Statement by Carolyn Clancy
Before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Health
June 4, 2008
Chairman Pallone, Ranking Member Deal, and Members of the
Subcommittee, thank you for inviting us here today to present the
Administration's views on draft health information technology legislation. I
am Dr. Carolyn Clancy, Director, Agency for Health Care Research and Quality
(AHRQ) and I have with me today Ms. Sue McAndrew, Deputy Director for Health
Information Privacy, HHS Office of Civil Rights. Additionally, I will be
speaking on behalf of the Office of the National Coordinator for Health IT.
Dr. Kolodner is currently attending a scheduled meeting of the American Health
Information Community successor stakeholders. As you know, efforts to ensure
availability of interoperable health information technology (health IT) are one
of the Secretary's highest priorities. We appreciate your dedication to health
IT and share your commitment to this important issue.
Efforts To Date
Office of the National Coordinator for Health
IT (ONC)
On April 27, 2004, the President
signed Executive Order 13335 supporting the promotion of health IT to improve
efficiency, reduce medical errors, improve quality of care, and provide better
information for patients and physicians. The President also called for most
Americans to have access to secure, interoperable electronic health records
(EHRs) by 2014 so that health information will follow patients throughout their
care in a seamless and secure manner. As part of this, the President directed
HHS to establish the position of the National Coordinator for Health Information
Technology.
In further support of this goal, on
August 22, 2006, the President issued Executive Order 13410 to ensure that Federal
agencies that administer or sponsor Federal health care programs (as defined by
the Order) promote quality and efficient delivery of health care through the
use of interoperable health IT, transparency regarding health care quality and
price, and better incentives for program beneficiaries, enrollees, and
providers. Executive Order 13410 directs that "as each agency implements,
acquires, or upgrades health information technology systems used for the direct
exchange of health information between agencies and with non-Federal entities,
it shall utilize, where available, health information technology systems and
products that meet recognized interoperability standards."
ONC has helped lead in a
number of key areas. As part of this, yesterday, ONC released the Federal Health IT
Strategic Plan. This 5-year Federal strategic plan is necessary to achieve the
nationwide implementation of a health IT infrastructure.
American Health Information Community
(AHIC)
The development of common standards,
and a process to certify products and services as meeting those standards, is a
key priority. Secretary
Leavitt chartered the American Health Information Community (AHIC) as a Federal
Advisory Committee to make recommendations on how to accelerate the development
and adoption of interoperable health IT. The AHIC has provided the venue to make
recommendations to the Secretary on priorities and has advanced other
meaningful recommendations to realize the adoption of health IT.
Health-related priorities recommended by the AHIC enable the identification of
health IT standards by the Healthcare IT Standards Panel (HITSP) and
certification of health IT products by the Certification Commission for
Healthcare IT (CCHIT)
While HHS and the Federal Government
play pivotal roles in the health care system and in its forward progress,
public and private stakeholders must also be aligned to rapidly and effectively
achieve this interoperability. Therefore, the AHIC and HHS have had ongoing
discussions regarding the best possible successor to the AHIC, including discussions
of the successor entity's role, funding, and governance structure. It is envisioned that the AHIC
successor will be an independent and sustainable organization that will bring
together the best attributes and resources of public and private entities, a
public-private partnership. Such an entity must be a neutral, independent
body that is not controlled by, formed by, or required to report to any branch
of government.
LMI Government Consulting, assisted
by The Engelberg Center for Health Care Reform at the Brookings Institution and
working under a cooperative agreement with the HHS, is convening stakeholders
to create a nationwide focal point for health information interoperability as a
public-private partnership. The goal is an orderly transition that will
accelerate nationwide initiatives aimed at using information technology to
enable improvements in the quality and efficiency of health care in the United States. In fact, the third
AHIC Successor meeting is taking place today from 9 a.m. to 12 noon. During this meeting, recommendations
from the Planning Groups for the AHIC Successor will be announced.
Standards & Certification
In fall 2005, HHS worked with the
American National Standards Institute (ANSI) to form a public-private
collaborative, known as the Healthcare Information Technology Standards Panel
(HITSP), to harmonize existing health IT standards and to identify and
establish standards to fill any gaps in those existing standards. Experts from
approximately 500 health care related organizations participate in HITSP and engage
in a consensus-based process to harmonize relevant standards in the health care
industry and to ensure that there is detailed guidance on how the standards
need to be used. This process enables and advances interoperability of health
care applications and helps ensure that health data supporting the delivery of
care will be accurate, exchangeable, private, and secure.
