Databases Called Lax With Personal Information

The Social Security numbers of millions of Americans, including Vice President Cheney and celebrity heiress Paris Hilton, are available to many subscribers of a widely used information database company, U.S. Sen. Charles E. Schumer (D-N.Y.) charged yesterday.

Westlaw’s subscribers include government and law-enforcement agencies, law firms, corporations and news-gathering organizations. Westlaw, a division of Thomson Corp., said Social Security information is restricted to government agencies and a small number of corporations that need it, such as insurance companies investigating fraud.

“Fewer than 10 non-government customers have access to this type of information,” the company said in a written statement. “Furthermore, our terms of use restricting access go beyond federal law and current industry standards.”

But Schumer said the information is too easily available to any level of employee, adding that his investigation was prompted by complaints from consumers. He said the company has ignored his requests to restrict access to only those individuals who demonstrate they need the information, such as law-enforcement officers.

Schumer’s concerns add to a controversy over companies that buy and sell such data with little oversight to protect personal information.

Yesterday, Senate Judiciary Committee Chairman Arlen Specter (R-Pa.) said the panel would hold a hearing in response to the recent theft of Social Security numbers and other financial data of more than 100,000 people from ChoicePoint Inc., a Georgia-based database firm.

After setting up accounts with the company, identity thieves were able to gather information on at least 145,000 individuals.

“It’s time to turn some sunshine on these developments so the public can understand how and why their personal information is being used,” said Sen. Patrick J. Leahy (D-Vt.) in requesting hearings.

In the House, Rep. Joe Barton (R-Tex.), head of the Energy and Commerce Committee, has directed his staff to investigate the storage and security practices of database companies.

Schumer said comprehensive legislation is needed in an area that is largely unregulated at the federal level and governed by a patchwork of sometimes-conflicting state laws.

California, for example, requires companies to report breaches of their systems that result in exposure of personal data, a law that prompted disclosure of the theft at ChoicePoint.

Sen. Dianne Feinstein (D-Calif.) has proposed a similar federal law, which has been opposed by many technology and database companies.

At a news conference where reproductions of Web pages displaying the personal data of famous people were shown, Schumer detailed how his staff was able to quickly retrieve the Social Security numbers and addresses of former attorney general John D. Ashcroft, former homeland security secretary Tom Ridge, executives of Westlaw and others.

They tried President Bush, Schumer said, but his address came up as 1400 Pennsylvania Ave., instead of the White House’s address of 1600 Pennsylvania Ave.

“Westlaw’s service could be entitled ‘Identity Theft for Dummies,'” Schumer said. “To my mind, what bank robbery was to the Depression era, identity theft is to the information age. Everyone’s susceptible.”

In a written statement, Thomson West, the firm that operates Westlaw, said it shares Schumer’s concerns about privacy and identity theft. But the company denied the senator’s claims that it has been unresponsive to his inquiries.

Researchers at The Washington Post, a Westlaw subscriber, sought to replicate Schumer’s exercise and found that only the first five digits of an individual’s Social Security number were displayed.

But a Schumer spokesman said that a researcher at a major corporation not involved in credit checks or other investigations was able to get the complete numbers.

A spokesman for LexisNexis, a Westlaw competitor, said law-enforcement agencies, insurance and financial institutions can also get full Social Security data through LexisNexis’s service. But even if a potential customer is in the right industry, he said, they are screened to ensure they are legitimate.

Privacy experts say that in addition to raising questions about how well personal information is protected, the disclosures indicate an extreme overuse of Social Security numbers for identification.

“It has become the default identifier” for many commercial businesses, banks and Web sites, said Ari Schwartz, associate director of the Center for Democracy and Technology, a Washington group that studies digital rights and privacy issues.

When personal information is compromised, a Social Security number can be used as a tool for identity theft.

Many privacy advocates have urged businesses to create unique identification numbers for customers to use.

“The reliance on the Social Security number has created a false sense of security for businesses and a source of vulnerability for consumers,” Schwartz said.

© 2005 The Washington Post Company

Testimony of Dr. Alan F. Westin, Professor of Public Law & Government Emeritus, Columbia University, and Director of the Program on Information Technology, Health Records, and Privacy

INTRODUCTION

Good morning. My name is Alan Westin. I am Professor of Public Law & Government Emeritus, Columbia University, and Director of the Program on Information Technology, Health Records, and Privacy, a new activity of the non-profit Center for Social and Legal Research, which I head. I will describe the new program later in my testimony.

Issues of health care, technology, and privacy have been one focus of my research, writing, and advocacy for over forty years. A summary of my work in this area appears as Appendix One in this document.

I was asked to appear today to discuss current public attitudes toward health care and privacy, especially in the context of information technology applications and programs to develop a national Electronic Medical Record (EMR) system. I am very glad to see this topic of public attitudes included in the Advisory Committee’s two days of discussions. I am convinced that how the public sees the privacy risks and responding actions in any EMR system will be absolutely critical to this program’s success – or will be a major factor in its failure.

To address these issues, and to assist the Advisory Committee and HHS, my Program collaborated with Harris Interactive to place a set of exploratory questions on a representative national survey by telephone that Harris Interactive conducted this month, between February 8-13. The top line results and my analysis of their implications are being publicly released at this hearing, and will also be published in The Harris Poll.* In about two weeks, our Program will publish a full survey report, with demographic and factor analyses that should be quite useful.

Our telephone survey had 1,012 respondents. The national sample was weighted to be demographically representative of the public 18 years of age or older. This represents approximately 214 million adults. The sampling error is plus or minus 3%. (The questionnaire we used and the top line results we obtained appear as Appendix Two to this testimony.)

* Our Program and I are most appreciative of the contribution of David Krane of Harris Interactive to this survey and, as always, to the Harris Poll Chairman, Humphrey Taylor.

THE AMERICAN PUBLIC AND HEALTH-CARE PRIVACY: A BASELINE

SUMMARY

Our Program is aware of fourteen published national studies dealing in whole or in major part with issues of health information privacy. We have summarized these in our Program’s first publication – How the Public Views Health Privacy: Survey Findings from 1978 to 2005. This is available free on the Program’s web site, at www.pandab.org.

Before describing our February 2005 survey results relating to the Electronic Medical Records program, it is helpful to lay in the core findings of past health privacy surveys. In summary:

  • Surveys show consumers rate personal health information and financial information as the two most sensitive types of consumer personal information
  • Persons with chronic and especially genetically-based health conditions express sharp concerns about circulation and use of their health status to deny them important consumer opportunities and benefits
  • Consumers also express concerns about privacy and security in the current move to greater collection and use of medical records electronically
  • While 80% of online consumers go to health sites for information, they express high concerns about privacy and security in their surfing
  • Because of their privacy concerns, many consumers using health information web sites do not share their personal data or take full advantage of these sites
  • Consumers also express fears that their health information might be accessed or used improperly to commit identity thefts (Sources and details for these topline views are in the Program’s paper referenced above.)

With these well-established majority public views as a starting point, we turn to our new February 2005 health privacy survey.

OUR 2005 SURVEY RESULTS

How the Public Sees Handling of Personal Health Information in the Health Care System Today

We were able to use a trend question from 1993 to probe the public’s views on this issue, so that we could have a pre- and post-HIPAA reading.

In the 1993 national survey on “Health Information Privacy” that Harris and I conducted, we asked respondents whether they believed that a list of health system participants had “disclosed your personal medical information in a way that you felt was improper?”

Over a fourth of the public – 27% – then representing 50 million adults, said they believed one or more of the listed persons or organizations had disclosed their personal medical information improperly. Specifically:

  • A doctor who has treated you or a family member: 7%
  • A clinic or hospital that treated you or a family member: 11%
  • Your employer or a family member’s employer: 9%
  • A health insurance company: 15%
  • A public health agency: 10%

When we repeated this question in 2005, we asked about improperly-considered release by these same persons or organizations “in the past three years.” We recorded a dramatic drop in public perceptions of such improperly handled personal medical information.

In 2005, only 14% of the public – almost half the 1993 figure – now believe their personal medical information has been released improperly. (While substantially lower than the 1993 result, it should be noted that this still represents 30 million adults in the current U.S. population.)

