[This Transcript is Unedited]
Department of Health and Human Services
National Center for Health Statistics
National Committee on Vital and Health Statistics
Full Committee
September 13, 2017
Hubert H. Humphrey
200 Independence Avenue
Washington, D.C.
TABLE OF CONTENTS
- Call to Order, Roll Call, Review Agenda – William Stead, MD, Chair
- Welcome – Rebecca Hines, NCHS, Executive Secretary of NCVHS
- Brief Updates – Chair & Committee Members
- Predictability Roadmap – Alix Goss, Nick Coussoule, Co-chairs Standards Subcommittee
- Action Item: SSNRI/New Medicare Card Project – Nick Coussoule, Alix Goss
- NCVHS Strategic Plan and Project Selection Criteria – Chair and Full Committee
- Health Information Privacy and Security Beyond HIPAA
  - Linda Kloss, Chair, Subcommittee on Privacy, Confidentiality & Security
  - Stephanie Devaney, NIH
  - Jeremy Epstein, NSF
  - Nicole Gardner, IBM
  - Fatemeh Khatibloo, Forrester Research
  - Cora Han, FTC
  - Jacki Monson, Member, NCVHS
- Follow Up on Next Generation Vital Statistics – Sept 11-12 Hearing – Bruce Cohen and David Ross, Population Health Subcommittee
P R O C E E D I N G S (8:45 a.m.)
Agenda Item: Call to Order, Roll Call, Review Agenda
DR. STEAD: I would like to call the meeting to order and start with our statutory responsibility to introduce first the committee members and then staff.
I am Bill Stead. Vanderbilt University. Chair of the National Committee, no conflicts.
DR. THORPE: I am Roland Thorpe. Johns Hopkins University faculty member. I have no conflicts.
DR. COHEN: Bruce Cohen. Member of the Full Committee, co-chair Population Health Subcommittee, Massachusetts, no conflicts.
DR. RIPPEN: Helga Rippen, Alertgy. Member of the Full Committee and member of Privacy and Population Subcommittees. I have no conflicts.
MS. MONSON: Jacki Monson, Sutter Health. Member of the Full Committee and Privacy Subcommittee and no conflicts.
MR. COUSSOULE: Nick Coussoule. BlueCross Blue Shield of Tennessee. Member of the Full Committee, co-chair of the Standards Subcommittee, member of the Privacy, Confidentiality and Security Subcommittee. I have no conflicts.
MS. GOSS: Good morning. Alix Goss, Imprado. I am a member of the Full Committee, co-chair of the Standards Subcommittee, and I have no conflicts.
DR. STEAD: Now members on the phone.
DR. CORNELIUS: Lee Cornelius. Member of the Full Committee, Population Health Subcommittee. University of Georgia. No conflicts.
MS. STRICKLAND: Deb Strickland. Member of the Full Committee and Standards Subcommittee. No conflicts.
MS. KLOSS: Linda Kloss. Member of the Full Committee, co-chair of the Privacy, Confidentiality and Security Subcommittee and member of the Standard Subcommittee. No conflicts.
DR. STEAD: Thank you. Now Rebecca.
MS. HINES: Good morning. Rebecca Hines. I am with NCHS and I am Executive Secretary and DFO for this committee. Welcome.
(Introduction of staff)
DR. STEAD: Thanks everyone. Let me just briefly review the agenda to orient us to the next two days. Most of us have been heavily at it for the last two days.
We are going to start with brief updates and then we are going to have Nick and Alix summarize where we are with the Predictability Roadmap and potential next steps.
Then we are going to attempt to take action on the Social Security Replacement Initiative or the New Medicare Card Project, as it is also known. The letter that you have from the agenda book on that.
Then we will revisit the brief one-page strategic plan and project selection criteria. It has evolved considerably based on the conversation at the June meeting and subsequent conversations at the Executive Committee. We will see if that is in a form that we are willing to adopt, at least for the next year, then break for lunch.
Then we are going to have a deep dive into the Environmental Scan for the Health Information Privacy and Security Beyond HIPAA. You have got the CV’s of the panel that Linda and the Privacy and Security Subcommittee staff have assembled to begin to do our environmental scan on that. Then an update from Bruce and Dave on the last two days of the Vital Statistics Hearing. Then break for the day.
In the morning, we are going to hear first from the Commission on Evidence-Based Policymaking. That Report is out. We have emailed the link to the Full Committee yesterday. If you have not had a chance to read it, I suggest that you try to do that if at all possible before tomorrow because our purpose in that block tomorrow is to understand the recommendations and to be in a position to ask questions that really help us know what the thinking of the Commission was as they put that together.
Then we have got a panel of updates from HHS Leadership. That will include Charlie Rothwell from NCHS. We have Elise Anthony from ONC, and Mona Siddiqui as the Office of the Chief Technology Officer. Rashida has not been able to be with us at the moment, so we will see who is going to cover ASPE at that juncture.
Then a short block on Health Terminologies and Vocabularies. Linda has given you, in the materials that you have, a PowerPoint that attempts to recast what we learned in June, plus additional information we have gotten since then, into, if you will, a first cut at the environmental scan and the key issues. We will work our way through that to identify next steps.
Then in the afternoon we are going to, in essence, work as a committee of the whole and hear initial thinking from the subcommittees about their candidate items for the workplan for 2018, so that we can have free discussion about the types of things the subcommittees are going to consider. We are not trying to make any decisions in that block because the subcommittees will then take that information and work it after this meeting and come back with an actual draft workplan.
Then after public comment we will adjourn. So that is our plan for the two days. Are there questions about that or suggestions for any revision?
We have a couple of members that have joined us. Denise and Vickie, would you like to introduce yourself for the record.
DR. MAYS: Vickie Mays, University of California, Los Angeles. Member of the Full, Pop and Privacy, and I have no conflicts.
MS. LOVE: Denise Love, National Association of Health Data Organizations and co-leader of All Payer Claims Database Council. Member of Pop and Standards Subcommittee. No conflicts.
DR. STEAD: Thanks, all. With that we will have Rebecca do the welcome from her perch.
MS. HINES: Good morning again. As you know, we have had three new members join us this year, Roland Thorpe, Deb Strickland and Jacki Monson. Jacki is here in person for this meeting, and I thought it would be lovely to take a moment, Jacki, if you want to just say a little bit about yourself now that we actually get to meet you in the flesh.
MS. MONSON: Sure. I am Jacki Monson. I am from Sutter Health. I currently am the Chief Privacy and Information Security Officer there. I have worked there for about four and one-half years and focus primarily on privacy and information security matters in the duration of my career. You might hear a little bit of a Minnesota accent; I am actually from Minnesota. I was previously at Mayo Clinic, prior to Sutter Health, in a privacy-focused role there.
MS. HINES: Welcome. I know Linda Kloss, who has been the solo chair of the Privacy Subcommittee, really appreciates your willingness to serve on the committee. It will be a huge benefit. Some of you might have looked at the agenda. Jacki will actually be presenting this afternoon as part of the Beyond HIPAA panel, because you served on the Cybersecurity Task Force, so she brings a huge amount of depth and expertise to that area. We are really grateful, thank you.
DR. STEAD: The next block is our brief updates. We emailed to you slides 9 through 13 from an intro presentation to the Board of Scientific Counselors to just give you the status of appointments to HHS leadership positions.
MS. HINES: Does everyone here know who the Board of Scientific Counselors is? NCHS — actually, this committee has run out of NCHS, and when this committee was given greater responsibility, especially around the time of HIPAA, NCHS’s director had the fortitude or the insight to say that this committee cannot do what it has been doing over the decades and take on that HIPAA responsibility.
So, the Board of Scientific Counselors is sort of your sibling FACA, but they focus exclusively on the National Center for Health Statistics. That is their purview. And you will notice that the slides that were emailed out yesterday really focus on NCHS — the budget, what’s happening with the surveys, in addition to an HHS update.
Just so you know, and I think we have mentioned this but just to refresh everyone, Bob Phillips is our liaison from this FACA to that FACA, and Mark Flotow — you probably remember him circulating here — has been the liaison from that board over to this FACA. He just retired from his service there. His time was up, so they are going to be looking at getting someone else to serve in that capacity. Basically, we have had two liaisons going bi-directionally to keep the two groups together and aligned, and they actually did a fairly lengthy presentation to the BSC last week about where there might be overlap. That is just to give you some context for this update that Bill is about to give.
DR. STEAD: From my perch, I think of the Board of Scientific Counselors as focusing predominantly on methodology. They are more into the methods of the statistics than we tend to be.
MS. HINES: They were also very interested in the NCVHS — I mean the Vital Statistics hearing — in a big way.
MS. LOVE: Does that methodology include de-identification methodologies? Because I know NCHS and some of the people worked on those methodologies along with the statistical methodologies.
DR. STEAD: I think they do not spend the energy on privacy and confidentiality that we do.
MS. LOVE: Like suppression and significance. I sat through some meetings some years ago with the people who were working on methodologies for NCHS.
MS. HINES: Talk to Bob because he actually has been going to those meetings to the greatest extent his calendar allows.
DR. STEAD: I just draw your attention to a few of the appointments. Stephen Parente has been nominated as the Assistant Secretary for Planning and Evaluation. That nomination is being considered by the Finance Committee. Jerome Adams was confirmed as Surgeon General, and we were fortunate that he was able to drop in yesterday, during the Vitals hearing to underscore from his perspective how important that work is.
The other person I would draw your attention to is Nancy Potok who was appointed Chief Statistician for the United States, and we think this is a great win.
We have the report that Bob and Mark put together. What they did was work together to identify the areas of intersection where there would be joint interests between the two FACAs. The points they highlighted were the next generation vital statistics, the Commission on Evidence-Based Policymaking, the 2020 Census revisions of race and ethnicity categories, the health data framework, our white paper, the Digital Bridge effort that is ongoing between the EMR vendors and providers and foundations. Those are the primary points of interest. Then he updated them on predominantly our pop health work.
From his notes that he gave us, things that he really highlighted were the points that Nancy Potok had made. She basically said that the federal system of surveys is unsustainable because the response rate is down and costs are up, and there needs to be a new approach. This has been a progressive theme over the last three or four years, so this is going to be something both FACAs are going to want to consider in the future.
Data accessibility she simply defined as a huge problem. Silos, real concerns about data safety, real resource issues in terms of staff data, lack of legal standards to cut across different government silos, et cetera. She also pointed out that research access was, in her words, kind of lumpy, and that the research data centers are hard to access, so that is continuing to bubble up.
Those are types of things that came forward at the intersections between the two committees.
MS. HINES: Nancy Potok, as Bill mentioned, is the new Chief Statistician, and I think she would be a wonderful asset to inform this group. She has some pretty out-of-the-box insights, and if our agenda allows it next time, I think it would make sense to have her here. She “left the BSC members breathless”, quote, unquote. They were really impressed with what she had to offer.
DR. STEAD: Alix, would you like to briefly mention your interaction with the NUCC?
MS. GOSS: Sure. The National Uniform Claims Committee is responsible for the 1500 paper claims for billing and healthcare. They are a member of the Designated Standards Maintenance Organization which has responsibilities under HIPAA. They meet on a regular basis and also in conjunction with the National Uniform Billing Committee. They invited me to present at their August meeting and it was a wonderful opportunity in several ways.
First, it was an opportunity to present an overview of the National Committee and our approach to our work and the items on our work plan, so it was a very educational session from that perspective. But it also provided for a really great dialogue around the Predictability Roadmap aspect, which they have a lot of interest in as being a data content committee that works very closely with the HIPAA transactions, especially the claims through the EDI transaction.
The several hours that they provided me really enabled us to have a very good exchange and actually resulted in several of the members pursuing a subsequent opportunity for promoting an awareness of NCVHS, and they have been asked to present at the upcoming WEDI conference, the Workgroup for Electronic Data Interchange, in December. This not only gives us the chance to help more people understand the phenomenal resources and work that we do here at NCVHS but it also gives us an opportunity to further engage with the industry around some of our current noodling on how to create more predictability in healthcare EDI transactions options.
DR. STEAD: Thank you. Bruce, would you like to comment on the public-private partnership with 100 Million Healthier Lives?
DR. COHEN: Thanks, Bill. As I’m sure many of you are aware, one of the outgrowths of our measurement framework activity was transferring continuing activity to essentially create a public-private partnership. Dr. Soma Stout, who is I think the Executive Director of 100 Million Lives, volunteered to lead this effort, and she has done a really wonderful job. Essentially, she has created a structure to move forward that includes three activities — a stewardship group which sort of is steering their effort and two subcommittees, one focused on implementation of the NCVHS recommendations around the framework, and the second group which is focusing on developing measures for the domains and sub-domains.
They have had two meetings. The first meeting was about implementation, and there are a bunch of organizations that have really picked up our work and are interested in implementing the framework. They include the Yale Shared Care Population Wellbeing studies, the Gallup Shared Care Wellbeing Index, U.S. News and World Reports, 100 Million Healthier Lives, Index. They are all looking to incorporate essential features of the domains and sub-domains in their activities. There was a wonderful meeting held on August 3rd getting together a star-studded cast of players to discuss implementation.
Just last week there was a second meeting focusing on mapping measures and sources into the domains and sub-domains, and the key questions they are considering are — are there sub-domains that need to be added, what are the existing metrics that people have used and are well tested as measures for the sub-domains, do new measures need to be created, and what are the criteria for measurement.
One of the outcomes of that meeting was a desire for identifying resources for the partnership to really catalog what existing measures are for the domains and sub-domains, sort of building on the work of our environmental scan that Gib Parrish has done for us.
If any of you are interested in working in their activities, I’m sure they would welcome more input. Feel free to give me a contact.
DR. STEAD: Thanks, Bruce. One of my thoughts that I mentioned to Bob yesterday was it might be possible to take a Wiki-like approach to allow them, as people identify metrics that they’re working on in their relationship to domains, to have a way of reporting those linkages so it, in essence, becomes a community aggregate effort instead of a top-down cataloging effort. Because it’s hard for me to imagine at this juncture how a cataloging effort could go much beyond what we did with the environmental scan, which was just enormous.
You may want to discuss that within the Pop Health Subcommittee.
DR. COHEN: Thanks. I think that’s why Google Docs was invented.
DR. STEAD: Very good. Dave, would you like to introduce yourself?
DR. ROSS: Sure. Good morning. Dave Ross, Task Force for Global Health at Emory University, member of the full committee, member of the Population Health Subcommittee.
DR. STEAD: For the new members, we have this block where, as members of NCVHS, we want to do outreach to help the community at large understand the resources that have been developed either by us or in our partnership activities. So, if you receive invitations to speak on behalf of NCVHS, touch base with Rebecca and me, but mainly Rebecca, because —
MS. HINES: You cannot represent the committee except as a committee member, so we pay your travel even if they invited you, et cetera. We just want you to be clear that there are rules around representing the committee.
DR. STEAD: There are rules, but those rules are not intended to discourage it. We want to actively encourage outreach, because if you read our charter, it’s very clear that we are supposed to catalyze work in different organizations to further our mission. That is an explicit responsibility of ours, so, catalyzing is something we are supposed to do. We need to do it within the rules. And we use this block at the start of the meeting to report back so that the committee at large knows what we have done.
DR. RIPPEN: I think that, given that it is a role, we may want to incorporate that as part of an outreach strategy as we talk about each of the work activities that we are doing so that we can also have it from a strategic perspective how to get feedback and reach out.
DR. STEAD: Good point, thank you.
With that, we will move to the Predictability Roadmap, Nick and Alix.
Agenda Item: Predictability Roadmap
MS. GOSS: Thank you. Nick and I have a couple of agenda items this morning, the Roadmap and also the SSNRI letter, so I’m going to take the lead on this one but it is definitely a team effort. Lorraine is an instrumental part of our activities and she is going to advance the slides and also support the content we deliver.
A little bit of background information, especially for our new members. Some of you have probably heard this already, but for those who were not as intimately involved, let me give you some background.
For a number of years, NCVHS has been receiving feedback from the industry related to HIPAA, administrative simplification — and I should not be remiss of noting that HIPAA has now turned 21. We receive feedback from the industry that says we need greater predictability in understanding when we need to be making changes so that they can schedule resources and plan budgets, be engaged at the appropriate points in the development, as well as the adoption efforts to implement mandated transactions and operating rules. We very specifically focus on just transactions and operating rules as a part of this roadmap conversation.
With business models rapidly changing, we know that we need to have standards adopted more quickly, and we are not really sure what more quickly looks like and that is what this conversation is really about. So we want to clarify the challenges with the current process of updating and adopting standards and operating rules, and identify opportunities for improvements and develop a roadmap that we can then socialize, get feedback on and recommend ultimately to the Secretary to improve the process for development through implementation of operating rules and transactions.
MR. COUSSOULE: Just let me add one thing. Predictability we tend to think of as just so I know what’s coming and I can be prepared to better deal with it, but it also is, as the pace of change is happening faster, we can’t get the changes quickly enough. So there is also an element of this that gets into a pace question and not simply a manageability question.
MS. GOSS: That’s a really good point. For some background perspective, we chartered or scoped out this roadmap conversation a little over a year ago, enabling us to set forth on some information-gathering activities. We developed a set of questions for the SDOs, or standards developing organizations, and the operating rule authoring entities. We released those information-gathering questions to help us figure out the next step, so there is a very iterative approach to applying what we are learning as we’re gathering the information and then designing the next phase to be responsive to what we have learned.
Our information-gathering process did produce a pretty impressive grid. There is a big poster that has the results of that information and really reflects a number of questions regarding the attributes of the organizations, and the scope of the organizations include CAQH Core, HL-7, NACHA, NCPDP, X12 and Health and Human Services, the CMS regulator side of the house, and also included the Designated Standard Maintenance Organizations.
That kind of gives you the lay of the land in that information-gathering grid. We then supplemented the fact-finding instrument with actual conversations with each of the organizations, enabling us to fill out that grid and also get their feedback in finalizing that as sort of a baseline set of details.
The work in June and July of the information-gathering and discussions led up to a workshop on August 21st which was actually HIPAA’s birthday, not just the lunar eclipse.
MR. COUSSOULE: I would just add one thing. The grid is linked in the agenda. It is very difficult to read as projected on the screen. In fact, it would be impossible, which is why we are not projecting it on the screen. The document printed out on an 11 by 17 is readable, but there is just a lot of information. We believe it’s a good way to present it so it’s a useful document for you all to look at and reference, but it’s just difficult to see on the screen.
MS. DOO: It is also on the NCVHS website.
MS. GOSS: The length of time that we have spent talking about increasing predictability and reliability and the lifecycle of standards and operating rule adoptions goes back to when we first adopted HIPAA. Having sat on both sides of this table as a testifier and now as a member, I have been a part of that effort. The longstanding history has really enabled us to identify a number of issues and opportunities, but we also felt that it was time to say, okay, we collected what’s wrong with the system and what do we want to change and we needed to step into a conversation about what was the possibility in front of us.
So, on August 21st we had a workshop here at HHS. This was a workshop that was really supported extensively by Lorraine and all of her various talents including her ability to facilitate an appreciative inquiry session that was really something that was a different approach to how we can tackle what are the possibilities and how can we imagine a future that is different from today. Quite frankly, it brought a breath of fresh air into the conversation because it has just been so longstanding.
Do you want to cover what AI is really quickly, Lorraine?
