[Senate Hearing 107-]
[From the U.S. Government Publishing Office]


                                                            S Hrg 107-421
 
                      OVERSIGHT ON MEDICAL PRIVACY
=======================================================================

                                HEARING

                               BEFORE THE

                    COMMITTEE ON HEALTH, EDUCATION,
                          LABOR, AND PENSIONS
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                                   ON



EXAMINING MEDICAL PRIVACY ISSUES, FOCUSING ON THE STANDARDS FOR PRIVACY 
OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (PRIVATE RULE), AND THE 
 PROPOSED MODIFICATION TO THOSE STANDARDS, PUBLISHED BY THE DEPARTMENT 
                      OF HEALTH AND HUMAN SERVICES

                               __________

                             APRIL 16, 2002

                               __________

 Printed for the use of the Committee on Health, Education, Labor, and 
                                Pensions






                           U.S. GOVERNMENT PRINTING OFFICE
78-950                            WASHINGTON : 2003






          COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS

               EDWARD M. KENNEDY, Massachusetts, Chairman
CHRISTOPHER J. DODD, Connecticut     JUDD GREGG, New Hampshire
TOM HARKIN, Iowa                     BILL FRIST, Tennessee
BARBARA A. MIKULSKI, Maryland        MICHAEL B. ENZI, Wyoming
JAMES M. JEFFORDS (I), Vermont       TIM HUTCHINSON, Arkansas
JEFF BINGAMAN, New Mexico            JOHN W. WARNER, Virginia
PAUL D. WELLSTONE, Minnesota         CHRISTOPHER S. BOND, Missouri
PATTY MURRAY, Washington             PAT ROBERTS, Kansas
JACK REED, Rhode Island              SUSAN M. COLLINS, Maine
JOHN EDWARDS, North Carolina         JEFF SESSIONS, Alabama
HILLARY RODHAM CLINTON, New York     MIKE DeWINE, Ohio
           J. Michael Myers, Staff Director and Chief Counsel
             Townsend Lange McNitt, Minority Staff Director







                            C O N T E N T S

                              ----------                              

                               STATEMENTS

                        Tuesday, April 16, 2002

Kennedy, Hon. Edward M., Chairman, Committee on Health, 
  Education, Labor, and Pensions, opening statement
Gregg, Hon. Judd, a U.S. Senator from the State of New Hampshire, 
  opening statement
Dodd, Hon. Christopher J., a U.S. Senator from the State of 
  Connecticut, opening statement
Harkin, Hon. Tom, a U.S. Senator from the State of Iowa, prepared 
  statement
Frist, Hon. Bill, a U.S. Senator from the State of Tennessee, 
  opening statement
Reed, Hon. Jack, a U.S. Senator from the State of Rhode Island, 
  opening statement
Warner, Hon. John W., a U.S. Senator from the State of Virginia, 
  opening statement
Murray, Hon. Patty, a U.S. Senator from the State of Washington, 
  opening statement
Enzi, Hon. Michael B., a U.S. Senator from the State of Wyoming, 
  opening statement
Allen, Claude, Deputy Secretary, Department of Health and Human 
  Services, prepared statement
Karp, Sam, Chief Information Officer, California Healthcare 
  Foundation, prepared statement
DeWine, Hon. Mike, a U.S. Senator from the State of Ohio, opening 
  statement
Goldman, Janlori, Director, Health Privacy Project, Georgetown 
  University, prepared statement
Harding, Richard, M.D., President, American Psychiatric 
  Association, prepared statement
Clough, John C., M.D., Director, Health Affairs, Cleveland Clinic 
  Foundation, prepared statement

                          ADDITIONAL MATERIAL

Articles, publications, letters, etc.:
    Letters signed by physician groups and a consumer 
      organization
    Questions of Senator Murray for Panel I
    American Hospital Association
    The Alliance of Medical Societies
    Blevins, Sue A., President, Institute for Health Freedom


                      OVERSIGHT ON MEDICAL PRIVACY

                              ----------                              


                        TUESDAY, APRIL 16, 2002

                              United States Senate,
       Committee on Health, Education, Labor, and Pensions,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 10:05 a.m. in 
Room 206, Hart Senate Office Building, Hon. Edward M. Kennedy 
(chairman of the committee) presiding.
    Present: Senators Kennedy, Dodd, Wellstone, Murray, Reed, 
Clinton, Gregg, Frist, Enzi, Warner, and DeWine.

  OPENING STATEMENT OF HON. EDWARD M. KENNEDY, A U.S. SENATOR 
                FROM THE STATE OF MASSACHUSETTS

    The Chairman. We will come to order. I am pleased to hold 
this very important hearing on what is happening with patients' 
medical records. The blessing of high technology can also be a 
curse to personal privacy. With the click of a mouse our most 
personal information can be launched into cyberspace for 
millions to see. If we do not take steps forward to protect 
privacy in the information age, our most personal information 
will be available to every employer, every health insurance 
company, and every high-tech peeping Tom in America.
    This is not only unfair to patients; it is bad for their 
health. A recent study found that one out of every six patients 
withdraws from full participation in their own health care 
because they worry their medical information will be used.
    We have worked hard to strengthen privacy protection for 
America's patients. In the Health Insurance Portability and 
Accountability Act of 1996 we said privacy protections were so 
important that if Congress did not pass legislation to 
strengthen privacy the administration should put in place real 
protections. The Clinton administration did just that when it 
adopted a comprehensive set of protections to give all 
Americans control of their private medical records. However, 
the new rule recently proposed by the Bush administration would 
rescind these protections and would make private medical 
records an open book.
    This is a serious step backwards. Each time patients see a 
doctor or fill out a prescription they are at greater risk that 
their most personal medical information will be available to 
prying eyes. The administration has proposed new rules that say 
health providers do not have to get consent to determine how 
your medical records are used. Requiring consent assures that 
the patient plays a role in how their health information is 
used. It is the only real way to assure that patients and only 
patients control sensitive information. It restores faith in 
the health care system.
    Of course, certain narrow and common sense exceptions are 
needed. For example, your personal physician should be allowed 
to phone in your prescription to your pharmacist. There is no 
reason that you should have to make a separate trip to the 
hospital before surgery just to consent. We can address these 
practical challenges without undermining the core protections 
in privacy.
    The Bush administration's proposals say patients simply 
have to be notified, not asked, about what is going to happen 
with their medical information. We should not throw the baby 
out with the bathwater. All Americans should be assured that 
their personal medical information is theirs and theirs alone.
    The administration's plan also provides for a new back-door 
loophole that allows companies to use private medical records 
to market their products. This means, for example, that 
patients seeking treatment for mental illness would have that 
information shared with companies selling anti-depressants and 
other therapies. Those companies would be free to send open 
mailings to your work or to your home. The administration 
claims the new regulation grants new protections against abuse. 
They argue that a new authorization is required before a health 
provider or business can market to a patient. But the same 
proposal allows doctors and pharmacists to provide, without 
permission, the health information of their patients to 
businesses that will try to sell them new drugs, therapies, 
nursing home placements, and other care. This loophole is a 
telemarketer's dream and a patient's nightmare and it must be 
closed.
    I look forward to working with my colleagues on legislation 
to assure Americans that their medical records will be kept 
private and I welcome our distinguished witnesses to today's 
hearing.
    Senator Gregg.

 OPENING STATEMENT OF HON. JUDD GREGG, A U.S. SENATOR FROM THE 
                     STATE OF NEW HAMPSHIRE

    Senator Gregg. Thank you, Mr. Chairman.
    Medical privacy is an issue that affects every American, 
and yet prior to the passage of HIPAA in 1996, there was no 
Federal structure or law in place that would ensure that our 
medical information remains private. HHS has been working for 
several years to develop comprehensive rules that govern the 
use and disclosure of protected health information. This is no 
easy task, given the complexity and fragmentation of our health 
care system, including the fact that our private health care 
insurance system is employment-based and dependent upon a 
system of third party payers.
    I would like to commend the administration for proposing 
significant improvements to the rules. These changes provide 
important clarifications that will aid in implementation and 
compliance. Moreover, these changes will prevent the 
unnecessary and harmful disruption of a patient's care that 
would have occurred under the existing rules, a very important 
point.
    Although the proposed rule would clarify or improve several 
different provisions, the most important proposed modification 
pertains to the consent and notice requirements on direct 
treatment providers. Under the existing rules, a patient would 
have to give prior written notice, prior written notice, to 
each and every provider that the patient sees or even schedules 
an appointment with. Not only would this requirement disrupt 
and delay care but the protection it would have provided is 
merely illusory because a provider could withhold care if the 
patient does not provide the consent.
    There are numerous examples of how, if unchanged, this 
requirement will harm or delay patient care. For instance, a 
patient referred to a specialist by his or her physician may 
not even be able to schedule an appointment without first going 
to the specialist's office and completing a form. Because only 
patients can give consent, a sick or elderly person could not 
have a friend or a family member pick up their prescription 
unless they first go and sign a consent form with the pharmacy, 
resulting in serious delays in starting medication.
    Ordinary physician practices, such as arranging out-patient 
surgery or calling in prescriptions, would be in jeopardy. One 
hospital stay might result in a sick patient having to fill out 
multiple new forms, new consent forms, in addition to all the 
forms already required for treatment--one for the hospital, one 
for each nurse, one for each doctor, one for each medical 
technician that the patient sees under this proposal.
    There are numerous examples of disruption in patient care 
that would occur as a result of the prior consent requirement, 
and there are likely many more that have not been contemplated. 
Thus, the suggestion to keep this requirement in place but 
create exceptions for all the various situations in which prior 
consent would disrupt care is simply unworkable.
    By changing this provision we avoid a consumer backlash of 
major proportions. While consumers rightly seek the strongest 
possible privacy protection, they have little tolerance for 
bureaucracies and hoops that make it even more difficult to 
navigate our complex health care system, especially if the 
additional bureaucracy does not provide meaningful protection 
or enhance the quality of care.
    Consumers and physicians support the changes in the consent 
requirement, and this is an important point. A letter dated 
April 10 from a broad range of physician groups, including the 
American Academy of Family Physicians, the American College of 
Obstetricians and Gynecologists, and the American Medical Group 
Association, strongly supports the administration's proposed 
changes in the consent requirements. These organizations 
represent over 400,000 physicians.
    In an earlier letter dated December 20, 2001, the National 
Partnership for Women and Families Consumer Organization and 
United Health Care co-signed a letter to Secretary Thompson 
raising serious concerns that the existing consent provisions 
will seriously jeopardize quality of care. I would like to 
submit all those letters for the record.
    Senator Dodd. [presiding]. Without objection, so ordered.
    [The letters follow.]

                                                     April 10, 2002
The Honorable Edward M. Kennedy,
Chairman, Health, Education, Labor and Pensions Committee,
Washington, DC.
    Dear Chairman Kennedy: The Department of Health and Human Services 
(HHS) recently issued proposed changes to the medical privacy rule 
``Standards for Privacy of Individually Identifiable Health 
Information.'' The undersigned national health and medical 
organizations and specialty societies strongly support the proposed 
rule's approach in making prior consent discretionary. Unfortunately, 
various press articles and commentary have seemed to suggest that 
physicians do not support the proposed change. It is important for 
Members of Congress to know that many physician and provider 
organizations do support the proposed modification to make prior 
consent discretionary rather than mandatory.
    Physicians and practitioners strongly support meaningful Federal 
privacy protections for patients' medical information. Under the 
proposed rule, covered entities would not be required to obtain written 
consent from patients before using or disclosing protected health 
information for such routine purposes as treatment, payment, and health 
care operations. However, unlike the proposed regulation issued under 
the Clinton Administration, covered entities would not be prohibited 
from obtaining written consent if they choose. We believe this approach 
strikes the proper balance of protecting the rights and autonomy of 
patients, while removing unnecessary barriers that interfere with 
patient care and the efficient delivery of health care.
    It is important to note that eliminating the prior consent 
requirement does not detrimentally affect patients' privacy rights in 
any meaningful fashion. Even privacy advocates called the consent 
requirement meaningless because the regulation permitted providers to 
deny treatment to individuals who refused to sign the consent form. 
Furthermore, we believe that the written notice requirement is the true 
backbone behind patients' privacy rights. The written notice, not the 
consent form, is the means by which patients are informed of their 
rights under the regulation and how and to whom their medical 
information may be used or disclosed. The proposed rule actually 
strengthens the notice requirement, which we fully support.
    Not only would the prior consent requirement add yet another 
mandatory form to the already unmanageable paperwork burden that 
physicians and practitioners face on a daily basis, it could pose 
serious problems for patient care. HHS outlined many of the potential 
problems in the proposed rule.
    The prior consent requirement could confuse patients and increase 
patient waiting times. Physicians and practitioners would be prohibited 
from treating patients or providing other services for them, until the 
form is actually signed. For example, physicians who have privileges at 
a number of hospitals would need either to establish multiple organized 
health care arrangements or ask each patient in the hospital to sign a 
physician consent form in addition to the consent form provided for the 
hospital. If a patient were required to sign multiple consent forms to 
receive care at a hospital, this would hinder and delay patient care.
    Additionally, the prior consent requirement would potentially 
interfere with the ability of physicians and practitioners to continue 
many daily practices such as referring patients for treatment, 
arranging outpatient surgery, and calling-in prescriptions. 
Furthermore, physicians and practitioners might not be able to use 
patients' information to send important reminders regarding patient 
treatment (i.e., child immunization and mammography reminders).
    HHS faced the difficult challenge of protecting patients' privacy 
rights, while at the same time removing unnecessary barriers that 
interfere with patient care and the delivery of health care. We 
strongly believe that HHS met this challenge in the proposed rule, and 
we oppose any efforts to change it.
    Sincerely, American Academy of Dermatology Association; American 
Academy of Family Physicians; American Academy of Nurse Practitioners; 
American Academy of Physician Assistants; American Association of 
Neurological Surgeons/Congress of Neurological Surgeons; American 
Association of Orthopaedic Surgeons; American College of Cardiology; 
American College of Nurse-Midwives; American College of Obstetricians 
and Gynecologists; American Medical Group Association; American 
Podiatric Medical Association; American Society of Cataract and 
Refractive Surgery; American Urological Association; Medical Group 
Management Association
                                 ______
                                 
                                                     April 12, 2002
    Dear Member of Congress: As you may know, the Department of Health 
and Human Services (HHS) recently issued a Notice of Proposed 
Rulemaking (NPRM) proposing modifications to the final privacy rule. 
The undersigned organizations are writing to let you know of our strong 
support for the proposed modification in the NPRM giving health care 
providers the option of obtaining the prior consent of patients to use 
or disclose identifiable health information for treatment, payment and 
healthcare operations. The Department's proposal to make obtaining 
consent optional for providers strikes a workable compromise between 
the original proposed regulation from 1999 that prohibited providers 
from obtaining written consent and the final regulation from 2000 which 
mandated it.
    We strongly support meaningful Federal privacy protections for 
patients' medical records. An essential part of that commitment is 
ensuring that patients understand their rights and how their medical 
information will be used. However, adding yet another mandatory form to 
the burden that physicians, practitioners, pharmacists, hospitals and 
other health care providers already face on a daily basis does not 
effectively achieve the balance of providing privacy protections and 
assuring timely, efficient access to health care. We support the 
Department's proposed modification to make consent optional.
    The NPRM documented numerous disruptions and delays in receiving 
medical care that patients--particularly the elderly and those in rural 
areas--would face if the mandatory prior written consent requirement 
were not modified to make it optional for health care providers. For 
example, patients could experience significant delays in obtaining 
prescriptions because pharmacists could not fill the prescription until 
the patient were present to sign the consent. Friends and family 
picking up prescriptions for a sick individual would not have legal 
authority to sign the consent, and thus could not pick up the 
prescription.
    The NPRM described how patients referred to a hospital for 
outpatient surgery might have to make an extra trip to sign a consent 
form because the hospital could not use information about the patient 
to schedule and prepare for surgery. Nurses who staff telephone centers 
that provide health care assessment and advice, but never see patients, 
would be unable to counsel patients because they would be prohibited 
from using identifiable information for treatment and would be unable 
to obtain prior written consent. The NPRM also cites emergency medical 
providers who were concerned that even if a situation was urgent that 
they would have to try to obtain consent, even if inconsistent with 
best medical practices. There were also troubling questions about 
whether physicians who had privileges at several hospitals would have 
to obtain separate consent from patients at those facilities, even if 
patients had already signed consents for the hospital.
    These are just some examples of the potentially serious 
consequences of the mandatory prior written consent requirement. The 
Department wisely chose to correct the underlying problem with the 
proposed provision to make consent optional, rather than trying to 
address each adverse consequence of a mandatory consent requirement as 
it presented itself.
    Sincerely, ACA International; Academy of Managed Care Pharmacy; 
Advance PCS; Advanced Medical Technology Association (AdvaMed); Aetna 
Inc.; American Academy of Dermatology Association; American Academy of 
Family Physicians; American Academy of Physician Assistants; American 
Association of Health Plans; American Association of Neurological 
Surgeons/Congress of Neurological Surgeons; American Association of 
Orthopaedic Surgeons; American Benefits Council; American Clinical 
Laboratory Association; American College of Nurse-Midwives; American 
Health Care Association; American Managed Behavioral Healthcare 
Association; American Medical Group Association; American 
Pharmaceutical Association; American Society of Cataract and Refractive 
Surgery; American Society of Consultant Pharmacists; Association of 
American Medical Colleges; Biotechnology Industry Organization (BIO); 
Blue Cross and Blue Shield Association; Cardinal Health; Cleveland 
Clinic Foundation; The ERISA Industry Committee; Express Scripts; 
Federation of American Hospitals; Food Marketing Institute; Genzyme 
Corporation; GlaxoSmithKline; Health Insurance Association of America; 
Healthcare Leadership Council; Intermountain Health Care; Kaiser 
Permanente; Lahey Clinic; Marshfield Clinic; Mayo Foundation; Medical 
Group Management Association; Merck-Medco; National Association of 
Chain Drug Stores; National Association of Health Underwriters; 
National Association of Manufacturers; National Retail Federation; 
Pharmaceutical Care Management Association; Premier, Inc.; Quest 
Diagnostics; UnitedHealth Group; US Chamber of Commerce; Vanderbilt 
University Medical Center; VHA Inc.; WellPoint Health Networks
                                 ______
                                 

    Senator Gregg. Some have suggested that the proposed change 
was driven by large corporate medical interests and thus is not 
in the best interest of consumers and patients. This is not the 
case. While nearly every sector of the health care system 
supports the proposed changes, the modifications in the consent 
requirement only apply, only apply, and this is an important 
point, to direct care providers.
    Moreover, the proposed rule does not affect the 
requirements governing use and disclosure of protected health 
information. Authorization would still be required for any 
other use of the protected health information.
    The proposed change to the consent requirement strikes the 
right balance. The original rule issued by the Clinton 
administration would have actually prohibited prior consent. I 
think that is an important point we have to stress here. 
President Clinton originally proposed that there would be no 
prior consent. And that change, the reason they changed it then 
was because the American Medical Association, allegedly on 
behalf of its constituency, and I cannot believe it, but that 
is the allegation, wanted the prior consent to be in place. I 
am tempted, quite honestly, very much tempted to say if the 
American Medical Association wants prior consent, we will give 
it to them, just for them, but we have not heard from the 
American Medical Association recently on this point and maybe 
their position has been modified.
    Many providers objected to the ban on prior consent and 
rightly so. The final Clinton rule would have mandated prior 
consent before any kind of interaction with the health care 
provider. This is far too disruptive. The proposed rule before 
us would not mandate prior consent. Instead, it would require 
providers to give notice of their privacy practices. This would 
allow patients to be fully informed of how their information 
will be used and would allow them to act accordingly. It is 
preferable to the coerced consent provisions contained in the 
existing rule.
    Finally, I would like to thank the administration for other 
proposed modifications of the rule, including the clarification 
to the marketing, parental consent, parental access, business 
associations, and the plan sponsors' enrollment provisions. I 
look forward obviously to hearing from the administration on 
this point. Thank you.
    Senator Dodd. Thank you, Senator.
    Senator Kennedy has temporarily been called away from the 
committee and will return shortly. We will get to Mr. Allen 
briefly but let me make a brief--I am going to ask unanimous 
consent to include the full text of my opening remarks and that 
will apply, by the way, for every member of the committee, 
those who are here and those who have not shown up yet, to 
share their views.

 OPENING STATEMENT OF HON. CHRISTOPHER J. DODD, A U.S. SENATOR 
                 FROM THE STATE OF CONNECTICUT

    Senator Dodd. First of all, let me commend our chairman, 
Senator Kennedy, for convening this hearing on relatively short 
notice but in light of the decisions made just prior to the 
departure of the Congress for the Easter-Passover break when 
the news came out about the change in policy here, we thought 
it was appropriate to try and gather together as quickly as we 
could to express ourselves on this issue.
    I do not know of another issue that provokes as quick or as 
strong a response from the public as the issue of privacy does, 
particularly in light of how the world has changed in the last 
decade. I often tell audiences at home in Connecticut that on 
the day that President Clinton was sworn into office on January 
20, 1993 there were 55 pages on the World Wide Web. To give you 
some idea how the world has changed in a decade, today someone 
suggested I think the number is maybe almost a million pages an 
hour get added to the World Wide Web, or some number like that.
    The point is today the use of the Internet and technology 
to expand information and sources of it, as well as people's 
access to information has grown exponentially and there is a 
growing body of concern within the public about how much 
information people have, what they do with that information, 
and to the extent people are able to pry into the private lives 
and private information.
    We would not allow anyone to come rummaging through our 
house, to go through our waste baskets, to go through our 
medical cabinets and cases. We would not tolerate that, let 
anyone in our homes to do it. In a sense, if you can, in 
effect, do that today by rummaging through people's private, 
most privately held information, then you can begin to get some 
sense of the concerns people have.
    So the ability to control very personal information is an 
issue that is deeply felt by people and it crosses all your 
traditional ideological and political lines. This is as 
strongly held a feeling among Democrats, Republicans, liberals, 
moderates, conservatives as any issue I am aware of, the issue 
of privacy.
    Since 1996 when the Health Insurance Portability and 
Accountability Act was passed many of us here have worked to 
develop legislation to try to protect medical records, and that 
is what we are talking about here today, in a meaningful and 
comprehensive fashion. Unfortunately, we have not yet developed 
a bipartisan legislative response. Senator Richard Shelby, my 
colleague from Alabama, and I chair the Privacy Caucus, 
co-chair it with colleagues in the House and the Senate, to give 
you some idea of the bipartisanship in trying to work on these 
issues.
    But these are complicated questions. None of us are going 
to suggest that dealing with this is a simple matter. We have 
tried ideas in the past and there are always some unintended 
consequences when you deal with this issue, but we have worked 
on it.
    Let me, in response to my friend from New Hampshire, point 
out that the Clinton Administration did, in my view, a 
tremendously admirable job in developing some very important 
privacy protections in the medical area. For the very first 
time patients were given the right to access their own medical 
records. I know that is a radical idea. It is hard to imagine, 
but for a long time you did not have any right to see your own 
information at all and these rights seem so basic, as I said, 
that it is hard to imagine they did not exist before. Imagine 
the frustration of being denied a request to see your own 
medical information or having a telemarketer contact you at 
home based on targeting data derived from those records, and 
that is rather commonplace today. In a very real way, this is a 
personal violation in the minds of many, many Americans.
    The final medical privacy rule was an immense undertaking. 
Upon announcing the regulations in late 2000, the Department of 
HHS received over 50,000 comments from health care providers, 
insurance companies, doctors, and patients across the country. 
The final rule that took effect did so in April of 2001. It was 
not thrown together haphazardly. It was created with an 
understanding of the difficulties and costs associated with its 
implementation. But the determination was made, correctly in my 
mind, that medical privacy should not be compromised.
    Yet now the Bush Administration has announced its intention 
to do exactly that in the views of many of us up here, 
Democrats and Republicans. Their proposals would undermine, in 
our minds, some of the most important protections that we have 
worked to establish over the last 5 years. The administration, 
as we understand it, wants to allow health care providers 
enormous discretion in how they use your medical records, your 
most personal and private information, something that in my 
view you, as a citizen, and you alone should be the one to make 
a decision about.
    The Bush Administration proposes to remove the provision in 
the medical privacy regulations that requires a health care 
provider to obtain a patient's consent in order to share his or 
her records for ``treatment, payment, and other routine health 
care operations,'' and that is a quotation. Those are not my 
words. Instead, they want to make it mandatory for providers to 
inform patients that their records have been shared. This can 
be done before or after the fact, according to the proposal. 
That is very generous. It is like a neighbor calling you to 
tell you that he has read your mail and gone through your 
medicine cabinet, except, of course, in the example, in that 
case you have some legal recourse. Here you would have none.
    The administration claims to be proposing these changes 
because privacy threatens the quality and timeliness of care. 
This, I think, is unacceptable. There should be no trade-off 
between quality, timeliness, and privacy, in my view. All are 
necessary and all are obtainable.
    I understand that there are instances where obtaining prior 
consent is not possible, such as emergency care, phoned-in 
prescriptions to a pharmacy. In those cases the law should 
allow the provider some leeway. But in general, privacy should 
not be compromised. It is not necessary. It is a phony argument 
to suggest it needs to be done. And I believe that we should be 
here trying to protect those rights when at all possible.
    Now let me turn to my colleague from Tennessee, who I know 
has a deep interest in the subject matter, as well, and my 
other colleagues, and then we will get to you, Mr. Allen.
    Let me just say, as well, on the issue here, I understand 
the importance of how sharing information for clinical trials 
and other areas can be tremendously important, but the idea 
that you could do that after the fact or not letting the 
patient know about it, that does not make any sense to me and I 
think any effort to do that is going to find a wall of 
opposition up here in terms of that effort.
    At this time I would like to submit a statement from 
Senator Harkin.
    [The prepared statement of Senator Tom Harkin follows:]

                Prepared Statement of Senator Tom Harkin

    I want to thank Chairman Kennedy for scheduling this 
important hearing.
    As health care practices have evolved over the past several 
years, and technology has allowed for the rapid mass transit of 
information, it has become critical to protect individual 
privacy--especially as it relates to personal medical 
information.
    If we are not strong on the protection, and vigilant on the 
enforcement, we will be putting ourselves and our loved ones at 
risk.
    Wouldn't it be ironic, and certainly tragic, if Americans 
are actually harmed when they go to a medical provider because 
their medical records were inappropriately used or shared?
    Plain and simple, your private medical records should be 
just that--private.
    Time and time again, I've heard from Iowans who are 
concerned about the misuse of their private medical 
information. Sadly, this Administration has failed to listen to 
the voices of the people.
    I have worked hard to pass strong medical privacy 
protections that make clear that a patient's medical records 
are not for sale. Patients must have a `right to know' how 
their medical information is used and they should have the 
right to say 'no' by controlling who has access to this most 
private of information.
    When I talk to the reasonable patients and providers 
throughout Iowa, they all share the same advice. Create a 
system that is not overly burdensome but appropriately protects 
individuals' medical records.
    If there were problems with the existing medical privacy 
regulations, then the Administration should work with the 
Congress and the health care industry to fix those problems.
    But that is not what was done. This reversal by the 
Administration sacrifices patient privacy to the altar of 
special interests.
    Again, I thank the Chairman for scheduling this important 
oversight hearing and I look forward to working with him to 
find a reasonable and manageable solution that above all else, 
protects patients.
    Senator Dodd. With that, Senator Frist?

