus load of consumers driving health care.

In closing I recommend that the topic of third party disclosure be deferred to the consumer. Let consumer demand drive the quality and efficiency of health care by letting the consumer drive their electronic health records. Let the consumer decide whether or not personal health care information should be disclosed. Let the consumer decide the terms for that disclosure. Consumer managed electronic health records will provide more information. More information will lead to better diagnoses, better decisions, and fewer errors. Thank you.

MR. ROTHSTEIN: Thank you for a very provocative presentation and I'm sure if no one else maybe some of your other panel members would have some remarks to make. The floor is open for questions. Harry?

MR. REYNOLDS: Excellent. First I'd like to thank you Ms. Bergner because that's, I've been looking at HIPAA for a long time and that's one of the best summaries of how employers ought to look at health data and I'm glad it's public now, I think it's nicely usable for others.

MS. BERGNER: Thank you.

MR. REYNOLDS: Ms. Baker, really interesting, I was really interested in your approach. Also wonder if you've extrapolated it, once you have the situation where a third party could get the information, let's say that the health record was in the hospital and a payer got it. Obviously they can't copy it, I'm looking at page nine of your testimony, have you extrapolated that if at that point anything that they extracted off there they would have to capture? Because obviously what's going to happen, anybody that asks for records obviously when they make a decision using those records they're going to have to show some idea that what information they used to decide what they're going to do, they're going to have to document something because obviously you don't, you don't look at a screen, look at a medical record and then go I'm going to deny it, or anybody, I'm going to change coverage if you're somebody else, what treatment is or any of that, regardless of who gets it. So somebody has to keep some documentation as to what they did, didn't do, how they did or didn't do it, and so what would be your thought process on how that might be done.

DR. BAKER: Well, first of all exactly what they can do with the information looking at the DRM solution is defined in the policy that is included with the data in terms, in the form of metadata. So depending on what the rules were industry wise, like I heard some rules from the life insurance industry here, it may be that you would have to include rules where they could in fact make a copy of some piece of the information.

In other cases you may just want them to be able to look at the information and check a box and say yes, I've looked at this, this person does qualify for health insurance through our employee health plan let's say. And that employer does not, I'm no HR expert but I wouldn't think the employer would have to retain a whole lot of information about that, I would think that that would be more of a matter of reviewing some information against some criteria that the employer had and say yes, they qualify or no they don't.

So it would depend on the situation what you really had to capture but the technology would allow you to either capture it or not.

MR. REYNOLDS: Mr. Tayloe, with your idea of the consumer owning their own record with, the internet to many of us in certain segment of the country and certain segments of business and everything else have access to things like the internet and others, how do you see it working for those people who really don't have quite the access and with the fact that medical records are still in many disparate locations, and yes, at some point we may get a central one but they're still in a lot of disparate locations, how would you see?

MR. TAYLOE: Well, the key organizational unit that needs to have access to the internet would be the health care providers, the individual, all they would need depending on how it would be implemented would be the physical key, the physical device, whatever that they had that stored, some restored the index of providers. What I'm promoting through the internet is exactly that, leave those records distributed, it's a question of how much information do you need at what point in time and by whom, that information would then be viewed, accessed, at the point it's needed without bringing them together. So it is in fact possible for an individual with no computer and no internet access to still manage their own electronic health record depending on the media chosen to do that.

MR. REYNOLDS: So you're recommending, they're kind of building an index.

MR. TAYLOE: They're building an index, correct.

MR. ROTHSTEIN: I have a question for each of you and let me start with Ms. Bergner. On the last page of your testimony you say, this is the second to the last sentence, thus as a general rule employers should only collect information that they may legally use in making employment decisions. Okay, I'll just stop there because that's what I want to focus on. The way the law currently stands now, and we talked about this in the employment panel earlier, after a conditional offer of employment as a condition of employment the prospective employee can be required to sign an authorization releasing to the company all of their medical records of any type without restriction. All of that information cannot be used however because if a job offer is withdrawn, etc., etc., etc. So do I, am I correct in drawing from that sentence of yours some support for the notion that employment entrance examinations as used in Section 102(D)(3) of the Americans with Disabilities Act, or pre-placement examinations, which are now unlimited in 48 states, you might not object to having a job relatedness condition imposed on that because that is information that can be legally used, in other words we'll get in a minute to the issue of how you might get that information segregated but in theory at least is it SHRM's position that restriction post offer examinations and inquiries to job related information would be acceptable?