MS. DOO: Briefly. Everyone has been through visioning exercises in their careers and change management attempting to address issues in their organizations when looking at making modifications or trying to do something new. Appreciative inquiry is simply one of those, but it looks at things from a positive perspective.
I don’t think we chose to use this particular slide, but the two words, appreciative inquiry, are critical in the methodology. Appreciate is you value what you have and you look at things from the positive perspective so you find the value in things, and inquiry is to question or to inquire what you have that you can incorporate into making positive change or what you can do to understand what the issues are and to explore what the next steps might be.
So, the cycle of appreciative inquiry is slightly different and it does take people through these four phases of the exploration, which is what is showing now, which is discovery of what we have been and what we like about what we have been and what are the best practices from any of the organizations or the individuals that are participating, and then dreaming about what could be and how it could be if we took those best practices and imagining what it could be.
It does take some commitment from everyone who is there to really participate in that way, which typically people are always willing to do.
Then, design it. What would it look like if we used those best practices? But, in the design phase you really go to the extreme, so you are also looking at a future — oftentimes 10, 15, 20 years into the future. So, if we really did it right, what would it look like?
And then you go into the destiny. If we make a commitment, what in those small incremental changes we need to make — what will it look like for how we would actually do this in our destiny? So that’s what we did, but we used tools that help also take people out of their comfort zone, so we used play dough, pipe cleaners and Legos and fidgets. And I don’t still understand fidgets and I still have two unopened boxes at home.
MS. GOSS: The next line is actually some of our themes that came out. This is a summary of the primary themes that we heard from the workshop. There was a lot of agreement that we do need to change the system. There are some parts that are really working but there are some things that are not working.
We will start with streamlining the process. Everyone agrees it’s time to make it work more efficiently. What I am going to cover is some of the highlights that went along with each of the themes, and there are six of them, as I noted.
For streamlining the process, a coordinating committee to review and test the standards and operating rules, or kick the tires, was proposed.
The need to align the adoption process with the development and update process. For those of you who may not be as intimate with the process flow, there are standards and operating rules development organizations that receive business requirements and data needs that result in the morphing of a baseline standard or implementation guide or operating rule, and once they develop the new specifications, they then go through a series of review gates to the point where they come ultimately here to NCVHS and then we recommend them to HHS so that CMS can then get a proposed rulemaking out. That then leads to a public comment period and a final rulemaking, and, thus, implementation commences. There are some duplicative steps across those big buckets which is what we have an opportunity to align and make more efficient.
The concept of how many changes do we really want to worry about adopting at one point, and do we want to wait for a big number of changes until we adopt something or should we do it in smaller incremental, more predictable updates, maybe annual updates — that really works with the rapid cycle development that is more of the norm today and was one of the highlights that came out of the session.
Feedback was that more frequent updates to the operating rules that are the business aspect of constraining those transactions to get more commonality about their usage and more benefit out of them might be beneficial.
I will keep going unless anyone has questions.
DR. ROSS: The last two bullets under Streamlining — I’m sorry I wasn’t able to be at the meeting. Smaller number of changes but then more frequent updates — are those in conflict?
MR. COUSSOULE: Let me comment on that. The idea is it is not the number of changes that get implemented in any given release or update, so the idea is do I wait and do 100 changes all at once every three years or do I try to do 10 a week, and where in between should that lie. That’s the idea behind it.
DR. STEAD: You might word that as frequent small changes.
MR. COUSSOULE: We can certainly clarify the wording.
MS. GOSS: I think there is also a distinction here between there’s a technical report or implementation guide that is the Uber set of rules, and the operating rules help constrain that and bring more of the efficiency through businesses and trading partners agreeing to say, okay, we might have this robust set of functionality but we’re going to play with this set, and we’re going to focus here and get more business value out of it. So think of there are two pieces that really work in tandem through the standards transactions and the operating rules.
I see part of that is the difference in the different technologies we’re using.
MS. LOVE: When you say changes, it’s the operating rules, not content. So, changes to the operating rules, small or large.
MS. GOSS: Smaller number of changes in — When I see that third bullet I’m thinking EDI transaction sets, whether it’s NCPDP or X12. When I hear more frequent updates for the operating rules I’m thinking that’s the business content. It’s not changing the foundation of the transactions that were adopted; it is actually enabling business to morph the rules that they choose to apply in constraining the total functionality of the EDI transaction.
MS. LOVE: Okay. But not data element.
MS. GOSS: No. Operating rules — don’t monkey with that. They work within the framework.
MS. LOVE: Okay. That’s all I need to know.
MS. GOSS: The second theme was that there needed to be changes to the federal processes. The highlights were the federal adoption of a floor versus a ceiling for standards for standard compliance. Do you want to speak to that one?
MS. DOO: I think, in this case, what they were getting at was that the government would adopt a base of a standard and allow the industry more latitude in adopting a higher version if they wanted to between willing trading partners so that, if a new version came along and entities wanted to use that, they would be allowed to. That would also enable industry to move forward at a faster pace and they wouldn’t be constrained by the fact that a new regulation was not available.
So, here’s Version 3.0, but then the next year Version 3.1 is now available and they would be allowed to use that between willing trading partners. So it was not the top of something that was available and they were prohibited from using it and a complaint could be filed.
MS. GOSS: The idea also of enabling multiple versions to be supported and almost authorized for use was another concept that went along with setting the floor but not stifling innovation.
One of the things we heard was it’s about the data. It shouldn’t necessarily be about the transport or the structure, and that maybe we need to look at adopting transaction standards that are agnostic of format, which doesn’t necessarily make sense to some degree. But if you think more about the data content that we want to get moving across the pipelines to enable business and clinical functions to occur, we don’t necessarily need to be specific to say it has to be this kind of technical format. Maybe we need to elevate our thinking to look more at the datasets that need to be shared, and that might enable us to keep better pace with the emerging technologies and the way we exchange information in today’s ecosystem.
The fourth theme was about sufficient representation and engagement of all stakeholders in the development of and updates to standards and operating rules. The reality is that a very small number of industry participants actually show up and actively participate in the development of the transaction standards or the operating rules, so there is a small number of people who are actually driving what the rest of the nation is going to end up adopting and implementing. If we could get better representation at the various points in the process, we might have — and, to some degree, even earlier in the process — we would have greater predictability and a better end product for adoption.
MS. KLOSS: Alix, can I just underscore that? I think the people who have to implement and people who are the process owners are not necessarily at the table because their organizations can’t send them off to multi-day standards meetings. It is just not possible. So there has always been this struggle — and it’s a struggle for the SDOs. They would want more front line people there, but it’s just a chronic issue.
MR. COUSSOULE: They also tie together with the idea of significant testing before they roll out, and if the standards are developed without the implementers involved the testing is going to find a lot more problems, which is going to increase the timeframes and make the releases slower. There’s a cascading negative effect on that. So trying to figure out a way to get all the involved parties and impacted parties earlier in the game is really the thought process there.
MS. GOSS: And this also goes along with the point about streamlining the process and some of the federal changes. A number of the players in the industry do not pay attention until the proposed rule for adopting the next version comes out, and, at that point, the standards development process and operating rules have really — they have moved on. They are like several versions from what’s being recommended.
So, people are not paying attention without the federal hammer but they’re missing the really important place to participate not only from a quality and preventing things from being discovered at the testing phase or implementation phase, but their voice is just missed. It’s a challenge because you need a lot of different players participating in the development discussions. But, to Linda’s very important point, businesses cannot afford to pay to participate, to send people to participate and take time away from their other business responsibilities to influence that development cycle, and it has been a huge challenge.
The fifth theme is about improvement in data cohesion. This is about a data dictionary to enable communication across all the standards and the operating rules, and discussion about creating a data coordinating committee to oversee the variety of projects including the ontology with UMLS.
We know that we have a learning health system that has a lot of different data needs, whether you’re in an administrative financial world or a clinical world, and we need to make sure that all of those pieces are fitting together and find a better way to manage that globally for all the various streams of business and data needs that we have.
MR. COUSSOULE: The only thing I would add to that is if we truly start thinking about interoperability and the merger of clinical and administrative transactions, this really becomes critical to being able to do that effectively.
MS. KLOSS: And just like the challenge in local groups who have EHRs and different definitions of things in different systems — the example that came out was how many times do we have to define sex across systems. Every SDO deals with these kinds of issues.
MS. GOSS: And how many code values do you have for that. And I think that the aspect of convergence is a really important one from our long-term visioning perspective, so I’m very excited to have some subsequent discussions here in the next day or two about the linkage across the various work efforts of NCVHS because it really needs to all come together to enable us to converge the various business, clinical and technical functions that we have in the healthcare system.
One of the challenges we have is that not everybody is obligated to play by the same set of EDI transactions and operating rule standards. The definition of a covered entity includes providers, payers and clearinghouses today and that leaves out vendors, practice management systems and vendors, and that is a challenge because not everybody is obligated to play by the same rules.
Next steps — The hearing on August 21st has given us a lot of food for thought. We need to continue with our review and analysis of the feedback that we received. We want to do more extensive outreach including to the users of standards and operating rules, and I think also we want to look to our clinical partners in the EHR world because I think if we are going to focus on the concept of convergence and bringing value and interoperability we need to factor some of those dynamics into our larger thinking for opportunities, options and impacts.
We want to certainly get validation from the workshop participants and, I think, all of the organizations that have been on this journey with us and all the additional attendees who thought the topic was interesting enough to come to D.C. and spend the day with us in the workshop.
We want to do some — we had thought about doing a hearing in November, but at this point I do not believe that we’re looking to do that. We will likely need to do some more engagement with the industry. But what we really need to do first is give the subcommittee some time to kick the tires on what we heard and come up with options related to these themes to come up with some very crisp recommendation or concept areas that can be vetted that will ultimately lead to us working with the full committee to advance recommendations to the Secretary.
Deb, you are on the phone and you were also in attendance at the workshop. Do you want to add anything?
DR. STRICKLAND: I think you have covered it well. It’s the same story we have heard over and over, as you said, for a decade or two. Things are broken, not working, and I think the group we had compiled was a good group. It was, of course, the same suspects that we always hear from, but I think we made good progress.
I love the concept of the AI and the brainstorming that we were able to do. We had a lot of really active and focused discussions. I think it was actually a really good outreach, and I think that was very valuable for both the committee as well as those that we invited. So I thought it was a really good experience.
MS. GOSS: Thank you. Bill, do you have a question?
DR. STEAD: For those of you who didn’t know, I participated as a generalist and I did find the process to be very effective. One of the key pieces was that each of the tables actually put together, if you will, people from different perspectives so that you really did have to use the exercises to try to get into each other’s head in a very useful way. You couldn’t make any progress sitting in a corner. I do think we have a palette of good ideas.
The thing I would like to help us figure out collectively is how to turn this into a set of alternatives. For example, I would think we could now draw a picture of what might be an aligned development and adoption cycle. And maybe there are two alternatives, but that would be one picture.
Another picture of — We are, on one hand, increasing scope enormously by saying we want to work across clinical administration and saying we want to coordinate standards and operating rules. So, on one hand we’re increasing scope in an effort that is already struggling with scope. So we are then proposing ways to deal with that at scale, such as versioning, such as decoupling content and syntax. So I think we need to get some of those pictures that actually would create a straw person that would let us have the reaction.
I am in total agreement with you — we are not ready to go to a hearing at this juncture. I guess what I would encourage us to do is to be intentional in how we try to develop those straw person building blocks of what a predictable system at pace might look like.
One of the things we could consider — we have got the November time on our calendar, so we could think about how big a block of that time would Standards like to actually build these models, if you haven’t had time to build them before then. That could be something we could do.
MS. GOSS: Can I clarify? Are you indicating that we are having a face-to-face meeting in November?
DR. STEAD: No. What we attempted to do is to hold those two days on all of our calendars, so, in theory, we in fact have the time in a way — because calendaring is the biggest barrier to work.
One of the things we are going to want to do is strategically figure out how to use that time to the degree we have kept it free — probably virtual, not face to face but whatever blocks. We could do any number of things we want to do, but one opportunity would be to actually have a block of work to do this kind of thing.
MS. GOSS: I am hopeful that, through our subcommittee standing meetings every two weeks, we will be able to iterate through a brainstorming activity to come up with options for each one of these themes, including some additional outreach potentially to organizations if we need further input — maybe leading up to the November idea.
Are there any other questions?
DR. STEAD: Okay. Are people good with where we are and they feel they understand what we have learned to date?
MS. GOSS: I am good. The team is going to roll up their sleeves, dive deep into options and we will be back sometime the end of the year or beginning of next year with some core things for the full committee to help us further kick the tires on.
DR. STEAD: We may want to be intentional as we look at Beyond HIPAA, the part around covered entities. One of your pieces here is expanding the scope of covered entities.
MS. GOSS: And on that we have made recommendations to the Secretary already as a part of our review committee, so it would be further probably collaboration with our CMS partners on what they may be doing.
DR. STEAD: Right. But what we did with the review committee was state we had a problem. One alternative to that problem would be to expand covered entities. There could be other ways to achieve the same intent, and those other ways might connect to the Beyond HIPAA conversation. Expansion of covered entities may be a blunt instrument and one that is difficult to achieve; therefore, if in the Beyond HIPAA work we can figure out alternative instruments that would achieve the same effect but not be as difficult to do, there might be an opportunity there.
We are ahead of schedule, which is good. Do we want to move ahead to the discussion of the Social Security Number Replacement Initiative and new Medicare Card Replacement Project? Alix is saying yes. Okay.
MS. GOSS: I think this one is going to be hopefully pretty straightforward. We have gotten a lot of good feedback in iterating the letter already.
Agenda Item: Action Item: SSNRI/New Medicare Card Project
MR. COUSSOULE: You all have in your book and on the screen now the draft letter to the Secretary in regards to the committee’s feedback on the CMS transition from using social security numbers to a new Medicare beneficiary identifier. I am not going to read every line on this page but I will go section by section and ask for your feedback with a brief overview.
First, in lines 13 through 20 we basically introduced the committee and its role, as we do in all of our correspondence.
Line 21 starting the section with the SSNRI New Medicare Card Initiative, that tries to outline what is actually happening, the actual change that is being made by CMS. Any feedback on that section at all?
Okay. I will go on to the next section starting with line 28, which is that we had CMS come into the February meeting earlier this year and brief the committee regarding their plans. It outlines that as well as some concerns that we raised during that session. Any questions?
DR. RIPPEN: Actually, it’s not really with that section. I guess I’m used to people who have limited time, so I would just recommend, since you have such an amazingly brief and very succinct paragraph that describes what it is and that this is the recommendation, that you consider moving the recommendations right before that section. Because it’s a multiple page letter, so it’s just something for consideration. Afterwards, it’s more background. I’m just trying to cut to the chase. It’s a style thing.
MR. COUSSOULE: I understand. I just wanted to give people an opportunity to weigh in and make sure that the background and structure and what we have accomplished is clear.
DR. STEAD: Let’s work our way through the whole thing and make sure we like the content and text, and then let’s come back to Helga’s question at the end of whether we want to pull the recommendations forward so that the meat is on page 1.
MR. COUSSOULE: Then, starting on line 55, NCVHS Committee Assessment. This is as we listened to all that information and listened to our industry partners and friends as well as our own experiences, we basically made an assessment that although there is lots of good work being done we believe that there are still challenges inherent in the current process.
I will skip back from there to the recommendations. I will read those because I think that’s pretty important.
The first recommendation is the NCVHS recommends that CMS implement a more robust, amplified outreach and education effort regarding the SSNRI New Medicare Card transition, similar to what made the ICD-10 transition so successful. We encourage reaching out extensively and repeatedly to all parties impacted including beneficiaries, payers, providers, intermediaries, researchers, states and territories, software vendors and their relevant associations.
I will make a couple of brief comments about this. There is a reason that there are so many different parties listed in this. It’s because there are so many different parties potentially impacted by this, so we wanted to make clear not only that the outreach was extensive but, in fact, how complicated the outreach could be.
The second recommendation is that NCVHS also recommends that CMS provide online testing capabilities for all parties that transmit directly to or receive data directly from CMS. This will also provide an opportunity for operational workflow implications to be identified and addressed, for example, for use of the cross-walk lookup and support to beneficiaries. Again, similar to what made the ICD-10 transition so successful, this end-to-end testing helped to answer many questions and alleviate issues before they became live implementation problems and impacted individuals directly.
Then, to reiterate at the end — and I think this is important as well — we are impressed with CMS’s work, so we are by no means trying to indicate that there isn’t any good work happening here. There is a lot of very good work happening here, but we believe that there are still some challenges that they could improve with the recommendations stated above.
Sincerely, William W. Stead, M.D., Chairman.
MS. MONSON: I have a question. I am coming in at the tail end of this and you might have already contemplated this. But when I read this I think about the big picture of, okay, when we eliminate the use of social security numbers are we going to have any contemplation of what happens with all that data that’s sitting in those systems? If that is not part of what is addressed it’s going to continue to create significant risk to those patients.
MR. COUSSOULE: I guess from my perspective, I think that is a very good question. It really is not part of what we were considering in this exercise. It was more about how is this transition going to be successful as opposed to how to mitigate any kind of lingering or ongoing risk.
It is certainly an important other topic but it really wasn’t something we were trying to address.
MS. GOSS: This letter is actually in response to the June NCVHS meeting where we had a further update from the SSNRI folks, and it was felt that, although the efforts that CMS is putting forth are good, there was a lot of concern that people were not aware of the initiative and to think about those kinds of issues, the downstream implications of changing the SSN to a Medicare beneficiary identifier for use in Medicare, EDI transactions. So this was really geared towards responding to that need of wider awareness in the industry.
DR. COHEN: I really agree with your comments. I think another important recommendation would be considering, as implementation unfolds, the implications for a variety of systems that rely on the social security number and whether those systems are affected.
MS. GOSS: Are you talking about systems as it relates to Medicare’s scope of responsibility or the ancillary systems?
DR. COHEN: I don’t know whether if Medicare isn’t requiring social security card numbers, will social security cards be issued through the enumeration of birth process? Will they be used in NDI, and what the level of support will be for ongoing social security card use.
There might not be any impact because there are separate systems and we rely on social security cards for a variety of other uses, but there might be some impacts. We just don’t know. And I think it’s important for us to call out the fact that we need to follow carefully what the potential impact will be on the use and protection of social security card information.
DR. STEAD: Let me make a process suggestion and see if people are comfortable with it. Our objective with this letter is to raise awareness by the Secretary and within CMS of the need to make sure this really is on the radar screen of all the people that are going to be impacted by this change at the moment of the change.
Right now, we are trying to write a letter that is very time sensitive and trying to avoid potential unnecessary problems. Those of us who have asked questions of people — the lack of awareness of this in many organizations that are going to be impacted is extreme. From a process perspective, I would encourage us to try to keep this letter narrowly focused on that object.
What I am hearing both of you raise are important questions that are beyond what we are trying to do in this letter that we may need to get input before we comment on. The kind of questions you are raising might be ones we ought to address in a block of our November time if we could, for example.
I am just trying to suggest, if it’s okay, could we narrowly focus this letter on the heads-up that we are trying to give, because April is upon us, and then come back and work the other related issues, or is that unwise? I just put that out there.
DR. COHEN: I accede to your wishes, sir. I think that is a reasonable strategy, but it’s unclear what the ripple effects will be. At some point, somebody has got to be paying attention to that.
