AAMC Comment Letter on NPRM
"Standards for Privacy of Individually Identifiable Health Information"
Since the passage of the Health Insurance Portability
and Accountability Act (HIPAA) in 1996 [Public
Law 104-191], Congress has made numerous attempts to develop
legislation to provide individuals with a right of medical
information privacy. Unfortunately, the enormous complexity
of the issues, and the irreconcilable differences among the
many disparate stakeholders, precluded Congress from passing
comprehensive privacy legislation by the deadline of August
21, 1999 established in the HIPAA. Thus, the Department of
Health and Human Services (DHHS) is now required by HIPAA
to develop a set of regulations to protect the privacy of
individually identifiable health information.
On November 3, 1999, the DHHS released the notice of proposed
rule-making (NPRM) entitled “Standards
for Privacy of Individually Identifiable Health Information;
Proposed Rule.” In the NPRM, the Department attempts to
develop a clear and consistent set of privacy standards with
the broadest possible reach, notwithstanding the fact that its statutory
authority under HIPAA would limit the application of any regulations to
the electronic exchange of patient health information for administrative
and financial purposes, and that the standards would apply only to three
classes of covered entities: health plans, health care clearinghouses, and
health care providers.
The AAMC recognizes the importance and complexity of the
privacy issue and appreciates the effort that the DHHS has
invested in developing the NPRM. However, we have serious concerns about
the potential effects of this regulation on the nation’s health care
system and the public health, as well as concerns about the strategies
that the Department has contrived in its attempts to exceed its statutory
authority. We have expressed these concerns in the attached document,
which was submitted to DHHS on February 17, 2000.
If you have any questions, please contact AAMC Division
of Biomedical and Health Sciences Research (fax:202-828-1125)
February 17, 2000
Margaret A. Hamburg, M.D.
Assistant Secretary for Planning and Evaluation
United States Department of Health and Human Services
Attention: Privacy - P, Room G - 322A
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
Dear Assistant Secretary Hamburg:
The Association of American Medical Colleges (AAMC) appreciates
the opportunity to comment on the notice of proposed rule-making
(NPRM) entitled "Standards for Privacy of Individually
Identifiable Health Information" [64 Federal Register
59917-60065]. The AAMC represents all 125 accredited U.S.
medical schools, more than 400 major teaching hospitals and
health systems, 91 academic and professional societies representing
75,000 faculty members, and the nation's medical students
and residents. Our members and institutions provide basic
and specialized healthcare services, conduct research leading
to the discovery of medical knowledge and the development
of innovative treatments and therapies, and educate and prepare
physicians to meet evolving health care needs. Whether in
utilizing health information in the treatment of patients,
in educating future physicians, or in conducting clinical
research ranging from the etiopathogenesis of disease, translation
and clinical trials to studies in epidemiology, prevention
and health services, the AAMC is keenly aware of the need
to protect the privacy of individuals and the confidentiality
of individually identifiable health information.
The AAMC strongly believes that the only comprehensive and
nationally coherent solution to the complex and emotionally
freighted problems of "medical information privacy"
lies in federal legislation, and we have steadfastly supported
the enactment of such to strengthen the protection of individuals'
personally identifiable health information from inappropriate
disclosure and harmful misuse. The Association has played
a leadership role in the vigorous discussions of privacy of
the past several years, engaging in seminars and debates,
and presenting lectures, briefings to Congress and the Administration,
Congressional testimony, and working closely with legislators
and their staffs in crafting various bills. A major thrust
of the Association's activities has been to educate listeners
about the critically important role played by the trove of
information accumulated in medical records over generations
in advancing medical knowledge and improving the health of
the public. We acknowledge the many attempts that have been
made in recent Congressional sessions to enact comprehensive
medical information privacy legislation, and especially those
in the first session of the 106th Congress, under the looming
deadline of the Health Insurance Portability and Accountability
Act (HIPAA) of 1996. Unfortunately, due to the complexity
of the issues and the unyielding partisan interests that consistently
thwarted efforts at compromise, neither chamber was able to
muster the bipartisan support necessary to pass a privacy
bill by the HIPAA deadline of August 21, 1999. Accordingly,
the Department of Health and Human Services (DHHS) is now
required under its relatively circumscribed HIPAA authority
to promulgate regulations to deal with a difficult national
problem that calls out for Congressional resolution.
The NPRM is a lengthy and complicated document, the majority
of which is preamble that shares with the reader the Department's
concern with its limited HIPAA authority and the rationale
for the stratagems it devised to craft regulations with the
broadest possible reach in the face of those limitations,
and it is punctuated with repeated calls for federal legislation
as the much preferred approach. These points are important
to understanding the structure, complexity and potential impact
of the regulations that have been proposed. The preamble seeks
frequent refuge in the principles articulated in Secretary
Shalala's thoughtful report to the Congress in September 1997,
entitled "Confidentiality of Individually Identifiable
Health Information." At the time, the AAMC expressed
its strong general support of the principles, while noting
that their ultimate acceptability would turn on the details
of their implementation, which the report did not address.
Given the complexity of the proposed regulations, their substantial
financial and administrative costs, and the profound operational
and behavioral changes that they would impose at every level
of the health care delivery system, it is ironic to note that
the relevant HIPAA authority derives from the Administrative
Simplification provisions of the Act (Sections 261-264).
Although the AAMC appreciates the work the DHHS has invested
in this NPRM, we have very serious reservations about certain
of the approaches and implementation steps. We fear that they
would impose unreasonable burdens and unwise constraints on
the day to day functioning of the health care delivery system
and the conduct of medical research. Moreover, some of the
most far-reaching and burdensome provisions appear to exceed
the authorities delegated to the Department by the Act, a
matter that the preamble acknowledges and attempts to rationalize
repeatedly and at length. While fully supporting the individual's
right to privacy and respecting the need for effective, systemic
protections of the confidentiality of individually identifiable
health information, we believe that some of the standards,
implementation requirements, and procedures imposed by this
NPRM would have real costs that far outweigh their theoretical
benefits, and would serve to deter legitimate and useful sharing
of information that may be vital for treatment, research and
medical education.
General Comments
1. Purpose of the Regulation (§160.101)
The purpose of the regulation is to define and limit the
circumstances in which an individual's protected health information
(PHI) (vide infra) may be used or disclosed by others. In
particular, the rule sets out the specific circumstances under
which covered entities (vide infra) would be permitted
to use or disclose PHI without individual authorization; all
other uses or disclosures would require specific authorization.
The rule would require covered entities to disclose
PHI for only two purposes: to permit individuals to inspect
and copy PHI about themselves, and for enforcement of the
regulation. The Department argues that under the rule most
uses and disclosures of PHI would not require explicit authorization
but would be restricted by the provisions of the rule. "We
propose to substitute regulatory protections for the pro forma
authorizations that are used today"(64 Federal Register
59924, column 3).
2. Scope of Authority
A. Protected Health Information - Applicability (§160.102,
§164.502)
Under HIPAA (Section 262) the authority of DHHS is limited
to the regulation of electronic transmission of patient health
information for "standard" (financial and administrative)
transactions by three classes of covered entities: health
care providers, health plans and health care clearinghouses,
all of which are defined straightforwardly. The Act requires
that (in the absence of legislation) the Department promulgate
regulations containing standards with respect to the privacy
of individually identifiable health information (IIHI) transmitted
in connection with such transactions. The regulations must
address (at least) (1) the rights that an individual who is
the subject of IIHI should have; (2) the procedures that should
be established for the exercise of such rights; and (3) the
uses or disclosures of such information that should be authorized
or required. The NPRM expands the reach of the legislation
by defining the information to be protected by the regulation
(protected health information (PHI)) as any IIHI that is or
ever has been or will be electronically transmitted, thereby
embracing such information when it is in paper form, as well
as when it is orally communicated. In other words, it is the
information that is protected, not the particular form
it may be in from time to time. In the contemporary workings
of the health care delivery system, the electronic transmission
of medical information is so ubiquitous that the existence
of paper records that lack even one or a few items of electronically
transmitted information must be rare indeed; and given the
logistical complexity of medical records management, it is
not likely that any covered entity would choose to maintain
separate systems of protection for two different forms of
health information. Accordingly, for all practical purposes,
the Department's definition of PHI would expand the reach
of the legislation to nearly all IIHI.
The AAMC has consistently argued that all IIHI should
have a uniformly high standard of privacy protection and has
opposed efforts to segregate health information into differentially
protected sub-classes based on particular diagnoses, disease
categories, or purported sensitivity. Accordingly, while recognizing
that such uniform protection would be better accomplished
legislatively, and acknowledging the stretch inherent in the
NPRM's definition of PHI, the Association is supportive of
the Department's approach. We note that the NPRM accommodates
a single exception to the principle of a uniform standard
of privacy protection by according a higher degree of protection
from use and disclosure to psychotherapy notes than to other
PHI (§164.508(a)(3)). The exception is carefully drawn,
excluding such information as medications, results of clinical
tests, and summaries of diagnosis, functional status, treatment
plan and prognosis, and the Association is supportive of it.
