Index to this document:

• Part I. Overview
• Part II. The Need And Demand For Federal Privacy Protection
• Part III. The Medical Records Confidentiality Act
• Part IV. Recommendations for Improving the Bill
• Part V. Conclusion

Madame Chairwoman and Members of the Committee:

I. OVERVIEW

My name is Janlori Goldman and I am the Deputy Director of the Center for Democracy and Technology (CDT). I appreciate the opportunity to testify before you today on behalf of CDT in support of the Medical Records Confidentiality Act of 1995, (S.1360).

CDT is a non-profit, public interest organization founded by civil liberties advocates to advance public policies protecting civil liberties and democratic values in the development of new media. One of CDT s primary goals for the 104th Congress is the passage of federal legislation that establishes strong, enforceable privacy protection for personally identifiable health information. We believe the need for such legislation is the most critical information privacy issue facing our country today. Further, the passage of a medical records confidentiality bill should be viewed as an essential stepping stone to achieving other health care reform goals. The public will not have trust and confidence in the emerging health information infrastructure if their sensitive health data is vulnerable to abuse and misuse. We strongly support S.1360, and applaud Senators Robert Bennett and Patrick Leahy, as well as the bill's co- sponsors for their strong leadership towards enacting medical confidentiality records legislation this Congress.

At present, there is no comprehensive federal law to protect peoples' health records. However, a Louis Harris survey found that most people in this country mistakenly �believe their personal health information is currently protected by law. And most people mistakenly believe they have a right to access their own medical information. In fact, only 28 states allow patients access to their own medical records and 34 states have conflicting confidentiality laws. A federal privacy policy is urgently needed to address the fact that the traditional doctor-patient relationship is being intruded upon by increasing demands for health information. CDT believes Congress must act to protect personally identifiable health information so that the reality of our laws will finally conform, to some extent, with the perception and desires of the American public.

To that end, CDT has been working with a diverse coalition of privacy and consumer advocates, health policy specialists and industry representatives, to develop a consensus on privacy policy for personally identifiable health information (see attached letter to Senator Bennett). This consortium of groups has operated with a keen understanding of the advances in technology today.

The societal impact of technological innovations, including those that allow medical records, data and images to be transferred easily over great distances, is felt across our country in significant ways. The development of a national information infrastructure and information superhighway are changing the ways we deal with each other. Traditional barriers of distance, time and location are disappearing as information and transactions become computerized, and few relationships in the health care field will remain unaffected by these changes. In the absence of any Congressional action on S.1360, the collection and use of personally identifiable health information will continue to occurr within electronic networked environments without privacy protections.

But while this information revolution may hold great promise for enhancing our nation's health, CDT and others who support S.1360 believe that personal health information, in both paper and electronic form, must be handled within enforceable privacy rules. Even useful technologies pose potential risks, as conflicts may arise between an individual's need to keep health information confidential and the economic opportunities posed by the computerization of health records, from lowering the cost of processing insurance claims to selling personal medical records for marketing purposes.

Confidentiality must not be an afterthought in the design and use of information systems. A provision known as "administrative simplification" has been included in the House-passed budget reconciliation bill and mandates that certain personal health information be reported in standardized, electronic form. Although"administrative simplification" fosters the development of networked health information databases, the provisioin is silent on privacy. Without protections such as those incorporated in S.1360, CDT believes the "administrative simplification" section should not become law.

CDT strongly supports the Medical Records Confidentiality Act as the most comprehensive and strong privacy bill the Congress has yet considered in this area. Similiar legislation was widely supported by both Republicans and Democrats during last Congress' effort to enact health care reform. We commend Senator Bennett, Senator Leahy and this Committee for the leadership and commitment you have shown on this important legislation. Our testimony today outlines the need for this legislation, discussion of S.1360, and our recommendations for strengthening and clarifying several sections of the bill.

II. THE NEED AND DEMAND FOR FEDERAL PRIVACY PROTECTION

A. Consensus Exists

A consensus exists that federal legislation is needed to protect the privacy of personal health care records. At a conference in Washington, D.C. two years ago, co-sponsored by the U.S. Office of Consumer Affairs, the American Health Information Management Association, and Equifax, nearly every panelist and member of Congress supported the need for making privacy an integral part of the health care reform effort underway at that time. In agreement were panelists from the American Medical Association, CIGNA Health Care, the U.S. Public Interest Research Group, Computer Professionals for Social Responsibility and IBM.

