[This Transcript is Unedited]



February 26, 2001

Hubert H. Humphrey Building
200 Independence Avenue S.W.
Washington, D.C.

Proceedings By:
CASET Associates, Ltd.
8 10201 Lee Highway, Suite 160
Fairfax, Virginia 22030

List of Participants:


P R O C E E D I N G S (9:00 a.m.)

DR. LUMPKIN: Good morning. We have a quorum, and we have the federal official here, and now we have a quorum, but we are also legal, which is something that is also desirable.

For those of you on the Internet, my name is John Lumpkin, and I am Chairman of the committee. Before we get started with welcomes and introductions, I did want to thank Simon and the rest of you. At our last meeting, I don't believe I was here. Thank you for taking that opportunity.

As all of you know, we have been through some very trying times as a nation. For about three or four months after September 11, the governor's office was very hesitant to let me leave the state. I think it had something to do with the fact that on September 11, every emergency management agency director in the nation was meeting in Montana, at the national association, and many of them had great difficulty getting back to their states. So you never can tell. So I think the line from my governor's chief of staff was, if I were you, I wouldn't go, but you can do what you want. I thought that was pretty clear.

But things have moved forward. Obviously there has been a significant re-evaluation of our commitment as a nation to public health and to the public health infrastructure. A key component of that has been an increasing focus on our ability to monitor our surveillance of disease, and not only diagnose disease, but also disease complexes. I think that has heightened some of the weaknesses in our infrastructure, so our document that we recently released on NHRI was extremely timely in beginning to address those.

So it does point out that while many of us have thought that the work of this committee is very important, now increasingly we see its connection to national security, not only preparing the health of the nation, but also dealing with the security of the health of the nation.

So thank you all for working forward in my absence, and we look forward to a very fruitful meeting.

Why don't we go through introductions? We will start off to my left. Jim?

MR. SCANLON: Good morning. I am Jim Scanlon from the Office of the Assistant Secretary for Planning and Evaluation in HHS. I am the executive staff director for the committee.

DR. STARFIELD: I am Barbara Starfield from Johns Hopkins University, and a member of the committee.

DR. FITZMAURICE: I am Michael Fitzmaurice, Senior Science Advisor for Information Technology, the Agency for Health Care Research, liaison to the National Committee, staff to the Subcommittee on Standards and Security, and lead staff to the Secretary's new Council on Private Sector Initiatives.

DR. HARDING: I don't know what to say after that. I'm just Richard Harding from the University of North Carolina School of Medicine. I am also president of the American Psychiatric Association.

DR. SHORTLIFFE: I am Ted Shortliffe from Columbia University Department of Medical Informatics, member of the committee.

MR. BLAIR: Jeff Blair from the Medical Records Institute and a member of the committee.

MS. FROHBOESE: Good morning. I am Robinsue Frohboese, the Principal Deputy and Acting Director for the Office for Civil Rights here at HHS. The Office for Civil Rights is responsible for implementation of the privacy rule, so I will be chatting with you about that in just a few minutes.

MR. SCANLON: I'm still Jeff Scanlon.

MS. TRUDEL: Karen Trudel from the Center for Medicaid and Medicare Services.

MR. AUGUSTINE: Ray Augustine, Corporate Director for Special Projects in Gambro Healthcare and the president of Tiger Solutions Incorporated, member of the committee.

DR. LUMPKIN: Welcome to your first meeting.

DR. FRIEDMAN: Dan Friedman, Massachusetts Department of Public Health, member of the committee.

DR. COHN: Simon Cohn, a physician and National Director for Health Information Policy for Kaiser Permanente, and a member of the committee.

MS. COLTIN: I am Katherine Coltin from Harvard Pilgrim Health Care, a member of the committee.

MS. REED-FOURQUET: Lori Reed-Fourquet. I am the vice chair with E31.20 ASTM, and also a delegate to ICTC 215, focusing on health information security and PKI initiatives.

DR. WEAVER: Tom Weaver, American Optometric Association.

DR. SUTERS: Amy Suters with the PNA Group.

DR. FRADES: Kristin Frades with American Medical Security.

DR. FROHAGER: Elizabeth Frohager, Price Waterhouse.

DR. PICKETT: Donna Pickett, National Center for Health Statistics.

DR. GILBERTSON: Lorna Gilbertson, National Council for Prescription Drug Programs.

MS. KAMISKY: Stephanie Kamisky, the Office for Civil Rights and lead staff to the privacy subcommittee.

MR. FANNING: John Fanning, Department of Health and Human Services.

MS. JACKSON: Debby Jackson, NCHS staff.

MS. BEEBE: Susan Beebe, NCHS, staff.

DR. WILDER: Tom Wilder, American Association of Health Plans.

MS. KANON: Susan Kanon, lawyer for the committee.

MS. MC ANDREW: Sue McAndrew, Office for Civil Rights.

MR. STOSS: Eric Stoss, Center for Regulatory Effectiveness.

MS. ALD: Susan Ald, National Library of Medicine.

DR. SONDIK: Ed Sondik, Director of the National Center for Health Statistics.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention.

DR. MOORE: Bob Moore, Titan Systems Corporation.

MR. BOSTOWITZ: Roy Bostowitz, National Association of Chain Drugstores.

MS. GREGOVITCH: Nancy Gregovitch from the California Pacific Medical Center Foundation.

MR. DEWALD: Ian Dewald, Department of Justice, Criminal Division, Fraud Section.

DR. JOHNSON: Pam Johnson, American Society of Cataract and Refractive Surgery and American Society of Ophthalmic Administrators.

MS. FULLER: Sandy Fuller, the American Health Information Management Association.

MR. RUDIE: Dan Rudie of the American Health Information Management Association.

MR. BULLER: Lyle Buller, the National Coalition for Cancer Research.

MR. PATACORD: Doug Patacord. I am with the National Coalition for Health Information Policy and Quintiles Transnational.

DR. WHITE: Racie White, NCHS.

MS. CASE: Kirstin Case, Austin, Frank and Rida.

DR. FYFFE: Kathleen Fyffe, HHS, Office for Civil Rights.

DR. LUMPKIN: And we have a couple of other members.

DR. MAYS: Vickie Mays, University of California-Los Angeles, member.

DR. LENGERICH: Gene Lengerich, Penn State University, member.

DR. NEWACHECK: Paul Newacheck, University of California, member.

DR. LUMPKIN: Great. We have a full agenda ahead of us. Are there any additions that we need to make to the agenda? Seeing none, why don't we proceed with the update from the Department? Jim?

MR. SCANLON: Thank you, John. I wanted to this morning take a few minutes to update the committee on three activities that I have reported on back in November, and there has been progress made on all three.

Then I wanted to take a couple of minutes to follow up John's introduction to the meeting in terms of the increased investment in public health and public health preparedness and bioterrorism prevention activities, and the grant program that involves states and hospitals this month and next month. There is a fair amount of increased investment that will be directed at this area.

Let me start first of all on three activities that we briefed the committee before, and that the committee is following. The three are the National Academy of Sciences study on the adequacy of race and ethnicity data in HHS and in private sector health information systems. Secondly, I wanted to update the committee on our initiative in HHS on a Department-wide gateway to data and statistics, our base gateway. We have actually made a fair amount of progress now. Third, I wanted to brief the committee on a new development which is actually very significant for all federal agencies. It is the new OMB guidelines for insuring the quality of information disseminated by federal agencies. So let me bring you up to date briefly on those.

First of all, the National Academy of Sciences study. You will remember that about a year ago, the Minorities Health Research and Disparities Act passed by Congress directed HHS to fund a study at the National Academy of Sciences that would look at the adequacy of race and ethnicity data in HHS data systems, but in other data and local government, but private sector data systems as well.

I think I have given the committee a precis description; I can provide another one of what the study is to entail.

Late last year, we awarded a contract to the National Academy of Sciences for the study. We have met with the staff at the National Research Council to go over the expectations, and we have talked to some of the Senate and House staffers who were involved with this, to make sure we were heading in the right direction. We sent nominations for panel members as well.

I learned yesterday that Ed Perrin, I think many of you know, will be the chairman, has agreed to serve as the chairman of that panel. It sounds like they are aiming for perhaps an initial meeting, maybe in late April. I don't think they have selected any of the panel members themselves yet.

PARTICIPANT: Who is the chairman?

MR. SCANLON: Ed Perrin. Ed is actually a former member of this committee as well as former director of HCHS, and he is emeritus now at the University of Washington. He is a member of the IOM and the Committee on National Statistics.

What we are hoping that the panel will do, in addition to their own deliberations, we have asked them to hold a workshop where they would bring in representatives from the health care sector, plans, providers and so on, to look at what some of the obstacles and beliefs and ways of moving forward would be from the private sector perspective.

I think we have talked about this before. In our own federal data systems, we pretty much already collect race and ethnicity data. We collect it in a standardized way. If we have difficulties, it is usually in sample size.

In private sector data systems, or in situations where we have to rely on a third party, such as hospital abstract services or insurance data or so on, we really don't have control over what kind of information is collected. We basically buy or obtain the information.

Clearly, there is some confusion about what is allowable and what is not allowable in the area of race and ethnicity data. I know Robinsue's office has issued guidance in terms of what can be obtained and how it should be obtained. But clearly, in health care providers and insurance plans, there is still some confusion and there apparently are some obstacles that we need to look at. I think the Academy and the IOM can probably bring together the folks from that community to clarify the situation and see what they perceive as obstacles, and find a way of moving forward.

Questions on the Academy study? I know the full committee here and the population subcommittee are very interested in following that. We hope to set up some sort of a liaison as well.

Let me go on then to the second item, which is our web-based gateway to HHS data and statistics. I think I reported last November that just as we were looking at how we can better integrate our data collection activities within HHS, we also wanted to look at how we could begin integrating and improving access to the data on the dissemination and the analytic and dissemination end.

I don't have to convince the committee. We probably have at HHS some of the best in the world classed data systems, certainly among the best in the U.S., and certainly and conceivably the best in the world, ranging from surveys to research to epidemiology studies to administrative data and so on.

But it is fairly difficult to get at that data even for the sophisticated user, unless you know exactly what data source you are looking for. For the user who doesn't know all of the acronyms and which agency does what survey or what database, it is extremely difficult to navigate.

So the goal here was to put together from one Department perspective a webpage that, regardless of agency, allows you to find the kind of data that HHS produces. I should say a little bit about the scope here. We are limiting this to data and statistics that HHS agencies produce or other federal agencies produce, if it is Health and Human Services data. We are also including state and local data as well in the Health and Human Services area.

We have actually gone ahead now, and we developed a prototype of that gateway, which we have tested in our own office in ASPE. We now have it -- I guess it is something like a beta test under Data Council auspices here at HHS. If it works out, I think we will open it up more generally. There are still a few kinks, as you can imagine, to work out, but let me tell you a little bit of what it brings together.

Again, if you are looking for certain kinds of data, health insurance data, state health insurance data, infant mortality data, whatever it is, you don't have to know what exactly the name of the system is or who at HHS, or what the acronym is. You can simply take one of our shortcuts to the national vital statistics system. It will take you to all of the data that NCVHS has on their website in that area. If you were looking for disability data, it would take you to our major data sources on disability, health interview survey, the disability survey and some census surveys.

There is also a provision for relevance as well. We have had folks who actually know the data come up with judgments of -- when you are looking for disability data, what are the sources you are likely to find useful. So we have a relevance capability as well.

We also include on this first page access to our policy information center in HHS, which going back to the 1970s, includes virtually all of the major program evaluation and policy research that HHS has supported. It is all there in abstracts, and usually there is a direct link to the documents as well.

We have our HHS meta directory of virtually all of the major data systems in HHS. It is a little over 200, but that is a little bit misleading; some of them are very specific, stovepipe surveillance systems. But at any rate, if you really want to browse, find out what the major data systems are, you can browse that meta directory. We have links there to the actual data if it is on the website. We are in the process of updating that as well.

That basically includes a description of each of the major data systems. It includes extensive information as well about the kinds of race and ethnicity information that those data systems contain.

We have one click that takes you to our roughly two dozen major workhorse data systems in HHS, things like the health interview survey, the vital statistics system, the Medicare beneficiary survey. These are the major surveys that are meant to be general purpose in nature, and there we have shortcuts that will take you right to their websites, in terms of the data that they might have.

Then we also have links to a couple of other data policy areas. We have a link to the NCVHS website. We have a link to the Data Council website. We have a link to our administrative simplification for the HIPAA website, and a couple of other data policy websites.

Then we also have links to state data resources. This is done in two ways. We have a link to federal agency data about states, and then we have links to actual state data websites in the health area and in the human services area

Finally, we have developed a user friendly tool. If you just want to come in like the Google website, very simple; you come in, you want to search for some term. You simply type it in. We call it data finder. If you don't want to go through categories or agencies or anything else, you just type in the term you are looking for, disability, and it will take you to our major data holdings on the web in disability data.

So as I said, we have developed a prototype. Perhaps when we have worked out some of the kinks, maybe I can give a demo, we can provide a demo to the committee as well and maybe involve you in the testing. But at this point, we are still working on it.

We have now about 800 websites. There are easily three times that number just in the federal Health and Human Services data area.

This in a way of integrating, in the sense that when you go to a website, it could include data itself, reports on data, it could include methodology, questionnaires. It could also include access to data files. If they have been archived in a non-identifiable manner, you can laterally get access to those. There are some of our websites that actually allow you to create your own table, so you can go to some of the NCHS websites, for example, and you can actually tabulate information from the health interview survey and so on.

Then there are some websites that take you to one of our three research data centers, if you literally want to try to gain access to information for research purposes that otherwise would not be publicly available because of confidential concerns. We have three research data centers in HHS, one at NCHS, one at AHRQ and one at HCFA, where you can make arrangements to gain access. You would never get the individual records, but you could probably do the statistical analysis in some way.

DR. NEWACHECK: This is a question on what will be available on the gateway. I am thinking of the two examples that you gave of health insurance and disability. Those are defined very differently in different surveys and administrative data sets. Conceivably it could be very confusing to a user who wasn't familiar with those data systems as to which would be the right one to use.

For example, take health insurance. There are point in time estimates from various surveys, and then there are full year estimates, and they vary. Is it possible to have like a paragraph or a page that would accompany someone who hit on health insurance, that says, there are five different sources here, two used for point in time, three used for full year estimates, and the difference is X? The reason for using the one over the other might be Y or X, something like that. It would help to provide a little bit of additional guidance.

I know that would be hard, but maybe for some of the key indicators, like health insurance, disability, other measures like that, there could be a little bit of a descriptive guidance for users who are not familiar with individual data systems.

MR. SCANLON: That is an excellent idea, Paul. We haven't factored that in yet. I think our first effort was just to get the websites pulled together. But I think the idea of some guidance to what are the various indicators and what would you use for what purpose -- interestingly, we actually have at ASPE a paper on this subject, but we haven't rolled it into the gateway yet. But I think we can do that.

DR. NEWACHECK: It sounds like it is going to be a wonderful system, though.

MR. SCANLON: We are working through the kinks, but I think this is a good way of organizing. It is really the web that enables much of this. Otherwise it was quite complicated. If you didn't know what you were looking for, even sophisticated users, it is pretty hard to get to the data.

DR. MAYS: It sounds absolutely wonderful. Some of us can't wait for it to roll out.

Two suggestions. One is, in terms of the race and ethnicity, it would be great if not only it told you which ethnic groups you have, but what the numbers are, because right away, some people need -- because of the under utilization, some of the data sets often have to do with the belief already that they are not enough. So I think if the numbers are there, it might help people to decide to use it.

The second is, there is a set of papers that offer very nice road maps to be used with a lot of the NCHS data sets. Those are the papers that come from the data user meetings. But those are just on a CD-ROM. You can't search for them, you can't find them. It is almost like you have to have a CD-ROM and know about them.

If there is any way to link those in, because people who are just starting to use the data set, those papers I think would really help them to narrow what some of the issues are and to know who some of the key people are for the topic because they are interested in.

MR. SCANLON: Very good.

MR. AUGUSTINE: Are the limitations in these data sets going to be explained, so that people don't make inferences based on them incorrectly?

MR. SCANLON: For any one of these websites, there is a section on -- first of all, some of the reports themselves contain limitations, and that is going to relate to my next point as well. But in addition, you could get to the methodology and limitations descriptions themselves on the websites. But virtually all of the statistical reports at any rate describe the methods and the limitations, and how the standard errors and variances were computed and so on, and the response rates.

Again, if it is there, if the agency -- we are not trying to duplicate the fine work that our agencies are doing. We are just trying to pull together an overall framework for what our agencies have done. So we will probably get to the point where we will be looking at guidance for what the agencies may always want to include in anything they post.

DR. FRIEDMAN: Jim just raised the point that I was going to ask about standards for the agencies, in terms of meta data and so forth.

MR. SCANLON: Good. One thing I neglected. From the perspective of the user, we have a couple of other directions that they may want to take if they come to the website. If they come to the gateway, what they really are looking for is consumer health information, we have a click that takes them to the help finder and some NIH and other web pages dealing with consumer oriented health information.

In addition, if it is really research findings from the scientific literature, published research findings that the person is interested in, we take them to the National Library of Medicine and the Medline website. Finally, if it is research in progress, where there hasn't been a journal article, there is a data system that NIH maintains for all of our agencies, and it has descriptions of research projects underway. It is called the CRISP system.

So depending on -- we tried to give the user choices, not to make the decisions for them. But we do direct people to other major web holdings, if that is what they are really looking for.

DR. LUMPKIN: One other suggestion, and this is something that you can file away, because I know the highest priority is to get as much of the national data. But there are a number of comprehensive data sets that are only available at the state level For people who are looking for data, this is sometimes difficult for them to understand the difference between state and federal government. But you may want to consider links to those kind of websites.

MR. SCANLON: There are two things. We have federal data about states, and then we also have state data resources. That is clearly incomplete. There, we have most of the state health agencies that usually have a statistics page or a data page, and we are doing the same in the human services area. But that is clearly incomplete, it is hard to pull it together. But that is exactly what we would like to have, John.

DR. LUMPKIN: And I suspect when you get to that point, there can be a key contact in each state that may provide some assistance, because sometimes our own websites get a little bit arcane in trying to find all the health data and statistics. It is not always organized in the best way.

MR. SCANLON: Let me go to the third area. It relates to -- in January, OMB issued guidance for federal agencies for assuring the quality of information disseminated by federal agencies.

Let me remind you of a bit of the history. You will remember that last year, there was a law passed by Congress called the Shelby Amendment. In essence, it made information from research grants subject to FOIA. That was the first; Shelby One, it was known.

But a second part of that amendment dealt with a directive to OMB to issue guidelines for assuring the quality of information that federal agencies disseminate to the public.

OMB took that directive and they developed guidance which they published in proposed form in June and September for HHS comment. Then they published the guidelines in final form in January, January 3. I will make those available electronically to the committee.

Basically, they are not so much guidelines themselves that OMB issued as they are guidelines for the agencies to develop their guidelines. So every agency according to the statute and according to the OMB guidelines would be required to develop and issue their own guidelines that describe how they insure the quality of the information that they disseminate to the public, regardless of the medium, and across a wide range of types of information. It can be anywhere from scientific research information, from statistical information, from administrative and programmatic information to risk assessment and program management information and so on, so it is quite a wide range of the kinds of information that would be covered under the scope of these guidelines.

There is a special place and a deference given to external peer review, research and information that has been developed pursuant to that process. As a general rule, information that is disseminated that has been subject to external objective peer review such as journal articles, for example, are generally presumed to meet the quality standards, but not with certainty, necessarily.

There is a provision in the guidelines that says that if an agency disseminates influential statistical or financial information, then there is a higher standard of quality that has to be employed. It is basically a standard of what is termed substantial reproducibility.

For everyone familiar with research and the scientific method, these are not new concepts. The idea that you should be able to re-report any research or statistics or data should be transparent enough in the description of the methods and the analysis, so that someone else could carry out that analysis. That is not a new idea for the health area and certainly not to the social science area.

But that is the standard now, that if your agency disseminates information that fits into this influential category, which really means that it would be used for major public or private sector decisions and actions, then you must meet this capability for substantial reproducibility.

There are a lot of ways to do that. One of them is to simply describe when you disseminate the information the limitations, the procedures you followed, the methods you followed, the assumptions you made, the analytic processes that you used.

In other cases, it would mean actually making the data available, public use data available, for someone to do this.

As you can imagine at HHS, we have virtually all kinds of data. We are a microcosm of the whole panoply of federal agency data. Under the auspices of the Data Council, we formed a work group, and we are putting together a framework for HHS, though ultimately we will have to look at the individual agencies to describe what specific processes they employ.

Clearly peer review is one of the processes. There are other reviews and other kinds of processes that agencies would employ at the pre-dissemination stage, but probably at the total project stage, to meet these guidelines as well.

I think we are aiming for a draft to OMB by May 1, which changes the deadline a little bit. By May 1, we have to publish a Federal Register notice that indicates we have a draft of these guidelines available for public comment, and send a copy to OMB as well. After we get comments, we are to revise and have a final draft available by July, which we would submit to OMB. Then they would take effect this October. They would be subject to these new guidelines. We would also have to report to OMB periodically on any complaints we had received about the quality of data or any requests for correction of the data, and how we handled them.

Let me tell you a little bit about those second two requirements. What these guidelines do is not only require that the agency have processes to insure quality of the information they disseminate, but it also establishes an administrative mechanism whereby members of the public and the affected communities could actually contact someone at the agency, and if they have questions or complaints or have corrections, the agency has to have a process whereby they could deal with that and there are other appeals processes as well. We have to report back to OMB periodically on what that process looked like, and how many complaints and so on we received.