 OPENING STATEMENT OF HON. BILL FRIST, A U.S. SENATOR FROM THE 
                       STATE OF TENNESSEE

    Senator Frist. Thank you. And I want to thank the chairman 
and Senator Gregg for the opportunity to hold a hearing today 
on an issue that is contentious, as we have seen in some of the 
opening statements, and almost deservedly so because we all 
struggle, really struggle with this balance with information 
that is among the most intimate information known to mankind, 
the information about oneself, one's health, one's past, one's 
physical, one's emotional being, how much that information 
should be shared.
    There are certain advantages of the sharing, there are 
certain necessities of the sharing, but how we can build 
appropriate protections where the ultimate confidentiality, 
which is critical--it is critical to the doctor and the patient 
and that doctor-patient relationship and it is critical to 
delivering the sort of care which really has made American care 
the best in the world.
    But it does boil down to trust, to confidentiality, to 
security, and that much influences openness and how much a 
patient tells a doctor and how much a doctor puts into a 
record. And ultimately other people have to access that 
particular record and it might not be the same doctor. In fact, 
it might not be the same doctor. In fact, in all likelihood, 
given the mobility of society today, it will not be that same 
doctor. Yet to demand the standards that are implied with 
continuity of care and seamlessness, something that we all 
want, we have to have an accurate recording of that doctor-
patient relationship, but in such a way that it is not to be 
abused.
    I have only been involved in this discussion at a policy 
level for the last 7 years, 6 years formally, and that balance 
is tough and we are seeing it play out before our eyes.
    I do appreciate the opportunity for all of us to examine in 
as objective a way as possible the impact on health information 
confidentiality regulations that were initially introduced in 
the shape that we are debating them and talking about them and 
discussing them by the Clinton Administration in the closing 
days, as well as looking at this administration's proposed 
modifications to those rules. I do applaud Secretary Thompson, 
his staff at the Department of Health and Human Services, for 
carefully reviewing these regulations and for proposing 
adjustments that, I believe, will go a long way in safeguarding 
privacy while, at the same time, ensuring that patients 
continue to enjoy access to quality health care.
    Secretary Allen, I appreciate you being here today to 
discuss these proposed modifications in more detail and laying 
them out in such a way that we can further discuss them in the 
following panel.
    The protection of the confidentiality of patient 
information is critical, but we also need to be extremely 
careful in this area so that we do not allow overly, 
unnecessarily restrictive rules that might threaten quality of 
care or the safety of care that patients receive. This, as I 
said a few moments ago, is not an easy balance to achieve.
    We have seen the effect of State legislation in certain 
cases. We will all be pointing to certain anecdotes and certain 
case studies, but we have seen cases where State legislation 
has gone too far. In Maine, for example, legislation requiring 
that patients give consent before identifiable information 
could be used by providers was repealed after only 12 days 
following reports that it interfered with patient access to 
prescription drugs and prevented hospitals from helping clergy 
and family members even locate their loved ones.
    During the past year, as physicians, nurses, scientists and 
consumers have received the Federal regulations proposed by the 
previous administration, it became clear that these rules would 
impose similar barriers to health care access and quality.
    There have been serious concerns raised in other areas, as 
well. Over 140 academic research institutions, medical 
specialty doctors, hospitals and others wrote to the Department 
of Health and Human Services to warn of potential problems 
caused by the original regulations' research provisions. They 
wrote that the rule, if implemented, ``will seriously impair 
our ability to conduct clinical trials, clinico-pathological 
studies of the natural history and therapeutic responsiveness 
of disease, epidemiological and health outcome studies, and 
genetic research.''
    While the administration's notice of proposed rulemaking 
does acknowledge that the rule's deidentification standard 
raises serious concerns, I strongly urge the administration to 
fully address the concerns raised by the research community in 
its final rule.
    Finally, I would strongly encourage the administration to 
carefully review all areas of the rule to make sure that it 
does not unintentionally impede the efforts of our public 
health officials, as well as our private health professionals, 
to respond to bioterrorist threats and attacks. The original 
rule's prohibition on the sharing of aggregate information 
could have made it impossible to effectively track and monitor 
disease outbreaks. I am pleased that some changes have been 
proposed in these areas, but because of the importance to 
quickly respond in these situations, I am hopeful that the 
administration will carefully review the entire regulation 
along these new lines in this new light.
    Again, Mr. Chairman and Senator Gregg, thanks for holding 
the hearing today and I look forward to hearing from our 
witnesses.
    Senator Dodd. Thank you very much, Senator.
    Senator Reed.

 OPENING STATEMENT OF HON. JACK REED, A U.S. SENATOR FROM THE 
                     STATE OF RHODE ISLAND

    Senator Reed. Thank you, Mr. Chairman. Just very briefly, 
thank you, Secretary Allen, for joining us today.
    These are vitally important regulations. There is no issue 
in America that is of more concern to individual Americans from 
every region of the country, every sector--everyone is 
concerned about the protection of the privacy of their health 
records and there are two particular concerns that these 
regulations raise. One is whether or not there really will be 
an effective at least one-time written consent for the release 
of health care information and second, whether or not the 
marketing aspects of these regulations invite the commercial 
exploitation of medical information, which I think most 
Americans would be horrified about. Think of the world of 
telemarketing with your health care records in hand and that's 
a frightening thought.
    Robert Frost, the New England poet, wrote that ``Good 
fences make good neighbors'' and the real question is whether 
these regulations are good fences so that we can be good 
neighbors. I will look closely and listen closely to the 
hearing today to see if we have made progress in that regard, 
but frankly, this is one of those issues that you do not have 
to be an expert to be concerned. You just have to be an 
American citizen. Thank you.
    Senator Dodd. Senator Warner, do you want to make any 
opening comments?

 OPENING STATEMENT OF HON. JOHN W. WARNER, A U.S. SENATOR FROM 
                     THE STATE OF VIRGINIA

    Senator Warner. Very briefly. I just wish to welcome 
Secretary Allen, who served the Commonwealth of Virginia with 
great distinction as our Secretary of Health and Human 
Resources. Now you have come to Washington to get one of the 
toughest issues that anybody has to solve. I wish you luck.
    Mr. Chairman, I want to commend my colleague Senator Frist 
for all the hard work that he does in this and so many areas 
related to health care. Thank you, Mr. Chairman.
    Senator Dodd. With that encouraging note we turn to Senator 
Murray.

OPENING STATEMENT OF HON. PATTY MURRAY, A U.S. SENATOR FROM THE 
                      STATE OF WASHINGTON

    Senator Murray. Thank you very much, Mr. Chairman. I just 
ask unanimous consent that my full statement be put into the 
record.
    Senator Dodd. Without objection.
    Senator Murray. I will just say that this is an extremely 
complex issue that this committee has been considering for some 
time and I think it is very important that we have these 
hearings today and further hearings before the administration's 
rules take effect to truly understand this because, as Senator 
Reed said, this affects every single American and we had better 
know what we are doing and the outcome of that before these 
rules are finalized because the impacts could be considerable.
    For me, the most important thing is that people do go to 
their doctor feeling confident. Otherwise, we may create a 
situation where individuals would fear seeking health care and 
that is absolutely the wrong thing that we should be doing.
    So I really look forward to this hearing and further 
hearings as we clarify what these rules would mean to general, 
average people. Thank you very much.
    [The prepared statement of Senator Patty Murray follows:]

               Prepared Statement of Senator Patty Murray

    Mr. Chairman, the Administration's decision--announced on 
March 23rd--to revise the regulations implementing medical 
records privacy has generated a great deal of concern.
    I think this hearing is an important step in better 
understanding the implications of these changes and an 
opportunity for this Committee to again focus on the urgent 
need to ensure greater medical records privacy.
    As we learned in 1999, the issue of medical records privacy 
is a complex and emotional one. There are no easy solutions.
    In addition, because of our fragmented health care delivery 
system, there are often numerous individuals who have--and in 
many cases need--access to medical records.
    These aren't just health care providers, and the ability to 
protect medical records privacy becomes further complicated by 
the number of individuals with access.
    In 1999, this Committee attempted several times to report 
out legislation implementing HIPAA privacy regulations.
    Unfortunately, we were not successful and had to default to 
the regulatory process to implement privacy standards. Clearly, 
this has created many of the problems and concerns.
    Because of the complexity and expense to providers of 
implementing these regulations, I supported additional relief 
for health care providers, especially smaller hospitals or 
physician practices.
    I supported an extension of implementation because I 
recognized the difficulty implementing these regulations.
    I also wanted to be sure that providers were able to 
implement them correctly and that patient privacy was the 
focus.
    Because there are limited private actions that an 
individual can take if his or her privacy is violated, it is 
critical that implementation is accurate.
    In reviewing the Administration's revised regulations, I 
have several concerns that I hope can be addressed or corrected 
legislatively.
    I am troubled that the Administration's changes in the 
consent requirements will gut any real protections for 
patients.
    Simply notifying a patient that their information will be 
reviewed or released is not adequate. Patients must have the 
right to consent to this release.
    While there are some cases that can be exempt from this 
requirement, I think that weakening the entire consent 
requirement does little to ensure patients that their medical 
records will be kept confidential.
    I also have some real concerns with the ability of parents 
to have access to a minor's entire health care record.
    This is one of the issues that derailed legislation in 1999 
and is nothing more than an attempt to impose a national 
parental consent or notification on all States.
    It also serves to jeopardize efforts to improve access to 
STD or reproductive health care and mental health care for 
minors.
    The language in the regulation does appear to give 
providers the ``discretion'' at releasing information to 
parents or making it available for review by parents.
    If a minor has any concerns or doubts the confidentiality 
of their records, they will NOT seek care. The guarantee of 
confidentiality has to be explicit, not up to a physician's or 
provider's discretion.
    It is also not clear how this provision impacts the 
language on State preemption.
    For example, Washington State guarantees a minor access to 
confidential reproductive health care and mental health 
services.
    This is not a tougher standard than the Federal regulation, 
so there is some concern that this regulation could preempt 
State laws and protections provided to minors in Washington 
State.
    I hope this Committee will have additional hearings on this 
issue. If legislative measures are needed to clarify or correct 
these regulations, I hope we'll take the necessary action.
    The failure to implement a national medical records privacy 
along with a prohibition on genetic discrimination has created 
a situation where individuals fear seeking health care and are 
not providing comprehensive background to their health care 
provider.
    The implications of this are staggering and jeopardize 
access to new break-through screening and prevention.

            Questions from Senator Patty Murray for Panel I:

    Question 1. In developing privacy regulations, the previous 
administration did not attempt to impose any new parental 
rights.
    The original regulations simply deferred to the States on 
parental consent or limitations on parental consent and 
notification.
    There was an effort in this Committee to impose this new 
national parental review or consent of the entire minor's 
health care records. However, as I mentioned earlier, it was 
one of the reasons legislative action stalled in the Senate.
     Why did this administration attempt to modify or 
expand parental consent or review rights?
     How does this new revision impact States that have 
not been silent but have acted to ensure a minor's access to 
confidential health care services?
     Does this provider discretion extend beyond the 
physician's office?
    Question 2. One of the major gaps in the current oversight 
is the fact that IRB requirements apply only to federally-
funded research.
    Private research and some off-shore research are exempt. 
However, the FDA approval process does provide some mechanism 
for ensuring the safety of human subjects in clinical trials.
     Can we expand this authority to improve safety or 
should we expand the jurisdiction of the Office of Human 
Research Protections at HHS?
    Question 3. It is difficult in today's market-driven 
research arena to ensure informed consent.
    Patients are often facing life threatening illnesses. 
Parents may have a child who is facing a devastating diagnosis.
    Often, patients are almost begging to get into a clinical 
trial. They will sign anything or agree to anything. They may 
not pay close attention to any financial link the researcher 
may have to the treatment.
     How can a research institution ensure that 
patients are fully aware of the risks associated with the trial 
as well as the risk associated with the established treatments?
     How can researchers ensure that patients 
understand the financial link that the researcher or 
institution may have to the treatment?
    Question 4. I have found that many patients and families 
are often surprised when they learn that there is a financial 
link between researcher and treatment.
    They're surprised when they learn that some physicians or 
doctors may be receiving some future financial benefit from a 
drug manufacturer or royalty payments for a patent.
    Of course, in a market-driven economy, it's difficult to 
separate what was justifiable compensation and what was 
provided as a way of inducing a bias on the part of the research.
    Many outstanding physicians and researchers receive 
financial compensation for their discoveries or their 
developments--yet this never impacts their hope at finding the 
cure or treatment.
    To assume that any financial link presents an inherent bias 
will jeopardize how research is conducted and eliminate 
incentives for furthering science.
     Would more detailed disclosure requirements be 
enough to remove any conflict of interests doubts or 
allegations?
     How do we provide compensation to those conducting 
research or evaluating clinical trials?
     Is there a way to totally remove any bias on the 
part of researchers?
    Question 5. We place a great deal of oversight 
responsibility into the hands of the Institutional Review Board 
(IRB). But it appears there is limited oversight over the IRB 
or even the selection process for a local IRB.
    We know of cases of IRB shopping--where a researcher will 
simply apply through different IRBs despite being rejected or 
limited by another IRB.
    Once a researcher receives the approval of the IRB, the 
issue of monitoring becomes questionable.
     Would further accreditation of IRBs serve to 
standardize and improve the process?
     Would established criteria for all IRBs, including 
the scope and timing of research review ensure greater safety?
     How can we work to guarantee that IRBs have 
pediatric expertise or pediatric knowledge?
    Question 6. Recent press accounts of safety problems and 
violations in clinical trials have generated a great deal of 
concern.
     Has the public lost confidence in clinical trials?
     Is the lack of confidence or the issue of safety 
to blame for low participation rates in clinical trials?
     Will addressing some of the safety gaps restore 
confidence?
    Clinical trials are a vital part of our health care 
structure. If we are forced to wait until we eliminate any and 
all risks, we will lose too many patients and too many 
children. Greater access to clinical trials can mean the 
difference between life and death, especially for pediatric 
cancer cases.

    Senator Dodd. Thank you very much, Senator.
    With that, Mr. Allen, we welcome you to the hearing on 
behalf of all of us here. Claude Allen is the Deputy Secretary 
of Health and Human Services. He is testifying today on the 
issue of medical privacy. He is now taking a leading role at 
HHS on a number of critical issues, including medical privacy.
    As the former Secretary of Health and Human Services for 
the State of Virginia, as has already been pointed out by 
Senator Warner, Mr. Allen has a great deal of experience 
working with health care plans, State welfare, and access to 
care issues. So we are delighted to have you here with us, Mr. 
Allen. We are looking forward to your testimony.
    We will include any materials, by the way, and supporting 
documents that you think are worthwhile for us to have as we go 
forward. So consider any additional information that you would 
like to have part of the record to be included. With that, we 
will accept your testimony.

