Chairman Franken's Opening Statement on Gaps in Protections of Electronic Health Information
(As Prepared for Delivery)
This hearing of the Senate Judiciary Subcommittee on Privacy, Technology and the Law will be called to order. This is our second hearing and one focusing on the important issue of health privacy.
Over the past two decades, an incredible thing has happened - you can now put your entire medical history - every chart, every x-ray, every test, every last doctor's note - on a thumb drive this big. And even better: once that electronic health record is put on a network, any doctor authorized on that network can access that information instantaneously from across the state or across the country.
This means you don't have to rely on your memory to tell your doctor when your last tetanus shot was. It means that in a crisis, doctors in an emergency room can find out in seconds exactly what medicines an accident victim has been prescribed. And it means that when you change doctors or move cities, you can be sure that your doctors will know everything they need to know about you and your health history.
But the most powerful story I've heard explaining the need for electronic health records comes from the Hennepin County Medical Center, which I'm proud to say will be represented today by Kari Myrold, their privacy officer. HCMC was one of the first hospitals in Minnesota to develop an electronic health records system.
HCMC is actually just five or six blocks from where I live in Minneapolis. And as it turns out, HCMC is also just one mile from the I-35W bridge in Minneapolis, which collapsed in August 2007. And one month before that bridge collapsed, they had just completed a full implementation of electronic health records throughout the hospital. But that day in August, when the bridge collapsed, its policies still called for using paper records in the event of a major catastrophe.
So when the bridge collapsed and patients started coming in, staff used paper records - for the first two patients. After those first two, the doctors made the decision to switch to electronic health records. They found that it allowed them to call up patient charts and track patients throughout the hospital and in other systems far easier than paper records. When disaster struck, that decision to use electronic health records allowed the Hennepin County Medical Center to tend to those victims more quickly and more effectively.
Examples like this one quickly persuaded the medical community - and Congress - of the value of electronic health records. So in 2009, Congress wrote and passed bipartisan legislation called the HITECH Act to create financial incentives to get doctors and hospitals around the country to start using electronic health records. I'm proud to say that the Hennepin County Medical Center was one of the first hospitals in the nation to qualify for HITECH Act funds.
But we need to get all of the benefits of electronic health records while still protecting the extraordinarily sensitive information they contain. I believe all Americans have a fundamental right to know who has their personal information - and to control who gets that information and who it is shared with. I also think that our fundamental right to privacy includes the right to know that our sensitive information - wherever it is - is safe and secure.
And unfortunately, breach after breach of health data has shown us that when it comes to health information, our right to privacy is not being protected. On the evening of July 28, 2011, a laptop was stolen from the back seat of a consultant's car in the Seven Corners neighborhood of Minneapolis. That laptop contained the names, dates of birth, Social Security numbers, and medical information for approximately 14,000 patients of Fairview Health Services and the names and medical information for another 2,800 patients of the North Memorial Medical Center. Those hospitals had stipulated that the consultant was going to encrypt that data - but it wasn't encrypted. Sadly, that was the third incident in about a year where the health data of Minnesotans was put at risk as a result of a laptop theft. In fact, since the collection of breach records started in 2009, 91 laptops containing the health information of approximately 1.8 million people have been lost or stolen.
That's just a subset of a total of 364 major breaches since 2009 that resulted in the breach of the health data of over 18 million Americans. And this has been happening since far before 2009. In 2002, for example, the U.S. Veterans Administration Medical Center in Indianapolis sold or donated 139 computers without removing information on their hard drives that revealed the names of veterans who had been diagnosed with AIDS or mental illnesses. In 2001, the detailed psychological records of 62 children and teenagers were accidentally posted on the University of Montana website for eight days. The truth is that the same wonderful technology that has revolutionized patient health records has also created very real and very serious privacy challenges.
Now, this is not a new problem - and we're not the first lawmakers to call it to light. In the last 15 years, Congress has passed major, bipartisan legislation to protect health information privacy. In 1996, Congress passed the Health Insurance Portability and Accountability Act - commonly known as HIPAA. HIPAA set out how health care providers and insurers have to protect their health data. It also required that they get their patients' permission before disclosing that information to certain third parties. Yet although HIPAA made strides toward better protecting patients' privacy, it left some substantial gaps.
So in 2009, Congress passed the bipartisan HITECH Act as part of the Recovery Act. The HITECH Act extended many of the same privacy and security rules that apply to doctors and hospitals to their contractors. This was called the "business associate rule." The HITECH Act also required health care providers and health insurers to notify people affected by a breach. And it increased the civil and criminal penalties for violations of all of these rules. When Congress passed the HITECH Act, it sent a clear, bipartisan signal that it was time to get serious about health information privacy.
Unfortunately, all signs indicate that we're still not there, either in terms of the protections we have in place or the way we're implementing and enforcing them. A lot of the crucial protections of the HITECH Act have yet to be implemented. For example, HHS has yet to issue final, enforceable rules on a number of critical protections - like the business associate rule.
And while the Department of Health and Human Services and the Department of Justice have increased enforcement in the past one to two years, the overall record of enforcement is simply not satisfactory. Of the approximately 22,500 privacy complaints that HHS has received since 2003 that it had the authority to investigate, HHS has levied a formal fine, or Civil Monetary Penalty, in one case - just one. They've reached monetary settlement agreements in six other cases.
DOJ's record on this is similarly mixed. Since 2003, HHS has referred about 495 cases to DOJ for prosecution. But since then, DOJ has prosecuted just 16 criminal HIPAA cases. DOJ has reported to me that they have prosecuted some cases under statutes other than HIPAA - like identity theft and computer hacking statutes. But DOJ has no records or estimates of how many. It is hard for Congress to conduct oversight over DOJ without this data.
Now, I want to be clear. There are explanations for these facts and figures - and a lot of the responsibility lies on the shoulders of Congress. Congress perhaps should have instituted stronger reporting requirements on DOJ for enforcement. And HHS's low enforcement statistics are in large part the product of what I think is a wise Department-wide policy to work with companies to fix privacy problems - not just fine them.
But I think it's safe to say that we need to do more to protect this data. And that's what this hearing is all about - figuring out if we are doing everything we should be doing to enforce existing laws, and then figuring out if we need new laws and regulations to fill the gaps.
Before I turn to my friend the Ranking Member, I want to recognize that the work we're doing today continues the work that has been done for 15 years here in the Judiciary Committee under Chairman Leahy and of course, in the Health, Education, Labor and Pensions Committee under Chairman Harkin - and their predecessors, on both sides of the aisle. I sincerely believe that health information privacy is a bipartisan issue and a bipartisan cause, and one that will require a bipartisan solution. With that, I will turn to Senator Coburn, who as a watchdog of the federal government - and as a physician - will have a very valuable voice in today's hearing.