[This Transcript is Unedited]



September 8, 2005

National Center for Health Statistics
3311 Toledo Road
Hyattsville, Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030

List of Participants:


P R O C E E D I N G S (9:20 a.m.)

Agenda Item: Welcome and Introductions

DR. COHN: Good morning, everyone. Would everyone please be seated, we are going to get started here momentarily.

I want to call this meeting to order. This is the first of two days of meetings of the National Committee on Vital and Health Statistics. The National Committee is the main public advisory committee to the U.S. Department of Health and Human Services on national health information policy.

I am Simon Cohn. I am the Associate Executive Director for Health Information Policy for Kaiser Permanente, and Chair of the committee. I want to welcome committee members, HHS staff and others here in person. I also want to thank Marjorie for taking us in at the last minute.

DR. GREENBERG: And my wonderful staff.

DR. COHN: And your wonderful staff. I want to welcome those listening in on the Internet.

I want to remind everyone to speak clearly and into the microphone, since we are being broadcast.

Before we do introductions, I want to take a moment to reflect on those affected by Hurricane Katrina, as well as the heroic actions of those called in to restore order and care for those that were in harm's way. The reason that we are not at the Hubert Humphrey Building today is that those meeting rooms are now being used as command centers for the Hurricane Katrina efforts. So I do want to apologize to committee members and others that had to come out here on short notice, but there is a good reason for our relocation for this meeting. Clearly, our thoughts are with those affected by this major disaster, both those personally affected as a result of the disaster, and those delivering care. I would just take a moment of silence to recognize those people.

With that, let's have introductions around the table, and then around the room. For those on the National Committee, I would ask if you have any conflicts of interest related to any of the issues coming before us today, would you please so publicly state during your introduction. I want to begin by observing that I have no conflicts of interest on any of the issues today.


DR. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC, and Executive Secretary to the committee. I do welcome you all here to NCHS.

DR. ROTHSTEIN: I am Mark Rothstein from the University of Louisville School of Medicine, member of the committee. I have no conflicts.

DR. HOUSTON: I am John Houston with the University of Pittsburgh Medical Center. I am a member of the committee and I do not have any conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina. I am a member of the committee and no conflicts.

DR. WARREN: Judy Warren, University of Kansas School of Nursing. I am a member of the committee and no conflicts.

MR. LOCALIO: Russell Localio, University of Pennsylvania School of Medicine. I am a member of the committee and I have n conflicts.

DR. STEINWACHS: Don Steinwachs, Bloomberg School of Public Health, Johns Hopkins University, member of the committee. I don't have any conflicts that I am aware of.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee, no conflicts.

DR. CAIN: Virginia Cain, NIH, liaison to the committee.

DR. LANSKY: I'm David Lansky from the Markle Foundation. I am a visitor.

MS. MC CALL: Carol McCall, Humana, member of the committee, no conflicts.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee and no conflicts.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member of the committee and no conflicts.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and Quality, liaison to the committee and staff to the Subcommittee on Standards and Security.

DR. HUFF: Stan Huff with Intermountain Health Care and University of Utah in Salt Lake City, member of the committee and no conflicts for issues that are coming before the committee today.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the full committee.

MR. BLAIR: Jeff Blair, Medical Records Institute, member of the committee, no conflicts I am aware of.

MR. HITCHCOCK: Dale Hitchcock, Office of Planning and Evaluation at HHS. I am here substituting for Jim Scanlon, who is tied up with the efforts the Department has ongoing on the hurricane relief plans.

MS. SQUIRE: Marietta Square, CDC, NCHS and staff to the committee.

DR. KYLE: Frank Kyle, American Dental Association.

MS. PICKETT: Donna Pickett, National Center for Health Statistics, CDC, and staff to the Subcommittee on Standards and Security.

MS. GOVAN-JENKINS: Wanda Govan-Jenkins, NCHS, CDC and staff to Standards and Security Committee.

MR. ALFANO: Bill Alfano, Blue Cross Blue Shield Association.

MS. LUKE: Marilyn Sigmund Luke, America's Health Insurance Plans.

DR. DEERING: Mary Jo Deering, National Cancer Institute, lead staff to the committee's Work Group on the National Health Information Infrastructure.

MR. RODE: Dan Rode, American Health Information Management Association.

MR. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, committee staff.

MR. FERGUSON: Jamie Ferguson, Kaiser Permanente.

MS. BERNSTEIN: Maya Bernstein, Office of the Assistant Secretary for Planning and Evaluation. I am lead staff to the Subcommittee on Privacy and Confidentiality.

MS. SANCHEZ: Linda Sanchez, Office for Civil Rights.

MS. KANAAN: Susan Kanaan, writer for the committee.

MR. KING: Eric King, MEDTECH Systems.

DR. COHN: I want to welcome everyone. Before we do agenda review, I would like to start with a couple of comments.

As I am sure you are all aware, this continues to be an interesting and exciting time for the committee. Many of our recommendations, including the need for increased HHS leadership in health information technology and the NHII are clearly coming to pass. Since our last meeting, Secretary Levitz' 500-day plan, which incudes as a centerpiece the next phase of the HHS health IT strategy, is unfolding.

What we are talking about is an acceleration of the activities and efforts to move health care into the information age, to transform the health care system and improve the health of all Americans. This is the vision that we foresaw when we published our document, Information for Health in 2001, which laid out a strategic vision and framework for developing the NHII.

The Executive Subcommittee, Jim and Marjorie, have been working with me this summer on how we can best support and assist the Secretary and Department going forward in this accelerated environment. Indeed, because of our content, expertise and experience, we do have a lot to contribute here. In addition, we have a reputation for strategic focus and for an open collaborative process and the ability to deliver timely, thoughtful, practical recommendations that are supported by both the public and private sector.

We have had discussions over the summer with HHS leadership on how we can best make a contribution. This has included ongoing conversations with David Brailer, and I have also had a second conversation with the Secretary since we all last talked. While the new initiatives are of course unfolding, I believe it is safe to say that we will play an important role in helping to assure the success of the Secretary's health IT strategy and the new initiatives.

As I have commented, this is an exciting time. I want to acknowledge all of you for your continued hard work and support of the committee's mission, and also for your commitment to the betterment of the health of Americans in our population.

Since our last meeting, we have also had an executive subcommittee retreat. I want to thank the members of the executive subcommittee for their help and flexibility as we develop plans and priorities for this next fiscal year. I am anticipating tomorrow's subcommittee and work group chairs will share thoughts on work plans and priorities for this coming year.

Let me now shift gears. I want to take a moment and congratulate Jim Scanlon, our Director, on a well-deserved promotion at HHS. In fact, he has been promoted so far that we can't even attend the meetings anymore. Hopefully that is not the case.

He was previously acting Deputy Assistant Secretary for Science and Data Policy in the Office of the Assistant Secretary for Planning and Evaluation. He is now no longer acting; he has been promoted to full Deputy Assistant Secretary. We want to congratulate him, and I am sorry he isn't here.

DR. GREENBERG: In his absence.

DR. COHN: I have also on the advice of Bob Hungate appointed Justine Carr to be our liaison representative to the national advisory committee of AHRQ. Justice, congratulations, and thank you for being willing to take on this added responsibility.

DR. CARR: Thank you. I look forward to it.

DR. COHN: Now finally in terms of this, I do want to congratulation Carol McCall for being willing to take on the responsibilities of vice chair of the Quality Work Group. So Carol, thank you very much.

MS. MC CALL: Looking forward to it.

Agenda Item: Review of Agenda

DR. COHN: Let's now move into the agenda review. We are moving the agenda around a bit, as you all probably noticed. This morning, we begin with a presentation by David Lansky of the Markle Foundation on personal health record systems. This is an area that has had increased attention recently, because of the CMS RFI on this topic.

I should also comment that David participated -- we were together at this open forum recently. CMS for the RFI had an open forum, discussing the RFI on personal health records, and the NCVHS was a presenter at that forum. David's presentation is intended to be an overview of the topic, and I understand he is also going to be critiquing our letter prior to our consideration of this action item for later today.

After an early break, we will move to an update from the Department. Dale Hitchcock is representing Jim Scanlon from ASPE. I understand the CMS is unable to participate today in our meeting. I think we have Linda Sanchez, as I understand, presenting from the Office of Civil Rights. Linda, thank you for joining us. This will be after our first break.

This will be followed late this morning and potentially continuing after lunch -- we will discuss the letter on personal health record systems which comes to us for action at this meeting. This will be followed this afternoon by a discussion of the NCVHS 2003-2004 report which most of you reviewed at our last meeting. This has been further revised and we are bringing it forward for hopefully your approval today and tomorrow.

Finally, there is also the HIPAA report to Congress, our seventh annual. This is again an action item for this meeting.

DR. GREENBERG: We will not have the updates from ONCHIT.

DR. COHN: As you can tell, we are still working on the agenda as we are giving the agenda update here.

My understanding also is that even though ONCHIT. My understanding is that even though ONCHIT is on the agenda for an update, they are not going to be presenting an update today.

DR. GREENBERG: They are also totally occupied by the disaster efforts.

DR. COHN: I think we will have them on our November agenda, but we will confer with them for this meeting.

DR. GREENBERG: Also, I prepared a little sheet here for you, and I don't have it so I'll go up and get it, regarding some of the logistics on lunch. Do you mind if I just mention that, because we have to get closure on that?

DR. COHN: Sure.

(Remarks off the record regarding luncheon arrangements.)

DR. COHN: We will continue to be flexible with the agenda and timing of our sessions, and we will certainly try to accommodate this.

Let me talk a little bit about the end of the day. We will be adjourning mid-afternoon. After our adjournment, all three subcommittees are meeting simultaneously. What they will be doing is meeting about 75 minutes. After that, we will have about an hour to an hour and a half for the meeting of the NHII Work Group. I'm sure the principal discussion will probably be the personal health record letter.

This evening we have dinner in downtown Washington. We will after lunch take a show of hands to find our how many people are coming for that.

Probably most importantly, I just want to take a moment to talk about tomorrow morning a little bit. As you all remember, the timing of the agenda was based on our belief that we were going to be in downtown Washington. That was even a little early for those having to get into downtown Washington.

I looked at the agenda, and I am going to suggest that the full committee meeting start at 10:30 rather than at ten. I think that there are items there, especially the executive subcommittee retreat comments, which are not a discussion for this particular meeting.

I am going to also suggest that the subcommittees and work groups that are scheduled to start that morning begin at 9 o'clock and not at 8 or 8:30. Hopefully everyone is comfortable with that, given the added travel time to get here. I'm not hearing any objection to that idea.

Agenda Item: Personal Health Records Systems

With that, let's begin our first session. I do appreciate the committee's flexibility as we move through this agenda, because it still is likely that there may be some moving around of agenda items as we go through the day.

With that, I want to thank our first presenter, David Lansky. You obviously have other things going on today that interfered with your plans, so thank you for joining us, and we look forward to your presentation.

DR. LANSKY: Thank you, Dr. Cohn. Thank you all, first the Chair and everyone, for accommodating my change of schedule. The hurricane nightmare has gotten everyone involved very constructively in trying to take the lessons we have all learned from the last ten years or so working in this field, and make sure we are better able to respond to this situation in the next one.

I think the work you have been doing this year on personal health records is suddenly finding a forum in this horrible crisis. One of the lessons learned on the margins here is that the lack of infrastructure and capability to move peoples' health records around in a disaster of this magnitude becomes a huge problem for hundreds of thousands of people. So I know that ONCHIT and everyone else is very busy trying to do what they can to provide both a transitional solution to that, but also, sad as it is, to use this opportunity to advance improving the system as a whole.

I do very much applaud what you have done with the PHR letter that is in draft form now. I think your efforts to move this particular agenda forward is absolutely vital, and will now be more visible and recognized for its importance.

I know many of you have been on the subcommittee which has had many hearings on this subject, and are very, very well informed on all the issues. I think the letter reflects that. I prepared a very surface overview of a number of the components of the personal health record field, and I'll just go through it quite quickly, because I know you have all spent a lot of time with this. What I would like to do is fast-track through the first part of this material and go to the policy issues that come toward the end of it. Then if we have a few minutes to talk about that, I would be glad to do that. Again, thank you for accommodating my change of schedule today.

There are hard copies of my slides in the back of the room. Whether we can see them here, I don't know.

I wanted to start just by anchoring this discussion a little bit in the pillars of all of our work in the last five, ten years, the IOM reports. It is worth reminding ourselves as we look at the six aims for health care improvement that the IOM articulated some years ago, and have become ground rules for everybody.

The IOM at that time went further and identified a set of design rules, so-called, which would be implementation mechanisms to achieve these worthy nobel goals of safety and efficiency and so on. The design rules, ones that I italicized on the slide here, six of the ten are very patient centered in their intention. This is probably quite a shift from the classical paradigm of medical delivery, but the IOM in its wisdom saw that the increasing role of patients and consumers and families and caregivers in the delivery of health care services was critical.

As we talk about the personal health record as a technology or as an approach, I hope you will think of it as an instrument which is available increasingly to address these design objectives that the IOM articulated. Continuing healing relationships, using the personal health record as a medium of working more closely with professionals and patients of families, customization based on patient needs, identifying those needs and delivering services to meet those needs. The patient as a source of control is a critical theme, and we are going to come back to that. I know your letter discusses that at some length as well. Shared knowledge between the patient and professional and among professionals. The need for transparency, all that goes on in the health care system the public has a right to know and understand. The ability to anticipate needs, the use of health risk assessments and other tools to capture information from people in advance of and during the course of care.

So this is not an esoteric technology, an interesting thing on the margin. This is at the heart of what the Institute of Medicine and others have said needs to happen in health care.

The potential of a personal health record at this point, by giving people more engagement in their health care, more control over their health information, we all believe and many of us have experienced now seeing that it can improve peoples' ability to manage their health. Improve efficiency in the system, patient satisfaction and quality and safety of care, and communication among the whole health care team.

I didn't bring these as slides, I'll just wave them at you. As you think about this personal health record idea, we aren't coming up with something new. Hundreds of thousands or millions of people over the years have managed their health information themselves.

People send me periodically versions of this. Someone sent me a 50-page diary essentially, a personal narrative of a loved one's last illness, which was done as an e-mail circular to a number of friends and family, but is actually a personal health record in great detail about the patient's experience. Someone else sent me a spreadsheet with cancer patients, seven or eight years' worth of weekly readings on chemotherapy treatment, personal symptoms, blood counts, all kinds of things that this patient managed for himself in the course of his illness, and obviously found it very valuable.

So the application of technology of this is hopefully very helpful, but it is not really about the technology, it is about peoples' ability, as they already do in other media, to manage their own health information.

But of course, we do now have the advantage of new technology. This is actually Dr. Tang's own -- I hope it is familiar, Paul -- this is the portal that Palo Alto Medical Foundation has to permit their patients to access information that is in the medical record, that is maintained by the institution, and then gradually to have more capabilities to communicate with their providers and add their own information.

If we think of this personal spreadsheet that someone maintained as a completely unconnected personal tool and what Palo Alto Medical Foundation offers as a very connected relationship support tool, there are also other gradients in here. This is actually the Web M.D. solution, which is a commercial product, which is primarily managed offline, that is, between the patient directly, unconnected to their providers, but increasingly, these kinds of products have capabilities of connecting the patient to the provider. So this is just to say there is a spectrum of connectedness between the patient being totally on their own and the patient being very much connected to their professional team they may be working with.

So from a diagrammatic point of view, right now, if I am this patient and family, this mother and child sitting in the middle of this picture, I may have to go out and talk to a dozen different information sources. My PBM might have an online portal. My doctor may have an online portal. My insurance company may have an online portal, and so on and so forth. I may have a personal health record at a private company like Web M.D.

Actually, my mother, who is 84 and lives in Boston, has three portals that she manages herself for her PBM and two provider networks at all her consumer portals, which don't talk to each other. So on the one hand, it is wonderful that someone in her situation can have access to these tools. On the other hand, we are proliferating. As you know, CMS is developing a consumer portal. We are going to have a proliferation of these independent, unconnected, not standards based resources for people, and I think we have the opportunity to try to step into this flow and introduce some structure to it. One way to do that would be to create a personal health record hub, which all these portals and other technologies can talk to, and which gives the user one central way of accessing all of her or her family's health information.

Today, as your letter notes, there are a number of services and functions available. It is a plethora. There is not a uniform thing out there called a personal health record. You have got patient information content, we have messaging, scheduling and convenience features like that, preventative service reminders, adherence and disease management tools, patient diaries, symptom logs, health tracking tools, drug management tools, financial tools for consumer defined health plans, HSAs and so on. So it is a plethora of good ideas, but it is hard for people to locate them, hard for them to integrate with each other.

MS. MC CALL: This is first a process question. Will you entertain questions as you go along, or would you prefer that you wait?

DR. LANSKY: I'll leave it to the Chair's judgment on that.

MS. MC CALL: I want to honor the time.

DR. COHN: I think I am going to ask you to go through -- can you hold the question?

MS. MC CALL: Absolutely.

DR. LANSKY: I will go through briefly, and hopefully we will have more time.

So there is a variety of services available. People like these services, when polls have been done and products have been offered. People love e-mailing their doctor, they like looking at things like keeping track of their kids' immunizations. They are aware that there are often mistakes in their medical record and they would like the opportunity to review them and correct them. They like the ability to move information from one provider to another, and a very popular service is looking at my own test results as quickly as possible. So these things are popular, especially with people with chronic illness, especially with caregivers of young children or of spouses or parents. So the public interest in this is quite high when we talk about specific benefits, specific services of value to me in my own life.

When we talk about abstractions like a personal health record or even worse, an online medical record, a lot of concern is expressed. So we have to be thoughtful about understanding public reception of benefits and risks as we go forward.

I think the next slide summarizes the level of public anxiety about the potential risks. With all the privacy spills of this last year, and the publicity around them, there is certainly a heightened sensitivity that putting my personal health record online creates a new potential for exposure. We sometimes like to say, this is the only country in the world, or the only developed country, where the possibility of someone finding out my health status could mean the loss of my job or the loss of my ability to access health care. So that anxiety is very strongly felt by some portions of our population, and could be an impediment to moving this agenda forward.

I think as your letter points out quite articulately, there is no single personal health record today. But it is good to talk about the attributes of the personal health record, both prescriptively, what we think they should be, and descriptively. This is more prescriptive probably than descriptive. Most people in this field talk about the personal health record as something the individual can control. This concept of personal control is a significant one I want to come back to. It is probably one of the things that distinguishes this from other forms of health information management, the idea that the patient is the person who controls the information and who gets to see it. It is a significant attribute. It raises some question even in this Katrina situation, the notion that a person can have access to and control their health information regardless of these external circumstances, is an interesting feature of this concept.

Potentially it could contain information from a lifetime, that is, across all providers and across all episodes of care and time spans. It could be accessible from any place at any time. Again, in this Katrina environment, the notion that people who are now cut off from their medical history, and even the ability to call up a physician who might know their medical history, those people if this structure had been put in place, this idea of a lifelong record accessible at any place any time would have been very valuable to many people.

Private and secure is a vital American value as we think about this, and your letter addresses that well. Transparency; in this case we refer to the idea of an audit trail that anybody who sees information that is my personal health information, I should have the ability to know about that visit. Interactivity, meaning that I can share my information with providers or with other family members across time and space.

We have been using this term ecosystem of late to try to suggest that the personal health record is going to fold into a very complex and rapidly moving environment of information sources and services. I don't think we know what that ecosystem looks like and what the different flows of climate are across that space, what the landscape even looks like. But I think it is worth continuing to monitor what that environment is like as we think about the PHR services and products.

I'll just put out a few assumptions which we could discuss and I am sure you have spent much time discussing. Despite all the good efforts by many people in this room, electronic health record adoption is slow. So for a typical American out there who wants to have a personal health record that connects to their doctor's health record, 17 percent or 20 percent of the people have that capability today, 80 percent of the people don't. So we have to be thoughtful about the ability of the person regardless of how wonderful the PHR technology is, to establish that connectivity.

RIOs and other information exchanges, again despite enormously good effort, are moving slowly. We have no reason to think in three years or five years we will have a massive shift in that environment.

Standards and implementation guides to bring standards together for purposes of uniform adaptation and adoption, we are barely forming the infrastructure to develop those standards and harmonization mechanisms. It is realistic that it will be two years or five years or X years before that is widely in place.

However, it is worth noting in contrast, and you have heard this in your testimony earlier at the subcommittee, there is a high proportion of standardized electronic health data emerging from transactions. Those transactions include encounters, pharmacy dispensing and laboratory orders and tests and test results. So it is worth looking at these islands of highly standardized electronic data as one of the accelerators of personal health records, in conjunction with the other things that are going on in the field that we are aware of.

Finally, and this is a cross-cutting wind across the ecosystem, patients remain very loyal to and dependent upon their individual doctors for direction on how to access and use their health information. So to the extent that a physician environment offers a patient a PHR, there is a lot of likelihood of good success and a good outcome there.

We don't know about the other strategies that are employer based or health plan based or commercially based in terms of achieving that comparable level of success. We do know that physician sponsorship is very influential.

So as we look at this pattern of IT adoption of digital data and availability of culture and relationships, it affects the way we think about the emergence of PHRs as a tool in our society, despite the positives I mentioned earlier.

It is also worth remembering that alas, paper is now floating in New Orleans, but for many people in this country, paper remains the mechanism of storing their health information. In surveys we have done -- I think I have a slide later -- a large percentage of people, especially older Americans, only trust paper as the way of storing their health information. A paper personal health record is certainly a valuable tool that we should be supporting in collaboration with the electronic media that we might use.

I think I mentioned already the spectrum of product approaches. Portals we would call something where the person primarily gets to access online in a relatively passive way a body of their own health information. Large provider organizations are typically offering these today. They are very common now. We see roughly 15 percent of patients when they are offered this kind of a tool take advantage of it. I know Paul's organization has a better success rate, and I think Group Health is now doing better. So we are seeing some organizations with more time and more commitment getting higher numbers of patients using these tools.

It has a limited amount of patient source data. If I want to log my symptoms on a daily basis or upload by glucose meter, that is not very commonly available in these systems. They are primarily provider based system with a portal for the patient.

They are difficult to port. It is difficult to take a system I have maintained at one provider organization, then move across the country and take that data with me. And patients do not have much control over how that information is used and shared. It is typically a provider resource.

There are also independent personal tools. I don't think there are major successes to report there, despite some very fine products. The business model is difficult, the uptake rates are low. They are typically now sponsored by some third party, a drug company or an employer or a health plan, but they are not paid for directly by the users themselves.

They typically are more successful when they address a specialized audience, diabetes parents, you may have heard from Cynthia Solomon, parents with children with hydrencephalus. So highly specialized groups with very specific information needs are very likely to make up an independent approach and work with their providers to get it used.

The third category we haven't talked as much about, I know you had testimony from one source on this, are what are called transaction data driven. As I suggested a minute ago, take advantage of the data that is out there, go where the data is, and then do the best you can with populating a PHR from it. I think the health plans in particular are advancing that as a model, and we will have to see how successful that can be in bringing value to your patients.

In terms of market accelerators, there are a number of them. Of course, the Internet itself and the digital lifestyle many of us have slumped into, is one driver of adoption of PHRs. Demographics and some of the target groups like baby boomers are very high users of PHRs, more so than older populations, and those of us who have both parents and children with health needs are going to be early adopters and users of these tools.

There are some competitive pressures, both in the technology industry and among providers, to take up these tools. If you are in a market with a large provider system which offers a portal or a consumer tool, other providers are likely to take that up as well.