There is one final distinction, but again, it is has to be applied in each case. The guidelines apply to information that the federal agency -- the dissemination the federal agency initiates or sponsors. So it is likely that where a research grant is awarded to an investigator and it is entirely up to the researcher how and when they will publish in the federal government, otherwise it is not involved, that would not be considered agency sponsored or initiated dissemination.

On the other hand, if the agency puts its imprimatur on it, in the sense that it then uses findings from research, it gives the impression that it is the agency's own findings, and they are attaching significance to it. If it has the agency imprimatur, it would be subject to these categories.

So we are working through these issues at HHS, and I think we are at the very developmental stage now where agencies are pulling everything together. But in HHS in many cases we do have fairly high quality data, and we have standards in the mechanisms that support that quality, though it is not universal, to be honest. I think our goal here is to put that high standard of quality across all of the data systems.

DR. FRIEDMAN: Jim, are any of the standards included in the guidance?

MR. SCANLON: Not directly. Quality is taken to include the concepts of utility, integrity, and I think utility would be included in that standard of timeliness. So I think we will try to have something like that as well. But quality is just the generic term that they are trying to put some flesh on the bones there. Utility and integrity were parts of the definition as well.

If I have a minute, can I talk about the $1.1 billion that the states are going to be receiving, may have already? I think HHS is going to be going to the states for a loan.

At the beginning of our meeting, there has been a tremendous ramp-up and attention to the role of public health in society and public health preparedness and bioterrorism prevention. At the end of January, the Secretary sent letters to the governors of all the states, announcing the availability of a couple of programs in the states in public health preparedness.

The total amount is something like $1.1 billion. It includes a number of implications in terms of support for investments in information infrastructure and technology. These are in the so-called public health preparedness grants and the bioterrorism prevention grants.

There is a minimum of five million dollars to each state, and then a formula grant that is used for additional money to each state based on the population of the state. So Illinois would get a fair amount, and Chicago and about five cities would get a fair amount in addition.

DR. LUMPKIN: Three, New York, Chicago and L.A. County.

MR. SCANLON: These are grants to the states. One set of grants is from the Centers for Disease Control, and it is to the state. Much of it presumably will end up in the public health agency within a state, but it is for a variety of public health preparedness activities.

The state must prepare a plan indicating how it will use the money, but they can spend 20 percent of the money immediately, and the plan would govern the expenditure of the remaining 80 percent. But there are provisions for including some of these funds to provide investments in information technology and improved surveillance, in having a professional epidemiologist in all communities of a certain size or above. Then another grant from our Health Resources and Services Administration, a grant to states who would then make grant awards to hospitals to improve their own emergency preparedness and infrastructure. It would include their potential provisions for interconnectivity and information technology, for information sharing and communications, which was a big part, as you remember, of the problem on September 11.

So hopefully, this will provide an infusion of funds to improve emergency preparedness, but probably for core public health functions as well. To the extent that this could be a standards oriented set of investments, I think it will help to improve the national health information infrastructure more generally.

Let me stop there.

DR. LUMPKIN: Robinsue?

MS. FROHBOESE: Good morning again, everyone. It has been some time since I have met with all of you, so I wanted to stop by this morning and update you on the privacy activities of both the Department as well as the Office for Civil Rights.

I think as all of you know, the Secretary made the decision last spring to delegate to the Office for Civil Rights the responsibility both for implementing the privacy rule as well as enforcing it. So we certainly have had a tall order over the past year, first in helping to analyze the comments before it became final in April of 2001, and then to work with the comments and the Secretary's commitment to make modifications to the rule, to insure that it was workable, and to address some additional issues that surfaced during the comment period when the rule was reopened.

Since I last met with you, the good news is that the Office for Civil Rights has really developed a very strong privacy team. I know that you have worked for some time with Sue McAndrew, who is heading up our policy effort within the privacy rule, and was involved in the initial proposed rule and the final rule, and has really been leading the effort in terms of looking at and drafting modifications to the rule. As you all probably know, Kathleen Fyffe, one of your own, we were very fortunate to have her join us last October to head up our public education outreach and technical assistance part of the privacy team.

One of the newest members of the privacy team, Stephanie Kamisky, who some of you also have met, is going to be staffing your privacy subcommittee. We are really pleased to have such strong leadership on the privacy end. There are many additional staff that we have hired over the past year, and I think we have been very fortunate to put together this strong team.

In terms of the modifications to the privacy rule, and I know that all of you on NCVHS and the audience today is very eager to find out the latest word and to have me announce the precise date. I know that we have heard a lot about the dates in the industry press out there.

I wish I could make the big announcement of the date, but I am not in the position to do that, other than to say that the Department continues to work very hard on putting the modifications together, doing it in a way that is as close to perfection as possible. As we all know, when we are dealing with such a complex rule that touches upon so many areas, it is really difficult to get it 100 percent accurate, but we are trying to shoot for that goal.

One of the things that you may or may not be aware of is, this past summer, the Secretary put together a privacy council within the Office of the Secretary, that is comprised of the senior leadership in the Secretary's office, to take a look at the privacy rule, and in keeping with the Secretary's commitment to one Department, to make sure that all of the components of the Department are working together and have a unified agenda for the privacy rule.

This privacy council has acted as an advisor to the Secretary and has been responsible for putting together recommendations and moving along the process of modifications to the privacy rule.

We certainly are very conscious of the passage of time, the fact that the rule is scheduled to go into effect 14 months from now. I think everyone is working as hard as we possibly can to get to the point of publishing the proposed rule.

Certainly the input of NCVHS has been really important. We are aware of and appreciate the hard work that you put into first of all organizing hearings. A number of the members of the privacy team from the Office for Civil Rights and the members of the Department attended those hearings. We looked at the transcripts. We certainly appreciate your first letter to the Secretary, summarizing major findings from the first set of hearings. We look forward to the recommendations that you will be giving us after this meeting on marketing and a few other issues.

With that, I think that covers the major highlights, in terms of where we are right now with the privacy rule.

One thing that I should say is that we have made a decision that during the next six months, we are going to -- we, the Office for Civil Rights, will be focusing on putting on additional guidance, technical assistance material for covered entities to assist them in coming into compliance.

We during the past year spent a great deal of our effort on the road, going out and making presentations. We really feel right now that it is important to get more written material together to be able to have standard uniform information that is available. That along with working through the proposed modifications -- remember that when we publish the modifications, they are in proposed form. We look forward to getting comments to the proposal and comments from NCVHS.

As you know, when the Secretary reopened the rule, we received 12,000 comments, between the interim of the proposed and final rule, we received 65,000 comments, so we anticipate that there is going to be a large volume again in response to this proposed rule. But as I mentioned, on all fronts within the Department, we have been working hard.

DR. LUMPKIN: There are primary questions that those of us in state government have, and then there are secondary question which people ask us about our role. I think that is something that would be very useful, not only for public health, but also for Medicaid agencies and other units of state government.

MS. FROHBOESE: Absolutely. We would appreciate any recommendations or assistance that you can give us in focusing on state governments.

When we sat down to look at the presentations we have made during the past year, we identified that as one area where we continue to need to put some effort, recognizing that state governments have a very essential role to play, and the whole public health sector is something where we do want to focus our efforts.


DR. COHN: Robinsue, first of all, thank you for coming and sharing your thoughts with us. I also want to applaud you on developing such a wonderful team to assist you.

Obviously, I represent the industry health plans, providers. I was a little concerned about the time line and the likelihood of success of the implementation according to that time line. One would observe that we are about 14 months before implementation. We still have some time before a proposed rule, and then we have yet a final rule.

I know many in industry are holding back from seriously beginning implementation, waiting to see what the next final rule is going to look like. What advice can you give, those who are both on the Internet and around the room, in terms of how we should proceed? We recognize that this is kind of a crazy situation, but the concern that everyone has that in an era where there is not enough money to do everything one needs to do, and while health care quality is the paramount concern, we are also trying to attempt an implementation around privacy that may change underneath us.

Would you like to comment?

MS. FROHBOESE: Certainly. As I mentioned, the Office for Civil Rights as well as other components of the Department and the Secretary are acutely aware of the time frames. As I said, we really are hopeful that we will be able to publish the proposed modifications in the near future.

The question of covered entities coming into compliance during this time is something that we have given a great deal of thought to. We are pledging our commitment to work with covered entities to insure timely compliance. That is one of the reasons for focusing on getting out some very specific guidance.

I think one thing to keep in mind is that the modifications that we are working on are all aimed to assist covered entities in making the privacy rule manageable while simultaneously protecting important privacy rights.

So we are hopeful that the concerns that covered entities have raised about implementing the privacy rule will be addressed by the modifications that we are proposing, so that in fact, coming into compliance will be an easier rather than more difficult task. The kinds of modifications will insure access to health care services and the ability of covered entities to provide needed health care services that do protect privacy, but don't add unnecessary burden. So that is the balance that we are trying to achieve there.

DR. FITZMAURICE: Like Simon, I too am impressed by your staff, but since I work with them weekly, I am impressed with their ability to grasp the issues that come up and to address them squarely.

I also can understand the reluctance to talk about the substance of the changes of the privacy rule, but the process is probably a different matter. As I understand the process, an office or an organization will develop a draft within NPRM, working with policy officials to make sure that it is the way they want it, send it through agencies for clearance, back up to the Office of the Secretary where changes are decided upon and made, then it goes from the Secretary's office to OMB. OMB might send it out to other relevant departments and collet information back, bring that information back to the Office of the Secretary. Changes again are made, maybe a final policy reviewed by the Administration, and then it is published.

Can you tell us where in that process, if I got it right, the privacy rule is now?

MS. FROHBOESE: As you set forth, it is a very complicated process that has many layers of review throughout. There are some last-minute issues that have been raised, so there are different portions of the proposed modifications that are at different stages of that review process.

But we are moving towards the point of having something ready for the OMB review, which is at the tail end of the process.


DR. LUMPKIN: Thank you very much.

MS. FROHBOESE: Are there any other questions? I unfortunately have another meeting that I need to go to, but Sue and Stephanie and Kathleen I know will be around over the next couple of days. If I am needed, since you are meeting right here in the building, I can stop back at some point.

But thank you all, and thank you for the hearings and the input that you have given us. It has been very helpful.

DR. LUMPKIN: Thank you. Karen?

MS. TRUDEL: Thank you. I will be as brief as I can. I want to in the interest of time concentrate on what is happening with the non-privacy aspects of administrative simplification that may be new to the committee.

We do have what is commonly called a delay legislation, or the Administrative Simplification Compliance Act, which was signed by President Bush on December 27. It was the culmination of many, many discussions within the Department and within the industry about the feasibility of the October 2, 2002 deadline for implementing the transactions and code sets.

What this act provides for is that it does permit a one-year delay in implementing the transaction and code set standards only, which means until October of 2003. But for a covered entity to receive that extension, they must submit a compliance plan.

The result of the passage of this legislation is, interestingly enough, that it has mobilized the industry. The discussion about whether there should or should not be a delay has been resolved. How long the delay should be has been resolved, how one attains a delay. Now we have an additional date certain of October 2003 to work towards.

We are finding that a number of areas of the industry are beginning to step up and begin to look at for the first time possibly the implications of the transaction and code set rules on their own business operations. I think that is a definite plus.

In the provisions of this delay legislation, Congress specified that the compliance plan that covered entities must submit need to include certain things, including the budget, implementation steps, a strategy for testing that would begin no later than April of 2003, which is the recognition that obviously, testing must begin sometime in advance of the implementation date.

It also states that the Secretary must provide a model plan that covered entities may use to request an extension. Use of the plan is not required; it is simply a model or a guide. The Secretary must do that by 31st of March of this year. That is next month.

Very unusually, the National Committee is provided with a role by virtue of this act. The NCVHS is to review a sample of the compliance extension plans that are submitted by covered entities. It doesn't specify what kind of a sample that is, though. The committee is to identify barriers to compliance and also to publish solutions to those barriers.

The Work Group for Electronic Data Interchange or WEDI, which is a cross-industry advisory group, immediately convened a work group to develop a set of proposals for what the model plan should contain. They and a number of other participants in that organization presented their version of a model plan to the Subcommittee on Standards and Security earlier this month.

The subcommittee in general seemed to be pleased with the industry's model form, made some minor recommendations for changes, and those are being considered. The implementation of these provisions has been delegated to CMS, and we are developing a model plan obviously based on the subcommittee's input. We are developing a web page that will be included in cms.gov, where covered entities can go to submit their compliance plans electronically and also to obtain additional information on the delay. We have developed a set of frequently asked questions, and they will be published very soon on the administrative simplification website. Thanks to Mr. Scanlon for that

At the moment, we are on target for being able to roll out the model plan on March 31. I believe the next thing that we will be concentrating on after that is an extensive rollout strategy to make sure that covered entities understand how to delay impacts on them, how they can request an extension, and general information on implementation of the transaction and code set standards.

Any questions?

DR. LUMPKIN: Just one that came to me, and it has to do with the NDC codes. To the extent that there are some changes that we are suggesting being made with that, I think some clarification may be useful to those who are covered entities, who are saying, we know there is a change coming down the pike. It is not final. Therefore, do we need to request a waiver for a rule that we know we won't have to meet.

So I think some clarification on that will be very important, because that may determine how many people will be looking for waivers.

MS. TRUDEL: We can very easily add that to the frequently asked questions.

DR. COHN: John, if you are completely compliant, you don't have to request a waiver. However, the issue gets to be what the process is and the timeliness. Even if there is an NPRM that is published, there is still an opportunity for industry comment and then final development of a final rule. Therefore, it is going to be hard for CMS or anyone else to assure that if specific conditions are met in advance of a final rule publication, that people will be in compliance.

I think the conundrum here is because of the timing. It is going to be very hard for almost any entity to not request a delay, even though the main reason they may be requesting a delay may be this uncertainty about what the final rule will have.

DR. LUMPKIN: I understand. But I think that to the extent that issue is addressed, I think it would be important for people to get that sort of guidance.

The other issue relates to the sample size. We would like to be actively involved with the scientific method used to collect the sample. I would like to point out that a lot of national polls, that usually number around 500 or 600, usually fits in as being a national sample, but obviously we are more than wiling to accept -- right, Simon? -- our task under the law.

DR. COHN: Yes. I think what we were trying to do is encourage the industry primarily to use the website to request extensions. If indeed things are electronic, then the sample size becomes relatively irrelevant, in terms of all that.

We have asked the newest member of NCVHS, Ray Augustine, who is senior statistician for his company, to take a look at some of the methodologic issues there. But certainly if it is all available in electronic, size may not be the major issue.

MS. TRUDEL: The web-based application will have a database behind it, and we are expecting that we will do a certain amount of statistical reporting as well as just providing individual compliance plans.

MR. AUGUSTINE: As of right now, I estimate that there will probably be some compilation both of population-based information that comes from the website, and also the papers that are sent in. We will take a sample of those, so that each of those populations are represented in the final sample.

DR. LUMPKIN: Thank you. Other questions?

DR. FITZMAURICE: In the delay legislation, it mentions a $44 million authorization, with 25 percent to be taken away at something like two-week intervals. I think in a previous question, Karen made us aware that an authorization is not an appropriation. That is not money that has been given to CMS; it is money that somebody thinks ought to be authorized for them to spend, but you have to write a check to it.

I am also aware that other standards such as the identifiers such as security, some of them need funding in order to do anything about it. Maybe a reluctance to issue those standards if there is no funding behind being able to actually assign the identifiers. Some people are raising questions about security, saying will it be released simultaneously with the privacy rule.

So these are all questions about the non-privacy rule standards. Have you been given any assurances that there might be some of that $44 million coming to CMS to help with HIPAA standards? Has it been requested in the budget? Has Congress said we want to give you some of this money?

MS. TRUDEL: It is my understanding that that is still being discussed at the Department's budget levels, so I really can't answer the question.

DR. FITZMAURICE: Secondly, do you have any information about the timing of the other standards, the identifier standards in particular, and then also the security standard?

MS. TRUDEL: We are currently working on all of them, at this point. They will all be moved forward. I don't see that anything will be published possibly within the next month, but we are continuing to move them as quickly as we can.

MR. AUGUSTINE: Those uncertainty issues we discussed earlier, I don't remember, are they an option on the extension form that someone would check in applying for the extension? Because if not, the quality of the information received may not be as good, because people are actually applying -- every company that I work with, two or three companies through one forum or another, they are all applying for an extension, even if they don't necessarily need it, because of that uneasiness.

So if that is not an option on the form, they are going to select something that may not actually reflect the reason why they are applying for that extension.

MS. TRUDEL: We have included that.

DR. LUMPKIN: Thank you. At this point, we are going to over on to the fifth report. I can't believe it; is it five years? Simon?

DR. COHN: This is a long report, and we are not going to go through reading it. In addition, it is in a very early state of draft, so this is really an opportunity A, to provide a brief overview of what it is we are going to be talking about in the report, get some feedback from all of you in terms of if there is anything else you would like to have in it, and then see from the mood of the group if we can identify the next steps that need to occur about this. It is certainly not in a position where even tomorrow we could vote on it as a final document.

Traditionally, this has been an activity that has been primarily sponsored by the Subcommittee on Standards and Security, because most of the activity in relationship to HIPAA has been in that area. This past year for the first time, privacy has been one of the main items of discussion and action, so I think at this point, we are co-sponsoring it with the Subcommittee on Privacy and Confidentiality.

Be aware that at least as of this moment, I don't believe we have received significant input from the subcommittee, so we are still awaiting that. For that matter, we have not really received full input from the Subcommittee on Standards and Security.

However, I think that the big issues that we will be addressing have to do with the issues of the release of the privacy rule and the work that has gone on in terms of advising the Secretary on modifications and changes, which we believe some of the comments will come back in a proposed rulemaking this year.

In relationship to the Subcommittee on Standards and Security, the main news will be once again recommendations we made in the last year that will hopefully result in notice of proposed rulemakings at some point this year, and the Administrative Simplification Compliance Act, which was passed at the end of the year 2001.

My hope for this draft, once again noting that it is somewhat long and repetitious, is that we are going to tighten up the executive summary, probably down to about three pages, moving all things that are not pertinent to the last year into the body of the text. Once again, it will look very different than what we have here.

But once again, we will obviously comment briefly on work in relationship to PMRI, which was mostly discussions to try to come up with recommendations, which are recommendations which will be brought up in a separate letter today. But we will not be spending a lot of time or a lot of space focusing in on those, recognizing that that will be a separate letter coming out today.

This is a great opportunity for anybody to provide input. Richard, do you have any comments for privacy?

DR. HARDING: Not at this time.

DR. LUMPKIN: Let me just ask a question on time lines. I think we all got an email; there were some additional comments that were not incorporated. What do you see as the time line for us adopting this? Do you see it there for our next meeting? Or are you suggesting a different mechanism?

DR. COHN: I am suggesting a different mechanism, but I want to first of all provide an opportunity for anybody to provide input into what we were talking about. I think if people are comfortable with the general direction that I am proposing, it may be the wishes of the full committee to allow the executive committee to oversee final draft revisions and approval of the final version for release between the two meetings.


MR. SCANLON: Just to clarify, the annual report covers the period of January through December, 2001. So much of additional recommendations that the committee would be forwarding would be in the next report.

I think the other issue that Simon was proposing, we have released the other reports previous years in March, because it was just enough time to close out the year. So I think we are aiming for that, but obviously with the comments and the edits and suggestions of all the members. But as we did last time, we agreed to a process for the executive subcommittee.

DR. LUMPKIN: And the report is on the agenda of the Subcommittee on Standards and Security meeting today. No?

DR. COHN: It isn't, but it could be. I want to emphasize, we will not have a final draft tomorrow.

DR. LUMPKIN: No, I understand that.

DR. COHN: I would also comment that we would love to have some input from the Subcommittee on Populations, as well as quality, if there is anything pertinent to this year also.

DR. LUMPKIN: What I am trying to get a feel for and we will have a better feel tomorrow, if the subcommittees that are meeting today have an opportunity in addition to this particular time to see if there are any subcommittee specific comments, that will give us a better idea of how close we are. Marjorie?

DR. GREENBERG: I think I would recommend that there be another draft, which would not only incorporate the comments that were received on this draft, but also make some of these modifications you suggested with the executive summary, et cetera, and that it be circulated to the full committee, so that everyone would have a chance to see it. Then we could have a very short conference call which the group could delegate to the executive subcommittee the finalization of the report. I think that might be a little premature to do that at this meeting, given that this is really the first draft.

But that would allow us to get it approved and to the Congress, hopefully within a month or so, or the end of March. I also prefer not to wait until June.

MS. COLTIN: I had a question that had to do with level of detail issues. In the past, have you included appendices with the report? I can't recall.

DR. COHN: I think the body of the report has sometimes looked like an appendix.

DR. GREENBERG: You can refer them to the website, which has all the various recommendations that the committee has made during the year.

DR. COHN: If there are subsequent recommendations, we try to abstract them from the letters, whether it is pertinent to HIPAA administrative simplification, and include them in the body. But if there is some really pertinent document that should be included as an appendix, I don't think we have an issue about that.

MS. COLTIN: I did see the references to the website. One of the things that struck me is, I would read a section in the executive summary and then go to look for more detail about it in the report, and what was in the report was exactly what was in the executive summary, no more detail. So paring back the executive summary will address that, but that really won't address my issue.

I do think that in a number of cases, the recommendations were not summarized, they were simply stated; we made recommendations on this topic, or a letter was sent to the Secretary with recommendations on this topic, and you can read the letter on the website, but not what the recommendations actually were. That is particularly true in the privacy section, for instance.

DR. COHN: Thank you.

