[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                  DATA PRIVACY AND PORTABILITY AT VA:
                   PROTECTING VETERANS' PERSONAL DATA

=======================================================================
                                 HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON TECHNOLOGY 
                             MODERNIZATION

                                 OF THE

                     COMMITTEE ON VETERANS' AFFAIRS

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                      WEDNESDAY, FEBRUARY 12, 2020

                               __________

                           Serial No. 116-56

                               __________

       Printed for the use of the Committee on Veterans' Affairs
       
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]       


                    Available via http://govinfo.gov
                    
                              __________

                                
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
48-994                     WASHINGTON : 2023                    
          
-----------------------------------------------------------------------------------                       
                   
                     COMMITTEE ON VETERANS' AFFAIRS

                   MARK TAKANO, California, Chairman

JULIA BROWNLEY, California           DAVID P. ROE, Tennessee, Ranking 
KATHLEEN M. RICE, New York               Member
CONOR LAMB, Pennsylvania, Vice-      GUS M. BILIRAKIS, Florida
    Chairman                         AUMUA AMATA COLEMAN RADEWAGEN, 
MIKE LEVIN, California                   American Samoa
MAX ROSE, New York                   MIKE BOST, Illinois
CHRIS PAPPAS, New Hampshire          NEAL P. DUNN, Florida
ELAINE G. LURIA, Virginia            JACK BERGMAN, Michigan
SUSIE LEE, Nevada                    JIM BANKS, Indiana
JOE CUNNINGHAM, South Carolina       ANDY BARR, Kentucky
GILBERT RAY CISNEROS, JR.,           DANIEL MEUSER, Pennsylvania
    California                       STEVE WATKINS, Kansas
COLLIN C. PETERSON, Minnesota        CHIP ROY, Texas
GREGORIO KILILI CAMACHO SABLAN,      W. GREGORY STEUBE, Florida
    Northern Mariana Islands
COLIN Z. ALLRED, Texas
LAUREN UNDERWOOD, Illinois
ANTHONY BRINDISI, New York

                 Ray Kelley, Democratic Staff Director
                 Jon Towers, Republican Staff Director

                SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION

                     SUSIE LEE, Nevada, Chairwoman

JULIA BROWNLEY, California           JIM BANKS, Indiana, Ranking Member
CONOR LAMB, Pennsylvania             STEVE WATKINS, Kansas
JOE CUNNINGHAM, South Carolina       CHIP ROY, Texas

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.
                         C  O  N  T  E  N  T  S

                              ----------                              

                      WEDNESDAY, FEBRUARY 12, 2020

                                                                   Page

                           OPENING STATEMENTS

Honorable Susie Lee, Chairwoman..................................     1
Honorable Jim Banks, Ranking Member..............................     3

                               WITNESSES

Mr. Paul Cunningham, Deputy Assistant Secretary and Chief 
  Information Security Officer (CISO), U.S. Department of 
  Veterans Affairs...............................................     5

        Accompanied by:

    Ms. Martha Orr, Deputy CIO for Quality, Performance and Risk, 
        Office of Information and Technology (OIT), U.S. 
        Department of Veterans Affairs

    Ms. LaShaunne G. David, Director for Privacy Service, Office 
        of Information Security, U.S. Department of Veterans 
        Affairs

Mr. Nick Culbertson, CEO and Co-Founder, Protenus................    17

Ms. Tina Olson Grande, Executive Vice President, Policy, 
  Healthcare Leadership Council..................................    19

Mr. Ramsey Sulayman, Associate Director, National Legislative 
  Service, Veterans of Foreign Wars..............................    20

Mr. Harold F. Wolf, III, President and Chief Executive Officer, 
  Healthcare Information and Management Systems Society (HIMSS)..    22

                                APPENDIX
                    Prepared Statements Of Witnesses

Mr. Paul Cunningham Prepared Statement...........................    33
Mr. Nick Culbertson Prepared Statement...........................    36
Ms. Tina Olson Grande Prepared Statement.........................    37
Mr. Ramsey Sulayman Prepared Statement...........................    48
Mr. Harold F. Wolf, III Prepared Statement.......................    50

 
                  DATA PRIVACY AND PORTABILITY AT VA:
                   PROTECTING VETERANS' PERSONAL DATA

                              ----------                              


                      WEDNESDAY, FEBRUARY 12, 2020

              U.S. House of Representatives
           Subcommittee on Technology Modernization
                             Committee on Veterans' Affairs
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:05 a.m., in 
room 210, House Visitors Center, Hon. Susie Lee [chairwoman of 
the subcommittee] presiding.
    Present: Representatives Lee, Cunningham, Banks, and 
Watkins.
    Also present: Representatives Takano and Roe.

           OPENING STATEMENT OF SUSIE LEE, CHAIRWOMAN

    Mrs. Lee. Good morning. This hearing will come to order.
    Before we get started, I want to say something briefly 
about the announcement by the VA earlier this week in delaying 
the go-live of the electronic health record project in Spokane, 
Washington. I have long said that getting it right is far more 
important than hitting a date on a calendar and, if there needs 
to be a delay to get the system to a place where veterans' 
lives are not at risk and the VA staff are ready to use it, 
then that is the right thing to do.
    However, I am concerned that, as we move closer to the go-
live date, we have been told repeatedly that there were no show 
stoppers in the implementation, that testing was going great, 
and things were on track. I get that in software development 
and testing conditions can change rapidly, but I require that 
the VA be as transparent and accountable for its actions. There 
are many questions that remain and the subcommittee needs 
answers in order to continue its oversight of the $16 billion 
project, especially as the President's budget proposes a 
speedup of the rollout.
    Therefore, the subcommittee will be scheduling a hearing on 
this topic in the coming weeks and will request to hear from 
decisionmakers at the VA, but now on to other aspects of VA's 
management of its technology portfolio.
    The Department of Veterans Affairs has long struggled with 
aging legacy IT systems and the need to invest in new and 
innovative technology is necessary if the VA is going to 
continue delivering quality health care and benefits to our 
Nation's veterans. However, implementing new technology is not 
simply a matter of buying new software or new tools, the VA 
must also ensure that its policies and business rules keep pace 
with the changing technology and, most importantly, ensure that 
veterans are confident in its ability to protect their highly 
sensitive information.
    I acknowledge that this is a difficult task, especially in 
the rapidly changing technology landscape. In the health care 
sector, the gray space in how we manage, use, and exchange data 
is growing more quickly than policymakers can keep up, but it 
is critical that we try. The VA is well situated to be a leader 
in this space. The electronic health record modernization 
initiative, coupled with this 4-year, $1 billion Department-
wide technology refresh, gives the VA the opportunity to set 
standards in rules from the outset. The requirements will not 
only benefit veterans, but might also serve as a nationwide 
example of balancing privacy with interoperability and big-data 
innovation with confidentiality.
    Health information and consumer data can be used to great 
benefit. VA's robust research and innovation programs have the 
potential to revolutionize care, reach more veterans, engage 
them in new spaces, and empower them with their own health 
care. Veterans can use their data to manage their care, find 
economic opportunity, and access the benefits they have earned; 
however, these advances are not without risk. The 
attractiveness of big data for monetary and marketing purposes 
is clear. In the first half of 2019, nearly 32 million health 
care records were breached and, as we examined at our hearing 
cybersecurity issues last October, that data is also attractive 
to bad actors that may seek to commit crimes or cause harms, as 
well as companies looking to monetize veterans' health 
information.
    We cannot assume that data is safe or secure, nor do we 
want to keep data static to avoid any risk. However, with the 
changing technology landscape, we need to be deliberate in our 
assessment and decisions about how data is used, who gets to 
access it, where that access occurs, and why.
    I want to hear from the VA about the process of vetting 
partners and vendors that participate in technology initiatives 
or develop apps. It seems to me that when the VA provides an 
app in its app store or promotes an app, a wearable device, or 
a medical technology, we expect the VA to assess the value of 
that technology or the benefit of that app and determine that 
the benefit to veterans outweighs the data security and privacy 
risk. I would like more information from the VA about this 
process and what it entails.
    However, there is another critical question. What 
protections exist or should exist in the space beyond the VA? 
If a veteran chooses to download health information from the VA 
and share it with a third party, may that third party use 
that--or sell that information for other purposes? What 
responsibility does the VA have?
    I am also concerned about the VA's increasingly widespread 
use of apps and potential risks to privacy that they pose. When 
a veteran downloads an app from the VA's app store, how much 
personal information does the VA receive, what is the process 
used to determine what is minimally required?
    In the lead-up to this hearing, the subcommittee has 
studied some of VA's apps. Many require significant elevated 
permissions and access to a user's data or device. For example, 
I have a chart behind me of apps and their permissions. Here we 
go. The Post Traumatic Stress Disorder (PTSD) Coach requires 
full network access, the ability to read all of your contacts 
and view any file on your phone. Concussion Coach allows access 
to a user's entire calendar. These permissions may be excessive 
and unnecessary invasion of a veteran's privacy, and may put 
the veteran at risk for identity theft.
    Why do these apps need access to location, a user's photos, 
calendars, contacts, and other information? Are these 
permissions necessary for its function? Does requiring 
excessive permissions lower the app usage rates and decrease 
their efficacy?
    In speaking with veterans and Veterans Service 
Organizations, I have heard repeatedly that transparency 
regarding data is a key concern. Here, we are also concerned 
about the VA's activity. The privacy policy for ACT Coach is 
988 words, it is right here in the blue, of legalese with 
clauses about incidental or consequential damages and a non-
exclusive license in consideration of your acceptance. Can we 
expect anyone to realistically read these and understand their 
terms?
    I would like this to be a conversation where we can assess 
the data landscape at the VA and in the larger health IT space, 
and understand where protections exist or do not exist, and 
whether we need more guardrails on that data highway. We need 
to understand if the VA is doing enough to protect veterans' 
privacy or if more needs to be done. Most importantly, we need 
to ensure that future decisions on strengthening, keeping, or 
perhaps even loosening privacy rules are made in an educated 
manner with input from all stakeholders.
    Today, we have two panels, one with VA officials, who are 
here now, and another with experts from health informatics, 
technology startup, and Veterans Service Organizations space. I 
look forward to engaging on these important topics and I thank 
all of the witnesses for being here.
    I would now like to recognize my colleague Ranking Member 
Banks to deliver any opening remarks he has.

         OPENING STATEMENT OF JIM BANKS, RANKING MEMBER

    Mr. Banks. Thank you, Madam Chair.
    First of all, I want to thank all of our witnesses on both 
panels for joining us here today. This is a distinguished group 
of VA and private sector privacy experts.
    On the other hand, I have to say that I am extremely 
disappointed that there is no VA witness here today to discuss 
electronic health record modernization, especially in light of 
the Department's recent decision to take more time to prepare 
for the implementation in Spokane. Dr. Roe, Mr. Watkins, and 
Mr. Roy and I felt strongly that the Office of EHR 
Modernization should be represented here today and we requested 
a minority witness, which the VA did not provide.
    I wholeheartedly, though, support Secretary Wilkie's 
decision to delay. I said in our previous hearing that I was 
cautiously optimistic that a March 28 go-live was still 
achievable, but developments to the contrary over the last 
several months are undeniable. I am glad, though, that we will 
have an opportunity to question VA very soon about how exactly 
the additional time will be used to make the implementation 
more effective.
    Turning to this morning's topic, there was a time when VA 
was a closed system that could exercise complete control of 
veterans' personal and health data; even then, privacy breaches 
happened. Many of us remember 2007 when a laptop and external 
hard drive containing 26 million veterans' records were stolen 
from a VA employee's home. Even though the records were 
eventually recovered untouched, the incident led to then 
Secretary Nicholson's resignation.
    Today, small-scale privacy breaches are common in VA, as 
elsewhere. They are usually attributed to email phishing scams 
and careless document handling at individual medical centers. 
However, VA has not been a closed system for many years. As in 
sophisticated private sector health systems, personally 
identifiable information and protected health information are 
increasingly stored in the cloud and provided to external apps.
    I want to say up front that I believe the Health Insurance 
Portability and Accountability Act (HIPAA) privacy rules need 
an update and I am glad to see the Department of Health and 
Human Services soliciting comments on how best to do it. When 
the privacy rule was written 20 years ago, there were far fewer 
entities accessing protected health information. There was a 
good reason to allow insurance companies and claims processors 
to access patient's data without written authorization every 
single time; there is no way our health system could function 
otherwise.
    Today some of HIPAA's permitted purposes to access 
patient's records when applied in new context may become 
loopholes. A health care provider's business associate 
agreements with its partners stipulate how patient data will be 
used, but patients rarely have any idea what those agreements 
say. Similarly, health care providers' notices of their privacy 
practices are often vague.
    The health technology landscape is evolving quickly. Mobile 
apps have already taken over the software marketplace and in a 
few years most health records will be stored in the cloud as 
well. It would be foolish to resist change and try to return to 
an earlier technology environment when fewer entities handle 
protected health information, privacy safeguards have to evolve 
as well.
    As we discussed in our cybersecurity hearing in November, 
the health care sector has become a hacking target somewhat 
later than other parts of the economy. Unfortunately, for most 
Americans personally identifiable information and often their 
financial information has been exposed in a list of data 
breaches that are too numerous to name.
    Earlier this week, Attorney General Barr unveiled criminal 
charges against the perpetrators of the Equifax hack of 145 
million Americans' personal information. Unsurprisingly, they 
were members of the People's Liberation Army. It would be naive 
to think that China and other nation-State cyber criminals are 
not already targeting protected health information. Protections 
for health information must remain strong in the realm of 
cybersecurity as well as privacy. They can never be allowed to 
deteriorate as protections for personally identifiable 
information clearly have into a State of widespread 
vulnerability.
    The question before us is whether VA has a unique role in 
protecting health information apart from HIPAA and other laws 
governing the entire health care sector, and apart from Health 
and Human Services (HHS). Without a doubt, VA must make smart 
strategic decisions with respect to its technology partners; 
however, I am skeptical that VA can or should drive the 
regulatory environment unilaterally. I look forward to 
exploring those issues with our witnesses here today.
    With that, Madam Chair, I yield back.
    Mrs. Lee. Thank you, Mr. Banks.
    I will now introduce the witnesses we have on our first 
panel. Paul Cunningham is the Deputy Assistant Secretary, 
Information Security, Chief Information Security Officer and 
Chief Privacy Officer at the Department of Veterans Affairs.
    Mr. Cunningham is accompanied by Martha Orr, Deputy CIO for 
Quality, Performance and Risk, Office of Information and 
Technology, and LaShaunne David, Director for Privacy Service, 
the Office of Information Security.
    We will now hear the prepared statements from our panel 
members. Your written statements in full will be included in 
the hearing record, without objection.
    Mr. Cunningham, you are now recognized for 5 minutes.