The results in 2005 were down across each of the five categories, as follows:

  • A doctor who has treated you or a family member: 5%
  • A clinic or hospital that treated you or a family member: 8%
  • Your employer or a family member’s employer: 5%
  • A health insurance company: 8%
  • A public health agency: 5%

This drop from 27% to 14% of the public may well reflect the effect on the public of the HIPAA Privacy Rule rollout since April 2003. We tested that in our next set of questions.

Experience With HIPAA Privacy Notices

We informed respondents that “a Federal Health Privacy Regulation (called the HIPAA rule) has required all health care organizations to give patients a privacy notice explaining how the organization will collect and use the patient’s health information, how it will keep the information secure, how patients can get access to their own health records, correct any errors, and control most disclosures of their information to people outside the health care system.” We then asked: “Have you ever received one of these HIPAA health privacy notices?”

Given the ubiquity of HIPAA privacy notices – handed out by every doctor, dentist, clinic, hospital, pharmacy, health insurer, etc. – I had anticipated a yes response from well over 90% of respondents. I assumed that persons away studying in Tibet since April 2003 would be the kind of respondents who would say no.

I was wrong.

A third of the American public – 32%, representing 68 million adults – said they had never received a HIPAA privacy notice (and only 1% chose to say Not Sure). This is both a surprising and disturbing result, since it seems sure that most of these persons did have a Privacy Notice given to them since April 2003. Obviously, they do not recall the paperwork as the Privacy Notice we described.

Two-thirds of the public – 67% – recalled that they had received a HIPAA notice, representing 148 million adults.

Confidence in Medical Record Handling Post-HIPAA

We followed up by asking respondents who remembered getting a HIPAA privacy notice personally – two-thirds of the public – this question:

“Based on your experiences and what you may have heard, how much has this federal privacy regulation and the Privacy Notices affected your confidence that your personal medical information is being handled today in what you feel is the proper way?”

Two-thirds of the public (67%) said their confidence had been increased. Of these, however, only 23% said their confidence had been increased “a great deal,” while a much larger 44% chose “only somewhat.” Thirteen percent said “not very much” and 18% “not at all.”

EMR: Levels of Public Awareness

With the questions just reported as a foundation, we moved on to probe public attitudes toward the EMR program. We first described what we called Electronic Medical Records - EMR:

“The Federal Government has called for medical and health care organizations to work with technology firms to create a nationwide system of patient Electronic Medical Records over the next few years. The goal is to improve the effectiveness of patient care, lessen medical errors, and reduce the costs of paper handling. Have you read or heard anything about this program?”

Our survey was conducted after President Bush had described the EMR program in his State of the Union message in January, and had also gone out to the Midwest in early February in several public meetings outlining and promoting EMR. However, since this remains a rather specialized issue, not directly affecting consumers now, and not generating much public debate, I assumed knowledge would be low.

This time I was right.

Fewer than a third of the public – only 29% – said they had read or heard about a national EMR program. This represents 62 million adults, and a quick look at our demographic data showed that these were, predictably, primarily the better-educated, higher-income, technology-using members of the public.

EMR: Privacy and Security Concerns

Having laid a foundation about EMR, we posed the following multi-part question to respondents:

“Here are some things that some people have said might happen under such a patient Electronic Medical Record system. How concerned are you [about each item read] – very concerned, somewhat concerned, not very concerned, or not concerned at all?”

The following list was used in a randomized order, with these results:

Table One: The Public’s Privacy and Security Concerns in an EMR System

For each item, the first figure is the share Concerned (very + somewhat) and the second is the share Very Concerned:

  • Sensitive personal medical-record information might be leaked because of weak data security: 70% concerned, 38% very concerned
  • There could be more sharing of your medical information without your knowledge: 69% concerned, 42% very concerned
  • Strong enough data security will not be installed in the new computer system: 69% concerned, 34% very concerned
  • Computerization could increase rather than decrease medical errors: 65% concerned, 29% very concerned
  • Some people will not disclose sensitive but necessary information to doctors and other health care providers, because of worries that it will go into computerized records: 65% concerned, 29% very concerned
  • The existing federal health privacy rules protecting patient information will be reduced in the name of efficiency: 62% concerned, 28% very concerned

Some observers of our survey may feel that respondents given a list of potential concerns in any program are likely to say that they share such feelings. This is not the record in most social-issue surveys and especially in privacy surveys over the past four decades.

In other consumer, citizen, and employee privacy surveys, including health privacy surveys, the public majority has demonstrated an ability to modulate its expressed concerns depending on its perceptions of the issues. In other words, when a list of potential privacy problems is offered to survey respondents, the American public majority can usually sort them out in a pretty sophisticated way – reflecting the public’s actual mood and perceptions on social issues, and not controlled by a general pro-privacy or anti-government or anti-business orientation.

This is proved in dozens of privacy surveys where concern levels expressed by respondents run the gamut from heavy to light to non-existent, depending on the public’s sense of the services offered, the privacy or anti-discrimination interests at stake, and how respondents believe a given program or process will be conducted.

Here, a solid two-thirds of the current American public – in a range from 62% to 70% – say they share the concerns of “some people” about adverse privacy and data security results taking place in the operations of an Electronic Medical Record system. And those saying they are Very Concerned ranged from 28% to 42%.

These views are obviously shaped by general public awareness about the high incidence of identity thefts, a constant media “drip-drip” of stories about leakage or disclosure of personal consumer data from organizational databases, and accounts of hackers penetrating business and government web sites to steal personally identifying consumer files.

With these larger privacy-violation and data insecurity trends in the background, I believe our six-topic list represents the core of the privacy concerns that two-thirds of the public will be looking at – and want to have successfully addressed – before most Americans will be comfortable with an EMR system.

How the Public Divides on the Benefits and Privacy Risks of an EMR System

It is commonplace in surveys of this kind, after describing a new program and then measuring various concerns about it, to pose a “tie-breaker” question. This asks, essentially, taking into account supposed benefits of some business or government program or action and also the risks to privacy or other social value you may see, where do you come out on the program’s acceptability to you?

Our tie-breaker question on EMR was framed as follows:

“Supporters of the new patient Electronic Medical Record system say that strong privacy and data security regulations will be applied. Critics worry that these will not be applied or will not be sufficient. Overall, do you feel that the expected benefits to patients and society of this patient Electronic Medical Record system outweigh potential risks to privacy, or do you feel that the privacy risks outweigh the expected benefits?”

(The two alternatives were rotated in presentation to respondents to avoid presentation bias.)

And the winner was….. NO ONE.

The public divides equally on this fundamental question – 48% saying the benefits outweigh risks to privacy and 47% saying the privacy risks outweigh the expected benefits. The deciding 4% said they just weren’t sure.

What I draw from this key question is that half the American public does not feel today that an EMR program is worth the risks to privacy that they perceive as accompanying this development.

That is the reality that program advocates will need to consider, respond to, and overcome by a range of laws, rules, practices, technology arrangements, privacy promotions, and positive patient experiences – if EMRs are to win majority public support and high patient participation.

Segmenting the Public on EMR Privacy Concerns

In privacy surveys since 1991, I have created various segmentations of the public on consumer, citizen, and employee privacy issues. The goal is to ask sets of questions that tap basic orientations and preferences of respondents and, on most issues in a given area of privacy (health, financial, anti-terrorist powers, etc.) will identify High, Medium, and Low Privacy Concern segments of the public.

If the segmentation is sound, the total respondents will scale in their answers to the substantive policy issues involved in that area. The High respondents will express the sharpest privacy concerns, reject competing values, call for legal interventions, etc., while the Medium and Low respondents will each record less intense or little to no concerns.

We can then look at the demographic characteristics of each segment, and gain some insights into the underlying bases of each position.

We created our EMR Privacy Concern Segmentation from responses to the six issues posed in the question just discussed. Our units were:

  • Concern chosen in 5 or 6 statements: High EMR Privacy Concern, 56%
  • Concern chosen in 3 or 4 statements: Medium EMR Privacy Concern, 16%
  • Concern chosen in 1 or 2 statements: Low EMR Privacy Concern, 14%
  • Concern not chosen in any statement: Not Concerned About EMR Privacy, 14%

The most obvious and important thing to note is that a solid majority of the American public today is in the High EMR Privacy Concern camp, representing a whopping 120 million adults. In comparison, only 35% of the public is in the High Privacy camp when it comes to overall consumer privacy issues.

