AAMC Comment Letter on DHHS
Final Rule on "Standards for the Privacy of Individually
Identifiable Health Information"
March 30, 2001
The Honorable Tommy G. Thompson
Secretary, U.S. Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201
Dear Secretary Thompson,
The Association of American Medical Colleges (AAMC) welcomes
the opportunity to comment upon the impact of the Department
of Health and Human Services (DHHS) final rule entitled "Standards
for the Privacy of Individually Identifiable Health Information."
The AAMC represents the nation's 125 accredited medical schools,
over 400 major teaching hospitals and health care systems,
more than 87,000 faculty in 92 professional and scientific
societies, and the nation's 67,000 medical students and 102,000
residents. We submit this formal comment in accordance with
the requirements of the Request for Comments on the Final
Rule, 66 Federal Register 12738 (February 28, 2001).
The AAMC is committed to promoting integrity in all the core
missions of academic medicine - teaching, research, patient
care, and community service - and has always underscored the
importance of respecting patient autonomy and the privacy
and confidentiality of individually identifiable medical information.
In the considered judgment of the AAMC, the final rule, although
improved in some respects, does not yet serve these ends.
Because it fails to preempt state laws, the rule does little
to simplify the administration of health care. Equally important,
the rule's complex procedural barriers to the use of protected
health information may seriously impede healthcare delivery,
research, medical education, and the essential fundraising
activities of academic medical centers.
Our comments will focus largely on the effects of the rule
on medical and health education and research, about which
the AAMC has grave concerns. We do wish to emphasize, however,
that the Association's members are responsible for operating
the nation's renowned teaching hospitals and health systems,
and for providing complex, cutting-edge medical care to all
patients, including those covered by Medicare and Medicaid,
and those with no health insurance coverage at all. Thus,
the AAMC is very cognizant of the rule's enormous impact on
treatment, payment and health care operations, to use the
rule's vernacular, and on the ability of institutions to raise
the private funds necessary to sustain teaching and research.
In view of these concerns, we endorse in general the comments
submitted by the American Hospital Association (AHA).
We agree in particular with the AHA that the rule is over-reaching;
that it will be much more costly and burdensome than the rule's
authors wish us to believe and will create an expensive new
"privacy bureaucracy" that, absent sources of new
funding nowhere yet identified, represents a substantial unfunded
mandate; that it cannot be implemented effectively nation-wide
within the 2-year compliance window specified; and that the
inability of the rule to preempt state laws will prove to
be increasingly problematic and burdensome, in an era in which
individual mobility, interstate health care delivery, payment
and operations, and interstate research are all commonplace.
The comments that follow address issues of particular concern
to the AAMC.
I. De-identification of Protected Health Information
The AAMC believes that the undeniably strong public interest
in furthering epidemiological and health services research
can only be served by a separate, more reasonable standard
for the de-identification of protected health information
for research purposes. Covered entities should be permitted
to release information that has been de-identified under this
research standard only if the recipient researcher agrees
in writing not to attempt to re-identify or contact the subjects
of the information, and not to further disclose the information
except as required by law. To fully protect the subjects of
epidemiological and health services research, the AAMC urges
Congress to pass legislation punishing any attempt to re-identify
individuals from information that has been de-identified for
use in research.
To facilitate the use of health information for bona fide
research purposes, the AAMC proposes the following amendments
to §164.514:
§164.514(a)(i) Standard:
de-identification of protected health information. Health
information that does not identify an individual and with
respect to which there is no reasonable basis to believe
that the information can be used to identify an individual
is not individually identifiable health information.
(ii) Exception for information disclosed for research
purposes. Information that does not directly identify
an individual and that conforms to the requirements of
§164.514(b)(3) is not individually identifiable health
information when disclosed to a researcher or researchers
pursuant to each researcher's written assurance that:
(A) The information will be used only for research
purposes and will not be further disclosed except as
required by law; and
(B) The researcher will not attempt to re-identify
or contact individuals who are the subjects of the information.
* * *
§164.514(b)(3). Implementation specifications:
requirements for de-identification of protected health information
disclosed for research purposes. A covered entity may
determine that health information disclosed pursuant to
a written assurance meeting the requirements of §164.512(a)(ii)
is not individually identifiable health information only
if:
(i) Under the procedures described in §164.514(b)(1),
the covered entity has determined that the risk is very
small that the information could be used, alone or in
combination with other reasonably available information,
by the recipient researcher to identify an individual
who is the subject of the information; or
(ii) The following identifiers of the individual or
of relatives, employers, or household members of the individual,
are removed:
(A) Names;
(B) Street address;
(C) Telephone numbers;
(D) Fax numbers;
(E) Electronic mail addresses;
(F) Social security numbers;
(G) Vehicle identifiers and serial numbers;
(H) Photographic images depicting the full face or full
profile; and
(iii) The covered entity does not have actual knowledge
that the information could be used alone or in combination
with other reasonably available information to identify
an individual who is the subject of the information.