MR. BLAIR: Maybe Jim Scanlon could help with this, Jim or Simon. In any event, in the past who has actually been reading the annual reports, and what kind of decisions or influence does the annual report have? I think that may help us a little bit in crafting it for this year, if we know how it is going to be used.

MR. SCANLON: It is a report to Congress, Jeff, so there is a certainly formality about to whom we send it. We send it to all of the committees in the Senate and the House that have jurisdiction over HIPAA. So there is the formality of the report to Congress in that regard. Again, we don't know who in Congress -- clearly they don't schedule sessions on the report.

DR. LUMPKIN: The most logical place for them to look is going to be our annual reports, and then direct them or point them to other documents where they can find that additional detail. So I think in that way, it will be a very useful tool to anyone who is trying to get up to speed on the issue.

DR. GREENBERG: I might just point out too that as time passes and we are moving to implementing the provisions of administrative simplification as well as promulgating them, then this report becomes increasingly important, and is supposed to report on what is the status of implementation and what are the barriers and impediments, et cetera, which is a feature also of what the committee is expected to report on after reviewing this sample of the compliance plan.

Up until now, no deadlines have passed. In fact, some have been extended for implementation of these provisions. But with some rather firm deadlines in place now, the report is expected to indicate just what the status of implementation is. That is something that both subcommittees have been devoting a fair amount of time to trying to determine.

So I think that in addition to reporting on what has happened in the past year and what the committee has recommended, looking towards trying to provide a status on the implementation is a major feature of this report in the future.

DR. LUMPKIN: Comments on the report? Do we have any comments the than the ones that have been sent in already? If it is agreeable, I would ask each of the subcommittees if you could take a look and see if there are comments that you want to make as a subcommittee.

I would like to propose that the methodology that we would follow would be to get a final draft that would be circulated to the full committee, and then we do a conference call. I am just a little bit concerned that this is a little bit too early to delegate to the executive committee. Then we will try to have a conference call within the next few weeks or so, depending on when that final draft is ready. We will then try to schedule a conference call for the full committee.

DR. GREENBERG: I have to urge any of the subcommittees that have not yet sent their comments or their input, to do so in the next week or two at the most, because I think we are still waiting for some input.

DR. COHN: Significant input. The process that Marjorie was describing, which is that everyone should have an opportunity to look at the report, comment and then from that, a final report that we vote on is probably the preferred process.

DR. LUMPKIN: It has been moved by Simon that the approach that we take between the meetings is consistent with our rules, that a near final draft be sent out. Members of the committee will have a chance to comment, and then we will have a conference call on the final revised document.

MR. BLAIR: Second.

DR. LUMPKIN: Seconded by Jeff. Is there further discussion on that motion? All those in favor, signify by saying Aye.

(Chorus of Ayes.)

DR. LUMPKIN: Opposed, say nay? Any extensions? Thank you. We now have a process. We are going to take a 15-minute break.

(Brief recess.)

DR. LUMPKIN: -- issue of national preparedness and the national health information infrastructure. As I mentioned in my opening remarks, the events of last year have markedly focused the attention of the nation on our preparedness, particularly in relationship to those issues of bioterrorism and other weapons of mass destruction.

Increasingly, we have been focusing on the role of our public health infrastructure, in fact, our health data infrastructure. The release of the report of this committee was in fact very timely in beginning to address those particular issues. So we have with us a very distinguished panel. I will ask them to introduce themselves. Just so you know, not to make you nervous or anything, but you are being listened to by literally hundreds of people on the Internet. More importantly, these proceedings are archived, and thanks to the largesse of the Veterans Administration, are available for subsequent listening. So we would like you to identify yourselves so that when people listen, they will be able to identify your voice. Also, I will ask you to speak into your microphones.

We will start with Claire.

DR. BROOME: Hi. I am Claire Broome from the Centers for Disease Control and Prevention, where I serve as an advisor to Jeff Copeland on integrated health information systems.

DR. LOONSK: My name is John Loonsk. I am also with the Centers for Disease Control and Prevention, and the CDC's associate director for informatics.

DR. RIPPEN: My name is Helga Rippen. I am the director of the Science and Technology Policy Institute at RAND.

MR. HAUER: I'm Jerry Hauer. I am senior advisor to the Secretary for the Department of Health and Human Services, for national security and emergency management.

MS. SCHULMAN: I am Roslyne Schulman. I am the senior associate director for policy at the American Hospital Association.

DR. LUMPKIN: Great. Helga?

DR. RIPPEN: First of all, I want to thank you very much for giving me an opportunity to talk today about some work that we have been doing, specifically an initiative to develop a framework for the information technology infrastructure for bioterrorism. As we all know, the events of September 11 and also some of the issues with bioterrorism are fairly significant.

My training is in preventive medicine and public health, in which I am boarded, and I have a Ph.D in engineering.

What is really the purpose of this initiative? It is to bring together stakeholders to identify the requirements of a national framework for an IT infrastructure for bioterrorism. The question of bringing together the stakeholders is really critical here.

In addition, we are to identify the policy issues that come up and evaluate the options, assess the state of the industry and identify issues and gaps, build on what works, and at the end bring together the national experts from all sectors to develop the recommended framework.

The process is a series of summit meetings. We held our first one 11/20 to define the environment and definitions, a second one to explore two specific components into more detailed communication and surveillance where those are deemed most critical, and the third which is coming up is to obtain private sector feedback. Then the next step as far as planning process for developing a blueprint.

Just so you know, the co-sponsors of the first two summits included the Institutes for Electricians and Electrical Engineers, known as IEEE USA, the American Association of Public Health Physicians, the e-Health Initiative, and the American College of Preventive Medicine, and RAND.

I want to show you a little bit about bioterrorism in the intersection of stakeholders and responsibilities. Why? Because it is very easy for us to look at the environment that we are used to and think of it in terms of that.

The issue is that you have a terrorist, you have a biological agent, and you have a living target. For people in public health, that is only one aspect. There are a lot of other aspects to it. What happens is, in an event there is an intersection and there is a significant requirement for communications and also for information infrastructure that goes beyond traditional sectors.

What are the implications of this? It is an infrastructure issue; it goes beyond one sector. There are multiple stakeholders interacting during a crisis, and there is a critical need for a seamless IT infrastructure that spans users and supports their needs. When I talk about that, it is not to re-invent the wheel. It is not to have stovepipe systems, but it is to think about where these things come together.

The other thing that is critical to know is that an event just doesn't stop in time. An event is a series of things that happen over the phase of an attack. It is the prevention of it in the beginning, which in preventive medicine is always the key, but then there is detection, early response, sustained response and then recovery.

One could argue about what the intensity level of IT needs are and where they are, but it is important to realize that it doesn't stop at one point in time.

What are the implications? There is a changing environment and needs, and there is a critical need for hading out responsibilities seamlessly. So we are building on a foundation.

The first meeting was to bring together stakeholders to have a common language. For those of you that are in IT, nothing is new. This is not rocket science, but it is the beginning of a discourse and terms.

The objectives, as far as what does the IT infrastructure need to support, could be grouped into eight general categories, from strategic planning to deterrence, surveillance, communications, coordination, resource management, education and training and research and development. Again, the top two that we delved into at the second meeting were surveillance and communications.

The capabilities, standard, connectivity, data management, procedures and applications, systems, security and operations management. The data needs are vast. They include content, procedural information, health, behavioral, resource, environmental, research and technology. And stakeholders is everyone, depending on where you are in the system and where you are in the course of the events.

What were the recommendations of the group to date? That it is important to continue the process, to develop a consistent and consolidated effort to develop an IT infrastructure for national biodefense preparedness and response.

For those of us in the public health sector, I believe that 80 or 90 percent of the needs are meet if the infrastructure for public health was there.

Assure a broad and inclusive representation from all stakeholders, build consensus among stakeholders, disseminate findings widely and provide a public forum for review, and develop a high-levels requirement document that is technology neutral to support evolving technologies.

Aim for sufficient flexibility, build upon current IT infrastructure to grow incrementally. I know the CDC has been working a lot in that area, as has the private sector. Encourage the participation of industry. I think with regards to what does this mean with this group, identify or create appropriate governance and funding mechanisms to assure appropriate planning and development of this infrastructure. I think that is critical.

One of the key themes that kept coming up during the meeting was the perceived lack of leadership from the government sector with regards to whose responsibilities and who is coordinating this. I think that was very important.

The next meeting is April 3 for vendors for the pre-summit meeting. The third summit is April 4. We are going to start putting together a website to categorize all of the applications that vendors have available to date, so that we can identify gaps.

That is where we are.

DR. LUMPKIN: Thank you. We will go through all of the panelists and then we will toss it open to questions from the committee. Jerry, do you want to go now?

MR. HAUER: That's fine. What I would like to do is take the next five or six minutes and tell you a little about what we are doing at HHS, and some of the key issues that we look to confront over the next 12 months.

As you know, a number of things have occurred in the last several months. First of all, our office was created, the Office of Public Health Preparedness, which is a new office headed by D.A. Henderson, reporting directly to the Secretary, which will oversee and coordinate all of HHS' bioterrorism initiatives.

That includes funding. None of the funding, the $2.9 billion that we just received, is being released unless we sign off on it. We are very anxious to insure that at the end of the day, we have a coordinated, one-department message that the money that goes out to state and local governments is used to rebuild the public health infrastructure, and that includes the IT infrastructure within the country.

The Secretary is very anxious to insure that this money is used to fund deliverables that at the end of the day have an impact on bioterrorism. I think that we have seen in the past, a lot of money has gone out the door, both here and in other federal agencies. I can say this, because I spent the last five years as a commissioner in New York City for emergency management, having been the recipient of a lot of that money. A lot of money went out the door to buy toys. At the end of the day, we don't necessarily have system, but we have these disconnected little nexuses of expertise around the country that don't necessarily at the end of the day work when it comes to bioterrorism.

One of the key components of the Secretary's goals is IT. We are putting an enormous amount of money out on the street to states and locals through the governors' offices. $1.1 billion just went out and is going out to states. We had the first rollout meeting yesterday.

A significant part of what we want to see is connectivity, connectivity between health care plans, hospitals, local health departments, state health departments, to insure that there is good two-way communications.

There is a very vigorous debate going on in the country right now about how we should be looking at data collection, whether or not syndromic surveillance works versus data mining. I tend to be one of those people who believes that we will never get syndromic surveillance off the ground. I just don't think we can ask primary care providers, particularly in emergency rooms and in practices, to fill out more paperwork or do more data entry. I think DoD has shown that syndromic surveillance at the end of the day probably won't work during a big outbreak.

But there is also a debate as to whether data mining will work, and whether or not we can actually narrowly that window of opportunity between the release of a biological agent, a clandestine release of a biological agent, and the detection of an actual event.

Many people feel that the real goal is physician education. We had a local outbreak that was not picked up by the data system that we had in New York City, but the education component of our bioterrorism program did work, because we had an alert infectious disease physician at the hospital who notified us that something had occurred.

I do believe that data mining will work. D.A. Henderson and I have this debate on a regular basis. He does not believe data mining will work, but I believe that we can develop sensitive enough data systems that have links to hospitals, to health care providers, to pharmacies to monitor sales of various types of over-the-counter medications, that can give us even a six or 12 hour advantage. With the clandestine release of biological agents, six to 12 hours would be a significant advantage as we look at responding.

So we need to have these two-way connected systems. As many of you know, our public health departments in this country have been allowed to lapse into a state of disrepair. I was in Indiana for seven years working for the governor, and I had most of the public safety agencies. We could rarely on the weekends get somebody from the Department of Public Health. It took us about two years to finally get somebody on call. Data reporting was done on paper. As you know, STDs have historically been a lot of pieces of paper in triplicate. You send it in, it maybe gets entered into a computer sometime down the road, maybe seven to 10 days. That is absolutely unacceptable when it comes to dealing with these types of emerging infectious diseases or dealing with clandestine release of biological agents.

So we have to rebuild the public health infrastructure. We have an opportunity to do it now. We are putting an enormous amount of money out in the field, but the Secretary wants to insure that that money is wisely spent, and that we do it in a way that we have good connectivity.

The other piece of this connectivity is, we are not going to just look for data from the department of health, but we are going to put information in their hands on an ongoing basis. CDC is working on that There are opportunities to continue to enhance what goes on with that. We are going to be convening a number of summits here in Washington on surveillance and IT and connectivity, looking to how to better enhance surveillance on a countrywide basis and mine it down into the local level, but also looking at what health departments need in getting inputs from state and local health departments, so that we can put information out during an incident, that helps them manage an incident.

So with that, we will take questions at the end. I'll wrap up.

DR. LUMPKIN: Thank you. Ros?

MS. SCHULMAN: Good morning. I am Roslyne Schulman, Senior Associate Director for Policy at the American Hospital Association. I am a member of AHA staff's hospital disaster readiness team and chair of the team's resources subgroup.

On behalf of the American Hospital Association's nearly 5,000 hospitals, health systems, networks and providers of care, I appreciate this opportunity to present our views on how national preparedness could be enhanced through improvements to the national health infrastructure.

The terrorist attacks of September 11 and the subsequent anthrax attacks have changed how Americans view safety and security. Over the past five months, the nation has focused on strengthening our national security and emergency readiness. As part of America's vital health infrastructure, hospitals play a central role in that effort, a role that is sure to be enhanced as we move forward.

The attacks have redefined the meaning of disaster readiness for hospitals. Hospitals are now compelled to plan for what was previously unthinkable, disasters that are intentionally inflicted, involving large numbers of casualties, and involving the use of chemical, biological or radiological agents.

Mass casualty incidents by definition overwhelm the resources of individual hospitals. They may overwhelm the resources of a community's entire health care system. Therefore, the response to mass casualty incidents is likely to require a broad array of community resources to supplement the health care system and requires coordination between these components.

The minimum components of an effective response will involve public health, hospitals, physicians, community emergency management officials and the traditional first responder organizations like fire, police and EMS. State and federal government resources will be tapped, depending on the scale of the disaster.

Mass casualty incidents that result from an infectious agent, as would occur in a bioterrorist attack, differ from other types of disasters in many ways, including, the onset of the incident may be unknown for several days before symptoms appear. Even when symptoms do appear, they may be distributed throughout the community's health care system and not recognized immediately by providers.

Once identified, the initial symptoms are likely to mirror those of the flu or other common illness, so that the health care system will have to care for both those who are infected as well as the worried well.

In order to increase readiness to respond to mass casualty events, particularly those involving biological agents, the AHA believes that hospitals must adopt a community wide perspective and broaden the scale and the scope of their existing disaster plans to link with and involve community partners. For instance, hospitals should establish and open and ongoing relationship with local health departments and its leadership. Biological incidents in particular require community-wide surveillance and control efforts to assemble apparently isolated symptoms into a recognizable pattern that alerts the community's health care and public health system about the potential for an epidemic, and initiates appropriate public health interventions such as immunizations and prophylactic antibiotics.

In addition, hospitals have an opportunity to use their existing EMS, trauma coordination and other relationships as a framework upon which to build expanded relationships for mass casualty readiness. These existing programs also provide a framework for communication linkages and data collection and sharing. Establishing these community-wide relationships can serve readiness by facilitating the creation or linkage of the data reporting system to provide an assessment of health needs and health care resources.

Because large-scale disasters increase the demand on all of the community's health resources simultaneously, there will not be enough time or available staff to survey hospitals and other communities in order to inventory capabilities after the incident starts. Systems that are designed to share a common architecture and that integrate real-time data from institutional operations will provide the best means for matching community needs to available resources. However, there are many challenges to making these community linkages work.

First, hospitals and others on the front-line responder community depend on an effective communications to provide emergency medical care, rescue accident victims and respond to disasters. One of the key lessons learned from the September 11 terrorist attacks and the subsequent anthrax attacks is that we must enhance our ability to gather information and communicate it efficiently to all relevant parties. In disasters, particularly those involving large numbers of casualties, it is critical that the hospitals have pre-established communication linkages with other front-line responders that are reliable and interoperable.

However, in disasters, most organizations experience problems with interoperability. Communications often degrade as a result of saturated cellular phone systems and wireless communications systems that interfere with public safety communications.

Public health services must be linked using secure connections to the Internet. High speed dedicated access to the Internet should be available for all public and private health care facilities and related organizations. There is a critical need for funding to upgrade, modernize and link front line responder communications systems and to address interoperability problems.

In the event of a disaster, many communities are not able to assess in a rapid and accurate way what health care resources are available for response. Readiness could be enhanced if all communities had a real time system in place to assess hospital capacity. This would ideally include frequently updated information on the number, type and location of available hospital beds, available stocks of drug supplies and equipment, and the number and location of trained staff.

Appropriate staffing poses a special concern in mass casualty incidents. For example, most hospital disaster plans provide for staff augmentation by extending the working hours of present staff or by calling in supplemental staff. If all of the disaster plans in a community are collected, they appear to provide for a substantial increase of staff. This includes medical staff, nursing staff, technicians, technologists and support services.

However, it is common for each hospital's disaster plan to be prepared individually. Thus, there is a real potential for double counting of potential staff. That is, two or more hospitals may envision using the same resources for staff augmentation. Therefore, in a mass casualty incident, when the full human resources of the community are stressed, hospitals improve their preparedness by working together to develop an unduplicated estimate of the number and source of additional staff.

In addition, disaster readiness would be enhanced by the development of a community-wide concept of reserve staff, that is, identifying physicians, nurses and others who have retired, have changed careers to work outside of health care services, or who now work in areas other than direct patient care. However, this concept of reserve staff will only work if adequate funds are made available to regularly train and update the reserves so they can immediately step into roles in the hospital.

Of course, next an effective public health and medical response to a covert bioterrorist attack will also depend on the ability of individual physicians, field providers and public health departments to quickly detect, accurately diagnose, rapidly contain and effectively treat an uncommon disease or illness.

Improving the capacity of hospitals, public health departments, public laboratories and clinicians to engage in disease surveillance and disease reporting will be critical in determining that a cluster of disease may be related to the intentional release of a biological or chemical terrorism agent, and in expediting an effective response.

The monitoring of sudden changes in syndromic information gathered by emergency departments, EMS communications centers, health departments and telephone nurse triage call centers can also provide an advance warning of community health threats.

While disease reporting and syndromic surveillance are critical in responding to biological and chemical terrorist threats, they also could serve other roles to improve the health of the public in other ways in the future, such as tracking population health status and health service utilization.

In addition, data captured from the surveillance system once it is analyzed can generate appropriate followup actions, such as the provision of just in time educational materials to providers to assist in the medical management of patients.

To facilitate this level of readiness, hospitals and public health departments will need adequate resources and significantly upgraded surveillance systems to detect and respond to unusual disease patterns of symptoms. Public health labs will need to upgrade their capacity to carry out essential analytic reporting functions, and all public health, laboratory and medical partners will require enhanced electronic information and communications systems to assure rapid and secure reporting and information exchange.

Furthermore, a successful surveillance system will to the maximum extent possible utilize and build upon sources of information that are already collected by hospitals and emergency departments. Automated retrieval of existing data from clinical databases and hospitals is preferable to systems that require manual entry of data, and may represent the best solution for the provision of surveillance data to public health departments. Such a solution should also be less burdensome and costly for providers. An environment in which every hour of patient care provided in an emergency department results in one additional hour of paperwork. It would be difficult to justify adding to this burden through new and manual data collection.

The AHA would also like to raise with NCVHS a serious conflict between the HIPAA privacy regulations and efforts to improve hospital disease surveillance capabilities. The HIPAA privacy regs place unnecessary roadblocks in the path of state hospital associations' efforts to share important health and demographic information with other hospitals in their states. The ability to continue to share such information can be critical to identifying an unusual pattern of symptoms that could indicate that a bioterrorist attack has occurred.

While the privacy rules permit state hospital associations to aggregate and analyze medical data from their member hospitals, it would not allow hospital associations to share this quote protected health information from one hospital to another hospital. Further, while the regulations do include an exception that would allow public health agencies to collect protected health information without consent, it is not clear that state hospital associations would fall under this exception. As a consequence, once the regulations go into effect in April 2003, state hospital associations would be barred from sharing critical disease surveillance data with contributing hospitals.

Among the data that hospital associations would be prohibited from sharing are county or neighborhood by zip codes, specific age of the patient and the date on which the hospital treated the injury or illness. These are data elements that are integral to disease surveillance activities.

I believe that HHS should either reform or clarify the rules to allow state hospital associations to share the critical elements of data with contributing hospitals and health researchers. This could be done most effectively by carving out these data from the list of identifiable data in the rule.

I would be happy to answer any questions.

DR. LUMPKIN: Thank you. John?

DR. LOONSK: Thank you. We are very pleased to be here today to talk about some of these issues.

The context in which I am speaking to you is as someone who is highly involved from the technical standpoint in working on the nation's surveillance infrastructure as part of the national electronic disease surveillance system before October, with Dr. Broome, as someone who was the information technology lead for the CDC's response to the October anthrax attacks, and as someone who has participated in the IT guidance as part of the bioterrorism guidance that has recently gone out to state and local health departments.

Prior to October 4, we were rebuilding the surveillance infrastructure in the country as part of the national electronic disease surveillance system. It is not a software system per se, but a vision and a process to integrate diverse public health systems, to connect to clinical data systems, and to use and promote national standards for the development of these systems and the exchange of their data. It includes a system architecture as well as specific use of national standards, and we have funded all 50 states and several large municipalities in this pursuit.

NEDSS uses national data standards and develops specifications internal to them, including an HL7-2.3 public health lab message, HL7 referencing, and HL7 information model used relative to data storage and version three messages for public health notification and the use of standard vocabularies for the coding of content internal to those messages and those stores.

