[THIS TRANSCRIPT IS UNEDITED]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

May 19, 1999

Hubert H. Humphrey Building
Room 405-A
200 Independence Avenue, SW
Washington, DC


Table of Contents

Call to Order and Introductions

First Panel: Employers and Insurers

Second Panel: Privacy Advocates


P R O C E E D I N G S (9:13 a.m.)

Agenda Item: Call to Order and Introductions

DR. HARDING: -- the vice chair of the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality. We are meeting this morning for one of two days of hearings and questions that will be coming up.

Our chair, Kathleen Frawley, is coming. I'm just going to kind of get things started in her absence, and then she will assume the chair as soon as she comes in. We will be glad to see her.

I'd like to welcome everybody to these two days of testimony. We have a number of panels that will be looking at the issues of employers and insurers, pharmacy benefit programs, and other activities that are part of our charge, looking into the electronic transmission of medical data as the charge came from the K2 legislation in 1996, I believe.

What we do customarily is go around the room and have everybody in the room introduce themselves and their affiliation. Maybe we could start that. Maybe, Jeff, you could go first, and we'll just go right down the line and then down the other side and then across the groups of people who are here observing.

MR. BLAIR: I'm Jeff Blair with the Medical Records Institute. I am a member of the NCVHS.

DR. COHN: I'm Simon Cohn. I am a member of the NCVHS and member of this subcommittee. I'm the national director for data warehousing for Kaiser Permanente.

DR. HARDING: Richard Harding. I'm a child psychiatrist in South Carolina.

DR. HORLICK: I'm Gail Horlick with the Centers for Disease Control and staff to the subcommittee.

DR. GELLMAN: I'm Bob Gellman. I'm a privacy and information policy consultant in Washington and a member of the committee.

DR. FYFFE: Kathleen Fyffe, member of the committee. I work for the Health Insurance Association of America.

DR. GREENBERG: I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and I'm executive secretary to the committee.

MR. KUN: Luis Kun with CDC.

MS. ORENSTEIN: Karen Orenstein with IBM, from the health benefits department.

MR. KNETTEL: Anthony Knettel. I'm vice president for health affairs of the ERISA Industry Committee.

DR. TIGHE: Isabella Tighe. I'm the deputy director of the Workmens Compensation Board in Augusta, Maine.

MS. CATHEY: I'm Melody Cathey. I'm the deputy director for the International Association of Industrial Accident Boards and Commissions.

MR. FANNING: I'm John Fanning from the Office of the Assistant Secretary for Planning and Evaluation of HHS.

DR. ABBOTT: Good morning. I'm Dierdre Abbott. I'm with the College of American Pathologists.

(The remainder of introductions were conducted off tape.)

DR. HARDING: Thank you very much, and welcome, everybody. We are glad to have you here on a hot Wednesday morning. Hopefully things will get adjusted in the near future for the temperature.

Margie, do you have anything that you would like to say as our executive director before we get started with the testimony?

DR. GREENBERG: I don't think so. I think we have a full morning. I am interested in hearing from our panelists.

MR. BLAIR: Richard, can I just indicate that this fan is very helpful, but it is a little bit noisy. So it is really important that everybody speak into the microphone. Otherwise it is hard to hear over the fan.

DR. HARDING: Thank you, Jeff. We will all be mindful of that. If anything does interfere with that, just mention it and we will remind people to speak directly into the microphone, so that everybody can have a good shot at hearing the content.

We are going to proceed directly into the first panel today. One of the things that has come up a number of times in previous subcommittee hearings has been concerns about employers and the insurance and issues of rehabilitation and industrial accident boards and commissions. We are delighted to have a group of people here to bring these concerns up.

I can tell you that we usually have testimony, then later on in the morning have some time for questions and responses and so forth. That is informal, but we appreciate you being here very much, taking the time to prepare the material and be here for our edification.

Agenda Item: First Panel: Employers and Insurers

Any questions? What we would like to do then is get started. The first member of the panel is Anthony Knettel, vice president of health affairs for the ERISA Industry Committee. Maybe you could just say a word about what the committee is and so forth before you start.

MR. KNETTEL: Thank you very much. It is a pleasure to be here this morning.

The ERISA Industry Committee is a trade association of about 125 employers, all of whom have at least 5,000 employees but on average have about 40,000 or 50,000. So we are talking essentially about the largest of the large major employers in this country.

We represent them with respect to employee benefits issues, although many of our members have broader human resource, finance and legal department responsibilities. So although our issues are primarily employee benefits issues, our members actually are involved in a much broader range of activities than just that. They tend to be senior management and frequently senior corporate vice presidents for HR or finance. So in essence, I am here today discussing a large employer perspective on these sets of issues.

In some cases, I'll try to touch on some issues that would be of unique concern to small employers, but I really don't speak to them, so I'd like to make that clear at the outset.

We represent our members with respect to exclusively federal issues, both legislative and regulatory. We are a registered lobbying association.

With that then, I think all of you have a copy of the bulleted outline of my remarks. I'll be working straight off of that. In the interest of time, since I know that all of you are familiar with the background legislative history and so forth, I'm just going to skip right to a brief summary of ERIC's confidentiality principles, and then get into the points that I would like to make this morning.

My overview is organized into three sections. One is employers' interest in access and use of health related information. The second is primary or threshold issues that are raised for employers by any proposals relating to confidentiality. While this presentation is geared toward legislative proposals, all of the issues that I am going to raise are equally applicable to regulatory approaches as well.

Then time permitting, I think I might take a few minutes to talk about some of the pending legislative proposals, because I think their scope is even broader than your particular mandate. I think it would be helpful to discuss employers' concerns and illustrate them in that broadest context.

But first, let me go back and reiterate briefly for you ERIC's confidentiality principles. They are laid out for you in abbreviated form in the handout.

ERIC members believe that employers and their dependents may reasonably expect that their employer will limit the information that the employer seeks to such information as is necessary to satisfy a particular business need; that disclosure will be limited to information to persons within the employer or acting on the employer's behalf, who have a specific business need to know and use that information, and that once disclosed, the information will be used only for the specific business purpose for which it was disclosed.

Much of the discussion around confidentiality legislation and proposals has tended to focus on the area of health benefit plans and employer activities related to being sponsors of health benefit plans, but employers' interests are really much, much broader than that. So I would like to take just a few minutes to outline some of the areas of employer interest of using and accessing health related information.

The most obvious is with respect to health plan enrollment, paying claims, monitoring utilization, preventing fraud and abuse, typical core health benefit plan operational issues. But many employers, and especially ERIC member size employers, are really involved in a much broader range of activity than that with respect to health plans. They are actively monitoring patient satisfaction. Some of them have plans in place to monitor clinical outcomes and quality of care. All of these activities too necessitate access to and use of individually identifiable information in order to integrate it and access what is going on.

Also, many of our ERIC members provide on-site health clinics and fitness centers. Here again, those kinds of activities are going to generate information that would meet the definition of protected information under most of the proposals that we have seen, and access to and use of information, at least in a very limited way is necessary for example for employers to deal with liability issues in making those kinds of facilities available to their employees.

Many ERIC members are also involved in a variety of activities which, depending on how they are structured, may not strictly speaking constitute benefit plans within the meaning of ERISA. I don't think for current purposes we need to get into the ins and outs of when an employer initiative constitutes a plan under ERISA and when it doesn't.

But there are many activities that fall on the borderline, sometimes in and sometimes out, and they would include such activities as health risk appraisals, health promotion and disease prevention, disease management and employee assistance programs.

Just as an illustration, some employers design their employee assistance programs to actually provide financial benefits to their employees, perhaps discounts on seeking counselling for managing stress or grief management or things like that. But other employers provide employee assistance programs that are really only a referral service. There is no financial benefit involved.

Depending on the structure of how the employee assistance program works, it may or may not be a benefit plan under ERISA. But no matter how it works, individually identifiable health related information is frequently going to be exchanged in the context of carrying out those activities.

There are also some other employer activities which are not strictly speaking medical plans, but that also involve health related information: short term or long term disability and employer provided group life insurance would be two examples.

Then we begin to get into things that move even farther afield from the core benefit issues which I deal with -- workers compensation, which we will be hearing some about later this morning, and I won't spend too much time with. Also, a whole range of other employer activities, fitness for duty determinations. One of my boss' favorite examples is, if you are an ERIC member company that manufactures toxic chemicals and you have to transport those from one place to another, you are very likely to be involved in fitness for duty determinations to make sure the truck driver of the truck full of the chemicals doesn't have some medical condition that might create a hazard in the transport of that material, also for a job that has a very stressful physical component to it. Again, there might be fitness for duty determinations being made. These kinds of activities too involve employer access to and use of health related information regarding the individual.

As well, there are federal and state occupation health and safety requirements, including monitoring of environmental exposure and so forth. But things like monitoring an employee's exposure to radiation, electromagnetic radiation, toxic substances in the workplace and so forth. There is a very broad range of circumstances and activities that employers are involved in, where health related information is involved, that are not just limited to the traditional health plan, disability plan or workers comp plan context.

What are some of the major concerns raised for employers with respect to confidentiality proposals, be they regulatory or legislative? For ERIC member companies, the first threshold issue before you get to anything else is whether the rules are nationally uniform. ERIC member companies do business in many states. Most of them do business in all 50 states. The administrability and their ability to comply with any privacy and confidentiality requirements depends to a great extent on whether or not those standards are nationally uniform.

I would hasten to point out though that national uniformity is not just an interest of a large employer, or for that matter, even a small employer in a metropolitan area like this, where you have multiple jurisdictions in close proximity. It is also vital to individuals being able to protect their privacy and confidentiality rights.

Before an individual can protect their rights if they are aggrieved, they first have to be able to determine which jurisdictional law controls their claim. If we are in a context where there are multiple jurisdictions whose laws might apply, federal, state and so forth, the individual has to first resolve those conflicts of laws issues before they can ever protect their rights.

In the context of employee benefits prior to the enactment of ERISA 1974, individuals who had grievances with respect to their benefit plans frequently had a very difficult time enforcing their rights, because they tried to go to court, the other parties to the suit would try to remove the case to other jurisdictions that they believe were more favorable to them, and individuals wound up having to litigate conflict of laws issues before they could ever get to protecting their own rights. Many individuals simply don't have the resources to do that.

So ERIC members believe that not only is national uniformity vitally important to an employer's ability to comply with the law, it is also vitally important to individuals' ability to protect their rights. If we have uniform standards, they don't have to expend the time and the resources settling conflicts of laws issues before they proceed to protect their rights.

The second set of threshold issues from an employer point of view has to do with the scope of two key terms that keep coming up in all of the legislative proposals we have been seeing, or some close variation of these terms.

One is, what is the scope of the definition of protected information. The second is, what is the scope of the definition of health plan operations. A number of the proposals, although not all of them, provide for considerably streamlined authorization processes in the context of health plan operations.

Specifically, the definitions of protected information have tended to be very broad. They include for example both oral information as well as information that has been reduced to written form. Typically, those definitions include not just information generated in the course of an individual seeking diagnosis or treatment of care, but includes any information about the physical or mental status of the individual.

To the degree that the definition of protected information is broad, the employers' compliance burden is comparably broad. So from an employer point of view, employers' compliance burden is largely determined by the breadth of the definition of protected information.

That compliance burden is mitigated somewhat, depending on the breadth of the definition of the health plan operation. If you are dealing with one of the legislative proposals that permit what is frequently called consolidated authorization, in other words, one time, up front authorization, rather than getting individual authorizations on each use of information. If the proposal provides for consolidated authorization for health plan authorizations, the employers' burden is comparably narrower, depending on how broad the scope of health plan operations are. The more things that qualify as health plan operations, the more simplified the employers' compliance burden is. We will see in a moment how that operates in the real world.

The third threshold issue which is closely related to the definition of health plan operations is what employer activities are subject to consolidated authorization, and specifically, are there any activities other than health plan operations where an employer can use a consolidated authorization.

As I have already noted, permitting employers to obtain a single initial authorization is far less burdensome than requiring written authorization to be obtained each and every time a piece of information is going to be accessed and used.

In terms of the various kinds of employer activities that we have discussed previously, things like paying claims and so forth under a health benefit plan would clearly fall within the definition of health plan operation under some of these proposals. But a lot of the other activities, it is much less clear. It depends on how the definition is written, for example, whether short term and long term disability plans, which have to make health related determinations, would fall within that definition, because some of the definitions have been written to refer to medical plan operations, and a disability plan may have to make a medically based determination, but the benefit provided is frequently a financial benefit rather than health care itself.

Then of course when we get into the broader range of activities, workers comp, fitness for duty determinations, workplace safety, environmental testing and so forth, at least some of those things have to fall outside of the scope of the definition of health plan operations. It just wouldn't be credible to stretch the definition so far as to incorporate all of those various activities.

So the key issues for employers are going to be, what if anything other than health plan operations can use consolidated authorization and what burden would be imposed on activities like fitness for duty and workplace safety, if consolidated authorization weren't available.

Then finally, the last threshold set of issues for ERIC member companies have to relate to what enforcement mechanisms are going to be used. The legislation that we have seen recently includes some or all of three major approaches: agency administered civil penalties, criminal penalties and private causes of action, tort like actions that might include equitable relief, compensatory damages, and possibly punitive damages as well.

What are the adverse consequences of limiting employers' access to use in these various areas? Unreasonably restricting employers' access -- and I want to make clear that ERIC members understand the need for and the appropriateness of confidentiality standards, so we are not suggesting that the various employer activities that I have described should be left out of any regulations or carved out of any legislation. But what we are saying is that it makes a big difference as to how those standards are structured, and in particular whether an activity can make use of consolidated authorization as to how burdensome the requirements would be. The unreasonably burdensome requirements will severely hamper if not render impossible the employer's ability to conduct the kind of activities that I have been talking about -- operating, health, disability and group life insurance programs, making fitness for duty and disability determinations, insuring compliance with federal and state health related laws and regulations, offering lifestyle counselling and risk assessment and so forth.

If employers' administrative compliance burdens are too high, or if the risk of being involved in litigation over their handling of confidential information is too high, they are going to be discouraged from engaging in these activities at all, if they are voluntary activities.

In particular, there is a risk that employers could get caught between confidentiality requirements and other government requirements. For example, if an employee refuses to provide authorization for the employer to access information that the employer needs in order to comply with workplace safety or a workplace environmental law, the employer is now caught in the situation of not complying with federal and state law and being subject to agency action, or accessing the information and being subject to private litigation for violating the individual's confidentiality rights.

So it is very important that there be active coordination between any confidentiality standards we have and any other applicable federal or state law in other areas, where employers are required by law to access and use health related information.

I would just note in passing that while a lot of the bills that are currently being considered, for example, have specific exceptions with respect to state regulation of public health, they generally don't have provisions that are broad enough to deal with all of these conflicting demands of confidentiality versus occupational health and safety requirements, for example.

Just as a way of wrapping this up and adding a little of the meat to the bones, I would just like to run through very quickly a couple of the legislative proposals that are currently pending, and how the issues that I have raised fit into that context. The bills that I am referring to are the Leahy bill, Jeffords-Dodd and Bennett.

On national uniformity, for example, Leahy does not pre-empt state laws that provide greater protections. Jeffords-Dodd is somewhat different. It doesn't pre-empt state laws that are enacted prior to enactment of the act, if those laws are at least as protective. Then the Bennett bill has a federal pre-emption of state law.

I am particularly troubled by the Jeffords-Dodd approach. As you can imagine, in a conflict of law situation, if a state law is more protective in some areas and less protective in other areas, and similar but not the same as the federal law in other areas, you are going to have to litigate to determine, does the state law controller, does the federal law controller in any given situation where an individual is trying to protect those rights. That is problematic enough under the Leahy bill, where the state law is not pre-empted if it provides greater protection when the standard is at least as protective. That is going to be an enormous legal morass in terms of trying to sort out the law case by case, to figure out which are jurisdiction controlled.

With respect to the scope of protected information, the bills take a slightly different approach from each other, but in the end they all come out in the same place. Leahy and Jeffords-Dodd, the definition includes oral and recorded information about mental and physical condition, as well as about diagnosis and treatment.

The Bennett bill on its face appears to be narrower, in that the definition is limited to information derived from the provision or payment for health care. But on the other hand, the definition of health care is broad and includes assessment of mental or physical condition. So in the end, I think you come out to a place that is roughly equivalent.

In terms of health plan operations, Leahy has no equivalent term. Jeffords-Dodd has similar definitions, but I think unintentionally, the Bennett definition is actually a little bit narrower than the Dodd definition.

With respect to activities subject to consolidated authorization, Leahy has no provision, although a so-called single authorization could be used for the very narrow activity of treatment or payment, whereas Jeffords-Dodd and Bennett both use the concept of health plan operations, although the breadth of those definitions differ somewhat. But neither of them currently provides for consolidated authorization for anything other than a health plan operation.

Then with respect to enforcement mechanisms, Leahy and Jeffords-Dodd include all three that I discussed, whereas Bennett excludes a private cause of action.

In terms of our overall assessment, by way of a summary, the Bennett bill is the only one that has both broad pre-emption and avoids the tort like private causes of action of the other two bills. While Jeffords-Dodd and Bennett permit single authorizations for a much broader range of activities than Leahy, all three of the bills do not provide for consolidated authorization. The full range of employer activities of that I have described. So I think there is a legitimate issue as to whether or not employers will be able to carry on those activities in a cost effective manner, because of the burden being required to engage in case by case authorization.

Thank you very much.

DR. HARDING: Thank you, Mr. Knettel. Just for my information, do any of you have to leave before 12:30 today from this first panel? Melody, you do? You have to go by --

MS. CATHEY: I have a 12:00 appointment.

DR. HARDING: What we will do then is, we will continue on with testimony. Then maybe after the first three, we will stop for a few minutes of questions and so forth, and then we will proceed on.

The next person is Melody Cathey, deputy executive director, International Association of Industrial Accident Boards and Commissions.

MS. CATHEY: I am Melody Cathey. I am the deputy executive director for the International Association of Industrial Accident Boards and Commissions. The association operates very much like this committee is operating. We are an association of government agencies who oversee or enforce workers compensation acts, or act as the insurer for workers compensation.

Our members include 72 government organizations in the United States, including the Department of Labor, BLS and NIOSH, as well as the state agencies. We also represent organizations in other countries, and we have associate members from research institutions, labor and industry.

In fact, representatives of member organizations are in the room as attendees at this particular committee hearing. I'm sure they have particular interest in what we are going to say today.

I am not able to come and present to you a position on privacy and workers compensation, because it is a matter of such hot debate among our members that it is in fact being debated. A position is being finalized by our board this month, and will be published later.

However, I was asked by Gail Horlick to answer some specific questions, to assist you in understanding the information flow that takes place in workers compensation, and what privacy issues may develop as a result of that.

The first question is of course, what information is provided in a workers compensation system. Workers compensation systems are not easily comparable from state to state, because they run the range of the provider, the payer, the insurance carrier to being an oversight agency that reviews the actions of another insurer, or an oversight body that reviews the actions of an employer who is maintaining their risk themselves through self insurance. However, the information that is necessary for any one of those systems to work is very similar.

We have had a lengthy debate over the course of the last seven years regarding what information flow is necessary in workers compensation. As a result of that, our electronic data interchange committee has come up with a series of business requirements groupings of types of data, and the data flow that is necessary. That is included in my written testimony as an appendix. I have excerpted from that those data groupings that I thought might be relevant to the explorations of this committee.

The average weekly wage information is used to determine benefit rates. Information pertaining to the employer is used to identify contact and provide statistical information for employing organizations of the employee at the time of the injury, to monitor health and safety violations, identify sources of lost income, validate compliance with coverage laws, and detect fraud.

The insured information, which may not be the same as the employer, is used to identify the named insured in the policy or the self insured or uninsured associated with the claim, or for statistical analysis. It is also used to verify coverage and to enable enforcement of legal requirements.