  STATEMENT OF CLAUDE ALLEN, DEPUTY SECRETARY, DEPARTMENT OF 
                   HEALTH AND HUMAN SERVICES

    Mr. Allen. Thank you. Good morning, Mr. Chairman, Senator 
Gregg and the Members of the committee. Mr. Chairman, thank you 
for your leadership and devotion to health issues. Senator 
Kennedy has given much attention to these issues over the years 
and it has been a privilege to work with him over the course of 
this last year on this and many other issues that affect the 
health care of all Americans. We both share a passion for 
ensuring the confidence of every American to know his or her 
medical records remain private, and on behalf of Secretary 
Thompson and myself, I want to thank Senator Kennedy for his 
friendship, his support, and his counsel during this last year.
    Senator Gregg, I also wanted to extend the Secretary's and 
my thanks for his wise counsel, his friendship and his support 
during this last year, as well. I also want to thank Senator 
Gregg for his leadership on this committee and in the United 
States Senate on behalf of the people of New Hampshire and 
America.
    Senator Frist, your service to this country as the Senate's 
only physician is invaluable to all of us and we thank you for 
that. It has been a real privilege to work with you, not only 
in the areas focussing on health care, but also in terms of 
looking beyond the shores of this country, to Africa and your 
work there on the Foreign Relations Committee and looking at 
health issues globally, not just domestically. So thank you for 
your leadership in that regard.
    Members of the committee, I am here this morning to 
describe and discuss our changes to strengthen the proposed 
privacy rule. I welcome the opportunity to appear before you 
and the committee today to discuss this important issue.
    Last April, President Bush stated his desire to provide for 
the first time strong patient privacy protections at the 
Federal level. Prior to implementation of the proposed privacy 
rule, the President directed Secretary Thompson to review the 
rule and to recommend modifications to it that would identify 
and correct unanticipated consequences that might impede a 
patient's access to care or harm the quality of that care 
while, at the same time, ensuring strong privacy protections. 
The proposed rule achieved this goal.
    I am pleased to say that beginning next April, for the 
first time all Americans will have the right to require written 
authorization before their personal medical records are shared 
with employers for employment decisions or given to life, 
disability or other insurers or for marketing purposes. They 
will have the right up front, the first time they see a doctor 
or a health care provider or enroll in a health plan, to be 
notified of their privacy rights and how their information may 
be used or disclosed by the provider or the plan so they may 
understand and discuss any concerns with their providers and 
plans and get care that is consistent with their own personal 
preference.
    Additionally, they will have access to their own medical 
record and the right to correct it if it contains incorrect or 
incomplete information.
    Mr. Chairman, since the release of the proposed 
modifications to the rule, most of the attention has focussed 
on the issue of what is referred to as consent and notice, so I 
will begin with these provisions. We put ourselves in the shoes 
of the patient and we discovered the rule was not practical for 
patients, their doctors or pharmacists. Therefore, we tried to 
make changes that made the most sense from the patient's 
perspective. Our proposal gives patients more control over 
where their information goes and gives them fair notice of how 
their information is used while, at the same time, providing 
the patient with what matters most--unimpeded access to quality 
care.
    The new rule enhances the obligation that covered entities 
give notice of their privacy practices to their patients by 
requiring a good faith effort to get patients to acknowledge 
receipt of their privacy practices. The practitioner can still 
seek voluntary consent from their patients. Nothing in this 
proposed rule prohibits consent to normal treatment documents 
that doctors and hospitals use today. Patient authorization is 
still required before doctors, hospitals and other direct 
treatment providers could share personal medical records for 
non-routine purposes, such as disclosures to employers for 
employment purposes and marketing.
    However, patients would expect that their doctor, their 
hospital or other direct treatment provider could share medical 
information for those core activities that are essential 
elements to providing health care to the patient. Patients 
would continue to have the right to request restrictions on 
uses and disclosures of their health information.
    Real life examples provide the best illustration of why we 
made this change. Under the previous proposal, if a patient 
wanted or needed to receive care from a doctor he had to choose 
between signing a consent form prior to seeing his doctor and 
not receiving care. This requirement was the same for all 
providers. Mandating consent is coercive in nature and does not 
provide meaningful control for the patient.
    Now imagine that you have a twisted knee or a sore back 
that limits your mobility. You sign the form. The doctor sees 
you and recommends that you see a specialist and writes you a 
prescription for pain. The consent you signed only allows that 
doctor to treat you, but does not allow the specialist and 
pharmacist to look at your record or to provide your health 
care services.
    Therefore, before you can get that prescription filled you 
have to hobble to the pharmacist to sign another consent form. 
It is the same routine for the specialist. You have to go to 
the office to sign another consent form before you can make an 
appointment. And forget about doing it over the phone.
    Now, after seeing the specialist a few days later, she 
determines that you need surgery. First, she wants to take an 
MRI. This requires another trip to sign a consent form before 
the appointment is made and then you have to do the same for 
the MRI, and it goes on with each step.
    This is the impractical reality that we faced as we looked 
at how to implement the December 2000 rule. We viewed the 
mandatory consent as coercive and a fundamental hurdle to 
health care for patients and the doctors, hospitals and 
pharmacists that serve them.
    In addition, the previous consent form did not contain any 
information about what the patient's rights were and the 
privacy practices of the provider. That was an additional form. 
So we combined these into one form that would provide patients 
with all the information they needed to exercise and understand 
their privacy rights and protections.
    Now, Mr. Chairman, I would like to describe briefly other 
important changes. From the comments we received, the area of 
marketing seemed to satisfy no one due to its complicated 
nature. Therefore we simplified it while strengthening it at 
the same time. The proposal prohibits explicitly using or 
disclosing a patient's information for marketing without the 
individual's expressed authorization. At the same time, the 
proposal would permit doctors, hospitals, pharmacists and 
health plans to communicate freely with patients about 
individual treatment options and other health-related 
information, including disease management, case management, and 
care coordination. We did not want to interfere with valuable 
communications between patients and doctors over new treatments 
they feel their patients need to know about. Nor should we 
interfere with programs that provide important information to 
those who suffer from chronic diseases, such as diabetes. Nor 
should we stop pharmacists from sending refill reminders to 
those customers who are on maintenance medications, such as 
blood pressure or cholesterol-lowering drugs.
    Our goal is to expand the definition of what marketing is 
in the old rule, defining more communications as marketing and 
thus requiring authorization and limiting direct communication 
to those things affecting a patient's immediate health care 
needs. We believe we have accomplished this goal. However, we 
recognize that others may see opportunities to expand further 
the definition and we welcome their input.
    We also found an unintended consequence in the areas of 
parents and minors. In order to provide clarity to the 
proposal, we made limited changes to clarify that State law 
governs disclosures of a minor's health information to a parent 
or guardian. The intent of the current rule was never to 
override State law. Over the years, States have developed a 
rich and broad legislative and legal history in this area and 
we wanted to preserve it rather than confuse it. In cases where 
State law is silent or unclear, the revisions would preserve 
State and professional practice by permitting a health care 
provider to use the discretion afforded by State or other law 
to provide or deny a parent access to such records.
    Just as State law now determines when a minor may be 
treated without parental consent, so too would the revisions 
effectively defer to State law on access to and control of the 
minor's information that results from such treatment.
    In the area of research, we simplify the provisions, 
removing the burdens on research and covered entities alike so 
the Nation's well-renowned medical research can continue at a 
vigorous pace, but with renewed confidence in patients that 
their personal medical information will be protected. The 
proposal would permit researchers to use a single combined form 
instead of having multiple consent forms. The single form would 
contain informed consent and privacy rights information. The 
proposal would also simplify provisions on obtaining a waiver 
of individual permission to access records for research 
purposes so as to follow more closely the requirement of the 
common rule which governs federally-funded research.
    We also are seeking comment on the feasibility of making 
health information that does not identify directly the 
patients, but is important for research more readily available 
for researchers. To accomplish this, the department is seeking 
a consensus as to the type of information that would identify 
directly an individual and continue to be excluded from the 
proposed limited data set. To protect privacy further, we 
propose to condition the disclosure of this limited data set on 
a covered entity's obtaining from the recipient an agreement in 
which the recipient would agree to limit the use of the data 
set for the purposes for which it was given, to not reidentify 
the information or use it to contact any individual.
    Other changes that I would be happy----
    Senator Wellstone [presiding]. Mr. Allen, I do not want to 
interrupt you and thank you so much for being here. If you can, 
I know there are many questions and a whole other panel and I 
might ask you to eventually summarize. It is very important 
testimony and I apologize for being impolite. I just want to 
make sure my colleagues have a chance for questions.
    Mr. Allen. Senator Wellstone, I am about to finish up right 
now.
    Senator Wellstone. Thank you. Then I apologize.
    Mr. Allen. Other changes that I would be happy to discuss 
in further detail during questioning include the clarifying and 
encouraging of public health reporting of adverse events and 
other post-market surveillance of the FDA, clarifying that a 
doctor can discuss a patient's treatment with other doctors, 
nurses, and health care professionals without fear of violating 
the rule if they are overheard inadvertently, providing model 
business associate contracts provisions and allowing up to an 
additional year for most covered entities to make their 
business associate contracts compliant with the rule, and 
permitting the sharing of information among health care 
providers and health plans for each other's treatment payment 
and quality-related health care operations.
    I want to assure you that Secretary Thompson and I are 
committed to working with this committee and Congress on a 
bipartisan basis to strengthen the privacy protections while 
preserving access to quality of health care. The need to get 
strong privacy protections in place now is a commonly held goal 
that transcends partisan politics. We owe the American people a 
privacy rule that works and they deserve no less.
    I want to thank you again for the opportunity to be here 
today and I appreciate your interest and commitment and I am 
happy to answer any questions that you have at this time.
    Senator Wellstone. Thank you very much. I guess what we 
ought to do is maybe go 7 minutes each. Is that okay, Senator 
Warner?
    I want to thank you again for your testimony. Mr. Allen, I 
want to ask you about the administration's decision to 
eliminate the patient consent from the privacy rule. That is 
obviously, I think, for people in the country a great concern. 
To me, consent is the centerpiece of patient privacy. It is 
what gives the patient a real say in health care and I also 
think helps restore confidence in the health care system.
    Now we know that there are glitches in the privacy rules 
that need to be fixed and I accept that. For example, 
pharmacists should be able to receive prescription refills over 
the phone and a patient should be referred to a specialist 
before consent is given. But why did not the administration 
address these problems in a more narrow manner instead of 
throwing out the underlying consent provision? I want to ask a 
question that I think goes to the heart of what I think will be 
the debate in the Senate and I think the debate in the country.
    Mr. Allen. Let me start out by first of all saying that we 
have not thrown out consent altogether. The modifications to 
the rule simply remove the requirement for mandatory consent 
at the initial meeting. We have allowed that providers can 
continue to seek consent and we would encourage that providers 
seek consent from their patients.
    The primary reason why we have moved from a mandatory 
consent to require a mandatory notice regime is because of the 
interference that consent would provide for the patient 
receiving care. It was very clear under the rule that you had 
an option. If you were a patient and you presented to the 
physician, if you did not sign the consent form a provider 
could refuse you care. It is that plain and simple. A provider 
could refuse you care because you did not sign a consent form.
    So therefore, consent was not the issue that we were trying 
to fully address here. We are trying to fully address ensuring 
that patients had adequate access, access to quality care but, 
at the same time, had their privacy rights respected. 
Therefore, what we did is after receiving an outpouring of 
comments--during the 30-day comment period we received 
approximately 11,000 comments--we began to focus on the issues 
that were being raised and the issues went far beyond simply 
the pharmacist example.
    For example, it also impacted emergency care providers that 
required an emergency care provider to, once they deliver you 
to the emergency room, they are off going to follow on the next 
emergency, but they still had to somehow double back to try to 
locate you to get you to sign a written consent form and that 
simply was unworkable.
    The issue with specialists, again that is an area that 
raised considerable concerns. We also had issues of those who 
did not even have direct personal contact with you--in this 
area we are talking about advancing technology, in the area of 
telemedicine--that we would require someone who you would have 
contact over the telephone before they can engage you would 
have to get a written consent. These were all items that were 
unworkable and therefore we sought a mechanism that allowed us 
to go further by requiring notice on your first visit of that 
practitioner's policies in terms of how they would treat your 
information and give you a meaningful opportunity to engage 
them on providing restrictions to the use of that information.
    Senator Wellstone. I want to ask one other question for the 
record to begin to cover some of what I think are the concerns. 
Let me just say I thank you for your answer. In some ways I 
think what you did was sort of speak to the question I raised 
in that again I think some of the problems you raised could be 
addressed in a more narrow manner. But again I think the 
problem is you just basically eliminate the underlying consent 
provision and I think that what you are going to hear from some 
of us in the Senate is yes, you are right; it is more than just 
pharmacists, but there is a way of addressing these concerns--
for the record I want to say this--without undermining the 
entire consent provision, and I think that is going to be the 
nub of the debate.
    Now one other issue before I run out of my time. It has to 
do with the marketing of people's private medical information. 
We have all heard stories where a pharmaceutical company gets 
information that a patient has been seeing a counselor and then 
starts marketing antidepressants.
    In this regulation you have changed what counts as non-
marketing and what is therefore not subject to the protections 
in the rule and they include, and I quote, ``recommending 
alternative treatment therapies, health providers or settings 
of care to that individual.'' This is not counted as marketing.
    So basically that means that any communication that 
encourages a patient to use a product or a service related to 
health is not marketing, even if they are paid to make that 
communication. Now if that is not marketing, I do not know what 
it is and I am concerned that we have created a major loophole 
here that allows people to have their private records used for 
marketing purposes. And I wonder whether you could help me 
understand this change.
    Mr. Allen. I would be glad to try to do that, Senator.
    What we did in the rule, under the prior rule it prohibited 
the sale of personal health information without authorization 
or consent and required that it was a much--we thought that we 
have broadened the restriction or strengthened the privacy 
rights of individuals because what we did is that we more 
narrowly determined what was going to be marketing and then 
required a direct authorization from the individual for 
marketing purposes.
    Under the prior rule what would happen is that there was a 
broader definition of marketing, but what had to happen is 
there had to be a disclosure of whether you receive 
remuneration or not from that purpose. In doing that, you had a 
situation that we were concerned about and heard about from the 
comments and that was if you had, for example, a provider that 
gets reimbursed for participation in continuing medical 
education conferences--let us say they get travel 
reimbursement--to continue their medical education, if they 
then later had a client or patient that had a condition and 
they thought that that treatment regimen, that pharmaceutical 
product or that device might benefit them, they would have to 
go through an issue of determining whether they would be 
marketing to their client and to their patient.
    We have great concerns about again interfering with the 
treatment decisions that would be important to that patient-
physician encounter. So therefore we broadened it and said that 
what was not marketing were issues that dealt with care 
coordination, issues that dealt with treatment, issues that 
dealt with disease management. These sort of items were not 
determined to be marketing.
    What we did do, though, is that we also limited marketing 
in the sense that where--if it was not related to treatment of 
the patient, that that patient would have to give prior 
authorization for someone to send information to them in terms 
of marketing.
    So we think that we have approached this in a very balanced 
way that once again gives considerable weight to patients 
having access to information that affects their health and 
their determination of what is in their best interest and their 
physician's best interest of their health care outcomes.
    Senator Wellstone. Well, I am going to turn to Senator 
Frist. I mean, we want patients to have access to information 
that affects their health, but what we do not want is the sort 
of indiscriminate marketing of people's private medical 
information.
    Mr. Allen. Certainly, and we think that we have narrowed 
this down sufficiently enough that in this regard we will defer 
in many cases to that patient and that physician, first of all, 
in that initial encounter, determine what those practices are, 
particularly as it relates to marketing, particularly as it 
relates to that patient's treatment decision-making. But we 
then narrow the scope and require affirmative disclosure and 
seeking authorization for further marketing of materials that 
might be unrelated to the treatment of that patient.
    Senator Wellstone. I thank you. I think we have too much of 
a loophole here and I do not think you have narrowed it down 
the way we need to, but I certainly appreciate your thorough 
answer, and thank you.
    Senator Frist.
    Senator Frist. Thank you, Mr. Chairman. Both of those 
issues that were just talked about, consent and care and the 
marketing provisions, are very important and I think in the 
second panel we will be coming back to the marketing provisions 
in the testimony that was sent to us because it is important, I 
think, to make sure that in this narrowing process that the net 
effect is not to weaken the privacy rule itself.
    But let me move to another topic, Secretary Allen, and that 
is on the research and public health and deidentification, 
issues that I mentioned in my opening statement. I very much 
agree and applaud the proposed change that would reduce that 
burden, that overly restrictive burden on scientists and 
research entities by requiring a single combined consent form 
rather than the multiple consent forms that were initially 
proposed by the previous administration.
    I note that the department is also considering changes to 
the proposed rule's so-called deidentification standard so that 
information could be used for research or public health 
purposes if it is facially deidentified, but still maintains or 
retains the important information for environmental health 
studies, infectious disease tracking. That would include things 
like zip code, date of service.
    I am very concerned that the previous administration's 
deidentification standard is much too stringent and could 
significantly slow down, hinder or impede efforts to track 
infectious disease outbreaks or to conduct public health 
investigations that again I mentioned in my opening statement 
that are important to surveillance, detection and response. It 
could also significantly skew the results of epidemiological 
research studies, which routinely use admission dates and 
discharge dates and dates of death to track and help us more 
fully understand disease.
    In this area why is the administration seeking additional 
comment rather than proposing a rule up front, as it has with 
other areas in this proposed rulemaking process?
    Mr. Allen. We believe that research in the United States is 
by far the very best in the world. We believe that we want to 
make sure that that research is able to continue and exactly 
for what you have cited, Senator, and that is that we not only 
need to be able to track infectious diseases and gather 
population-based information so that we can plan; for example, 
trying to address chronic disease. We are working very 
aggressively within the department, working with the National 
Institutes of Health and with the universities around the 
country who are looking into these issues and we were very 
concerned that by, up front, us proposing what we do not have 
all the answers to, and that is how significant and what is the 
best method of deidentifying data so that you protect the 
privacy rights of the individual, but we do not impede the 
advancement of research. So those were the balancing issues 
that we had to look at.
    Under the proposal we have laid out as an option for 
deidentification two alternative methods. One was to use what 
is known as basically an appropriate person who has knowledge 
and experience in statistical data and being able to say 
whether they thought that there was a greater risk or less risk 
of identifying the individual based upon the release of that 
information. You can get basically somewhat of a certification 
that that individual has made that decision or you had an 
alternative method where covered entities would have to remove 
all 18 identifiers.
    We were concerned about both of those and therefore we felt 
it probably was best to allow the research community to offer 
comment on that, rather than us try to--
    Senator Frist. Have you gotten feedback from the research 
community? Their initial letters we have shared with each other 
and shared with you from the research community. Has it been 
long enough to get a feel for their response?
    Mr. Allen. We have gotten a few and because the comment 
period is still open I cannot close out the options for more 
coming in, but yes, we have begun to hear from the research 
community and we think that we are getting information to 
assist us in terms of how best to approach creating a limited 
data set, and that is really what the ultimate goal is, is what 
is the limited data set? That is, what are the limited number 
of identifiers that would be necessary to one, provide the 
information that we need for epidemiological research, et 
cetera, but, at the same time, to maximize the privacy 
protections of the individual so that their identity is not 
disclosed inadvertently or intentionally.
    Senator Frist. Let me return to this whole concept of 
consent and care, because as a physician, the previous 
administration's proposed consent rules would have placed me as 
a physician or physicians generally in a very difficult 
position with respect to their patients in terms of care 
delivery, but also from an ethical standpoint.
    It seems to me that it would have required me not only to 
provide notice of my privacy practices, the standards and the 
guidelines that would govern my own practice, but also would 
expressly allow me--in fact, it would have required me to 
withhold or deny treatment to those patients who failed or 
refused to provide me with a written consent. That is my 
interpretation just from reading it. It also seems to place 
patients in a difficult and an untenable position of signing a 
consent form or not receiving that care.
    You said in response to Senator Wellstone's questions that 
this is one of the key areas in which the administration is 
making modifications to the rule. And again I know we are in 
this comment period. Are patients and physicians responding to 
that objection and to the proposals that have been made?
    Mr. Allen. That is certainly what precipitated us making 
the proposed change initially, is that we had heard from 
patients, physicians and practitioners, all within the health 
care continuum. That would be providers, hospitals, plans, and 
patients.
    The problem with it was, as we have identified, it was 
unworkable because what you were putting the patient in the 
position of having to do is having to choose between signing a 
form that you may or may not understand or agree with and 
getting care that you need immediately. It put you in that 
conundrum, but also it put the practitioner in an even more 
difficult position in that if you see that client more than 
once, you were almost put in the position of requiring a 
consent form be signed every time that patient came in because 
of the revocation requirement. You would have to track whether 
that patient revoked his or her consent.
    So it was very difficult to do that and from an 
administration position it was very difficult for us to be able 
to address it because we can only address these issues once a 
year, so we would be put in a very difficult position that if 
there were a problem identified, if we had made changes already 
that year, we could not take action to make another change in 
that area, whether it was consent or somewhere else, for 
another year, and that raises serious concerns for health and 
safety.
    Senator Frist. I see my time has expired. Let me just add 
that physicians and patients and others would ask me about 
emergency rooms in response to acute care, as well as the 
problems with pharmacies themselves.
    Thank you, Mr. Chairman. My time has expired.
    The Chairman. Thank you very much.
    Mr. Allen, thank you again. I know that you are very much 
aware that these consent requirements were not part of the 
original Clinton proposal and then after they had a great many 
hearings, public hearings, really the American people spoke and 
they spoke with such a sense of urgency about the importance of 
medical privacy that they made these alterations and changes.
    Now you have made a different recommendation on the way to 
proceed on this. When you were considering what other changes 
should be there did you consider maintaining the proposal on 
consent and trying to deal with some of the principal areas--
for example, the prescription drugs, the scheduling of doctors 
visits, which were really the primary kinds of areas, as I 
understand on the basis of public hearings, where they would 
have to be altered or changed?
    My question is why not maintain the consent form and adjust 
it to take into consideration some of the legitimate issues 
and questions, rather than going in a different direction, 
instead of going to a situation where they will be notified and 
they will be then on sufficient notice about what is happening 
to their medical records?
    Mr. Allen. Mr. Chairman, I think it is very important, as 
you point out, that with the prior administration they went 
from one position to a totally opposite position and we were--
    The Chairman. Granting greater privacy. You would not 
question that.
    Mr. Allen. I think what we would question is whether that 
effected greater privacy in reality for the patient, from the 
patient's perspective.
    The Chairman. Wait a minute now. You do not think an 
individual having control over their medical records is greater 
privacy for that individual than the recommendation that you 
made?
    Mr. Allen. I think certainly an individual having greater 
control over the information about them is significant, 
balanced against them making sure--their primary reason for 
going to a physician is not privacy. Their primary reason for 
going to a physician is care. And if we put paperwork in the 
way of them accessing care, period, regardless of whether it is 
quality of care, the first idea is getting care. And the 
consent provisions as they were proposed, from the pendulum 
swinging from no consent provision under the prior 
administration to an absolutely mandatory written response, 
that pendulum swinging created the conundrum of putting 
patients at risk of not receiving any care at all.
    The Chairman. This is the committee that wrote that 
requirement in, Mr. Allen. It is because this committee was 
concerned about the issues of privacy that we put it in. So we 
do not have to be reminded about the requirements because we 
said that unless we were going to take action, that the 
administration was going to because it was such a sense of 
urgency.
    And what you are talking about now is the question of the 
privacy of the records versus care. Of course, we probably have 
a difference on this. We have taken notice of what has happened 
in the types of discrimination against individuals on the basis 
of genetic information and how that can be abused by insurance 
companies.
    Mr. Allen. Certainly.
    The Chairman. And we have taken notice, as well, in terms 
of particularly in the areas of mental health, as well as the 
marketing of various prescription drugs.
    Now I know, as I understand, you have made a response, I 
believe to Senator Wellstone, about the kind of protections 
that you believe are going to be adequate to effectively 
protect patients from the abuses that can take place from 
marketing private information. Am I basically correct, that you 
believe that the provisions that you have, the new regulations, 
are going to protect people's privacy from the marketing of 
sensitive information--for example, the needs that a person 
would have with regard to mental health or whether someone is 
an AIDS patient?
    Mr. Allen. We believe that we have, under this proposed 
rule, we have strengthened the marketing provisions to protect 
patients from the nonhealth disclosures of information that 
they would reasonably expect not to occur, whether it be in the 
case of HIV-AIDS status or the other inadvertent or intentional 
uses and misuses of that information. So we believe these 
proposed changes do effectuate that.
    In terms of what you cited, Mr. Chairman, you talked about 
genetics and mental health. I think it is important to note 
that as Senator Warner has already pointed out, as the 
secretary of Health and Human Resources of Virginia, Virginia 
is a State that protects its information, genetic information, 
from being used to discriminate in employment. We think that 
that also is an area of high importance at the Federal level, 
that this rule does not deal specifically with genetic 
information except for in terms of it prohibits an employer 
from using health-related information for employment decisions, 
period. It puts it as a prohibition with two very minor 
exceptions that we have to recognize, and that is in the case 
of ERISA, where an employer is a group plan. But that employer 
must also take precautions not to use that information 
inappropriately for employment-related decisions.
    So we believe that we have struck the appropriate balance, 
which would weigh in favor of the patient getting care, and 
weigh also in favor of strengthening and giving the patient the 
maximum protection of privacy of their information, but also 
not preclude them from having the ability to authorize, if they 
choose to, that information going other places, whether it is 
for marketing or other purposes.
    The Chairman. Well, I like what you say. The question is 
whether this language does exactly what you say. Now I have the 
regulations right here and this, as I understand, will still 
make permissible recommended alternative treatments--this is 
one of the exceptions--therapies, health care providers, or 
settings of care to that individual. This is on page 14,790.
    Now that seems to me, you say that this is not marketing, 
even if someone actually is involved in those kinds of 
activities, as I understand it.
    Mr. Allen. Senator, I do not have that paper in front of 
me.
    The Chairman. I apologize.
    Mr. Allen. If I understand what your question is----
    The Chairman. Because this is not an enormously new 
section. As you are very much aware, there have been questions 
about the administration's proposal and there have been serious 
questions about the rule about how sensitive information could 
be used and those that have been critical have referred to this 
language that says, in the particular regulations, the basic 
definition. The point is that the definition means any 
communication that encourages a patient to use a product or a 
service related to health is not marketing, even if they are 
paid to make that communication. If that is not marketing, I am 
not sure what is and I am concerned that we have created a 
major loophole here that allows people----
    Mr. Allen. Not at all, Senator. We do not believe that this 
is a loophole. Again we approached this from the perspective of 
the patient. If a patient has a particular condition, whether 
it be hypertension or allergies, for example, and the provider 
who is working with that patient has access to the latest and 
greatest information and product that that patient should know 
about, that that physician believes that it is in the best 
interest of that patient to have an opportunity to choose to 
change from, we have made this language allow for that to 
occur. It does not interfere with the patient-physician 
encounter.
    What it does narrow it to is it has to be related to 
treatment for that individual and therefore that is what we 
have said is not marketing. We believe a patient should have 
access to that information.
    The Chairman. The fact remains that under this language, as 
I understand it, individuals may very well receive a 
publication from a drug company about alternative AIDS 
treatments or alternative AIDS care centers or alternative 
mental health advertising and it could be received in their 
home or in their place of business.
    Mr. Allen. First of all, I think I need to approach it that 
the patient, stepping back, the patient has an opportunity to 
determine where that information will be received if it is 
going to be received.
    The Chairman. If they have gotten notice.
    Mr. Allen. Let me walk through it if I may, Senator.
    The Chairman. If they have gotten notice.
    Mr. Allen. Mr. Chairman, let me walk through if I can. At 
the very first encounter with that patient's physician, that 
patient will have discussed or have the opportunity to know 
what those practices are of that provider in terms of how they 
will use that information. Once that is determined and they 
agree with that--if they do not agree with it they can 
negotiate with that provider that that information not be used 
at all. If the provider says ``No, we will use this 
information,'' the patient has the choice to say ``I will seek 
other care elsewhere.''
    Once that is done, that information that you have described 
is information, if it is consistent with treatment, it can only 
be approved for being sent to that patient by the covered 
entity, by the entity that has a relationship with that patient 
in terms of his or her treatment.
    Therefore, the idea that some unrelated company out there 
is willy-nilly getting access to that patient's information, we 
believe that we have addressed that in this rule, that it would 
be inappropriate, it would be a violation for information to 
end up in the hands of a third party that has no connection 
whatsoever either to the patient or to the patient's provider 
and thereby we believe that we have narrowed and limited that 
type of unsolicited or unrelated solicitations to that patient.
    Where it can occur that a covered entity--let us assume it 
is a pharmacy that is working with a patient and in the case of 
disease management or in terms of a prescription being 
refilled--that pharmacist, the covered entity, can have a 
business association with a company that they have relegated or 
delegated that responsibility for notifying that patient that 
your prescription has come due and we think that that is an 
appropriate use of the information to serve the patient in 
terms of his or her treatment.
    The Chairman. Well, I think we need strong language that 
makes very clear the protections of the privacy of the patient 
in this area and we will have an opportunity to consider that. 
Thank you very much. My time is up.
    Mr. Allen. Thank you, Mr. Chairman.
    The Chairman. Senator Warner?
    Senator Warner. Thank you, Mr. Chairman. I think we have 
had a very constructive hearing this morning. It is not over 
yet, but the point I wish to make is that Congress really has 
not been able to resolve these tough issues since 1996 and 
basically we have just forfeited this to the successive 
administrations of two Presidents to try to solve it.
    I have to assume that this administration, as did the 
previous, in a very conscientious and nonpolitical way--there 
should not be any politics, in my judgment, involved in this 
thing if we can avoid it--is trying to do what is best for the 
health care industry and patients. But these issues are at the 
very heart of our health care system and as I sat and listened 
I have one question and then one observation.
    The second panel will come forward hopefully with good 
constructive viewpoints on how things can be changed. You still 
have an open mind, do you not?
    Mr. Allen. We are required to by law.
    Senator Warner. Well, what about just following the law to 
the T? Keep that open mind because I think a lot of 
conscientious people are working on this. And I guess my 
question would be many have stated that a much more targeted 
modification could have been made that would have improved 
access to care while maintaining stronger privacy protections. 
Did you consider a less restrictive alternative in your 
deliberations?
    Mr. Allen. Senator Warner, yes, we did. We went through 
this and tried to find ways to make the consent provision work, 
but the bottom line, as we have already stated again, is that 
the issue was not--the consent did not give a patient control 
over the information. It actually took control out of that 
patient's hands and put it into the hands of the provider, who 
was forced to make a determination of whether you sign a piece 
of paper or not and determine whether you got treatment.
    When we looked at it we tried to address the issues of the 
pharmacist. We tried to address the issue relating to 
specialists. We tried to address the issues related to 
emergency care. And we went down the list and again and again 
it came to a place where we either were going to have a rule 
that applied broadly or we would have a narrow exception that 
addressed every specialty group that existed out there.
    I think the goal that we were trying to achieve was one 
that had a flexible approach, but a consistent approach across 
the board, that took into consideration that we want to 
maximize two things. We wanted to maximize the patient's 
ability to get care, but also wanted to maximize the patient's 
ability to control their ability to have their public health 
information shared outside of treatment, payment and operations 
that reasonably a patient would assume that their information 
would be used for.
    Senator Warner. If all the best intentions that you and 
your colleagues have manifested thus far simply prove in 
practice not to be workable, particularly the enormous costs 
that the hospitals and other health care deliverers, physicians 
are going to have to bear, you would be willing in the future 
to reopen this thing under the process prescribed by law?
    Mr. Allen. Yes, Senator. Under the law we would be allowed 
to revisit this issue once a year and that is why, that one 
point, under the rule, under the statute, we were only allowed 
one time a year to make changes. We were concerned that we 
would be put into a position that we would have made a change 
and then have other issues, unanticipated issues arise that 
were a detriment to the furtherance of either access to care or 
took away from the privacy rights of the individual and would 
not be allowed to address them, and that was an issue that we 
felt very strongly that we needed to weigh in on the side of 
maximum flexibility so that we can work it throughout the year 
without having to use that one-time-a-year exercise to try to 
address every problem that arose in the interim.
    Senator Warner. Well, I think you have delivered the 
administration's care very professionally and quite well.
    Mr. Allen. Thank you, Senator.
    Senator Warner. Time will tell. Thank you very much. Thank 
you, Mr. Chairman.
    The Chairman. Senator Clinton?
    Senator Clinton. Thank you, Mr. Chairman. I very much 
appreciate Senator Warner's comments because I think all of us 
are looking for an appropriate way to handle this new world of 
information that is out there and to protect people's right to 
privacy, especially the most personal and intimate information 
and details about them. So I am grateful for the recognition 
that this is probably a moving target to some extent that we 
will evolve a response to because I feel very strongly about 
the right to privacy and I also understand the need for health-
related organizations to have access to good information.
    But I must confess, Mr. Allen, I am confused and it may be 
that this is such a complicated, difficult area that it is hard 
to follow, but I just wanted to run through a couple of issues.
    As I understand what the administration is proposing, we no 
longer will require affirmative consent, but instead, an 
acknowledgement that information about privacy rights has been 
provided. Is that correct?
    Mr. Allen. It is correct in the sense that we do not 
require that a written consent be given.
    Senator Clinton. Right.
    Mr. Allen. It does not preclude an entity from seeking 
consent.
    Senator Clinton. Well, that is what is interesting to me 
because as I study what you are proposing, on the one hand we 
no longer have an affirmative consent process, but you do 
permit entities to go ahead and voluntarily seek consent.
    Mr. Allen. And there is a good reason for that. The reason 
is this, that in some cases you may have, for example, a 
hospital that already has consent for treatment, which is what 
we call informed consent. They may want to go ahead and still 
have consent for using that information that will be consistent 
with treatment. Therefore some entities may choose to seek a 
written consent from a patient, but what we have not done is we 
have not required everyone to do that.
    Senator Clinton. But what you have done is when an entity 
does choose to require consent you have eliminated many of the 
consent requirements that would apply to the voluntary request 
for consent.
    Mr. Allen. And again the reason for that is because we are 
trying to maintain flexibility----
    Senator Clinton. But you are trying to have it both ways.
    Mr. Allen. If you would let me answer my question?
    Senator Clinton. Mr. Allen, let me finish because I am 
trying to----
    Mr. Allen. You asked me a question and let me answer the 
question.
    Senator Clinton. No, but let me pose the question.
    Mr. Allen. I thought you already did.
    Senator Clinton. No, I did not, Mr. Allen.
    Mr. Allen. Well, go for it.
    Senator Clinton. Thank you, dear.
    Now if you are on the one hand not requiring consent and 
then on the other hand when someone voluntarily pursues 
consent, you eliminate what the original rule had in for the 
provisions of consent, it seems to me you are going after 
consent from both ends. Either you offer it or you do not offer 
it, but when it is voluntarily chosen you undermine it. And I 
think if you look at what you have done to eliminate that in 
the name of flexibility, you have essentially vitiated consent 
even if someone voluntarily chooses to pursue consent.
    Mr. Allen. And your question is?
    Senator Clinton. Why have you done that?
    Mr. Allen. First of all, I would beg the question that we 
have not done that. I think what we have done is we have 
strengthened the process by one, when we remove mandatory 
written consent in terms of the rule we have now enabled a 
patient to get care, plain and simple. But, at the same time, 
we have enabled a patient for the very first time under this 
rule to have information about the practices of the provider, 
to have opportunity to review those practices and engage in a 
discussion about those practices and seek to restrict the uses 
of that information. That is all essential for protecting and 
providing protections for an individual in terms of how that 
information is used. That does not happen. That will now happen 
under this proposed rule that did not happen under the former 
rule.
    Beyond that, we have also provided again--we have not 
precluded entities from seeking to get a written consent and 
that written consent, we are not dictating the confines of that 
because again it is voluntary. It is something that some 
providers may seek; others may not. But what we can guarantee 
is that that patient will get information and notice of the 
practices and procedures of that entity, and that is what we 
think is essential to the decision-making of the patient, but 
also to the continuity of the care that that patient will 
receive from that provider.
    Senator Clinton. But you are also eliminating the 
requirements that the covered entity inform the patient it is 
receiving remuneration for making the communication, you are 
eliminating the much more restrictive definition of marketing 
so that very often a poor patient will receive information and 
will not know that there is a financial interest in the entity 
providing it.
    Mr. Allen. What we have done is a couple of things, again, 
Senator. One, in terms of consent, it only relates to what we 
have eliminated the consent for, is for treatment, payment and 
operations. Anything beyond that, you must get the patient's 
consent for the use of that information.
    In terms of remuneration, what you are discussing is how we 
address the issue of practices that, for example, I cited the 
example earlier. What we were concerned with is we have 
circumstances in which providers participate in continuing 
medical education conferences. Those conferences may be paid 
for by X company. What we do not want to have happen is having 
to have providers having to toil over whether or not they 
receive remuneration from a company simply because later on 
they prescribe a product that they think is in the best 
interest of their patient, but because they had been given the 
opportunity to participate in this conference we did not want 
that to have to be considered as marketing because that is 
consistent with that provider's treatment of the individual.
    So therefore we have broadened what we look for in terms of 
the definition of marketing, but we have limited it to that 
which is outside of the treatment-payment continuum.
    Senator Clinton. Well, Mr. Allen, I have to confess that I 
am very disturbed by some of these changes because I think the 
practical effect is to substantially weaken the privacy rule. I 
appreciate some of the difficulties that were brought to our 
attention in a hearing that we held last year and I certainly 
believe we should have targeted effective measures for dealing 
with some of those issues, like the ones that the pharmacists 
raise, but you have thrown the baby out with the bath, the best 
I can tell, and opened up a huge loophole for nearly any use of 
information without any effective check on it because we will 
not have any proof that the patient has ever been adequately 
informed.
    I think it is unrealistic to believe that many patients are 
going to be that well skilled in the nuance of these rules to 
even know the questions that they are supposed to be asking and 
I think we have an obligation to err on the side of privacy. 
And I think that this rule, the recommended changes to the rule 
really go in the opposite direction.
    So I will be very interested in following what you are 
proposing on this, but I think that the witnesses who will be 
coming to appear before us in the next panel have some very 
specific issues and I hope that you and your colleagues will 
listen very carefully because I think it would be quite useful 
to take another stab at trying to figure out how to do what you 
are trying to do in the name of flexibility without undermining 
privacy.
    Mr. Allen. Senator, I take your point very seriously. We 
are here to listen. We are in a comment period and we expect to 
get many comments. In fact, we probably will get, particularly 
after this hearing, a lot more comments and we welcome that. 
But I think from the perspective that we have taken, we tried 
to approach this from the patient's perspective. While you may 
think privacy rights are the most overriding issue, we stepped 
back and thought that it was far more important that in seeking 
to maximize an individual's right of privacy that it was far 
more important that we ensure that we do nothing, that we do 
absolutely nothing to impede their access to care because 
having a right to privacy means very little to a person who is 
desperately needing care, whether it be the mother who is----
    Senator Clinton. You are not going to get any argument from 
any of us about that, Mr. Allen. We are all in favor of care. 
It is just that we are concerned that in the name of care, 
profit has a very big role in a lot of the efforts to use 
information available to health entities. There has to be a 
line drawn and you have ended up on one side of the line, and I 
think some of us are more comfortable on the other side of the 
line, but that is to be worked out and discussed and I 
appreciate your willingness to listen to the comments that will 
be coming to you. Thank you.
    Mr. Allen. Certainly.
    The Chairman. Senator Enzi.