B. Preemption of State Law (§§160.201-204)
The AAMC strongly believes, and has consistently argued,
that the workings of the contemporary health care delivery
system, the mobility of American citizens, and the needs of
medical research, especially population-based research, all
call for federal legislation that would strongly preempt state
law (with only few limited exceptions for such things as public
health reporting) and establish a single, uniform national
standard of medical information privacy protection. The DHHS
does not favor such "strong" preemption, and in
any event asserts correctly that it does not have authority
under HIPAA to impose it by regulation. The HIPAA provides
that one of the limited exceptions to its general requirement
that any standards or specifications issued to implement the
Administrative Simplification provisions of the Act preempt
contrary state law is for those laws relating to the privacy
of individually identifiable health information that are contrary
to and more stringent than the federal requirements (Sections
262, 264).
The NPRM would establish a federal floor of protections and
would preempt only contrary provisions of state laws that
are less stringent than those imposed by the regulation. It
would thereby permit what is often described as a patchwork
of discordant state privacy laws of variable effectiveness
to remain in place. The NPRM's lengthy disquisition on the
interpretations of "contrary to," "less stringent"
and "more stringent" (64 Federal Register 59994-59999)
underscores the confusion and significant burdens that the
lack of a single, preemptive federal standard will place on
covered entities whose professional activities and business
transactions increasingly span state lines. The entities would
have to comply not only with the federal rule but with the
more stringent provisions of state law in every state in which
they operated. The AAMC is deeply concerned about the chaotic
business climate and extraordinary legal expenses that would
result from the imposition of this regulation, and fears that
as it is proposed, it will be unworkable. Acknowledging
the HIPAA language, and to comply with the goal of administrative
simplification that drives the authorizing Act, the Association
urges the Department to accept the responsibility of critically
assessing existing state laws and certifying those that the
Department judges to be acceptable substitutes for the proposed
rule. By so doing, the Department would effectively deem the
provisions of the regulation to be presumptively preemptive
of all other relevant state laws, thereby providing useful
clarification to covered entities and mitigating what would
otherwise be substantial administrative burdens and legal
costs.
C. Covered Entities (§160.102, §160.103), Business
Partners (§164.504, §164.506(e)), and Disclosures
for Health Oversight Activities (§164.510(c))
Under HIPAA, the "covered entities" that fall within
the Department's regulatory authority are exclusively health
providers, health plans and health care clearing houses. However,
once again to expand the reach of the legislation, the NPRM
defines an additional large class of diverse entities called
"business partners," who are any persons to whom
the covered entity discloses PHI so that the person can carry
out, assist with the performance of, or perform on behalf
of a function or activity for the covered entity. The definition
includes contractors, lawyers, auditors, consultants, data
processing and billing firms, third-party administrators and
any others who are not within the covered entity's workforce.
The NPRM requires that all covered entities must enter a contractual
relationship with each business partner, and it specifies
a detailed list of requirements that must be met.
The effect of this provision is to impose on the business
partners adherence to all of the provisions of the NPRM, as
well as compliance with the privacy policies and procedures
of the covered entity itself. The business partner, in turn,
would be obligated to impose similar contractual provisions
upon any of its partners or sub-contractors to whom it would
disclose for business purposes PHI from any of its covered
entity partners. Moreover, the business partner must agree
to subject itself to compliance audits by the Secretary. Finally,
the NPRM creates a "chain of trust" by holding the
covered entity liable for any contractual breaches by its
business partners: "A material breach by a business partner
of its obligations under [the contract] will be considered
to be noncompliance of the covered entity….if the covered
entity knew or reasonably should have known of such breach
and failed to take reasonable steps to cure the breach or
terminate the contract" (64 Federal Register 59949,
column 3).
The AAMC, while sympathetic to the Department's desire
to extend health information privacy protections as far as
possible, believes that it has over-reached its statutory
authority with this provision. For business partners that
may themselves be covered entities, or that perform services
for multiple covered entities, the practical implications
of implementing and adhering to multiple sets of information
policies and procedures for different sets of PHI are unrealistic
and beyond comprehension. The concept, while appealing in
the abstract, is impossibly unwieldy in its application. The
Association also strongly objects to the attempt (which has
been dubbed the "My Brother's Keeper" provision)
to hold a covered entity liable for its business partners'
breaches of contracts. The Association believes that the
maximum burden that could be imposed fairly on the covered
entity is the requirement that it make a reasonable effort
to perform its customary due diligence in enforcing its contracts
with business partners. Beyond that, the covered entities
should not be held accountable for their partners' failings.
We recognize that DHHS has no authority to take action directly
against business partners, but that fact simply underscores
once again the need for federal legislation. In no way does
it justify what we believe to be an unauthorized attempt to
impose liability for business partners' missteps on covered
entities.
The Association is concerned that the way this provision
has been drafted would impose upon the operations of the health
care delivery system such an impenetrable maze of administrative
requirements as to make its implementation impractical. If
the provision is retained in the final rule, then we urge
that the definition of "business partner" be limited
to entities that are not otherwise embraced by the definition
of "covered entity."
Another very important point needs to be addressed here.
The preamble's discussion of the proposed rule's provision
to allow the disclosure of protected health information without
individual authorization for the purpose of health oversight
activities states: "we would permit covered entities
to disclose protected health information …to a health oversight
agency to conduct oversight activities authorized by law.
Disclosures also could be made to private entities working
under a contract with or grant of authority from….[a] government
oversight agency….Oversight activities by private entities
operating pursuant to contracts with covered entities, such
as accreditation organizations [emphasis added], would
not be permitted to receive information under this provision,
even if accreditation by such an organization is recognized
by law as fulfilling a government requirement or condition
of participation in a government program" (64 Federal
Register 59957, column 3).
The role of private entities, such as the Joint Commission
on the Accreditation of Healthcare Organizations (JCAHO) and
the College of American Pathologists (CAP) Laboratory Accreditation
Program, in performing inspection and accreditation of health
providers is a well established and critically important mechanism
for promoting the quality of care. The AAMC objects strongly
to the seeming - and unfathomable - intent of the rule to
interfere with the ability of these entities to continue to
carry out their oversight activities without their being designated
"business partners" and becoming enmeshed in the
burdensome contractual requirements that the rule mandates
for such relationships. This point must be clarified in the
final rule. At a minimum, health care providers must be permitted
to disclose all necessary information to deemed organizations
so that they may continue to carry out their accreditation,
certification and quality assurance functions. In addition
to JCAHO and the CAP, for medical schools and teaching hospitals
such deemed organizations must also include the Liaison Committee
on Medical Education (LCME) and the Residency Review Committees
working under the authority of the Accreditation Council for
Graduate Medical Education (ACGME).
D. Private Right of Action (Application to Business Partners,
§164.506(e))
The Secretary's recommendations argued that there should
be legal recourse to persons harmed by the misuse of their
individually identifiable health information, a position that
is reiterated in the preamble of the NPRM. However, HIPAA
does not give the Department the authority to create (directly)
by regulation an individual private right of action. Notwithstanding,
the rule would require that contracts between covered entities
and their business partners "state that the individuals
whose PHI is disclosed under the contract are intended third
party beneficiaries of the contract…" (64 Federal Register
59957, column 3), thereby effectively establishing a federal
private right of action. This matter has been one of the most
contentious issues on the legislative front, strongly backed
by privacy advocates and equally strongly opposed by the health
care industry. Although the concept of providing legal recourse
to individuals is inherently appealing, the concerns that
have been expressed center on the ambiguities and confusions
that are certain to occur in the initial period of implementation
of any medical information privacy regulation or legislation,
the absence of a clear-cut definition of "harm"
or requirement of a substantial evidentiary threshold of "harm"
for bringing an action, and the risk that such a provision
will invite a deluge of insubstantial or harassing lawsuits
that will be exceedingly distracting, costly and detrimental
to the functioning of the health care system.
The AAMC believes that the complexity and contentiousness
of this issue demand that it be resolved by the Congress and
not by an unauthorized regulatory action by DHHS.
3. Definitions
A. Designated Record Set (§164.504)
A designated record set is a group of records under the control
of a covered entity from which individually identifiable information
is retrieved and used by the entity to make decisions about
the individual. The term "record" means any item,
collection or grouping of PHI maintained, collected, used
or disseminated by a covered entity. This definition is important
in that it is used in the sections of the rule that prescribe
fair information practices (vide infra). The preamble makes
the important point that a designated record set would only
exist for records from which individually identifiable information
is actually retrieved and used to make substantive decisions
that affect individuals, and not for records for which information
is only retrievable. Considering the subject of this proposed
rule, the AAMC recommends that the definition be focused and
clarified by changing the last clause of the definition to
read " …and which is used to make decisions about the
health care of an individual." In addition, the Association
urges that the definition be further modified to state that
the term "designated record set" excludes all research
files, records and databases that contain individually identifiable
health information, on the ground that such information, as
a rule, is not and should not be used to make [health care]
decisions about specific individuals. Our extensive comments
on Research are presented below in 4.G.