Since we just received these survey data this past weekend, I am not able to present as yet the demographics on this segmentation, or on the populations represented in other questions. Our Program will prepare such a detailed report and issue it in approximately two weeks.

Empowering Patients From the Outset

We considered it important to see how the public felt about the role that patients might play directly in any EMR system, not as passive subjects but as technologically-aided participants. Our question was:

“Since most adults now use computers, the new patient Electronic Medical Record system could arrange ways for consumers to track their own personal information in the new system and exercise the privacy rights they were promised. How important do you think it is that such individual consumer tools be incorporated in the new patient Electronic Medical Record system from the start?”

More than eight out of ten respondents – 82% – rated such consumer empowerment as important, and 45% of these considered it Very Important. Only 17% did not see this as important, with 1% not sure.

I view this result as a powerful, publicly-derived Privacy Design Specification for any national EMR system. It is a design approach that will be ignored, put off until a later time, or rejected as unworkable at the peril of any EMR system’s entire future.

CONCLUSIONS AND RECOMMENDATIONS

I start my judgments with the belief that further computerization of health information and a national program to create an electronic medical records network is both inevitable and – potentially – a very good thing for patients, the health care system, and American society.

I also believe that such a program has far greater chances to be successful in this decade than ever before. We should remember that earlier health-information computerization programs – in the 1970s, 1980s, and 1990s - failed badly or made only marginal improvements in the health care system, at enormous outlays of money and effort. This was essentially, I believe, for two reasons: (1) because large majorities of health care practitioners were not ready – or able – to embrace the technology tools offered and (2) because of weaknesses in the software and system technologies at those points in time.

It is only now, when this generation of health care practitioners is comfortable with information technology – from their cell phones and laptops to their use of databases and comfort in using medical and genetic research data – that greater computerization has the chance to succeed on the front lines of health service.

And it is only now that powerful new database and data mining technologies, along with data linkage techniques, may provide the bang for the buck that is needed to justify electronic medical records processes and networks.

Also, the EMR program is, fortunately, not one in which predominant business or government interests are in direct opposition to the main consumer and privacy advocacy communities, as is sometimes the case in privacy debates. Leaders in the health care community, health researchers, health data service providers, and government health programs have expressed concerns that strong privacy standards be installed, and are ready to help assure that patient privacy interests are protected – indeed advanced – in any EMR system. Of course, some privacy issues will divide the players in EMR debates, and finding ways to create privacy-enhancing solutions for those challenges will be critical.

Having said that, I return to the main theme from our new survey. If a national EMR program is to get anywhere with the American public – and through their views with the Congress and state legislators asked to appropriate the big bucks for EMR projects — the half of the American public that believes the privacy risks outweigh the benefits will have to be persuaded.

This will not be done by the President or HHS executives just saying that, of course, the privacy of your personal information will be protected (although such assurances are very welcome).

What is required, I submit, is an active, well-funded, and impressively staffed program to bring Privacy By Design into the EMR program NOW. This should parallel the excellent ELSI (Ethical, Legal and Social Issues) Program that Congress funded as part of the Human Genome Project, jointly administered by NIH and the Department of Energy.

Such a Privacy by Design Working Group for EMR should apply the tested wisdom and methodologies of privacy analysis, privacy policy-making, and privacy policy implementation and oversight that emerged in the 1970s and have had many successes since. It must pursue five main tasks:

1. Conduct Continuing EMR Privacy Risk and Threat Assessments – to identify the predictable pressures on patient privacy both from within the health care setting and from the many industries and governmental functions that claim access to identified health information for their programs. While data security is involved – representing the way that organizations keep their promises of privacy and confidentiality – it is the privacy risks that this Design Group needs to focus on. And, this assessment is not a one-time, but continuous, function to be based on case studies of operating EMR programs and reviews of each major new function being developed.

2. Design and Propose New Privacy Laws and Regulations to Accompany EMR Roll-Outs. The HIPAA Privacy Rules provide a good foundation but it will require laws and regulations tailored to the new EMR networks and systems.

3. Identify System Design Elements That Would Enhance Rather than Defeat Privacy Interests. A single integrated national patient record system, overseen by the federal government, no matter how benignly, would represent a privacy disaster. From the start, I believe, an EMR program should be designed to be decentralized but linked, with interoperable technologies, and with rigorous procedures for tracking personal information uses and movements in support of privacy rule observance.

4. Identify and test anonymization techniques to enable both advanced medical research and data-analysis services. From the start, EMR systems need to develop the identification filters and maskers that will enable researchers and data analysts to access anonymized health record sources. Surveys have shown the public to be very nervous about researcher access to their medical records, and this calls for powerful anonymizing processes to be installed, verified, and communicated to the public from the start, not retrofitted.

5. Identify and Test Procedures to Empower Individual Patients to Access the EMR Systems Directly, to Assert Their Privacy Rights and Carry Out Their Individual Privacy Choices. This will, inevitably, require techniques for secure identification of patients seeking direct access to the system, and probably a biometric ID. Properly administered, I view a patient and/or citizen biometric as inevitable by the end of this decade, since I cannot envisage empowering patients in the EMR systems without secure identification.

These activities might be initiated now, through a private non-profit association, and attached to the Regional EMR projects that have been organized. Both government and private funding should support such a Privacy by Design organization.

Finally, I believe that there needs to be an independent EMR Privacy Board, appointed soon, with a continuing problem-identification, investigative, and standards recommending assignment. If privacy is just a subset of a larger EMR Standards Body, its proposals will almost surely be vetoed more than they will be minded.

Many more issues and activities of such an EMR Privacy By Design working group could be described. But my central point has been made. Without an active, well-funded and impressively-staffed EMR Privacy by Design function, privacy issues will be addressed too little and too late by EMR proponents – and at great risk to their important and promising idea.

OUR NEW PROGRAM ON INFORMATION TECHNOLOGY, HEALTH RECORDS, AND PRIVACY

The survey I have reported here is one of the first activities of our new Program, officially created in January, 2005. It was formed by our Center for Social and Legal Research (which was itself created as a non-profit think tank in 1985 to explore technology-society relationships) because we see the re-shaping of the nation’s health care system through advanced technology applications as one of the most important developments of the next two decades.

We outline this in a White Paper that will be available free in about two weeks at the Program’s Home Page and library, which can be found at www.pandab.org. The paper is titled Computers, Health Records, and Citizen Rights in the Twenty First Century, co-authored by myself and the Program’s Associate Director, Vivian van Gelder.

Our Program plans to conduct six main activities, all centered on the privacy aspects of these explorations:

· Conduct Continuing Public Opinion Surveys of the public and various leadership groups, with Harris Interactive as our privacy partner.

· Conduct Empirical Case Studies of the privacy experiences in emerging health information technology experiments and programs.

· Develop Legal and Policy Analyses of the privacy, confidentiality, subject access, and due process aspects of a national or decentralized-model EMR system.

· Track the privacy rules and experiences in EMR projects of other democratic nations.

· Publish White Papers and Reports, and a Quarterly Electronic Newsletter

· Organize Seminars and Conferences on Program Themes

As already noted, we have opened a Home Page and library at www.pandab.org.

We invite everyone interested in following our work and receiving our products to register at the Program site – under its strong privacy policies, of course – and to share your thoughts and reactions with us.

Our staff and contact information are on the next page.

I would welcome questions and discussions from the Committee, and appreciate the opportunity to share our survey findings with this audience.

