Testimony of the American Health Information Management Association to the Privacy and Confidentiality Subcommittee of the National Committee on Vital and Health Statistics

August 16, 2005

Opening Comments

Chairman Rothstein, members of the Privacy and Confidentiality Subcommittee, and ladies and gentlemen, good afternoon. I am Dan Rode, vice president of policy and government relations for the American Health Information Management Association (AHIMA). On behalf of the Association and its members, thank you for allowing us this opportunity to provide input on the issues arising on privacy and confidentiality as related to the electronic health record (EHR) and the national health information network (NHIN).

AHIMA is a not-for-profit, professional association representing 50,000 educated health information management (HIM) professionals who work throughout the healthcare industry. HIM professionals serve the healthcare industry and the public by managing, analyzing, and utilizing data and records vital for patient care and making it accessible to healthcare providers and appropriate researchers when it is needed most. Managing the records for healthcare has been a role for HIM professionals for over 77 years, and AHIMA members are now working diligently to ensure the proper development and implementation of standard, interoperable electronic health records (EHRs) and health information networks (HINs) that will improve the quality, access, and safety of patient care.

In these same 77 years, HIM professionals have regarded the protection of confidentiality and integrity of health records as a primary function in whatever aspect of information management they are involved. It is no surprise, therefore, that HIM professionals have become one of the prime professional groups serving as privacy officers in many HIPAA related entities and have for many years also been designated to oversee the release of information function in many hospitals and large clinics. In response to the requirements of HIPAA and AHIMA's desire to see fully trained healthcare privacy professionals, the Association also instituted three professional certifications related to privacy and security, two of these certifications are held jointly with HIMSS.

It is also this dedication to confidentiality and security that has led to AHIMA involvement in projects including advocacy for confidentiality needs in HIPAA legislation and regulations, genetic non-discrimination, and privacy preemption legislation. AHIMA is associated with the "Connecting for Health" projects, including work on HINs and privacy, sponsored by the Markle and Robert Wood Johnson Foundations. On the consumer side of these issues, AHIMA established a Web site directed at information on personal health records, www.myPHR.com, and now in more than 37 states we have initiated consumer forums that discuss both the concept and use of personal health records as well as patient rights and responsibilities for health record access and privacy under HIPAA. Finally, AHIMA has made public statements on privacy, confidentiality, and security as well as the need for genetic non-discrimination legislation, and copies of these statements are attached to this testimony.

The last few years have seen the acceleration of efforts to achieve a standard EHR and the infrastructure or network needed to exchange healthcare data to improve individual and population health. The ability to better collect data, and to collect better data, for quality improvement, public health, and other purposes that benefit our population, will be achieved through standardization, interoperability, and the implementation of EHR and an infrastructure. It has been hard for those of us in the industry to keep up with these changes, as well as a significant number of other Medicare, HIPAA, and industry healthcare changes, including the implementation of the privacy and security rules, new quality programs, prescription drug processing, medical error monitoring, pay for performance and so forth. If we in the healthcare industry find this pace difficult to keep up with, think of our patients who come in and out of our healthcare systems and have had "Notices of Privacy Practices" and other changes hit them differently from providers, health plans, pharmacies, and so on. In the meantime these same individuals are hearing and reading about lost or stolen electronic records, identify theft, and other situations that give them pause as to just what is happening, or not happening, in our industry to protect their health data.

As our AHIMA team discussed today's questions among ourselves, a thought that came to mind over-and-over was the need to understand what are our goals for healthcare data, and why we have embarked on this building of a standard EHR and HINs. This understanding is needed within our healthcare industry and by our patients and others who deal with health information for whatever purpose. We also need to ensure that as we build our HINs, and connect them with a variety of entities, this whole process and relationship be transparent to consumers, otherwise some of the issues hinted at in your questions will come to pass. Finally, we must all understand the need to build trust into this electronic information process and this new era of a national health information network (NHIN) and EHRs. Without such trust, without a commitment to confidentiality and security, there will not be a complete or reliable network.