 OPENING STATEMENT OF HON. MICHAEL E. ENZI, U.S. SENATOR FROM 
                      THE STATE OF WYOMING

    Senator Enzi. Thank you, Mr. Chairman. I would ask consent 
that a statement that I prepared be placed in the record.
    The Chairman. Without objection.
    Senator Enzi. Thank you. I appreciate your holding this 
hearing. This is an issue of tremendous concern to everyone 
that I know. I know that we as a committee deferred to the 
agency to go ahead and do the rules. They did those; they 
occurred at the end of the last administration and from 
comments that I am receiving, I am quite sure that that 
administration would have reviewed these, as well, and I am so 
pleased that they have been reviewed and revised by the current 
administration.
    Now I know that privacy is of extreme importance to 
everybody. I saw a survey when we were doing banking privacy 
and it said that 94 percent of the people in the United States 
were concerned about their privacy--and I was wondering what 
was the matter with the other 6 percent.
    But on the medical privacy rule I have had a lot of 
comments when I've been in Wyoming. My prime concerns with the 
rule that we had, I heard from pharmacists. They are very 
concerned about elderly people having to come in and sign a 
form so that somebody can pick up their prescriptions for them, 
yet they are not even able to come in and sign the darn form.
    But we have some areas of Wyoming that have even bigger 
problems than that and I suspect that we are not alone in the 
country, although we may be. Cell phones have not gotten to all 
of Wyoming yet. I have people that rely not on telephones that 
are party lines, but on radios that are very definitely party 
lines because anybody can pick up the transmission. In fact, 
they rely on that feature. Everybody leaves their radio on and 
if somebody in that vast area of the back country is headed to 
town, they put out the word that they have a couple of things 
they need them to pick up when they are in town. They have 
relied on that for years and it creates a tremendous sense of 
community.
    But the privacy rule does not allow that sense of 
community. They are not even sure whether they are violating 
the law by letting somebody know that they need a prescription 
picked up.
    I hear from the doctors, as well. When the final rule first 
came out I had a number of them that said, ``to me it looks 
like I have to violate the law,'' again, because of our 
distances and our communication, so ``Senator, what can you do 
to protect me when I violate this rule that you allowed to go 
into place?'' When they put it that way I have a lot of 
sympathy for them.
    I also understand what the people are talking about when 
they talk to me and it has primarily been pharmacists and some 
doctors and hospitals.
    I appreciate very much your comments about the comment 
period not being up. One of the difficulties I have had with 
agencies has been when they have obviously failed to read the 
information that they were presented with and had already 
closed their mind--before they wrote their rule--about how the 
rule was going to come out. So however it comes out, I commend 
you on your openness on the rulemaking process.
    [The prepared statement of Senator Michael Enzi follows:]

             Prepared Statement of Senator Michael B. Enzi

    Mr. Chairman, I want to thank you for promptly holding this 
hearing on the new proposed rule to protect the privacy of 
medical records.
    This Committee mounted a serious bipartisan effort in the 
last Congress to advance privacy legislation. While we were not 
able to come to agreement on a handful of provisions, there was 
significant agreement on the details of the right policy for 
protecting people's medical information. I believe such 
protection is achievable while also allowing the appropriate 
use of medical information to improve the health status of all 
Americans through research and the development of better 
medical management protocols.
    The Clinton Administration took our legislative draft and 
used it as a foundation for a rule-making on medical records 
privacy. Having been issued in the final days of that 
Administration, President Bush was placed in the position of 
having to review the rule when he took office.
    Under Secretary Thompson's leadership, the rule underwent 
additional modifications. Which brings us to today. With that, 
I'd like to welcome Deputy Secretary Claude Allen, who will be 
explaining the latest iteration of the rule. I also welcome the 
other witnesses whose expertise in medical privacy has helped 
shape this policy over the last 4 years.
    I will comment very briefly on the new proposed rule. 
First, let me say that I support the new rule and believe it 
will afford strong privacy protections for medical information. 
I applaud the Administration's effort to carefully balance 
``protections'' with ``progress'' in medicine. I look forward 
to the comments solicited in the preamble with respect to de-
identified health information.
    The new rule was modified to correct the old rule's 
unintended consequence of threatening access to care and 
reducing the quality of care patients enjoy today. The goal of 
a privacy rule should be to enhance access and quality, not 
undermine these basics of good health care.
    Several other important modifications to the rule can be 
summarized by the phrase ``administrative simplification.'' 
Changes to make the privacy rule patient-friendly by making it 
user-friendly should be supported by this Committee. After all, 
the statutory mandate to develop a medical records privacy rule 
was included in the Health Insurance Portability and 
Accountability Act (HIPAA). HIPAA also included requirements on 
both the private health care market and certain public programs 
to administratively simplify health care transactions. Since 
HIPAA was drafted by this Committee, it's only logical that we 
should support all efforts to make the privacy rule consistent 
with our intent to simplify administrative burdens within 
the health care system.
    Mr. Chairman, I look forward to the testimony and again 
thank you for calling this hearing.
    Senator Enzi. Could you give me some of the factors that 
were motivating factors behind the changes that you made to the 
privacy rules and the more general comments you may not have 
been able to make?
    Mr. Allen. Certainly. When we received the comments--we 
received over 11,000 comments in about a 30-day period when we 
put these particular sections of the rule back out for 
additional comment and we had various--we have addressed 
somewhat earlier some of the issues that we are addressing. The 
one example that continued to come up was pharmacists not being 
able to fill prescriptions without having the patient to come 
in prior to the information being transmitted to the pharmacy 
and signing a consent form. That clearly was an impediment to 
care, to access to care.
    We then heard from specialists who were concerned about 
their practices and being impeded in providing care to the 
patient. Those were the sorts of examples that we had, also. 
Then we went down the list from there. We had emergency care 
providers who not only would have the burden of having to get a 
consent form, but the nature of their work precludes them from 
getting the consent when they first pick up the patient, but 
then would require them to disrupt their normal practices by 
having to double back to try to seek that access.
    The area that we heard a lot of comments about was in this 
area that we all have great concerns about, and that is 
marketing, particularly when the marketing is using your 
health-related information for nonhealth purposes. Nobody wants 
to receive an unsolicited advertisement or offer that discloses 
your public health condition or your health condition when you 
did not consent to that or were not aware that that was going 
to occur. So we began to look at ways of strengthening the 
marketing rule and we did that.
    We also had concerns raised about the role and the rights 
of minors vis-a-vis their parents in terms of access to 
information. In that area what we did there is that we made 
very clear that the Federal law defers to what the State law 
is. So whatever the State law is in this area, we defer to 
that. If there is no law in that regard or if the law is 
unclear, we defer to the practice of that State that looks to 
the health professional in exercising his or her discretion and 
access. But we also made sure, just as most States, to provide 
that, in cases of emergencies, physicians and providers can 
provide information on a minor in the case of an emergency and 
we wanted to reflect that.
    So we tried to approach all of these issues. Research was 
another area where there were comments that came in and in that 
area we saw that we did not have all the answers. So what we 
have done is we have made an approach to how to address the 
issue of research so that we do not impede research going 
forward but, at the same time, finding out how do we get the 
information that is needed for the research to go forward, but 
also protecting the privacy rights of the individual so that 
they are not identified and their information is not disclosed.
    Senator Enzi. I certainly appreciate the thorough job that 
you are doing on it, particularly on revisiting things that you 
revised before it all becomes final. It is a breath of fresh 
air and will help take care of some of the people in our State. 
Your explanations today have been clear enough that people will 
understand this conflict between privacy and getting care and I 
know in all those cases they would opt for the care. Thank you.
    Mr. Allen. Thank you, Senator.
    The Chairman. Senator Gregg.
    Senator Gregg. Mr. Chairman, thank you.
    Mr. Allen, I unfortunately had to depart for a while, but I 
did have a chance at my other meeting to listen to you and I 
thought your presentation was excellent.
    Going back to this consent issue, I just wanted to talk 
about the unintended consequences of this mandatory consent 
language. It seems to me that I can think of three instances 
which would create really inappropriate events as a result of 
mandatory consent. One would be my situation, where if I went 
to a doctor, the only time I would ever go to a doctor is if I 
really had to go to the doctor. I cannot think of anything 
worse than sitting, other than maybe going to BWI and waiting 
to get through security. But when I walk into that doctor's 
office I have one thing on my mind and that is getting better. 
And the odds are he could put anything in front of me if it's 
reasonable. He could even ask that I sign off that the Red Sox 
would never win the World Series ever and I would probably sign 
it.
    I think that therefore the relevance of a mandatory consent 
is probably limited because your reason for going to a doctor 
is not to sign a form; but to get better.
    Second, I am concerned about the position it puts the 
doctor in. You have alluded to this, but it seems to me that 
there are certain laws that say a doctor must treat you, 
starting with his Hippocratic Oath, but also specific Federal 
laws in the area of emergency care, for example, and State 
laws. The doctors could find themselves in the untenable 
position of having a patient come in who may be one of these 
Wyoming types, you know, independent, who just refused to sign 
anything. The patient needs to be treated, and the doctor 
treats because they are a good doctor and they have to treat 
under the law if it is an emergency and they have to treat 
under their oath if it is not. What then does the doctor do? 
What does the doctor do with the information? He may not even 
be able to send the patients' information to a lab.
    Mr. Allen. That is right.
    Senator Gregg. And physicians certainly have opened 
themselves up to all sorts of liability in these situations.
    So this mandatory consent creates the unintended 
consequence of putting the doctor in an improbable and 
inappropriate position.
    And third, I am concerned that it may create an atmosphere 
where people could use the mandatory consent to harm the 
patient's rights. I mean, mandatory consent could end up with 
language in it, although there are limitations on this, but it 
could end up with language in it which contractually would 
significantly proscribe what a patient's rights are and what 
they are permitted to do. And, as I said, if you are going in 
to get care, you are going to sign that consent unless it is 
truly outrageous on its face, or unless you happen to be an 
attorney.
    So I see those three instances as examples of why mandatory 
consent probably makes no sense and why your approach is much 
more logical to this effort. But we do have the anomaly, I 
think, of the American Medical Association having been the ones 
who, I think, forced the Clinton Administration to back off 
from its original proposal, which was no mandatory consent, 
which was probably a more logical position.
    So I'm wondering if it would be appropriate for this 
committee to pass a regulation or rule or law, if the Chairman 
brings this forward, that says that if you are a member of the 
American Medical Association, then you shall be subjected to 
mandatory consent. Is that reasonable?
    Mr. Allen. I would say for those individuals who are 
members of the American Medical Association who might otherwise 
have commented or maybe members of other associations that 
support the notice provisions that we have, if we could exclude 
them you might want to find those members who would solely want 
to----
    Senator Gregg. My question was fairly rhetorical.
    Mr. Allen. Mine was, as well, my comment.
    I think the issue there, Senator, if I may, in all 
seriousness, I think the issue there is I believe that with 
proper education, understanding of the rule and the way the 
rule works and brings an appropriate levity to the issue of 
privacy, but also the significant importance of access to care, 
I think that we can work with the American Medical Association 
and other organizations by educating them on how this rule 
ultimately will work to the benefit of the patient in both 
areas and making sure that they have the ability to have the 
prior consent, prior notification, prior authorization for use 
of their information when it is not related to treatment, 
payment or operations but, at the same time, to not be 
precluded from getting that care when it does relate to those 
areas.
    So I think in all seriousness I think we have an 
opportunity to educate, as well.
    Senator Gregg. I appreciate your presentation. I think it 
was a very effective representation of the administration's 
position. Thank you.
    Mr. Allen. Thank you, Senator.
    The Chairman. Thank you very much.
    [The prepared statement of Claude Allen follows:]

                 Prepared Statement of Claude A. Allen

    Chairman Kennedy, Senator Gregg, distinguished Members of the 
Committee, it's a pleasure to be with you. I welcome the opportunity of 
appearing before you to talk about what we're doing at the Department 
of Health and Human Services to fulfill President Bush's goals of 
protecting both vital health care services and the confidence of every 
American to know that his or her personal medical records will remain 
private. Today, I'm going to discuss the Standards for Privacy of 
Individually Identifiable Health Information (the Privacy Rule) and the 
proposed modifications to those standards that the Department published 
in the Federal Register for public comment on March 27, 2002.
    President Bush, Secretary Thompson and I believe strongly in the 
need for workable and effective federal protections to ensure patients' 
privacy. Americans have become increasingly concerned about the privacy 
of their health care information. Fear of misuse or abuse of sensitive 
medical information has deterred some patients from fully utilizing the 
necessary health care services available to them. When the Privacy Rule 
is fully implemented, we will have successfully completed our goal of 
giving American patients what they want: confidence that the privacy of 
their medical records will be protected and that our providers and 
health system will be able to deliver them the most advanced, and 
efficient quality care available. Because of the Privacy Rule, all 
Americans will, for the first time:
     Have the right up front the first time they see a doctor 
or health care provider or enroll in a health plan to be notified of 
their privacy rights and how their information may be used or disclosed 
by the provider or the plan, so they may understand and discuss 
concerns with these providers and plans and get care that is consistent 
with their own personal preferences;
     Have the right to access their own medical record and to 
have their record corrected, if it contains incorrect or incomplete 
information; and
     Have control over most non-routine uses or disclosures of 
their information, including requiring written permission before their 
information is shared with employers for employment decisions, shared 
with life, disability or other insurers, or used for marketing.
    In April 2001, President Bush acted boldly to put into place these 
strong patient privacy protections. With laws already in effect to 
protect personal information contained in bank, credit card, and other 
financial records, and to require notification of Americans about how 
their electronic data are used for providing these financial services, 
the American public should not be made to wait any longer for 
protection of the most personal of all information--their health 
records. At the same time, legitimate concerns were raised about 
whether parts of the Privacy Rule would compromise patients' access to 
care or the quality of that care. To address these concerns, the 
President directed Secretary Thompson to recommend appropriate 
modifications to the Rule that would identify and correct any 
unanticipated consequences that might harm patients' access to care or 
the quality of that care while still protecting patient 
confidentiality.
    The notice of proposed rulemaking published on March 27, 2002 
represents the results of the Department's review of thousands of 
public comments, recommendations from public hearings on the Privacy 
Rule, as well as the letters and input from a broad and diverse group 
of lawmakers, interest groups, health care leaders, and individual 
citizens regarding the Rule. The changes that we have proposed will 
allow us to ensure strong protections for personal medical information 
without negatively affecting access to care. These recommendations were 
decided upon only after seriously examining the feasibility of all 
possible options. They are common-sense revisions that are intended to 
eliminate serious obstacles to patients getting needed care while, for 
the first time, providing federal privacy protections for patients' 
medical records.
    I would like to review briefly the major areas of the Privacy Rule 
where changes are being proposed and explain the Department's reasons 
for proposing these actions. At the end, I will be happy to answer any 
questions from the Committee Members on these or any other of the 
proposed changes.
Consent and Notice
    First, the Department has proposed a workable solution to the 
consent and notice provision that achieves strong privacy protections 
and ensures access to care. The original regulatory proposal published 
in November 1999, prohibiting a covered health care provider from 
obtaining consent for uses and disclosures for treatment, payment and 
health care operations, lacked a workable process to engage the patient 
to consider the providers' privacy practices, an essential part of 
adequately protecting privacy. The final regulation published in 
December 2000, mandating consent for these routine uses and disclosures 
created barriers to timely access to care.
    The Department's proposal is two-fold: it would enhance the 
obligation that covered entities give notice of their privacy practices 
to their patients, by requiring a good faith effort to get patients to 
acknowledge, in writing, receipt of the notice of privacy practices, 
and it would allow providers to obtain consent for these routine uses. 
This change means only that under the Privacy Rule, patients are no 
longer required to provide consent for their doctors, hospitals, and 
other direct treatment providers to use and disclose information for 
those core activities that are essential elements of providing health 
care. Patient authorization is still required for most other purposes, 
such as marketing and disclosures to employers for employment purposes. 
Patients also would continue to have the right to request restrictions 
on uses and disclosures of their health information and would be able 
to enter into agreements with providers and health plans to further 
protect the privacy of their health information or to further limit the 
use of that information.
    We believe this approach provides new, meaningful patient privacy 
protection without impeding the delivery of high-quality care that 
patients need. The President and Secretary Thompson are dedicated to 
improving the delivery of quality care to patients, and the December 
2000 privacy rule posed serious problems for patient access to care. 
Indeed, the comments received in March 2001 revealed a multitude of 
unintended consequences threatening patient safety and quality care. We 
also heard from many of you on this committee, Mr. Chairman, and other 
Members of Congress, all asking that we address these unintended 
consequences. Most importantly, we heard from health professionals that 
the proposed regulations would have serious consequences for the 
quality of patient care.
    I believe it was widely recognized that the consent requirements 
interfered with patients getting prescriptions filled in a timely 
manner; the ability of hospitals, specialists, or other practitioners 
to act timely to start care for patients referred from other providers; 
the ability to provide treatment over the telephone; and emergency 
medical providers.
    Potentially, the Department would have to repeatedly modify the 
privacy rule as each new barrier was identified. As many of you may 
recall, HIPAA allows modifications to the privacy rule standards only 
once yearly, thus the Department would be in the untenable position of 
knowing of serious problems that threatened patient care, but being 
unable under the law to correct these threats to patient care on a 
timely basis.
    Ultimately, we tried to put ourselves in the shoes of the patient 
and do what made the most sense from his or her perspective. And, we 
believe that the patient most values unimpeded access to quality care, 
generally limiting the use of his or her information to what is 
necessary to provide quality care, fair notice of how his or her 
information will be used, and more control over where other than to his 
health care providers and health plans his information goes.
    Indeed, requiring individual written consent for the routine uses 
necessary to provide care gives the patient little actual control over 
that information. When coupled with the provider's ability--and even 
necessity--to condition treatment on the signing of a general consent 
form, the patient is forced to choose between signing the consent form 
and not receiving care. In the end, we determined that the risk of 
compromising patient care and safety outweighed any benefit of a 
mandatory consent process. We believe the backbone of patient privacy 
rights is preserved and strengthened and the spirit and intent of the 
mandatory consent is fulfilled by the written notice requirement. 
During each patient's first meeting with a provider, they will receive 
a notice of their privacy rights, as well as the providers' privacy 
policies, and how their information will be used. This notice 
requirement creates for the first time, a formalized process where the 
patient will pause and reflect on the value of the privacy of their 
medical records and be able to discuss any concerns that they have with 
the provider.
Health Care Communications and Practices
    Second, the proposal ensures the strong protections for all forms 
of health information, including oral communications. Plans and 
providers will be obligated to make reasonable efforts to limit the use 
and disclosure of protected health information to the appropriate 
minimum necessary to accomplish the intended purpose. We have, however, 
made clear that a doctor could discuss a patient's treatment with other 
doctors and health care professionals without fear of violating the 
rule if they are overheard if reasonable safeguards are in place. As 
long as a covered entity met the minimum necessary standards and made 
an effort to protect personal health information, incidental 
disclosures--such as another patient overhearing a fragment of 
conversation--would not be an impermissible disclosure. This proposed 
change does not in any way permit gossiping or other careless use of 
patient information.
Research
    Third, the proposals would simplify the research provisions, 
removing many of the burdens on research and covered entities alike, 
thereby continuing to promote the highest quality of care that 
Americans have come to expect and have a right to demand and so that 
the nation's world-renowned medical research can continue at a vigorous 
pace, but with renewed confidence in patients that their personal 
medical information will be protected. The proposal would make it 
easier for patients who participate in research to understand all 
dimensions of the study, including privacy dimensions, through the use 
of a single combined form, instead of having multiple consent forms--
one for informed consent to the research and one or more related to 
information privacy rights. It streamlines requirements for obtaining a 
waiver of individual permission to access records for research 
purposes, so as to more closely follow the requirements of the ``Common 
Rule,'' which governs federally funded research. These simplified 
provisions would, nonetheless, continue to include privacy-specific 
criteria and would apply equally to publicly- and privately-funded 
research.
    The Department is also seeking comment on the feasibility of making 
health information that does not directly identify the patient more 
readily available for research and limited other purposes. For example, 
many researchers and others who study the quality or accessibility of 
care have indicated a need for information that does not facially 
identify the patient, but nonetheless contains certain identifiers such 
as zip code or dates of admission and discharge. Under the Privacy 
Rule, the information would not be ``de-identified.'' In environmental 
cancer studies, zip codes are often important for environmental health 
research. Duration of illness is important for infectious disease 
studies. Through the comment process, the Department is seeking a 
consensus as to how to construct a ``limited data set'' that could be 
disclosed for such purposes, and as to what type of information should 
continue to be excluded from the proposed ``limited data set'' because 
it would directly identify an individual. In addition, to further 
protect privacy, we propose to condition the disclosure of the limited 
data set on a covered entity's obtaining from the recipient a data use 
or similar agreement, in which the recipient would agree to limit the 
use of the data set for the purposes for which it was given, as well as 
not to re-identify the information or use it to contact any individual.
Parents and Minors
    Fourth, we have made limited changes to clarify that State law 
governs disclosures of a minor's health information to a parent or 
guardian. The rule and the proposed modification only address the 
rights related to a minor's medical records; neither has any impact on 
a minor's ability to obtain certain medical services under State law 
without parental consent. The intent of the current rule was never to 
override State laws that set standards for parental access to their 
children's medical records. In cases where State law is silent or 
unclear, the revisions would preserve physician flexibility and 
standards of professional practice by permitting a health care provider 
to use the discretion afforded by the State or other law to provide or 
deny a parent access to such records. Just as State law now determines 
when a minor may be treated without parental consent, so too would the 
revisions effectively defer to State law on access to and control of 
the minor's information that results from such treatment.
Marketing
    Fifth, the proposal explicitly prohibits using or disclosing a 
patient's information for any marketing purposes without the 
individual's express authorization. At the same time, the proposal 
would ensure that doctors and other covered entities could continue to 
communicate freely with patients about treatment options and other 
health-related information, related to their treatment, including 
disease-management programs sponsored by the entity. The doctor may or 
may not receive remuneration. This proposal would strengthen the 
marketing provisions by requiring an individual to specifically 
authorize certain disclosures of health information that otherwise 
would be permitted without such authorization under the privacy rule. 
For example, a health plan would be prohibited from giving a 
pharmaceutical company its list of all enrollees for the company to 
send all patients information about their products without obtaining 
each individual's authorization even if that company is a business 
associate of the health plan. However, the proposal would continue to 
allow use of information for the health plan to send enrollees with 
diabetes information about a diabetes disease management program that 
may help them manage their illness. Patients want information about 
their treatment and treatment alternatives and the benefits and 
services offered by their plans and health care providers. Patients do 
not want their personal information used for unsolicited marketing 
pitches that have nothing to do with their care. This is the same 
common sense approach that governs all other revisions to the Rule: 
patients should have the right to get the best care possible, and to 
have their sensitive medical information protected while doing so. 
Other Provisions
    We have also proposed changes that would:
     Clarify and encourage public health reporting of adverse 
events and other post-marketing surveillance of FDA-regulated products 
or services;
     Provide model business associate contract provisions and 
allow up to one additional year for most covered entities to make their 
business associate contracts compliant with the Rule; and
     Permit the sharing of information among health care 
providers and health plans for each others' treatment, payment, and 
quality-related health care operations.
Conclusion
    I want to assure you that Secretary Thompson and I are committed to 
working with this Committee and Congress, and with experts and the 
public, to provide the strongest possible protections for medical 
information while preserving access to and quality of health care. We 
look forward to specific comments on the proposed modifications to the 
Privacy Rule and we remain open to additional ideas for strengthening 
privacy protections while encouraging high quality care. But it is past 
time to move forward. Privacy rules have been drafted for many years, 
and inaction prevents needed medical privacy protections from being put 
into place. The need to get strong privacy protections in place now is 
a commonly held goal that transcends partisan politics. We owe the 
American people a privacy rule that works to allow them to continue to 
get the high-quality care that they expect--they deserve no less. Thank 
you again for the opportunity to be here today. I appreciate your 
interest and commitment and I am happy to answer any questions.

    The Chairman. We have a panel now that we will hear from. 
Janlori Goldman devoted her career to privacy and civil 
liberties issues, founder and director of Health Policy 
Project, Georgetown University Institute of Health Care 
Research, also cofounded Center for Democracy and Technology, a 
civil liberties organization committed to preserving free 
speech and privacy on the Internet. Janlori has been a leader 
on the privacy regulations since day one and we look forward to 
the testimony.
    Sam Karp, chief information officer, California Health Care 
Foundation, coordinates the foundation's initiatives in health 
care privacy, worked on new business models, technology-based 
approaches for sharing health information. Mr. Karp is working 
to understand how providers are working to implement this 
regulation.
    John Clough currently is the chairman of the Division of 
Health Affairs, Cleveland Clinic Foundation. Previously the 
doctor served as chairman of the Department of Rheumatic and 
Immunologic Disease and we are pleased to get his input on this 
important issue. Senator DeWine will be here just momentarily 
to give us an additional introduction.
    Dr. Richard Harding, president of the American Psychiatric 
Association. Serves on the Subcommittee on Privacy, 
Confidentiality and the National Committee on Vital Health 
Statistics in the Department of Health and Human Services and 
he will be sharing his thoughts on the impact of privacy on 
health care providers.
    Mr. Karp.