Information on the insurer is used to identify the financially responsible party, to relate the claim to a licensed insurer or self insured for purposes of validating coverage, for statistical analysis, for audits for insurers, assessments, licensing review and to insure regulatory compliance.

I would like to define some specific terms for you that I use in my testimony. A claim administrator is an entity which is licensed or allowed by law to be designated to answer inquiries and resolve issues regarding the disposition of a claim, is performing the claim's adjustment function, and reports to the regulatory oversight body or overseeing the reporting to the regulatory oversight body.

That is different than a service administrator. A service administrator is not authorized to answer inquiries about a claim or resolve disputes, but is contracting for services to provide support work under contract for the claim administrator or other service administrator.

A regulatory oversight body may be a workers compensation board, it may be a health and safety board. It may be a court, it may be a federal government body such as BLS or OSHA or NIOSH.

The claim administrator information is used to uniquely identify the role of or locate and communicate with parties having authority to administer a claim, in order to establish and verify information, insure fair handling, insure quality of statistical data, identify the point of contact for dispute resolution.

Standard identifying information is used to identify or contact an individual or organization and coordinate reporting information between information sources of database. This may include an FBIN, if the entity is a business entity, unemployment identification numbers, passport numbers, VISA, green cards or specifically assigned numbers by a jurisdiction or a claim administrator that was handling that specific claim.

This is one of the areas of concern that I understand may be for privacy information, because it identifies all of the data that is flowing through the system with a particular individual.

The physician or hospital information is used to identify or contact the initial medical provider involved in the claim and to make liability determinations, determine the extent of disability or perform a treatment review or audit.

Managed care provider organization information is used to identify the managed care organization involved in the claim, determine whether the employee is covered by the managed care organization for purposes of determining liability, for regulatory enforcement of process, treatment review or audit, and the extent of disability.

The dependents information is used to identify the 100 employees' qualified dependents or identify nearest relative which they identify on a form with their employer, particularly in Texas and New York. This is used to assist in the calculation of the compensation rate, since some jurisdictions take the number of dependents into consideration when determining wage replacement benefits.

It is also used to determine benefit entitlement for dependents, establish the percentage of eligibility, and it captures addresses for mailing purposes in case this information becomes vital at a later time.

The employee information, also an area to concern I know to this committee, is used to identify and contact the employee for payment, for claim processing, monitoring, fraud detection, to gather employee statistical data, to communicate authorizations and releases of social security and medical data relating to the claim, to define the current employment, occupation and schedule, to determine eligibility for benefits and compensation rates, to contact the employee to request further information, mail benefits or inform them of rights, to insure enforcement of legal requirements, to relate the claim to an occupation, statistical analysis, to identify legal representation and define unique identifiers to relate the claim to other data sources.

The return to work information is used to identify when an employee returns to work and the conditions of restrictions, evaluate the length of disability by injury sustained, determine employee eligibility of benefits, determine the date the employee's work status changed, the effectiveness of return to work programs and to perform statistical analysis.

Information relating to the injury and description and location information are used to collect information regarding the physiological effects of the accident to the employee involved and provide information necessary to initiate claim actions, to code it for DCI, which is detailed claims -- I forget what the I stands for, and for BLS reporting to workplace injury statistics, to facilitate disability management, develop intervention strategies, reduce the occurrence of accidents, determine benefits, determine compensability, develop cost analysis, determine rate and set financial reserves.

This information is used not as a health plan benefit information might be used, but rather as information is used in a legal system, because workers compensation is not a health plan. It is a replacement for a tort litigation system. Therefore, the information flows frequently for legal purposes between the employer and the financial responsible party, who may be the insurer, to a health provider in order to be able to make determination of eligibility for benefits, or to defend against claims of benefits if it is determined that they are not eligible.

Of most importance in terms of information which is provided to an employer is medical information which is provided in a return to work situation. In a return to work situation, an employer may be actually working as a member of a team to assist in determining functional capacity and disability by working with the health care provider to analyze the requirements of the job with the limitations, the functional limitations of the injured worker.

In a managed care organization, where there is case management involved, there may be information communicated back and forth to facilitate the return to work process.

I have listed a flow of data there for you in the appendix. It goes into detail the anticipated route of data as it flows back and forth. Who has access to this information within a system, the information is handled with care because the information is necessarily individually identifiable.

As a matter of practice, and not necessarily regulation, when there is survey data, it is reported in a cumulative form or it is blind coded to remove individual identifiers. However, of importance to note for this committee is that some states consider workers compensation information to be subject to open records act and to be public information.

We did a recent survey for EEOC, in which we identified that there were 15 jurisdictions that regularly receive requests for workers compensation histories for conditional offers of employment, of which only 10 indicated that they required a release of information to be executed by the injured employee prior to release of that information.

Those cases were Connecticut, Idaho, Louisiana, Oregon, South Carolina, South Dakota, Utah, Vermont and Virginia. Seven of those states did report that workers compensation information was considered to be public, and five reported that they did not require proof of conditional offer of employment prior to release of the information.

The last question, and I'll try to wrap it up in about a minute, that was asked of me was whether or not the Health Insurance Portability and Accountability Act was going to affect state first report of injury. No.

DR. HARDING: You have another minute, but thank you very much. That was very helpful.

We are going to move right along now. The plan again is to ask Dr. Tighe -- ?

DR. TIGHE: Tighe.

DR. HARDING: Dr. Tighe's testimony of 15 minutes. We will then do some question and answers, probably concentrating mostly on Miss Cathey's testimony. Then we will break for a few minutes and then start back in with the panel members.

DR. TIGHE: I am on the Workers Compensation Board in Maine, which is the administrative board that manages workers comp, self insurers and insurers for workers compensation in the state of Maine.

Gail was kind enough to ask me the six questions, so I probably won't need my 15 minutes. Melody has adequately answered some of them.

I perhaps have a little different perspective on some of these situations. Just very quickly, when an employee is injured, the law requires that he report back -- he should report back to the employer. If there is lost time, there is a report of injury sent to us. That form has names and addresses and employees and employers and all of that.

In a very small block, it has what is the injury, what happened, which seems pretty innocuous at that point. If the employer through his insurance company or as a self insurer decides to controvert that case for whatever reason, then there is a flurry of activity to health providers for medical information relating to the injury.

Perhaps I should say, that is the way we expect it to be, lots of forms that have, Dear Doctor, please send us permission related to Jimmy's fall at work on whatever date.

Unfortunately, what happens is, there is a large net at times sent out that manages to scoop up all kinds of things related to that person's past medical history. That is when I see severe difficulty coming in.

The billing clerk, to use an example, is the one sending out the notice saying we are controverting this case, please send the medical information, and it comes back to a company or to an insurer, who may or may not understand the information but can be gossipy enough to say, did you know -- whatever, that when they were in drug rehabilitation, they had an illegitimate child, they had an abortion, whatever happened. That is where I see the danger.

I think we can get very bogged down in proposed legislation in closing down all kinds of gaps, but what needs to happen is, there needs to be a punishment for people who are passing around and talking about medical information.

Our regulation requires that a health provider, which is usually a physician, in the first go-around to complete an M1, which is pretty basic information. I have given you copies of it. That says, this is the patient, this is the current diagnosis, and now we are starting to talk about, our latest forms have an ICD-9 code on it. The opinion is work related, not work related, the exam, treatment to continue, what is the treatment plan. If they are unable to go back to work, what is the term of disability or when will they be expected to return. Then if they can't go back, are there restrictions and what are those restrictions. We unfortunately have situations where insurers once again consider the M1 not satisfactory and start looking for additional information.

The number four question that Gail asked me was, access to this information and it is, whoever is asking for the information has access to it. So this could be a representative of an insurance company, a company representative who self insures, or a health care provider who has been requested for a second opinion.

When the employee returns to work, what information does the employee have access to? That again is, what is their status medically, other restrictions, can they work full time, can they lift, can they drag, can they bend over.

What protections are in place for protecting the confidentiality of individually identifiable information? We like to think in the state of Maine that we have those protections, but anecdotally, each day it seems I am hearing situations where somebody has been embarrassed or is incredibly anxious because their employer has information about them that they didn't really want anybody to know, sometimes including their families, because of this, give me everything and anything you have on the following patient.

Remember, the state of Maine is quite rural. Sometimes in a small city or town when you are looking for information, we only have one hospital, we only have a couple of doctors. So it broadens the range of the gossip at times.

As I said, my concern is that the problem is that there is medical information, very specific personal information that is out there, that does not have -- is not treated with the sacrosanct means that I think medical information should be treated. I'm not sure that clerks in payroll offices or employer offices or in companies are aware of that. I don't think it is malicious, I think it is just perhaps human nature.

The claims adjustors don't have it, nor do they understand the medical aspects of it many times, so they are reacting to just the juicy bit. I would like to see penalties that -- and we are trying to do it with legislation, that we discussed in our senate in Maine, with penalties for the violation of the privacy of the medical records.

That's it. Thank you.

DR. HARDING: Thank you very much for your testimony. Could I clarify just one thing that you said? When you said that the M1 goes out first --

DR. TIGHE: The physician after seeing the patient after seven days must submit that to the insurer.

DR. HARDING: Then when is the request for the medical information which you say could be a limited specific narrow or any and all information on this patient. Is that the next step?

DR. TIGHE: Many times, what happens, Dr. Harding, is that an insurer will get that information, a claims adjustor will get that information and say, this is not enough for us to make a determination whether or not to cover that, so we need additional information.

DR. HARDING: And is that specific to that incident, or is it any and all?

DR. TIGHE: It should be specific to the incident. In fact, I have a copy of the form that we use. It is quite specific to the incident. We sent letters to providers to tell them to be careful of what we are doing because of their liability. But some of the self insurers finish up with a form that says everything, including psychological or substance abuse, HIV history, the whole thing, and employee, please sign this, because if you don't sign it, we won't be able to pay you your weekly benefit. That is very troublesome.

DR. HARDING: Thank you. We will open it up to the panel. Again, we are live on the Internet. If people could please identify themselves before asking the question, and to whom you are addressing it so that those that are listening can understand the conversation.

DR. FYFFE: A question for Melody. What is NIOSH? Also, why would courts in the United States be members of the IAIABC?

MS. CATHEY: We actually have workers compensation courts in some states in the United States which are organized, specialized courts. The systems vary so from state to state that there are three systems that are actually court based systems, Rhode Island, Oklahoma and Nebraska.

DR. FYFFE: What is NIOSH?

MS. CATHEY: National Institute for Occupational Safety and Health. NIOSH is one of the offices in the Centers for Disease Control and Prevention. It is the National Institute for Occupational Safety and Health.

DR. HARDING: Other questions?

DR. COHN: I have a question that is a follow-on for Isabella Tighe. I just wanted to clarify some of the information flows. You commented that oftentimes after injury, the insurer will request information about the specific injury. I guess the question is, with things such as low back pain or cumulative trauma or otherwise, that effectively becomes the same thing as the medical record.

DR. TIGHE: That's correct.

DR. COHN: Isn't that pretty much the case? It is fine as long as you are dealing with an acute injury, but the minute you get into anything that has any taste of chronic disease, it effectively becomes all information almost immediately.

DR. TIGHE: That's correct.

DR. COHN: Is that part of the problem?

DR. TIGHE: That is part of the problem, but part is also -- certainly, the two diagnoses, low back pain and cumulative trauma, red flags go up all over the place when employers or insurers see that.

But there are other things, too. I talked to a gentleman the other day who suffered an injury at work. He was just enraged because his employer had requested information and found out that he had drug rehabilitation when he was 19 years old. Therefore, perhaps it is his drug use that caused him to suffer an injury 20 years later.

Now, you can laugh and you can say, that is silly. But in fact, that man is not getting any benefits. This thing gets through the system with people fighting all the way. I called up the insurer and said, you're crazy. But that is what happened.

MR. BLAIR: I'd like to describe a little bit of a scenario, and then I'd like to have your feelings of positive and negative about whether this is good or bad or mixed.

As things begin to evolve more and more to electronic data interchange and more toward electronic medical records, many folks have envisioned a situation where if the information were available on a terminal or a PC or a computer somehow, connected to a network, then we would be in a position to wind up having access controls where an individual would have to wind up identifying who they were if they wanted to look for a particular record. You could wind up identifying a person within that organization, their role, their responsibilities, their locations, the time that they are looking at that record.

In fact, the systems are available, where you could begin to have audit logs of who looked at that information, when they looked at that information, where they were when they looked at that information, and those audit logs could be available on request to the employee over time. So the employee would know who looked.

I am mentioning this little scenario because I noticed that when you described the kinds of abuses -- and I think you did a beautiful job of describing it, because you didn't say that they were malicious. I think your words were, they were just of interest to the people that were looking at it, and when it is in paper form, there is no way of knowing who looked at something. You were winding up saying, we need to have fines or punishment if there is a violation of confidentiality. My thought was, right now there is no way to identify who it was, or very little way. There is no audit or who saw it, when they saw it, what portion of the record they saw.

If this was in electronic form and we had those abilities, does that help? Does that hurt? Are there other considerations? What is your reaction to this potential evolution?

DR. TIGHE: Mr. Blair, I think obviously if technology caught up with this, that would be wonderful. But it seems to me that is not going to happen tomorrow, certainly not in the state of Maine.

But it seems to me that all of us, insurers and self insurers and everybody, needs to have a clear understanding and accept the fact that everybody's medical records are sacred. At that point, every clerk in your office has to be -- everybody has to be told that. If there is a violation of that, you can be terminated, you can be fined, you can be whatever. But it is not enough to say, it wasn't my fault, I didn't realize that the information -- that when she opened the envelope from the doctor's office, she was going to talk about it. I think we are too complacent about that.

DR. GELLMAN: Dr. Tighe, I was very interested in your comments about the way that information flows, because I think that that is exactly one of the major areas -- problems that information gets to an employer in some fashion, and there are no rules that get shared through gossip and other means.

How do we stop that? Where is the point of pressure? If you are devising a remedy, you've got what is, it seems to me at least, a legitimate request for medical information from the insurer or employer; they have to be able to evaluate what they are dealing with here. You have got a physician who is the stakeholder. They just have the records, and they are not necessarily carefully attuned to what exactly is being requested.

You've got an employee, as you pointed out, who is under pressure and is told, if you don't sign this form, you are not going to get any benefits. The forms are written by employers, so you have to disclose any and all of your medical information.

So who do we put the onus on not to collect, not to disclose, not to share, not to use the information? How do we control this?

DR. TIGHE: I don't think we can say you can't collect. What we need to do -- and just from a workers comp point of view because the states are different, what we are saying in the state of Maine is, we are educating the physicians and the medical community, don't give you general information. You are talking about what are you treating him for, the injury you are treating him for, that is the information that should be shown.

We need to work with insurers and self insurers and the employers to make them understand the importance of the confidentiality of medical records. I don't know -- obviously and ultimately, there should be fines, or employees should understand, if you gossip about medical records, then you will be terminated. I spend a lot of time in medicine and in hospitals. If you go blabbing around, you are out the door. That is what should happen.

DR. GELLMAN: I don't disagree with that. But it seems to me, just looking for a solution, as you pointed out, the employers or insurers will use any information that they can scrounge up to try and deny a claim. So they are happy to get as much information as they can. The employee, it seems to me, is really not a position to exercise any specific degree of control over what is disclosed. That will certainly be questioned by the employer or the insurer, and the employee doesn't have access to the records as a routine matter.

The physician is the one who is left making the disclosure. It is my understanding that it often is the case that when a request comes in to an office, the physician may not be involved; it is a clerk in a physician's office. They take a medical record, they stick it in the xerox machine, and they send it all off.

We have got an employee who seems to be institutionally incapable of protecting their own interests here, simply because they don't have the control over the data.

DR. TIGHE: Or they may not know.

DR. GELLMAN: May not know. We have got an employer and an insurer with clearly opposite interests here. If you put all the onus on the physician, it seems to me that at some level that is appropriate. But given the way that information flows and physicians' offices work, is that realistic?

DR. TIGHE: It may not be realistic, but it has to be tackled. I can sit back and say, it is none of my business. In my position, I can say, it is not my problem. It is my problem. We send out letters to the physicians, go to the county medical society meetings, go to the medical society meetings, talk to them about it. Don't let this thing get away from you.

DR. GELLMAN: If I am a physician and you impose -- I am fishing here, I am looking to see if there is a solution; I don't have one. If I am a physician and I get a request for information and attached to it is this copy of a state or federal law that says, if you disclose too much information you go to jail, you get sued, you get a fine. My answer is, go away, I am not providing any information at all. Why should I? You want information, you get a subpoena so I am protected. Therefore, I don't have to worry about this, and we'll let the court or somebody else go through the data and decide what can and can't be disclosed. That doesn't seem very practical, somehow.

DR. TIGHE: The other thing that would happen is, they would say, we are not going to take (word lost) workers comp you. That would be the other way to deal with it. I know that. We find that threat.

DR. GELLMAN: Mr. Knettel, got an answer to my question?

MR. KNETTEL: I'll try. I think you are rightly identifying that what we need here is a culture change to put in place a culture on the part of all parties to better understand the need to protect the confidentiality of information. Many ERIC members have at least that informal confidentiality policy. Some of them have formal ones.

But we are still -- in the system as a whole, we are still looking at a need for a culture change. What I would urge is that you need to think about transition issues, about how do we get from here to there.

In the absence of a culture that routinely protects this kind of information, I think the first priority is to try to put systems and policies in place, to begin to change behavior and improve practices.

But I am very much concerned about creating for example a private cause of action immediately, because of the potential for a flood of litigation that would arise, where you have to remedy what -- the culture change has not yet taken place, and people have not been able to put into effect systems that would do a better job of protecting information.

So what I would urge is consideration of, for example, beginning with requirements for employers and medical providers and other affected entities to put procedures in place, maybe the publication of model authorization notices and so forth, and perhaps rely on agency penalties primarily as a way of implementing that, before we move to the second stage of even considering creating private causes of action, when the system simply isn't going to be ready to handle that.

If on day one we create a private cause of action, there is probably not an employer in this country that won't be violating confidentiality laws, even when acting in good faith at one point or another. We are going to have a tremendous transition problem.

So I think we have to -- ultimately there is a question about, once we have protective systems in place, what is the best way to compensate people who have been injured by inappropriate activity and so forth. I would just urge you to think about the transitional nature of the question. It may not be reasonable or appropriate to put all of the various remedies in place before the culture has had time to change and adapt to what its new responsibilities are.

I don't know if that is an answer to your question. But it is my concern about how we would get from here to there.

DR. GELLMAN: Let me come back to that. Do you have an answer to my question?

MS. CATHEY: Actually, I had a question to your question. I heard you say that you didn't feel that it was appropriate for a court to make a determination as to what sort of records should be released pertaining to a workers compensation case?

DR. GELLMAN: I just don't think it is very practical. How many workers compensation cases are there? If every single one of them has to get dragged into court just to make a decision about what records can and can't be disclosed, we can't operate that way.

MS. CATHEY: That is how we operate, though.

DR. GELLMAN: Is it?

MS. CATHEY: Yes.

DR. GELLMAN: In all cases?

MS. CATHEY: In almost all contested cases where there is a dispute over records being released. That is why there are court based systems and other types of systems, administrative law systems. Almost all workers compensation systems involve a determination, a judicial determination at some point of time as to what evidence is relevant to a case. So that is how the system operates.

DR. GELLMAN: I don't know anything about the flow of cases in the workers comp area. But first of all, it seems to me that there have to be a lot of cases where there are no contests over records, because employees just sign a form and the data goes.

So I am talking about, if we require some kind of independent review of record disclosure in all cases, whether there is a dispute or not, that is where I get to the concern that that doesn't seem practical.

So do you agree with that or disagree?

MS. CATHEY: I would say that the percentage of disputed cases are very, very small, and probably not because of a records disclosure issue, but it is a very, very small percentage.

When a case becomes disputed, in most instances a legal advocate becomes involved, and at that point in time then it usually becomes a dispute over what sort of medical record might be disclosed, if that is the nature of the case.