                  STATEMENT OF PAUL CUNNINGHAM

    Mr. Cunningham. Good morning, Madam Chair Lee, Ranking 
Member Banks, and distinguished members of the subcommittee. 
Thank you for the opportunity to speak to you today about the 
Department of Veterans Affairs' mission to protect personal 
sensitive information of our Nation's veterans. As the VA Chief 
Information Security Officer and Chief Privacy Officer, I am 
pleased to represent the Department here today. I am here with 
my colleagues, Ms. Martha Orr, Deputy Chief Information Officer 
for the Office of Quality, Performance and Risk, or QPR, and 
Ms. LaShaunne David, Director of VA Privacy Service.
    First, I would like to thank the subcommittee for its 
continued support of VA and commitment to veterans. Because of 
your cooperation and commitment, veterans can continue to trust 
VA to protect and serve their interests. As the Chief Privacy 
Officer, I lead VA's efforts to secure and protect veterans' 
personal information.
    As a veteran, I have seen the value and impact VA has on so 
many that faithfully served. We can only provide that value 
through trust. That is why I am personally vested in protecting 
veterans' information from exploitation and misuse.
    Secretary Robert Wilkie is committed to promoting 
innovation, transformation, and technology to enhance the 
veteran experience. However, large organizations like VA face 
challenges as they modernize their IT environments. With new 
technologies come new risks. VA's privacy program must adapt 
and remain vigilant protectors of veterans' information as an 
environment of greater and faster access to data emerges.
    In the course of accessing VA benefits and services, 
veterans voluntarily share their personal information to the 
Department. To protect this data, VA establishes acceptable use 
policies, implements security controls, and proposes 
consequences for any violation of policy or agreement. We 
follow strict rules governing how the Department creates, 
stores, transfers, and destroys sensitive data. QPR's 
Enterprise Record Service oversees these activities and Office 
of Information Services (OIS) VA Privacy Service helps 
safeguard that data by partnering with QPR to conduct privacy 
risk assessments, compliance monitoring of systems that contain 
personally identifiable information and protected health 
information.
    The Department also implements a role-based access control 
system, which means that it only grants access to those who 
need the information to perform essential job duties or provide 
benefits or services. Each system is closely evaluated, 
equipped with appropriate access controls, and monitored for 
abnormal activity. When data is improperly accessed, VA takes 
appropriate action to limit further compromise and determine 
the root cause of the incident. If it is determined that human 
error or improper behavior is a causal factor, VA will take 
additional actions, including remedial training or revoking 
access to the user.
    VA is expanding access to information for veterans, 
especially through new digital technologies and platforms. 
However, ease of access should not mean less privacy or 
confidentiality. VA only collects information when necessary to 
provide care and services. VA will never sell or share 
veterans' information, and will only disclose information with 
veterans' consent or as authorized by law. Violations of these 
policies will result in consequences from possible dismissal to 
criminal charges.
    VA closely guards veterans' information; however, we often 
must share data with our third party partners to provide 
exceptional health care and benefits. In these cases, VA 
stipulates the term for acceptable use of VA systems and any 
veteran's information. Our partners must meet these 
requirements and protect our data as closely as we do.
    As with any organization that handles sensitive 
information, there is always risk. This risk can be reduced 
through effective policies, training, and technical controls; 
however, these safeguards will not fully prevent an incident 
from occurring, especially when humans are involved. Should an 
incident occur, VA will respond to and determine the severity 
of the incident, and be transparent and forthcoming in 
reporting to Congress. Together, these policies and activities 
ensure that veterans' information is kept safe on every 
platform, in every system, and even when shared. With this 
strategy in place, VA is making sure veterans' information 
remains safe and secure, which is an important part of the 
exceptional service that veterans so rightly earned.
    Madam Chair, Ranking Member, and members of the 
subcommittee, thank you again for this opportunity. I am ready 
to answer your questions.

    [The Prepared Statement Of Paul Cunningham Appears In The 
Appendix]

    Mrs. Lee. Thank you, Mr. Cunningham. I will now recognize 
myself for 5 minutes for questions.
    Just getting off to a start with some background 
information. Who owns the veterans' data, Mr. Cunningham?
    Mr. Cunningham. Veterans own the veterans' data. VA is 
charged with protecting that data in performance of providing 
the benefits and services under our mission.
    Mrs. Lee. Does the VA treat health data differently than 
benefit or vocational data?
    Mr. Cunningham. Yes, we do. Personal identifiable 
information, PII, is protected under the Privacy Act; however, 
when it comes to medical records or health information, it 
falls under HIPAA.
    Mrs. Lee. Is there a difference between ownership and 
stewardship of data, and what is that difference?
    Mr. Cunningham. There is a difference. The difference 
resides in, at the end of the day, the veteran can decide who 
has access to that data. For instance, they turn their records 
over to VA to be custodians, and they also trust that VA is 
looking out for their interests in deciding who has further 
access under the laws and regulations.
    However, a veteran can provide consent to other third 
parties outside of VA's purview to gain access to their 
information, in some cases--in those cases we have no real 
authority or control over that.
    Mrs. Lee. Do you have concerns about that? I mean, are 
there areas along here where you are looking at what the VA can 
do to make sure that veterans really understand what that 
means?
    Mr. Cunningham. Certainly that is a challenge that we are 
concerned about. At the end, veterans do not work for VA, it is 
hard to impose regulations or requirements for them for annual 
training. We send out notifications or in our fliers, we give 
pamphlets, when they are visiting our sites and waiting for 
appointments, there are public announcements that talk about 
how to protect your data or how you should be concerned. It is 
difficult, as across the industry or across the United States, 
to make sure that people really understand, when they click an 
app and accept that app, do they fully understand the full 
access that they have and how that information is going to be 
used downstream.
    Mrs. Lee. What are the requirements for outside parties to 
access VA data?
    Mr. Cunningham. For third parties that are accessing VA 
data, they must meet the same standard as a VA system. As they 
connect to our networks, they also get scanned and checked.
    Mrs. Lee. I sent a letter to the VA on January 7th, 2020, 
asking about the VA's knowledge of the Ascension Health 
Partnership with Google and about how the VA oversees its 
community care provider, their third party data sharing. When 
can I expect a response to that letter?
    Mr. Cunningham. I will ask our congressional liaison to 
follow up on that.
    Mrs. Lee. Okay. Ms. Orr, what role does the VA have when a 
third party, whether it is a medical device, community 
partnership, Veteran Service Organization (VSO), enters the 
veteran health care space?
    Ms. Orr. The role that the VA would have I think goes back 
to your question about custodian and doing what we can if the 
data is in our purview to protect it.
    Mrs. Lee. Back to you, Mr. Cunningham, what are the VA's 
policies regarding the monetization of veterans' data by third 
party partners?
    Mr. Cunningham. The Department's position is it is not to 
be sold. Third party access through our networks, they have to 
agree to those standards. As through--there are also any sort 
of contracts that apply or any sort of contractors applying to 
our networks or using our networks' data, they have to agree to 
acceptable use, which includes not selling that information.
    Mrs. Lee. Does the VA have the capability, technical, 
organizational capability to monitor compliance with these 
restrictions, and have there been any examples where there has 
been a violation of that contractual agreement?
    Mr. Cunningham. I am not aware of any instance where we 
have been informed that a third party has taken VA-managed data 
and sold it. In cases where--I mean, we certainly review the 
records and the performance of a contract, as it is required in 
the contract law in Federal Acquisition Regulations System 
(FARS), and if there is an issue, it is identified and 
appropriate action is taken. Again, I am not aware of any case 
where an approved third party has sold VA's information.
    Mrs. Lee. You do have the ability and the technical 
capability and the organizational capability to monitor this 
performance for such breaches?
    Mr. Cunningham. Outside the----
    Mrs. Lee. Or are you being informed by a veteran who has 
been--like, how do you find out if that has happened?
    Mr. Cunningham. Well, certainly, if a third party was doing 
it outside of the contract or in a lot of cases these third 
parties are health care corporations that understand the value 
of protecting that data, but if that is occurring, they are not 
informing us and we are not policing their networks. With that 
said, if a case does come forward where an individual says 
their information was sold from a third party that is endorsed 
by the Veterans Department of Veterans Affairs, I would say 
that we will take swift action to investigate it and take 
appropriate actions accordingly.
    Mrs. Lee. Thank you. I am over time. I now yield to Mr. 
Banks.
    Mr. Banks. Thank you, Madam Chair.
    Mr. Cunningham, I want to return to an issue from our 
cybersecurity hearing last year. I asked you then whether the 
VA had ever purchased equipment from a list of Chinese 
technology companies and you took those questions back for the 
record. The VA provided answers from those questions just last 
week that, based on searches of the Federal Procurement Data 
System, the FPDS, there were a few contracts for equipment from 
Chinese companies that are now prohibited. I want to know more 
about those circumstances and that discussion should probably 
happen between us in private at some point soon.
    I have to say that the VA's answer gives me absolutely no 
confidence. FPDS is a public data base that contains at best a 
scant amount of details about what was actually purchased. If 
the VA is relying on FPDS to know whether blacklisted Chinese 
IT equipment was bought, I do not believe anyone in the 
Department knows what is really going on.
    Mr. Cunningham, my question is, is there a more 
authoritative record or is FPDS truly what you are relying on?
    Mr. Cunningham. I stand behind the response that we 
provided to you. I will be glad to have another opportunity to 
come talk to you specifically about how we manage our assets 
and in particular these blacklisted companies.
    As far as the response, we stand beside that as being the 
best way for us to provide the definitive answer to you.
    Mr. Banks. Okay, that is good to hear, but can you tell me 
more about why did the VA's official response cite FPDS and no 
other sources of information?
    Mr. Cunningham. Well, again, we were answering the question 
that you asked, was there purchase of blacklisted companies 
inside VA. We used the source that was most relevant to us and 
we feel we answered that question completely. Again, I would be 
glad to come back and talk more in depth about our processes of 
asset acquisitions, as well as how we manage our assets.
    Mr. Banks. Okay. Section 889 of the Fiscal Year 2019 
National Defense Authorization Act (NDAA) is coming into force 
in August. I strongly supported it in the Armed Services 
Committee, which I am a member of as well. As I am sure you 
know, it stops Federal agencies from contracting with any 
entity that uses blacklisted telecom equipment or services. Is 
the VA prepared to comply with that law?
    Mr. Cunningham. Yes, we are.
    Mr. Banks. How does the VA know whether a company is using 
blacklisted equipment or services? Now, I want to point out 
that the law applies to existing contracts as well as contracts 
in the future.
    Mr. Cunningham. It will take some time to go back through 
our contracts and work with our third parties to identify where 
this has occurred. Like you, I believe that there is probably 
equipment being used by our third parties because it was not 
restricted at the time they purchased it for use. We need to 
make sure that in contract language it is prohibited and it is 
removed if it is on our contracts.
    Mr. Banks. The HIPAA privacy rule was written before mobile 
apps and Application Programming Interfaces (APIs) existed. Do 
you think the HIPAA privacy rule is sufficient to stop 
technology companies from monetizing protected health 
information?
    Mr. Cunningham. There is not a clear statement in HIPAA 
regarding that. I think there is opportunity for us to expand 
on HIPAA laws to include how electronic records are managed, 
stored, and then downstream support from third parties or 
subcontractors.
    Mr. Banks. Does the VA individually or specifically have 
any role in stopping technology companies from monetizing 
veterans' health records--health care data?
    Mr. Cunningham. In contracts--and we kind of talked about 
this before--in order for them to access our networks, they 
have to meet the same agreements and standards that VA has, and 
that VA's policy is not to sell or share information outside of 
the roles that they are designed to do. In that case, if you 
are talking do we have the technology to monitor third parties, 
we do not, it is outside that contract. If they do it, we can 
definitely look at doing a review and figuring out how we are 
going to remediate that, whether it is remove them from 
contract or hold them liable for losses.
    Mr. Banks. Okay. With that, I yield back.
    Mrs. Lee. Thank you, Mr. Banks.
    I now recognize Mr. Roe for 5 minutes.
    Mr. Roe. Thank you, Madam Chair.
    Data privacy is an important issue in the VA and, as the 
ranking member mentioned, especially with the data breach with 
Equifax. Obviously, it became clear to most Americans it was a 
huge problem, and it is a problem throughout the entire health 
care and private sector. I am glad we are able to have this 
discussion, I have learned a lot already. However, I repeatedly 
asked that today's hearing be focused at least on part the 
electronic health record modernization and include a witness 
from that office. I am encouraged and I appreciate, the chair 
and I discussed before the hearing started, that they are now 
going to have a meeting, we are going to have a meeting very 
soon, and I appreciate that.
    Bill and I were in Seattle and Madigan recently, and then 
been to Spokane twice to see the rollout and there are issues 
there, which we will discuss later. Ranking Member Walz, my 
friend Ranking Member Walz, now Governor Walz, and I created 
this subcommittee with the intent of overseeing the EHR to be 
the core of its responsibility. I now recognize that parties 
can change along with the events, but even before Secretary 
Wilkie communicated his decision to delay the Cerner 
implementation in Spokane, this was already a pivotal month in 
that project. One of the delays that DOD incurred was security, 
that held up the DOD rollout. I expected us to be here either 
questioning VA about the Cerner deployment and what it was 
going to look like on March 28th or about what the delay would 
entail.
    I firmly believe Secretary Wilkie's decision to delay was 
the right call. I also believe strongly that the committee now 
needs to ramp up, not ramp down, its oversight of the project, 
and I look forward to that hearing, Madam Chair.
    I am going to go over several things quickly. I was just 
looking, I appreciate the chair's putting up on the whiteboard 
here, this is disturbing to me. When you look at the app here, 
the PTSD Coach, and I punch an ``Allow,'' well, what I allow to 
happen when I punch the PTSD Coach, which I may not know, is 
access to my contacts in my phone and ``Other,'' whatever that 
is, my storage, and along with the Concussion Coach. I give my 
calendar up, my contacts, photos, media files, microphone, I 
mean, on and on. The PTSD Coach has access to the mike on this. 
I find that very disturbing, because you might inadvertently 
hit that and not know. This disclaimer, obviously written by a 
horde of attorneys, nobody reads.
    I think we have got to simplify this. Certainly I think a 
lot of people, including me, could make a mistake and access to 
your entire phone could be here and it could be your financial 
information, other information on here. I think we have to be 
very, very careful with that and revise. I can not imagine why 
the PTSD Coach needs access to my microphone or my contacts or 
my schedule. Anyway, that said, I think we need to rethink that 
out.
    Mr. Cunningham, the VA sent out a notice of privacy 
practices, which I have here, in September, and it caused a lot 
of confusion with the veterans. I got a call when--Bill was 
pointing out when we were in Seattle about this--from a 
constituent--and I am sure many of my colleagues did too--
apparently the notice was written in a confusing way. It seemed 
to conflate VA's longstanding privacy practices under HIPAA 
with a change made by the MISSION Act that allows information 
about drug and alcohol use, HIV, sickle cell anemia to be 
shared with community care providers unless a veteran opts out. 
Can you explain what the VA meant with that?
    Mr. Cunningham. So----
    Mr. Roe. Here it is. It is a lengthy, front-and-back, 
eight-page--I just read it just a minute ago, a good bit of it 
on here, so I could see why a veteran was confused when they 
got this.
    Mr. Cunningham. It is certainly not the intent to confuse 
veterans; it is the intent to inform veterans. I am sure it has 
gone through numerous reviews for readability and, if we missed 
the mark on that, we can go back and find another way as well 
to relay what we are trying to convey.
    Mr. Roe. I guess probably a lot of people, Mr. Cunningham, 
why did I get this? I think, you know, and then when they read 
it, they thought, well--I mean, if you read on here, it is 
about your organ transplant, health care oversight, coroner, 
funeral services, national security workers, I mean, on and on. 
I guess a veteran would be asking, what in the world did I get 
this for?
    Mr. Cunningham. Well, I think it is important that, you 
know, for the MISSION Act, it opened up new avenues for the 
veteran, and we were trying to inform them on what that new 
avenues means and what information we were sharing in support 
of those new avenues and new capabilities. In so, if we 
confused them, you know, my sincere apologies. I am glad to 
take it back and see if there is a better way for us to convey 
when we go and add new capabilities, new benefits, and share 
information with new venues, that we make sure that the 
veterans understand what we are doing on their behalf.
    Mr. Roe. Yes, my time has expired. I think we just sort of 
overwhelmed them with too much information.
    I yield back.
    Mrs. Lee. Thank you, Mr. Roe.
    Mr. Cunningham, along this point with respect to the 
notification for veterans, you made the statement that veterans 
are not employees of the VA, so you do not have control. 
However, I do think that there is a trust relationship that 
veterans understand that, if there is something being promoted 
or endorsed or, you know, endorsed by the VA, that there is a 
trust relationship there.
    I do think that there is a higher level of accountability 
and responsibility to making sure that veterans understand in a 
clear, concise, easily understandable way. And what we are 
seeing again and again is it seems that we are getting caught 
up in all the legalese without this clear--you know, like I 
would expect that if you download an app and you are about to 
release all of your contact information that there is like a 
clear warning, you understand what you are doing here. I hope 
that we can look at that moving forward, because what is 
happening right now, we are hearing from our veterans in the 
field that there is, you know, ultimately a lack of trust, 
especially when it comes to this incredibly sensitive 
information.
    Ms. Orr, I wanted to ask you, before--does the VA--and this 
goes back to the apps, primarily because when a veteran 
downloads their data into a third party app, HIPAA no longer 
applies, and so I want to know, does the VA vet apps before 
recommending them or putting them on the app store?
    Mr. Cunningham. I would like to take a first glance at 
this. VA apps that are--apps that are on the VA store have been 
reviewed by VA. We see them as a value to the veteran and we 
look to make sure that they are meeting our acceptable use 
policy. In most cases, they are attaching to an API, that means 
that they are getting information from VA as part of that 
service to the veteran through that application.
    I will ask Ms. Orr----
    Mrs. Lee. What are the criteria for that app to pass this 
vetting process?
    Mr. Cunningham. Well, we are looking at where is the 
benefit for the veteran. Again, is it accessing our networks 
and does it meet those standards that we briefly talked about 
earlier? Then what is the intent of the company in providing 
that act. If they are selling that information, obviously, we 
would not endorse that sort of application.
    We do want veterans to look at those applications and know 
that VA is supporting those applications and reviewing them to 
get on that app.
    Mrs. Lee. Are there any requirements in terms of the app 
security, you know, including access to the VA-controlled data? 
Like, what are the criteria for that?
    Mr. Cunningham. VA-controlled data--and we would probably 
have to look at each app as it goes through, and we can come 
back and give you a more detailed decision process tree on 
apps, but in general we are looking to make sure that, if they 
are accessing personal information, personal identifiable 
information, or PHI, that they meet the same standards that we 
have, that they have to be protected and they have to agree to 
that standard in order to access the API.
    As far as non-PII-related applications--for instance, there 
might be an application that says where is the closest hospital 
and we want to make sure that veterans clinics and hospitals 
are on that application and it is out for the public, that in 
itself is not reviewed that close, but we see the value of it 
for the veteran and we would hope that they would look at that 
as a service that we are providing them.
    Mrs. Lee. Okay. Well, we will look forward to having some 
more information along those lines.
    I just wanted to ask, so given what we have heard today and 
your processes, are there any areas of concern? Are there any 
areas--how can we be helpful? What can we do to help the VA to 
make sure that veterans' data is secure?
    Mr. Cunningham. At this time, I do not think we are asking 
for any specific legislation or resources. You know, patience 
as we are trying to solve this bigger problem around this 
greater access of data. I thought this morning's comments were 
on mark and described the challenges that we have in this 
environment, especially as they relate to how do we make the 
risk-based decision. If we go strictly by compliance and if 
zero tolerance is what we are going for, we are going to miss 
out on a lot of opportunity that technology brings and even 
life improvement opportunities if we are not being able to 
share information with our third parties that are trusted, to 
the extent that we are trying to bring better value, better 
customer experience to the veteran, and that also includes 
security and privacy in that risk decision.
    Mrs. Lee. Thank you.
    I would now like to recognize Mr. Banks for 5 minutes.
    Mr. Banks. Thank you, Madam Chair. I will be quick.
    Mr. Cunningham, I want to read you part of the VA's terms 
of services for its API platform. Quote, ``When records 
regarding an individual are obtained through a VA API, you may 
not expose that content to other individual or third parties 
without specific explicit consent from the individual or his or 
her authorized representative, or as permitted by applicable 
law,'' end quote.
    Mr. Cunningham, is consent from the veteran always required 
or only required when there is not a law permitting the 
disclosure?
    Mr. Cunningham. If it is in line with what--for the APIs, 
it would be that they would have to consent to that data, 
unless it is provided by veterans--or Veterans Affairs, in 
regards that we have contracted with a third party to provide a 
specific app for Veterans Affairs.
    If it is a VA-built application, then we would not ask 
necessarily in every case that the veteran would have to click 
to it. However, if it is outside of our management, it would 
require the veteran to approve it.
    Mr. Banks. What exactly does a third party mean here and is 
it non-VA software? How about another API?
    Mr. Cunningham. If you are building an application and you 
are wanting to get data from an information source, in this 
case the one that VA actually owns, you are going to be 
accessing an API, and I would have to bring some of our more 
experienced API developers in here to talk to you about that 
exchange. In principle of that, before they can connect, they 
have to get approval between the VA and that third party that 
is requesting information, and in that case third parties can 
be a separate organization outside of VA's purview.
    Mr. Banks. It sounds like VA's partner that is using the 
API is responsible for getting the consent from the veteran. 
What role does the VA have in making sure that happens 
correctly?
    Mr. Cunningham. If it is on our application, our app store, 
we do verify that they are asking it. We do test and walk 
through it as if we are a veteran to ensure that it is there. 
Other than that, if a third party is providing an app to a 
veteran and it is outside of VA's purview, we have no real 
control of validating whether they are asking for that consent 
or how they use that information in agreement with that 
veteran.
    Mr. Banks. Okay, that is all I got. I yield back.
    Mrs. Lee. Thank you.
    I now recognize the chairman of the committee, Mr. Takano.
    Mr. Takano. Thank you, Chairwoman Lee.
    Mr. Cunningham, welcome. I recognize you are from the 
Office of OIT, but since you are the one from VA before us 
today, I would like to echo what Chairwoman Lee said earlier 
about the VA needing to be more transparent with us. It is very 
important that as we continue to move forward through the 
integration process that VA is as transparent as--you know, not 
just as possible, just plain transparent.
    Here is the thing. I was told last week by Secretary Wilkie 
that everything was on track with the electronic health record 
modernization rollout, but yet on Monday I am told that the go-
live was going to be postponed with no definitive time line 
about how long it will be delayed.
    You know, just with that as a sort of preface, what does VA 
need to get things back on track; is there anything that you 
need?
    Mr. Cunningham. As far as EHRM and Cerner, that is outside 
of my purview. From my understanding that we have what we need. 
We are partnered with DOD, we are sharing information, and the 
decision to delay was more a tactical one and not necessarily a 
resource-limiting issue.
    Mr. Takano. Okay. I realize that you are not the point 
here, but if you could take back to the Department, I want to 
know when you and others were first made aware that the EHRM 
go-live would be delayed. Just, you know, you do not have to 
answer that--if you know now, please, you yourself can answer 
that question, but I just want to know when this became 
apparent, because last week the Secretary himself said this was 
all moving forward and did not anticipate any issues. Go ahead.
    Mr. Cunningham. I will be glad to take that back. 
Personally, myself, I was aware of it yesterday.
    Mr. Takano. You became aware of it yesterday?
    Mr. Cunningham. That is correct.
    Mr. Takano. Okay. All right, thank you.
    Madam Chair, I yield back.
    Mrs. Lee. Thank you.
    I now recognize Mr. Watkins for 5 minutes.
    Mr. Watkins. Thank you, Madam Chair.
    Mr. Cunningham, I want to ask about VA's partnership with 
Apple Health. My understanding is that iPhones have memory 
chips that are physically separate for different kinds of 
information, how does that work in practice and what 
cybersecurity protections does that provide?
    Mr. Cunningham. I am not an Apple engineer and I think that 
might be outside my scope of experience. I would say that on 
premise, on theory, having a separate chip that manages data 
from the Apple applications themselves is wise in design.
    Mr. Watkins. Apple says it does not control any of its 
user's data that it transmits on its iPhone. When the company 
says that, it seems to be referring to third party apps. In 
other words, the iPhone is just a vessel for other apps, but 
Apple Health is actually one of the few apps that the company 
directly owns.
    What privacy protections specific to the VA are in place 
when veterans access VA medical records on Apple Health?
    Mr. Cunningham. For Apple Health, like any other third 
party that is accessing veterans' information, would have to 
meet the same standards for privacy and HIPAA.
    Mr. Watkins. Your testimony discusses a privacy threshold 
analysis, which is a tool the VA uses to ID privacy issues in 
new IT systems or projects. Can you explain what this is, how 
it works, and give some examples of privacy issues that you 
have identified in the past and how you have resolved them?
    Mr. Cunningham. National Institute of Standards and 
Technology (NIST) has a set of controls as it relates to 
privacy, as well as cybersecurity. Those controls are part of 
the system development and their system security plans. They 
are assessed in development, as well as in operations, and 
provided to the authorizing official to make a determination on 
whether the system meets the standards and what are the 
associated risks if not meeting the standards through either 
mitigating controls or possible POA&Ms or plan of actions, 
milestones to resolve them.
    How it works and some additional information, I will ask 
Ms. David if she would like to answer that.
    Ms. David. Sure, yes. The privacy threshold analysis is 
actually the vehicle for assessing systems, programs, 
operations for privacy impacts. It is a templated document that 
goes through the life cycle of the effort itself and discusses, 
for example, privacy risk, those risk mitigations, any other 
connected systems. Basically, any and everything having to do 
with point-in-time activity and then as the effort develops.
    It is a living document that gets revisited throughout the 
life cycle of the effort, and it also takes into consideration 
records, records retention, uses, and things of that such.
    Mr. Watkins. Understood, Ms. David. What are your specific 
privacy concerns?
    Ms. David. Generally, the privacy concerns would be how 
information is being shared. Is it being shared in accordance 
with routine uses, which are outlined in, for example, a system 
of record notice. The privacy concerns would also be how the 
information, based on its level of sensitivity, how it is being 
protected so that the protections are commensurate with the 
sensitivity of the information. Then also how information is 
handled in, for example, the incidence of a potential breach. 
We talk about that, as well.
    Mr. Watkins. Thank you. Thanks to the panel. I yield back.
    Mrs. Lee. Thank you. I now recognize Mr. Roe for 5 minutes.
    Mr. Roe. Thank you. Just to show you some of the confusion. 
Very quickly, Mr. Cunningham, I was reading, ``When we offer 
you the opportunity to decline the use or disclosure of your 
health information, patient directories, unless you opt out of 
the VA Medical Center patient directory when being admitted to 
a VA healthcare facility, we may list your general condition, 
religious affiliation, and the location of where you are 
receiving care. This information may be disclosed to people who 
ask for you by name. Your religious affiliation will only be 
disclosed to members of the clergy who ask for you by name.
    ``Note. If you do object to being listed in the patient 
directory, no information will be given out about you unless 
there is other legal authority. This means your family and 
friends will not be able to find what room you are in while you 
are in the hospital. It also means you will not be able to 
receive flowers or mail, including Federal benefits checks, 
while you are an in-patient in the hospital or nursing home. 
All flowers and mail will be returned to the sender.''
    That means if somebody thinks they are not going to get 
paid, they are always going to opt in. I think those are the 
kind of things I think that cause some confusion with veterans.
    My suggestion is, Madam Chair, do not opt into anything. 
That would be my--after listening to this. Maybe go back to 
carrier pigeons, because you do not have any privacy anymore. 
There is no such thing as privacy. As a physician, I got, this 
is years ago, because of access insurance companies had to very 
sensitive information, I would sometimes even limit what I put 
in a medical record, because I was afraid even then, before the 
access to hackers and all that people have. With these opt-ins, 
you have just opened the book on your life. I mean, as an OBGYN 
doctor, I got told some very private things, which I just had 
to leave between my ears because I was concerned with the 
privacy. That leads to my question.
    How does the VA decide which technology company it will 
collaborate with? Are there particular companies that the VA 
would be uncomfortable with? Or what specific privacy practices 
do the Department consider a red flag, because we know that the 
Chinese--we know this. The People's Liberation Army (PLA) is 
always looking for a back door into somewhere, which may lead 
to someplace else. How do you guys make that decision?
    Mr. Cunningham. Well, I think, one, we have to balance the 
availability and access. I mean, certainly, there is many 
veterans that benefit from the applications and the APIs that 
are being provided today.
    Mr. Roe. Yes.
    Mr. Cunningham. Quicker information. How we figure out who 
we work with, we do not have a black list of companies. We do 
not pick winners and losers in the market. We have an API that 
provides information when it is requested in the proper 
protocol. In there, we are verifying that the proper protocol 
is there. Obviously, if there is a known--I do not think there 
is a litmus test for what organizations are in or out. 
Certainly, we can talk a little bit more and go back for the 
record and provide more detail on what is the decision tree 
that we use in connecting with APIs. I hope that answers your 
question.
    Mr. Roe. Yes. I think, obviously, they have to bring a lot 
of advantages to people. I use them. We all do, that you can 
find a restaurant, or gas, whatever you may be using it for. I 
got that.
    The question is that is an advantage. I look at a risk/
benefit ratio. What are the risks you take? How can this 
information--I think both the chair and the ranking member have 
asked this question. How is this information shared? Is it 
accessible? How can it be used? Is it sold? I mean, when you 
purchase something on Amazon, I like to backpack. Well, I will 
have four tents on here today that Amazon is trying to sell me.
    Those are questions that I guess we as a society need to 
answer. Is VA protecting it, and really looking at who you 
partner with?
    Mr. Cunningham. We are looking at who we partner with. We 
look at who has connections to our APIs. What do they plan on 
using that information for? They have to sign acceptable use 
agreement. We police--when we find out that there is 
information that is being wrongly used, we police 
appropriately.
    With that said, what information are we talking about? If 
we are talking about health care information, obviously there 
is a higher standard of security that goes along with it. If 
you are talking about access to files, pictures, calendars on 
your phone, most users probably have, I am just estimating, 
probably 30 or 40 applications on their phone at any given 
time. They also carry two phones. How many of those 
applications are also providing that same sort of data and 
access to the information that they reside on their phone.
    Mr. Roe. My time is up. I did not say we were smart. I am 
just saying----
    Mr. Cunningham. Thank you.
    Mr. Roe. I yield back.
    Mrs. Lee. Thank you. Thank you. I just want to thank all of 
the witnesses for being here today. I would now like to--you 
are excused and I will call up the second panel. Thank you.
    We can take a brief recess while we set that up.
    (Recess.)
    Mrs. Lee. Thank you. I will now call this back to order. I 
would like to introduce the witnesses on our second panel. Nick 
Culbertson is CEO and co-founder of Protenus. Is that right? 
Protenus. And is an Army veteran. Tina Olson Grande is the 
executive vice president for policy at the healthcare 
leadership counsel and chair of the confidentiality coalition. 
Ramsey Sulayman is the associate director, National Legislative 
Service for Veterans of Foreign Wars and is a Marine Corps 
veteran. Harold Wolf is the president and chief executive 
officer of Health Care Information and Management System 
Society (HIMSS).
    We will now hear the prepared statement from our panel 
members. Your written statements in full will be included in 
the hearing record. Without objection, Mr. Culbertson, you are 
now recognized for 5 minutes. You can put your volume. Thank 
you.