 STATEMENT OF SAM KARP, CHIEF INFORMATION OFFICER, CALIFORNIA 
                     HEALTHCARE FOUNDATION

    Mr. Karp. Good morning, Mr. Chairman, Senator Gregg and 
Members of the committee. My name is Sam Karp. I am the chief 
information officer of the California Healthcare Foundation. 
The foundation is an independent philanthropy committed to 
improving California's health care delivery and financing 
systems. Thank you for the opportunity to testify today on an 
issue we believe is fundamental to improving the quality of 
health care.
    Over the past 5 years, the California Healthcare Foundation 
has supported a range of activities to heighten awareness and 
understanding of the need to establish strong rules to 
safeguard the confidentiality and security of personal health 
information both on and off-line.
    In December of last year the foundation commissioned an 
independent survey of health care organizations operating in 
California to see how implementation efforts are proceeding 
under the HIPAA privacy rule. The survey was intended to 
distinguish between the real and perceived barriers to 
compliance and to use the results to inform policy-makers and 
the general public debate. While I have submitted written 
testimony that details the survey findings, I would like to 
highlight two of the key findings here this morning.
    First a few words about the survey. The survey was 
conducted for the foundation by the National Committee for 
Quality Assurance, NCQA, and the Georgetown University Health 
Privacy Project. It was fielded in January and February of this 
year just prior to the March 27 proposed rule modifications 
issued by HHS. The survey represents the views of 100 health 
care organizations that do business in California, including 29 
hospitals, 19 physician organizations, 26 health plans, and 26 
other organizations, including disease management, behavioral 
health organizations, medical management groups, clearinghouses 
and large research organizations. The organizations that took 
part in the survey are fairly representative of entities 
covered by the privacy rule and some of the organizations 
operate in States other than California.
    With respect to implementation progress, if you refer to 
Table 1 in my testimony or the chart to your right, you will 
see the progress being made in implementing the privacy rule in 
California. Ten months into the 2-year compliance period, when 
asked about specific actions taken toward implementation, 81 
percent of the respondents reported having developed a 
strategic plan. Sixty-seven percent indicated they have already 
conducted a gap analysis. Fifty-two percent have developed a 
readiness initiative and 12 percent of the respondents reported 
already completing their readiness activities.
    As the chart indicates, hospitals report having made the 
most progress to date, with 96 percent having developed 
strategic plans, 75 percent having conducted gap analyses, and 
67 percent developing readiness initiatives. Physician groups 
report having made the least progress.
    Also with respect to implementation progress, 77 percent of 
the respondents to the survey indicated that they had 
designated a privacy official, as defined by the rule. Eighty-
seven percent of those that had designated a privacy official 
also report they had identified the human resources within 
their organizations needed to prepare for HIPAA compliance.
    Now let me turn for a moment to the consent requirement. If 
you will refer to Figure 1 in the testimony, which is also in 
the chart on your right, this chart indicates that a majority 
of respondents, 51 percent, report that the consent 
requirements are somewhat workable. Another 29 percent reported 
that they were either workable or very workable, while 20 
percent reported that they were less than workable or not 
workable at all. Hospitals and physician groups, those 
organizations directly affected by the consent requirements, 
were more likely than their counterparts to report that the 
requirements were somewhat to very workable, 90 percent and 79 
percent respectively.
    If you refer now to Figure 3, also on the chart to your 
right, the survey found that those respondents that report 
having developed a strategic plan, conducted a gap assessment 
or completed their readiness initiative--in other words, those 
organizations that were further along in their compliance 
effort--were also more likely than their counterparts to report 
that the consent requirements were workable.
    There were a variety of open-ended comments about the 
consent requirements. Let me just mention a couple. Although 
the final rule required consent to be obtained only one time, 
many respondents expressed confusion and concern about their 
ability to track revocations and limitations of consent. There 
was also concern as a result that some covered entities would 
require patients to sign a consent form every time they sought 
treatment and that patients would be overwhelmed and confused 
as a result.
    There was also confusion expressed about whether one 
covered entity could share quality assessment information with 
another covered entity, but HHS provided modifications that 
have now made that clear, that as long as those two entities 
have an individual relationship with the patient, they can 
share that information.
    There are two take-aways from this survey. First, there is 
still considerable work to be done, as we have heard this 
morning, to address areas of confusion, misinterpretation, and 
to make the rules generally more workable. On the other hand, 
the survey provides clear evidence, some 14 months before the 
compliance date, that progress is being made in implementation. 
In fact, those organizations that I mentioned a moment ago that 
are further along in their compliance efforts are finding the 
rules more workable.
    The Chairman. I will give you another minute or two.
    Mr. Karp. So to remove a key provision of the rule at this 
time does not seem justified.
    Again, thank you for this opportunity to testify today. I 
am happy to answer any questions you may have.
    The Chairman. Enormously interesting study.
    [The prepared statement of Mr. Sam Karp follows:]
       Prepared Statement of Sam Karp, Chief Information Officer
    Good morning. Mr. Chairman, Senator Gregg, and members of the 
committee, my name is Sam Karp. I am the Chief Information Officer of 
the California HealthCare Foundation. The Foundation is an independent 
philanthropy, committed to improving California's health care delivery 
and financing systems. Thank you for the opportunity to testify today 
on an issue we believe is fundamental to improving the quality of 
health care.
    Over the past 5 years the Foundation has supported a range of 
activities--from research studies, surveys, educational publications, 
guides, workshops and conferences--to heighten awareness and 
understanding of the need to establish strong safeguards to protect the 
confidentiality and security of personal health information, both on- 
and offline. Our work is motivated by the belief that unless patients, 
and consumers generally, have confidence that the confidentiality of 
their health information is guaranteed, progress being made to develop 
better information systems to improve care and monitor and assess the 
quality of care will be thwarted. [The Foundation's work on health 
privacy can be found on our Web site at www.chcf.org.]
    California HIPAA Privacy Implementation Survey
    In December 2001, the Foundation commissioned the National 
Committee for Quality Assurance (NCQA) and the Georgetown University 
Health Privacy Project to survey health care organizations operating in 
California to see how implementation efforts are proceeding under the 
HIPAA Privacy Rule. The survey was intended to distinguish between the 
real and perceived barriers to compliance and to use the results of the 
survey to inform policymakers and the public debate.
    The survey represents the views of 100 health care organizations 
that do business in California, including 29 hospitals, 19 physician 
groups, 26 health plans, and 26 other organizations, such as disease 
management organizations, clearinghouses, medical management groups, 
behavior health care organizations and researchers. The organizations 
that took part in this survey are fairly representative of entities 
potentially affected by the Privacy Rule. Some of the organizations 
surveyed also operate in states other than California.
    The survey was conducted in January and February 2002, prior to the 
March 27, 2002 release by Department of Health and Human Service (HHS) 
of the proposed rule modifications (NPRM).
    When reviewing the findings of the survey it is important to note 
that the State of California has a history of strong patient 
confidentiality laws. Health care organizations operating in California 
generally have more experience operationalizing privacy protections 
than most of the rest of the nation.
    The Survey Findings
    The survey identified the following key findings:
    1. Planning is proceeding; implementation progress varies.
    2. The consent requirements are somewhat workable.
    3. Minimum necessary requirements are somewhat workable.
    4. Information needed for quality assessment thought to be limited 
by the consent and minimum necessary requirements.
    5. The business associate requirements are viewed as burdensome.
    6. Resources are needed to assist preemption analysis.
    7. Compliance efforts are not fully funded.
    8. There is a general need for clarifications and/or modifications.
1. Planning Is Proceeding; Implementation Progress Varies
    Ten months into a 2-year compliance period, when asked about 
specific actions taken toward implementation, 81 percent of respondents 
have developed a strategic plan, 67 percent indicated they have 
conducted a gap assessment, and 52 percent have started to develop and 
implement readiness initiatives. Twelve percent of respondents reported 
completion of their readiness initiatives. Hospitals report having made 
the most progress to date, with Physician Groups having made the least 
progress. (See Table 1.) Payors with a Medicaid product were less 
likely than Payors with commercial products to have developed a 
strategic plan (64 percent to 92 percent), conducted a gap assessment 
(50 percent to 92 percent), or developed a readiness initiative (29 
percent to 67 percent).
    Seventy-seven percent of respondents indicated they had designated 
a Privacy Official, as defined by HIPAA. Eighty-seven percent of those 
that had designated a Privacy Official also report they had identified 
the human resources within their organization needed to prepare for 
HIPAA compliance. Again, Payors with a Medicaid product were less 
likely (50 percent to 92 percent) than Payors with commercial products 
to have designated a Privacy Official and also less likely (63 percent 
to 91 percent) to have identified the human resources needed to prepare 
for HIPAA.
    Organizational challenges frequently identified by respondents 
included implementation, staff education, cost, time, and information 
technology.
2. The Consent Requirements Are Somewhat Workable
    Overall, 51 percent of total respondents felt that the consent 
requirements were somewhat workable. Twenty-nine percent felt they were 
either workable (19 percent) or very workable (10 percent), while 20 
percent felt they were less than workable (13 percent) or not workable 
at all (7 percent). (See Figure 1.)
    Hospitals, Others and Physician Groups were more likely to feel the 
consent requirements were somewhat to very workable (90 percent, 81 
percent, and 79 percent respectively) than Payors (68 percent). 
Respondents who had developed/completed a readiness initiative, 
developed a strategic plan or conducted a gap assessment were more 
likely than their counterparts to feel that the consent requirements 
were workable.
    Forty-six percent of survey respondents believe that the Privacy 
Rule will be useful in assuring patient confidentiality rights and 
achieving consistent national standards for confidentiality; however, 
47 percent of respondents expressed concern about the paperwork burden.
    Although the final rule required consent to be obtained only one 
time, many respondents expressed confusion or concern about the 
practicability of tracking revocations and limitations on consent. 
There was concern that as a result, some covered entities would require 
patients to sign a consent form every time they sought treatment and 
that patients would be overwhelmed and confused as a result.
    Many respondents expressed concern that the burden of implementing 
consent would take time and money away from patient care. Respondents 
also expressed concern that covered entities would err on the side of 
caution and refuse to release information for fear of violating HIPAA.
    All respondents were asked to indicate what they deemed useful 
about the consent requirements, and what areas of the consent 
requirements caused them concern. Regarding aspects of the consent 
requirements that were useful:
     30 percent said that the requirements were useful in 
assuring patient rights.
     16 percent felt the requirements would provide national 
standards and increase consistency among providers.
     16 percent said that there was nothing useful about the 
requirements.
    Regarding areas of concern related to the consent requirements:
     19 percent of respondents cited continuity of care.
     14 percent cited confusion about consent among patients, 
employees, and physicians.
     9 percent cited cost.
    Payors were more likely to cite confusion about consent as an area 
of concern.
    Respondents were asked whether available tools and technologies 
could be used to implement four areas: 1) initial consent, 2) 
revocations of consent, 3) limitations on consent, and 4) accounting of 
disclosures. Implementing initial consent was thought to be the easiest 
and tracking limitations to consent the most difficult. It should be 
noted that between 17 and 25 percent of respondents did not know how to 
respond and were excluded from the results.
    Physician Groups were more likely than Hospitals, Payors, and 
Others to feel that available technologies could not be used for 
tracking initial consent. Of those who did know, 53 percent of 
respondents felt that initial consent could definitely be tracked.
    For revocations of consent, more than a quarter (28 percent) of 
respondents felt that they could not be tracked with available tools 
and technologies. Forty-five percent thought they could be tracked with 
available tools and technologies.
    Overall 37 percent of respondents thought that limitations on 
consent could be tracked, while 35 percent of respondents thought they 
could not be tracked with existing tools. Only 30 percent of Hospitals 
and 32 percent of Payors felt that limitations on consent could be 
tracked with existing tools.
    Twenty-nine percent of respondents thought that accounting of 
disclosure could not be tracked with existing tools, while 43 percent 
thought that they could be tracked. Physician Groups (33 percent) and 
Payors (33 percent) were more likely to say that they could not be 
tracked.
3. Minimum Necessary Requirements Are Somewhat Workable
    Overall, 58 percent of respondents felt that the minimum necessary 
requirements are somewhat workable. Twenty-three percent felt they were 
workable (18 percent) or very workable (5 percent), while 19 percent 
felt they were either less than workable (15 percent) or not workable 
at all (4 percent). Physician Groups were slightly more likely to see 
the minimum necessary requirements as workable, with Payors and Others 
slightly less likely to see them as workable. As with the consent 
requirements, respondents who had developed a readiness initiative or 
strategic plan or had conducted a gap assessment were more likely than 
their counterparts to feel that the minimum necessary requirements were 
workable.
4. Information Needed For Quality Assessment Thought To Be Limited By 
        The Consent And Minimum-Necessary Requirements
    When asked if they thought the consent requirements would enhance 
or limit the flow of information needed to assess health care quality, 
58 percent of respondents thought that the consent requirements would 
somewhat limit (51 percent) or greatly limit (7 percent) the flow of 
information needed to assess quality of care. Thirty-two percent of 
respondents felt the consent requirements would have no effect on the 
flow of information, while 10 percent felt the consent 
requirements would enhance (9 percent) or greatly enhance (1 percent) 
the flow of information. Sixty-five percent of Hospitals and 65 percent 
of Others felt that the consent requirements would somewhat or greatly 
limit the flow of information, while 42 percent of Physician Groups and 
44 percent of Payors felt that the consent requirements would have no 
effect on the flow of information.
    Those respondents that felt the consent requirements would somewhat 
or greatly impact the flow of information needed to assess health care 
quality were asked to indicate in what way the consent requirements 
would impact assessment of health care quality. There were 60 open-
ended responses to this question:
     30 percent of respondents answering the questions felt 
that there would be process complications or additional burden 
associated with paperwork.
     17 percent felt there would be confusion over 
requirements; 15 percent felt patient factors, such as revoking 
consent, would limit the flow of information and interrupt the 
continuity of care.
     6 percent felt that there would be inadequate transfer/
flow of information needed for patient assessment.
    Inadequate time was a common theme in the responses. Hospitals were 
more likely to cite process complications, paperwork burden, and 
patient factors as limiting the flow of information, while Payors 
tended to cite confusion over requirements as limiting the flow of 
information.
    With respect to the minimum necessary requirements, the findings 
were less clear. While 45 percent of respondents thought this 
requirement would greatly limit or somewhat limit the flow of 
information needed to assess the quality of health care, another 45 
percent thought that the minimum necessary requirements would have no 
impact. Ten percent of respondents thought the requirements would 
somewhat enhance (9 percent) or greatly enhance (1 percent) the flow of 
information.
    Physicians and Payors expressed similar concerns that the minimum 
necessary requirement would negatively affect the flow of information 
for payment, delivery, and assessment of care. It appears that the 
belief that quality would be affected is related to the fact that the 
consent requirements in the final rule would not permit providers to 
share Personal Health Information (PHI) with health plans for the 
plans' quality assurance activities.
    There was generally a lack of clarity about the permissibility of 
disclosures for quality assessment purposes. Respondents did not seem 
to understand the permitted uses and limitations of PHI within and 
between covered entities.
5. The Business Associate Requirements Are Viewed As Burdensome
    The time and cost associated with contracting with business 
associates was a significant issue for respondents. Seventy-two percent 
felt there would be a substantial to large time burden to implement the 
business associate requirements; more than half of respondents said the 
cost of implementing these requirements was substantial to large.
    When asked if they believe that the regulations clearly define who 
constitutes a business associate, 65 percent of all respondents thought 
the regulations were clear. While 81 percent of Physician Groups 
thought the regulations were clear, only 50 percent of Payors agreed. 
While most respondents likely have existing contractual relations, the 
initial burden of recontracting is believed to be high. There is also 
disagreement and lack of understanding about the level of oversight and 
due diligence required by covered entities over their business 
associates.
6. Resources Are Needed To Assist Preemption Analysis
    Fourteen percent of respondents did not know whether they had 
conducted any preemption analysis. Of those who did know, more than 
half have not identified the laws in the states in which they do 
business that either are or are not preempted by HIPAA. When asked how 
they were planning to identify and track these laws, most respondents 
indicated that they hoped outside sources would develop and track 
preemption issues or that they were expending significant resources 
hiring outside legal assistance. Assistance provided by HHS with regard 
to preemption analyses would ease the burden on covered entities.
7. Compliance Efforts Are Not Fully Funded
    With respect to funding, only 21 percent of respondents said that 
their compliance efforts were fully funded. More than half of 
respondents indicated that their HIPAA compliance efforts were only 
partially funded or not funded at all. When asked whether they think 
the anticipated costs of complying with the Privacy Rule will 
eventually be offset by savings expected from implementing other 
components of HIPAA (e.g., the Transaction and Code Set regulations), 
31 percent to 32 percent of respondents said they did not know. Of 
those that said they did know, 48 percent expect no savings, 22 percent 
expect some savings but not within the next 5 years, and 26 percent 
expect some savings within 3 to 5 years.
    While 51 percent of respondents reported a lack of funding, it is 
also important to keep in mind that many respondents have not developed 
a strategy or conducted a gap analysis of their organizations and this 
may have an impact on their knowledge of the funding requirements. The 
survey results also indicated there is a great deal of money being 
spent on redundant legal and outside consultant analysis of the 
regulations and compliance efforts.
8. There Is A General Need for Modifications And/Or Clarifications
    Seventy-eight percent of respondents felt that HHS needed to 
provide clarifications or make modifications to the final Privacy Rule. 
Many responders requested clarifications with respect to consent, 
minimum necessary, the definition and rules concerning business 
associates, the rules concerning communications, marketing and funding, 
and preemption. Others wanted clarification around research rules and 
how the regulations apply to disease management organizations.
Conclusion
    The clear message from this survey is that there is a lot of work 
still to be done to address areas of confusion, misinterpretation and 
to make the rules generally more workable.
    1. If you are a supporter of the Privacy Rule, the survey suggests 
it cannot be fully or successfully implemented, without clarifications 
and possible modifications.
    2. On the other hand, there is substantial evidence that progress 
is being made in implementation, so that removing key provisions of the 
rule does not seem justified.
    Today, nearly 20 percent of Americans practice some form of 
privacy-protective behavior that puts their own health at risk or 
creates financial hardships. These behaviors include: paying out-of-
pocket when insured to avoid disclosure; not seeking care to avoid 
disclosure to an employer; giving inaccurate or incomplete information 
on a medical history; asking a doctor to not write down the health 
problem or to record a less serious or embarrassing condition; or, 
simply not seeking care at all.
    It is in everyone's best interest to see that these rules are 
implemented.
    Again, thank you for this opportunity to testify today. I am happy 
to answer any questions you may have.

    The Chairman. I see my friend Senator DeWine here and I 
know that he wanted to----

 OPENING STATEMENT OF HON. MIKE DeWINE, U.S. SENATOR FROM THE 
                         STATE OF OHIO

    Senator DeWine. Thank you, Mr. Chairman. I am just 
delighted to welcome Dr. John Clough, who is from the Cleveland 
Clinic Foundation in my home State of Ohio. Doctor, we welcome 
you here and we look forward to your testimony.
    He will shed some light, Mr. Chairman, on really the 
complexities involved with the implementation of these rules 
and the burdens that could fall on health care institutions. He 
has been with the Cleveland Clinic for a total of nearly 35 
years and is currently chairman of the Division of Health 
Affairs at the Cleveland Clinic. In this capacity the doctor 
oversees the Departments of Government Affairs, Community 
Relations, and the Ambassador's Program.
    Last month he testified on the House side regarding the 
issue of medical privacy rights and has spent considerable time 
studying the impact of the proposed rules.
    Dr. Clough, we welcome you to the committee. We thank you 
very much for being here and look forward to your testimony.
    Thank you, Mr. Chairman.
    The Chairman. Thank you very much.
    Ms. Goldman.

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRIVACY PROJECT, 
                     GEORGETOWN UNIVERSITY

    Ms. Goldman. Thank you. Thank you, Mr. Chairman and Senator 
DeWine for inviting me to testify and thank you also for 
holding this oversight hearing and for your commitment to 
privacy.
    The mission of the Health Privacy Project is also to 
broaden access to care and to ensure that people get the 
quality of care that they need, but we know that people are 
afraid. People are afraid to go to the doctor. They are afraid 
to be honest with their doctor. They are afraid to fully share 
with their doctor because of what could happen to them, and 
their fears are real. We hear stories every day and we collect 
these stories about how people are hurt in the workplace; their 
benefits are denied. We know that, for instance, 40 percent of 
all people diagnosed with multiple sclerosis are afraid to tell 
colleagues and friends because of what could happen to them. 
People are afraid to get genetic tests. The number one barrier 
to people getting genetic testing and counseling is fear that 
their privacy will be violated.
    So in response to these concerns, the administration issued 
this landmark regulation in December of 2000, the privacy 
regulation, and the Bush Administration did allow it to go into 
effect. We realize that it has limits and weaknesses, but the 
truth is it is the most comprehensive privacy law that we have 
at the Federal level.
    My testimony is extensive. I want to keep it brief in my 
oral statement and I want to focus on two of the proposed 
modifications that the administration has made--in the area of 
consent and the area of marketing. And when I talk about 
marketing I am also going to mention an FDA provision.
    Signing onto our recommendations here, the National 
Multiple Sclerosis Society has also endorsed our position, our 
recommendation on consent, as has the Epilepsy Foundation, the 
National Association of Social Workers Legal Action Center, and 
a list of other groups, which we have included in our 
testimony.
    Let me just focus on why notice is not the same as consent. 
The administration comes here today and says that asking 
someone to sign a notice--not requiring, but asking them to 
sign a notice is the same as consent. That is just not 
accurate. Asking someone to sign a consent form is a 
significant and meaningful moment in the process of getting 
care and the process of enrolling in a health plan. It is 
asking someone to give their permission. It is not mandating 
the consent. A doctor could decide to condition consent on 
giving certain benefits, but the regulation does not require 
that the consent be mandated.
    In terms of paperwork burden, we know today that many, many 
hospitals, the vast majority of hospitals, and this was 
included in the preamble to the final regulation, do require 
people to consent to have their information used for payment. 
Most doctors do, as well, and for treatment.
    State laws in this area are different from what the Federal 
regulation is requiring. In State laws there are specific 
consent provisions related to certain kinds of conditions 
people might have--maybe in the mental health area or 
communicable disease or abuse and neglect, alcoholism--where 
specific consent is authorized, is required. But in the areas 
of treatment and payment, they are much more narrow than what 
the administration is proposing today, much more limited. 
Treatment is defined much more narrowly and directly related to 
the treatment of the individual. Most doctors and hospitals 
will tell you they have an ethical duty to seek consent of 
their patients before treating them and before having their 
information provided for payment.
    Marketing? I am very bewildered and disturbed by the 
administration's testimony today on marketing. They have 
contended that they have strengthened the marketing provision. 
They have done exactly the opposite. They have expanded what is 
now considered to be marketing and now called it treatment. 
They have called it health-related communication. What used to 
be in this box called marketing, where people had an 
opportunity to opt out after getting a communication, where 
people were told that there was a financial conflict of 
interest, that is now gone from the administration's proposal.
    Any communication from anybody, not just a doctor, anybody, 
a pharmacy, that is health-related, no matter whether there is 
a financial conflict of interest, does not require an 
authorization, does not give an opt-out, does not require up-
front consent. That is very disturbing. A pharmacy can now sell 
your information under HHS's proposed modification to a drug 
company, to a travel agency, even to a tobacco advertiser under 
the FDA provision, and they would not have to get your consent 
and not have to give you notice. You have no control and there 
are no limits.
    I want to just focus for a moment on the cost issue. The 
cost issue comes up time and again, but the administration 
itself, in a recent report issued from the Office of Management 
and Budget, has shown that the privacy regulation, over the 
long term, will save $12 billion in our health care system when 
it is implemented along with the other regulations in HIPAA.
    So $12 billion of savings when privacy is implemented 
together with the other transaction regulations. How can we 
talk about then wanting to save an additional $100 by 
eliminating consent? It seems to me greedy and the wrong way to 
go.
    I want to just conclude by saying that President Bush 
campaigned on a number of pledges around medical privacy. He 
had very strong position statements during the campaign. And 
when he allowed the privacy regulation to go into effect last 
year he said he believed very strongly that medical privacy 
should be protected and people should not put themselves at 
risk when they get care. In fact, in a column in the New York 
Times shortly after President Bush allowed the regulation to go 
into effect, William Safire dubbed him ``the privacy 
President.''
    What we are concerned about today is that if HHS's proposed 
rollbacks become law, if the consent and marketing provisions 
are weakened and if they become law, then they will legalize 
the most disturbing and unnerving practices in the health care 
system today and the kinds of practices that made consumers 
angry and caused them to send in 35,000 comments asking the 
administration to include consent, asking them to limit some of 
the marketing activities. Now they will become legal.
    I urge not only the administration not to roll back these 
provisions, but I urge the Congress to act. I know that you 
have struggled with this for over a decade, but to act to 
create a statute that then is not susceptible to these 
political back-and-forths.
    I very much appreciate being here today and I will be 
available to answer any questions.
    [The prepared statement of Ms. Janlori Goldman follows:]
                 Prepared Statement of Janlori Goldman
    Committee Chairman Kennedy, Senator Gregg and Members of the 
Committee:
    On behalf of the Health Privacy Project, I am very appreciative for 
the invitation to testify before you today at this oversight hearing on 
medical privacy. The Project, which is part of the Institute for Health 
Care Research and Policy at Georgetown University, is dedicated to 
broadening access to health care, and improving the quality of care by 
ensuring that the privacy of people's medical information is protected 
in the health care arena. The Health Privacy Project also coordinates 
the Consumer Coalition for Health Privacy, comprised of over 100 major 
groups representing consumers, health care providers, and labor, 
disability rights, and disease groups. The Coalition's Steering 
Committee includes AARP, American Nurses Association, Bazelon Center for 
Mental Health Law, National Association of People with AIDS, Genetic 
Alliance, National Multiple Sclerosis Society, and National Partnership 
for Women & Families.
    The Health Privacy Project conducts research and analysis on a wide 
range of health privacy issues. Recent Project publications include: 
Best Principles for Health Privacy (1999), which reflects the common 
ground achieved by a working group of diverse health care stakeholders; 
The State of Health Privacy (1999), the only comprehensive compilation 
of State health privacy statutes, which we are currently in the process 
of updating; Implementing the Federal Health Privacy Regulation in 
California (2002); Privacy and Confidentiality in Health Research 
(2001), commissioned by the National Bioethics Advisory Commission; 
Report on the Privacy Policies and Practices of Health Web Sites 
(2000), which found that the privacy policies and practices of 19 out 
of 21 sites were inadequate and misleading; ``Virtually Exposed: 
Privacy and E-Health'' (2000), published in Health Affairs; and Exposed 
Online: Why the New Federal Health Privacy Regulation Doesn't Offer 
Much Protection to Internet Users (2001). All of our work is available 
to the public at our Web site, www.healthprivacy.org.
    The Health Privacy Project's mission is to foster greater public 
trust and confidence in the health care system, thereby enabling people 
to more fully participate in their own care and in research without 
putting themselves at risk for unwanted--and unwarranted--intrusions. 
It is wrong to force people to choose between seeking health care and 
safeguarding their jobs, benefits, and reputations. People should not 
have to worry when taking a genetic test for breast cancer, or filling 
a prescription for an anti-depressant, that this most sensitive health 
information will be used outside the core health care setting, but they 
do worry and with good reason.
    The new medical Privacy Rule,\1\ issued by the Department of Health 
and Human Services (the Department) in December 2000 and in effect 
since April 2001, is a landmark regulation, setting in place the first 
comprehensive Federal safeguards for people's medical records. With 
still a year to go before health care organizations must fully comply, 
the centerpieces of this new privacy law are in jeopardy. We appreciate 
the opportunity to share our concerns with this Committee about the 
Bush Administration's proposal to substantially weaken the medical 
Privacy Rule. We express particular concern about the Department's 
proposal to eliminate the patient consent requirement, and to severely 
weaken the limits on the marketing of people's medical records. Joining 
with us in opposition to these two proposed changes, are the following 
organizations:
---------------------------------------------------------------------------
    \1\ The Privacy Rule is contained in title 45 of the Code of 
Federal Regulations. All citations in this testimony are to the 
pertinent section of, or proposed amendment to, 45 C.F.R. unless 
otherwise noted.
---------------------------------------------------------------------------
     AIDS Action Council
     American Association for Geriatric Psychiatry
     American Counseling Association
     American Mental Health Counselors Association
     American Nurses Association
     American Psychoanalytic Association
     Bazelon Center for Mental Health Law
     Consumers Union
     CWA Local 1168 Nurses United
     Electronic Privacy Information Center
     Family Violence Prevention Fund
     Genetic Alliance
     Hadassah
     National Association of People With AIDS
     National Mental Health Association
     National Organization for Rare Disorders
     NYC Chapter, National Association of Social Workers
     Title II Community AIDS Action Network
     Westchester Progressive Forum
    We expect that many other organizations and individuals will voice 
their opposition to these proposals before the comment period closes.
    Our testimony today will summarize both our concerns with and 
support for the Department's proposed modifications to the Privacy 
Rule. Our statement also includes a brief history of the Privacy Rule, 
and the urgent need within the public and the health care system for 
strong, enforceable medical privacy safeguards. In addition, we correct 
the misperception that the long-term cost of implementing the Privacy 
Rule--along with its companion HIPAA standards--will outweigh the 
benefits. In fact, the Office of Management and Budget (OMB) released a 
report last month documenting that protecting privacy, when done hand-
in-hand with the related HIPAA rules, will actually result in 
substantial cost savings.
               i. urgent public need for medical privacy
    The lack of a national health privacy law has had a negative impact 
on health care, both on an individual as well as a community level. One 
out of every six people withdraws from full participation in their own 
care out of fear that their medical information will be used without 
their knowledge or permission, as documented by a 1999 survey conducted 
for the California HealthCare Foundation. (Available at www.chcf.org.) 
These privacy-protective behaviors include patients providing 
inaccurate or incomplete information to doctors, doctors inaccurately 
coding files or leaving certain things out of a patient's record, 
people paying out of pocket to avoid a claim being submitted, or in the 
worst cases, people avoiding care altogether.
    More specifically, a 1997 survey documenting people's fears about 
genetic discrimination showed that 63 percent of people would not take 
genetic tests if health insurers or employers could obtain the results. 
(Genetic Information and the Workplace, issued on January 20, 1998 by 
the U.S. Departments of Labor, Health and Human Services, and Justice, 
and the U.S. Equal Employment Opportunity Commission). And, a recent 
study involving genetic counselors documents that fear of 
discrimination is a significant factor affecting willingness to undergo 
testing and to seek reimbursement from health insurers. (Hall, Mark A. 
and Stephen S. Rich, Genetic Privacy Laws and Patients' Fear of 
Discrimination by Health Insurers: The View from Genetic Counselors, 28 
Journal of Law, Medicine & Ethics 245-57 (2000).)
    An April 2001 Harris survey documents that nearly four out of ten 
(40 percent) people with multiple sclerosis said they have lied or 
failed to disclose their diagnosis to colleagues, co-workers, friends 
or even family members out of fear of job loss and stigma.
    These survey figures come to life in the daily media reports of 
people being harmed by the use of their health information outside the 
core health care arena. To highlight just a few:
     Eckerd's Drug Stores in Florida is being investigated by 
the State Attorney General for its marketing practices. When Eckerd 
customers pick up their prescriptions, they sign a log indicating they 
do not want counseling from a pharmacist. Eckerd's has been using that 
signature as an authorization to use the customer's prescription drug 
records for mailing promotions and discounts financed by drug 
companies.
     Terri Seargent, a North Carolina resident, was fired from 
her job after being diagnosed with a genetic disorder that required 
expensive treatment. Three weeks before being fired, Terri was given a 
positive review and a raise. As such, she suspected that her employer, 
who is self-insured, found out about her condition, and fired her to 
avoid the projected expenses.
     The medical records of an Illinois woman were posted on 
the Internet without her knowledge or consent a few days after she was 
treated at St. Elizabeth's Medical Center following complications from 
an abortion at the Hope Clinic for Women. The woman has sued the 
hospital, alleging St. Elizabeth's released her medical records without 
her authorization to anti-abortion activists, who then posted the 
records online along with a photograph they had taken of her being 
transferred from the clinic to the hospital. The woman is also suing 
the anti-abortion activists for invading her privacy.
     Several thousand patient records at the University of 
Michigan Medical Center inadvertently lingered on public Internet sites 
for 2 months. The problem was discovered when a student searching for 
information about a doctor was linked to files containing private 
patient records with numbers, job status, treatment for medical 
conditions and other data.
     Joan Kelly, an employee of Motorola, was automatically 
enrolled in a ``depression program'' by her employer after her 
prescription drugs management company reported that she was taking 
anti-depressants.
     Eli Lilly and Co. inadvertently revealed 600 patient e-
mail addresses when it sent a message to every individual registered to 
receive reminders about taking Prozac. In the past, the e-mail messages 
were addressed to individuals. The message announcing the end of the 
reminder service, however, was addressed to all of the participants.
     A few months ago, a hacker downloaded medical records, 
health information, and social security numbers on more than 5,000 
patients at the University of Washington Medical Center. The University 
conceded that its privacy and security safeguards were not adequate.
    In the absence of a Federal health privacy law, these people 
suffered job loss, loss of dignity, discrimination, and stigma. Had 
they acted on their fears and withdrawn from full participation in 
their own care--as many people do to protect their privacy--they would 
have put themselves at risk for undiagnosed and untreated conditions. 
In the absence of a law, people have faced the untenable choice of 
shielding themselves from unwanted exposure or sharing openly with 
their health care providers.
                  ii. the genesis of the privacy rule
    The current Federal health Privacy Rule is a major victory for all 
health care consumers, and takes a significant step toward restoring 
public trust and confidence in our nation's health care system. The 
regulation promises to fill the most troubling gap in Federal privacy 
law, setting in place an essential framework and baseline on which to 
build. Each one of us stands to benefit from the Privacy Rule in 
critical ways, including greater participation in the health care 
system, improved diagnosis and treatment, more reliable data for 
research and outcomes analysis, and greater uniformity and certainty 
for health care institutions as they develop privacy safeguards and 
modernize their information systems.
    Most notably, the current Privacy Rule grants people the right to 
see and copy their own medical records; requires health care providers 
to obtain patient consent before using their records for treatment, 
payment and health care operations; imposes limits on using medical 
records for marketing; imposes safeguards on publicly and privately 
funded research use of patient data; somewhat limits law enforcement 
access to medical records; and allows for civil and criminal 
penalties to be imposed if the Rule is violated.
    The Privacy Rule was issued by the Department in December 2000 in 
response to a mandate from Congress included in the 1996 Health 
Insurance Portability and Accountability Act (HIPAA), which required 
that if Congress did not enact a medical privacy statute by August 
1999, then the Department was required to promulgate regulations. This 
rule has been the subject of a lengthy, thorough, and robust rulemaking 
process--both before and since its December 2000 release in final form.
    Despite intense pressure from some in the health care industry, the 
Bush Administration allowed this important regulation to go into effect 
in April 2001. The first implementation guidance issued by the 
Department on July 6, 2001, addresses the many misstatements and 
exaggerations that some in the industry have been spreading about the 
Privacy Rule. On its face, the guidance was aimed at calming industry 
fears, and we hoped it would lead to greater acceptance of the 
regulation and foster compliance with the regulation. The guidance also 
indicated the changes the Department intended to propose to make to the 
regulation.
    We acknowledge that the Privacy Rule--as finalized--has serious 
gaps and weaknesses, some of which can only be remedied by Congress, 
and some of which are within the Department's authority to regulate. 
One shortcoming is that the rule only directly regulates providers, 
plans and clearinghouses, and does not directly regulate employers, 
pharmaceutical companies, workers' compensation insurers, and many 
researchers. The rule also lacks a private right of action that would 
give people the right to sue if their privacy was violated. Under 
HIPAA, only Congress and the states are empowered to address these 
limits. However, where the Department does have the power to strengthen 
the Rule, it has chosen instead to dilute it.
     iii. summary of the health privacy project's comments on the 
      department's proposed modifications to consent and marketing