B. Disclosure and Use (§164.504) and Covered Entity
(§160.103)
Disclosure means any divulging of PHI outside of the
entity holding the information. Use means essentially
any use of PHI within an entity that holds the information.
Since some of the provisions of the rule distinguish between
disclosure and use by making the use of PHI less burdensome
than its disclosure (and the AAMC will propose some
additional distinctions of this kind), the definition of "covered
entity" becomes a matter of great importance to medical
schools and teaching hospitals. More than 80 percent of the
medical schools exist in a variety of organizational and legal
structures within the frame of universities. The definition
in the NPRM simply defines covered entities as health providers,
health plans and clearinghouses, and it would seem to include
any persons who are within the covered entity's workforce.
It would thus appear that the question of what is the covered
entity in academic health centers will be determined in part
by which entity is the designated health provider, and in
part by how the workforce of the provider entity is defined.
For example, if the provider is a hospital or health system
and the faculty physicians are paid by the medical school
or faculty practice plan, would those faculty who are on the
medical staff of, but not paid directly by, the provider be
included within the covered entity? What about university
"health-related" faculty (biostatisticians, epidemiologists,
health service researchers, health economists, etc.) who are
not on the medical staff? Similarly, if administrative units
of the university provide business services (e.g., legal,
audit, fund raising) to the health provider, which require
access to portions of PHI, would those units be deemed "business
partners" and have to be bound by elaborate contractual
provisions that meet the requirements of the rule? The
AAMC requests that further thought and clarification be given
to the definitions of covered entity and business partner
with respect to the unique organizational models and relationships
of academic medical centers and their parent universities.
C. Uses and Disclosures for Treatment, Payment and Health
Care Operations (§164.506(a))
The rule states that individual authorization is not required
for the use or disclosure of PHI for purposes of treatment,
payment or health care operations, so these definitions are
important. Treatment includes health care management of the
individual through risk assessment, case management and disease
management, referrals, and the coordination of health care
services among providers. Payment includes the full range
of usual activities, including the review of health care services
with respect to medical necessity, coverage, appropriateness
of care, or justification of charges, and utilization review
activities. Health Care Operations, the definitional scope
of which has been a topic of much controversy in the legislative
arena, is broadly defined in the NPRM, and includes the conduct
of "training programs in which undergraduate and graduate
students and trainees in areas of health care learn under
supervision to practice as health care providers" (64
Federal Register 59934, column 1). The AAMC is pleased
with these definitions, which we believe are workable, and
especially with the inclusion of the education and training
of health professionals under health care operations, which
recognizes the intimate interweaving of patient care and health
education in academic health centers.
D. Individually Identifiable Health Information (IIHI)
(§164.504)
IIHI is defined as health information that identifies an
individual, or with respect to which there is a reasonable
basis to believe that the information can be used to identify
an individual. The AAMC regards the matters of the identifiability
and de-identifiability (vide infra) of health information
as critically important with respect to the regulation of
access to and use of health information in the conduct of
clinical research. The Association has previously expressed
its strong opposition to definitions that incorporate criteria
of "reasonableness" on two principal grounds: first,
they create ambiguity that would impose an unfair risk of
liability on every covered entity; and second, they would
drive entities to adopt overly defensive and restrictive practices
governing access to health information that would both hinder
essential health research and diminish (by removal or distortion
of essential data elements) the research value of whatever
information was permitted to be accessed. In the current era
of electronic information technology, with steadily increasing
computer power and the creation of enormous relational databases
outside of the health care enterprise, it becomes extraordinarily
difficult, if not impossible, for any holder of IIHI to be
"reasonably" certain about how many and which of
the potentially identifying data elements in any unit of medical
information would have to be stripped or distorted to preclude
the possibility that some recipient of that information might
be able to identify the individual.
Because of the critical importance to medical research
of ready access to health information that, even if encrypted,
remains linkable to specific individuals, the AAMC believes
that the definition of IIHI should be as crisp and unambiguous
as possible, and favors, for example, "[IIHI is] information
that contains personal identifiers that directly reveal the
identity of the individual, or which provide a direct means
of identifying the individual." We strongly urge the
Department to reconsider the proposed definition.
E. Protected Health Information (PHI) (§164.504)
PHI is IIHI that is or has been electronically transmitted
or maintained by a covered entity and includes such information
in any other form. The definition excludes IIHI in education
records covered by the Family Educational Rights and Privacy
Act.
F. Research (§164.504)
The definition of research is identical to that contained
in the Common Rule. The AAMC supports this choice because
of the importance for coherent oversight of medical research
that federal law and regulation be consistent in the use of
a well-established and well-understood definition of research.
4. Standards for the Use and Disclosure of PHI
A. Statutory Authorization (General Rules (§164.506(a)))
The regulation establishes as a general standard that a covered
entity may not use or disclose PHI except as otherwise permitted
or required by the rule. It then creates what is called a
statutory (or, in this case, regulatory) authorization
that permits a covered entity to use or disclose PHI to
carry out treatment, payment and health care operations without
having to seek specific authorization. Although the matter
of statutory authorization is one of the more contentious
issues in the medical information privacy debates, the industry
has contended successfully that carrying out treatment, payment
and health care operations requires the relatively unencumbered
flow of IIHI, and that granting individuals the right to authorize
how and what components of that information should or should
not flow for these purposes would severely impede the functioning
of the health care delivery enterprise. The two approaches
that have been considered in Congressional draft bills have
been statutory consent or mandatory consent, which requires
that an individual give consent as a condition for receiving
health care or coverage. Privacy advocates, ethicists and
others argue that mandated consent is coercive and an affront
to the concept of "informed consent;" and for different
reasons, they oppose statutory consent, as well. The Department
has agreed with the former argument in opting for what it
considers to be the less objectionable statutory approach.
The AAMC supports the position taken by DHHS and endorses
the approach of regulatory consent for treatment, payment
and health care operations.
B. Minimum Necessary (§164.506(b))
The rule establishes as a standard that "a covered
entity must make all reasonable efforts not to use or disclose
more than the minimum amount of PHI necessary to accomplish
the intended purpose of the use or disclosure" (64
Federal Register 59943, column 1). Exceptions to this
requirement are few: they include responses to an individual's
specific authorization for disclosure of his/her PHI or request
for access to his/her PHI, compliance audits, or for uses
and disclosures "required by law" and for
which the requirement of individual authorization may be waived
(vide infra). The rule requires that covered entities identify
appropriate persons to determine what information should be
used or disclosed consistent with the standard and ensure
that they make such determinations. It also requires that
covered entities, within the limits of their technological
capabilities, "provide for the making of such determinations
individually" (64 Federal Register 60054, column
1). The Association understands the last requirement to
mean that the rule intends that every single use or disclosure
of PHI within a covered entity be managed according to the
de minimis standard.
The idea of a de minimis standard for the use and
disclosure of IIHI is, on its face, appealing and consistent
with Hippocratic precept and ethically sound medical practice.
However, in reality, the determination of what is "the
minimal amount of information required" for any particular
purpose is ultimately a judgment call that can only be guided,
not dictated, by institutional policies. Adherence to the standard
would plainly be more feasible, consistent and effective for
entities with advanced electronic clinical information systems
that can greatly enhance the security of IIHI by imposing
rules and stratification of access according to staff categories
and functions, creating audit trails, and comprehensively
enforcing institutional use and disclosure policies. The fact
is, however, that the penetration and sophistication of clinical
information technology among health care providers remains
extremely uneven. At this time, paper records are still abundant,
if not predominant, in American medical practice (CenterWatch,
vol.7, 11, February 2000 cites data indicating that in 1999,
96% of patient records existed as paper charts). Accordingly,
the implementation of a de minimis standard can be
anticipated to be inherently much more difficult, less consistent
and less effective than anticipated in the proposed rule.
The AAMC believes on the basis of a recently conducted survey
of its members that the vast majority of teaching hospitals
and health care systems already attempt to limit access to
and disclosure of individually identifiable health information.
However, the survey results also indicate that few, if any,
of our member institutions currently have in place policies
and procedures that would approach the de minimis standard
set forth in the NPRM. The AAMC further believes that it would
be inappropriate and impractical in any case to apply the
"minimum amount" requirement, as a standard, to the settings
of treatment or research. With respect to treatment, withholding
of information in the treatment setting by any person could
put patients at serious risk. With respect to research, only
the researcher himself or herself is capable of determining what
information from a medical record is necessary for the successful
execution of a research project.