Like I said, not all jurisdictions are currently requiring releases of information before information is released, so that is a separate issue.

DR. GELLMAN: Let me ask a broader question. I don't know if you can represent this view from the workers comp world. There seems to be a lot of interest and pressure from the health care establishment for uniform federal health confidentiality rules. I know you said policies are being -- can you represent the debate or discussion at this point? Is this a good idea for workers comp, is this a bad idea for workers comp? I'm just trying to get some feel for the view from that part of the world.

MS. CATHEY: I can tell you that the workers compensation boards and commissions would prefer to make their own regulations pertaining to workers compensation.

MR. KNETTEL: If I could comment on that, I think there are very legitimate concerns from the workers comp world for the need to handle it that way.

On the other hand, from the employer point of view, the employer has some other interests that may cut the other way. So I think there are legitimate issues on either side.

For example, there are coordination of benefits issues between workers comp and the employer health plan. There are questions of whether an injury occurred at work and should be a part of the workers comp system or did it really occur at home and should be payable by the health plan carrier.

So there is going to be coordination of benefits issues. The question about whether, if federal standards apply to health plan operations but didn't apply to workers comp, how would potentially inconsistent confidentiality requirements work when employers had to interact between this federal world and the state world.

The other set of areas -- many employers, especially ERIC member companies, are getting increasingly involved in integrated disability management. Return to work is an important issue in the workers comp area. It is also important in the general medical area. And employers are increasingly adopting integrated strategies across all of their activities to help improve recovery from disabling illnesses or injuries to help employees return to work faster. It improves their productivity, it makes them happier, healthier.

Again, there is an interaction issue. So we don't at all want to dismiss the legitimacy of the concerns of the workers comp folks, as to how disruptive it might be to have federal rules imposed on what has been traditionally system based systems. On the other hand, I think there are also legitimate questions of, everything else the employer is dealing with is largely in the context of uniform federal rules. There is going to be this dysfunction when they have to carry out activities between those and workers comp and trying to make the two match.

DR. GELLMAN: Let me ask a broader question that is beyond the scope of our jurisdiction and interest here. Would you like to see uniform federal workers compensation rules? Would your members support that?

MR. KNETTEL: Since as was pointed out, workers comp is an employee benefit, we only deal with employee benefits issues. So we would not take a position on federalization of workers comp one way or another. So I'm limiting my comments simply to the (word lost) issues.

DR. GELLMAN: That's fair enough.

DR. HARDING: We'll have one question from Dr. Cohn and then we'll take a break.

DR. COHN: This actually is a question for Miss Cathey. At the beginning of your testimony, you indicated that the IAIABC had been unable to come to a position on privacy and confidentiality. I actually wanted to probe in that a little. Has it been discussed? What in your view are the range of views currently existing that are preventing some sort of a consensus? Is it focused primarily on the issues of privacy and confidentiality just within workers compensation, or are they mulling about wider issues also? What is happening there?

MS. CATHEY: I'll go backwards in responding. They are specifically speaking to issues of privacy and workers compensation. However, issues of privacy and workers compensation involve things beyond medical records.

The very existence of a workers compensation case is an issue of privacy that is of concern. Disclosures of previous workers compensation cases to prospective employers, that is an issue of concern that is debated.

Issues of concern for the business industry may be a disclosure of who the workers compensation carrier might be for a particular company. Issues of confidentiality in workers compensation come from every area. So there is a large debate also.

With respect to issues regarding medical records, that is our occupational health and disability management committee's number one agenda item. Isabella, Dr. Tighe, is one of the co-chairs of that IAIABC committee, so she well knows that is their primary agenda item this year.

The reason they have not come to a consensus -- everyone agrees that privacy is important. That they all agree. The issues of what records should be disclosed and to whom depends upon the interest that is represented, because it is a huge umbrella organization.

The reason that there isn't a statement issued yet is simply because there are multiple drafts being shuttled back and forth between executive board members now as they debate the fine points. I am simply not at liberty to discuss it until they do finalize it.

DR. HARDING: Dr. Orgel, who is one of the panelists, had a comment before we break.

MR. KUN: It is Luis Kun. I was the former chair on the general working group on internal medicine on privacy, security and confidentiality. The question I have is for Anthony Knettel. On your paper titled Overview of Issues, Proposals and Employer Concerns, and during your presentation, you mentioned in the three confidentiality principles the word specific business needs.

I wonder, if we assume that an employer pays 90 or 100 percent of an employee's health care bill, that a business need at some point could be to reduce the health care expenses. If we assume that in the future, you have genetic information record that confirms that an individual will have disease X or Y, that employer could choose not to employ or to promote that privacy, because that information goes in terms of the business needs. Could you clarify a little bit?

MR. KNETTEL: First, ERIC does not make any distinction between genetic information or any other health related information, in terms of the appropriateness of that information being held confidential. So we treat it all as part of the same general concern.

Secondly, with respect to benefit plan specific issues, we already have in the law non-discrimination requirements with respect to the use of health related, including genetic information in the context of administering benefit plans. I think that is already dealt with in the law there.

There are other federal laws that potentially are applicable with respect to health related information and protecting inappropriate employment based use, for example under the Americans With Disabilities Act.

But I understand the information that you are talking about is not necessarily going to rise to the level of the protected disabilities. There may still be some gaps in the federal law with respect to whether or not overall we have adequate protections for that kind of information.

But I think the issue that you have raised is not inconsistent with the principles that ERIC has laid out. For example, under our principles, if a health plan for purposes of for example health risk appraisal and screening and so forth provides among other things a genetic screening for various diseases and so forth, ERIC members would not argue that for example an employee's supervisor should have access to that information. The specific business need for the information is to provide the health risks screening purposes; it is not for purposes of hiring and firing.

So we certainly wouldn't condone the use of information that is collected for one purpose, improving the privacy's health status or identifying potential health problems that they may be able to modify their lifestyle to avoid or whatever, we certainly don't condone the use of that information for hiring and firing.

But I think you have raised a legitimate question, as to whether taken as a whole, the current law adequately addresses the particular issue of genetic information, because of the unique issues that it raises.

DR. HARDING: Thank you. We are going to take a 15-minute break now, so we will come back at 10:50. For those of you who are new, there are restrooms right in front of the elevators, take a left. If you want anything to eat or drink, you have to go to the top floor, where you can get Cokes and so forth. But there is nothing available on this floor. We will reassemble right at 10:50, right on the dot.

(Brief recess.)

DR. HARDING: -- confidentiality hearing here at the National Committee on Vital and Health Statistics. We would like to continue the morning's panel.

We have two additional panelists who will be presenting 15 minutes apiece, and I'll try to hold you to that. I apologize for the time limits, so we can have continuation of the question and answer period. We will have questions and comments from the committee members. We will also open it up for those here in the room, if they have questions or comments too, after the committee members have had their turn at getting things answered that they would like.

Our first panelist of this session will be Karen Orenstein, who is program manager of health benefits program for the IBM Corporation in New York. Miss Orenstein.

MS. ORENSTEIN: My name is Karen Orenstein. Thank you very much for the opportunity to present before the National Committee on Vital and Health Statistics Privacy and Confidentiality Subcommittee today. It is an honor to be here.

I have been asked to share with you how IBM controls the control of confidential privacy health care information while managing its health benefit plans. Confidentiality is an issue of great importance for IBM and its employees.

Let me give you some information about my background and current responsibilities. I am an IBM employee and work in the health benefits department in Armonk, New York. I have been managing the mental health care program for about two years. Prior to that, I managed the IBM hospitalization plan.

My background and education are in health care. I have a master's degree from New York University in community health education. I have experience developing and managing chronic and infectious diseases prevention and treatment programs in hospitals and outpatient clinics.

I also worked for Johnson & Johnson designing and managing nationwide health promotion and disease management programs for Fortune 50 companies. Currently my role as IBM program manager for the mental health care program entails managing the IBM contract with Magellan Behavioral Health which I will refer to as Magellan.

Magellan is IBM's third party administrator for its mental health care program. The program provides IBM employees, retirees and their dependents with brief therapy of one to eight sessions at no cost to the member, as well as benefits for ongoing mental health and substance abuse treatment. Magellan provides case management for in-patient and out-patient treatment, and they also process claims.

The program is part of IBM's medical plan, which is a self funded welfare benefit plan under ERISA. Release of confidential information is done with the consent of the party whose confidential information it is, or as required by law or legal process. All of the program's policies to protect members' confidentiality are based on the concept that it is the member's responsibility to determine whether or not to disclose his or her medical information.

The IBM summary plan description documents the process for managing confidential information. All members have access to this summary plan description.

The administrative agreement with Magellan identifies confidential information and how it is handled. Magellan has legal and professional obligations to protect the confidentiality of information pertaining to IBM employees and dependents who contact Magellan regarding mental health and substance abuse problems and treatment for such problems.

I'm going to talk a little bit now about the appeals process, because there you see some flow of information. The mental health care program provides employees with benefits. Once benefits are determined, employees may disagree with the amount or level of benefits provided.

In accordance with ERISA requirements, the first level of appeal is at Magellan. After the appeals process is exhausted at Magellan, employees may still dispute the decision and may request IBM to review the benefit determination.

To initiate the appeals process, a member identifies himself so that a determination of benefits eligibility can be made. Information in a patient's medical chart is released if the patient or guardian signs a medical release form with his or her personal doctor or hospital and agrees to send the information to the third party administrator for clinical review during an appeal, or if that process is completed, to IBM's benefits staff for an appeal.

Information is never given to the employee's manager nor anyone else in the employee's management chain. The information is given to the IBM corporate benefits staff employees such as myself who are not part of the business unit where the employee is working. It is also given to Magellan clinical staff who have a need to know, such as whoever the case manager is who is managing the case.

Because Magellan manages clinical care, Magellan case managers develop their own case notes for the patient's care who they are managing. This information is shared between Magellan clinical staff with a need to know, such as a clinical supervisor, who would want to make sure that the case manager is delivering appropriate management of the care.

The only time case notes are shared with IBM benefits staff is if a member appeals a clinical decision and agrees in writing to release this information through the IBM appeal process. I don't see any information unless an employee designates that they want me to see it.

When a member self identifies due to an administrative grievance or appeal, only the claim amounts incurred and paid are released, not a diagnosis. If I have a problem with an employee in out-patient therapy for whatever reason and I think a particular claim should have gotten paid and it wasn't, it has nothing to do with the clinical care. We are only dealing with claim information when a person identifies themselves.

Sometimes a member sends information directly to the IBM staff person directly involved with the case. It doesn't necessarily have to go to an appeal. Someone may call up IBM and say, I have a problem with such and such claim, could you check it out for me.

Other measures to insure confidentiality. Other safeguards that are in place to protect the member are as follows. Magellan procedures. These are the procedures that Magellan has in place to insure confidentiality. Magellan has an employee handbook that addresses how employees should handle personal information about individual patients. Training on confidentiality is included in the new hire orientation. Clinicians on the IBM dedicated unit are licensed mental health professionals who are bound to uphold confidentiality as required by licensure.

So at IBM, Magellan has a special unit of people that just work for us, because we are so large.

Computer system access is granted on an as-needed basis, based on job requirements. Access is granted to the appropriate systems through passwords.

Regarding storage of confidential information, all information obtained at Magellan is considered confidential and is stored in an appropriate manner. Doors to the floors are locked and require security access. Desks are equipped with locks. File cabinets are locked as appropriate and office doors are locked. There is Magellan policy on the storage of records as well. For destruction of confidential information, documents are placed in locked containers and then shredded. There is also access to legal counsel for questions about confidentiality. If in a specific clinical situation Magellan is required by law to release confidential information, for example, child and elder abuse, the Magellan legal staff is consulted to insure legal compliance.

Magellan policy and standards has specific guidelines on how to handle confidentiality of member information.

I'll now talk about some additional procedures that IBM has in place. IBM staff are required to lock drawers, closets and offices every day. All information in a health benefits department is considered confidential unless it is in the public domain. Employee badge access is required for entry into each IBM facility, and guests are admitted according to IBM security procedures.

All confidential information is shredded prior to discarding it in locked containers and is again formally shredded. Oral information is considered confidential as well. Access to specific information is granted by pass codes. Procedures are in place to regularly review who has access, and passwords are changed at frequent intervals.

IBM's EAP part of the mental health care program is designed so that members receive treatment off IBM premises. Any additional benefits available under the program are delivered off IBM premises by providers participating in the Magellan network serving IBM and other eligible providers.

I also would like to add that we have -- every IBM employee has to sign up on business conduct guidelines; you must sign that. It is a written document that is online that everybody has to attest to. If you don't do that -- and this is not only related to medical information, it is any information that is confidential, you can lose your job. So all confidential information is protected.

DR. HARDING: Has anybody ever lost their job?

MS. ORENSTEIN: I wouldn't know. You would have to ask the people that lost the job.

Aggregate information. Program reporting. IBM aggregate information is compiled by the appropriate Magellan staff on an ongoing basis. The information is reported quarterly to IBM health benefits staff and the IBM medical staff liaison to the mental health care program. The purpose of the information is to monitor program progress and cost. No individually identifiable information is included in the report.

Customer satisfaction. Patients who use the EAP have an opportunity to complete a questionnaire and mail it to an outside vendor who consolidates responses and provides quarterly reports on overall program satisfaction to IBM health benefits staff. I am the person that gets that report.

The survey is anonymous, and patients are not asked to identify themselves. In 1998, program satisfaction was above 90 percent.

Also, twice a year, Magellan surveys a statistically significant sample of patients who use ongoing mental health and substance abuse treatment services. Aggregate information is reported twice a year to IBM. Survey responses are tabulated in the quality assurance department, which is on Magellan premises. There is no linkage to patient ID on the survey, and the reports provide no personally identifiable information. In 1998, program satisfaction was very high, above 90. I think the return rate was about 30 to 40 percent.

Both the surveys described above had to be approved by the IBM survey registry, which insures confidentiality guidelines are adhered to in all surveys conducted by IBM. The survey registry staff follow written guidelines.

Data consolidation. Any analysis of reports prepared by IBM contain aggregated information. As part of understanding IBM's actuarial risk, since our health plans are self insured, to facilitate corporate funding of all health benefits programs and to provide aggregate information to design programs, claims data from IBM's health benefits program is aggregated and housed with a benefits consulting firm. IBM requires that the benefits consulting company have security guidelines in place that protect patient confidential information, and this is mandated by a contractual agreement with the benefits consulting company.

It is very important to IBM that it be able to design and manage health benefits programs effectively while maintaining the confidentiality of the members who use the plan. As leaders in the technology industry, we trust that our data is secure and as employees, we can avail ourselves of the health benefits our company provides.

DR. HARDING: Thank you very much for that statement. We will continue, instead of asking a few questions right now, until Dr. Orgel has spoken. Then we will come back and we'll open it up specifically for questions for the two newest panelists, but then open it up for the entire panel the rest of the time.

The next presenter is Dr. David L. Orgel, M.D., Midwest regional medical director from IBM Corporation, stationed in Chicago?

DR. ORGEL: Rochester. Asking a doctor to read a statement is difficult, but I will read.

Thank you for asking IBM and me to the panel discussion of the National Committee on Vital and Health Statistics Privacy and Confidentiality. IBM is vitally interested in the issue of confidentiality. This is driven by both a deep interest in insuring its employees' trust as well as its leadership role in information technology.

As a technology company, we feel that information technology holds a great potential for improving the delivery of health care, both in a clinical and a public health perspective.

As a practicing physician responsible for approximately 22,000 employees in the Midwest region, including the over 5,000 at our IBM-Rochester, Minnesota location, I have seen the efficiencies the current information technology provides. IBM Global Occupational Health Services, a function of IBM that is separate from the benefits department, has an electronic medical folder which holds all of the relevant information from a patient's medical chart. This provides for efficient sharing of information within our department in Rochester, which allows for our staff to better understand and help our employees.

We also feel information technology holds great promise for delivering important health benefits to our employees from a public health perspective. Understanding the needs of our employees in terms of their concerns and problems when linked to appropriate outcomes can drive programs and improve health.

However, there is a long way to go in terms of improving clinical decision making tools, such as the electronic medical folder, as well as the data sets and their use for understanding the health needs of populations. Any regulation should allow these innovations to occur, since we feel there is great promise for improved quality and health with these programs.

Specifically, the question I was asked to address in this testimony relates to my role at IBM, management of workers compensation with IBM, and how IBM uses employee health information for disease management. Gail Sheehey also asked questions about third party administrators and their access to information, and does IBM have written policies and procedures to protect the confidentiality of employee health information.

In terms of my role at IBM, I am currently the Midwest region medical director. As I described, I am responsible for the approximately 22,000 Midwest region employees and a team of health and safety professionals to help insure a healthy and safe work environment.

My background in the area of information technology is fairly long. I have experience in preventive medicine through receiving a master's in public health at the University of Rochester, New York, followed by two years in the Epidemic Intelligence Service in the Centers for Disease Control, stationed at NIOSH. I have continued to work with local and national public health organizations. For example, as president of the local medical society, I sponsored Dr. Roz Lasker to speak about the role of public health in clinical medical collaboration in last year's annual meeting, and recently spoke at the Centers for Disease Control's Diabetes Translation Conference in Albuquerque on business' interest in disease management.

Our workers compensation process strives to strictly maintain confidentiality. While we work to understand clinical situations of each injured employee, management is only furnished with recommendations concerning medical limitations and accommodations pertaining to particular job requirements and the work environment. This follows IBM policy as well as the code of ethical conduct of the American College of Occupational and Environmental Medicine.

Our national occupational health recording center, NOHRC, which is centered in Rochester, Minnesota, receives all field reports of work related injuries and illnesses. This NOHRC is within the medical department, which is secure and badge accessible only to authorized individuals. The NOHRC takes the information and disseminates it within each secure IBM information technology system to the appropriate case manager throughout the United States, as well as to the electronic data interface to our Liberty Mutual carrier. This secure transfer of information assures the information is kept confidential.

In terms of clinical information, we require signed releases of information for exchange of medical information regarding an employee between clinicians. Workers compensation statutes allow for the exchange of medical information. Therefore, we do exchange information with our Liberty Mutual carrier without a signed release. However, we limit our discussions to facts which are relevant only to the workers compensation claim.

We have developed sophisticated information technology programs to help us understand our workers compensation experience. Each region receives an update of the relevant outcomes for the region as they relate to the cost, number of cases, et cetera of our workers compensation claims. This allows for us to follow more carefully the big picture of our executive committee experience.

In addition, on a monthly basis, we analyze our open claims to understand how they are changing. This allows for summary information on cost and claims which focus our case managers on those cases which have the highest business relevance. The exchange of this information uses secure technology.

In summary, our clinical services are delivered in a secure environment with strict policies as related to confidentiality and medical information. In particular, we require signed releases for exchange of information, except within our own department and with our Liberty Mutual workers compensation carrier.

The electronic medium has provided a rich source for helping us manage and better deliver healthier services to our injured workers by improving the efficiencies of our communication within the department and between our carrier and IBM. However, we safeguard the information with appropriate technology and physical security as well as policies.

We believe continuing efforts to insure the safeguards of information which do not interfere with the ability to exchange information where appropriate is the best answer to the concerns raised regarding medical information. In that respect, we support the enactment of federal legislation on medical privacy. Others in my company have been involved in the HIPAA implementation process for HHS as well.

The interest in disease management is growing, but it is complicated by its multifaceted nature with public health and clinical medicine combined. In this area, education and communication with and among providers and patients is critical, with additional efficiencies related to improved quality.

Our experience is that people who are in disease management programs such as the diabetes management pilot that IBM partnered with our inter-core vendor to provide experience the fact that such programs can improve quality and potentially reduce costs as well. Participants in the diabetes program I just mentioned improved clinical measures of quality such as frequency of hemoglobin A1C testing, lipid profile and renal surveillance.