AHIMA thanks this committee for taking on part of this task to ensure there is confidentiality and security in our records and network, and that the public can trust our industry to provide healthcare information in a way that improves the quality of their care and ensures their trust. AHIMA and our 50,000 member professionals look forward to working out the answers needed to ensure our information network and process deserves the trust of all our citizens.

Answering the Questions

Before I specifically address your questions, I want to set the stage a bit with regard to the difference between the EHR and the NHIN - or as I will phrase it, a health information network (HIN).

AHIMA sees the EHR existing at a provider site and administrated by the provider for the patient. EHRs can also exist at nonprovider sites such as government entities, foundations, health plans, and so forth. In these latter cases the EHR would most likely be in the form of a repository. All repositories, governmental, public, or commercial must be transparent - individuals should be aware that such EHRs or databases exist. Their existence should not be kept secret. Individuals should have the right to authorize any release of personally identified data except in cases defined by law or where prior authorization or consent is given.

HINs whether national or local, will serve as a means of electronically exchanging health information, in a secure manner. Some networks could contain a repository; others will simply serve as an exchange or network between appropriate entities. The former case will be discussed later. The latter case, therefore, is an interoperative electronic mechanism to exchange information, and to that extent is no different than any exchange we might have of data today, presuming that the EHR on any end of the network is itself not considered part of the network.

As our AHIMA team worked with your questions, we reordered them looking at issues first at the EHR site, and then from the perspective of an HIN.

Question 5:

Should individuals have the option of having their health records maintained only in paper form?

AHIMA believes that an individual should not, and cannot, be given the option of having their health records maintained only in paper form.

Individuals who seek treatment in the healthcare system must conform to the record keeping practices that exist as the industry standard. To provide an option for paper-only records would:

  • Result in significant costs resulting from a duplication of efforts and create an administrative nightmare,
  • Damage the integrity of the patient's information, especially if the individual's information had to be treated differently from other patients,
  • Add potential complications to ensure confidentiality and security in a hybrid office, and
  • Give the false impression that paper is safer than electronic.

While hybrid health record systems in the electronic world should not be the norm, every EHR and other collection or system of PHI must have the capability of being printed to paper, in an understandable fashion, should the patient or other legal authority require or request such a copy. Likewise, to avoid any fear of record loss, every EHR or collection or system of PHI must be protected against loss of data with appropriate back-up security (similar to that required by HIPAA).

Because individuals are familiar and experienced with the current health information standards, they are, for the most part, comfortable with existing paper health record systems. Rather than attempting to create a paper-form option to the EHR, the industry must address the healthcare consumers concerns regarding the EHR systems. As the nation transitions from a primarily paper-based health record system to an electronic health record system, paper will continue to play a role. However, as electronic health information systems become commonplace and refined, consumers will become more familiar and comfortable with electronic health information, just as they have come to become comfortable with similar changes in banking and finance.

The issue of education will be raised several times this afternoon. It will be very important to educate consumers and others on just how such systems work and why EHRs will facilitate better confidentiality and security, than what can be done today with paper records, and we will discuss why as we respond to your other questions.

Question 3:

What information, if any, should individuals be able to exclude from their electronic health record or the NHIN? What, if any, limits should apply to these exclusions?

First, we need to separate the EHR from the HIN, and assume at this point that we are discussing a provider's EHRs. AHIMA believes that there should be no exclusion of information in an EHR, just as there should be no exclusion of data in a paper record today. Exclusion of data from the record means that the provider has an incomplete record that could affect the care rendered in the future to the patient. Many providers will refuse to render care under such a restriction. On the other hand providers do segregate records or provide greater privacy for parts of the record, either at the request of the patient or because they are required to do so by law - for example, adoption records, HIV, and so forth. Somewhere in the organization is an indicator that a separate document exists and has limited access or is not to be shared.

In an electronic world, with the EHR, the same protection for such records can exist. In fact it probably, with some software improvements, can do a better job because access to parts of the record can be limited, electronic logs can identify who has actually accessed and seen data in the record, and an immediate signal or message can be triggered when such an action is occurring or has occurred. In the meantime, clinicians or staff with appropriate access credentials can be aware that additional information exists, and can seek to use such information when appropriate with patient or legal permission as needed.