MS. GOSS: People can’t even think about the ripple effects if they don’t even realize this is happening, so we need to get that broader message out. At least in reading the transcript from the June meeting that I missed, we have responded very aggressively in trying to get this letter crafted, edited and ready to go to the Secretary because we want to get that drum beat louder so that people can actually start to have those conversations.
I think there is such a diversity of the impacts among trading partners. Until they start having conversations with each other we are not going to be able to get the arms around these important issues you bring up.
DR. STEAD: So far — and we can enumerate others that we want to come back to. So far I have heard two — the lingering risks of SSNs in databases that already have them, and the other is level of support for the SSN number process, in essence, such as enumeration at birth. And maybe we want to list other things that are beyond this immediate heads-up.
DR. CORNELIUS: I have been reflecting on the conversation that has been taking place. I would say that from a consumer point of view, this whole issue about the social security number versus the Medicare card for beneficiary survey is a real big issue, and I am with Alix about how we need to get out in front of this in terms of creating a space so that we have as wide an input on this issue as possible.
DR. STEAD: Thank you, Lee.
MS. BEBEE: This is Susie Bebee with ASPE, and staff to the Subcommittee on Standards.
One thing that I think might be added to this letter is the time sensitivity of this. I don’t read within this letter any dates. When you look at when this needs to be done, it is not really conveying that dire message, so we might want to say something in 1 and/or 2 that this needs to be done because it is coming, and be specific to a date.
This is one of those things if you’re reading it and you don’t have much time, you go right to the recommendations. Let’s repeat it.
MS. GOSS: It would be most helpful if people could give us specific text that they suggest that maybe we would modify. I realize we’re doing this on the fly.
DR. STEAD: We have time because we have 10 more minutes before we take a break, and then we have another hour to get this right. So we have time.
MS. KLOSS: To Susie’s point, I would perhaps go right up to line 15 and say this letter conveys urgent or time-sensitive recommendations.
MS. HINES: So, do we want to say urgent or time-sensitive?
(General agreement on time-sensitive)
MS. BEBEE: That is broad. Do we have the date?
MS. HINES: As of April 2018, at the end of line 18. Beginning in April 2018.
MS. BEBEE: I really don’t think it is unreasonable to repeat that. Repeat it down in the recommendations so if they don’t get it there they get —
MS. GOSS: I agree with Susie.
(General discussion.)
MS. KLOSS: What about putting in the first line, recommends that CMS implement an expedited and more robust…
DR. STEAD: How about, NCVHS recommends that CMS implement an immediate —
MS. DOO: Just FYI, I sit across from people working on this card so I have some information. They have begun this program. For this line, do you want to say well in advance of the implementation date, or immediately? This letter is going out, so do you want to say now, immediately, or — because they have already begun. They are on TV now. They are going to consumers, and we’re addressing communication to all parties.
MS. LOVE: I feel like if I were a CMS staff and I read that — I mean, we’re bombarding the air waves. More robust? What do they mean by more robust? I’m saying that there are targeted groups they aren’t reaching but they do have a robust —
MS. KLOSS: I think it is pretty subtle. I have been watching these ads about fraud and they’re combining it with that issue, and then at the end they’re saying new cards will be coming in April. If I weren’t attuned to this issue I would have missed that.
DR. STEAD: I know we are just one large health system and we are in the middle of implementing a largely used EHR, which is diverting our energy, but I basically have asked the people that should be responsible for responding to this and they’re basically saying we are assuming the EHR vendor will take care of it. And I say, what about the people, the patient service reps, in the clinic. There is no education planned for what this new card will look like and what to do with it.
As best I can tell, that is pretty common. Is Sutter in a different place?
MS. MONSON: No. That is exactly the place we are in, and had I not joined this committee, Sutter wouldn’t know anything about it.
DR. STEAD: I think that’s the problem we have, so let’s figure out what the right strong language is here. NCVHS recommends that CMS immediately implement —
MS. DOO: Can I say, an explicit and more robust, to address Denise’s?
DR. STEAD: Go up to line 77.
MS. LOVE: I had a problem with “more robust” because I just feel like that is judgmental.
(General discussion)
DR. STEAD: Do you want to say “an explicit and amplified” —
PARTICIPANT: They need to turn up the volume.
MS. DOO: It sounds like you’re looking for a more comprehensive — that you want more staff-based —
(General discussion)
MS. LOVE: The states are already having calls about this because they can still require a social security number in their laws, but will the providers say we can’t provide it because Medicare — It’s creating this ripple out into the community already and uncertainty.
So target it to the audiences.
MS. GOSS: I think we take out “robust.”
MS. HINES: Yes. Just say more comprehensive, amplified outreach.
DR. MAYS: Do we need to give them examples of who, because they think —
MR. COUSSOULE: It’s given in the next sentence. “… repeatedly to all parties affected including beneficiaries, payers, providers, intermediaries, researchers and territories.” It’s a very broad mix.
DR. STEAD: Do we dilute the thing by having “similar to ICD-10” in that sentence?
DR. RIPPEN: I think we take that out.
MS. KLOSS: I do think it dilutes it here, now that I read it, because that wasn’t exactly, in everybody’s mind, flawless.
MS. HINES: And it’s on line 48.
DR. STEAD: I think the people we have talked to said this is very different from ICD-10, so I think we’re talking about the wrong thing. I think taking that out actually —
MS. GOSS: However, it’s a workflow, internal staff aspect. It’s very similar to ICD-10. With ICD-10 the challenges of people figuring out what do I do with this, how does it impact what I do on a day-to-day basis —
(General discussion)
MR. COUSSOULE: I think we already covered that aspect earlier in the lead-up, so, leaving that out of the recommendation I don’t think is detracting. In fact, it makes it clearer.
DR. STRICKLAND: We say software vendors and relevant associations and stuff, but I think if we mean EHRs then we should say it. And if people are relying heavily on EHRs to disseminate information and we think that’s a problem, then we should say it specifically.
DR. STEAD: It’s not just EHRs.
DR. STRICKLAND: We’re saying all these things but they may actually miss the boat of what we’re trying to do.
DR. STEAD: Let me just try to drive for one second. Line 77, NCVHS recommends that CMS immediately implement a comprehensive — let’s delete the word “more”, and we can leave “amplified” — outreach and education effort regarding the transition.
Then let’s kill “similar to ICD-10” — and then I would say, specifically, the committee —
PARTICIPANT: Or CMS should —
DR. STEAD: Okay. I think the more specific we can be the better. Specifically, CMS should reach out extensively and repeatedly to all parties impacted including beneficiaries, payers, intermediaries, researchers, states, software vendors — do you want to put after “software vendors” paren, (electronic health records)?
MS. GOSS: I wonder if, with the removal of the ICD-10 aspect which was really a workflow dynamic, if we have an opportunity to address the comments from Jacki and Bruce earlier by adding a sentence at the end that speaks to, to promote their awareness of this and their ability to engage with their trading partners as maybe something a little bit more robust to try to force people to think about this is just not —
DR. STEAD: I think I’m hearing you say that should be a new next sentence.
PARTICIPANT: On the relevant associations, now with the ER it needs to go after “researchers, states, territories, relevant associations” and then the software vendors, because you broke up —
MS. DOO: Right. I thought relevant associations needed to go with providers.
PARTICIPANT: Oh no; it needs to go with states and territories, too.
MS. GOSS: It goes with all of it.
DR. STEAD: We have reached the time for our break and we are blessed because we got started earlier. Let’s take the 15-minute break and maybe toward the end of that we can try to cobble together the next sentence. We’re very close. We will take the break and reconvene at 10:30.
(Break)
DR. STEAD: We have now streamlined the first two sentences. We have not put in the details about the software but we can hold that. Do you now want to suggest the workflow sentence?
MS. GOSS: I have something to start with but it’s half-baked, but let’s start there. What I’m thinking is the key is we need people to start talking among themselves to figure out what does this mean in their environments and their systems. So, is it really that if you do more comprehensive amplified outreach and that you get to all these people, the end result will be — is sort of what I’m trying to get at. So, something like the result would enable entities and their trading partners to explore and address workflow, technical and operational issues resulting from SSNRI.
I am not happy with this sentence at all but at least it’s a starting point.
MS. KLOSS: I like the back half of it. Could you just say, these stakeholders must have time to —
MS. GOSS: Yes. These stakeholders must have time to explore the implications of this change.
MS. KLOSS: To plan and manage.
DR. STEAD: First, they actually need to understand that they have got to do this. These stakeholders must be made aware —
MR. COUSSOULE: Must be made aware of the change, understand the implications and prepare themselves.
MS. HINES: That’s perfect.
DR. STEAD: Let’s try to get that thought.
MR. COUSSOULE: — and implement the necessary changes.
DR. STEAD: What I was wondering is — understand the implications for workflow, operations and systems.
MS. LOVE: But, for public health it’s not even a workflow issue; it’s their whole infrastructure.
MS. HINES: So, workflow, operations, infrastructure?
MS. GOSS: We are not going to be able to cover every situation so we need to make this broad-brush stroke to force people to get into the conversation and figure out what it means to them.
DR. COHEN: Operations covers it because that’s how they do business.
MS. LOVE: I like just implications.
MS. GOSS: What about “and prepare”?
DR. STEAD: These stakeholders must first be made aware of this change and the implications for workflow, operations and systems. Second, they must have time to prepare for implementation.
MS. GOSS: I really feel like if we could say “The stakeholders must be made aware of the change to understand and respond to the implications” is probably enough.
DR. STEAD: That’s good.
MS. LOVE: That’s enough.
MS. GOSS: These stakeholders must be made aware of this change to understand and respond —
DR. COHEN: Why just “these”? Why don’t we make it “all”? I don’t want to limit it to the numerated stakeholders. Or just say “stakeholders.”
DR. STEAD: Stakeholders must be made aware of this change —
MS. HINES: Comma — you said, Alix, to understand and respond?
MS. GOSS: Stakeholders must be made aware of the change to enable them to understand and respond —
MS. HINES: To their internal workflow, operations —
MS. GOSS: I don’t want to narrow it to internal because it could be you have a business associate that has the data or the warehouse or the vendors or the software that you’re using that has an implication.
MS. KLOSS: You’re going to have to modify business associate agreements.
MR. COUSSOULE: I think it just simplifies it to say they must be made aware of this change with enough time to understand and respond — or, enough time to address or prepare their business for the changes, or something like that. It could be that simple.
The idea is we just want to make everybody aware so they have enough time to understand the implications and actually adjust.
MS. KLOSS: We could get rid of the “must be made aware of” and just say stakeholders need time.
MS. GOSS: Could you undo what you just did — because I think the understanding is important. I think we need to come to some philosophical agreement before we put you through typing hell.
MS. KLOSS: If we are looking for a little more simplicity, in order to respond to the implications you need to understand them. I think we could assume understanding if you’re modifying workflow, operations and systems, so I think you could simplify it. Stakeholders need time to prepare for workflow, operations and systems changes.
MS. GOSS: Messages are going out, especially in the Medicare arena, and the fact that two health systems had no concept, that they had been notified multiple times through the MLN system — they don’t even understand it. They are not paying attention.
DR. STEAD: They don’t understand — The notice is not connecting that this is going to affect all your frontend workflow.
MS. GOSS: I think they maybe get it but they think it’s far enough out.
DR. STEAD: No. I can tell you the people I have talked to are not making the synapse of the impact of the changes. They don’t understand it. They think it’s just a thing in the system. The vendor will fix the system.
MS. KLOSS: We could add that phrase back in. Stakeholders must be made aware of this change and need time to address their internal and external workflow, operations and systems.
DR. STEAD: I think they could argue they have told the stakeholders of the change. What they have not done is communicate the implications.
MS. KLOSS: That’s true.
DR. STEAD: That’s what is missing.
MS. GOSS: And I struggle with that point because it is not CMS’s responsibility to tell each organization what this means to them. It is the organization’s responsibility to understand that Medicare, as a payer, is changing the use of their identifier, or their qualifier and identifier, and we then need to take the responsibility to figure it out. I have a hard time with that line of how far is CMS’s responsibility in this.
MS. KLOSS: I think it’s some of each.
DR. ROSS: I think as a committee we have almost a fiduciary responsibility to the Secretary to say there is an impending mess, and you have to be aware of it. The political consequence of this mess is grave. It really is. It just messes up everything.
Yes, while you would hope that CMS would raise the alarm, somebody has got to pull that chain on the train that slows things down.
MS. GOSS: I think it makes a lot of sense to toot the horn, but how far do they go with having to help organizations understand what this means to them internally?
MR. COUSSOULE: Well, it’s whether they go that far or they understand that it’s just not being —
DR. ROSS: We’re saying this is the state of the situation. People are not understanding the depth of what is going to have to happen. So, Secretary, take it upon yourself to figure out how much you have to communicate this beyond what is presently being done. Our wisdom, collectively, is to say a whole lot more.
MS. GOSS: I’m trying to figure out what that means to the recommendation text and if there’s something further we need to do with it, because it seems to me that we are wrapping up that paragraph about the implications.
MS. KLOSS: I think, not to lose the earlier thread, we could take that “must be made aware of this change” and drop it into this sentence. Stakeholders must be made aware of this change and need time to address their internal and external workflow, operations and systems.
MS. BEBEE: Linda, can I say that the understand piece I think needs to stay, from Bill’s perspective. We can hammer it away from a federal standpoint, but if they don’t understand it we’re still obligated to get them there.
DR. STEAD: That is my view and I think Alix is in a different corner.
MS. GOSS: I think that trumpeting that the change is coming and that you need to be thinking about it at a high level as something that you need to be thinking about and the conversation, and then what you should be doing to be in conversation at that high level I think is fine. My concern is about putting CMS on the hook at a lower level of trying to, by organization type, think about all the laundry list of stuff you’ve got to assess, and where that dividing line is.
So I think that with enough time to understand, I’m good with keeping that.
MS. KLOSS: Could we just add one more thing? Stakeholders must be made aware of this change and its implications and need time to address.
DR. MAYS: And I would say grave implications. To me, we’re not getting enough of somebody needs to do something; this can’t sit there for two months.
DR. STEAD: Stakeholders must be made aware of this change and its implications for internal and external workflow, operations and systems. Period.
MS. GOSS: Jacki, do we need to add the legal aspects if we’re going to have to do business associate agreement changes? Do we think that is good enough?
MS. MONSON: I think it is broad enough as written. We just need time to assess and address, when organizations don’t even know that this is coming down the pike or it’s not going to the right people.
MS. LOVE: How about the bodies of state law? That’s workflow, operations and systems and our legal reporting laws. I can’t tell you how many states have social security numbers embedded into their legal reporting.
MR. COUSSOULE: I think we’re getting a little — we need to be careful not to get caught up in broader implications in regards to SSNs generally. There are a lot of good points that have been made and that’s one of them, but it would be easy to cloud this issue with a whole bunch of other things that are systemic, longer-term, much broader issues than, by the way, we’re going to change the Medicare ID card and people aren’t going to get care or they’re not going to get billed or payments aren’t going to happen or all the other kind of things that we start looking at longitudinally aren’t going to happen.
I think it was Bill’s point earlier. It doesn’t mean those aren’t important, but they are really very different from the immediacy of this issue.
DR. STEAD: From my perch, the current text actually is pretty clean and I think gets the key pieces there.
DR. COHEN: The concept of giving them time to respond — don’t we want to include that as well? It has been eliminated from this text. That has to do with the urgency.
DR. ROSS: For those of you deeply involved in this, have there been even a few presentations or write-ups or examples of how this will ripple through — just a narrow thread, one or two examples — for a different kind of organization, for a health provider organization, for an intermediary organization of some type or whatever? Has such a thing been put out so that somebody could point to it and say this was made clear in this example that these kinds of effects will come as a result of this, and the following groups have to change? Just to make it clear and tangible to people what all is going to have to change.
MS. GOSS: I think part of the challenge here is that the concerns that I’m hearing from a number of members are ancillary downstream implications that are outside of the traditional provider-payer exchange aspect, which is that they are changing the use of the SSN as a qualifier in those transactions. A lot of the things are outside of that specific change of CMS. So I don’t know, if I’m hearing you correctly, that there is that expansive view which I think is at the crux of what people are really worried about.
DR. ROSS: That’s going to be the political fallout.
MS. GOSS: I think the fallout is when Grandma sees that card and pitches it.
DR. ROSS: This is a giant wrench in the spokes. How do you express that?
DR. STRICKLAND: Can I mention a couple things? I do know CMS has made a marked effort to try to communicate this to the industry and tried to vet out issues and concerns — entities that were not touched yet, what rocks do I need to turn and so forth. They have made presentations at WEDI on several occasions and I believe even X12 as well as the cooperative exchange. They have reached out to do Webinars and so forth just to try to communicate this information to as many entities as they possibly could.
The fact that we have large entities that have not heard this I think is of special note. Whether, Lorraine, you turn around and tell these people, hey, two big healthcare entities didn’t even know about this so we are not reaching the right people — maybe that’s the sentence that just needs to be said to these people.
But I know they have made huge efforts to try to get the message out, but, again, it’s to the usual suspects, it’s to the people who are at the gatherings that we even talk about as far as the standards stuff. It’s the usual suspects, the normal players. Maybe they’re not getting the information up through the walls of their organizations as they need to, but CMS has made efforts to do that.
I just want to make sure people are aware that they have tried to vet this at length with at least the standards folks.
MS. KLOSS: Then I think our recommendation for comprehensive and amplified is appropriate. We are not saying they haven’t done anything; we’re just saying it’s not enough.
DR. STEAD: Does anyone have a problem with Recommendation 1 as currently projected?
DR. COHEN: I just want to know whether we want to reinforce the organizations’ need to be given time to respond, or is that implicit in this? I like that language that was there before, but if folks are comfortable with this I’ll go along.
DR. ROSS: This recommendation is clear in that it’s saying there’s a need for immediate action.
MS. DOO: Debra, thank you for confirming the work that the new Medicare card group is doing at CMS, and just a confirmation for this group that you may want to go on that website to see what new information is there.
One recommendation is, since we know that there is work going on, maybe it could be to continue rather than immediately since we know they are doing work. Would it make any sense to continue or to increase — they are already doing the work. How would we say that they could do more of what they are doing? Or do you want to just continue as if this letter was sort of a new letter?
DR. STEAD: My guess is this is getting into the bottom of our organizations, to people who actually are not thinking about these broader constructs. It isn’t the kind of awareness — it’s not being broadcast to all levels of all organizations. And yes, I understand that our organizations should be smart enough to not have these problems, but that’s not going to avoid the problem. It doesn’t change the facts.
I think this is a pretty simple statement.
DR. RIPPEN: If I’m the Secretary and I’m reading this and it just says you need to implement this, and they go to CMS and they say they are implementing it — is there anything that would —
MR. COUSSOULE: We’ve got to be a little careful. We can only do what we can do. Our obligation here is based on what we have heard and seen to create awareness. We can’t force a change.
DR. RIPPEN: No. I’m just trying to highlight that if there are any words that would highlight it — sometimes there’s one word or two words.
DR. STRICKLAND: From hearing you, Nick, I think what we’re trying to say is the committee has heard of at least two large healthcare entities that have not heard of this, so maybe that’s what we’re trying to say. Somehow, they still missed it. Out of all the work they’re doing — they’re doing outreach to caregivers, to senior citizen centers, to all that kind of stuff, but somehow we still missed — and the committee knows about just two.