MS. BERGNER: I don't think SHRM has a definitive position on that right now, I don't think there's any specific proposal out there to amend the ADA in that way. But certainly I think it's, as a general rule employers aren't anxious to have a lot of extraneous health information about their employees.

MR. ROTHSTEIN: Actually about five years ago, maybe a few years more than that, I was actually working with SHRM on a proposal to do as I described as an alternative to enacting all these what I consider to be ill-conceived state genetic non-discrimination laws. Because if you had a law that said you could only get job related information you wouldn't get any genetic information to begin with and you wouldn't have to face all the definitional questions and it would then be the same standard that applies to current employees when it's only job related. And it seemed to me that would be easier for everybody concerned but that never went anywhere either, like most of my ideas. And I just wanted to see if you were in general support of that.

MS. BERGNER: Well, I think it bears further discussion certainly.

MR. ROTHSTEIN: Okay, I want to skip Dr. Baker for a second because I think logically, the way my mind works at least, I want to go to Mr. Tayloe first with a question. If the individual maintained control over his or her electronic health record, and incidentally that's the topic of our February hearings on patient control of health information, what would stop an insurance company from saying to that individual if you want to apply for life insurance or disability insurance I want all of your health records, send me everything.

MR. TAYLOE: It is the free market so that's what puts the consumer at that risk if it in fact it was done that way.

MR. ROTHSTEIN: So changing the "ownership" from the health care providers to the patient or the individual really in your model still doesn't get around the question of how much information they can use their economic leverage to require to be disclosed to them. So we would need to do something else too.

MR. TAYLOE: Correct.

MR. ROTHSTEIN: So now I'm to Dr. Baker and the question is what is that something else to. Under either the DRM technology or the trusted intermediary model wouldn't we still need to come up with some way, somebody, some algorithm, we'd have to make a decision as to which, where to make the cuts of the information that's disclosable versus non-disclosable to any particular user right?

DR. BAKER: I'm not sure we have to make --

MR. ROTHSTEIN: Somebody does.

DR. BAKER: I suspect, well, I think, this is an area, a point I kind of agree with Keith on, I think the default should be that the consumer decides that, if it's your health record. And privacy, privacy as I mentioned in my statement, it's a value based concept and what one person thinks is absolutely not disclosable to anybody under any circumstances may be totally open for public scrutiny to another individual. So it's really hard, yeah, we have the technology that if somebody gives me a list of things that they want protected and things that can be released I certainly can implement a system that will do that. But I think coming up with a single set of rules that is acceptable to every patient and every provider, organization, across the board I think is a really difficult challenge.

I also think that the whole issue of even giving patients authority to decide what to share and what to not, that will vary on the capability of the patient too.

MR. ROTHSTEIN: Well, I mean just as a guess, our friends from the life insurance industry might not be crazy about the idea of the applicant deciding how much health information they want to send to the life insurance company. And so what we've been searching for is a way that we can protect the sensitive non-essential health information in some sort of objective way from getting to third parties who can compel these authorizations for broad disclosure. And I recognize that the trusted intermediary model and the DRM may be sort of a technical solution but that's I think a downstream sort of issue from the fundamental question of what information gets through that system.

I also think that, I have some concerns about whether it might be too expensive or too complicated for like small employers to use that. For a large hospital chain they might be, they've spent a zillion dollars to comply with HIPAA, this might not be that much more but for a small mom and pop operation I just, I have some questions about that.

So I've asked too many --

DR. BAKER: Let me, I think, I'm sorry I missed your question, what you were really talking about is how do you come up with this low water mark of what is the minimum, maximum that can be disclosed to --

MR. ROTHSTEIN: Right, and see in the employment context we already have this standard of job relatedness, it's part of the ADA, it's I think what HR people are accustomed to in other contexts, if we could only deliver that, I don't know that we can yet, they might be satisfied with that, I don't know what would satisfy the insurance companies. But what I think you're giving us is a very interesting suggestion about the technology that might deliver that after we make this sort of substantive call.

DR. BAKER: Which is what I was asked to do.

MR. ROTHSTEIN: Which I appreciate your doing that. So we'll go to Kathleen, then Marjorie, and then Helga.