Therefore, the AAMC believes that it is premature and
impractical to impose the requirement of minimum disclosure
as a standard. Rather, we strongly believe that this requirement
would be far better and more realistically treated by placing
it in the section of the rule that deals with "Administrative
requirements," where it would be addressed by covered
entities' policies and procedures. If the standard remains,
we urge that it not be applicable to medical treatment, education
and research, which purposes should be explicitly exempted.
Moreover, since "the minimum information necessary"
will always be, at best, a judgment call about which reasonable
people can, and doubtless will, differ, the AAMC urges that
enforcement of the standard be carried out sensibly and sympathetically,
with clear recognition of the systemic limitations of information
management capability that currently exist in American medicine.
In this context, we specifically request that the rule be
amended to indicate that if a covered entity makes a reasonable
effort to comply with the standard, then no liability will
be incurred if it is subsequently determined that more than
the de minimis amount of information was actually used or
disclosed.
C. Right of an Individual to Request Restriction of Uses
and Disclosures (§164.506(c))
The rule requires a covered provider to permit individuals
to request that uses or disclosures of PHI for treatment,
payment or health care operations be restricted. The provider
is not required to agree to the request, but if the
provider does agree, then the request must be honored. The
rule would exempt uses and disclosures for which individual
authorization may be waived (vide infra), in emergencies,
or for purposes of compliance. The AAMC is very uneasy about
applying this right to uses and disclosures of PHI that are
statutorily authorized by the rule, which we fear would invite
protracted argument, delay, and even litigation, e.g., over
specific PHI provided to a health plan or third-party payer.
The AAMC does not find the Department's rationale for establishing
this right, as laid out in the preamble, to be convincing.
Although the provider's right to refuse requests might
appear to make the standard more tolerable, the Association
would prefer that the standard be stricken from the rule.
D. Use and Disclosure of De-Identified PHI (§164.506(d))
In our comments in 3.D (above) we tried to make clear that
our deep concern about the definition of individually identifiable
health information derives from the unique and irreplaceable
role of archived medical information in supporting a broad
range of health research. Such studies, which range from the
etiopathogenesis of disease, translational research and clinical
trials to research in prevention, epidemiology and health
services, are essential for advancing medical knowledge and
improving the public's health. If the point needs further
emphasis, we note the urgent calls for promoting more research
into the causes and prevention of medical errors, which accompanied
the recent release of the IOM report entitled "To Err
is Human," and we urge consideration of the vast quantities
of "informational raw materials" that will be required
to implement such a research agenda.
The Department emphasizes in the preamble its desire to enhance
the protection of the privacy of health information by encouraging
wherever possible the use of de-identified rather than individually
identifiable information. The AAMC strongly supports this
general objective and believes in particular that the great
majority of medical research can be conducted with de-identified
health information, but only if it is accurately encrypted,
linkable (in most cases), and retains the accuracy and integrity
required to support the purposes of the research protocols.
We argued in 3.D and reiterate here that in the current era
of information technology, it becomes increasingly difficult
to be certain of when a given set of health information has
been sufficiently "de-identified" as to make the
probability of its re-identification less than some predetermined
value that would satisfy a criterion of "reasonably remote."
Experts in the field argue persuasively that the number and
kinds of data elements contained in the typical medical record
that would have to be removed or distorted to reach any given
level of assurance of non-identifiability will only increase
as computer power increases. Some also argue that in the near
future only substantially distorted health information would
in fact be unidentifiable. We note that the boundary between
substantial distortion and fabrication can be tenuous.
The AAMC will continue to argue, until presented with compelling
evidence to the contrary, that in the overwhelming majority
of settings and circumstances in which the use of de-identified
health information would be appropriate, e.g., in most health
research, it would be rare indeed for an individual or organization
with the necessary motivation, skills and determination to
set out purposefully and illicitly, to re-identify specific
persons when reasonable efforts have been made
to protect their identities, and substantial penalties are
in place. The Association believes that no rule (or law) can
be crafted with the intention of providing total protection
from misdeeds without imposing excessive, and unnecessary,
burdens. To attempt to craft the standard for the use and
disclosure of de-identified PHI with the intention of achieving
some theoretical goal of "maximum possible protection"
against re-identification will seriously degrade the integrity
and utility of the de-identified information. With respect
to research, we fear that for covered entities, and especially
those for which research is not an integral part of
their mission, the burden and liability associated with overly-zealous
requirements for de-identification will blunt their willingness
to permit their medical information archives to be accessible
to researchers. For the researchers themselves, the inadequacy
of the stripped information will force them to submit to the
far more burdensome and time-consuming processes required
to access PHI, when a more rational and less zealous approach
to de-identification would have made the resulting information
entirely suitable for a majority of research purposes.
Given these considerations, we argued in 3.D. for an unambiguous
and simple construction of the definition of "identifiability;"
we argue here for the complementary approach to the definition
of "de-identifiability." The AAMC is greatly troubled
by the approach set out in the NPRM, which, in spite of the
lengthy discussion of the matter in the preamble that seems
to agree with the Association's position, mandates a lengthy
"laundry list" of 18 specific data elements that
must be removed from health information and only begins to
satisfy the rule's definition of de-identifiability. The provision
goes on to require removal of "any other [identifier]
that the covered entity has reason to believe may be available
to an anticipated recipient of the information" (64 Federal
Register 59936, column 1), and that "the covered
entity has no reason to believe that any anticipated recipient
of such information could use the information, alone or in
combination with other information, to identify an individual"
(64 Federal Register 59936, column 2). The rule then
goes even further by indicating that "entities with appropriate
statistical expertise" (64 Federal Register 59936,
column 3) should employ their statistical prowess to further
satisfy themselves about the non-identifiability of the information,
or remove yet additional information… and on and on.
The AAMC is vigorously opposed to this entire approach,
which we regard as unreasonably burdensome, poorly conceived,
and ultimately futile in its quest for an impossible goal.
Indeed, the provision would require one to be a sooth-sayer
to deal with all of the required compounded "anticipations."
More seriously, it would succeed in gutting de-identified
health information, for example, by requiring the deletion
of geographic data ("geocodes"), age data ("chronocodes"),
photographic images (a terribly general term that would include
photographic data such as pathological lesions, DNA gels,
radiograms, etc.), to the point of rendering the information
useless for much medical research. Perversely, the proposed
definition of de-identifiability would greatly stimulate the
need for identifiable health information to enable research
studies to be carried out.
The AAMC strongly urges the Department to revisit and
rethink its entire approach to de-identification, keeping
in mind the purpose of the rule: to reduce the need for IIHI
and promote the use of de-identified health information to
the maximum possible extent. The Association strongly favors
the following language: "Nonidentifiable health information
is [PHI] from which personal identifiers that directly reveal
the identity of the individual…or provide a direct means of
identifying the individual (such as name, address, social
security number) have been removed, encrypted or replaced
with a code, such that the identity of the individual is not
evident without (in the case of encoded information) use of
the key." The Association believes that this approach,
which must be coupled with strong penalties for misuse of
de-identified health information, is the only practicable
- and sensible - way to deal with this issue.
E. Uses and Disclosures for which Individual Authorization
is Required (§164.508)
Individual authorization is required for all uses and disclosures
of PHI not otherwise specifically allowed by the rule. An
authorization may be initiated by an individual or may be
requested of the individual by the covered entity. The
preamble makes clear the Department's intent to prohibit the
use of broad or blanket authorizations by covered entities.
The proposed rule would require that authorizations initiated
by the covered entity be narrowly tailored and explicit about
the PHI that is covered and the specific uses that are intended,
have a set expiration date, and be revocable. Moreover, with
the exception of authorization for a clinical trial, "an
authorization for use or disclosure of [PHI] for purposes
other than treatment or payment may not be in the same document
as an authorization for…treatment or payment" (64 Federal
Register 59954, column 2). (Since authorization for treatment
and payment would be "statutory" under the NPRM,
it is not clear why the preceding language was chosen.) Examples
of uses and disclosures that would require specific authorization
include: use for marketing of health and non-health items
and services by the covered entity; sale, rental or barter;
use and disclosure to non-health related divisions of the
covered entity; disclosure to an employer for use in employment
determinations; and use or disclosure for fundraising.
The AAMC has two objections to this provision. First, the
ongoing transformation of the health care delivery system
has spurred the formation of Integrated Delivery Systems (IDSs)
that are based on the concept of providing comprehensive health
care to populations and communities. Such IDS's often sell
such materials as durable medical equipment, and provide specialized
nursing facilities, home nursing care, respiratory, physical
and occupational therapy, etc. either directly or through
wholly owned subsidiaries. The Association believes that
it is reasonable to permit an IDS to use limited portions
of an individual's PHI to make him/her aware of the availability
of these subsidiary services. Second, non-profit health
providers in general are heavily dependent on disease-focused
philanthropy to support their activities, and this dependency
is an order of magnitude greater for medical schools and teaching
hospitals, which provide expensive, and often unreimbursed,
public services as part of their social missions of education,
research, and care to the disadvantaged. Particularly in these
times of health care financing tumult, it is essential that
the new rule do nothing to jeopardize further the financial
stability of these fragile institutions.