Prior to October 4, we were also involved in trying to support the investigation and evaluation of bioterrorism surveillance. We were participating in certain heightened surveillance activities in emergency departments around major events. Some of this was done with syndromic data, but always with followup on those syndromic data relative to the likelihood of an actual event. We were also participating in the evaluation of multiple drug source, clinical drug, or the counter absenteeism trials in the investigation and evaluation of surveillance and detection activities.

An ongoing theme for this work was that the bioterrorism infrastructure should not be separate from the non-bioterrorism infrastructure, and that they both need to work together.

In the area of connectivity and learning, the health alert network had been working to develop high speed continuous Internet connectivity for public health, as well as developing the capability to make emergency broadcast alerts to public health participants. You can see the numbers of those who had already participated in this activity, and that work is ongoing.

In terms of diagnostic capacity, the laboratory

response network was enhancing the capability of public health labs to process bioterrorism agents, to detect and identify appropriately results related to those activities. There were also activities in the educational realm, in terms of presentation on these pathogens to professional societies, public health and clinical personnel.

As we all know by now, the anthrax attacks in October were not executed as expected. There were many lessons learned. It started as a single case. It was an astute clinician who identified that, and the identification was not syndromic. There was also a major public health response, and there were many data and communication needs.

In terms of communication with the public, there were many press briefings, journalists involved. There were a huge television audience for some of this content, as well as an enormous amount of activity on the related web pages for downloading information.

There was also in the epi-X system a significant amount of discussion in a secure fashion for a discussion group type format among participants in the public health endeavor. There was substantial activity relative to the MMWR and distribution of information to clinicians and others.

In regard to bioterrorism surveillance and detection, bioterrorism detection is still investigational. The need for case data management exchange and communication are not. There is an increased priority as well as an opportunity to get clinical data, demographic data, presenting complaint, potentially syndromic data, as that is determined to be appropriate, sometimes directly from electronic information systems without manual entry, lab data, critically important, as well as utilization data and discharge data.

There are opportunities to work in these areas. Among them include the work with the e-Health Initiative, a series of providers and clinical information systems, developers who are working with us to try to get appropriate data out of their clinical information systems and move them to public health.

Some broad points about the general IT response to the anthrax. Even if they were in place, it is questionable whether the bioterrorism detection systems would have caught this initial event. They certainly would compete, particularly in a manual entry fashion, for clinical personnel's time and public health's time and attention.

The majority of the data needs in the response were not about the initial detection by any means. Although there were major needs in the learning realm, the majority of the data needs were about threats, managing potential cases, potentially contacts of those cases if it is a communicable disease, the management of calls and information exchange, the management of labs specimens, the management of lab results and the linking of content.

There were major issues exchanging data with the many participants that are involved in public health, clinical sites, local health departments, emergency responders, law enforcement, public health laboratories, commercial labs. Participants accumulated dissimilar data and they principally exchanged it manually.

There was a major lesson learned in terms of these data as well. These data need to be linked. In an ideal situation, detection and possible threats would lead to data management around possible cases, contacts, facility and geospatial data, as well as then leading to analysis and presentation to decision makers, and then leading on into alerts, prophylaxis and vaccination in a continuous manner.

There were many communication challenges with response teams, partners, the public. Part of the issue was not just getting information out, but getting specific information rapidly to the point of need, and not overloading people with information that was not relevant to their particular activity.

The rest of my presentation will be a brief discussion of the appendix to the bioterrorism cooperative agreement guidance that has recently gone out. In the guidance, there is a focus area that relates to health alert network, information technology and communication. It is now broader than it used to be; it is inclusive of some of the IT activities that I have been alluding to.

At the end of the entire guidance is an appendix that is described as IT functions and specifications. These functions and specifications link back into all aspects of the guidance and relate IT activities in the guidance to specific national standards, to specific architecture, and internal to those standards and architecture, the specifications for how we should exchange these data. It gets to this very specific need of exchanging comparable data between the many partners in public health.

The format for these specifications is that I will identify a need, I will identify the industry standards involved, and then I will allude to some of the specifications that have been written into this guidance.

Many of these specifications are not new. They are specifications that have been worked on for some time as part of the national electronic disease surveillance system, NEDSS. They have been worked on in terms of the health alert network, and activities in that regard.

There are some of these specifications that still need to be refined in the context of the data needs that I previously discussed. We are planning on working on that in the coming months to extend the specifications so that they are encompassing of the activities as I have described them.

The general areas for these IT functions and specifications include the automated exchange of data between public health partners, setting up a live network for data exchange, without manual upload, without the need for human intervention to exchange appropriate data between public health partners and indeed, the clinical sector as part of that, so that we don't have to manually or telephonically relate these data to each other.

This is an infrastructure that would be built on the EBXML national standards, which work indeed over secure transmission across the Internet. Internal to that message transport there is a need for the specific descriptors of content. Some of those come from the national electronic disease surveillance system, and public health notification messages that have been developed in this regard, using HL7 version three. Some of these are HL7 2.3 type messages, some could be X12 messages, and some importantly could be in the LDIF message format around directory exchange between public health partners when we manage lists of who is participating in the endeavor.

As I indicated previously, the majority of the data needs in the anthrax activity related to managing and tracing possible cases, from detection, through lab testing and confirmation, and then into possible prophylaxis and/or vaccination.

The standards involved in this include health level seven, vocabulary standards. The specifications for that are principally identified already in the NEDSS logical data model and vocabularies associated with that, but there is some extension work that needs to be done.

Managing lab results and specimen information. Managing the transport information associated with specimens was a major activity, linking lab results with possible cases was a major challenge. We need to facilitate a standards based community to having laboratories involved in the public health endeavor, electronically receive laboratory specimen requests, accept specimen data and sample data, manage those data, and then be able to immediately report those data out. The standards involved in that activity are well established in terms of health level seven, and there are other vocabulary standards that could be involved. The specifications of this include HL7 2.3 messages that have already been developed.

Another function and specification is the use of electronic clinical data for event detection, setting up the channel to allow for clinical information systems to move data to public health in a secure appropriate manner, using comparable message structure for that exchange. The standards, ebXML, HL7, can be X12s, and then internal to those there can be other vocabularies and codes involved, specifications, some of which are already identified, some of which need to be further refined.

There is a lot of activity that can go on right now using existing messages that are structured for requests for lab tests, for requests for activities and lab tests and results that occur in the clinical sector.

If we are going to do manual entry for event detection, there is certainly a role for this in the general public health infrastructure and perhaps in bioterrorism detection. We should be doing it in such a way that the data that we are accumulating are standardized, that they are being put into a store where standard table structures are used, so that we can develop algorithms for outbreak detection, algorithms for management and analysis of those data, and share those among the different public health partners, not build stovepipe systems in particular areas or particular functional areas.

So to do that, there are standards and specifications for both the security infrastructure for this as well as the implementation and the store for those data, to try to leverage into these opportunities.

That leads into the analysis and visualization capabilities. We should be able to share some of these technologies among public health. We should be building these things in such a way that they take advantage of commercial, off the shelf software where possible, as well as the standards and specifications for their implementation.

As another function and specifications internal to the guidance, is an indication of how we should store directories of participants in the public health endeavor, identifying not only who they are, but identifying their roles and responsibilities, and being able to match that up with messages that are also described relative to the appropriate receivers of those messages, so that we can get to the specific delivery of content, to those who need it in the context of their activities.

The standard for directories include the lightweight directory access protocol and the lightweight directory access protocol data exchange format.

We need to do more work on the messaging for learning and dissemination as I just describing, in terms of describing meta information about those messages, so they can be specifically delivered to those who need them. There has been some activity in this realm. We need to come to closure on some of these specifications in the short term.

Finally, specifications and functions around IT security and critical infrastructure protection. Having secure systems so that sensitive data can be transported and worked as appropriate with the many partners involved in this activity, as well as having systems that are reliable and can be counted on through redundancy and continuity of operations activities to be there when we need them to support this activity.

Thank you very much.

DR. LUMPKIN: Claire, did you have additional comments?

DR. BROOME: I gave John all my time.

DR. LUMPKIN: Thank you very much, panel. It has been a very interesting presentation. At this point we will go to questions. I will perhaps start it off with a comment and then a question.

My first comment is, having considered all this and looking at our implementation in Illinois and other states, in how we can best address this issue, I have come to the conclusion -- and it struck me in a meeting that I was at with the hospital association, the two hospital associations in Illinois, and they asked me what was the one thing that we ought to do for bioterrorism. It dawned on me that perhaps the highest priority ought to be to automate the electronic medical record in emergency departments around the nation. That is really the rate-limiting step.

We have looked at the issue of patient medical record information development, and we have thought about it as an enterprise wide endeavor for hospitals. Perhaps we ought to rethink that as maybe looking at the emergency department as being the proof of concept that meets a national need, because systems that -- my years of experience working in an emergency department showed me that if you give me an extra sheet of paper to do it, I might do it throughout September, maybe into October after the events, but after that, I have got other things to do. Certainly my experience trying to do research in data collection in emergency departments taught me that.

So if we are going to make a fundamental advance in our ability to conduct real time surveillance, the emergency departments may be the place to do it. We recently are investigating an outbreak in Illinois of pertussis in a small county. We identified about ten cases, and we began to do a record review, going back manually. We identified almost 300 symptom complexes that would be consistent with pertussis, that were never detected, and we could not have picked up without going back and doing the hand search.

Obviously, the ability to do surveillance and saying now we have identified something, let's go back and look at the records in the emergency department, instead of it taking us -- now we are about six weeks into the investigation; that could have been done in a very rapid fashion.

So I am just becoming more and more convinced that this is someplace that we ought to consider investing as a nation in looking at medical record automation.

Having now gotten off my soapbox, I do have a question. That has to do with the issue of coordination. We are sitting in the city which is touched by at least two states. People come in and out of D.C. all the time, so we have three different jurisdictions. People like me come from other states throughout the nation.

To what extent do we believe that the requirements established through these public health systems will assure that the kind of data coordination that system development and coordination will actually occur, rather than the creation of separate systems as we have seen in the past?

MR. HAUER: Let me take a shot at that, John. We have looked at that. One of our concerns as we looked at some of the states, you look at cities like Cincinnati, where you get people that work in the city from Indiana, Kentucky and Ohio. They exposed to something during the day, Thursday or Friday, they started reporting to their emergency rooms, or to call on their emergency primary care providers on Saturday and Sunday, it is likely that that connection wouldn't be there.

One of the things that we are trying to emphasize is regional approach. We are getting away from this city-centric kind of approach, but we have to figure out ways of getting state health departments to talk as well.

Our first goal is to get the hospitals talking with their city or county health departments and the counties talking with the states. Then we need to reach across into the -- across state lines.

That will be a little more difficult, because sharing data like that is not quite as easy. But I don't think it is an insurmountable task. I think it is just a matter of developing the linkages.

One of the things that we want to do, and CDC can address this as well, is develop a national linkage, where we have got all the state health departments linked together, so that we can look for patterns across states. But that will be a little bit of a greater challenge.

Did you want to comment about that?

DR. LOONSK: It is an impressive number of participants who were involved in the anthrax response, including contractors who had not previously been doing testing, who were brought in for testing purposes.

We clearly have to promote national standards for these data, and then internal to those standards we do have the reach right now to identify the specifications coordinated under those national standards to be very specific about the data we are exchanging.

There is obviously a good amount of work that needs to be done to then promulgate those specifications to the various participants, but I think that we are in a good place in terms of having the specifications relatively available to us in the short term to begin that activity.

DR. BROOME: But I do think one of the reasons why I can say that John has been working 80-hours weeks is the importance of having these national standards identified as early as possible in the process, because as John alluded to, the states and local health departments are receiving very substantial funding right now to have these specifications available, so that investment of these funds is done in systems which meet the national standards. Time is of the essence.

DR. LUMPKIN: Let me just ask a followup. One of the things that we have seen in our experience with HIPAA is that you can have a standard, and then there are the various implementation guides and so forth and so on. To what extent is the CDC or HHS considering the development of a reference system, so that as all of these systems are being developed, someone can test that their system can transmit a standardized message that is consistent throughout the system?

DR. LOONSK: We have been working in terms of the bioterrorism guidance to develop direct assistance possibilities for working with state and local health departments specifically to evaluate these types of things.

The thing that is most immediately pressing is around information security and around the ability of these participants to protect their accumulated data relative to the Internet. But shortly after that, we would like to advance the testing of this messaging infrastructure so that we can indeed not only identify the specifications, but identify exactly how well they are used and how well they are implemented, and what the catchment is relative to the data across these various specifications.

MR. HAUER: John, are you talking about having a model system that we could export from HHS to the various health departments?

DR. LUMPKIN: Actually, no. What I am talking about is that, if we build a system in Illinois, we want to make sure we have the standardized message format. There are a number of vendors in the HIPAA world who are creating systems that we can go into, send a standardized message, it gets back saying yes, we are doing that. Then my followup question to CDC is, are they being funded to develop such a system. I know there has been a lot of emphasis on money going out to the states, but I think that I and I assume others on the committee have concern that there are adequate resources at the CDC to provide the kind of leadership that they had been providing.

Then I will get Jeff to follow up, because I have asked too many questions.

MR. BLAIR: Do you see that there have been adequate resources for the CDC to continue the leadership role that we want you to play?

DR. BROOME: I think that is a very relevant question. I think as John mentioned, we certainly are looking -- there is the potential with the state awards for the states to use the funds for direct assistance, which means instead of taking money, they can go and get technical consultation. CDC is setting up ways to provide that in ways that support these standards.

So the states do have -- it is certainly optional, in terms of whether the states want to use that opportunity. In addition to that, as you know, almost a billion dollars going out to the states for the public health part of the guidance is one hundred percent to the states. So that does not include funding to CDC.

There are some funds that have been made available to CDC for bioterrorism preparedness, and certainly part of what we see as our responsibility is using some of those funds for this kind of support. But it is a complex environment.

I did also want to mention -- because I am not sure the committee is aware -- although the NEDSS initiative is a standards based surveillance approach, at the request of a number of states, CDC is also working with Computer Sciences Corporation to develop the NEDSS base system, which is a specific implementation of the NEDSS standards. It doesn't cover everything that is needed for bioterrorism preparedness, but it certainly does include very detailed specifications of the messages that John was describing, including implementation guides. So that does take us to having a very specific implementation of NEDSS standards, which are a part of the terrorism functions and specifications.

That is currently pilot testing in two states, in Nebraska and Tennessee, and we do have funding to deploy that in at least 20 states, probably more, in 2002.


MR. BLAIR: John, I really appreciate the way you outlined the NEDSS system. I'm not sure that there is a difference in philosophy or not when I heard the phrase connectivity.

At least in my mind, connectivity could enable information to flow from one facility to another, but it doesn't necessarily mean that you are going to be able to have that information in a form where you can have automated information systems to be able to readily interpret that data.

John, in the NEDSS systems that you are defining, it does seem to me as if you are heading down to that level, where we could really deal with a disaster where you have tens of thousands, hundreds of thousands, hopefully not more than that, information coming in from various sectors of the country all at once, and be able to have information systems assist that, not expect to have armies of people trying to interpret the data and being overwhelmed.

The only piece that I am not sure of, that I didn't hear you get down to -- because you wound up indicating that you would have the standardized messages, you referenced the terminologies that would be standardized.

One of the major missing gaps that I see is that even if we create this infrastructure where we wind up getting information from states and local facilities, and you are trying to get it from ambulatory and acute care institutions and laboratory information systems, but in reality as of today, that seems to me to be the biggest missing gap, is capturing the other information at the point of care.

We are not that far from being able to encourage the messages and the clinically specific terminologies to be implemented into vendor systems at the point of care, where we can capture that information and really have an effective system.

So my question is, John, does the NEDSS system go down to the next level of providing incentives for acute --

DR. LOONSK: Much of the discussion has been historically around connectivity from the standpoint of Internet connectivity. We very much have to get to the level of specification that we are promoting through these IT functions and specifications and through NEDSS to be able to share data, so we can have an automated system.

The reach of both these functions and specifications and NEDSS has been to the point of messages emanating from clinical information systems and encouraging the use of standard vocabularies and standard messages coming out. But that has been the reach of the activity heretofore.

We are working as I indicated through the e-Health initiative with information system vendors to continue to try to push on that, and to get data out in standardized form. But there is certainly a great deal of work that needs to be done at the point of care to include the initial entry of data in standard based form, so that it will be leveragable into greater use subsequently.

MR. BLAIR: So are you saying that there is a major gap? That somehow either your program doesn't feel that that is within its scope to be able to provide those incentives, capturing information at the point of care with clinically specific terminologies? Or you are looking for some other program, or the funding isn't there?

DR. LOONSK: The funding has not been there to get into clinical information systems to encourage that type of development.

DR. BROOME: I think it is hopeful to ask the committee to think a little bit about what kinds of incentives are going to be effective and realistic.

We have thought of several things. I guess I do think ultimately you would like to have something adjusted for prior probabilities as a prompt to clinicians.

DR. STARFIELD: But when you talk about syndromic surveillance, we don't have even in our current data systems, even the good ones, any way of reporting on presenting problems. If it is not something that is a firm diagnosis, we don't do very well on it. It isn't in our current efforts under HIPAA, either, to report syndromes, presenting problems that are not resolved through a diagnosis. As a country we do poorly on that, I think.

DR. BROOME: Are you talking about system interventions, or are you just talking about the need for astute clinicians to know who to call?

DR. STARFIELD: But what are astute clinicians going to report? You talk about skin lesions; that is not a diagnosis. I suppose there is an ICD code, but not in a standard way.

DR. BROOME: Public laws certainly permit -- and we are trying to encourage reporting of suspicious conditions of possible public health importance. It is not just restricted to a definite diagnosis of anthrax, but you do have to both educate clinicians to have an increased index of suspicion and to know who to call. So those are two major objectives for our surveillance activities.

DR. STARFIELD: Just to follow up, the core data elements that this committee developed in 1996 did have an item for presenting problems, but it hasn't gotten hardly any attention. Yet, I think if we are going to make physicians astute, they have to know what it is they are going to have to be astute to report, and it is not a diagnosis. They have to have systems to report what it is they are seeing.


MR. SCANLON: I wonder if I could follow up on the health care clinical information systems side of the equation.

Jerry, if I am remembering correctly, there is another side -- besides the grants for the public health departments and the states, there is a grant in the bioterrorism funding to the states to provide assistance to hospitals, regional planning and IT support and so on. I wonder to what extent the national standards oriented interconnectivity kind of a framework that is being thought of here could be used as a framework for that site as well. In other words, if the money could be used for IT planning by emergency departments, clearly we wouldn't want to have 6,000 different one-of-a-kind systems there as well. I think the interconnectivity would be just as important.

MR. HAUER: There is enough flexibility in the grants that if hospitals want to use this money develop their IT structure to link with the local public health department, and if the state and local public health department are developing programs and systems, they can go ahead and do it.

The only thing we are looking at is insuring that at the end of the day, we do have some commonality. I think one of the greatest concerns we have is that as different systems have been developed, be it syndromic or data mining, there has not been a commonality of data that is required. We will wind up with a group of systems around the country that don't necessarily talk with one another.

So I think what CDC is doing in developing these standards, and they have done an excellent job in putting standards together that can be exported and can be used as a basis for these kind of connected systems. Hospitals are free to use some of that money, and certainly we would be encouraging hospitals to use CDC's standards, so that the linkages are there.

DR. RIPPEN: I would like to interject a comment. When you are hearing all of this, some of the things to consider is the aspect that I don't think we are clear what it is that we need with regards to a true requirements document. So that in itself makes it a little bit more challenging to get to the specifics. We have some ideas and very deep in certain of the reporting requirements, but there are others that we do not know what the requirements are.

If you start expanding it beyond public health to the hospitals, to other agencies and to other needs, then we even become less clear. These systems have to support all the needs, not just one.

So again, I would just ask that you reflect about what it is that is really required all the way through, and then what pieces you may be able to address short term versus long term.

MR. HAUER: I think that is point is an excellent one. I think over the last several years, we have been evolving systems around the country, and there has not been a standard for the system. As you looked at what might have been done in one city versus the state level versus those systems that have been implemented for specific events, special events like the Olympics or DNC or RNC, they were not necessarily the same types of systems.

The needs were different.

One of the things that CDC has done is developed this vision that is a little more comprehensive than we have seen in the past. It gets into things like utilization, availability, personnel, some of the things you had talked about. We need to continue to evolve these systems.

I don't think though that any system we put in place is going to necessarily address your concerns about the astute physician who doesn't report. That is a challenge that we are going to continue to confront.

One of the goals that I have had is having passive systems that collect data that don't require any motion, activity or input by a primary care physician or an ER doc. As Dr. Lumpkin had said, in the research that I have done in emergency rooms and in ICUs, it is very difficult to get house staff to input.

There is another piece to that. That is knowing what to report and then who to report it to. Do you report a lesion that could be a leg ulcer or cutaneous anthrax? What is your threshold?

Part of that I think is education. I think that is just going to come with time. But part of it is, we are going to miss some, there is no question. There is going to be an ER doc somewhere that just misses a cutaneous anthrax lesion, because there is only one, and maybe it is that person who was making anthrax at home and had a cutaneous lesion. They walk into the ER and they just don't report it; they report it as some other kind of a skin lesion.

That is a problem that I am not sure we have answers to at this point in time. Part of that is going to be education of our primary care providers, sensitizing them and getting them to know that when they have these unusual clusters, they have to do something about it. Maybe that is a phone call to the hospital ID person, who then knows who to make the linkages with, or maybe that is a call to their local public health person. It can be either one. But there has to be some activity, some initiation and some reporting. That is not always easy.

DR. STARFIELD: I guess the problem is that we train our physicians to make diagnoses, and to make diagnoses, and in fact we don't want to do that --

MR. HAUER: The other side is, and we learned this in West Nyall, when we went back after West Nyall, we found 22 additional cases that basically fit into the pattern. But a lot of those were not reported, and we felt in talking with some of the physicians, they don't want to be wrong in reporting the diagnosis, so they would rather not report it.