The consumer driven plan designs. Your letter mentions this as a potential driver. I share the uncertainty, whether that will be a factor, but it may be one in increasing patient interest and having health management tools of this kind.

Finally and very importantly now, public policy. The President has been articulate, a number of Senators have spoken on this, Dr. Brailer and Secretary Levitt are passionate about advancing this cause, and certainly CMS, VA and DoD are all moving very rapidly. So having a strong and increasingly coordinated national governmental push could be a big driver of adoption for the public as a whole.

There are some barriers as well. The reality is, consumer demand is modest for this kind of tools when they are offered. People do have privacy concerns. Not all of our fellow Americans have comparable computer skills, health literacy skills, numeracy skills and so on. The presentation of health data is complex, and we have not yet done a great job of making it understandable for people. The information is not usually ported from one provider or system to another. Patients don't have an ability to control their information, and they don't have a sense of transparency about the health information in many of these settings, and of course, there is not a trusted national brand yet that people in the public would say, that is a Nokia or that is a Quicken health record. I know I can trust that company to deliver a reliable product. So until we have comparable success in this field, it may be slow going with the public recognition of these products.

Physicians are not yet enthusiastic advocates of this. They of course themselves don't always have an electronic health record. They are not being paid to do any work around personal health records. Some of them do perceive it as a threat to their control of patient information. There is a work flow concern as we saw with e-mail. There is now that work flow concern with PHRs, that they will generate new work that they are not paid or prepared to handle.

There is a liability concern that has been more and more voiced that the personal health record, if I as a provider am expected to know what is in it and I am liable if I make a decision or something happens untoward for the patient because of some information I did not review in that personal health record, am I acquiring a new liability. The number of health provider organizations are beginning to express that. And we don't have a business model yet that make this viable.

I won't dwell on the data that I have shared here. I think you have seen most of it before. There is a public over estimation of the adoption of EHRs, so people believe their doctors are farther along than they actually are.

I think I will just skip through these graphics and move on to some of the policy issues, given our time today.

There have been some attempts to develop public communications efforts, to educate the public about why this might be helpful for them. I think the key takeaways from that research are these. People are unaware of or receptive toward the value of these services. People do want convenience and they do want control. Those are opportunities for us to talk about. People do want their information available electronically in health care and other sectors, but there is a comparable fear of doing that. People do want to work with their doctors to acquire this information.

Let me take a mental break there and move more into the policy implications. This is an overview of the landscape we seem to be in, the kinds of products out there, the kinds of services, what we know about the public mood.

Let me shift now to what some of the policy issues are that I know your letter and your hearings have discussed at length.

First of all, the federal role in personal health records. You have a distinct opportunity to inform the Secretary and to suggest ways to move forward. There is a strong rationale for the federal government playing a hand in this arena, which to some might look like it is a market situation, why does the government have a role. I think it is important to restate why there is a role for the government. The President has certainly said this is a national objective, and that gives us all a reason to give it greater attention.

PHRs as we saw with the IOM citation are one of the tools we can achieve a variety of public health goals that the nation has adopted. Many of the current federal activities will be strengthened by the use of PHRs in support of current federal activity, and some new and emerging federal policy objectives can be helped with this set of strategies.

You have done remarkable work over the years on the NHII. You have articulated in the past why the government needs to be the articulate leader of this strategy. No one else in our society has that opportunity and that role.

The need for connectivity. None of these individual objectives can be met unless there is an infrastructure which ties the pieces together, and there has to be national leadership to make that happen. It is not going to happen by itself in the market, at least, it hasn't in the last 15 or 20 years.

This slides summarizes as a reminder if you need it how big the government is in health care, and how many fingers it has touching different aspects of American life and the health care system. But the government's role in PHR is expressed in a variety of ways. It is as a provider of course in the VA and other settings. It is as a payor in the context of CMS and others, CHB, for example. It is a regulator, it is a researcher, it is a disseminator of primary knowledge to the public, it is a public educator, it sets policy, and it is an employer through the very large federal employee program. So there are many ways in which the government can be active in stimulating a successful PHR program, and conversely, by lack of coordination the government can be a little bit disruptive, putting out many different uncoordinated PHR agendas.

I think the issues that we have heard as we interviewed federal agencies, what they see emerging for them. First of all, how do they understand whether and how PHRs will advance their own objectives in their own agencies. What will it cost them to proceed down a path of supporting personal health records. If there are standards, and if there is an inoperable health information environment, what is the importance of standardizing the PHR piece of that. In other words, is the EHR standardization effort an interoperability effort enough, or is there a supplemental effort around PHRs that has to be taken on explicitly.

What are the privacy concerns? The question is, is HIPAA enough? You have raised it in your letter, and I think that is going to become an increasingly explicit topic of discussion.

How does the government encourage innovation and not stifle it? If the government were to put out 40 million CDs with the government's official PHR on it, that might not encourage innovation. But is there a way that the government's actions can stimulate what is a brand-new field and very unpredictable in its course of continuing improvement in the availability of information for patients and families.

Are there regulations needed or certification processes needed for PHR products. Then there are a number of other elements that are listed here in terms of the capacity of the federal government to be involved, how it ties to other federal agency objectives, Department of Homeland Security, for example, and document management has come up this week as a new set of challenges which overlap with the PHR issues.

A second broad category of policy concern is privacy and HIPAA. We know that the public cares about privacy. We know that HIPAA provides a very important framework for further analysis, but it is not clear that HIPAA when it was crafted in the mid-90s anticipated either the electronic health record or the personal involvement with their own health information that we are now seeing. So there are several questions that have to be revisited.

The individual has a right under HIPAA to access their own health information and to make demand for it. Is that an enabler of personal health records and if so, how do we exploit that in effect. Secondly, privacy protections your committee has raised very strongly. If the PHR offerer is not a covered entity under HIPAA, why privacy protections apply? What guarantees do the patients have about the uses of their information when shared with a third party non-covered entity?

HIPAA provides for personal representatives or proxies to manage health information. How does that play into the need in the PHR context for caregivers and proxies to be working with the patients themselves? The notifications of content provisions of HIPAA, do those apply equally, and how do they apply to the PHR environment?

One of the issues now with the California notification law or breach law has revealed to all of us the spills of private information, but that law is not national in scope, and there is no guarantee that spills of personal health record will -- I will receive notification if that were to happen to me, outside of California. Then, do we need provisions that are stronger than HIPAA as it addresses PHR information.

A third issue of public policy that I want to give attention to is personal control. Surveys we have done and others have done have said it is very important for people to control their information. There are several implications or challenges that raises.

First of all, we have seen this in Connecting for Health painfully and repetitively, do we mean control in the aggregate or in the granular level. If I am a patient and I say you may see my medical record or you may not, or can I say, you may see my psychiatric medications or you may not, or can I go down to a specific lab result, diagnosis or medication, and exclude or include certain people from seeing that. That is a question that is both a policy, philosophical and technical challenge.

What does control mean in the context of technical decisions about architecture? As we build the national health information network and we debate issues like unique identifiers and record locator services and other arcane issues of technology, what do those imply for the ability of a patient to control their health information. As we move out of the purely institutional and provider oriented way of thinking about it, these technical decisions have import for the ability of PHR to have personal control.

Does the exercise of personal control jeopardize patient safety? Do we have two fundamental American objectives that are at odds? Some providers are concerned that patients will exercise that control unintelligently if you will and sabotage their own best interest by controlling information that could be used in their own best interest and the patient's interest. Can physicians be effective if patients are limiting information access without adequate knowledge of how to do so. Then, the fear of secondary uses. Do we prevent secondary misuse of data, or do we provide consequences when those misuses occur.

These are all going to be the emerging policy challenges in the privacy area for the next several years.

The fourth area here is standards. The broad question is, do we need standards for patient supplied information. If the PHR is able to leverage, as you say in your letter, EHR standards for laboratory results and so on, what happens when I want to report my medication use patterns, I am splitting pills or I am skipping doses, or I want to report my symptoms, my pain level day by day, or my angina level day by day. We don't have a standard nomenclature and vocabulary to record all that. So does the PHR data become less portable for lack of portability of patient supplied data, and is there any mechanism to begin to introduce standards there.

Finally, I want to just mention the Medicare role, because it is such a dominant player in our health system and our society. As you know, Dr. McClellan in the program there is very interested in personal health records, as Simon said at the outset. We have done some work, and others are now providing input to CMS on how they might proceed. The prescription drug benefit program next January certainly may be an opportunity for CMS to jumpstart some attention to managing my own health information. I already have a consumer portal which could become a medication management portal.

Our recommendation to CMS is that they focus on becoming an information data supplier to the variety of personal health records that may be out there, and that CMS not become a vendor or distributor of personal health records themselves. I think it is a question for you all to ponder as you go forward, what is the right role of government and major agencies like CMS. Should they be an offerer of personal health records, supplier of information to third party personal health records, or some other combination thereof.

Finally on that subject, I just want to say that I think anything CMS does has the opportunity to educate all Americans, especially older Americans and their families, about all the issues you struggle with. It is very helpful and important that CMS do proceed in this way. Even if what they do on a technical level or a data supply level is modest, the mere act of doing it educates people that it is possible to see my own health information, make better decisions because of it, share with my doctors and my family. That is a very valuable role they can play.

This is some general thoughts on where the policy framework might need to go from here to extending where you have come with your letter so far.

First of all, this idea of a road map of some kind. It seems like everyone in this space, both in the EHR arena and the PHR arena, interoperability arena, would benefit from what we call a road map, a common sense of how do we move through this ecosystem going forward, what does it look like today, what do we want it to look like in ten years, what are the main roads that are going to cross that territory over the next ten years, and what do we need different components of the health care information system to do to traverse that landscape over the next ten years.

I think we need to monitor very closely -- and you suggest this in your research recommendations -- what the next generation of innovations will be. We don't know sitting here what the next equivalent is going to be to move us through this territory. We should watch closely to see what gets traction, both with professionals and patients.

We can certainly see experiments, where with what preliminary knowledge we have, we can see the next generation of ideas and find out what works. I think as I suggested briefly here, there are some policy tracks that need further debate.

A number of policy actions that should be considered. We think the Secretary and the new AHIC should designate a private-public panel or an extension of an existing panel to guide the deployment of PHR pilots so that CMS and others can learn in a systematic fashion what the next wave of challenges will bring. Employers plans, FEHB, CMS should explore incentives at the patient level as well as the professional level for adoption of these tools, and some coordination around those, what those incentives might be.

Using the medication environment, I think our broad thought is, it would be worthwhile for everyone to focus on a common area of implementation. Medications is probably the one with the greatest traction, greatest risk to public safety, greatest visibility because of the prescription drug plan under Medicare. If there were to be a single point of focus for the next few years, perhaps medication safety and medication management might be it, and give at least the federal initiatives and maybe private initiatives some direction there.

PHR-like functionality, whatever that might mean, might be something we encourage AHRQ, CMS and other federal payors and grantors to consider as a requirement of their federal IT spending, that they create a focus, as they are now doing with interoperability and that Congress is telling them to do, they do the same thing with giving the patient access to their own information as a condition of using federal money for IT.

Creating awards for state PHR pilots with Medicaid. Medicaid is always a forgotten stepchild with enormous potential, and reaches an enormous number of vulnerable Americans who have particularly acute health needs. It would certainly be desirable to make these technologies available through the Medicaid program.

Some consideration of the certification process for personal health records to address some of the issues I have summarized this morning. Then increase ONCHIT's ability to focus on this. They have always wanted to, it is in their original strategic framework, but they certainly have not given much attention to personal health records.

My last slide is a commercial. October 11, we will be sponsoring along with Robert Wood Johnson and AHRQ a conference on personal health records here in Washington. I hope you are all able to come and send your friends.

Thank you very much.

DR. COHN: David, thank you very much. Carol, should we start with your and your question, since you were kind enough to defer it until the end?

MS. MC CALL: Absolutely. These are some related questions. Back on slide nine, you talk about all the different things that can be in a PHR, and then acknowledge that they are not identical, and they may not be intended to be. So that is point number one.

Backdrop point number two has to do with data and data ownership, because I think that is going to be a key issue. So the question with those as backdrops is this. Who owns the data? I know that you have already put that out there, but within that context and aggregation, with so many different variations on a theme, how can you actually aggregate things that in no way fit together, no common vocabularies? Those things that you have talked about with folks and heard potential solutions for?

The reason I ask is because there is this huge assumption that at the end, we are going to have PHRs and we will have secondary uses, because it is all going to fit together. Yet it doesn't seem like the way people are thinking about it now it is actually designed to do that. So I would just love to hear your thoughts on that.

DR. LANSKY: I would distinguish the ownership issue from the control issue, and focus on the control issue and let lawyers discuss the ownership issue. Certainly in the personal health record context, to the extent that that is not a portal environment but it is actually in my custody, and I can truly control accesses to it, and review those accesses through some auto mechanism, that seems to be consistent with the philosophy of PHR, not to diminish the role of the electronic health record or the pure portal, but just to distinguish.

The aggregation issue I think applies equally to the interoperability environment and to the PHR environment. In the PHR environment in some ways it is easier, because I will choose voluntarily or not to relinquish my data. Someone knocks on my door and says, can I have your data for an adverse event study or for a quality reporting purpose, I may choose or not choose to participate in that. Whether I am properly informed is an important question.

The interoperability equivalent of the same issue, we did some animations and tested some explanations of the interoperable health information network. As soon as we got to the applications that were aggregate data, public health, surveillance, et cetera, quality reporting, there was huge pushback from many, many stakeholders.

So far in our testing in this country, the notion of aggregation is not an easy one to sell. The use of all these connectivity solutions for the purposes of improving clinical care is easy to sell. The idea that you can improve clinical care by aggregating data and feeding it back systematically is, we have a long way to go.

DR. STEINWACHS: I enjoyed your presentation very much, David.

A couple of things, just to get your reaction. You didn't mention explicitly some of the functionalities that might be tied to PHRs, like decision support. Elsewhere you mentioned things like reminders and so on, but when you were raising the issue about what information to share with the provider, it almost seemed to me, you could almost think of, is there a decision support tool there that says to the patient, you should share probably with your -- on your diabetes.

Is there much being done in thinking about decision support for the patient or the user of the PHR beyond just saying, remember to do this or remember to do that?

DR. LANSKY: I don't really know the answer to that. I think there are people thinking about it, and some small applications that do it. I hear a lot about it. I haven't seen very many sophisticated applications. Part of it is because since there is not a lot of connectivity, you can't bring a lot of resources to bear to apply the decision support to.

I think all of you would be in a much better position to comment on this. I think from the provider extensions of the EHR-PHR, where you have got the connectivity, the ability to reach into the home and deliver additional intelligence, there is more opportunity right now to do that than in a freestanding PHR product environment.

DR. STEINWACHS: Another thing I was looking for, you always listen to things from your own framework and orientation. One of the frustrations frequently when we talk about assessing quality and health care and so on is the lack of information on functional status, on how people are doing. So if you said, one of the stars out there that we may never reach, but the idea that a PHR might be a mechanism particularly for chronically ill stimulated by the providers, could be a way for the people to record, for this to be captured, to be shared.

Where do you see that? Is that way out there, or is it something in an achievable range in this three to five years?

DR. LANSKY: I think there are modest experiments, research projects which do that now, using home based technology to capture that information and feed it back to a central research facility.

So many of these things, and you know better than I over the last 20 years, in outcomes research and health status measurement and so on, they have remained essentially in the laboratory and not been used broadly in clinical care or in disease management or other applications, despite the potential of them, we think.

I observed in the Katrina disaster recovery discussions the difficulty of getting the principal establishment, so to speak, to take seriously that set of opportunities for capturing that patient supplied data as part of the mainstream of information flow.

So I guess I would say the technology will certainly permit it. There are companies like Intel that are building business strategies around that. Yet, I don't think it is considered to be a principal element of the short term thinking.

MR. REYNOLDS: David, nice job. You took a very complicated subject and made it very clear.

On page 32 you talk about incentives. It's the second bullet. You talk about rewarding doctors who provide PHRs. Then if you go back to page 17, you talk about some of the physician barriers, which are a lack of a EHR.

From your viewpoint, which one is the chicken and which one is the egg, and where would we really want to focus incentives to get the doctors moving, versus having an individual doctor or someone offer a PHR versus working on their own EHR so it could be consolidated into a PHR?

MS. MC CALL: It is your birthday, make a wish. What would you love to see?

DR. LANSKY: On that issue, I think it is important to recognize the patient's confidence in their doctor as one of their agents of their health information. The doctor is a physical repository of a lot of it in the current environment.

If I were to make my wish and snap my fingers, we could move more rapidly to a portable interoperable PHR-based system, in which we reverse the information management infrastructure. But it is not going to happen, both for cultural reasons and for infrastructure reasons. So I think the realistic strategy for the next five to ten years is to do exactly as you suggest, to do complementary strategies, where we do what we can to incent providers to adopt standards-based interoperable IT to manage their clinical practice, and do what we can to encourage patients to interoperate with that infrastructure and to have their own web-based or in their pocket tools to manage their information. But they should go in parallel, and if anything, maybe have a multiplier effect, so that when we get synergy, when we have patients with the tools and their doctors with the tools, then we really encourage that kind of partnership.

MS. MC CALL: Just to clarify, I want to make sure I understand your last point, if they go in parallel, are you saying that -- is that consistent with the idea that people want them to come from their doctors? So they go in parallel, that means they are both out there, versus if I only trust my doc, that means the EHR has to come first.

DR. LANSKY: I don't personally cast it as either-or. I think it is a multi-factorial intervention. If the patient comes in with a USB stick to their doctor's office and says, here, plug this in, I want you to read what is on it, it came from my doctor in Omaha, that may be a brand new thing for that doctor, but it is a good lesson for that doctor to have, and maybe will help motivate that doctor, if it happens ten times, to consider an EHR themselves more quickly. So I think synergy is a desirable element here.

MS. MC CALL: You make a potential implication for Medicare to be a data supplier to private EHRs, which would be great if they could go on a parallel path, but not if one has to come before the other.

DR. LANSKY: What CMS might do in that respect would supply equally well the provider based portal and a freestanding PHR tool.

DR. COHN: Carol, that was actually the topic of the RFI from CMS. Michael, I think you are next.

DR. FITZMAURICE: Along with Don and Harry and everyone else, I want to compliment you on the clarity and the scope of your presentation, the issues that you covered.

Partly because of where I live, which is at the Agency for Health Care Research and Quality, we think sometimes in terms of research agendas. So with a research agenda for a personal health record, what are some of the important questions that need answers?

What I am hearing and what I am thinking, implications for the quality of care that might be enhanced by a personal health record, what happens to patient outcomes when they have it versus when they don't; are there patient safety considerations, both patient safety incidents that are ameliorated, patient safety incidents that may arise because of personal health records.

Marjorie always comes at us with the value of functional status. So maybe the value of functional health status information, self reported and continuously reported. Those are some of the thoughts that come up.

Have you thought about other things you would like to see in any research agenda, questions you would like to have answers for, because you have gotten an awful lot of answers about what the public thinks so far?

DR. LANSKY: I think your list is very good. We would be content to get some of those questions answered in the next few years. I think like the chronic care improvement program and the disease management programs, I think it is worth inviting people to do some research into redesign of the care model itself. If this infrastructure were in place, EHR, PHR, connectivity standards, what becomes possible to rethink the way care is delivered from our current paradigm? And what difference does it make?

I think we have all speculated, particularly in terms of functional outcomes and health status, there is an opportunity to make significant gains by reconfiguring the delivery of care. We haven't really seen that achieved yet. So that would be my meta objective.

DR. HOUSTON: I am going to echo the fact I thought it was a great presentation, and I have two separate questions.

The first being, can you touch briefly in one of your slides about the secondary uses? It really didn't go into much discussion about that. I know there has been a lot of discussion within the NHII Work Group regarding secondary uses and issues related to that.

At the same time, I noticed in your presentation you talked about the different models and the different products that are available. You even referenced Web M.D. What is your personal opinion regarding the issue of secondary uses? Is it as big an issue as I think some of us may suspect, in terms of maybe not Web M.D., or maybe it is Web M.D., using that data even on a de-identified basis for the purposes maybe of financial gain or whatever?

DR. LANSKY: Two thoughts. I think true transparency is the essential issue. People if they choose to participate in anything, a marketing program, a research program, whatever it might be, as long as they understand that is what is going on with their health information, then I think we are fine. Achieving that through transparency is a challenge.

The second issue I think is unforeseen consequences, like the privacy spills, the ChoicePoint and others. If three years from now someone suddenly discovers that all this information they have been disclosing under one set of expectations is being used for something quite different that they don't approve of, it could create a public unraveling of a lot of good that is being done right now in this larger arena.

So I think my concern about secondary uses is, many people in this country are very content to get things for free, because someone else picks up the bill in order to achieve something they need in exchange for providing a service. That is not inherently problematic. I think when it is problematic is when people are surprised that they have slipped into a relationship and a use of their very personal health information that they didn't anticipate.

DR. HOUSTON: Is that happening on a large scale? Are there PHRs out there with substantial secondary uses? Or is this something that is foreseen rather than actual?

DR. LANSKY: I think it is more foreseen. It is analogous to what is seen in other industries, where people are getting marketing calls and solicitations they didn't want and have a hard time getting rid of.

In the case of where you have AIDS and cancer, they start getting these solicitations, and someone figured that out, that would be extremely troubling.

MS. MC CALL: If it is something that is foreseen, how would you classify activities today with the tremendously standardized electronic pharmacy claims information? Where it is aggregated today and de-identified and bought and sold and used for a variety of things? Would you put that in the same bucket of, golly, if people understood that that were a use, do you think that would be of the same type? Or are you talking about something different in degree or different in kind?

DR. LANSKY: I think it is interesting that there are many uses put to our data that we are not aware of. When people find out about it, they tend to be troubled. I think we are at a fork in the road in our society on those issues, and I don't know what the right answer is.

DR. HOUSTON: I had another question. You indicated on slide ten of your presentation that there was a higher likelihood that people with chronic illnesses would use PHRs, or at least some aspects of PHRs. Yet there is a chart later on where, when you look at the demographics, I would think that the people that most likely have chronic illnesses, maybe I'm wrong, are people in the older category.


DR. HOUSTON: Yet, those are the ones that seem least interested in using a PHR. In fact, the statistics almost seem to go -- when I try to understand them, they almost run counter to your previous slide. It just seems like the slides either conflict, or my understanding of the use of PHRs by people above the age of 65 with chronic illnesses --

DR. LANSKY: Which title of slide are you looking at?

DR. HOUSTON: People vary in their preferences for PHR media.

DR. LANSKY: Yes, that is about media. The purpose of that slide, it is hard to see without color, is that the older population prefers paper over electronic media significantly.

DR. HOUSTON: My thought is when I read this though, understanding that, to me a paper record doesn't constitute a PHR at least in the context of what we are speaking of. Yet, it seems that age group is less likely to engage in the use of an electronic PHR, yet it seems like your earlier slides would seem to indicate that people with chronic illnesses would be more likely to.

Again, I am looking specifically at the last two bars on the right of this slide. It seems like people without chronic illnesses age 65 and above have a higher likelihood of using an electronic EHR than those who have chronic illnesses above the age of 65.

DR. LANSKY: My takeaway from the research is -- I think your point is exactly right. There are several attributes of people which make them more likely to use personal health record when it is available. One of them is being younger and being a comfortable Internet user or technology user. One of them is having chronic conditions. Those two tend to be opposite pulls.