                  STATEMENT OF NICK CULBERTSON

    Mr. Culbertson. There. Does that work? Great. Thank you, 
ma'am. I appreciate the opportunity to present. I am here today 
under three prefaces. I am a former, as you mentioned, a former 
non-commissioned officer in the United States Army. I was also 
treated as part of the Veterans Affairs. I sit here now as a 
entrepreneur and CEO of Protenus, which specializes in health 
data security.
    I think the data privacy is in constant juxtaposition with 
data sharing. We have heard much of that throughout testimony 
today. I think it is really important that this issue be 
addressed.
    Our research has shown that every year data breaches have 
increased. Just last year alone, 41 million medical records 
were breached in the United States and that is only what we 
know about or what has been discovered. The more we share data, 
the more of a threat we create to our patient's data, 
particularly our veterans' data.
    I have had experience with both the limitations of data 
being a challenge, but also seeing how the data sharing creates 
more of a challenge. My story goes back to when I was last 
stationed in Afghanistan. I was assigned to use this device 
called the MC-4 that was supposed to take patient data from 
combat casualties that I could wirelessly send to a flight 
medic, that would then transfer that information all the way 
back to retirement and VA. It was a seamless integrated network 
that data would persist from DOD all the way to VA.
    Unfortunately, we got trained many hours on this device, 
and then we took it into the field and then found out it did 
not work. We had to manually rewrite the medical notes to our 
flight medics and pass it off on pieces of paper that would fly 
away in the wind.
    I think that program is still being developed. I hope that 
it continues to persist. After I got out of the military, I 
sought treatment through VA for my wrist that I fractured in 
the military. I was a little bit shocked to hear from my VA 
physician that since my wrist had healed and there was no x-ray 
in my record, my wrist was never broken in the first place, and 
so I could not get my document updated to show that I had 
broken my wrist, and make sure that I had long term care for 
that. I had to seek physical therapy through private practice, 
through private insurance, which is unfortunate.
    On the other side of things, I have seen how health data 
becoming more accessible and shared creates more of a risk and 
more of a concern. As a medical student at Johns Hopkins, I saw 
how Hopkins rolled out the Epic integration, similar to what VA 
is doing now with Cerner on a different scale.
    Decades ago, the only person who had access to your medical 
record was the physician at the foot of your bed. Now anyone 
throughout the hospital system, any business associate, any 
partner health system, any other Epic clients can now access 
that data. Technology has created this great increase in access 
that helps improve patient care and outcomes, but at the same 
time drastically increases the risk.
    I think that--my belief is that while technology has 
created greater access, it also--there is an opportunity to 
create better assurance and better privacy with technology 
alone. I do not think this can be addressed just through policy 
and regulation. I think that we need to have security devices 
put in place, specifically with the VA as well.
    Our company developed an artificial intelligence that 
understands how any end user is accessing PHI and whether they 
are using it appropriately. And we send proactive alerts to 
privacy risk compliance officers that identify those threats so 
that they can deal with them in relative real time proactively, 
rather than waiting for something to happen.
    I know that this is an incredibly needed technology because 
of the amount of violations that we find. We estimate that 1 in 
300 workforce members in health care violates privacy per 
month. Unless a monitoring solution is put in place, or unless 
regulations are appropriately addressed or policies are put in 
place, that only will continue and get worse.
    I thank you all for taking the time to address this and I 
am looking forward to the conversation.

