HHS Regarding HIPAA Privacy Regulations

April 2002

The Honorable Tommy Thompson
US Department of Health and Human Services
Office of Civil Rights
Attention: Privacy 2
200 Independence Avenue, SW, Room 425A
Washington, DC 20201

Dear Secretary Thompson:

The American Urological Association (AUA), representing 10,000 urologists in the United States, appreciates the opportunity to comment on and offer our strong support for the modifications in the recently issued HHS Notice of Proposed Rulemaking (NPRM) regarding the Standards of Privacy of Individually Identifiable Health Information. The AUA and its members have always supported meaningful federal privacy protections for patients' medical records and believe that it is important for patients to understand their rights and how their medical information will be used.

However, AUA believes that the latest Department of HHS proposal ensures that patients have the information about their rights without burdening them or health care providers with another mandatory form that could delay or disrupt health care treatment. Despite recent media coverage to the contrary, this proposed modification still allows patients the assurance that the privacy of their medical records will be maintained without negatively impacting their access to quality health care. In particular, the AUA would like to comment on the prior consent requirements, the business associates requirements and several requirements as they relate to medical research.

Prior Consent (164.506)

When the initial requirement was first published, AUA agreed with the prior consent requirements as written, but as our association grappled with educating members and their practices on the prior consent provision, the burden encompassed in mandatory consent became very clear. Without these much-needed changes to the current requirements, the impact on access to quality urological care could be greatly impeded. The rules as previously written required that every patient sign a comprehensive consent form acknowledging their privacy rights prior to treatment and could preclude:

The prior consent requirement could have a great potential to confuse patients and increase patient waiting times. Physicians would be prohibited from treating patients or providing other services for them, until the form is actually signed. For example, physicians who have privileges at a number of hospitals would need either to form multiple organized health care arrangements or ask each patient in the hospital to sign a physician consent in addition to the consent provided for the hospital. If a patient were required to sign multiple consent forms to receive care at a hospital, this would hinder and delay patient care.

AUA believes that the new proposal making consent optional strikes the proper balance of protecting the rights and autonomy of patients, while removing unnecessary barriers that interfere with patient care and the efficient delivery of health care.

Business Associates (164.502, 164.504, and 164.532)

While HHS has attempted to reduce some of the burdensome aspects of the business associate provisions, those actions were severely limited. The AUA commented previously on the final rule that the business associate provision should not be used to expand HHS' authority, nor should a covered entity ever be held responsible for the action or inaction of a business associate. The proposed modifications fall short of these changes and AUA continues to request that these two important revisions be made.

One burden this rule attempted to alleviate is to extend the deadline of compliance with the business associate provision. However, the additional year is available only if an existing contract or other written arrangement with a business associate is not renewed or modified between the effective date of this provision and the Privacy Rule's compliance date of April 14, 2003. Such contracts would be "deemed" to be compliant with the Privacy Rule until either the covered entity has renewed or modified the contract following the compliance date of the Privacy Rule, or April 14, 2004, whichever is sooner. AUA supports giving covered entities an additional year to operate under certain existing contracts with business associates.

AUA lauds the inclusion of the model business associate contract as guidance for physicians' offices, but we believe this falls short of being a duplicable form that could be automatically incorporated into a urologist's practice without costly legal review and assistance.


The 2001 final rule failed to adequately recognize how complex and non-standardized research is and erected severe barriers to the use of vital medical information in research. Moreover, we were very concerned that the rule would have a chilling effect on the willingness of covered entities—who provide a rich source of information to researchers—to provide researchers with information vital to life-saving medical research.

The proposed modifications would take major steps toward rectifying these problems while protecting the confidentiality of identifiable information. We applaud the proposals to:

The AUA finds this to be a refreshing governmental action that eliminates redundant or conflicting requirements in the waiver criteria, improves the transition provisions and streamlines the requirements for all authorizations. In addition, in assessing minimal risk to the privacy of individuals, HHS proposes that three factors, at a minimum, must be considered: 1) whether there is an adequate plan to protect identifiers from improper use and disclosure; 2) whether there is an adequate plan to destroy the identifiers at the earliest opportunity; and 3) whether there are adequate written assurances against redisclosure. The AUA strongly supports this new guidance and believes that it is an important step in helping research entities in their efforts to protect patients.

Requirements For De-identification (164.514)

The final rule provides protections for identifiable health information. Use and disclosure of information that is de-identified is not subject to the rule as there are no privacy issues with such information. Under the final rule, a safe harbor is provided that requires 18 characteristics to be removed from data to render it de-identified.

The final rule's de-identification safe harbor that requires the removal of these 18 characteristics would render data useless for much research. The removal of such characteristics as dates, five-digit zip codes, and other data makes the data inappropriate for many kinds of outcome studies, epidemiological and biomedical research.

