ACLU Letter to the House Energy and Commerce Committee Commenting on Discussion Draft of Health Information Technology Legislation

The Honorable John D. Dingell, Jr.
U.S. House of Representatives
Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515-6115

The Honorable Joe Barton
U.S. House of Representatives
Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515-6115

RE: Comments on Discussion Draft of Health Information Technology Legislation

Dear Chairman Dingell and Ranking Member Barton,

On behalf of the ACLU, a non-partisan organization with more than one half million members, and our 53 affiliates nationwide, we write to comment on your draft Health Information Technology bill circulated May 22, 2008. 

In poll after poll, the American public clearly demands rigorous protection of its medical data, expressing the sentiment that it is the personally identifiable information it most worries about being misused, improperly shared, sold, breached or stolen. Americans understand the risks of creating electronic medical records and the databases needed to store and share them. We believe Americans will not embrace technology that discloses their intimate medical information to anyone not involved in their medical care or in the payment and delivery of services. Therefore, Congress must statutorily require meaningful, national privacy protections not only after an improper sale, sharing, misuse or breach, but to prevent these from occurring in the first place and provide patients with the ability to consent to uses of their information. Your bill deserves substantial praise for providing post-breach protections – an important improvement over other pending legislation from this Congress and prior Congresses – and it can be further strengthened by inserting statutory mandates to safeguard data in the first place and empower patients to take charge of their records and how they are used.

Electronic health records have the potential to improve greatly the quality of Americans’ health care and to reduce the frequency of treatment errors from incomplete information.  If the records or the databases are built without adequate privacy protections, however, then they may also facilitate many undesirable outcomes including:

(i) Accidental publication of patients’ sensitive or embarrassing personal information;
(ii) Snooping by nosey colleagues on co-workers’ records;
(iii) Review by insurance companies or potential employers to prescreen against employees and their families who might be expensive to insure or employ;
(iv) Identity theft;
(v) Invasive direct marketing to patients by competitors; and
(vi) Commercial resale or misuse of personal health information.

Any bill marked-up by your Committee should include statutory protections that prevent any societal benefits obtained from facilitating the building of Health Information Technology (“HIT”) systems from being outweighed by these very real threats to patient privacy. We commend you for understanding this imperative and seeing the need for rigorous protection of privacy in any bill that moves through Congress. 

The Dingell-Barton draft bill takes important steps toward resolving privacy problems after patients’ medical records are compromised either accidentally or deliberately through a data breach. In requiring that affected patients receive timely notice of a breach, the Dingell-Barton bill will help patients and users of electronic medical records reduce the potential negative consequences of a breach. This will, no doubt, reduce the likelihood that a breach will lead to identity theft. Statutes in 43 states, the District of Columbia, and Puerto Rico require any company, irrespective of industry, whose customer data is breached to provide customers with notice. The Dingell-Barton draft bill requires the remaining seven states to provide notice of a breach of electronic medical records.

Second, section 312 of the Dingell-Barton bill requires business associates of a covered entity to use protected health information only pursuant to contractual arrangements, and creates civil and criminal penalties for failure to abide by contractual terms. This provision creates true financial incentives for companies to respect the privacy of patient records. It is only as good, however, as the contractual terms at issue. If the company fails to protect and safeguard the records it owns or controls, then neither the provision nor the contract achieves the intended protection. Therefore, we urge additions to the bill to create robust privacy standards that all companies must incorporate into all of their contracts involving electronic medical records. Such standards should not prevent corporations from including additional contractual clauses requiring additional privacy and information security requirements.

Dangers to personal privacy are inherent in the use of electronic medical records.  To diminish the likelihood of a breach in privacy, the Committee’s bill should require more protections in the form of robust mandatory privacy standards. We urge you to respond to your constituents’ concerns and include basic privacy principles in any legislation promoting health information technology. 

Basic privacy principles are an essential component to a successful health information technology infrastructure. Without adequate privacy protections, individuals are exposed to an increased risk of identity theft, and discrimination by employers and health insurers. Health care consumers understand these risks, and may choose to forgo the benefits of electronic medical records if they believe the health information network is insecure.

Privacy provisions should be integrated into the foundation of a health information technology infrastructure to maximize their effectiveness. If the provisions are omitted at the outset and breaches imperil the privacy of electronic medical records, it will be far more difficult to implement the necessary changes by amending the framework, and they will not function as efficiently within the infrastructure.  Further, it may be costly or technologically difficult to retrofit computer software and hardware to build in privacy protections and information security controls as compared with doing so as part of the original design of the electronic records and databases needed to store and share those records.

In the battle to protect personally identifiable health information (“PIHI”), it is essential to articulate in statute a patient’s right to privacy. This begins with including in your draft bill a definition of “privacy” so that those interpreting your bill once it is enacted can implement the intent of the bill fully to protect patients’ private information.  This also requires including the right to informed consent for disclosure of PIHI, the right to review and correct PIHI, and the right to deny access to and to receive notice of disclosure of PIHI. These rights give individuals real ownership of their personal information and encourage greater participation in the medical decision-making process.

To enable enforcement of these rights, legislation must include appropriate administrative, organizational, and technical safeguards to secure an individual’s PIHI.  If records are to be dealt with electronically, a health information network is unavoidable.  Therefore, restricting the disclosure of PIHI to essential parties is critical to minimize the information distributed, and to limit the use of the information once disclosed.  The best way to achieve this is to require individuals to “opt-in” to disclose PIHI while using each health information network. As a rule, any disclosure of PIHI should require obtaining informed consent that may be revoked or amended by the individual at any time. An additional written authorization must be required for disclosures to entities involved in marketing PIHI.

The basic privacy principles outlined above, combined with substantial penalties for violation of these principles, such as those set forth in section 312 of the proposed legislation, are essential components of any legislation promoting health information technology. We urge you to include all of these components in any health information technology legislation approved by the House Energy and Commerce Committee.

Sincerely,

Caroline Fredrickson
Director, Washington Legislative Office

Timothy Sparapani
Senior Legislative Counsel
