The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics was convened on November 12, in the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public. Present:
The Subcommittee met in working session for one hour as a breakout session of the full Committee meeting. They were briefed by two representatives of the National Association of Insurance Commissioners (NAIC) on the Health Information Privacy Model Act approved by NAIC in September and now available to states for adoption or adaptation. Subcommittee members and others expressed many concerns about the model act, particularly regarding information disclosure to employers, lax provisions for research including the lack of IRB involvement, and disclosure of data to the Medical Information Bureau. They discussed with the NAIC representatives the possibility of sending NCVHS comments to NAIC, possible for referral to the states.
The group also briefly discussed plans for the February meeting. Mr. Gellman briefed them on the European directive, concluding that it will have little effect on the U.S. because there is no significant evidence of identifiable data flowing from Europe to the U.S., except that given with patient consent. There are questions still to be answered, however.
Sitting in for Ms. Frawley, Ms. Fyffe opened the meeting and introduced two guest speakers, representatives of the National Association of Insurance Commissioners (NAIC). NAIC comprises insurance commissioners in all states and territories and the District of Columbia. The staff supports the commissioners, and the organization develops model acts to help legislatures, which are very active in regulating insurance. Of particular interest to the Subcommittee is the Health Information Privacy Model Act, adopted in September 1998 (and not to be confused with an NAIC model act on privacy in general, released in the 1980s).
Wendy Pellow, Legislative Counsel for NAIC, described the structure and functions of NAIC, which works through committees and work groups. Model laws are its way of developing public policy. They can be adapted or adopted by states, or neither.
Assistant Counsel Jennifer Cook, who staffed the Health Information Privacy Working group that developed the model act in question, described the group's process and the resultant model.
Meetings were public and they received a lot of comments from industry and consumer representatives. The final model was passed by NAIC by a vote of 37-13. The process took four years. HCFA and state Medicaid agencies were aware of the process but not extensively involved.
The purpose is to set standards to protect health information and procedures for its handling. The focus of the model is individually identifiable information. The scope covers all insurance carriers, health and other. The carriers covered include HMOs.
Ms. Cook described some of the provisions, such as that carriers remain responsible for privacy protection when they contract out services. Another concerns the conditions for access to protected health information and the authorization and record-keeping requirements for such access. The model also specifies authorized collection uses and disclosures.
Mr. Gellman called attention to provisions under which employers could access employees' information without consent. In general, he characterized it as not "the world's worst health bill," but he noted several problems including the one just mentioned.
In response to a question, Ms. Cook said states can decide whether this model would supersede more stringent state law. To another question, she said that self-funded ERISA plans are not covered by this model. It also does not cover third party administrators, although states are advised to consider extending it to them. Some questions from Subcommittee members remained unanswered about what companies are and are not covered by the model law.
In response to a comment, Mr. Gellman noted that most privacy bills, including this one, have similar structures; the differences are in the details.
Dr. McDonald raised a concern about the provision for permission for patient care, which is restricted to carrier physicians and might discourage patients from changing carriers.
Returning to the process, Ms. Cook said that while consumer groups had input, the decisions were made by NAIC members only. The model draws from several state laws.
There was considerable discussion of research/IRB questions. It was noted that the model law does not call for IRB review of proposed research uses of data, and that this might be a good thing to add. Also, there might be a specific list of legitimate research organizations entitled to identifiable data. Dr. McDonald questioned the feasibility of requiring patient permission to use data for large research projects. He supported the idea of using IRB approval as a constraint on access to data for research. Others seconded this recommendation. Mr. Blair expressed discomfort about having carriers be the source of identifiable data, rather than providers who can evaluate the medical merits of research. Dr. McDonald noted that Medicare provides data for use in research, but with IRB approval and strict requirements for justification. Mr. Gellman commented that some (but not all) privacy advocates support the use of IRBs in lieu of gaining individual consent.
Asked about the mechanics for amending the model act, and a possible process for receiving input from the Subcommittee, Ms. Cook said she would check. She welcomed comments from NCVHS and noted that the model would be going to the states, which can modify it.
Mr. Gellman described the function of the Medical Information Bureau and called attention to a provision of the model law permitting disclosure of health claims to that Bureau without patient consent. He called this outrageous, and also noted other "loopholes" without adequate patient protection.
Asked about the nature of the 13 dissenting votes, which she agreed are unusual for NAIC, Ms. Cook said that property and casualty insurers were concerned that the model would inhibit the way they use health information in their business. This issue had been studied with the conclusion that there would be no unintended consequences, but the dissenters were unconvinced.
Pursuing a scenario as to how the law would affect health plans, Mr. Scanlon established that patients can not opt out of provisions to share their data with employers, but they can opt out giving data for research and for marketing.
It was explained that this bill does not apply to underwriting practices. In response to a question, Ms. Fellows said NAIC did not consider the cost of implementing the model law.
Ms. Fyffe thanked the guest speakers and turned to planning the Subcommittee's February 2 meeting. It will have panels on uses of health information by employers and for pharmaceutical marketing.
Mr. Gellman was asked to comment on the new EU directive and its implications for the U.S. He said there is no significant evidence of flows of identifiable data from Europe to the U.S. Data connected with treatment usually travel with consent, and pharmaceutical study data are not identified overtly. Theoretically, it is possible for data from Europe to involve identifiers, e.g., with adverse drug reactions; but there has not been an authoritative statement on this. In general, the "panic" on this in the U.S. has not been warranted, although there are questions to be clarified.
Ms. Fyffe then adjourned the meeting.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/S/
_____________________________________________
Acting Chair Date