II. Criteria for Waiver of Patient Authorization for the
Use or Disclosure of Information for Research
The AAMC is deeply concerned that certain criteria for waiver
of authorization are internally contradictory and invite judgements
about the merits of research that are properly reserved to
IRBs acting in accordance with the Common Rule. In particular,
we question how an IRB or Privacy Board should weigh the "reasonableness"
of a risk to privacy under §164.512(i)(2)(ii)(E), given
that the risk must already have been deemed "minimal"
under §164.512(i)(2)(ii)(A) to warrant a waiver of authorization.
We also remind you that under the Common Rule IRBs weigh all
the risks and benefits of research - including any risks to
privacy - when deciding whether to waive consent for participation.
Accordingly, the AAMC believes that the obligation of a covered
entity's Privacy Board, or of the entity's IRB when undertaking
a privacy review in compliance with this rule, should be limited
to assessing whether risks to privacy exceed the "minimal"
threshold, and if not, whether a waiver is necessary, and
whether safeguards for the protection of subjects' privacy
and confidentiality are adequate.
The AAMC proposes the following amendment to §164.512(i)(2)(ii):
§164.512(i)(2)(ii). Waiver criteria.
A statement that the IRB or privacy board has determined
that the alteration or waiver, in whole or in part, of authorization
satisfies the following criteria:
(A) The use or disclosure of protected health information
involves no more than minimal risk to the individuals;
(B) The alteration or waiver will not adversely
affect the privacy rights and the welfare of the individuals;
(C) (B) The research could not practicably
be conducted without the alteration or waiver;
(D) (C) The research could not practicably
be conducted without access to and use of the protected
health information;
(E) The privacy risks to individuals whose protected
health information is to be used or disclosed are reasonable
in relation to the anticipated benefits if any to the
individuals, and the importance of the knowledge that
may reasonably be expected to result from the research;
(F) (D) There is an adequate plan to protect
the identifiers from improper use and disclosure;
(G) (E) There is an adequate plan to
destroy the identifiers at the earliest opportunity consistent
with conduct of the research, unless there is a health
or research justification for retaining the identifiers,
or such retention is otherwise required by law; and
(H) (F) There are adequate written assurances
that the protected health information will not be reused
or disclosed to any other person or entity, except as
required by law, for authorized oversight of the research
project, or for other research for which the use or disclosure
of protected health information would be permitted by
this subpart.
III. Uses and Disclosures for Research Purposes
The AAMC believes that the rule's authorization requirements
are needlessly burdensome and so complex as to be practicably
unadministrable. Because most - if not all - research including
treatment will require access to prior medical records, a
clinical investigator would henceforth be required to obtain
not only an individual's informed consent to participate in
the research study, but also separate authorizations for (a)
using and disclosing PHI in the individual's medical records,
and (b) using or disclosing PHI to be created during the course
of the research. The rule also fails to specify that participation
in a clinical trial offering research-related treatment may
be conditioned upon an authorization for use and disclosure
of prior medical records.
In our view it is essential that covered entities be permitted
to combine all authorizations necessary for the use of information
in a clinical trial with the consent form for participation
in research. When the consent form has been approved by an
IRB, no additional authorization should be required for any
uses or disclosures of contemporaneous or historic medical
information in the course of the research. We urge you
to exempt from the authorization provisions of §164.508
all uses and disclosures of information for research including
treatment that has been approved by an IRB acting in accordance
with the Common Rule, and to include uses and disclosures
in connection with such research as a category of permissible
uses and disclosures under §164.512 of the final rule.
IV. Accounting for Disclosures
In seeming disregard for the administrative burden imposed
upon covered entities, the rule permits individuals to demand
that covered entities account for most non-routine disclosures
of PHI during the six years preceding such a request. Inevitably,
this requirement will sharply curtail the exchange of health
information between covered entities and those who conduct
research or monitor trends in public health. Given the detailed
nature of the required accounting and the rule's near prohibition
on cost-recovery from individuals requesting yearly audits,
many covered entities will simply be unable to meet the accounting
requirement, and as a result, will decline to make patient
records available to researchers or to make voluntary reports
of adverse events to disease registries or pharmaceutical
manufacturers.