We have now identified many of the
most important standards that need to be used for interoperable electronic
health records (EHRs) and personal health records. To date, the Secretary has
recognized 52 harmonized standards, and he will recognize 60 new harmonized
standards in January 2009. Under Executive Order 13410, Federal agencies that
administer or sponsor a Federal health care program (as defined in the
Executive Order) are expected to utilize, where available, the health
information technology systems and products that meet recognized
interoperability when they implement, acquire, or upgrade health IT systems for
the direct exchange of health information between agencies and with non-Federal
entities. Those agencies are also expected to require health information
technology systems and products that meet recognized interoperability standards
in contracts or agreements with health care providers, health plans, or health
insurance issuers that as each provider, plan, or issuer implements, acquires,
or upgrades health information technology systems, it utilizes, where
available.
In the private sector, the
Certification Commission for Healthcare Information Technology (CCHIT) will be
certifying products that use recognized standards during its next cycle which begins
this July.
Providers and consumers must have
confidence that the electronic health information products and systems they use
can perform a set of well-defined functions, are secure, can maintain data
confidentiality as directed by patients and consumers, and can work with other
systems to share information. CCHIT currently certifies both ambulatory and
inpatient EHRs, and has also begun developing certification processes for health
information networks and specific components of PHRs. Through its
public-private process, CCHIT develops specific certification criteria for
health IT systems and then rigorously evaluates them to determine that they
truly meet criteria for functionality, security, and interoperability. After
just 2 years, over 150 EHR products have been certified. These certified
products now include over one third of the enterprise EHRs and, adjusting for
market share, over 75 percent of the ambulatory EHRs being sold in the United States today.
Nationwide Health Information Network
To support the goal of an
interoperable network, there are presently 16 separate trial implementations of
the Nationwide Health Information Network (NHIN) Cooperative. The NHIN Cooperative
involves public and private health information exchange organizations across
the country that can move health-related data among entities within a State,
region, or non-geographic participant group. The NHIN is a "network of
networks." Our goal is to eliminate all of the obstacles to advancing the NHIN
into a production-ready state by the end of this calendar year. To do so, the
NHIN will need to demonstrate technical readiness with on-site, interoperable,
and secure health information exchange based on common specifications. Four
core services will be included:
- Delivery of data, including a summary patient record,
across the involved health information exchanges.
- The ability to look up and retrieve data across the
exchanges from EHRs and PHRs.
- The ability for consumers to express preferences about
whether and how they will allow the electronic exchange of their data
- Supporting the delivery of data for our Nation's health
uses, such as public health and emergency response.
Collaboration With NIST
In order to achieve interoperability
and allow health care organizations to securely connect to each other, there
must be rigorous testing of detailed data and technical standards. This testing
requires testing tools and expertise that ensure that each participating
organization and software system is exactly meeting these standards. Toward
this goal, the ONC has been working with the National Institute of Standards
and Technology (NIST) to advance testing architecture nationally. This work
involves developing conformance testing capabilities and the use of testing to
ensure that standards are adequate, that the standards are properly implemented
in systems and, as a result, that the systems can interoperate. NIST has helped
with the HITSP harmonization process and with CCHIT's initiation of conformance
testing capabilities. NIST is also helping with the rigorous testing activities
necessary to support the NHIN and have a secure, interoperable network of
networks operating on top of the public Internet.
Privacy
HHS recognizes that there are
important issues relating to the protection of information in an electronic
health information exchange environment. Maintaining the privacy and security
of information shared through the electronic exchange of health information is
paramount. We believe that the use of health IT in accordance with appropriate
polices can protect private information more successfully than can be done
with paper records, can make it easier for individuals and their doctors to
access and share health information, and can improve care coordination. Just as
it was a core value underpinning the enactment of HIPAA in 1996, so too today,
privacy is critical to the success of our new nationwide, interoperable health
IT vision.
The Standards for Privacy of
Individually Identifiable Health Information—better known as the HIPAA
Privacy Rule have been in operation for the past 5 years, and have proven their
workability and adaptability for the broad range of health plans and health
care providers charged with keeping health information secure and
confidential. HHS' Office for Civil Rights (OCR) has a solid record of
enforcement of these standards, having brought about significant and systemic
improvements in compliance by over 6,100 covered entities as a result of its
investigations and the voluntary compliance efforts of the entities.
The Privacy Rule is carefully
balanced to ensure strong privacy protections without impeding the flow of
information necessary to provide access to quality health care. To that end,
the Rule permits covered entities to share protected health information for
core purposes—to treat the individual, to obtain payment for the health care
service provided, and for health care operations—without obtaining the
individual's prior authorization. The Privacy Rule also permits other uses and
disclosures of protected health information without an individual's
authorization, including those disclosures necessary for a limited number of
public interest disclosures, such as for public health purposes. Additionally,
of course, the individual may authorize in writing any other use or disclosure
of protected health information, and must do so before a covered entity may use
or disclose such information to market the goods or services of another to the
individual. These protections apply to protected health information whether in
paper or electronic form, and thus have proven effective in protecting
information in electronic health record systems in existence today.