The question gets a little more difficult if we think about the potential identifier registry in an HIN - the one that is built to allow a requestor to seek the location of records for an individual - we will call it the record locator service (RLS) in today's testimony.1 What if the identity of the record holder (provider) or type of record (communicable disease, genetics, behavioral health) in effect provides personal health information about the patient? Should there be some type of screening similar to what would be needed within the provider setting? Should patients be able to exclude the record locations of some of their records? Perhaps, but such exclusion is not without potential health consequences, and consideration must be given to the role and responsibilities of a requestor looking for records, just as they must be within an organization today.

A patient usually wants to restrict information in a record because of access issues or disclosures that you raise in a separate question. The patient's restriction is generally made out of fear regarding what would happen if such information were released. AHIMA is convinced that this fear or lack of trust in an organization's confidentiality, could become a significant barrier to the use of EHRs or HINs, and, even worse, could result in incomplete health information for use in making treatment decisions.

Another reason for a request to exclude data from a record comes from a lack of understanding the implications of such a restriction. Patients may not understand the impact on the provider or clinician's ability to treat the patient, or how the patient can be negatively affected if such information is not appropriately available. As we think of potential errors, we can see that in the future, a system's knowledge of restricted information could, to some extent, at least trigger a potential medical error message, which would in turn permit a better healthcare decision. But it will take education of patients - something more than just a privacy practice notice - to understand the benefits and options available in the EHR of the future.

Question 4:

What limitations, if any (beyond those of the HIPAA Privacy Rule) should be placed on access to personal health information in the NHIN? How should such limitations be developed and applied?

It is not clear that PHI will exist in a static mode within a HIN, if you take the perspective that EHRs, repositories, or registries existing at the provider or similar site, are not considered part of the HIN. HINs could have PHI contained in either an internal registry or the RLS. In either case, AHIMA believes that patients should have the same right to control access, as they do for records kept by HIPAA entities now. Patients or individuals whose PHI flows through a HIN must also have the knowledge that the HIN has been built, and is maintained, with security measures necessary to prevent an assault or inappropriate access to whatever PHI exists in the network.

This model suggests then that records kept at the tangential points of the network would continue to fall under current HIPAA constraints, if the entity is covered by HIPAA. As you are aware, however, the problem is that there are, or could be, entities attached to the HIN that are not covered under HIPAA, leaving the distinct possibility that confidentiality could be breached because necessary practices and security have not been employed to protect the PHI. If individuals are going to trust the HIN, then they must also know who is in the HIN and that all the entities are required and committed to maintaining the confidentiality of all individuals' PHI. The HIN will be judged on all its parts, not just some of the parts. Protections for confidentiality and security must be broadened to cover all entities holding PHI, whether or not they are currently covered by HIPAA. Because networks will cross state boundaries, the "HIPAA floor" of requirements must be raised to include best practices that shall apply in all localities and for all types of entities, public, private, or governmental.

When it comes to the HIN we often hear of benefits including:

  • Access to records in time of emergency,
  • Access to ancillary testing results by multiple providers to save time, pain, and money,
  • Access to data, perhaps de-identified, for research, public health and bioterrorism monitoring, and public policy making, and
  • Exchange of information in a trusted, secure network.

The network(s) linking PHI from EHR to EHR or similar registries will provide these benefits and have several advantages over our limited systems today. More appropriate detail will be exchanged more securely and faster. But the questions that arise as to who has access to the PHI in the tangential record - paper today, EHR tomorrow - remain, and if this HIN or NHIN concept is to be successful and useful for patient and population health, then these access questions must be addressed.

As a patient, I want to know who has access to my records. On rare occasions I might want to block a specific individual - my sister-in-law who works at the entity, for example. But, in general, I want to know that only those who really need to get to my information will have access. With an EHR there will be a much better means to block access to all or parts of a record, and we will have the ability to track access to the record.

