IEEE-USA
       Building Careers and Shaping Public Policy

25 April 2002

U.S. Department of Health and Human Services
Office for Civil Rights 
Hubert H. Humphrey Building, Room 425A 
200 Independence Avenue, S.W. 
Washington, D.C. 20201

Subject: Privacy NPRM Response

Dear Sir/Madam:

The following comments of the IEEE-USA are in response to the March 27, 2002 proposed rule modification of the Department of Health and Human Services' (HHS) regulation, Standards for Privacy of Individually Identifiable Health Information.

IEEE-USA is an organizational unit of The Institute of Electrical and Electronics Engineers, Inc., created in 1973 to promote the careers and public policy interests of the more than 235,000 electrical, electronics, computer and software engineers who are U.S. members of IEEE. For more information, visit us online at www.ieeeusa.org.

The IEEE-USA applauds the HHS' effort, through its proposed rule modification, to formulate practical and needed changes to the strong privacy protection provisions in the existing Standards for Privacy of Individually Identifiable Health Information. We recognize that efficiently managed national confidentiality rules ensure the safe and effective flow of health data. Patient information privacy standards support health care quality and strengthen consumer trust, an essential element in the relationship between patients and their health care providers. Efficient implementation of these standards is fundamental to the adoption and use of innovative health care information technologies, benefiting both providers and patients.

However, IEEE-USA is concerned about the unintended consequences of removing the mandatory consent requirement, which is proposed as a means to enhance efficient record sharing among physicians and other medical professionals. Members of the IEEE-USA Medical Technology Policy Committee, comprising a wide range of engineering and medical professionals, researched and developed the basic issues of concern to the committee and then participated in an open dialogue on the proposed rules. Their findings indicate that removing the mandatory consent requirement will erode consumer confidence and lessen the benefits of the regulatory changes rather than provide the efficiencies promoted. In addition, we believe this will pose a threat to the public's willingness to undergo clinical testing. Without the ability to control the dissemination of personal health information, consumers may be discouraged from having tests that could lead to early detection of disease and reduced treatment costs. As an alternative, we propose that consideration be given to preserving the concept of routine consent for the use of personal health information for Treatment, Payment and health care Operations (TPO), while listing as exceptions unintended areas such as emergency treatment and prescriptions.

On the positive side, we believe the removal of "unintended" administrative burdens of the privacy regulation will facilitate incorporation of information technologies into the national healthcare infrastructure. The opportunities for these technologies to reduce medical errors, provide remote monitoring and reporting of illnesses, raise public awareness of disease risk and promote healthier outcomes are paramount to improving healthcare delivery. In principle, IEEE-USA strongly supports the adoption of generic standards for the introduction of technologies that enable us to design advanced products and systems that reduce existing administrative burdens.

Further, we strongly advocate that Secretary Tommy Thompson and the Department of Health and Human Services publish the final HIPAA Security Regulations. We believe that privacy and security are intimately related: privacy policies are built on security technologies.

We recognize the time is short for further analysis and change, but hope you accept our comments as constructive support and look forward to a continuing dialogue. Our specific comments follow in the attached pages.

If you have any questions or would like further information, please contact Deborah Rudolph, IEEE-USA Manager of Technology Policy, at (202) 785-0017 x 8332.

Sincerely,

LeEarl A. Bryant, P.E.
2002 IEEE-USA President



Detailed Comments of the IEEE-USA Medical Technology Policy Committee regarding Notice of Proposed Rule Modification of the Department of Health and Human Services' (HHS) Regulation, "Standards for Privacy of Individually Identifiable Health Information" (March 27, 2002).

Consent Requirements [67 Fed Reg 59 14780]

The IEEE-USA supports the HHS' desire to lessen unintended administrative burdens imposed by the Privacy regulations. However, we are concerned that removing the present mandatory consent requirement for health care providers for Treatment, Payment and health care Operations (TPO) may lead to inappropriate sharing of the personal health information this standard governs. Specifically, removing the requirement to obtain a patient's consent before releasing specified information could be interpreted as the patient losing his or her right to limit access to his or her personal health information. Our concern is that the consequences may be abuse, a lack of documentation, and the inability of a patient to rescind use of his or her personal information for additional requests made under the guise of TPO. Preserving audit trails that track the use of personal health information by the healthcare system, and that confirm compliance with agreed-to patient requests for restrictions on the sharing of that information, is important in building patient trust.
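The audit-trail point above is one that can be engineered directly. The following is an added example, not part of the IEEE-USA letter or of any HHS rule text: a disclosure gate that checks each proposed TPO use of a patient's record against the restrictions the patient has agreed with the provider, and writes every decision (allowed or denied) into a hash-chained audit trail so that a later edit, deletion or reordering of entries is detectable. The purpose names, field names, patient and recipient identifiers and the scenario in `demo()` are constructed for illustration.

```python
"""Added example (not part of the IEEE-USA letter): a disclosure gate that
checks each proposed TPO use of protected health information against the
restrictions a patient has agreed with the provider, and records every
decision in a hash-chained audit trail so later tampering is detectable.
Purposes, field names and the sample patients/recipients are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

PURPOSES = {"treatment", "payment", "operations"}   # the three TPO categories


@dataclass(frozen=True)
class Restriction:
    """Deny disclosures for `purpose`; an empty `recipients` set denies everyone."""
    purpose: str
    recipients: frozenset = frozenset()


@dataclass
class AuditTrail:
    """Append-only log in which each entry commits to the hash of the previous one."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class DisclosureGate:
    def __init__(self, trail: AuditTrail):
        self.trail = trail
        self.restrictions = {}          # patient_id -> list[Restriction]

    def add_restriction(self, patient_id: str, purpose: str, recipients=()) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.restrictions.setdefault(patient_id, []).append(
            Restriction(purpose, frozenset(recipients)))

    def request(self, patient_id: str, recipient: str, purpose: str, requester: str) -> bool:
        """Decide one disclosure and log the decision; returns True if allowed."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        allowed, reason = True, "no matching restriction on file"
        for r in self.restrictions.get(patient_id, []):
            if r.purpose == purpose and (not r.recipients or recipient in r.recipients):
                allowed = False
                reason = f"patient restriction on {purpose} disclosure to {recipient}"
                break
        # Denials are logged as well as approvals: the trail is the evidence that
        # agreed-to restrictions were honoured, not just a record of releases.
        self.trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "patient": patient_id, "recipient": recipient, "purpose": purpose,
            "requester": requester, "allowed": allowed, "reason": reason,
        })
        return allowed


def demo():
    """Constructed scenario: a patient bars payment disclosures to one insurer."""
    trail = AuditTrail()
    gate = DisclosureGate(trail)
    gate.add_restriction("pt-0001", "payment", recipients={"insurer-B"})
    decisions = [
        gate.request("pt-0001", "clinic-A", "treatment", requester="dr.smith"),
        gate.request("pt-0001", "insurer-B", "payment", requester="billing"),
        gate.request("pt-0001", "insurer-C", "payment", requester="billing"),
    ]
    return decisions, trail


if __name__ == "__main__":
    decisions, trail = demo()
    print("decisions:", decisions, "trail intact:", trail.verify())
```

The hash chain only makes tampering detectable, not impossible: an operator who can rewrite the whole log can recompute every hash. In practice the head hash would be periodically signed or copied to a system the operator cannot write to, which is where the security regulations the letter asks HHS to publish come in.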

As an alternative, we propose preserving the concept of routine consent for use of personal health information for TPO, but listing exceptions to these requirements such as emergency situations and prescriptions.

The IEEE-USA views Notification as an information process distinct from authorization for use of the information. We support the proposed modifications to the Notice provisions that strengthen and clarify the notification of patients of their privacy rights. We support the concept of thorough disclosure and of obtaining prior opt-in authorization from patients for use of personally identifiable health information outside of TPO.

Group Health Plans [67 Fed Reg 59 14782]

We support the proposal clarifying that a group health plan or health insurance issuer can disclose enrollment or disenrollment information to a plan sponsor without amending plan documents. However, the IEEE-USA has an overriding concern that, coupled with changes in the consent requirement, it will be easier for employers to obtain personally identifiable health information and to associate that information with specific employees. We feel patients need substantive protection of any information that can lead to identification when treatment/payment information is transferred from insurers to employers. Discrimination, such as loss of job security or insurance premium increases, is a potential consequence of this abuse.

We recommend that a statement excluding the transfer of inappropriate information be added to this proposed section to guard against possible abuses.

Treatment, Payment and Health Care Operations Disclosures [67 Fed Reg 59 14782]

Payment

For purposes of obtaining payment for services provided, IEEE-USA supports the proposed rule modifications that permit entities covered by the rule to disclose protected health information to another covered entity and health care providers that are either covered or not covered by the privacy rule.

This modification bears directly on the manner in which information technologies are applied by healthcare providers. Establishing standards for the application of new technologies can streamline the practice environment and thus benefit patient health care. As currently practiced, this modification is helpful because hospitals often require information technology companies to provide a patient's name or another form of protected health information on billing and payment invoices in order to match the health information to the patient receiving it. If the proposed modification is not applied, the resulting efficiency would be degraded by forcing hospitals and healthcare providers to limit information transfers to entities specifically covered by the current privacy rules. This would be an unnecessary administrative burden; the modification will allow transfers to be handled more efficiently through applications that control the confidentiality of the information, assure that its content is unchanged in transit, and offer capabilities such as non-repudiation of transfers by both sender and receiver through authenticated digital signatures.

We believe that technology can and must be applied to assure compliance with the law and strong accountability for those organizations sharing personally identifiable information.

Business Associates [67 Fed Reg 59 14788]

The proposed up-to-one-year extension for modifying existing business contracts is not helpful. In our view, covered entities must still be in compliance with all aspects of the privacy regulation by April 14, 2003, and therefore their partners' business contracts must in fact also be in compliance. The actual contract language does not absolve a business partner from complying with HIPAA privacy practices. We hope the Department will clarify this rule further or provide a mechanism whereby a Business Associate (BA) can perform a "self-certification" of compliance with HIPAA requirements.

With the ongoing introduction of more advanced medical devices incorporating automated processes that potentially transfer patient information along with the diagnostic data, we recommend that the Department seek further clarification of the BA requirements with device manufacturers, to assure that the enhanced functions being performed do not violate the proposed changes to the regulation. It is unclear whether the proposed changes require that the medical device vendor maintain a BA "contract" or that the vendor need only perform a "function or activity on behalf of a covered entity."

We support the model BA language, but are concerned that it will only "serve as a point of departure." We request that the Department redraft the model language with less ambiguity so that it sets a firmer standard for compliance.

Data De-Identification [67 Fed Reg 59 14799]

HHS has requested comment in the proposed rule modification on an alternative data de-identification approach. The alternative approach would permit uses and disclosures of a "limited data set" that does not include facially identifiable information but in which certain identifiers, such as admission, discharge and service dates, date of death, age and five-digit ZIP code, would remain.

We support an HHS approach that requires covered entities which disclose health information as a limited data set to obtain an agreement from the recipient(s) that restricts use of the limited data set(s) to the purposes set forth in the HHS privacy rule. Such a rule limits who can use or receive the data and assures that the data will not be re-identified at a later time and that the individual will not be contacted by a third party seeking a change in their agreement.

We encourage clarification as to the nature and specifics of the data use agreements. The significance of key elements in the new limited data set for epidemiological and public health functions should not be underestimated. For example, epidemiological studies routinely use admission dates, discharge dates and dates of death to track and understand disease; and refined age data in infant populations is often needed to carry out public health surveillance activities. Such information could be critical in identifying an evolving epidemic or unusual outbreak of disease symptoms associated with a bioterrorism attack.

Further, the IEEE-USA urges that device serial numbers and product identification numbers be included in the limited data set. They are vital to the execution of product recall and patient safety initiatives.
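To make the limited data set concept concrete, here is an added example that is not part of the IEEE-USA letter or of any HHS rule text. It projects a fully identified record onto a limited data set by allowlist (copying only permitted fields, so any identifying column added upstream later is dropped by default rather than leaking), truncates a ZIP+4 to the five-digit form the proposed approach would retain, keeps the device serial and product identifiers this letter asks to have included, and refuses to release the result to a recipient without a data use agreement covering the stated purpose. The field names, the contents of the allowlist and identifier set, the agreement registry and the sample record are constructed assumptions, not definitions from the rule.

```python
"""Added example (not part of the IEEE-USA letter): building a "limited data
set" from a fully identified record by allowlist projection, then releasing
it only to a recipient with a data use agreement on file. Field names, the
allowlist, the registry and the sample record are constructed assumptions."""

# Direct identifiers that must never appear in a limited data set (assumed set).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "street_address", "phone", "email"}

# Elements the limited data set may retain: the dates, age and five-digit ZIP
# named in the proposed approach, the device identifiers the letter urges be
# added, and an assumed clinical field standing in for the health data itself.
LIMITED_SET_FIELDS = {
    "admission_date", "discharge_date", "service_date", "date_of_death",
    "age", "zip5",
    "device_serial", "product_id",
    "diagnosis_code",
}


def to_limited_data_set(record: dict) -> dict:
    """Allowlist projection of one record; raises if a direct identifier slips through."""
    out = {key: record[key] for key in LIMITED_SET_FIELDS if key in record}
    # A nine-digit ZIP+4 narrows the location far more than five digits do;
    # keep only the five-digit prefix when the source has a full ZIP field.
    if "zip" in record and "zip5" not in out:
        out["zip5"] = str(record["zip"])[:5]
    leaked = DIRECT_IDENTIFIERS & out.keys()
    if leaked:
        raise ValueError(f"direct identifiers leaked into limited data set: {sorted(leaked)}")
    return out


class DataUseRegistry:
    """Recipients holding a data use agreement, and the purposes it permits."""

    def __init__(self):
        self._agreements = {}   # recipient -> set of permitted purposes

    def record_agreement(self, recipient: str, purposes) -> None:
        self._agreements[recipient] = set(purposes)

    def permits(self, recipient: str, purpose: str) -> bool:
        return purpose in self._agreements.get(recipient, set())


def release(record: dict, recipient: str, purpose: str, registry: DataUseRegistry) -> dict:
    """Disclose a limited data set only when an agreement covers recipient and purpose."""
    if not registry.permits(recipient, purpose):
        raise PermissionError(f"no data use agreement for {recipient!r} covering {purpose!r}")
    return to_limited_data_set(record)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "mrn": "MRN-123456",
    "street_address": "1 Example Way", "phone": "555-0100", "zip": "20201-0001",
    "admission_date": "2002-03-01", "discharge_date": "2002-03-04",
    "date_of_death": None, "age": 67, "diagnosis_code": "DX-001",
    "device_serial": "SN-7781-A", "product_id": "PACER-200",
}

if __name__ == "__main__":
    registry = DataUseRegistry()
    registry.record_agreement("state-epi-unit", {"public_health_surveillance"})
    print(release(SAMPLE_RECORD, "state-epi-unit", "public_health_surveillance", registry))
```

The allowlist is the security-relevant design choice: a denylist that strips known identifiers would silently pass a new column (say, an e-mail address added to the intake form) that nobody thought to list. Note also that the retained dates and ZIP code are exactly the elements that make this data useful for epidemiology and re-identifiable in small populations, which is why the release step insists on an agreement rather than treating the projected record as harmless.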

Public Health [67 Fed Reg 59 14801]

We encourage the Department to expand the current rule's definition of a "public health authority." This would help ensure that information sharing involving both domestic and international public health (which is done through the World Health Organization, as one example) is covered by the definition. In the current rule, only a U.S.-based entity is considered a public health authority, and disclosures to foreign public health entities would be prohibited without the permission of the FDA or a similar U.S.-based public health authority. Ensuring public health is a global imperative, and medical technology and electronic information systems help achieve this goal across geographic boundaries.

Many health care information technology companies are BAs under the current rule and are therefore subject to a myriad of the rule's requirements as a result of BA contracts or data use agreements. As constructed, the current "public health authority" provisions would not permit submitting protected health information covered by this section to foreign governments or to notified bodies in Europe. This creates trade and product approval complexities and introduces barriers to the international transmission of public health data that might save lives and prevent the spread of disease.

Relationship to Other Laws [64 Fed Reg 59 994]

The IEEE-USA encourages the Department to seek further legislative authority from Congress regarding preemption provisions. An unintended outcome of the current privacy preemption may be a flurry of State-enacted regulations over the prescribed next 24 months that hinder information sharing across State lines. With the advent of online technologies, this is not a reasonable outcome. We support creation of a national privacy standard for the sharing of healthcare information that facilitates interstate information flow. Healthcare stakeholders need consistency and congruency of Federal and State privacy law.




Last Update:  26 April 2002
Staff Contact: Deborah Rudolph, d.rudolph@ieee.org

Copyright © 2002, The Institute of Electrical and Electronics Engineers, Inc.
Permission to copy IEEE-USA policy communications is granted for non-commercial uses with appropriate attribution, unless otherwise indicated.