The HIPAA Privacy and Security Rules also
will serve as an effective baseline of protections as we begin to transform health
care through the use of health IT and the electronic exchange of information
through secure, interoperable, interconnected networks. A privacy and security
framework for the exchange of electronic health information built on the
foundation of HIPAA, permits us to explore the enormous potential of health IT to
bring new opportunities for consumer participation in and choices about their
own healthcare, while effectively identifying and addressing new risks to
privacy and new opportunities to secure health information. Together with
public input through several advisory bodies, the Department is actively examining
these issues. For example, health IT can make it easier and faster to
effectuate the individual's rights under HIPAA to access and get a copy of
their medical record, to have that record amended if it is incomplete or
incorrect, and to know about certain disclosures of their information. We are
equally concerned with the potential risks to privacy as a result of the easier
flow of information through health IT. As the roles of vendors and service
providers in the NHIN evolves, we will need to ensure that a privacy and
security framework guides their responsibilities and obligations to consumers,
without unduly restraining the development or adoption of health IT.
Linking Quality and Health IT
The intersection between research and
the application of how new knowledge is applied to improve care is the Agency
for Healthcare Research and Quality's (AHRQ's) unique contribution to the
health IT enterprise. Accordingly, the AHRQ Health IT
program explicitly researches how health IT tools can improve the quality of
health care, while ONC focuses on advancing the adoption and interoperability of
health IT.
Since 2004, AHRQ has invested $260
million to support and stimulate investment in health IT. This translates to
almost 200 projects in 48 States, many of which projects have been focused
toward rural and underserved populations.
AHRQ-funded projects cover a broad
range of health IT tools and systems, including electronic health records, personal
health records (a term that specifically denotes health information collected
by and under the control of the patient), health information exchange,
electronic prescribing, privacy and security, clinical decision support,
quality measurement, patient-centered care, provider workflow, and Medicaid
technical assistance.
AHRQ created the publicly available, online National
Resource Center for Health IT (the Resource Center) to disseminate
research findings, lessons learned, and case studies on the implementation and
impact of AHRQ-funded health IT projects. The Resource Center leverages our
investments in health IT by offering help where it is needed—real world
clinical settings that may feel ill equipped to meet the implementation
challenge—facilitating expert and peer-to-peer collaborative learning and
fostering the growth of online communities who are planning, implementing, and
researching health IT.
AHRQ collaborates with ONC and others
to ensure that our investments are closely aligned and concentrate specifically
on the use of health IT to improve safety and quality in diverse health care
settings.
To ensure that we harness the power
that health IT has to offer, we need to develop an evidence-based strategy to
help clinicians and health care leaders decide which health IT innovations
should be adopted and how they should be implemented to maximize value—both to
clinicians and patients today and to the public health and research
enterprises.
HHS Views of Discussion Draft Health it Bill
We appreciate the opportunity to
provide initial comments on the discussion draft. We have been working with the
Committee staff on the discussion draft and providing technical assistance.
For purposes of this testimony, we will therefore take this important
opportunity to discuss only the high-level issues we have with the proposed
discussion draft.
Proposed Health IT Federal Advisory Committees (FACA)
The discussion draft would establish in
statute two separate Federal advisory committees—an HIT Policy Committee and an
HIT Standards Committee. We have significant concerns about freezing a
particular set of structures in statute. In 2005, Secretary Leavitt chartered
the American Health Information Community (AHIC) as a Federal Advisory
Committee to make recommendations on how to accelerate the development and
adoption of interoperable health IT. For nearly a year, the AHIC
and HHS have had ongoing discussions regarding the best possible successor to
the AHIC, including discussions about its role, funding, and governance
structure. It is
envisioned that the AHIC successor will be an independent and sustainable
organization that will bring together the best attributes and resources of
public and private entities, a public-private partnership. Such an entity
must be a neutral, independent body that is not controlled by, formed by, or
required to report to any branch of government in order to assure independence
and continue to build on progress to date.
The creation of new advisory
committees under this bill would significantly interfere with the progress made
in establishing an AHIC successor thus far. This approach would preempt
and discount the significant efforts made by stakeholders to establish the AHIC
successor, and impede efforts to foster the adoption of health information
technologies and standards and realize an interoperable nationwide health
information system.
Additionally, the proposed advisory
committees' membership would be determined through a political appointment
process. We are concerned that the membership of these FACAs would politicize
the successful collaborative advisory work ongoing through AHIC and the
collaborative work going on through the current conveners of the AHIC Successor
and would create barriers to rapid progress. Additionally maintaining two
organizations could prove duplicative and costly.