Our strategy for delivering these services is driven by increasing the health and well-being of our employees while reducing health care costs and improving quality. In addition, a major goal for the program is to maintain employee trust and confidentiality. We found that in our inter-core pilot we were able to maintain employee trust and confidentiality while improving quality. As indicated, we were able to improve clinical outcome measures, and our surveys indicated our employees were highly satisfied with the program, with few if any concerns regarding confidentiality.

IBM does not receive any individually identifiable patient information, but instead asks the inter-core vendor to provide aggregate data.

As an indication, quotes from this program include the following. Quote, overall, I feel this program complements care I receive from my doctor, end quote. Quote, this is an excellent program and should be continued, end quote. In terms of maintaining trust and confidentiality, for example, one participant said, quote, I'm so glad you followed up with me. I know someone is watching over me, end quote.

IBM is interested in continuing efforts that provide this type of win-win for our employees in IBM. We believe in the legislation and regulation which occurs to allow delivery of these kinds of services to show the promise of improving the efficiency and equality of the health care system.

In terms of third party administrators and aggregate information versus individually identifiable information, we require releases to exchange information as I outlined above. We do however feel that aggregate data may provide insights into the problems that can focus programs and provide outcomes data which are relevant to global occupational health services, as well as IBM and the employee. Within the confidentiality constraints and policies as outlined, we believe allowing the exchange of information will be a benefit to all involved. An example of this is as described for disease management programs.

Finally, as Ms. Orenstein outlined, IBM does have written policies and procedures regarding the confidentiality of the employee health care information. In addition, we allow our employees access to their own medical records at their request, and strictly follow the American College of Environmental Medicine Code of Ethical Conduct as it relates to health care information.

I hope this brief outline provides some insight to you in terms of the policies and procedures within IBM. I will close by saying this is an extremely important area to IBM. I have noticed in my interaction with my peers outside of IBM that they too are vitally interested in this area. Your thoughtful approach and recommendations will be invaluable to a balance between the necessity to maintain personal medical information confidential and the need for communication and understanding of the health needs of our communities.

DR. HARDING: Thank you both for those succinct presentations. Because you were so succinct, we are a few minutes ahead of time. I know it is hard to limit yourself to written messages. Is there anything verbally that you would like to add to your presentations before we begin the question and answer period?

DR. ORGEL: Just that information is critical to everything we do. It is very important that we strike a balance. Clinically, I think that is key.

DR. HARDING: Could you expand on that just a little bit?

DR. ORGEL: Basically, we talked about efficiencies within the health care system as it relates to workers compensation. There are additional efficiencies in the health care system as it relates to delivery of services, and transfer of information is going to be an important part of that.

MS. ORENSTEIN: I would also like to add that IBM as a company has conscience. As you can see from our testimony, it takes confidentiality very, very seriously. So even though we are trying to do our work efficiently, we still balance even within our own borders the necessity to maintain confidentiality of information.

DR. COHN: I thought I would start out the questions. First of all, I want to thank all the panelists for an excellent set of presentations.

I am struck as I listened to both the IBM presentations as well as the presentations from ERIC about the intricate relationship between the employee and the employer to help safeguard and improve the health of his employees for a variety of reasons, some of which are altruistic, others of which affect the bottom line.

In this environment, it becomes obviously very difficult to -- there are multiple places where issues of confidentiality and privacy can either be compromised or get to be a big question. Certainly, as I reflect upon the confidentiality principles of ERIC, I find myself observing how high level and potentially ambiguous they can be.

Having said all of that, I am reminded that the NCVHS in its previous proclamations on privacy and confidentiality talk about both privacy and confidentiality as well as non-discrimination. I am wondering from the panelists, your views about, is the issue when you get down to it really privacy and confidentiality, or is it more concern by the employee that the information is going to be used to in some way discriminate against him and her? And should we be focusing on that as the next or bigger issue?

MS. ORENSTEIN: From where I sit, I haven't had any issues about discrimination. But that is handled in another area within IBM.

I handle the mental health care program. Since I have been doing this job as well as managing the hospitalization end for the company, I have not had any issues brought forward about discrimination. People just want to make sure that they get good clinical care and their claims get paid appropriately. They want to make sure that information is kept confidential.

So it is kind of a 50 percent answer to your question, but I haven't had that other piece come forward from where I sit.

DR. ORGEL: I think discrimination is obviously a concern for employees. Some may even have had personal experience being discriminated against for a health condition.

Personally, many employees will share their medical information directly with their manager, because they feel their manager is part of their -- they want them to know. That may be fine, but we try to steer clear of that kind of thing, because once a manager has that kind of information, it is very difficult for them to let go of it and make a judgment without having somehow had his thoughts influenced by that medical information. That is why we have a medical department, to try and provide just the restrictions, just the management advice, as opposed to the diagnosis.

MR. KNETTEL: I think most of the anecdotes that you hear are anecdotes about discrimination, and that privacy and confidentiality are viewed as the means to avoid the problem, which is discrimination.

The real challenge for you, as Dr. Orgel said, is to strike a balance between how much in terms of compliance cost is going to impose to try to wall off information to protect it and so forth, when the vast majority of the time, that information isn't going to be used for discriminatory purposes anyway. So trying to balance how protective to be versus addressing with appropriate sanctions discriminatory behavior that nobody would condone, no matter how stringent the confidentiality requirements are, from time to time even inadvertently those standards won't be met.

The real issue ultimately is going to be whether the information is used in an appropriate manner.

DR. COHN: I'm just curious based on your comment, is your organization supportive of strong anti-discrimination and non-discrimination laws?

MR. KNETTEL: I have to answer you indirectly. Most of the non-discrimination aspects have to do with things like hiring and firing and employment decisions, and those aren't ERIC issues. We only deal with employee benefits issues.

The only context where ERIC would take a position on a known discrimination issue would be with respect to for example the provisions in HIPAA that prohibit discrimination in eligibility for or premiums for health insurance based on health related information. ERIC supported that particular piece of legislation.

We were supportive of the concept of non-discrimination. I would note however that in the real world, when you draft something, you never know exactly how it is going to be interpreted by courts. We continue to be on the eve of issuance by the Department of Labor regulations interpreting those non-discrimination rules. We have some nervousness about how they will actually be implemented.

But conceptually, we were strongly supportive of the notion that the individuals should not be discriminated against in the structure of the benefit plans on the basis of the medical history.

DR. HARDING: Mr. Blair, did you have a question?

MR. BLAIR: Yes. This committee has received testimony during the last several months from payers, at which time it became clear that not all employers had the same high standards to protect the privacy of their employees with respect to health care information as IBM does. So I would like to anticipate some concerns that other employers might have, in terms of looking at the IBM practices as a model. I could anticipate that some of them might indicate that IBM is a large company and could afford to put in place the privacy and confidentiality practices and principles and technologies.

So if I could ask David and Karen, please, would you comment on whether IBM has taken any look at the business costs of maintaining these standards, whether you balance that off against other benefits. What response would you have to someone saying that they would have difficulty being able to afford the standards IBM has in place?

DR. ORGEL: I'm not so sure -- to answer your question directly, we have never done that. But I'm not so sure that it is really that impossible to do. I think as a member of the American College of Occupational and Environmental Medicine, there are a set of physicians who are sensitive to these kinds of issues.

When I teach a class on pre-placement examination for the Midwest Center for Occupational Safety and Health, or Health and Safety, there are a lot of discussions talking about ADA and how do you hold information confidential, what do you tell employers, what do you tell them up front about what can they expect from you as a physician when they send you one of their injured people. You set the expectation with the employer early on that they are going to get only a certain amount of information unless they have their own medical department.

There are ways of doing that kind of stuff. I'm not saying that it is done necessarily well in all places, but I think there are people out there, many dedicated people, who are trying.

MS. ORENSTEIN: I don't think it would be that difficult to do if you got to the high level process that needed to be implemented. For instance, you might have a lot of smaller companies still using the same insurers that IBM uses. So those insurers will have those security processes in place. If they are not releasing information to IBM, they shouldn't be releasing information to anybody else, even if they are dealing with the smaller companies.

So I think from that viewpoint, you could probably cover a whole lot of companies that are doing business with large insurers.

I also think that part of the culture of the company -- I think the issue of culture came up a little earlier, cultural change. If a company says, if you have got one person handling benefits for your whole company, it is not that difficult for a company to put a process in place that says, look, we don't want you divulging personal information, personal medical information about anybody, just like we don't want you sharing our profit margins. If you consider it as part of the cost of doing business, what difference does it make what you include under how you handle confidential information?

So I think it is really up to the business leaders to determine if that is important to them.

DR. HARDING: Do you have a followup question, Margie, on this before going to Mr. Gellman? Then Mr. Gellman is next.

DR. GELLMAN: I've got a bunch of comments and questions. First of all, on the discrimination issue that we were talking about earlier, I just want to make the point that I don't think confidentiality legislation is really intended to deal with the discrimination issue at work, for some of the reasons that you talked about. I don't think we can expect it to.

I'll make the obvious point that we prohibit discrimination on the basis of age, race and sex, and pretty much you can tell the age, race and sex of everyone you deal with. We don't require people to wear paper bags over their heads.

It simply isn't going to work. We have to find other solutions. To the extent that it helps, that's fine, but it is a byproduct, it is not a main purpose.

Secondly, I just want to say with respect to IBM that I think that we have a very bad sample here of employers, because IBM has always had very good policies, and that is exactly what you have described. If everybody did what IBM did, then this would be a lot easier to deal with.

Another comment. I am sorry that we don't have anyone here today talking about workers compensation or other issues from the labor unions. I think we would benefit a lot from hearing from those people. Perhaps if there is someone here or people on the Internet who can get in touch with us and we can stage another event to collect those points of view, I think it would be very useful. I think the workers compensation issue is one that has really received, up until recently, very little attention, and I think it is a very difficult area. I think it requires some more work.

I've got a couple of questions. Dr. Orgel, in your statement you said basically that we require some releases for exchange of information except within our department and with your workers compensation carrier. How far does that -- what are we talking about here in terms of -- what other kinds of disclosures get covered with signed releases?

DR. ORGEL: Practically speaking, generally -- it is not necessarily always for specific doctors. It is for a doctor in the Mayo Hand Clinic, for example. We think of it as being the Mayo Hand Clinic as opposed to being just that one specific doctor. It would then be the psychiatry department at Mayo Clinic. Does that answer your question?

DR. GELLMAN: What other management uses of information for cost containment or oversight -- is that covered by releases? How do you deal with that?

DR. ORGEL: You have to give me a more specific example of what you are asking, because I'm not sure I have the expertise in that area.

We get aggregate data back from our carrier, for example, under workers compensation. So we know where we are at and trends and things like that. We are able to know what the carrier has valued our claims at, so we know that Sally's problem has a reserve of $10,000 on it or something like that. So we know that that is an important case; we need to make sure that she is going to come back to work, or if she is not, that kind of thing.

Does that answer more specifically --

DR. GELLMAN: Partly. You are responding in terms of clinical uses of information.

DR. ORGEL: Right.

DR. GELLMAN: I am wondering about more uses of information for oversight of your health care plan.

DR. ORGEL: That's (words lost).

DR. ORENSTEIN: Could you repeat the question?

DR. GELLMAN: I want to get a better sense of what you get releases for. I understand the clinical side, but if you are using information -- and maybe you're not, I don't know, for any outcomes research, cost containment, any of those kinds of activities, do you deal with -- or any kind of research that might be done, do you have signed releases there? Do you have other ways, or do you make information available for those purposes?

DR. ORENSTEIN: I get an aggregate report, as I mentioned, from Magellan. I get that quarterly. It has got cost information in it, what is the cost for inpatient care, what is the cost for outpatient care, who are the folks that need attention, is it adolescents, is it young adults, is it older people, for which issues, so that we can work with Magellan to put program processes in place, to make sure the appropriate populations are getting the attention they need.

We don't have signed releases for confidentiality from individuals, because I am not getting individual data. I am only getting aggregate data. So I just get bulk information. There is nothing personally identified on there that I could track back to any individual.

DR. ORGEL: In my experience, I can't speak directly, we would inquire as to, can you look at this information for us, we don't understand what is happening to the number of cases of depression, I guess, over time; are they increasing, are they decreasing, how much, that kind of stuff.

We keep an arm's length to the data. We might send some information to a vendor, and they would collect information for us, and then we would ask them what is going on.

DR. GELLMAN: Okay, that helps. I want to turn to the subject of disease management. Can somebody tell me what disease management is? You have all mentioned it.

DR. ORGEL: It started out -- I just read an article on it, and it was fairly good. In summary, I think it started to say back five years ago, pharmaceutical companies were saying five percent is driving 20 percent of your costs, so we need to focus on them.

There is a broader aspect of general health information and improving the delivery of that kind of information and helping people access and work their way through the system, a very complicated system.

Within IBM, my concept of disease management is that if anyone has a particular problem disease such as diabetes, then if they are eligible for the program -- and they not all are, for example, this program is for our self managed plan, which is basically our indemnity plan. People volunteer for it and we post it, say this is available, are you interested. Then they volunteer for it, and a nurse helps them understand what it is they should be doing to get better quality health services.

DR. GELLMAN: So it is a voluntary program. Patients can opt in if they choose to.

DR. ORGEL: Oh, absolutely.

DR. GELLMAN: Now, Mr. Knettel, you talked about disease management. Is that your concept of disease management?

MR. KNETTEL: I don't think there is a standard definition. But it would include things like diabetes management, hypertension management, coronary aftercare management. And different employers handle it differently. Some, it is entirely voluntary. Some, the employers for example provide a financial incentive, will rebate a certain proportion of your health care premium if you participate in -- one I'm aware of is a coronary surgery aftercare program.

It usually has to do either with chronic illnesses or with aftercare to a serious acute care intervention like coronary surgery.

DR. GELLMAN: I don't dispute the value of these programs, at least in general. I haven't really seen the literature, but I have seen some reports about this, and there are clearly some benefits here. I've got a couple of concerns about this. This is a phrase that you find in some of the legislation, saying, you use information for disease management, and I don't know what it is. So I'll give you two hypotheticals that could or could not -- we don't know what it is, so anything could be disease management.

Situation number one is the CVS Pharmacy disclosure that came up a while ago, that somebody hires junk mail America to start bugging patients to take their pills. Or a worse example in some ways is that an employer decides we want to encourage people to take their medication, so we are going to tell their supervisor to go see them once a day and ask them if they have taken their Prozac today.

I want someone to tell me why that isn't disease management. You can't tell me what disease management is. Disease management may be the excuse for information being circulated to everybody everywhere for anything, and you say this is disease management, either benefitting the patient or benefitting the health plan.

I don't disagree there is some value here in terms of this activity. How do we control it? Anybody have an answer?

MR. KNETTEL: I see that you are as much concerned about the details of this as we are, because the employers obviously have the same kind of concern about wanting to understand, especially when we are dealing with statute, what the meaning of various terms are. I think your concern about the breadth of the term is a very legitimate one.

I would just give you an example of what I think is a legitimate disease management function that one ERIC member is involved in that under some of the legislation they would no longer be able to do in the form they do, and I think a value would be lost.

In this particular case, it is an employer where the health benefit plan is operated by a separate administrator from the pharmacy plan, so two separate vendors. The way they have set up their program is that the pharmacy manager monitors prescriptions that are written to see whether prescriptions are written in particular areas where the employer has a disease management program.

So if the pharmacy manager sees that a prescription is written for insulin, there is a diabetes management program. If a prescription is written for an antidepressant, there is a depression management program.

The way the program is set up, when a prescription like that is written and a management program exists, the pharmacy managing vendor sends a communication to the employee's treating physician who wrote the prescription, saying we have noted that you recently wrote a prescription for X and we want you to know that your patient has available to them a diabetes management program, a depression management program, or whatever it happens to be.

The communication is never shared with the employer. It goes between the pharmacy manager and the treating physician. It is with respect to a condition that the treating physician already knows about, because they wrote the prescription. But the treating intervention may be entirely unaware of the existence of this management program.

What the employer is trying to do is to target its resources to communicate the availability of the management program to those people who need it and would benefit from it, as opposed to having to absorb the cost of sending notices about diabetes management to all 50,000 employees, rather than sending it to the very small number who would actually benefit from it.

So it is an attempt to target the communication of the information to the individuals who can use it. I would argue that there is a very strong value to that, and that it is done in a way that is not raising substantial confidentiality concerns. But the way some of the legislation is structured, they wouldn't be able to continue to do it in that regard without first going through the added expense of getting an individual authorization to do that, which would substantially increase the cost of the program.

So again, it is back to the balancing.

DR. GELLMAN: I understand the point, and I can see some benefit in that. I think the confidentiality aspects of that aren't all that deep. But first of all, I'm not sure that any of the bills I have seen would prohibit that, because it is a treatment disclosure among treatment professionals.

MR. KNETTEL: It is employee information. For example, under the Leahy bill, you can only get up front disclosure for treatment or payment. I would argue that that is employee information, but it is not a treatment decision. It is not a payment, either.

So again, you would want to know what the terms mean and their definition. I'm not sure you could do that under the Leahy bill without a prior written disclosure for that particular communication.

DR. GELLMAN: I don't know, either, because I don't have the Leahy bill in front of me. The Leahy bill does have an authorization, mandatory authorization for treatment. The other bills have worse, where employees or patients, take your pick, are required as a matter of federal law under the Jeffords and Bennett bill to sign an authorization that they can't refuse to sign and that they can't vary, and that authorizes a whole series of uses, many of which are poorly defined. So essentially, the law puts a gun to the head of every employee and every patient and says, sign whatever form you are given by your health plan or your employer, and you sign away all your rights because you have just agreed to every kind of disclosure in the world. You actually haven't agreed to anything, and you have been forced by operation of law to sign a form.

That is one of the things that concerns me, that we have got a bunch of vague, undefined terms here that employers or health plans or anybody, even in good faith, can pour any kind of definition into, because the law doesn't define it.

MR. KNETTEL: At least until we get definitions and model disclosures which may define it for us. But I don't want to dismiss your concerns that the statutes are general. The kinds of concerns that you have, employers have the same kinds of concerns, that the terms aren't defined. So they are not sure whether they can continue to engage the activities they are currently engaging in.

DR. GELLMAN: Right. I probably don't disagree with your members about a lot of the activities they are carrying on, about the value of them. I think maybe some of them might require individual consent, but a lot of them can't. It is not practical or possible. My objection goes to the way in which this authorization is being done, more so than the individual terms.

I want to go back to your statement, the ERIC confidentiality principles. Somebody asked earlier about the phrase business needs. I sort of tripped over that when you went through it. Is that better defined somewhere, a summary of your policy?

Again, this is a term that has no clear boundaries to it.

MR. KNETTEL: Fortunately, this isn't legislation, so we are not dealing with legally enforceable rights. We do have a somewhat more detailed policy statement on confidentiality. I'm not sure whether the additional level of detail would be sufficient to address your questions, but I would be happy to provide that to you and the rest of the group.

In the need to be brief in this kind of a document, I am somewhat paraphrasing the various issues. Even our statement of principles I'm sure doesn't deal with everything in the level of detail.

I think what we were simply trying to communicate is that as sponsors of voluntary health and disability programs, as employers who are subject to state and federal law requirements to collect and in some cases report health information, there is such a thing as a legitimate business need for using this information, and that however the law is structured, it should recognize that.

On the other hand, I am also perfectly willing to acknowledge that there are illegitimate reasons for using this information. I think as our discussion earlier with respect to discrimination was concerned, ERIC members acknowledge that there are certain discriminatory activities which should be prohibited, and we don't oppose those.

So it is very hard in the context of a document like this to capture all of that. And of course until you actually discuss what the words mean, you don't know how to apply it in any given case. But I think what we were trying to accomplish here was to communicate that ERIC members value privacy and confidentiality. IBM is an ERIC member. Many other ERIC members also have confidentiality policies that are similar to theirs.

Also, it is in an employer's interest to protect an employee's confidentiality as a matter of not only keeping a satisfied and productive work force, but in terms of being able to hire the employees you need to get your job done. If you have a reputation for disregarding the confidentiality of your employees, you are shooting yourself in the foot in the labor market if you don't handle employees' information confidentially.