I think our research says the sweet spot if you will right now are people between 45 and 60 who tend to be younger, very computer comfortable, and increasingly subject to chronic conditions. But people over 75 are very unlikely to use PHRs, though some will, but it is in the ten percent range.

DR. HOUSTON: But looking at these last two bars specifically, in the age 65 plus category, it appears that the intervention who do not have chronic illnesses are more likely to engage in the use of an electronic PHR than those who do have a chronic illness.

DR. LANSKY: I would just say that is a measurement error. I don't think it is a big distinction. It is a relatively small number of people with non-chronic in the over 65 population. I think the N in that bar is pretty small.

DR. COHN: Well, David, I want to thank you. I think this has been a very good introduction to the topic.

What I want to do is give everybody a ten-minute break, and then we will reconvene, and at that point we will continue on with the conversation. David, thank you very much, we appreciate you coming out.

(Brief recess.)

Agenda Item: NHII Letter on Personal Health Records

DR. COHN: Switching the agenda a little bit, as I have told you, this is sort of fluid today in terms of how we are handling things. But given that we just had a conversation about personal health records, it seemed to make sense to start talking about the letter. It turns out that both Dale and Linda will be able to be here for the discussion, and then be able to have the updates from the Department after we are done with the personal health record discussion.

So let me have you turn to Tab 3, which is the letter report to the Secretary on personal health records. I assume that everybody has read it, because I don't think I am intending to read through the whole thing. It is being brought forward for action at this meeting.

This has been the work of the NHII Work Group in close consultation and collaboration with the Subcommittee on Privacy and Confidentiality, who provided major input into the privacy section. We want to thank them for their help in terms of crafting something that I think represents wider views of the committee. So Mark, thank you for your help on that. I think everybody else is probably a member of both work groups, so it may be that that worked pretty well.

What I want to do is, without reading things, just briefly go through section by section, asking if there are comments. I do want to make sure that we stop when we get to recommendations to read through them, to make sure people are comfortable. We are at this point taking comments. We would like to at the end of today come to some sort of conclusion about any sort of major changes -- hopefully the won't be major changes, but any changes that need to occur so that these can be discussed by the work group tonight. So I think that would be the expectation of the conversation.

So anyway, we will go through, asking people about sections, then we will talk specifically about the recommendations, and hopefully get your input and thoughts as we go forward. Sound okay to everyone?

Our first section is background. I think as you know, what we try to do is anchor this from the NHII document from 2001. I found it helps frame the issues and the overlaps. I think David actually was also referencing that this morning, where he talked about the fact that these things don't have sharp edges to them, there is a lot of overlap between EHRs and PHRs and everything else. I thought that the NHII documents and graphics helped show a natural overlap and interconnection. So hence you see that in the introductory material.

Do people have comments, questions related to the background?

DR. ROTHSTEIN: I just have one suggestion in the last sentence of the first paragraph, the one that begins, each area. I'm not sure I agree with the statement that each area is equally important, that is, the areas mentioned in the preceding sentence, the one that begins, it incudes all those things.

So I would propose that we replace that sentence that says each area is considered equally important with, all of these areas are important, and have the goal of promoting information exchange.

PARTICIPANT: Or just strike the word equally?

DR. COHN: We get rid of considered equally. Maybe, each area is important?


DR. COHN: Will that work?

DR. ROTHSTEIN: If you read the rest of the sentence, the syntax doesn't make sense. So I will leave it to Mary Jo or someone else to clean up the syntax, but the point I want to make is, take out the equally, that's all.

DR. STEINWACHS: Simon, I would like to push back on that a little bit. I think we may have to clean up the sentence a little bit, but the areas we are referring to are the provider dimension, the personal health dimension and the population health dimension. I think the NHII report is very explicit on considering those three areas of equal importance.

DR. ROTHSTEIN: See, I didn't realize that. Then what we need to do to clear that up is instead of saying each area, just spell them out as you just did. I thought each area referred to the prior sentence.

DR. STEINWACHS: No, as soon as we said that I realized what your problem was.

DR. DEERING: I would support reiterating the names of them. That was why we put it in there, especially at the time that this was written the provider dimension was the only one that was getting attention, except because of bioterrorism, public health was coming along. So I think it would clarify the point to re-articulate that.

DR. HOUSTON: But earlier in the paragraph it says NCVHS identified three primary areas. If in this sentence we simply say, each of these primary areas is considered equally important, it is at least consistent in terms of the way we are trying to identify the area.

MR. BLAIR: Have we decided to get away from the words that we used in the report, where we refer to these as dimensions instead of areas?


DR. COHN: Jeff, that decision was made a number of versions ago, based on input from Harry Reynolds, based on his view that this was more readable and understandable.

MR. BLAIR: That's fine.

DR. DEERING: I'll give you some wordsmithing and bring it back, something like each of these areas serving health care providers, population health and individuals are considered important. So in other words, I use the word areas rather than dimension, but then I articulate what the three areas cover.

DR. COHN: In this sentence, you mean, or is this another issue?

DR. DEERING: It is on that last sentence, each of these primary areas.

DR. WARREN: In going back and looking at the paragraph, because every time I hear something like each area, I always go back and -- what does it refer to. But I think since you started that in the first sentence, if you just said each of the three primary areas, because it comes back to that first sentence in the paragraph, then we should be okay.

DR. FITZMAURICE: Could I suggest something? In that first sentence, identify three primary areas, I would put in parentheses dimensions, so that people know that it refers to the figure on the next page, that areas and dimensions are the same thing.

DR. COHN: Thanks for that point, that the graphic does talk about the dimensions.

DR. STEINWACHS: That helps.

DR. COHN: Maybe in the very first sentence here, where we are saying, identify three primary areas or dimensions. That is what you were referring to?


DR. COHN: Mary Jo, are you okay there?

DR. DEERING: And then the last sentence would read, each of these three areas or dimensions?

DR. WARREN: Each primary area. We just codify it to add the word dimension.

DR. FITZMAURICE: No, the first sentence.

DR. DEERING: I understand that, but I am trying to make them parallel.

DR. WARREN: I think if you got the dimension in the first sentence, I don't think you need to repeat it in the last one. I would just go back with each three primary areas, just so that you are in parallel with that first sentence, so we know which area is being talked about.

DR. COHN: Let's move on from this area. We will have Mary Jo and the work group try to wordsmith this one offline. Anything else in the first section?

Move to the second section. I do want to remind you that we are happy to handle minor wordsmithing issues offline. Mary Jo will be the holder of all of that. Indeed, I noticed things as we went through, but minor questions or whatever. We are most interested in substance.

So done with the first section, on to the second section, which is, personal health records are evolving in concept and practice. Here I think once again, we are reflecting things that David was saying when he was reflecting things that we were saying about the fact that this is an evolving area, it is not possible to define it particularly well, and it is more a question of how you describe it. So we are positing a framework for attributes which we are including here.

The recommendation one here is that NCVHS recommends that HHS support the development and promote consensus on a framework for characterizing personal health record systems, building on this initial framework. Recommendation two is, HHS and others should use the agreed-upon framework as a basis for public education efforts highlighting the benefits and risks of various types of PHRs, not only consumers and patients, but also health care providers and other stakeholders.

Comments, questions on this one?

DR. FITZMAURICE: On recommendation one, NCVHS recommends that HHS support the development and promote consensus, I am thinking by whom. If we mean a public consensus, I would suggest inserting the word, promote public consensus on a framework. But if we have somebody else in mind, then we ought to spell out whose consensus is needed. Stakeholder, public, government consensus?

DR. COHN: Public-private?

DR. FITZMAURICE: Public-private. Who has got to agree for this to move on?

DR. COHN: I think public-private. Other comments on this section? Good.

The next section is entitled, personal health record systems value depends on users, sponsors and functionality. There is no recommendations in this area. Basically it describes benefits. There are a couple of places where -- actually, one place where we talk about members which we will fix to some other word, on page six, line 17. But I think Mary Jo and I will figure out the right word to go in there.

Basically it sets up the privacy conversation here, noting that there may need to be some consumer protections, or at least the Department should keep a close watch on that. Are there any comments?

DR. WARREN: What line were you talking about?

DR. COHN: To me it was a wordsmithing issue, line 17, page six. We are talking about systems for their members. Members works for some of those categories, but not for others.

MR. HUNGATE: Maybe constituencies?

DR. COHN: Constituents? I don't know if an employer has constituents.

DR. DEERING: How about members, comma, patients, comma, or employees?

DR. COHN: That sounds good.

MS. MC CALL: In terms of the table that starts on page five and continues on to page six, given what we just heard, it may be that we want to talk about possible benefits, as opposed to, these are the benefits, that these are set in stone. We heard that these are very heterogeneous, and we go on to say so. That is point number one.

Point number two is that when I look back on the diagram, the circles that we have on page two, it seems that one of the dimensions in terms of population health is not necessarily -- we say that they will benefit, but I don't see anything that is specifically geared toward that particular constituency. I guess it would be in the role column.

Was that something that as a group you talked about?

DR. DEERING: We had public health in some of the earliest versions. I am trying to recall why we took it out. Steve, do you recall that? There was a role in there. It was a mix of -- the public health was not really a role, it was a generic sector as opposed to an individual, a patient, a provider.

DR. STEINDEL: Yes, my recollection is exactly the same. As we refined this table over many iterations, we focused the table down onto more specific benefits that can be attributed to an individual type group. When we started looking at public health and research, they were more societal benefits. So it was more difficult to fit into this type of table.

MS. MC CALL: Understood. What I am thinking about is that I am going back to a comment that Dave made, which is that secondary uses -- and if people don't understand that those are there, early signals are that people are very uncomfortable with that. So unless we write into a letter and recommend that we come to terms with all of that, and peoples' opportunities to play, because we call it out as a benefit to society, if it doesn't get addressed while things are being architected, we may find ourselves down the road with some policy issues.

DR. COHN: That issue is actually brought up in the privacy section, explicitly. I am more comfortable leaving it in privacy and not explicitly articulating it here, because I don't know what we would say about it specifically.

MS. MC CALL: Again, just in terms of the benefits. We talk about from -- if the anchor document is information for health, and one of the key dimensions and the overlap is the ability to do that lower circle, when we talk about benefits, do we want to articulate some of the benefits of in this section, as opposed to just leaving it for privacy. That is really the specific question.

DR. COHN: But I do want to point out that the dimensions graph was not a benefits graph, it was an overlap of information graph.

MS. MC CALL: Understood.

DR. STEINDEL: Another reason why we took out benefits with respect to public health, population health and research is, we don't have total clarity on what the benefits will be derived from the personal health record itself.

Now, we are relatively clear that we can derive benefits in the population health dimension from the electronic health record, and from the type of records that are being envisioned at that level. But when we go down to the individual, because there is so much diversity in what might exist as a personal health record, we thought it might be premature to state how it could benefit at a societal level.

MS. MC CALL: Right.

DR. GREENBERG: Having this vague memory of an e-mail exchange when it was decided to drop this, and objecting to it, but being too busy to comment. Now it is all coming back, I think.

But I really support what Carol has said. This committee's mission statement includes using information to improve the health of the population. Just by indicating that there is a benefit does not mean that people will have access to it, because payors and employers and even providers may not have access to personal health record data.

So I think to have something about population health, which is related to the consumers, but it is more at a population level, that the whole concept of people having a better understanding of their health care needs, their health care services, their resources available to them, access to all sorts of things that could be tied in to PHRs, should improve the health of the population. If it doesn't, why would we even be promoting this?

So I just think for the committee to come out with all these -- because this is the problem with everything you see in HIT. They always have the consumers, they have the patients, the providers, the payors, the employers, and they rarely say anything about population health, and this is an opportunity for the committee not to repeat that error.

DR. DEERING: We have called out that this is a potential benefit, and by the way, that is in the text above it, but it is not in the header of the table, so you are quite right.

With Simon and the members' permission, I too would come down on trying it, because if we are saying it is potential benefits, it is not so much from the direct use of the data, which is I think what made us take it out; are we talking about data flows from the PHR into public health. I think Marjorie has just framed it in a way that I am beginning to see some statements. It might only be a couple of bullets. It is a secondary benefit, not from the use of the information flow itself.

DR. HOUSTON: I think we were also dealing -- I think part of the discussion too as I recollect was that we were dealing with the personal health dimension directly in this letter. I guess to the extent that you could add bullets that demonstrate the value of the personal health record to patients in a public health way, I think is meaningful. I would tend to think that we shouldn't -- I don't think we should add a section to this for anything else, discussing public health benefits. I really thought we were trying to focus on --

DR. DEERING: On the personal health dimension.

DR. GREENBERG: Yes, but I don't see how that is contradictory.

DR. COHN: I think the only question is on this chart.

DR. HOUSTON: But I would say, make the discussion how it is a public health benefit, but in the context of the various constituent groups that we have identified.

MS. MC CALL: It may draw back to the sentence we just talked about, about optimum information exchange among them, that there is a personal dimension benefit.

DR. HOUSTON: But looking at the diagram though, if you look at all the different bullets that are within this chart, and the ones that overlap the personal health dimension, and fashioning those bullets into --

DR. COHN: I am going to make a suggestion here. I am very concerned about us going too far in this direction, first of all. I would probably be willing to have something that says, societal benefits, and something like improved health of the population, or something on that level, but I am not sure I would go much further than that.

DR. STEINDEL: Simon, I would like to point out that a lot of that was discussed in the NHII document. It actually is to a certain extent in the diagram itself, where we list the bullets in the population health dimension, where it says -- the two that come to mind are surveillance systems and health disparities data. So we do list some of the types of things we are envisioning that might come from the population health dimension in these areas. But I am uncomfortable with going into much detail as well.

DR. COHN: John Paul, I think you have some reticence on this one.

DR. HOUSTON: No, I agree. I didn't want to go into much detail. All I was trying to do is say, if you look inside the circle here, the ideas overlap between the personal health dimension and the population health dimension, and focus only on those items where included in this chart might insure that there is some coverage of population health without having to delve into it deeply.

DR. STEINWACHS: I'll leave it to you to figure out how you orchestrate it in the table, but it seemed to me that part of the issue here is, are there public health things that accrue to the patient level as well as to society.

You have implicit in here the opportunity for PHRs to support health promotion and disease prevention. That might be one piece. You talk about empowering other employers, you talk about empowering consumers. I don't know whether that is an employer thing or population, but I thought John Paul was going a little bit at, are there things here already that are things that accrue to public health benefits.

So you could talk about it and not make it a separate row, but have a paragraph that talks about it, or you could make it a separate row.

MR. HUNGATE: This is just a slightly different tack on the same content. CMS has stated that it is a public health agency. Every payor and every employer has a defined population. So population health is involved in a way through the payors and employers segments of the table. There is a broader society overlay on that, but there is a piece there that can be construed in that direction.

DR. HOUSTON: Let me give you an example, Simon, of how we can rectify this. If you look at the chart --

DR. COHN: My problem is, my version of the chart, I can't read anything on it. As you have me look at it, I am desperately looking for that --

DR. GREENBERG: What are you looking for?

DR. COHN: A version of the chart that I can read. Are you talking about the chart or the diagram?

DR. HOUSTON: The diagram, I'm sorry. If you look at the overlap area, there are two areas. There is one bullet that says public education materials, which is in the overlap area, and the neighborhood environmental hazards. Those are two items that you might decide under consumers in the chart to add as bullet points as benefits.

Do you see what I am saying? Add under consumers the concept of things such as neighborhood environmental hazards or public education materials as being a benefit to consumers of the personal health record.

DR. COHN: But are those benefits to the population?

DR. HOUSTON: They are in the overlap.

DR. DEERING: They are benefits to the consumer from the population health dimension that could be delivered via --

DR. HOUSTON: The personal health record. My point is, if you look at this diagram, you see it overlaps. Just by looking at the diagram on its face, you see it overlaps. Identify those items that might be part of the benefits section of a personal health record to the different populations, and add those bullets in. That is my only point.

DR. COHN: Okay. So you would have a box here that says societal benefits or population health benefits?

DR. HOUSTON: No, I would use the same boxes. But my example is that under consumers, for example, a benefit to a consumer might be from the chart public education materials or neighborhood environmental hazards information. The only thing is adding those bullets.

DR. DEERING: It draws a connection to the diagram that is there and makes the point in a very gentle way.

DR. STEINDEL: I could go along with that type of approach, yes.

DR. COHN: Is everybody okay with that as a solution?

DR. GREENBERG: I'm really just trying to understand what the strong objection is to adding a category that says population health and putting a few bullets. I'm just not getting what the risk is there. I can understand public health, because in this country we use them differently, and people might start thinking, they are going to send this data to public health. That is not the point, although we are not going to send it to payors or employers, either.

MS. MC CALL: I think that goes back to the point you were making earlier, to say that what you were trying to do in this table is to focus on benefits that accrue to the individual, not those that accrue to the population. Not to say that those aren't there, but that the intent of this table was to focus on things that accrue to people one at a time.

DR. GREENBERG: Build market advantage. Does that accrue to the individual?

MS. MC CALL: I'm a witness here, too, so we really have to go back to the authors. If the intent was to have that, I think it is to honor the intent of the table about individual accrual.

DR. COHN: Mary Jo, can you help us with this one? I am hearing two diametrically opposed --

DR. DEERING: I think it may actually be an overstatement to say that this is intended to remain purely within the personal health dimension, because clearly we have the whole provider area on the top of the second page, page six.

I think these are sectors. As I personally indicated, I am increasingly comfortable seeing population health as a sector for which there are again benefits that are not those directly related to secondary uses of data necessarily, but that are benefits that accrue because of the existence of the personal health record and personal health record systems. That is my feeling.

DR. COHN: So why don't we try a box that says population health? One is probably improved health of the American citizen rate.

DR. GREENBERG: Health promotion and disease prevention.

DR. COHN: Health promotion, disease prevention, and maybe we stop there.

DR. DEERING: Right. Keep it simple and high level and see what we think of it.

DR. COHN: And the work group will consider it and come back with that tomorrow. But it is high level and short.

DR. TANG: Suggest that we take out one bullet under payors, which is the push information marketing to beneficiaries.

DR. COHN: Okay, that is a friendly amendment there.

DR. HOUSTON: Why do we want to remove that?

DR. TANG: It is a borderline to no benefit to the patient.

DR. HOUSTON: But I think it is a conduit to provide information regarding the plans to the individuals through the PHR.

DR. DEERING: Just provide instead of push. Just provide information.

DR. TANG: We already support wellness and preventive care. I suppose it can support the disease management.

DR. HOUSTON: It can be alternative therapies.

DR. ROTHSTEIN: We have improved customer service transactions and information.

DR. HOUSTON: But I think there might be different therapies, formularies, things like that that the patient might be interested in that payors might want to provide to the beneficiaries.

MS. MC CALL: Think about it more along the e-disease management line, as opposed to -- it is really the use of the words push and marketing, as opposed to provide information and education.

DR. COHN: So Paul, are you okay with provide information and education to beneficiaries?

DR. TANG: Yes, that would be fine.

DR. COHN: That sounds a little better, doesn't it?

DR. ROTHSTEIN: Along those lines, I have several suggestions. Under health care providers, I would propose to delete the bullet, build market advantage. I would also delete under payors the last bullet, build market advantage.

I take this chart to mean that these are health care benefits to individuals, health care benefits of the system. So supporting wellness and preventive, that is fine, and promote portability, et cetera. Build market advantage, I don't see in there.

DR. DEERING: Just by way of explanation, originally if you look at the header of the overall section, it is about value. This section began as a discussion of value propositions. So the word value is still in the header on the prior page. That word value, originally the table was labeled key value propositions. Then the label got changed to key benefits and now key potential benefits. So the intention of the chart is changing. So I think it is up to the committee, if they want to continue down this evolution, then you are quite correct that that doesn't remain there. But originally this was a discussion about, what will actually make this work.

DR. HOUSTON: Can I suggest changing this to provide market intelligence, or --

DR. COHN: That is not what we are talking about here.

DR. HOUSTON: No, I think it is. I thought it was to help understand the market.

DR. COHN: No, I think what -- is a competitive advantage to a new marketplace to get market share.

DR. DEERING: How about customer loyalty?

DR. COHN: Which is why people do this.

DR. TANG: I hope this will be considered a friendly suggestion. I think you accomplish what you want in the words and the prose, and the table may actually be causing more trouble than it is worth.

DR. COHN: You're trying to get rid of the whole table?

DR. TANG: Just get rid of the table.

DR. COHN: No. Nice try, Paul.

DR. GREENBERG: That is certainly what happened to the research recommendations in the annual report; we will just get rid of them. I couldn't resist that, but anyway, I was going to make a slightly less drastic recommendation. That is, I think it is fair enough to say we are all public health people to some degree, but at the same time, we are a capless society, people have got to support these things. So the fact that there is value to providers and payors and employers in supporting it is not a dirty concept in the U.S.

But in the table, things kind of jump out. So down here, I would take that market language out of the table, because it seems to be geared more towards health benefits. Then in the sentence here at 16 and 17, we also heard of growing interest from payors, providers and employers to sponsor PHR systems with their members.

DR. COHN: It is already over here.

DR. GREENBERG: Okay, well, fine, you could mention it there, or it is already mentioned here, so that is fine.

DR. COHN: Line 14.

DR. GREENBERG: I would take it out of the table, but make sure it is acknowledged in the text.

DR. COHN: I think what I am hearing is that you can remove those bullets. It actually is already in the language of the text, customer loyalty and all this stuff. So I think it is there.

Mark, final comment, then we will move on to privacy.

DR. ROTHSTEIN: Phrasing it that way -- no, I question whether we should separate consumers from patients in the table. I recognize the theoretical distinction, but we use them together in the text.

So what I would propose is to eliminate the line between them and just have a category that says consumers, patients and caregivers, and lump those two categories together. If you do that, there are several bullets that can be eliminated because they are duplicates.

DR. STEINDEL: Mark, we actually did have extensive discussion around doing that during the development of this table.

DR. HOUSTON: I can attest to that.

DR. STEINDEL: That is why the asterisk is at the end of the table. We came to the conclusion there were differences between people who use the PHR when they are acting in a consumer role in particular and when they are acting in a patient role. Yes, there are some overlapping benefits between the two, but we decided that there was a distinction between people acting in either role. It also occurs in some of the other areas as well. We decided that if we started to do something like that, it would either be doing what Paul just suggested and eliminating the table altogether and somehow trying to figure out how to relate that in the text of the table, or just put the asterisk that said we recognize the fact that people do different roles.

DR. ROTHSTEIN: Well, actually my suggestion was trying to save your language as it is. If I were writing this from scratch, I wouldn't use either of those terms. I would just say individuals. But keeping the wording as you have it, I think we can combine them. I don't feel that strongly about it, if everyone is in a hurry to get to privacy.

DR. TABOR: Tables are useful when they are clarifying.

DR. COHN: Steve, do you have a comment you wanted to make on this one?

DR. STEINDEL: I thank Paul for his support of the table.

DR. COHN: Leave the table. No table is perfect, and I don't know that we have created perfection here.

DR. DEERING: I hate to say it, but I actually think -- I don't even know why I hate to say this despite all of our debate, but I think that Mark's solution actually has an editorial value as well, because we use those phrases all together throughout the text. We use them interchangeably, unless it is very clear in the sentence that it is only a patient.

So we actually do ourselves a greater service by following Mark's suggestion.

DR. COHN: So what is the title there? Is it individuals?

DR. DEERING: Consumers, comma, patients and their caregivers.

DR. COHN: Is everybody okay with that?

DR. HOUSTON: Simon, you moved the asterisk down from roles to the actual cell that says consumers, patients and caregivers, so that it is clear that --

DR. DEERING: Right. I'm not talking about a payor turning into a doctor. We are talking about people as individuals wearing different hats.