The AAMC proposes the following amendment to §164.528:
§ 164.528. Accounting of disclosures of protected
health information. (a) Standard: right to an accounting
of disclosures of protected health information. (1)
An individual has a right to receive an accounting of disclosures
of protected health information made by a covered entity
in the six years prior to the date on which the accounting
is requested, except for disclosures:
(i) To carry out treatment, payment and health care operations
as provided in § 164.502;
(ii) Made to researchers as provided in §164.508
and 164.512(i);
(ii)(iii) Made for public health purposes
as provided in §164.512(b);
(iii)(iv) To individuals of protected
health information about them as provided in § 164.502;
(iv) (v) For the facility's directory
or to persons involved in the individual's care or other
notification purposes as provided in § 164.510;
(v) (vi) For national security
or intelligence purposes as provided in § 164.512(k)(2);
(vi) (vii) To correctional institutions
or law enforcement officials as provided in § 164.512(k)(5);
or
(vii) (viii) That occurred prior
to the compliance date for the covered entity.
V. Public Health Reports
The rule has eliminated providers' discretion to make voluntary
disclosures of PHI to disease and exposure registries, under
the questionable assumption that unless required by law, such
reports are not "national priorities." Contrary
to this view, the AAMC has emphasized repeatedly that the
voluntary collection of data for public health purposes serves
a societal interest at least as strong as the individual privacy
interest asserted as the basis for the final rule. Disease
registries operated by non-profit entities are an irreplaceable
source of comprehensive data, without which much epidemiological
and health services research could not occur.
Imposing the rule's complex authorization requirements on
such data collection would discourage providers from making
disclosures to disease registries. It is difficult to conceive
of how a provider might obtain a patient's valid authorization
for disclosures to a registry, because a registry by its very
nature must not contain information that is subject to the
expiration or revocation of the patient's authorization. Even
if it were possible to construct a valid authorization for
the collection of registry data, an authorization requirement
would result in datasets of questionable utility, riddled
with incomplete records and biased by varying rates of non-participation
among patient subgroups. Seeking a waiver of authorization
for non-mandatory disclosures of PHI to registries may not
be a viable alternative, as it is unclear that a Privacy Board
or an IRB could legally waive authorization for the collection
of registry data when, as is common with a registry, the particular
studies to be conducted with the data will not have been identified
at the time of data collection.
The AAMC also reminds you that voluntary exposure registries
and other surveillance activities conducted by manufacturers
are essential for tracking product safety and effectiveness
across a much broader range of patients than those who are
exposed to products in clinical trials. Yet the rule would
allow providers to disclose PHI for post-marketing surveillance
only at the requirement or direction of the FDA, despite the
fact that FDA typically encourages but does not require or
direct sponsors to establish registries or to conduct post-marketing
surveillance.
To the extent that DHHS is concerned to limit manufacturers'
inappropriate use of registry data for marketing, legislation
may be needed to penalize the unauthorized commercial use
of PHI originally disclosed for public health purposes. The
solution to the problem of unauthorized marketing is not,
however, to burden legitimate public health reporting activities.
The AAMC urges you to broaden the exception in §164.512(b)
to encompass all voluntary public health reporting activities.
Specifically, covered entities should be permitted to
disclose PHI for public health purposes upon receipt of an
adequate written assurance that the information will not be
used or disclosed for other than the specified public health
activities. In the alternative, the Secretary should amend
§164.512(i) to clarify that when adequate safeguards
for preserving confidentiality are assured, an IRB or Privacy
Board may waive authorization for disclosures to a patient
registry, even when the specific research uses of the data
have not yet been identified.
VI. Accreditation and Institutional Oversight of Research
Integrity
In our comments to the Notice of Proposed Rulemaking for
the privacy rule, the AAMC objected strongly to the proposed
requirement that accreditation organizations become business
partners of covered entities. The role of private accreditation
organizations, such as the Joint Commission on the Accreditation
of Healthcare Organizations (JCAHO) and the College of American
Pathologists (CAP) Laboratory Accreditation Program, in performing
inspection and accreditation of health providers is a well
established and critically important mechanism for promoting
the quality of care. We have similar concerns with respect
to organizations such as the Accreditation Council on Graduate
Medical Education (ACGME), the American Board of Medical Specialties
(ABMS), and the Liaison Committee on Medical Education (LCME)
whose mission is to assess and ensure institutional and individual
competence.