With the paper record, a number of administrative problems arose related to privacy rule administrative requirements. To meet these needs the HIPAA rules established a provision that allowed waver of consent for release of PHI for treatment, payment, and operations, TPO. From AHIMA's annual privacy and security survey we know that more than half the states still require a consent for release of TPO information and many entities have decided to continue to obtain consent even though they are not required by HIPAA. Some of the barriers paper records present in the form of administrative procedures can be overcome with an EHR. For instance, having an EHR might be cause for me to have a conversation with my provider - or the administrator of my EHR - on who is allowed access. Yes, I want any physician who comes through the HIN to have access to all or some of my information. Yes, I want my child's pertinent information to be sent to the school nurse if needed. Yes, I understand that some non-PHI information will be sent to XYZ registry to study the region's healthcare. No, I don't want any nonauthorized access except in emergency situations.

These are all possibilities that arise out of an environment of EHRs and HINs. But two other needs arise. First, AHIMA believes the HIN systems must employ some way of identifying the requestor - who it is, and whether they are who they say they are (authentication). It also means there must be a mechanism of identifying what information they seek and why. These latter requirements come from the need to know how much or what part of a record is needed for the purpose at hand. It is a reflection of the minimum-necessary concerns that continue to arise when responding to requests. For instance, if information is needed for a claim, should it be necessary to send the entire record if asked? Even in cases of treatment, for example an emergency, some individuals, while wanting all pertinent information sent, would, in most cases, object to having their family counseling information sent.

From this discussion then, AHIMA is convinced that the EHR or HIN must have:

  • Access controls and monitoring.
  • Ability to identify the requestor (coming through the HIN), authenticate the requestor, and understand the reason or purpose of the request for PHI in order to exercise minimum necessary restrictions as defined between the patient and the provider or administrator of the particular EHR holding the information being sought.
  • Ability to log in the information regarding the requestor and request for accounting of the disclosure.

These recommendations require two comments. First, any requirements on the holder of EHRs must be flexible in the spirit of HIPAA. A small physician office will not need the same automated controls and logging as a large tertiary teaching hospital. Second, AHIMA has approached this subcommittee and the Secretary on more than one occasion asking for relief from some aspects of the "accounting for disclosure" requirement." These requests, which we still maintain, exist because of our existing paper systems and the difficulty in administrating such a requirement. In a world of EHRs and HINs accounting for disclosure administration becomes much more simple, especially if the abilities I just described are available.

There is a second need beside the software and elements we have described for an EHR and HIN. This is the need for the patient to fully understand the EHR, HIN, and their uses. AHIMA believes that if individuals are going to benefit from these technologies to the fullest, they need to understand how the technologies work and what the impact of consent or authorizations will have on how well they will work for that individual. It would be helpful, for instance, for a parent, to give upfront permission for release of their child's PHR for internal purposes, and also to specialists, emergency physicians, and the school nurse.

Many fear this new highway of health information because they don't understand it. Educating the patient means we should do more than give them a copy of a "Notice of Privacy Practices." We must have educated staff or clinicians sit down and explain the impact of decisions related to whether an individual wants or does not want to have information shared and the protections available to them. EHRs will give us more security and flexibility, but as an individual I cannot benefit from this if I don't understand it and my options.

I mentioned AHIMA's project on the personal health records. Already in many states, we are addressing how the HIPAA regulations work. Perhaps in the not-too-distant future we can educate consumers as to how HINs will work, what decisions the individual must make, what protections are in place (generally), and the benefits and limitations of these new information tools. Such an education, along with the transparency, previously mentioned, will do a lot to make the system work and individuals more comfortable.

Today there is the potential for too many competing standards, guidelines, rules, and regulations that hinder the success of such an HIN vision. To the extent feasible a single set of national privacy and security rules, and a single common framework for these protections across the networks must be encouraged. Variation in guidelines, rules, and regulations will add administrative complexity of personal health information management and the NHIN, as well as to confusion for the individual whose health information is the focus of such a network.

Question 2:

What are the implications of permitting patients to control whether their records are part of the NHIN? If permitting this option is appropriate, what mechanism should be used to obtain individual consent or authorization?

The historic IOM report on patient safety revealed a direct relationship between patient safety and the availability of health information. Health records that are incomplete or unavailable place the patient at risk. In order to provide the best possible care and ensure patient safety, the designated healthcare provider(s) must have access to the individual's complete health records. In this same light, providers can best serve the patient when they know they have as complete a set of information regarding the patient as possible.

