January 27, 2009
Mr. Chairman, Members of the Committee: Thank you for inviting me to testify today. Consumers Union is the independent, nonprofit publisher of Consumer Reports, and we work on a wide range of health issues, including prescription drug safety and effectiveness, access to health insurance and controlling health care costs.
There's widespread agreement on the need to accelerate the use of information technology in our otherwise high-tech health-care system.1 Most hospitals and doctor's offices still store patient records on paper, making the history of medical care hard to transfer from one hospital or doctor to another.2 The inefficiencies of this system can lead to medical errors and the loss or misplacement of vital information. 3As for patients, we rarely see our own fragmented records or track our own health histories.4
Consumers Union therefore strongly supports the movement toward an electronic system of health records (EHR) and information exchange. By harnessing the power of modern information technology systems we can improve the quality of American health care and moderate health costs by:
1. Reducing Errors
2. Eliminating service duplication,
3. Promoting pay for performance, and
4. Providing the data necessary to evaluate the actual comparative effectiveness of various treatments and drugs.
A national system of electronic medical records has the potential to improve the quality of health care by reducing hospital-acquired infection rates. Through a network of electronic medical information, families can identify the safest and highest quality hospitals. As just one example of the tremendous improvements in quality and cost savings that are possible, Consumers Union has been conducting a national campaign to promote the disclosure of hospital infection rates (www.StopHospitalInfections.org)5
Each year, there are about 2 million patients who acquire infections in hospitals, and about 90,000 die. In twenty-four states, we have worked with state legislatures to pass laws to require hospitals to report their rate of infection based on the idea that public disclosure will prompt hospitals to adopt effective methods to reduce their infection rates. Electronic medical records technology and the public disclosure of more types of patient care data where the patient is not identified will make it easier for consumers to reward those who provide quality.
The Critical Need to Ensure Privacy
While there can be important public and private benefits of creating an effective electronic medical records system, we believe (and polls demonstrate6) that the American public will not support, fully use, or benefit7 from the great potential of such systems unless more is done now to ensure the privacy, security, and appropriate use of medical information. In short, this requires enabling patients to decide when, with whom, and to what extent their medical information is shared.
8 It is important that we all recognize that there is no hack-proof database or system. Once more medical data is moving electronically, it is subject to threats from hackers, identity thieves and others. That is simply a fact of life, re-confirmed almost daily by new stories of financial and medical record data violations.9Beyond the likely scenarios of security breaches, the value of electronic health information is such that many organizations will want to exploit secondary data sources for private financial gain, rarely (if ever) with patient knowledge, let alone consent. It is imperative that policy makers take aggressive steps to protect privacy. Otherwise, security breaches could doom expanded use of health information technology.
Additionally, some will say that it is too complex or too expensive to allow people to control their medical information. Computers have the ability to handle the task. They can be designed to deal with huge numbers of variables--like 50 state laws--and to create special files where certain data (such as mental health records) are only available to a designated provider on a "need to know basis." If we do not meaningfully address the privacy issue, polls show the public will not trust this system, many will go to "off the grid" medical care, 10 and we will just increase public cynicism about big government and big business controlling our lives. In an age when the talk is of consumer driven health care and ownership and empowerment, forcing people to share their most secret personal medical information is not the path to take.
Eroding Consumer Confidence
The inability of federal and state privacy laws to ensure the confidentiality of personal medical records continues to create grave concerns for consumers. This lack of confidence is reflected in a recent survey sponsored by the Institute of Medicine Project on "Health Research, Privacy, and the HIPAA Privacy Rule." The survey found that 58 percent of respondents believe that the privacy of personal medical records and health information is not protected well enough today by federal and state laws and organizational practices.11 Nonetheless, the public appears to recognize that electronic health records offer the potential of enormous gains for consumers and society in improved health outcomes and cost savings. In a recent survey by the Markle Foundation, two in three Americans (65 percent) would like to access all of their own medical information across an electronic network.12 Americans believe that having greater access to their information will reduce medical mistakes and costly repeat procedures. According to this Markle Foundation survey, 96 percent of respondents stated that they thought it was important for individuals to be able to access all their own medical records to manage their own health.13 At the same time, such a system raises serious concerns among consumers about personal privacy, data security, and the potential misuse of their information.14 And while an interoperable system of electronic health information holds great promise, the many possible benefits will not be realized unless appropriate policy measures to protect personal medical information are established up front.15
Better Understanding of Existing Rights
Consumers struggle with a lack of understanding about their rights stemming from existing medical privacy protections. For example, a national consumer health privacy survey found that consumers are unfamiliar with medical privacy protections. 16 In this survey, two-thirds of the survey respondents stated that they were aware of federal protections for their personal medical records, and 59 percent recall receiving a privacy notice but only 27 percent believe they have more rights than they had before receiving the notice.17 Simply put, the growing evidence of confusion must commit us to better educating the public, not to undermining support for the medical privacy protections for which the public clamored for decades.18In keeping with this effort to better inform the public, Consumers Union has used our publication Consumer Reports to inform our 8 million subscribers about their rights, as well as encourage others to visit the Health Privacy Project website which has merged with Center for Democracy and Technology to download their user-friendly brochure "Know Your Rights."
