Thursday, February 7th 2002
The Honorable Tommy G. Thompson
Secretary of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
United States Senate
Committee on Health, Education, Labor, and Pensions
Washington, DC 20610-6300
Dear Mr. Secretary:
We share your strong desire to establish effective and workable federal standards to protect the confidentiality of patient information. As the Department considers modifications to improve the confidentiality regulations developed under the Health Insurance Portability and Accountability Act (HIPAA), we urge that the Department issue these changes expeditiously, but with certain improvements set forth below that will better protect patient privacy and ensure access to higher quality health care.
The Guidance issued by the Department in July recognizes inherent flaws in the current rules. However, the Guidance implies that new rulemaking may attempt to address each problem as it arises. Rather than attempt to address the myriad of problems that may arise under the rule on a case-by-case basis, we instead urge you to make fundamental modifications to the rule to address its shortcomings while maintaining strong privacy protections for consumers.
While we believe there are problems that need to be addressed in several areas (including prior consent, research, minimum necessary, business associates, independent practice associations, marketing, oral communication, sponsor-plan relationships, health promotion, electronic notice, and joint benefit determinations), a few basic improvements to the prior consent and research provisions would significantly improve the rule's workability and effectiveness. We also urge that you pay particular attention to the impact that the rule may have on the ability to rapidly identify and treat victims of bioterrorism and other public health emergencies.
Prior Written Consent
We believe the final rule's requirement that prior written consent be obtained from a patient before patient information may be used or disclosed for routine purposes (treatment, payment, health care operations - "TPO") is ineffective and unworkable. We are concerned that patient care could suffer dramatically as the rule hinders the ability of health care providers to deliver care.
Among the list of essential health care activities that patients would find altered (or even eliminated) under the current rule: phoned-in prescriptions, prescription refills; first-time referrals by physicians; scheduling and preparing for surgery appointments; quality assurance programs; chronic disease programs; transitions for physicians using existing patient information; use and disclosure of patient information by paramedics and ambulance personnel; and surveillance and communications functions necessary for providers to treat patients who may be victims of bioterrorism.
Stakeholders raising concerns with the prior written consent provision range from consumer groups, to group practice physicians, to hospitals. These, and others, point out that the regulation's prior consent requirement may impose substantial barriers to care, as patients may not receive medical treatment if they do not consent. This provision will particularly inconvenience senior citizens, disabled individuals, and those who live in rural areas. Moreover, it almost certainly will require vast, unnecessary expenditures for the development of data systems capable of tracking millions of written consents.
We recommend a straightforward solution: return to the "regulatory consent" approach proposed by the previous Administration. The Clinton Administration's 1999 Notice of Proposed Rulemaking (NPRM) had it right when it argued forcefully that protection of patient information during routine uses and disclosures for treatment, payment, and health care operations should not require patients to provide their prior, written consent. The proposed rule's preamble went to great lengths to explain that such consent was unworkable and would not create meaningful privacy protection.
We are also concerned that the research provisions of the final rule could prevent patient access to medical breakthroughs and improved health care. Over 140 academic research institutions, medical speciality doctors, hospitals and others recently wrote to the Department to warn of the potential problems caused by the rule. "[The rule] will seriously impair our ability to conduct clinical trials, clinico-pathological studies of the natural history and therapeutic responsiveness of disease, epidemiologic and health outcome studies, and genetic research."
We believe that there are key problems with the research provisions of the rule. First, the current "de-identification" standard is so stringent that it will render data inappropriate for or incapable of use in research. Therefore, this provision will have the opposite of its intended effect - it will create a disincentive for "de-identifying" health information because the standard is unnecessarily high. A research entity that arranges for the secure research use of data that is stripped of direct identifiers (not including characteristics such as dates, zip codes) should be allowed access to Personal Health Information without special authorization or review. The regulation should be modified accordingly.
Also, we do not believe that the rule should impose unnecessarily stringent privacy requirements on research that is reviewed by an Institutional Review Board (IRB). The current rule requires new authorizations for "research related to treatment" that add explanations of details regarding the HIPAA privacy regulation to the informed consent documents that are used in clinical trials. These new requirements are confusing, are inconsistent with other, current requirements, and do little to enhance privacy protections. Instead, IRB-reviewed research should be afforded greater deference in the modified rule.
In addition, we are concerned by the new criteria for waiver of authorization that ask a Privacy Board to weigh the benefits of the research against the privacy risks to the individual. This requirement may not be workable, as it would require the Board to struggle with a subjective, value-laden decision that would have little impact on individual privacy. This requirement will result in confusion rather than clarity, and impose additional unnecessary burdens on research.
Finally, the overly restrictive conception of public health registries in the rule could threaten patient safety, which depends on using data collected in registries to improve clinical care. A small change to the regulation text that would allow post marketing surveillance as necessary or appropriate to assure safe and effective use of products regulated by the FDA would correct this problem.
Bioterrorism and Other Public Health Threats and Emergencies
The events of September 11, and subsequent anthrax attacks, have heightened awareness of the risks our nation faces from bioterrorism. We applaud the efforts your Department has made during the past several months to improve our nation's public health system to protect against bioterrorism and other public health threats. In light of these recent efforts, we strongly encourage you to review all aspects of the privacy regulation to ensure that it does not unintentionally impede the ability of state and local governments, the federal government, and private entities, to work together to rapidly identify and treat victims of bioterrorism. In particular, we are concerned that the rule's prohibition on the sharing of aggregate information containing certain information (such as geographic location and date of service) would make it impossible to effectively track and monitor disease outbreaks in a timely fashion.
We appreciate your consideration of these comments. As noted above, the proposed changes will go a long way toward addressing some of the most troubling aspects of the current regulations.