Statement on Medical Records' Confidentiality Legislation
Presented by: David Korn, M.D., Senior Vice President, Division of Biomedical and Health Sciences Research
Presented to: Subcommittee on Government Management, Information and Technology, Committee on Government
Date: May 19, 1998

Mr. Chairman and members of the Subcommittee, I am David
Korn, M.D., Senior Vice President for Biomedical and Health
Sciences Research at the Association of American Medical Colleges
(AAMC). I assumed this position on September 1, 1997, when
I became Vice President and Dean of Medicine and Professor
of Pathology, Emeritus, at Stanford University, where I had
been on the faculty for 29 years. The AAMC represents the
nation's 125 accredited medical schools, nearly 400 major
teaching hospitals, more than 87,000 faculty in 89 professional
and scientific societies, and the nation's 67,000 medical
students and 102,000 residents.
The AAMC strongly supports the general intent of current
Congressional efforts to strengthen the protection of individuals'
personally identified health information from inappropriate
and harmful misuse that can lead to discrimination or stigmatization.
This intent is presently expressed in several bills in both
Houses, including Senator James Jeffords' "Health Care
Personal Information Nondisclosure Act," S. 1921, Senator
Robert Bennett's discussion draft bill entitled "Medical
Information Protection Act," and Representative Chris
Shays' discussion draft bill entitled "Consumer Protection
and Medical Record Confidentiality Act."
The AAMC is pleased that while according individuals a right
of "confidentiality" of their individually identifiable
health information and records, Representative Shays and Senators
Jeffords and Bennett recognize that individual claims to "privacy"
cannot be absolute in contemporary society. Rather, they must
be tempered in a limited number of specific instances where
public well being and responsibility require access to individuals'
health information.
Indeed, the central challenge in any effort to protect the
confidentiality of personal health information is to find
the right balance point between the competing goods of individual
privacy and the considerable public benefit that accrues from
controlled access to health information for purposes of delivering
medical care and conducting medical research.
Confidentiality legislation must acknowledge the compelling
public interest in continuing to ensure access to patient
records and other archival materials required to pursue biomedical,
behavioral and health services research. Medicine has always
been, and largely remains to this day, an empirical discipline,
and the history of medical progress has been created over
many centuries from the careful, systematic study of normal
and diseased individuals. From those studies has emerged our
present level of understanding of the definition, patterns
of expression and natural history of human diseases, and their
responses to ever improving strategies of diagnosis, treatment
and prevention. Using archival patient materials, that is,
medical records and human tissue samples obtained during the
course of routine medical care, researchers have been able
to gain powerful insights into the nature, epidemiology, therapy
and prognosis of major disorders of high prevalence, great
human suffering and enormous societal costs. Similarly, epidemiological
and health services researchers have been able to access these
archival materials to collect the large, appropriately structured
and unbiased population samples required to generate meaningful
conclusions regarding the incidence and expression of diseases
in specified populations, the beneficial and adverse outcomes
of particular therapies, and the medical effectiveness and
economic efficiency of health care system operations. A vast
amount of important medical research remains to this day exquisitely
dependent upon the continuing, ready accessibility of archived
patient materials that have been accumulated over generations
in the course of delivering medical care. Indeed, in the present
climate of major public concern about the costs, quality and
efficiency of our rapidly changing health care delivery system,
the need to support and promote such retrospective epidemiological
and health services research has become an urgent public priority.
The AAMC strongly believes that in attempting to deal with
the difficult issues of medical information privacy, giving
due recognition to both the complexity of our contemporary
system of health care delivery and financing and the public
benefits of medical research, the most feasible -- and in
the long term, most effective -- approach is not to try to
erect costly and burdensome new barriers to accessing medical
information required to sustain these activities. Rather,
legislative efforts should be directed, as most of the current
proposals attempt to do, toward requiring the establishment
of strong administrative, technical and physical safeguards
to protect the confidentiality, security, accuracy and integrity
of the classes of health information that are to be protected.
Included among these safeguards should be strong institutional
policies of confidentiality, which might appropriately meet
federal standards to be developed. To complete the "security
package," the bills should – and do – specify stiff criminal,
civil and administrative penalties for intentional or negligent
actions that violate medical information privacy. With stringent
security requirements of this kind in place, the AAMC believes
that legislation should refrain from attempting to construct
elaborate barriers to the relatively unimpeded flow of medical
information that is required for both the effective delivery
of health care and the promotion of a comprehensive national
agenda of medical research.
Given the substantial penalties contained in the confidentiality
bills now in draft or under consideration, including those
of Senators Jeffords and Bennett and Representative Shays,
it is imperative that the bills' definitions be crafted with
great care and clarity. A common pitfall in many of the proposed
confidentiality bills is their lack of sufficient precision
in defining the class of medical information that is to be
circumscribed for statutory protection. Of particular importance
then is the definition of "individually identifiable
health information," the class of information most in
need of protection from inappropriate disclosure and harmful
misuse, and correspondingly, of "non-individually identifiable
health information," the class that would fall outside
of the requirements of the legislation. Some of the bills,
in framing their definition of protected health information,
add to unambiguous terms like "information that directly
identifies an individual" such additional phrases as
"information that may reasonably be used to identify
an individual" or "individually identifiable information"
without further specification. These kinds of terms are highly
subjective and open to a variety of interpretations, which
makes them controversial. The AAMC believes that the protected
class of medical information should be sharply circumscribed
and limited to "information that directly identifies
an individual." Such a definition is least ambiguous
and strikes to the heart of the information that the public
is most concerned to protect.