A. Consent for Treatment, Payment, and Health Care Operations--Sec. 
                    164.506

Proposed Modification:
    The Department proposes to eliminate the requirement that health 
care providers obtain an individual's consent prior to using or 
disclosing protected health information for treatment, payment, and 
health care operations.
Health Privacy Project Recommendation:
    The Health Privacy Project recommends that the Department retain 
the Privacy Rule's prior consent requirement, and make targeted 
modifications to address the unintended consequences that result from 
the consent requirement in some circumstances.
Rationale:
    The Privacy Rule requires that health care providers obtain an 
individual's consent prior to using or disclosing protected health 
information for treatment, payment, and health care operations. At the 
core of the Department's proposed modifications to the Privacy Rule is 
the elimination of this prior consent requirement. In its place, the 
Department substitutes a requirement that direct treatment providers 
make a ``good faith effort'' to obtain the individual's written 
acknowledgment that he or she received the provider's privacy notice. 
(Section 164.520 of the Privacy Rule requires covered entities to 
provide this notice of privacy practices.) This proposal to eliminate 
the consent requirement strikes at the very heart of the Privacy Rule 
and takes away a core privacy protection for consumers. The Privacy 
Rule's consent requirement is intended to bolster patient trust and 
confidence in providers and in health care organizations by respecting 
the patient's central role in making health care decisions. The 
Department's proposal to eliminate the consent requirement represents a 
huge step backwards for consumers--and one that will undermine trust in 
the health care system.
    This debate is about much more than the label on the piece of paper 
that a patient signs, or about whether a patient is given two pieces of 
paper (a notice and consent form) or just one (a notice). There are 
fundamental differences between a consent process and acknowledgement 
of a receipt of a notice. Seeking advance permission from a patient 
before using or disclosing health information acknowledges first and 
foremost that it is the patient's decision whether to entrust others 
with his or her private medical information and under what 
circumstances. The Privacy Rule's consent requirement gives individuals 
some control over how their health information is used and disclosed. 
Patients would certainly have more control if consent could be withheld 
without the provider refusing to provide treatment. However, it is by 
no means clear that providers will withhold treatment even though 
permitted to do so, particularly when the individual consents to some 
uses/disclosures (treatment and payment uses/disclosures), but 
withholds consent for others (some of the relatively vast number of 
``health care operations'' permitted by the Privacy Rule). It is clear 
that without a prior consent requirement, patients will have no control 
over how their health care information is used or disclosed beyond the 
right to request a restriction. Asking an individual to acknowledge 
receiving a privacy notice reinforces that the individual patient has 
absolutely no say in the matter.
    The Privacy Rule's consent requirement is the best way to ensure 
that patients actually know how their health care information will be 
used or disclosed and know what their privacy rights are. The process 
of obtaining consent defines an ``initial moment''--as the Department 
acknowledges--in which patients can raise questions about privacy 
concerns and learn more about options available to them. Patients are 
more likely to read the notice, or at least ask questions about how 
their information will be used or disclosed, when they are being asked 
to give their consent. Asking a patient to acknowledge receipt of a 
notice does not provide a comparable ``initial moment''--especially 
when the individual is only asked to acknowledge receipt of a piece of 
paper, not whether they have read the paper or understood it or have 
questions about it.
    From a practical perspective, the consent form required in the 
Privacy Rule focuses attention on a new right that is central to the 
consent process--the right to request a restriction. By all accounts, 
the consent form is much shorter than the notice of privacy practices. 
Thus, information that is repeated in the relatively short consent form 
will be highlighted for patients. The Privacy Rule requires the consent 
form to state that the individual has the right to request a 
restriction. See Sec. 164.506(c)(4)(i). Including this information in 
the consent form, as well as in the notice, makes it even more likely 
that patients will be aware of this important right.
    That the Department has chosen radical surgery--total elimination 
of the consent requirement--when much more targeted, privacy-protective 
interventions would have sufficed is especially troublesome.
    The Department not only proposes to eliminate the consent 
requirement, it also proposes to delete several provisions that apply 
when providers or plans choose to require consent. The Privacy Rule 
includes various provisions that govern the content of the consent form 
(e.g., it must state that the individual has the right to review the 
privacy notice before signing the consent form) and the right to 
revoke. See Sec. 164.506(b) and (c).
    Under the Privacy Rule, these provisions apply when consent is 
required and when it is optional. The Department proposes to delete all 
of these provisions in order to ``enhance the flexibility of the 
consent process for those covered entities that choose to obtain 
consent.'' See 67 Fed. Reg. 14780. In addition, the Department proposes 
to delete provisions governing conflicting consents and authorizations; 
under the Privacy Rule, covered entities must follow the most 
restrictive. See Sec. 164.506(e). The Department also proposes to 
delete the provisions that govern joint consents by organized health 
care arrangements. See Sec. 164.506(f). By eliminating all of these 
provisions, the Department takes away important safeguards that should, 
at the very least, apply when consent is obtained voluntarily.

B. Marketing--Secs. 164.501 and 164.508(a)(3)

Proposed Modifications:
    The Department proposes to reduce the Privacy Rule's privacy 
protections that apply to communications that many consumers consider 
to be ``marketing.'' Under the Privacy Rule, a covered entity that is 
paid by a third party to encourage patients to purchase or use a 
product or service that is health related must adhere to certain 
conditions. In its first communication, the covered entity must give 
the patient an opportunity to refuse further marketing materials. The 
covered entity must inform the patient that it is receiving 
remuneration for making the communication. Additionally, the marketing 
materials must identify the covered entity as the party making the 
communication. The Department proposes to eliminate these requirements 
by removing from the definition of ``marketing'' all communications 
that encourage patients to purchase or use products or services that 
are health related, including communications that a covered entity is 
paid to make.
    The Department does propose to retain the Privacy Rule's 
requirement that a covered entity obtain an individual's authorization 
prior to using or disclosing health information for ``marketing.'' 
However, because the Department proposes to contract the definition of 
``marketing,'' the prior authorization requirement will apply only to a 
narrow range of communications--those that encourage the purchase or 
use of a product or service that is not health related. The prior 
authorization requirement will not apply to communications that 
encourage the use or purchase of a health related product or service 
because such communications are excluded from the definition of 
marketing, even if the covered entity is paid to make the 
communication. The net effect of these proposed changes is to 
substantially weaken the Privacy Rule.
Health Privacy Project Recommendations:
    The Health Privacy Project recommends that the Department:
     Revise the definition of ``marketing'' to include 
communications encouraging the purchase or use of a health-related 
product or service where a covered entity receives direct or indirect 
remuneration from a third party for making the communication.
     Revise the Privacy Rule so that a covered entity must 
obtain an individual's authorization prior to using or disclosing 
protected health information for all marketing purposes, including 
communications encouraging the purchase or use of health related 
products or services where the covered entity has received or will 
receive direct or indirect remuneration for making the communication.
     Retain the requirement that the authorization notify the 
individual if the marketing is intended to result in remuneration to 
the covered entity from a third party.
     Further modify the provisions to require that an 
authorization for marketing specify whether the protected health 
information is to be used or disclosed for the marketing of health care 
related services or products or for products and services not related 
to health care.
Rationale:
    The Privacy Rule classifies communications that encourage patients 
to purchase or use products and services in three categories: 1) 
Communications that are clearly treatment oriented and for which the 
covered entity does not receive remuneration from a third party (such 
as a doctor recommending a particular medicine to a patient because it 
is medically indicated); 2) Communications that are related to health 
but are at least partially financially motivated (such as a pharmacy 
being paid by a drug company to send a patient a letter encouraging her 
to switch her medication to the drug company's brand); and 3) 
communications that are clearly marketing because they do not relate to 
health (such as sending vacation advertisements). See Appendix A at 1. 
Because the first category of communications is clearly treatment 
related, there is no requirement for prior authorization to use health 
information to make these communications. At the opposite end of the 
continuum, because the covered entity is being paid to use health 
information to market a product or service that is totally unrelated to 
health, the covered entity must obtain patients' prior authorization 
before it can use their health information for these marketing 
purposes. The treatment of these two categories of health information 
remains relatively unchanged under the proposed modifications to the 
Privacy Rule. See Appendix A at 2.
    With respect to the second category of communications, those that 
encourage the use or purchase of a health related product or service 
and for which the covered entity receives remuneration, the Department 
initially recognized that covered entities face a financial conflict of 
interest when they are paid to recommend a certain health related 
product or service. In light of these conflicts, the current Privacy 
Rule treats these communications as ``marketing.'' The Privacy Rule 
permits health information to be used without the patient's prior 
authorization in these circumstances only if certain conditions are 
met. The patient must be given an opportunity to opt out of receiving 
further communications. Additionally, the patient must be notified that 
the covered entity is the source of the communication and is being paid 
to make the recommendation. See Appendix A at 1.
    Many consumers believe that the Privacy Rule's delayed opt-out 
approach is insufficient to protect privacy. They have urged the 
Department to modify the rule to require that covered entities obtain 
patient authorization prior to engaging in this type of marketing activity 
(i.e., where the covered entity is paid to encourage the use or 
purchase of a health related product or service).
    In response to these concerns, the Department essentially proposes 
to eliminate the protections (albeit inadequate) that currently exist. 
The Department accomplishes this by removing paid communications that 
encourage the use or purchase of a health related product or service 
entirely from the definition of ``marketing.'' This proposed change 
effectively allows covered entities to make this type of paid 
communication without any prior authorization or chance to opt out.\2\ 
See Appendix A at 2.
---------------------------------------------------------------------------
    \2\ The Department's explanation that it is proposing to 
``explicitly require covered entities to first obtain the individual's 
specific authorization before sending them any marketing materials'' 
``based on consumer concerns that the marketing provisions in the 
current rule does not protect individuals' privacy'' is disingenuous at 
best, given that they accomplish this by removing an entire category of 
communications from the definition of ``marketing.'' See Department's 
Press Release, March 21, 2002.
---------------------------------------------------------------------------
    We oppose this change on a number of grounds. First, we believe 
that the determination whether prior authorization for a communication 
is required should not rest on whether a communication is in some way 
related to health. The proposed exclusion of ``health related'' 
communications from the definition of ``marketing'' is extremely broad. 
It is hard to conceive of a communication that remotely relates to 
health that would be considered to be ``marketing.'' Many activities 
that health care consumers would consider marketing and find 
objectionable would be excluded from the definition of marketing under 
this proposal.
    For example, the proposed definition of marketing excludes ``a 
communication made to an individual. . . to direct or recommend 
alternative treatments, therapies, health care providers, or settings 
of care.'' (See Sec. 164.501 (defining ``marketing'').) Under this 
exception, a pharmacy can be paid by a drug company to identify and 
select patients based on their health information to send them material 
encouraging them to switch their prescriptions to the drug company's 
particular brand of medicine. This ``recommendation of alternative 
treatment'' is primarily motivated by profit and has little to do with 
what is medically best for the patient. Many patients believe that this 
financially motivated use of their health information is a violation of 
their privacy.\3\
---------------------------------------------------------------------------
    \3\ See e.g., Robert O'Harrow, Jr., Prescription Fear, Privacy 
Sales, The Washington Post, February 15, 1998 at A1; Henry 1. Davis, 
``More Eckerd Questions,'' St. Petersburg Times, March 5, 2002 at 1E.
---------------------------------------------------------------------------
    Second, because recommending any health related product or service 
is not considered to be ``marketing'' there is no requirement that the 
consumer be informed that the covered entity is receiving remuneration 
from a third party to make these recommendations. In the above example, 
patients could receive materials from their pharmacy suggesting that 
they change their medicine to a different brand without ever being 
informed that the pharmacy was paid to make the recommendation. This 
approach encourages providers to engage in practices that are ridden 
with financial conflicts of interest.\4\
---------------------------------------------------------------------------
    \4\ See Bernard Lo, M.D. and Ann Alpers, M.D., Uses and Abuses of 
Prescription Drug Information in Pharmacy Benefits Management Programs, 
283 JAMA 801 at 809 (February 9, 2000).
---------------------------------------------------------------------------
    Third, the proposed modification eliminates any control that an 
individual may have over the use of his protected health information 
for receiving this type of recommendation. Because these communications 
are not ``marketing'' there is no requirement that the covered entity 
obtain prior authorization to use the information in this manner. 
Furthermore, there is no mechanism by which an individual can remove 
his or her name from the covered entity's mailing list for these 
``recommendations.'' This approach does not respect health care 
consumers and leaves them powerless.
    Expanding the definition of marketing can cure these faults. We 
believe that marketing should include communications about a product or 
service to encourage recipients of the communication to purchase or use 
the product or service where the covered entity receives direct or 
indirect remuneration for making the communication. We would apply this 
standard to both health related and non-health related communications. 
Using this definition presents a rather bright line test. If a covered 
entity receives payment for a communication, the communication is 
marketing.
    In conjunction with this recommendation, we urge the Department to 
retain the proposed modification that would require covered entities to 
obtain an individual's authorization prior to using his or her health 
information for these marketing purposes. Health care consumers should 
have control over whether their health information is used for profit-
making purposes that are only tangentially related to their health.
Appointment Reminders and Prescription Refill Notices
    A number of concerns have been raised about communications, such as 
appointment reminders and prescription refill notices, that may 
potentially fall in the gray area of what should be considered to be 
marketing. We would expect that the vast majority of covered entities 
do not receive remuneration for sending their patients appointment 
reminders. Therefore, this type of communication would not be 
marketing. Likewise, where a pharmacy on its own volition sends a 
prescription refill notice or advises a patient of a potential adverse 
drug reaction and suggests an alternative it would not be marketing. 
However, where a pharmacy receives payment for encouraging patients to 
refill prescriptions or switch medicine brands, the communication would 
be marketing.
    We recognize that at times this definition may encompass some 
communications that provide useful information to health care 
consumers. However, if a covered entity is receiving payment from a 
third party for making the communication, it is pursuing activity that 
is at least partially in its self-interest, as opposed to the interest 
of the patient. In such a circumstance, the individual should be 
informed in advance that the covered entity receives remuneration for 
its communications and should have control over whether his or her 
health information is used in this manner.
   iv. summary of health privacy project comments on other proposed 
                             modifications

1. Hybrid Entities--Sec. 164.504

Proposed Modification:
    The Department proposes to modify the hybrid entity provisions in 
order to allow any covered entity that performs a mixture of covered 
and non-covered functions to have the option of being designated a 
hybrid entity or having the entire organization treated as a covered 
entity. Additionally, the Department would require that a covered 
entity that elects hybrid status include in its designated health care 
component(s) any component that would meet the definition of covered 
entity if it were a separate legal entity.
    The modifications would permit, but not require, the hybrid entity 
to designate a component that performs: (1) covered functions; and (2) 
activities that would make such a component a business associate of a 
component that performs covered functions if the two components were 
separate legal entities.
Health Privacy Project Recommendations:
     Reject the proposal that any covered entity can elect to 
be a hybrid entity, and require those covered entities whose primary 
functions are not covered functions to be hybrid entities and to erect 
firewalls between their health care components and other components. 
Permit (as conditioned below) covered entities whose primary functions 
are health care to be hybrid entities.
     Modify the implementation specifications of the proposed 
modified hybrid provisions to require that, at a minimum, a hybrid 
entity must designate a component that performs covered functions as a 
health care component.
     Clarify that a health care provider (including a component 
of a hybrid entity that provides health care) cannot avoid being deemed 
a ``covered entity'' if it relies on a third party to conduct its 
standard electronic transactions. Clarify that with respect to hybrid 
entities, a health care provider cannot avoid having its treatment 
component considered a health care component by relying on a billing 
department to conduct its standard electronic transactions.

2. Disclosures of Protected Health Information Related to FDA-regulated 
                    Products or Activities--Sec. 164.512(b)

Proposed Modifications:
    The Department proposes to create an extremely broad exception to 
the general requirement to obtain authorization prior to the disclosure 
of protected health information. The proposed modification would allow 
disclosures of protected health information to private entities as part 
of any data-gathering activity that can be termed ``related to the 
quality, safety, or effectiveness of such FDA-regulated product or 
activity.'' Under this proposed modification, disclosures would no 
longer be required by, or at the direction of, the FDA.
HPP Recommendations:
    The Health Privacy Project strongly opposes the Department's 
proposal and urges the Department to retain the current provisions of 
the Privacy Rule. The Privacy Rule provides a specific series of public 
health related exceptions to the authorization requirement. The 
proposed modifications, however, would create a vague and general 
standard, under the rubric of ``public health,'' that would open the 
door to the release of protected health information to pharmaceutical 
companies and arguably to tobacco companies as well. We do not see a 
genuine public health need that justifies such a significant expansion 
in the Privacy Rule.

3. De-Identification--Sec. 164.514

Proposed Modification:
    The Department is not proposing any substantive modifications to 
the de-identification provisions of the Privacy Rule at this time, but 
is considering the creation of a limited data set that would not 
include ``facially identifiable'' health information. This data set would 
be available for research, public health, and health care operations 
purposes presumably without authorization. In addition, the Department 
is considering the requirement that covered entities obtain data use or 
similar agreements from recipients that limit the use and disclosure of 
the data set and prohibit the recipients from re-identifying or 
contacting individuals.
Health Privacy Project Recommendations:
    The Health Privacy Project supports the Department's decision to 
maintain the de-identification provisions. Before proposing an approach 
for the use or disclosure of a limited data set, the Department must 
carefully consider what identifiers can safely be included and the 
adequacy of privacy protections for the data set. We have specific 
concerns about the ease with which identifiable information that does 
not include direct identifiers can be combined with other data to 
directly identify an individual, as well as concerns about the 
enforceability of data use agreements.

4. Research--Secs. 164.512(i), 164.508(f), 164.508(c)(1), 164.532

Proposed Modifications:
    The Department proposes to:
    (1) modify the waiver of authorization provisions.
    (2) clarify that the Privacy Rule's provisions for IRBs and privacy 
boards would encompass a partial waiver of authorization for purposes 
of recruiting research participants.
    (3) maintain an individual's right to revoke an authorization.
    (4) permit research authorizations to be combined with other legal 
permission to participate in a research study.
    (5) permit an authorization to use or disclose protected health 
information for the creation and maintenance of a research data base 
without an expiration date or event, but limit it to the purpose of 
creating or maintaining that data base.
    (6) permit the use of individually identifiable health information 
after the compliance date for research protocols that received a waiver 
of authorization from an IRB prior to the compliance date.
Health Privacy Project Recommendations:
    The Health Privacy Project:
    (1) is pleased that research protocols will still be required to 
meet waiver criteria that are more narrowly focused on the privacy 
interests of the research participants.
    (2) is pleased that the Department is not proposing modifications 
to the provisions on reviews preparatory to research so that 
researchers could remove protected health information from a covered 
entity's premises for recruitment purposes.
    (3) commends the Department for retaining an individual's right to 
revoke a research authorization, but recommends further guidance on how 
to implement the revocation requirement.
    (4) urges the Department not to permit research authorizations to 
be combined with an informed consent to participate in a study.
    (5) strongly agrees with the Department that the expiration date 
exception for the creation and maintenance of data bases should not be 
extended to authorizations for further research or any other purpose.
    (6) recommends that a research study that receives a waiver of 
authorization from an IRB prior to the compliance date, but begins 
after the compliance date, be re-evaluated to ensure that adequate 
privacy protections are in place.

5. Individual Authorization--Sec. 164.508

Proposed Modifications:
    The Department proposes to:
    (1) streamline the authorization process by consolidating the 
different authorizations in the Privacy Rule under a single set of 
criteria and removing some core elements from the authorization 
requirement.
    (2) tighten provisions on the use and disclosure of psychotherapy 
notes so that psychotherapy notes cannot be used or disclosed without 
individual authorization for another entity's treatment, payment, and 
health care operations purposes.
    (3) add clarifying language so that an individual who initiates an 
authorization would not be required to reveal the purpose of his or her 
request.
    (4) maintain the individual's right to revoke an authorization.
Health Privacy Project Recommendation:
    The Health Privacy Project applauds the Department's proposal under 
numbers (2), (3) and (4) above. However, while we support the 
Department's effort to simplify the authorization provisions, we 
strongly urge the Department to: (a) retain the core elements required 
for research authorizations involving treatment of an individual under 
the Privacy Rule; (b) require remuneration disclosures in all 
authorizations, not only in authorizations for marketing; and (c) 
retain the plain language requirement as a core element of a valid 
authorization. It is critical that an individual knows how his or her 
information will and will not be used or disclosed so that s/he can 
make an informed decision about giving authorization. Furthermore, any 
request for individual authorization to use or disclose information 
must be communicated in a manner that can be understood by the average 
reader so that people know what they are authorizing.

6. Accounting of Disclosures--Sec. 164.528

Proposed Modification:
    The Department proposes to expand the list of exceptions to the 
accounting of disclosures requirement so that it no longer requires 
covered entities to account for any disclosures made pursuant to an 
individual authorization.
Health Privacy Project Recommendation:
    The Health Privacy Project opposes the Department's proposal and 
urges the Department to retain the requirement that disclosures of 
protected health information made pursuant to an authorization be 
included in an accounting of disclosures. Removing authorized 
disclosures from the accounting takes away the individual's means of 
verifying that his or her information was disclosed as specified in the 
authorization. Such a modification would also hinder an individual's 
ability to detect authorizations that have been fraudulently submitted 
or altered.

7. Balancing the Rights of Minors and Parents--Sec. 164.502(g)(3)

Proposed Modification:
    The Department proposes to modify the Privacy Rule's approach to 
balancing the rights of minors and parents by permitting covered 
entities to decide when to disclose protected health information about 
a minor to a parent in cases where State or other applicable law is 
silent or unclear.
Health Privacy Project Recommendations:
    The Health Privacy Project opposes the proposed modifications 
because they would deter minors from obtaining critical health 
services, such as mental health care, substance abuse treatment, and 
testing and treatment for sexually transmitted diseases. We recommend 
that the Department retain the approach in the current Privacy Rule, 
except its approach to non-preemption of State laws that are less 
protective of a minor's privacy. Specifically, we recommend that the 
Department apply the same preemption rules to State laws pertaining to 
minors and disclosures to parents that the Department applies to other 
State laws, as HIPAA requires.

8. Disclosures for Treatment, Payment, or Health Care Operations of 
                    Another Entity--Proposed Sec. 164.506(c)

Proposed Modification:
    The Department proposes several modifications to clarify how 
covered entities may use or disclose protected health information for 
treatment, payment, or health care operations, and to permit covered 
entities to disclose protected health information to other entities 
(including non-covered entities) for the second entity's treatment, 
payment, or health care operations activities.
Health Privacy Project Recommendation:
    Most troubling is the Department's proposal to permit covered 
entities to disclose protected health information to other covered 
entities for the recipient's health care operations. This constitutes a 
significant alteration of the structure of the Privacy Rule, and the 
Department is proposing it without adequate justification. The Health 
Privacy Project recommends that the Department reconsider the necessity 
for such a change and assess whether the concept of ``organized health 
care arrangement,'' which already is part of the Privacy Rule, 
addresses the quality assurance issues raised in the preamble. If the 
Department pursues modifications along these lines, the Department 
should craft narrow language that addresses actual problems--and only 
the problems identified in the preamble.

9. Definition of Protected Health Information and Proposed Exclusion of 
                    ``Employment Records''--Sec. 164.501

Proposed Modification:
    The Department proposes to amend the definition of ``protected 
health information'' in section 164.501 to explicitly exclude 
``employment records,'' referred to in the preamble as ``individually 
identifiable health information . . . held by a covered entity in its 
role as employer.'' 67 Fed. Reg. 14804.
Health Privacy Project Recommendation:
    The Health Privacy Project opposes this proposal because it 
threatens to undermine important safeguards in the Privacy Rule. The 
plain language of the proposed text appears to move outside of the 
Privacy Rule any use or disclosure of employees' health plan records, 
as well as information shared with an employer's on-site clinic where 
that clinic is a covered provider under the current Privacy Rule. Thus, 
through a sweeping ``technical correction'' in the applicable 
definition, this proposal takes health information that is protected by 
the Privacy Rule and renders it unprotected. This is especially 
dangerous because of the legitimate concern people have that employers 
will use protected health information, including genetic information, 
inappropriately to make employment-related decisions (such as deciding 
which employees to promote or fire).