So although concerns about discrimination are legitimate, I think it should also be acknowledged that employers also have strong reasons why they would want to protect confidentiality. It is not entirely a black and white issue. I think there are a lot of areas of gray, and we try to address those gray areas without being understandably too specific in this context.

DR. GELLMAN: Thank you. I think that is a fair statement of where you are coming from. I think that you recognize -- it is the same problem that we talked about in terms of legislation; what do the terms mean. It is clearly more important in legislation than in policy statements. But it still makes a difference in policy statements as well.

What I see here is better than some and not as good as others. That tends to be true with industry self regulatory statements. A lot of them, without characterizing this one in this way, are filled with lots of privacy words and absolutely no content. That is a real problem in terms of trying to figure out what is going on, trying to rely on some other ways of dealing with confidentiality problems. This is in every context, not just in the health context, where there is too much appearance of policy, but no actual policy there. That just remains a general problem with a lot of self regulatory efforts.

DR. ORENSTEIN: I have one other comment that I would like to make that really hasn't been brought up thus far, which in my profession is a big deal. That is that the individual take some personal responsibility as well. I think you can flip to the back of any magazine and see, buy this plastic suit and lose 10 pounds, or buy this vitamin and you will live forever.

I think as part of this, there is a public responsibility to make sure people understand some very basic information, in terms of how they might -- what they might want to consider when they make a purchase. I think the 10-pointer is not a discourse, just alerting people that -- I don't think it is the large employers as somehow came up before that it is really too much of a concern. Some of the other folks that are out there, who might have a variety of programs in place and maybe don't have the level of sophistication of understanding of what the issue is. I think making people aware of some very general guidelines I think goes a long way, just so people can be informed.

DR. GELLMAN: I think that is a fair comment. One of the problems is that -- and this is not very much an employment issue, it is more of a marketing kind of thing. When people go to a supermarket and use a frequent shopper card, they may not be thinking that they are making a record of everything they purchase, that somebody has and is free to use and resell and trade without any restrictions whatsoever. When you buy something in mail order or if you call an 800 number, they know who you are whether you have given them your name or not. They know at least where you have called from if you called from home.

For the most part, people engaged in these activities do not tell anybody. There are mailing lists available for people who bought all kinds of products, called 900 numbers, sex services, all kinds of products that nobody would have purchased in the entire world if they had any idea that their name was going to go on a list and be sold.

The problem here is that the people engaged in these activities don't tell anybody what their information practices are, and they don't do it for the obvious reason -- that they won't have any business with their current practices.

There are some people who don't care. If you look at the polls, there are 20 percent of the people who basically are privacy indifferent, it doesn't make any difference to them, they would probably do it anyway. But other people would very much care if they knew, and they simply can't get the information.

DR. HARDING: Individual responsibility is certainly an important concept. I have a little trouble when there is not the opportunity for choice. You can be individually responsible, but if it is sign here or nothing, that takes that away from you.

We have 30 minutes left here this morning. What I am going to do is ask Marjorie to ask the next question. If there are members here in the room who are not members of the subcommittee, if you would like to make a comment or a question to any of the -- we would be delighted to have you do so. I would only ask that you come up to the microphone and limit the comment or question to three minutes, so that everybody can have an opportunity to do that.

So if anybody after Marjorie's next comment would like to ask a question of the committee or the individuals testifying, if you would come up there to one of those, we will recognize you. I will give preference to the subcommittee's questions, but we certainly would like comments and questions from others.

Marjorie?

DR. GREENBURG: Thank you. I had two questions, and I think the second one was pretty much answered. That was the issue of how people are notified of these disease management programs, and whether people have an opportunity to self identify because it is posted somewhere that there is such a program, or whether there is some way the employer has information that, these are your employees with diabetes, now you can target them for the program.

It sounds like you are saying that it is at IBM completely self identifying.

DR. ORGEL: It is arm's length. We would post a general kind of thing. We wouldn't get the information and then send it to them.

DR. GREENBURG: You would target the persons who have these conditions.

DR. ORGEL: Right.

MR. KNETTEL: The practice differs among various ERIC members. Some make general communication, some post it, some use the targeting. Like anything else, the question is efficacy; what is the response rate if you just generally post a notice as to the availability or put a small piece in your employee newsletter, as opposed to the kind of confidentiality protected targeting information that other companies do.

I think not surprisingly, the takeup rate for employee participation is far higher when the communication is more targeted. But different companies have different policies and approaches as to how they deal with their work force on these issues.

DR. ORGEL: I want to be clear. We would not take any of this information for diabetes. IBM doesn't have that. But we might tell one of our vendors that this program is available. If you hear about it, if you hear from them you can tell them about the program, that kind of stuff. But it isn't that the vendor sends it to us and then IBM is sending a note, we know you have diabetes so you might want to sign up for this program.

MR. KNETTEL: Yes, and in all the cases I am aware of where there is targeting, the employer is entirely at arm's length from that. It is the vendors who do it directly.

DR. GREENBURG: Thanks. I wanted to ask Dr. Orgel if he could expand a little bit about the electronic medical folder that you described here, the IBM global occupational health services. Is this specifically related to workers compensation, or is this individually identified information? How is it collected and how is it maintained, and what is its purpose?

DR. ORGEL: It is the patient's chart.

DR. GREENBURG: From any health services that he or she receives on the site?

DR. ORGEL: Yes.

DR. GREENBURG: Not necessarily related to injury, because you have internal clinical services?

DR. ORGEL: Right. It is basically in electronic form, which allows us to internally pass information from the nurse case manager to me, and back and forth. It has helped with efficiency, because the secretaries are not running around trying to find charts in somebody's drawer. I can't tell you how many hours have been spent, I've got so and so on the phone, can you find Joe's chart, and three days later it appears from the bottom of some drawer.

The system still crashes every once in a while; we still don't have it for three days. But overall it is more efficient.

DR. GREENBURG: Sure, this is for the health services you actually deliver. I assume there is a firewall and it is not available to anybody else?

DR. ORGEL: Yes. Technically I can't tell you all the --

DR. GREENBURG: Okay, thanks.

PARTICIPANT: We have heard about IBM's wonderful separation between the duties of the different departments, but applicable more to a smaller corporation, I would like to know how IBM handles the mental health issues of your own unit, not mental health issues of the rest of the corporation, but mental health issues of the unit that manages mental health, or the privacy issues of the workers compensation unit itself.

DR. ORGEL: Are you accusing Karen of being crazy?

DR. ORENSTEIN: If there are any members in my department that need mental health services, is that what you are asking?

PARTICIPANT: Yes.

DR. ORENSTEIN: They would call Magellan directly. I don't have access to information of anybody in my department or anybody in the IBM corporation that uses mental health services, because the services are off site and they call the third party administrator directly, they call Magellan directly. I have no idea who is using the medical services, division services, the mental health services.

DR. ORGEL: I think your question was more directed to be more pertinent, for example, if a member of the medical department had a medical problem in my department, what would we do? Would that be more to the point?

PARTICIPANT: Yes. This issue comes up in hospitals all the time, where the care providers would be patients themselves.

DR. ORGEL: Although we don't provide direct services obviously to our own employees, we help IBM manage efficiently, confidentially, et cetera, the medical problems of its employees. So I don't do liver transplants in the office.

But if someone becomes ill, then that person -- some other regional person that is not in my department, some other doctor or nurse from a whole other region who can't then look in the chart -- the charts are not kept in -- my chart is I don't know where, but it is not in my region. So if they become ill, someone else will help manage that case, and provide to me as the manager of the department -- I don't know what Joe has, for example, but he needs to have time for three weeks, and that's all I know. I may want to say I need him, but okay, fine. Does that make sense?

PARTICIPANT: This is not directly related to IBM's experience, but in your personal experience, how would you handle it if you cannot separate into a different region, say a smaller employer?

DR. ORGEL: A hospital, you mean?

PARTICIPANT: Or an employer, just a regular self insured employer.

DR. ORENSTEIN: I think you need to keep the job performance separate from the medical piece as much as possible, only if the medical piece impacts the job performance and the individual wants to bring that information forward. They are integrated, but they are separate.

My personal opinion, not speaking for IBM, it seems to me that you would need to separate that information and put the onus on the individual as to whether it was important enough for him -- and I'm sure there are other laws that come into place with sharing this information with ADA and so on. But I don't think an individual's medical condition -- unless they can't control the medical condition; if it is a psychiatric illness, then we don't share information about people's psychiatric illnesses with the medical department. If somebody is out, for whatever reason, they are out. When it is necessary for them to return to work, the medical department works on getting them returned to work, whatever the medical condition is.

DR. ORGEL: I think your question is more about how does the company address the issue of sick employees, small, medium or large. As I pointed out in my previous comments, from my experience teaching these classes, the doctors -- I can't speak to the hospital thing, because I think that is a difficult area; there are all kinds of cross things, and you would have to ask a particular hospital how they handle that.

But within the small company, I would suggest that the human resources function or somebody that is the contact, that they do not get medical information. They say, we have a problem with Joe, here are the performance behavioral issues that we have. Joe is not coming to work, he is talking nasty to people, he is not doing his job when he is here. Here are the set of things that are a problem. The external provider understands that they don't provide a diagnosis back to the employer. They say, Joe does or does not have a real medical problem that does or does not affect those five characteristics, and then it provides restrictions or suggested changes in the work environment, accommodations or whatever word you would use. Then you keep that separation between the company and the diagnosis.

MR. KNETTEL: If I could jump in just for a minute quickly, unfortunately the problem is even much more complicated than has already been discussed, because the various definitions of protected information are not limited to information that arise in a benefit plan context.

If you are a small employer -- our members are very big, but ERIC itself only has eight employees -- the person that has authority to hire and fire is the same person who signs the contracts for ERIC's health plan. It is the same person who, if an employee wanted to request extended leave under the Family and Medical Leave Act, that those requests could be made to, and all the way down the line of the various kinds of activities.

In the real world, in a small employer in particular, a firewall model just breaks down, it is not sustainable. It may be sustainable in some areas. For example, with a health plan under ERISA, the employer could decide to delegate entirely all fiduciary responsibility for making final claims decisions to their carrier and not retain their authority. Under that arrangement, the employer would never see or make a decision about a particular claim from a particular individual.

But even there, it doesn't mean there aren't circumstances where issues aren't going to come up in a context of an employee. Somebody leaves, or somebody has a dependent with a COBRA qualifying event and there are then questions. I don't want to go into all of the details where various kinds of information could come up, but in the real world for a small employer, it is just impossible to have a division under all circumstances.

I think as Mr. Gellman had stated earlier, ultimately there are situations where confidentiality alone doesn't deal with the problem, and you wind up falling back on whatever your non-discrimination rules are, because separation just isn't possible at some point.

DR. HARDING: Thank you. The next comment is from Dr. Peel. Dr. Peel will be here tomorrow testifying for pharmacy benefits management. Welcome.

DR. PEEL: Thank you. I just wanted to share a story with this group, because I think it is pertinent to the issue of medical privacy and what employers should or shouldn't know.

Let me just tell you the story. I was on a plane in January flying from Austin to Dallas, and struck up a conversation with a man. I was going to go give an interview about privacy, so we got to talking about how there was not a federal law that protects medical privacy. So this is the story he told me.

He said, I'm a CFO of a company of 270 employees outside of Austin. Recently, our insurance agent, the broker that sells our health insurance policy, came to me and the top executives of our company. And basically, what he said was, these six or seven employees here are costing you too much money in medical claims. You need to change their job descriptions, load them up and head them out of the door. This would be a business decision for you to do.

This particular company was ethical and he said, we showed them the door. But this is really the appalling kind of uses to which private medical information are being put. I think that employers, if they can get this information -- and clearly with all due respect, Mr. Knettel, you are saying you want every piece of information you can get, basically -- employers are going to use this information. The ones that don't value their employees -- like IBM clearly seems to value their employees as assets. Other smaller employees may view them simply as cost centers and use this information to harm employees.

So I hope this committee will look very much at what kinds of protections we need to put in place so that this information doesn't get out. This was clearly not even someone associated with a particular health plan; this was an independent broker that peddles different policies to different people. He wasn't even in a health plan. He was a totally independent insurance agent.

So these are the kind of disturbing things that -- if I can come across this, just stumble across this in Texas, I think we have to consider that this is a very broad problem. This is just one small example of what can happen. In talking with some of my colleagues -- maybe I could read this brief story in response to it.

It says, Dear Deborah, last night I evaluated a depressed medical patient with a three years history of illness and surgery. For reasons of privacy, I can't disclose the correct diagnosis. His work experience is relevant to your story. He worked at the same company for 10 years. During the past three years, his performance was affected by his medical condition to some degree -- absent for surgery, tiredness and so forth. Six months ago he was given two choices: resign or go on three months probation.

His new job description had so many additional stipulations that he decided he was unwilling to work under these conditions. He resigned. He now works as an independent contractor. He has no medical insurance of his own. Luckily he is covered by his wife's HMO. This may be an example where an executive of a company succumbed to the pressure of an HMO.

So I think these things are happening in the real world, which really speaks to the need for comprehensive legislation to protect people. I don't think the companies are going to protect people unless -- well, maybe some good companies are going to protect people, but I don't know that everyone can be counted on to have the ethics or the values of say IBM, as we have heard today.

DR. GELLMAN: I just want to say, that is a very telling story. I have heard something not quite as pointed as that, but I have heard over the years stories, often from insurance companies, who basically say, the employers come to me -- the employers being their customers, not the employees, the employers are the one who buy the health plan, and the employers say, give me all this information or I go hire another health plan, and the insurance companies are stuck in the middle of that. They feel they have no choice but to turn information over. I think that this is a problem.

One of the real problems is, a lot of bills that are floating around now wouldn't stop any of that. Matter of fact, they would authorize it.

DR. HARDING: Authorize it on the basis of health care operations?

DR. GELLMAN: Right.

DR. HARDING: And the loose definition.

DR. PEEL: Yes, that would be the point, that treatment and payment should be authorized separately from all the other commercial and whatever kinds of uses. People should have the right of informed consent.

Just to comment on disease management programs, I have some letters from patients in Texas that have received them, too. Maybe some of them truly are attempts to manage diseases, but at least in Texas, we have seen that a number of these kinds of plans are actually more versions of ways to continue to sell drugs that are promulgated by pharmacy benefits managers or pharmaceutical companies. But I can talk about that later tomorrow.

MR. KNETTEL: If I could respond just briefly, first I would like to make clear that of all of the employer activities that I cited as employers having an interest in, access to and use of information, I have not suggested that any of them be exempted from the act or not subject to confidentiality requirements.

What I have suggested is that employers be able to use consolidated authorization, which the legislation requires, that would include detailed descriptions of what the information would be used for and how, that these activities be able to use consolidated authorization rather than use by use authorization. So those activities would continue to be economically viable and employers could continue to engage in them.

I am not at all dismissing the various concerns about real world discrimination that goes on. It happens. Part of the reason why ERIC member companies have confidentiality policies is because it has happened to them.

One of our members, who has probably one of if not the strongest confidentiality policies that I am aware of among ERIC members said the reason why they have it is because they have a lot of plants that are located in small company towns. As you can imagine, as somebody said earlier, everybody knows everybody. What they discovered was that it would be a common practice. If somebody was out from work sick or something, the supervisor knew the employee's doctor, he would call him up on the phone and in complete good faith say, how is Joe doing, I'm really concerned about him, is he going to be back to work or whatever.

There wasn't anything malicious in that, but when the company found out that those kinds of situations went on, they were frankly horrified, because they understood that it was inappropriate. They have put in place a very stringent confidentiality policy to deal with those kinds of situations.

So our ERIC members understand and acknowledge that there are things that go on that aren't appropriate. On the other hand, advocates need to acknowledge that there are many valuable activities that employers engage in on behalf of their employees that materially improve their quality of life, that those employers might not be able to continue to afford to do if we have overly stringent and inappropriately restrictive confidentiality legislation, that doesn't at least let employers deal with authorization in a consolidated means rather than case by case. The difference may literally be the difference between an employer being able to afford to provide many of the services and benefits to their employers.

So I just want to get back to -- throughout the morning there has been a lot of discussion over the need to balance the various concerns. I think that is absolutely right. We have to understand that there is no free lunch, that you can't protect confidentiality without imposing substantial costs on employers, especially because we are not just dealing with a health plan context. We are talking about a very broad work place context. We have to understand that if that balance is tipped too far in one direction rather than the other, employers may very well be disincentived from engaging in very valuable activities. I think everybody would be hurt if those would be lost.

I just want to reiterate the call that we need to be balanced in how we deal with these issues, so that when we protect confidentiality, we prohibit discrimination; we don't on the other hand chase out of the marketplace very valuable activities that employers use.

DR. PEEL: Just a quick comment. I think all of us, physicians, patients and the public at large, are happy to have good programs in place, disease management or whatever. I think the public and the employees are going to want to sign up for them if they exist. But the idea that you are going to put somebody in these programs without their specific consent or knowledge is really quite abhorrent.

DR. GELLMAN: I don't disagree with a lot of what you said. There are other uses. I actually have said for years that medical records are not confidential. They haven't been for years. They are passed around from pillar to post, and we have to recognize that. It is not that the goal is to make records confidential in the way that people have it in their minds, but to set boundaries.

The issue is, how do we define the boundaries? We have talked about that. And what is the process for control? I actually don't disagree that an individual case by case -- can I use your records for this particular purpose, that doesn't work. It is too expensive and too difficult.

On the other hand, I think that having a gun to your head mandatory authorization that you sign or you lose your health coverage over is also offensive. That doesn't work, either. That doesn't give the patient an even break. We have to find another way to authorize and define some of these functions without using that mechanism.

MR. KNETTEL: Although if you put the employer in the position of requiring him to enroll an employee, whether or not the employee authorizes use of information prior to their enrollment, you are putting the employer or the employer's plan administrator in an impossible position, in terms of having a financial obligation to provide benefits without having authorization to use the information that they need in order to manage and administer the plan.

DR. GELLMAN: I recognize that. I'm not saying that that is the only way to do it. I just think that the form of statutory mandatory authorizations is legislative coercion, and it doesn't accomplish anything. If we authorize these functions, we have got to define them and put them in the law, which is my solution to this. We can fight over the solutions and the boundaries to that, and that is a fair fight.

MR. KNETTEL: It sounds like we are headed for negotiated rulemaking.

DR. GELLMAN: I'm not involved in that. But that is the problem of giving patients a mandatory authorization that they sign or they lose treatment and coverage. It is a perversion of informed consent.

MR. CORM: My name is David Corm. I am with the American Insurance Association. Our member companies write much of the workers compensation insurance that is written in the United States.

We just want to go on the record opposing the inclusion of state workers compensation programs in any uniform national standard on privacy, to the extent that doing so could delay determinations of compensability in workers compensation. This is a very important point and one that I don't think has been adequately aired in this group.

In workers compensation, an insurance company or an employer is obligated both statutorily and in contract to determine whether an injury or illness is related to employment, whether it arises out of or in the course of employment. Those are the statutory standards. To impose any kind of requirements that would delay that determination could cause great harm to injured workers, to employers.

It is important to point out that in workers compensation, over half of the benefits that are paid are not medical related; they are to replace lost wages. It is very important that determinations of compensability be made as quickly as possible. Otherwise, injured workers will have extended periods without any income. When that happens, claims are much more likely to result in litigation, attorney involvement, and no one wins in a situation like that.

So to the extent that any kind of privacy standard that involves having to go out and obtain an authorization before a carrier can have access to information that they need to determine whether or not it was a compensable claim, it can cause great harm to state workers compensation programs.

DR. ORGEL: There is a difference between a benefit which we provide voluntarily to compete in the marketplace to attract and retain good employees, and workers compensation is a right that people have within the United States to have.

You may place a Catch-22 if you are not very, very careful and very clearly define what you really want to do when it comes to workers compensation, because you have got to provide this right. It is not a benefit. That is a critical point. You really need to think carefully about what that means.

