Government Affairs Home > HIPAA

AAMC Testimony on the Final HHS Privacy Regulations

Mr. Chairman and members of the Committee, I am Richard Smith, M.D., Professor of Psychiatry and Medicine at the University of Arkansas for Medical Sciences. I am a practicing psychiatrist and also conduct mental health services research. I lead the Centers for Mental Health Services Research at the University of Arkansas, which is one of the nation's largest mental health and services research groups, as well as our College of Medicine's health services research program. I am a recent past member of the National Mental Health Advisory Council for the National Institute of Mental Health (NIMH). I also chaired the NIMH Initial Review Group for mental health services research, which reviews virtually all of the mental health services research grant applications submitted to NIMH.

I am speaking today on behalf of the Association of American Medical Colleges (AAMC). The AAMC represents the nation's 125 accredited medical schools, over 400 major teaching hospitals and health care systems, more than 87,000 faculty in 92 professional and scientific societies, and the nation's 67,000 medical students and 102,000 residents. The AAMC is committed to promoting integrity in all of the core missions of academic medicine - teaching, research, patient care, and community service - and has always underscored the over-arching importance of respecting patient autonomy and the privacy and confidentiality of individually identifiable medical information.

Accordingly, the AAMC has participated vigorously in the many failed efforts of past years to enact comprehensive federal law that would establish uniform national standards to protect the privacy of medical information and penalize its inappropriate and harmful misuse. The Association interacted intensively with the Department of Health and Human Services (DHHS) staff as they reluctantly undertook the awesome task of drafting the HIPAA-mandated medical information privacy rule. The AAMC wishes to acknowledge its appreciation for the efforts that DHHS made to become informed about the daunting complexities of our contemporary system of health care delivery, payment, and operations, and the critical importance to health research of access to archived medical information, and to seek consultation and advice broadly throughout the rule-making process.

The challenge for medical information privacy law or regulation is to find the appropriate balance point between the competing interests of individual privacy and the compelling public benefits that flow from the use of medical information in providing care, in teaching, and in pursuing the nation's biomedical, behavioral, epidemiological and health services research agenda. The Congress over many years of extraordinary bipartisan effort proved unable to find that balance; and not surprisingly, given the enormity of the task and the intensity of clashing values and passions with which the issues of individual privacy generally, and medical information privacy in particular, have become suffused, the Privacy Rule also fails.

The AAMC's testimony will focus on the effects of the rule on medical and health education and research, about which we have grave concerns. However, the Association's members are responsible for operating the nation's renowned teaching hospitals and health systems, and providing complex, cutting-edge medical care to all patients, including those covered by Medicare and Medicaid, and those with no health insurance coverage at all. Thus, we are very cognizant of the rule's enormous impact on treatment, payment and health care operations, to use the rule's vernacular, and we wish to endorse the comments made here today by the American Hospital Association (AHA). In particular, we agree with AHA that the rule is over-reaching; that it will be much more costly and burdensome than the rule's authors wish us to believe and will create an expensive new "privacy bureaucracy" that, absent sources of new funding nowhere yet identified, represents a substantial unfunded mandate; that it cannot be implemented effectively nation-wide within the 2-year compliance window specified; and that the inability of the rule to preempt state laws will prove to be increasingly problematic and burdensome, in an era in which individual mobility, interstate health care delivery, payment and operations, and interstate research are all commonplace.

While the bulk of our testimony will be directed to research where our concerns are especially acute, we will first make some brief comments about health professions education where a lack of clarity in the provisions of the rule is troubling. Teaching is referenced only three times in the final rule. The first occurs in Part 160.103 (Definitions) and asserts that "Workforce" includes "trainees and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity." Although the word "students" is not mentioned explicitly, we assume that they are meant to be included in the category of "trainees." The second reference is in Part 164.501 (Definitions) and states that "Health care operations" includes "conducting training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills…" The third and final reference is found in Part 164.508(a)(2), which specifies that authorization is required for any use or disclosure of psychotherapy notes (which receive special protections under the rule) except for already consented treatment, payment, or health care operations, use by the originator of the notes for treatment, or (164.508(a)(2)(i)(B) use or disclosure in training programs.