Accordingly, we encourage the
Committee to strike proposed sections 3002 and 3003 and allow the current
public-private collaborative process already under way to proceed.
Proposed Process to Develop and Recommend Standards,
Implementation Specifications, and Certification Criteria
The discussion draft proposed to
establish a FACA advisory committee known as the HIT Standards Committee, to recommend
standards, implementation specifications, and certification criteria to ONC for
endorsement. Upon ONC endorsement, the recommendations would be sent forward
to the Secretary for adoption through a Federal rulemaking process.
The adoption of health IT standards,
implementation specifications, and certification criteria through the use of
rulemaking should be avoided. We have seen from prior statutory requirements
that it significantly delays the applicability and use of new and improved
standards.
Proposed Privacy and Security Provisions
Business Associate Provisions
The Discussion Draft has three separate
provisions relating to Business Associates. Section 316 would state that organizations
that require access to protected health information and transmit it to a
covered entity, such as Health Information Exchanges, Regional Health
Information Organizations (RHIO), and those involved in e-prescribing, must be
treated as business associates for purposes of section 311. Section 311, in
turn, would limit the use or disclosure of protected health information by a
business associate to the purposes specified in the contract with the covered
entity and would subject the business associate to civil and criminal penalties
under HIPAA for violation of such contract terms. Similarly, section 301 would
apply administrative, physical, and technical security standards to business
associates and would also apply the HIPAA civil and criminal sanctions to a
business associate for violations of these standards.
Under current law, only covered
entities are subject to liability for violations of the HIPAA Privacy and Security
standards. Business associates, because they are not covered entities, are
therefore not liable for violations, though the covered entities themselves
may, in some circumstances, be liable for the violations by their business
associates. Under the Discussion Draft, RHIOs, Health Information Exchanges (HIE),
and similar organizations, would still not become covered entities under HIPAA,
but they would become liable for HIPAA civil and criminal penalties for using
or disclosing protected information in a manner contrary to the terms of their
business associate agreements with covered entities. While this is one
approach to address gaps in the current coverage of HIPAA, the provision would not
result in evenhanded treatment, as other entities, such as PHR vendors, are not
encompassed in this solution.
Moreover, in extending liability to
business associates, the Discussion Draft would sweep all business associates
under this same provision, making them all liable for contract violations. The
potential exposure to criminal and civil liability may chill many from becoming
business associates or may raise the cost of doing business in this manner.
Many business associates (for example, interpreters) that help consumers and
others, such as transcription services or accreditation services, are essential
for routine business operations.
Proposed Grants and Loans
Section 3011 of the discussion draft would
provide for competitive grants and loans to facilitate the adoption of
qualified health IT. The Administration does not believe that grants (or
grant-supported State loan programs) are the most efficient manner to stimulate
the widespread adoption of health IT; it believes the most appropriate and
efficient ways to achieve widespread use of health IT are through market
forces, rather than through direct subsidization of health IT purchases. In
August 2006, the Centers for Medicare & Medicaid Services (CMS) and the
Office of the Inspector General (OIG) promulgated two final rules with an
exception to the physician self-referral prohibition and a safe harbor under
the anti-kickback statute, respectively, for certain arrangements involving the
donation of interoperable EHR technology to physicians and other health care
practitioners or entities from businesses with whom they work. The exception
and safe harbor have made it possible for physicians and other health care
practitioners or entities to obtain EHR software or information technology and
training at substantially lower prices, up to 85 percent below the market
costs.
Other Comments on the Discussion Draft
The discussion draft codifies the Office of the National
Coordinator for Health IT. The Administration does not support statutorily
establishing individual offices, which can limit needed flexibility to adjust
duties and responsibilities as time requires.
The Administration continues to review this bill and
anticipates having additional comments and questions about its impact and
certain provisions. As part of this, we are carefully reviewing sections 111
and 112 to assess and understand their potential impact on Federal programs,
including Medicare, and the private sector. We also are carefully reviewing
sections 302 and 315, regarding notification of breach of privacy, and section
312, to assess its impact on adoption of health IT.
Conclusion
The Administration shares the goals of the Committee with
respect to health IT and looks forward to continuing work with you to improve
the quality of our Nation's health care through its use. We hope to continue
our work with the Committee as we move forward to address these concerns.
Current as of June 2008
Internet Citation:
Health Information Technology (Health IT): Programs and Progress. Statement by Carolyn Clancy Before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Health, June 4, 2008. Agency for Healthcare Research and Quality, Rockville, MD. http://www.ahrq.gov/news/test060408.htm