DR. GELLMAN: I think the point that you made about the effect of federal legislation on workers compensation is perfectly fair. I don't think any of the bills to date has faced the issue. It has to be dealt with. It has to be dealt with to some extent on its own terms, because workers compensation is different than anything else, for reasons Dr. Orgel talked about. It is in all the states, and it is all different.

On the other hand, having said that and recognizing the need to deal with it, the reaction for many communities to this legislation has been very consistent over the years. Everybody says confidentiality is important, we need a law, and we ought to be exempt. I hear this from the public health people, you hear it from researchers, you hear it from the law enforcement people, you hear it from the fraud and abuse people.

I don't know that anyone is going to get exempt, at least not in the way that they would like. I think one of the problems here is that the whole health care community and its secondary and tertiary organizations is all integrated. The flow of information is incredible, back and forth. It is simply not possible to say, we are going to take this piece and exempt it, because everybody is dealing with other players who are going to be covered by legislation and subject to rules. To say that one community or one kind of use isn't going to be, or one place won't be subject to it simply won't work. There has got to be a way to bring the problem under the umbrella, if you are going to have a comprehensive legislation, and deal with the concerns that you have, which are perfectly legitimate.

I don't know what the answer is. You may. But that is the solution here, as opposed to saying we are just not covered by this.

DR. HARDING: Any other questions or comments from anybody else in the room? We have about two minutes before we break. Do you have a comeback comment?

DR. CORM: No, no. I agree. I am just looking forward to that process, I guess. It is (word lost) for us quite frankly to make our issues known and dealt with. That is our challenge, I guess.

DR. HARDING: Thank you. I would like to thank the panel members this morning for being here, and also those of you who asked questions and comments at the end of the panel.

We will be breaking here for lunch from 12:30 to 1:30. This afternoon we will have several panel members, privacy advocates, Janlori Goldman and Chai Feldblum from the Georgetown University School of Law.

With that, again with appreciation we will thank the panelists for being here and adjourn until 1:30.

(Whereupon, the meeting recessed for lunch at 12:28 p.m., to reconvene at 1:30 p.m.)


A F T E R N O O N S E S S I O N (1:40 p.m.)

Agenda Item: Second Panel

DR. HARDING: I'm Dr. Richard Harding. I am the vice chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. We are beginning our second panel discussion.

I would like to ask the members of the subcommittee if they would introduce themselves, and we'll go around the room and have everybody introduce themselves again, because it is good for the record. Jeff, would you start, please?

MR. BLAIR: Jeff Blair with the Medical Records Institute.

DR. COHN: Simon Cohn of Kaiser Permanente and a member of the committee.

DR. HARDING: Richard Harding, a child psychiatrist from South Carolina and member of the committee.

DR. HORLICK: Gail Horlick from CDC, staff to the committee.

MR. FANNING: I'm John Fanning from the Office of the Assistant Secretary for Planning and Evaluation in HHS.

DR. FELDBLUM: I'm Chai Feldblum from Georgetown University Law Center.

DR. GOLDMAN: Janlori Goldman from Georgetown University Health Privacy Project.

(The remainder of the introductions were conducted off tape.)

DR. HARDING: Thank you. We appreciate the panel members coming today in a very busy time for privacy and confidentiality in the world of Washington and other places too, actually.

Our first panel, for the sake of those listening in on the Internet, this committee will be meeting between now and about 3:30. At that time, we will stop and then continue tomorrow morning. Instead of breaking for a period of time and then coming back, we are going straight through and finish a little bit early, rather than go and then coming back in, for the sake of our guests as well as ourselves.

Our first speaker today is Janlori Goldman, who is director of the Health Privacy Project Institute for Health Research and Policy, Georgetown University Medical Center here in Washington. Welcome. We are glad to have you.

DR. GOLDMAN: Thank you. I thought what I would do is just talk for maybe 15 minutes or so, and then leave opportunity to answer questions and have a bit of a conversation.

With this issue of privacy and health information, one of the things that we have found with the Health Privacy Project is that protecting privacy is critical to improving the quality of care in this country and to insuring access to care as well.

While we have traditionally approached protecting peoples' health information as a civil liberties issue and talked about privacy as a core individual right, we are finding now that it is actually a health policy issue and a health care issue. We have probably known this for a long time, but it is only recently that we have been able to actually create a framework for thinking about it as a health policy issue.

We talked for a long time about how fears about confidentiality affect peoples' behavior, probably in negative ways in terms of how they seek care, whether they seek care, what they are willing to share with employers, fear about employer access to information. But it isn't until recently that we actually now have some empirical data to support what has been for the most part anecdotal.

In a survey that was done commissioned by the California Health Care Foundation conducted by the Princeton Survey Research Associates and released in January of this year, we found that people have a higher degree of trust in their doctors and other health care providers, even including hospitals in terms of maintaining confidentiality, but that they are very afraid how their health information will be misused by employers and the government.

Now, to some extent, this trust and confidence in a provider's ability to maintain confidentiality we may see as an illusion of confidentiality, since many providers are now required to disclose detailed encounter data in order to be paid for their services, or they may even be required in a self insured environment to disclose information to personnel managers in an employment context. But people do still believe that this doctor-patient confidentiality somehow protects the information that they share within the four walls of a doctor's office.

It is once that information is disclosed, or fear about that disclosure, that is affecting their behavior. What we found is that one in five people believe that their health information has been improperly used in some way by someone. Again, the higher levels of trust were with the providers. As it moves through the chain of custody, as health information flows, that trust decreased.

One in six people acted on that fear that the information was misused by engaging in some form of privacy protective behavior, such as withholding information from a doctor when they are seeking care, giving inaccurate information to the health care provider, asking the doctor not to write something down, can I just share this with you, but please don't write it down, doctor hopping as a way to avoid a consolidated medical record, or in the worst case scenario, not seeking care at all, for fear that by getting a test, by seeking certain kinds of treatment, they would be jeopardizing certain critical benefits such as a job, health care, damage to reputation, embarrassment, some form of discrimination.

One in six is a very high percentage. When I saw these numbers I was surprised. Even though I had suspected given the anecdotal evidence that the number would be high, one in six seems intolerably and unacceptably high, particularly when you look at other sectors, where there is a high degree of sensitive information.

Let's look at the financial sector, for instance. If the banking industry had such information that one in six potential customers kept their money under a mattress for fear that the bank wouldn't safeguard their money or that the bank would misuse or improperly use information about their finances, it would wreak havoc in the banking industry. They would be first in line seeking for reforms to give the public trust and confidence.

As somebody said in talking about the survey, maybe this is peoples' perception that the information is being used, and because of their perceptions they are engaging in privacy protective behavior. It doesn't matter whether it is perception that is based on a fear that they may have that is not necessarily supported by the law or policy of that health care entity, or whether the law is there but they don't believe in it. The truth is, people are jeopardizing their care. They are undermining their own care, because without accurate information shared with a provider, diagnosis and treatment will be undermined, the ability to accurately and effectively diagnose and treat.

Then the information that the providers end up sharing with the health plans and with researchers and with public health departments lack reliability and credibility. So we have public health departments and the NCHS and CDC and others who are relying on the accuracy and the completeness of reported data.

We don't even know where the information is not wholly reliable. It is impossible to trace it back. If people are withholding information and not telling their doctors or they are providing inaccurate information, we know they are not seeking care; that is going to be a very tough thing to measure, the cost to peoples' care and the impact on research.

So all of this leads me to the conclusion that protecting privacy is critical to insuring improved quality and access in our health care system. While we hear often that protecting privacy may be a barrier to using information or to getting information, we need to look at the hurdles that the lack of privacy creates at the front end of the system. We need to try to measure it and take it into account and address it.

In an employment context, there are many points at which employers either have access to information or can have access to information. Again, since we are operating in an environment where there aren't federal rules governing -- completely governing, and I'll get to some of this in a moment -- access to employee information, health information, I would suggest that we need to look at both the pre-employment area, where the ADA covers access to information in a pre-employment context, where the employer is paying for or providing the benefits.

Oftentimes, the employer is considered the customer. The patient or the employee is not considered the customer. I think that creates a terrible tension, were the employer for instance were to ask for information that might be identifiable, to understand why their premiums have doubled or why a particular employee has been out for long periods of time.

There is nothing in the law that prevents employers or prevents health plans from making that information available. How they use it is a different question, or whether they use it is a different question. But the access to that information of an existing employee is not fully governed by federal law.

Another issue is the employee assistance programs, which again I understand are set up and run for both the benefit of the employers and employees, but that is another collection and access point. Workers comp background checks that might be done for promotion purposes.

I don't want to suggest that employers as a sector are nefarious or malicious in their desire to use personal information. What I want to suggest is that there is a lack of regulation and a lack of rules about what is appropriate and what is not appropriate, and often of carelessness that is leading to abuses and this perception that employees are at risk of having information known about them that they would choose to keep confidential, that is not tied to their ability to do a job.

When I say careless, I have heard story after story from employers and managers and occupational nurses who have said, we get the information from the plans and we don't ask to have it stripped of identifiers. That doesn't occur to us. What we get is the identifiable data. What should we do? Or managers might say, the employer is demanding access to the identifiable information or the occupational nurses say that they are often forced -- because who is their employer -- to give identifiable information, and they are put in an ethical bind, as to whom do they owe a duty of confidentiality.

So I think that the absence of regulation and the absence of enforceable rules has created an uncertain environment. I think people have responded in a way that undermines their care. Why would we want someone to be afraid to participate in an employee assistance program? They are there ostensibly for the benefit of employees. If they are worried that there is going to be some retaliation or that they will lose some benefit, or that their privacy will be violated, even if it is a question of gossip within their company or their place of employment, that is enough I think to have a chilling effect on their desire to seek care.

One of the things that I have said a lot, and why it is such a pleasure to be working with Chai, is that in many ways, privacy is the first line of defense against discrimination. When we are looking at how to create some real limits, not only on what employers can know or should know, but on what they can do with that information. We need to do both. We need to both protect privacy and prohibit discrimination.

Again, another analogy that comes to mind is, when you are in a courtroom trying a case and something outrageous is said and the judge says to the jury, disregard that. Well, of course, that is the only thing the jury is going to remember.

So in many ways, when we tell employers what they can and can't do with the information, and we put a big red flag on it and say, this is the good stuff that you can't know about, I think it creates a terrible temptation. There are also issues of burden of proof and proving that somebody acted on information in a discriminatory way.

So my hope is that within the year, as Congress moves to meet the deadline created under HIPAA to enact comprehensive health privacy information, that we will create a comprehensive scheme to protect people in employment, and other sectors as well, by protecting privacy and prohibiting discrimination.

DR. HARDING: Thank you very much. You are going to be leaving soon.

DR. GOLDMAN: Do people want to try to do questions now?

DR. HARDING: Maybe we could ask questions then of Ms. Goldman, questions about some of these things.

DR. GOLDMAN: Do you have any?

DR. COHN: Maybe I'll just start. This morning when we were talking about the employers and others around these issues, I asked them the relative importance of privacy legislation versus anti-discrimination legislation. I hear you describing them both as a one-two punch.

First of all, how far are we going to get this year if we just get privacy legislation versus if -- we also need anti-discrimination. What are your thoughts on that?

DR. GOLDMAN: I think Chai will follow, but there is already the Americans with Disabilities Act. There is already anti-discrimination legislation. So the missing piece is the privacy legislation. That is the piece that we don't currently have, and where I am hoping that when we do, that it will create a more comprehensive set of safeguards.

DR. COHN: Just to follow up on that, I guess I thought that that piece of legislation dealt with people with disabilities. Is that more comprehensive than my understanding?

DR. GOLDMAN: That is a fair point. I think that the idea is, whether someone has a disability or not is not always evident. So the employer access to medical information and the use of that information applies regardless of whether someone actually does have a disability, whether they can learn whether somebody has a disability or some other condition.

So the employer access to the information would apply regardless of that individual's status.

DR. COHN: So your conclusion then is that that piece of legislation is sufficient at this point?

DR. GOLDMAN: Because again, in my view, if employers are limited in what they can get access to, unless they are able to get access under the Americans with Disabilities Act, if they are limited to what they can get access to, then that is that first line of defense against discrimination. If they don't know it, they can't act on it, whether the person has a disability or doesn't have a disability. They can't act on it. Even if it is not considered a disability, but for whatever reason carries a stigma, if they are being treated for depression, but it might be episodic, it might not rise to the level of disability, if there is a stigma attached to that, and there often is with people with mental illness, with any kind of seeking mental health treatment.

I was on a plane not too long ago, sitting next to a woman who was a relatively high level computer executive. I told her what I did for my job and she said, that is so interesting. I have been so anxious at my job lately, and I am trying to learn how to manage the stress and anxiety that I feel at work. I am thinking about going to see a psychologist, but if my employer finds out, then I might jeopardize a promotion.

Now, I of course suggested to her that she just pay for the care out of her pocket, given that she probably had the means to do so. But that might not be an ADA covered condition, but certainly a barrier to her seeking care. Why the employer should ever have that information in the first place is beyond me.

MR. BLAIR: Ms. Goldman, maybe you could help me with this. You have probably struggled with this idea already. But I would like to know what your thoughts might be, some guidance that you might have for us, in terms of a balance. Clearly, we need to do a much better job of protecting employees from not only the inappropriate use of their health care information by employers, but to some extent maybe creating some barriers to access to their health care information by employers.

So I think that that is clear that that needs to be done. One of the things is that more and more, this nation is moving to the information age, where we have many more small employers, with just a few employees. The realities of the marketplace, the survival of these small firms, is based on the fact that they employ employees that have skills and knowledge and that are available.

If we wind up going to one extreme in protecting employees that may have disabilities or other health care conditions, we put a burden on the employer, especially small employers that may not survive as a company if they have many employees that are not available to be productive.

DR. GOLDMAN: Or that cost a lot.

MR. BLAIR: Or that cost a lot. Do you have some thoughts as to where the balance could or should be in these situations?

DR. GOLDMAN: The way that you pose it does point out what the tension is. I guess when I look at this, I don't necessarily posit it as a balance, because I think in this circumstance, given what we know now, where people are afraid that their privacy will not be safeguarded -- again, not absolutely safeguarded, but where there are appropriate limits, they are afraid to seek care. They are afraid to fully share with their doctors, to fully participate in their own health care. That is going to be far more costly in the long run than the cost of seeking that care and insuring that an accurate diagnosis is made, the appropriate treatment is prescribed, and that person hopefully can get some decent monitoring of whatever condition they might have.

But that is cheaper and more humanitarian and probably benefits our community as a whole in the long run, as well as the individual. So for me, I don't necessarily balance the employer's interest against the employee's interest. I see that we need to be able to see the long run, and that there are going to be costs that will be tough to measure, if not impossible to measure. They might be social costs as well as economic.

But I think here, particularly from what we know about people withdrawing from full participation in their own health care, there are going to be serious costs attached to that.

So I think that we need to take that into account when we are thinking about creating a work force -- or allowing employers to try to craft just the healthiest, most able-bodied work force. It is not realistic, and I think ultimately it is going to drive people away. People will be afraid, if they know that their employer is reticent about having somebody who may have a condition, such as this woman who was afraid to seek counselling, for exactly that reason. It was a large employer, but she was afraid that it would go against her in a promotion.

DR. HARDING: This morning, one of the panelists was talking about the culture of employers, and that some cultures are aimed at good confidentiality issues. We had a representative here from IBM who had a very unusual for the industry program of checks and balances and protections and firewalls. It was very impressive.

We asked a couple of questions about the cost issue of that, and of course that gets into cost versus benefit and so forth. Do you feel that there are -- I am not much of a punisher and wanting to fine and put in jail people who don't do the right thing and so forth, but instead would like to incentivize the right things. What are the incentives to privacy that make sense to employers and to industry, because they have to meet their bottom line every quarter, and the stock is going to go up or down on the basis of what their bottom line is.

DR. GOLDMAN: IBM does seem to be doing well.

DR. HARDING: But somehow or other --

DR. GOLDMAN: It has been a good year for them.

DR. HARDING: They haven't suffered, but do you have -- in your experience, have you had thoughts along the line of incentives for privacy protection?

DR. GOLDMAN: It's a good question. I have worked on this issue for 10 or 12 years now, so in the absence of a federal law, all I have is this opportunity to create incentives to do the right thing. IBM is one of those companies that I have worked closely with. In fact, they are on a health privacy working group that we have, where we are trying to arrive at a set of best principles. We are using them in many ways as a model and as a gold standard for how you do the right thing in the absence of a law requiring you to do so, not necessarily because they are altruistic good guys, but because they know it is in the best interests of their company, that there is a bottom line that is met by making sure that employees feel they can participate in employee assistance programs. It is a large self insured company. Their employees can seek health care and not worry about reprisals.

I think again, their focus is on having a healthy work force, that this is the way you insure that. So the incentives in a voluntary self regulatory environment are tough, because you have to make the case. It is not obvious. I think the temptations to use information in ways that are more immediately profitable are greater.

That is what we found. There is a market incentive to use information for profit, or to use information to cut costs at a more immediate level. So the case has to be made that it is in peoples' health care interest and therefore in the interest of the bottom line of that company to do the right thing and to create those firewalls in the accountability and the oversight and the audit trails and the limits.

It is much easier to do again in a large company than in a small. But I firmly believe that the greatest incentive to protecting privacy is having a federal law that will punish people who don't do the right thing. While I appreciate your desire not to be punitive, I think that an incentive which is positive in the sense that, if you can fall outside of the scope of that regulatory regime, if you can fall outside the scope of a law that is regulating the flow of information, by using non-identifiable information, which under most of the federal proposals that we have been looking at would not be covered, and if they are not covered you can do whatever you want with non-identifiable information, short of turning it into identifiable information, and not worry that you will be penalized, either with a civil or criminal penalty or some other lawsuit.

So I actually think that in the marketplace as I have come to understand it, that is the incentive that works. Industry has had decades to self regulate in this area, and we do have some models to point to. But they are models and they are the exceptions, not the rule.

DR. FELDBLUM: I am Chai Feldblum. I think what it makes the most sense to do is to give you some of my basic comments in terms of the context, and then maybe respond to some of the questions that came up.

I direct a federal legislation clinic at Georgetown University Law Center, where I train students to be what I call legislative lawyers, which is a lawyer who understands law and understands politics both, so that they can research, draft and negotiate effective legislation, which in this town means knowing both law and politics.

This is what I did 10 years ago during passage of the ADA, the Americans with Disabilities Act. I served as the chief legislative lawyer for the disability community, negotiating, researching and drafting provisions of that law. So I am coming to you today in the context of my experience with the ADA, and also my more recent experience -- I don't have Janlori's 12 years, I have a mere six years of working on this federal privacy law.

For several years in the clinic, Janlori was actually our client. She went off for a year to academia. We continued working on this proposed legislation for the Consortium of Citizens with Disabilities, that is, the disability community.

What I want to talk to you today in the context of employment is to spell out what currently exists in the law in terms of anti-discrimination, what are the current prohibitions on employers, both in terms of discrimination and in terms of privacy, and then to explain more clearly where the gaps exist, because as Janlori said, this is now the need for the privacy law to fill in the gaps.

So let me start with existing law. The reason these are connected is that people often say we need a privacy law, because as that woman was concerned about, she was concerned that she would be denied a promotion if the employer found out she had gone to a psychiatrist.

So the question is, is that true under current law, that the employer could deny her a promotion on that basis? So that is what I want to answer first.

The first question, and Dr. Cohn asked this in his question, is, who is covered under the Americans with Disabilities Act? Who has a disability? This is actually a quite relevant question at the moment, and we will have more direction from the Supreme Court in about a month and a half on this question. But I will tell you what the assumption was 10 years ago when Congress passed the Americans with Disabilities Act, as to who was covered.