The AAMC urges the Department to modify this provision
by eliminating the word "use" from the prohibition
against use and disclosure of PHI by the covered entity without
individual authorization for the marketing of health-related
items and services and for fundraising.
F. Uses and Disclosures for which Individual Authorization
is Not Required (§164.510)
The NPRM, like all of the Congressional bills that have attempted
to address the question of medical information privacy, recognizes
a set of health-related purposes of compelling benefit for
which individual authorization is not required for the use
and disclosure of PHI. It is important to understand that
all of these exemptions are permissive and not mandatory:
the covered entity in every instance makes the determination
of whether or not to accede to a request. Included in this
provision are such purposes as public health activities, governmental
health data systems, public oversight activities, judicial
and administrative proceedings, investigations by coroners
and medical examiners, requests by law enforcement officers,
emergency situations, and research. Recognizing that others
will likely deal extensively with different items in this
provision, the AAMC will focus its remarks primarily on the
section that deals with research, but also comment on the
provision that deals with health oversight activities.
G. Research
1. Creation of New Classes of Research Information "Related"
or "Unrelated" to Treatment (§164.508) and
Uses and Disclosures for Research Purposes (§164.510(j))
The AAMC has grave reservations about the approach that the
Department has taken in crafting the provisions of the NPRM
that relate to health research. The Association strongly believes
and has consistently argued that given the nature of our systems
of health care delivery, financing and oversight, and the
ineluctable flows of IIHI required to support these functions,
the protection of the privacy and confidentiality of IIHI,
i.e., medical records, can under the best of circumstances
be limited. In contrast, the Association believes that it
is possible to provide orders of magnitude greater protection
to health research data, information and records because none
of the necessary (or unpreventable) multitudinous handling
and inspection of medical records is required, or, in fact,
customarily occurs, with research records. Indeed, we believe
that health research information should be used exclusively
for the purposes of the approved research and, when necessary,
for research oversight, or for safety and efficacy reporting
mandated by the FDA. There exists in statute a mechanism called
the Certificate of Confidentiality, originally enacted in
1970 as part of the "War on Drugs" to allow studies
of drug addiction and abuse, and subsequently, in 1988,
incorporated into the Public Health Service Act, which shields
from compelled disclosure individually identifiable biomedical
or behavioral research information that an investigator deems
to be "sensitive." The Certificate provides to sensitive
information the tightest protections against trespass afforded
under American law. These protections have never been breached
over the three decades of their existence by any entity, including
by law enforcement officers or judicial actions. It is
important to recognize that the protections of the Certificate
of Confidentiality are exclusively for research information
and do not extend to clinical information or medical records,
that is, to information used in the provision of patient care.
The foregoing is meant to underscore the Association's firmly
held position that research information should always,
as the rule, be kept formally separated and distinct from
clinical information used in the provision of patient care
for three compelling reasons: first, because the clinical
utility of research information is most often unknown, and
thus, it is unsuitable for use in clinical decision making;
second, to provide the information with maximum security from
unauthorized trespass; and third, to allow medical researchers
to provide to individual research subjects, and to the public
at large, the greatest possible assurance that their privacy
and the confidentiality of any IIHI that may be obtained or
maintained in research files will be protected from disclosure.
The ability to make this kind of assurance is critically important
to the conduct of all clinical research, whether interactional
(or interventional) with human subjects, or archival, retrospective,
non-interactional studies, for which the unique and irreplaceable
research resource is patient information archives. It is an
assurance that cannot be made today regarding medical records
- and will not be able to be made tomorrow, irrespective of
the fate of this NPRM; and it is an assurance that will become
even more important as medical research rushes ahead into
the era of human genetics and post-genomics.
Accordingly, the Association vigorously opposes the approach
taken in the NPRM to divide medical research information into
two broad classes, one related, the other unrelated, to treatment.
"'Research information unrelated to treatment' means
health information that is received or created by a covered
entity in the course of conducting research, for which there
is insufficient scientific and medical evidence regarding
the validity or utility of the information such that it should
not be used for the purpose of providing health care, and
with respect to which the covered entity has not requested
payment from a third party payer" (64 Federal Register
59942, column 3). The interpretation of this definition is
anything but straightforward: it would on its face include
most clinical trials. The Association believes that, as the
general rule, research information should not be disclosed
directly to a patient or directly used to provide patient
care. This is particularly true for "tests" performed
in research laboratories, which generally are never performed
under CLIA-approved clinical laboratory conditions and always
require further work to establish their analytical validity
and clinical utility. It is also true for retrospective non-interactional
studies, in which the researchers and the individuals whose
IIHI may be used in the study are unknown to one another.
The clinical trial is a special kind of clinical research
that involves the direct interaction of researchers with human
subjects, requires informed consent and merits separate consideration.
In recruiting individuals to participate in clinical trials,
the informed consent process affords ample opportunity for
subject and investigator to come to a mutual understanding
about whether the trial is designed to produce information
directly relevant to the subject's care, and, if so, whether,
when, and how the subject will be informed of it. Across the
entire spectrum of health research, it is almost uniquely
during the performance of clinical trials that "research
information related to treatment" may be obtained, and
in these circumstances the AAMC strongly argues that all such
clinically relevant information that may or will affect the
care of the subject should be entered into the individual's
medical record. Once the information is in the medical record,
it would become PHI and be covered by the provisions of the
NPRM. If the investigator, as is often the case, maintains
concurrently a separate and distinct research record, that
record should not become PHI and should not fall within the
strictures, accesses or uses mandated or permitted by the
rule.
The AAMC strongly disagrees with the premise of the NPRM
that a health provider-researcher cannot carry out two distinct
functions while performing research and providing clinical
care to research subjects. We further argue that even in such
a circumstance, the formal distinction between research information
and clinical information can and should be maintained, primarily
to afford the research information the much higher degree
of security that cannot be afforded to clinical information
and medical records. As proposed in the NPRM, all of the research
information "related to treatment" that is obtained
by the provider-researcher, whether it resides in a "research
file" or the medical record, would become PHI and thereby,
fully bound by all of the requirements and fully accessible
to all the parties and for all the purposes specified in the
proposed rule. Because of the contrived distinction, for example,
a researcher would have to follow two entirely different sets
of requirements with respect to the handling of information
obtained during the course of a single clinical trial, depending
on which bits of information were considered to be "related,"
and which, "unrelated," to treatment. The AAMC very
strongly objects to this approach.
We presume that the Department chose to go down this unfortunate
path to circumvent the limitation imposed by the fact that
HIPAA gives the Department no authority to create new regulations
for medical researchers or medical research. This matter is
discussed in the preamble: "However, under HIPAA, we
do not have the authority to regulate researchers unless the
researcher is also acting as a provider, as in a clinical
trial. We can only directly regulate the entities that disclose
the information, but not the recipients of the information.
Therefore…we must impose any protections on the health plans
and health care providers that use and disclose the information,
rather than on the researcher seeking the information"
(64 Federal Register 59968, column 2). The Association
is not aware that the HIPAA creates a new entity subject to
regulation called a "researcher also acting as a provider."
Even granting this arrogation of authority, however, it in
no way justifies the creation of entirely new categories of
"research information related and unrelated to treatment."
Since the proposed rule does appropriately lay very firm and
precise conditions on the covered entities with regard to
their handling of all requests for use and disclosure
of PHI for research, we fail to see what benefit accrues to
any party from adoption of the "research information
related and unrelated to treatment" approach. On the
other hand, the precedent established and costs incurred by
decreeing that research related to treatment is PHI and subject
to the rule are substantial: the research information suffers
a substantial loss of protection of confidentiality;
and the researcher-provider becomes greatly encumbered by
the full weight of obligations imposed by the NPRM on covered
entities.
The Association acknowledges that the very strong protections
of confidentiality that can be afforded (uniquely) to research
information are unidirectional, in the sense that they are
directed exclusively at preventing unauthorized access or
trespass. Existing statute and regulation do not provide equivalent
protections against the possibility that individual researchers
might violate patient privacy. The Common Rule does require
that IRBs, in their review of research proposals, satisfy
themselves that "[w]hen appropriate, there are adequate
provisions to protect the privacy of subjects and to maintain
the confidentiality of data" (45CFR46.111(7)). Ultimately,
the protection of research subjects' privacy in health research
depends upon the professionalism and integrity of individual
researchers, and that will not change regardless of statute
or regulation. As we state elsewhere in this letter, the
AAMC is aware of no credible evidence to indicate that violations
of subjects' privacy, or the confidentiality of PHI created
or maintained in research records, has been a significant
problem. To the contrary, all of the egregious violations
of privacy of which we are aware have involved leakage of
clinical information from medical records, a fact that may
not be surprising when one considers the vast differences
in the amount of handling and extent of accessibility of clinical
information as contrasted with research information. Nonetheless,
the AAMC would strongly support a legislative or regulatory
provision that held health researchers accountable for breaches
of subjects' privacy to the same degree that covered entities
would be held accountable in the NPRM. That the limitation
of HIPAA authority does not permit the Department to address
this issue cleanly does not justify the troubling contrivance
created in the NPRM.
