ACS Views on Legislative, Regulatory, and Other Issues

HIPAA and Medical Records Confidentiality—

staff contact: Barbara Peck, bpeck@facs.org

• Letter to Robinsue Frohboese, 4/26/02
• Position Statement on Medical Records Confidentiality

Position Statement on Medical Records Confidentiality

Introduction

The American College of Surgeons was established in 1913 “for the benefit of humanity by advancing the science of surgery and the ethical and competent practice of its art.” As a result, the College has been dedicated to, among other activities, ongoing scientific and clinical research to determine the cause, nature, and cure of disease. To help assure the continuity of scientific and clinical research, the College has established cancer and trauma registries and has recently entered into ongoing clinical trials to help uncover new treatments for cancer as well as hernia repair.

Just as importantly, the College has consistently required its Fellows to uphold the precepts set forth in the Hippocratic oath, including “first do no harm.” This simple pledge carries with it an obligation to practice medicine with integrity, ethics, and compassion. It means placing intrinsic value on the relationship between physician and patient and nurturing the trust patients have placed in the health care profession.

Given the purposes, activities, and philosophies of the College, it is very interested in the issue of medical records confidentiality. We are particularly concerned about legislative and regulatory efforts that would affect the ability of health researchers to continue their mission of unearthing new information about the basis, prevention, and treatment of disease. At the same time, we realize that patients have heard horror stories about personal health information being leaked by some unscrupulous sources to the tabloids, marketing firms, and so forth, as well as being used to discriminate in the workplace. The College strongly opposes such activities, as they can dramatically affect patients’ willingness to discuss openly with surgeons their health care problems. Such hesitancy, in turn, impairs surgeons’ ability to arrive at diagnoses, treatment decisions, and cures.

Therefore, the College wants to play an active role in ensuring that any federal legislation and regulation properly balances the rights of patients to maintain their privacy with the need to preserve health research and the registries that contain the information on which this research often is based. To this end, the College has reviewed the three comprehensive medical records legislative proposals introduced so far in the Senate. We have tried to examine these bills not from the perspective of health plans, law enforcers, or corporations, but from those angles with which we are the most familiar—those of the health researcher and of the practicing physician who are trying to do their best to help improve the quality of care and maintain a stable, professional relationship with their patients. The specific matters we have analyzed from these standpoints include research involving identifiable patient records, existing safeguards used by medical registries, authorization for disclosure, patient rights, notice of confidentiality practices, law enforcement provisions, penalties, and preemption of state laws.

In scrutinizing the bills we have found that they take very divergent approaches to these matters, particularly the legislation introduced by Senators Robert Bennett and Connie Mack when compared to the bill brought forth by Senators Patrick Leahy and Edward Kennedy. The bill authored by Senators Jim Jeffords and Christopher Dodd, meanwhile, seems to incorporate elements from both sides. In general, the College favors the approach taken by Senators Bennett and Mack because it seems to leave in place that which is working in the medical and research communities and eliminate the problem areas posed by outside sources. Senators Leahy and Kennedy, meanwhile, would institute a whole new system for handling medical records, including the establishment of a new bureaucratic agency to regulate confidentiality. We consider this approach unwarranted and unnecessary in managing the existing problems. Our views on the bills and each of these areas follow.

Health Research and the Need for Patient Information

The College believes that Congress must keep as one of its foremost thoughts in addressing the issue of medical records confidentiality how the legislation would bear on clinical and scientific research. It hardly seems necessary to mention, but we feel compelled to remind Congress that this research has led to advances in the prevention, diagnosis, and treatment of a range of diseases and conditions that previously were incurable or even uncontrollable, such as prostate and breast cancer, AIDS, and heart disease, to name just a few.

The fact of the matter is that none of the research leading to these advances would have been possible had the facilities and individuals engaging in these efforts not had access to patient identifiable information. Patient identifiable information is vital for clinical trials, scientific research, and retrospective reviews. Health care research requires information drawn from personally identifiable internal medical records, which is then updated either through direct patient contact or data maintained in a registry to determine long-term effects. Without access to this information, some new clinical research projects would never originate and certainly would never be completed.

