AAMC Comment Letter on Privacy NPRM
April 11, 2002
The Honorable Tommy G. Thompson
Secretary, U.S. Department of Health and Human Services
Office of Civil Rights
Attention: Privacy 2
Hubert H. Humphrey Building
Room 425A
200 Independence Avenue, SW
Washington, D.C. 20201
Dear Secretary Thompson,
The AAMC welcomes the opportunity to comment on the Secretary's
March 27, 2002 proposal to modify the federal medical privacy
rule. The AAMC represents the nation's 125 accredited medical
schools, nearly 400 major teaching hospitals and health care
systems, more than 105,000 faculty in 98 academic and scientific
societies, and the nation's 66,000 medical students and 97,000
residents. We submit this formal comment letter in accordance
with the requirements of the Notice of Proposed Rulemaking
(NPRM).
The AAMC deeply appreciates and commends the Secretary's
willingness to increase the rule's "workability"
by reducing the significant obstacles that the rule erects
to the conduct of essential biomedical, epidemiological, and
health services research and the provision of healthcare.
With this NPRM the Secretary moves substantially toward restoration
of the necessary balance between medical privacy and other
equally important public interests, including quality healthcare
and research-related advances in treatment and prevention.
The AAMC offers our strong endorsement of the NPRM while identifying
some remaining concerns about the rule and its application.
Our comments regarding certain specific proposals in the March
27, 2002 NPRM are listed below.
Provisions of the Final Rule Affecting Research
Our March 29, 2001 comment letter on the final rule reflected
the AAMC's concern that the rule would create substantial
impediments to all research involving protected health information.
Although we remain concerned that the modified rule would
still impose unwarranted liability and unnecessary procedural
burdens upon covered entities who use and disclose health
information in federally-regulated research, the AAMC is greatly
encouraged that the Secretary proposes to improve the rule's
workability for research. We offer the following specific
comments on proposed changes to the research provisions:
Authorization and Waiver
The AAMC welcomes the Secretary's proposal to streamline
the authorization requirements, to provide one authorization
form for all purposes, and to permit all authorization elements
to be combined with the consent form for participation in
research. We appreciate that the NPRM recognizes the use of
an authorization to obtain permission for disclosure of PHI
to a repository or database maintained for research purposes.
The AAMC also enthusiastically supports the proposal to revise
the rule's waiver criteria to focus on the practical need
for a waiver of authorization and the adequacy of the researcher's
plans to protect patient confidentiality.
The AAMC requests, however, that the Secretary clarify the
requirement in proposed §164.508(c)(2)(iii) that authorizations
must state "the potential for information disclosed pursuant
to the authorization to be subject to redisclosure by the
recipient and no longer protected by this rule." The
AAMC requests that this criterion be modified as it is not
possible for a covered entity even to estimate the risks of
disclosure in any particular instance because these risks
will be largely unknown to the entity and often outside its
control. AAMC requests that DHHS clarify in guidance that
when information is disclosed pursuant to an authorization
for IRB-approved research, the requirement at §164.508(c)(2)(iii)
is met with a statement in the authorization that the researchers
are only permitted to use or disclose the protected health
information for purposes that have been authorized by the
IRB or as required by law or regulation.
De-identification
The AAMC believes that the undeniably strong public interest
in furthering epidemiological, public health, and health services
research can only be served by a separate, more reasonable
standard for the de-identification of protected health information
for research purposes.
Covered entities should be permitted to release information
that has been de-identified under this research standard if
the recipient researcher agrees in writing not to attempt
to re-identify or contact the subjects of the information,
and not to further disclose the information except as required
by law.
The NPRM acknowledges that the research community perceives
a pressing need for an alternative de-identification standard,
yet the Secretary has not formally proposed to create one.
This issue is of critical importance; the AAMC believes
that the "workability" of the rule for research
hinges upon adoption of a modified de-identification standard
for research uses and disclosures. We have consistently urged
the Secretary to adopt the following modification to §164.514:
§164.514(a)(i) Standard: de-identification
of protected health information. Health information
that does not identify an individual and with respect to
which there is no reasonable basis to believe that the information
can be used to identify an individual is not individually
identifiable health information.
(ii) Exception for information disclosed for research
purposes. Information that does not directly identify
an individual and that conforms to the requirements of
§164.514(b)(3) is not individually identifiable health
information when disclosed to a researcher or researchers
pursuant to each researcher's written agreement that:
(A) The information will be used only for research
purposes and will not be further disclosed except as required
by law; and
(B) The researcher will not attempt to re-identify
or contact individuals who are the subjects of the information.