Two features of the rule are especially consequential with respect to its effect on teaching. The first is the Standard: minimum necessary (164.502(b)), which requires that a covered entity limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use or disclosure. The second is the extension of the rule's provisions (164.501 - "Protected Health Information") to all individually identifiable health information transmitted or maintained in any form or medium -electronic, written, or oral. One of the very few exemptions from the minimum necessary standard is for disclosures to or requests by a health care provider for treatment. In addition, the rule (164.514(d)(3)(iii)(C)) permits a covered entity to rely on the representation of a professional who is a member of the workforce that the protected health information requested is the minimum necessary for the stated purpose. Compliance with the standard for essentially all other uses or disclosures of protected health information must either be specified in the covered entity's policies and procedures when the uses and disclosures are routine or recurrent, or be dealt with individually on a case by case basis.

Since trainees are not defined in the rule as "health care providers" or "professionals," their use or disclosure of protected health information would be subject to the minimum necessary standard under the treatment exception and would not be permitted on the basis of the trainee's representation alone. Therefore, although the psychotherapy notes exemption might suggest that the rule takes a permissive stance with respect to students' access to and uses of protected health information, the fact is that nowhere does the rule explicitly allow disclosures of protected health information to health professions students which are not subject to the "minimum necessary" standard. The rule's ambiguity on this issue is a major concern for the AAMC, which believes strongly that the education of medical residents, medical students, nursing students, and other health professions students requires that their access to the medical information of their patients should be determined exclusively by their mentors in accordance with the needs of their respective educational programs. The AAMC supports the proposition that medical residents and medical and nursing students, as well as other health professions students, as necessary, should have unrestricted access to medical information of their patients - a proposition that the rule seems to recognize, peculiarly, only with respect to psychotherapy notes.

Currently, when a patient seeks medical care in a teaching setting, the consent form (that is, the traditional consent form, not the new consent required by the rule) typically includes a statement that the patient may be seen by health professions residents and students. It is also common practice that a patient's expressed wish not to be seen by students or residents is honored. The AAMC would prefer that these practices be permitted to continue, and that the traditional consent form language be incorporated into the teaching entity's Notice and (newly required) Consent for treatment, payment and health care operations, with a clear statement that students and residents will have full access to the medical information of their patients. A patient's objection should always be respected, as it is now.

The AAMC strongly urges the Committee to request DHHS explicitly to allow the sharing of protected health information within the content of accredited health professions educational programs. Failure to do so will seriously impair the quality of American health professions education, which is widely respected as the best in the world. It will also serve as a strong disincentive to community hospitals, clinics, and physicians to participate in health professions education, at a time when both changing medical practices and medical pedagogy are placing increasing emphasis on the importance of such educational settings and experiences. The disincentive will result both from the burden of having to apply the minimum necessary standard to each teaching interaction, and from fears of liability for inadvertent violations of the rule.

The rule will have substantial effects on the conduct of medical and health research, and the effect of some of its provisions will, we fear, be most unfortunate. The AAMC is disappointed that its strong objections to the relevant provisions in the proposed rule were largely ignored by DHHS. The Association has emphasized repeatedly in Congressional briefings and testimony, and in publications, the critical importance of access to archived medical records for a vast array of biomedical, behavioral, epidemiological, and health services research. We have pointed out that medicine has always been, and remains to this day, an empirical discipline, and that the history of medical progress has been created over the centuries from the careful, systematic study of normal and diseased individuals. From countless such studies has emerged our present understanding of the definition, patterns of expression and natural history of human diseases, and their responses to ever improving strategies of diagnosis, treatment, and prevention.

In particular, epidemiologists and health services researchers continue to depend upon the ready accessibility of archived patient records to collect the large and appropriately stuctured and unbiased population samples required to generate meaningful conclusions about the incidence and expression of diseases in specified populations, the beneficial and adverse outcomes of particular therapies, and the medical effectiveness and economic efficiency of the health care system. Indeed, in the present climate of public concern about the costs, quality, and efficiency of our rapidly changing health care delivery system, and with intensifying concern about health disparities within our increasingly multi-ethnic communities and the effectiveness and safety of novel drugs, devices and biologics in such populations, the need to promote and support large-scale, retrospective epidemiological and health services research has become even more urgent a national priority.