10. Disclosure of Enrollment and Disenrollment Information to Sponsors 
                    of Group Health Plans--Proposed Sec. 
                    164.504(f)(1)(iii)

Proposed Modification:
    The Department proposes to permit group health plans (as well as 
HMOs and issuers) to disclose to the sponsor of the group health plan 
(usually an employer) information on whether an individual is 
participating in the group health plan (or is enrolled in, or has 
disenrolled from, the HMO or issuer).
Health Privacy Project Recommendation:
    The Health Privacy Project supports this proposed modification 
because it is limited to information about whether the individual is 
participating in or enrolled in the plan and does not permit the 
disclosure of any other protected health information.

11. Minimum Necessary and Oral Communications--Secs. 164.502(a) and 
                    Sec. 164.530(c)

Proposed Modification:
    The Department proposes to:
     modify the Privacy Rule to add a new provision which would 
explicitly permit certain ``incidental'' uses and disclosures that 
occur as a result of an otherwise permitted use or disclosure under the 
Privacy Rule; and
     modify the administrative requirements to expressly 
require covered entities to reasonably safeguard protected health 
information to limit incidental uses or disclosures made pursuant to an 
otherwise permitted or required use or disclosure.
Health Privacy Project Recommendation:
    The Health Privacy Project does not believe a modification 
expressly permitting incidental uses is necessary, but understands that 
the Department wishes to calm the fears of some of those in the health 
care industry. We commend the Department for including a related 
modification that expressly requires covered entities to reasonably 
safeguard protected health information to limit incidental uses or 
disclosures made pursuant to an otherwise permitted or required use or 
disclosure.

12. Business Associate Transition Provisions--Sec. 164.532 (d) & (e)

Proposed Modification:
    The Department proposes new transition provisions to allow most 
covered entities to continue to operate under certain existing business 
contracts with business associates for up to 1 year beyond the current 
compliance date for the Privacy Rule.
Health Privacy Project Recommendation:
    The Health Privacy Project recommends that the Department retain 
the existing compliance date for all aspects of the Privacy Rule. The 
Department has provided covered entities with a model business 
associate contract which should ease compliance efforts.
        v. cost: omb reports privacy regulation will save money
    According to a March 2002 report just issued by OMB's Office of 
Information and Regulatory Affairs (OIRA), the Department estimates 
that the cost associated with implementing the Privacy Rule 
(approximately $17 billion over 10 years) will be greatly offset by the 
cost savings associated with implementing HIPAA's transactions 
standards (approximately $29 billion saved over 10 years). See Appendix 
B for excerpt of report. The cost of implementing the Privacy Rule must 
not be viewed in isolation. The Privacy Rule is an integral--and 
necessary--part of a package of Administrative Simplification rules. 
The goal of standardizing electronic health care transactions is to 
create efficiencies and save money. When the Privacy Rule is 
implemented together with the transactions standards and other 
Administrative Simplification rules, as contemplated by Congress, a net 
savings will be achieved. Finally, we must also acknowledge the 
benefits reaped by increased patient participation in health care and 
research, as well as the qualitative benefits that are achieved by 
furthering this important societal value.
                               conclusion
    When President Bush allowed the Privacy Rule to go into effect last 
April, he issued a strong statement about the need to protect patient 
privacy and foster confidence that people's ``personal medical records 
will remain private.'' The President also pledged during his campaign 
to support a law requiring that a ``company cannot use my information 
without my permission to do so,'' and expressed support for strong laws 
protecting medical and genetic privacy. In fact, William Safire dubbed 
him the ``privacy President'' in a New York Times column shortly after 
the Privacy Rule went into effect. But, if the Department's proposed 
changes become final, the Privacy Rule will legalize many of the 
practices that caused public outcry for a law. We urge the Bush 
Administration not to roll back the important gains our country has 
made in protecting the privacy of people's medical records. We urge 
policymakers to look at the substantial progress being made by doctors, 
hospitals, and health plans in complying with the Rule. And finally, we 
urge that glitches in the regulation be addressed through narrowly 
tailored fixes that preserve the integrity of the final Rule.

    The Chairman. I think if someone heard you and heard Mr. 
Allen both describing the same piece of legislation, they would 
wonder how they could. We are grateful for your testimony.
    Dr. Harding.

    STATEMENT OF RICHARD HARDING, M.D., PRESIDENT, AMERICAN 
                    PSYCHIATRIC ASSOCIATION

    Dr. Harding. Thank you, Mr. Chairman and Senator DeWine. I 
am Richard Harding, President of the APA, American Psychiatric 
Association, and Professor of Psychiatry and Pediatrics at the 
University of South Carolina. I am also proud to be a member of 
the National Committee on Vital and Health Statistics, as you 
mentioned, but I am here speaking for myself and for the 
American Psychiatric Association.
    I want to express my appreciation for being here and for 
your committee's commitment to protecting medical records. I 
would also like to compliment you on your efficient and 
professional staff, who have been most helpful to all of us 
coming up to this hearing.
    Medical privacy and medical record confidentiality are 
issues about which all Americans are deeply concerned, at least 
94 percent, as the Senator was saying. Recently the Department 
of Health and Human Services has proposed regulations which 
will probably reduce administrative burdens on physicians and 
covered entities, probably. And, as such, this is appreciated 
as a physician speaking, but it is important to recognize that 
they are inadequate to protect patients.
    The APA objects to the elimination of consent by citizens 
because the citizens own the consent, and the substitution of a 
regulatory permission by Health and Human Services. We strongly 
believe patients should be able to choose who will see their 
medical records and to be fair, in the proposed changes a 
privacy notice is substituted for the written consent, but this 
is not privacy. Nor is protection of the patient's information. 
We found that out last week when a company was selling postal 
addresses and telephone numbers because citizens did not notice 
in the long privacy notice that only email addresses would not 
be released.
    It concerns me that the patients, under the proposed rule, 
do not have authority over their medical record, even if the 
patient pays out of their pocket, which is a rapidly growing 
trend because of the issue of privacy.
    The APA understands that there are previously described 
circumstances where a covered entity needs to use or disclose 
personal health information prior to the initial face-to-face 
encounter with a patient and therefore to obtaining consent. It 
would seem to me that the remedy for this is to modify the 
consent requirement in the privacy rule. The Department of HHS 
has overcorrected a problem, by a proposed elimination of the 
traditional patient right of affirmative consent altogether. 
This is a truly sea change event in American medicine, to go to 
this way of handling consent.
    The APA recommends Health and Human Services retain the 
privacy rule's prior consent requirement with targeted 
modifications, as mentioned in previous testimony.
    Briefly on marketing, marketing is defined, and I think it 
is important to define it, as ``to make a communication about a 
product or service to encourage recipients of the communication 
to purchase or use the product or service.'' The HHS proposed 
changes to the marketing provisions appear to require 
authorization before the patient receives marketing materials. 
In so doing, that is well intended, but it is flawed. There is 
no real effective privacy safety net against commercial usage. 
The real problem is the exclusions to the term ``marketing'' 
swallow the rule.
    Under the proposed changes, a long list of programs is not 
considered marketing. Marketers can use things such as disease 
management, as mentioned before, wellness programs, case 
management, prescription refills and so forth to send marketing 
materials. The regulations do not clearly restrict these 
marketing loopholes from abuses, and I will not get into the 
examples of that, which have already been stated.
    It is my experience as a practicing physician that patients 
have never dreamed of their personal health information being 
used for marketing. That just does not enter their minds. This 
is especially critical for marketing to minors.
    I strongly urge the committee to join us in requesting HHS 
require a patient's consent and their authorization for 
marketing before medical information is released under HIPAA.
    We thank you for this opportunity to testify and respond to 
your questions and continuing to work with the committee on 
these important issues. Thank you.
    [The prepared statement of Richard Harding, M.D. follows:]
              Prepared Statement of Richard Harding, M.D.
    Mr. Chairman, and members of the Committee, I am Richard Harding, 
M.D., testifying on behalf of the American Psychiatric Association 
(APA), a medical specialty society, representing more than 40,000 
psychiatric physicians nationwide. I serve the APA as its President and 
am currently Professor of Clinical Psychiatry and Pediatrics at the 
University of South Carolina School of Medicine. In addition, I serve 
as Vice-Chairman for Clinical Affairs of the Department of Psychiatry 
and maintain a busy outpatient practice.
    While I also serve on the Subcommittee on Privacy and 
Confidentiality of the National Committee on Vital and Health 
Statistics within the Department of Health and Human Services (HHS), 
the views I am presenting today are my views and the views of the 
American Psychiatric Association.
    First, I would like to thank Chairman Kennedy and the members of 
the Committee for the opportunity to testify today. My oral comments 
will be limited to two major concerns: consent and marketing. My 
written testimony is significantly more expansive as it reflects APA's 
comments on all of the NPRM privacy regulation changes, that we will 
formally submit to HHS, and I ask that it be made part of the hearing 
record.
    Mr. Chairman, we greatly appreciate your commitment to protecting 
medical records privacy. Privacy and particularly medical records 
privacy is an issue that not only affects all Americans but also one 
that they are deeply concerned about. On behalf of our profession and 
our patients I thank you for holding this hearing on the recent changes 
HHS made to the Medical Privacy Regulation.
    While the Department of Health and Human Services (HHS) proposed 
HIPAA privacy regulation changes will reduce the burden on physicians 
and other healthcare providers, it is important to recognize they are 
inadequate to protect patients. The APA objects to the proposed 
elimination of the consent requirement that patients give written 
consent before their records are disclosed to physicians, hospitals or 
insurance companies. Under the proposed changes, consent is optional 
for direct treatment providers. HHS now gives their ``regulatory 
permission'' to allow a patient's information to be freely disclosed to 
health plans, providers, and clearing houses without the patient's 
consent. The APA strongly believes patients should be able to choose 
who will see their medical records. The elimination of the consent 
requirement is a significant change not only to the historic doctor-
patient treatment relationship but also an impediment to physicians' 
efforts to provide the best possible medical care. The consent 
requirement gave the physician the opportunity to discuss where their 
medical information would be released. We need to take steps to ensure 
that doctor-patient confidentiality is preserved and strengthened.
    It is troubling to me as a practicing psychiatrist that a patient, 
under this rule, does not have consent authority over their medical 
records even if the patient pays out of pocket for their treatment. The 
proposed changes to the rule eliminate patient protection in a private 
payment situation with their provider by allowing information to be 
released without the patient's consent. For example, celebrities who 
seek help from a substance abuse center and pay in cash to be anonymous 
should be allowed to do so without their health information being 
released. Similarly, Medicare patients who elect to personally pay for 
treatment should not be at risk from the prying eyes of government.
    Under the proposed changes, a privacy notice is substituted for 
consent. A privacy notice serves as a long and cumbersome notice that 
the records will be released. This is not privacy nor is a protection 
of the patient's information. Furthermore, why must an ill patient have 
to look in the required privacy notice, which could be ten pages long 
as stated by the American Hospital Association? Buried within this 
lengthy notice is where a patient's medical information will be sent. 
As we have found out last week internet companies are selling a 
person's postal address and telephone number because the consumer did 
not notice in the long privacy notice that only e-mail addresses would 
not be released.
    The APA recommends HHS retain the privacy rule's prior consent 
requirement, with targeted modifications to address the unintended 
implementation hurdles that result from the consent requirement in a 
couple of circumstances.
    While the HHS proposed changes to the marketing provision appear to 
require an authorization from a patient before the patient receives 
marketing materials is well intentioned, the devil is truly in the 
details. The APA is concerned about the loopholes in the definitions of 
marketing through the enumerated exclusions from the appearance of 
protection by the so called marketing definition. There is no real 
effective privacy protection safety net against commercial usage of 
private patient information. Under HHS's changes, marketeers can use 
disease management, wellness programs, prescription refill reminders, 
case management and other related communications to send their 
marketing materials. These programs are not considered marketing. The 
regulations do not clearly restrict these marketing loopholes from 
abuses. It clearly is not in the best interest of the patient for a 
drug store to send a prescription refill reminder without the patient's 
authorization after the pharmacist was compensated by a pharmaceutical 
company. Recall not too long ago drug stores admitted to making patient 
prescription information available for use by a direct mail company and 
pharmaceutical companies. Now a pharmacy not only would be able to 
legally sell to a pharmaceutical company a list of patients that have 
been prescribed certain drugs in order to promote alternative drugs, 
but also the pharmacy could now in its own self financial interest in a 
medication's more profitable cost to them be suggesting a change in 
medication refill. The marketing communication would no longer need to 
identify the covered entity as the one making the communication, or 
need to state compensation was received.
    Moreover, the fund raising provisions despite overwhelming 
testimony to the NCVHS urging that there be an ``opt in'' (prior 
consent) not ``opt out'' after the fact, using without permission an 
individual patient's name for the fund raising purposes of the covered 
entity. Can you imagine sending out millions of letters telling you the 
names of persons served in your substance abuse treatment program--
without their consent or authorization, and only thereafter, if the 
fund raiser wishes to do it again, then have to ask for the 
individual's permission to use her or his name in the fundraising 
endeavor. Does this sound reasonable to anyone?
    I strongly urge the Committee to join us in requesting HHS require 
a patient's consent and their authorization for marketing before their 
medical information is released under the Health Insurance Portability 
and Accountability Act (HIPAA). Also, in closing let me just briefly 
summarize our comments on parental rights to a minor's medical records, 
to wit: there should be no changes to these provisions which have the 
effect of reducing access to health care by adolescent patients.
    We thank you for this opportunity to testify, respond to your 
questions and continuing to work with the Committee on these important 
issues.

    The Chairman. Dr. Clough.

 STATEMENT OF JOHN C. CLOUGH, M.D., DIRECTOR, HEALTH AFFAIRS, 
                  CLEVELAND CLINIC FOUNDATION

    Dr. Clough. Good morning, Mr. Chairman, Senator DeWine. I 
am Dr. John Clough, Director of Health Affairs at the Cleveland 
Clinic Foundation and I have also been a practicing 
Rheumatologist there for over 30 years.
    The Cleveland Clinic Foundation supports Federal privacy 
protections for identifiable patient information. The privacy 
rule would give patients their first-ever Federal protection of 
identifiable health information and proposed modifications 
would improve it significantly. For the first time, Federal 
standards prohibit the use and disclosure of patient 
information for purposes other than treatment, payment, and 
health care operations without patient authorization. This 
morning I will focus on the proposed modification to the 
consent provision, as well as an important modification that 
the department is considering with respect to how patient 
information is deidentified.
    We support the proposed modification to the consent 
requirement for the following six reasons. First, this 
modification would remove barriers to patient access to care 
while strengthening patient privacy protections. The Cleveland 
Clinic, with 1.6 million patient visits annually and over 
50,000 admissions annually, routinely receives information from 
patients, from referring physicians around the world, and uses 
this information to schedule and prepare for examinations and 
procedures before the patients arrive. Prior consent, perhaps 
requiring an extra trip, would have to be obtained before any 
use of this patient information.
    Other inevitable problems include patients being unable to 
discuss their care over the telephone with covering physicians 
because these providers may not have signed consent forms. The 
same problem would preclude nurses staffing telephone call 
centers, such as the Cleveland Clinic's nurse-on-call service, 
from advising patients in many cases.
    The proposed modification eliminates these barriers to care 
without weakening privacy protections. It would strengthen the 
notice requirement by requiring that providers give patients a 
notice of their rights and obtain acknowledgement that they 
signed it.
    Second, the suggestion that the department make exceptions 
for every problem that arises as a result of the consent 
requirement, as opposed to fixing the underlying problem, makes 
little sense and is unworkable. Furthermore, the fact that 
HIPAA allows modifications to the privacy rule only once 
annually would produce long delays in getting problems fixed.
    Third, some have claimed that many States already have 
similar consent requirements. In fact, no State has a similarly 
broad prior consent requirement. Maine did attempt it in 1999, 
but had to suspend their law after only 12 days because of 
severe disruption of patient care.
    Fourth, the modification making consent optional is a 
workable compromise of two diametrically opposed approaches 
taken in the Clinton proposed regulation and the Clinton final 
regulation. In November 1999 the Clinton Administration's 
proposed privacy regulation prohibited providers from obtaining 
prior consent. They argued that such authorizations could not 
provide meaningful privacy protections or individual control 
and, in fact, could culminate an individual's erroneous 
understandings of their rights and predications and could 
impair care.
    In response to objections to this approach, the Clinton 
Administration reversed itself and mandated prior consent in 
the final rule. The proposed modifications strike the right 
balance between these two extremes.
    Fifth, even advocates for the most stringent privacy 
regulations testified last year that the prior consent 
requirement was meaningful and coerced because if the patients 
refused to sign the consent, the provider could deny treatment.
    Six, various press articles have suggested that physicians 
do not support the modification to the consent provision. It is 
important for Members of Congress to realize that many, if not 
most physicians organizations support the modification. In an 
April 10 letter to Congress, which is attached to my statement, 
organizations representing family physicians, surgeons, 
cardiologists, OB-GYNs and others, over 400,000 physicians in 
all, express support for making consent optional. I might add 
that many of those are members of the AMA.
    With respect to research and deidentification of patient 
information, the modifications proposed by the department make 
several key improvements that will eliminate unnecessary 
barriers to the conduct of research while protecting patient 
confidentiality. The modifications simplify the procedures and 
paperwork involved.
    In addition, however, we believe that the regulations 
should permit a limited set of facially deidentified data to be 
disclosed for research purposes. The department has said it is 
considering such a change. Under the final rule some 18 
characteristics would need to be removed to deidentify data. 
However, the 18 include such items as zip code, admission and 
discharge dates, dates of death and age that do not facially 
identify individuals and they are often important in 
epidemiological research, as well as in hospital disease 
surveillance activities, particularly important in detecting 
bioterrorism.
    Mr. Chairman, that concludes my statement. Thank you again 
for giving me this opportunity to testify this morning and I 
would be happy to answer your questions.
    [The prepared statement of John Clough, M.D. follows:]
               Prepared Statement of John C. Clough, M.D.
    Good morning. I am Dr. John D. Clough, Director of Health Affairs 
for the Cleveland Clinic Foundation. I am also a practicing 
rheumatologist.
    The Cleveland Clinic Foundation strongly supports meaningful 
Federal privacy protections for identifiable patient information. The 
privacy rule is intended to give patients the first-ever Federal 
protection of their identifiable health information. We believe the 
recently proposed modifications would make major and necessary 
improvements to the final rule that will help achieve privacy goals 
without erecting barriers to high quality and timely health care for 
patients.
    What has been missed in much of the reporting and debate about the 
modifications is that they retain, and actually strengthen, the most 
important new protections for patients. For the first time, Federal 
standards prohibit the use and disclosure of patient information for 
purposes other than treatment, payment, and health care operations 
without patient authorization. Thus, disclosing a patient's name and 
diagnosis to a newspaper, a bank, an employer, a marketer, without the 
prior, specific, written authorization of the patient is prohibited. 
The rule also gives patients new rights under Federal law to receive 
notice of their rights, to be informed as to how their information can 
and cannot be used, and to access their own medical record.
    In spite of the fact that the proposed modifications keep intact 
these protections and actually strengthened many of them, virtually all 
of the attention of late has focused on the ``prior consent'' 
requirement. This morning I will focus on the modification to the 
consent provision, as well as an important modification that the 
Department is considering with respect to how patient information is 
``de-identified.''
Consent
    We strongly support the proposed modification which would make it 
optional, rather than required, for providers to obtain a signed, 
written consent form before using or disclosing identifiable 
information for treatment, payment, and health care operations.

First: This modification would remove barriers to timely patient access 
    to care created by the requirement in the final rule, while 
    retaining and even strengthening strong patient privacy 
    protections.

    The following are a few of the many examples from the Cleveland 
Clinic's vantage point of how the requirement, without the proposed 
modifications, would create significant barriers to patient access to 
care.
     The Cleveland Clinic and other hospitals routinely receive 
information about a patient from referring physicians and use this 
information to schedule and prepare for procedures prior to the patient 
presenting themselves at the hospital. Prior consent would have to be 
obtained before any use of the patient's information for treatment. 
Thus, we could not use information to schedule procedures or begin 
intake procedures until we had such consents.
     This would be problem enough for the Cleveland Clinic, 
where 1.6 million visits are on an outpatient basis each year. But, the 
disruption and delay for patients should be viewed in the totality of 
their care from beginning to end.
     For the patient, the consent requirement would mean 
multiple trips to sign a new consent form before receiving care at 
every point. It would mean signing one consent form before visiting 
their physician, another before referral to a specialist, another 
before getting an MRI, one more before scheduling surgery at the 
hospital, another for the ambulance ride to the nursing home, another 
before sending someone to pick up a prescription, and on and on.
     Other inevitable problems included patients being unable 
to discuss their care over the telephone with physicians, nurses and 
others covering for their colleagues during non-business hours because 
these providers may not have a signed consent form. Also, nurses 
staffing telephone call centers would be prohibited from advising 
patients in many cases because there is not opportunity to obtain prior 
written consent from the patient.
    The proposed modification eliminates these barriers to care without 
eliminating privacy protections. It is the written notice, not the 
consent form, that is the means by which patients are informed of their 
rights and how and with whom their information may and may not be used. 
The modification retains and strengthens the notice requirement in the 
final rule by requiring that providers give patients the notice and 
obtain an acknowledgment that the patient has received it.

Second: The suggestion by some that the Department make exceptions for 
    every problem that arises as a result of the consent requirement, 
    as opposed to fixing the underlying problem, is unworkable.

    The Department cannot possibly anticipate every problem that could 
arise, as dozens have become apparent since issuance of the final rule 
a year and a half ago. More will arise after the rule takes effect. 
Because the Health Insurance Portability and Accountability Act (HIPAA) 
allows modifications to the privacy rule only once each year to address 
such problems, patients would have to suffer through disruptions and 
delays in care for over a year before such problems could be fixed.

Third: Some have claimed that many States already have similar consent 
    requirements. In fact, today NO State has a similarly broad 
    prohibition on use and disclosure of information for treatment, 
    payment and health care operations without prior consent.

    One State--Maine--did attempt such a broad prior consent 
requirement in 1999. The Maine law was suspended in an emergency 
session of the legislature after only 12 days because of severe 
disruptions in patient care.

Fourth: The modification making consent optional is a workable 
    compromise of two diametrically opposed approaches taken in the 
    Clinton proposed regulation and the Clinton final regulation.

    In November 1999, the Clinton administration's proposed privacy 
regulation not only rejected the idea of mandating that providers 
obtain consent, it went so far as to prohibit them from obtaining it. 
In doing so, the Clinton administration argued that ``(s)uch 
authorizations could not provide meaningful privacy protections or 
individual control and could in fact cultivate in individuals erroneous 
understandings of their rights and protections.'' In addition, they 
maintained that separate authorization for routine referrals ``could 
impair care.''
    Many physician and other groups objected to the prohibition on 
obtaining consent. In response, the administration went to the other 
extreme and mandated prior consent in the final rule. The recently 
announced modifications strike the right balance between these two 
extremes. Providers may obtain consent if they wish to do so. However, 
a provider will not have to delay treatment.

Fifth: Even advocates for the most stringent privacy regulations 
    testified last year that the prior consent requirement was 
    ``meaningless'' and ``coerced'' because if the patient refused to 
    sign the consent, the provider could deny treatment.

    If the patient refuses to sign, there are many situations in which 
laws, regulations, practice guidelines, and our code of ethics requires 
physicians to treat the patient. The physician following the code of 
ethics would then be in violation of the privacy regulation and subject 
to civil and even criminal penalties.

Sixth: Various press articles have suggested that physicians do not 
    support the modification to the consent provision. It is important 
    for Members of Congress to know that many, if not most, physician 
    organizations support the modification.

    In an April 10 letter to Congress which is attached to my 
statement, organizations representing family physicians, surgeons, 
cardiologists, OB/GYNs, and others--over 400,000 physicians in all--
expressed support for making consent optional.
Research and ``De-identification'' of Patient Information
    The modifications proposed by the Department with respect to 
research make several key improvements that will eliminate unnecessary 
barriers to the conduct of life-saving research, while maintaining 
important protections for patient confidentiality. In particular, the 
modifications simplify, for patients and researchers, the procedures 
and paperwork involved.
    However, one additional revision to the privacy regulation is 
needed. We believe the regulations should permit a limited set of data 
which has been ``facially de-identified'' to be disclosed for 
research purposes. The Department is considering such a revision, but 
has invited further comment before making a final decision to make the 
change.
    The stringency of the final rule's requirements for de-identifying 
information prompts concerns that the standard would render data 
useless for much research. Under the final rule, some 18 
characteristics would need to be removed from data to render it ``de-
identified.'' Most of the characteristics make sense, such as names and 
addresses, which could directly identify an individual. However, some 
do not. For example, zip codes, admission and discharge dates, date of 
death, and age do not directly identify an individual. However, such 
information is often critical to conducting research. Epidemiological 
studies routinely use hospital admission and discharge dates, date of 
death to track and understand diseases. Such studies have taken on new 
importance with the threat of bioterrorism. Hospitals need to be able 
to share de-identified information for such purposes, as well as for 
improving the quality of care for patients, and improving community 
health services. Under the final rule, sharing this information is not 
permitted.
    There may be no other issue that has so united those in health 
care; the change is supported by virtually every corner of the health 
care community. This includes groups ranging from the Association of 
American Medical Colleges, the American Medical Association, State 
hospital associations, patient and consumer groups. Attached to my 
statement are two letters from these groups.
    Mr. Chairman, that concludes my statement. Thank you, again, for 
giving me this opportunity to testify this morning. I will be happy to 
answer your questions.