The AAMC strongly urges the Department to abandon the
burdensome and unnecessary dichotomization of research "related
to" and "unrelated to" treatment, and continue
to regulate all research and researchers identically under
the provisions of the Common Rule.
2. Requirement for IRB or Privacy Board Review (§164.510(j)(1))
The NPRM would permit a covered entity to use or disclose
PHI for research, regardless of the source of funding of the
research, provided that the covered entity has obtained written
documentation of a waiver of authorization that has been approved
either by an Institutional Review Board (IRB) or a Privacy
Board. The AAMC applauds the Department's decision to permit
medical research that must access PHI to proceed without the
requirement of individual authorization, but following review
and approval by an independent review body. For research overseen
by the Common Rule, oversight can continue to be provided
by an IRB; for all other research requiring access to PHI
a homologous body called a Privacy Board, working under nearly
identical requirements, will have to be established to serve
the review function. The AAMC fully supports this provision.
The Association believes that all research involving human
subjects should receive the same oversight and protections,
irrespective of the source of funding or the venue in which
the research is conducted. Although HIPAA does not authorize
the Department to expand the mandate of the Common Rule, the
Privacy Board provision is an important step in the right
direction.
3. Criteria to be Employed in IRB or Privacy Board Review
(§164.510(j)(3))
The NPRM requires that the IRB or Privacy Board determine
that the waiver of authorization satisfies eight specific
criteria. The first four criteria are identical to or slight
variants of requirements in the Common Rule for the approval
of waiver of informed consent:
(i) the research [in the NPRM, the use or disclosure of
PHI] involves no more than minimal risk to the subjects,
(ii) the waiver will not adversely affect the rights and
welfare of the subjects,
(iii) the research could not practicably be conducted without
the waiver, and
(iv) whenever appropriate, the subjects will be provided
with additional pertinent information after participation.
(The Association believes that this criterion is pertinent
to research that involves a direct interaction with human
subjects, but not, as a rule, to non-interventional retrospective
research requiring access to archived PHI.)
The next four criteria go beyond the requirements of the
Common Rule:
(v) the research could not practicably be conducted without
access to and use of the PHI;
(vi) the research is of sufficient importance so as to
outweigh the intrusion of the privacy of the individual
whose information is subject to the disclosure,
(vii) there is an adequate plan to protect the identifiers
from improper use and disclosure, and
(viii) there is an adequate plan to destroy the identifiers
at the earliest opportunity consistent with the conduct
of the research, unless there is a health or research justification
for retaining the identifiers.
The additional criteria v, vii and viii are consistent with
recommendations that the Association has made in prior Congressional
testimony to strengthen the protection of the confidentiality
of PHI used in research. However, the AAMC takes strong
exception to the new criterion vi, which we believe is unnecessary
and unsound in that it would impose on reviewing bodies the
explicit requirement to form and debate conflicting value
judgments about the relative "weights" of the research
proposal versus an individual's right to privacy. We note
that there is already in the Common Rule (Part 46.111: Criteria
for IRB approval of research) language that the AAMC believes
deals more appropriately and acceptably with the fundamental
issue raised in proposed criterion vi. Section 46.111(a)(2) states,
as a general requirement, that an IRB must determine that
"[r]isks to subjects are reasonable in relation to anticipated
benefits, if any, to subjects, and the importance of the knowledge
that may reasonably be expected to result. In evaluating risks
and benefits, the IRB should consider only those risks and
benefits that may result from the research…The IRB should
not consider possible long-range effects of applying knowledge
gained in the research…as among those research risks that
fall within the purview of its responsibility." The AAMC
believes that this well-established standard serves reasonably
and practicably to address the issue of "scientific value"
versus risk.
The Association is strongly opposed to the imposition
of new criterion vi, which we believe would force review bodies
to render judgments in the absence of clear-cut or normative
standards, and threaten to hold their decisions hostage to
the personal belief structures, biases, and ideologies of
the thousands of individual members who serve on these bodies.
The AAMC strongly urges that the new criterion vi be eliminated
from the final rule.
Although the NPRM would permit IRBs to retain the privilege
of "expedited review" (45CFR46.110, as recently
revised in FR63, No.216, 60353-56, November 9, 1998), it would
eliminate the possibility that research requiring access to
PHI could be determined to be "exempt" from IRB
review, as provided in 45CFR46.101(b). This can become a matter
of especial concern with respect to 101(b)(4) that exempts
"[r]esearch involving the collection or study of existing
data, documents, records, pathological specimens, or diagnostic
specimens, if these sources are publicly available or if the
information is recorded in such a manner that subjects cannot
be identified, directly or through identifiers linked to the
subjects." The AAMC supports the clear intent of the
Department to ensure that all access to PHI, which is unrelated
to treatment, payment, or health care operations, either requires
individual authorization or is provided for under §164.510,
and is comfortable with the elimination of the "exemption"
privilege.
4. Comment about Proposed Change in Common Rule
The preceding paragraphs present the Association's concerns
about the specific provisions of the NPRM that relate to research
and are presented in the event that the Department decides
to maintain this approach in the final rule. However, the
AAMC has a much more fundamental concern about the approach
in general. We believe that by setting out new criteria
that must be met by IRBs (as well as by newly established
Privacy Boards) in their review of requests to access PHI
for research, the NPRM is de facto proposing to modify
the Common Rule, while circumventing the processes required
by the Administrative Procedures Act, which, among others,
would require the assent of all seventeen Departments and
Agencies that have adopted the Common Rule. This is a very
significant action that the AAMC believes exceeds the Department's
authority under the HIPAA. This matter is of concern for three
major reasons:
- The Department is presently in the midst of effecting
a major change in the way in which it oversees research
involving human subjects. The OPRR is being relocated
out of NIH and into the Office of the Secretary, and is
being renamed the Office for Human Research Protection
(OHRP). A nation-wide search is underway for the director
of OHRP, and the Secretary has agreed at the urging of
the research community to establish a National Advisory
Committee for the new entity. The AAMC believes that
the OHRP and its Advisory Committee should as an early
priority undertake a thorough, deliberate, and comprehensive
review of the Common Rule, including its protection of
human subjects' privacy, with adequate opportunity for
public input, and consider such changes as may be desirable.
Given that likely near-term opportunity, the Association
does not believe that piece-meal tinkering with the Common
Rule, as the Department is attempting via this NPRM, is
advisable.
- The National Bioethics Advisory Commission is presently
engaged in an intense review of human subjects protections
and will undoubtedly propose modifications to the Common
Rule, as well as its regulatory oversight. The Institute
of Medicine is planning a study of the same issues. The
AAMC believes that it would be sensible to await these
impending assessments and recommendations before initiating
changes in the Common Rule.
- For medical schools and teaching hospitals, which
now operate under the provisions of the Common Rule, the
NPRM will require that their IRBs conduct their research
review and oversight responsibilities under two different
and summative sets of requirements, the Common Rule and
the new medical information privacy rule, with all of
its burdensome provisions and liabilities. For example,
for research proposals that are of "more than minimal
risk," the NPRM would mandate that researchers not
only obtain an individual's informed consent, as required
by the Common Rule, but also his/her individual authorization
that complies with the very detailed specifications prescribed
in §164.508(c). This would be confusing to prospective
research subjects, unreasonably burdensome to health researchers
engaged in clinical trials and to IRBs that must review
their proposals, and a costly imposition on academic institutions
forced to maintain two separate systems of human subjects
protection.
- The proposed standards of "de-identifiability"
and of "minimum necessary," unless changed as
we have urged earlier in this letter, would apply to the
use and disclosure of PHI for research purposes, imposing
on IRBs entirely new and disturbingly ambiguous standards,
and exposing the members, as well as their parent institutions,
to the severe civil and criminal sanctions associated
with violations. The IRBs working in the academic medical
community are under great strain, as has been amply documented
in the media in the past two years, and adding the further
very substantial burdens encompassed in the NPRM would
seem to the Association to be unwise and unnecessary.
The AAMC is aware of no credible information indicating
that the confidentiality of medical records and IIHI is
not being adequately respected and protected by
IRBs and researchers working under the requirements of
the existing Common Rule. The proposed provisions would
put in limbo the status of central IRBs and Data Safety
Monitoring Boards in multi-center clinical trials, and
jeopardize the willingness and ability of covered entities
to participate in such trials. What institution, facing
the liabilities established in this complex rule, would
be willing to entrust the use and disclosure of its PHI
for research to the oversight of an external body? Indeed,
the fact that the determinations of an IRB or Privacy
Board could result in major sanctions against the parent
institution could well serve as an impediment to any institution's
participation in research requiring access to PHI, and
a major deterrent to institutions for whom health research
is not part of their core mission.