For example, say a surgeon is interested in complications associated with lower anterior resection for colon cancer (e.g., bowel and sexual dysfunction), and he or she wants to pursue prospective clinical trials. In developing such clinical trials, the surgeon will need to understand the baseline level of function. This requires retrospective review, using patient information. Patients studied in such retrospective reviews are identified from surgical lists, then contacted by phone or mail and asked if they would agree to answer a questionnaire. The results garnered from these surveys are essential to providing insight into prospective studies. Without patient identifiable information, the research project will never get off the ground, and the chances of helping patients who are suffering from these medical conditions will greatly diminish.

The Current Medical Research Approval Process

The College maintains that the debate surrounding the use of and access to patient medical records has not stemmed from any real or perceived fault on the part of health researchers or the registries upon which they depend. In fact, Congress would be hard-pressed to identify instances in which a researcher or registry intentionally spread information to the public sector regarding a patient’s medical history. Moreover, the College believes that most patients gladly submit their health information for research purposes, so it can be used to help find cures for their diseases or otherwise enhance the quality of care provided to patients with similar medical conditions. Consequently, we are pleased to note that all three bills under Senate review at this time would allow researchers access to identifiable patient records without specific authorization.

The College would assert that one of the reasons why the use of patient-identifiable medical records for health care research has not created problems for patients is because research entities already have the proper oversight protections in place. While some problems may exist within the Institutional Review Board (IRB) process, the College believes that protocols set by IRBs and similar oversight committees within research institutions, in general, do an exemplary job of protecting identifiable information. Oversight committees, when they adhere to IRB and IRB-like accountability processes, ensure that only patient information that is necessary to conduct the research in question is disseminated and shared with researchers. Therefore, the College submits that all research should be subject to approval by an IRB or similar institutional mechanism.

To make certain that research entities have proper approval protocols in place, the College supports provisions in Senator Bennett’s bill that would require research not conducted under a formal IRB review process but via a similar mechanism to be subject to the following: a) review by a board, committee, or other formal group designated by the entity conducting the research; b) analysis of personal health information previously created; c) written policies and procedures to assure the security and confidentiality of personal health information; d) written agreement between the entity and the recipient health researcher specifying the permissible and impermissible use of the personal health information; and e) maintenance of a record of all researchers to whom the information was made available.

The medical research community already has instituted sound standards for ensuring that federally funded clinical and scientific studies are conducted with integrity. And, indeed, it is important to note that almost all research conducted in the institutional setting already is mandatorily subject to IRB approval. To help guarantee that all research is highly principled, Congress does not need to impose new regulations. Rather, it simply needs to extend existing standards and models to all research activities, including research conducted on behalf of pharmaceutical companies.

Safeguarding Medical Records

All of the legislative proposals currently under consideration would require health plans, providers, employers, and other entities to establish and maintain appropriate administrative, technical, and physical safeguards to protect the confidentiality, security, integrity, and accuracy of identifiable health information. With regard to this matter, we would like to point out that the nation’s health care registries already have instituted sound safety practices.

These data bases, in establishing their security features and processes, follow a blueprint similar to the one presented in Senator Bennett’s proposal. His proposal suggests that entities should weigh the following factors in setting up security protocols: 1) the entity’s need for identifiable health information; 2) the categories of personnel who have access to the data; 3) and the feasibility of limiting access to patient identifiers. For example, computer-based cancer and trauma registries, by their very nature, require vast quantities of patient information so that various indicators of disease, treatments, and outcomes can be matched and sent on to the researcher. Because these data bases house enormous pools of highly sensitive information, they are equipped with fire walls that prevent improper use and dissemination of the information they hold. Additionally, the individuals who work for the registries are granted specific levels of “security clearance,” meaning that not all employees have access to the information. Additionally, the information that is transmitted from the data banks is stripped of as much patient identifiable information as possible, so that researchers see only as many personal facts as are absolutely necessary to conduct their studies.