Program on Information Technology, Health Records, and Privacy

An Activity of the Center for Social and Legal Research

Director:

Dr. Alan F. Westin, LLB, PhD

Professor of Public Law & Government Emeritus, Columbia University

Associate Director

Vivian van Gelder, LLB

Counsel

Robert R. Belair, LLB

Legal Staff

John Haley, LLB

Lyle Himmel, LLB

Kevin Coy, LLB

Program Administrator

Lorrie Sherwood

Communication Director

Irene Oujo

Research and Editorial

Natalie Kochmar

Christie Lawrence

Administrative Assistant

Julie Previzi

Webmaster

Hillary Sherwood

Survey Organization

Harris Interactive

Contacts: Mail: Suite 414, Two University Plaza, Hackensack, N.J. 07601

Tel. (201) 996-1154 Fax (201) 996-1883 email: ctrslr@aol.com

Dr. Westin’s direct email: alanrp@aol.com

__________________________________________________________________________

Appendix One

Dr. Alan F. Westin

Director, Program on Information Technology, Health Records and Privacy

Dr. Alan F. Westin is Professor of Public Law and Government Emeritus at Columbia University, where he taught for 37 years. He is the founder of the Center for Social & Legal Research and President of its Privacy & American Business activity. Dr. Westin is the author or editor of 26 books on constitutional law, civil liberties, American politics, and privacy, and has been listed in Who’s Who in America for three decades.

Professor Westin’s first major books on privacy – Privacy and Freedom, published in 1967, followed by Databanks in a Free Society 1972 (for the National Academy of Sciences) – are considered seminal works on privacy. Each correctly predicted how advances in data surveillance of the mid-1960s and new computer and telecommunication applications of the 70s would affect American organizations that keep records about consumers, employees, and citizens, from hospitals, health and life insurers, credit bureaus, banks to colleges, police, and welfare agencies. Both books called for creating new laws, new organizational policies, and continuous new technology privacy assessments in the governmental, business, and non-profit areas, if basic privacy values and rights were to be preserved in an increasingly information-technology driven world.

Dr. Westin is a leading authority on consumer-privacy public opinion surveys, and in understanding and interpreting the privacy attitudes of the American consumer. He has worked with Louis Harris & Associates (now Harris Interactive) and Opinion Research Corporation on over 50 national surveys since 1978 exploring consumer privacy issues.

He has created privacy indices, which are universally used and quoted. His reports on consumer privacy concerns and attitudes have been featured in the New York Times, Wall Street Journal, Consumer Reports, and dozens of other national publications, and he is a frequent commentator about consumer privacy on national television and radio.

Dr. Westin was the principal expert witness in the enactment of the first two national privacy laws in the United States – the Fair Credit Reporting Act of 1970, providing consumer rights in the credit-bureau industry, and the Federal Privacy Act of 1974. Over the past forty years, he has been a member of U.S. federal and state government privacy commissions; an expert witness before legislative committees and regulatory agencies; and a privacy consultant to many U.S. federal, state, and local government agencies, such as, at the federal level, the Census Bureau, Social Security Administration, General Services Agency, Department of Commerce, and Office of Technology Assessment.

Dr. Westin has also advised many consumer-product companies, including IBM, American Express, Citicorp, Bell Atlantic, Empire Blue Cross and Blue Shield, Equifax, Microsoft, Chrysler, and Prudential Insurance, on privacy governance and policies within their companies as they affect their consumer-business relationships.

Health Information Privacy Activities

Since the mid-1960s, Professor Westin has maintained a continuing special interest in medical confidentiality and health-information-systems privacy issues.

A comprehensive field study of computerization trends and health information was led by Dr. Westin for the U.S. National Bureau of Standards between 1974-76, and produced Westin’s report on Computers, Health Records, and Citizen Rights (1976). The Privacy Code this report recommended was sent by NBS to every hospital in the U.S., and served as a model for hundreds of hospital and health institutions. The NBS Report was the leading empirical study of how computer use in the late 1960s and early 1970s was affecting the three main zones of health information use – direct care, payment and quality-assurance, and social uses of medical data.

Between 1978 and the early 1980s, he served as Research Director of the National Commission on Confidentiality of Health Records, a national association composed of the major health-care provider, payer, and quality-care associations in the United States.

During this period, he spoke frequently on privacy and health information issues at national conventions or special meetings of the American Medical Association, Health Insurance Association, American Medical Records Association, American Orthopsychiatric Association, American Psychiatric Association, and many other health professional groups.

Dr. Westin has been a featured speaker at the U.S. Department of Health and Human Services Privacy Task Force Conference on Medical Records and Privacy (February 1993); a reviewer of reports on privacy for the National Institute of Medicine (on emerging regional health data systems), the Journal of the American Medical Association, and for the U.S. Office of Technology Assessment (on privacy and the computerized medical record).

Dr. Westin was the privacy advisor to an award-winning 1994 Public Television Special Documentary on “Privacy and Health in the American Workplace.” Dr. Westin drafted a national corporate-employee and human resources executives survey conducted by Louis Harris and Associates for use on this program, covering employee health and privacy issues in depth.

In 1993, he served as the academic advisor for a national public and leaders Harris survey on “Health Information Privacy.” Results from this survey were released at a national conference in Washington, D.C. in November 1993, at which Dr. Westin spoke, cosponsored by the U.S. Office of Consumer Affairs, the American Health Information Management Association, and Equifax Inc.

Also in 1993-95, Dr. Westin served as Principal Investigator on a 15-month project on privacy issues in the uses of genetic testing and genetic-test applications, funded by the U.S. Department of Energy for the Human Genome Project and its ELSI Program (Ethical, Legal and Social Issues). In 1997-99, he led a study of future uses of genetic testing in the Life Insurance Industry, commissioned from the Center for Social and Legal Research by State Farm Insurance Company.

Over the past three years, Dr. Westin has led discussions of the HIPAA Privacy Rules at many national conferences. He has been a privacy consultant to several major pharmaceutical companies, from Eli Lilly, Glaxo Wellcome and SmithKline to Merck.

He was also privacy consultant to Empire Blue Cross, Blue Shield; State Farm Insurance; and Mutual of Omaha. Dr. Westin also led a Global HR Privacy Policy Development project of Privacy & American Business, covering trans-border personnel data flows of multi-national firms that involved the worldwide handling of medical and health data by those companies.

In January 2005, Dr. Westin created the Program on Information Technology, Health Records and Privacy. Its first activity is the release of a new survey in February 2005, “How the Public Sees Health Records and an Electronic Medical Record Program,” for which Dr. Westin served as Academic Advisor.

Dr. Westin views the re-shaping of the nation’s health care system through advanced technology applications as one of the most important technology-society developments of the next two decades. It will be a priority of the new Program to help ensure that privacy interests and patient empowerment are embedded in any new Electronic Medical Record systems — from the start.

+++++++++++++++++++++++++++

Appendix Two

HARRIS INTERACTIVE, INC.

161 SIXTH AVENUE

NEW YORK, NEW YORK 10013

February 16, 2005

PROGRAM ON INFORMATION TECHNOLOGY, HEALTH RECORDS AND PRIVACY CENTER FOR SOCIAL & LEGAL RESEARCH

TOPLINE RESULTS

DATASHEETED QUESTIONNAIRE

Study No. 23283

Field Period: February 8 – 13, 2005

Sample: 1,012 adults aged 18 or over

Methodology

Harris Interactive conducted this survey by telephone within the United States between February 8 and 13, 2005 among a nationwide cross section of 1,012 adults (ages 18 and over). Figures for age, sex, race, education, number of adults, number of voice/telephone lines in the household, region and size of place were weighted where necessary to align them with their actual proportions in the population.

In theory, with a probability sample of this size, one can say with 95 percent certainty that the results for the total sample have a sampling error precision of plus or minus 3 percentage points of what they would be if the entire U.S. adult population had been polled with complete accuracy. Statistical precision for the smaller samples is plus or minus 5 percentage points.

Unfortunately, there are several other possible sources of error in all polls or surveys that are probably more serious than theoretical calculations of sampling error. They include refusals to be interviewed (nonresponse), question wording and question order, interviewer bias, weighting by demographic control data and screening (e.g., for likely voters). It is impossible to quantify the errors that may result from these factors.

Notes on reading the results

The percentage of respondents has been included for each item. An asterisk (*) signifies a value of less than one-half percent. A dash represents a value of zero. Percentages may not always add up to 100% because of computer rounding or the acceptance of multiple answers from respondents answering that question.

© 2005 Harris Interactive, Inc.