    [The Prepared Statement Of Nick Culbertson Appears In The 
Appendix]

    Mrs. Lee. Thank you, Mr. Culbertson. I now recognize Ms. 
Grande.

                 STATEMENT OF TINA OLSON GRANDE

    Ms. Grande. Thank you. Chairwoman Lee, Ranking Member 
Banks, and Members of the House Committee on Veterans Affairs 
Subcommittee on Technology and Modernization, thank you for the 
opportunity to testify today.
    My name is Tina Grande. I am executive vice president of 
policy for the Healthcare Leadership Council, and chair of 
HLC's Confidentiality Coalition.
    HLC is an association of chief executives representing all 
disciplines within American health care. The Confidentiality 
Coalition advocates for policies and practices that safeguard 
the privacy of patients and health care consumers, while 
enabling the essential flow of patient information.
    The subcommittee's examination of how the Department of 
Veterans Affairs manages veterans' health data is especially 
timely, as new technologies continue to be introduced to the 
market. For every promising health information technological 
development, there is a risk of its misuse.
    There is a glaring oddity in our current health data 
regulatory scheme that certain health data is subject to robust 
Federal privacy protections, while other health data is not. As 
long as this disparate treatment exists, the challenges faced 
by an organization such as the VA to harness new technological 
innovations, while maintaining the privacy and security of 
data, will remain formidable. Any approach to health data 
privacy should preserve the existing HIPAA framework, which 
applies to treatment, payment, and health care operations for 
all patients, including veterans. New legislation should apply 
only to health data not governed by HIPAA.
    New innovations, while beneficial, have resulted in more 
and more health data falling outside the protections of HIPAA. 
This will be the case when the technology or services are not 
offered by or on behalf of a HIPAA covered entity, but rather 
by developers or technology companies directly to the consumer.
    For example, a consumer may download a third party health 
app to their smartphone that sends a summary report to their 
doctor. As long as the doctor did not hire the app developer to 
provide its services to patients, the data in the app is not 
protected by HIPAA, even if the app is recommended by the 
patient's doctor.
    Under HIPAA, covered entities are required to provide 
individuals with a notice that describes the entity's privacy 
practices, the purposes for which it uses and discloses 
protected health information, or PHI, and the individual's 
privacy rights and how to exercise those rights.
    This transparency is an important protection that is 
particularly relevant as businesses seek to monetize health 
data. At the same time, the HIPAA framework recognizes that 
health information is not a commodity, the flow of which is 
determined by the highest bidder. Great care was taken when 
establishing the HIPAA framework to balance various competing 
interests. This same approach should be taken in addressing 
non-HIPAA health data.
    Any new privacy framework should be consistent with HIPAA 
definitions. Conflicting or inconsistent terminology could have 
unintended consequences that could seriously and adversely 
impact the ability of health care organizations to aggregate 
and share health data for important care delivery and 
population health purposes.
    Equally important, security safeguards should be 
commensurate with the safeguards required by the HIPAA security 
rule. Robust security requirements for non-HIPAA health data 
are critical, not only for sophisticated businesses that 
collect vast amounts of data, but also for startups, developing 
new products and services, which should be incorporating 
security by design practices in their product development 
process.
    The promise of interoperability is another reason to ensure 
harmonization between laws governing PHI and non-HIPAA health 
data. And to have national standards for health information, 
privacy, and security. Interoperability cannot come to fruition 
if these organizations are subject to and constrained by 
different standards that do not align or potentially even 
conflict with one another. This is particularly critical for 
veterans who may seek care in community health systems in 
addition to the VA health system.
    We believe it is essential to replace the current mosaic of 
sometimes conflicting State privacy laws, rules, and 
guidelines, with strong, comprehensive national standards.
    In closing, HLC and the confidentiality coalition commend 
the subcommittee for seeking to address the challenges faced by 
the VA in managing veterans' health data. We believe a balanced 
approach, compatible with and modeled upon the existing HIPAA 
framework, and that provides protections for non-HIPAA health 
data, similar to that provided for PHI under HIPAA, is the best 
way to address these challenges and provide a comprehensive, 
consistent, and transparent health information privacy 
framework for the health data of those in service and beyond. 
Thank you.

    [The Prepared Statement Of Tina Olson Grande Appears In The 
Appendix]

    Mrs. Lee. Thank you, Ms. Grande. I now recognize Mr. 
Sulayman.

                  STATEMENT OF RAMSEY SULAYMAN

    Mr. Sulayman. Chairwoman Lee, Ranking Member Banks, and 
members of the subcommittee, on behalf of the men and women of 
the Veterans of Foreign Wars and its auxiliary, thank you for 
the opportunity to address our members' concerns about data 
privacy and portability, and VA's responsibility to protect 
veterans' privacy.
    The commercialization of date crept up on Americans and 
pounced like a tiger. You have covered the data breaches that 
revealed information, vulnerabilities, and systems and 
institutions we presumed were secure. Health care data breaches 
often occur through malicious attacks, as well as non-malicious 
errors, such as the loss of the laptop.
    Rarely do we focus on self-disclosed and user generated 
data, which accounts for a staggering amount of information on 
the average American. One's Facebook profile, Instagram 
picture, Spotify playlist, supermarket discount card, Fitbit 
data, pictures taken by a Ring door cam, internet service 
provider data. Yes, the one site that your friend told you 
about that you looked at just for a second, just that one time. 
All of that information is available and brokered.
    Companies scrape the internet for more photos and 
information on people who have no idea that this is happening, 
and certainly never consented. You have covered earlier the 
permissions that veterans are required to consent to use VA 
apps.
    Veterans live in this information and technology ecosystem 
and the same concerns apply. However, because veterans have 
access to a comprehensive suite of services from the VA, 
everything from health care to home loans, veteran sensitive 
information is concentrated in one location, the Department of 
Veterans Affairs.
    The requirement to consent to terms that are broad, rarely 
understood, and without alternative is a major concern. Changes 
in ambitious products at VA, the integration of health records 
with DOD, the Million Veteran Project, MISSION Act, and 
implementation present great opportunities, but data security 
challenges.
    VA partners with entities outside its IT ecosystem, and 
this seam is where vulnerabilities also lie. Veterans expect VA 
to set the tone and place data security and privacy as a 
foundational priority. You have already touched on past 
breaches and security lapses, such as the 2006 theft of a VA 
laptop that exposed the data of 26 and a half million veterans 
in active duty military.
    2015 OIG report detailed Chinese nationals accessing the VA 
network from China. In October 2019, OIG report detailed 
security lapses, including placing veterans' PHI and PII, their 
personally identifiable information and personal health 
information, on thumb drives and personal computers. The 2019 
OIG report on VA's ability to meet the Federal Information 
Security Modernization Act requirements noted significant 
challenges.
    This leads us to believe that data security management and 
protocols may not be at the level necessary. VA's transfer of 
information to entities outside its ecosystem through record 
sharing and simple IT processes like the single VA log on 
through ID Me are of concern. As noted in our written 
testimony, end user license agreements leave questions of 
access to and retention of veterans' information open. You also 
touched on that earlier in your questions and comments.
    It is not a question of understanding the terms. It is a 
question of what are the alternatives. Most often, there are 
none.
    We also noted the instance of Ascension's partnership with 
Google on a massive health data project, known as Project 
Nightingale, where Google collected sensitive health data as a 
HIPAA compliant business partner of the health system, without 
the explicit opt in of patients.
    As Ascension often marketed toward veterans and encouraged 
them to use Ascension with the Veterans Choice Program, it is 
unclear whether veteran medical records shared with Ascension 
as part of community care programs ended up in Google's hands.
    Let me be clear that just because I use an iPhone SE still 
does not make me a Luddite or a conspiracy theorist. I just 
really like small phones. Great good can come from data 
sharing, especially health data, and VA is in a very unique 
position. Access to health care data means that providers can 
apply artificial intelligence and machine learning to make 
diagnosis faster and better, as well as treat more effectively.
    Nick testified to the artificial intelligence capabilities 
of his platform. The trove of veterans he identified health 
data offers game changing research possibilities. These worthy 
goals must be pursued. To Dr. Roe's point about risk versus 
benefit, though, the Veterans of Foreign Wars of the U.S. (VFW) 
believes in these foundational priorities.
    The use of veteran's information should require informed 
consent and a plain language explanation of exactly what the 
veteran is consenting to, what will be used and collected, and 
how that data may be used. VFW and the other VSOs are more than 
willing to consult with VA on making VA communications easily 
understandable to veterans.
    Our executive director, BJ Lawrence, has directly offered 
that assistance and the offer stands. The VFW also believes 
that the minimum amount of veteran data should be collected 
through VA platforms, including by third party partners. VA and 
contractors should not pass on any more information than is 
necessary to their subcontractors or partners. Information 
should be retained for the minimum amount of time necessary, 
and then deleted. Veteran information should be de-identified 
where possible.
    I thank you for your attention to this important matter and 
look forward to answering any questions.

    [The Prepared Statement Of Ramsey Sulayman Appears In The 
Appendix]

    Mrs. Lee. Thank you, Mr. Sulayman. I now recognize Mr. Wolf 
for 5 minutes.

                STATEMENT OF HAROLD F. WOLF, III

    Mr. Wolf. Chairwoman Lee, Ranking Member Banks, and 
distinguished members of the subcommittee. Thank you for the 
opportunity to testify today. My name is Hal Wolf. I am the 
president and chief executive officer of the Health Care 
Information and Management System Society (HIMSS). HIMSS is a 
global non-profit advisor and thought leader supporting the 
transformation of the health ecosystem through information and 
technology, with a membership that includes more than 80,000 
individuals and hundreds of partners and organizations.
    We appreciate the committee holding today's hearings and 
addressing the role of Congress and the Department of Veteran 
Affairs in ensuring the confidentiality, integrity, security, 
interoperability, and availability of veterans' personal data.
    As significant advances in technological innovation in 
health care have allowed us to capture data and use information 
in unprecedented ways, we must ensure the proper processes are 
in place to protect the privacy and the security of the 
patient's most sensitive information without losing the 
potential benefit of its use.
    Our health care ecosystem has come to rely on an increasing 
number of tools and capabilities, which depend upon secure 
access to and use of patient data. The industry's fundamental 
goal is improved outcomes at a lower cost per episode. To meet 
this goal, we must have technology-enabled data collection and 
interoperable data sharing. Given the large population 
receiving services through the Department of Veterans Affairs 
health care system, it is not a stretch to see that the VA is 
facing the same pressures as the rest of the industry to use 
data-driven capabilities to help them better manage the health 
and the healthcare of their patient population.
    We believe the recently proposed Federal regulations, 
including the Centers for Medicare and Medicaid Services (CMS) 
interoperability and patient access rule, and Office of the 
National Coordiantor for Health Information Technology (ONC) 
information blocking rules will advance interoperability and 
support safe and secure access to health information and data-
driven tools that allow for more provider and consumer choice 
in care and in treatment.
    Now, any discussion around access to patient's health data 
inevitably leads to questions around who owns the data, who can 
access the data, what can be done with the data once it is 
granted, and what are the stewardship responsibilities over the 
data?
    It is imperative that our mind set shifts to the access and 
the appropriate usage of data that is needed or information 
that benefits patient or individual health outcomes. Generally 
speaking, data ownership refers to the entity or individual who 
owns or originates the data. However, the data may not be in 
the originator's possession when needed or having already been 
passed on. Most decision support tools, for example, use data 
from multiple entities that may begin to use more than just 
clinical data, such as social determinant information to make 
recommendations to the user.
    Data access simply refers to being granted permission of 
the data in some way or possession. This might include the 
ability to read, edit, or copy data for a variety of purposes. 
Its data usage and how the data could be transformed into 
information, storage of the data is permission for primary and 
secondary use, both short and long term. Rules around primary 
and secondary usage of data are where significant attention 
needs to be focused.
    Data stewardship largely focuses on providing a secure and 
trackable environment. Cybersecurity is an important component 
of data stewardship. In order to ensure both veterans and 
broader patient populations receive the best possible care, 
providers, patients, and caregivers must be able to access the 
right information at the right time. Access rights with clear 
usage guidelines are mission critical.
    HIPAA remains an integral part of our Nation's information 
security and privacy infrastructure for both veterans in the 
broader patient populations. With regard to the public dialog 
on possible HIPAA changes, HIMSS is focused on encouraging the 
safe portability of data.
    I would like to thank Chairwoman Lee and Ranking Member 
Banks for this opportunity to testify today, and all members of 
the subcommittee for prioritizing such a critical issue. Thank 
you and we look forward to your questions.

    [The Prepared Statement Of Harold F. Wolf, III Appears In 
The Appendix]