The AAMC's concerns about the rule's adverse effects on research are several and include the following:

First, the AAMC believes that a great majority of retrospective research with archived medical records could and should be performed with de-identified medical information, but that is only possible if the definition of "de-identified" is simple, sensible, and geared to the motivations and capabilities of health researchers, not to those of advanced computer scientists and cryptanalysts with mischievous or criminal proclivities. The Association has earlier commended the approaches to this problem taken in the Bennett and Greenwood bills, both of which sharply circumscribed the definition of "identifiable medical information" to information that directly identifies an individual, and of "de-identified medical information" to information that does not directly identify the identity of an individual. And both bills appropriately coupled these straightforward definitions with the criminalization of unauthorized attempts to re-identify individuals from such de-identified medical information. An apt descriptor for this approach to de-identification is "proportionality," in that the burden of preparing de-identified medical information is proportional to the interests, needs, capabilities and motivations of the health researchers who require access to it.

Unfortunately, DHHS has persisted in setting a single bar for "de-identification," and that bar is much too high. Thus, the standard for de-identification of protected health information (164.514) requires either that "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" must determine that the risk is very small that the information could be used alone, or in combination with "other reasonably available information" to identify an individual and "documents the methods and results of the analysis that justify such determination;" or that 18 specific identifying elements are removed, including "geocodes" and most chronological data, that, in our judgment, would render the resulting information useless for much epidemiological, environmental, occupational and other types of population-based health research. Among the 18 elements to be removed are "device identifiers and serial numbers," which would make it impossible, for example, to use such information for post-marketing studies of device effectiveness or failure.

The AAMC continues to believe that the department's approach to de-identification is not only unfortunate but contrary to the dictates of sound public policy, which should be to encourage to the maximal possible extent the use of de-identified medical information for retrospective health research. Whatever an apt descriptor for the rule's treatment of this issue might be, it most certainly is not "proportionality". The Association urges the Committee to direct DHHS to rethink its approach to de-identification, and to create a standard that more appropriately reflects the realities of health research and the motivations and capabilities of health researchers, not of exaggerated fears of threats from lurking decryption experts. We also urge that revision of the standard should be accompanied by an unambiguous warning that unauthorized attempts at re-identification constitute a punishable offense. We remind the Committee that to our knowledge, there has never been a documented breach of the confidentiality of archived research records.

Second, the AAMC is deeply concerned about some of the new criteria created by the rule (164.512(i)(2)) for obtaining a waiver of the requirement for specific authorization for research access to protected health information contained in archived medical records. To begin, we wish to commend DHHS for persisting during the rulemaking process in its determination to define circumstances (164.512(i)(1),(2)) under which research access to archived medical records may be permitted without specific authorization, and to extend the reach of the new privacy protections to research that now falls outside the bounds of the Common Rule. The creation of Privacy Boards (PBs) closely modeled in structure and function on Institutional Review Boards (IRBs) is sensible and to be applauded. We also commend the department's wise decision to allow covered entities to permit researchers access to protected health information without authorization or IRB or PB review when the purpose is (164.512(i)(1)(ii)) solely to review the information "as necessary to prepare a research protocol or for similar purposes preparatory to research," or (164.512(i)(1)(iii)) "solely for research on the protected health information of decedents."

The rule requires that the IRB or PB determine that all of 8 new criteria (164.512(i)(2)(ii)(A)-(H)), which are intended to be in addition to the provisions of the Common Rule and any requirements of state law that are more stringent, have been satisfied before it can approve a waiver of the requirement for specific authorization for access to protected health information for research purposes. Two of the new criteria appear to be internally contradictory: criterion (A) requires the determination that "[t]he use or disclosure of protected health information involves no more than minimal risk to the individuals," while criterion (E) requires determination that privacy risks are "reasonable in relation to the anticipated benefits….and the importance of the knowledge that may reasonably be expected to result from the research." We do not understand how a threshold determination of "no more than minimal risk" can be squared with a subsequent requirement to determine that risks are "reasonable" in relation to anticipated benefits and the importance of new knowledge. By what newly devised metric is an IRB or PB to weigh the "reasonableness" of risk that it has already determined is no more than minimal?