SECTION 650: HEALTH PRIVACY QUESTIONS [WESTIN]

BASE: ALL RESPONDENTS

Q650 [1] In the past three years, do you believe that [Insert each item] has disclosed your personal medical information in a way that you felt was improper, or not? [RANDOMIZE]

Q651 Response codes: 1 Yes, 2 No, 8 Not Sure (v), 9 Decline to Answer (v)

Columns (percent of respondents): Yes / No / Not Sure (v) / Decline to Answer (v)

1 A doctor who has treated you or a family member: 5 / 94 / 1 / *

2 A clinic or hospital that treated you or a family member: 8 / 91 / 1 / *

3 Your employer or a family member’s employer: 5 / 94 / 1 / *

4 A health insurance company: 8 / 90 / 1 / *

5 A public health agency: 5 / 93 / 2 / *

NET (Yes to any item): 14%

BASE: ALL RESPONDENTS

Q655 [2] Since 2000, a Federal Health Privacy Regulation (called the HIPAA Rule) has required all health care organizations to give patients a privacy notice explaining how the organization will collect and use the patient’s health information, how it will keep the information secure, how patients can get access to their own health records, correct any errors, and control most disclosures of their information to people outside the health care system. Have you ever received one of these HIPAA health privacy notices?

1 Yes 67%

2 No 32%

8 Not sure (v) 1%

9 Decline to answer (v) –

BASE: HAVE RECEIVED HIPAA PRIVACY NOTICES (Q655/1)

Q670 [3] Based on your experiences and what you may have heard, how much has this federal privacy regulation and the Privacy Notices affected your confidence that your personal medical information is being handled today in what you feel is a proper way? Has it increased your confidence…?

1 A Great Deal 23%

2 Somewhat 44%

3 Not Very Much 13%

4 Not At All 18%

8 Not sure (v) 1%

9 Decline to answer (v) *

BASE: ALL RESPONDENTS

Q675 [4] The Federal Government has called for medical and health-care organizations to work with technology firms to create a nationwide system of patient Electronic Medical Records over the next few years. The goal is to improve the effectiveness of patient care, lessen medical errors, and reduce the high costs of paper handling. Have you read or heard anything about this program?

1 Yes 29%

2 No 71%

8 Not sure (v) –

9 Decline to answer (v) -

BASE: ALL RESPONDENTS

Q685 [6] Here are some things that some people have said might happen under such a patient Electronic Medical Record system. How concerned are you that (READ EACH ITEM) – very concerned, somewhat concerned, not very concerned, or not concerned at all?

Q686 [RANDOMIZE] Response codes: 1 Very Concerned, 2 Somewhat Concerned, 3 Not Very Concerned, 4 Not Concerned at all, 8 Not Sure (v), 9 Decline to Answer (v)

Columns (percent of respondents): Very Concerned / Somewhat Concerned / Not Very Concerned / Not Concerned at all / Not Sure (v) / Decline to Answer (v)

1 Computerization could increase rather than decrease medical errors: 29 / 36 / 22 / 13 / 1 / –

2 Sensitive personal medical-record information might be leaked because of weak data security: 38 / 32 / 16 / 13 / 1 / –

3 There could be more sharing of your medical information without your knowledge: 42 / 27 / 18 / 13 / * / –

4 Some people will not disclose sensitive but necessary information to doctors and other health care providers, because of worries that it will go into computerized records: 29 / 36 / 20 / 13 / 1 / –

5 Strong enough data security will not be installed in the new computer system: 34 / 35 / 18 / 12 / 1 / *

6 The existing federal health privacy rules protecting patient information will be reduced in the name of efficiency: 28 / 34 / 23 / 14 / 1 / *

Privacy Concerns Segmentation

High 56%

Moderate 16%

Low 14%

Very Low 14%

BASE: ALL RESPONDENTS

Q690 [7] Supporters of the new patient Electronic Medical Record system say that strong privacy and data security regulations will be applied. Critics worry that these will not be applied or will not be sufficient.

Overall, do you feel that the expected benefits TO PATIENTS AND SOCIETY of this patient Electronic Medical Record system outweigh potential risks to privacy, or do you feel that the privacy risks outweigh the expected benefits? [PROGRAMMER NOTE: ROTATE THE EXPECTED BENEFITS OUTWEIGH POTENTIAL RISKS AND PRIVACY RISKS OUTWEIGH EXPECTED BENEFITS]

1 Benefits outweigh risks to privacy 48%

2 Privacy risks outweigh the expected benefits 47%

8 Not sure (v) 4%

9 Decline to answer (v) 1%

BASE: ALL RESPONDENTS

Q695 [8] Since most adults now use computers, the new patient Electronic Medical Record system could arrange ways for consumers to track their own personal information in the new system and exercise the privacy rights they were promised. How important do you think it is that such individual consumer tools be incorporated in the new patient Electronic Medical Record System from the start? Is it…?

1 Very Important 45%

2 Somewhat Important 37%

3 Not Very Important 11%

4 Not Important at all 6%

8 Not sure (v) 1%

9 Decline to answer (v) *

U.S. PUBLIC SHARPLY DIVIDED ON PRIVACY RISKS OF ELECTRONIC MEDICAL RECORDS

February 23, 2005 // Hackensack, NJ: U.S. adults are divided right down the middle on whether the potential privacy risks associated with a patient electronic medical record system outweigh the expected benefits to patients and society, according to Dr. Alan F. Westin, Professor of Public Law & Government Emeritus, Columbia University and Director of a new Program on Information Technology, Health Records & Privacy at Privacy & American Business (P&AB).

In testimony given today before the National Committee on Vital and Health Statistics of the Department of Health and Human Services, Dr. Westin released the results of a new national Harris Interactive® survey on the American public and what are known as Electronic Medical Records (EMR).

This telephone survey was conducted in conjunction with the new Westin Program and was fielded February 8-13, 2005.

Major Findings

  • Half of U.S. adults – 48% – say the benefits to patients and society of a patient Electronic Medical Record system outweigh risks to privacy, but 47% say the privacy risks outweigh the expected benefits. Four percent said they weren’t sure.
  • Majorities – between 62 and 70% of adults – are worried that sensitive health information might leak because of weak data security; that there could be more sharing of patients’ medical information without their knowledge; that computerization could increase rather than decrease medical errors; that some people won’t disclose necessary information to health care providers because of worries that it will go into computerized records; and that existing federal health privacy rules will be reduced in the name of efficiency.

“I am convinced that how the public sees the privacy risks and responses from EMR managers will be absolutely critical to the EMR system’s success – or will be a major factor in its failure,” Dr. Westin said. “That is the reality that program advocates will need to consider, respond to, and overcome by implementing a range of laws, rules, practices, technology arrangements, privacy education, and positive patient experiences – if EMRs are to win majority public support and high patient participation,” Dr. Westin added.

  • In what Dr. Westin calls the most important policy-input from the survey, more than eight out of ten respondents – 82% – say offering consumers tools to track their own personal medical information in the new EMR system and to assert their privacy rights is important to implement at the start of any EMR system. In fact, 45% of U.S. adults considered this to be Very Important. Only 17% did not see this as important, with 1% not sure.

“I view this result as a powerful, publicly-derived Privacy Design Specification for any national EMR system,” Dr. Westin said. “It is a design approach that will be ignored, put off until a later time, or rejected as unworkable at the peril of any EMR system’s entire future.”

Additional Findings

  • 14% of the public now believe their personal medical information has been released improperly, representing 30 million U.S. adults – down from 27% who thought this in 1993 (Harris-Equifax Health Information Privacy Survey).
  • Two-thirds of the public – 67% – recall that they had received a HIPAA notice, representing 148 million adults. However, a surprising 32%, representing 68 million adults, say they had never received a HIPAA privacy notice. (Only 1% chose to say Not Sure).
  • Two-thirds (67%) of those who remember receiving a privacy notice say their confidence in how their medical records are handled has increased a great deal (23%) or somewhat (44%), based on their experience and what they may have heard about HIPAA and the privacy notices. Thirteen percent said their confidence increased “not very much” and 18% “not at all.”
  • Less than a third of the public – only 29% – said they had read or heard about a national EMR program. This represents 62 million U.S. adults. Our demographic data showed that these were, predictably, primarily the better-educated, higher-income, technology-using members of the public.