At the conference, Louis Harris and Associates released their Health Information Privacy Survey, prepared with the assistance of Dr. Alan Westin, a privacy expert at Columbia University. The survey found that the majority of the public (56%) favored the enactment of strong comprehensive federal legislation governing the privacy of health care information. In fact, eighty-five percent (85%) said that protecting the confidentiality of medical records was absolutely essential or very important to them. Most people wanted penalties imposed for unauthorized disclosure of medical records (96%), guaranteed access to their own records (96%), and rules regulating third-party access.

A 1992 Harris survey showed that while a large majority of people recognize the benefits to society of innovative technology, nearly nine out of ten people believe computers make it easier for someone to improperly obtain confidential personal information. Twenty-five percent of the public believe they have been the victim of an improper disclosure of personal medical information.

In addition, a number of federal studies have concluded that a federal law is needed to protect peoples' medical records. In 1994, the Office of Technology Assessment (OTA) issued a report entitled Protecting Privacy in Computerized Medical Information, which addresses the effects of the computerization of medical records on people's privacy. In recommending comprehensive federal legislation, OTA found that:

[t]he expanded use of medical records for non treatment purposes exacerbates the shortcomings of existing legal schemes to protect privacy in patient information. The law must address the increase in the flow of data outward from the medical care relationship by both addressing the question of appropriate access to data and providing redress to those who have been wronged by privacy violations. Lack of such guidelines, and failure to make them enforceable, could affect the quality and integrity of the medical record itself. (OTA Report, p. 44).

The Institute of Medicine (IOM) of the National Academy of Science released a study that focused on the risks and opportunities associated with protecting the privacy and confidentiality of personally-identifiable health data. The IOM report recommended that Congress enact legislation to preempt state laws to establish a uniform requirement for the confidentiality and protection of privacy rights for personally- identifiable health data, and specify a Code of Fair Health Information Practices to ensure a proper balance between required disclosures, use of data, and patient privacy.

Most recently, Professor Larry Gostin concluded that a federal preemptive statute based on fair information practices was necessary to protect personal privacy as networked health information databases are growing. (80 Cornell Law Review 451 (1995).

All these efforts represent a tremendous pulling together of the public and private sector to achieve a critical goal -- the passage of a health records confidentiality law. Nearly twenty years ago there was similar pressure to craft a medical records privacy law. In 1977, the federal Privacy Protection Study Commission issued a report recommending legislation to protect private sector records, including medical and insurance records. The Commission's recommendations sparked a Congressional effort to enact a medical records privacy bill. In 1980, due in part to pressure from the law enforcement community for unfettered access to health records, the legislative effort failed.

B. Negative Consequences

The unauthorized disclosure of personal health information can have disastrous consequences. New York Congresswoman Nydia Velazquez won her House seat only after overcoming the results of an unauthorized disclosure. Her medical records -- including details of a bout with depression and suicide attempt -- were faxed to a New York newspaper and television station during her campaign.

More common, and in some ways more troubling than the well- publicized privacy invasions of public figures, are the consequences suffered by ordinary individuals whose privacy has been compromised by the disclosure of medical information.

In one instance, a journalist disguised himself as a doctor, obtained an actress medical record and published that she had been treated for a sexually transmitted disease. In another case, a physician at a large New York City medical school logged on to a computer system, discovered that a nurse was pregnant, and proceeded to publicize that information. Also, a Colorado medical student sold medical records to attorneys practicing malpractice law. These are just a few of the more well known stories; undoubtedly there are millions of similar breaches that occur either without the knowledge of the individuals harmed or outside the media's spotlight.

Further, errors in peoples medical records have been difficult to correct and control. For instance, Mary Rose Taylor of Springfield, Massachusetts went without health insurance for a year and a half because of a computer error at the Medical Information Bureau (MIB), a clearinghouse of medical information kept by insurance companies. MIB reported that Ms. Taylor had an abnormal urinalysis, even though she had only undergone a blood test. Ms. Taylor was forced to go to the insurance commissioner of her state to have the error corrected before she could finally receive health insurance.