All of these patients should have been reported under the law, because meningitis is a reportable disease. They were not, because they didn't know whether the patient had meningitis, they were worried about being embarrassed, they were worried about being wrong, and they were concerned about the diagnosis, rather than just calling and saying, I've got something, maybe I could use some help with this.

It is very difficult to get through that. I am not sure that I know the answer to that at this point in time. It is not an easy problem to solve.

DR. LUMPKIN: We have got time for two more. I have Simon and Mike on the list, so we will go first with Simon; and Ted, so we will do three more, and then we will have our lunch break. Simon?

DR. COHN: John, first of all, thank you very mich for your comments. Also, as an emergency physician, the comments that you are making really sound true, in terms of the difficulties in making diagnoses, especially in the emergency room. Even though I would always like to know the case when I see it, oftentimes it is the lab that gives me the truth the next day or whatever.

I actually want to applaud Claire and John for your standards based approach. I would urge you for more specificity, because that is really going to get to where it matters.

Jerry, the government is going to be sending a lot of money out to the states for public health improvements, many of which will be IT infrastructure. The one piece that I wasn't quite sure in all the discussion about was how pegged some of those IT improvements are to adopting the standards based approach that is being advocated by the CDC. I hear recommended, I hear encroachment, I hear it is a good idea.

Given the history of public health in all of this stuff and these stovepipe developments, can you provide me some certainty about this?

MR. HAUER: We are not going to prescribe how local public health agencies do this. But we certainly want to insure that at the end of the day there is some commonality, that these systems are not so far off base that they don't accomplish what they want.

So we are encouraging local public health departments to use CDC standards, so that we can have networks that share data. If we don't share data, a lot of this will break down. CDC has developed some excellent standards, they have put a lot of work into this, and we think they could be the basis for a national system that starts at the local level and goes to the state and then goes to the national.

So standards are just that. I don't need to tell this group that, but we are going to rely heavily on those standards. Maybe that is the best way to couch it.

DR. BLOOM: I appreciate folks' endorsement. I was cringing a little at calling them CDC standards, because what we are trying to do really is get away from agency specific and really focus on national, industry or SDO generated standards and good informatics principles. But we will take credit, too.

MR. HAUER: I think CDC has put a lot of work into this. They have been the umbrella. However you want to couch it, I think CDC has been the umbrella that we go to for looking to these standards, and they have done an excellent job and deserve a lot of credit for it.


DR. FITZMAURICE: I want to address a question to Dr. Rippen, and also, to thank whoever put this panel together. Really sharp people up in front of us who have been a major policy coordinator and overseer of the funds for bioterrorism, the major agency to help build the public health information infrastructure, and detection response to bioterrorism.

The major industry component is going to have to invest in something for communications, and help us respond to the capacity for addressing bioterrorism. Dr. Rippen has brought forth a framework for information technology infrastructure for bioterrorism. I don't know enough about your consensus group. What group have you brought together? Who are they? Did you get any participation from HHS and the White House on this? Can you describe the group and the expertise?

DR. RIPPEN: Our stakeholders, given the scenario and the components we talked about included a broad array of individuals and organizations. The selection was based on whether or not they were involved, and represented organizations as opposed to individuals.

Actually, Claire was there, and there were several people from NSF. There were people from the intelligence community. The public health associations, ASTO and NACHO, AHA, the vendor EHI, the e-Health Initiative and many others.

The key was to bring together people that will have to work together and share information when there is a bioterrorism event. Because of that -- and we even had consumer representatives, too, because it is their information that is being shared.

So again, it is bringing together all the stakeholders that we could, and provide a public commentary period where people could post and respond to the draft white papers.

The intent of it is to think hard about what is needed, and to really help define the requirements document, because no system can be built without a good requirements document.

DR. FITZMAURICE: It sounds like a broad base of people, and the recommendations are sure good, but they are not done. There is so much more work to be done.

DR. LUMPKIN: If you look under Tab 4, there is a document. The appendix on page 16, there is a list of participants.

DR. RIPPEN: And people from OMB and the Hill participated also.

DR. LUMPKIN: Marjorie?

DR. GREENBERG: I just wanted to make one observation from the HIPAA experience related to standards. I realize I am sitting next to a system health officer, so I certainly wouldn't argue against offering states flexibility, et cetera.

But I think the experience with the HIPAA standards showed that when people and industry supported the standards and were encouraged to use them, they didn't. So finally, Congress had to come along and pass HIPAA, and industry asked Congress to pass HIPAA, because they said the devil has got to make us do it.

So encouragement of using standards has not been overly successful. Even now, people are kicking and screaming and asking for extensions, et cetera, which probably are necessary, given some of the realities.

I don't know what the requirements exactly are, and the extent to which the Department is prohibited from mandating a standards based approach. But I do think we need to be aware of what has happened in the past when we have encouraged standards rather than requiring them.

MR. HAUER: I appreciate your comments.

DR. SHORTLIFFE: I have been thinking, ever since Jerry Hauser's initial comments, I would like to go back to the syndromic surveillance issue just one more time, if I might.

I realize that we are dealing with the reality short term of what it takes to try to get the data that, as Jerry pointed out, would be required to do this kind of surveillance. Your comments about the necessity for data entry and motivating physicians and the like, those are very real issues. They are exactly the kind of issues that have prevented many other -- even before bioterrorism concerns, have prevented many other kinds of idealistic views of what would be great, if only clinicians or others that were involved in the clinical setting would do the data entry that was incremental to their routine task.

I think there are many people looking farther out to the actual acceptance of the standards and the like, would believe there is a model that should be achievable eventually whereby incremental data entry is never required, and where the data are in standardized formats in the records because people are keeping track of what they are seeing and doing as they always have. They are just doing it in a more standardized way.

You point out, you went back and could find cases that were probably West Nyall virus in New York, for example. Presumably that is because you looked at the charts. People have written the stuff down; it just hasn't been reported in an automatic way through any kind of a surveillance mechanism.

I think the real concern here is imagining and working for a day when that kind of a standardization in medical record content exists, and the knowledge that that doc may not have about what is reportable, but you have, and others at CDC have. The rules can be written and they can be integrated into those clinical settings, and the actual submission of the observable data happens as a byproduct of routine care, not because somebody had to remember to be an astute clinician.

We would like everybody to be an astute clinician and to know all this, but I am just a little equally pessimistic about the chances of getting a truly halcyon day when everybody knows exactly what they should be reporting. I would much rather see really smart systems in place, properly integrated into a seamless public health environment.

MR. HAUER: I couldn't agree with you more. I am the eternal optimist on things like this. I actually believe that one day, we will have -- I have been looking at some of what they are doing in ICUs, where residents are now doing all their notes on the hand-held devices. I believe that you can train those things to capture certain key words, certain prescribing patterns, certain drugs that are prescribed in the ICU and the ER, so the ER doc, the nurse, does not have to do anything other than do their notes, and the computer will capture what is necessary, and we will get what we need passively without them having to do any additional entry.

I agree with you. I think we will be there one day. I am also a realist. I tried for a number of years to get the 59 ERs, the 911 receiving ERs in New York City, and it was very difficult. We had a great relationship with the Greater New York Hospital Association. We were able to put a data mining system in place. But when I went to good friends, like Lou Goldfrank at Bellevue and said to Lou, we would like to do some additional capture of data, the reality was, we were not going to get interns and residents to fill out more paper. We were not going to get them to do additional data entry into computers.

So we have to be smarter and figure out how to use what is there. As technology evolves, I think it will be easier to do. I think we just need to insure that we were ready for capturing that data, because the data will be presented to us.

DR. SHORTLIFFE: I think if we can agree that that vision is where we know we ultimately want to be --

MR. HAUER: No question.

DR. SHORTLIFFE: -- and be working towards that, while at the same time we try to cope pragmatically in the short term.

I am as aware as you are that it is going to be very hard to get incremental data entry manually by busy clinicians. On the other hand, except for when they actually miss that anthrax lesion, it never gets reported at all. An awful lot of the asyndomic information that would be valuable is being recorded somehow today.

MR. HAUER: Agreed.

DR. SHORTLIFFE: And if only we could capture it. We have no experience yet anywhere in capturing this and doing the surveillance as a purely secondary byproduct of routine data collection, except in the most limited kinds of examples like maybe an occasional IC or what have you.

MR. HAUER: We had a data mining system in New York where we captured data, but there is a lot of question about the value of some of those systems. Al Selikov out at Sandia and I have had this debate for five years, about syndromic versus data mining and what will work.

We just need to look at it and figure out what does work. There has not been a good study to see which of these systems is going to work. That is what you were alluding to, is figuring out what it is we need. We are going down this path of capturing data, and this is where D.A. and I have this debate. D.A. was a dean when I was a graduate student at Hopkins, so I always have to defer to him, but he keeps saying that it is not going to narrow the window between clandestine release and when we recognize that we have -- it is going to be the astute physician and not data.

But we are going down this path with capturing a lot of data. I disagree with him respectfully, but I think we need to validate that our thinking is correct on this. So I think we have got some homework to do.


DR. LOONSK: We agree entirely with the approach of getting primary use clinical data as the opportunity, and that there is still a lot of work to do in the detection realm. But I would again like to re-emphasize the fact that a lot of these data exchanges and a lot of the data that need to be managed in the case of a bioterrorism event are not in the detection realm. The standards for them are well identified, the specifications internal to those standards are available to us, and if we develop further momentum on exchanging those, I think we have made tremendous headway in the short term in this regard.

DR. LUMPKIN: I think at this point we need to move on. Let me just make a brief comment. Jerry started out with his presentation, talking about the fact that in the past, sometimes preparedness money has bought really good toys that have not developed a system. I think that we as a committee share the concern.

We recognize that appropriate and wise investment in developing a public health infrastructure will have implications far beyond preparedness, but also to day to day work dealing with infectious diseases, coordinating clinical services and so forth, as well as quality. We talk about syndromic surveillance; one of the key issues in dealing with quality is being able to measure and identify at the point of services delivered, rather than three or four weeks later that quality service is being delivered. So I think that this is an investment that is wise for the nation.

I would like to pose to the committee perhaps where we ought to go from this discussion. I wonder, given the time frames, if perhaps we ought to generate a letter to the Secretary, making some recommendations. Perhaps we can do a work group to come up with a draft for it tomorrow, but something along the lines that would encourage first of all that the standards -- because I can tell you, knowing myself and other colleagues, that if they are not mandated, they won't be followed. The issue of the role of CDC in enhanced standard development and support for them to do that development, which we think needs to be done at a tighter time frame, the ability of CDC to do testing as well as technical assistance.

I think those four concepts have come out. If there are others, then if you will share with me and perhaps Dan and Simon and I can work in the breaks to put together a letter that we will bring back to the committee tomorrow, if that is agreeable.

I would like to thank the panel. Obviously it generated a lot of discussion. We probably will want to not only offer to all of you our committee and any advice that we can give you in relation to this as things develop, but also that we will want to follow this issue fairly closely, either at our next meeting or at the subsequent meeting to keep abreast of what is happening in this very important development. Thank you very much for coming.

We now have a lunch break.

(The meeting recessed for lunch at 12:15 p.m., to reconvene at 1:00 p.m.)

A F T E R N O O N S E S S I O N (1:00 p.m.)

DR. LUMPKIN: We are running a little bit behind on our afternoon schedule, but Richard has assured me that we will make up some time in our 2 o'clock scheduled item. I think that is because he hasn't been committee chair bringing up privacy letters before. But hopefully we will be able to accomplish that.

We have in front of us a panel on the PKI. This has been an ongoing series as we have monitored this technology. Why don't we ask the panel if you would mind -- starting with Glen -- introduce yourself?

MR. MARSHALL: I am Glen Marshall. I am here from Siemens Health Services. I am also the co-chair for HL7's security and accountability section.

MS. TUCCI-KAUFHOLD: My name is Ruth Tucci-Kaufhold from UNISYS Corporation and also task leader and NCPDP for e-signatures and data security.

MS. GILBERTSON: Lynne Gilbertson from the National Council of Prescription Drug Programs. I am the director of standards development for the organization.

MR. MC FAUL: Andy McFaul with DEA Office of Diversion Control. I am the chief of regulatory drafting and basically one of the principals on the development of our e-commerce initiatives.

MR. BRUCK: My name is Steve Bruck. I am with PEC Solutions. I am the project manager for PEC's support for DEA's electronic commerce initiatives.

MS. REED-FOURQUET: Lori Reed-Fourquet. I am with e-Health Signs Consulting. I am the vice chair of e31.20 from the ASTM on health information. I am also the U.S. delegate to ICO 2C215, health care informatics working group four, which is health information security, through which we have just competed the ISO standard for health care PKI.

DR. LUMPKIN: We also have on the telephone Kepa. Would you introduce yourself?

DR. ZUBELDIA: I am Kepa Zubeldia, member of the subcommittee.


MR. MARSHALL: I have introduced myself, Glen Marshall. I am currently with Siemens, and have been in health care IT for my entire career, which is now 35 years.

For today's testimony, I was asked to provide information about what sort of transactions would be amenable to the health care public key infrastructure, or PKI. In general, PKI is about managing records of identities of people who participate in health care, enabling them to digitally sign it. It is also about reducing health care administrative costs, improving efficiencies, and lowering the risk of medical fraud and abuse.

My testimony will not dive into the technical details. What I am going to describe today is well within the reach of current standards and technology, however.

PKI technology supports automation of the processes to reliably identify participants in health care and to maintain authenticity for those identities over time.

The primary data from this are called digital identity certificates. These certificates enable participants to receive encrypted data, and also electronic signatures with the attributes of authenticity, integrity and non-repudiation. It is quite possible to provide any one of these signature attributes or even two of them at the same time with the technologies other than digital signatures. By that, I mean X.509 compliance signatures, but you can't do all three at the same time without the digital signatures.

In health care, PKI technology can provide significant benefits in three categories of transactions: messages where the data has a relatively short value over time, for example, paying a bill, persistent data where the data have long term value, for example, medical records, and third is credentialling, where the data are security relevant and can impact the authenticity and integrity and attributes of other non-repudiatable data.

The message in case is perhaps the simplest. It is analogous to how we use bank checks. When we write the check, assuring appropriate safeguards are taken to prevent forgery, the results are as a document that is authenticated by signature, has integrity due to the anti-forgery measures, and when the bank clears it, it cannot be repudiated. The bank can rely on this and pay funds accordingly. The receipt of a cancelled check completes the message as it communicates, receives the check, and serves as evidence that the payment cannot be repudiated. The value of the cancelled check diminishes over time and can eventually be safely discarded.

In a PKI enabled environment, when entry transactions are essentially paperless, there is direct and even more secure electronic equivalence for every element of the paper-based manual transaction. Digital signatures are virtually impossible to forge. The data's integrity is bound to signatures in a manner that enables -- that it is virtually impossible to duplicate, and non-repudiation is as strong as the signatures.

PKI technology also enables public key cryptography. Electronic records in a PKI enabled environment have reliable security, can be communicated simply, far quicker and less expensively than the paper equivalents. Participants in the electronic record use well established and ubiquitous standards, so the technology is not a significant entry barrier. It is easy to rebut offerability among the partners.

The rapid growth of e-commerce and electronic banking attest to the benefits of a PKI secure transaction environment. Financial health care transactions can achieve comparable benefits. On the other hand, if health care financial transactions do not employ standard digital signatures, and lack the opportunity to use PKI based cryptography, assuring their authenticity, integrity and non-repudiatability and confidentiality, interoperability becomes more expensive and complex than necessary.

I would assert that the HIPAA transaction standards are incomplete, especially for low volume small providers and their trading partners without the option to use PKI enabled environments.

It is worth noting here that the security of digitally signed data is also as strong as the signer's ability to protect access to the digital certificates, and as strong as the PKI's authentication policies to prevent credentials being issued to imposters. A person who is careless with access to a digital certificate or a PKI which does not require strong proof of identity seriously weakens security. This is true for all uses of PKI technology and digital signatures. As with all security, the human element remains quite important.

What PKI provides is a structure for increased speed, lower cost for reducing the varieties of opportunities for human fallibility, as compared to paper based or semi-automated alternatives.

The persistent data case is perhaps more complex. In health care, the best analogy is a medical record entry, let's say a lab test. First comes an order for the test which identifies the patient and the test to be performed. It has an indication for the medical purpose for the test. It is signed by an authorized person.

When a sample is collected, it is loaded with the patient's identification. Next, the lab technician, perhaps using automated test equipment, performs the test and provides the result. Finally, a person who ordered the test or another authorized person reviews and lab report and may annotate and sign it. All of the documents, the order, test result and annotation, may be stapled together or made a part of a single electronic record and then placed in the patient's medical record.

The value of this medical record entry is highly persistent over time. For example, when a payor wants evidence of a medical necessity, a proof that a test was performed, the contents of the medical record provide this data. It is certainly valuable to provide baseline data for subsequent medical acts, and it may be used as a reliable evidence for legal actions.

However, in the medical records case as described, authentication is only as secure as the health care provider's ability to prevent forgery. Integrity is as secure as the provider's ability to prevent alteration or destruction of the data over time. Non-reputability is as secure as the provider's ability to detect forgery, data alteration and data destruction. When the data is exported from under the umbrella of a provider's security practices, it loses these attributes.

That is a lot of what-if qualification, and it represents significant opportunities for medical fraud and abuse. In a PKI enabled environment, each step of the process can be electronic and digitally signed. A possible implementation would be a chain of countersigned documents, so that each part of the document is signed, each documented step in the process refers to its predecessor, and the references themselves are signed. The result would be an electronic document in which a complete record of the chain of events is given authentication, integrity and non-reputability.

The data can be supported outside of the provider's environment without losing these attributes. This provides key enabling elements for a portable, reliable electronic health record that can reduce the cost, complexity and latency of paper based manual records.

Credentialling, the last case, is a significant business activity for health care providers. The objective is a directorate of reliably identified people who can then be granted permissions to perform professional duties, create and access data, and interact with fellow professionals.

It involves a lot of communication as well as licensing and accrediting authorities to verify the credentials of the professional staff. This includes periodically refreshing the data to determine, for example, that credentials are still current. It also includes monitoring various data sources to quickly know when

professional credentials have been revoked.

The form that the inter-editing messages take is variable, so it takes a goodly amount of administrative knowhow, persistence and attention to detail to perform this job adequately.

In a PKI enabled environment, the credentialling task can be simplified, streamlined and made intrinsically more reliable. The first element is a rigorous and consistently applied set of policies for establishing and verifying a person's identity. In health care credentialling, this may require a formal process in which for example a person provides at least two independent forms of identification in person.

Based on this proof of identity, a digital identify certificate is created, and is digitally signed by the PKI administrator, attesting to the person's identity. The validity of the certificate can then be made known electronically to health care security administrators, who given that they trust the PKI administrator, can rely on it. The person who has the certificate can present it via a variety of technologies for authentication and digitally sign any messages and data.

Finally, if other people want to communicate securely with a certificate holder, they can use the public key encryption associated with the certificate to send in messages.

Recently published updates to the underlying technical standards for PKI enable the creation, communication and administration of a person's permissions. The data for this are called attribute certificates. Essentially, an attribute certificate is a digitally signed reference to an identity certificate. The person or organization that creates an attribute certificate thus associates data access or other types of permissions with the person who holds the identity certificate, presuming of course that the identity is created with a level of assurance that is acceptable to the attribute issuing authority.

For example, if you have a well assured identity certificate, a professional licensing board can issue an attribute certificate that says you are licensed. I suggest a more specific possibility is for the DEA to issue attribute certificates for electronic prescription writing credentials.

With PKI technology, credentials that are created can also be easily revoked. Also, if the underlying identity certificate expires or is revoked, it revokes any attribute certificates. Alternatively, the validity of an identity or attribute certificate can be queried online if immediate and current verification is required by the health care provider.

With recently published updates, we now have a structure in which to avoid the cost, complexity and added security risk of issuing multiple uncoordinated identity certificates to an individual. We also have a framework in which to equitably share the cost of PKI technology among those who will benefit from it. Thus, some significant barriers to acceptance of PKI technology in the health care provider community are now lowered.

All of the foregoing is standardized, provides a framework for a web of trust among trading partners, enables electronic communication of professional identities and attributes. The level of automation in the PKI enables accurate credentialling to be expanded to cover health care employees, business associates, automated equipment and even patients, bringing even more cost, complexity and latency out of our health care delivery systems, while providing greater assurance of privacy and security.

Much of what I have described is available and widely used today. It is a fundamental part of the transaction security for both sellers and buyers in e-commerce. In addition, there is significant and growing experiment in the health care information technology community to implement PKI technology to simplify and improve the security of their computer uses of identification and authentication.

The key X.509 standard update for attribute certificates has been published. ISO-TC215 has approved the health care PKI framework technical standard. In addition, there are two essential ingredients needed. First, a standard framework for health care PKI needs to be affirmed for HIPAA conferment use. This will provide clear regulatory recognition with a compliance date for PKI enabled encryption and digital signatures to be used for health care transactions.

Second, support for digital attribute certificates, making them as simple to use and manage as digital identity certificates, needs widespread implementation in commercial off the shelf products. I believe this follows naturally from HIPAA regulatory action just mentioned.

I hope my testimony here today has served to help move forward the objective of implementing PKI enabled health care transactions. Thank you.

DR. LUMPKIN: Thank you. Ruth?

DR. GILBERTSON: Ruth and I are tag-teaming, so this is Lynne Gilbertson from NCPDP. I will be going first, and then Ruth will follow.