Recommendations

In his testimony, Dr. Westin made several recommendations to the Committee, based on the survey findings:

  • Create a “Privacy by Design Working Group” in the EMR Program now to:
    • conduct continuing EMR Privacy Risk and Threat Assessments
    • design and propose new privacy laws and regulations to accompany EMR roll-outs
    • identify system design elements that would enhance rather than defeat privacy interests
    • identify and test procedures to empower individual patients to access the EMR systems directly, to assert their privacy rights and carry out their individual privacy choices.
  • Create an EMR Privacy Board with continuing problem-solving identification, investigative, and standards-recommending duties.

Bush cousin opposes Markey on bill

Representative Edward J. Markey, who has been touting a bill to keep thousands of data-entry jobs generated by healthcare companies from going overseas, ran into a spirited opponent between the sushi boat and the open bar at an inaugural party last month: Jonathan S. Bush, the Waltham healthcare entrepreneur and President Bush’s cousin.

Bush is the president of athenahealth Inc., which employs about 200 low-wage workers in India to enter medical data for its clients, including many doctors and hospitals in Massachusetts. Bush insists Markey’s proposal would put his company out of business, leaving 370 workers in Markey’s own district out of work.

The contretemps between the two men offered a glimpse into the increasingly heated politics of outsourcing, and whether global free trade creates US jobs or takes them away. It also could be a preview of a larger debate to come, when the president launches a planned nationwide system of medical records, creating tens of thousands of data-entry jobs, jobs that, barring the success of Markey’s bill, could easily and cheaply be filled by workers in India.

Markey and Jonathan Bush engaged in an impromptu debate at the reception hosted by Governor Mitt Romney at Washington’s Mandarin Oriental last month. Bush, the son of former President George H. W. Bush’s younger brother Jonathan, said Markey would drive up healthcare costs in Massachusetts; Markey countered that he is trying to protect privacy and save jobs that could go to lower-income people in Eastern Massachusetts.

“Markey’s bill would kill us,” Bush said later. “We’re providing a very valuable service, and we’re netting a huge number of jobs. This is crazy.”

Markey, a Malden Democrat who is cochairman of the Congressional Privacy Caucus, is seeking to outlaw the transmission of any health or financial information about US citizens to people in other nations: The bill would prohibit outsourcing of jobs in financial services and insurance as well as in healthcare.

The congressman justifies outlawing the outsourcing of medical-data jobs on the grounds that other countries do not have nearly as extensive privacy laws as the United States. His bill, which he filed last year and intends to reintroduce in Congress this year, aims to protect consumers’ privacy and American jobs in a single measure, according to the congressman.

“It’s becoming increasingly clear that both our jobs and our privacy are being shipped offshore, and federal regulators aren’t doing nearly enough to stop it,” Markey declared. “If their business is in Boston, the bill doesn’t affect them. If the business is in Bombay, then they need to get the individuals’ permission.”

The measure was bottled up by the Republican-controlled Congress last year. But it is part of a package of measures supported by the Democratic leadership to slow the offshoring of jobs, and Markey said consumer privacy and offshoring are bipartisan issues in an era of identity theft and the loss of US jobs to distant countries.

Though athenahealth has not had any problems with personal records leaking into the public domain, incidents involving other companies have drawn alarm. In 2003, a Pakistani woman who entered data for the University of California-San Francisco Medical Center threatened to display patients’ medical records publicly unless she was paid more money.

Jonathan Bush argues that the bill is not needed, because US-based companies are covered by health privacy laws regardless of where they hire workers.

“If that data, while under our control, was in any way compromised, we’re dead meat if something goes wrong with that information,” said Bush, who cofounded athenahealth in 1997.

Bush said Markey’s bill could actually harm patients’ privacy, because money now being spent on protecting privacy would instead have to be spent to pay higher wages to American data-entry workers: “Because we have [the low-wage workers], we can afford to do a very sophisticated and elaborate blinding system to separate identity from the information.”

Athenahealth hires about 200 workers in India to enter medical records, lab results, and billing and insurance claims into computers. Bush said those workers cost between $6 and $8 an hour to hire — including overhead associated with their work stations and managers — and estimated that similar work would cost twice as much in the United States. He said he did not know how much the individual workers make because the work is contracted through another firm in India.

He said athenahealth’s partners in India also give the company the flexibility to hire additional workers whenever they are necessary, something that would be more difficult to achieve in the United States, which has costly bureaucratic requirements whenever a new employee joins a company. Plus, many of the Indian workers hold advanced degrees, making them far more qualified for the job than the pool of talent that would be available in America, Bush said.

Markey concedes that healthcare providers could face steeper costs under his measure, but he insists that electronic data are still cheaper to process than paper records, and that cost should not be a factor when it comes to protecting personal privacy.

“We don’t have federal marshals in Bombay,” he said. “These records are the most sacred information a family has, and Americans don’t view privacy as a commodity. It’s not a razor blade. It’s not an automobile. It’s a value. It’s the identity of their family.”

US companies are covered by federal privacy-protection provisions, but the problem comes in enforcement, said Jonathan Bogen, president of HealthCIO, a consulting company on health privacy issues. Workers in India may not be properly trained, and the federal government has no way to check up on how private data is being handled by overseas workers, Bogen said.

Bush said the jobs he is creating in India are contributing to a boom in that country, with new schools and medical facilities being constructed with the wages he is paying. He sees his company as taking advantage of the best that globalization has to offer — lifting up a developing country with jobs that would be difficult to fill in the United States, and forging a new path in the US with an industry that didn’t exist a few years ago.

“This is the best thing that could ever happen to the Commonwealth,” Bush said.

But Markey said the data-entry jobs should be back in Massachusetts — and with medical privacy involved, the importance of bringing the jobs under US oversight is heightened.

“Every method of reducing cost is not equally acceptable,” he said.

Rick Klein can be reached at rklein@globe.com.

Only felons should lose DNA privacy

In November voters passed Proposition 69, requiring all felons to submit DNA to a statewide database. Two months later, Los Angeles County sheriff’s deputies arrested a suspect in a 2-1/2-year-old murder case thanks to that law and the database it expanded.
Detectives had turned up no major leads in the August 2001 kidnap and stabbing death of Christina Burmeister of Cerritos, a 20-year-old student at Cal Poly Pomona.
Burmeister set out for a sorority event at a Pomona fraternity house. Her body was found the next morning inside her pickup truck on a state Highway 39 turnout in San Gabriel Canyon.
Authorities found a discarded cigar butt with her body, but it wasn’t until the passage of Proposition 69 that the piece of evidence yielded a breakthrough.
Deputies arrested James Winslow Dixon Jr., 32, on Jan. 14, but withheld information about the arrest until Monday because they were seeking at least one more suspect in Burmeister’s murder. The state had held a DNA profile from Dixon, described as a former Monrovia gang member, since he was released from prison in 1993.
Authorities were unsure then whether Dixon met the criteria for offenders who should go into the database. But Proposition 69’s passage cleared that up by making it mandatory that all convicted felons’ DNA go into the database. Dixon’s DNA was entered and it matched DNA taken from the cigar butt found in Burmeister’s vehicle.
Prop. 69 worked exactly as envisioned in this case, allowing authorities to crack a crime that had so far proved unsolvable. We applaud that aspect of the law, and the work of law enforcement authorities in implementing it.
But the law has an Orwellian flaw.
Unfortunately, the law doesn’t stop at convicted felons. It mandates that, by 2009, all adults and juveniles who are arrested on a felony charge, not just those who have been convicted, will be sampled and placed in the “all-felon” database.
That raises major invasion-of-privacy issues.
We have no objections to taking the fingerprints of anyone arrested for a crime, because fingerprints are not useful for anything besides identification; they tell nothing else about the person.
That’s not so with DNA, which holds a person’s complete genetic profile. That sort of information could have huge implications for a person’s medical insurability, and no doubt for many other aspects of life in the future that we haven’t imagined yet.
We consider it an unreasonable search and seizure, a violation of our constitutional personal protections, for an innocent person to have to yield that information. And since Americans are innocent until proven guilty, they should not give up the right to DNA privacy unless and until convicted of a felony.
That database of criminals is no place for innocent people.