* * *
§164.514(b)(3). Implementation specifications:
requirements for de-identification of protected health information
disclosed for research purposes. A covered entity may
determine that health information disclosed pursuant to
a data use agreement is not individually identifiable health
information if:
(i) Under the procedures described in §164.514(b)(1),
the covered entity has determined that the risk is very
small that the information could be used, alone or in
combination with other reasonably available information,
by the recipient researcher to identify an individual
who is the subject of the information; or
(ii) The following identifiers of the individual or
of relatives, employers, or household members of the individual,
are removed:
(A) Names;
(B) Street address;
(C) Telephone numbers;
(D) Fax numbers;
(E) Electronic mail addresses;
(F) Social security numbers;
(G) Vehicle identifiers and serial numbers;
(H) Photographic images depicting the full face or full
profile; and
(iii) The covered entity does not have actual knowledge
that the information could be readily used alone or in
combination with other reasonably available information
to identify an individual who is the subject of the information.
In the preamble to the proposed rule the Secretary describes
a possible set of "direct" identifiers that might
be removed to create a modified de-identification standard
for research. The Secretary's list comprises the elements
listed above, with the addition of URLs and IP addresses.
We recognize the need to add URLs and IP addresses to the
list of direct identifiers and urge that with the addition
of these two elements our proposal for a research de-identification
standard should be adopted in the final rule.
We note, however, that the preamble discussion of de-identification
lists examples of "identifiable information" (e.g.,
admission dates and five digit zip codes) that a covered entity
might be permitted to include in a "limited dataset"
to be used or disclosed for research purposes. We assume that
the Secretary did not intend that this "limited dataset"
be restricted to those data fields described in the NPRM.
The AAMC believes that a covered entity should be permitted
to include any information in the research or "limited"
dataset that is not a direct identifier, as described above,
and regarding which the entity does not have actual knowledge
that the information could be readily used, alone or in combination
with other reasonably available information, to identify an
individual who is the subject of the information.
Accounting for Disclosures
Patients who authorize a non-routine disclosure of PHI are
plainly aware that the disclosure will occur; therefore, the
AAMC agrees with the proposal to eliminate the accounting
requirements for disclosures made pursuant to patient authorization.
We remain concerned, however, that continuing to require
a specific accounting for all research disclosures made pursuant
to a waiver of authorization will impose a tremendous administrative
burden upon providers.
We fear in particular that community providers and hospitals
that do not view research as their primary mission will be
reluctant to assume this burden and thus unwilling to make patient
records available to researchers. This unfortunate result
would impede or even prevent much valuable epidemiologic and
health services research, to the great detriment of patients
whose care is enhanced by new medical knowledge.
The AAMC urges the Secretary to further modify the accounting
for disclosures provision. Covered entities should be permitted
to meet this requirement with respect to research disclosures
by providing the patient with a list of all protocols (to
include researchers' names and contact information) under
which the patient's information may have been disclosed
pursuant to a waiver of authorization. A covered entity could
meet this requirement by providing a patient, upon request,
a disclosure such as the following: "During the previous
six years, this (institution or provider) has disclosed information
under a waiver of authorization in support of the research
projects listed below."
Public Health Disclosures
The AAMC agrees with the Secretary's proposal to permit covered
entities to disclose PHI to sponsor-initiated registries,
provided that these registries are created for the purpose
of activities related to the quality, safety, or effectiveness
of FDA-regulated products. We note, however, that the Secretary
does not permit covered entities to make the same disclosures
to registries maintained by academic investigators and institutions,
or by other non-profit organizations, even when such registries
are operated under IRB supervision and do not disclose direct
patient identifiers to the researchers who access the registry
data. These registries are vitally important to researchers
who study epidemiological patterns of disease or track the
success of health interventions across broadly dispersed populations.
The AAMC sees no justification for the rule's new double standard,
under which industry may receive PHI without authorization
or waiver to construct registries for legitimate research
purposes, but the academic and other non-profit communities
may not.
Healthcare Delivery Issues
Consent
The AAMC strongly supports the Secretary's proposal to permit
providers to care for patients without first obtaining consent
for the use or disclosure of protected health information
(PHI). Requiring instead that providers document a good faith
effort to obtain patients' acknowledgment of the notice of
privacy practices is a reasonable approach that will facilitate
timely care.
With this proposed change in the rule, patients will still
be apprised of the permitted uses and disclosures of their
health information, but they need not fear that their care
will be impeded by the final rule's rigid insistence upon
prerequisite forms.
This change is also consistent with the intent, as expressed
in the initial NPRM, that protected health information be
allowed to move efficiently throughout the healthcare system
for the core purposes of treatment, payment, and healthcare
operations.
Exemption for Incidental Uses and Disclosures
The AAMC supports the rule's proposal to exempt incidental
uses and disclosures of patient information that cannot reasonably
be prevented, are limited in nature, and occur as a by-product
of an otherwise permitted use or disclosure under the privacy
rule. This exemption recognizes the importance of communications
among caregivers, trainees and patients, and does not penalize
covered entities for unavoidable incidents.
Business Associates
The AAMC supports the proposal to provide a one-year grandfathering
of existing agreements, and we appreciate the model language
that the Department has provided. We urge the Secretary to
make the following additional modifications: (1) eliminate
the requirement that covered entities enter into business
associate contracts with one another; (2) develop a certification
program for suppliers that would eliminate the need for many
business associate contracts; and (3) create an "incidental
disclosure" safe harbor that would clearly eliminate
concerns that a business associate contract will be needed
with organizations where contact with protected information
would result only inadvertently, if at all (e.g., janitorial
services).