That is, any person with a serious medical condition was covered as a person with a disability. So disability did not just include what was considered traditional handicaps, people who use wheelchairs or people who are blind or people who are deaf, but people who had any medical condition -- epilepsy, diabetes, depression, cancer, severe back problems. All of these were considered people with disabilities.

That is not quite in sync with how the public often thinks about disability, because the myth of disability is that it means disabled, unable to function, unable to do anything. I have heard judges say, I know lots of people with cancer who do a lot of things, as if disability is somehow inconsistent with doing a lot of things.

The concept of the ADA, of a civil rights law, is that there are many people with a range of medical conditions who are in fact perfectly capable of doing lots of things. That is why there is a law to prohibit discrimination against them, in hiring, in promotions, et cetera.

So conceptually, the ADA covers the range of people with medical conditions. Judges have had a problem with that over the past 10 years, because as I said, of this concept that disability means unable to work. For years, the only disability they saw were people asking for disability cash payments. Those were the cases that came before them. So in their minds, disability meant unable to work. That is why they were asking for cash payments. They haven't quite been able to jibe that there is a difference in disability when you are trying to get cash payments, because you can't work, and disability under a civil rights law, when the whole point is that you can work. They have had some trouble with that. Perhaps in a month and a half, the Supreme Court will give some direction, perhaps not, we'll see.

But for the moment, I think we should assume that under the ADA, people with a wide range of medical conditions are covered. So now the question is, what is prohibited, what is allowed. Under the law, the law says that a qualified person with a disability cannot be discriminated against, a qualified person with a disability.

This is the only civil rights law where the word qualified is put in the law. Title 7 of the Civil Rights Act of '64 says you can't discriminate based on race or gender or religion. It doesn't say you can't discriminate against qualified people based on race or qualified people based on gender, because the whole assumption is they are qualified, but you are not hiring them because they are African-American or they are a woman.

Disability is the only law that has the word qualified in it, because when this initial law was passed in 1973, the one that the ADA was patterned on, it was like, oh my God, non-discrimination based on disability? That could mean blind bus drivers, right? So the response was to say no, the person has to be qualified, and if they have a disability, and by virtue of that disability they can't do the job, you don't have to hire them.

But of course from the perspective of disability, it is excellent to get the word qualified in there, because a lot of blind people are not trying to become bus drivers, but they are trying to be chief executive officers, they are trying to be salespeople, they are trying to be lawyers. In each of these areas, someone who is blind is perfectly qualified to do these jobs.

So the point about putting qualified in the statute is, it forces the employer to explain why it is that that disability makes that person not qualified to be chief executive officer, salesperson, et cetera. So you have to be qualified.

A second element of the ADA is that unlike race and gender, where all you need to do is simply ignore race, ignore gender, and treat the person as you see them, in disability there is an affirmative obligation on the employer to make what is called a reasonable accommodation to modifications of policies and practices or use of devices.

Let's say the person says, oh, you're blind, you want to be CEO? Perfect, come on. Oh, you need a computer that talks? We can't do that because our computers don't talk. Oh, you need a reader? That is having another person do your job. If you just treat the person as if they are just like any other person, you are not giving them equal opportunity.

The reason why it is a civil rights mandate, not charity, not pity, a civil rights mandate to get the computer that talks, is because we have set up our society as if there were only non-disabled people in our society. We make computers that don't talk, because we just assumed that everyone can see. We have already made decisions in our society that assume that everyone is not disabled, which is wrong. Our society is made up of people with a range of medical conditions.

So the point of ADA is to say, the employer must make an affirmative obligation, must make some affirmative changes to accommodate the fact that our society includes a range of people, people who might need to go for treatment once a week, so they can't be a rigid nine to five. They have to come from 10 to six. We set up our society as if people don't need to go for treatment once a week.

That is the reasonable accommodation requirement. It has a limit. It can't cost the employer too much. It can't be too burdensome procedurally. A receptionist probably couldn't get a 10 to six schedule, if you need nine to five, and a lawyer could. It is very individualized.

Now, all of this is to say that you also cannot refuse to hire someone because they might need that reasonable accommodation. You can't refuse to hire someone because you are afraid they are going to cost you more medical costs, or if you found out that someone was going to see a psychologist, you couldn't use that information to deny her a promotion unless she wasn't otherwise qualified for that promotion.

It sounds lovely on paper, and sometimes even lovely in implementation. But often, just because you have the protection doesn't mean that you -- just because you have the legal protection doesn't mean you will get the real protection in life. They won't tell you you didn't get the promotion because you went to a psychologist. What? No, we love psychologists. We just didn't like how you interacted with one of your subordinates. Who is to know? Even if you have some information, bringing a lawsuit is very draining. It is draining financially, emotionally. People don't wake up in the morning and say, oh boy, I get to sue now. What they want to do is wake up in the morning with a promotion.

So that is Janlori's point of, we need to have some law to make sure that the employer doesn't have this information from the get-go.

What does ADA say in terms of privacy right now? ADA has some confidentiality protections. What I want to conclude with is tell you the confidentiality protections that the ADA does have and then what it doesn't, what a privacy law would complement, and how passing a privacy law would not stop employers from getting information that they do actually need.

In terms of what the ADA does right now, I brought pieces of paper. I apologize, because I ran out, but I will get them both on disk and by email so we have it in other formats. But the one-pager is called Limitations on an Employer's Ability to Obtain and Use Identifiable Health Information Under ADA. So that is the one-pager. And because I am also an academic, you have got the Law Review article that spells out in detail all the information about medical exams and injuries. This is when you can't go to sleep, and you can amuse yourself with that.

But let me just use for this the one-pager that I have given you. The ADA divides confidentiality issues into a pre-employment moment and a post-employment moment. Pre-employment, the ADA has a rule that says that when I come for a job, the employer cannot ask me to fill out a medical questionnaire, the employer cannot call my doctor to find out about my medical condition, the employer cannot subject me directly to a physical exam, not do any of those things right when I first show up for the job.

The idea being that if you could have someone fill out that questionnaire and someone asks, have you ever seen a psychiatrist, were you treated for clinical depression, fill out any condition you have, and you put down epilepsy, if you give that in and then you have your interview and they check your job references, and then they call you back -- and you filled out that you have epilepsy or you were treated for clinical depression, and they say, you almost made it, but you just didn't and we hired someone else.

You have no clue whether the reason they didn't hire you was that you were treated for clinical depression five years ago. The idea here is to force the employer not to get any of that information up front. Then the employer once he checks your writing sample or the job references and whatever else for the particular job, the employer then offers you a conditional offer of employment, conditioned on perhaps getting necessary medical information. If you are applying to be a lawyer, they may not need to know your medical condition. But if you are applying to be a firefighter, they certainly might want you to go through a physical exam.

So it is simply to divide the time period, so that there is a conditional job offer. After that conditional job offer, the employer can ask any question -- it doesn't even have to be relevant to the job. He can ask any question about medical information, can call your physician because you will authorize that. This is how a privacy law would still work, because every privacy law allows information to be given upon authorization. These are one of those compelled authorizations; if you want this job, you will authorize us to talk to your doctor about your physical condition. Can talk to your doctor, can get medical records, can do a physical exam.

The only limitation then is a limitation that exists in the law generally, that the results of the examination can only be used if those results indicate that you are not qualified for the job. So if you are applying to be a truck driver, and then they do the eye examination and they find out you cannot see even with your contact lenses, that job offer can be withdrawn, because you are no longer qualified for the job.

But let's say you are applying to be a truck driver and they find out that you were treated for clinical depression five years ago. They can't say, you might have a sudden relapse while you are driving a truck, or you might cost us more money because mental health care is so expensive. They can't withdraw that conditional job offer for being a truck driver.

All the information that an employer collects through these questionnaires, physical exams, talking to doctors, the ADA says that that information must be kept separate from the general personnel records, because that information gets certain confidentiality protection. That is under the ADA. That information that the employer collected, not if the employee just happened to share, but if they collected in this context of employment, that information can only be disclosed to a person's supervisor if the person is asking for an accommodation. If they are not asking for an accommodation, it doesn't go to anyone. But to a supervisor if you are asking for an accommodation, first aid or safety personnel, if necessary in a particular situation, the government officials investigating compliance to the ADA, and to state workers compensation offices. Those are the only entities that that information can be given to.

An employer that wants to get this information has to ask it of everybody. They can't say, you look sickly, I'd like you to fill out a questionnaire. All employees in any class of jobs have to be asked the same question.

Once an employee is on the job, then there is a slightly different rule that attaches to qualification. That is, an employer can ask any employee, including just one employee, to undergo an exam, a physical exam or to answer questions. Those questions or exams are what is called job related, and consistent with business necessity. In other words, the employer needs to know.

So for example, you have been a truck driver, and then you have an accident. They can ask you to take a vision exam without forcing everyone else to take a vision exam, because they have some reason to need to know that you are still okay. But if someone's hair starts falling out, but they are otherwise doing their job just fine, the employer can't say, do you have cancer, I want to see your medical records. So there, it is just tied to the person's capability to do the job.

Again, any information that is obtained with those types of questions are subject to the same confidentiality protections.

So there are some privacy components to the ADA, but these are all only related to information that the employer gets for employment reasons. It doesn't cover an employee assistance program. Nothing in the ADA is going to stop the employer, if the employer believes that this person is not doing the job well, to call the employee assistance program and say, I want to see all of their medical records, because they will just say, I need to know, it is job related, consistent with business necessity.

There is no other limitation on how much of the medical record you get. There is no analysis in terms of privacy. Plus, if on their own a hospital decides to call up an employer and give some information, as happened with one of the CCD clients, one of the people who testified, someone who went for counselling and he worked for the FBI, and they called the FBI. You should know about this. The guy got fired.

Under the ADA, he should not have gotten fired. No, but thank you for sharing. It's nice, but it doesn't help after the fact. So there is this need to make sure that information that should not be shared is not shared up front. I'm sure the last thing he wanted to do was to bring a lawsuit, so everyone can know about his counselling, as opposed to just his employer and the people that he has to tell that he got fired from the job. So lawsuits or not, as I'm sure many of you know, are not the answer to the overall situation.

So that is the setup. We have an anti-discrimination law. It has some confidentiality protections, not the end-all and be-all in terms of privacy. There is a need, as Janlori said, to just complete the loop here with the privacy law, though that privacy law because of the ability to authorize information to go to employers, will be used when it is necessary, when employers need information, but will hopefully stop unnecessary or inappropriate disclosures.

DR. HARDING: Thank you. Questions or comments?

DR. COHN: First of all, thank you for a very interesting and educational presentation on the ADA. It is obviously much more expansive than I had understood it to be. I think I like others tend to think of disabilities as you described.

Having said that, is it going to be sufficient? If we actually had a piece of good privacy legislation in there, is the problem solved and you all look for new employment? Or is there still going to be issues around disability that are not appropriately being handled? I tend to think of issues like stigmata discovered in medical records or otherwise inadvertently.

DR. FELDBLUM: I think it is sufficient as a law, assuming that it is interpreted to cover a broad group of individuals. But no law can change peoples' attitudes about stigma.

Even if you had a privacy law that says information should not be inappropriately disclosed, you have to allow medical information to go to employers, because sometimes they need that information. So a privacy law is not going to stop medical information from flowing to employers, because sometimes they need it.

Some of that medical information will be information of a stigmatizing character, whether it is mental health or former substance abuse or HIV or any number of other stigmatizing characteristics.

Now, the law is then there to say, you can use this as the basis for an employment decision or a promotion decision, et cetera. But there are going to be limits to that. As I said, people will come up with other reasons. Perhaps the person didn't get the job. They withdrew the condition law, not because of the HIV but because of some other reason. So there will always be limits to what the law can do.

But what a privacy law would do is make sure that information for example about your past mental health history just never even gets to the employer when the employer is dealing with a promotion issue. It just stops it from the get-go. But there will be times when information will flow and there will be a law that says you can't use it inappropriately. But to be honest, I think we need to do a lot more education to reduce the stigma around these conditions before we really change the society in a more broad based way.

MR. BLAIR: The question that I had asked earlier about any guidance on the balance, the testimony you just gave us frankly is the first time that I have heard some guidance on the balance. Apparently you did it by injecting the concept of qualification to perform the job, as distinct from what the medical condition or disability might be.

I think it is interesting. The other qualification you just made is that you put these legal parameters in place, they could go only so far. We may just have to accept the reality that other than these parameters, you can't legislate the heart and soul of individuals.

DR. FELDBLUM: I think that is right. I also think there is a different type of balancing question when you have a piece of privacy legislation versus an anti-discrimination legislation.

One of the decisions that was made very consciously in the ADA was that we were not going to second guess an employer's judgment of what he or she needed an employee to do. Qualified means qualified up to the standards of the employer. That is both qualitative standards, how good I need my employee to be, and quantitative standards, how much I need my employee to produce. That is in the hands of the employer. If the employer wants to be a real stickler, they can.

The only thing the employer can't do is use the fact that someone has a disability to presume that they can't meet those high standards, and an affirmative obligation on the employer to make accommodation if the person needs that modification in order to meet the high standard. But if an employer makes the modification and the employee is still not performing up to standard, that employee can be fired.

So that was the decision that was made. I think in terms of privacy legislation, the balancing becomes, when do people appropriately need information and when can we rest assured that that information should be given through consent, and when do we believe as a society that that information might be appropriately taken even without the person's consent.

I think we all feel that those should be very rare circumstances, when that information goes without the person's consent. But there are some situations in public health, in law enforcement if there is a warrant. There are certain situations where that information goes without the person's consent.

DR. HARDING: Janlori was talking earlier that there is about to be a markup in the next week or so on the Senate side of a bill coming up. Do any of the current three bills before Congress and in the markup eventually have any wording or a take on issues that would be important here?

DR. FELDBLUM: Oh, yes. All three bills on the Senate side include employers as entities that are bound by the provisions of the law, the soon to be, we hope, law.

All three bills have this in common. One, they note that entities such as hospitals and clinics and doctors may not disclose information to anyone unless it has been authorized by the person who is the subject of the information, or unless the law has said you can disclose without that person's authorization, without that person's consent. All three proposed bills have that structure. Where they vary is how big their exceptions are, or what they require to be in what we call the compelled authorization. That is, when you come in to get treatment, all three bills have this assumption that in most cases you will be forced to sign an authorization in order to get treatment. Then the question is, how broad that authorization is going to be. So we call that the compelled consent, as opposed to the true consent, which is for a number of other areas.

In all of these bills, none of these bills say that a provider can disclose to an employer under the compelled consent. So when you go to a hospital and you sign your consent for your information to go, they want to use it for treatment and payment, and they also want to use it for some business operations. None of them assume that they are going to give it to an employer.

However, they can ask you to sign an authorization that is not compelled on your treatment to anyone else -- for marketing, for research, and presumably if they got a call from your employer asking for your medical records, if your doctor got that call and that was legitimate under the ADA to get those records, your doctor would have to get you to sign the authorization. But that authorization cannot be conditioned on you continuing to get treatment from that doctor.

So they all have that structure. They all also have exceptions from informed consent when it can go to someone without your consent. In none of the bills is there an exception from informed consent for it to go to your employer without your consent.

The only difficult question is those insurers who are self insured. So they somehow have information for payment purposes within their system. My belief is that all three bills protect against inappropriate disclosures to employers because every bill says that information can only be disclosed for the amount necessary to achieve the purposes of the initial disclosure.

So if I signed an authorization for my information to go for payment purposes, that information can be disclosed within the big IBM perhaps, but only for purposes of payment. So every bill I believe would prohibit information going -- even if it is just down the hallway, if it is for a purpose different from the one for which it was obtained.

Now, some bills make it more clear than others, but that is what I believe all of the bills would entail.

DR. HARDING: You are saying that if it is a self insured company, ERISA, it doesn't count?

DR. FELDBLUM: No. I'm saying even with the self insured -- if I am a self insured company and I have an office on the second floor that deals with all that self insured issues and payment, so an employee's medical information will go on to floor number two. But under the law it will never go up to floor number three to a supervisor, because that is not consistent with the purpose for which the person authorized disclosure. They authorized disclosure for payment purposes. You can only disclose as much as you need for payment purposes.

So I actually think that this law -- if any of these bills pass, with regard to employers we would get the necessary protection that doesn't exist right now, even for self insured employers. I think some people are not as comfortable, and they like to see that spelled out more clearly in the bills, so some of them do it differently in terms of clarity. But I actually believe that all the bills would have the same ultimate protection, assuming they become not just bills, but laws. As long as they are bills, they are zero protection.

DR. COHN: One of the things that we talked about this morning was occupational medicine and workers compensation. Some of these are an exception to almost every other rule we talk about, since it is state regulated, the employer has pretty much unlimited access.

First of all, do any of the laws attempt to in any way deal with the access issues around that? And regardless, do you have any thoughts about that one? Because that seems like it is a big controlled area generally.

DR. FELDBLUM: It is interesting, because when we were drafting the ADA -- and you can see in the chart, the statute only says that you disclose to supervisors for reasonable accommodation, to safety personnel and to government officials, and we didn't include state workers compensation offices or second injury funds, which really was probably an oversight.

What happened is, the EEOC just added those folks in their regulations, and no one has ever challenged that. They didn't have the authority to do that under the law, because I think everyone actually agrees that when you have a situation where a person with a medical condition is coming forward and asking for something, they are asking for benefits based on the fact of their medical condition. In that situation you have to have full disclosure of the medical information that is relevant to that workers compensation.

Now, what a privacy law could potentially do is make sure that only information that is relevant to that workers compensation claim gets disclosed, not the fact that someone had an abortion five years ago.

DR. HARDING: Who determines relevant?

DR. FELDBLUM: In all of the bills -- again, it is the same standard that says you must disclose only what is necessary for purposes of the disclosure. So actually in that case, it would be the employer who knows what he or she needs to decide the workers compensation claim, would say, here is the claim, here is what I need.

The doctor who is disclosing information would -- it looks like there is something being asked for, that that doctor does not believe is at all relevant to the workers compensation claim. I think that doctor could invoke the law, to say, the law says I have to disclose as much as necessary for the purpose of the disclosure, and I think that what you are asking for 15 years back is not appropriate, I'm only going to give you the last two years. So the doctor gets to make that decision within the standard.

Let's say the doctor goes ahead and gives all 15 years. Then the person has a private right of action to say that was a completely inappropriate disclosure. The checks and balances here is ultimately the court system, but as I have already said, that is not great to have to be there. So better is to have the guidance -- once a law like this gets passed, to have guidance about what would be the necessary amount of disclosure for example for a workers compensation claim.

What I think a privacy law needs to do is allow that disclosure to happen, because that is necessary information. The way a privacy law would allow that is through the second tier, what we call the non-compelled authorization. That is, in order to get that workers compensation claim addressed, you might have to fill out that authorization. So it is compelled for purposes of the workers compensation claim, but not compelled in terms of whether you are going to get treatment.

So there is a compelled authorization, you've got to sign this if you are going to get treatment, and then a non-compelled authorization, non-compelled for purposes of treatment and payment, perhaps compelled because you want your workers compensation claim, you want your social security benefit check, you want a job that needs a physical exam test.

But the privacy law will allow that disclosure through the authorization mechanism because the authorization will be limited, that you don't disclose beyond the authorization. You get the protections built in after you have disclosed what you have needed to disclose for that purpose.

It actually can work.

DR. HARDING: As we did this morning, we are going to ask if anybody in the room would like to ask a question or make a comment about some of the things that you have been talking about. We have asked that they come to the table and get in front of a microphone, identify themselves clearly and limit their comments and questions to three minutes, so that anybody who wants to have that opportunity can.

As I said this morning, the members of the committee will take preference on questions, but we are glad to have others doing so.

DR. PARSONS: Thanks very much. I'm Don Parsons. I am at Kaiser Permanente. We have sat across the table from each other before. I am always impressed by your eloquence and your ability to turn very complicated matters into things that even a simple doctor can understand, which is very kind of you.

I have a question for you. It has to do with some of the bills and perhaps all of the bills. In a situation where an employer actually is a provider, when an employer runs an EAP or has a workplace wellness program or whatever, and actually has a medical department or something of that sort, it has occurred to us that possibly, as a provider they become then able to access more information than they would just as an employer.