NCPDP is grateful for the opportunity to address the National Committee on Vital and Health Statistics. To give you a little bit of an overview, in January of 2001, NCPDP was notified that Glen Marshall would be leading an SDO signature/security endeavor. The following work products were noted in the original information: define a scope and a project plan, consider EDIINT A2, ASTM E1762 and E2084, S-MIME version three, and XMLd-sig, develop use cases, ballots by SDOs if necessary, develop implementation guides for IP and non-IP implementations, vendor enrollment, ASTM E31.24 cooperation, ASTM E31.17 cooperation and involvement of other SDOs. I think that is where we came in.

NCPDP work group 12, data security and patient confidentiality, was charged to evaluate and participate in this activity. The work group formed a task group, led by Ruth Tucci-Kaufhold of UNISYS, which consists of providers, software vendors, health plans, payors, physician software vendors and other interested parties.

By March, documentation was coming out of the multi-SDO digital signature project via a listserv. At this time, NCPDP members began participating in conference call discussions with other members of the project. Since this area was new for some of the participants, Glen Marshall, project leader, provided helpful insight via email and conference calls to answer participants' questions.

NCPDP's task group, working as part of Glen's larger group, was tasked to answer the question of, what health care business cases might need electronic signatures. NCPDP understood that there was a parallel effort to define how would electronic signatures work in health care.

NCPDP members began working on a use cases document. This document, White Paper for the Multi-SDO Electronic Signature Project, is attached in your packet. Please recognize that this document is still considered draft, because there were quite a few questions still unanswered. We found that without truly understanding how certification and validating electronic signatures might work, and how you might convert a paper process today to use electronic signatures, it was hard to envision the process steps.

The participants created the use cases from a brainstorming perspective of how might the signatures be used. Some of the business cases do not exist electronically at this point, so the actual technical application was only a guess.

The members very strongly recommended that for currently transmitted transactions on direct connection/closed networks such as current usage of VISA protocol dial-up, lease lines, frame relays, et cetera, the digital signature does not appear to have a business case.

Examples of the transaction that are being communicated today without the signature are billing for claims, electronic prescriptions and eligibilities.

Since NCPDP submitted the white paper to the project, we have had no further updates or tasks from the lead team via the listserv. We look forward to hearing any updates that are available.

MS. TUCCI-KAUFHOLD: I am just going to highlight a few of the use cases that we found in our project when we started defining how pharmacy would use a digital signature in their current processes.

In our brainstorming sessions, we went ahead and threw everything out on the table and decided to classify them. The rankings are one for immediate use, if we could employ digital signatures today, where would we do that; moderate benefit, if the cost was a factor here, what would be the benefit on that, and then future benefits. We just decided to have three categories that we would look at.

Some of the ranking one possibilities for immediate use included requests for new prescription and/or refill from a prescriber to a pharmacy, prescription change when performed over the Internet. Another one was the process of credentialling. Pharmacy prescribers, including all technicians and assistants, how would those processes be defined and how would we credential, credential verification inquiry, enrollment from a pharmacy to a health plan, i.e., Medicare-Medicaid enrollment, currently what we do today with pharmacies and all of the other people associated with those entities.

A ranking two possibility included pharmacy transmitting method control substance reporting via the Internet to a regulatory agency or clearinghouse. Ranking three possibilities included patient-consumer requesting information from a pharmacist or prescriber, i.e., the email, fill out a form on the websites and so forth, transfer of a prescription from one pharmacy to a second pharmacy over the Internet, either retail or hospital to home care, et cetera, requests from pharmacy to prescriber for identifier such as a DEA number, UPIN, a Medicaid provider number, state license number, obtaining formulary lists.

Some of the questions that remain to be answered with the industry's participation included, how does a participant keep up with the number of certificate authorities that could be used, how many revocation lists and how often are they updated, how does electronic signature really work in the environments that are transmitting online real time transactions in seconds. The model of the current PC environment with email did not appear to fit the real-time transaction model; can you continue the business model use in real time transactions, or does the environment severely change the processing in place.

So from this exercise, NCPDP participants learned there is much more to be learned. An important element of this process is the education, not only from the technical perspective, but also from the operational perspective.

We thank you again for this opportunity to testify.

DR. LUMPKIN: Andrew?

MR. MC FAUL: Andy McFaul with DEA again, to go over our experiences and history to this point with our electronic commerce initiatives.

Essentially, we have two separate initiatives that we instituted, in part on the invitation or request of the pharmaceutical industry, that being principally from the pharmacy industry, with also a strong interest expressed by the wholesale industry to, I believe as they put it, drag ourselves out of the regulatory stone age and into modern electronic age, and also recognizing a current big push in the federal government for recognition of electronic commerce and utilization of some of the new technologies that are available.

We have two key initiatives that we are working on, electronic prescriptions for controlled substances, what we refer to as EPCS. There, we are dealing with approximately a million active DEA prescriber registrations that we currently have, and the current estimates over the next couple of years are something in the region of probably 500 to 600 million controlled substances prescriptions being issued each year.

The other project is our controlled substances ordering system, essentially an electronic alternative to the present DEA Form 222 paper order forms for schedule one and two controlled substances.

What we anticipated and certainly what the industry wanted was a more efficient means to do things, in terms of improving health care efficiency, reducing medical mistakes, reducing prescription forgeries and basically reducing overall costs.

One key point that we do like to stress is that our projects and the electronic systems that we do develop will be an alternative, an additional means of accomplishing the required function, as opposed to a mandatory means. The original forms of prescribing or ordering will also remain in place.

Basically, one thing we had to deal with is the fact that whatever the efforts to work cooperatively with the pharmaceutical or controlled substances industry to maintain cooperative programs for accountability of controlled substances, the final result is, we are a law enforcement agency, so certainly in considering any type of systems that we would adopt, we had to take ultimately from that perspective.

So the principal issues that we had to deal with are pretty much standard, authentication, non-repudiation, transaction and record integrity, but from the perspective of legal admissibility in terms of legal action being taken against participants within the system. That includes administrative, civil and where necessary, criminal action. So certainly we have to look for the highest possible standard to insure we did not compromise our primary mandate.

In looking at the different technologies, what we did find was ultimately that PKI as was earlier mentioned was the only system currently identified which provided assurances in all three areas. For us, one of the key issues, authentication, we have a regulatory requirement and a responsibility that we release on the pharmacy industry and specifically on the pharmacists that in filling prescriptions, they have a corresponding liability to insure that the prescription they receive is valid, it is from an appropriately authorized individual, and it is issued for a legitimate medical purpose.

As far as the authentication of the individual and their authority to issue a prescription, PKI with its strong authentication capability will take care of and satisfy the pharmacists' corresponding liability as far as the issues of who issued the scrip and were they authorized to do so. From there, the only remaining liability on their part would be any issue of whether or not there was something with that prescription or that circumstance that might indicate there was not an appropriate medical reason for the issuance of that prescription.

Key to our specific legal mandate as far as being a law enforcement agency, the big issues were non-repudiation, the ability for us to tie to an individual prescriber the action that is being order, the dispensing of controlled substances. With PKI, we have a circumstance coupled with some additional security provisions that we would require, specifically that the private key be stored, the signing key be stored on some form of secure token, and we are currently looking at proposing biometric access controls to get to that signing key. That would put the practitioner in the position of not being able to deny having signed the scrip without otherwise incriminating themselves by admitting that they provided others access to the signing key and thus the authority to actually issue prescriptions, which in itself would be a specific violation of the law and would be basically, damned if you do, damned if you don't type situation.

Also an important factor, this is something that we are in a little bit of a gray area with respect to e-sign, the electronic signatures and global and national commerce act. We have a position presently that we are not subject with the CSA required transactions to the specific provisions of that piece of legislation. However, there remains some discussion with OMB as to a final clearance on that.

But whether we are subject to e-sign or not, e-sign does provide that while you cannot invalidate a transaction based solely on its being signed electronically, federal agencies do have the authority to establish standards with respect to the issue of record integrity.

That is a critical element within our program also, because without specific assurance of record integrity, the issue of non-repudiation comes into question. The practitioner may not be able to deny signing a specific prescription; however, absent assurance of record integrity, they can repudiate the specific document with which they are presented. They can say, yes, I signed that, however that is not the original document that I signed. It has been altered following signature.

So from our perspective, one of the key elements in the system is assuring the record integrity, and PKI at this point is the one technology we see with the document summaries and the ability to generate those both at signing and at any time following signing, allows us that specific assurance that the document has or has not been tampered with following signature.

Given the number of registrants that we are dealing with, a million or more, and potentially a somewhat higher number since we will allow hospitals and other appropriately authorized institutions to delegate the use of their DEA number to staff doctors, et cetera, for prescribing purposes, we did not want to get directly involved in the issuance directly of the certificates.

So we are currently planning the establishment of a hierarchical PKI, in which DEA will set the standards through a root CA, and then simply let the industry forces drive who actually will end up issuing the certificates themselves through establishment of subordinate CAs.

This type of system is critical to DEA because with respect to the identity authentication and credentialling of the actual certificate holders, we must remain in direct influence over the issuance of the certificates. We see that through the use of the root and actual subordinate CAs that are certified by the root.

As far as the core policy provisions, probably a couple of the most important areas on identification and credentialling. We do have the benefit of operating within a closed system, so we already know who the participants will be through the fact that they will be DEA registrants. So the issue of credentialling will already have been dealt with prior to the issue of actually providing certificates to the participants.

We will require -- we are currently proposing a written application with photo identification and appearance before a public notary, personal appearance, for notarization of the application, and the one additional element that gives us a further level of assurance is, with the application will have to come an actual copy of the DEA registration certificate for the applicant. In large part, for us the issue of identity is solved or authentication of identity is solved through the fact that the individual applicants' credentialling, which extends not only to the issuance of the DEA registration, but also that registration is predicated on the individual being appropriately licensed by the state in which they practice, so we have a long chain of licensing and registration processes during which the identity has to be confirmed. At that point, it is simply furnishing proof of that, that gives us the principal authentication of the identity.

Operational requirements. We will have a revocation grace period of six hours, during which if there is any following discovery of compromise of the certificate or the private signing key, there is a six hour grace period in which the certificate holder is responsible to report to the certifying authority of the compromise and request revocation.

CRL issuance we will require every four hours, and as part of any system of verification in processing digitally signed transactions, the full CRL and authentication checking will be a mandatory part of any system.

Additionally, as I had mentioned earlier, we will be looking to require storage of the private signing key on a token, at this point, it is anticipated most likely a smart card, and use of a biometric access control to authorize access to the private key, thus tying any issue of signing specifically to the physical person to whom the certificate was issued.

To the extent possible, the system has been designed to be application neutral. We do not mandate the use of any standards. Simply any standard to which the digital PKI process can be adapted can be utilized there. It is our understanding that a number of the organizations are already working on adopting the standards.

Our requirement is very simply, the electronic prescription must be digitally signed using the certificate issued by a DEA recognized certifying authority, and the pharmacy must take the appropriate mandated steps to validate that.

That pretty much sums it up. I'll pass it on. I believe Steve had a couple of comments to address certain technical issues here.

MR. BRUCK: I would just take a moment to give you a contractor's perspective on delivering the PKI.

I would start off by saying we would agree with Glen that by and large, PKI technology is here today. I would also say that early on, we did take a look at attribute certificates. They do like like the type of certificate that would be very useful in this environment. I think we came to the same conclusion, that we didn't see a lot of widespread commercial implementation of that technology, and so it is something that we continue to monitor.

In terms of developing a PKI, I don't think it is difficult; I think it is complicated. What you find is a number of different areas that are highly interrelated. You have the technology angle, you have the policy angle, and you have an accreditation angle that you need to work in parallel. To be successful you do need to work them in parallel, because you may find that technically, you are not able to meet a policy provision, or that your policy provisions need a change, depending on your application.

So from the very beginning, what we have tried to do is stay very focused on the mission that DEA has given us, which is to make sure that we can PKI enable electronic prescriptions for controlled substances. From the start, we have given policy a front seat in terms of what we devote our attention to. That drives technology. We also have engaged industry from the very beginning, making sure that we have as much input from industry associations, individual practitioners, corporations that all have a stake in the outcome of this effort.

We have held these meetings and will continue to hold them, so that is a very high level perspective on delivering it, but I think policy is very important in making sure that you end up with something that matches the mission or the business need.

DR. LUMPKIN: Thank you. Lori?

MS. REED-FOURQUET: I am going to talk about the policies surrounding PKIs that we would need to support the digital signatures required in health care.

As I indicated, I am the vice chair of ASTM E31.20. In that standards group we have a near final version of the health care model policy, which is intended to guide the health care PKI policies, and we have the privilege management infrastructure, which touches upon attribute certificates.

I am also the U.S. technical representative and co-author of the health care PKI document coming out of ISO. The document public key infrastructure for secure exchange of health information across national boundaries is a three-part document. It has taken a few years to put together. It involved quite a number of nations around the world who are grappling with very similar issues as to how do we secure our health care transactions using PKI.

Just a few other scenarios as to where we would use digital signature in health care. We would use it under attestation scenarios such as consent four access to records, whether it be a patient or an agent for the patient. We would do it for medical record content accuracy, authorization for things such as prescriptions, patient referrals, medical orders and for devices. We may have devices which are applying signatures to their measurements.

The security risks in a PKI are a few fold. Identity fraud, which would be the ability to trick the DEA into issuing a certificate to the wrong person. This might be done during the registration process, by misrepresenting yourself to the CA, within the CA management, such as bribing the staff, within the CA hardware-software, hacking at the machine and forcing it to sign a certificate for you, or forging a signature. So we need to be able to protect the CA signing key.

Credential fraud. That means, fool the CA into attesting to the wrong credentials and stolen identities. So once an individual is given a key, they must protect that key. So the protection of the private key is incorporated into our certificate policies, and user education as to why they should not be sharing those keys.

The requirements for the PKI also include objectives of meeting the reliable secure binding of unique and distinguished names to the subject. We can't be representing multiple people under a common name. Professional roles of the health care subject. What we have distinguished in the health care that is not typical of other PKI activities is that we want to bind the professional health care role to the individual's professional certificate. This insures the health care context. Attributes when used; we need to make sure that they are securely bound.

We need a high level of assurance within the infrastructure. The infrastructure has to be highly available, because we are using this for health care purposes, and high level of trust, and it must be compatible over the Internet, across multiple jurisdictions. We need to be able to facilitate the evaluation and comparisons of certificate policies. So when we have multiple PKIs that are popping up that we can compare them and certify across those PKIs.

What we have defined in ISO are a number of policy types. We have the public key certificates which would include cross-bridging certificates between certificate authorities, certification authority certificates and endentity certificates, which I will describe as, the details of individuals and organizations would have devices and applications as endentities. We also have attribute certificates.

Individuals. Regulated health care professionals, doctors, nurses, those that carry -- in our country we call it licensing; in other countries, licenses mean something else. But those are regulated by the government to practice medicine.

We have the health care employee who also must carry a health care certificate, a medical record clerk, for instance. Non-regulated sponsored health care professionals. These are folks that are practicing medicine; in some places they might be regulated, in some places they may not. Midwives, social workers are subject to different licensing.

Supporting organization employees, so the insurance claim processing clerk needs to have representation in the PKI. Consumers. We allow for anonymous consumers and identified consumers. There was a great push to be able to keep an individual who wants to sign up for Internet services as an anonymous individual. We don't care who you are, as long as you are the same individual who comes into the service time after time, as opposed to being able to specifically identify the patient of a specific medical record number, coming into your organization that time after time is given tracked treatment.

Organizations. We have regulated health care organizations such as the pharmacy and supporting health care organizations, those that do business with health care that need to be trusted within that domain.

We also have multiple assurance levels. Part of the reason for this -- we call it high grade-low grade. The nomenclature is unimportant, but the high grade is what our goal is. In the European nations, it is what is required. It is minimally stored on a token. In Europe they have what they call a qualified certificate, which binds that non-repudiable signature to some legal framework for which they are issuing the certificates. Again, it is a minimal requirement in most European nations.

Low grade was somewhat of a compromise. There is no token required, and we do this so that we can enable the introduction of the technology without having excessive expenses for those nations that cannot afford to participate.

Separate keys is another important component. We have the encryption key. This enables you to back up your key. In case you lose your key, you can recover encrypted data. The long term storage of medical records; we need to be able to track that information, although we want to keep it private. So recoverability is very important in health care.

Key escrow. If you have an employee who leaves your organization and doesn't surrender their key upon termination, you need to be able to access the information about the patients that that employee touched.

Alternatives to doing that. There are other technologies around the key escrow component, but we separate the keys to enable it.

The shining key shall not be escrowed. We need to be able to insure the integrity of the individual's signature. If we allow backup of that key, you would compromise the trustworthiness of that signature.

Authenticating your organization's identity. We have got supporting organizations or persons acting on behalf of them. The proof that they must provide is to prevent evidence of their existence in health care role by presenting their government-issued documentation verified by registration authority. The registration shall verify the representative's authority to act in the name of the organization, so that the organization is validated on the individual's authority to act on their behalf.

For the individual's identity, we have the same proof as required to issue a passport, is recommended. Through ISO we had to back down off of the requirement to enable the introduction of the technology, but we highly recommend an in-person registration, face to face, demonstrating a government-issued photo ID and some secondary form of identification.

There is also the concept of active in the community test. This was put forth by the Australian community. They wanted something such as a telephone, a bill or something to demonstrate that you are a real person in the community.

We took that concept and we said we wanted to demonstrate active in the health care community, which is really what you do when you demonstrate your license. So regulated professionals shall present proof of their professional credentials established by the regulatory or accrediting body in their jurisdiction. Non-regulated professionals or sponsored providers would present sponsorship or employment proof of the health care organization that binds them to the health care world. Supporting organization employees provide proof of employment by the supporting health care organization.

Security controls are primarily referencing ISO standard 17799, previously known as BS 7799. This is the standard against which most of the auditing companies are already conducting their audits, physical controls, procedural controls, personnel controls, network controls, cryptographic module, engineering, repository management, security audit and records archive.

Qualified certificates. They identify a person with high level assurance for a legal recognition of an electronic signature. There is a standard, IATF RSC 3039, which describes the full use and technical details behind it.

It is recommended for the regulated health care professionals and non-regulated health care employees. Again, we use recommended because in Europe it is required. In other countries, they don't have the framework with which to make this take place.

It is optionally asserted therefore as a qualified certificate extension. It is being written into many of the European digital signature laws, and in the absence of the legal criteria, it is inappropriate to use the extension.

The health care role extension will have as a goal to have a single extension enabling the assertion of the health care profession, of any regulatory identifiers associated with them, any professional identifiers, consumer identifiers, employee roles. By creating that common extension for health care, we can include the information and certificate to which we are attesting, which is that health care identifier and license, and simplify those who need to parse this. There is a standard by which those supporting health care can parse the certificate to retrieve that data.

Attribute certificates were recognized as a goal for the assertion of authorization information and volatile information, information which changes frequently. The details for that in the ISO document are abstracted from work in the United States on ASTM privileged managed key infrastructure. There are no management specifications in the document due to the immature testing and deployment stages of the attribute certificates at the time that this was written.

So we do have strong policies. We need strong policies for the support of digital signatures in health care. We have standards for such policies defined at this point, and the standards are health care specific, based upon well-established international technology standards for X.509 certificates and security management. With those policies we can establish a trustworthy infrastructure to enable digital signatures for health care.

DR. LUMPKIN: Thank you. I think we have time for a few questions. Maybe I can start off with one. I have been trying to keep track.

It seems to me that I would end up with a personal certificate for my own health care and a token, a professional certificate and a token, and then if my parents' caregivers or guardian or medical decision makers, I would have a separate certificate and potentially a token. Then I would have my financial token, and because I am on the CDC system, I have the CDC token.

I think I now have CAs at least, and five tokens. It is like keys. I only have four keys. Is that a correct conclusion, looking at this? Kepa?

DR. ZUBELDIA: A problem that I am having is that it is very difficult to hear on the telephone. The Internet feed is like one minute behind.

DR. LUMPKIN: But Kepa, we can't tell the difference.

DR. ZUBELDIA: I am unable to participate interactively with the telephone.


DR. FOURCROY: In an attempt to answer your question, this is one of the reasons we want to start to assert attribute certificates. We would like to have one base identity certificate and complement it with the attribute certificates, which may be managed through different sources. That way, the attribute certificate is pointing to your base certificate.

What we said minimally in health care at this point, in the absence of that, we have at least one binding to your health care profession. Whether or not you can use an individual certificate to be somebody's guardian, that is to be seen in the implementation.

DR. MC DONALD: For Kepa's benefit, I think you have to be about a foot from the microphone before you can hear, and those microphones aren't working for him. So everyone be sensitive to that.

DR. LUMPKIN: Let me follow up on that question then. The technology and the approach that we are proposing now, if right now we are talking about individual certificates for each attribute that you may have as a person, versus a single certificate with multiple attribute certificates, by implementing technology today, are we able to then migrate tomorrow to the new technology with the attribute certificates? I see heads shaking up and down.

MR. MARSHALL: Yes, you could do that. I think the imperative is to speed up the migration.

You have hit the nail on the head in terms of having the electronic key ring, if you will, and the inconvenience and annoyance of that. From a position of being a security professional, when I see somebody with five different passports, I begin to suspect there may be a problem. As a matter of fact, of late that has become a very noticeable type of thing we don't want to have.

So I don't want to perpetuate that electronically at all. Therefore, I do favor reducing the number of individual identity certificates down to one, and then use of attribute certificates to associate perhaps a more rapidly changing attribute such as licensure or other types of permissions with it.

I believe that we are fairly close to getting that structure. Frankly, what I think we need is a regulatory starting gun.