DR. STEAD: The thing they missed, Deb, was the implications. They actually knew that the change was going to take place. Much as the website — it actually gives you the impression that all the stuff is there you need. It’s not like — they’re not being given instructions for what the emergency kit is if you’re getting ready to evacuate for the hurricane.
DR. COHEN: So, is the focus on understanding the organizational implications? That’s what is not happening? And should that be explicit in this letter? The focus of the messaging needs to be on understanding the organizational implications rather than the fact that it’s happening.
MS. HINES: That is what that sentence now says. Stakeholders must be made aware —
MS. KLOSS: I also think the letter earlier on acknowledges what is being done. Our point is it’s just not adequate. It is all good, but it needs to be underscored that if this doesn’t get threaded through each of the organizations there could be severe disruption. And if we add anything I think that might be it, because that would be, okay, we don’t want this to be another Affordable Care Act sign-up website issue.
MS. GOSS: So we want the stakeholders to be aware of the implications to avoid disruption and impact to Grandma?
MS. HINES: Or implement a more comprehensive — Otherwise, it’s — if it’s inadequate what they’re doing now, the first sentence —
PARTICIPANT: We had “more” in; we took it out. We had more robust.
MS. HINES: So just change it to more comprehensive.
MS. GOSS: Are we good with Recommendation 1?
MS. KLOSS: I think we should not let the perfect be the enemy of the good.
MR. COUSSOULE: One thing that is a very minor thing to add is on 186 where it says that all parties that transmit — it should say “transmit data directly to or receive data directly from” just to be consistent.
DR. STEAD: Have we now killed the word again since we have taken out the — we can just have “similar”?
PARTICIPANT: Yes.
MR. COUSSOULE: I think you’ve got to change the tense then — similar to what made the transition so successful, end-to-end testing will help answer many questions and alleviate issues.
MS. KLOSS: Maybe take out “so” — made the transition successful.
(General discussion)
MS. KLOSS: Do we want to soften the first sentence to reiterate — the committee is impressed with CMS’s work to ensure a smooth transition.
I would say we could just tweak the first sentence in the next paragraph. Line 92. The committee appreciates CMS’s work to ensure a smooth transition. Recognizes. And I just think what we’re saying is but more needs to be done.
DR. STEAD: The last sentence of Recommendation 2 sort of gets at the point that the risk is mucking up the works.
DR. COHEN: I think that’s a really strong sentence in line 92 to 93. I would eliminate that “will remain abreast of developments as they unfold.” I don’t really think that adds anything.
MS. GOSS: Bruce, you’re suggesting that we have it a stand-alone sentence? Okay. My question then to Bruce would be do you want to delete it altogether or would you like to move that sentence down into the next paragraph?
DR. COHEN: I think we will do what we do. I don’t think it’s important to the Secretary to focus on what we’re going to be doing in the future. Just it’s important that he knows that this is what our concerns are now.
MS. BEBEE: The end-to-end testing, please remind me and tell me if I’m wrong, but I thought CMS said they are doing that but it wasn’t going to be enough from our perspective.
DR. STEAD: They actually said it wasn’t necessary.
MS. BEBEE: There you go. So, what I’m getting from that is they aren’t doing any and we’re saying they should do it.
DR. STEAD: We actually suggested a specific type of testing in the online testing capability. That’s a limited form of end-to-end testing.
MS. BEBEE: So, are we getting the message —
MS. HINES: Does the Secretary know that it is not happening? Is that your point?
MS. BEBEE: Yes.
MS. HINES: Yes. NCVHS understands that no online testing has been put into place and we recommend that it be put into place.
MS. GOSS: Is it that NCVHS also recommends that CMS choose to — I think the point is that they hadn’t made the choice to do the end-to-end testing, so if we say CMS needs to elect or decide to initiate something — not just provide it.
MR. COUSSOULE: Do we say we recommend they provide testing capabilities, that the current lack of testing will have significant implications, and point that out? I’m trying to understand how we would frame that. Or do we say no testing with CMS and external parties exists now?
DR. STEAD: I don’t know that we know that.
MR. COUSSOULE: That’s my point. I’m trying to figure out what we’re trying to actually —
DR. RIPPEN: I think this says what we intend. Perhaps, to get at Susie’s point, if we thought we really need to reinforce it, it’s just saying the lack of current testing capabilities will not allow one to provide — you know, so it’s the negative as opposed to the positive. The line starting at 86. That would be the only way. We’re saying currently there is no effort so we won’t be able to do this.
DR. STEAD: I am hesitant for us to make statements that we don’t know are true.
DR. RIPPEN: Well, we should never do that if we can help it.
DR. STEAD: There’s a difference between we know they are false than that we don’t know they are true.
We can make the statement — we are on safe ground suggesting they provide. If they are already doing that, fine. I think what we might want to do is just take the three words end to end and replace them with this, because what we’re proposing is a particular testing capability that would be part of a larger end-to-end testing, and we are basically saying that’s probably the most important part and reasonably easy to provide.
So, if we just took end-to-end and made it this, would that be okay? Line 89. I would just say this testing will help answer —
MS. KLOSS: It seems to me that during the ICD-10 run-up we went from doing some testing to fuller end-to-end testing through a series of recommendations, so I just am raising the question is it better to specify this approach to testing here rather than having to circle back and say that is not an adequate testing plan.
DR. COHEN: Do we know whether CMS is providing any online testing? Maybe not end-to-end, but —
MS. GOSS: I honestly don’t think that the testing — the transactional aspects are not what I think are the biggest risk. I think it’s all the other stuff that is the biggest risk, and I have been struggling with how this end-to-end testing is really going to get to it, because, typically, end-to-end testing to me is that you do a systems flow — it’s all the workflow implications and the other aspects that I think are a bigger issue. So I’m struggling with this one.
MR. COUSSOULE: I think personally this is a useful note, but the more important one is the first part by a long shot. I think the folks that are sending data back and forth probably are already in the middle feeling that. It’s the implications of the folks — What happens when I get a new card and somebody shows up in the office? Those are much broader than the actual data flows back and forth. The data flows back and forth involve payment and there are lots of people very interested in getting paid.
The other folks who don’t understand that it’s beyond that I think is where the challenges are.
DR. STEAD: Therefore, are you suggesting that Recommendation 2 be deleted?
MR. COUSSOULE: No, I am not suggesting it be deleted. I’m just saying if I’m going to really focus on something, that’s why the first one is there first. I think it’s much more important.
DR. STEAD: Then are you suggesting dropping the last sentence from Recommendation 2?
MR. COUSSOULE: No. I think it is valid. If you haven’t tested and all of a sudden you go live, there are problems. They happen naturally. So this will help alleviate some of those transactional problems, but I think the first one is —
DR. STEAD: It is now narrower than end-to-end testing.
MR. COUSSOULE: Yes. It really is the data flows that go —
DR. STEAD: Have we talked ourselves into Recommendation 2 as worded? Deb or Lee, are you okay with it?
DR. STRICKLAND: Yes.
DR. CORNELIUS: The same here. I’m okay with it.
DR. STEAD: Do we want to go back to the top for just a second and look at where that landed?
MS. GOSS: I personally am struggling with moving up the recommendations because it was designed to kind of flow in setting it up. I get that we have only got so much time to get their attention, but I’m afraid that if we start to monkey with it then we’re going to have to create a whole bunch of other set-up, unless you have a quick, easy suggestion. I’m just not able to come up with anything.
DR. RIPPEN: I don’t think people — this is just one of many things — are going to read the details. Somebody on their staff will. I think it’s about the recommendations. Again, I’m an agnostic but I just know that. Usually, if it’s on the first page they might glance at it. That’s all.
MS. HINES: If they’re worth their salt they will go look at the recommendations and skip the preamble.
MR. COUSSOULE: I think in this one it really requires some lead-in.
MS. GOSS: A compromise would be — please go back up to line 19. We say that there are recommendations and what the topic is. If they have read the first paragraph they know that they are in there, so I’m hoping that lead-in says, hey, go read page 2.
DR. RIPPEN: Or you could actually provide just a line of the recommendation — you know, urgently do an outreach, and more details are — it’s just a suggestion. I can go either way.
DR. COHEN: I understand your concern. I don’t see why the recommendations wouldn’t fit right after line 27, after essentially we say MACRA is going to change; here are our recommendations. And then the transition seems to be pretty smooth to me after the recommendations. It’s just an option.
DR. RIPPEN: And you can even shorten the recommendations in the sense of just the first line of each recommendation, if you’re worried about verbosity.
MS. GOSS: What I’m worried about is that we have 15, 20 minutes left of this and I think we want to get it approved and out today, so really how the committee feels as a whole is how we will respond.
MR. COUSSOULE: If we are going to move it, we would just move the recommendations in their entirety and put them right there.
DR. COHEN: Yes. That is what I think. Just the recommendations as they stand and then the body of the text, and then that one-sentence paragraph is the closing.
MS. GOSS: Am I correctly inferring that you are suggesting the briefing and the committee assessment all be removed?
DR. COHEN: No, no. Follow the recommendations.
(General discussion)
MS. GOSS: I missed that part, sorry. To me at this point, I think the letter needs to get to CMS because they have a lot of work to do to help people not have a train wreck.
MS. KLOSS: I would like to move approval, and then use the 15 minutes to talk about the two issues that were raised, because those are time-sensitive, too, and maybe we can’t wait until November to air some of that. Maybe we can find some strategies to communicate in other ways.
DR. STEAD: Can I suggest a slight modification to the motion? Could you move approval subject to staff deciding whether it works to move the recommendations or not? We let staff clean things up anyway, so move to approve with staff making the decision if it works to simply pick the recommendations up as is and drop them there. Will the rest of the content work? If so, I would think we could do that. If not, I would leave it as is.
But if we could move approval and let staff do that then we would go on to the questions.
MS. GOSS: I think we’re blurring the line a little bit. Typically we don’t ask staff to make that sort of editorial choice; usually that’s our direction. So I think that if we want to do that, maybe it’s Nick and I with staff do that and not put it on their shoulders.
DR. COHEN: You two can decide. I am happy with you to decide where it flows best for the recommendations, but consider putting that up front.
MS. KLOSS: I will revise my motion to move approval of the letter subject to the co-chairs working with staff to finalize the final format.
DR. MAYS: Second.
DR. STEAD: Any discussion? All in favor?
(Chorus of Ayes)
DR. STEAD: Opposed? Any abstained?
(No response)
DR. STEAD: Congratulations. Now do we want to have the discussion?
MS. KLOSS: It would be great to frame both of those areas of concern and maybe we get some ideas about what could be done even now to communicate.
MS. GOSS: Are we talking about the business associate implication? I want to know what issues you’re talking about.
MS. KLOSS: First, Jacki raised the issue of what happens to the legacy data that has social security numbers in it, and it strikes me that that might be an area for not necessarily recommendations from CMS but for some industry guidance discussion. Maybe it’s the kind of task that WEDI would take up and do a white paper guidance for healthcare organizations. I think we could do some brainstorming around that issue and think about how to move it now rather than wait until November.
Bruce, your concern was quite different; it was more concerning the social security number more broadly as it relates to beneficiaries.
DR. COHEN: Yes.
MS. GOSS: It was a beneficiary or other —
DR. COHEN: Other uses.
I just realized this is a CMS change. Will it affect Medicaid? Will Medicaid use social security number and Medicare use the new beneficiary number?
DR. STRICKLAND: Yes, it is affecting them and they all had to put in their IAPDs for their funding as well.
DR. COHEN: So, Medicaid, all the state Medicaid offices are now switching. Yesterday we heard Medicaid is trying to link to public health datasets and the linkage variable that they use is social security number —
MS. GOSS: But keep in mind, just because the EDI transaction is changing from an SSN identifier to a Medicare beneficiary identifier, it is not precluding the ability for the SSN to exist in the dataset or be retained in the systems in other ways. So it’s not a complete wipe-out of the SSN, which makes this even more confusing.
DR. COHEN: Exactly.
MS. LOVE: But there needs to be clarity that it does not preclude the collection and reporting of SSN —
DR. COHEN: Why would Medicaid care about collecting social security numbers from its recipients if they are only concerned about the new beneficiary number for claims payment issues?
MS. GOSS: This is an exchange between a provider and a patient or with the clearinghouse in the middle.
DR. COHEN: Medicaid, another primary responsibility is to provide care and get reimbursed for it. The secondary uses of their data — I don’t see them spending a lot of time chasing down social security numbers if it’s not part of their business.
PARTICIPANT: We have already heard from providers and payers that they will no longer collect social security numbers; they legally cannot do that, which is wrong. But we have had several states have payers announce this.
DR. RIPPEN: I guess there are two systems — the electronic health record and the practice management system. With regard to collecting social security number for payment, you always have to put it in because they want to know who your employer is. You always put your address and things like that.
I think the question is really why are we trying to protect social security numbers, because there is a big problem. Again, I think the balance of theft, which we know there is no safety anywhere, even credit agencies and healthcare, that tends to be now the biggest target. So I think there are nuances of — well, information will be collected on the majority of Americans anyway just because it’s collected for different purposes. So I think we have to also consider that, too.
DR. MAYS: Also, my understanding is we had someone who came in and talked with us and I can’t remember who it was — This is not an unthought-about issue, so it may be that before we do a lot of speculation about what we think is going to happen, this would be a thing where can the staff make a phone call while we’re here and let us know, and then have the discussion.
My understanding from her presentation is — because we raised that question then. We kind of freaked out, and it was like oh no, no. We’re thinking about this. So, maybe what we can do is ask if you can just get some clarity.
MS. DOO: Yes, and this is specifically — The question you’re talking about was with respect to Medicaid and they have just had a big conversation with the state, so there’s going to be some information coming out for them on this very topic. There will be some clarification for the states, for those Medicaid beneficiaries that are going to be getting a Medicare card for the dual eligibles and that population.
DR. COHEN: The dual eligible.
DR. MAYS: I would add one more thing and that is to make sure that we are not losing any linkages of data. I think I would ask that and then, if you want, the specific question to Medicaid.
DR. COHEN: So, Medicaid is just the tip of the iceberg. It’s clearly the most immediate impact for CMS. But there are other organizations and data collection systems that rely on the social, and who knows what that impact is going to be.
Have we heard from the Social Security Administration about what they think the impact is going to be? It would be interesting to see if they think this is going to have an impact on their business flow and use of social security number information.
DR. RIPPEN: Why would you think that they would? Again, they provide the social security number and it’s more employment based, right?
DR. COHEN: It’s not necessarily employment based. They try to cover the entire population to receive it. Maybe they’ll say it is not going to have any impact on them. I don’t know.
DR. RIPPEN: I think that we just have to be honest about if we are covering and highlighting fraud, prevention of fraud, and that’s why we’re replacing it. Then I think if we’re not wanting to or actually collecting it, then we can’t really say that.
I think, again, if we are going to cover these topics we have to just make sure that we address all sides, including consumer.
MS. BEBEE: An example of the impact that’s even internal to the federal government is with the National Center for Health Statistics and the National Death Index. The death certificate has, for instance, the social security number, and as far as I knew, and then I pursued and asked, there is no plan for making changes. So they are going to be greatly impacted. I am working in that capacity to work with NCHS to explore what that impact is and what they need to do.
But that is an example of the awareness that needs to be made, and going beyond that for the impact and then the implementation. As you know maybe, death certificates are a process that is between the states and the national end, and so this is just a perfect example of work that needs to be done that is outside of the realm that we think of. This is a research type of perspective.
MS. KLOSS: I hate to do this, but would it be useful to consider a third recommendation that discusses the policy implications of this, clarifying the policy implications for ways that social security number is used in public health and vital statistics and other systems?
DR. STEAD: I would encourage us not to do that. I think, one, the letter is going to have a better — This is, in essence, a fire alarm letter. It’s going to be much more useful if we can keep it focused.
I think, second, the nature of this conversation suggests to me that we actually need additional conversation and input before we frame additional recommendations. I could see us, as we think through over the course of the rest of this meeting and then we build our plan for both how are we going to use the November time and in 2018, I think there is a set of pieces around this that we may want to get the input we need to say something. But I think we have got to be careful about not saying things before we have enough information.
DR. MAYS: Maybe what we can do between now and November is to determine the very simple thing of whether or not we can contact staff at certain places like CMS, Social Security, et cetera, with just a single question which asks them the extent to which the activity of the removal of the SSN by CMS will impact anything in their operations. Just real simple. We can have staff call and get just a working sense. Then we can determine whether or not it is big enough for us to be in the middle of and give it time or, if it’s something that we really say this should be done, send the information up to the Secretary to say there are many implications of this and we feel that we just wanted to bring this to your attention and here are some of the ways it may impact.
So I think we have to decide bandwidth — how much do we want to do an investigation or how much we want to be a bell-ringer, which is just awareness.
MS. GOSS: I also think that there are some considerations as to the domains that we are concerned about and narrowing those down. This is clearly an issue that spans our various domains, and I feel like we have left the land of standards to some degree and elevated this to a population health and privacy set of concerns. Standards is still involved, but I’m thinking — this is a committee of the whole kind of work because it keeps getting more sea legs.
DR. STEAD: And I agree with that, so I think we are going to have to — We are at the end of our time. I think we will need to figure out how to gather the information and the various committees can say what they want to say relative to the space tomorrow afternoon when we’re into potential planning topics, and then the Executive Committee can decide what we want to do, what in addition we may or may not want to do. I think that’s really where we are at this juncture. I think we need to get this letter out to get the immediate action underway if practical.
So, if people are accepting of that course, we will switch gears and go to the strategic planning discussion.
Agenda Item: NCVHS Strategic Plan and Project Selection Criteria
DR. STEAD: People will recall that at the June meeting we revisited the vision, mission and strategic goals and objectives, and we got good input. That led to a couple of editing rounds with the Executive Committee, and you have all received the result of that in advance of this meeting. Let me walk you through the document as it is currently structured and remind you of the changes we have made.
The Vision we expanded to include the territories, and our focus is on improved health and wellbeing of the population of the U.S. and its territories through advances in health information and data policy.
Is that good with people?
(General agreement)
Let’s move on to Mission. Assist and advise the Secretary of HHS and Congress by convening stakeholders to identify and frame essential health information/data policy concerns and needs. The scope of the committee’s charter includes national health information policy, health data, vital and health statistics, standards, privacy, security and strategies to address these areas.
The committee’s recommendations shall inform decision-making about health information and data policy relevant to the states, local organizations and agencies and the private sector. I left out the word “also”.
So that block has been changed quite a lot to really streamline it and make the three key points.
DR. COHEN: I actually like it without the word “also”. I don’t know why we have the word “also”.
DR. STEAD: Well, because we’re advising the Secretary of HHS and Congress that we have our scope, and then our recommendations shall also inform in addition to the Secretary and Congress.
MS. HINES: I would say the Pop Health 100 Million falls into that sentence, because we have worked with the private sector and the foundations to get that done, which is very different than what HHS is doing in terms of follow-up on that measurement framework.
DR. COHEN: I know that we are doing things outside of that scope, but it’s one of our goals — It’s fine.
MS. GOSS: To me, it’s actually acknowledging that our primary audience and our responsibility is the Secretary. Everyone else is secondary — not to put them into second tier, but we circle the wagons on who our audience is and I think that helps clarify who is the primary audience.
DR. STEAD: For the new members this may sound like much ado about nothing, but there has actually been a lot of controversy about some of these points. So, trying to get them down concise and clear where we can keep them in front of us we hope will be helpful.