MS. FYFFE: Everyone, thank you very much for providing very informative testimony. Dr. Baker, you say that you've worked in information protection and high assurance architecture for over two decades, I am under the impression, and it could be that my impression is not accurate, that the security architectures and security protections for data have vastly improved over the past several years. And the reason I say that is because I don't remember reading in the newspaper recently that some big hacker was caught, the last one I remember, and this was several years ago, was Matnick(?) I think his name was.

DR. BAKER: Metnick(?), yes.

MS. FYFFE: I used to refer to this as sort of technological leapfrogging, the good guys in the white hat like you would set up protective systems and the bad guys in the black hats would hack in and then you would have to get out in front of them to counteract what they did and sort of technically leapfrogging into the future so that you would develop better and better protections. Is my sense correct that really things are a lot more secure than they were just ten years ago or not?

DR. BAKER: No.

MS. FYFFE: No, okay.

DR. BAKER: The reason you don't see it in the paper is it happens too often.

MS. FYFFE: Okay, well, thank you.

DR. BAKER: It used to be, I remember when my father bought a TV it was in the newspaper. Things happen too often it doesn't make it anymore.

I think that personal, the security, first of all security is directly related to complexity, so as our systems become more and more complex they become less and less secure, that's a given. And years ago when we didn't have personal computers in every home, those systems were, well, Unix which came out in the late '70s I think, has the same security, had the same security when it came out that XP just implemented. So there was a little glitch in the development of information technology where when personal computers came out they had zero security at all and now they've finally caught up to where Unix was in the early '70s --

MS. FYFFE: 30 years ago, yeah.

DR. BAKER: Right, so I think the vulnerability of technology is, technology is more, computer systems are more vulnerable than they've ever been, there are new vulnerabilities coming up, the spyware, the viruses, Trojan horses have been around forever and ever and ever, but also computer systems are much more ubiquitous, I also think that, from a health care perspective I think that the risk is getting higher, not lower. For example they're starting, things that have always been self-contained medical devices they're starting to host on personal computers, that clearly introduces vulnerabilities that were not there before. So the situation is changing, on the other side there are things that we can do with technology today in health care that are highly beneficial too so I don't want to paint this as a one-way street but to say that our systems are much more secure than they used to be is not correct.

MR. ROTHSTEIN: Marjorie.

MS. GREENBERG: Well, after that cheery, thank you to all of you. I have a question for Mr. Tayloe and then also a suggestion to the subcommittee or a thought I had. Mr. Tayloe when your, I guess it's on page three here, well, you're talking about the consumer driven electronic health record and the consumer basically having ownership of the electronic health record and then in that regard complete control over to whom he or she released it. But on page, I'm not quite sure what you're defining here as an electronic health record because on page three you say this consumer managed electronic health record provides a summary picture of the past, etc., and it provides the pointer to the detailed records that reside with the individual health care providers. Now would those detailed records that reside with the individual health care providers also be owned by the consumer?

MR. TAYLOE: No, actually it perpetuates the current model where the health care provider has his records of what they have performed and so what they've done, the details they write on the chart now that may still be written on the chart, so the detail is there and it is really a joint ownership of that record. But the summary and the key to that can't be released it's authorized by the consumer.

MS. GREENBERG: So you're saying that the individual health care providers might also have electronic health records --

MR. TAYLOE: Correct.

MS. GREENBERG: But that they would not be allowed to release anything from them --

MR. TAYLOE: Correct.

MS. GREENBERG: Zero, without the consumers --

MR. TAYLOE: Informed consent, right.

MS. GREENBERG: Agreement. So that would be public health information, I mean if you think of all the kind of exceptions now that are under HIPAA or research, if there's an IRB, etc., none of that would be possible without the active action of the consumer.

MR. TAYLOE: Correct.

MS. GREENBERG: Okay. And is that really what the Confidentiality, Ethics, Privacy and Access Breakout Group recommended?

MR. TAYLOE: No, I wouldn't put those words in their mouth. I think it's important to recognize the concept of the electronic health record, can it improve health care, it can if it gets adopted, so the way to begin adoption is to let the consumers take it and run with it and of course that's a compromise, it's a tradeoff between things that make government uncomfortable. However, if you look at the internet today and the willingness of people to volunteer information and resources for research, there are cancer research projects based on grid computing that use the computers of three million citizens, I think people for their own health would gladly participate, provide anonymous information, for such things as studies and other information. The issue of monitoring diseases and outbreaks needs to be addressed, I mean I understand the sensitivity to that and the need to do that.