Although the College is satisfied with the safeguards that are used by medical registries, we recognize Congress’s concerns are much broader and seek to address the need to set security standards for the range of health care institutions, practitioners, and other providers. In managing this effort, we would suggest that Congress bear in mind that different facilities have different needs and varying capabilities and resources. For example, a large health plan would require significant identifiable information to process an individual’s claim, but only those individuals who are directly involved in processing the billing statement would need those data. A computer technician who is responsible for installing and maintaining the software on which the data are filed, however, would not need to and should not be able to view this information. Further, a large health plan would have the resources to purchase and run software with encryption capabilities. A small surgical office, however, would function under very different circumstances. Most of the full-time staff would need access to identifiable information to perform their jobs—the surgeons and nurses to provide care, the office staff to submit claims, and so forth. Further, such an office probably would not have the resources to devote to encryption technology and administration.

We, therefore, believe the National Committee on Vital and Health Statistics (NCVHS)—which has thoroughly examined this and other components of the medical records confidentiality with input from the affected entities—and the Secretary of the Department of Health and Human Services (HHS) need to continue to work in concert to determine what safeguards need to be installed. Senator Bennett’s bill calls for this exchange, and we support that mandate.

While the College believes that Senator Bennett’s proposal offers the most reasonable and workable solutions to installing safeguards, we do have one concern about a detail in the legislative language addressing this matter. Specifically, the College notes that the Health Insurance Portability and Accountability Act (HIPAA), which mandated the development of confidentiality legislation, only required the imposition of safeguards for the security, confidentiality and integrity of the information in electronic medical records. “Accuracy” is not included in the HIPAA requirements, but is included in Senator Bennett’s bill, as well as those of Senators Jeffords and Leahy. While integrity, security, and confidentiality all directly pertain to the issue of who has legitimate access to medical records and how those records are protected from unauthorized examination or modification, “accuracy” pertains to whether the diagnosis, treatment, and other portions of the medical record are factually correct. We are not clear why “accuracy” is being brought into this discussion. The prime issue when it comes to safeguards is security. The determination of accuracy seems to be one that can only be resolved through physician/provider communication with patients. The College is not certain how a legislative mandate regarding accuracy can be enforced, and we would like further discussion of this language.

Patient Authorization

Perhaps the most contentious issue within the medical records confidentiality debate pertains to obtaining patient authorization for disclosure of health information. We have already explained why researchers often need patient identifiable information to perpetuate improved quality of care. But, we empathize with our patients’ sense that perhaps they should have greater control over who has the privilege of seeing their medical records and how those files would be used. Indeed, this is where the balancing act begins.

The bills introduced so far attempt to answer the following broad questions pertaining to standards for authorization and disclosure: 1) Should patients have the right to sign a variety of authorization forms for various types of disclosure and to authorize disclosure of only some their medical history? 2) To whom, other than insurers, health researchers, physicians, and other providers should information be disclosed without specific authorization? 3) Should family members have access to genetic information?

Multiple Authorization/Segregation of the Medical Record
The College is concerned about provisions in the bill that Senators Leahy and Kennedy have introduced that would prohibit the disclosure of identifiable health information unless authorized by the individual or for the purposes outlined in the legislation. The College fears that this type of provision would create a huge administrative burden, requiring physicians and other providers to repeatedly obtain patient permission. Additionally, it could very well obstruct the ability of registries to obtain pertinent patient data. Essentially, patients could pick and choose what information could be disclosed and what could not. It is very likely that some of the information they would not disclose is that which could eventually be passed on to researchers and lead them to find root causes and future cures for medical conditions or enable other treating physicians to make proper diagnosis and treatment decisions.

This scenario raises another important point about the same legislation. The bill that Senators Leahy and Kennedy have introduced would allow patients to authorize release of their health information on a piecemeal basis and have certain information segregated from their medical record. The College recognizes that patients are understandably hesitant to release some very private information—such as treatment for mental health problems, sexually transmitted diseases, and debilitating medical conditions—to their employers, friends, acquaintances, and the press. Some unethical members of our society, unfortunately, have preyed upon individuals suffering from these problems. However, Congress must know that such information gives researchers insights into possible adverse reactions to certain medications and other therapies that could help to solve other health care problems they are battling. Physicians and researchers can only help patients when they have a complete composite of the patient’s health status. The way to answer patient concerns about the release of this very personal information is not through imposing legislation that would, in effect, inhibit health care professionals from helping patients become well, but through the development of legislation that will ensure that this information is confined to the health care setting and used only for purposes of treatment, payment, and research.