    Mrs. Lee. Thank you. I now recognize myself for 5 minutes 
for questions. Mr. Wolf, given when we talk about data 
management, data privacy, what should we really be looking at 
in how should the VA measure its success regarding patient 
protection?
    Mr. Wolf. A wonderfully complex question. I think we hit on 
a number of the challenges earlier. The initial point of data 
protection is the data that you have stewardship over at that 
particular moment and how you must protect it, but more 
importantly, how you use it in the care treatment and the 
pathways to ensure that the best possible treatment and 
recommendations are happening to the individual patient and we 
are getting the best recommendations to the clinicians that are 
there.
    We have to be able to look at that multi-tiered safeguard 
that was already been brought forward. Am I storing the 
information that I have possession of at that time with all of 
the appropriate safeguards? To whomever I am passing that 
information, we need to know their security on their side and 
where that information can and cannot go.
    The points about secondary use of information or its 
potential sale, those are huge issues. They really need to be 
legislated on a full scale basis. The VA can do what it should 
be doing in terms of protecting the information. But it also 
becomes an important congressional pieces.
    Mrs. Lee. How should the VA measures its success?
    Mr. Wolf. I think you measure your success, first of all, 
by are there any breaches that are occurring? That is the 
simple part of it. The second is measuring its success in its 
review of secondary apps or organizations that the information 
is passed to. Then, of course, in the end, how is that 
information being used to better the treatment of the patients 
that it has accountability for.
    That relies on understanding the use of the applications 
and how it is transmitted, and whether there is success 
protocols on value-based care being delivered.
    Mrs. Lee. Great. Thank you. Ms. Grande and Mr. Sulayman, 
could you please give me an example of in your experience in 
mind, what a worst case scenario would be with respect to how 
the VA treats its patient's data?
    Ms. Grande. Sure. A worst case scenario, we could 
consider--I think there could be many. I think largely falls 
outside of the non-HIPAA covered data that is identifiable, it 
is sensitive. It is related to detailed health care information 
that an organization who is not bound by HIPAA or strict State 
privacy laws either sells, monetizes, or mishandles information 
that A) the patient or consumer has no knowledge of because 
there is simply no--they are not aware that their information 
is not protected. Because consumers generally do not 
distinguish between, ``I am at a place where I have got HIPAA 
coverage,'' and--we just know we have our health information.
    We have trusted hospitals and health plans and pharmacies 
with our information, because largely HIPAA has worked pretty 
well. I think a terrible scenario would be information that is 
sensitive about our health care has been bought, sold, used, 
analyzed without our knowledge, and has trickled downstream for 
a number of years, and comes back to potentially discriminate 
against us in the long run. I think that that is a real risk 
that is occurring in a largely unregulated market that has 
access to identifiable information about us.
    Mrs. Lee. Thank you.
    Mr. Sulayman. I would tend to agree with Ms. Grande on that 
point. I mean, I think that HIPAA provides a framework, and it 
provides penalties, and it provides some clear guidance on what 
is and what is not acceptable. As I mentioned in my testimony, 
in both the written and the oral, the user generated data that 
we have, I mean the information that is collected off of the 
apps that you were talking about, you know, with the privacy 
policies written by committees of lawyers, ``hordes of 
lawyers'' I think is how Dr. Roe referred to it, having that 
information leak out and then being collated with other 
information that is out there.
    I mean, I think that that is really the danger just large 
across the entire--for the entire population, but for veterans 
especially if you are talking about Traumatic Brain Injury 
(TBI), PTSD, other sensitive information. Having that sort of 
health information be able to be gleaned from the purchases 
that you make through a doctor's use of the Zelth (phonetic) 
platform, for instance. You bought compression socks and 
syringes, so a machine looks at that and says, ``A diabetic.'' 
That sort of amalgamation of information that you didn't even 
know was out there and is not covered by HIPAA is the main 
danger.
    Mrs. Lee. Thank you. I now recognize Mr. Banks for 5 
minutes.
    Mr. Banks. Thank you, Madam Chair. This question is for 
anyone who wants to answer it. Do you believe the HIPAA privacy 
rules--the rule is adequate to govern apps that receive 
patients' protected health information?
    Ms. Grande. I am happy to start. I think that is a very 
complex question. The HIPAA privacy rule was promulgated many 
years ago. It was crafted very meticulously for a health care 
caregiving and payment system. As such, it was applied very 
specifically to that type of system that is directly in contact 
with patients, their payment, their claims.
    When we are looking at HIPAA as a potential framework for 
tech companies, who do not necessarily fit into the very 
precise definitions for a covered entity, and may not be 
functioning as a business associate, because they are not 
working directly for a covered entity, maybe sandwiching those 
companies into HIPAA as a new covered entity, it is very 
complicated and I do not think it is going to be easy at all.
    You could look at potentially a larger national privacy 
framework that would apply to those companies. Our 
recommendation is that when it comes to health information, 
that it harmonize with HIPAA. The last thing we want to do is 
to bottleneck important health information, because it stops 
because you have got two different privacy laws that are in 
play that could conflict or be confusing.
    If, for example, the Veterans Affairs Committee is 
considering new privacy legislation as it relates to veterans' 
health information and non-HIPAA covered data, we would suggest 
that you also work with other committees of jurisdiction that 
are overseeing the commercial and Medicare and Medicaid 
markets, so that as veterans flow in and out of the commercial 
and the VA system, their information is not getting 
bottlenecked because you have got two separate privacy laws at 
play.
    Mr. Banks. Okay. Let me move on to another question. This 
is for anyone who wants to answer it as well. If you agree that 
Apple and Google essential control software distribution 
through their app stores, what is their responsibility to 
police the apps they allow into their stores, not only for 
cybersecurity but also for privacy protection?
    Mr. Sulayman. I will take a stab at this first. I think 
that if you walked into a brick and mortar store and a product 
lopped your hand off when you went and grabbed for it, you 
would agree that the store is probably responsible for being 
negligent and offering that.
    I think that by and large, the tech sector's abdication of 
responsibility for the products that they carry in their 
virtual stores is something that really needs to be looked at 
and addressed. I mean, if you are carrying something that is a 
purveyor of malicious software or yesterday there was a report 
about three email clients that scrape data off phones, just by 
virtue of loading them and consenting through the data and 
privacy policy, the thing that you do not read and click 
accept. You know, one of them scrape the data and send it back 
to Rakuten, an online shopping platform.
    Literally, same sort of consent that you have with some of 
these apps: your microphone, your contacts, your pictures. 
Literally anything and everything that they want.
    Now, the response was, ``We only collect certain things.'' 
Again, it is not transparent. I think having the transparency 
and having the accountability, there needs to be some 
verification system that what you are downloading through a 
trusted platform is, indeed, trusted.
    Mr. Banks. I will move on to another question. Or anybody 
else? Yes.
    Mr. Culbertson. Could I just add onto that, that I think 
health data should--we could take a step further, that really 
should not be compared to other types of data that you might 
find on an iphone, just because of how valuable it is and how 
immutable it is.
    Just because we say something is appropriate or suitable 
for an iphone app, I think we should even go beyond that for 
health data.
    Mr. Banks. Very good. I do not have a lot of time yet, so I 
will yield back and save questions for later.
    Mrs. Lee. Thank you. This question is for Mr. Culbertson. 
How should the VA compare to private industry in areas of data 
privacy, consumer protection, and security?
    Mr. Culbertson. Well, I think if we ask that question today 
and we look at the top five offenders of HIPAA violation 
according to the Office of Civil Rights, the VA ranks among 
those top five. I think with this opportunity to modernize 
technology, I think there is an opportunity to correct that 
image.
    I know that what health systems outside of the VA are doing 
now, back to the question you asked for Mr. Wolf in terms of 
demonstrating a good privacy program, is not only are we 
looking at whether good policies are in place, do we have a 
business associate for every partnership, are we ensuring 
appropriate transfer of date according to HIPAA and other 
regulations.
    Health systems are also auditing proactively every access 
and accounting for all of those disclosures to ensure that they 
are being appropriately used under treatment and payment 
operations.
    I think there is an opportunity here to match that higher 
level of standard and additionally go beyond.
    Mrs. Lee. Thank you. Mr. Sulayman, should the VA be 
responsible for educating veterans on protecting their privacy?
    Mr. Sulayman. I think that is a great question, ma'am. I 
think that the obvious answer is yes, particularly as it 
related to any data that the VA is using or has in their 
possession.
    I mean, if you are talking about just general education, I 
think it would be helpful and certainly falls within the VA's 
purview on many of the programs that it manages. Certainly for 
IT and health care data, that as we said, the plain language 
explanation of what is being collected, how it is being used, 
what will be done with it, and any opt in or opt out options 
are something that the VA should clearly define.
    As I had said, we are happy to help the VA review that 
process for readability and understandability for your average 
veteran.
    Mrs. Lee. Thank you. Ms. Grande or Mr. Wolf, how far should 
that VA obligation to protect data extend?
    Mr. Wolf. Well, I will take a pass. I think that the--
coming back to this issue about the VA and the consistency of 
its needs and protecting the data has to be consistent with all 
of the other health systems that exist in the U.S.
    The harmonization point around HIPAA is a critical point as 
well. You do not want to create bifurcated environments. The 
reality is, of course, is that a person who is receiving care 
through the VA may well be also receiving care from other 
entities. The free passage of that information is critical for 
their own health, as well as future use of information.
    The simple point is that the VA has to be extraordinarily 
vigilant, as does every health care system on the use of that 
information and where it goes. Not just within its domain, but 
when it is passed, you have a responsibility to pass it to a 
quality organization.
    The testing and the variability, if you would, of the 
application that is receiving, falls to the responsibility of 
the VA, as it should with every health system.
    Ms. Grande. I agree completely. The VA does have a 
responsibility for those it oversees as it relates to their 
health information and how it is being used. I think consumers 
just simply do not distinguish between information that is 
protected by their hospitals, health plans, pharmacies, and 
that which is not.
    I think there had got to be more of an education, just 
nationwide for consumers about how their information is 
protected and not--and the ramifications of it, if it is not.
    Mr. Wolf. I would just tag on in our last 30 seconds that 
it is very important for establishing criteria, if you would, 
around where that information is going to go and how it is 
going to be used. There is a baseline assumption on the part of 
every consumer that they are protected. Even if they are 
looking at these incredibly long agreements, their underlying 
assumption is that their information is under proper 
stewardship.
    Ms. Grande. Concur.
    Mrs. Lee. I agree. I actually believe that veterans even 
have a higher level of expectation when it comes to the VA as 
well. I am going to recognize Mr. Banks for 5 minutes.
    Mr. Banks. Thank you, Madam Chair. Ms. Grande, is HIPAA's 
minimum necessary principal intention with the 21st Century 
Cures Act penalties for information blocking?
    Ms. Grande. Well, I know that the Office for Civil Rights 
sort of hinted around that in their HIPAA Request for 
Information (RFI) that came out last fall. We certainly will be 
commenting on that when the notice of proposed rulemaking comes 
out in short time.
    Our member organizations do believe that the minimum 
necessary standard is appropriate, that sharing only what is 
necessary to promote better health outcomes is the right way to 
manage health information.
    For example, in some of these scenarios where you have got 
to hand over your photos, your calendar, your contacts, that 
flies way beyond the minimum necessary standard under HIPAA. I 
think our member organizations have all agreed that that is way 
too much information to be sharing.
    That said, though, there is value in analyzing large data 
sets to find treatments and cures. That is one of the wonderful 
aspects of advances in technology so we can speed up treatments 
and cures. I think motive matters and really focusing on the 
motives behind what is trying to be done needs to be paid a lot 
of attention to.
    Mr. Banks. Okay. Let me move on. So far, our HIPAA 
conversation has been mostly about covered entities business 
associates that happen to be technology companies or apps. Your 
testimony, Ms. Grande, you highlight the lack of legal 
protections when patients opt to provide their health data to 
an app. Should HIPAA or something very similar be extended to 
these apps, or should it be something different?
    Ms. Grande. Well, the Federal Trade Commission (FTC) does 
have some authority in the non-HIPAA space. It is not there is 
no legal protection, but I think many feel that the FTC's 
limited authority is a problem and that the FTC should have 
more authority over the non-HIPAA space.
    In terms of legal protections in the non-HIPAA space, we do 
believe that regulation is necessary, that the information 
blocking rule out of ONC and the interoperability rule out of 
CMS, which both of which we very clearly support the move 
toward interoperability. It is necessary and imperative to 
improve health outcomes.
    At the same time, there are provisions in those two rules 
that require health plans and providers to direct protected 
health information under HIPAA into an API and third party app 
of a patient's choice. That does get back to the fact that 
people do not distinguish what is under HIPAA and what is not.
    If there is any way we could look at some kind of authority 
within those agencies where we could do a better job, perhaps 
some sort of a certification process, or something whereby you 
have at least a semblance of good data stewardship going on 
with these third party apps, we would recommend that. We do 
believe that there is a role for Congress in this place to 
ensure that penalties and enforcement that are meaningful are 
brought to the forefront.
    Mr. Banks. Let me finish with this final question for you, 
Ms. Grande. What are some specific privacy considerations for 
the medical device industry, especially concerning medical 
devices that are integrated with apps?
    Ms. Grande. If a medical device is not operating as a 
business associate, and many of them do, so therefore come 
under HIPAA, they are really working closely with doctors, 
hospitals, those that are in the HIPAA environment. I think, 
again, it gets to the point that while we do support regulation 
outside of HIPAA, but in this particular case, it is especially 
important to note that it really needs to harmonize so that you 
are not creating a new barrier to information flow that really 
matters for a beating heart, an insulin pump, things that are 
maybe tacked on through an app or something that helps support 
that, that may not be within the purview of a covered entity 
and therefore a business associate relationship. It has got to 
harmonize. You do not want to----
    Mr. Wolf. Terribly close to the Food Drug Administration 
(FDA)----
    Ms. Grande. Yes. Then you have got the FDA is really 
starting to look at some of this now too. Right.
    Mr. Culbertson. Could I just add on that one complication 
here is that data that may exist within the app that is not 
covered under the covered entity, once it touches data that 
came from that covered entity, then falls under that purview. I 
think that is a lot--that is a nuance that a lot of app 
providers do not really take into consideration.
    Mr. Sulayman. If I could just take 20 seconds to echo the 
comments that both you and the chairwoman made earlier, HIPAA 
was created in an era when it was paper records, when analyzing 
data sets was extremely difficult, when my Mac LC-3 with 80 
megabytes was really impressive. It really has not taken into--
it was not created and did not take into account the 
environment that we are in now. The harmonization of HIPAA and 
not blocking the flow of information, and allowing all of the 
good things that can happen with the analysis of big data sets 
and artificial intelligence and machine learning to health care 
issues is very important. We also need to remember that this 
was created 23 years ago in an entirely different world that 
was not foreseen at the time. Amazon was still just a 
bookseller that everybody thought was going to fail.
    Mrs. Lee. Thank you.
    Mr. Banks. Thank you. I yield back.
    Mrs. Lee. Thank you. We are now going to adjourn. I wanted 
to thank all of the panelists for being here. Thank you, 
ranking member. What do I have to say here? Here is my 
statement. Hold on. There is something I need to say.
    First of all, thank you at the VA for sticking around for 
this testimony, and I certainly think there is space for us to 
continue to look at this issue, especially as technology is 
accelerating and making sure that we are looking out for 
innovation and patient results and care results, but also 
taking into effect protecting our veterans from what could 
potentially long down the road be used for workforce 
discrimination, all sorts of things that could happen that 
would have incredibly negative impact, not just on the health 
care of our veterans, but on their entire life and employment, 
et cetera.
    I hope that this will be an ongoing conversation as this 
subcommittee continues oversight of the VA's innovation or 
technology modernization efforts.
    All members will have 5 legislative days to revise and 
extend their remarks and include extraneous material. This 
hearing is now adjourned.
    [Whereupon, at 11:50 a.m., the subcommittee was adjourned.]
      
=======================================================================


                         A  P  P  E  N  D  I  X

=======================================================================


                    Prepared Statement of Witnesses

                              ----------                              


                 Prepared Statement of Paul Cunningham

    Good morning Madam Chair Lee, Ranking Member Banks, and 
distinguished Members of the Subcommittee. Thank you for the 
opportunity to testify today about the Department of Veterans Affairs' 
(VA) mission to secure and protect the personal and sensitive 
information of our Nation's Veterans. I am Paul Cunningham, the Deputy 
Assistant Secretary for Information Security, Chief Information 
Security Officer (CISO) and Chief Privacy Officer. I am accompanied by 
Martha Orr, Deputy Chief Information Officer, Office of Quality, 
Performance, and Risk (QPR) within the Office of Information and 
Technology, and LaShaunne David, Director of VA Privacy Service within 
the Office of Information and Technology.
    I want to thank Congress, and especially this Subcommittee, for its 
support of VA's work to ensure Veterans' privacy. Because of your 
steadfast cooperation, Veterans can continue to trust that their 
information is safe and secure. As the Chief Privacy Officer, I lead 
the VA's privacy program that protects Veterans' personal information. 
This aspect of VA's mission is personal to me. As a Veteran of the U.S. 
Navy, I fully share the concerns of my fellow Veterans who receive VA 
benefits, care, and services. For this reason, I am personally 
committed to ensuring Veterans' information is protected from 
exploitation and is handled with care.

                              Introduction

    VA Secretary Robert Wilkie has pushed forward a Department-wide 
modernization strategy to transform the Veteran experience, including 
increased access to services and information and interoperability with 
the Department of Defense (DoD). To achieve this, VA must extend its 
digital footprint, introduce new technologies, and increase data 
sharing. However, such efforts bring new privacy and security 
considerations. VA understands that with IT modernization must come 
modernized privacy and security policies. VA's Assistant Secretary for 
Information and Technology and Chief Information Officer (CIO), Mr. 
James Gfrerer, and OIT are responsible for striking this balance among 
information technology (IT) modernization, IT operations, and privacy 
and security. Specifically, OIT's Office of Information Security (OIS) 
manages security and privacy policy and related activities Department-
wide, while OIT's QPR division manages the VA Records Management 
program, which provides oversight of VA's compliance with those 
policies.
    VA's mission is to provide Veterans the care, benefits, and 
exceptional service they have earned. In the course of that mission, 
Veterans voluntarily share their personal information with the 
Department. This information may include personally identifiable 
information (PII) such as an address or Social Security Number or 
protected health information (PHI) such as data captured during health 
care visits as well as PHI and PII information collected as part of 
their application benefits. Veterans may also provide information about 
their families or caregivers. An important part of VA's mission is to 
ensure we are good stewards of Veteran data.
    VA has a robust set of policies and regulations governing privacy, 
access control, data and records management, and data sharing. It 
employs a rigorous framework of clauses and agreements that enforce 
these policies within VA and with our partners. VA also boasts strong 
incident response protocols to address any violation of these policies. 
In general, VA has policies and Business Associate Agreements that 
govern its activity or relationship with partners; conducts activities 
to enforce the policies; and imposes consequences for any violation of 
policy or contract agreement. With this strategy, VA effectively 
ensures the privacy of Veterans and the security of their personal 
information.
    VA and many similar large organizations face challenges. As the 
Department moves to adopt and implement new technologies, its privacy 
and security policies and practices must keep pace and change 
accordingly. Emerging issues in technology require that VA continually 
emphasize the importance of privacy for our Veterans, the Department, 
and our Federal and commercial partners. As the Department rises to 
meet these challenges, VA remains a vigilant protector of Veterans' 
information.