So, we’re good with Mission.
Then, we attempted to streamline the goals and objectives and take out repetitive words. We have a tendency to want to make sure that each of our favorite words is in each line. We attempted to strip all that out and to have all your favorite words in the right lines and we need to see whether we have in fact succeeded or not.
Strategic Goal 1 — Strengthen the data and analytic capabilities to sustain continuous improvement in health and wellbeing. Let’s walk through the four goals first and then come back to the objectives, because these work together. They are not independent.
Goal 2 — Accelerate the adoption of standards to achieve the purposes of safety, effectiveness, efficiency, privacy, security and interoperability of health data and systems.
Goal 3 — Increase access to and use of data while ensuring appropriate safeguards.
Goal 4, which has really challenged our wording — Improve health information data and policy by taking the long view.
And again for the new members, one of the things that distinguishes the National Committee from other FACAs is the fact that we are, by charter, to actually look out and make recommendations that are actionable in the near term but reflecting the longer-term trends and possibilities. That is a freedom that we have, or a responsibility we have, that not all the other FACAs have.
DR. COHEN: I have a question on Goal 3, Increase access and use of data. Should it be federal data, or is it all or any data? I don’t want folks to think we’re increasing access to private data.
DR. STEAD: In Objective 2 we say specifically, identify strategies to improve access to and use of federal data. I doubt we want to limit Objective 3 to federal data given our efforts to support communities as learning systems, but I don’t know. Let’s let other people comment.
You asked a question, Bruce, and I provided a clarification. Do you want a change given that clarification or are you good?
DR. COHEN: I have to really think about it. I’m curious what other folks have to say. I understand the uses.
DR. ROSS: Bruce, you want a qualifier to the word “data”, correct?
DR. COHEN: Yes. I’m just uncomfortable that someone will think we’re trying to insert ourselves —
DR. MAYS: I think you need to think about data in kind of its newness, data that’s derived from technology. There’s all kinds of ways in which we may want to be involved, especially because we’re talking about public-private partnerships.
Now, when you think about data, don’t think about just a survey, but it may be that we go to Google and ask Google something about — working with the data that’s behind that survey to help us do something. There are a lot of different ways in which — I don’t think we want to limit it.
I would prefer that if somebody came to us or to the Secretary and said, well, that committee should be doing X, that we would then say why we don’t do X. But I wouldn’t want somebody to come to us and say you shouldn’t be doing Y because it says in here only federal.
DR. COHEN: Yes, “federal” is the wrong word. I appreciate that, but I don’t know whether we need a modifier around “scope”.
DR. STEAD: Your question has been noted. Let’s go on around the table.
DR. RIPPEN: The only time that there is any highlight on security and privacy is only as it relates to standards in Goal 2. It appears that way just at a high level.
MS. HINES: Safeguards doesn’t —
DR. RIPPEN: Safeguards does, too. But I guess my question is, is it a core goal for us to ensure balance or whatever it is, or is it subsumed under each one as just a double-check. It goes to importance. Are we the keepers, thinking about it all the time, or is just like, oh well, and what about next Wednesday?
DR. STEAD: The question has been raised. Do you have a suggestion at this juncture or do we continue the conversation?
DR. ROSS: It may be a valid point, a good point. Is it possible in the preamble paragraph to the statement of the goals that that gets mentioned? It is in the mission.
DR. STEAD: We tried to put it in the mission, which is in fact the only preamble.
DR. ROSS: Okay.
DR. RIPPEN: It’s just how it’s put in some of the goals that just concerns —
DR. ROSS: If it was a goal unto itself, what would the goal be?
DR. RIPPEN: I understand the dilemma. If I’m reading this, what might I read into it or not or how do we serve it? I have to think about it.
MS. KLOSS: As I read these, I think it is part of 2, it’s part of 3 and it’s part of 4. Safeguards to me means privacy, security, accuracy, all of those things that safeguard data. I think we are trying not to be so specific. But, again, in 4 it comes back out in terms of data policy.
I guess I would have a concern if these were standing alone but I doubt that they stand alone apart from the mission.
DR. STEAD: As part of our streamlining we in fact tried to take out the redundancy. Particularly back then we got into criteria for selection and we just referred back to the mission, for example, and stopped repeating. This document will need to explicitly hang together the way we have tried to do it and not be picked apart.
MS. KLOSS: That I think gets at Bruce’s question, because in all of these cases you kind of want to add modifiers before “data” but we specifically did not because it flows from the mission.
DR. ROSS: Goal 1 — just indulge me for one minute on a sort of nit-picky editorial. I can see strengthening analytic capabilities, but how do you strengthen data? What about data are we doing there? We’re strengthening analytic capabilities for continuous improvement. I get that.
MS. HINES: I guess I assumed data was a qualifier for capabilities as well.
DR. STEAD: I would have thought our conversation around vitals yesterday was all around strengthening the data.
DR. ROSS: Improving data quality, precision and accuracy, timeliness — but just strengthening data? Just as an editor I’m looking.
MS. HINES: So you think data should be a qualifier for something —
DR. ROSS: Improving or expanding data needed for a learning health system and strengthening analytic capabilities is I think what we’re talking about. I have said my piece. I trust the wisdom of our Chair.
MS. KLOSS: To go back to yesterday, I think all of our discussion about improving the accuracy of the death certificate is strengthening data.
DR. STEAD: Could we say strengthen data resources and analytic capabilities? Would that work? Does that give anybody heartburn? I think your point is valid. I’m just trying to figure out how to scratch the itch.
DR. ROSS: Yes, I like that. Strengthen data resources.
DR. STEAD: Strengthening data resources is what we were talking about yesterday. The committee can make recommendations that will identify gaps in data resources that can be plugged.
MS. KLOSS: Resources give me a little heartburn. It feels to me like more data, I need more. And it’s not just that concept; it’s the usefulness of the data.
DR. STEAD: I think strengthening data sources probably addresses Rebecca’s concern. I don’t think it addresses Linda’s concern.
MS. RIPPEN: I think there may be a way to finesse it. For Goal 3, increase quality, access and use of data — that goes to our interpretation of strengthening data.
DR. MAYS: There’s a word that I’m going to propose in terms of 3, which is usability. There’s use and usability, and we do have a responsibility to think through about the data being able to have — not just count the number of people who use it but to change the ways that we’re doing it so that its usability is greater. That was part of what was in the workgroup’s charter and something it was supposed to do.
I am going to ask whether or not it is use and usability, which would go throughout, or if it’s only in Number 3.
DR. STEAD: I am not sure I understand what you’re proposing, Vickie.
MS. HINES: Are you proposing in No. 3 increased quality, access, use and usability of data?
DR. MAYS: Yes. What I am adding — Use is the actual application. You take the data and you do something with it. Usability says that before we put the data out there we think about the data being available in ways in which it’s going to get maximum use.
Part of what we have been struggling with is, for example, data being put in formats where it’s locked in — something as simple as — Are you getting it?
DR. STEAD: I think I’m getting it. Let me ask, then, because I do want to keep this from getting longer if I can. Increase usability and use of data — that would encompass, presumably, both quality and access. So the simpler thing might be increase usability and use.
DR. MAYS: And the question is, is it only — I spotted it in No. 3, but if you go back there are other places where “use” is and where it may be this phrase would also work.
DR. STEAD: Again, I think we dilute ourselves when we make the three read the same. We are actually targeting different things in the different goals, so Goal 3 is all around — usability, use and appropriate safety.
DR. MAYS: Okay. Yes.
MS. KLOSS: I think Goal 1 is about the quality of the data, the state of data. I think Goal 2 is about standards. Goal 3, the emphasis is really on access and use and safeguards and privacy. And Goal 4 is the policy. That’s how I have read it. So, if we are going to enhance our discussion about the state of data, I think it is in Goal 1.
MR. COUSSOULE: I would agree with that. I think the term strengthen is just a hard one because it’s really about how do I get more data faster and better. That’s a lot of the discussion we have had the last couple of days, which is about not only what data I get but how timely it is, how accurate it is, how I can make better use of it. If we’re trying to frame the goal around that, we have to say that without 300 words. To me, that’s the first goal as well. I just want to make sure we’re all talking about the same thing.
DR. ROSS: On Goal 1, I think of the data and analytics, two pieces. On data, it’s improving accuracy and timeliness of data and strengthening analytic capability. Those two things.
DR. THORPE: I have a slightly off-take of it. I see One and Three kind of being inter-dependent as the way we’re talking about them now. If you’re talking about strengthening data and making it better and in a timely fashion, you do want to have access, you do want to have quality at the same time. What I’m hearing and how I’m processing it is that we are trying to distinguish One from Three.
I think if we’re going to distinguish One from Three, then One should be about analytic capabilities, which is slightly different than quality and access to getting the data. But right now as it reads, I see them as being very inter-dependent based on the conversation we just had. Use, usability, access and quality — to me, that’s part of strengthening the data.
DR. STEAD: First, they are inter-dependent; that is true. I actually like the idea — whether it might work — to make Goal 1 be around strengthening the analytic capabilities and then have Goal 3 be increase usability and use.
MS. LOVE: I was going to comment around Bruce’s original statement. I don’t even know if it’s relevant anymore. I was just thinking can we do a simple fix on Goal 3 and say “increase appropriate access and use of data while ensuring relevant safeguards”. Put usability in Goal 1 because it’s a data characteristic. Well, I say utility instead of usability.
I don’t know. Under One, this is capacity. Under Three it’s access. I have a lot of really talented researchers who cannot access data and they call me —
But appropriate access — I just was getting back to Bruce’s comment.
DR. MAYS: I am still lost as to where usability is going to have a home.
(General discussion)
DR. STEAD: Let’s try to come back and see if we can get high level agreement on the purpose of each goal, where Linda was trying to take us.
MS. LOVE: By the way, I think these are great and I wish we had had these two years ago.
DR. STEAD: This is hard work but it’s useful work. Is Goal 1 about data, whatever the right word is, and analytics, or is Goal 1 about analytic capability? Do we want both in Goal 1 or only one in Goal 1?
DR. COHEN: I think both. We need both.
DR. STEAD: So we want to keep both in Goal 1. Goal 2 I sense we are all okay with. What’s the purpose of Goal 3?
MS. LOVE: Access, use and safeguards, stewardship.
DR. COUSSOULE: Let me be clear on what I just heard. Goal 3 is to increase access while maintaining safeguards, right?
DR. STEAD: He’s saying access, use and safeguards, however we do the work. Does that mean usability goes in Goal 1?
MS. LOVE: Yes.
DR. STEAD: Okay. So Goal 1 is both data and analytics and Goal 1 is where we put usability.
Goal 3 is going to be access, use and safeguards. Do we have agreement on that?
DR. MAYS: I don’t want to be difficult, but what do you mean by safeguards?
MS. LOVE: Privacy, security, confidentiality and there’s a data quality dimension and de-identification, frameworks. It is the first question that Bruce led off with — is the privacy stuff strong enough.
DR. MAYS: So my question is — and we keep raising this question — do we need to do anything that makes it clearer that that is the ground that we cover? You have to then go to the subcommittees to see that we do that.
I’m just trying to make sure that the person outside reading it gets it —
DR. STEAD: Go back to the mission.
MS. LOVE: What Goal 3 is really getting at to me is analytic interoperability, but that’s a little out there. But I’m fine with the way it is.
DR. STEAD: We have attempted to make the mission up one level from the goal. I think we are okay with the mission. Let’s come back down. If we think we have got agreement on the purpose of the goals, let’s see if we can word them. Do you want to have strengthen —
DR. COHEN: I was going to say data usability. Is that okay with you, Vickie?
DR. MAYS: Yes. Thank you.
DR. STEAD: What do you want to do, strengthen or increase, improve?
PARTICIPANT: Strengthen.
DR. STEAD: Strengthen data usability and analytic capabilities to sustain —
DR. MAYS: I would say improve. Strengthen I don’t know. Improve is serious.
DR. STEAD: Improve data usability and analytic capabilities and sustain continuous improvement in health and wellbeing. Do we have that sold?
Okay. We are good on Goal 2. Now let’s come down to how do you want to word Goal 3. Linda?
MS. KLOSS: I’m good with it.
DR. COHEN: Again, there are appropriate safeguards but not appropriate access?
DR. STEAD: What somebody suggested was increase appropriate access and use of data while ensuring relevant safeguards.
DR. COUSSOULE: You could actually say expand instead of increase.
MS. HINES: Expand access and use.
DR. STEAD: Expand appropriate access and use of data while ensuring relevant safeguards.
MS. KLOSS: Very good.
DR. MAYS: Good.
DR. STEAD: Are we satisfied with the four goals? If so, we can begin to look back at the objectives under each goal.
DR. COUSSOULE: When I think of the first goal, one of the topics that we spent a lot of time talking about the last couple of days was making sure that we gather enough of the right data and it is of high quality. Is that reflected in that goal the way it’s framed?
DR. STEAD: Right now it needs to say strengthen data usability —
MS. HINES: I have it here.
DR. COUSSOULE: I just want to make sure that, as we talk about the data-gathering portion of this, making sure that we get the right data and it’s of the right quality. Is that encompassed in that goal? It should be.
MS. HINES: Goal 1, improve data usability and analytic capabilities to sustain continuous improvement in health and wellbeing.
DR. THORPE: I like that as a goal, and I think what you’re saying —
(General discussion)
DR. STEAD: I would like to see you build that into Objective 1.2 if possible. I think that’s where it belongs.
(General agreement)
MS. BEBEE: Nick, you are saying the collection piece hasn’t been captured?
DR. COUSSOULE: The idea of getting the right data in the first place.
(General discussion)
DR. STEAD: Let’s work on the objectives. They’re going to do a hand-shake to get us the current version. Objective 1.1 — Assess capacity of these data to improve health and wellbeing. That is the environmental scan, if you will.
Then, identify opportunities to enhance data and analytic resources. I presume we are going to put usability there.
DR. COHEN: I would say identify opportunities to enhance data collection. I’m trying to address Nick’s issue.
DR. STEAD: So, data collection —
DR. MAYS: There’s a statement I want to add that I think may help. One of the things that I would like to try and get into that first one is kind of an equity statement. Something that says for all. In the objective, the second one. If we say “for all” it begins to cover part of what Nick was saying. I think it kind of gets at that leaving populations out. It’s like you have to at least consider it.
DR. STEAD: I would prefer for you to think about whether that needs to be handled in the vision.
DR. MAYS: What I was going to say is it’s in the second one — identify opportunities to enhance data analytic resources, blah, blah, blah, and health and wellbeing for all. But if you think it needs to go up —
DR. STEAD: The vision has to be the most encompassing statement. We need to make sure it accommodates what you want. Once you get the vision right, then you may or may not also feel it’s important to do below. We use health and wellbeing several times I believe.
PARTICIPANT: Vision, it says, of the population. That’s plural.
DR. STEAD: We could do it there.
DR. MAYS: The population is the one that you conceptualize, but if it’s for all, then you have to say why you exclude something.
DR. STEAD: What she’s suggesting doing is putting it at the end of Goal 1 —
MS. HINES: So it applies to all the objectives. Improve data usability and analytic capabilities to sustain continuous improvement in health and wellbeing for all.
DR. ROSS: Yes, that’s a much better fix.
DR. MAYS: Yes. I can go for it. That’s your social determinants framework, so I was trying to get it in.
DR. COHEN: She’s right, it needs to be said.
DR. ROSS: It needs to be said.
DR. STEAD: And “of the population” actually gets us at the vision. Okay. I think we’ve got it.
Then, identify opportunities, enhance data and analytic — how do we want to reword that?
DR. COHEN: Data collection and usability — identify opportunities to enhance data collection — We’re on 1.2. I’m trying to get to the issue that Nick raised. When we talk about enhancing data what do we mean? We mean enhance the ability to collect it and to use it.
DR. STEAD: What do people think?
MS. GOSS: Vickie, I’m hearing your concern about the collection because we don’t always collect it, but I do think the collection part has an important part here because there are lots of implications related to that that we talk about on a regular basis, like SSNRI.
Could we do enhanced data, comma, its collection and related analytic resources — not mush it together, because I think you want to keep data separate but I get the point about adding collection.
DR. MAYS: Because there is some data that it isn’t about the collection. If it’s that, I’m fine.
MS. KLOSS: Could we think about the word “availability” rather than “collection”?
MS. GOSS: Okay.
DR. MAYS: And that would get —
DR. STEAD: Does that cover, Nick, your concerns?
DR. COUSSOULE: I think it would.
MS. HINES: So, are we saying identify opportunities to enhance data availability?
DR. STEAD: And usability. Usability has to be in there, or did we say that’s covered by being in the goal?
MS. HINES: It’s in the goal.
DR. STEAD: So we are okay?
MS. HINES: So, data availability and analytic resources, and reduce redundancy to accelerate —
DR. MAYS: I just don’t know now if enhance is the word, or whether it’s strengthen at this point.
MS. HINES: We used improvement in the goal. What is your philosophy on that, Bill — to be consistent?
DR. ROSS: Is it that we’re strengthening up to use data? Just to use the data?
DR. STEAD: No. This is capacity-building.
(General discussion)
You can say identify opportunities to improve data availability and analytic resources —
DR. ROSS: That lead to reduced redundancy?
DR. STEAD: Can we kill “and reduce redundancy” or do we want to keep that in?
DR. MAYS: We can get rid of that.
DR. STEAD: Okay. Identify opportunities to enhance data availability and analytic resources to accelerate improvement in health and wellbeing.
(General agreement)
DR. COHEN: So, are we good with objectives for Goal 1 now?
Goal 2 objectives.
DR. COHEN: Read 1.2 again.
MS. HINES: Identify opportunities to improve data availability and analytic resources to accelerate improvement in health and wellbeing.
DR. STEAD: Sold. We have been good with Goal 2. Are we good with Goal 2’s objectives?
MS. HINES: Goal 2 is updated on the screen.
PARTICIPANT: And we are good with Goal 2 objectives I think.
DR. STEAD: Okay, then, let’s look at Goal 3. We have rewritten it. Expand appropriate access and use of data while ensuring relevant safeguards. I think the objectives still work under that.
PARTICIPANT: They’re broad but they work.
DR. STEAD: People are good with them. Let’s go to Goal 4. To identify emerging trends, identify opportunities and threats from emerging trends, formulate agile, flexible converging recommendations and long-term strategies.
DR. ROSS: Bill, I have a question to the group. Whenever we say data/information, it’s data and information. But do we care?
MS. KLOSS: I think that’s a good point because we haven’t done that anywhere else in this, so why introduce that at this point.
DR. STEAD: We have health information and data policy in the mission, and we have health information policy and health data in the scope, so are you just saying wherever we have “information/slash”, make it “information and”?
DR. ROSS: I think so, because they are two different things.
DR. STEAD: Right. Good catch.
DR. MAYS: I just have one in 4.1 where we say “… and its business processes” and then we say “information technology”. We don’t say technology; we say information technology. I was just trying to figure out — like when you’ve got NCHS needing to re-engineer systems, there are certain things that really are technology-focused versus — and that brings innovation — versus the narrowness of information technology.
DR. STEAD: Good point. Anybody object to killing “information” and have it just plain “technology”? Okay.
