Senate Judiciary Hears Praise, Concerns About Health IT Privacy Legislation

The senators appeared to be on board with handling privacy provisions now rather than in a stand-alone measure. Sen. Sheldon Whitehouse, D-R.I., who chaired the hearing, said there are two ways to deal with the spiraling costs of health care: the toolbox of benefit cuts, lower provider reimbursements and higher taxes; or reform that takes advantage of health IT, quality and reimbursement reform. “If we waste this moment, the time will come when we're only left with that bloody toolbox,” he said. Sen. Patrick Leahy, D-Vt., also said Congress shouldn’t put off addressing privacy as some have suggested. Without privacy safeguards, he said, the health IT system will fail. Sen. Orrin Hatch, R-Utah, said he has long been a supporter of health IT, having co-sponsored a bipartisan bill for the last two Congresses about health IT, but said the stimulus language was crafted without input from Republicans, including his office.

Several witnesses said privacy protections for health information will require an ongoing commitment, rather than a one-time solution. Michael Stokes, principal lead program manager for Microsoft’s HealthVault, emphasized three principles he said should underlie privacy protections: transparency, control and security. Those principles can carry an ongoing framework through technology changes, he said. But Pitt’s Houston said it’s important to get the privacy protections right. “I just want to get it right and get it right once,” he said. He said he’s concerned by provisions for studies and reports, because those things should be done upfront, before setting legislation.

Houston, whose written testimony said UPMC has “one of the most progressive and longstanding” health IT programs, also expressed concern about what he called the “patchwork” nature of the bill and provisions like the one allowing patients to see who’s had access to their data. It’s not uncommon for more than 200 people to have access to an in- patient record, he said, and requiring providers to disclose each of those access points would be costly and do little to help the patient. He also said there should be a framework that covers all aspects of health IT, including regional health information organizations and personal health records, which are handled differently by the House bill. Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, disagreed, saying PHRs, which are designed for use by consumers rather than health care professionals, necessitate a different level of protection and don’t fit well under HIPAA, which regulates health organizations. Houston agreed that HIPAA wouldn’t be the right vehicle, but maintained that he'd like a fix to the patchwork nature of the bill.

David Merritt, project director for the Center for Health Transformation and the Gingrich Group, said there are two areas he'd like to change in the bill. The first regards de-identified data. Patients shouldn’t be able to opt out of having their de-identified data used for health research, he said, because it skews results and ultimately harms the practice of evidence-based medicine. There should also be a clear link between obtaining funds and using products certified by the Certification Commission for Healthcare Information Technology. Merritt, a CCHIT commissioner, urged lawmakers to be careful about replacing or creating parallel organizations to CCHIT or the Healthcare Information Technology Standards Panel, which he said would confuse the marketplace and cause the country to pay a huge opportunity cost as new organizations gear up.

Whitehouse suggested Congress might have to tinker with the current framework because it has a big hole. “There has to be some entity that watches this,” he said. Although he applauds the work of CCHIT and other organizations working on health IT, he said, “I think we kind of have to mess with what’s already happening.” James Hester, director of the Health Care Reform Commission for the Vermont State Legislature, said oversight is something Vermont has struggled with as well. It’s established the Vermont Information Technology Leaders group, but the group’s role is promotion and education about health IT, he said, and the policeman shouldn’t also be in the role of promoter. McGraw said the bill offers solid first steps forward. Still, she said it could benefit from a provision putting the Secretary of Health and Human Services in charge of ensuring accountability for privacy. Houston said an ombudsman-like position would be helpful to assist organizations in getting privacy right. Merritt said he doesn’t support a federal health board of the type proposed by Secretary-designee Tom Daschle in his book, but there is a role for tying best practices to payment reform. Payment reform, he said, can help drive changes in health IT and quality improvement.

All the witnesses emphasized the importance of public buy-in. Adrienne Hahn, program manager for health policy at Consumers Union, said surveys show even greater concern among minorities about the privacy of their health information. This minority distrust will become a bigger factor as U.S. demographics move toward a majority-minority nation, she said. Hester said distrust can be difficult to overcome. Vermont has seen that, even in the limited-use setting of allowing emergency room doctors to access a list of medications the patient is taking, about three to five percent of people refuse to participate, he said. With a broader system that expands beyond emergency room doctors, the anxiety levels increase, he said.