Correspondingly, the definition of "nonidentifiable
health information" should encompass "information
that does not directly reveal the identity of an individual."
The definition should explicitly include coded or encrypted
information (sometimes called "anonymized"), whether
or not the information is linkable to individuals, as long
as the encryption keys are secured and kept separate from
the encrypted information itself. The justification for including
encrypted, linkable information in the definition of nonidentifiable
health information is significantly strengthened by adding
the additional provision that makes it a crime to attempt
to use encrypted patient data to discover an individual's
identity by any means other than the lawful use of an encryption
key.
The AAMC believes that a set of properly constructed definitions
of individually identifiable and nonidentifiable health information
will serve both to foster medical research and establish an
incentive system for using nonidentifiable health information
in such research to the maximum extent practical. Thus, under
the definitions of individually identifiable and nonidentifiable
health information favored by the AAMC, the burdens of enhanced
security protections and detailed patient authorizations mandated
in the Jeffords, Bennett and Shays bills would not be applicable
to retrospective, non-interventional studies of archival patient
materials using encrypted linkable data. Researchers would
therefore be strongly encouraged to utilize encrypted data
whenever the objectives of their research projects would not
be compromised.
The intense concern of the AAMC with the definition of the
classes of medical information to be protected by or excluded
from the proposed legislation derives from the fact that the precision
of those definitions will significantly determine the effect
of any new legislation on medical research. We are especially
concerned with the potential impact on what is commonly referred
to as secondary research, that is, retrospective non-interventional
studies of archival patient records or tissue samples. Such
studies, although typically never requiring knowledge of individual
patient identities per se, do as a rule require that the individual
research materials be linkable both horizontally and longitudinally
over time. That is, the investigator of disease must be able
to link a given patient's tissue samples with her/his corresponding
medical records, or to link the temporally or geographically
separate medical records of specific patients to follow the
course of particular disease processes and their responses
to therapy. The very same requirements for linkage apply to
large-scale population-based studies conducted by epidemiologists,
health service researchers, and those who study strategies
of promoting health and preventing disease in large populations.
For this reason, we are very concerned with any proposed
definition of protected health information that uses ambiguous
descriptors like "reasonably identifiable" or "individually
identifiable" that could be construed to embrace linkable
encrypted medical information. All of the proposed bills would
require specific and detailed authorization for each instance
of disclosure of protected health information, except in specified
circumstances defined as "exceptions," which largely
pertain to medical treatment, payment, health system operations,
public health requirements and the needs of the legal system.
To construe encrypted linkable medical information as "protected
health information," and thereby to require specific
and detailed authorization for each access to that information
would be not only exceedingly burdensome but chilling to the
conduct of secondary research on archival patient materials.
These studies utilize patient records as primary research
materials and do not involve any interaction with individual
patients. Archival materials have been accumulating in academic
medical centers for generations and constitute an enduring
record of the expressions of human diseases, and the successes
and failures of therapeutic interventions, over time. The
materials represent a unique research resource and collectively
constitute a "national archive"; they are essentially
immortal, like the contents of the Library of Congress, for
example, and that very fact defines much of their research
value. It is veritably impossible at the time of encounter
with an individual patient to predict -- or attempt to describe
to the patient -- the particular types of research questions,
methodologies or particular studies for which these materials
might prove valuable in future years to deepen understanding
of human disease.
In contrast to the typical interventional clinical research
study, in which researchers directly interact with patients
in well-defined clinical protocols and can provide them the
detailed information required for informed consent, the uncertainties
and unpredictability of secondary research make the applicability
of the traditional informed consent procedure problematic.
Accordingly, under the provisions of the Common Rule, such
retrospective research has been singled out for special attention
and, under the criterion that the proposed research may be
deemed to be of no more than minimal risk to the research
subjects, has typically been handled by Institutional Review
Bodies (IRBs) by waiver of review or use of the expedited
review mechanism. The AAMC urges that any new medical information
privacy legislation should take care not to introduce unnecessary,
and perhaps unintended, obstacles to secondary research on
archival patient materials. The Association believes that
for secondary research on encrypted, linkable patient records,
conducted in organizations and under circumstances that meet
statutory requirements for safeguarding the security of medical
information, neither specific patient authorization nor IRB
(or equivalent) notification should be required.