When consumers are confused, they are fearful that there is widespread misuse of personal medical information. This concern regarding the privacy of their medical information manifests itself in consumers engaging in "off the grid" medical care. These privacy-protective behaviors include patients providing false or incomplete information to physicians, doctors inaccurately coding files or leaving certain things out of a patient's record, people paying out of pocket to avoid a claim being submitted, or in the worst cases, people avoiding care altogether. 19 Therefore, it is critical that consumers have a full understanding of their medical privacy rights and confidence in the federal health privacy law to preserve the confidentiality of their medical records. Otherwise, people are forced to choose between shielding themselves from discrimination and receiving health care services.
Thus, Consumers Union along with members of the Consumer Partnership for e-Health, a non-partisan group of consumer, labor, patient, and research organizations is dedicated to broadening access to health care, and improving the quality of care by ensuring that consumer's medical information is safeguarded in the health care arena. We believe that health information technology and exchange (HIT/HIE) are critical underpinnings of a more patient-centered health care system. It can facilitate better coordination of care regardless of patient location, encourage higher quality and more efficient care, increase system transparency, and encourage patients' active engagement in health care decision-making. However, sound policies must ensure that the systems and processes developed for the purpose of HIT/HIE enable consumer engagement and hold all those with access to personal health information accountable for how this information is handled and used. The Consumer Partnership for e-health thus has developed a set of principles that achieve an effective balance between promoting HIT/HIE and systemic privacy safeguards. These principles are attached to my written testimony for the Committee's review and consideration when developing legislation to address medical privacy concerns in the context of HIT. Thank you
1 Jim Guest, President and CEO of Consumers Union, "Have You Heard: Your Medical Data, In Bits and Bytes, Consumer Reports, March 2006, p. 5.
5 William Vaughan, Consumers Union --- Nonprofit Publisher of Consumer Reports, March 16, 2006 Testimony before the Subcommittee on Health, Committee on Energy and Commerce, U.S. House of Representatives.
6 See as just one example Alan F. Westin, "Americans Overwhelming Believe Electronic Personal Health Records Could Improve Their Health - Nearly 9 in 10 Say Privacy Practices Are a Factor in Their Decision to Sign Up for One," Markle Foundation - Connecting for Health, June 2008
7 For example, polling of Americans shows 63% to 75% would not participate in, or are concerned about loss of medical privacy in an electronic system. See work of Professor Alan Westin, February 23, 2005; California Health Care Foundation, January 2000; and 65 Federal Registrar 82,466.
8 Testimony of Joy Pitts, Assistant Research Professor, Georgetown University, July 27, 2005 before the Ways and Means Health Subcommittee, citing the Rep. Velasquez and former President Clinton examples, page 2. See also Robert Dallek's An Unfinished Life (p261ff) for a description of LBJ's effort to obtain medical information on JFK and how Kennedy avoided certain medical tests so as not to have a medical record.
9 As HHS said in the Federal Register, "there is no such thing as a totally secure [electronic information] system that carries no risk." 68 Federal Register at 8,346. For very recent examples of hacking and intentional misuse of data, see Information Week, March 9, 2006, "PIN Scandal "Worst Hack Ever; Citibank Only the Start," and The Washington Post, March 14, 2006, Business Section, page 2, "Datran Media Settles Probe."
10 Joy Pitts, op.cit., p.4.
11 Dr. Alan F. Westin, Professor of Public Law and Government Emeritus, Columbia University, Director, Health Privacy Program, Privacy Consulting Group at the Institute of Medicine Workshop on "How the Public Sees Health Research and Privacy Issues," Washington, DC, February 28, 2008.
12 Markle Foundation, "Americans See Access to Their Medical Information as a Way to Improve Quality, Reduce Health Care Costs, December 7, 2006, p. 1.
14 Consumer Partnership for e-Health, Letter to the Honorable Patrick J. Leahy, Chairman, Committee on Judiciary, U.S. Senate, May 15, 2008.
16 California HealthCare Foundation, "National Consumer Health Privacy Survey", November 2005.