Despite the public and private horror stories, many Americans trust that the information they share with their doctor is kept private. Indeed, the traditional nature of the doctor-patient relationship is intended to foster trust and to encourage full disclosure. However, once a patient's information is submitted to a third-party payor, or to any other entity, the ethical tie between doctor and patient evaporates. In fact, in a particularly telling statistic, 93% of those termed "leaders" in the Harris survey, including hospital CEOs, health insurance CEOs, physicians, nurses, and state regulators, believe that third party payors need to be governed by detailed confidentiality and privacy policies.

Within our current health care system, many people try to protect themselves against potential privacy violations. Some people routinely ask doctors to record a false diagnosis because they fear their employer may see their health records. Some people don t even tell their doctors everything about their medical condition for fear of losing control over this sensitive information. In psychiatric practices, it is common for many patients to ask doctors not to take notes during sessions for fear such notes could be leaked or even obtained legally with a subpoena. And some people try to avoid the creation of a record altogether by paying for medical services out-of- pocket, even though they are entitled to insurance coverage.

A few insurers have been candid enough to concede that their primary business relationship is with the employer/customer and not the employee/patient. These insurers may be reluctant to disclose individually-identifiable health information if requested by an employer, but they will comply if pressed. No federal law prevents disclosures by insurers to employers. Most patients, of course, believe the fiduciary relationship is between themselves and their doctors, and don't realize that a third party with no direct relationship to their medical treatment actually controls the information. It is intolerable to support a system in which an employer's payment of a portion of employees health care premiums, a normal part of most American employees compensation packages, amounts to employers controlling their employee's health records.

The problems that arise because of a lack of uniform, federal privacy protection for identifiable health information are often exacerbated by advances in technology. For example, at the state and local level today, employers, insurers, and health care providers are forming coalitions to develop automated and linked health care systems containing lifetime health histories on millions of Americans. The primary goals of these projects are cost reduction and improved quality of care.

Attempts are being made in some state coalitions to address the privacy, confidentiality and security of health data by crafting internal guidelines, regulations and contracts. In addition, in those states where the automation of health care information is seen as a key component of a state's health care reform package, state legislatures and public agencies are attempting to enact legislation that establishes a right of privacy in personally identifiable health care information. These states are also attempting to design effective enforcement penalties and oversight mechanisms to monitor the information practices of these newly created health data systems.

The outcome of this piecemeal, state by state, approach to protecting the privacy and security of health care information will be conflict among the states and a setback for the overall goal of privacy protection. Relegating the protection of health care information to the states' different guidelines, policies and laws leaves individuals subject to differing degrees of privacy depending upon where they receive their health care. In some instances, this means that individuals traveling across county or state lines to receive necessary medical treatment may lose their ability to control how their personal medical information is used. Moreover, states and local governments with different rules governing the use of health care information may be prevented from sharing health care information contained in their systems with neighboring states that insufficiently protect privacy.

Health care records, in both paper and electronic form, deserve privacy protection. But the vulnerability of information to unauthorized use grows exponentially as the computer makes possible the instant sharing of information. As a 1992 study by the Workgroup for Electronic Data Interchange (WEDI) pointed out: "The paper medium is cumbersome and expensive . . . Ironically, it is the negative impact of the paper medium . . . that has minimized the risk of breaches of confidentiality. Although a breach could occur, if someone gave access to health records or insurance claim forms, the magnitude of the breach was limited by the sheer difficulty of unobtrusively reviewing large numbers of records or claim forms. "

Nevertheless, technology itself is not the evil. Information systems can actually be designed to promote the confidentiality and security of personal information. For instance, a computerized system can sometimes be more closely guarded through technological devices than paper systems can sometimes be protected from prying eyes. The key is to recognize technology's potential to enhance privacy, not simply to focus on the risks technology poses to undermine privacy. There is widespread agreement among privacy and security experts that protections must be built in on the front-end; it is too difficult and risky to try to add them after the fact. Privacy and security must be viewed as the foundation on which health information networks are created. Only then can we acheive�the potential for enhancing privacy and security.

III. THE MEDICAL RECORDS CONFIDENTIALITY ACT

CDT strongly supports the Medical Records Confidentiality Act. In particular, we support provisions in the bill that:

• Gives people the right to see, copy, and correct their own medical records;

• Limits disclosure of personal health information by requiring an individual's permission prior to disclosure of his or her health information by doctors, insurance companies, and other health information "trustees";

• Requires the development of safeguards for the use and disclosure of personal health information;

• Creates a warrant requirement for law enforcement access to peoples' health records;

• Imposes strict civil penalties and criminal sanctions for violations of the Act, and provides individuals with a private right of action against those who mishandle their personal medical information; and

• Preserves state and federal laws that may be more privacy protective in certain areas, such as public and mental health.