DR. COHN: Certainly one can be a payor at times and a consumer at other times.

DR. GREENBERG: Even payors are people.

DR. COHN: So Mary Jo, we will defer to you to play around with this one, and we will consider it. This is as I said futzing with the form.

Carol, I would like to get to privacy. Is this a critical piece?

MS. MC CALL: It is one quick clarifying -- I think it is a helpful comment.

DR. COHN: Sure, please.

MS. MC CALL: Marjorie had said something that this was in the title of the table. It is really about the health benefits that inure. So I think -- she had used the word, and I think it may help clarify to just call it health benefits.

DR. COHN: But this isn't just health benefits.

DR. DEERING: It is not just health benefits.

MS. MC CALL: I withdraw.

DR. COHN: If it fit it, we would use that, I agree. Okay, are we okay so far? Are we holding things together?

Let's move on to privacy, if that is okay. Let me just introduce it before people start jumping in here.

Privacy was one of the more -- I won't say contentious, but it took a long time to work on. There are still little areas I see which require a little bit of wordsmithing.

For example, on page eight, there is a sentence here which says -- this is line 11, 12 and 13, it says, consequently the committee is unaware of anything that compels the PHR vendor. I would suggest we are talking about PHR vendors not covered by HIPAA, because otherwise that sentence doesn't make much sense. That would be the one clarification there. So basically these are not covered by HIPAA, PHR vendors not covered by HIPAA. That was the only change I was making on that line, because that is what it applies to.

Beyond that, we have four recommendations. Let me just read them, and then we will let everybody raise their hands and comment.

First of all, recommendation three. In any public education program about PHR systems, HHS and other parties should inform consumers about the importance of understanding the privacy policies and practices of PHR system vendors, including the enumeration of potential secondary uses and disclosures of personally identifiable health information. Recommendation three.

Recommendation four. HHS should identify and promote best practices with respect to privacy policies and practices for PHR systems and models for plain language wording of notices describing these policies and practices.

Recommendation five. For any HHS sponsored pilot projects in any contractual relationships that CMS undertakes with entities intending to use CMS data in PHRs, HHS should require that these PHR systems provide advance notice of any uses or disclosures of the personally identifiable health information. In those situations where HIPAA does not apply, secondary uses or disclosures of information in PHRs should not be allowed without the express consent of the consumer or patient.

Recommendation six. Entities not covered by HIPAA that offer PHR systems should voluntarily adopt strict privacy policies and practices, and should provide clear advance notice of these policies and practices. This notice should specifically include a full description of all secondary uses of PHR data. In addition, NCVHS recommends that no health information in a PHR be used for secondary purposes without the express consent of the consumer or patient, which may be obtained in conjunction with the notice.

Recommendation seven. HHS should collaborate with other federal agencies as appropriate to review and assess issues related to privacy and other consumer protections for PHR systems. Such a review should evaluate existing authorities and mechanisms for addressing potential problems, identify gaps and recommend appropriate action.

Now, the floor is open. Russell, you had your hand up first, then Paul, then Jeff.

MR. LOCALIO: I'd like to kill two birds with one stone here. Mary Jo has a copy of some of my comments I e-mailed earlier in the week.

It seems to me that under both the privacy and the security recommendations, the one big gap has to do with the regulatory limitations that apply only to covered entities. I know the history of this, and I think everybody else around the table knows the history of this. It seems that especially in view of the previous speaker, who outlined some of the concerns that people have about privacy and associated security issues, that the gap is that there is today lacking Congressional authorization to regulate the entire spectrum of entities who might deal with PHRs.

So I would say that one of our recommendations should be very blunt in both privacy and security. That is, to recommend to the Secretary that the Secretary at least remind Congress of this gap and the need to close it. Simple as that. That would resolve a lot of problems.

DR. FITZMAURICE: How would you word that?

MR. LOCALIO: How would I word the recommendation to the Secretary? I would leave that to the work group to consider. But I just think the point is quite clear. There is a gap, we all know there is a gap. I think it needs to be filled. It doesn't help too much, a voluntary adoption of strict policies.

I don't think any patient out there is going to put much credibility into a voluntary adoption of strict privacy policies, when the person's only recourse is through some type of civil litigation which is too expensive. So there is going to be no recourse on anybody doing anything about this unless there is some type of regulatory control, and there ought to be regulatory control, I think people are in agreement with that. What is lacking is the Congressional authority.

I even think that recent concepts of federalism notwithstanding, there is probably ample room in the commerce clause for Congress to do this.

DR. COHN: There is ample what for Congress to do this?

MR. LOCALIO: The issue is, does Congress have the authority to doing these things. I still think because this could be a national system, the portability of personal health information across state lines falls into interstate commerce. Therefore, there is ample authority for Congress to do something. It is just that somebody has to say to Congress, we really want you to do something about this, because there is a big gap.

DR. COHN: I know there are people who are planning to speak. Do people want to talk about this particular issue and make a decision on what we want to do with that? Mark, do you want to comment on this?

DR. ROTHSTEIN: Yes, and defer the other comments on other things. Russell raises a very fundamental point.

DR. COHN: Jeff, do you have a comment?

MR. BLAIR: I don't have any objection to reminding Congress to fill in the gap. The only piece that I was concerned about is, we don't know how many years that is going to take.

DR. GREENBERG: You don't have what?

MR. BLAIR: We don't know how many years that will take. The exposure is one that is great. So some of them, like the full disclose of the use of secondary information was one that at least I had hoped could be something that could be implemented quickly.

So if you want to separate that and have a separate recommendation to Congress, then I would certainly support that. I just don't want them bundled where nothing happens until Congress acts.

DR. STEINDEL: Again, going back in the historian role, there was discussion of including worrying such as Russ pointed out in one of the very early drafts of this letter, and we decided not to go that route in the letter concerning the personal health record. If that was a direction that the committee wanted to go, that direction should be approached independently. We decided to stay within the bounds of what could be constructed within existing regulation, et cetera.

MR. HUNGATE: There was also concern about the dynamic nature of the development that is going on here, and the entrepreneurial effort that is taking place, the wide variation. There are a lot of things wherein standardization is going to need to be accomplished over time by the industry that is involved here, and protection of privacy is a critical element. We use voluntary standards participation quite a bit in the system to help make things move in the right direction. Open systems early upon that kind of collaboration between vendors.

I think we should give this model some opportunity and see how well it can work with the regulatory option held as a second choice and decision.

DR. TANG: I don't know if I agree with the recommendation. I'm not sure whether -- again, I would have to do a lot of thinking as to whether I personally would support what Russell proposes. I don't think there is a consensus on the committee that that is the be-all, or else I think we would have all come to that conclusion, because we had ample discussion about it.

I'm not sure whether I wouldn't personally want to impose this upon private PHR vendors, having an additional legal framework put in place. In fact, I think it may kill some of the private PHR vendor efforts if that is imposed on them. I believe there was discussion about just that.

DR. COHN: Maybe I will insinuate my comment before Paul and before Mark and before Don.

There was an introductory paragraph to this section that I want to remind everyone about where, while it doesn't rise to the level of a recommendation, it is a cautionary note saying to the Secretary and the Department, you need to closely monitor this situation, and if there are issues there may need to be regulatory or further action. I think that was how we -- how the work group decided to handle this particular issue. But that is just one's man view. I would direct you to that paragraph just as a comment.

DR. DEERING: Simon, I only wanted to jump in and say that recommendation seven specifically says the HHS and everybody else should take a very thorough look at what exists now, what is available and where the gaps are. So I think that was our ultimate fallback position.

MS. MC CALL: I too would point out recommendation seven, having a call to action to look at the gaps.

To the point about closely monitoring, and the fact that that is in the above paragraph, one idea is to enhance recommendation five by reinforcing a recommendation to closely monitor and then say, see recommendation seven, bringing that monitoring result into a dialogue where it is reviewed as a potential problem, and then they can recommend appropriate action if it is in fact a gap.

MR. BLAIR: Very good, very perceptive.

DR. DEERING: I'm not sure I really followed that, but I can follow up with you later maybe.

DR. STEINDEL: Mary Jo, the approach is reasonable, except recommendation five is focusing specifically on CMS sponsored pilots. It is not looking at the whole PHR industry, which is what we would need to do, to insert that type of wording that Carol suggested, that would be universal.

MR. BLAIR: Maybe Carol's suggestion then could be included in seven, where she is pointing not only the monitoring, but the results of the monitoring that are acted on. Maybe both of those need to be in seven.

MS. MC CALL: That would make them broader. That would be very good.

DR. DEERING: Another option for it is, in the paragraph that begins somewhere around line eight, depending on your version, on page eight, line eight or nine or ten, the whole paragraph there, gets at this issue. We could insert the language about monitoring into that paragraph with a reference to recommendation seven specifically below. I don't believe elsewhere in the document thought we explicitly draw attention to a given recommendation.

MS. MC CALL: No, it would actually be one recommendation referring to another. But I think that Steven's point is good, recommendation five is specific to CMS-related pilots. Therefore saying that there is monitoring activity, it would only be in reference to those.

Really what it is, my intent in the recommendation was to make it a broader monitoring activity. If there is voluntary adoption of strict privacy policies, and if that doesn't really address the need, then that is a gap that needs closed. But it needs to be done on a broader basis than just CMS.

DR. COHN: Probably if it needs to be anywhere, it needs to be in recommendation seven.

MS. MC CALL: I would agree, I would agree.

DR. DEERING: I was just thinking that if I heard you correctly, it sounds like the monitoring portion could be tacked onto recommendation six, because that is where you are saying we want voluntary practices and we want to let those voluntary practices proceed.

So it could be that if there was a final sentence added to recommendation six that says finally, NCVHS recommends that HHS monitor this carefully, so that the monitoring is related specifically to the voluntary implementation.

DR. COHN: I actually think it is still recommendation seven, where it says HHS should collaborate with other federal agencies as appropriate to monitor, et cetera, and to review and assess issues.

DR. STEINDEL: I am leery about introducing the concept of HHS and monitoring into a recommendation, because then that either directly or indirectly implies some type of regulatory role, or looking at some type of regulatory role, or gathering the information which we may or may not have authority to gather on a formal basis.

I can see endless discussions about how are we going to monitor, whereas in recommendation seven, we just say that we should collaborate with other federal agencies to review and assess. I don't think other federal agencies have a problem with reviewing and assessing, and going out and looking at their programs that they are sponsoring, asking how they are using this.

I know that based on recommendation seven, and we have heard numerous references to CDC and the use of personal health records here, we would be looking at and reviewing and assessing the personal health records that are out there in terms of our agency mission and reporting back on a regular basis. That is just part of what we do for a living.

I think the wording there is good enough for right now. I don't think it is good enough for what we will find after we review and assess.

DR. ROTHSTEIN: I wanted to get back to Russ' suggestion. First of all, on the merits, I couldn't agree more. But in terms of a strategy, even if you think that is where we ought to be going, I'm not sure that this is the right document to do that.

The privacy and confidentiality recommendations for the NHIN, which we will be discussing starting this afternoon and then tomorrow and then daily, in that content this is an issue that we absolutely cannot avoid, because this is a global issue that you have to deal with in the NHIN, whether we want to retain the HIPAA distinctions among the covered entities.

So because we are going to deal with that issue frontally in the NHIN report, I think this may not be the best vehicle for doing that, even though I agree with the sentiment.

MR. LOCALIO: Do you want to incorporate the NHIN report by reference? Or is that not far enough along so this would not be possible?

DR. ROTHSTEIN: Right, it is in draft form.

DR. TANG: I would like to support Russ' position, it being more proactive than monitoring and reacting to. It is telegraphing what the privacy and confidentiality, the trajectory it is going. But I think it is relevance to this document, because I think we need to be proactive to all the concerns we have had, at least in the PHR work group.

We are worried about the misuse or the unanticipated use or the unknown use of this information. If we don't get out ahead of it, this is privacy at its core, and I think it is worth putting in this document, even if we are going to telegraph a little bit about what we will say in more detail in the privacy report.

DR. COHN: We have heard pros and cons. I share Mark's view, because we really don't have anything in this document that -- this is a recommendation that sits out there, there is really very little supportive pieces. I am persuaded by him, in terms of that we should defer it to a wider view on this one, but I have to ask everybody else's view.

Marjorie, Don was first, and he has been very patiently waiting.

DR. STEINWACHS: I appreciate that people would like to start with a voluntary approach. I have the same misgivings in the same camp as both Russell and Paul.

It seemed to me possibly in the paragraph starting on line eight or ten, depending on the version you have --

DR. COHN: Of which page?

DR. STEINWACHS: Page eight. In a sense I think you are saying there that this issue is critical to confidentiality. It does not really, that paragraph, say something more explicit about starting with a voluntary approach, but recognizing that that may not be adequate, or do something in this paragraph that bridges what the paragraph is saying to me, which says it has got to be done, and then coming down here and saying, this is voluntary. So being voluntary, an organization can say, I'm not going to comply, but I am going to market my records. It may not be transparent.

DR. HOUSTON: I thought seven was to put a little bit of emphasis on the fact that if you don't voluntarily --

MS. MC CALL: Use the mike.

DR. HOUSTON: I thought number seven was really intended to be the stick out there that says, and if there isn't voluntary compliance and it does become an issue, --

DR. STEINWACHS: Seven doesn't really sound that way to me when I read it. It does not sound like a stick. It is too subtle for me, I guess.

DR. HOUSTON: That was the intent of number seven, was t be that stick; if you didn't do it, then --

DR. STEINWACHS: It doesn't come across that way to me.

DR. GREENBERG: I'm glad that Don didn't defer to me, because I wanted to comment on his as well as what I think I was going to say.

MR. BLAIR: Some of us are waiting patiently to comment on Locario's thing. Everybody is commenting on Locario's, and you have indicated several other folks came after --

DR. GREENBERG: Don's was on Russ', and that was what I was -- I am happy to cede the floor to Jeff.

MR. BLAIR: But you just said you were going to respond to that and then go on to some other points.

DR. GREENBERG: No, no, I was on this same issue.

MR. BLAIR: Okay, go ahead.

DR. GREENBERG: I don't know where I am, actually. What I was going to say before Don spoke was, although we can't refer to any recommendations, because we don't have a letter at this point form the work of the privacy committee, I think you could refer to the fact that the privacy subcommittee has been holding hearings on some of the limitations or whatever on current privacy regulations, and will be coming -- and the Department will be coming forward with further recommendations. So you could refer to that. That was my compromise there, without saying what -- because we can't prejudge on how the committee is going to come out on what the privacy subcommittee recommends, even if they reach consensus.

But I do think that it isn't going too far to take what Don has suggested to indicate here in number five, or whichever one it is about the voluntary sticks, that the committee recognizes that voluntary compliance may not be adequate. Otherwise, it could seem a little naive not to acknowledge that. But that doesn't commit you to anything. That is just saying you recognize that may not be adequate. So I thought that was a good suggestion.

I agree that seven doesn't speak to me in any kind of concrete way.

MR. BLAIR: Have we finished the discussion on Russ' --

DR. COHN: No. You are waiting for something else? Harry is on this point.

DR. GREENBERG: Let me just ask Maya, since you were organizing lunch today, what is the plan?

(Discussion off the record regarding luncheon arrangements.)

DR. COHN: Harry, were you going to comment on this issue?

MR. REYNOLDS: Yes, I am. Having been involved in the language of the one that you haven't seen yet and the one that we do see, the NHIN and this, and stepping back into somebody that is going to read this from the committee, we are looking at ourselves, but somebody else that is going to read this would see one recommendation if it is the individual person, because you are talking about the PHR. Then another, possibly stronger recommendation, when it turns into something that is related to the NHIN.

So I guess at issue is, we know we are looking at it from the NHIN standpoint, so I guess the question I would be a little bit schizophrenic, it is important if it is NHIN, and it is not as important if it is just the individual. The PHR is about the individual, the NHIN is about how it would be traversed other places.

All I am trying to do is make sure that we think about that, because if that is any indication that it is going forward philosophically, that may create -- back to Russ' point, that may create a situation where we have said we are going to be real strong about the individual, but we are may be more strong if it is going to be NHIN.

It is just a question, because both of these letters are going to the same place.

DR. COHN: Mark, I think I am going to try to let you address that.

DR. ROTHSTEIN: I understand what you are saying, Harry, but I think in this letter, it comes more out of left field than it would in the NHIN report.

What I would suggest we consider is possibly dropping a footnote somewhere in one of these recommendations, to be determined, and say the NCVHS is currently considering the broader issue of coverage of health privacy laws, in the context of the NHIN, and we will have a recommendation to you shortly, something like that, where we recognize the issue, clue them that it is coming, but without having to set out all the arguments for it in this document.

MS. MC CALL: Would the implication be that if we moved forward with a footnote that when it does come out, those recommendations essentially replace what is here?

DR. ROTHSTEIN: It depends what is approved. But hypothetically, if we approve the document in a month or two, whenever we get it, that says the three HIPAA categories have lost their meaning in the modern world and the same rules need to be applied across the board, I think that would necessarily pre-empt what we had said earlier. But we have heard open that possibility with this footnote, that is all I'm suggesting.

MS. MC CALL: With the footnote, I think it could be a great idea. I just don't want us to leave ourselves where Harry said we could be. We could have a footnote, it could come out, unless we actually replace what this says with what that says, we still could be in balance. We still could be a peer schizophrenic, which I think was your point.

MR. BLAIR: If it says replace, then there is no point in anybody acting on this. If it says expand upon, then I think --

DR. COHN: Mary Jo, did you have a comment? It looked to me like you were trying to help us move together.

DR. DEERING: I should probably come last because that is actually my function. But I thought I was hearing a potential approach that I can't come out with precise words on, but I am happy to work on over lunch, because I brought my lunch.

What I am hearing is twofold. I have heard a lot of people say that we are not recommending voluntary ad infinitum. It is a stopgap measure. We understand that there are a variety of concerns here.

I think that there is room to put in the two thoughts that several of you have said, and to probably put them into that paragraph, as opposed to altering the current recommendations. The two points that I heard are, number one, a statement regarding, the voluntary may not do it, there is an evolutionary area that we need to monitor, then secondly, I think it is very good to signal that we are going to be looking further into this in a subsequent report from the privacy committee. I wouldn't see that necessarily as a footnote, but all perhaps up there somewhere in that paragraph that precedes all the recommendations, or as a second, two or three stand-alone paragraph that introduces the recommendation.

DR. COHN: It sounds like Steve has an issue in this.

DR. STEINDEL: No, I have a direct comment with regard to Mary Jo. I was looking at that the same way, as, a footnote does not do it justice. My suggestion was going to be to add that concept to the end, where we talk about next steps.

DR. DEERING: The whole end of the letter?

DR. STEINDEL: The end of the letter, where we talk about next steps and key up the NHIN letter in the next steps section, maybe as a separate paragraph, that can give it a little more emphasis. But editorially, I agree with you, it is not a footnote. It needs to appear as textual data.

DR. COHN: Well, maybe it is both. That is probably the better answer. There is a sentence or two here, it is a small little piece at the end, at least as an option.

DR. DEERING: Yes, if only at the end, it might lose its power and its context, so you can do both.

DR. COHN: Paul, and then after that, I'd like to see if we can come to an agreement here about what we need to do.

DR. TANG: I don't think it is a footnote at all.

DR. COHN: I think we are all agreeing it is not a footnote.

DR. TANG: Well, but the followup point, it has been a central part of our discussion for a considerable amount of time. It is in some sense related to what Margaret said. It is an issue that came out of left field that became core, because we heard so much from our testimonies. I think that Harry's point is a wise one, that we should have a way that we can very much anchor and telegraph, not only refer to privacy.

I think it is no less dangerous to have a third party PHR that in our vernacular is not a covered entity, than it is to put your information on the NHIN. I think the dangers are the same. We have been saying that for the majority of our discussion. I think it would be much more consistent for us to take Russ' approach and be proactive about it and consistent along Harry's line, than to footnote or otherwise skirt the issue. Related to HIPAA, the patients or the consumers are the ones that are not at all going to appreciate this, because we didn't going in, but we learned a lot about it during the testimony.

DR. COHN: I am hearing as usual on privacy a spectrum of conversations. I think we need to somehow figure out where we want to be. I am hearing on one hand a whole recommendation that says Congress, we call upon you to enact comprehensive health information privacy policies, and leave it, but not specifying further, because we haven't held testimony to figure out what that means.

We have a middle position that describes some edition of asking HHS and other agencies or just HHS to monitor, recognizing that legislation may be necessary to close any identified gaps. That would also have to include sentences placed in this section and at the end that says, we are having further deliberations about the larger issues of health information privacy in relationship to the NHIN, and additional recommendations in this area will be forthcoming. Or we can pretty much leave things as they are.

It is sort of like A to Z with M in the middle here. Am I -- I'm not making a suggestion, I'm laying out the frame here, and what would people like to see happen.

MR. BLAIR: I like what you said. There is one other aspect that I would like to suggest, which is to preface that by indicating that we feel that there is a sense of urgency on this issue.

DR. COHN: Which one are you supporting? Are you supporting A or Z?

MR. BLAIR: I thought you were addressing the fact that we would be putting forth that compliance would be voluntary, interim to Congressional action. The reason for that would be because of the sense of urgency, that we need to have action before --

DR. COHN: No, what I was proposing as an M was something along the lines of monitor -- and if there are issues identified, recognizing that Congress may have to deal with identified gaps. So I wasn't -- there is a position here which says, we call upon Congress to do everything. Then I thought there was a middle position which is really the monitoring, analysis of issues, closure of gaps, either by regulation and/or legislation if needed, and then there is the status quo. So I was trying to make a differentiation here.

Do you want to comment on those, or do you have another proposal?


DR. COHN: I was just trying to lay out what I thought were -- we were hearing the broad choices here.

DR. FITZMAURICE: I am in support of what you laid out. I just want to add something else for your consideration. Do we know enough from current hearings to come to closure, or do you need also to say we will consider having hearings on this particular subject in the near future?

MS. MC CALL: I am going to answer your question. I think that you have clearly articulated the three different choices that we have in front of us, with one exception. In that middle row, M is for monitoring, I heard us talk about the fact that monitoring -- it needs to be more, not just monitor and maybe we will come and take a look and it is a problem, and if there is a problem we will do something about it, but that monitoring was an active part, tightly coupled, with volunteerism, and it would also actively come into a review process, that it is an interim piece.

So it really has to do with how active or passive such a monitoring activity is, and what its purpose is. Its purpose is to help close gaps, because we will know that they will be there. Its purpose is to inform is as speedy a fashion as possible.

So that would be my own comment on the middle road as a choice.

DR. COHN: So you would describe actively monitoring the evolving whatever it is?

MS. MC CALL: Right, that there be some activity. I do want to acknowledge that monitoring -- there may be an issue with that. I don't know how to do that.

DR. COHN: I guess the question is, we just need to figure out which of these areas we want to be in.

MS. MC CALL: Right, and if we can't execute on it, then I think that is what we need to talk about. I would like to talk more about whether or not -- monitoring is a word, but is it truly feasible. Because if it is not feasible, then I would get rid of that as one of the options and paths that we consider.

I do want to acknowledge Russell's comment. There is an issue here. I want our recommendations, no matter what path they take, to acknowledge the issue. If monitoring is not going to be a truly feasible approach during some interim, then we are not making a recommendation that actually does justice to the exposure.

