Government Affairs Home > HIPAA

Statement on Standards for Privacy of Individually Identifiable Health Information

The Association of American Medical Colleges (AAMC) is pleased to submit its views on the Department of Health and Human Services Notice of Proposed Rulemaking (NPRM) “Standards for Privacy of Individually Identifiable Health Information.”  The AAMC represents this nation’s 125 accredited medical schools, approximately 400 major teaching hospitals and health care systems, and 91 academic and professional societies representing over 75,000 faculty members. Our members and institutions provide basic and specialized healthcare services, conduct research leading to the discovery of medical knowledge and the development of innovative treatments and therapies, and educate and prepare physicians to meet evolving health care needs.  Whether in utilizing health information in treating patients, educating future physicians, or conducting clinical research ranging from the etiopathogenesis of disease, translation and clinical trials to studies in epidemiology, prevention and health services, the AAMC is keenly aware of the need to protect the privacy of individuals and the confidentiality of individually identifiable health information.

The AAMC strongly believes that the only comprehensive and nationally coherent solution to the complex and emotionally charged problems of “medical information privacy” lies in federal legislation, and we have steadfastly supported the enactment of such to strengthen the protection of individuals’ personally identifiable health information from inappropriate disclosure and harmful misuse.  Any legislation will require a balancing between protecting individuals’ health information and allowing health care entities and providers reasonable access to information that can be shared for purposes of treatment, research, and education.

The NPRM’s preamble articulates the department’s concern with its limited authority under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the rationale for the stratagems it devised to craft regulations with the broadest possible reach in the face of those limitations, and it is punctuated with repeated calls for federal legislation as the much preferred approach.  These points are important to understanding the structure, complexity and potential impact of the regulations that have been proposed.  The preamble seeks frequent refuge in the principles articulated in Secretary Shalala’s thoughtful report to the Congress in September 1997, entitled “Confidentiality of Individually Identifiable Health Information.”  At the time, the AAMC expressed its strong general support of the principles, while noting their ultimate acceptability would turn on the details of their implementation, which the report did not address.  Given the complexity of the proposed regulations, their substantial financial and administrative costs, and the profound operational and behavioral changes that they would impose at every level of the health care delivery system, it is ironic to note that the relevant HIPAA authority derives from the Administrative Simplification provisions of the Act (Sections 261-264).  

Although the AAMC appreciates the work the department has invested in this NRPM, we have very serious reservations about certain of the approaches and implementation steps.  We fear that they would impose unreasonable burdens and unwise constraints on the day-to-day functioning of the health care delivery system and the conduct of medical research. While fully supporting the individual’s right to privacy and respecting the need for effective, systemic protections of the confidentiality of individually identifiable health information, we believe that some of the standards, implementation requirements, and procedures imposed by this NPRM would have real costs that far outweigh their theoretical benefits.   We believe that the NPRM requires major changes so that it will reasonably protect the privacy of individually identifiable health information without impeding the flows of health information required for the care of patients, the operations of the health care delivery system, or the conduct of health research.  In particular, the AAMC draws attention to the following salient concerns:  

 Impact on Delivery of Health Care: The enactment and implementation of any standards for medical information privacy will impose enormous costs and administrative burdens on the U.S. health care system.  In this regard, any federal regulations must be crafted with precision and with understanding of and sensitivity to the complexity and magnitude of the flows of individually identifiable health information involved in the health care of patients.  Unfortunately, the AAMC finds that many of the proposed provisions in the NPRM impose unreasonable burdens and unwise constraints on the day to day functioning of the health care delivery system.  In particular, the AAMC believes the concepts and applications of “business partners,” “minimum necessary,” and “de-identified protected health information” are poorly devised and ill-conceived.  In addition, the language establishing a “code of fair information practices” with respect to individual access, amendment, and correction of protected health information (PHI) needs to be more carefully tailored to the realities of the complex patterns and enormous volumes of continuous health information traffic that are necessary for the health care delivery system to function.  We urge the department to reconsider the proposed regulations in the NPRM, which would unjustifiably and unnecessarily impede the critical functions of the day-to-day operations of the entire U.S. health care system.