As the AHIMA team discussed this issue, the point was raised that the government should take a community or parental approach and simply pass a law that says everyone's information will be in the system, period. There was also the thought that perhaps a request for service (for instance, arrival at an emergency room) should be considered as permission to obtain any necessary records. These might work, but we do not believe that our American culture would tolerate such an approach no matter how good the intention.

From our comments, you can see AHIMA does not consider the decision to be one of whether the individual's records will be a part of the HIN. Rather, it is a question of a patient's desire to have PHI shared from one or more of his or her EHRs. The only time a patient needs to consider the HIN is when there is the potential for the use or release of PHI in an internal (to the HIN) registry or the RLS. If it is a registry, then the discussion must take place at the provider, health plan, or other entity that is sending information to this HIN registry - similar to any other disclosure discussion. The RLS will require a similar discussion, but the ramifications are different and will need to be explained. From this perspective, we suggest that HIN registries (where they exist) and RLS or similar functions require an opt-in approval of the individual, at the time that access and release decisions are made. This way the individual or guardian can maintain the right to safeguard PHI confidentiality. Remember AHIMA is also recommending educating individuals to make these choices. An opt-out option for PHI that might be in an HIN makes too many assumptions about the individual's desires and makes it easier for an EHR administrator to avoid the entire discussion.

Question 1:

With respect to the design of a National Health Information Network (NHIN) do you prefer a model based on a regional health information organization, a model where individuals carry their own personal health information on a device, a trustee model, or something else: Why? What implications does your preferred model have for privacy and confidentiality?

NHIN Model

For several years, AHIMA has worked closely with the Markle and Robert Wood Johnson Foundations' project Connecting for Health. AHIMA was one of 13 organizations that responded to the Office of the National Coordinator's November RFI on NHIN. Carol Diamond from Markle will be addressing the subcommittee tomorrow, and we recommend that you consider the work previously published on privacy and some of the current Connecting for Health work that is also being done from a policy perspective. From these efforts, as well as our volunteers' experiences, AHIMA favors the regional health information organization approach. AHIMA sees the NHIN as a network of networks governed by a common framework that would include approaches to identifying patients, providers, and requestor that we have addressed above. Our previous answers to your questions were based on this perspective.

Personal Health Devices

Your question raises the issue of individuals carrying their own PHI on a device, and certainly no NHIN model prohibits such an action. However, while AHIMA supports and promotes individuals' use of a personal health records (PHR), and the integration of PHRs with an individuals EHRs, we are concerned that hand-carried PHRs currently have obvious limitations that can affect the integrity of the data they possess, and lowers the level of confidentiality compared to using electronic record via the NHIN or a local HIN.


From a HIN perspective, AHIMA sees several implications that we believe must be addressed within the network:

  • HINs with internal registries or serving in the capacity of a central EHR will need to address the same requirements regarding access, use, and disclosure as the provider or plan that administrates an EHR.
  • If there is an identifier function that has to contain PHI then access, use, and disclosure will have to be addressed with the individual and the function itself must be built to ensure only appropriate access to patient approved information.
  • Any entity associated with (or using) the HIN must be covered by the same combination of privacy and security requirements as those of all the other entities in the network and to fully function there must be a privacy ceiling across all networks. The data exchange processes and security pieces associated to achieve access and disclosure within the network itself must also be uniform or information will not flow between networks. Healthcare data, especially PHI, must be protected no matter where it resides, or the industry will be spending considerable amounts of money and effort that will not result in the protection the public is seeking.

While there has not been "a decision" regarding which model will come into play, AHIMA's comments to your previous questions still remain true.

Question 6:

What other measures are needed to protect the privacy and confidentiality of personal health information and to build public trust in the NHIN?

AHIMA's recommendations fall into two categories:

Laws and Regulations Related to Misuse of PHI

While confidentiality and the accompanying security needed to protect PHI are our principal objectives in this discussion, there are no foolproof systems, processes, or regulations that can or will provide a 100 percent guarantee of protection without interrupting the continuum and quality of care. AHIMA believes to build and ensure trust in an EHR or a HIN, individuals must be free from the fear that they will be discriminated against if their PHI is inappropriately accessed, obtained, used, or disclosed. In a world where stories of identify theft, discrimination, and other breaches of privacy fill the news daily; individuals must be assured that such misuse of PHI will not be tolerated.