DR. HUFF: I think your characterization of the options is accurate. The only new idea that occurred to me is that while there is an issue, the PHR -- I think it is better -- legislation is better directed at a broader issue. With the PHR, individuals can obviously be harmed by disclosure or unethical action by somebody who held a PHR. But ultimately I can do a lot of protection by choice in who I buy my PHR from. If they are not a reputable company, I can go somewhere else.

So in some sense, I am protected if I am educated enough to choose somebody that is reputable, I can protect myself from that.

I think the issue in general is more directed at the whole market EHRs in exchange with other entities, where that information is going to be collected as part of my medical care, and then if we don't have legislation and other measures to protect me, then it is out of my control.

In the PHR sphere that is a direct part of this discussion, it seems that I have a lot of control over when my information goes initially by who I buy it from and who I share it with. That is the only reason that I would vote to say basically, keep this the way it is now, but absolutely take it on head on in subsequent recommendations that have a broader scope, including the EHR and the data exchange and that part.

DR. HOUSTON: I tend to agree with Stan, who I think articulated that very clearly. I don't think that, going back to Paul's comment, that there is a -- that the risks are equal when we are dealing with NHIN and the PHR for specifically that reason. I think that my recommendation personally would be that we go with the way that it is worded, frankly, and that is all I'm going to say.

DR. GREENBERG: Mark whispered to me, it would be good if we had Jim Scanlon here, who has been around a long time downtown, and what would he think.

The main thing that Jim always told me was that we don't make policy in letters. It doesn't quite apply to a letter of recommendation, but I do think that extension of that is that we wouldn't recommend a major change in policy in a letter that is not directly related to that.

Two reasons. One is that it will kind of get lost and two, I think it will be confusing. I agree with Stan that PHR is not the biggest problem here, because there is more consumer control. So Jim isn't here, and maybe Dale has some idea of what he would think, but I think this discussion has been very useful. I think I do not actually support my esteemed colleague, John, about keeping the language the way it is. I think we have had enough discussion that there is some need in this letter for a stronger acknowledgement of recognizing the problems here.

I personally would indicate, because it is good to tell the Secretary, it is not just, yes, this is a problem, but tell him, yes, we are looking at this, so we will be coming forward with further recommendations in a way that defers, but I think it is a more appropriate context.

I think that would acknowledge the problems, but push it to a more appropriate vehicle. I do think that my esteemed colleague directly to the right of me, Dr. Rothstein -- I am particularly impressed that as the chair of the privacy committee, he doesn't think this is necessarily the right vehicle, either. So I would defer to him on that, but add some language that we acknowledge the issues.

DR. BERNSTEIN: I'm not sure why Steve is so concerned about the use of the word monitoring, although I understand that if you come from a more regulatory agency, it implies more -- monitoring to me means reviewing and assessing.

My only point is that it seems like we are talking about either voluntary industry compliance or legislation. There is a spectrum of possibilities in between those two things which we haven't fully talked about, and I think which could come out of this recommendation seven. One is seeing if other agencies already have regulatory authority there. Maybe something like the Federal Trade Commission has something we don't know about, or some other agency. We have the possibility for guidance. We might have the possibility of regulation before we get to legislation.

I think one thing Jim would say as a long-time federal civil servant is that you don't ask for the most extreme type of way of doing something like -- to me, legislation is the hardest to get in the longest time period and so forth. It is most likely to be done not the way you want. If you can do something with a regulation, then you shouldn't get legislation. If you can do something with guidance, you should avoid regulation. If you can do something with a meeting, you would with a meeting instead of avoiding all those other things which are more severe forms of getting to the goal you want.

I think we should consider that there is a possible spectrum of things in between voluntary industry compliance and legislation that could come out of the results of recommendation seven, that is, reviewing and assessing.

When I think of monitoring, in particular with PHRs, I don't think you need to regulate to monitor the industry. That is, PHRs are available to the public. Any member of the staff can go and look online and see what kind of notice they are getting to their -- you can go out on the Net and collect the kind of notice that they are giving to their customers. We can go out there and find information. You can look on the web, educate yourself.

Steve is shaking his head at me, but it is possible to understand some of what is going on in the industry without regulating it and making them by regulation send you data.

DR. GREENBERG: How about evaluate? Not as threatening as monitor.


DR. GREENBERG: I agree that monitor can be a problem.

DR. STEINDEL: I don't see the problem with the words review and assess, because that is doing basically what you are saying.


DR. STEINDEL: When you start bringing in the words monitoring, a lot of times what we say, especially when we can point to voluntary organizations that are over an area, we can ask them for information and ask them to monitor. We don't have an organization that is over PHRs, so we can't point to them.

So what we have to start doing, when we say monitoring, the first thing that is going to come from these organizations that are offering PHRs is what kind of information does the government want to have. You start listing the information that you want to have, and they are going to say, we are voluntary, we don't have to give it to you, we don't want to give it to you, so how are you going to monitor?

That is why I say, it has got to get to the point where when you start asking for this information, you have to start asking for it formally, if you want to put us in a monitoring role. If you leave us in a review and assessing role, what you are saying in my mind can happen. You can look at a PHR and you can say internally, this is what I have seen. Maybe we should bring this up someplace.

DR. BERNSTEIN: I agree we are just talking a semantic difference, really. I just don't apply all those regulatory things to the word monitoring, but that is okay. If you do, or if there is a population out there that does, we should avoid that word.

All I am saying is, there are ways to get information that are not regulatory. There are steps we can take to influence what industry does aside from legislation.

DR. STEINDEL: Where my mind set is coming from, and this is coming from the years I spent in the clinical laboratory industry, which is regulated from both sides, the delivery of laboratory care and also the medical devices that come into it, and the word monitoring there was a very red flag to that industry.

DR. COHN: Mary Jo, do you want to comment?

DR. DEERING: It did sound like you needed a vote on whether there was to be a recommendation for legislation.

I was simply going to add that it does sound like everyone is persuaded that regardless of any other action that we may take here, that between the paragraph about HIPAA that precedes the recommendation, I do believe we need some sort of an indication that the committee is continuing to look at this in other areas, and recognizes that it is important and that more is coming.

So at an absolutely minimum, we need one or two paragraphs before the recommendations that do signal that more is coming. What more than that other people want, I think you have to vote on.

DR. COHN: I need the help from the committee at this point. You can now understand, those of you who weren't part of the NHII or the privacy subcommittees, why we spent hours on these recommendations in this area, because the discussions are complex. It isn't as though there is an absolutely clear answer to all of this.

Now, I guess I need some sense from -- we are not voting on this letter today, but I really do need a sense from the committee of what the work group needs to do to fashion the right solution here. I have heard some people say do nothing and leave it alone. That is one option. Maybe I am off on this one, but I see Russ nodding his head with some recognition that we are not unsympathetic with the issue, but that this may not be the right vehicle.

MR. LOCALIO: I like the idea of deferring it until it can be addressed completely. So long as we recognize in this document that it is going to be continued, then this document and the forthcoming one would be consistent. So we aim for consistency and address the issue in full at the appropriate time, among the appropriate people, and we will be back discussing this at some time in the future.

DR. TANG: I just want to say, I can live with that, as long as we say it is in the broader context of NHIN that we are going to evaluate this. I can agree with that.

DR. STEINDEL: Simon, based on a lot of discussion and how it has gone round and round, I am hearing very good closure on the idea of basically leaving the letter alone with the insertion of the broader paragraphs. That we would touch, but we would not touch the other areas.

MR. BLAIR: I agree with Steve, and I hope this is arriving at consensus. My suggestion is that when we add the wording, that there will be additional recommendations on a broader perspective for the NHIN, that we use the word additional. I am only concerned that if we say there are other things that are coming, I don't want these recommendations to sit on the shelf with the idea that they are not complete. I think we ought to imply that these are complete for PHRs, and that we will have additional recommendations for a broader perspective of NHIN.

MS. MC CALL: It is a great point. We don't want to make them impotent. In other words, just leave them out. But are they complete for PHRs?

DR. COHN: This is our first report on PHRs. This is not the penultimate. Kevin, you have been quiet also.

DR. VIGILANTE: Actually, I would just like to make a motion.

DR. COHN: What is your motion?

DR. VIGILANTE: The motion is that we agree to empower Mary Jo with the authority to craft some middle-ground language that formally recognizes the gap, expresses our concern, that we have embraced the voluntary as the first stage, but realize that it is related to NHIN, and recommendations for the NHIN which will be forthcoming will be considered consistent and integrated with any solution for PHRs.

DR. DEERING: Which we will expand on, right.

DR. VIGILANTE: And then have the work group look at that, and then resubmit to the committee. That is my motion.

DR. STEINDEL: Second. I would just charge the work group with adding language in here that points appropriately -- and I think Jeff's language about additional, et cetera, so that these recommendations are not neutered, to the upcoming NHIN recommendations.

DR. VIGILANTE: I second that.

DR. COHN: So it is an amended motion that you are comfortable with. Is everyone -- do we want to vote? Is everyone in favor of that as a solution to this particular set of issues? All in favor?

(Chorus of Ayes.)

DR. COHN: Opposed? Abstentions. Oh, my God, we made it through one issue in privacy.

I guess I would ask everyone, I know that you have other issues that you want to bring up. It is now 12:20. Would you like to break for lunch at this point, or do you want to finish up the whole privacy section? Let's break.

DR. BERNSTEIN: You have guests here who are on the schedule who have to leave at a certain time. You want to keep track of those people. I believe Linda has to leave at 2 o'clock. You want to make sure to get her on the schedule before she has to go.

(Whereupon, the meeting recessed for lunch at 12:25 p.m., to reconvene at 1:07 p.m.)

A F T E R N O O N S E S S I O N (1:07 p.m.)

Agenda Item: Update from the Department

DR. COHN: What we are going to do is, we are going to break from the PHR discussion for just a second, because we would like Linda Sanchez and Dale Hitchcock give us the Departmental review. I know Linda probably is not going to make it through our entire PHR discussion, so I thought we would just take this break at this moment and do that, and then we can get back to the PHR letter.

Linda, do you want to start out?

MS. SANCHEZ: Sure, thank you. I am Linda Sanchez from the Office for Civil Rights. Suma Gandru wasn't able to be here, but with the new location it didn't work out. But I am happy to be here in her stead.

I am just going to provide some general information about where we are with compliance, and then let you know about a bulletin we put out last week regarding the privacy rule and Katrina relief effort.

As of August 31, 2005, OCR has received over 14,916 complaints, and we have closed 68 percent of those cases. Case closures include -- and I think you are probably used to this list -- cases where OCR lacks jurisdiction under HIPAA, such as something that happened before the compliance date, or an entity that is not a covered entity, cases where the activity does not violate the rule such as when a covered entity does not disclose based on an authorization, since that is a permissive disclosure, not a required one, and cases where the matter has been satisfactorily resolved through voluntary compliance, efforts by the covered entity.

The allegations raised most frequently in the complaints -- and this has remained pretty much the same over time -- has been, number one, the impermissible use or disclosure of a person's protected health information, second, the lack of adequate safeguards to protect that information, three, the refusal or failure to provide the individual with access to or a copy of records, and this continues to be a problem, four, the disclosure of more information than is minimally necessary, and five, failure to have the individual's valid authorization for disclosure that requires one.

Complaints are most often filed against private health care practices, number one, and then general hospitals, pharmacies, outpatient facilities and outpatient primary care facilities.

As you know, we do refer to the Department of Justice cases that appear to involve a knowing disclosure or obtaining a protected health information in violation of the rule for their criminal investigation. At this point, or as of August 31, we referred over 231 cases to DOJ.

I just want to mention a little bit about what was in the Katrina bulletin which is available on our website. We didn't announce any changed policies in this bulletin. We just wanted to clarify for covered entities some issues that may have been raised in their efforts to respond to the disaster.

First is that a covered entity may share for treatment purposes without getting any sort of consent or authorization. This includes sharing information with non-covered entities for triage or case management, so certainly they could share with a relief agency or with relief workers as needed to treat the patient.

Regarding notification, a covered entity may disclose information on patients as needed to locate family or friends that are responsible for their care or to let people know the location of this patient. This could be done through an intermediary such as through the police or website or relief agencies. So they can certainly provide the identity of a person if they are trying to locate people who need to help them.

Also, a reminder that the privacy rule does have a special provision for disclosures to disaster relief agencies and appoint people to that, and to note that if it appears that attempting to obtain a person's opportunity to object to a disclosure to family and friends, would actually impede those emergency relief efforts, that that requirement can be waived.

I am happy to take any questions.

DR. HOUSTON: Linda and I spoke, and the next time we are at an the HHS facility, I am going to meet with them and we are going to go over statistics and what we might try to do. The agreement is that the next time we are in the HHS facility down at the Humphrey Building, we are going to sit down and meet about trying to come up with what we want to try to do statistically. So I agreed that I wouldn't ask the questions.

DR. STEUERLE: I'm not going to ask that question, but you mentioned these exceptions that are being made per the Hurricane Katrina. I am wondering if there are further implications. If you are making exceptions in this case, does that imply that there are certain aspects of existing law regulations that you consider possibly harmful for other situations?

MS. SANCHEZ: I'm sorry I wasn't clear.

DR. STEUERLE: Or are these exceptions essentially within the law?

MS. SANCHEZ: This is already in the law. None of these are changes to what is in the privacy --

DR. STEUERLE: This is clarification?

MS. SANCHEZ: We just wanted to clarify for providers that might be in a situation they are not used to.

DR. HOUSTON: HIPAA is in my mind clear as to what we are permitted to do. I think what they are trying to do is make sure they get the word out so that people not understanding HIPAA might use this as a reason not to disclose information. So HIPAA is very clear as to what it allows you to do, and it does allow us to release data in these types of situations.

MS. SANCHEZ: I think it is quite likely that many covered entities have never thought about or looked closely at the provision regarding emergency relief agencies. That just probably has not come up for them in the past. We wanted to point that out to them. The other provisions, they may be asked to be making disclosures that they wouldn't normally to organizations they haven't necessarily thought through in the normal policies. So we just wanted to clarify some of that for them.

DR. STEUERLE: I'm sorry. My point wasn't whether what you were doing was something that is illegal. Obviously you are not. It is whether the declaration of an emergency, which then relieves some of the regulatory requirements, is something that has implications for other things that might be almost an emergency or not quite an emergency, or somebody has declared it.

If we are saying that some of the requirements of HIPAA are too tight to allow information to be processed and passed on in a useful way in an emergency, does that also have implications that there are other cases that might not be declared full-fledged emergencies for which a similar need for information might be there, but we can't relax. I don't know if that makes sense or not.

MS. SANCHEZ: I don't really have a response for that. I am sure it is something we can look at.

DR. STEINDEL: Gene, as I understand it, none of what was mentioned has anything to do with the fact that an emergency was declared. These already exist within HIPAA. What the COR was doing was just pointing out to providers, this is what you are allowed to do in any circumstance.

I think the only thing that may have raised a little flag is the emergency relief agency, which also exists today. It is just that they usually don't become prominent in the release of health care information until an actual emergency exists. But it could also occur like if there was a fire in your town.

DR. STEUERLE: I'm just looking at the section right now. Very specifically, HIPAA says a covered entity may disclose public health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities, a use or disclosure is permitted by paragraph da da da, and section. So it is very explicit. I just think I'm reminding everybody.

DR. TANG: I just want to commend the Department for doing that, because I think that was very useful. There is so much confusion normally, so in this case I thought it was a really smart idea to do.

MS. SANCHEZ: Thank you.

DR. COHN: Other questions or comments?

MS. SANCHEZ: Thank you.

DR. COHN: Linda, thank you.

MS. SANCHEZ: We are also very interested in personal health records.

MR. HITCHCOCK: Thank you, Simon. It is a pleasure to be here. Jim sends his regrets, he wished he could be here, but he is being pulled in any number of ways these days.

Just one comment about his promotion that Simon announced this morning. This is significant. It is the only career Deputy Assistant Secretary position in ASPE. The others are political appointees. So what this means, and I can't think of a better person to do this, is that Jim will be the stability and the continuity, if you will, when administrations change, and he will continue to bring his knowledge and experience to the Department, only at a very high level.

I said, Jim, people are going to want to know what you are doing about the hurricane efforts, what it is that you are up to. He started giving me this line about, he could tell me but he would have to -- you know how that goes.

What he is actually doing is, he has a team of people detailed to him from around the Department, and they are putting together daily briefing books for the senior staff, letting them know what the current and daily issues are in New Orleans, what progress is being made, what remains to be done, what the new emerging problems might be, what the successes are. They get a huge volume of paperwork from the field that gets faxed or e-mailed in around 4:30, and they have to pull together these briefing books for the senior officials in the Department, so they will have them either that evening or the next day. Beyond that, he spends most of his time in the Secretary's command center or in the Deputy Assistant Secretary's conference room, going over issues and working on solutions. So that is what he is up to.

Since we last met, there have been a number of significant developments related to data policy. I will just touch on a few of those today.

We will start with the Data Council. The Data Council is currently focusing its efforts in several priority areas. We look at the HHS data collection strategies, priorities. One of those you might be interested in is, we are still working on ways to either collect or report and analyze better racial and ethnic data. We are also involved in the data budget reviews for FY 07, reviewing plans for all the major surveys and data collection systems, and looking at the preliminary budget requests.

The budgets are still, as you might suspect, tight overall, so there are no large budget increases. But most of our major data systems are being supported at at least the current levels, and there are some small improvements planned. We did not identify any new large data initiatives.

We are looking at data improvement initiatives in the five areas of population data. One of them is going to be prescription drug utilization and expenditure data. We are looking at these data for program and policy purposes, as well as for research and statistics. Several enhancements are planned and underway for these areas.

The discussion in the prescription drug data is being directed to the data that might be available, and I stress the might. This is not really clear yet who can get this and when under the new Part D Medicare drug benefit plan. For health insurance data, we have got a number of sources that we deal with, both within the Department and Bureau of Census, that produce, as most of you probably know, estimates that differ slightly from each other. We are looking at ways to understand and reconcile those differences and estimates among four surveys. The four surveys are the national health interview survey, medical expenditure panel survey that AHRQ does, current population survey and American Community Survey, I believe is the fourth one that we are looking at.

We are also looking at ways to collect better data from the states on health care access, utilization and health insurance at the state level, and we are looking at ways to improve our income measures, primarily ones that would include looking at assets as well as just income, and all the major surveys. Like I alluded to earlier, we are looking at ways of collecting and/or using current resources and combining years and that sort of thing to provide better estimates by race and ethnicity.

Privacy and confidentiality issues and Health and Human Services data are always on our plate. Maya Bernstein, who we heard from today, did a splendid job organizing our lunch, --

DR. GREENBERG: Woman for all seasons.

MR. HITCHCOCK: Woman for all seasons. Maya has reactivated the Data Council's privacy and confidentiality work group.

Our office, Jim and mine, we are starting a study on best practices, research and statistical confidentiality and privacy practices. Again, this is a project of Maya's. Also in the auspices of the Data Council we have initiated a study of fiscal data collection standards, major HHS data collection systems, what is available, what is used, and what are some opportunities for improvement and/or integration of these standards.

That is really what I have to say in Jim's behalf. I will be happy to try to answer any questions people might have, or take comments back to Jim, for that matter.

DR. STEINWACHS: One question I guess is, I remember after September 11, we spent a lot of effort trying to figure out what the health consequences were of that tragedy. I was just wondering whether or not there was discussion in the Department about the health consequences of the natural disaster.

It raises a variety of issues, because populations disperse, and may never come back. It seemed to me there are some difficult methodological issues about how do you know what the impact is and is there something to be learned from it, other than -- you can count the deaths that attribute very quickly, but after that, we may lose.

Maybe there is nothing we can do that is stupendously great for this, but how are we prepared in the future, because these things will happen again, and you don't always know what kinds of consequences and what risks will people face when you look at longer term outcomes.

MR. HITCHCOCK: I'm sure there have been all sorts of discussions that have been held at the highest level of the Department. At this point I don't think they are more than what-ifs or what should we be doing, sort of thing. I think the attention as it is across all parts of government are focused on the search and rescue and medical care provision in the areas that are affected right now.

MR. BLAIR: I didn't know, Dale, whether you have information to follow up on CMS' efforts on implementing our e-prescribing recommendations. Will we receive testimony from somebody else or hear from somebody else?

MR. HITCHCOCK: That one I can't answer.

DR. COHN: I think we will likely have testimony at the subcommittee in September from CMS on that. Steve, did you want to make a comment?

DR. STEINDEL: Yes, I just have a response to Don. The issues that you have raised obviously are of interest to CDC, and they have been raised at the Department leave within the context of the Katrina events, and are being looked at with the monitoring systems that we are putting in at CDC.

DR. GREENBERG: I was going to say something similar in that regard. There is a very high effort to look at infectious diseases and all of that, and the overt kind of health issues.

But I think what you raise, Don, is very important and I would suggest that the Populations Subcommittee might want to spend a little time talking about that. When you mentioned 9/11, it reminds me, I have a colleague, now retired, but who was very much involved with the ICF, the International Classification of Functioning Disability and Health. He wrote an op-ed piece that was published somewhere, I'm not sure, but after 9/11, called ICF and Terrorism.

We are very good at counting deaths in the U.S. We are very good at counting hospitalizations and even we have a pretty good sense of what people are seen for in doctors' offices, but things that don't result in real diagnoses, which is basically what ICD can capture, can have a profound effect on peoples' health and well-being. I think this raises that issue in this context as well as everyday life and chronic disease.

So I would really encourage the Populations Subcommittee to talk about that a bit, and whether the way we currently collect this data, even if you could find the people, tells us what you are asking, some of the mental health issues, some of the functioning issues, some of the participation issues, all of that.

DR. ROTHSTEIN: Just briefly on another topic, in the spirit of my colleague, Mr. Houston, I would like to restate my query request that we post on our website the Secretary's responses to our letters. We post our letters, but we don't post the responses by the Secretary. Also, some sort of grid which would indicate which letters that we have sent have not yet been addressed by the Secretary. I think that is very valuable for the public to be able to see that.

DR. COHN: Point well taken. I don't know that we need to address that right now.

DR. GREENBERG: If I might suggest a little variant on that?

DR. ROTHSTEIN: At every meeting I raise this.

DR. GREENBERG: But since you made this recommendation and you added with this grid, we used to include something in the -- well, we have the work plan, but we used to have a grid that we gave you every time about what the status of the recommendations were, and letters in response. Of course, often the responses are what I refer to as a bread and butter response,, partly because of what Jim said, that you don't make policy in letters.

But nonetheless, we have taken that on board. I don't know if we have had any responses, and often we don't get them electronically, but we have to solve that little technical glitch. We will certainly commit to putting the responses on all the ones we can get. Let's make that a high priority, staff.

But I myself, although I think it would be good to provide you all with such a grid, I think the proof is more in the pudding. If we start putting those responses there and there is no response, it is obvious there is none to post. I would not personally support a grid on the public website saying, these we referred responses and these we haven't, partly because it is not a yes-no thing. There is such a variant in how that response -- we have taken all of your recommendations and we put them into an NPRM, or thank you, we will take this under advisement. To count both of those as responses is --

DR. STEINWACHS: Couldn't we have a little caricature of Simon there that says, Simon says we have received this, we haven't received that?

DR. GREENBERG: Would you agree to that?

DR. COHN: Sure. Mike?

DR. FITZMAURICE: I wanted to refer also to Don's question about what is HHS doing. I don't know how much Linda mentioned this, so I may be duplicating what she said. With Katrina, the concern is getting care to the evacuees as quickly as possible. Secondly, there is a group formed to get information to those treating new evacuees as quickly as possible. The concern is that they come into shelters, and the physicians don't know what drugs the patients need.