    The Chairman. Thank you very much for your very interesting 
statement, which I think with the other statements puts this in 
some perspective.
    I would like to ask Ms. Goldman, the difference between 
notification and consent and how you respond to points which 
were raised recently by Dr. Clough and others about these areas 
of treatment which are necessary and really in the interest of 
the patient, and by failing to do sort of a more comprehensive, 
like the administration is doing, that we really can be 
perceived as putting the patient at risk. These are some of the 
balances. Your response?
    Ms. Goldman. I think it is important to keep in mind that 
we put the patient at risk today by not protecting privacy and 
we have data that shows that, that people are putting their own 
care at risk. They are withholding information and they are 
afraid to seek care. So people are at risk.
    Protecting privacy does not put them at risk, particularly 
if there are doctors who want to get the consent to their 
patients before using their information to treat them or to pay 
for their care. Someone may decide to pay out-of-pocket and the 
consent form gives them the opportunity to say to their doctor, 
``I am going to pay out-of-pocket, so I do not want to consent 
to have the information shared for payment purposes.'' Many 
doctors, I think, including Dr. Harding and others, would say 
that they would want to use the consent. It is optional 
certainly for them to decide they want to mandate it, but they 
do not have to do that.
    And asking someone to consent to having their information 
used is certainly different than asking them to sign a notice 
just telling them how their information is going to be used. It 
is a dramatically different kind of piece of paper and not one 
I think which is just about paperwork burden, but which is 
involving the patient in decisions about his or her care.
    The Chairman. Well, how do you respond to these points that 
have been raised that by not taking--we have had the example of 
the pharmacist and we have had doctors mention these other 
kinds of areas. Are you suggesting that we have the right to 
privacy or the consent form and then have exceptions for these 
particulars? And can you ever get enough on the list? Your 
answer?
    Ms. Goldman. Well, the Health Privacy Project has been 
saying for a year that certain glitches and certain unintended 
consequences in the privacy regulation should be fixed. We 
think they should have been fixed a year ago. So we think that 
what the secretary of HHS should have done was to make targeted 
modifications to the privacy regulation to address the consent 
problems.
    Pharmacies should have--this problem should be fixed. 
Making referrals, exactly the same problem, that information 
occasionally needs to be received before a prescription is 
filled or a referral is made. Those are glitches that should 
have been fixed and we say in our testimony very specifically, 
we make recommendations that those problems should be fixed. 
But there is no need, and I think it is unjustified to use 
those examples to eliminate the consent requirement completely.
    The Chairman. Dr. Clough.
    Dr. Clough. The problem, I think, is that glitches as they 
occur under the current rule would interfere with treatment and 
would interfere with it until they get corrected. Glitches 
under the other approach would not interfere with treatment and 
could be corrected later with less disruption of care.
    And with respect to prior consent, I would say that if you 
think about what happens in a physician-patient encounter, when 
I first see a patient, I have never seen them before, they have 
never seen me before and I am asking them to sign a blanket 
agreement that what I do is okay, I think that is less 
meaningful than getting some information on the table, deciding 
what it is that needs to be consented to, and then get the 
consent for treatment because I think that is where the 
important consent really is.
    Patients can tell me that they do not want their 
information released and I respect that and I do not release it 
if they do not want it released, and I think every physician 
does that.
    So I would say that these modifications improve the 
functionality of the rule without diluting it and give a chance 
to change the rule in the direction of greater privacy if that 
is necessary, but without interfering with patient care in the 
process.
    Ms. Goldman. Mr. Chairman, can I respond to what Dr. Clough 
has said?
    The Chairman. Go ahead.
    Ms. Goldman. It is an interesting point that when a patient 
asks him to maintain confidentiality and not to share 
information, that he respects that and the consent form that is 
in the final regulation gives his patients the opportunity to 
have that conversation with him. It is exactly that initial 
moment that triggers that kind of a conversation.
    A notice is much less likely to ever trigger that 
conversation and ever allow for that to happen between Dr. 
Clough and his patients.
    The Chairman. I am going to have to submit the other 
questions, but I thank you. This is an enormously important 
area. As I said, there are few values that we have that are 
really more important than privacy as a country and a society 
and I think in the medical area it is right at the top.
    We have heard a lot of good testimony today, conflicting 
testimony, but it does not lessen the importance that I think 
we have as a committee and as a Senate to do what is necessary 
in terms of both giving the assurance of good treatment, but 
also in terms of protecting the privacy, and we are committed 
to trying to do that.
    I thank our panel very much. We will submit some questions 
for you.
    The hearing stands in recess.

                          ADDITIONAL MATERIAL

        Prepared Statement of the American Hospital Association
    The American Hospital Association (AHA) and its nearly 5,000-member 
hospitals, health systems, networks, and other providers are committed 
to safeguarding patients' medical information and ensuring that 
patients understand and have appropriate access to their medical 
information. We believe Congress shared these goals when it enacted the 
Health Insurance Portability and Accountability Act (HIPAA) in 1996. 
Unfortunately, the final regulations implementing that vision elevated 
bureaucracy above common sense in a number of crucial respects.
    Before the Administration proposed changes last month, the rule's 
most alarming provision for hospitals and our patients was the 
requirement that patients read, review and return a 10-page privacy 
notice and a separate consent form before they could be cared for. 
Hospitals were deeply distressed by visions of parents with sick or 
injured children being met at the hospital door not with care and 
compassion, but with a lengthy privacy notice that had to be read, and 
a consent form that had to be signed, before care could be provided for 
the child. Yet, that is precisely what the medical privacy regulations 
required hospitals to do.
    Make no mistake--hospitals are genuinely committed to ensuring that 
patients know how their medical information is being used, what their 
rights are and how they can exercise them. That is not up for debate. 
What is up for debate is whether the current medical privacy 
regulations enhance medical privacy or frustrate it by delaying care 
for patients. The current privacy rule prohibits patients and their 
physicians from scheduling any testing procedures, outpatient surgery 
or other care the government determines isn't an emergency until the 
patient (1) receives and reads their privacy notice, and (2) signs and 
returns the consent form to the hospital. For hospitals, the answer is 
clear: the written consent requirement will frustrate patients and 
providers to no necessary end.
    To test consumer reaction to these written consent requirements, 
the AHA commissioned an independent research firm, Market Strategies, 
to poll more than 900 consumers this month about their reaction to the 
way hospitals were required to implement the consent requirement under 
the medical privacy regulation. Here's what consumers told them:
     86 percent think asking a sick person to sign a legal 
document that could be 10 pages when they see a doctor, nurse or pick 
up a prescription at the pharmacy is an unnecessary burden.
     85 percent agree that elderly Americans will be hurt the 
most because they see many different physicians and often have someone 
else pick up prescriptions for them.
     84 percent believe that time spent in a doctor's office 
should be spent on patient care, not filling out more paperwork.
     77 percent agree that the government should not make 
hospitals wait to schedule tests until the patient reads the privacy 
notice and signs and returns a consent form to the hospital.
    The April poll confirms what the AHA had learned earlier this year 
from a series of four focus groups that Market Strategies conducted in 
Tampa and St. Louis. When apprised of the written consent requirements, 
consumers said:

                ``This will be a paperwork nightmare.''

 ``They should simply require that hospitals and pharmacies post this 
         [privacy notice], but signing a form is ridiculous.''

 ``I've waited 2 hours to see the doctor and he's got to do all this?''

    The recent announcement by the Department of Health and Human 
Services (HHS) that it was proposing to replace redundant written 
consent requirements with a written acknowledgment came as welcome 
news. That proposal does not weaken, much less eliminate, any of a 
patient's privacy rights. It does not change the fact that hospitals 
are not permitted to use patients' information for marketing or 
research, without their express written permission. Instead, it allows 
hospitals to immediately work with patients and their doctors to 
provide or schedule medical treatment or tests. Hospitals are still 
required to try and obtain written acknowledgment from a patient that 
he or she has received the privacy notice, but they can do so when it's 
convenient for the patient--not the government. Moreover, asking 
patients to acknowledge in writing that they have received the 
hospital's privacy notice signals to patients that the notice contains 
important information that they should read and understand.
    Hospitals welcome the proposed change because we care for and about 
patients--we want all of our patients to be met at the hospital door 
with care and compassion, not paperwork and delay. Written 
acknowledgement will let us keep that promise.
    Many lawmakers agree. On July 3, 2001, 165 members of the House of 
Representatives sent a bi-partisan letter to HHS Secretary Tommy 
Thompson telling him that ``scheduling patients for surgery, x-rays or 
other vital services should not depend on patients having to complete 
an exhaustive privacy and consent form that could be 10-or-more pages 
long.'' HHS responded by replacing redundant written consent with 
written acknowledgement, which eliminates a barrier to patient care.
Conclusion
    A top priority for America's hospitals is safeguarding patient 
privacy while ensuring that nothing gets in the way of patient care. 
HHS' proposal to replace the redundant written consent requirement with 
patient acknowledgement removes one of the privacy rule's key 
roadblocks to the delivery of good patient care. It is good for 
patients and hospitals and does not sacrifice patients' privacy rights.
    Why Written Acknowledgement Is Better for Patients and Providers
    As a result of HHS's proposed changes to the HIPAA privacy rules, 
the AHA has prepared a series of Qs & As to help hospitals respond to 
inquiries from patients and the public.
    Question 1. Will I know what my rights are if I don't have to sign 
a written consent form for hospitals to use my health information?
    Yes. Hospitals are still required to provide you with a written 
notice of their privacy practices (called a ``privacy notice'') that 
explains how hospitals are permitted to use your medical information. 
Hospitals are permitted to use your medical information for only three 
purposes: (1) treating you; (2) obtaining payment for your care; and 
(3) for their own operations, including improving their ability to 
provide quality care to you and other patients. Hospitals are not 
permitted to use your medical information for any other purpose, such 
as for marketing or research, without your written permission, except 
in a medical emergency or other very limited circumstances, such as 
those permitted or required by Federal and State law.
    The privacy notice explains your medical privacy rights, such as 
your right to see and copy your information or request to change that 
information. It also tells you, for example, where you need to go to 
see and copy your information or to request to change it.
    Question 2. Doesn't signing a written consent form make it more 
likely that I will learn about or understand my privacy rights?
    No. The privacy notice you will receive from the hospital--not the 
written consent form--explains your privacy rights. The written consent 
form didn't provide any additional information that isn't already in 
the privacy notice. Under the changes proposed, hospitals will be 
required to have you acknowledge in writing that they have given you 
their privacy notice. Hospitals want patients to know and understand 
their medical privacy rights. And by having you acknowledge that you 
were given a copy of their privacy notice, hospitals are letting you 
know that the privacy notice has important information that you need to 
read and understand.
    Question 3. Will I be losing any of my privacy rights if I'm not 
required to sign a written consent form?
    No. None of your privacy rights will be lost. Your rights are 
guaranteed by the rule and by the notice, whether or not you sign a 
consent form. For example, you will still have the right to request 
that the hospital not contact you at the office with any test or 
medical results, but only call you at your home.
    Question 4. Was there something wrong with having patients sign a 
written consent form?
    Yes. Hospitals could not work with you or your doctor to schedule 
any testing procedures, outpatient surgery or other care the government 
determined wasn't an emergency until you (1) received and read their 
privacy notice, and (2) signed and returned the consent form to the 
hospital. Hospitals were not allowed to make any exceptions to this 
rule, even for disabled or elderly Americans or those who lived in 
remote rural areas. Hospitals were very concerned that their ability to 
respond quickly to the needs of their patients would be hampered by 
this unnecessary requirement and that patients would be frustrated with 
them because they were not allowed to make exceptions to this Federal 
law.
    Question 5. Will the hospital be able to use my health information 
in ways that are not approved by the Federal privacy rule if I don't 
sign a written consent form for the use of my information?
    No. The rules continue to obligate hospitals to use your health 
information only for (1) treating you; (2) obtaining payment for your 
care, and (3) for their own operations, including improving the quality 
of care they provide to you and other patients. Hospitals must explain 
the ways they will use your health information in the privacy notice 
they have to give to you. A hospital cannot use or disclose your health 
information in other ways, such as for marketing or research, unless 
the hospital gets your written permission before doing so.
    Question 6. Is a hospital prevented from getting my written consent 
to use my health information?
    No. Hospitals and doctors are still permitted to ask for your 
written consent before they use information about you to provide health 
care services; however, if they use a written acknowledgement, they 
won't have to delay providing care for you until you (1) received and 
read their privacy notice, and (2) signed and returned the consent form 
to the hospital or doctor.
    Question 7. Will hospitals know that I received their privacy 
notice if I don't have to sign a written consent?
    Yes. The proposed changes to the privacy rules require hospitals to 
have you acknowledge, in writing, that you received their privacy 
notice. At the time you receive the notice, the hospital will ask you 
to acknowledge in writing that you received the notice.
    Question 8. Will this new proposal requiring me to acknowledge that 
I have received the privacy notice mean that I'm spending more time 
filling out forms in the hospital admission office or emergency room?
    No. Signing an acknowledgement should not increase the time you 
have to spend in the admission process. In an emergency situation, this 
acknowledgement can even be delayed to allow you to give it at a less 
stressful and more convenient time.
    Question 9. Why is a written acknowledgement that I received the 
hospital's privacy notice better than the requirement that I sign a 
written consent?
    The written acknowledgement allows hospitals to immediately work 
with you or your doctor to treat you or to schedule any testing 
procedures, outpatient surgery or other care. In an emergency 
situation, hospitals can even delay getting your written 
acknowledgement until a less stressful and more convenient time for 
you. The acknowledgement does not take away any of your privacy rights. 
And it is still an effective way for hospitals to let you know that the 
privacy notice they give to you has important information about your 
privacy rights that they want you to read and understand.
    The written consent requirement, on the other hand, forced 
hospitals to delay scheduling any testing procedures, outpatient 
surgery or other care or giving you any treatment the government 
determined wasn't an emergency until you (1) received and read their 
privacy notice (which could be as long as 10 pages in order to meet 
Federal requirements), and (2) signed and returned the consent form to 
the hospital or doctor. Hospitals were not allowed to make any 
exceptions, even for disabled or elderly Americans or those who lived 
in remote rural areas. The written consent requirement increased the 
paperwork burden for patients and hospitals without giving you any new 
privacy rights that the rule and the privacy notice don't already 
guarantee or any additional information about your rights that isn't 
already in the privacy notice.
    Question 10. Do the proposed changes to the privacy rules affect 
any of my privacy rights?
    No. The proposed changes to the privacy rules do not do away with 
or weaken any of your privacy rights. Your rights continue to be 
guaranteed. The proposed changes only get rid of a significant 
roadblock that would have forced hospitals to delay your treatment 
until you (1) received and read their privacy notice, and (2) signed 
and returned the consent form to the hospital or doctor, and cut the 
unnecessary paperwork burden for patients and hospitals.
   Prepared Statement of Members of the Alliance of Medical Societies
    As you are aware, on March 27, 2002, the Department of Health and 
Human Services (HHS) issued a proposed rule to modify the ``Standards 
for Privacy of Individually Identifiable Health Information.'' We, the 
undersigned members of the Alliance of Medical Societies, strongly 
support the proposed modifications that HHS is considering with respect 
to prior consent and research and would also like to comment on the 
business associates provision.
    The Alliance of Medical Societies comprises 12 national medical 
societies representing more than 150,000 specialty-care physicians. Its 
mission is to promote sound Federal health care policies that will 
enhance the ability of specialty-care physicians to provide the best 
possible health care to their patients.
Prior Consent
    The proposed modifications to the prior consent portion of the rule 
represent a workable compromise between the original proposed 
regulation issued in 1999 that would have prohibited providers from 
obtaining consent and the final privacy regulation issued in 2000 that 
mandated prior consent requirements. These modifications maintain the 
patient privacy protections required by Congress without disrupting 
patient access to quality health care.
    The Alliance supports meaningful privacy protections for patients' 
medical records and believes that it is important for patients to be 
notified of their rights. The proposal for regulatory permission as 
opposed to mandatory written consent would not change the ethical and 
professional practice of physicians and most health care providers to 
obtain patient consent. Not only would the prior consent requirement 
add yet another mandatory form to the already unmanageable paperwork 
burden that physicians and practitioners face on a daily basis, it 
could pose serious problems for patient care. HHS outlined many of the 
potential problems in the proposed rule. We strongly believe that HHS 
chose wisely in proposing to make prior consent discretionary, and we 
oppose any efforts to change it.
Medical Research
    We also thank the Administration for improving the provisions 
governing medical research. The proposed modifications alleviate the 
burdens placed on medical researchers and remove obstacles that would 
impede important public health research. In particular, the Alliance 
supports the Administration's proposal to simplify the authorization 
process and to eliminate the inconsistent privacy review criteria for 
Institutional Review Boards. Without these critical changes, health 
care studies may be abandoned or avoided altogether as the burdens and 
liability associated with compliance would deter many medical 
researchers.
    In addition, although HHS did not propose to modify the de-
identification standard, we appreciate their call for additional 
comments on this provision. We urge the Department to reconsider the 
Final Rule's current standard, which requires the removal of 18 
characteristics from data in order to render it ``de-identified.'' Some 
of the data that must be removed--specifically, dates of admission or 
service and device serial numbers--are often needed when evaluating 
medical records for epidemiological and other health related research.
    We believe the regulation could be improved significantly by 
modifying the de-identification standard to require that information 
instead be stripped of direct identifiers that would facially identify 
an individual. Direct identifiers would be defined as name, address, 
electronic mail address, telephone number, fax number, social security 
number, health benefits number, financial account numbers, drivers 
license number or other vehicle numbers that are in the public records 
system.
Business Associates
    While the Administration proposes to provide a 1-year window for 
covered entities to revise their contracts with business associates, 
these same covered entities will be required to comply with the new 
rule regardless of whether or not a new contract has been secured. 
Hence, the 1-year window provides a false sense of flexibility. We are 
further concerned that HHS will require business associate contracts 
between two covered entities. This seems to defy reason since each 
covered entity will be required to comply with the regulation 
independently.
    To conclude, we strongly support meaningful and workable privacy 
protections for patients' medical records and appreciate this 
opportunity to express our views on the modifications to the privacy 
regulations proposed by HHS.
    Sincerely, American Academy of Dermatology Association; American 
Assoc. of Neurological Surgeons/Congress of Neurological Surgeons; 
American Association of Orthopaedic Surgeons; American College of 
Cardiology; American College of Radiology; American Society of Cataract 
& Refractive Surgery;
                  Prepared Statement of Sue A. Blevins
    Thank you, Mr. Chairman and Committee members, for holding this 
timely public hearing to examine how the proposed revisions to the 
Federal medical privacy rule will affect patients' control over their 
personal health information. I appreciate the opportunity to submit 
written testimony and focus on the concerns raised by thousands of 
citizens who submitted comments to the U.S. Department of Health and 
Human Services (HHS) opposing access to their personal health 
information without their consent.
    In particular, sections 164.502 and 164.506 of the revised rule 
give the Federal Government the regulatory authority to decide for each 
and every citizen who can access individuals' medical information--
including genetic information--for most purposes, including medical 
treatment, payment and health-care operations. The U.S. Department of 
Health and Human Services and the medical industry should not be making 
these decisions for individuals. In fact, a national Gallup survey 
shows that Americans want to be the ones to decide who can see their 
personal health information with--or without--their consent.
Majority of Americans are Concerned About Medical Privacy According to 
        a National Gallup Survey
    The Institute for Health Freedom commissioned a national Gallup 
survey to find out how Americans feel about medical and genetic 
privacy. We had heard from privacy advocates across the country about 
their concerns. But we wanted to find out how ordinary citizens across 
the Nation--not just privacy advocates--feel about the issue.
    The national Gallup survey was conducted between August 11 and 
August 26, 2000 and the results are posted at the Institute for Health 
Freedom's Web site: www.ForHealthFreedom.org. (As of April 2, 2002, the 
survey had not been updated by the Gallup Organization.) The survey of 
1,000 adults nationwide found an overwhelming majority of Americans do 
not want third parties to have access to their medical records--
including genetic information--without their consent.
     95 percent say banks should not be allowed to see 
patients' medical records without individuals' consent;
     92 percent oppose allowing governmental agencies access to 
patients' medical records without permission;
     88 percent oppose letting police or lawyers review medical 
records without explicit consent;
     84 percent say employers should not be allowed access to 
patients' medical records without permission; and
     67 percent oppose researchers accessing patients' medical 
records without consent.
    The national Gallup survey also included two important questions 
about genetic privacy. One asked whether doctors should be allowed to 
test patients for genetic factors without their consent. Only 14 
percent of respondents would permit such testing; 86 percent oppose it.
    The other question asked whether medical and governmental 
researchers should be allowed to study individuals' genetic information 
without first obtaining their permission. More than nine in ten adults 
(93 percent) feel medical and governmental researchers should first 
obtain permission before studying their genetic information.
    What's more, when asked whether they are aware of a Federal 
proposal to assign a medical identification number--similar to a Social 
Security number--to each American, only 12 percent said they had heard 
anything about it. College-educated adults (16 percent) are more likely 
than those with less than a college education (8 percent) to be aware 
of the proposal. Regardless of their knowledge about it, however, an 
overwhelming majority (91 percent) oppose the plan.
    I strongly encourage this committee to consider how the final and 
revised Federal medical privacy rule is going to strip patients of the 
ability to decide who can access their personal health information 
(including genetic information) with--or without--patients' consent.
    Finally, following is a ``questions and answers'' summary about the 
proposed revised Federal medical privacy rule:
Update on the Federal Medical Privacy Rule: Questions and Answers*
    Americans are being told they will have stronger medical privacy 
protections under the revised Federal medical privacy rule published in 
the Federal Register on March 27, 2002.\1\ However, the following 
``questions and answers'' summary shows that the revised rule does not 
provide patients stronger medical privacy. Rather, it actually weakens 
individuals' ability to restrict access to their medical records.
---------------------------------------------------------------------------
    \1\ ``Standards for Privacy of Individually Identifiable Health 
Information,'' Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 
14776-14815, [http://www.access.gpo.gov/su--docs/fedreg/aO20327c.html].
---------------------------------------------------------------------------
    The following summary is based on a review of the revised Federal 
medical privacy rule (published March 27, 2002) \2\ compared to the 
final Federal medical privacy rule (published December 28, 2000).\3\ 
Citations to specific key pages are provided to help the public, media, 
and policymakers understand the serious implications of the rule.
---------------------------------------------------------------------------
    \2\ Ibid.
    \3\ ``Standards for Privacy of Individually Identifiable Health 
Information,'' Federal Register, Vol. 65, No. 250, December 28, 2000, 
pp. 82462-82829, [http://www.access.gpo.gov/su--docs/fedreg/
aO01228c.html].
---------------------------------------------------------------------------
Does the revised Federal medical privacy rule provide consumers greater 
        control over the flow of their personal health information?
    No, under the revised Federal medical privacy rule, patients will 
not be in control of deciding whether they want health insurers, 
doctors, and medical data-processing companies to share their personal 
health information--including genetic information--with others. Rather, 
health insurers, doctors and medical data-processing companies are 
actually granted ``regulatory permission'' to share patients' health 
information for any activities related to patients' health care 
treatment, processing of their health care claims, or ``health care 
operations''--a term which encompasses many activities unrelated to 
patients' direct care (such as permitting FBI officials to search 
medical records looking for fraud and abuse activities).\4\
---------------------------------------------------------------------------
    \4\ Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14780, 
14812.
---------------------------------------------------------------------------
    Also, under the revised Federal medical privacy rule health 
insurers, doctors, and medical data-processing companies will not need 
to get patients' written, informed consent before sharing patients' 
personal health information--including past medical records and genetic 
information--with many third parties.
How Does Congress or HHS Define ``Medical Privacy'' or ``Privacy''?
    They don't. Ironically, while the Federal medical privacy rule 
includes many definitions, the terms ``medical privacy'' or ``privacy'' 
are not clearly defined in the rule.\5\ Instead, a Federal committee 
composed primarily of fact-gathering experts was given the legal 
authority to advise HHS in establishing standards for Americans' 
medical privacy.\6\
---------------------------------------------------------------------------
    \5\ Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 
82798, 82803-82805; Federal Register, Vol. 67, No. 59, March 27, 2002, 
pp. 14810-14812.
    \6\ Federal Register, Vol. 67, No. 59, March 27, 2002, p. 14777.
---------------------------------------------------------------------------
Are patients guaranteed the right to sign private contracts with their 
        doctors to withhold personal health information from third 
        parties?
    No, patients cannot withhold their personally identifiable health 
information from the U.S. Department of Health and Human Services. In 
fact, the rule creates a massive Federal mandate that requires every 
doctor and other health care practitioner to share patients' records 
with the Federal Government--specifically the U.S. Department of Health 
and Human Services (HHS)--without patient consent.\7\ The Federal 
Government even has the right to access an individual's psychotherapy 
notes in order to monitor compliance with the rule.\8\
---------------------------------------------------------------------------
    \7\ Federal Register, Vol. 65, No. 250, December 28, 2000, p. 
82802.
    \8\ Ibid., pp. 82811, 82805.
---------------------------------------------------------------------------
Will patients be guaranteed the right to an accounting of to whom and 
        when their personal health information was disclosed for health 
        care services related to their treatment and processing of 
        health claims?
    No, patients will not receive an accounting of to whom and when 
their records were disclosed for most health care services, including 
activities related to treatment, payment, or health care operations (a 
broad definition encompassing many uses).\9\
---------------------------------------------------------------------------
    \9\ Ibid., p. 82826.
---------------------------------------------------------------------------
    In just a few years, patients' personally identifiable health 
information is going to be flowing over the Internet--without patients' 
permission--for purposes related to treatment, payment, and health care 
operations. But patients won't even know this is happening because they 
won't be able to obtain an accounting of disclosures for treatment, 
payment, and health care operations.
Will President Bush's proposed changes to the Federal medical privacy 
        rule (published March 27, 2002) strengthen or weaken Americans' 
        medical privacy?
    It is important to note that the Clinton Administration initially 
proposed prohibiting doctors and hospitals from getting patients' 
consent before releasing their medical information.\10\ But after 
receiving more than 52,000 public comments, the Clinton Administration 
revised the rule and added a very weak, coercive consent provision.
---------------------------------------------------------------------------
    \10\ Federal Register, Vol. 64, No. 212, November 3, 1999, p. 
59941.
---------------------------------------------------------------------------
    However, the Bush Administration is legally permitting health 
insurers, doctors and medical data-processing companies to release 
patients' personal health information without asking patients for their 
permission. Instead, these entities can simply provide notices of how 
the information will be shared. This policy takes the active 
decisionmaking authority away from patients and shifts it to doctors 
and hospitals. This is a major shift away from the precious health care 
ethics that we have honored for many years in this country: the ethics 
of consent and confidentiality.
In addition to allowing patients' medical records to be disclosed for 
        treatment, payment and health care operations, who else can see 
        patients' records without patients' consent?
    Under the Bush Administration's revised rule (as under the Clinton 
Administration's final rule), Americans' medical records can be 
disclosed for many broadly defined purposes without patient consent, 
including, but not limited to, the following:
     Oversight of the health care system
     FDA monitoring (including dietary supplements)
     Public health surveillance and activities
     Foreign governments collaborating with U.S. public health 
officials
     Research (if an IRB or privacy board waives consent)
     Law enforcement activities
     Judicial and administrative proceedings
     Licensure and disciplinary actions.\11\
---------------------------------------------------------------------------
    \11\ Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 
82525, 82528, 82813-82817.
---------------------------------------------------------------------------
Does the Federal medical privacy rule provide patients recourse if 
        their privacy is breached?
    No, patients are not guaranteed any recourse other than the right 
to complain.\12\ They can complain to their health care providers or 
institutions about privacy breaches. They also can complain to the 
Secretary of the U.S. Department of Health and Human Services. However, 
the HHS Secretary does not have to investigate the complaint. The final 
rule reads that the Secretary ``may,'' not ``shall,'' investigate 
complaints.\13\
---------------------------------------------------------------------------
    \12\ Ibid., pp. 82801-82802.
    \13\ Ibid., p. 82802.
---------------------------------------------------------------------------
    Additionally, individuals do not have a private right of action 
(they can't sue) if their privacy is breached under the final medical 
privacy rule.
Why was the Federal medical privacy rule created in the first place?
    The Federal medical privacy rule was established as dictated by the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
that fosters the development of a national health information network 
through standardized codes for all health care services nationwide.\14\ 
The HIPAA law requires health plans to use national standardized codes 
for electronic transactions for payment of medical care. The HIPAA law 
additionally requires that unique health identifiers be assigned to 
four groups, including every: (1) individual, (2) health care provider, 
(3) employer, and (4) health plan.\15\ Those identifiers will 
facilitate electronic transactions for all types of health care, 
whether services are paid by government or privately. (Note: the 
individual identifier has been put on hold temporarily for 1 year.)
---------------------------------------------------------------------------
    \14\ ``Health Insurance Reform: Standards for Electronic 
Transactions; Announcement of Designated Standard Maintenance 
Organizations; Final Rule and Notice,'' Federal Register, Volume 65, 
No. 160, August 17, 2000, pp. 50312-50313.
    \15\ Ibid., p. 50313.
---------------------------------------------------------------------------
    The result will be that each patient's visit to a doctor or 
hospital will be easily tracked.
    In the next few years, it is going to become increasingly simple to 
transfer electronic medical records over the Internet. With just a 
click of a mouse, it will be much easier to access and share 
individuals' records with many third parties. That is why all Americans 
should become informed about the Federal medical privacy rule and 
demand the right to control their most personal information--their 
health information, including genetic information.
    * This update analysis on the Federal medical privacy rule was 
prepared by Sue Blevins, President, Institute for Health Freedom and 
Deborah Grady, Research Associate, Institute for Health Freedom. Many 
of the Federal medical privacy rule provisions remain the same as those 
analyzed in a previous paper titled ``The Final Federal Medical Privacy 
Rule: Myths and Facts'' by Sue Blevins and Robin Kaigh, Esq. (February 
8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/
MedPrivFacts.html].

    [Whereupon, at 12:10 p.m., the hearing was adjourned.]