Without protections such as those embodied in S.1360, the rise of patchwork regulation and the widespread electronic transmission of records will produce the worst of both worlds--confusion and red tape for legitimate data users, as�well as debilitating fear and mistrust for people seeking medical care.

IV. RECOMMENDATIONS

CDT believes that the Medical records Confidentiality Act represents a vast improvement on current law. Nevertheless, we urge that the bill be strengthened and clarified in a number of area, most notably by 1)requiring consent for disclosure to health researchers; 2)heightening the warrant requirement for law enforcement access; and 3)narrowing the scope of the oversight section.

A. Health Research

S.1360 currently allows researchers to receive protected health information without first obtaining an individual's authorization. We believe this is an unnecessarily broad exception and should be rewritten to incorporate a consent model.

We acknowledge that in some instances the use of records for health research may be a legitimate exception to the bill's authorization requirements. But CDT does not believe that the exceptions for research should be made broadly or routinely. Research does not usually require the release of identifiable data; anonymous non-identifiable data are often sufficient. In fact, research does not usually require the release of identifiable data without consent; it is often possible to get consent easily and prospectively.

CDT recommends that the research section be amended to require an individual's authorization prior to disclosure of personally identifiable information. We urge the committee to consider an analagous situation in which federal regulations that apply to NIH-funded biomedical research presume that consent will be obtained for use of personal medical records. Under those regulations, the nonconsensual release of records is only allowed when such records are required for the research to be effective, consent would be infeasible, and the project s significance outweighs the intrusion into privacy.

The regulations have worked well for years at institutions funded by the NIH. Since they acknowledge an individual's privacy interest while recognizing the value of research, we would urge the Committee to review them and to incorporate similar provisions in the bill.

B. Oversight

We believe that the use of records for authorized oversight functions may be a legitimate exception to the general rule of nondisclosure. However, we are concerned about the breadth of the exception currently in S.1360. As drafted, the oversight provisions of the bill have an almost undefined reach and could be over zealously extended. We recommend tightening this section by requiring oversight officials to obtain an administrative summons or subpoena for access to identifiable records.

We want to emphasize the importance of the general and specific limitations that are already in the bill. Under the general privacy rules of the bill, health oversight agencies cannot re-disclose identifiable information for other purposes not specially authorized. In addition, a health oversight agency may not use the information gathered in its oversight role for any actions against an individual other than those arising out of receipt or payment for health care or fraud.

With the inclusion of a legal process for access to identifiable information, CDT believes the bill will come closer to striking a fair balance between individual privacy and the government's legitimate needs to conduct audits and control fraud.

C. Law Enforcement

CDT strongly supports the creation of warrant requirement for law enforcement access to personal health records currently in S.1360. However, we urge that the proposed probable cause standard be heightened to equal the standard now in place for access to cable subscriber records. Under the Cable Communications Act of 1984, a warrant can not be issued for access to subscriber records until law enforcement can show "clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and the information sought would be material evidence in the case." We believe that federal privacy protection for peoples' medical records should be at least as strong-- if not stronger-- than we apply to peoples' cable records.

V. CONCLUSION

CDT believes the protection of personally identifiable health information is critical to ensuring public trust and confidence in the emerging health information infrastructure. Health care reform cannot move forward without assuring the American public that the highly sensitive personal information contained in their medical records will be protected from abuse and misuse. As the Harris surveys indicate, people are highly suspicious of large scale computerization and believe that their health records are in dire need of privacy protection. If people are expected to embrace and participate in a reforming health environment, the price of their participation must not be the loss of control of sensitive personal information.

In the end, any system that fails to win the public's trust will fail to win the public's support, and we risk having individuals withdraw from full and honest participation in their own health care. To allow people to fall through the cracks because their privacy is not fully protected is too serious a matter to continue to go unaddressed by the Congress. We urge you to continue your commitment to moving forward with this critical legislation.

We have come a great distance in achieving broad consensus on the principles of health information privacy and we look forward to working with you to refine and enact S. 1360.