The AAMC believes that the NPRM as written would have
a chilling effect on clinical research and the recruitment
of young clinical investigators. Accordingly, the Association
strongly urges the Department to reconsider this attempt at
ad hoc modification of the Common Rule and agree to await
the formation and deliberations of the new OHRP, with its
processes of public input, the impending report of the NBAC,
and, if timely, that from the IOM. The Association is firmly
convinced that this would be the wiser, safer, and far more
preferable course for dealing sensibly, deliberately and comprehensively
with the protection of medical information privacy in research.
H. Health Oversight Activities (§164.510(c))
The provision states straightforwardly that "[a] covered
entity may disclose [PHI] to a health oversight agency for
oversight activities authorized by law…" (64 Federal
Register 60056, column 3), but the discussion of this
provision in the preamble raises serious concerns. As we earlier
noted in this letter, the preamble makes clear that the disclosure
permitted by this provision is to be restricted to health
oversight agencies and private entities working under a contract
with, or grant of authority from, one or more of the government
oversight agencies. Excluded are oversight activities by
private entities, such as accreditation organizations, even
if accreditation by such an organization is recognized by
law as fulfilling a government requirement or condition of
participation in a government program. Under this rule,
therefore, accrediting organizations like JCAHO, the College
of American Pathologists, Residency Review Committees, and
the LCME would not be permitted to access PHI without either
individual authorization or the contractual relationship specified
for business partners. To restrict access to PHI by such
well-established accrediting organizations as those exemplified
above, whose role is so critical to oversight and quality
assurance in the health care delivery system, makes absolutely
no sense, and to surmount the restriction would be unduly
expensive and burdensome. The Association urges that this
restriction be eliminated.
5. Code of Fair Information Practices (§§164.512-516)
An important goal of the NPRM is to embed in federal regulation
a "code of fair information practices" with respect
to the use and disclosure of PHI. The Code of Fair Information
Practices was created by the DHEW Secretary's Advisory Committee
on Automated Data Systems in 1972 and contained five principles:
(1) There must be no personal data record-keeping systems
whose very existence is secret.
(2) There must be a way for a person to find out what information
about him/her is in a record and how it is used.
(3) There must be a way for a person to prevent information
about him/her that was obtained for one purpose from being
used for other purposes without consent.
(4) There must be a way for a person to correct or amend
a record of identifiable information about the person, and
(5) Any organization creating, maintaining, using or disseminating
records of identifiable personal data must assure the reliability
of the data for their intended use and take precautions to
prevent misuses of the data.
The federal Privacy Act of 1974 is in essence a codification
of fair information practices that applies to personal information
held by federal agencies.
The NPRM establishes a number of individual rights and covered
entity obligations that flow directly from the code of fair
information practices. These include the near-absolute rights
of individuals to inspect and copy their PHI, to request amendment
of their PHI, to request restriction of use or disclosure
of their PHI, and to obtain a record of every disclosure of
their PHI that is made. The covered entity must, among other
requirements: maintain a record of every disclosure of an
individual's PHI for as long as the PHI is held; have policies
and procedures in place that ensure that only the minimum
amount of PHI is used or disclosed that is required to meet
the purpose of the request, and that describe in detail the
physical, technical and administrative measures that the entity
has implemented to secure PHI; prepare a Notice of its information
practices that is in essence a summary of its policies and
procedures, and make the Notice available to all patients,
employees, business partners, etc.; and maintain extensive
documentation of its policies and procedures and make no significant
changes in its information practices without first changing
its documentation and Notice. All of these obligations, as
well as all other requirements of the rule, are subject to
compliance audit by the Secretary.
Although these requirements will be burdensome and costly,
and will require major changes in well established medical
practices, it is important to recognize that "fair information
practices" have been the center-piece of every medical
information privacy bill that has been introduced by either
party in the Congress. Their eventual establishment by regulation
or legislation would seem to be inevitable. That being said,
the AAMC has reservations about the seemingly rigid, "one
size fits all" fashion in which these practices would
be mandated by the NPRM.
The Association urges that the application of these practices
to health information be carefully tailored to, and the pace
of their implementation informed by, the realities of the
complex patterns and enormous volumes of health information
traffic that are necessary for the contemporary health care
delivery system to function.
A. Notice (§164.512)
A covered entity must have procedures that provide adequate
notice to individuals of their rights and the procedures for
exercising their rights with respect to PHI about them. The
NPRM lays out a detailed specification of the information
that must be included in the Notice, which is in essence a
summary of the detailed policies and procedures required of
each entity for managing its uses and disclosures of PHI,
as well as specifications for its distribution and posting.
Although the AAMC is concerned about the prescriptiveness
of this provision, it is generally supportive of the Notice
requirement.
B. Access of Individuals to PHI (§164.514)
An individual has a near absolute right of access, which
includes the right to inspect and obtain a copy, to his/her
PHI in designated record sets (see 3.A.) of a covered
entity, including such information in a business partner's
designated record set that is not a duplicate of that held
by the covered entity. The exceptions are limited to circumstances
in which access would endanger the individual or another person,
or violate a pledge of confidentiality to another party; where
the information was compiled in anticipation of a legal proceeding;
or the information was obtained in the course of a clinical trial
which is in progress, and the individual has agreed to the
denial of access in the informed consent, and the IRB
or Privacy Board has deemed the waiver of access to be appropriate.
The AAMC believes that this provision is overly broad and
would be unreasonably costly and burdensome. The Association
urges that the right of access be limited to the maximum extent
possible to designated record sets in the possession of the
originating provider, where we believe that the most complete
records of PHI would be maintained for patients or covered
persons.
The AAMC strongly objects to the way in which the provision
§164.514(b)(iv) deals with PHI obtained during the course
of a clinical trial. The Association believes that the sharing
of clinical trial data with a subject should appropriately
be addressed in the informed consent process, and that the
informed consent should thereafter govern. As we have addressed
in 4.F., the AAMC does not believe that individuals should
have any absolute right of access to PHI that might be contained
in research files; indeed, we do not believe that research
files fit within the definition of "designated record
sets" (vide supra, 3.A.). We have already indicated that
information obtained during a clinical trial that has been
agreed in the informed consent to be shared with the research
subject, or used in the course of providing health care, should
become part of the medical record, where it would be accessible
to the subject under the rule. The rule should provide no
absolute right of access to such information even after completion
of the clinical trial unless that access has been so agreed
in the informed consent process.
It is often stated that the "Gold Standard"
of research on new drugs and medical devices is the double-blinded,
randomized clinical trial. Providing subjects with an absolute
right to access clinical trial data during the course of the
trial would undermine the investigator's ability to design
and conduct the trial, and indeed, would vitiate the very
concepts of blinding and randomization. This would be a tragically
unwise, even if unintended, consequence of this provision
that must be avoided. The AAMC urges that this section of
the rule be modified to provide strong privilege to clinical
trial information (as we believe should be accorded all research
information that contains PHI), subject to any agreements
between investigator and subject to disclose such information,
which are documented in the informed consent process.
C. Accounting for Disclosures of PHI (§164.515)
An individual has a right to receive an accounting of
all disclosures of PHI made by a covered entity as long
as the information is maintained by the entity, except for
disclosures for treatment, payment and health care operations,
and when ordered by oversight or law enforcement entities
not to record disclosures in order to prevent impedance of
their activities. The language of the provision is ambiguous
and creates uncertainty about whether it addresses disclosures
only (as the title would indicate), or whether it includes
uses other than treatment, payment and health care operations,
as well. The AAMC believes that the provision should address
disclosures only, and not uses, which would make implementation
far more practicable and less burdensome. We come to this
conclusion on the grounds that all "uses" other
than treatment, payment and health care operations, which
are authorized by the rule, or those permitted without authorization
under §164.510, will require specific individual authorization.
We also note that the mandated Notice, which must be provided
to all individuals, must specify all of the covered
entity's information practices; accordingly, the individual
must be presumed to be aware of how the entity intends to
use or disclose his/her PHI. The Association believes that
the burdens and costs that would be incurred by covered entities
in specifically accounting for each and every "use,"
as well as "disclosure," would be excessive and
far outweigh any theoretical benefits.
D. Amendment and Correction (§164.516)
An individual has the right to request a covered entity to
amend or correct his/her PHI in designated record sets of
the entity for as long as the entity maintains the information.
An entity may deny the request if the information was not
created by the entity or would be inaccessible to the individual
for the reasons described in 5.B. If the covered entity makes
the requested changes, it must make reasonable efforts to
notify other persons who the individual identifies as needing
notification; and persons, including business partners, who
the covered entity knows have received the original information,
"and who may have relied, or could foreseeably rely,
on such information to the detriment of the individual."