The final rule would prohibit covered entities from disclosing
PHI to accreditation organizations unless those organizations
are designated "business associates" and thereby
enmeshed in the burdensome contractual requirements that the
rule mandates for such relationships. The AAMC believes that
the public interest is not well served by requiring business
associate agreements between covered entities and the organizations
that accredit them or certify their staff members. At a minimum,
health care providers must be permitted to disclose all necessary
information to organizations that are deemed or otherwise
recognized by health oversight agencies, so that these organizations
may continue to carry out their customary accreditation, certification
and quality assurance functions.
The AAMC is likewise concerned that the rule may impede the
ability of academic institutions to comply with federal regulations
that require them to conduct internal investigations into
allegations of research misconduct, as specified in 42 C.F.R.
Subpart A. When misconduct allegations arise in connection
with its clinical research, an academic institution must appoint
its own investigators, who in the course of their inquiry
and any subsequent investigation may examine source documents
to verify the accuracy and integrity of the research record.
These source documents typically include medical records or
other PHI maintained by the covered entity hosting or conducting
the research.
The privacy rule's provisions for health oversight permit
the covered entity to disclose PHI only to a health oversight
agency for audits or investigations to determine compliance
with regulatory standards, §164.512(d)(1). "Health
oversight agency" includes federal and state authorities
and persons or entities acting under grant of authority or
contract with public agencies, §164.501. It does not
appear that this term also includes persons appointed by an
academic institution to conduct a misconduct inquiry or investigation
under 42 C.F.R. §50.103. Absent clarification in the
final rule, covered entities may be reluctant to permit institutional
investigators the access to medical records necessary to conduct
an adequate investigation of alleged misconduct in a clinical
trial.
To address the aforementioned concerns regarding accreditation
and institutional research misconduct investigations, the
AAMC suggests that §164.512(d) be amended as follows:
(d) Standard: uses and disclosures for health oversight
activities. (1) Permitted disclosures.
A covered entity may disclose protected health information
to a health oversight agency, to an individual acting
at the direction of a health oversight agency or in compliance
with the regulations, guidance, or policy statements of
a health oversight agency, or to an organization deemed
or otherwise recognized by a health oversight agency,
for oversight activities authorized by law, including audits;
civil, administrative, or criminal investigations; inspections;
licensure or disciplinary actions; research misconduct
investigations; accreditation activities; civil, administrative,
or criminal proceedings or actions; or other activities
necessary for appropriate oversight of:
(i) The health care system;
(ii) Research that is federally funded or otherwise subject
to federal regulation;
(ii) (iii) Government benefit
programs for which health information is relevant to beneficiary
eligibility;
(iii) (iv) Entities subject to
government regulatory programs for which health information
is necessary for determining compliance with program standards;
or
(iv) (v) Entities subject to civil
rights laws for which health information is necessary
for determining compliance.
VII. "Minimum Necessary"
The AAMC is concerned about the "minimum necessary"
requirement as it applies to information that is used for
treatment, payment and health care operations. It is easy
to envision that the "minimum necessary" requirement
could bring patient care to a virtual standstill as providers
puzzle through what is the minimum necessary in any given
treatment situation. Computer systems may be helpful in offering
guidance, and general policies can be written, but in the
end - especially in a treatment situation - there must be
a judgement made by a provider on the basis of his or her
experience and the needs of a particular patient. Patients
may suffer from delays in treatment or from being treated
by someone who does not have all the relevant information
needed to make the best decisions about that patient. The
Association supports the elimination of the "minimum
necessary" requirement for treatment, payment and health
care operations.
Should DHHS choose to retain the "minimum necessary"
requirement, changes must be made in the exception that is
found in §164.502(b)(2)(i) for requests by a health care
provider for treatment. There are two problems with the exception:
(1) it does not apply to the use of information for treatment
and (2) it does not cover students or trainees.
As written, the treatment exception applies only to disclosures
of information; in other words, to "the release, transfer,
provision of access to, or divulging in any other manner of
information outside the entity holding the information."
(§164.501; emphasis added). If a physician or other provider
wants to release information for treatment of a patient to
another provider within the same entity--a use, not a disclosure--
this exception would not apply and the release of the information
would be subject to the "minimum necessary" standard.
Providers must continue to have the freedom that they currently
enjoy to make judgments about the sharing of protected health
information with members of the treatment team. Nor should
providers be forced to provide patient care under a cloud
of uncertainty that the wrong decision may be a violation
of the "minimum necessary" requirement. Patients
should not need to worry that a provider's wrong decision
about the "minimum necessary" information may result
in poor care because someone who needed to know certain information
about the patient was denied access to that information.