Then, the selection criteria are now much simpler because we have basically taken advantage of the stuff we have above because these are now one document, not two. So — Be consistent with our mission and appropriately scaled; be mutually complementary and aligned with each other to advance the goals and objectives in the Strategic Plan; result in information or recommendations that are actionable by the Secretary in partnership with state and local organizations and agencies and/or the private sector as appropriate; fulfill mandated requirements and take into account resources available to ensure project completion.
We have taken out all the redundancy and in essence referenced back how we use the plan. Susie?
MS. BEBEE: Who is “each other” in 2?
DR. STEAD: The projects. “be mutually complementary and aligned with one another” — does that work?
PARTICIPANT: The title Project Selection Criteria — all of this applies to that.
DR. STEAD: One another I think is an improvement. Bruce?
DR. COHEN: Just as a criterion — and I haven’t really thought about how it fits into the goals or the mission — if an emergency issue comes up that we need to address, how does that —
DR. STEAD: Does that fit under “fulfill mandated requirements” if it’s an emergency issue that we need to address?
MS. KLOSS: We wouldn’t be tackling something that didn’t fit in our charge, so I think that could work. Fulfill mandated requirements.
MS. HINES: The idea there was, obviously, there are things that are not mandated that the committee does, but we do have to address those things that are mandated, like the review committee and the annual report to Congress.
DR. COHEN: I know we have to do those, but if there is an emergency issue, one of the criteria for selection would be if something bubbles to the top that is really important to address sooner rather than later. If you think it’s covered by the vague wording about mandate that’s fine, but —
DR. STEAD: I would think each of those things would either fall under Two or Four. I may be missing something.
MS. HINES: It’s not like this group can actually move on a dime, although the letter that we just did on SSNRI is I guess our record of, what, three, four months.
DR. COHEN: Yes. This is a perfect example.
MS. HINES: So we have broken a record. We have done something in three months.
MS. GOSS: It is not to become the norm. It was very disruptive, in my opinion. I know we want to be that responsive but sometimes — other things took a hit for that priority.
MS. KLOSS: What project selection criterion would that fall into? That’s the question. Consistent with our mission.
MS. HINES: Our mission isn’t to be a rapid response committee.
(General discussion)
DR. MAYS: But I think the committee with an activity would — there may be something in the disaster that we would end up wanting to have a quick turnaround on in terms of birth certificates or something.
MR. COUSSOULE: That first line is so broad that you could include lots of things in there without trying to get more granular about specifying. Frankly, if a fire drill comes up and it’s not consistent with the mission, we wouldn’t want to do it anyway. I would not get too caught up on that one because I think from a scale perspective that covers it. It guides you back to the mission to say we will accept or not accept for the committee to undertake.
DR. STEAD: You could say, take into account timeliness or time sensitivity. You might put something between “take into account” and “resources”. Take into account urgency and resources? Would that address it, Bruce?
DR. COHEN: That would be great.
DR. MAYS: Urgency or priority —
DR. STEAD: Except this whole thing is priority. Take into account urgency and resources available to ensure project completion. I think that’s good.
MR. COUSSOULE: Just one other comment. I look at the second bullet and it seems kind of redundant — mutually complementary is kind of redundant.
DR. STEAD: This is Bill Stead at his core and that doesn’t mean the committee needs to accept it, but I will explain it. I think that if you look at the leverage between our four big projects — If I have one project which is stand-alone and doesn’t complement other projects, I would not put that as high on the list as another project which is complementary to one we are doing. I think that is sort of how we ended up with terminology and vocabulary. Beyond HIPAA, Predictability Roadmap and Vitals — they all fit together.
So I think even though we work as subcommittees and so forth, paying attention to how these things come together is an important prioritization. That’s why it is there. If you think it shouldn’t be there, fine, or if you would like to reword it.
DR. COHEN: Is the adverb “mutually” needed?
DR. ROSS: This is Dr. Stead’s Sesame Street role — which of these does not look like the other?
(Laughter)
I am quite okay with the way it’s stated.
DR. COHEN: I think that’s what Nick was getting at.
MS. HINES: So take out “mutually” and just be complementary. We have redundancy cops in the room and we can’t have any redundancy.
DR. STEAD: Okay. Be complementary and aligned. Okay. Sold.
DR. MAYS: On Three, I worry about this issue of “are actionable by the Secretary.” “Result in information or recommendations.” Sometimes we deal with industry. We don’t really need the Secretary to always go and do something right away; we need it to come before the Secretary, and industry then sometimes will make a change.
PARTICIPANT: It says “or.”
MS. GOSS: And/or the private sector as appropriate.
DR. MAYS: But before that, it seems like the criteria is “result in information or recommendations that are actionable…” It’s where the “actionable” is.
MS. GOSS: Right. And I think they were saying it’s actionable by the Secretary, the state and local and/or the private sector —
DR. MAYS: I was reading it that it has to be actionable by the Secretary –
DR. ROSS: You want it to say actionable by the Secretary and/or the private sector —
DR. MAYS: Right. Yes.
MS. HINES: So you just want to move that last clause, “and/or the private sector as appropriate”?
MS. KLOSS: The Secretary, the in partnership with state and local organizations and agencies —
DR. MAYS: To me, it currently reads that the Secretary has to take action, so I —
MS. HINES: So why don’t we then add the word “actionable” again to the second clause so then it’s clear, “and/or actionable by the private sector.”
DR. MAYS: Yes, because it cannot be that it’s always an action. We do things to bring industry along sometimes, but the Secretary just receives the letter.
DR. ROSS: As I look at the English language, the way it was written, I thought it did say what you’re trying to get at.
DR. MAYS: Oh, I didn’t think it did.
DR. STEAD: I thought it did, too.
MS. KLOSS: Yes, I do, too.
DR. ROSS: The phrase about the Secretary in partnership with — you don’t want to break that part up. Something that has got to be actionable or relevant to the Secretary in partnership with what the Secretary does is with state and local agencies and/or with the private sector.
MS. KLOSS: So you could get rid of the “and slash.”
PARTICIPANT: Correct. That’s redundant.
(General discussion)
DR. STEAD: So is this sold? All right.
DR. RIPPEN: I thought that there are times that we may have recommendations that only are actionable by the Secretary as it relates to HHS, so what you’re implying here is that there never is a case and it’s only in partnership, which goes beyond potentially the Secretary’s scope of ability to act on. It may impact some of them.
I understand that it’s nice to be in partnership, but, again, the action recommendation is to the Secretary.
MS. HINES: Where appropriate?
DR. RIPPEN: Yes. That’s fine.
MS. GOSS: I would propose that you take “as appropriate” out at the end of that; just leave the state and local organizations and agencies when appropriate, comma, or actionable by the private sector.
DR. STEAD: Can we buy this for this year?
DR. MAYS: We should celebrate it, not just buy it.
(Applause)
DR. STEAD: Can we have a motion to accept the Strategic Plan?
MS. GOSS: I make a motion to accept this and move on.
DR. MAYS: I second that we accept and celebrate.
DR. STEAD: Any discussion? All in favor?
(Chorus of Ayes)
DR. STEAD: Any opposed? Okay.
Thank you. We can now celebrate by eating lunch. We will be back together at 1:15. Thank you. This has been a very useful conversation.
(Luncheon recess.)
A F T E R N O O N S E S S I O N (1:15 p.m.)
Agenda Item: Health Information Privacy and Security Beyond HIPAA
DR. STEAD: Welcome back. We will begin to start. Linda is going to drive this next block for us.
MS. KLOSS: Thank you. Welcome back. Welcome to the kickoff of our Beyond HIPAA Initiative Project. We will figure out how we frame it as we go along and learn. On behalf of the Privacy, Confidentiality and Security Subcommittee, I am going to make a few opening comments just to tee up our afternoon as we take a deep dive and begin our environmental scan of this exploring the issues beyond HIPAA.
I will introduce our panelists in just a few moments. I will thank Maya when she comes into the room, for all of the great work she did in helping. Thank you, Maya, for helping us to convene our panel, along with Rachel Seeger, who is our subject matter expert and helped the subcommittee in crafting this session.
We also have a new old face in the room helping us. I want to introduce to the committee Bob Gellman. Some of you know him. He actually will be under contract with us to help us chronicle what we are learning in this journey of beyond HIPAA. Bob is going to capture the discussion and the learnings and help us build a report of the environmental scene.
I will say a little bit about his background. Bob is Yale Law. He was a member of the National Committee on Vital and Health Statistics from 1996 to 2000. He sat in my chair from ’96 to ’98. A lot of the initial crafting of HIPAA and how we conformed and what the regulatory environment was came out of the work of the subcommittee at that time. Bob has a background that goes much further back. He worked on fair health information practices, so we are very fortunate to have Bob working with us with such a deep subject matter expert. Yes, make a comment.
MR. GELLMAN: I just wanted to suggest to anyone here, any of the witnesses, anybody on the committee, if you have any materials you think are relevant to this topic, send me a document, send me a link. I am Bob@BobGellman.com, two L’s in Gellman, at any time, anything you think might help, just send along. I will take a look at it and see what I can make of it.
MS. KLOSS: So, we are building on, going back, how we got to this. We have been dancing around this topic of Beyond HIPAA for some years now. Most recently, our committee did a project on de-identification of data. It certainly reminded us that de-identification of data is not assurance of protecting the identity of individuals.
We have looked at other reports in our charter. We have gone through really kind of all the background of things we did. We looked at a framework for community use of health data certainly outside the scope of HIPAA. We created a stewardship primer for those community uses of health data. The de-identification work and other work just kept coming back to what about all this space that is beyond HIPAA. That is, of course, where the name of this work initiative came from.
This area has been looked at by a number of other groups. The Federal Trade Commission Report on Big Data, a Tool for Inclusion or Exclusion was published in January of 2016. Cora Han will be here with us this afternoon to highlight those learnings and other work that FTC has done since then.
We saw several big data reports come out of the executive office of the president under the last administration. There has been a big data and privacy discussion by the Office of the National Coordinator. We are not in this space alone. But what we are trying to do specifically through our goals is to identify and describe the changing environment, and the risks to privacy and security, highlighting promising policies, practices and technologies. We will be updating some of that prior work and hopefully really looking forward. One of our goals as a committee is to always sort of be forward looking.
Try to lay out integrative models of how best to protect individual privacy and secure health data outside of the HIPAA protections. Formulate recommendations for the secretary, as is core to our charge as a committee and to other federal departments. We also always feel kind of an obligation to report out to anyone who is a health data steward. As we were talking before we began, that is just about everybody now one way or another. We know that this is a big charge, so we are taking it step by step. But we are really pleased with being able to kick off our discussions today.
The way we are going to work is we have four expert panelists who will give us little different glimpses into this elephant or begin at different points at this elephant. We will have their comments, and then we will open it up to the committee for discussion.
We will have a break. We will have two more panelists, Cora Han and our own Jacki Monson. We will open it up again. Then we will end the afternoon by talking about next steps and try to summarize lessons. Our goal isn’t to define the definitive model or formulate recommendations. Our goal is to learn and listen, discuss, provoke discussion, identify areas where we need to look further. You will find that our committee is a deliberative committee. We like to deliberate. I think everything we are going to hear is going to provoke some very fine discussion that I hope we will all enjoy.
We are going to start with Jeremy. You have got the bios. These are just kind of barely scratching the surface in terms of the rich backgrounds of our panelists. So feel free to say a word about your role. We will have to have you speak into microphones.
I was going to go through the order. Jeremy is going to go first. Stephanie is here in the building. She has got a very tight schedule this afternoon, so she is finishing up a conference call. She will be coming and will be able to stay with us until 2:30, so she is going to go second. Nicole, you are going to come third. You have a scheduling issue, too, and need to leave at 3:30, so we will be cognizant of that. Fatemeh, you will be fourth, and then we will have our discussion.
DR. EPSTEIN: Good afternoon. I am Jeremy Epstein. Thank you so much for having me here. You have got my bio if you are interested. Did anybody read the last sentence of my bio? That was a quiz.
I am currently the deputy division director for computer network systems at the National Science Foundation. I was told some years ago that in Washington, the shorter your title, the more important you are, so president is important. I rank somewhere below the janitor.
Before I took over running the CNS organization, I was also the lead program officer for Security and Trustworthy Cyberspace, or SaTC as it is known to its friends. That is a program that has about 800 current research projects in security and privacy. So I don’t know all of them. I am going to give you some samples of a few things that I think are relevant, but there are undoubtedly other areas, both within the SaTC program and within other programs at NSF, that are relevant.
I wanted to also mention, and this is a measure of whether you are a Washington insider, the NITRD NCO Privacy IWG, and the measure of being a Washingtonian is that I can tell you that that stands for Networking and Information Technology, Research and Development, National Coordinating Office, Privacy, Interagency Working Group. I don’t actually need to look at our notes to get that acronym.
So the NITRD NCO Privacy IWG, or just the privacy group, brings together all of the different funding agencies across Washington that fund research in privacy. NSF is the primary agency, but also NIST, DARPA, NIH, FTC, FDA, et cetera. It is a venue where we talk to each other. There may be opportunities. I am not sure if HHS is part of that interagency working group. But there would certainly be opportunities for folks from here to present what you are doing and get input from them.
I want to say that a lot of what I think about in the questions that we were asked is Internet of Things. I am going to assume that everyone has heard that buzzword, even if not everyone knows all the details of what it means, related to that, advanced biometrics.
So as an example, there is more going on to put a device on your phone or on your laptop that can authenticate who you are based on your unique heart rate. You don’t have to identify yourself, or you don’t have to provide a password or anything like that. Basically, your heart rate is enough. That is not what we typically think of as an authenticator. We typically think of passwords and fingerprints and stuff like that.
The more accurate that heart rate monitor is, and these are talking about using just an ordinary cell phone or similar device to be able to do that. The more accurate they are, the better they are from a security perspective, but the greater the risk from a privacy perspective. Similarly, people are doing things with brainwaves for authentication.
I am guessing people are familiar with the quantified self movement. I learned about the quantified self movement from a certain Daniel Epstein, who happens to be my son. He is a graduate student, and he taught me about all the cool things people measure about themselves. I have learned a lot. He recently wrote an award-winning paper where they looked at applications that women use to track their periods, and why they use them and how they use them and things like that.
To my great disappointment, he didn’t look at privacy as part of this study. But it doesn’t get much more personal than that in terms of personal health information. But the vendors who are capturing all this information aren’t treating it as PII.
Let’s see, there are certainly legal and ethical issues that I know you have touched on. I think it is important also to think about the accuracy of these smartphone diagnosis tools. There is a professor actually at the University of Washington who has built all sorts of tools for smartphones that can help with all sorts of diagnoses. One of them was in the news just the other day. You probably saw it. It was about some forms of cancer detection using just a smart phone. What are the accuracy issues? What are the privacy issues associated with those?
I guess my point is that there are a lot of these tools going on. It is really easy to get into the IOT business. There are thousands of companies from around the world that are building apps, that are building gizmos that plug into your phone. They are capturing all sorts of health information, and Lord only knows what they are doing with it. I guess that is what this is about. With that point, I will turn it over.
MS. KLOSS: Stephanie Devaney, Stephanie, thank you very much for joining us. I know you had to do some scheduling accommodations, but we are very grateful.
DR. DEVANEY: I am going to give a quick overview of the program that we are running at the National Institutes of Health called the All of Us Research Program. One of the things that we are really focused on is data. We are asking a lot of people, hopefully a million at least, to donate data about themselves, so that researchers can use it to answer all sorts of research questions across all human health and disease issues.
So we do spend a lot of time thinking about privacy and trust and other things that we really need to have in place in order for our participants to want to be engaged in our study. So I thought I would do a quick overview of the program, and then I am happy to talk more specifically about data privacy issues that we are dealing with.
So the All of Us Research Program is, as I mentioned, a program that was developed in FY16 with our first funding from Congress and FY16 under the Precision Medicine Initiative that was launched by President Obama in 2015. We have also funding in FY17 and are hopeful that everything will work out for FY18. So we will continue to build the program.
We were also fortunate enough to be given some funding through the Cures Act. We had about 1.5 billion authorized through the Cures Act, which is helpful and supportive of our programs. So we have been building ever since the infrastructure in order to enroll a million Americans from across the country of diverse backgrounds who we hope will stay involved in our program over time and offer a bunch of different types of data about themselves. I will talk a little bit about the different types of data that we will be collecting.
This slide just shows our mission. I don’t want to belabor this, but essentially it is to have a relationship with one million research participants across the country. This is no small feat. And then deliver the largest, richest biomedical dataset ever, so that researchers can use it to make important scientific discoveries in all aspects of human health. We, as the program at NIH, feel it is our responsibility to build the program, but not be the scientific gatekeeper. We really are interested in working with the scientific community to understand what types of data would be most useful for them, as well as our participants, so that they can ask the questions that are within their domains.
This is just our core values, which we go back to often, to make sure that we are being accountable to them. I will point out that a couple of them have to do with privacy and security and trust. We believe that engaging one million people and asking them to share so much data really will involve really smart security policies in an ongoing way, as well as thoughtful privacy policies and transparency, openness and trust building.
So I just want to give you really quickly a snapshot of what the program actually looks like, just to give you a sense of how we are building this. We have a data and research center that is made up of Vanderbilt, Broad and Verily as formerly Google Health. They will be holding all of the data in the cloud. The data will live there. Any researcher that wants to use it once we open up the researcher portal, which won’t be until late in 2018, will go to the data. There will be no downloading of the data. We right now are working on our data use framework and how we will give access to researchers, and in what situations we might cut off access if there was any sort of misuse.
So security of that system is really important to us. We have been working on that straight through and have gone through the whole ATO process, and are also being compliant with FISMA, even though within our program, we don’t necessarily have to. For ATO is the authority to operate. This is the designation that is given on the security side when we are building a platform like this.
MS. BERNSTEIN: And FISMA is the Federal Information Security Management Act.
DR. DEVANEY: That is right. I am so glad you knew that. And then we have the Mayo Clinic building the very large bio bank for us, which will be able to hold 35 million bio specimens at the start, and we are hoping to increase capacity over time.
We have in addition to that a participant center that Scripps Research Institute is building. Just to stop here for a second and say that participants can enroll in our program in two ways. They can come in through a health care provider organizer, which is the box in the middle on the bottom in blue. And those are brick and mortar institutions, academic medical centers, federal-qualified health centers, the VA. They can enroll in person with our enrollment teams onsite in those locations.
Or they can come in through a digital platform, through an iPhone or through our website, as long as they can get access to the web. They can come in digitally, as well. That experience is something we are trying to build up that capacity, so that we can have really a national presence. And anyone from anywhere can enroll, even if they don’t live next to one of our health care provider organizations that is enrolling. Scripps is responsible for helping us build that capacity and working with Walgreens and other organizations that can help do the blood draw if somebody enrolls from a site that isn’t near one of our academic medical center partners.
And then we have the Participant Technology Systems Center, which is responsible for designing the participant portal. It will allow them to see their activity, and what they have done and haven’t done as part of the program. And then a communication and engagement arm that will help us in communicating with participants. And then finally as I mentioned before in the blue on the bottom, our health care provider organization partners that are helping us do the enrolling.
So let me just talk about the data we are collecting quickly, since I know this is highly relevant to this conversation. So at the outset, we have a core dataset that we are asking participants to provide to us as they are coming onboard now in the program. We have about 3000 participants who have enrolled already since the end of May. We are doing a very slow ramp of enrollment, opening up one site at a time, and building capacity and testing it, so that we can test all of our workflow and all of our digital, and the ability to get the bio samples to Mayo and all of that.