MR. MC FAUL: One other minor note in connection with this, I did not mention specifically during my presentation, but DEA certainly would not prohibit cross-agency use or other agencies' recognition of our certificates if there was a decision to do so.

DR. COHN: Andrew, thank you very much for your discussion about the DEA activities. I specifically want to thank you for your description of litigation strength digital signatures, which I think is about what we need.

Now, I had a couple of questions for you. In the presentations, I couldn't figure out whether what you were doing was planned or is actually happening in terms of your activity, just because I am a DEA provider, I haven't seen anything in the mail about being able to get PKI certificates. So I was wondering if this is planned or happening.

I was also trying to figure out if -- I get a little confused about standards versus implementation here, that is, is what you are doing consistent with what everybody else is talking about in the panel.

MR. MC FAUL: As far as the first question, it is planned. We are in the process of basically regulatory development. In fact, we should have included a slide on our diversion control website, which is dea.diversion, or many people see it as dead.iversion -- usdoj.gov.

Last Friday, we met with the principal prescriber groups, AMA, ADA, osteopathic, various mid-level and such groups, to discuss the current status of the project. Fortunately, the experience has been that it is not an issue of whether we should use PKI, but rather, how are we going to implement PKI.

One of the key issues being raised in that regard was the absence of any established infrastructure. Basically we are going to have to build the infrastructure at the same time we are building the system, from both ends of the coin.

I feel overall, I think all of us are in general agreement as far as, PKI is the answer. There are certainly some issues with the specific technical approaches and attribute certificates are one of those. I as Steve recognize that as something that will be part of an evolutionary process.

I think the key issue right now is -- and Steve always loves hearing this, we feel at least at DEA we have the electronic prescriptions that we can actually give PKI a way to be introduced and put into fairly wide-scale use. Then from there, we do anticipate seeing an evolution of the systems from there, and attribute certificates will deal with some of the concerns we at DEA have also had with how big a key chain do I need to have to deal with PKI in not only the health care world, but within daily life itself generally.

DR. LUMPKIN: Do you think this will help reduce drug errors, or is it a killer ap? Sorry. Clem.

DR. MC DONALD: I wanted to get two issues. I am hearing a very, very rosy sense of all this, and that is not the impression I have gotten from the world. I specifically wanted to ask Kepa if he or someone could figure out where the hard parts are in this.

The second part has to do with the DEA controls. I hope everyone is aware that at one time, we had these extremely fierce controls in narcotics. If you read the newspapers, it sometimes is laughable, because we worry about milligram doses coming through doctors' offices, and they come across the border in tons. So the intensity of the effort seems to be on the wrong side of it. But that is just an aside.

The second piece of it is, today by Joint Commission rules, we have to write every single visit, what the patient's pain level is, whether they come in for sneezing or whatever, and if it is greater than seven, write a note how we are dealing with it. It really translates into giving them narcotics, by and large.

So we have on the one side this rock that is squeezing on us, give everybody a lot of pain medicine, and on the other side saying, you are going to jump through a lot of hoops. I think we have to at least be sensitive that we are not getting strangled in a dead man's loop here that we are not going to be able to get out of.

DR. LUMPKIN: So that is the killer ap.

DR. MC DONALD: But this is not easy stuff, from my understanding, where are the problems and pitfalls and where we are going to fall on our face.

MR. MARSHALL: Actually, I won't get into what might be a killer ap or not, but I have spent an inordinate amount of time on the phone over the last two weeks, speaking with health care providers who would very much simply like to reduce their credentialling problems.

We are not talking about writing prescriptions, which is a very important application, but we are talking about the ability to electronically enable their institution for not only physicians, but the health care workers in their patient populations. When they think about having to manage that user population without some sort of an electronic assist, they stop dead in their tracks. I believe that it is a big roadblock.

With a ubiquitous PKI technology, we can address those things which basically are heavy cost elements in the system. We can go after some institutionalized costs today.

DR. LUMPKIN: Let me just add to that, that is a big issue for preparedness, a big question about individuals who are credentialed in one state and then move to another one in the event of a disaster, trying to verify those credentials.

DR. ZUBELDIA: I've got my hand raised.

DR. LUMPKIN: Kepa, you have to wave it a little bit higher for me, please. Go ahead.

DR. ZUBELDIA: Thank you, John. PKI is good. I don't think that anybody is going to argue that PKI is going to be horrible. It is a new component, but it is good.

What I am having trouble understanding is how we are going to actually make it work for health care for signatures. I understand how PKI can support encryption, authentication, non-repudiation and access control, all of that. But even with the DEA project, if there is not a standard signature, we may have some that are certificates, we may have some that are authentication mechanisms, a registration process, we may have a standard method of registration, but in 800 different -- let's say there is not 800, let's say there is only 20 of them. Are you going to implement the signatures different, even though they may all have the same attribute certificates, even if it was issued by the same certification authority, which I understand DEA is not going to issue those. If each one of those vendors implement a signature different, then the pharmacist is going to have to verify signatures with totally different methods.

There are electronic management vendors that send their systems to physicians and hospitals. There are probably over a thousand of those. If only ten percent of them decide to implement electronic signatures and there are 50 different systems with an electronic signature, how is the pharmacist going to keep track of how each signature is going to be verified? How is the DEA going to keep track of what type of signature mechanism each one of the pharmacists or wholesalers is using?

I am having a little bit of trouble understanding this, so I would like to hear Andy's reaction to how are you going to make this work, not just on the PKI side, but on the actual signature side?

DR. LUMPKIN: I saw a few heads shaking, so whoever wants to jump in on that, answer.

MR. MC FAUL: To begin with, and I'll let Steve jump in also here, basically from DEA's perspective, on the orders side, we will be the sole CA. So we will set the standard there specifically as the sole certificate provider.

On the pharmacy side, while we will not actually be issuing the certificates, we will basically dictate to the certifying authorities things like certificate profiles, and also basically subscriber standards, relying party standards, things of that sort.

Certainly within the pharmacy industry, we anticipate that simply as a matter of competitiveness and the ability to attract business -- and I know pharmacy is as cutthroat as any out there -- there is going to have to be a certain level of consistency that would have to be achieved there, but from the basic perspective, issues such as the type of signature, the profile of the certificate that is being used to sign, things like that, I think that we will be able to mandate a fairly high level of

consistency there.

DR. ZUBELDIA: Let me throw in some examples. In a prescription promotion PDP, there are security structures that can be applied to manufacturer's infraction, using something called 9735. Chapter 6 and 8 of 9735 specify how the signature would be applied to a manufacturer infraction.

X12 has something called X12.58 that specifies how the signatures can be applied to the pharmacist, that will also be used not just for prescriptions, but all things.

Then there is ADXML, or a multitude of XML signature mechanisms. There is ESMAN, PGP and some private X.509 extensions to the signatures. I am not talking about the certificates now, I am just talking about the signatures. Once we have a neutral structure that can issue certificates, we are going to to have to do something with it.

I'm afraid that laying the PKI tracks today is good, is positive, as long as there is a way to put engines on those tracks. I am afraid that we are laying PKI tracks without really understanding how the engines are going to run on those tracks.

MR. BRUCK: Kepa, can you hear me?


MR. BRUCK: In building the DEA PKI, the term that we like to use is that we are establishing the trust framework. I think your comment there goes to something that we see as well, which is a chicken or the egg scenario; which comes first, the health care application or the PKI public key infrastructure that will enable certain health care transactions which to date have been not allowed.

I know that I was in Orlando a year ago, when -- I know you were there at the X12 meeting, where I listened in. I understood that at that point, you guys were struggling with the same issue.

So rather than DEA define for you specifically how you build this animal, rather, DEA would limit its role to defining the performance standards, and give you as much flexibility as you can to meet those performance standards, without essentially building it for you.

MR. AUGUSTINE: Speaking for private industry, this is a tough pill to swallow. We have a task force in my company right now looking into electronic signature. We have a proprietary system for over 600 clinics and thousands of physicians. We looked into PKI and we looked into the two-level authorization, using the password and having the key card and whatnot, and decided on the latter. It was financially driven, without getting guidance from regulatory authority.

This paper in front of me from the Gardner Group was what was given to me. It says that through the end of 2003, the cost-benefit ratio of deploying PKI and issuing digital certificates to large populations of patients or physicians will remain favorable in almost all situations.

These type of papers are going around private industry, and that is what they are citing when they are balking at PKI right now, even though they are interested in the long term applications.

MR. MC FAUL: I think there was a question earlier about rosy predictions of PKI from the panel. But what you have seen in terms of reading the periodicals is otherwise.

My feeling on this is that to date, when people have set out to build a public key infrastructure, they have done exactly that. What they end up with at the end is an infrastructure. What happens in the real world is that folks don't buy infrastructure, they buy applications.

So after you have gone through this complicated process of building your policy, establishing the certificate authority, going through and getting accredited, if you have done all three of those, which in many cases people don't do all three, they probably just focus on technology and try to pick some low-hanging fruit, if you don't have an application at the very end, then you struggle with proving to your upper management that this whole effort was valuable, that you have been successful, and that you ought to continue.

PKI can be expensive. It is very complicated. I think what needs to happen more frequently is a partnership between not only infrastructure development, but application development.

I would also say that people aren't going to buy certificates, they are going to buy applications. So when a doctor consciously understands that he has five key pairs on that smart card or token or three pairs on that token, that should be transparent to that practitioner.

Safeguarding the private keys can be decoupled from how many private keys can be decoupled from where and how you store that information. So I am not arguing that we shouldn't be looking to simplify all of this; I'm just saying that there is a mission model here that needs to be applied and a return investment focus that needs to be attended to, to make sure that all of these rosy predictions end up making it into a real-world system.

DR. LUMPKIN: We have a comment from Lynne, a question from Simon, and then we are going to have to cut off.

DR. GILBERTSON: It sounds like we have quite a bit of buy-in in at least one technology, but we have operation issues. We have the business of running businesses. It is very important not only when you talk about how many tokens are on your ring, now a system -- when a pharmacy or let's say a doctor works with a metropolitan area, where they send prescriptions to 50 different pharmacies, they have to keep revocation lists or get access to revocation lists of who is good or who is bad at any moment in time. You multiply that.

It is very important, if we have got an infrastructure or we have got a technical solution, but we have to pay attention to the operational and making sure it works for business as well.

DR. LUMPKIN: I know Simon has a question, but I need to clarify one thing. Who is we? When you say, we have to take care of.

DR. GILBERTSON: We is all of us as health care professionals. We would be remiss if we recommend one train track and don't pay attention to what is running on that track.

DR. LUMPKIN: So you perceive -- what I am getting to is, one of the issues that always comes before the committee is, is this something that we are recommending that there be regulations filed by HHS, a new NPRM, or is this something that the committee ought to be monitoring, because it is going to be a private sector solution.

DR. GILBERTSON: At this point, I am aware of -- and I was not involved real heavily in either of them, but there were two initiatives that I was aware of that the health care industry was trying to do, having to do with interoperability. I don't know if either of them got off the ground.

If we don't have good models to go from, we can hypothesize or build environments like -- I understand where the DEA is headed, because they have a business need that they are addressing. But in some respects, that could be silo, because you are addressing the needs that you need, and somebody has to be out there doing it.

But I don't know how many initiatives we have seen that are across the health care environment and how can we recommend or even, heaven help us, mandate or regulate something that the industry hasn't seen as an active part of scribbling out a form and sending it via mail.


DR. ZUBELDIA: I'll give you an example of what could very easily happen with the DEA project. A company that is technologically advanced, that has thousands of pharmacies, could enter their certificates to a physician that prescribes to Wal-Mart pharmacies, and nobody else will be able to read those signatures or verify those signatures, because they are a proprietary scheme for Wal-Mart.

The same thing could happen for CDS and all the other pharmacy chains. They use proprietary schemes, and those prescriptions cannot be verified by a third party. We have the standard for signatures. We may have the best PKI in the world, but it won't be very useful.


DR. COHN: First of all, I really want to be thankful that we actually have Kepa taking the lead on digital signature. Kepa, thank you very much. You can hear this, can't you?

Having said that, I think that it is time -- we are not going to make a decision today about what is going on. This is more of an update. I think it is probably time for the subcommittee that has been working on this to go back and take another look at it, with the idea being that maybe there isn't a recommendation for a solution right now, but more that there may be some things that need to be done to move us in that direction.

Certainly I am very excited about what the DEA is doing. If they can produce something that they are willing to put a stamp on as being litigation-strength digital signature, I can't think of anything much more that I could hope for in my life. Actually, that is not true, but it would certainly be a wonderful thing that they would be standing behind in the Department of Justice.

However, on the other hand, this is on the drawing board, hasn't been tested, is still being developed. We have all seen rosy pictures of things to be, and it would be nice to deal with them a little bit. I think you need to be talking to everybody however, to figure out some way to leverage what is going on, as well as make this whole area a little more mature than it is right now.

So Kepa, I am hoping that out of this conversation that we will be able to schedule, maybe sometime this summer, a hearing to figure out what we ought to be doing and recommending

DR. ZUBELDIA: I hope that the DEA project is addressing some standards for signatures that could be voluntarily adopted by the industry, that would force the development of a PKI. But we hope the standards for signatures is going to help justify a PKI standard.

DR. LUMPKIN: Lori, last word.

DR. FOURCROY: The PKI signature standards aren't the issue. It is what we are wrapping up with the digital signature that is at issue. So the PKI technology can support the use of digital signatures. Now we have to figure out, when we package up the message, what we are packaging and where we are applying that signature, and whether the signature is part of the package or the signature is wrapping the package.

Yes, I agree, the joint SDO is a good place to do it, because we have activities in most of the SDO's addressing how do we deal with health care signatures.

DR. LUMPKIN: I would like to thank the panel. The subcommittee will be following this as a key task. We will be monitoring the development in this area; obviously it is an important one.

I will take to heart something that Steve said, that this is complicated but not difficult. I think maybe that is the way we need to approach it. Sometimes little steps which are not difficult steps, but when you look at all of them, it seems to be complicated. We want to work our way through it, because it is essential to maintain the kind of security and privacy we think ought to be in health care. Thank you very much for coming.

Simon, you're on.

DR. COHN: Speaking of digital signature, we have our PMRI recommendations letter for our first reading.

DR. LUMPKIN: I thought I have seen six or seven different versions of this letter.

DR. COHN: It is in Tab 6, for those who want to read along.

I guess before we starts doing this paragraph by paragraph, Jeff, do you want to make any opening comments about the PMRI letter?

MR. BLAIR: The only thing, for the benefit of the full committee, just a very concise position of how we got here.

What we are doing in this letter is, we are picking what Clem referred to as low-hanging fruit, which is the message format standards, and looking at those, which we could come to fairly ready agreement on. Other PMRI standards we will be looking at later.

We have gone through a process in doing this, where we developed criteria which were derived from the guiding principles, that were used originally for the financial administrative transactions and then modified for use with PMRI standards a year and a half ago.

We are also drawing upon a number of the recommendations from our PMRI report, which were issued to the Secretary in August of 2000. Some of those recommendations defined areas of incentives, HHS incentives to accelerate the development of certain standards, especially PMRI standards. So we call upon that within this letter on specific standards.

The other items that I think might be background for people to understand are kind of in the first page or two of the letter, where we wind up discussing the things we are trying to accomplish and the tilt towards using guidance rather than mandates.

So I think from here on, Simon, maybe you can lead us through it.

DR. COHN: Sure. John, do you want me just to read through it, or just ask for comments?

DR. LUMPKIN: There is one other comment, and it came up earlier in this discussion that we had on preparedness.

We are now changing the paradigm from -- or recommending that the paradigm change from mandated standards to essentially the term that we use, recognized standards. I think it is important for the committee to note that for all the reasons that are listed in the letter, we think the NPRM process lags behind where the industry is going, that there needs to be clear leadership on behalf of the Department, and this is a mechanism that the Department can take to issue leadership and move the standard development process.

Is that a fair summary of where we are in going to this letter?

MR. BLAIR: It is. Jim Scanlon, are you here?


MR. BLAIR: Jim has also done a little bit of research within HHS to make sure that the pathway appears to be clear from HHS and from a legal standpoint, that the way we have crafted the wording in this letter, when we have indicated HHS guidance to industry and the government, that that would be acceptable.

Jim, do you have any other comments?

DR. SCANLON: Just so the committee understands, guidance means voluntary. The Secretary won't direct anyone to follow his guidance. You can issue guidance to do it if you want, you don't do it if you want. If you really want to mandate somebody to do something, then you can call it guidance, but it is basically going to require some sort of a formal rulemaking process.

So you are basically talking here, guidance means voluntary throughout. That is basically the approach.

MR. BLAIR: I think when you go down this path, then you really need to have some degree of consensus in the industry that the guidance that we are giving is reasonably in line with the direction that the health care industry is taking anyway. So what we are trying to do is be a catalyst and to accelerate and converge what already appears to be a growing consensus in the industry.


DR. MC DONALD: There was interest in the subcommittee though to avoid required actions by the private industry, but to stimulate government actions which would facilitate the use of these standards. So we hope something happens, and I am assuming that is still okay, and that doesn't require an NPRM.

DR. SCANLON: Again, if you recommend that Medicare require something, then that is a mandate, pretty much.

DR. MC DONALD: No, I know, but let me ask, and this is not a case in point, but the VA used something as a government agency.

DR. SCANLON: You can always recommend that in its own federal programs, a federal agency adopt this sort of an approach. You can also recommend that the federal government use its market position and other levers to promote and encourage. But when you actually want the federal government to tell someone else to do something, you are getting close to a mandate.

DR. LUMPKIN: Right, it is the federal government using its market position, which does require rules, but it is a different kind of rulemaking process than mandating other business partners using the transaction. Simon?

DR. COHN: I was going to comment also, the other piece of that is the issue of incentives, and trying to provide clear incentives to the country to move forward, which I think is the other differentiation here. Rather than mandating X, we are going to provide guidance, but we are also going to try to encourage HHS to provide incentives to help everyone move forward.

That is how this perhaps differs from some of the other final rules and proposals we have made. I hope everybody is okay with that. If there are big issues with the approach, we obviously need to hear about it both today and tomorrow before we start voting on it.


DR. MC DONALD: One more comment. I think we all felt that you can actually do more good maybe than with a carrot and a stick, with this kind of an approach than saying, thou must. We will see.

DR. LUMPKIN: Not that there isn't a stick somewhere, potentially.

MR. BLAIR: I think we always shave the opportunity a year and a half from now, if we feel as if this hasn't been enough encouragement to the industry to move forward, and the incentives are not strong enough, a year and a half from now we can visit this and see if we need to make a recommendation for something stronger.

DR. LUMPKIN: Right. So we are all -- looking around the room, I don't see any naysayers as of this point. So let's walk through the document.

DR. COHN: I apologize. This is a four-page document. Shall I speak real fast?

DR. LUMPKIN: Maybe we can go in chunks.

DR. COHN: That sounds good.

DR. LUMPKIN: The first chunk is the two introductory paragraphs.

DR. COHN: Okay. Dear Secretary Thompson. As part of its responsibilities under HIPAA, the NCVHS was called upon to study the issues related tot he adoption of uniform data standards for patient medical record information --

DR. LUMPKIN: I'm just wondering, since everybody has a copy, I don't know if we need to read through the whole document.

DR. COHN: That would certainly save my voice for our meetings later on today.

DR. LUMPKIN: Jeff, are you comfortable enough with the document? I thought so.

MR. BLAIR: So you just want to have people consider it paragraph by paragraph and ask questions?

DR. LUMPKIN: Questions or comments. If we can just walk through it that way, maybe it will be a little bit quicker. First paragraph.

MS. COLTIN: This report, where you hadn't before described a report, you said you were called upon to study this. I am wondering if it might say something like, presented the results of this study in a report to the HHS.


MS. COLTIN: It sounds like you are referencing a report that you didn't describe.

DR. LUMPKIN: Right. Anything else on paragraph one? Michael, you are tracking changes?


DR. LUMPKIN: Thank you.

DR. FITZMAURICE: The question is, somebody is going to want to know at some point, can I see a copy of that study.

DR. LUMPKIN: We can put a footnote. That is the report of the committee on the patient medical record information.

MS. COLTIN: It says attached here.

DR. LUMPKIN: Right, but it never names the report. I think that is the point. It is really an editorial comment.

DR. FITZMAURICE: We might change it to, NCVHS presented the results of studying these issues. We studied these issues, but I am not aware that we wrote a report.

DR. LUMPKIN: I'm not sure. I don't think this is a content issue or a positional issue. It is a style issue. I think if we just take that as a comment and then somehow in the final one we can fix it, and we can move on.

MR. BLAIR: May I make a suggestion? I'm not sure this is exactly the right point. Where we reference the fact that we did present the report on PMRI standards to the Secretary in August of 2000, I think we should consider whether, when this letter is sent, that there is an attachment to it that has a copy of the report.

The reason that I am thinking maybe that would be helpful is that one of the last three comments that we had from responses from the AHIMA, it was the only comments that expressed confusion as to the premises for what is in the letter.

But there might be other people that will be reading this for the first time, and I think it will be helpful for them to see the document upon which this is based. So could you add that, Michael? I heard, John, you saying you think that is a good idea. If the rest of the committee does too, then --

DR. LUMPKIN: August 9 of 2000, didn't we have a different Secretary?


DR. FITZMAURICE: So, Jeff, you want another statement?

MR. BLAIR: Not another statement, I think maybe a footnote or something.

DR. FITZMAURICE: It is really all tied with Kathy's comment.

MR. BLAIR: Yes, and when the letter is presented, attached to the back of the letter is the report to the Secretary from August of 2000.


DR. LUMPKIN: Any other comments on paragraph one? Paragraph two. Paragraph three, which is the process to select PMRI message format standards.