For secondary research on archival patient records that are
individually identified, i.e., that fall within the definition
of protected health information, the AAMC believes that a
statutory requirement of specific authorization would be unwise
and could seriously bias, and thereby undermine, the integrity
of these vital research databases. Rather, the Association
recommends that all such proposed research must be reviewed
by an IRB or equivalent mechanism. The IRB would, in addition
to satisfying itself about those matters currently specified
in the Common Rule, be required to determine that (1) the
organizational setting in which the research will be conducted
is in conformity with statutory requirements for safeguarding
medical information privacy; (2) the research requires the
use of individually identified patient information and could
not be performed without it; and (3) it would not be practicable
or feasible for the investigators to attempt to obtain individual
informed consent from the subject population. Such a review
protocol, in the opinion of the AAMC, would sufficiently protect
the privacy interests of research subjects, while at the same
time continuing to facilitate the conduct of a broad spectrum
of beneficial secondary research on archival patient materials.
In this regard, the Association opposes legislative language
that would order IRBs to weigh the value or significance of
proposed research and somehow balance that against the invasion
of the research subjects' privacy rights. Such a requirement
would go well beyond the kinds of assessment typically delegated
to IRBs and would involve the introduction into the IRB review
process of value judgments about the importance of research
that the Association believes would be highly idiosyncratic
and inappropriate.
The AAMC strongly supports the argument that any new federal
legislation dealing with medical information privacy be preemptive
of state laws on this topic, with the exception of those dealing
with public health reporting requirements, which are well
established, time tested and closely integrated with the nationwide
data collection and evaluation activities of the Centers for
Disease Control and Prevention. The Association recognizes
that this recommendation is controversial, but argues that
the support of medical research is a long-established and
high priority of the federal government, and that there is
therefore a compelling federal interest in ensuring that medical
research is facilitated, and not hindered or blocked by a
discoordinated patchwork of burdensome state privacy legislation.
Much contemporary medical research, especially epidemiological
and health services research, requires access to large, unbiased
population samples encompassing many states. Accordingly,
the Association recommends that any new federal confidentiality
legislation should over-ride state laws to ensure consistent
nation-wide governance of access to archival patient materials
for research. For this reason, the Association is troubled
by the provisions in the Jeffords and Shays bills that would
exempt from federal preemption state laws dealing with the
protection of mental health information. While acknowledging
the sensitivity of this issue, we point out that many different
diseases are considered especially sensitive by those who
suffer from them and their advocates, and to single out mental
health information for special protection opens a loophole
in the intended federal preemption that the AAMC believes
would prove very difficult to limit.
The issues encompassed by concerns with medical information
privacy are complex and difficult. We have constructed a health
care system in this country that does not guarantee affordable
access to quality care for all of our citizens. Accordingly,
the risk of being denied access to affordable health insurance
is real, and individuals are understandably concerned with
safeguarding the security of and limiting access to their
private and personal medical information. But the very complexity
of our system of health care delivery and payment frustrates
efforts to devise comprehensive and effective measures that
would restrict access to medical information to the degree
that the average citizen might desire. The AAMC believes that
it is intrinsically possible to ensure a much greater level
of protection for medical information created, maintained
and used in the course of research than can be designed for
medical information used in the course of providing medical
care. Accordingly, the Association has recommended the erection
of a fire-wall around human databases created in research
that would make them nearly impregnable, and offer them far
more security from trespass than would be possible for clinical
records used in health care delivery and payment.
The AAMC has earlier proposed that all entities conducting
research on human subjects or archival patient materials,
which have in place institutional policies and procedures
that meet federal standards for safeguarding the confidentiality
of medical information, should be eligible by some form of
assurance mechanism to receive a federal protection modeled
on the existing Certificate of Confidentiality. The protection
would embrace all of an institution's human subjects research
databases and shield them from forced disclosure of individually
identified medical information to anyone, including family
members, employers, insurers, health care organizations, or
legal and judiciary processes. The Certificate of Confidentiality
was created in 1970 to enable research projects on drug use
patterns by Vietnam War combatants and veterans. It was incorporated
into the Public Health Service Act in the mid-1970s, and was
expanded in 1988 to embrace a wide range of research projects
on human subjects, which generated sensitive or potentially
stigmatizing information. To our knowledge, the confidentiality
protections afforded by this certificate have never been breached,
even though they were originally enacted to facilitate studies
of activities and behaviors that were often criminal. The
Association continues to urge that protections of institutional
human research databases akin to those of the Certificate
of Confidentiality be considered in crafting medical information
privacy legislation.
The AAMC commends the Subcommittee for convening this hearing
to address the need for confidentiality legislation, and the
efforts of Senator Jeffords, Senator Bennett and Representative
Shays to craft legislation that would enhance the security
of medical records. The Association urges the Congress, as
it wrestles with this difficult challenge, to be mindful of
the fact that the facilitation of biomedical, epidemiological
and health services research is a compelling public priority
that has served this nation well and offers bright promise
for the future of human health. The AAMC strongly believes
that the combination of legislatively mandated safeguards
of the security of individually identifiable medical information,
stiff penalties for violations, and the creation of special
protections of medical information that is created in research
and maintained in research databases, as we have suggested,
make it unnecessary to elaborate new, burdensome and potentially
chilling restrictions of access to medical information for
purposes of retrospective, non-interventional research.