So those folks have agreed to answer questionnaires about themselves. They go through three surveys to begin with, and then we will give them more over time. They have authorized access to their electronic health record. In some cases, that is really simple because we have a direct relationship with the health care provider organization in the cases in which we are funding them. And in other cases, it will be more tricky if they come in through the digital platform. Getting access to their electronic health record will be trickier for us, given the state of EHRs.
Then they will undergo a baseline physical evaluation. They give us blood and urine samples. Those go to the Mayo and, over time, we will run more data. We will generate data from those bio specimens. Over time, we will do genomics. Pretty soon, that will probably be one of the first things we do out of the gate. And then we will figure out what other omics or assays we might run in those samples.
And then ultimately, we would like to incorporate, and these last two bullets are not incorporated in the sort of early data, the minimum dataset that we are collecting now. But we would like to incorporate mobile and wearable technologies, and geospatial and environmental data. Here, we get into a whole new set of privacy issues that we want to be pretty thoughtful about before we start incorporating data like those.
On the bottom is just a schematic of how our program thinks about the protocols. So version one of our platform is the stuff I just talked about. But we imagine this protocol not being static for the next 70 years, but really being a living document and changing with technology, and as we have new opportunities to pull in different data types, to expand. And so that is the visual on the bottom as we think about the different versions of our platform. Of course, each one is coming with a whole new set of security and privacy issues.
This slide just walks through the participant journey, which I am not sure I really need to go over. I would like to save some time for discussion. But we can come back to it if any of you have any questions about what it feels like for a participant to go through our program, to walk through our program. And then my last slide of all just gives you an update on where we are. We actually reached 3000 participants today across 11 sites, so that has already changed. And as I mentioned, we are doing a beta phase of enrollment and really doing this very slow over the next number of months, leading up to a national launch either late this year or early in 2018.
So sorry for flying through that. I am certainly happy to expand on anything I talked about. But I did want to save time for more discussion, while also giving you sort of the foundation of what our program is attempting to do.
MS. GARDNER: My name is Nicole Gardner. I am from IBM. I am vice president of our services group. Thank you, Maya, for the invitation to speak here. Bravo to the committee for starting to tackle what is becoming everyday a more and more complex question. I think the two speakers before me have presented you with some possible complexities. I will just add to the list here.
Just briefly, you have my bio, but I was the leader of our federal and state and local North American Health and Human Services Practice here from 2006 onwards. In 2010, I became the global leader of Health and Human Services for IBM. Now, I am back in the US. I was our federal health leader, and now I am a senior advisor and doing some additional things.
I am going to come at this from more of a data and technology perspective. That is where my home base is. Our CEO calls data the currency of the future. I just think that gives you an idea of how commercial entities think about data. I think that the nature and the dimensions and the nuances of data are getting more and more complicated every day. I hope I can give you some more provocative questions to think about.
Just a couple of quick things just about data in general. Data is a generic word. There are challenges around the volume of data. Ninety percent of the world’s data has been produced in the last two years, and the volume is accelerating. Eighty percent of that is unstructured data, meaning it doesn’t have a format. So HIPAA has some regulations about the transaction codes and the anti-standards. But most of the data that we are talking about here is not going to be structured, so that is the first complexity I think that really kind of causes people to have to stop and think.
Two and a half billion gigabytes of data is created every single day. That goes back to the volume piece. Even if you can get your hands on the data, what you are going to do with it remains kind of interesting. My theory is that even if you have it, you really can’t use much of it anyway. The question is what will it become? What will it turn into?
There are a lot of other questions about data because data is not actually a static thing. So when we talk about transactions, and we talk about transmitting information from one place to another in a kind of traditional way from one system to another over a third party telecommunications environment, we are talking about data that is generally at rest and in motion for just a little while.
But when you add in the Internet of Things, data all of a sudden becomes in motion most of the time. So there are no governance structures or policies or frameworks or agreements or legal boundaries or anything around data in motion. And the more that the volume increases, and the more we become living in a world of the Internet of Things, the more data in motion is going to become interesting and more of a challenge.
There are lots of questions about what is health data? So if 50 percent of our health is governed by the social determinants of health, which are not traditionally classified as health data, or live on a margin, things like nutrition, sleep, exercise, whether you smoke or not, whether you drink or not, how much you do those things, the people you hang with, the places you go, if geospatial data is going to be included. So the region you live, the regions you have traveled to, all of that complexity and that added information, that texture, in terms of how can you get your arms around that I think is a really important question.
So on the one hand, obviously you want to be able to provide the right level of privacy and security to that. I know we are going to talk more about that. But on the other hand, you don’t want to do too much because there are already lots of documented problems of the restrictions that HIPAA creates in terms of family members being able to get access to somebody’s records. Children who are in child welfare and foster care who can’t share their medical records and end up getting vaccinated multiple times.
There are all kinds of examples where constricting the flow of data is the problem and can create other problems that were unintended consequences. So the picture gets more and more complicated. So I think that the question of how to define what is health data is kind of an important part of your scan and ought to be a part of what you are thinking about.
When I was the state and local leader here, you see lots of different models. I know Fatemeh is going to talk a little bit about the European model. We think about state ownership of privacy in a certain way here. Consent management is not something that gets talked about a lot, but could add some interesting opportunities to at least make it a more deliberate decision.
So one of the issues with how people share data, and even unconsciously share data, so in the Internet of Things, for instance, if you are sharing data between your iPhone and your Fitbit, and you are allowing Fitbit to aggregate that data for you and do a challenge with a group, that is a very common thing in the Fitbit world. Number of miles run, sleep, all these things, so who owns any of that?
And are you aware when you sign the agreement? Most of us don’t think about the fact that when you Google something, you don’t own the fact that you did that. Google does and your whole search history and everything else. We operate in a world that is already dominated by technology. Almost every fabric of what we do, but we often don’t think about what each transaction or each step or each thing that we do creates information about us.
And we are excited when our Amazon account provokes us to say, oh, I would also like us to read that book, or oh, I didn’t know this product arrived. I didn’t know I could do this or I could do that. That seems sometimes to be very helpful.
But what you are not thinking about in the background is all the information that has been collected about you over the past months, days, years whatever that has allowed the algorithms to learn enough about you that they know what your preferences are. In fact, sometimes they know what your preferences are better than you know what they are.
And you don’t really think about the fact that you don’t own that data. You don’t own that data. You don’t own your credit card data. You don’t own your phone usage data. So how do we now protect privacy around things that can be used as discriminators?
I know that there are plenty of legal frameworks that try to help to prevent employers and others, housing authorities and so on, from discriminating for a particular specific reason. But when data gets aggregated, and the sum of the digital self doesn’t conform to whatever an organization is looking to recruit, and decides not to include you, there is no precedent. There is no way to even maybe sometimes understand that that is what happened, whether it is age discrimination, whether it is health related in terms of actually what they think might happen later.
It is the total wild west out there. I think that is going to be that way for quite a while. I think it is great that this committee is starting to think about it because it is going to take a while to even become parallel to it. And as soon as you get parallel, it is going to move.
So what are some of the things in the practical world that people are doing that are relatively new around privacy and security? Well, first of all, in the world of cybersecurity, and I know we have experts here, it is as much about the physical limitations as it is about the governance of the processes that are put in place to protect. And the governance and the processes are often left sort of off to the side. People don’t pay nearly the amount of attention they need to in order to make sure that we really have a good protective shell around, so that is number one.
Number two, I don’t know how many people here have heard about Blockchain. Blockchain is not necessarily that new of a technology, but the application of Blockchain is starting to take off in all kinds of different sectors. I don’t know what you have looked at or thought about. Do you want me to say more about what Blockchain is? Okay.
Blockchain is basically a secure, visible, irrefutable ledger of transactions and ownership. It was derived from Bitcoin, sort of in a way. IBM thought it was so important, it actually formed an entire division around how Blockchain can be used in the world of security and privacy. So I would just encourage you as a committee to look at that technology to see whether you think there can be some application of it, and how it can help us to get a grip on what is happening.
There are all kinds of others. You just saw yesterday in the announcement from Apple, facial recognition. If you are a frequent traveler, TSA is looking at ticket list travelers. Facial recognition, biometric information is becoming more and more important. And so are those possibilities for helping us to start to put some governance around what we think of as health data. I think that is probably a big enough pile.
Oh, I want to add one more thing. I will say this because I think it is provocative, but I also happen to believe it is true. When we talk about health data, and this has already come up once, but I am sure it will come up more, electronic health records and electronic medical records are sort of the traditional and recognized form in which we think about health data.
But my proposition to you is I think that the life cycle of EHRs and EMRs is gone. I don’t think that it is going to exist as a framework for very much longer. The usefulness of the standard set of data elements in an EHR, the usefulness of it is in debate. The rigidity of the vendors and the products that live out there is also, I think, coming to an interesting point. I wouldn’t want you to count on the existence of a medical record as a point of reference for collecting or owning or governing or securing health data any more beyond the next few years because I don’t think it is going to be here. I will sort of leave it there.
MS. KHATIBLOO: Thank you for having me. I am going to speak about Internet of Things and connected stuff. But as a researcher and an analyst at Forrester Research, I have the privilege of actually bringing the consumer perspective, the citizen perspective, to some of this conversation. So you have the statement that I prepared. It is in front of you. I am going to go a bit deeper into some of the findings that we made there.
This is a thermostat, right? This is a Google Nest Thermostat or is it? For a woman in menopause, it could also be health data. If she is having hot flashes, she is remotely changing the temperature in her home, in her bedroom. That is intrinsically health data.
This is a fitness tracker. They are ubiquitous. It seems innocuous enough. This health tracker happens to also be a blood glucose monitor. It is needleless. It goes just to the skin, but it continuously monitors a diabetic’s personal health and glucose levels.
Now, this product is a consumer electronics product. Therefore, it is not subject to HIPAA regulation and HIPAA protections. It is also being crowd funded by a company in Europe. Where is that data going? Who has the right to track and monitor that data?
And finally, the Amazon Echo, which is just a home automation device, isn’t it? Well, it is also connected to my calendar, where all of my doctor’s appointments sit. It has got all of my food and grocery and Amazon shopping recommendations on it. As my mother actually recently pointed out to me, she is a senior and she lives alone. It has become a great source of comfort for her.
We have set it up so that it alerts me if something has gone wrong with her, and she hasn’t checked in over some period of time. And she is asking me, well, why can’t I connect this so that I can actually make my doctor’s appointments through the Echo? Why can’t I have the Echo remind me I have got a doctor’s appointment, and call a Lyft or an Uber for me? We are seeing a huge shift in the way that these tools and technologies can enable and empower individuals with their health data.
And people understand the value in this. So this is a representative sample of US adults online. And 24 percent of people actually are really interested in the possibility of sharing or actively sharing their fitness-wearable data with their physicians. 55 percent are comfortable with the idea of it.
Now contrast that with the quarter or so who are not comfortable sharing the data with anyone. It is very complex. This is not a binary set of concerns. We also know that about half of US consumers are really worried about the privacy of their health care data when they use online health tools. Most people don’t think of their fitness wearable or their Amazon Echo or their Nest Thermostat as a health tool. So imagine the level of discomfort as people think through what that data might be, who it might be going to and how it might be classified.
So this is what we call at core a privacy and personalization paradox. We want all of this data to be made available for our benefit, for our value, and to empower and better our lives. We do not want that data left unprotected and unsecure.
Now, I have some verbatim from an online market research community that we run. I think they are extremely illustrative to some of the examples that I shared in my statement. A woman told us that while I think that HIPAA does help us somewhat, it actually doesn’t do anything to prevent hackers from getting my information. And that is certainly true. But there are few ways that we can control that data from a cybersecurity perspective, although it is something that we should be thinking about.
Another woman explained that she signed so many forms and releases that she doesn’t really understand it. It is too complicated. The forms and papers that she is signing in her doctor’s office while she is under stress, potentially under a medical emergency, she is signing reams and reams of forms, and doesn’t really understand what many of them mean.
And one gentleman told us that he wants to be in control of his own healthcare data. It is his data. He wants to decide who has access to it and who has control over it. And he realizes that fitness data, whether it is from a wearable or from an app, could also have inaccuracies that he may not necessarily want his doctor to have access to.
We also then asked these individuals about compliance and whether they actually think that apps and tools should be HIPAA compliant. I thought this was really interesting. People have a very different set of understandings about what HIPAA is and what it protects them from. That is not very clear to them. So we got some really interesting things about how apps should expose the fact that they are HIPAA compliant or not. In fact, one woman said, they should just tell us. If they are HIPAA compliant, we might use them more. We might use them differently.
Many people don’t understand that the data from a Fitbit or other health wearable or health device can actually be sold and is, in fact, today being sold. It is being sold for behavioral analytics, for advertising targeting. People don’t understand that is happening.
And finally, I think this is a really terrific quote. I think it would be a good thing to require these apps and devices to become HIPAA compliant. People don’t understand the consequences of putting their health information out there. They need to be protected even if it means sometimes having fewer features. I thought that was such a beautifully summed up quote of what the consumer and citizen concerns are around this data.
Now, this is only going to get more complicated in the future. Who has familiarity with the case of a gentleman’s pacemaker actually being used to indict him for arson? Well, about six weeks ago, a judge decided that was admissible evidence in court. Here we have a situation where you may be sitting in a hospital bed talking to a cardiologist who says, you need a pacemaker to keep you alive. Except that data could be used against you in the future. What do you choose to do? It is not a fair question to ask of a patient.
So we think that there are six ways that we might think about HIPAA in the future. We think that the definition of protected health information should be expanded. It should be expanded to include wellness and behavior data.
But it should be defined by class and the potential for harm and the sensitivity of that data. We think that we should require proportionately appropriate protection and handling of each class of data, not one broad set of data. And we should be limiting the use of sensitive data irrespective of the provider or practitioner. This isn’t about these type of data or the covered entity. This is about the citizen’s rights to have protected data.
We think that all firms that are collecting this PHI and health data should be subject to the same privacy and security standards. Most importantly, we think that we should be providing meaningful control over health care data to the individual, to the person about whom it is related, to whom it is related. With that, I will turn it back over to Linda.
MS. KLOSS: Could you go back to that six points? I thought maybe it would be a very useful way to kick off some discussion and get others’ opinions about those as a launching pad, expanding the definition of PHI to include wellness and behavior data. How feasible is that?
DR. EPSTEIN: I guess I should emphasize that I am expressing my opinions and not necessarily those of the National Science Foundation in saying this. I spent of my career in the commercial world, not in government, building commercial software products and things like that. My concern about trying to define what the boundaries are may grow to suck in everything.
There is always this tradeoff between the protection, which I agree obviously is an important thing, and innovation, especially because it is sometimes hard to predict. Today’s really cool app is tomorrow’s PHI as we learn to use things in different ways. We need to be really careful not to try to suck too much in because we may end up sucking in everything.
If the game you are playing on your phone could be used to determine are you likely to come down with Alzheimer’s, even though it happens to be just a fun game, but suddenly because one of the side effects of the game is that it correlates with people who happen to come down with Alzheimer’s or Parkinson’s or whatever, then suddenly that game becomes PHI. It needs HIPAA approval and so on. We have to be cautious not to go too far down that path.
And actually unrelated to that, but I wanted to comment about Blockchain for a second, if I may. When all you have is a hammer, everything looks like a nail, and I think that is where we are at with Blockchain today. People are using Blockchain to solve all the world’s problems just because that is the hammer they have.
MS. KHATIBLOO: I think you make an excellent point about the ubiquity of what could be considered health care data. That having been said, I think that is even more reason for creating categories and classifications within the regulation, treating each of those classes of data slightly differently.
The European law that I was alluding to in sort of our earlier conversation is the new General Data Protection Regulation. The GDPR is very different from the perspective that it says, look, this is not about regulating companies. We consider a ton of information now to be PII. It is about regulating the use and the access to that information. And I think that is a fair way to think about ubiquitous health and wellness data.
MS. GARDNER: I agree with you. And I do think there is a balance. I think the idea that there are tiers or classes or categories of data is really helpful. You are also right. We could expand this to say pretty much everything you do in your life has to do with your health, so why wouldn’t you?
But the truth is we have to think about protecting our individual personalized data across the board anyway. I mean, the Equifax thing just shows us how vulnerable we are. Every single person sitting in this room is probably compromised. It is a combination of being educated and sort of understanding.
We are looking at a generation of people coming who are growing up, who generally put pretty much every personal thing you could possibly imagine on Facebook, on Instagram, on Snapchat, on social media of some kind, without any regard to whether it has longevity or whether it is shared or whether there are any boundaries or ownership issues. I think educating people about how data can be used is a really important part of how we need to move forward. We are not going to be able to govern every contingency.
But I do think that there needs to be some framework of protection in terms of creating a profile of someone that could be used as a discriminator, which in the end was the purpose of the protection. I think thinking about data, so I don’t know if the climate control, that may be like at the bottom of the food chain.
Who would really care? So we are of a certain age, we don’t worry about our periods anymore. So who cares? Or maybe that is an ageism thing. Maybe it is. Maybe you look really great, and you have had a lot of Botox, and you wouldn’t know how old that person is. I do think some degree of reasonableness needs to be in there. I do think thinking about tiers of data and how it can be used is one way of starting to think about what is important to protect and what is less important.
DR. DEVANEY: I feel like I am bringing the perspective of an organization that is very clear on our intent in terms of the use of the data. So that is important to just acknowledge. Our intention is to use the data for research and to allow many to use the data for research. We are very clear with the folks that we are asking to share all this data that you are sharing. We are collecting it. We are putting it here. Here is the security around it. Here is the privacy protections. Here are the privacy gaps that we are looking into pretty closely.
But because we are doing that, we have the ability of having their consent. What we are running into is, first of all, the tension between privacy and access, and for us, access is really important, or else we are not going to learn. We are collecting all this data. It is almost unethical if we collect all this data, and no one can access it and we can’t use it. Then why are we holding it?
And then the tension between telling people what they need to know, but being so much that we are scaring them and/or they just can’t absorb it all. This is one of the issues that I think has come up out of this Equifax issue. Does anyone read the terms of use when they are signing up for products? In our case, the terms of use is a consent. Ours is very interactive. It is digital. I think it is a really nice consent. But we also could continue to add on more and more information until it becomes almost too much.
I realize that I am coming from the perspective of it is a very clearly defined use versus some of the other conversation here, which is about where is the data, and who is using it for what? That is a little more unclear to people. But it is an important consideration about this tension.
MS. KLOSS: We know we have you with us just until 2:30. You referred to developing frameworks. I just wondered how you kind of went about that, how far along you are in that understanding it is a more controlled environment.
DR. DEVANEY: As I mentioned, the data will live in an enclave, so we have some control over that. The security around that is being developed and handled by security experts. I feel very comfortable that we have a secure environment, also understanding the limitations these days.
On the privacy front, this gets more into sort of my bailiwick. From the beginning, we have been thinking about privacy and in terms of policy, regulations and statutes. We got some important privacy protections from the Cures Act, which are incredibly important for us, especially as we try to get people to trust us. I am sorry, in the 21st Century Cures Act, there are two really important strong privacy provisions. One is the certificates of confidentiality. Should I explain what that is?
So the certificates of confidentiality was an authority that HHS has had in the past, but was optional. Essentially what it does is it prohibits researchers from handing over participant-level research data under any sort of legal plane. So any subpoena, it prohibits that. In the past, before the 21st Century Cures Act, the certificate was optional. It was up to the discretion of the researcher whether they wanted to hand over data under subpoena or not.