In general, they don't know what drugs need to be brought in to supply the patients. So there is a concerted effort among the PPMs and among HHS, some information vendors, to try to pull together that information for those people in New Orleans and to make it available wherever the patients are.

You get the same kind of issues that we deal with in all of our hearings: How do you identify the patient, how do you know this information is about that patient. But if you can get aggregate information, you know how much insulin to send to a given area, or how much other drugs for specific kinds of conditions, even if you don't know those specific patients have those conditions. Overall, this is what the New Orleans area was consuming, and you need to provide that level of consumption wherever the patients go.

As you get more detailed to the individual, then how do you capture the information that the physician is generating or the health care provider is generating when the patient comes into the shelter? Then the patient gets triaged to Washington, D.C., the armory gets triaged to Houston; how do you follow that patient with the necessary information to continue care?

We don't have the answers, and our infrastructure is not really set up to supply those answers, but we are weighing in a very rapid manner how do you resolve the issues of privacy concerns with the HIPAA privacy rule, do you have these business associate agreements, how rapidly do you have to revise them to allow people to consolidate information for public health purposes? Do you go with the emergency provisions, the public health provisions? All of those things are happening rapid fire.

We don't think any of it is standing in the way of treating individual patients at this time, but in terms of planning for the very short term of how do you get the necessary drugs into the right place? That is the problem that this information group which is led by David Brailer is focusing on. After drugs, maybe it is laboratory information, but drugs is the top priority at this time.

DR. COHN: Michael, thank you. I guess I am hoping that somebody has sent in a copy of our e-prescribing recommendations to help with all of that.

DR. FITZMAURICE: We are concerned more with the immediate problem at hand. We are meeting daily. As we get a couple more days, we will want to get into the interoperability, because if we solve the problem for the area -- think of it as one large RIO, but right now we are thinking of it as individuals who need to be taken care of. How can we be sure that the physicians have the supplies of things to get there to take care of the patients?

DR. COHN: And Michael, I did not mean -- that came out sounding facetious, and I did not mean it that way. What I was really referencing was more the capabilities already existing with groups like Rx Hub and all of this to actually get information down to the site of care that already exists.

DR. FITZMAURICE: Many of the organizations that have testified to us and provided us with good expertise are the very same organizations that are supplying that expertise at --

DR. COHN: Thank you. Other comments, questions? After taking a deep breath, let's move back into privacy and the personal health record letter.

I think we have handled the first issue on privacy. My understanding is that there were some other hands with what were felt to be other issues on privacy. Jeff, do you remember what yours was?

MR. BLAIR: I do, and Maya has been able to take care of that during lunch. I had a question on question six, and she was able to resolve the question.

DR. COHN: Great. Mike Fitzmaurice.

DR. FITZMAURICE: I have a question on recommendation five, or a suggestion, which starts on my line 31. The second part of it says, in those situations where HIPAA does not apply, secondary uses or disclosures of information in personal health records should not be allowed without the express consent of the consumer or patient.

I am scratching my head saying who should not allow this? Then I am thinking, maybe we could reword it to say, in those situations where HIPAA does not apply, we believe the consumer or patient should control secondary uses of that information, secondary uses or disclosure of that information. We state it as a principle rather than saying, somebody should control this and not allow it.

It also carries over to recommendation six as well.

DR. BERNSTEIN: Forgive me. You are in recommendation five?

DR. FITZMAURICE: I am in recommendation five, the last sentence. It starts on my line 34. I would suggest the same kind of wording could be used for the last half of recommendation six.

DR. BERNSTEIN: I'm not sure I follow you.

MR. BLAIR: Am I able to react to Michael's?

PARTICIPANT: Could you actually restate it, please?

DR. FITZMAURICE: It reads, in those situations where HIPAA does not apply, secondary uses or disclosures of information in personal health records should not be allowed without the express consent of the consumer or patient. Does that mean that the vendors must be the policemen? Who controls this?

PARTICIPANT: What do you say your addendum is?

DR. FITZMAURICE: My addendum is, in those situations where HIPAA does not apply, the consumer or patient should control secondary uses or disclosures of information in or from personal health records. I would strike the, should not be allowed.

DR. COHN: Jeff, do you want to react? I assume Maya was going to jump in also.

MR. BLAIR: The thing I am struggling with, you can see the expressions on my face, I think the reality is, there are probably very few cases where the patient controls the information, because it is being provided as services. Whether it is being provided by a government agency or a private sector company or the employer or what, matter of fact, I can think of very few where the consumer or patient actually controls. They use it.

I guess, Michael, my only thought is that if we wind up using that wording even if we would like that to be the case, I feel as if we can't change control to the patient, and I think in a lot of cases we can't, then the rest of the recommendation, which I think has value, would be either ignored or considered nonoperable.

DR. FITZMAURICE: I understand what you are saying, but I am thinking of the information that now is residing in a personal health record. If that information comes from some other place, that other place controls the information. But if the information comes into an individual's personal health record, --

DR. BERNSTEIN: Can I point out, we keep reminding ourselves that recommendation five only applies to HHS sponsored pilots and contractual relationships that CMS enters into. It can therefore write into those agreements or contracts or legal instruments these rules.

So when you ask who is it that should allow in the context of that relationship, that is what we are recommending, that those instruments should not permit those other secondary uses. So it really is HHS in that case who is in control of that. The two parties who are in that relationship can negotiate, but they are not going to give you the contract or the pilot project unless you agree to their terms.

The idea is that we would ask -- that the committee is asking HHS to impose those requirements on its own pilots and contracts.

DR. FITZMAURICE: So you are talking about data that is in the hands of individuals. Somebody else was holding on to their personal health record, not the patient or individual.

DR. COHN: Michael, there are many different models of personal health records.

DR. FITZMAURICE: So I do not understand what the issue is with regard to the secondary uses of those data. A patient may want secondary use, or a patient may want to forbid it, but are you saying that we are not advocating that the patient control the secondary uses of the patient's data in a personal health record?

DR. BERNSTEIN: Yes, we are saying express consent of the patient.

DR. COHN: Michael, I am struggling here. The only thing I am hearing from you is wordsmithing. Am I hearing a different concept that I am missing here?

DR. FITZMAURICE: The only concept that I was trying to put is the patient control. Maya points out that the express consent of the patient or consumer is required. Maybe those are the same thing. Maybe you're right.

DR. VIGILANTE: If the patient is in control, they can choose to release or not release to a second party. I think the point is here, let the patient know that the entity with whom they are in a relationship may or may not use their data, de-identified for secondary uses, and to require consent to that effect prospectively. I think it is a more rigorous position than the one you are adopting.

DR. FITZMAURICE: Maybe my confusion was that I didn't realize who the third party was, and so the third party is whoever is undertaking the pilot for CMS. That was my confusion.

MS. MC CALL: What is interesting is that we keep having to remind ourselves that recommendation five is only with respect to pilots with CMS. Every comment that we make seems to be trying to make it broader. So it begs an issue, is there something missing.

PARTICIPANT: I would just direct your attention to recommendation six. This is the one that is designed to cover those other -- the private sector.

MS. MC CALL: Exactly. We need to understand that these are different twists on the same theme. So as we talk about any changes in here, not wordsmithing necessarily, but that we make sure that we understand that that is paired as a set.

DR. STEUERLE: This is one of the few areas where I did weigh in in the phone conversations. My concern is that there are some secondary uses, particularly in this case, where you might have an HHS pilot project, where they might think of some data merges or other things that would be useful down the road. It is not really useful to go back.

This happens all the time in services, because you don't go back all the time and ask them. You try to get some up-front consent that you can use, with whatever limitations you put on it. I'm not saying that the passive tense is better than the active tense which you are going for, but I still like the current wording a little better than yours. Yours you could read as saying you have got to go back, the patient constantly is in control of it. I think it is part of Jeff's statement, what does control mean.

DR. FITZMAURICE: I like your position better, Gene. I did not mean continuous forever and ever each time.

DR. STEUERLE: The word express consent gets us around that. If HHS is smart enough to design express consent up front the right way, then we dodge that problem.

DR. FITZMAURICE: Maybe we can just add pilots, disclosure of information and PHR pilots.

DR. COHN: It is also in any contractual relationships that CMS undertakes.

MR. BLAIR: Maybe Michael's suggestion of adding pilots makes sense. I think that helps a lot.

DR. COHN: I don't think so, Jeff. This is more than just pilots. This is also contractual federal relationships.

DR. ROTHSTEIN: I was just going to give some history of where these two recommendations came from in San Francisco, when we revised them substantially.

Our thinking was that ideally, we would like to apply this rule across the board, but we can't, because there is no legislative authority to do so, as we discussed this morning. So we drafted in recommendation six, or attempted to draft, some recognition that for the non-covered entities there is not much we can do except go down and encourage voluntary compliance in the interim, until we have some legislative authority.

However, in recommendation five we recognized that there are certain kinds of PHRs that are developed under contract with CMS or pilot programs, that HHS can write into those contracts anything that it wants, and it does have that legislative authority to do so. So for that sub-class, we want this higher standard to apply.

That was the intent. That is why five and six have different levels of requirements.

MR. BLAIR: That was very helpful. Thank you, Mark.

A lot of folks have had difficulty realizing the distinction. I can't see it. I think there are some type of headings. Maybe we can make the headings more prominent to clarify that to a new reader. There are no headings?


DR. BERNSTEIN: The recommendations are just numbered, Jeff. They don't have titles.

MR. BLAIR: Maybe we need to do that, because there is a lot of confusion today, and we have had to go back and clarify why each recommendation is different. They address different contexts.

MS. MC CALL: Can there be a broader recommendation with an A and a B, so that the context is set in the header?

DR. COHN: I am looking to Mary Jo. We can decide to put titles on all of these. I actually don't think it is all that confusing personally, but --

DR. DEERING: We have lived with it for three months. We know this chid inside and out.

DR. COHN: I guess we could bold specific words in these recommendations. If people feel this is very confusing, the work group either here or subsequently will come up with titles for each of these recommendations.

DR. TANG: Or perhaps we have more of an introduction on, here is the principles we are looking for, and we recognize -- almost like Mark said, we recognize that we can actually apply them in the legal arrangements we have with government funded projects. Things that we don't fund are not covered by HIPAA. But we have the introductory paragraph, recommendations, and introductory paragraph, recommendations. That is a different way of putting a heading around it, but maybe that is a way that makes it clearer. It basically gives the annotation Mark just gave.

DR. COHN: So is everyone okay with this at this moment before we move on to the next issue on privacy?

DR. DEERING: I'm not sure I see how -- there is a total of five paragraphs. This is the only one that lends itself to an introductory paragraph. So would we have language in front of these two?

DR. VIGILANTE: If you put HHS-sponsored pilot projects in italics, I think that would be sufficient.

DR. DEERING: Bold and italics?

DR. BERNSTEIN: I thought I heard a suggestion that we perhaps explicitly say what Mark described in the text, saying that we understand that there is authority. That may make it more understandable when we get down to the recommendations.

MR. BLAIR: No, that was not what I was reacting to. When I said it was very helpful, what Mark said, it was, but I didn't feel like we needed to -- what am I missing?

DR. BERNSTEIN: Then let me just ask, do you think it would be appropriate or useful?

MR. BLAIR: I wasn't suggesting that all those words be then put in. All I was suggesting was that this is an example of all day today where a number of folks have gotten these recommendations out of the context that they were intended to be in.

DR. BERNSTEIN: The subcommittees have done the same thing for the two months that we have been meeting.

MR. BLAIR: So I think this latest recommendation, you just have a little label or title, highlight that recommendation six is for situations where you don't have a covered entity. You do own some of them, but I guess I can't see them. Just a little bit of a label to help --

DR. BERNSTEIN: Is there a reason why it would be inappropriate to do what I suggested?

DR. COHN: Which is what?

DR. BERNSTEIN: Which is to just add a sentence or two that is more explicit that says, we know we have, authority is to strong a word, but a method for --

DR. COHN: I think that is what the paragraph before these recommendations says, I thought.

DR. BERNSTEIN: It doesn't talk about what we can do within the Department already with our contracts and whatever, as opposed to what the Department can impose on the private sector. I am wondering if it is worth making what Mark said more explicit, so there is more understanding of the recommendations that follow.

DR. ROTHSTEIN: If we are considering that, what I would also suggest is that we flip recommendations five and six, so we start with the general rule and then go to the exception for the government contracts. Maybe it is confusing when you start with the exception and then go to the general rule.

MS. MC CALL: Another fairly straightforward -- leave the same order, but in recommendation six, start the sentence that says, for any work that is not an HHS-sponsored pilot, and entities are not covered by HIPAA, then.

DR. COHN: I am actually getting persuaded that we need to come up with two or three word titles on each of these recommendations. That seems to me the easiest solution to the quagmire that I feel like we are wandering into.

For example, calling recommendation three public education programs or something like that, recommendation four best practices for privacy policies, recommendation five HHS-sponsored pilots, recommendation six non-HIPAA covered entities, that sort of thing.

DR. GREENBERG: The recommendations are embedded in the letter, which makes it sometimes -- like, I was having trouble finding two when this was three. But if you have the italicized or bolded headings, it will make them stand out more.

DR. COHN: What I would ask is, this is something that we don't need to vote on, the wording of those titles. These will be handled after -- anyway, but this is the type of wordsmithing that we go forward with. So are we okay with this? Just things to point out what they are.

Other privacy section issues?

DR. TANG: This is making a statement more precise and accurate, and it reflects a little bit of the concept. Page seven, line 43, and the statement down there says, while several PHR vendors testified that their companies have no access to any patient data, the committee is concerned. I don't think they actually said they have no access, because all of these vendors would be definition have to have access, so that is not precisely true. So may I suggest, testified that their companies do not mine patient data currently, however the committee is concerned that some business models. They can only make the statement about what they do now.

DR. DEERING: That they do not use patient data, or something.

DR. GREENBERG: Is that what they said?

DR. TANG: Yes.

DR. DEERING: That they make no secondary use of patient data?

DR. TANG: Correct, currently.

DR. DEERING: That they currently make no secondary -- I would not like to say currently, because that implies that those who said it are holding open the door to doing it later. There were some who said our business practice is founded on the principle that we will never.

DR. TANG: I didn't think anybody said that.

DR. DEERING: I thought some of them did.

DR. TANG: I only remember one testifier saying in response to a question that they do not do that.

DR. COHN: I like your wording. I'm not sure we need to use the term currently, which I think is what we are arguing about right now. I think the point is still made in the sentence that we are concerned, so I don't know that the word currently needs to be there.

DR. TANG: Fine.

DR. COHN: But I think the point is well made. Are people okay with that?

MS. MC CALL: I think that going back to page eight, within recommendation six there is the sentence, this notice should specifically include a full description of all secondary uses. I think that could be clarified to say it should lay out what is considered to be a secondary use.

I bring that up because of something Eugene said a little while ago, which is that there could be some links or transformations of data that could be -- they could without articulating all the details be interpreted to be secondary use. Yet, they may not be within the domain of use as we think about it.

So there may be some things that are considered derivative uses that are not considered to be secondary. I just wanted to try to clarify that language, that that action items needs to be clear about what is and is not secondary use.

DR. COHN: Paul, do you have a response to that?

DR. TANG: I think what was helpful is to set the context, because this came up. It used to say no secondary use even though it may only result in reports of de-identified data. We struck that latter phrase out.

The context is, when a patient signs up for a PHR service from a third party that does store their information, then the expectation by the consumer is that I am storing my data only for the purposes I am donating it for, not for any other. So any derivative use of that data would be considered secondary use of information, according to what we were thinking.

DR. GREENBERG: Or would require consent.

DR. TANG: Would require consent, correct. So it is true that any derivative, even along the lines that you mention, would be considered secondary use and would have to be disclosed up front or not done.

DR. GREENBERG: Not just disclosed, but would refer --

DR. TANG: Consent, correct.

MS. MC CALL: I'm going to pick on you, Eugene. Was there an example in your mind when you said those words earlier, that there may be some linkage of data?

DR. STEUERLE: I'm just thinking that in some cases, data is gathered. We don't always think ahead, whether we are government or we are a private entity or whatever, we don't think always ahead what exactly are we going to do with it. So we go to words like full description of. It is implying a knowledge that we may not have in advance.

I didn't even know what these imply. If my house burns down and somebody wants to have access to my PHR, do they read this to say no, they can't provide it? Any time you start -- the harsher the regulation, we don't fully understand --

MS. MC CALL: The broad question is, so what is secondary use. You are saying anything other than just spitting it back at me, exactly as I put it in, no transformations, no changes, no nothing.

DR. STEUERLE: What if George Washington Hospital wants access to data on somebody who came up from New Orleans, and the developer of the PHR didn't put in any information at all about secondary use, or didn't put it in the contract, what do they have to go through to get it?

DR. TANG: They have to go through the patient.

DR. STEUERLE: No, the patient is in a coma. So how do you resolve that issue? I'm not saying we have to resolve it here. Let's be careful about our language, that we don't do things we don't understand.

DR. DEERING: I only wanted to observe that a small point is that that is absolutely one of the classic use cases that is usually written into a PHR, do you want this used in an emergency when you are unconscious. So I don't think that is the scenario that we necessarily -- if we actually got there.

But the other point was that -- I think it was made somewhere over there on the table that it is not secondary if you sign up in advance. It may be a secondary use of the original clinical data point or whatever it is, but if you signed up so it will be used for X, Y and Z, we are doing this for all of these purposes, we may come back to you for X, Y and Z, this is as much a question to the experts, is it secondary if it is one of the things you signed up for in advance?

DR. COHN: It is a permitted use then.

DR. DEERING: It is a permitted use?

DR. COHN: You are in consent.

DR. DEERING: Then the home point is, does this not then cover -- does that not address your concern? Or not?

MS. MC CALL: I'm not yet comfortable that it does, only in that I think we have buried it in the definition, which is to say, that which is not permitted is denied, and we will make sure to lay out that which is permitted. Anything that you buy from me and I sell to you is permitted.

But I think it may just push the issue out. The example that you gave, you have given me some clinical data, some lab results or something, and there are some services that this PHR vendor is going to provide, that is a use of the data, you are an outlier, it is time to pick up the phone and call somebody. Is that permitted? It is permitted generally but not specifically? I didn't know that you were going to do that. I didn't know that you were going to try to send me a reminder, so do I have to as a vendor articulate every single possible reminder that I could get off of a raw value?

So it is really -- I want us to try to think through some of those, and just be careful today with our language, that we recognize that not all things may be able to be articulated.

DR. ROTHSTEIN: I think maybe there is a hangup on the word secondary. We could easily eliminate using the word secondary by spelling out uses beyond those to which the consumer has agreed when they signed up.

Now, the difference between an EHR and a PHR, even though they are different models of PHRs, is that for public policy reasons, we don't want to put absolute restrictions on what you need consent or authorization for, for public health and so on. PHRs are voluntary. There is no requirement that you have one, and when you sign up to have a PHR, you should have a right to know the uses. If it is for use that you did not agree to, I think the position of this document is, that is not permitted. So the default is, you can't disclose that information.

MR. BLAIR: Friendly amendment to your suggestion, Mark. Instead of eliminating the word secondary, you just gave a definition of secondary use, and my suggestion is that you just add that definition there either in a sentence before or after or in parentheses or something, but don't eliminate the phrase secondary use.

DR. DEERING: Just a friendly observation here, editorially. We need to go on to the very last clause in that sentence, because what you have just suggested obviates that clause. We specifically added the phrase, recommends that no health information in a PHR may be used for secondary purposes without the express consent of the consumer or patient, which may be obtained in conjunction with the notice.

We wanted to provide by adding that clause that if you can think in advance of things that you want to do, then you can indeed get it up front. I'm afraid that if we only substitute what you have said, then we are going back to -- it sounded somehow to me like you are making it more likely that there will be multiple recurrences.

DR. ROTHSTEIN: That wasn't my statement. My statement was consistent with the language that you read.

DR. COHN: I'm going to let Judy make a comment, then I want to go back to you, Carol. I am concerned that where you are going is going to be far more restrictive than what you have been arguing against. So I think you better rethink about whether you are that upset about leaving it a secondary, so I'd just have you think about that.

DR. WARREN: My concern is, we are throwing around the word secondary uses. In Standards and Security we are already doing hearings about secondary use of data. We are looking at it granted more from an EHR perspective, about things we can learn from that data, but the examples in the use cases I have heard in this discussion to me all are examples of primary use.

So I am beginning to think that maybe what we need to do is define primary use and secondary use and be consistent between all of our documents on what those terms mean.

DR. GREENBERG: I am having the exact same concern.

DR. HUFF: In some of the discussion we just had, in my mind secondary use just means uses of data that were not anticipated at the time it was collected. It doesn't have anything to do with whether somebody approved or disapproved.

DR. GREENBERG: They could have been anticipated.

DR. HUFF: They could have been. So anticipated secondary uses and approved secondary uses and all other kinds of things, but the principle of secondary is the idea that I collected this blood pressure to know whether you are hypotensive right now, and later I can use that for purposes of deciding whether you have got chronic hypertension or whatever.

That is the idea of secondary use, is just that it is a use -- and then there is a whole different dimension or axis area that says whether that secondary use has been approved or not approved or other things, and let's not confuse those two issues.

MR. BLAIR: Given what Stan has said and what Judy just points out, I think Mark is right. I think Mark proposed that we change the word secondary use and instead say exactly what we mean, which is use for purposes that the patient did not understand it was going to be used for. Your wording was probably better than mine.

DR. COHN: Maya, did you have wording for us?

DR. BERNSTEIN: Carol and I have been having a slight side conversation when she said maybe we should talk about secondary uses. I literally was thinking to myself, I really don't want to pick that scab, because trying to define what we mean by secondary uses is very difficult.

I don't necessarily want to shy away from it, because it is probably important for us to understand. But so far around the table, I have heard about four different definitions of what people completely intuitively think we mean by secondary uses.

Paul earlier said -- he used the phrase patient expectation. Mary Jo then said -- she referred to the up-front notice, the list of things that a patient gets told. Then somebody else over here said -- I'm sorry, I don't know your name.

DR. COHN: Judy.

DR. WARREN: Said we should make a definition an industry standard of what counts as a primary use and what is a secondary use. That is different from what the patient might expect when they think a PHR is. What if the vendor just puts in their notice, we are going to use your information for marketing purposes? Does it become a primary use because we have been notified up front, or is it really a secondary use because it is not the sort of thing that we normally would associate directly with a PHR?

All I am saying is, this is not an easy problem to solve.

MR. BLAIR: But Mark's definition I thought was very appropriate. He said, we replace the words secondary use. I can't phrase it as well as Mark's, but Mark's was essentially any use of the data that the patient was not aware of when they signed up for the service.

DR. WARREN: Actually, he said uses beyond those to which a consumer has agreed in advance, which means -- what does that mean, to agree in advance? Does it mean I got the notice and I signed on the line that it is okay?


DR. WARREN: Therefore, if the list included marketing, that's okay?

DR. COHN: What is the primary PHR use? I would ask everyone, I think I may even go where Maya is going perhaps, which is, do we really need this level of precision in this recommendation, I guess is the question. Are we being helped by this?

DR. TANG: One of our recommendations is to come up with a taxonomy. While we could defer this to that exercise as well, since so much of what we are recommending hinges on this, particularly around privacy, it would be worth our while to make sure we are clear.

DR. BERNSTEIN: I take your point. If these recommendations are taken up, first of all I don't think we can solve the definition of what secondary use is here, given the different possibilities. I think all of them are completely reasonable ideas about what secondary use is. I think that if we try to define it further in this letter, it is going to take us awhile and it will be difficult, and the letter has to go out.

