Read the full testimony (PDF)
Thank you for your invitation to testify today on the privacy and security of electronic health records. Our medical system is now striving to move toward what is often called the National Health Information Network. Today, less than 10 percent of our clinical records are accessible in electronic form. All of us hope that that number climbs sharply in the next decade. As my colleague Karen Davenport has stressed in a new report, improved health information technology is essential to improving the quality of our nation’s health care.
To make the shift to the NHIN, we need to get privacy and security right. Public surveys repeatedly show that privacy and security concerns are top-of-mind when it comes to the shift to electronic health records. Unless Americans are convinced that effective safeguards are in place, then many of the benefits of the NHIN may be delayed or lost entirely.
My testimony today highlights two key issues—preemption and enforcement.
First, preemption of state laws would effectively repeal many existing privacy and security protections. There is a national baseline of protection under the Health Insurance Portability and Accountability Act of 1996. The HIPAA privacy and security rules, on which I worked extensively, offer essential safeguards for patient records. They are incomplete, however. It is the states that provide the current protections for sensitive records such as mental health, HIV, genetic information, and other key categories of records. The NHIN should be an occasion for strengthening safeguards, and not repealing numerous safeguards in the name of federal preemption.
Second, the current “no-enforcement” system is not a credible basis for EHRs and the NHIN. HHS has received over 27,000 HIPAA privacy complaints but has yet to bring its first case for civil monetary penalties. HHS has needlessly adopted a “one free violation” policy, guaranteeing covered entities that they can violate the law the first time without financial punishment. And the Department of Justice has interpreted the HIPAA criminal provisions in misguided and narrow ways. As explained below, each of these problems can and should be fixed through targeted legislation or regulatory change.