Definition of a "Hybrid Entity"
The Secretary proposes to revise the definition of a "hybrid
entity" by allowing entities to determine whether they
will function as single covered entities or as hybrid entities
with designated healthcare components. Under the proposal,
a hybrid entity may include within its healthcare component(s)
any component that engages in covered functions or in activities
that would make the component a business associate if it were
legally separate. A covered provider must be included in the
healthcare component, but a provider who does not engage in
standard transactions may be included at the discretion of
the covered entity.
The AAMC remains concerned that the privacy regulation prevents
many academic medical centers from organizing for HIPAA compliance
in a manner that reflects the necessary integration of operations
between the medical school and affiliated faculty practice
plans and teaching hospitals.
Even as modified, the rule would not permit many academic
medical centers to designate themselves as either a hybrid
entity or an affiliated entity, since the components of each
must belong to a single legal entity or share common ownership
or control.
Although the Secretary has provided an alternative means
of affiliation, the organized healthcare arrangement (OHCA),
for legally separate entities who must share PHI to manage
and benefit their common enterprise, it appears that a typical
medical school would not be eligible to participate in an
OHCA. Such participation would require that the school engage
in one of the prerequisite activities (utilization review,
quality assessment/improvement activities on behalf of the
covered entity, or payment activities where the financial
risk of delivering care is shared by participating entities).
As the AAMC noted in our March 29, 2001 comment letter, "the
components of an academic medical center have a symbiotic
relationship that supports the academic missions of teaching,
research and patient care." It is essential that there
not be impediments to the flow of information within an academic
medical center. The AAMC urges HHS to clarify §164.504(a)
as follows:
Academic medical center consists of a medical
school and all faculty practice plans and teaching hospitals
that designate themselves, either formally or informally,
as affiliated components of the same academic medical center.
Common control exists if an entity has the power,
directly or indirectly, significantly to influence or direct
the actions or policies of another entity, and is presumed
to exist among the components of a self-designated academic
medical center.
Fundraising
Under §164.514(f) of the final rule, a covered entity
is allowed to use protected health information for fundraising
purposes without an authorization only if the PHI used is
limited to "demographic information relating to an individual"
and the dates of service. Absent authorization from a patient,
institutions are precluded from attempting targeted fundraising
efforts. This restriction creates a serious impediment to
the fundraising that is essential for academic institutions
to sustain their core missions of teaching, research, patient
care, and community service.
When patients come to academic institutions, it is sometimes
with the expectation that they will be cared for by a specific
individual of high repute, but more generally with the expectation
that they will be cared for in a particular department or
division that has expertise and is renowned for treating the
condition from which the patient suffers. It is through these
individual physicians and departmental and divisional centers
that the excellence of the institution is established and
publicized, and critical funds raised to foster future teaching
and research.
The AAMC continues to urge DHHS to make the following change
in §164.514:
(f)(1) Standard: Uses and disclosure for fundraising. A
covered entity may use, or disclose to a business associate
or to an institutionally related foundation, the following
protected health information for the purpose of raising
funds for its own benefit, without an authorization meeting
the requirements of section 164.508:
(i) Demographic information relating to an individual;
and
(ii) Dates of health care provided to an individual; and
(iii) The physician, department, or division of the
covered entity from which the individual received treatment.
De-Identification for Quality Comparisons and Benchmarking
The AAMC shares the concern of the American Hospital Association
that quality comparisons and benchmarking activities critical
to improving the operations of our member hospitals may be
severely impeded by the final rule, to the extent that these
activities require the exchange of HIPAA identifiers such
as full zip codes and dates of service. We urge the Secretary
to permit covered entities to use and disclose data stripped
of the list of facial identifiers, as discussed earlier and
in conjunction with a data use agreement, for specified quality
comparison and benchmarking purposes.
* * *
The AAMC recognizes that DHHS never intended that the Privacy
Rule unduly burden or prevent vital biomedical and public
health research or the provision of healthcare. We are grateful
to the Department for its responsiveness to the concerns raised
by the scientific community. The AAMC firmly believes that
strong protections for the privacy of medical information
can be accomplished without jeopardizing either medical care
or health research, and that the changes proposed in the NPRM
go far to correct the imbalances contained in the Privacy
Rule.
Thank you for the opportunity to express our strong support
for the important modifications proposed thus far. We emphasize,
however, that with respect to the provisions that we identify
in this letter (particularly de-identification and fundraising)
further modifications are necessary if the privacy rule is
to become a truly workable standard that does not unduly impede
patient care and research.
Should you wish to discuss our comments further, please contact
David Korn, M.D., Senior Vice President, Division of Biomedical
and Health Sciences Research, or Jennifer Kulynych, J.D.,
Ph.D., Director, DBHSR, at (202) 828-0484.
Sincerely,
Jordan J. Cohen, M.D.