My understanding of the committee's goal is to get this letter out. I do think that this is just the type of issue that the privacy committee has expertise in, and that if we want to go into further detail, it is the sort of thing we can -- it might be more than one subcommittee, actually, could think about it.

But since we are only recommending voluntary industry compliance anyway, any vendor who takes up any of those definitions of secondary uses and follows it will be doing more than probably we expect, and it will be a good thing. So whether they decide that they go by Paul's patient expectations or they use Mark's language, whatever it is in the list and we have a consent, or they use some industry standard or their company standard and they stick to it, that will be a good thing, based on this recommendation.

So I'm not sure that it is really required to really understand what we mean just yet. If we want to understand it further, I do think it is something that the Privacy Subcommittee could pick up.

DR. DEERING: I have such a simple fix.

DR. COHN: Okay, please.

DR. DEERING: Just simply delete the word secondary. I think it does it all.

MR. BLAIR: That is the thing that concerns me. If you want to replace that with what Mark said is the principal exposure, then I can understand that. But if you just delete it without -- then what is left?

DR. DEERING: I'll read it to you. Let me read it to you. In those situations where HIPAA does not apply, uses of disclosure of information in PHRs should not be allowed without the express consent of the consumer or patient.

DR. COHN: Then the next sentence --

DR. DEERING: The next one is virtually the same. NCVHS recommends that no health information in the PHR be used for purposes to be used without the express consent of the consumer or patient. In other words, you are not going to use it unless they say so.

DR. GREENBERG: I agree. Obviously the patient is going to agree to it being used for himself.

MR. BLAIR: Mark, do you feel comfortable with that?

DR. ROTHSTEIN: This would not be the way I would draft it, but hearing such support for it, far be it from me. I can live with that.

DR. COHN: And if you have other thoughts, we can consider them during the NHII Work Group meeting. So does that help? Carol, are you happy with the outcome?

MS. MC CALL: I think for now. There is work to be done, that is obvious. But for now, I think it actually makes more clear the issues. It gets to what Mark was saying which is, this is complete transparency. If you want to do something, you have got to let me know, and I have to know that and agree to it. Otherwise you can't do it. Otherwise, it just begs the definition of secondary, which is what I did not want us to get stuck on from this recommendation.

DR. CARR: I was going to say the same thing. In this voluntary patient decision, this is just the patient's permission. I think secondary is very important for us to define in a retrofit to this perhaps, but I agree. So I was going to say the same, take the word out.

DR. BERNSTEIN: What would you like to do with the third sentence?

DR. COHN: Of which recommendation?

DR. BERNSTEIN: Of recommendation six, or five, for that matter. If you take out the word secondary from the third sentence, you have got a problem.

DR. GREENBERG: You take out for secondary purposes. You just say no information in a PHR can be used without the express consent of the consumer.

DR. BERNSTEIN: I'm saying it means that every use, internal or external, minor or major, any use, you have to have a notice about it, you have to be able to describe it, and you have to then get permission for it, which is cumbersome, let's just say.

If you are a vendor, I think it is cumbersome. I'm not even talking about the things you didn't anticipate. These are just the things you can anticipate.

DR. ROTHSTEIN: But I don't think there is any way of getting around that.

DR. BERNSTEIN: Okay, that's fine then.

DR. ROTHSTEIN: Because secondary, the word, tried to contemplate all those uses to which people wouldn't normally consent without their knowledge.

Keep in mind, what we are talking about are PHRs that people are voluntarily -- they think this is their records. If other people aggregate data or refer for other purposes, let's get their permission, and especially in number five where we are talking about pilot projects, where presumably the Department has greater control over things. I don't see that as a problem.

DR. COHN: I am hoping that maybe we will make it beyond privacy sometime in our lives, but I hold that as a hope rather than a reality. Any final comments about privacy before we move on to security?

Okay, let's move on to security. The security recommendation, it says for any HHS-sponsored pilot projects and any HHS contracts to produce PHR systems, HHS should require that security protections consistent with the HIPAA security rule be implemented.

DR. DEERING: You skipped one.

DR. COHN: Oh God, I'm not going to read that. HHS should work with relevant stakeholders to promote and develop a standard framework for authentication, access control, authorization and auditability based on a variety of principles, which I will not read all together here.

I think there is some wordsmithing pieces, where we bounce back and forth between consumer-patient and patient and all of that in the first paragraph. We probably want to use the term individual. Other than that, I thought it was okay.

DR. TANG: Let me try to set the context first.

DR. COHN: Is this a question or a comment?

MR. TANG: It is a change to that recommendation.

DR. COHN: Which recommendation?

DR. TANG: Recommendation eight, fourth bullet, last part of the last sentence.

DR. COHN: Do you want to read that whole --

DR. TANG: Well, one of the things is a long sentence, but the last part of the sentence talks about the ability of the patient to add information to the PHR, should include functionality that provides the patient with the ability to control who has access to patient entered information, comma, including specific subsets of that information.

One of the issues around this whole control aspect has been whether it is feasible technically to allow a patient to control access to parts of information. We had divided it between PHR and EHR. EHR has very explicit uses defined by HIPAA and by common practice. So in this particular bullet four, it talks about giving the patient the ability to cordon off or use what is in their PHR in any way they choose, which is reasonable, but it is making the assumption that this PHR is a stand-alone PHR. In the case where the information is either a view of or has been submitted to the providers and incorporated into an EHR, I don't think -- the patient would not be able to subset that particular piece of information from use.

Jeff is nodding, and you are --

DR. COHN: I am confused. I see we have a section here that describes PHR and then PHR systems which are views into the provider, which is what I think you are talking about. You are talking about the specific patient information the patient is entering themselves.

DR. TANG: Yes. This statement says we recommend a PHR vendor should give the patient control over specific subsets of data that they enter. While that can be true in a PHR that is stand-alone, it would be -- for the reason we discussed before concerning EHRs, it would be impractical for information that the patient has entered through a PHR, that is essentially posted in the EHR. Was that clearer?

Let me give you two extremes of PHRs. One is a self-contained stand-alone. The patient enters information, has control over it, and can share pieces of it to whomever they choose.

PARTICIPANT: Give me an example.

DR. TANG: Sexual history. The other extreme is that the PHR is essentially a portal into an EHR. If a patient enters information such as their sexual history into that PHR, which is basically an application view into the EHR, then it will be impractical for the provider, who has accepted that piece of information you have contributed to segregate it from other pieces of the EHR.

So this statement appears, when I look at it more carefully, that it is assuming the stand-alone PHR, and this recommendation could not be applied to the integrated EHR-PHR.

MR. BLAIR: So are you suggesting that we have a context label for this, saying for stand-alone PHRs?

DR. TANG: Either that, or I was going to append, where this sentence becomes two sentences, but incudes specific subsets of that information, comma, if it has not been incorporated into the EHR.

DR. COHN: John Paul, would you like to comment on this once, since you provided major input int this?

DR. HOUSTON: I don't agree with Paul that you can't control access to that type of information programmatically within this type of environment.

I would say this, that maybe in cases where someone would design something so that they can't -- you can't do what you are talking about, you can't have the patient control access to the patient's information. But I think that is a design issue.

But having said that, maybe if there is a way to couch this in terms of, to the greatest extent practical, or something of that sort. But again, I don't agree with the premise in its entirety.

DR. TANG: My claim is that there is no commercial system that I am aware of where you can segregate out information.

DR. HOUSTON: I don't know of that many commercial systems where there is a -- I shouldn't say that. I know there are a few systems out there where there is a merging of PHR information and EHR information. But I don't think there are a whole lot of them that are out there. In fact, I think a lot of them actually segment the data.

DR. HUFF: This whole part is future, anyway. It says we are creating a framework and standards that we want people to adhere to in the future, right? It is not talking about whether it is implemented in systems today.

So I am just supporting what John is saying. I think it is accurate the way it is stated, according to our intent. I think it is. Programming is programming. You can program something to do this. We are not setting any time frame. We are setting an objective, and I think this is the appropriate objective.

DR. TANG: Conceptually, if you are taking a history verbally rather than electronically, and my point will be that there shouldn't be a difference, then when you tell me something, I either include it in the record or I don't. Once I include it in the record and EHR, then I deal with it the way HIPAA allows me to deal with it, that is, minimum necessary disclosed for treatment.

If I receive it electronically, I don't see why that should be any different, or why you should program a system to segregate all the --

DR. HUFF: That isn't what this says. This says, if I independently enter data in my record, and you include it in the PHR, I should continue to have control of that.

DR. TANG: What is the difference between independently electronically and independently --

DR. HUFF: Because in the one case, the information came through you, and you are the instrument and it is attributable to you, the fact that you heard it and recorded it in the record.

DR. VIGILANTE: And you often don't say what the patient did. The patient may write a very, very long narrative history that you condense down into a sentence or two.

DR. TANG: We are dealing with this right now. Once the medical record is an official instrument of the provider, when the patient brings a piece of paper or a diary or whatever and they choose to extract it, and they choose to incorporate it wholesale or choose not to keep that document and put it in our medical record.

Similarly, I think patient submitted data must be validated and accepted into the provider's EHR.

DR. HOUSTON: But there is another aspect to this. If the patient doesn't necessarily know architecturally how the PHR that he or she is interacting with, whether it is bolted to an EHR in the back end, whether it is freestanding, or what. I think from a consumer expectation, the fact that one provider says -- one PHR provides access controls to the patient, it allows the patient to decide how his or her information can be viewed by whom, you might have another provider who will say, I'm sorry, we can't because all your information goes into my EHR, and since it is in my EHR you don't have any controls over it now because it is part of my EHR.

I just believe this is functionality you can program into it.

DR. HUFF: What we are talking about is attribution of information and being able to accurately attribute information to its source. If it is a complicated source, that can be complicated. But for instance, I have the obligation already, if I receive laboratory data from an outside laboratory, I have to attribute that information not to my lab's -- I have to keep in the record that this information came from that primary laboratory. I think we are just requiring the same here. If the initial source

was the patient, that should be noted. Sometimes that is noted by the fact that you are saying it is in the history section of this thing. In other words, I know that somebody told me this. I didn't see it. Other times it is more explicit, where you say it was this laboratory that this lab data came from.

I think all this is saying, you need to be able to attribute data to the patient when they are the original source, and you need the capability in your system to then allow access to that accordingly.

DR. TANG: First of all, the attribution is always there. I think what this statement is saying is, we are giving them -- they obviously have access to the information; that is guaranteed by HIPAA. But this statement is recommending that they have additional control over a piece of their medical record.

DR. HUFF: All they have control over is this stuff that they have entered.

DR. TANG: I understand, but --

DR. GREENBERG: If it is attributed, then why couldn't -- if it is clear, and you have to attribute that this information was submitted by the patient, then it would seem technically you could allow them that access. You could allow them that decision power.

DR. TANG: You could, of course. So now we are breaking up the record into pieces, and the principle of HIPAA, meaning you share the minimum necessary in order to treat the patient, falls apart if we are having to say, by attribution the rule only applies to information that is not attributed to source A.

DR. HOUSTON: We are not talking about an EHR, though.

DR. TANG: So my qualifier, I am just adding a qualifier to that phrase that says, if it has not been incorporated into the EHR. If you submitted the information to me, then I would take that as consent to incorporate it into my record about your care.

PARTICIPANT: But the problem I have is this. A PHR that is bolted to an EHR, tethered to an EHR, the consumer-patient may have no idea that that is occurring. To them, the PHR that they interact with, and they put their wellness information, or their other information related to their diabetes and whatever else, they view that potentially just the same as they view a PHR that is untethered to something else. So the fact that behind the scenes Hospital X decides that it is going to merge all that information into an EHR can be done without the patient ever having any knowledge or understanding that he or she has now given up rights to that data.

DR. STEUERLE: -- for electronic submission of information, a PHR, how does that differ from verbal transmission of information?

MS. MC CALL: I think that is actually key here.

DR. STEUERLE: A hospital designated that it came from me, even my name, that it came from me or it came from somebody else, are things that I might submit in a handwritten document.

I think you are saying, Paul, you can't even apply it to the electronic transmission of data, you have got to apply it to all data provided by the patient. You have to have a consistent rule.

DR. TANG: From patient verbally in office.

MS. MC CALL: I think the situation that is being described is, imagine that I go to Dr. Simon and verbally give you the information that I am X height and weight, and that goes into the EHR, and there it is. Now I can look at that through this portal.

Alternatively, I don't give you my height and weight, and then I come in and I add that to the PHR separately, and I put in my height and I put in my weight. On those elements that I added myself, I hear us saying yes, I can let you see them or not, but for those that I give to you verbally, that came trough the EHR door, and those are -- they are treated differently.

DR. VIGILANTE: On the other hand, when you take information from a patient, very often there is an interaction. You test that information, you go back and forth. Someone says, I was unconscious. Then you find they really weren't unconscious, they are a little drowsy, or they describe pain as being sharp, or there is always this interchange with them that generally improves the quality of the information in terms of its medical relevance.

I see that historical information provided by patients may not have the same medical meaning as interactively with pain history. I think distinguishing that at some level is important.

DR. COHN: I know you are trying to argue your case. I am looking at the whole four. You are trying to make a little change that at least to my view makes the differentiation between PHRs and EHRs and all this. I can't tell the difference any longer as you start describing this. I don't know with a connected really PHR when it becomes EHR information versus when it becomes PHR information.

DR. TANG: I think that is a crucial piece, though.

DR. COHN: Well, it is, but how do you tell?

DR. TANG: Let me take Carol's example, if she does not tell me her height and weight. She goes home and enters it into her PHR. That is still completely hers. When she hits the submit button, then it becomes mine to accept into the EHR and to deal with it as part of the EHR.

DR. HOUSTON: I would argue it doesn't. Take the same scenario and apply it to a freestanding PHR. You have no rights to that data if it is freestanding and unbolted.

DR. TANG: No, when you hit submit to the doctor, it becomes part of the doctor's --

DR. HOUSTON: But in this context the PHR is the personal health record. This patient might be entering data into his or her PHR for the purposes of his or her health management, not understanding that the fact that this data becomes available for other purposes, because of the fact that it is bolted to an EHR. T hat is the issue.

If you take the HMP and you enter data into the EHR, yes, I absolutely agree with the right. I think we are talking about the fundamental issue here of the patient --

DR. HUFF: Just to clarify and make sure that we are not misunderstanding each other, to me if I tell you the information in my office, obviously I wanted you to understand it, because I shared it with you personally by saying it. If I am at home and I choose to use IHC's personal health console, which is our portal into the record, and there is a sexual history questionnaire there that I fill out, and I say, there is some stuff I want to record here or who knows what, my expectation is not that because I used IHC's PHR that that information would necessarily come to your knowledge.

I just want to make that part explicit. I don't think because I chose to use IHC's PHR I should give up the right or have the assumption that the data that I entered is now available to everybody who uses IHC's EHR.

DR. TANG: But that is not what I am saying, that is the most important piece.

DR. HUFF: That is why I wanted to see if we were understanding each other.

DR. TANG: I don't think we are. Regardless of the technology, how information is stored, that is your point, patients have rights over what they enter, meaning to keep private, no matter where it is stored. So the difference is the send button. So in our case, the value people get out of the PHR that we have, which is a view of their EHR, is because it is a view of their EHR. In a separate, clearly marked place is a place they can enter as much information as they want into various sections, and it goes nowhere but -- it is visible to no one but them. That may be their supplement.

When we have a -- we call it pre-visit questionnaire or HRA, that stays with them. When they hit submit, it becomes our privilege to accept and incorporate that information that they have submitted to us in the EHR. From then on, it is treated as part of the EHR.

So the case that you just presented, Stan, if I store stuff not intending to send it to me, it should go nowhere. When you hit the submit button, then it is like telling us.

DR. HUFF: So I think we are agreeing then what the behavior should be. I thought this expressed that pretty well. So what would you add?

DR. TANG: The addition is, comma, if it has not been incorporated into the EHR because the definition of PHR may include the functionality that most patients do want actually, to be able to use it --

DR. HUFF: I don't think that helps, because what is the definition of the EMR? That personal part of the data to me would be in the same database in the same file using the same coding system, so it is in the EHR from one perspective, so I'm not sure when it is added to the EHR it clarifies what our intent is.

DR. CARR: Painful as this might be to say, it actually does tie back to the privacy thing, because once it is in an EHR, it becomes available for secondary uses. I think the reality is, we are trying to create divisions in something that is really a continuum, and the more we get into it, the more confusing it becomes. As John says, the patient doesn't know what the architecture is.

But I completely agree with what you say. Once it is there, if there is a chart review that has to be done or -- as with a paper record. A patient hands you something and it gets put into the record, it is there and visible to anybody who does the chart review. So we are just making -- it is more tractable and auditable now, but I think the reality is exactly as Paul says. I think that we are leaving patients with this arbitrary confusion, but we can't say that it won't be used for secondary uses once it is submitted.

DR. DEERING: I had an editorial suggestion, which is of course my role here. I would like to add maybe two verbs to Paul's recommendation that could take care of perhaps both the patient's action and the institution's action.

Paul would add including specific subsets of that information --

DR. COHN: Could you read the whole paragraph?

DR. DEERING: Okay. PHR systems that are views into providers' electronic health records and that allow the patient to add information to the PHR should include functionality that provides the patient with the ability to control who accesses the patient entered information, including specific subsets of this information. Then I would modify Paul's clause to read, unless it has been submitted to and incorporated into the provider's EHR, just because it makes a more conscious effort.

DR. HOUSTON: I think of this a little bit differently. I think there needs to either be some understanding -- the patient has to either authorize or accept through some type of online terms and conditions which we described in number one, the fact that this information is going to be included in the EHR. I think that is the way we need to state this.

DR. COHN: I think that was already handled in the privacy section. I think that will be different from environment to environment. Some will do it with each piece of information, others will do it with use of the system, I would imagine.

DR. DEERING: I also have an alternate editorial recommendation which may or may not accomplish the same thing. It would be in this area number four. Instead of adding language, we would delete it. To say very simply, PHR systems should include functionality that providers a consumer with the ability to control who accesses the consumer's information within the PHR. This would include the ability for the consumer to provide access to specific subsets of information within the PHR, period.

Then, through terms and conditions of use, I would understand that I can in fact control whether or not somebody sees that information. How do I do that? I don't submit it to the EHR. Because the functionality is capable, I need to understand how to use the system. So it affects the same thing you were talking about. But what I don't want to do is bind us into hit enter and all of that. I think we go down a bad path. So that is my recommendation.

DR. COHN: Who has other comments?

MR. HUNGATE: I am troubled by this discussion. In the privacy hearings, I heard articulated the view that patients needed to be able to say to their personal physician, I don't want that information shared beyond my confidence with you, unless you tell me. That is something a patient would expect.

DR. TANG: That is an NHIN comment. They want to be able to opt out of sending it on.

MR. HUNGATE: Right. Now, it sounds to me in this context like we are saying that if it went into the PHR on mine and then move to the EHR, I lose that control. That is the interpretation I make on what we are saying.


DR. GREENBERG: That is not even being addressed here, I don't think.

MR. HUNGATE: Then I don't understand. I apologize for this.

DR. COHN: I am hearing two different ways of handling this. We may at some point decide to send this over to the NHII Work Group to come back with a recommendation. They are both attempts to get to the same end, I think.

MR. REYNOLDS: We have been talking about this in lots of the committees at great length. We have got to be careful. I hear what, Paul, as you say it, but you are assuming you are the only EHR that a patient would have. You are assuming that whatever they put in the PHR is only for use by you.

One of the things is that we have got to keep clear the structure of a PHR. PHR says part of it is mine, and we talk about views; a payor could do one, a stand-alone vendor could do one, a hospital or doctor could do one. So those are the three kinds of models that you have.

When you say PHR, if you are not going to let the patient have control over some piece of it, then don't call it a PHR. It is EHR in multiple places, with patient input. So that is the number one issue here, is, this is the personal health record.

We got into it in the privacy committees and everything else. The definition of these things just goes like this. Depending on who is looking at it, it puts them all in the middle. So all the discussion has been that the person in the PHR can have some segment to protect and decide what happens. They can then have, whether a payor gives them claims data, that could be one PHR, or whether it is connected to six of you in this room through your EHRs, the views come up and now they have got a complete thing when it turns to an NHIN. But the point is, let's don't morph PHR and EHR. If we do, then we will never be able to explain it to the general public, we will never explain it to anybody, and we are going to struggle mightily to decide what to recommend or not recommend.

DR. TANG: I think we agree on all the principles. What we are talking about is the sentence that starts out, for the PHRs that are views of an EHR. That is why I am saying, then when -- for those which are basically views into the EHR, if someone enters information it says they should be able to control access to a subset of the information. I am saying no, that is not what we are saying when it is part of an EHR, or has been submitted or accepted into an EHR.

DR. VIGILANTE: So once you hit the send button, you relinquish control, because it is there, it exists, you can't change it.

DR. GREENBERG: I'm with Harry, I think we are confusing two things. I don't fully understand all these models, but I think a patient inputting information to their EHR is a different thing than a PHR. So if you have a system that gives them a PHR which is a view into their EHR, but you call that a PHR, then obviously you have to explain to them, this is part of the terms. If they want to use this, you explain to them, this is your PHR, this is for your use. But if you say, submit to the EHR, then it becomes part of the EHR. They agree to that.

I assume you are not talking about a system that doesn't distinguish between the PHR and the EHR, or are you? Otherwise, that is just inputting personal information into the EHR.

DR. COHN: I think Paul is agreeing with you also. Gene, your comment, then I want to wrap this piece up.

DR. STEUERLE: I'm just wondering why in the end we need this entire sentence, why we just don't have something at the beginning, that statements in this document about PHR should not necessarily be interpreted to apply to EHRs, which we deal with elsewhere.

DR. HOUSTON: The problem is that the consumer doesn't necessarily understand architecturally what a provider decides to do in terms of the structure of the PHR and the EHR. A consumer when they sign up for PHR may say, this is great, it is freestanding, I can enter my own data and it is there and I have a little control over it, only to find out that it is part of a bigger EHR and all that data is going to be merged together, and they didn't realize it.

DR. COHN: As much as I love this particular conversation, I think we are all beginning to say the same thing over and over again.

What I hear is that we have two options of how we want to address this, which I think may get us to the same place, or may not quite. I need to see Carol's suggestion written down so we can look at it. I think the work group probably does. My sense though is that we are all saying the same thing.

We are all fundamentally agreeing with the distinction that Paul is making, which is that once something goes into an EHR, it is part of the EHR and follows the EHR rules.

DR. GREENBERG: It doesn't automatically go into the EHR.

DR. COHN: Exactly. I think we just need to see which way solves that better. I think we have talked this one to death. I don't want to vote on which wording is the right wording here, but I think the work group needs to look at them both, and maybe we can come up with our agreement and bring it back. Is everybody okay on that?

DR. GREENBERG: Anyone can come to the work group meeting.

DR. DEERING: I was just double tasking, so I'm not sure what --

DR. COHN: I heard your wording and I heard Carol's wording that got rid of a couple of sentences.

DR. DEERING: Carol's wording, if I understand correctly, would take out the last sentence.

MS. MC CALL: Take out the last sentence as well as the first two words of that first sentence, the words independently held. It doesn't draw a distinction between the types of systems. It is a principle. It says, regardless of system, a PHR is a PHR, and you have the ability to control who sees that, period.

Now, I also clarified to say, within terms and conditions, it would be vital that I would understand that one of the terms and conditions of use is, if I hit submit to an EHR, what it means for something to become incorporated into an EHR. But let's not try to mix these metaphors. I do believe we need to keep them very clean.