MS. GREENBERG: Okay, thanks. And then I had a suggestion, you've been, I want one of your ideas to actually --

-- [Laughter.] --

MS. GREENBERG: You've talked about this idea of segregating or really being able to kind of segment information in a way that now even if people wanted to, or providers wanted to really limit what they provided it's so difficult to do so and so impractical and they don't have the resources to do so that it doesn't happen and so possibly coming up with a way that it would, through electronic health records that it would be easy to do so, at least technologically easy. Now the hard part seems to be, none of it's easy really but certainly a hard part is saying what really is relevant and what isn't and when you pressed the life insurance group understandably, because they are not required to make those limitations, they are at this point unprepared to say that anything might not be relevant because this is why people go on fishing expeditions all the time, certain things you don't think are relevant and they turn out to be. On the other hand there is this job related requirement under ADA and is that defined somewhere?

MR. ROTHSTEIN: Well, it's based on a whole long history of case law but that standard is currently used for medical examinations of current employees, they have to be either job related or voluntary, that standard does not apply to these sort of post offer examinations where anything goes except in Minnesota and California.

MS. GREENBERG: But I mean is there case law that information was provided to an employer for an already existing employee and someone could make the case that wasn't really job related?

MR. ROTHSTEIN: Well, there was a famous case that raised that issue but it wasn't actually tried, if you remember the Burlington Northern case where the employer surreptitiously performed testing to try to determine whether these claimants for carpal tunnel syndrome were genetically predisposed to carpal tunnel syndrome. The theory of the EEOC in bringing that case was that because these were current employees they could only perform tests that were job related and consistent with business necessity. That has not been ever tried by the court, EEOC might have lost on that case because, for reasons that I'll spare you, but I think that it's an easier way to go than certainly with the insurance industry where we have sort of nothing to go on.

MS. GREENBERG: Well, it strikes me that when you asked the life insurance folks they weren't going to bite on that but at least the people --

MR. ROTHSTEIN: It would have shocked the heck out of me if they --

MS. GREENBERG: Of course. But also even when you asked something similar to the occupational health physician he said he didn't think that was practical either. And to me this is potentially an opportunity for health services research, epidemiologic research. I mean there is no way in life that you can avoid every possible risk so what you try to do is avoid the major risks or you prioritize risks. And I think that there is information, large databases certainly on mortality, but morbidity, etc., where analysis could be done to identify, to try to parse out what maybe some of these things are that are of much lower risk in an evidence sort of way rather than people speculating about it. And to me this is something that might be useful.

MR. ROTHSTEIN: Marjorie, I couldn't agree more and I can supply you with various grant applications I've filed over the years to do that.

I think one of the problems that we run into is that we're not going to make any progress in this area unless we have sort of a societal understanding that privacy is not free, it costs, not only in terms of the compliance costs that people but everybody wants, everybody, the employers, the insurers, they all want sort of the most information that they can, the perfect information. Well, we don't have perfect information now, it depends on the memory and selective whatever of a whole bunch of people and it may be that we need to push a little bit for them to say okay I'm willing to make my decisions based on, you can't have maximum everything and privacy as well. Dr. Rippen?

DR. RIPPEN: Again, thank you all, I thought it was really great information and Dixie actually your ideas are pretty exciting, I'm a little biased because I kind of thought it was actually very interesting. And actually I would like to say that there are two, at least two if not three questions, one is what is the scope, okay, that's one of the questions that we talked a lot about which you can't address with technology because that's a policy decision.

The second actually has to do with if you've agreed on the scope well how long does the information stay and what's a secondary or tertiary uses of that information which is of significant concern to many people, not only to make the initial decision for employment or insurance but also for other issues that may be related to business.

And then the third problem of if you do make a decision, that initial decision, how do you document that initial, that decision so that you can actually reconstruct for a lot of different reasons that decision and actually tying it into then this consumer issue and the technologies.