State: Attorney general rules state FOI law trumps privacy rule

Texas Attorney General Greg Abbott ruled Friday that the state’s public information law takes precedence over a far-reaching federal medical privacy law, a legal opinion he called the strongest in the nation.
His decision means Texas media outlets and individuals will have access to public information that some hospitals and authorities have declined to release under the Federal Health Insurance Portability and Accountability Act, known as HIPAA.
“In Texas, government records are presumed open unless a specific exception applies. HIPAA is not an exception to the rule of openness in the state of Texas,” Abbott told the board of directors of the Freedom of Information Foundation of Texas at The Associated Press’ Dallas bureau, where he released his legal opinion. HIPAA, a sweeping overhaul of the federal health care privacy laws that took effect in April, has frustrated journalists and others who have found most basic information hard to come by. “What this means is, governmental bodies who’ve been using HIPAA as a shield just lost that protection,” Abbott said.
Abbott said Texas authorities worked closely on the language of the ruling with the U.S. Department of Health and Human Services, which created the privacy regulations under the law. Still, he said, he wouldn’t be surprised if the ruling were challenged in court. “I would not be surprised if there was a lawsuit, but I don’t see one imminently,” he said.
A Health and Human Services spokesman didn’t return a call seeking comment Friday.
HIPAA itself says medical information is open if required under another law, Abbott said. He said the Texas Public Information Act is that law.
The ruling arose from a dispute between the Lubbock Avalanche-Journal and local officials. The city attorney there initially declined to release information under HIPAA, but later changed her position while awaiting the attorney general’s ruling, said Randy Sanders, editor of the Lubbock newspaper and a member of the FOI board. “We’re just really excited about the attorney general’s willingness to rule on this issue,” Sanders said. “I never had any idea that this little deal would come up from our newspaper and maybe change the way other communities will rule on these things.”

Teen sex reporting rule may threaten doctor-patient confidentiality

Kansas officials want doctors to report any sexual activity by someone younger than 16 as sexual abuse, a requirement that physicians say would harm adolescents instead of helping them.
A federal appeals court is now considering a challenge to a temporary injunction against the attorney general’s interpretation of a Kansas state law on which this requirement is based.
Physicians say they fully support protecting children from sexual abuse, but they say mandatory reporting will breach sacred patient-physician confidentiality. And without confidentiality, physicians say adolescents who need to see a doctor will be afraid to seek medical care and won’t.
These concerns led Aid for Women, a Kansas City (Kan.)-based practice that provides general care and abortions for women, and a number of physicians and other health care professionals to sue the state attorney general in October 2003.
A lower court last year issued a preliminary injunction so that physicians don’t have to report every case while the challenge is under way. But the state is appealing the injunction, and it is now up to the 10th U.S. Circuit Court of Appeals to decide whether Kansas physicians will need to follow this reporting requirement.
The outcome of this case is expected to be precedent-setting. While the courts have ruled extensively on an adult’s right to privacy in the doctor’s office, case law for adolescents isn’t as developed, said Bonnie Scott Jones, a staff attorney for the Center for Reproductive Rights, which is representing the clinic and physicians suing the state.
There have been rulings on adolescents and abortion, she said, but not on consensual sexual activity.
“The public health implications of this ruling are enormous,” Jones said. “When confidentiality isn’t guaranteed, it hurts patient care.”
Kansas authorities push reporting
Like other states, Kansas requires physicians to report suspected child abuse, including sexual abuse.
The state law criminalizes intercourse, kissing, fondling and other touching with a child younger than age 16, even if the sexual contact is consensual or if the people are of a similar age.
A previous attorney general in 1992 interpreted the measure in a way that let physicians and other health care professionals use their judgment to decide which cases to report. He reasoned that sexual activity involving someone younger than 16 may harm the child, but not necessarily.
In 2003, though, now Attorney General Phill Kline issued a new opinion on the subject, saying that every case a physician encountered needed to be reported, even if the doctor believed that the sexual act was consensual and with someone near the same age. Kline reasoned that children might not truthfully tell physicians about the nature of the sexual relationship.
“An abused child states whatever the abuser tells her to say,” Kline said in a statement. “And so, the 13-year-old child tells the abortion intake nurse that she is pregnant because of her 15-year-old boyfriend while the 27-year-old abuser who got her pregnant waits in the car outside.”
State investigators have a duty to protect children by following up on each incident to determine whether abuse had in fact taken place, Kline said. He points to health care professionals who have endorsed the state’s opinion.
In an affidavit, Parsons, Kan., family physician Gary Yarbrough, MD, said minors are not honest about their sexual histories, especially when it comes to physical, emotional or sexual abuse.
“Minors in abusive relationships will frequently lie about the relationship, saying that it is not abusive,” Dr. Yarbrough said in a statement. “Because it is so difficult to tell if a minor is truthfully describing the nature of a relationship, sexual or otherwise, I believe that to protect minors under the age of 16 it is important to report for further investigation all instances of sexual intercourse.”
Doctors argue for privacy
Many physicians disagree.
The American Academy of Family Physicians, American Medical Association, American Medical Women’s Assn. and nearly a dozen other physician, nurse and social work organizations argue that patient care will suffer under mandatory reporting. The groups filed a friend-of-the-court brief on behalf of Aid for Women.
Doctors and others point out that Kansas’ reporting laws require that the physician should have “reason to suspect that the adolescent has been injured.” They say the attorney general’s interpretation removes that professional discretion.
But an even bigger concern in this situation is that mandatory reporting puts physicians in a position where they have to breach patient-physician confidentiality.
“The cornerstone of medicine is the patient-physician relationship,” said AMA President John C. Nelson, MD, MPH.
“Extremely personal information is being exchanged. Drug-abuse history. Sexual history. Menstruation. That relationship has got to be based in trust so that patients have the ability to share feelings,” Dr. Nelson said.
And a mandatory reporting requirement breaches that trust, physicians say.
The fear of being reported leads adolescents — abused or not abused — to choose not to go to the doctor, even if something appears to be wrong with their health.
“Studies show that adolescents … will forgo treatment if they believe their confidentiality will be breached,” AAFP’s general counsel Tom Robinett said.
And those who do seek care will be less likely to share vital information, Dr. Nelson said. That’s especially concerning, he said, because studies have shown that women who have experienced violence are more comfortable talking to their physician about it rather than talking to the police or other authorities.
“Eighty-five percent of a diagnosis is made by the history that physicians take,” Dr. Nelson said. “You’re not going to tell me if I’m going to rat on you.”

SENATE BILL REPORT SB 5158

As Reported By Senate Committee On:
Health & Long-Term Care, February 10, 2005

Title: An act relating to making certain provisions in the uniform health care information act consistent with the health insurance portability and accountability act privacy regulation, by addressing the period of validity of an authorization, accounting for disclosures, reporting of criminal activities, sharing quality improvement information, and modifying provisions on payment for health care, health care operations, and related definitions.

Brief Description: Modifying the uniform health care information act.

Brief History:

Committee Activity: Health & Long-Term Care: 1/27/05, 2/10/05 [DPS].

SENATE COMMITTEE ON HEALTH & LONG-TERM CARE

Majority Report: That Substitute Senate Bill No. 5158 be substituted therefor, and the substitute bill do pass. Signed by Senators Keiser, Chair; Thibaudeau, Vice Chair; Deccio, Ranking Minority Member; Benson, Brandland, Franklin, Kastama, Parlette and Poulsen.

Background: In April 2003, the Health Insurance Portability and Accountability Act (HIPAA) privacy regulation established new federal standards for disclosure of protected health information by hospitals and other covered entities. Because both state law and HIPAA govern disclosure of such information, hospitals have expressed concerns over the additional administrative burdens and the potential for the application of the different laws to result in inconsistent standards and lowered quality of care. There is hope that changing state law to reflect the HIPAA standards can improve patient care and may ease hospital administrative burdens.

Currently, a patient may only authorize disclosure of his or her information for up to 90 days. There is specific concern that this small time window creates barriers to sharing information electronically, particularly in community health networks. State law also requires an accounting of every disclosure of information, including disclosure made for health care operations and quality improvement purposes. Health care facilities, particularly hospitals, have commented that being required to account for disclosures that the patient already expects creates a significant administrative burden and does not assist patients. Patients are currently required to specifically authorize disclosures that will be made for payment purposes. Current state law does not facilitate health care providers sharing quality assurance information when only one of them benefits from the information shared.