                     Privacy Policy and Compliance

    As part of VA's efforts to create a more seamless experience for 
Veterans, VA has increased ease of access to information on such sites 
as VA.gov. VA does not solicit personal information and only asks 
Veterans for information necessary to provide care or services. VA 
directly communicates to Veterans about the PII it collects and how 
that information will be used. The Department's policy regarding the 
privacy and security protection of Veteran data is accessible to 
Veterans on VA.gov and includes information about how VA collects, 
stores, uses, and discloses Veterans' information. It also details 
Veterans' legal rights and information about how VA complies with 
Federal regulations and user agreements. Like all Federal agencies, VA 
must comply with the Privacy Act, which provides protections for 
Veterans' personal information.
    An example of proactive and tailored implementation of privacy 
policy is VA's Webpage privacy. VA maintains a general Webpage privacy 
policy, known as the ``General Policy,'' that applies to all VA.gov 
Webpages. Some pages have additional guidance, called ``Limited Privacy 
Policies,'' which are compatible with the General Policy. VA's Websites 
generally do not require registration or request personal information, 
but some portals require Veterans to input PII to register for access. 
When Veterans do provide information, VA will not disclose that 
information to outside parties except at the request of the Veteran or 
as authorized by law. Additionally, VA.gov will never sell or rent 
personal information to outside parties. Violation of any part of this 
policy within the Department would result in corrective actions 
including possible dismissal and could result in a criminal charge 
against the offending employee or contractor. These policies ensure 
that Veterans' digital experience remains as secure and confidential as 
a visit with their care provider.
    VA also has a review process in place to ensure that 
Administrations and staff offices integrate privacy compliance into 
their development and use of IT systems. The VA Privacy Service 
implemented the Privacy Threshold Analysis (PTA), a tool to help 
identify potential privacy issues within each new IT system or project. 
In certain cases, VA staff may be required to complete a Privacy Impact 
Assessment, which helps Veterans understand what information VA is 
collecting and how the information will be used and stored. This 
process ensures that system owners and privacy officers work in tandem 
so that any new IT system or project addresses all privacy concerns for 
the Veteran. As VA modernizes old systems and develops new systems, 
this specific review process establishes a Department-wide 
consideration of privacy.

                             Access Control

    VA has policies and practices to ensure that access to Veterans' 
information is strictly controlled. VA implements a role-based access 
control system, which means that the Department grants access only to 
those employees or contractors with an official need to know to perform 
essential job duties or health care functions. Often, VA must allow 
contractors or other third parties to access Veteran information in 
order to provide care or services; in these cases, the party enters 
into a clear, comprehensive, and strict agreement with VA about how it 
may or may not use that information. System owners under each of VA's 
Administrations must determine the level of access control to implement 
for the system containing VA data. Systems are not authorized to 
operate until a designated authorizing official reviews and determines 
the control configuration is acceptable. To maintain access to 
sensitive information, non-Department entities must protect VA data 
from access by any other outside party.
    To enforce these policies and use agreements, system owners conduct 
regular audits for compliance with the Federal Information Security 
Management Act (FISMA) and routine checks to ensure the system is 
compliant. Additionally, audit logs contain information about who 
accesses the system, when the system was accessed, and what data were 
accessed.
    Should data ever be improperly accessed, VA will act to restrict 
access to the system and initiate an incident review process to 
determine what happened. When the improper access was a result of human 
error or improper behavior, VA will take corrective actions which could 
range from remedial training to revocation of access. VA requires that 
all personnel including contractors undergo mandatory privacy and 
security awareness training and sign a National or Contractor Rules of 
Behavior agreement. The Department takes appropriate steps to enforce 
these agreements.

                      Data and Records Management

    VA's Records Management policy governs the storage, transfer, and 
destruction of sensitive data within the Department. Sensitive 
information may only be stored on and transferred between approved 
systems or repositories or those which are governed by the appropriate 
access controls. Contractors and other third parties must also comply 
with VA requirements regarding media sanitization, and destruction must 
often be supervised by a Federal employee. From collection to 
destruction, Veterans' information is handled with the greatest 
possible care.
    VA's QPR Enterprise Records Service oversees activities related to 
the creation, maintenance, and use of records and ensures compliance 
with National Archives and Records Administration VA Records Management 
policy and Federal regulations that allow the release of limited 
Veteran information under the Release of Names and Addresses (RONA) 
program. When required by law, VA also provides information to the 
Veteran and the public in responding to requests submitted under the 
Freedom of Information Act (FOIA). Protecting Veteran data during this 
release is an extremely high priority. VA's OIS Privacy Service 
oversees activities related to safeguarding the PII and PHI of Veterans 
and employees. VA OIS Privacy Service's duties include:

      conducting privacy risk assessments and ongoing 
compliance monitoring of VA systems;

      overseeing information storage and VA's system of 
records;

      tracking access to PHI; and

      delivering privacy training, orientation, and ongoing 
awareness campaigns.

    Should the VA OIS Privacy Service identify issues or receive 
complaints in the course of its oversight and monitoring, it will 
investigate and take corrective actions to enforce the Department's 
privacy policies in coordination with similar VA stakeholders and, when 
necessary, legal counsel.
    QPR's Privacy and Records Assessment Division (PRAD) and its 
Administration partners perform onsite assessments on privacy and 
records management compliance at VA facilities and staff offices. 
Assessment findings that cannot be remediated onsite are reported to 
facility leadership for action. Issues that are not corrected as part 
of this ongoing continuous monitoring effort are further elevated to 
senior leadership as potential risk issues that could impact overall 
compliance. QPR's Risk Management Division will assign risk analysts to 
make determinations on the level of risk and determine overall required 
remediation actions.

                      Data Sharing and Portability

    VA closely safeguards Veterans' information, but often must share 
data with partners to provide health care and exceptional service to 
Veterans. In general, VA does not share Veterans' information with non-
Department entities, except when sharing is necessary to provide care 
or services to the Veteran or in accordance with routine uses as 
described in applicable system of records notices. In these cases, VA 
agrees with its partners about acceptable use of VA's systems and any 
Veteran information contained in those systems. That contract or 
agreement contains VA's requirements related to data protection and 
media sanitization, which the partner must meet to access Veterans' 
information. Once granted access to VA and/or Veteran information, it 
must protect that information as closely as VA does. These requirements 
are in place to ensure that Veterans' personal information is guarded 
just as closely, even when shared.

                               Conclusion

    VA continues to improve the Veteran experience by consolidating 
health and benefits information in convenient digital platforms and 
increasing Veterans' access to their health records and data. However, 
VA understands that accessibility and sharing must not come at the 
expense of safety, security, and confidentiality. Additionally, 
emerging challenges in technology call for increased attention to data 
protection and privacy.
    In response to these challenges, VA maintains a comprehensive 
security and privacy program. The Department strives to achieve the 
highest standards for safeguarding the sensitive information of our 
Nation's Veterans. We comply with Federal regulations, maintain an 
organizational structure focused on data protection and records 
management, and facilitate ongoing privacy assessments, reviews, and 
monitoring based on strict access controls.
    Madam Chair, Ranking Member, and Members of the Subcommittee, thank 
you again for the opportunity to testify on behalf of the Department 
about the privacy safeguards we employ on behalf of the Veterans we 
serve and the exceptional service we strive to provide in the process.
                                 ______
                                 

                 Prepared Statement of Nick Culbertson

    Good morning, my name is Nicholas Culbertson and I'm the CEO of 
Protenus. I bring testimony today to the Committee on Veterans' Affairs 
Subcommittee on Technology Modernization with three different 
perspectives: that of a former non-commissioned officer of the US Army, 
that of a patient treated by Veteran Affairs, and that of a former 
medical student turned CEO of a healthcare compliance analytics and 
health data privacy firm called Protenus.
    In these roles, particularly in my current one, I have learned that 
health data privacy and security requirements are in constant 
juxtaposition of the need for health data sharing, interoperability, 
and innovation. On one hand, we need to make health data accessible to 
help improve direct patient care delivery speed and effectiveness as 
well as spur novel innovations, further accelerating the quality and 
capabilities of our healthcare industry. On the other hand, the more 
accessible health data becomes, the larger the threat surface becomes, 
exposing health data to privacy and security breaches, as well as 
misuse of data and fraud.
    The tension between protecting health data and sharing health data 
is not something that should be addressed lightly. We need to share 
data and we need to protect it. Any standard that tips favor in one 
direction will either stifle innovation or compromise the integrity of 
arguably one of the most valuable types of data in the world. I want to 
thank the Subcommittee for its efforts to consider setting a higher 
standard for health data privacy while modernizing VAs electronic 
health record system and hearing my testimony on the topic.
    In 2009, I prepped for my last deployment to Afghanistan with the 
20th Special Forces Group where I served as a Special Operations Medic 
and Advanced Tactical Practitioner. As an SF Medic on pre-deployment, I 
was trained to use a tactical palm-pilot device and laptop system, 
known as the MC-4, that was intended to capture SOAP notes and other 
medical documentation on the battlefield. The intent of this program 
was that medical documentation could be electronically transferred to 
flight medics during a rushed MEDEVAC and that documentation would 
persist in the soldier's medical record all the way from theatre to VA. 
I was disappointed to learn, however, that despite the time we spent on 
training, this program did not work and the notes I drafted never left 
the expensive device I carried in theatre. Instead, I had to re-draft 
documentation that was filed manually and, hopefully, not lost during a 
soldier's trip through recovery.
    As a veteran, I experienced the challenges associated with health 
data lost due to a lack of interoperability between the DoD and VA. 
After I left the military, I sought physical therapy from VA to 
continue treatment on my wrist that I fractured on my last deployment. 
Despite being certain of my broken wrist diagnosis, having seen the 
Xrays of the fracture myself, my VA physician told me that my wrist was 
never broken because there was no documentation for it and no copy of 
the Xray image in my file. As a result, I had to seek physical therapy 
through private insurance.
    As a civilian, I have seen how the digitization of medical records 
has greatly accelerated patient care and innovation. While in medical 
school at Johns Hopkins University, I was fortunate to be able to 
participate in research using electronic medical records during Hopkins 
transition from multiple electronic health record systems to one 
central system that currently spans the entire enterprise. While this 
upgrade made it easier to share health information, the magnitude of 
sharing is quite expansive. Not only do immediate care team members 
have access to a patient's record, but also any workforce member across 
the enterprise can now access any patient's record. Partner, affiliate, 
other business associates can also access patient data through health 
exchanges or other data-sharing programs. Both this increase in 
exposure and Hopkins's goal of being an innovation hub for health data 
allowed the opportunity to launch the startup that I now run.
    At Protenus, we've developed artificial intelligence that 
proactively audits how every end-user accesses and uses electronic 
health information to ensure health systems are compliant with 
regulations designed to protect patient privacy. With our technology, 
we've seen first-hand how access to health data can be abused, causing 
harm to the health system and patients alike. And we've also seen how 
access to health data, when governed correctly, can spur amazing 
innovations that ultimately help improve patient care overall.
    I've seen, first-hand, the limitations and risks associated with 
antiquated health technology systems. I've also seen how using 
technology in healthcare can create a slew of privacy and security 
challenges. So, privacy or innovation? The answer is both. We must find 
a way to promote innovation through accessibility and sharing. But we 
also must ensure that we do everything we can to protect health data 
from falling into the wrong hands. This is especially true of our 
veterans who deserve the best we can offer. The best we can offer 
combines both innovation and privacy.
    This is an opportunity for VA to set a higher standard. As 
technology continues to improve and create better access, so too must 
our standards for security and privacy continue to meet that standard, 
as well.
                                 ______
                                 