The exception for treatment must cover both uses
and disclosures; therefore the AAMC proposes the
following amendment to §164.502(b)(2)(i):
§164.502(b)(2)(i) Use or disclosure to or requests by a
health care provider, for treatment; . . . .
B. Application of "Minimum Necessary" to Students
and Trainees
In an academic setting the "minimum necessary"
requirement poses a major impediment to the training of future
health care professionals, including physicians, nurses and
many others who are so essential to the health care system.
"Trainees" are included under the definition of
"workforce" but they are not included under the
definition of "provider" and thus cannot qualify
for the treatment exception. The regulation recognizes that
part of health care operations is "conducting training
programs in which students, trainees or practitioners in areas
of health care learn under supervision to practice or improve
their skills as health care providers . . . ." (§164.501).
Yet if all students, trainees, and practitioners are subjected
to the "minimum necessary" standard, it may become
virtually impossible to provide the type of learning experiences
that, to date, have resulted in the best trained health care
professionals in the world.
When students and trainees work in a clinical setting, they
function as part of a health care team. The AAMC believes
strongly that the education of medical residents, medical
students, nursing students, and other health professions students
requires that their access to the medical information of their
patients should be determined exclusively by their mentors
in accordance with the needs of their respective education
programs. The AAMC supports the proposition that medical residents
and medical and nursing students, as well as other health
professions students, as necessary, should have unrestricted
access to medical information about their patients.
Currently, when a patient seeks medical care in a teaching
setting, the consent form (that is, the traditional consent
form, not the HIPAA consent form) typically includes a statement
that the patient may be seen by health professions residents
and students. It also is common practice that a patient's
expressed wish not to be seen by students or residents is
honored. As is true for providers, students and trainees must
be excepted from the "minimum necessary" standard
when protected health information is being used for treatment
purposes. This is the only way to ensure both the optimal
training experience and the highest level of patient care.
The AAMC proposes that the following exception be added to
§164.502(b)(2):
§164.502(b)(2)(vi) Uses or disclosures made within
training programs in which students, trainees, or practitioners
in areas of health care learn under supervision to practice
or to improve their skills as health care providers.
VIII. Fundraising
The AAMC endorses the comments submitted by Johns Hopkins
University and Johns Hopkins Health System concerning the
detrimental impact of the proposed rule on the fundraising
capabilities of academic medical centers. Under §164.514(f)
a covered entity is allowed to use protected health information
for fundraising purposes without an authorization only if
the PHI used is limited to "demographic information relating
to an individual" and the dates of service. "Demographic
information" is left undefined by the rule, but from
the preamble discussion it seems to include name, address
and other contact information, age, gender and insurance status.
It does not include any information about the reason for which
the patient was treated. This means that absent authorization
from a patient, institutions are precluded from attempting
targeted fundraising efforts. If DHHS does not change this
provision of the rule it will result in a serious impediment
to the fundraising that is necessary for academic institutions
to sustain their core missions of teaching, research and patient
care.
When patients come to academic institutions, it is generally
with the expectation that they will be cared for in a particular
department or division that has expertise and renown for treating
the condition from which the patient suffers. It is through
these departmental and divisional centers that critical funds
are raised to foster future teaching and research. The chief
of the department, division chairs and the attending physicians
all play a part in appeals to their patients to support the
vital work of the departments that rely on their help. The
critical role of targeted appeals can be seen by looking at
the Johns Hopkins Health System where in FY00 .02% of monies
raised were secured through general mailings, and 99.98% were
the result of departmental and divisional appeals. Institutions
such as Johns Hopkins Health System must be allowed to continue
the targeted fundraising efforts without which they will lack
sufficient resources to support their core missions.
The AAMC urges DHHS to make the following change in §164.514:
(f)(1) Standard: Uses and disclosure for fundraising.
A covered entity may use, or disclose to a business associate
or to an institutionally related foundation, the following
protected health information for the purpose of raising
funds for its own benefit, without an authorization meeting
the requirements of section 164.508:
(i) Demographic information relating to an individual;
(ii) Dates of health care provided to an individual; and
(iii) The physician, department, or division of the
covered entity from which the individual received treatment.