Because of the definition of a provider, not only indicating that the provider be someone with a license, a health care professional, but also an officer, employee or agent as well, makes me interested in asking this question: Can an employer as a provider assert access to PHI from some other provider, and then allow that information to get outside of the hands of the licensed provider into an agent, officer or employee, where it might be used inappropriately? What is the protection?

Now, if you were Kaiser Permanente, if you were Dr. Cohn, you would be really nasty to employers and you would say, we won't release information without the signature of the employee. But if this were to become a law, would employers who are providers in these circumstances have authority to access information?

DR. FELDBLUM: You need to also compare what is the situation right now versus what the situation would be if a law passed.

The situation right now is, if an employer is also a provider, that provider -- let's call the doctor Susan and the supervisor Joe. They are both hired by the same employer. Susan is acting as a provider. As a provider, she can -- and I'm let's say the employee. She can access my entire medical record, because presumably when I have gone to that EAP program, that employee assistance program, I have authorized her to access all my information. So she has got all my information, and she can talk to other providers to get information about me whom I am consulted with.

Under the law right now, there is nothing that prohibits Susan from calling Joe and saying something about my medical condition to Joe. There is nothing under current law that stops her. Current law does stop Joe from using that information against me if I am still qualified, but there is nothing under current law that stops Susan from telling Joe my medical information. There might be ethical reasons and all that stuff, but not a federal law.

So now the question is, if any of these three bills passed, even though Susan and Joe are still the same employer, Susan would not be able to call Joe and give Joe information about me, because while she can go talk to someone else if it is to further my treatment, she can go access my complete medical record to further my treatment, unless somehow talking to Joe is to directly further my treatment, something that I have authorized, if any of these three bills pass, she could not talk to Joe. That would be a major change in the law.

DR. PARSONS: Because it would not be for the purposes --

DR. FELDBLUM: Because it would not be for the purposes for which I had authorized her. Remember, the way all laws operate, you may not disclose to anyone unless either it has been authorized or we as a law have decided you can disclose without authorization.

So Susan can't disclose to anyone unless it is authorized or it is some exception. Obviously, the biggest authorization will be for treatment and payment purposes. So Susan in fact could send information up to Mary, who maybe is doing the payment. So she can disclose for treatment, she can disclose for payment. She cannot disclose to Joe's supervisor for pure information enhancing modalities.

DR. PARSONS: Just a brief followup. In the case of a small employer, and you can reduce that as small as you want, perhaps the person who is in charge of the EAP and the person who is the supervisor of the patient may be the same person. What happens in that case?

DR. FELDBLUM: We have actually struggled with that question. I think the answer simply has to be, if you are a small employer such that you are the same person, you can't say to your half a brain not to listen to the other half. So clearly, that disclosure happens. It is not a liability under the law, it just can't be.

So we have accepted that in those really small businesses where the person is doing the payment and the treatment and supervising all the same, it sounds like that person should get a new job, it sounds a little overwhelming, but assuming that is their job, obviously that is the reality; there will be that disclosure.

Then you at least have the ADA that says that when you are operating with the part of your brain that is the supervisor, and even though you know all this medical information in the part of your brain that was the EAP director, you can't use it unless the person no longer qualifies.

DR. PARSONS: My other question had to do with the private right of action, and whether or not you as lawyers who have a lot of experience can foresee that opportunity opening up a real Pandora's box of litigation on these issues, or if there is some way that the bills should be constructed to limit the opportunity for that.

DR. FELDBLUM: It's a very fair question. Because we are a litigious society, we just are, the question is, let's make sure we are crafting laws that make sense and are not going to be unduly burdensome.

I think there is no doubt that you have to have the ability for an individual person to bring a private right of action if we are going to have the law make sense at all. We could fund this building 10 times over and we are still not going to be able to give the government the right to do all this oversight and monitoring. Number one, who would want to do that? Number two, even if you gave them all the money, they are not going to be effective. You can't be effective monitoring across the whole country.

The best way to have effective monitoring is what we discovered through the law -- to give each individual person the right and the capacity to say you violated the law vis a vis me. It is the most effective approach.

The truth is, people don't go into litigation easily, because of the amount of money that it costs, because of the draining factor. What giving that private right of action does though is create a capacity for the particular employee to negotiate with the employer if something problematic has happened. That is why very few cases actually get caught and most cases are settled. The law sets out the parameters. People now know how they can operate. Then they settle out of court because no one wants to go to court.

But by having a law with that private right of action, you create two things. You create incentive for the employer to get it done right. If the employer knows if they get it done wrong, maybe the government will come in some oversight capacity, that will never happen, but if the employer knows that any person that they wronged could come forward, that is a significant incentive.

Two, when someone does violate the act, you get much more effective enforcement, because the person whose rights have been violated can come forward. The fact of the matter is, this is not an area where you can have a huge amount of damages. It is just not. In some rare situations you will be able to prove a large amount of damages, not in most cases. So this isn't going to be the type of treble damage lawsuits that exist in some areas where you have more of a problem than here.

DR. PEEL: I am Deborah Peel. I am a physician from Austin, Texas. I just heard a bit of what you were saying about these bills. I had a couple of questions, because some of the ways that I have interpreted them and heard them interpreted vary a little bit from what you said.

I thought it was only the Leahy bill that makes it clear that the doctor decides what is relevant for disclosure. I think that is spelled out in Leahy and not the others, that it is not the employer who gives more power to the physician to protect the patients. Is that how you -- you sounded like you didn't see it that way.

DR. FELDBLUM: No, I don't see it that way. I think the Leahy bill is a much more protective of privacy bill generally. But I see that because most importantly, they don't require a lot of information in the compelled authorization. They give people a lot more autonomy in terms of information that will be disclosed. There are exceptions from informed consent that are much more narrowly drawn. That is the ways in which it is more protective of privacy.

On the issue in a workers compensation claim, how that would play out, that is all going to be through an authorization in any of the bills. The person, when they fill out their workers compensation claim, they are going to fill out a sentence that says, I authorize my employer to get medical information.

Once they sign that authorization, each of the three bills has the exact same sentence, that says, someone who discloses can only disclose the amount necessary to achieve the purpose of the disclosure. Each of the three bills has that same sentence. It is one little sentence, might as well not even mention it, and it is so critical, because that is a very important protection.

Now, in none of those bills does it say who decides.

DR. PEEL: I thought it actually did in Leahy.

DR. FELDBLUM: I'll go back and check that. I would be surprised.

DR. PEEL: There is a section there that says the doctor would be the one who decided which was the relevant information to disclose.

DR. FELDBLUM: But I feel that even if it doesn't say that, that to me is the correct answer. It is the person asking who says what they are asking for. They are the ones who establish the purpose of the disclosure. That might be the public health department or the employer or whoever. But then the person disclosing, which is always going to be the doctor or the hospital, they decide whether that meets the standard.

So I think even if it doesn't say it in the bill, by force of law that is how I think it would operate. But Leahy-Kennedy is often more clear in a lot of these areas. I don't remember this as a point of clarity, but generally they often are.

DR. PEEL: I had one other. Actually, the man who spoke before me was getting at the same kind of things. In reading these bills, it does look like in some of them that employers are newly defined as health care providers, which I think would give them massive access to information. Maybe it is only in these situations where they run an EAP or a clinic in the building, like we were talking about.

But as someone who actually treats sick people, I don't think most of the public believes that their employer is a health care provider. So I think this is going to create a lot of problems if employers really -- suddenly find themselves like physicians or nurses or people like that, that actually give services to sick people.

DR. FELDBLUM: As I said in my answer to the question, these bills would enhance the protection that exists under current law. Right now, many employers do have EAPs, are self insured, and there is no federal law that stops that flow of information.

So what these bills are intended to do is, when an employer acts in that capacity, when they are already acting in that capacity, here are the laws that will now apply, not transforming employers into providers. But it is important to remember that it could be misconstrued in this way, and make sure that the proper education is given out there once these bills do become law. I do believe one of these bills in some version will.

DR. HARDING: Any further questions or comments from those present?

MS. SANCHEZ: I'm Linda Sanchez. I work for Health and Human Services. I have a general question for Chai and the providers in the room. One of the things that we have been hearing is that for an authorized disclosure, for all kinds of reasons, if you put the onus on the provider to make the judgment about what is minimally necessary for the purposes of the disclosure, that a lot of providers will balk at providing any information at all, because they will feel that they are legally at risk. If you consider the provider to be say a hospital records room, they will not want to have to go through the entire medical record and find out what was relevant to X, Y or Z condition or accident, what have you. If they are no longer able to just xerox the entire record, they will stop making any disclosures at all.

So I am wondering, what is the proper balance here in terms of what burden or responsibility you are putting on the providers, who often are the ones most clinically able to say what might be relevant, but also are not in any way compelled to make the disclosure, and giving responsibility without any reason for them to actually take it on.

DR. FELDBLUM: It's a great question. This is why I almost feel sometimes that you have got to have a strong stomach if you are going to work on legislation. You know it is a good thing you are trying to do, but you also know that you cannot foresee everything. You hope you get questions like this before the bill passes.

I still have a folder called Things To Fix in the ADA that I have gotten post ADA enactment.

I don't believe that perhaps enough thought has been given to the standard of minimum amount necessary for the disclosure, in the context of treatment versus in the context of other situations. In other situations, I think providers are going to appreciate the fact that they are now given some protection. They don't have to just give over their whole medical record. They have some control over that information that they give over.

Where I think they could find it burdensome would be in the area of treatment, where they are trying to share a lot of information.

My gut at the moment is that -- my personal read about the minimum amount necessary to accomplish the purpose when it is treatment is often a very broad amount. It might not include the abortion the person had five years ago, but it is certainly inclusive of everything that is in their medical record of the last two years. For treatment purposes, often you don't know what is going to be relevant. If you are sending it for a consult, you don't want to be parsing it out. The whole point is to get some extra information.

So I would hope, and I think it is important for the legislative history of the bills to make clear that this is intended to be a very expansive concept when we are talking about treatment. We don't want people self censoring themselves in terms of giving out records. We want to give them this protection when it is beyond treatment, but not creating inappropriate constipation of records when it is actually going to help the patient.

I believe that the law as written allows that expansiveness. But I also know that people sometimes read laws narrowly because they are afraid. I think therefore it behooves any of us who are working on the bill now to make sure that the right message is sent, that they should not be afraid in that way. That becomes a drafting question, perhaps drafting within the legislation or drafting within the legislative history.

MS. SANCHEZ: For non-treatment purposes, if an individual authorizes disclosure, sends an authorization to their provider, saying I am involved in a lawsuit, please provide my health record.

DR. FELDBLUM: Sends that to the provider?

DR. HARDING: Could you talk into the mike?

MS. SANCHEZ: The provider would still I believe be bound by the minimal necessary requirement. How is that provider going to make that assessment? Isn't it possible the provider might not want to provide anything, because it might inadvertently provide information the individual did not think was relevant?

DR. FELDBLUM: If I am involved in a lawsuit and I ask the provider to disclose information relating to the lawsuit, number one, anything that is disclosed to me is not a disclosure under the law. The definition of disclosed means anyone other than the subject of the information. So the provider could just say, I'm just sending it all to you and then you decide what you want to use in your lawsuit. Then the provider is completely home free, because the disclosure to me is not a disclosure.

That is easy, if I am the one calling the provider. I think the more complicated question is, I filed the lawsuit, I put in the medical information I wanted to put in, and now the employer who is defending the lawsuit wants to get additional information. Now the employer has the right -- there is a section under the judicial proceedings that the employer has the right to ask that information of the doctor.

In a lawsuit, you are going to have the intervening factor of the court. All of the sections of the bill reference existing rules of evidence. So the court through discovery requests -- if there is a lawsuit there will be lawyers, and they will know how to use the motions, et cetera. But there would have to be a clear direction to the doctor what they want, what I the defendant want you to give me. Then it is an obligation on the defendant to show that is necessary for the lawsuit. That comes from general rules of evidence, not anything in the privacy bill.

So it is not going to be great, because besides the rules of evidence you can have this federal law looming out there. The federal law is intended to jibe with the federal rules of evidence in the current system. So I think in practice, it will probably shake out okay.

Linda is someone who goes as far back as I go on this privacy bill. The first time we met was over on the Hill. This is part of health care reform. Remember that?

DR. HARDING: The golden year of '92. Other questions or thoughts? Jeff.

MR. BLAIR: In any of the work that you have done, have you explored the area of where the boundaries could or should be in determining what is patient identifiable information and what is not? That has been an area that is vague. It would be helpful if we could get greater clarity on that for a number of different reasons.

DR. FELDBLUM: The answer to that is yes, we have certainly worked on that, struggled with that at times. I would say that where we settled -- and it is reflected in some of the bills, it is certainly reflected in the committee bill that is currently being circulated -- is the following.

Obviously, information that directly identifies the person, that is personally identifiable health information, what we would call protected information. Information where you reasonably could identify the individual, there is enough other information besides the name that you could reasonably identify the individual, is also protected health information.

Information which has been coded in some way, so that it is not immediately apparent from the face of the information the identity of the person, that would not be considered identifiable information, even if the person who holds that code might be down the hall, because that is often the way it operates. Even if the person who holds the code is down the hall, that information without the code is not identifiable information.

However, when the code is combined with the information, not even combined so as to be identified, but simply combined in the sense that the same person holds both the key and the encoded information, then we call that an act of disclosure. It is not like the non-identified information has become identifiable information, but giving the key over is an act of disclosure. Sometimes that is an act of disclosure that will be appropriate and sometimes it will be not appropriate.

So instead of mucking with the fact -- suddenly, the fact that I hold the key, this information is now re-identifiable? No, it is not, because I haven't done anything yet. To get away from the metaphysics of that, you simply say that giving me that key is an act of disclosure. So if it is appropriate, fine, and I can use the key to re-identify, and if it is not, then the violation has occurred right there when I have gotten the key, as opposed to the violation occurring five minutes later when I use the key.

MR. BLAIR: Got you. Can I expand the question a little bit?

DR. HARDING: Sure, go ahead.

MR. BLAIR: That was helpful. Any thoughts or discussion -- clearly this could vary in terms of the size of the population, like for a small employer, obviously. Just simply an indication of what the disease or condition is might be in a very small population sufficient to identify the individual, even if there is no name, no address.

Is there any, for lack of a better way to describe it, a way to indicate scalability for where the boundary is?

DR. FELDBLUM: This is why the law comes up with things like reasonable person, where you can reasonably be expected to identify. This is the reason the law comes up with these words. You can't possibly imagine every single situation. But you can, once you are given the facts, say whether it is reasonably apparent who the person is versus not.

So that is why -- although I think this is dropped from some of the bills, but I have always felt that it is appropriate to say that protected health information is information that is either directly identifiable or can reasonably identify the individual. That term reasonably allows the flexibility that human life requires.

People hate these words sometimes, but we come up with them because that is how the world operates. So I believe that concept needs to be maintained.

DR. COHN: Could I respond to that a little bit? This is an area that has been dealt with and looked at pretty extensively. Oftentimes people talk about cell size issues. I don't know if that is going to be reflected in any legislation or any regulations, but there is a whole statistical science around how big the cell size has to be before you make things truly unidentifiable. It is based on frequency of disease and all these other pieces. It is not an area that we have to figure out, other than, if we decide it is an important issue, take testimony on.

DR. HARDING: We had testimony actually last year with the doctor from MIT, Latanya Sweeney, who impressed us all with the fact that just about nothing is non-identifiable with a few nuggets of information. But again, reasonable. That is with an MIT Ph.D working at it, as opposed to a different standard perhaps. You are talking about a reasonable --

DR. FELDBLUM: Actually it is two things. There is a provision in the bill that I personally now call the Latanya Sweeney provision, because I also had the advantage of hearing her give this at a conference.

There is one thing that reasonably on its face could identify the individual, even if you are not Latanya Sweeney. That is some of the examples that you gave, that there is enough about the person right there in the information that someone could know who they are.

Then you have got a coded database. Then there are people like Latanya that can take the coded database and then use other publicly available databases and manipulate those databases so as to then de-identify information. Because there is someone out there who can do it does not make that initial de-identified database protected information, because if you did that it would be crazy. All of the stuff would be protected information, just because three people out there could do it. So you don't want to create a law that says that.

Instead, what all the laws say is that anyone who manipulates databases so as to create identifiable information has engaged in a disclosure. It is just like the key, but instead of someone giving me the key, I was smart enough that I created my own key, in the way that she can. Then I have created a disclosure.

But the reason I call it the Latanya Sweeney provision is, right now if she does it, it is not illegal at all. She can post on the Web Governor Weld's medical records. She might have other repercussions, but no federal law says that she did anything wrong. If this bill passes, then that act of manipulating the databases would be the act of disclosure itself, which would be a violation of the law if she then posted it on the website. It would be a further inappropriate disclosure.

PARTICIPANT: Following up on the same train of thought with the Latanya Sweeney technology, in your opinion -- and I don't want to have a confrontation between Latanya and yourself, but leaving in the personally de-identified information things like the zip code or date of birth, would that compromise the information de-identification? Could that be considered identifiable or non-identifiable, if you leave zip code and date of birth, which are two of the key elements Latanya uses to do the matching?

DR. FELDBLUM: I actually see no conflict between me and Latanya. It was just so appropriate to have her show how things are not protected right now under current law.

But here is where I would defer more, as Dr. Cohn said, to people who have a sense of what is needed for databases, in order to make them effective, as well as something -- just because you have it, whether it makes it on its face reasonably identifiable.

To me, a zip code is not making something reasonably identifiable, even though there are some people who can manipulate databases to make it identifiable. Date of birth perhaps is more of a question, but I don't even know how much more of a question. If you just have date of birth and nothing else, my gut right now tells me that is not protected health information under the statute. But again, I would defer to people who would know more about the implications of that.

But because so much protection attaches to protected health information if a bill like this becomes law, because so much protection attaches, we must be confident as policy folks that we are allowing non-identifiable information to be out there and used. We don't want to limit the system in a way that makes it inappropriate for research, most importantly, for CDC, for public health issues. We don't want to limit the system inappropriately.

One of the ways not to limit it is to allow non-identifiable information to be out there, used without limitations. If we start getting so worried that someone can start putting things together and it becomes identifiable, I think we have hurt ourselves.

So I would rather just make the violation the act of manipulation, as opposed to more protections on what seems to most ordinary people to be non-identifiable information.

PARTICIPANT: I have a related question. For those entities that are engaged in de-identifying information so it can be statistically manipulated without compromising anybody's identity, is there a necessity to retain the key, so law enforcement can have access to the information, or some emergency research process can have access to the information? Or is it more or less appropriate to throw away the key so it can never be retrieved?

DR. FELDBLUM: Good question. I think that there is absolutely no reason to keep the key for issues like law enforcement, public health, research, et cetera. The premise of your question was that you got this identifiable information from somewhere, and then you de-identified it, which means the originating provider -- there is someone else who has that information, so if it is needed for law enforcement, public health, research, et cetera, there is a better entity for them to go to than the folks who did the de-identifying.

The reason why it makes sense to throw away the key is what I said before, in terms of the act of disclosure. You keep it around and then you have a disgruntled employee who is not happy, and all that employee has to do is put together that key and that identifiable database, and you have engaged in an invalid act of disclosure.

DR. HARDING: Other questions from those on the panel or in the room? Hearing none, we greatly appreciate your coming today. It was very helpful, and a good panel this afternoon.

We are going to adjourn the subcommittee. Sorry about those of you who have just come in. We are combining the two sessions into one. We will start again though in the morning at 9 o'clock, when we will start on pharmacy benefit management companies and the policies thereof.

So with that, I move we adjourn. We are adjourned until tomorrow morning at 9 o'clock. Thank you very much.

(The meeting adjourned at 3:15 p.m., to reconvene Thursday, May 20, 1999 at 9:00 a.m.)