 Intrusion on Research: The AAMC strongly opposes the approach taken in the NPRM to divide medical research information into two broad classes, one “related,” the other “unrelated,” to treatment.  HIPAA gives the HHS no authority to regulate researchers. However, the NPRM attempts to do so by regulating covered health care providers who are also researchers.  The AAMC finds this approach unnecessary and poorly conceived.  The distinction of research information categories as described by the NPRM, in fact, would serve to weaken the protections of confidentiality of research data that are currently available, while imposing heavy burdens on medical researchers, and would be of little or no benefit to the safeguarding of individually identifiable health information.   Rather than separating research information that is “related or unrelated to treatment,” the AAMC believes that information obtained from research that is clinically relevant to the care of the subject should be entered into the individual’s medical record.  Thereby, the formal “research record” would remain separate from the medical record.  It is the Association’s strong position that research information and clinical information can and should be maintained separately, primarily to afford the research information a much higher degree of security than can be afforded to clinical information and medical records.

 Impact on Common Rule: The attempt by the department to regulate issues related to “protected health information” (PHI) in research is problematic.  In the NPRM’s preamble, the department notes that HIPAA gives HHS no authority to regulate health researchers.  Research involving human subjects is already subject to the Common Rule.  However, the NPRM attempts to amend the Common Rule by adding four new criteria to those already required of IRBs in consideration of waiver of individual authorization.  The AAMC strongly opposes this effort at piece-meal modification of the Common Rule.  The Association is unaware of any credible evidence indicating that protection of the confidentiality of PHI used in research is not being adequately respected and protected by IRBs and researchers working under the requirements of the existing Common Rule.  Moreover, with the imminent relocation and reorganization of the OPRR in the Office of the Secretary and formation of a new National Advisory Council for the new Office, the scrutiny of human research subjects protections underway by the NBAC, and similar studies being conducted by the IOM, the department’s approach is particularly untimely. The AAMC strongly urges the department to abandon this ill-advised approach and continue to regulate all research and researchers identically under the provisions of the Common Rule.

 Preemption of State Law: The AAMC strongly believes, and has consistently argued, that the workings of the contemporary health care delivery system, the mobility of American citizens, and the needs of medical research, especially population-based research, all call for federal legislation that would strongly preempt state law (with only few limited exceptions for such things as public health reporting) and establish a single, uniform national standard of medical information privacy protection.  The department does not favor such “strong” preemption, and in any event asserts correctly that it does not have authority under HIPAA to impose it by regulation.  The NPRM would establish a federal floor of protections and would preempt only contrary provisions of state laws that are less stringent than those imposed by the regulation.  It would thereby permit what is often described as a patchwork of discordant state privacy laws of variable effectiveness to remain in place.  The NPRM’s lengthy disquisition on the interpretations of “contrary to,” “less stringent” and “more stringent” underscores the confusion and significant burdens that the lack of a single, preemptive federal standard will place on covered entities whose professional activities and business transactions increasingly span state lines.  The entities would have to comply not only with the federal rule but with the more stringent provisions of state law in every state in which they operated.  The AAMC is deeply concerned about the chaotic business climate and extraordinary legal expenses that would result from the imposition of this regulation, and fears that as it is proposed, it will be unworkable.  The AAMC would urge the Secretary to conduct a state-by-state examination and certify those state laws that she deems “contary and more stringent than” the federal rules.  All other state laws bearing on medical information privacy would thereby be deemed to be preempted by the new rule. 

Although the AAMC appreciates the effort that the HHS has invested in developing this proposal, the AAMC feels that many of the standards in the NPRM would not in actual practice serve to enhance protections of  the privacy and confidentiality of individuals proportionately to the burdens and complications that they would impose on critical functions of the affected entities. In several instances, the department has exceeded the authority granted to it under HIPAA, a fact that underscores the need for Congress to revisit this complex issue to ensure that a system of protection of individually identifiable health information is logical, coherent and nationally uniform, not needlessly burdensome and costly, and will neither impede health care delivery nor vital health research.  While fully supporting the individual’s right to privacy and respecting the need for effective, systemic protections of the confidentiality of individually identifiable health information, the implementation of the standards and procedures imposed by this NPRM would have real costs that far outweigh their theoretical benefits and would serve to deter legitimate and useful sharing of information that may be vital for treatment, research and medical education.