The AAMC finds the language of new criteria (B) and (E) inherently very troubling. Criterion (B) requires the determination that "[t]he…waiver will not adversely affect the privacy rights and the welfare of the individuals," while criterion (E), as already noted, calls for a balancing of privacy risks against anticipated benefits and importance of new knowledge. There are no objective metrics or normative standards that IRBs or PBs can use to measure "privacy rights" or "privacy risks," and the AAMC is very concerned at the prospect of requiring IRB or PB members to render judgments on the basis of nothing more than their personal belief structures or ideologies. The decisions of IRBs or PBs must inevitably rest upon individual judgments that are informed by professional knowledge and experience, and reached through rational discourse, debate, and sometimes, compromise. We fear that debates about privacy rights and risks may be of a very different sort and more closely analogous to debates about such deeply held beliefs as "animal rights" or "right to life," in which positions are based upon beliefs or ideologies, and compromise proves impossible to achieve.

The Association has repeatedly warned about the dangers of introducing into the IRB, and now the PB, process determinations for which there is no experience, received wisdom, or consensus within the scientific or lay communities to turn for guidance. Privacy rights and risks may be comfortable terms for ethicists, privacy advocates, and constitutional lawyers, but how are they to be weighed or balanced in the assessment of specific research proposals that may require access to hundreds or thousands or even more medical records, as the rule now requires? For most reviewers, the evaluation of privacy risks or dangers to privacy rights would most readily be accomplished by examining the integrity of the confidentiality protections to be afforded the research files, such as those laid out in criteria (F), (G), and (H), with which the Association has no quarrel. But by listing the latter separately, the rule's architects clearly meant to distinguish them from the rights and risks that must be determined in criteria (B) and (E). We are very troubled by criteria (B) and (E) and urge the Committee to direct DHHS to reconsider its handiwork yet again, lest we find our IRBs and PBs mired in ideological gridlock that would make hollow the waiver provisions set out in this Subpart.

Third, the rule mandates a new set of patient rights, sometimes referred to as "Fair Information Practices," that includes the rights to inspect, copy, and amend medical records, and to obtain upon request a detailed record of each unconsented or unauthorized use or disclosure of protected health information during the preceeding 6 years. The rights of individuals to inspect, copy and amend (164.524, 526) are expressly limited to protected health information in a "designated record set." The rule (164.501) defines "designated record set" as a group of records maintained by or for a covered entity that includes medical, billing, enrollment, payment and related records, or is "used, in whole or in part, by or for the covered entity to make decisions about individuals." The rule defines "record" to mean "any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity."

The AAMC reads these definitions and the language of 164.524 and 164.526 as excluding research files created in research that does not include treatment from the right of access to inspect, copy or amend. For research that includes treatment (i.e., clinical trials), the rights clearly do apply, except in very limited circumstances during the active conduct of the trial. However, the language in 164.528 (Accounting of disclosures) is different. It does not restrict protected health information to that in a designated record set, and therefore it applies to disclosures of any protected health information for research purposes. Considering the large numbers of medical records required, for example, in epidemiological and health services research, the burden of recording each and every research disclosure could easily become onerous and costly. It would be helpful to the research community and the entire health care enterprise if the department would clarify its intentions here and indicate whether the AAMC's reading of these provisions of the rule is correct.

We observe that the AAMC has consistently espoused the wisdom of maintaining wherever possible, formal and sharp distinctions between clinical and research records. This is primarily because the needs for and magnitude of access to these two different kinds of records, and, therefore, the ability to protect their confidentiality, are so profoundly different. Such distinctions, if generally applied and scrupulously maintained, would protect research records and archives that may contain elements of protected health information from the very burdensome and complex provisions mandated in this rule. Enforcing this distinction should be straightforward in retrospective, or secondary, research in which an investigator requires access to patients' records but has no direct interaction of any kind with the patients themselves. Even in interactive or interventional research, in which the research may involve treatment, maintaining the distinction is arguably worthwhile, even though more difficult, in order to protect the use and disclosure of research information that has nothing at all to do with treatment from being entangled in the rule's many requirements.