DR. GREENBERG: Would you get rid of that sentence also, that last sentence?

MS. MC CALL: I would dump the last sentence entirely, yes.

DR. TANG: I think the whole problem is with the last sentence, because it says for PHRs that are basically views of EHRs.

DR. GREENBERG: I don't think people know what that means, anyway.

DR. TANG: Right, so I think that would still help.

DR. COHN: So maybe we actually have come to a solution. Anything else on security?

PARTICIPANT: Interoperability.

DR. COHN: Move on to interoperability, okay. We have a number of recommendations. As I look through this, there are a couple of things that are probably going to have to be moved around. There is one sentence at the top of page 11 which I think is a good sentence but in the wrong place, which says, until PHR systems are capable of widespread exchange of information with EHRs and other sources of personal health record, their full potential may not be realized. Great sentence; I'm just not sure that it fits right where it is. But we will let Mary Jo look around, see what the right spot is.

DR. TANG: I think we have moved that sentence several times.

DR. COHN: I think we have moved that sentence several times, but it just doesn't quite go with the rest of the paragraph any longer.

Recommendation ten. Be aware that we are also going to need to decide whether there are standards development organizations or standards groups or whatever, but we will clean up that language also. Recommendation ten. Standards development efforts should be expanded to take on issues related to authentication, identification of data sources, non-repudiation, communication to and from PHR systems, mapping to consumer oriented concepts and terms, and the enabling of consumer/patient controlled access.

Recommendation 11, which is HHS, should encourage standards development organizations to use standards accepted for EHRs for the PHR where the content or context is the same.

Recommendation 12. HHS should encourage standards development organizations to identify essential data sets for PHR systems using standards accepted for EHR systems whenever possible.

Recommendation 13. For any HHS sponsored pilot projects, any contractual relationships with CMS that any center undertakes with entities intending to use CMS data in PHR systems, HHS should require that PHR vendors and health care organizations adopt data content and exchange standards that are based upon standards accepted for EHRs as a way of improving interoperability of systems.

Recommendation 14. Private sector PHR vendors and health care organizations should voluntarily adopt data content and exchange standards that are based upon standards accepted for EHRs as a way of improving the interoperability of the systems.

I think all of this is okay, but it is very redundant. I am trying to think of some way to knock it down to two or three recommendations, but we don't necessarily need to handle that now. We could maybe handle that offline.

Yes, Marjorie?

DR. GREENBERG: As everyone knows, I am a great believer in standards. However, and I certainly understand the issues of interoperability. I have two questions. On the standards issue, are you really saying that the standards accepted for EHRs, at least in the federal enterprise, SNOMED CT, LOINC, HL-7, et cetera -- maybe it is covered by mapping to consumer oriented concepts, but would you really expect the patients to be entering information? If we say physicians should be entering information, textual information using SNOMED CT, are you saying that you would tell the patients to do the same thing?

We don't yet have evidence that physicians will enter SNOMED. It might need to be some interface, they put in text and then it maps. So aren't we really talking about mapping? I just can't imagine putting a terminology standard on patients that you might put in EHRs.

DR. HUFF: There are certainly reasons to have the consumer terminology. The thing you are trying to prevent here is that the code that represents blood pressure doesn't become one code in PHRs and a different code in EHRs.

DR. GREENBERG: I understand that.

DR. HUFF: Well, then I didn't understand what you said just before that. It sounded like you wanted patients to not just have synonyms, but a different terminology to represent their signs and symptoms, and it wouldn't have any mapping to any common standard that could be used for consumer terminology in EHRs.

DR. GREENBERG: You have to have the mapping, obviously. People know what the CHI standards are. I really think what you are talking about is, there has got to be some underlying mapping or checkoff boxes or something. You want the concept that it is interoperable, but how that -- you are dealing with a different thing with the PHR than the EHR, and how that comes about, I'm not sure.

DR. HUFF: Somewhere mixed in there is the idea that somehow we don't need consumer terminology in EHRs also.


DR. HUFF: I think you need them both places. If you need them both places, we want them to be the same, and that is what this says.

DR. GREENBERG: So you are saying you are going to have to add a lot of consumer terminology.

DR. HUFF: You need consumer terminology added, but if you add it, you want it to be used both in EHRs and PHRs.

DR. GREENBERG: I understand that, but the standards that have currently been accepted don't necessarily have that in them right now. So I don't know if people will make this connection between ten and 11, or if they will see this as, the standards have been accepted for EHRs, now they have to be -- without enhancement, make them make sense for consumers to be used for PHRs.

DR. STEINDEL: It is well acknowledged that we don't have a full set of standards for the EHR. CHI,in particular in their full reports have acknowledged many gaps in these standards that exist for use in EHRs themselves.

So I think Stan is perfectly correct; we want the standards to be the same when they are used for the same thing in the same context. If that means developing consumer oriented terminology, which it is acknowledged that we need to do in some areas for the EHR, so be it. We develop the new standards, the new terminologies that are needed, and they are going to be expressed in both places.

One of the keys here is, content and context is the same. When we are taking information -- when a patient is entering information about themselves or we are capturing what the patient says about themselves, that is a different context than when the physician is entering the information and translating it.

So 11 is a relatively key recommendation, in that it basically says when it is used for the same thing, it ought to be the same standard.

MS. MC CALL: I like the way that these are laid out. I guess I am not clear what concern you have.

DR. GREENBERG: I just think that the standards that have currently been accepted for EHRs are probably inadequate for PHR.

MS. MC CALL: I would agree.

DR. STEINDEL: And no place in this report do we say what the standards are that should be used.

MS. MC CALL: Or that what is good say for a clinical context is good for a consumer context. I don't see it saying that, because if that were the intent of these recommendations I would have a problem. But I don't think you guys are saying that.

DR. GREENBERG: All right, well, if nobody else has that problem, I did have a separate issue from that, if nobody else wants to discuss that one. I think there are some assumptions here, that's fine.

I am curious why -- not that I am against it, but why you are recommending in this letter to identify essential data sets for PHR systems when I am not sure that the same was recommended for EHR systems. You seem to have resisted it for the latter.

DR. COHN: I don't think I can speak to that, because I resisted it for the former, too. Do people have comments?

DR. HUFF: I thought we had killed it long ago.

DR. COHN: Well, it keeps coming back.

DR. DEERING: It is not a recommendation. I think we kept it in there, because what we said is, we have stated it as what we heard.

DR. COHN: It is a recommendation, too, recommendation 12.

DR. GREENBERG: No, it is a recommendation.

DR. HUFF: I thought we voted 12 out of existence. I thought it was redundant with 14.

DR. TANG: I have always felt that we should vote it out of existence, but we never did.

DR. COHN: Well, what is the sense of the group? Marjorie, thank you. Do we want to get rid of that recommendation?

DR. TANG: You are saying, get rid of the minimum data set?

DR. COHN: Yes, essential data set.

DR. TANG: We voted it out of existence.

DR. COHN: No, it is still here. We are actually talking about that right now, Paul.

DR. GREENBERG: Maybe I shouldn't have raised it, because I actually think there is some merit to it. But I was just saying, it is inconsistent.

DR. DEERING: All I can think of is, I certainly don't remember it being explicitly voted out, so it could be my mistake that it was.

DR. COHN: The recommendation was weakened, I think, time after time after time, but it survived as a recommendation. What would people like to see done with this particular recommendation? Paul, did you have a comment?

DR. TANG: I think the whole thing is very duplicative. And because I can't count past three, I am going to list three that may survive. Unfortunately, I thought 12 was one of them.

DR. COHN: We can't hear you.

DR. TANG: I was going to suggest something like keeping, in order, 12, 13, 10, because it follows a path. Establish minimum data set standards for PHRs that are consistent with EHRs, for anything where HHS has some authority over it, like funded projects, they can enforce this. Third, that we need to expand some of the standards that are developed to include things that impact the use of PHRs. That was number ten. The other two seem to be subsumed under those three.

DR. DEERING: I only want to point out that 13 and 14 are parallel to what we had in privacy. If we had headers, that might make a little bit of a difference. And 13 is specifically for HHS pilots and contracts, and then the other is --

DR. TANG: But wouldn't that be covered by 12?

DR. GREENBERG: I do think 12 is duplicative of 11, and it is better than 11.

DR. TANG: I am just trying to find ways to get rid of --

DR. COHN: It is better?

DR. GREENBERG: Yes, because it says whenever possible. This business about when the content or context is the same, I don't really know what is meant there. I think everybody could interpret that differently. But when you say, utilize standards accepted for EHRs whenever possible, then I am comfortable with that. It wouldn't be possible when there isn't good consumer terminology or something.

DR. COHN: So read how you would like to have 12.

DR. GREENBERG: I think 12 can replace 11.

DR. COHN: It talks about data sets, so I am just wondering --

MS. MC CALL: One seems to be more related to taxonomies vocabulary. Another one may seem to be about the actual data set itself or themselves. They are related, but they are distinct.

DR. COHN: Maybe it is essential standards.

PARTICIPANT: It is not the data sets. It is really the standard.

DR. COHN: If you change that, --

DR. GREENBERG: It includes the data sets.

DR. COHN: Well, that is arguable.

DR. STEINDEL: To me they are distinctly different recommendations. The main thing that 12 is calling for is the establishment as Paul said of minimum data sets for PHRs, and wherever possible, if we do establish one for PHRs, we should be looking at the same minimum data set that we are using for an EHR. Utilizing standards accepted for PHRs whenever possible.

I have problems with establishing minimum data sets and issuing a recommendation for that, because in all the years we have tried to establish minimum data sets, we have never gotten real consensus on what a minimum data set entails.

DR. GREENBERG: We have had a lot of success with it over the years. I disagree with that.

MS. MC CALL: It is a matter of interpretation of item 12. Clearly it is not well written. My understanding was, if you jump up to the paragraph, the last two sentences beginning on about line nine, we heard broad agreement that a core or limited set of data is important. We heard that from several speakers, although there was no consensus.

DR. COHN: Although there was no consensus.

MS. MC CALL: And that agreement can be useful. So the intention of 12, just to tell you why I think it survived, is that we are encouraging others to identify data sets. It is not that they should then impose that data set; it is that once they have identified the data set, the standards that underpin that particular data set should be used if they exist for EHRs.

DR. COHN: How would somebody like to handle it? We have heard the rationale. I feel funny myself making a motion on this one, but --

DR. HUFF: I saw the things that happened that are suggested in 12 as being an unnamed subset of things that we are encouraging in 11.

DR. GREENBERG: Yes, that is true.

DR. HUFF: I preferred to have it unnamed, so that people would have the freedom to establish whatever standards they wanted for data sets or for data exchange standards or whatever, without calling that particular item out.

My experience is the same as Steve's. We haven't been great at doing that. Even though people have called for it, I am personally not convinced that it is a good way to spend your time. So my preference is to keep 11, because I really like what it says about content and context and using things the same. It leaves what should be done to be the whole set of things, without naming individual parts. So that is why I liked 11 better than 12.

DR. GREENBERG: But to have that last sentence before the recommendations, or two sentences, and then say nothing about it to me is problematic.

DR. HUFF: I actually disagree with the sentence up there. I don't think we heard broad agreement. We heard some people who believed that firmly in their testimony. I think you could have talked to Clem McDonald and others who would have violently disagreed.

So the broad agreement, I don't think you can put that. You can say there were a set of people who really wanted that and that is certainly true, but I don't think broad agreement. It wouldn't have been broad enough to include me, let's put it that way.

DR. GREENBERG: I suggest this requires more discussion, because this is really a core issue when it comes to standards, and it requires more discussion than we can do in the context of this letter. So maybe the group can just pare this down to a few that capture what is here.

But those of you who say you are against core data sets also supported the populations report that says you should be collecting race and ethnicity. Core data sets are not minimum data sets. There are certain things you have got to collect, and this is the standard way to collect it, unless there is some overwhelming arguments for not collecting it.

That is what core data sets or minimum data sets do. They don't say this is all you can collect, but they assure that at least for a core of information, you have standardized data. I don't understand why -- I have had this argument with Don Dettmer, too; I just don't understand why people are against that. I know they are afraid that then people won't collect anything else. That is not the point. The point is that you can't establish standards for everything, but if you can at least for a core, you are ahead of where you were by establishing none.

DR. WARREN: I am coming down on the side of Stan. I think we have done a terrible thing of trying to identify minimum data sets. The first question I want to ask is, from whose perspective? So do we go around and we have 20 different minimum data sets that we use for PHRs, or are we only talking about one? And if we are only talking about one, who decides? Do we only put a couple of people to decide what that is? I think that is why we have never come to consensus on this. We haven't even talked about the purpose of the data set.

DR. STEINDEL: Marjorie, our big problem with core data sets, minimum data sets is, we have been reasonably good at getting agreement on name, rank and serial number, the basics, demographic information. But once we go beyond that and start asking for any type of clinical information, you don't get consensus. What people are asking for in the PHR is beyond the demographics.

DR. TANG: What about NEDS?

DR. STEINDEL: We are dictating there. This is where you get agreement. Paul, I am being very specific. This is where we have gotten agreement. Any type of minimum data sets that are proposed have come from organizations who have gone through a deliberative -- which NEDS has done -- a deliberative process with their partners. Once that deliberative process has finished, they have put out a specification and said, this is what we agree to in the core data set. You will find that pediatricians agree to a core data set.

DR. COHN: There are data sets, things like the billing forms, which have been very successful because you are requiring them.

What I want to do is let Mike talk. I guess I am hoping that we can come to some -- I don't know that we are going to be able to come to a conclusion here. This section may have to go back to the work group for some work. Clearly if we are going to get rid of 12 or do something to it, we need to modify the sentences above.

Mike, do you have a parting comment on this one?

DR. FITZMAURICE: Two items of suggestions. One of them is that on recommendation ten, where it says standards development efforts should be expanded to take on issues, I would suggest take out the take on and put in, address solutions to. Take on is too nebulous; it is address solutions to.

DR. GREENBERG: Yes, that is good.

DR. FITZMAURICE: The second suggestion I would make to the re-writers is, whenever you talk about utilizing standards accepted, accepted by whom? Are we talking about standards accepted by the Secretary for use of clinical information? Who is doing the accepting? You have got to address that.

DR. GREENBERG: Yes, that is where I started.


DR. COHN: Good point.

DR. GREENBERG: He just said it better.

DR. COHN: Would the work group like to take this back and see if we can clean this up and bring it back tomorrow?

DR. DEERING: We have an hour and 15 minutes, is all we have.

DR. COHN: I know.

DR. HUFF: We would be happy to.

DR. COHN: Should we move on to the remaining recommendations here? Federal roles in PHR systems, internal and external. On page 12 there is a sentence some people had a confusion about which I didn't even understand, lines 16, 17, 18, at least on mine, says, these systems can be successfully deployed in an environment of limited Internet connectivity through focused education and support functions.

Probably true. I just didn't know what that had to do with anything in relationship to all of this.

Recommendation 15. Federal agencies should assess how they can more fully explore and appropriately promote the benefit of PHR systems across their respective roles.

Recommendation 16. Insurers in the FEHVP should identify opportunities to offer interoperable PHR systems to their beneficiaries.

Recommendation 17. The federal government should identify and address issues related to information technology access and use, particularly by underserved populations, to limit the dissemination of PHR systems. HHS should also address health literacy requirements that could limit the use of PHR systems by the most vulnerable populations.

DR. STEUERLE: Can I just ask, when you say something like insurers in the federal health benefits plan should do something, we are writing a letter to the Secretary. Are we recommending the Secretary recommend to them? Is there a transmission process? There is no responsibility here.

DR. COHN: HHS should recommend to OPM that they. Are you talking about that?

DR. STEUERLE: You are asking the Secretary to recommend to?

DR. FITZMAURICE: The Secretary must be on a committee with OPM that oversees the federal health benefits program. There must be a group that provides advice to that program that includes HHS. So in advising the Secretary, the Secretary I'm sure has avenues for that.

DR. STEUERLE: I am just trying to get the responsibility lined down. We are making a recommendation. Who is going to make sure that recommendation gets to OPM?

DR. DEERING: Can I tell you why I think it says it exactly the way it says? We may not wish to stay with it, but the logic behind it was, remember, in both privacy and security we have made recommendations directly to industry. We call them voluntary. The prior NHII report made only a limited number of recommendations directly to the Secretary, and made numerous recommendations to other stakeholders.

So in the spirit of putting this directly in the hands of the insurers, that was the parallelism. We did talk about addressing this directly to the insurers, that not any federal agent. Now, we may not choose to go that path.

DR. STEUERLE: That is fine, but does that mean that we then transmit this letter to the insurers and circle it? I am just asking, who is transmitting the recommendation to the insurers?

DR. DEERING: We have got Blue Cross Blue Shield in the audience. They read them. The report goes out after it is disseminated.

DR. FITZMAURICE: My thinking is that most always, we are recommending that the Secretary do something for the Department, the Secretary acting for the Department. So it is requires working for another government agency, then the Secretary working with another government agency to help to bring something about.

MR. HITCHCOCK: I think it could be rephrased, actually. The principle of the thought is a good one, but it should say something like, HHS should explore avenues with OPM to carry out the rest of the recommendation.

DR. GREENBERG: You think it should say that?

MR. HITCHCOCK: It should say that, yes, words to that effect.

DR. FITZMAURICE: That's good.

DR. GREENBERG: I think it is a good idea. I agree with Mary Jo that the committee has a long history of making recommendations to the industry or others, and then we try to disseminate the reports. So I think that is a very good point Gene has made, too. In fact, we are now working on a dissemination strategy for the Populations report; the same thing needs to be done for this. Certainly all the people you want to have voluntary --

DR. COHN: So I think we are talking about rewording this one. Any other recommendations in this section?

The final one is on research and evaluation. We have, the Secretary shall request that all agencies review their research portfolios and program operations and report to the Secretary on the ways they could contribute to the research and evaluations of PHR systems.

Recommendation 19. HHS should collaborate with OPM to help implement pilot studies of PHR systems with payors and beneficiaries of the FEHBP.

Recommendation 20. AHRQ should expand its evolving health information technology research portfolio to include studies of PHR systems, especially in regards to health services research and metrics.

Recommendation 21. CMS should conduct pilot studies of PHR usage in the chronic disease community to evaluate the utility and the cost effectiveness for beneficiaries, providers and payors.

I think overall, the only question that I have is, 19 and 16 seem a little -- in one recommendation we say go off and do it, in the other one it says, pilot studies. So we have two different strengths of recommendations here. What would we like to see? Or are we comfortable leaving them both? Would you like to remove 16 then?

DR. GREENBERG: Because that would encourage them to offer interoperable PHR systems if you did the research.

DR. COHN: Are people comfortable with that? So we will remove 16 then.

DR. HUFF: Are we done?

DR. COHN: We have two other issues to talk about.

DR. ROTHSTEIN: I have a question about the text at the top of page 13. I'm not crazy about the very first item, which is called market research. I have a couple of problems with it.

Number one, market research is not something that is not usually undertaken by the Department or federal agencies. It implies seeing what the market is to buy new cars or a new brand of soap. We don't really talk about that in the recommendations, so I would recommend something like PHR adoption research or something along those lines, because that is what we are suggesting here.

PARTICIPANT: How about consumer research?

DR. ROTHSTEIN: Anything other than market research.

MS. MC CALL: That term is essentially taken and has meanings to different people that are completely different. So even PHR adoption research.

DR. ROTHSTEIN: The other recommendation that I would have is to consider deleting the third sentence, the one that begins with the word when. I don't know what that adds.

DR. FITZMAURICE: What line number is that?

DR. ROTHSTEIN: In my copy it is line six.

DR. DEERING: I think the goal there was to say we are going to have this taxonomy or matrix of different PHR systems and what they can do. Then you do this audience research about who wants or needs what, how would they be likely to use it, and you really need both pieces to most effectively both design good products and, from the federal government's point of view in particular, to decide what actions to take.

DR. ROTHSTEIN: I think the second sentence says that. Then the third one is superfluous.

DR. COHN: I think it makes sense to remove it. I'm not sure there is a value added there. Mark, other things?


DR. CARR: Simon, can I just one other thing? The one about metrics, that NCVHS concludes a series of metrics around PHR systems, usage, process outcomes and impact should be identified and tested, monitor validity and all that. Is that a secondary use? How are you going to measure the outcome if a person entered certain information into their PHR, how did they change the outcome, but you are going to have to know what they put in.

DR. COHN: That is Justine. You may be right, but we removed the word secondary. I think as part of the research agenda though, there needs to be some --

DR. CARR: It is part of research, but it does challenge that we are going to need to know the content to know how it turned out. That really is a research thing, it is not an ongoing metric.

DR. STEUERLE: If it just decides ex poste it is going to do a survey of PHRs and it goes around to vendors and you said up a requirement that says we can't tell you anything.

DR. COHN: I hear what you are saying. I don't think I have any comment other than thank you. I think it is fine as it is, but I do hear what you are saying.

DR. FITZMAURICE: I would suggest an amendment to recommendation number 20. It currently reads, AHRQ should expand its developing health and information technology research portfolio to include studies of PHR systems, especially in regards to health services research and metrics. I would change it to support health services research and the development of metrics to assess the impact of PHR systems on quality of care, patient safety and patient outcomes.

DR. COHN: Okay. Can you give that to Mary Jo?


DR. COHN: I think that is basically wordsmithing.

DR. FITZMAURICE: What the metrics are applied to.

DR. COHN: Exactly. Is everybody okay with that? I think that is fine.

So before we move on to the other two items that we need to talk about before we can take a break here, number one, we are going to come back with this tomorrow. What we will be doing is looking through the new sentences. We will give you a marked-up version, because I think that is probably the best way to handle it, so you can look at the changes. We will be focusing primarily on privacy and security, along with -- actually, security I think we handled, so privacy and then the interoperability piece, because most everything else I think there was pretty good agreement on. The NHII Work Group will focus predominantly on the new wording for the privacy as well as whatever we do with the interoperability recommendations, and come back with recommendations tomorrow.

I am hearing overall support for most of what we talked about. I think it is mostly wordsmithing, as well as some decisions on these recommendations.

Now, there are two other pieces that we need to review today. Hopefully they are relatively rapid items.

Agenda Items: 2003-2004 Report

One item is the 2003-2004 report. This is something that we all reviewed last time. It now has a forward, which I don't think you get to vote on, since it is from John and I. We now have a new looking ahead section that has replaced the research section.

Now, we will take comments. I personally think that this is pretty well done, and would certainly consider -- if you have no substantive comments, what I would suggest that we might want to do is to consider taking this on as an action item for today, with the ability of the executive committee and Chair to make some minor wordsmithing changes to it.

DR. ROTHSTEIN: So moved.

DR. HOUSTON: Second.

DR. COHN: Is there any comment about the changes?

DR. GREENBERG: My only comment is thanks to Sue.

DR. COHN: So all in favor then, aye?

(Chorus of Ayes.)

Agenda Item: HIPAA 7th Report to Congress

DR. COHN: Opposed? Abstentions? Our next item is the HIPAA report. This is marked draft. It is about 20 pages long, actually 23 pages long. I would ask if people have comments about the HIPAA report.

DR. TANG: Move acceptance.

DR. COHN: You move acceptance on that one. Any comments, any changes, modifications? Is there a second?


DR. COHN: All in favor, say Aye.

(Chorus of Ayes.)

DR. COHN: Opposed? We are running about ten minutes late. What we will do is adjourn, give everybody a break for about ten minutes, and then we will reconvene.

(Whereupon, the meeting was adjourned at 3:25 p.m.)