The entity must have procedures in place to make the amendment
or correction in any of its designated record sets and to
notify its business partners, as appropriate, and the procedures
must specify the process for correction or amendment.
The AAMC believes that this provision is overly broad
and burdensome. The Association would like to see the right
of amendment and correction limited to the maximum extent
possible to designated record sets in the possession of the
originating provider, and the point made clear that this provision
does not permit any deletions or alterations of the original
information. The former request would limit the burdens and
costs of complying with this provision, the latter would ensure
the preservation of direct observations, scientific data,
or professional impressions entered into the medical record,
and thereby protect the integrity of the record. The AAMC
is very strongly opposed to any provision, or interpretation,
that would allow retrospective alteration of medical records.
With this requested clarification, the provision should be
retitled "Amendment" only. The word "Correction"
should be eliminated from the title and the text. The Association
is also concerned by the language requiring notification of
those who "may have relied, or could foreseeably rely,"
language that once again seems to require prognostication
on the part of the holder of PHI. The AAMC requests that this
language be eliminated.
6. Administrative Requirements (§164.518)
The administrative and documentation requirements are very
extensive and prescriptive, and they will be costly. Each
covered entity must: designate a privacy official who is responsible
for the development and implementation of the entity's privacy
policies and procedures, as well as a contact person or office
for receiving complaints relating to compliance with the rule;
provide mandatory training to all members of the workforce
who, by virtue of their positions, are likely to obtain access
to PHI, at or close to the time of hire and at least once
every three years thereafter, and obtain from each employee
a signed certification of training and a pledge to honor all
policies and procedures required by the rule; establish administrative,
technical and physical safeguards to protect the privacy of
PHI; maintain detailed records of complaints received
and their disposition; establish and apply sanctions against
members of its workforce who fail to comply with applicable
policies and procedures in connection with PHI held by the
covered entity or its business partners; and be duty-bound
to mitigate to the extent practicable any deleterious effects
from uses or disclosures of PHI that are in violation of the
rule.
The requirements for documentation and record keeping are
set forth in exceeding detail to cover each and every aspect
of the rule. The documentation is important not only for purposes
of compliance, workforce training, and informing patients,
business partners, et al., but also because "a covered
entity may not implement a change to a policy or procedure
[required by the rule] until it has made the appropriate changes
to the documentation required by this section and the [required]
notice" (64 Federal Register 60063, column 1).
The AAMC observes that the NPRM's references to a
"privacy official" and a "contact person"
(for receiving complaints) mask the plain fact that this rule
will spawn the creation of a new "privacy industry"
that will add greatly to the size of the bureaucracy and the
costs of the American health care delivery system, which already
labors under one of the highest proportions of administrative
overhead expenses in the world. The Association is aware of
the roughly 10-fold discrepancy between the cost estimates
for implementing this rule that have been offered by DHHS
and the private sector, and we predict on the basis of our
study of the NPRM that the real costs will be much closer
to the higher than to the lower values. Given the severe financial
pressures that are buffeting the nation's teaching hospitals
and academic health care systems, the AAMC strongly urges
that these added costs be recognized by the federal government
and by all public and private payers for health care. The
costs cannot be tolerated or absorbed as an unfunded mandate.
Concluding Comments
The AAMC shares with the Department regret that the Congress
has been unable to pass a comprehensive medical information
privacy bill that would provide a uniformly high standard
of protection across the United States. It would appear that
all of the segments of society that are stakeholders in the
"privacy debates" agree on this point, but the sharp
differences of opinion and belief among these stakeholders
have so far defied Congressional resolution. Under the circumstances,
the Department is mandated by the HIPAA to propose regulations
under a variety of authorization restraints that chafe in
the face of the broad scope of the problems that need to be
addressed. The AAMC commends the Department for the conscientious
effort it has made to discharge its mandate in the NPRM, while,
at the same time, noting its major reservations about the
regulations that have been proposed. In summary, our concerns
are principally focused on three large issues.
First, we believe that any regulatory or legislative solution
to the problems of medical information privacy will inevitably
impose enormous costs and administrative burdens on the health
care enterprise and usher in a lengthy period of confusion
and ambiguity as the highly diverse components of the enterprise
struggle to understand the new rules and implement policies
and procedures that will comply with them. We note these concerns
not to argue against the enactment of privacy protections,
which the Association strongly supports, but rather to support
our very strongly held view that the rules must be crafted
with precision and with understanding of and sensitivity to
the complexity and volume of the existing flows and uses of
individually identifiable health information that drive and
lubricate the workings of the health care delivery system.
From this perspective, the Association concludes that the
NPRM falls short, as we have tried to describe in the body
of this comment letter. In a word, the AAMC believes that
the establishment of new rights and the application of new
over-arching principles, like those embraced by fair information
practices, would be imposed too precipitously and in too blanket
a fashion to be workable. We have suggested above a number
of instances where the Association urges restraint and more
careful tailoring, and we would be pleased to discuss with
the Department these and additional recommendations that we
believe would make the application of these regulations more
tolerable and effective.
Second, the Association has grave reservations about the
way in which the Department has chosen to approach the issues
related to the use of PHI in medical research. We note, as
does the Department in its preamble, that the HIPAA gives
DHHS no authority to regulate health researchers, or, for
that matter, health research, and we observe that regulation
of human subjects research in this country is amply provided
by the Common Rule, notwithstanding contemporary evidences
of strain within the IRB system. The Common Rule deals
with research involving human subjects, and it explicitly
includes identifiable private information. One of the
general requirements of IRBs is that they assess the importance
of the knowledge likely to be obtained from a research project
against the risks posed to subjects, and a specific requirement
requires the IRB to determine that "when appropriate,
there are adequate provisions to protect the privacy of subjects
and to maintain the confidentiality of data."
Regardless of the Department's opinion of how well those
provisions are being carried out, the existing regulatory
language is clear and, in the view of the Association, sufficient.
In this context, the AAMC has no problem with the intent of
the NPRM to regulate the release by covered entities of PHI
for research by requiring either IRB or Privacy Board review,
but the Association does take exception to the Department's
attempt to use this NPRM to effect the "back-door"
amendment of the Common Rule by adding four new criteria to
those already required in consideration of waiver of individual
authorization (or, in Common Rule terminology, informed consent).
The Association actually agrees with the substance of three
of the proposed four new criteria, but we strongly object
to criterion vi, which we believe, as argued above, would
open IRB deliberations to intractable debates over competing
ethical values that would be driven by personal belief structures
and ideologies. Considering that the Department is in the
process of relocating, renaming and reshaping the OPRR, and
searching for a Director, and given the Department's intent
to form a long-needed Advisory Council for this Office, the
AAMC strongly urges the Department to consider deferring its
desire to modify the Common Rule until such time as the new
Office for Human Research Protection and its Advisory Council
are formed and can deal with this and other issues regarding
the protection of human subjects in research. At the very
least, the AAMC urges that the Department eliminate proposed
new criterion vi, which we believe is ill-advised and could
set a very dangerous precedent with respect to such controversial
and emotionally charged matters as mental health research,
animal research, and research with human stem cells or fetal
tissues.
Third, we again note our strong opposition to the contrivance
of creating new categories of research information related
or unrelated to treatment, which would be differentially regulated
under the NPRM. We have presented our arguments earlier in
this letter and will not reiterate them, other than to reaffirm
our view that such a strained dichotomization of medical research,
justified by little more than expediency, is ill-considered
and would in fact serve to weaken the protections of confidentiality
of research data that are currently available, while imposing
heavy and unnecessary burdens on medical researchers with
little or no benefit. These burdens would fall most onerously
on clinical (physician) researchers engaged in translational
studies and clinical trials, a species of investigator that
has repeatedly been labeled as "endangered," and
about which there is rising national concern. Most of the
strategies that have been suggested to make clinical research
a more attractive career option for young physicians are focusing
on creating incentives and reducing obstacles, real and perceived.
The burdens that would be placed disproportionately on these
researchers under the NPRM run counter to both of these objectives
and would only worsen what is already a daunting problem.
The AAMC urges that this approach be discarded as contrary
to the objective, which we share with DHHS, of enhancing the
protection of PHI obtained or maintained in research files
and databases.
The NPRM requires major changes so that it will reasonably
protect the privacy of individually identifiable health information,
while not impeding the flows of health information required
for the provision of excellent and efficient health care or
for the conduct of health research. In several instances,
the Department has exceeded the authority granted to it under
HIPAA, a fact that underscores the need for Congress to revisit
this complex issue to ensure that a system of protection of
individually identifiable health information is logical, coherent
and nationally uniform, not needlessly burdensome and costly,
and impedes neither health care delivery nor vital health
research.
Sincerely,
Jordan J. Cohen, M.D.