Fourth, the standard of "minimum necessary" applies to the disclosure of protected health information for research that will be performed under a waiver of specific authorization approved by an IRB or PB. In such instances, the rule requires the IRB or PB to determine that the information requested by the investigator meets the "minimum necessary" requirement. The AAMC is unclear about how IRB or PB members can possibly make this determination with any confidence in judging proposals that require access to very large numbers of medical records. We are very concerned that the expectation that the standard has been met will generate a substantial risk of liability not only for the covered entity, but for the IRB/PB members themselves, and discourage both IRBs/PBs from granting, and covered entities from acknowledging, waivers of authorization. This, in turn, makes even more discouraging the department's approach to the issue of de-identification, which, as we have explained earlier, will force many researchers who would not otherwise have chosen to do so to seek protected health information for their projects.

Finally, on the basis of the above concerns, and because of the generally forbidding tenor of the rule, its complexity, ambiguities, burdens, and costs, the AAMC is very concerned that a particularly unfortunate outcome may well be to encourage any covered entity for whom research is not part of the core mission to "lock down" its medical archives and refuse to make them accessible for research of any kind. Why should such an entity subject itself to the gratuitous costs, risks, and liabilities that it could face from releasing protected health information for any purpose other than those central to its core operations? And yet, access to medical archives in covered entities outside of academic medical centers is essential for many kinds of large, population-based epidemiological, health services, and public health research studies, as well as for post-marketing studies of the effectiveness and safety of approved drugs and devices. That the rule could produce an outcome of this kind is not inconceivable, although certainly not intended. It would be much sounder policy for the Committee to direct the department to reconsider these troubling provisions of the rule to ensure that such a tragic outcome does not occur rather than to deal with its aftermath. The AAMC commends this Committee for convening this hearing to gather initial reactions to the effects of the new Privacy Rule. The Association urges the Committee to be mindful of the fact that the education of health professionals, as well as the facilitation of biomedical, epidemiological, and health services research are compelling public priorities that have served this nation well and offer bright promise for the future. The issues that surround medical information privacy are very difficult, as the Congress, and this Committee in particular, have learned in recent years. The DHHS has stated repeatedly that this nation needs a sensible, comprehensive, national standard of protections of medical information privacy that can only be accomplished through wise federal legislation. The difficult challenge for lawmakers and regulators alike is to find the correct balance between the need to protect the privacy rights of individuals and the many social benefits that flow from the appropriate use of medical information in teaching and research. It has been repeatedly noted that medical information is different from all other kinds of information that may exist about an individual - more personal, more private, more intimate and sensitive, and therefore, that it needs higher protections. What has not been adequately recognized in the public debate is the essential, indeed, irreplaceable, role that medical information plays in a vast array of medical and health research that benefits all humankind. That is a feature of medical information that is also different from any other kind of information about individuals, and it, too, demands protection. The AAMC continues to believe that both the private and the public goods that are inextricably entangled in medical information privacy policy would best be served by federal legislation. Absent that, the Association urges the Committee to direct DHHS to clarify the regulations with respect to the ambiguities associated with training health professions students, and to rethink and revise those provisions that we believe pose serious threats to the vitality of biomedical and health sciences research that requires access to archived medical records. In addition, the AAMC supports the position of others in the health community that the 2-year implementation schedule is overly ambitious given the state of electronic information technology now in place in the health care delivery system. Finally, irrespective of whether federal regulation or legislation is the chosen mechanism for protecting the privacy of medical information, the AAMC is convinced that the capital costs of developing and implementing nationwide the information technology systems required to bring the health care system into compliance will demand resources far beyond the capacity of the system to generate. Therefore, the AAMC suggests that a bold federal-state-private sector initiative, perhaps analogous to the post World War II Hill-Burton Act, will be necessary to reach this goal. The AAMC stands ready to work with other interested parties to help develop the agenda for this effort. Thank you very much for the privilege of testifying before this Committee today.