To this end AHIMA:

  • Supports current efforts to see enactment of a genetic nondiscrimination law (AHIMA's position statement is available here.).
  • Supports efforts to ensure that serious penalties, in the form of fines and criminal penalties, exist and are forcefully employed for any misuse of PHI including, but not limited to, discrimination, identity theft, or inappropriate commercial use. To this end AHIMA also supports efforts to ensure that individuals, as well as institutions, are held responsible for any misuse of PHI.
  • Supports efforts to ensure that nondiscrimination protections apply to all PHI, and that such protection apply to PHI whenever and wherever such violations occur, including those committed outside of entities currently covered by HIPAA.

AHIMA believes that in the long run, if we do not address and resolve these issues, an NHIN will fail to meet its goals. We hope that the NCVHS will join others and us in endorsing this effort.

Education and Understanding - Best Practices - Communications

We have discussed several concepts throughout today's testimony:

  • AHIMA believes that if we are going to build a fully functioning HIN, then the public and those employed in healthcare or who use health information must understand how the EHR and HIN work. Included in this education, is an understanding of when, how, and where information is sought, recorded, and stored and how it is used.
  • AHIMA suggests that this subcommittee and professional associations like AHIMA are in a position to work together to ensure education is available in a number of forms so the public can understand the system, the protections for confidentiality, and the impact of decisions they will make to allow for access, use, and disclosure of their PHI. To this end, and to ensure more uniformity to this understanding, AHIMA is committed to working with interested parties to identify best practices and uniform approaches to this understanding and education.
  • AHIMA further suggests that in addition to general consumer education, education must take place at the provider or entry site. Unfortunately, while the best materials and education can be made available, for many the actual need for education is at the time when they first present as a patient. If the HIN, supported by modern standard EHRs is going to function, then healthcare professions must be able to discuss the meaning and impact of consent and authorization for PHI data with the patient, and have available at their disposal resources to assist in this discussion. This means making a bigger commitment than providing a written notice of privacy practices or a schematic of an HIN. The government and healthcare industry are going to have to acknowledge such an encounter and be willing to accept some payment responsibility for providers, especially to perform this necessary function.

    Education has been necessary for some time. The conversion to EHRs and HINs is not going to happen overnight, but there will be a time when the use of EHRs and HINs will become the norm, just as our use of information technology outside of healthcare has permeated our daily life. So, while education may never completely go away, as the system is built, understood, and used, some of the educational activities and resources suggested could be reduced.

  • Communication is a form of education, but for the public to truly engage in and trust in an HIN, ongoing, uniform communication is required across the industry and the country to avoid the confusion we have seen among privacy practice notices and so forth. The process and workings of our HINs and the NHIN must also be transparent - there should be no black boxes of data, rather it should be clear what the purpose of each registry, EHR, and similar collection is, how it is used, and the benefits to the individual and the population.


The introduction and use of EHRs and the establishment of an NHIN will multiply the opportunity for health information to serve the individual and the public. We still do not have all the answers as to how EHRs and HINs will fit together, but we do have experience with the issues of confidentiality and security, and we do know of the technical possibilities that exist to ensure confidentiality and security exists at the highest levels in the future.

AHIMA and its members are working diligently across the country to see these goals achieved, and we congratulate the subcommittee on raising these questions and seeking input to allow our industry and government to build a system that our consumers will use and trust. We thank you for the opportunity to add to today's discussion, and we welcome any opportunity to join in the effort to achieve these goals in the future. I will be happy to answer any questions you might have today or in the future.

Thank you.

Dan Rode, MBA, FHFMA
Vice President, Policy and Government Relations
American Health Information Management Association
1730 M Street, NW, Suite 409
Washington, DC 20036
Telephone: (202) 233-1525

1The term "record locator service" comes from the Connecting for Health, et al. collaborate response to the November 2004 ONCHIT RFI.