The other de-identification safe harbor provided for in the final rule—the "statistical method"—is beyond the capability of most entities because of the cost and time required to use it. Moreover, most entities tell us that they would not use this method because of the subjectivity of statistical analysis and the potential liability of using it.

In an April 12, 2002 letter to Congress, 68 organizations—including AUA and several other physician organizations, nursing groups, hospitals, medical colleges, researchers, consumer and patient groups, and many others—wrote:

"Under the final rule, 18 characteristics would need to be removed from data to render it "de-identified", including name, address, telephone number, e-mail address, social security number, vehicle identifiers and vehicle serial numbers, and other characteristics which directly identify individuals. However, some of the characteristics—admission, discharge and service dates, date of death, age, zip code, one or more geographic units smaller than a state—do not facially or directly identify an individual. These additional data elements do not identify anyone, but they are key data elements for conducting medical research. For example, epidemiological studies routinely use admission dates, discharge dates and dates of death to track and understand disease. Such information could be critical in identifying an unusual outbreak of disease symptoms associated with a bioterrorist attack. Likewise, zip codes (and county) of the patient is often important for studies with demographic components such as examining environmental factors for disease."

The AUA commends the Department for considering an alternative approach to the safe harbor standard for de-identifying information. This approach would permit uses and disclosures of "facially de-identified" information for research, public health, and health care operations purposes, subject to a new data use agreement, and we believe this new approach is a very workable solution. The AUA strongly supports the alternative approach the Department says it is considering, and upon which it is requesting comments, "that would permit uses and disclosures of a limited data set which does not include facially identifiable information but in which certain identifiers would remain." The alternative is not for general purposes, but instead, for "disclosure of such information for research, public health, and health care operations purposes." To further protect privacy, the alternative would be conditioned on covered entities obtaining a data use agreement to limit the use of the limited data set to the specified purposes in the Privacy Rule, and limit who can use or receive the data, as well as agree not to re-identify the data or contact the individuals.

The Department solicited comment on whether another one or more geographic units smaller than State, such as city, county, precinct, neighborhood or other unit, would be needed in addition to, or be preferable to, five-digit zip code. For many studies, five-digit zip codes are sufficient; however, many studies require more specific geographic information. For example, some researchers looking at pathogens or patterns of health risks may need to compare areas within a single zip code. Other studies may need to examine data by county or neighborhood when looking for external causes of disease, as would be the case for bladder cancer, which has recently been shown to have environmental links.

The Department also solicited comment on whether date of birth is needed and, if so, whether the entire date is needed, or just the month and year. In fact, health care providers need the date of birth as part of the data set to make sure they do, indeed, have the right individual. Additionally, many urological diseases are related to the aging process and at a minimum birth year identifiers are necessary in order to determine the ages at which certain urological conditions and/or diseases begin to most commonly manifest themselves. To require that every record in a large data set be converted such that the birth date is either eliminated or changed is an unnecessary burden on entities that will not enhance the privacy of patients.

Finally, we urge that the Department not include in the list of direct identifiers subjective criteria such as "other unique identifying number, characteristic, or code," which is included in the final rule's de-identification standard.

Clarification and Simplification of Waiver Criteria (164.512)

Several of the criteria that IRBs or privacy boards would have to certify to waive the authorization requirement set an unreasonably and unnecessarily high burden for researchers to meet. In order for any authorization to be waived, the privacy board or IRB would have to conclude that the use or disclosure of protected health information (PHI) will not adversely affect the privacy rights of the individual, that the research could not practicably be conducted without the authorization of the waiver or without access to and use of PHI, and that the privacy risks are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research. Aside from the difficulty and delay inherent in evaluating these elaborate and prescriptive new standards, they involve subjective determinations for which there is no guiding standard. Therefore, AUA strongly supports the Department's proposal to eliminate these criteria.

Research Authorizations (164.508)

The AUA also supports the Department's proposed modification that allows for a single set of requirements that generally apply to all types of authorizations, including those for research purposes. In particular, the proposed clarification that an authorization for the use or disclosure of PHI for research may be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research, is highly laudable. This clarification will greatly simplify the authorization requirements for patients and covered entities.


As we have already indicated, the AUA very much appreciates the efforts by the Department to reexamine the Privacy Rule and address ongoing concerns of all those who are required to abide by its requirements. We continue to believe, as stated in our final rule comments, that patients will not be fully protected until Congress acts to extend such requirements to all entities that maintain patient information, including health plans. Overall, the AUA agrees that the proposed modifications are a step in the right direction with respect to reducing many burdensome aspects of the Privacy Rule for physicians.

Respectfully submitted,

William F. Gee, MD, Chair
AUA Health Policy Council


© 2017 American Urological Association Education and Research Inc. All Rights Reserved.