And let me kind of vocalize a concept, the first one we can't address here, I mean the policy issue. The second with regard to some of the new technology of being able to limit or at least track the information flow, and maybe even to have it expire which is actually an interesting concept too, would allow then the ability to have someone informed with regards to how information is being used and some level of assurance of the use of that information.

Now if it goes to the consumer for example the consumer then would be able to get that report with regards to when someone accesses it and some of the implications depending on what the agreement is. And it could in theory also potentially document what information pieces were used in making the decision.

So again, I think some of the technology has some interesting implications of addressing at least the secondary uses and potentially the documentation issue because you always have to document on what you based your decision on. It will be an interesting discussion as far as well where should that information reside.

MR. REYNOLDS: The reason I find this, as I've tried to, since I'm in systems as well as operations as well as taking care of elderly parents I can see all this up close and personal.

But the reason I like the mix of all the discussions are, and I'll just use mine as an example, I've been with Blue Cross for 27 years so there's only one place in the United States that has my index of what's actually occurred to me and that's Blue Cross and Blue Shield of North Carolina because all my procedures, all my drugs, not over the counter, but mostly everything I've done is there. So setting up a personal health record where I could establish here's the doctors I've seen and here's what I agree to and here's what I agree to be on there is one thing.

Obviously as we've talked earlier about the life insurance and everything else the fact that I've had orthopedic surgeries may not be important in life insurance. The fact that I've seen these kind of doctors may be. And so as you look at this whole idea, the whole idea of trying to put something together that allows a clear definition of everything about me, at least in categories, high categories, because right now we go all the way from an index where you get it all, and we've heard that clearly today, you either get a little snippet or you get a phone call and ask for a specific thing or you get the whole deal.

And automating that whole deal to me in the longevity of that whole deal being out there and whether it's got every result or everything else is still I think a significant debate and I feel personally that there does need to be some kind of an overall infrastructure because again being somebody that sat over there and testified about the HIPAA, the fact now that there is a standard format means that we can communicate data a whole lot better regardless of which of the three ideas we have from each of you, whether you're getting it as an employer or anybody else.

So I think obviously the debate still rages but I think the idea is that people are coming much closer to having at least an idea as to the fact that we need to do something, but that something and who gets added is still the ongoing struggle that I think we face and I'd like any comments any of you would have on this.

MR. TAYLOE: Well, I think again if you do nothing life goes on and we all get our health care what it is, it's not a matter of it all has to be there and in fact I don't think it will work that way, it has to incrementally roll out. So you actually have the luxury of maybe piloting different things in different places given the different populations to see if it will work, which is like anything from consumer side, it's those folks who have, as the life insurance people said, who have a need, will be the first to step up and want to participate. So starting with something and incrementally growing it offers the opportunity to learn and factor back in the lessons.

I've had some spirited discussion around the electronic health record in a consumer's hand and what happens if they lose it. What happens if they do lose it? Assuming it's destructed and nobody gets their hands on it, it would be encrypted, it would be secure as long as they had it, no different than today going into the emergency room, you start from scratch and the doctor asks you the same questions. So it's not something that has to be there, it doesn't exist today, so we can't, I don't want to say getting any worse is not, it can only get better so adding some information gets closer, the more information the better, the better it can grow on.

DR. BAKER: I think it's, I agree with you, Mark, it's always a matter of trades and I don't think that's ever been as dramatically demonstrated as when all the anti-terrorist activity and the privacy act came to the forefront and people really started thinking about, and that may help us deal with this in health care too because people are becoming very, very aware that they can't have complete privacy and protection at the same time. That might be a more dramatic example for them than life insurance or any particular thing, and you know our whole society is facing that right now so we may be getting some help.

MR. ROTHSTEIN: Well, I want to thank all of you for your comments, just for the record I want to note that this was not an action item type of hearing where we contemplated a letter to the Secretary in a month or two, this was really a background hearing of issues that are obviously very important to me and I hope increasingly so to the other members of the subcommittee and perhaps even to the full committee. And it's something that we are going to be continuing to follow and hope to work toward proposals and solutions and several avenues.

So I want to thank Dr. Helga Rippen for her fine work in putting today's program together and as always our wonderful staff and AV people and we will be meeting again in February to consider the issue of patient control of health care records, we like to take on these easy projects, and until then we are adjourned. Thank you.

[Whereupon at 4:15 p.m. the meeting was adjourned.]