Summary of Substitute Bill: The state’s 90-day limit on the length of validity for a health care information disclosure authorization is removed. The bill brings the state law in line with the HIPAA regulations by requiring that an authorization include an expiration date or event that relates to the individual or to the purpose of the use or disclosure. A patient’s authorization to disclose health care information is applicable to health care providers or health care facilities. The patient may also designate a particular class of persons to whom information may be disclosed instead of merely designating particular individuals.

To further align state law with HIPAA, clarifying language is added to the provision that allows a health care provider or health care facility to disclose information to a law enforcement official that the provider or facility in good faith believes constitutes evidence of criminal conduct that occurred on the premises. The provider or facility may also disclose basic identifying information for a patient brought by a public authority. Additionally, providers and facilities may disclose patient information for payment purposes without receiving specific patient authorization to do so.

Required accounting for routine disclosures is changed to exempt those disclosures made for treatment, payment, and health care operations, as well as other areas where the patient would expect disclosure to be made routinely. A provider or facility is allowed to disclose information to another provider or facility for operational purposes, if each had a relationship with the patient, the information is related to the relationship, and the disclosure is for limited purposes.

Substitute Bill Compared to Original Bill: The substitute bill clarifies that an authorization for disclosure of health care information may be kept as an original or as a copy, and that disclosures to immediate family are not limited to oral disclosures.

Testimony For: It has been exceedingly complicated for hospitals to negotiate the intersection between state and federal privacy laws. Bringing the state laws in line with the federal laws will alleviate administrative burdens, improve the quality of care, and increase patient access to care. Getting rid of the 90-day limit on authorizations will be of particular help to patients whose providers employ electronic medical records and similar technologies.

Testimony Against: None.

Who Testified: PRO: Taya Briley, WA State Hospital Association; Richard Meeks, University of Washington Medicine; Mary Minniti, Whatcom County Pursuing Perfection & St. Joseph’s Hospital; Ellen Ruben, Harborview Medical Center.

The Honorable Michael Leavitt

Secretary

U.S. Department of Health and Human Services

Hubert H. Humphrey Building

200 Independence Avenue, SW

Washington, DC 20201

Dear Secretary Leavitt:

The undersigned members of the more than 100 health care organizations that make up the Confidentiality Coalition urge you to use the authority provided in the Health Insurance Portability and Accountability Act (HIPAA) to modify the HIPAA privacy rule’s accounting of disclosures requirement.

The Confidentiality Coalition is a group of hospitals, health plans, pharmaceutical companies, medical device manufacturers, biotech firms, health product distributors, pharmacies, employers, medical teaching colleges and others. The Coalition was founded to advance effective patient confidentiality protections, and is led by the Healthcare Leadership Council, a health care association which brings together the chief executive officers of the nation’s leading health care companies and institutions.

Under the HIPAA privacy regulation, all covered entities must track and account for the disclosure of patient health information (PHI), with certain exceptions, and maintain records on all patients – records that can then be used to furnish accounting of disclosures on demand, even when such disclosures are required by law, regulation or request of a regulatory agency.

Individuals can request an accounting of all such disclosures made over a six-year period.

This regulation has been extremely burdensome and costly. In fact, one hospital estimated that compliance with this requirement meant the hiring of two full-time employees whose sole job consists of HIPAA-related paperwork. While only a small percentage of patients will ask for a list of disclosure accountings after their care, the hospital must maintain a specific record of each disclosure in case a former patient should happen to request an accounting of disclosures.

As another example, state Departments of Insurance (DOI) require health plans to turn over thousands of records every year for various DOI claim verifications and auditing functions. In addition, health plans and providers are sometimes required to report immunization, birth, death and other records to state authorities. Tracking millions of records and requests every year is extremely costly. In addition to the cost of tracking, there is an enormous storage cost as health plans and providers must secure gigabytes and terabytes of computer storage for this very significant level of records.

The Coalition noted with great interest the recent recommendation of the Government Accountability Office (GAO) to reduce the administrative burden created by the accounting of disclosures requirement in the HIPAA privacy rule. In its September 2004 report, “Health Information: First-Year Experiences under the Federal Privacy Rule” (GAO-04-965), the GAO recommends that HHS modify the rule to exempt mandatory disclosures to public health authorities from the disclosures that must be reported under the accounting of disclosures requirements.

Importantly, GAO concludes the report by expressing serious concern that the rule’s requirements regarding accounting of mandatory disclosures to public health authorities do not support the rule’s goal of ensuring effective patient privacy protections without imposing unnecessary costs or barriers, and thus urges modification of the rule’s requirements.

While the Confidentiality Coalition supports the GAO recommendation regarding disclosures to public health authorities, we believe it is important to clarify that this exemption also includes disclosures to other government entities, such as state insurance departments. In our view, this should not be limited to mandatory disclosures, but should be expanded to cover routine disclosures to government entities.

Further, the burdens associated with the accounting of disclosures provision grow more complex when considered in the context of a national health information infrastructure and interoperable electronic health records, an important goal of President Bush. It will be extremely costly and administratively complex to maintain these records, thereby discouraging entities from participating in a regional information exchange.

As you know, HIPAA provides the Secretary with the ability to modify the HIPAA requirements as deemed appropriate, but not more often than every 12 months. The last modifications of the HIPAA privacy rule were incorporated into the final rule, published on August 14, 2002, making modifications allowable at any point.

Therefore, we urge HHS to take immediate steps to modify these requirements for all mandatory and routine disclosures to government entities. This action is consistent with the law’s goal and would provide important cost savings.

If you have any questions about the Confidentiality Coalition’s recommendations, please contact Theresa Doyle, Senior Vice President for Policy at the Healthcare Leadership Council (202)452-8700. Representatives from the Coalition would also be happy to meet with you or your staff in person should you wish to discuss our recommendations or concerns.

Sincerely,

America’s Health Insurance Plans

American Clinical Laboratory Association

American Hospital Association

American Medical Group Association

Association of American Medical Colleges

Blue Cross and Blue Shield Association

Federation of American Hospitals

Healthcare Leadership Council

Premier, Inc.

VHA, Inc.

Court Considers Challenge of Patient Privacy Regulations

Federal regulations that took effect two years ago have made it harder for people to keep their medical files private, a lawyer for a group of health care advocates told a federal appeals court Wednesday.

The U.S. Department of Health and Human Services implemented the regulations in 2003 with the intent of strengthening patient privacy and eliminating bureaucratic barriers to the flow of information between medical professionals involved in a patient’s care.

But some critics have assailed a portion of the rules that allow doctors and other health care workers to circulate records on a limited basis without consulting patients first.

James Pyles, an attorney for the Washington-based consumer group Citizens for Health, told a three-judge panel of the 3rd U.S. Circuit Court of Appeals that patients have a right to control who sees their records and who doesn’t.

“The right to medical privacy is deeply rooted in this nation’s history,” he said. “All we are asking for in this case is a restoration and recognition of the right to say no.”

The 3rd Circuit panel is considering whether to overturn a judge’s decision last April to throw out a lawsuit that contended that the new rules were unconstitutional.

Government attorney Charles Scarborough told the judges that the regulations haven’t done anything to alter long-standing ethical practices regarding the secrecy of medical files. The new rules placed a host of restrictions on who could access private medical data, and they don’t require doctors to share more information than they have in the past, he said.

“The privacy rule, if anything, ratchets up the level of privacy,” he said.

The judges hearing arguments in the case Wednesday questioned the attorneys at length about the practical impact of the rules.

Judge Theodore McKee asked what would happen if, for example, he was seeking medical care for HIV, the virus that causes AIDS, and didn’t want anyone to know he had tested positive. If he was paying for the treatment out of his own pocket, he asked, could he instruct his doctor not to release any information about his condition to anyone else, under any circumstances?

Probably not, Scarborough said.

But, he added, the new regulations would expressly forbid the doctor from sharing that medical data with anyone who wasn’t involved in treating the patient, paying for his treatment, or coordinating health care operations at the facility where he received his care.

McKee asked whether a particular type of medical information might be shared on the basis that it was being used for “health care operations.” Scarborough said he wasn’t sure.

“Well, if you don’t know that, how is the patient going to know that?” McKee said.

The court did not indicate when it would rule in the case. It could let the lower court decision stand, rule that the new privacy regulations are unconstitutional, or send the case back to a U.S. District judge for further review.