Authorization for Disclosure to Parties Outside the Patient Care Setting
Patients are understandably concerned that their medical records will be used by drug companies for marketing and profit-making purposes, by employers in making promotion and downsizing decisions, by computer hacks to spread malicious rumors. First, let us be very clear that we believe instances in which pharmacies have passed patient profiles on to drug companies for marketing purposes are abhorrent, as are the actions of muckrakers who feel it is their right to publish in newspapers or on the Internet information regarding an individual’s mental or physical health status. To help prevent these types of situations from occurring, the College believes most requests for patient identifiable medical records that come from outside the health plan, provider, or research setting should be granted only after permission is obtained from the patient or a legally recognized designee.

Release of Genetic Information to Family Members
Likewise, the College believes patients should have control over whether genetic information is provided to family members. It should be noted, though, that most testing of stored tissues for genetic markers does not link the information to patient identifiers. Therefore, the use of these tissues for research purposes usually could not be made known to family members by the researcher, but more likely by the attending physician or surgeon. On the other hand, family members may approach a patient’s care giver for this information. In this situation, the College would honor the patient’s desire for confidentiality.

Release to Manufacturers
With regard to questions of whether patient information should be provided to pharmaceutical companies, device manufacturers and so forth, the College supports a provision in Senators Bennett’s and Jeffords’s bills that allows disclosure without consent to drug, biologic, and device manufacturers for the purpose of verifying the safety and efficacy of approved products. We would strenuously add, however, that these companies only should use patient information for examining the uses and possible side effects of the products. This information must not be passed on to the marketing branches of the firms for the sake of sale or promotional purposes. Patients should only be presented with alternative therapies through their physicians.

Employer Access
In addition, one of the thorniest issues in this debate is whether employers should have access to patient information. To help ease patient concerns about whether their personal health information could be used to prevent them from securing employment or achieving promotions, Senator Leahy would prohibit employers from disclosing identifiable health information to any employees or agents who are responsible for making employment, work assignment, or other personnel decisions without explicit authorization. The College is not convinced that this provision is enforceable. Just as insurers require some patient identifiable information to make coverage decisions, employers need to know how their money is being spent on employee benefits. Often the same personnel departments that make employment and work assignment decisions also are responsible for administering benefits. How can any legislation stop the exchange of information within these divisions? Perhaps a more realistic approach would be to require the health plans to strip all employee identifiers from claims forms before forwarding them to human resource personnel.

Patient Rights

The College believes that one way to bolster patient confidence in health care professionals would be by allowing patients to have greater access to and control over personal files. To these ends, the College supports legislation that, generally, would allow patients to inspect, copy, and add relevant notations or arguments of dispute to their own medical records. All three Senate bills would grant patients these opportunities.

The College, however, is concerned about some of the language used in the bills. The Bennett and Jeffords proposals, for instance, currently state that patients could “amend” their medical records; however, this term could be gravely misinterpreted to mean that patients could actually change, rather than simply contradict, the contents of the medical record. Meanwhile, the Leahy bill substitutes the word “supplement” for “amend.” “Supplement” is not a very precise term either, as it simply means that patients could add information to their charts. For the sake of clarity, we believe the legislation should contain language stating that patients may submit for addition to the medical record written statements expressing their opinions about the information in the record. This change—combined with the already strong rule of construction in both the Bennett and Jeffords bills stating that patients cannot modify the records as to type, duration, or quality of treatment the individual believes he or she should have been provided, or with respect to factual observations and test results—will help to alleviate any ambiguity. The College also supports the “rule of construction” in Senator Bennett’s bill that no formal or informal hearing or proceeding be mandated in situations in which the patient and physician disagree about medical record information. This would help to prevent time-consuming and possibly costly appeals or even litigation.

While the College maintains that patients should have the right to include pertinent information in their personal records, we do believe there are certain circumstances under which patient review of the medical chart would not be prudent. These instances include those in which there is a reasonable expectation that the information could endanger the life or safety of any individual or could reveal a confidential source, as acknowledged in both the Bennett and the Jeffords bills. To help sustain the viability of clinical trials the College further maintains that patients should have access to personal health information that is being examined and shared during an IRB-approved clinical trial only to the extent permitted by the Common Rule, as described in Senator Bennett’s bill. Patient access and possible additions to the record could disturb the research process.