The next section, on guiding principles used as criteria for selection. Any comments on that? The next section, recognition of current standards and incentives for emerging standards. The next section, recommendations to encourage HHS guidance and incentives, rather than mandates.

DR. SCANLON: The only thing here is, do you want to include also market position and other influence.

MR. BLAIR: Jim, I couldn't hear you.

DR. SCANLON: You may want to include some language here that says that HHS set forth guidance for the industry, as well as use its market position, something like that, to promote and encourage, rather than just issue guidance. We can work with Mike on some language.

DR. LUMPKIN: Is that agreeable, to work that language in?

DR. COHN: Are you referring to the last sentence in the recommendations encouraging HHS guidance? Where were you planning on putting that?

DR. FITZMAURICE: I think it talks about incentive to industry, and it talks about them adopting it as an example. But that could be using the regular business processes, as opposed to their incentives as part of being part of the marketplace. So I think it is somewhat of an enhancement of that incentive statement.

MR. BLAIR: Is it useful to think of it as three separate things? One is guidance to the industry, two is HHS incentives for acceleration of emerging standards, and the third is HHS early adoption?

DR. FITZMAURICE: I think that does it.

DR. SCANLON: I think the guidance is the what, and the incentives and the leadership are the how.

DR. LUMPKIN: That's it, leadership and incentives. Anything else under that paragraph?

The next one, recommendations for specific PMRI message format standards? Next section, retired standards?

DR. COHN: That section was core PMRI message standards.

DR. LUMPKIN: I wish we had a word we could pronounce. PMRI message format standards under that retired standards. Current standards, next section. The next section, entitled emerging standards.

The next section, market segment PMRI message format standards. Under that, current standards.

DR. COHN: The only comment I was going to make there is that this section where we talk about the NCPPD scrip standard fits very closely in with our previous conversation about PKI. So speaking of killer aps.

DR. LUMPKIN: Okay, good. Emerging standards. The next section then on harmonizing amongst PMRI message format standards. Then the final section, PMRI standards for future consideration.

DR. COHN: Those on the Internet should be aware that this letter specifically focuses on message format standards. In the last paragraph, we are identifying that issues around code sets and medical terminologies are going to be further investigated, with future letters related to those topics.

DR. LUMPKIN: I think that what I have heard are two editorial changes. My guess would be that this committee is ready to vote on this document, unless the committee feels they need to work on it any more.

So it has been moved by Jeff and seconded by Simon. Is there further discussion? With the two editorial changes discussed, the motion is to adopt this letter and to send it forth. All those in favor, signify by saying aye.

(Chorus of ayes.)

DR. LUMPKIN: Those opposed, say nay. Any abstentions? Okay, thank you. I know from the multiple versions I saw before this meeting, it was a lot of hard work, and we appreciate that. Thank you.


DR. ZUBELDIA: I am going to have to leave.

DR. LUMPKIN: Thank you, Kepa, and we hope things go well with you.

DR. ZUBELDIA: Thanks. Goodbye.

DR. HARDING: I am Richard Harding. I am one of the members of the privacy subcommittee. Mark Rothstein is not here today. He will be here tonight and will be here tomorrow morning for our subcommittee meeting. At that time, we will be going over a proposed letter to Secretary Thompson.

You all should have in your possession a draft letter that was on your desk and on the table, as well as marketing and fundraising recommendations. They aren't marked draft, but they should be marked draft, because they are the first cut, so to speak, of that letter and other recommendations.

For those of you who are new on the committee or new here with us today, we are talking about privacy and confidentiality, because the NCVHS is required to monitor the implementation of the final rule. The final rule came out about in December of 2000, a year ago, with a deadline of about 14 months from now. So we have been coming out with a series of letters to the Secretary on issues such as consent, minimum necessary, research and how those areas apply to privacy.

We are grateful for having a good staff. We have had good staff in the past, we continue to have that fortunate experience. Stephanie Kaminsky is our current lead staff. There she is over in the corner. You came right at the end of the last committee. We are delighted that you are here.

Privacy, as Steve Bruck said earlier, he said something about, don't think it is difficult, it is just complicated. Well, privacy is complicated and difficult. It has got it all. We are going to be talking about it in about 15 minutes. I appreciate having the time.

We are not going to ask the committee to do any voting today. All you are going to get is a brief summary of the process that we have gone through, some of the preliminary determinations that we have made, but tomorrow morning from eight to ten, we are going to have another subcommittee meeting, and at that time come up with final recommendations for the committee, and bring those forward tomorrow at 1 o'clock, or sometime in the afternoon. Mark will be here to bring those things forward.

Again, in just a moment of reviewing, the NCVHS monitors implementation of the final rule. We have done. That at the present time, the final rule has gone from the NPRM or the notice of proposed rulemaking, to the final rule at the present time. There were changes made during that process of going from the proposed rule to the final rule. I am going back over things for those of you who are veterans on the committee, but I think it is important to just review for a second.

There were some changes made, and there were some basic issues that I think you have to keep in mind as we begin talking about some of the recommendations that we are proposing at this time and will come back tomorrow with in more final form.

One is that consent has a special meaning. That is, an individual gives consent in the final rule to TPO, three things, treatment, payment and health care operations. We refer to it as TPO, treatment, payment and operations.

Beyond that, a person must authorize release of information, but to give consent gives the right for that information to be used for the health care operations and so forth.

A basic issue is what is health care operations, and how much is brought into that term, health care operations. The two issues that we are addressing is marketing and fundraising. One of the key issues is, is marketing a part of health care operation, and is fundraising a part of health care operation.

In hearings for privacy and confidentiality, we had justifiably a difference of opinion among many of the people who were coming before us, just as we always do in this case, with some feeling that the final rule was just right, some feeling that it went too far, and some feeling that it didn't go far enough. As you can imagine -- and I think the staff was very wise to present it in that way, and bring people to give us the spectrum of ideas.

But when you get to marketing, and we'll take that first, at the present time in the final rule, that is under health care operations, with a couple of exceptions. That is, if you have face to face marketing, if there are some things of nominal value and so forth. There are exceptions, but basically marketing is in the TPO.

The committee tried to break it down into how to make a recommendation to the Secretary. Those of you who are on the committee, correct me or help me out with this, because Mark will be here tomorrow to explain things more clearly. But one of the scenarios was that the committee recommend to the full committee that we return to the stance of marketing that was in the proposed rule. That is, it is not a part of health care operations, and to do any marketing of somebody's personal health information, the individual must give authorization. That goes beyond consent into authorization for anything else to be done. That always would have to have some exceptions. We are proposing that there are some exceptions to be made.

The other side of it is to say that the final rule should include marketing and then you can make some variations on that, but the basic decision to be made is, do you start with marketing in the health care operation or outside of it, and then you build from there and you make modifications from there. I hope I am being clear.

So with that, we had a number of ideas or propositions that were very controversial but very difficult to get your arms around. I would like to have you remember, we are talking about either having marketing be in the health care operations or outside. If it is outside, one of the difficulties you get into is defining what is marketing, as opposed to treatment.

That gets us into issues such as disease management. Disease management, is that something that is a commercial product and therefore is sold or pushed by someone for monetary gains? Or is it a wonderful treatment option for people to use that will help outcomes in the long run? That is the borderline kind of decision that is very difficult and that we will be trying to make some decisions on.

Another one is the proverbial opt in and opt out. It keeps coming up. It has been going on in this committee for four years or five years, and it is always talked about with a great deal of passion. The committee will come back with some ideas. Many people feel that to ask people to opt in will cut down significantly on participation; others feel that it is critical for their privacy to be able to opt in, and we can talk about opting out at another time.

There was the issue that many of the pharmacists brought up. We had people from various groups, trade associations, medical associations and so forth, where they felt that marketing should not be included in things like asking people about refills on their prescriptions. That is not marketing, that is treatment. That should be included in the treatment and not marketing. Others felt that any kind of contact like that without the patient's permission would be considered marketing.

There was the issue of consumer and patient control, who should have the burden of making sure that their health information is protected. There was the issue of special case marketing, should minors be marketed, should those with especially sensitive health issues such as infectious disease, psychiatry, substance abuse, genetics and so forth, should they be marketed the same as everyone else, or should there be special precautions or something for those types of individuals.

The committee did not at any time have all of the members present, so we have not made a firm recommendation. We are going to wait until tomorrow when we have a quorum to bring some of those recommendations back. But tentatively, the committee was in favor of actually going back to the proposed rule in the area of marketing, but in fundraising, staying with the final rule. That is, that is the way that we came out, but that was not the full committee, and we may have a different proposal tomorrow.

With that, I would like to ask if anyone else has any thoughts who was on the committee, Stephanie or Simon, who were present, and maybe John, if he is on the line still.

Stephanie or Simon? I'm sorry that I rambled, but I am just trying to get everybody on the same page. Please look at the draft letter, and then look at the marketing recommendations, if what we recommend, that is, that the marketing go back to the proposed rule and then if the fundraising recommendations stay within the final rule, then we would want to have exceptions and clarify certain issues. These are the issues that we feel would need to be clarified in a final rule.

DR. LUMPKIN: To structure the discussion, if you are on the privacy and confidentiality committee, you will have plenty of opportunity to comment tomorrow morning. So what we would like to do is get out comments or concerns from the members of the full committee who are not on the subcommittee at this particular time.

DR. HARDING: That would be great.

DR. STARFIELD: I have a question of Richard. You said the marketing and fundraisng recommendations are to be considered? They are not your recommendations, they are --

DR. HARDING: They are not the recommendations yet, because we didn't have what we felt was a good enough number to have a clear idea of the committee's recommendations. We had three and four people present, and it was a split vote. So we wanted to be sure that we had the full group tomorrow from eight to ten before we did that.

DR. LUMPKIN: But now would be the time to register any reservations about the overall conceptual model, which is that we are not comfortable with the final rule, which goes to the model that marketing is okay with the following restrictions, that we want to separate marketing from fundraising and treat them differently, and that we want to go back to saying that marketing should not be allowed except for the following exceptions. That is the rough framework for which the subcommittee will be coming back with its recommendations tomorrow.

DR. HARDING: Probably.

DR. LUMPKIN: Maybe. Clem?

DR. MC DONALD: I think you summarized it well, but these are very, very complicated things.

DR. HARDING: And difficult.

DR. MC DONALD: Yes, and difficult. One of the challenges I had in reading it is that it was difficult to be clear about what qualified what. There is like seven or eight different funnels. So given that context, I think this is very ambitious, to know what this really means, this many different things that you are talking about.

The research side in the current proposal has some really deep tangles. Some people in our place can't figure out what to do anymore to take care of patients in research organizations, and especially the problem of contacting patients to invite them into studies would touch on this very tightly.

But I wonder if anyone talked about making the division -- if the care system was responsible for the provider, if you discriminated between them, and maybe you can't, if the care system felt it was useful under some kind of executive committee or some high standards to contact a patient, that will be okay, but if an outside company did it, it wouldn't. Those borders get a little fuzzy.

But part of what people feel bad about is having Joe Blow be calling at night asking you anything, versus all those things that range across disease management to, have you checked your refills or how do you feel today, or we saw you in the hospital yesterday and wanted to know how you liked it, all those kind of things. We are going to really have trouble if we make these hard lines where human judgment can't be made to decide what is part of the care process.

So I think you have bitten off a lot.

DR. HARDING: You are raising the exact questions that we were discussing, that difference between treatment, which is covered -- you can call a patient and ask them all kinds of things in the treatment process, but then what is focused marketing also. That is where it gets very difficult.

DR. STARFIELD: I have a quick question and then a comment on item two. The quick question is, does this have a relationship to the letter we got from the Association of Health Care Philanthropy? That is related to what you are talking about, isn't it? Did you see that letter? It came yesterday. Okay, if you haven't seen it.

The other thing that I wanted to comment about was number two on the marketing recommendations, which says, the definition of marketing should be clarified, such as disease management activities, a primary purpose. Those are three separate words. It doesn't say the primary purpose, it doesn't say a purpose, or it doesn't say the purpose. They all have different meanings. It depends in whose eyes. So I think that is a confusing set of three words that you might want to take a look at.

DR. HARDING: We will.


MR. BLAIR: Richard, actually Barbara began to touch on the question I was about to ask. I thought we had one of the individuals testify to us when we were having the hearings on marketing with respect to disease management, and they were going to provide a definition of specific functions that were included in disease management. Did that not happen?

DR. HARDING: Jeff, I think you are referring to last summer's hearings?


DR. HARDING: We did ask an individual who was the head of the National Organization of Disease Management to come back with some information, and I don't know where that went. They didn't -- this time we didn't have those same people testify, so that isn't fresh in my mind, and I apologize.

MR. BLAIR: The reason I come back to that is because I really like the balance that you struck, which is that marketing is not considered part of treatment, diagnosis, treatment and operations.


MR. BLAIR: TPO. I like that, with the idea that we wind up saying, okay, disease management is included as treatment, but then the way we refine that to make it specific is with that definition that we seem to be lacking, of what disease management includes, so that we can bound inappropriate marketing from within the definition of disease management.

DR. HARDING: That is following up on Barbara's comment, where we need to parse those phrases and definitions.


MS. COLTIN: I am following up on that comment as well. I too like the balance that you struck. I agree that items one and two, refills and disease management, should be considered treatment.

What bothers me a little bit is, who has the patient's consent to render treatment, given that they have given consent under that TPO. So I think it would bother me a bit if an independent disease management company contacted me, either without my doctor or my health plan knowing about it.

So if they are doing it under contract or in partnership with a covered entity, or an entity that has consent, that is one thing, and if they are not, that seems to be something else.

MR. AUGUSTINE: There are a lot of really hardworking disease management companies out there, but there are some out there that don't do that good of a job, either, that don't measure, don't do followup. It is hard to stay on top of these, to make sure that they are doing their job correctly.

There are some accreditation agencies. NCQA, JCHO and URACT all started accreditation programs for disease management programs. We made sure that they fulfill the requirements of patient confidentiality and privacy.

DR. LUMPKIN: It is generally not our practice to have high-paid consultants comment at this point.

DR. BRAITHEWAITE: I just wanted to make sure that the subcommittee considers a piece of testimony we heard a long time ago, which was that some insurance companies do carry out disease management programs on behalf of their beneficiaries, but there are some states that insist that health plans cannot carry out treatment. Therefore, if you decide that disease management is treatment, they will no longer be able to do it.

DR. COHN: I was just going to observe myself, marketing is a very tough area. I just want to re-emphasize that; I think we have all observed that. Richard certainly commented, tough and complex.

However, I do want to reinforce that tomorrow there will be a letter that will come forward now. It may only be on fundraising, and we may have to defer the marketing to a later time if we can't reach consensus in the two hours. But I do think that the marketing issues are important enough that they do need to be represented, and are far less controversial.


DR. MC DONALD: A whole lot of these specific points, I find it hard to figure out how you are going to do these things, or the effect it is going to have. All marketing rights must include a notice of the right to opt out; that seems reasonable.

DR. LUMPKIN: Number seven.

DR. MC DONALD: Yes. After consumers have received this notice, the marketer must notify the consumer how they request -- you are getting down to really detailed things.

You are saying that covered entities should not be allowed to solicit authorizations from unrelated third parties. I don't know what that may break, if you already have these other constraints. You are saying they can only be limited -- which is redundant, a little bit -- to activities engaged in by the covered entity or business association to matters that directly relate to the health of the patient.

First of all, someone can always write a small contract to make the relationship. I just think this is way too detailed for before we have even tried out the big standards. There will be a lot of things that will break.

So I guess I really wonder what Bill would think about this much changing around. There are so many connections in the proposal. I can see saying generic big things, like the committee was asking about. But we are really getting down to great detail. We are saying that the users can authorize specific categories of data that should be released. How do we define that? What happens if they screw up on that? What happens when they zip charts? Does that mean you have to black out the parts? Who has to read that to justify that they really are not excluding OB findings. Some findings are done for OB reasons and other reasons. If someone is doing a hormone test for cancer -- I just think you are making a very hard set of things to implement.

DR. LUMPKIN: But I think we have to be careful by saying what we are recommending in the first part, which is that marketing should not be allowed except in certain restrictions. Then I think it is allowable to say that there are certain hopes that you would go through.

I would assume that our recommendations saying that marketing is not something that we think is part of the business of health care or the operations, the TPO, then unusual restrictions or more than normal restrictions would be appropriate.

There is some assessment that people would consider marketing and do consider marketing to be intrusive into their personal lives, and that is something that should be controlled.

So I am not quite as uncomfortable. I think that perhaps we should suggest to the committee that they look at this and consider the level of detail that we want to get into our recommendations, but I think that there is a higher test when we consider that we do consider it to be intrusive.

The other piece -- and Bill raised the issue about what various states consider treatment. I think we have to be careful about that, because state law defines what treatment is in those particular states, not federal regulations or laws.

In the state of Illinois, we license a whole host of facilities. To be certified under CMS rules, they just have to be licensed. They may be certified as one type of facility and licensed as a totally different kind of facility, and it meets the federal guidelines.

So there may be those who may raise that as an argument. I'm not sure that that is necessarily as significant a roadblock. If states want to prevent them from doing it, they will find any reason to define that as treatment, including federal regulations.

DR. HARDING: One interesting part was the issue of opting out. In the current rule, you can make contact with the person, and then they have the right to opt out after that initial contact.

The difficulty often arises though, if there are multiple programs in a multiple family, and does a family have to opt out of 20 things, or can they have one opt-out stop all marketing, or is it an individual marketing initiative, that that is the only thing they cancel when they make contact and say don't market me anymore, or is it a blanket. That is not clear in the regulation.


DR. MC DONALD: One other clarification. I don't recall all what is in the current one, but basically the first thrust of this is, we are going to reverse it and require authorization for marketing.

DR. HARDING: That is the major thrust of this, for marketing.

DR. MC DONALD: But then it goes on to say much more. You can't even do marketing for some things. You can't do it with authorization for some things. So the way I read this says, reversing it and adding a whole bunch of additional constraints.

DR. HARDING: With authorization you can do anything you want.

DR. MC DONALD: Didn't the previous one say you had to have authorization?

DR. HARDING: The final rule that we are operating under right now says that in effect, marketing is under TPO, with three exceptions: face to face -- pardon me.

DR. GREENBERG: I think those are the exceptions that might get under TPO. It is under TPO if it is face to face, of nominal value and what was the third one? And complies with rules for health care marketing, including disclosures and opt-out. So if it meets those criteria, as far as I understand it, then it can be covered under that general consent for TPO.

MR. BLAIR: I thought that one of our recommendations that we are considering right now --

DR. GREENBERG: Is to change that.

MR. BLAIR: -- is to say that marketing is not under treatment for TPO, and instead will wind up being explicit about those functions that might be considered marketing, such as disease management, and then put disease management back in, and then craft explicitly what functions within each of those areas may or may not be included.

DR. GREENBERG: Can I just raise one question?


DR. GREENBERG: I agree, the hearings were really excellent. I thank those who put them together. One thing I didn't really understand then and I don't now, either, is, if in fact one were to make this change and so authorization was required, then to go the next step and to say under five that covered entities should not be able to solicit authorizations for unrelated third parties, it is not clear to me how anyone would be able to get an authorization.

To say that you would require now authorization -- I can understand saying that a covered entity should not make its treatment -- and I think there is something about that with research, should not make it contingent upon your signing the authorization, yes. But to not even allow them to solicit the authorization, how is an organization supposed to seek this authorization from appropriate people, other than just everybody in the citizenry? But if you want to seek it from people who might have some health condition that would make it relevant, to me that is kind of a Catch-22. I felt that way at the time, and I still do, but maybe I am missing something.

DR. HARDING: It is kind of like you go through the metal detectors at the airport randomly and you pick up a few. That is confusing. We will look at that.

DR. LUMPKIN: One more comment, and then maybe we should toss this back to the subcommittee.

MS. KAMINKSY: I just wanted to respond to Clement's comment from before, that it seems as though the subcommittee is proposing a narrowing or stricter kind of interpretation of the way marketing should be done, and then all of these proposals push that even further.

I think that is a little bit of a reflection of some of the process issues that Richard mentioned to begin with. This really is a draft, and it was developed as a -- it could be recommendations one, seven and ten, or two, four and six.

It is stated in affirmative terms, but they really still are questions; should we do this, should we do this, should we do this. So I think it might just be a little bit the way it was presented, that it seems that the subcommittee is recommending, which it is not quite yet, one particular stance, and then pushing that stance in a particular direction, for whatever that is worth.

DR. MC DONALD: But for the record though, this is not simply returning to the status of the previous. This is going a lot further. There are five or six things that will be difficult to implement and prohibit marketing of any kind. I'm not an academic, and I don't want to be called at night.

So I am interested in protection on both sides, but we are piling on on this. I think without knowing all the implications -- I am particularly worried about, we will never be able to call for bona fide research and ask a patient, would you like to participate in something and I'll help you, because that can be construed as marketing.

DR. LUMPKIN: I think first of all, we need to be very clear that we need to look at research differently than we look at marketing. That may need to have some revisitation, but I think it is very important to totally separate those two out. But I think that the issue of piling on is legitimate, and there are certain things that have been raised, and we will ask the subcommittee to look at. Again, depending upon the time line, we will either revisit this tomorrow, or when the committee is ready to move forward with the letter.

DR. HARDING: Mark will be here.

DR. LUMPKIN: Okay. So at this point, procedural.

DR. GREENBERG: I know we are about to break into our working sessions. I just wanted to remind you that we have organized a group -- no host -- dinner tonight at Beefsmith's, which is at Union Station.

(Remarks off the record.)

DR. LUMPKIN: We are done.

(Whereupon, the meeting was adjourned at 3:27 p.m.)