                Prepared Statement of Tina Olson Grande

    Chairwoman Lee, Ranking Member Banks, and Members of the House 
Committee on Veterans' Affairs Subcommittee on Technology and 
Modernization (Subcommittee), thank you for the opportunity to testify 
today.
    My name is Tina Grande. I am Executive Vice President of Policy of 
the Healthcare Leadership Council (HLC) and Chair of the 
Confidentiality Coalition (Coalition).
    HLC is a coalition of chief executives representing all disciplines 
within American healthcare, including hospitals, academic health 
centers, health plans, pharmaceutical companies, medical device 
manufacturers, laboratories, biotech firms, health product 
distributors, post-acute care providers, home care providers, and 
information technology companies. It is the exclusive forum for the 
Nation's healthcare leaders to jointly develop policies, plans, and 
programs to achieve their vision of a 21st century healthcare system 
that makes affordable high-quality care accessible to all Americans.
    The Confidentiality Coalition, founded to advance effective patient 
confidentiality protections, is composed of a broad group of hospitals, 
medical teaching colleges, health plans, pharmaceutical companies, 
medical device manufacturers, vendors of electronic health records, 
biotech firms, employers, health product distributors, pharmacies, 
pharmacy benefit managers, health information and research 
organizations, patient groups, and others. The Coalition's mission is 
to advocate for policies and practices that safeguard the privacy of 
patients and healthcare consumers while, at the same time, enabling the 
essential flow of patient information that is critical to the timely 
and effective delivery of healthcare, improvements in quality and 
safety, and the development of new lifesaving and life-enhancing 
medical interventions. I have attached to my testimony information 
about the Coalition, HLC and the membership of each.
    Through the breadth and diversity of our membership, HLC and the 
Coalition are able to provide a broad-based and nuanced perspective on 
any legislation or regulation affecting the privacy and security of 
health consumers. We work closely with key legislators and regulators 
to help strike the right balance between protecting privacy and 
allowing the appropriate sharing of health information to ensure safe, 
high-quality, and coordinated healthcare.
    We understand that the Subcommittee is examining how the Department 
of Veterans Affairs (VA) manages veteran's data, including 
interoperability, privacy and security issues, in light of the 
challenges posed by changes in technology and the increasing 
monetization of data.
    This examination is especially timely as new technologies are being 
marketed every day that allow for not only the generation of new data 
not previously available, but the ability to transmit and share data 
more easily, and to use it for purposes as varied as targeted 
advertising to developing artificial intelligence (AI) tools for the 
early detection of cancer and other debilitating diseases. For every 
promising health information technological development there is the 
risk of its misuse, and as the value of data increases, so does the 
incentive to misappropriate it. The more consumers are able to control 
and direct the sharing of their health data, the greater the likelihood 
of the data finding its way into the hands of third parties not 
committed or bound to protect it.
    The Coalition's members having been grappling with these same 
challenges as they seek to use data to improve healthcare outcomes, 
quality and efficiencies, and to facilitate data sharing among 
patients, healthcare providers and other healthcare organization. 
Congress too, through the 21st Century Cures Act, has sought to address 
some of these challenges by directing the Department of Health and 
Human Services (HHS) to implement regulations to advance 
interoperability, support patient access to their electronic health 
records, and eliminate information blocking.
    While these steps are laudable and essential, there remains the 
glaring oddity in our current health data regulatory scheme that 
certain health data is subject to robust Federal privacy protections 
while other health data is not. As long as this disparate treatment 
exists, the challenges faced by an organization such as the VA to 
manage health data in a way that harnesses new technological 
innovations while maintaining the privacy and security of all this data 
will remain formidable, if not insurmountable.
    My testimony, therefore, focuses on how this regulatory gap should 
be addressed, and the principles that we believe the Subcommittee and 
others in Congress should consider in seeking to ensure that all 
consumer health data is appropriately protected while at the same time 
being available as seamlessly as possible for necessary healthcare 
functions and activities.
    Health data that is governed by the Health Insurance Portability 
and Accountability Act (HIPAA), including data held by VA covered 
entities, is protected by a framework that has for over 20 years 
provided individuals with strong privacy rights and protections. 
HIPAA's well-established rules and guidance, together with its robust 
and consistent enforcement by HHS, has made it a trusted and accepted 
national standard for the protection of personal health information. It 
has also provided HIPAA covered entities and their business associates 
with a clearly delineated framework and parameters within which to 
operate. Therefore, any approach to health data privacy should preserve 
the existing HIPAA framework, and new legislation should apply only to 
health data not governed by HIPAA.
    We support the development of new health information technologies, 
whether at the consumer level in the form of mobile health apps and 
wearable devices, or at the enterprise level, such as sophisticated new 
tools that aggregate and analyze vast quantities of data that can 
transform healthcare. These new innovations in health information 
technology are not only empowering consumers to be more engaged in 
managing their health outside of traditional healthcare settings, but 
are enabling healthcare organizations to develop new treatments and 
cures that will deliver enormous benefits to patients and greatly 
improve our healthcare system.
    These innovations have also resulted in more and more health data 
falling outside the protections of HIPAA. This will be the case when 
the technology or services are not offered by or on behalf of a HIPAA 
covered entity, but rather, by developers or technology companies 
directly to the consumer. For example, a consumer may download a third 
party app to their smartphone that tracks diet, exercise and weight, 
and uses the app to send a summary report to their doctor before their 
next appointment. As long as the doctor did not hire the app developer 
to provide its services to the doctor's patients, the data in the app 
is not protected by HIPAA, even if the app is recommended by the 
patient's doctor.\1\
---------------------------------------------------------------------------
    \1\ See The Department of Health and Human Services Office of Civil 
Rights Guidance documents, Health App Use Scenarios & HIPPA. February 
2016 (``Developer is not creating, receiving, maintaining or 
transmitting protected health information (PHI) on behalf of a covered 
entity or another business associate. The doctor's recommendation 
implies her trust in the app, but there is no indication that the 
doctor hired the app developer to provide services to patients 
involving the handling of PHI. The consumer's use of an app to transmit 
data to a covered entity does not by itself make the app developer a 
[business associate] of the covered entity.'')
---------------------------------------------------------------------------
    Today, consumers may not fully appreciate which of their health 
data is collected by an entity subject to HIPAA, and so protected by 
HIPAA, and which is not. To the extent personal health information is 
not already covered by HIPAA (``non-HIPAA health data''), privacy and 
security rules comparable to HIPAA should apply to it. This is not only 
vital to maintain consumer trust, but also necessary to honor the 
rightful expectations of all consumers that their health information, 
among the most sensitive of personal information, is appropriately 
safeguarded, and that they may exercise the same types of privacy 
rights with respect to it as they enjoy with respect to data covered by 
HIPAA. As the Subcommittee continues to assess the management of 
veterans' health data, we are pleased to share the Confidentiality 
Coalition's ``Beyond HIPAA'' Privacy Principles that outline our views 
on the protection of non-HIPAA health data. A copy of these principles 
is attached to my testimony.
    The Coalition believes that any Federal legislation to protect non-
HIPAA health data should do so in a manner that harmonizes with the 
existing HIPAA framework. This includes HIPAA's implied consent for the 
use and disclosure of health information for treatment purposes, and 
minimum necessary information for payment and health care operation 
purposes. It also includes the requirement to obtain an individual's 
written authorization to use or disclose their protected health 
information (PHI) for marketing purposes or to sell their PHI. HIPAA 
authorizations put individuals on notice that, once disclosed, their 
data may no longer be protected by HIPAA. They also require HIPAA 
covered entities to be transparent and disclose if their marketing 
communications are funded by the entity whose product or services are 
being marketed. In addition, covered entities are required to provide 
individuals with a notice of privacy practices that describes the 
entity's privacy practices, the purposes for which it uses and 
discloses PHI, and the individual's privacy rights and how to exercise 
those rights. This transparency is an important protection that is 
particularly relevant as businesses seek to monetize health data.
    At the same time, the HIPAA framework recognizes that health 
information is not a commodity, the flow of which is determined by the 
highest bidder. Great care was taken when establishing the HIPAA 
framework to balance various competing interests--the privacy rights of 
the individual, the public interest served, the need for information to 
be used for essential health activities consistent with consumer 
expectations, and the burden on covered entities - and HHS repeatedly 
cited this balancing approach when it first issued its Privacy Rule \2\ 
and in subsequent modifications to it. This same approach should be 
taken in addressing non-HIPAA health data.
---------------------------------------------------------------------------
    \2\ See, for example, 65 Fed. Reg. 82462 (December 28, 2000) at 
82464 (``The rule seeks to balance the needs of the individual with the 
needs of the society''); 82468 (``The task of society and its 
government is to create a balance in which the individual's needs and 
rights are balanced against the needs and rights of society as a 
whole''); 82471(``Neither privacy, nor the important social goals 
described by the commenters, are absolutes. In this regulation, we are 
asking health providers and institutions to add privacy into the 
balance, and we are asking individuals to add social goals into the 
balance''); and 82472(`` The need to balance these competing 
interests--the necessity of protecting privacy and the public interest 
in using identifiable health information for vital public and private 
purposes--in a way that is also workable for the varied stakeholders 
causes much of the complexity in the rule'').
---------------------------------------------------------------------------
    Harmonization, including alignment with HIPAA concepts, definitions 
and standards, is critical to provide consumers with the assurance of 
consistent protection of all their health information, and to ensure 
the appropriate exchange of health information by health organizations, 
whether covered by HIPAA or not, is not impeded. For example, even as 
seemingly technical an issue as the definition of de-identified data 
could have potentially major ramifications if the HIPAA definition is 
not used. This is because data that is considered de-identified under 
HIPAA may not be considered de-identified under a new law and so 
potentially not covered by it. The unintended consequence of this is 
that it could seriously and adversely impact the ability of healthcare 
organizations to aggregate and share health data for important public 
policy purposes such as developing evidence-based standards, quality 
metrics and standards, medical research, and management of healthcare 
delivery, to name only a few.
    The same can be said for other HIPAA definitions and concepts, 
including permissible uses and disclosures without explicit 
authorization, the requirement to be transparent about uses and 
disclosures in the form of a notice of privacy practices, and the right 
of individuals to access and receive portable copies of their 
electronic health records, among other things. Aligning any new 
legislation to govern non-HIPAA health data with the HIPAA definitions 
and requirements will also provide consumers with a more coherent and 
seamless privacy framework, allowing them to more easily understand how 
their health data is protected and exercise their privacy rights.
    Equally important, security safeguards should be commensurate with 
the safeguards required by the HIPAA privacy and security standards. 
These require reasonable and appropriate administrative, technical, and 
physical safeguards to protect the confidentiality of all protected 
health information, and the integrity and availability of electronic 
health information. Like the HIPAA Security Rule, any security standard 
should be technology neutral, scalable, and allow for a flexible risk-
based approach. Robust security requirements for non-HIPAA health data 
are critical not only for large and sophisticated businesses that 
collect vast amounts of data, but also for smaller companies and 
startups developing new products and services, which should be 
incorporating security-by-design practices in their product development 
process. Whether their personal health data is covered by HIPAA or not, 
consumers should know that those to whom they entrust this data will 
keep it secure in accordance with well-vetted and accepted national 
security standards.
    The Coalition strongly supports efforts to increase 
interoperability to facilitate the appropriate sharing of health data 
among healthcare organizations, as well as the access and availability 
of electronic health records to consumers themselves. This is another 
reason to ensure harmonization between laws governing PHI and non-HIPAA 
health data and to have national standards for health information 
privacy and security. The great promise of interoperability - using 
technology to engage patients, deliver meaningful insights to help in 
the identification and diagnosis of disease, and guide treatment 
decisions--depends on the ability to appropriately share health data 
among HIPAA covered entities and others for these purposes. This 
promise cannot come to fruition if these organizations are subject to, 
and constrained by, different standards that do not align or, 
potentially even conflict, with one another. This has proven to be a 
challenge for the appropriate sharing of patient substance use disorder 
information. The investment of effort at the outset when crafting 
legislation so as to avoid this type of misalignment will yield 
significant dividends in the form of improved healthcare outcomes and 
quality of care, not to mention a more seamless and workable privacy 
framework for veterans, healthcare organizations and service providers. 
This is particularly pertinent today as the Administration seeks to 
execute on the requirements of the 21st Century Cures Act to improve 
health information interoperability with the goal of promoting greater 
data sharing among patients, healthcare providers, payers, researchers, 
and other healthcare entities. As the Office of the National 
Coordinator of Health Information Technology stated in its recently 
released draft 2020-2025 Federal Health IT Strategic Plan:

    [N]ew technologies, along with existing claims and EHR data, mean 
that the volume of health and health-related data being generated and 
available for improving care quality has never been greater. 
Collecting, organizing, analyzing, interpreting, and applying this 
``big data'' to clinical decisionmaking is both a challenge and a 
significant opportunity.\3\

    \3\ See The Department of Health and Human Services Office of the 
National Coordinator of Health Information Technology document, 2020-
2025 Federal Health IT Strategic Plan. January 2020
---------------------------------------------------------------------------
    For the same reasons, as healthcare organizations make the 
transition to a nationwide, interoperable system of electronic health 
information, we believe it is essential to replace the current mosaic 
of sometimes conflicting State privacy laws, rules, and guidelines with 
strong, comprehensive national standards.
    In closing, the HLC and Coalition commend the Subcommittee for 
seeking to address the challenges faced by the VA in managing veterans' 
health data in a world where the value of this data has never been 
greater, the risks posed to it more serious, or the opportunities for 
its beneficial use more abundant. We believe a balanced approach, 
compatible with and modeled upon the existing HIPAA framework, and that 
provides protections for non-HIPAA health data similar to that provided 
for PHI under HIPAA, is the best way to address these challenges and 
provide a comprehensive, consistent and transparent health information 
privacy framework for the health data of those in service and beyond.
    Attachments
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
                 Prepared Statement of Ramsey Sulayman

    Chairwoman Lee, Ranking Member Banks, and members of the 
subcommittee, on behalf of the men and women of the Veterans of Foreign 
Wars of the United States (VFW) and its Auxiliary, thank you for the 
opportunity to address the issues of data privacy and portability and 
our members' expectations of the Department of Veterans Affairs' (VA) 
responsibilities to protection their privacy.
    As the Department of Defense (DOD) and VA move toward a joint 
electronic health care record (EHR), veterans' information will become 
more accessible for VA and DOD providers and their community partners. 
This is a good thing. The concentration of personal data in a joint 
electronic health care record also makes the record more desirable for 
nefarious actors from foreign governments, non-State actors, and 
criminals acting as part of organized crime groups or individually. In 
2018, the White House Council of Economic Advisers estimated that 
cybercrime cost the United States' economy between $57-109 billion. A 
person's health record contains a vast amount of personally 
identifiable information that can be used for ill.
    While the loss or compromise of veterans' health care data 
certainly comes with an economic cost, it also carries the non-
quantifiable costs in the loss of dignity, trust, and confidence. In 
creating an EHR that can communicate and easily exchange data with 
other government agencies, as well as commercial health care systems, 
insurers, and private providers, VA must ensure that veterans' 
information remains secure when it leaves the VA ecosystem. VA must 
also ensure that control of data remains with VA and the veteran, and 
define the expectations for data retention and control with community 
partners. VA is responsible for ensuring that sufficient protocols are 
in place to guard against an unthinkable trusted insider intrusion or 
even simple unauthorized access.
    The VFW is not opposed to commercial off-the-shelf solutions; there 
is no need for VA to reinvent the wheel when it comes to technological 
solutions. Creating information technology (IT) solutions is not the 
VA's core strength. Therefore, the strongest possible privacy 
protections from third-party vendors must be in place. Very specific 
policies and procedures must be in place that address data collection, 
data use, transfer of information, and information retention, in 
particular through End User License Agreements (EULA). EULA are the 
terms of service that must be accepted, often unilaterally, for a 
veteran to use an app or website. EULAs generally incorporate a privacy 
policy that specifies the four criteria above. As mentioned, EULAs are 
often ``take it or leave it'' terms. The difference between the effects 
of a EULA on a commercial site and a EULA on a VA site is that veterans 
who opt to ``leave it,'' risk losing access to benefits and services 
earned through service. VA has a monopoly on administration of 
veterans' health care and benefits. Whereas monopolies in the 
commercial market are largely outlawed, so consumers are able to seek 
service from a competitor if they ``leave it'' in the private sector.
    Beginning with EULAs, VA must ensure that partners collect the 
minimum amount of information, have the shortest retention time 
possible, and provide clear opt-in criteria. Opt-in was not a slip of 
the tongue. Veterans and service members should have to opt-in to data 
collection rather than opt-out; the strictest criteria and the most 
minimal collection should be the standard. We will address health care 
data sharing, which the VFW supports as an opt-out, later in this 
testimony. Data collection must be limited to only necessary and 
pertinent data. Tracking a veteran's data from usage of specific sites 
is not necessary to the conduct of that veteran or service member's 
business with VA or DOD.
    As an example, VA is in the process of consolidating all its 
veteran facing websites into its updated VA.gov portal. To access their 
VA.gov portal, veterans are prompted to sign up with ID.me, without a 
reliable alternative. The use of the ID.me login credentials places 
veterans in the unique position of having to accept the terms of 
service and privacy policy in the EULA in order to log on and access VA 
benefits earned through service. The ID.me process is much easier and 
reliable, for example, than acquiring a DSLogon account or other VA log 
on if the veteran is not enrolled in the VA health care system or with 
the Veterans Benefits Administration, or is no longer active in the 
Defense Enrollment Eligibility Reporting System (DEERS) or the Defense 
Financial and Accounting Service (DFAS). While the ID.me EULA and 
privacy policy specifically states that no veteran information will be 
sold by ID.me, it also specifically states that data may be transferred 
to partner websites that have a different privacy policy over which 
ID.me has no control. In other words, to use ID.me services, a 
veteran's information may be transferred to a trusted ID.me partner. 
However, the EULA does not guarantee ID.me's partners will not sell or 
utilize that data for a commercial purpose, including aggregating it 
with other sources that may personally identify the veteran.
    The security of veterans' health information is of paramount 
importance. As health care technology advances and more details become 
available through diagnostic and genetic testing, that information will 
become more concentrated in locations like the EHR. The VFW urges VA to 
place the highest priority on security and utilizing the strongest 
possible technological solutions to safeguard veterans' health data.
    Project Nightingale, a joint commercial venture between Google and 
Ascension Health, the Nation's second-largest health care system, 
underscores some of these issues surrounding data collection and 
utilization. Google partnered with Ascension to digitize the health 
records of Ascension's patients and then apply tools such as artificial 
intelligence (AI) to look for patterns. While some of these patterns 
related to early prediction of disease or better treatments for 
existing conditions, one of the goals of the program was also to see 
where more revenue could be squeezed out of care. While the attempt to 
use health care data to generate new revenue streams is of concern, the 
larger philosophical concern is that patients' private health care data 
may migrate to Google without the prior consent of patients. Ascension 
could provide these records because, under the Health Insurance 
Portability and Accountability Act of 1996 (HIPPA), Google is a 
business associate of Ascension helping Ascension execute 
administrative functions necessary to the provision of health care. I 
use Ascension as an example because Ascension very actively marketed 
its services to veterans participating in the VA Veterans Choice 
Program. Ascension is a fine health care system noted for its quality 
of care, but what is important for VA and veterans is that a veteran 
who uses Ascension (or any other health care system that has external 
partners with big data programs) does not automatically have his or her 
health care information vacuumed into a program to which he or she did 
not consent by virtue of existing business partners or covered entity 
relationships between health care providers, systems, or insurers and 
data focused enterprises.
    Provider records, however, is not the only kind of health care 
information that people generate. User-generated data, such as that 
from wearable devices like FitBit, are not covered by HIPAA. I pick on 
FitBit versus Apple Health or Huawei Health because FitBit is owned by 
Google. One can see that the acquisition of health care data from 
HIPAA-protected sources and unprotected user generated data is a major 
effort for Google. Google is not alone, though. Apple, Amazon, 
Facebook, and Microsoft are but a few of the major established 
information technology players also working on cornering the big data 
market in health care. The combination of data from FitBit users whose 
data is also contained in Project Nightingale leads to questions about 
what that data and its commercialization will lead to.
    Smaller players like Xealth are also in the market and working on 
similar products and initiatives. Xealth, which has attracted investors 
that include the Cleveland clinic, University of Pittsburgh Medical 
Center, Atrium Health, and Amazon, has developed a product where health 
care providers can check off products and services from a digital 
shopping list, and offer or prescribe them to patients as part of the 
visit or consultation. Patients can then use the recommendations from 
Xealth to order products, services, and prescriptions directly from 
vendors, including Amazon. Even excluding the sharing or leakage of 
health data, purchasing patterns of consumer goods can lead to 
predictions about health conditions. For example, the purchase of 
compression socks, syringes, and testing strips can be analyzed to 
determine that a consumer suffers from diabetes - all from non-HIPAA 
protected information.
    Genetic information adds to the mix and can present daunting 
questions of privacy. While major commercial providers of DNA testing 
for purposes of determining ancestry and genealogy are pretty good 
about requiring opt-in for certain information sharing, and informed 
consent for research purposes, they also note that they are not 
required to comply with HIPAA and that they may store and share 
information, including genetic information, with their service or 
business partners. As with EULAs, these partners may have different 
privacy policies, and one has to review all the privacy policies of all 
partners. Other sites, for instance GEDmatch, make all genetic 
information submitted publicly available. It is estimated that 60 
percent of Americans who are of Northern European descent can be 
identified through data in public data bases, with that figure expected 
to rise to 90 percent in the next few years.
    How does this affect veterans? VA's Million Veteran Program (MVP) 
immediately comes to mind. VA is merging the health care and genetic 
data of veterans who opt-in in a landmark study that has revolutionary 
implications for the provision of health care. However, little is 
discussed about data security, and what is available is not in plain 
language. However, VA does note that ``There could be a slight risk of 
a breach of confidentiality, and if information about you does leak 
out, the VA will not be able to guarantee that it will be protected.'' 
VA must do what it takes to ensure a breach does not occur. The VFW 
also urges VA to be more transparent about the policies and procedures 
in place to assure data safety, and provide prominent links to the full 
policies, as well as plain language translations.
    While all this when placed in a certain context may be Orwellian, 
we must not see a conspiracy around every corner. Health care data 
sharing can yield immense benefits. As much as we believe that medicine 
is science, it is also art and relies heavily on providers' experience 
and judgment. At a certain point, the symptoms of a common cold can 
look an awful lot like those of a life-threatening disease, or a major 
medical event such as an aneurysm, heart attack, or stroke. Growing up 
in a medical family, I have heard enough anecdotes about medical 
miracles and missed diagnoses that I could churn out scripts for 
tearjerkers on the Hallmark Channel indefinitely into the future. 
Often, these missed moments or life-saving revelations were the result 
of experience and noticing details that may have been overlooked, or 
were not in a provider's experience base. Technology can help solve 
this.
    A doctor can have a patient's entire medical history at hand 
without relying on the limitations of a patient's memory or self-
reporting. The availability of the complete medical record can allow 
the doctor to make a more informed diagnosis. That diagnosis can be 
checked by an impartial AI system that might see patterns missed in the 
rush of an emergency room visit on a busy day. User-generated 
information from health trackers can objectively report a patient's 
activity levels, sleep, and other vitals without having to rely on 
memory and self-reporting from patients who may be in crisis or less 
than one hundred percent. Amalgamated, de-identified patient data can 
be searched, and research populations identified, with big data tools 
in a fraction of the time as in the past by hand. There are benefits, 
but the benefits must balance the risks, and we must look at what may 
be possible in the future versus what we merely see as possible today.
    The laws governing privacy rights, particularly with electronic 
data, are more of a patchwork than a comprehensive whole. HIPAA was 
passed in 1996, in an era before big data when records were kept 
locally and on paper before today's computing power was available. For 
reference, Amazon was merely an online book seller and my Apple 
Macintosh LC 3 had a whopping 80 megabytes of memory. The VFW applauds 
this subcommittee for looking at this issue intently and, ever so 
importantly, with an eye to the effects from the perspective of 
veterans. As institutions that safeguard the rights for which our 
veterans fought, and as organizations that represent our veterans' best 
interests, we must ensure that privacy and security, or information, 
particularly health data, is paramount and that veterans remain in 
control.
    This concludes my statement. Thank you for your time and I look 
forward to answering any questions you may have.
                                 ______
                                 