At all other times, though, we do believe patients should have access to their medical records. It is one of the most personal logs any individual possesses and, therefore, each person should be able to inspect it for his or her own peace of mind.

Patient Notification

The College also believes that patients would have a heightened sense of security about the exchange of their medical records if they had a greater understanding of this process and its purposes. To help ensure that patients would be aware of how their personal health information would likely be used, the College supports legislation that would require health plans, providers, employers, and other designated entities to post or otherwise provide a written notice of their confidentiality practices. These notices should be written in clear, everyday language devoid of legal jargon.

Legislation should further require that these notices include: a) a description of an individual’s rights relating to their personal health information; b) the uses and disclosures of personal health information; c) procedures for authorizing the disclosure of identifiable health information and those for revoking such authorization; d) procedures established for the exercise of individual’s rights; and e) the right to obtain a copy of the notice of confidentiality practices. These notices also should provide explanations and examples of how patient information might be used. In developing the model notices, the College supports provisions in Senator Bennett’s bill that would direct the HHS Secretary, in consultation with the NCVHS, to develop model notices of confidentiality practices. We would add that such model notices should be made available before the requirements they are intended to satisfy become effective. Finally, the College also believes that entities that use the model notices should be protected from claims of inappropriate notice.

Law Enforcement Agency Access to Patient Records

The College can imagine only very rare instances in which law enforcement agencies would need immediate or even particularly ready access to patient medical records. Therefore, we support the inclusion of law enforcement agencies among those entities to whom strict restrictions on disclosure of identifiable health information would apply. Specifically, we believe law enforcement agents should only be allowed access to patient medical records when acting under a subpoena and pursuant to a valid court order. These court orders can be issued in a matter of hours and, therefore, should not derail any investigatory activities. These provisions, meanwhile, would go a long way toward preventing private information from being obtained for non-judicial purposes and from allowing agents to disrupt patient care. Moreover, they would help to ensure that physicians and other providers have a clear legal explanation to offer patients regarding why they were forced to relinquish this information. This would, in turn, help physicians to maintain the sanctity and trust patients have vested in them.

Penalties

The College believes that any health plan personnel, pharmaceutical marketer, database operator, physician, or health care provider who fails to abide by the provisions of medical records confidentiality legislation and uses patient information with malicious or profit-seeking intent or for personal gain should be penalized. More specifically, the College supports the tiered penalties structure described in the major bills, which would base the severity of penalties on the individual’s level of culpability. Specific actions that the College believes should be subject to penalization are purchasing, selling, transmitting, or disseminating patient records for commercial use, personal gain, or malicious intent.

Preemption

Lastly, the College knows that Congress is debating whether the federal legislation it enacts should preempt existing state laws. The College, for one, does believe that in this case state law preemption would be necessary. We live in an age in which patients often cross state lines to receive care, an era in which information can be transmitted from Portland, ME, to Portland, OR, with the push of a button. Given the interstate nature of modern health care in the United States, it is imperative that a national standard be set for these sorts of issues to assure that patients have equal rights and safeguards.

Conclusion

The College applauds Congress for its courage and determination in attempting to pass legislation that would balance the need for patient information in the conduct of health care research with each individual’s right to privacy. We believe surgeons, other physicians, and other segments of the medical community may be at an advantage in helping Congress to weigh these issues. Indeed, surgeons have sought every day to promote health care research and improve quality of care while doing “no harm” to the patient-physician relationship. The academics among us routinely ask themselves how much patient information is necessary to engage in lifesaving research. The practicing surgeons in our ranks must always ask themselves what they can do to keep the confidence of the patients who come to them for care and, in the process, reveal the most intimate facts about themselves.

Hence, the College believes it can serve as a valuable, experienced resource to Congress in this debate. We hope to work with Congress constructively as it seeks to fulfill the mission of protecting patient privacy and preserving quality of care.

Back to top

ACS Views on Legislative, Regulatory, and Other Issues

Advocacy and Health Policy