IX. Academic Medical Center Components as "Affiliated
Entities"
In academic medical centers it is not uncommon that the various
components--typically a medical school, faculty practice plan(s),
and affiliated hospital(s)--are legally separate entities
and are not under common ownership or control. Operationally,
however, the components are affiliated, through either written
affiliation agreements or long-standing relationships that
evidence their affiliation. Perhaps most importantly, the
components of an academic medical center have a symbiotic
relationship that supports the academic missions of teaching,
research and patient care.
The final rule indicates that legally separate covered entities
may designate themselves an "affiliated covered entity"
only if they share "common ownership or control."
§ 164.504(d)(2). As defined by the rule, "common
control" exists "if an entity has the power, directly
or indirectly, significantly to influence or direct the actions
or policies of another entity." §164.504(a). This definition
is far too ambiguous to permit the covered entity components
of an academic medical center that do not share common ownership
to designate themselves an "affiliated entity" with
confidence.
To allow for the seamless care of patients within an academic
medical center, it is imperative that the center's covered
entity components be allowed to designate themselves as a
single affiliated entity. The AAMC requests that HHS clarify
§164.504(a) as follows:
§164.504(a). Definitions. As used in this section:
Academic medical center consists of a
medical school and all faculty practice plans and teaching
hospitals that designate themselves, either formally or
informally, as affiliated components of the same academic
medical center.
Common control exists if an entity has the power,
directly or indirectly, significantly to influence or direct
the actions or policies of another entity, and is presumed
to exist among the components of a self-designated academic
medical center.
X. Cost of Compliance and Effective Date
In addition to the specific concerns described above, the
AAMC would like to reiterate that two broader issues are of
concern to our member institutions: the cost of the regulation
and the amount of time that is needed to achieve compliance.
When the proposed rule was published it drew criticism on
multiple fronts, including what many considered to be a major
underestimate of the costs of implementation. The cost estimates
in the final rule continue to underestimate the financial
investments that will be required--particularly for the large,
complex institutions that are our nation's major teaching
institutions. For example, the AAMC's most recent data show
that the median number of employees at an AAMC member teaching
hospital is nearly 3000 individuals, virtually all of whom
will require some level of training in the requirements of
the regulation. In some job categories there is frequent job
turnover; for instance, at major teaching institutions hundreds
of new medical residents may begin their training every year.
Each of these individuals must receive appropriate training
at the time of hire and those who remain at the institution
must be trained every three years after that. Any material
changes in policies or procedures also will trigger the need
for new training. These training costs are in addition to
the considerable expense that AAMC member institutions already
incur in the regular conduct of compliance training.
While the training costs will be considerable, even greater
financial investment will be required for the acquisition
and development of the computer systems that will be necessary
to ensure compliance with the Privacy Regulation. Institutions
will be faced with this investment at a time when many are
struggling financially. Although it may be possible to address
the financial expenditure problem through legislation, DHHS
should remain cognizant of the actual expenditures that will
be necessitated by the mandates that the final rule imposes.
Please also be aware that for major teaching and other institutions
that have not yet begun to put in place the necessary computer
systems for HIPAA implementation, it will be virtually impossible
to come into compliance in two years. The Secretary has already
exercised considerable discretion in amending parts of the
rule--for example, in extending the proposed rule to cover
oral communications--and should exercise discretion once again
to extend the compliance dates. Based on discussions with
AAMC members, we believe that, at a minimum, health care providers,
health plans and health care clearinghouses will require an
additional two years to achieve compliance.
The AAMC proposes the following changes to §164.534:
(a) Health care providers. A covered health care provider
must comply with the applicable requirements of this subpart
no later than February 26, 2003 2005.
(b) Health plans. A health plan must comply with the applicable
requirements of this subpart no later than the following date,
as applicable:
(1) Health plans other than small health plans--February
26, 2003 2005.
(2) Small health plans--February 26, 2004
2006.
(c) Health care clearinghouses. A health care clearinghouse
must comply with the applicable requirements of this subpart
no later than February 26, 2003 2005.
* * *
The AAMC respectfully asks that you give full consideration
to each of our suggested modifications to the final rule.
In addition, as you revisit the rule we urge you, in keeping
with the communitarian values reportedly espoused by the new
Administration, to carefully balance concern for the privacy
of the individual with our society's interest in affordable
healthcare, new medical products, and new scientific knowledge
- all of which require shared access to protected health information.
In protecting patient privacy and autonomy, social responsibility
and communal good cannot be compromised.
Should you wish to discuss any of the issues raised in our
letter, please contact David Korn, M.D., Senior Vice President
for the Division of Biomedical and Health Sciences Research,
at (202) 828-0509.
Sincerely,
Jordan J. Cohen, M.D.