               Prepared Statement of Harold F. Wolf, III

    Chairwoman Lee, Ranking Member Banks and Members of the 
Subcommittee--thank you for the opportunity to testify today on behalf 
of the Healthcare Information and Management Systems Society (HIMSS) on 
how to safely and securely manage veterans' health data.
    My name is Hal Wolf, and I am the President and Chief Executive 
Officer of HIMSS. I represent more than 80,000 members globally who are 
dedicated to transforming the health ecosystem through information and 
technology. As a mission-driven non-profit, HIMSS offers a unique depth 
and breadth of expertise in health innovation, public policy, workforce 
development, research and analytics to advise global leaders, 
stakeholders and influencers on best practices in health information 
and technology. Headquartered in Chicago, Illinois, HIMSS serves the 
global health information and technology communities with focused 
operations across North America, Europe, the United Kingdom, the Middle 
East and Asia Pacific.
    We appreciate the Committee holding today's hearing on ``Data 
Privacy and Portability at the VA: Protecting Veterans' Personal 
Data.'' Today's hearing around the role of Congress and the Department 
of Veterans Affairs in ensuring the confidentiality, integrity, 
security, interoperability, and availability of patient data reflects a 
larger conversation occurring across the healthcare ecosystem. Namely, 
as the significant investment in technological advancements in 
healthcare now allows us to capture and use data and the ensuing 
information it provides in unprecedented ways, to realize the full 
potential of that data to improve health outcomes, we must ensure the 
proper processes around privacy and security are in place to protect 
the patient's most sensitive data and information.
    Before joining HIMSS, I served at The Chartis Group as Director; 
Practice Leader of Information and Digital Health Strategy, and prior 
to that I was Senior Vice President and Chief Operating Officer of 
Kaiser Permanente's The Permanente Federation. During this time, I was 
responsible for the development and implementation of critical care 
delivery strategies, data management and governance, population care 
management environments and the implementation of unique innovations 
and large-scale programs that impacted end-to-end operations. Critical 
to the innovations introduced within these functions was maintaining 
the security and protection of the confidential information entrusted 
to us by our patients. These responsibilities require the same 
vigilance in all systems undergoing strategic change.

Changes in the Digital Health Ecosystem Driving Data Availability, 
Access, and Use

    Our healthcare ecosystem is undergoing a profound transformation 
that is increasing pressure on all stakeholders to drive innovation. A 
significant piece of that change is in the digital health space, 
particularly around the need to provide patients access to and use of 
their data and information to derive meaningful benefits for their own 
health.
    As a matter of principle, HIMSS firmly believes that seamless, 
secure, ubiquitous, and
    nationwide data access and interoperable health information 
exchange should ensure the right people have the right access to the 
right health information in a usable format at the right time to 
provide the optimal level of care.
    However, until you take data, that is essentially ones and zeros, 
categorize it, and put it into digestible pieces to create information, 
we do not have the ability to use it in the way that we want. Data 
alone isn't the solution - it is fundamentally useless until you turn 
it into information.
    For example, the health app on your smartphone takes data and turns 
it into information that is then used by the individual. Subsequently, 
when you do a comparative analysis, that information becomes knowledge 
that can provide real health benefits to the patient and to the 
ecosystem at large.
    As we transition from volume to value-based care to achieve the 
goals of improved care outcomes, lower cost per episode, and enhanced 
delivery of care, technology-enabled data collection and interoperable 
data sharing will play a vital role in supporting these efforts. Given 
the large population receiving services through the Department of 
Veterans Affairs healthcare system, it is not a stretch to see that VA 
is facing the same external pressures to make more data available to 
and for veterans and help them better manage their health.
    Technology has advanced to the point that it is ubiquitous in most 
healthcare interactions, and it plays such a critical role in how we 
connect clinicians, patients, caregivers, and applications. Further, 
based on the convenience of mobile apps and devices in other 
industries, patients are growing more sophisticated in their knowledge 
of the health system, and ability to understand and act upon the 
information shared through these technologies. As a result, patients 
are more resolute in their needs and expectations--they expect the same 
level of access, connectedness and engagement with their healthcare 
that they experience in other facets of their lives.
    Particularly, in the last several years, we have seen an incredible 
attention shift to a consumer-based approach regarding integrated care. 
With greater incorporation of technology into the healthcare ecosystem, 
and as more information becomes readily available and accessible, many 
in the health ecosystem have been looking toward the use of data and 
available information as a means to solve the multitude of problems we 
have in healthcare. This data is particularly important, for instance, 
when a patient goes for a second opinion.
    The Federal Government, particularly the Department of Health and 
Human Services (HHS), Centers for Medicare and Medicaid Services, and 
Office of the National Coordinator for Health IT, has played a vital 
role in helping the healthcare ecosystem prepare for the continuing 
increase in data and information access and usage. Through recent 
proposed regulations that we believe will advance interoperability and 
support greater patient access to data, HHS is seeking to increase 
innovation and competition by giving patients and their healthcare 
providers safe and secure access to health information and new tools 
that will allow for more choice in care and treatment. The regulations 
also propose to adopt standardized application programming interfaces 
(APIs) in the healthcare industry to help allow individuals to securely 
and easily access structured electronic health information (EHI) using 
smartphone applications. This advancement places a strong focus on a 
patient's ability to access their health information through a 
provision requiring that patients can electronically access all of 
their EHI at no cost.
    Healthcare stakeholders should demand integration among all 
interoperability approaches, entities, and trusted exchange frameworks, 
and support combining administrative and clinical data to enhance 
transparency and enable value-based care delivery for the public good.
    Moreover, health IT systems must be designed to ensure patients and 
consumers are at the center of care delivery and obtain the right 
information at the right time to enable them to make informed decisions 
about the delivery and coordination of their care and seamlessly 
communicate with their providers.

Growing Challenges and Opportunities Around Patient's Personal 
Healthcare Data

    Differences and Distinctions Between Data Access, Ownership, Usage 
and Stewardship

    Any discussion around a patient's health data inevitably leads to 
questions around who owns the data, who can access the data, what can 
be done with the data once access is granted and what are the 
stewardship responsibilities over the data when it is in possession of 
any entity. . An obstacle we often hit is getting bogged down in 
ownership - we spend time arguing over who owns the data, resulting in 
an unwillingness to share. This construct does neither the patient and 
caregiver nor the provider any good. It is imperative that our mindset 
shifts to that which benefits patient or individual health, and that 
includes sharing across multiple platforms and systems to realize the 
full potential of data in improving health outcomes.
    Generally speaking, data ownership refers to the entity or 
individual who owns the data. For example, in the current way of 
thinking, healthcare providers own the designated record set, and 
health plans may own the data of its members. It is important to note 
however, that data may not necessarily be in the ``possession'' of 
someone/something, but it can flow through an entity, for example, like 
a conduit. Possession does not imply ownership. Additionally, the 
complexity of applications, such as electronic decision-support (EDS), 
use not only clinical data, but also social data such as lifestyle 
information to help guide individual recommendations. Those data 
sources can be numerous and often involve multiple pass throughs.
    Data access simply refers to being in possession of data in some 
way. This might include the ability to read, edit, or copy data for a 
variety of purposes. From a security standpoint, access is controlled 
according to rules based on ``need to know.'' Access control is 
frequently based on the role of the person requesting the data. 
Thinking beyond individual access--it isn't just a person who may have 
access to the data, but also an entity, such as an intelligent 
artificial agent that performs tasks on behalf of a larger entity such 
as a health system. And access control issues are further nuanced, 
moving beyond who has the need or right to access the data to include 
the more important concept of what that person or entity can do with 
the data once in their possession. This idea of what can be done with 
the data falls to the concept of data usage - which is where I think 
the conversation should center.
    Data usage is basically the rules and rights of how the data can be 
appropriately stored, movement of the data, and its secondary use both 
short and long term. Rules around usage have impact on many areas such 
as secondary research, resale of data for commercial purposes as well 
as impacts on access hierarchy as mentioned above. The goal of data 
usage is to achieve the greatest possible benefit that may be realized 
from the effective and appropriate access to the data, while, at the 
same time, protecting the rights of the individual and originating data 
entity.
    Data stewardship focuses on minimizing the risk to patients and to 
the organization in both the access and use of the data by providing a 
secure and trackable environment. Cybersecurity is an important 
component of data stewardship. Data use and stewardship falls squarely 
in the realm of governance.

    Personal Healthcare Data- Who has access? Who should have access? 
Who shouldn't?

    It is safe to say that there is nothing more personal and valuable 
to an individual than their health information. When you look at the 
fact that healthcare, which is the largest industry in the world from a 
Gross Domestic Product standpoint, is being driven by data and the use 
of information, it stands to reason that the information and data held 
by this sector is a valuable asset. Data has to be protected at the 
human level, and the economic level, which creates complications. In 
order to ensure that both veterans and broader patient populations 
receive the best possible care, providers, patients, and caregivers 
must be able to access the right information at the right time to allow 
for the most accurate decisions about the delivery and coordination of 
care for our veterans.
    There are several public policy levers in place that the Department 
and the veteran community can leverage to achieve true data access and 
use by this population. Alignment of data access and use paradigms 
across VA as well as the broader healthcare delivery system will prove 
beneficial to veterans that receive some care in VA facilities, but 
also utilize community providers.
    The Health Insurance Portability and Accountability Act (HIPAA) 
remains an integral part of our Nation's information security and 
privacy infrastructure for both veterans and the broader patient and 
consumer populations. A Proposed Regulation with changes to HIPAA is 
under development in the HHS Office for Civil Rights. With respect to 
the public dialog on possible HIPAA changes, HIMSS has focused on 
encouraging the safe portability of data. Specifically, HIMSS believes:

      It is imperative that HIPAA Regulations work in concert 
with the 21st Century Cures Act Information Blocking Rules

      Any Changes to HIPAA Rules Should Prioritize the Needs 
and Role of the Patient in Care Coordination Activities

      Rule Modifications Should Ensure Alignment and Eliminate 
Regulatory Gaps Between HIPAA and State Laws as well as Other Measures

      HHS Must Redouble Efforts to Educate the Public and 
Providers About the Scope and Reach of HIPAA

    Ultimately, HIMSS would like to keep HIPAA focused on articulating 
the standard ways that individuals' health information is to be used 
and disclosed. Our broader perspective on interoperability remains 
focused on ensuring the right people have the right access to the right 
health information at the right time. While we have made great strides 
over the past generation, seamless, secure, nationwide interoperable 
health information exchange has continued to elude us. Ensuring that VA 
continues to build on the advances undertaken by HIPAA as well as other 
measures promulgated at HHS will be huge steps in the right direction 
for the veteran community and could lead the larger health ecosystem.
    In addition, HIMSS wants to continue working toward creating a 
healthcare ecosystem that reinforces the secure access to, exchange of, 
and use of electronic health information. This includes building upon 
these existing protections and helping to ensure patient privacy as 
well as access in a HIPAA-regulated world and for non-covered entities 
under HIPAA.

Addressing Patient's Privacy and Security Concerns

    We are all in agreement that patient data needs to be protected, 
for both information privacy and security purposes. However, healthcare 
delivery and coordination of care cannot be achieved without data 
shared in an interoperable manner across various systems. Thus, a 
careful balance must be made between the need to keep the data private 
and secure, while remaining shareable across various environments to 
help ensure that patient care is not impeded.
    The HIPAA Privacy and Security Rules govern how protected health 
information may be used and disclosed, as well as how it may be secured 
in terms of physical, technical, and administrative safeguards to 
ensure the confidentiality, integrity, and availability of information. 
Good cybersecurity practices help to ensure that data will indeed be 
kept confidential, have integrity, and be available on demand.
    Cybersecurity, a key responsibility to data stewardship, is a 
necessary predicate to data privacy, access, and usage. These elements 
cannot exist were it not for cybersecurity, especially within an 
electronic environment. Additionally, data should be protected, not 
just to preserve data privacy, but also to protect the patient and 
preserve patient safety. Recognizing the value of such data, we need to 
have robust cybersecurity practices (and policies) in order to ensure 
interoperability of healthcare data as well. People, processes, and 
technology must work in tandem with each other.
    HIMSS has long believed that maturing and advancing the state-of-
the-art for security and information privacy across the global health 
sector should be supported to: (1) protect the confidentiality, 
integrity, and availability of patient data and other sensitive 
information and assets of stakeholders, (2) ensure the continued and 
effective delivery of patient care and coordination of care, (3) 
protect patient safety and privacy, and (4) further the delivery of 
safe, secure, and effective technology-enabled care-delivery across 
disparate health systems.
    I would like to thank Chairwoman Lee and Ranking Member Banks for 
this opportunity to testify today, and all members of the Subcommittee 
for prioritizing such a critical issue. The VA has no greater priority 
than ensuring that our veterans receive the best possible care, and 
this cannot be done without ensuring the safety and security of their 
personal data and health information.

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                                 [all]