So we have now a very strong prohibition. Even if they choose to disobey and hand over the data, it is inadmissible in court. So that is a really strong protection for us that we can share with our research participants. It also allows for the exception of with consent. So if a participant consents to that disclosure, then it can be shared.
We got a similar exemption to FOIA. So any data that the government is holding, we have very similarly-worded protections about having to hand over that data. We feel that exemption will hold and we would not have to. So that is really important for us as we try to build trust with all of these participants.
MS. BERNSTEIN: I will be working with NIH in implementing the section of the 21st Century Cures Act having to do with certificates of confidentiality. I know that while it does protect from compulsory legal process, it has an exception for anything required by federal, state or local law. There is a big gap there. It doesn’t cover everything.
It is a stronger protection in some ways than it was before. You are required to get a certificate, and you are required to actually invoke it. But it doesn’t cover everything that we might like it to cover. Just to be clear about how much we are getting.
DR. DEVANEY: That is right. Some of that was because they wanted to be sure mandatory reporting for infectious disease and those sorts of things could be allowed. But you are right. There is a big sort of question mark there.
For us and some of the populations we are trying to engage the legal aspect, the subpoena aspect is important. But outside of those two provisions, we have done a pretty thorough analysis of what are the privacy protections that we have and what are the gaps. And we also think of, to Nicole’s point, about governance and how our governance and who controls what transparency and how clear we are with people about where their data is and who can access it and why, which is a really big thing for us. And not trying to stuff all of that in the consent, but putting some of that online.
We are right now working on a privacy and security page where we can be really clear, in clear language, who has access to your data and for what purposes. So getting beyond the statutes and the regulations, but really what we as a program can do as the data holders to protect the data.
MS. KLOSS: We have got some questions from the committee.
MR. COUSSOULE: I have a general question for all of the participants. How do you view sort of the whole concept of the expectation of privacy? A couple of you hinted at that a little earlier. I look at kids these days posting every second of every moment of their life as public. That is kind of the first question.
But the second is kind of a corollary to that. Laws are oftentimes built to protect people from others, but not to protect them from themselves. Some of this is are we trying to protect people from themselves as part of this? Anyway, I just wanted to toss that thought out there and see what your view is of the whole concept of privacy and how it is changing.
DR. DEVANEY: I came from the great state of New Hampshire. We had a big issue with seatbelt laws for a long time. I feel you on this question.
MS. KHATIBLOO: I can speak a little bit to the sort of quote unquote millennial issue because we have actually done a lot of research on that. The perception that millennials and teenagers don’t care about their privacy is a very popular trope, but it does not obtain in reality.
What we know is that these kids, their reason for using Snapchat is that, in their perception, it is ephemeral. They don’t want to be on Facebook. They are on Facebook because their teachers tell them they have to be. But they are not actually interacting with friends on Facebook. They are creating very specific privacy settings and groups on Facebook to make sure that only the people that they want to see that thing that they are posting every minute of every day sees it. They have a far more nuanced idea about privacy than most of us do. They work really hard to actually do something about it.
Now, that having been said, they are sharing a lot more. There is no question about it. Their sort of tribe of 150 people is 1500 people and not the sort of small communities that we are used to. That changes when they have a major life stage event, like going out to try to acquire major credit for the first time or when they have a child. Their online behaviors change.
I would say to you part of it is a little bit of protecting people from themselves in some ways. We have to be cognizant of the fact that people’s privacy perceptions change over time. When we think about health care data, what does that mean to ensure that if via NHR, I have gotten a copy of my data, do I know how to protect it? Am I being given instructions about not saving it to Dropbox without a password or emailing it via my Gmail account to my friend? We do need some sort of education around that. I don’t think that is the stuff that gets regulated, though.
MS. GARDNER: I would just add that we could only think about protecting ourselves against ourselves to a certain point. I think it is more about understanding how data can be used for harm if it is aggregated and can be, in some way, turned against you. So used as a way of discriminating against being hired or being given a loan or being given an apartment or whatever it is. There are probably multiple layers and levels of harm.
But even as people’s own ideas about privacy evolve based on their life experience, really maybe we should be thinking about it from a regulatory perspective from what are the risks associated with specific types of data, and less worried about putting who cares what you ate and what it looked like. I am not sure why that is so much of a trend, but it seems like people taking pictures of their meals and what they are cooking. From a nutrition perspective, you know, you could even extrapolate and say that. But I think then we get to the point of the ridiculous. We can extrapolate to the end. I don’t know how useful that is.
I think it is back to the tiering of information. I do think it is about understanding classes of data and where does it become potentially, sorry for the use of the word, but a weapon that can be used against you versus just information about you that might give you the wrong recommendation to buy something. I think that is where you have to try and figure out where that line is.
MR. COUSSOULE: Part of the challenge in that is, in my mind, less a matter of the use case, but the intent. How do you qualify the intent to do harm versus, I think I am doing you good, you think I am doing you harm?
MS. GARDNER: That sounds like one of those universal questions. I wish I could give what I would call a good answer. I think that is what deliberation and public hearing and vetting and constant feedback is probably the shortest path to an answer to that. It is an important question.
MS. GOSS: I noticed that you used the word, Stephanie, clear language when you spoke about the consent. I have had a lot of experience with crafting messages to elderly populations, to managing statewide consent for release of health information. There are a lot of syllables in some of these words.
I am curious how you may be approaching that because I think it ties in with sort of the do people really understand how complex is it, the expectation level, the literacy level. When you said clear language, I thought that is a real challenge. Part of it is that we not only have the millennial issues, we also have the advanced age person’s perspective and everybody in between. They are going to constantly change.
I think your point about how far are we going to go with it, Nicole, is really important. But it starts with us understanding, like having a baseline and us understanding how we fit in with that kind of baseline. This has been a rapid development of use of technology. We haven’t really all caught up to this yet. We don’t have a commonality.
I think it is kind of interesting to hear you talk about wanting to create something in clear language for the precision medicine, and how that might be able to help them set. You are hitting a million people. I am curious on your thoughts about the challenges with clear language and how that might translate to a cultural shift and sort of leveling field and expectations.
DR. DEVANEY: Clearly, I am not the one writing the consent. As Maya has pointed out, I am not clear with my acronyms. Actually, we have taken this really seriously. Just to be frank, we have seen the challenge in making sure that the readability is there and that we have it at the right grade reading level. But also being able to provide information on complex topics.
MS. GOSS: So what do you think is the right reading?
DR. DEVANEY: Our consent is written at the fifth-grade reading level, which is probably still too high for some of the low-literacy populations that we really do want to engage.
MS. GOSS: So you don’t use the word information?
DR. DEVANEY: I don’t know off the top of my head.
MS. GOSS: It is really hard to try to narrow it down.
DR. DEVANEY: It really does read at the fifth-grade reading level. We have experts who have helped us develop that, and it has gone through our IRB. But I will also tell you it doesn’t read like a term of service. It doesn’t. It reads much clearer than that. But honestly, it is then hard to always convey the complexity of the information that we want to convey.
So what we have started to do is we have a consent at the fifth-grade reading level, and we have also videos that you must watch. It is all digital. It is an e-consent. It has been designed by our team at Sage Bionetworks, and they do a beautiful job with the mobile technology. It is very minimal words, lots of icons. Then there are videos that you have to watch all the way through that convey information in a different way. It is the same information, but with a voiceover and a cartoon, and sort of showing what the process is going to be like for you as a participant. We have sort of multimedia ways of conveying it.
But what we are doing now is trying to then put more deep information on our website and make sure that we use that as a strong communication tool with our participants, as well, so that they can get more layered information if they want it at a higher reading level for those who want it.
I would be happy to share them. We might need to give you the password because we are not open nationally yet, but that is easy. I would be happy to share.
MS. GOSS: I think it is very interesting when you mention the term of use because if we can start to tackle consent, then we need to also tackle the what does it mean when I want to upgrade my iPhone? Who reads that stuff? Even if you try to spend the time to read that stuff, even if you can comprehend it, who has the time to read all those pages?
DR. MAYS: I want to continue on what you were talking about because it was kind of my original particularly in the NIH study. One of the issues, I was doing a presentation at the IRB group. One of the things people began to talk about is can you have the exact same consent form for everybody that participates?
It may be that for this vulnerable population, it has to be verbal. They watch a video, and you are interactive. For this one, it is more culturally driven in the ways in which you ask about the participation.
So for the number of people that you are talking about bringing in, I already know that like one of the concerns has been the issue of the methods for racial ethnic minorities and the issue of benefit and harm. So the perception is already what am I going to get as a benefit, and feeling that as others who can really make use of this on behalf of certain populations who have greater access to care and et cetera, that giving this data, that they are going to be further left behind because it is going to be always the lowest result, the worst outcome, and that the benefit may go to others. It is an interesting conversation about this. I just want you to know.
I guess my question to you is in what ways are you all trying to develop best practices. Some of the money that has gone into the CTSIs, as well as to the NIMHD minority centers, we are testing this stuff out. But it doesn’t seem that it is getting to you all, to you. You paid for it.
DR. DEVANEY: No, it is. It definitely is. In fact, the CTSI, CTSA infrastructure that NCATS has developed, NCRR before that, has actually led to a lot of the awards.
MS. BERNSTEIN: At an office I used to work in, we had an acronym cup. If you used an acronym that someone in the room did not know and did not expand it within 15 seconds, you owed a quarter to the acronym cup.
DR. DEVANEY: That is terrible. I am a federal employee. I don’t have quarters to spare.
DR. MAYS: It is the Center for the Translation of Scientific Information are groups that were funded by NIH to actually go and try and improve research activities in broad populations that are vulnerable populations. They are approved data-collection methods.
So NIH has put a system in place to invest in an infrastructure to make the research better. NIMHD is the National Institute of Minority Health and Health Disparities, which was also designed at NIH to focus specifically on vulnerable populations. There has been a production of materials.
CTSI is a good example. I am not sure I would always put them at the top, but they are a good example of some of this. But I am trying to get a sense of how that is playing out because I am told there is going to be kind of this set of consents, and everybody is going to do it. It is not picking up on can you individualize a consent for here is the millennials? The domains are age, gender, sexual orientation and some racial ethnic groups that have special issues.
DR. DEVANEY: I will try to answer all those pieces, but I want to get to the most interesting piece, which really is this question of how are we communicating with individual populations. We think of this kind of like precision engagement. We are trying our best to turn what is supposed to be a very broad study on a million people across the country into something that also is cognizant of local context in specific populations.
We hired a chief engagement officer, Dara Richardson-Heron, who was previously the CEO of the YWCA. She has spent many years of her life thinking about how you run a national program with attention to local context. She has been doing a really incredible job working with all of our programs, so that they can apply what they know to our shared learnings.
I will say this. We are starting out with one consent. But we feel we have sort of two mandates that we take very seriously. One is that we are using public dollars, and so what we learn, we must share. We take that very seriously. And so anything that we learn about the consent and how well it is working or not is the thing that we will share back with the scientific community, whether through publications or blogs or whatever means we can.
The second one is that we need to learn as we go and iterate and evaluate. If we are not learning as we are going, then we are going to have ten years to some of these issues that are really important. So already we have enrolled 3000 people. We are doing cognitive testing of the consent as we go. We are supposed to see the first data on that in the next few weeks. We are really excited about that to even understand are the same words working with different communities?
I mean frankly, it is really hard for us to establish a consent that puts out the value proposition when we don’t really know what that is for different communities. What is compelling about being part of a study like this for American Indians and Alaskan Natives? And what is compelling about that for millennials? That is just something we don’t know yet. But we are learning from many in the field. We are really excited to learn from our direct participants as we go.
Let me just add one more thing, and then I will stop talking. We have also in place, in addition to doing that cognitive testing, which is sort of a controlled experiment, we are also making sure that we have all the means for participant feedback as we go. Little suggestion boxes on the counter, but also ways that they can give their feedback online digitally and then surveys that were given to our participants, so we can understand what it is that has motivated them to join the study, what they hated, what they loved, those sorts of things.
One more thing, the CTSA infrastructure, we have relied on that quite heavily actually. We have a great relationship with NCATS who funds that program. One of our very first HPO, Healthcare Provider Organization, to start enrolling people is the University of Pittsburgh. I think they largely got the award because of the capacity they had built through the CTSA award. They are really relying on a lot of the things that they have learned just running the CTSA and using that infrastructure to support our program, as well. It is a good opportunity. That is a good use of dollars well spent.
DR. ROSS: My question started kind of where both of you have come from. It is sort of maybe a comment, but a bit of a question, too. If we accept, which I do, Nicole’s statement that effectively we are moving to where data are in motion, it does change how you have to think about data security. I am an old programmer from the time computers started. You think it is databases that are both physically static. You can go put your hands on the disc pack. You wrote the code to put the data in there, to this notion that data are in motion. Inferences can be made from many different parts of interactions one has related to lots of different things.
It almost says that it is a hopeless task to try to start thinking about regulating or thinking about even classes of data to me. It speaks more to this issue of how well can a person know what they need to know, to know if they are making an informed choice. I thought as you were talking, I was writing down literacy. But it is cyber literacy conjoint with health literacy conjoint civic literacy.
Are we not now asking that the National Committee start making recommendations to the educational world that let’s produce citizens who are both literate about their health. Part of the challenge we have with health policy in this country is the vast majority of people are so uninformed about health that they are being asked to agree about health policy, and they make ridiculous choices.
Cyber literacy, what proportion of America do your surveys actually assess? The proportion of Americans who even know what those terms mean, let alone have any really glimmer of a sense. I have got a 98-year-old mother who I thought was computer literate. But then she started worrying about where her data were going because she was doing all this stuff on Facebook. This is a crazy world we live in. I couldn’t convince her that she wasn’t at all that great of a risk. She is pretty concerned about it.
And civic literacy, so are we at a point where we are recommending that we change educational standards? I mean, you are trying to do research to understand what people make out of their consent, right? We need to do a lot of that kind of research. That is still kind of a static view of it.
It occurred to me, as you were talking, that this is much like being a pilot. It is one thing to learn what might happen and to have examples in your mind of certain situations. The other is to be flying the plane and deal with it as it happens. We are now moving to the dealing with it as it happens. To do that, you have got to be certified to be the pilot. Do we not need to have citizens who are at least prepared with the basic constructs of cyber literacy, health literacy, civic literacy, so they can put it together and actually make an informed choice. That is a question.
MS. KHATIBLOO: I think you are absolutely right. It is not just about health data. We know that our infrastructure is at risk when people use out-of-date software on their computers that allows back doors into cybersecurity systems.
We absolutely need more cyber education, cyber literacy education. But I think that in the absence of that, and before it can possibly be put into place, we still can do both education on the health care data side, and we can require the uses of certain kinds of data to be in the interest of the patient, as opposed to in the interest of some broader, and this goes back to intention.
But I think we can start to require more guard rails around the health data that is being protected before we have to create an entire cyber literacy campaign.
MS. KLOSS: I think what I would like to do is take the questions from Phil and from Bruce. Then we will just about your departure time. We will use that as a break time.
MS. GARDNER: I also think that there is a huge need for education in the medical community. So there is a generational shift that happens as younger people become doctors. But just the whole idea of how information can be integrated not care, let’s not even talk about harm. But the ability to aggregate all the information that is needed in order to really extend the care and prescribe an appropriate treatment plan, most people in the medical profession today don’t understand both how to get data, access it, check it.
It is not part of what they think about in terms of the tools that they have at their disposal. So there is a huge need from an educational perspective across the board in every domain of our lives. But in health care, it is really a sorely lacking situation. I think that would be an important part, as well, as what you suggested.
DR. STEAD: When you say expand the definition of PHI and then classes, and then require all firms collecting it to apply the same standards by classes, are you suggesting that we can deconstruct the concept of a covered entity in business associates, which in essence lump a lot of responsibility under those two labels, to where there is a more granular contractual relationship that would scale. I mean, is that part of this?
MS. KHATIBLOO: I think that is a great question and a great point. I do think so. I think that to date, covered entities and BAs have been so largely bucketed that there is very little distinction between the chiropractor and the acupuncturist and my actual primary care physician. And I think that distinction should exist. I think yes, absolutely, deconstruct that and actually look at the covered entities and the BAAs as a more granular set of entities, as well.
DR. COHEN: A couple of comments. I totally endorse Dave’s concern about population health literacy and cultural health literacy as broader issues than individual health literacy. I think that is really where we need to start as a society. A comment about active, knowledgeable consent, when I signed up for a health plan, I had to sign an agreement that my health plan could share the data with pretty much anybody they wanted to. Or else, they wouldn’t enroll me.
There are compelling reasons for people to actively consent in situations where part of it might not be in their best interest. I don’t know how we achieve the balance between requiring consent in those situations, so that people can get access to the goods and services they want, and maintain their protections of their information.
I think the information is broader than covered entities. There are a lot more uncovered entities, non-covered entities that deal with this information than covered entities. So even though the conversation might start with covered entities, it applies to much broader sectors of the interaction of individual data.
My final question has to do with this concept of classes or tiers of data versus focusing on permission-based access to information. I didn’t hear you talk about permission-based access to information as, I don’t know, a solution, but really a focus protecting individual privacy. I wonder what you thought about that strengthening or focusing on that as opposed to defining classes of information.
MS. KHATIBLOO: By permission based, do you mean the entity requesting the data to request permission on an ad hoc basis?
DR. COHEN: Role-based, I guess. I don’t know whether it is on an ad hoc basis or on a continuous basis as a way to protect individual data.
MS. KHATIBLOO: I think that sort of falls into the proportionally appropriate protections. I think that there are very likely to be some examples of parties who would have completely legitimate use for some health data. But for whom any identifiable data should not be necessary. So to the extent that those entities should be able to get access to the data that they need, there should be a mechanism for stripping away the information that they don’t. I think we have the technical capabilities to do these things. We just haven’t implemented them. Does that answer the question?
DR. EPSTEIN: In the early days of iPhones, they would ask when you installed an app, they wouldn’t ask what permissions you wanted. But Android phones wouldn’t say it. And over time, there has been more of a transition. Now, both iPhones and Android phones ask you for permissions when they need it instead of a priori.
The theory is that instead of asking you at time of installation, when you don’t really know how you are going to use it, it is asking you when it actually needs it. On the other hand, that is usually when you are in a rush. I need to find that cup of coffee, but I can’t think about whether I really want to give it permission. It is not exactly the same thing you are asking, but I wonder whether the ability to give permissions dynamically is just too hard for people to understand.
MS. MONSON: I have two questions. The first is on I saw lots of head nods related to this data classification idea. As somebody that does this every day as my day job, I don’t know how we would do that. But my question to the group is the National Institute of Standards and Technology actually currently has some definitions, confidential, prohibited, et cetera. Is that potentially a starting point in your opinion? Or kind of what would your idea be around there?
And then my second question is related to Bill’s question around the deconstruction or reconstruction of covered entities and BAs. I would like to know specifically does that mean expanding it, or are you talking about narrowing it or what exactly is your idea around that?
MS. KHATIBLOO: As a non-expert on the covered entity and BA standards and definitions, I am going to defer on that one. With respect to the classes of data, I think the NIST starting point in classifications are certainly good ones. But I think we need something beyond that. Even within NIST, I think it defines a piece of data or a type of data.
I think when we talk about health data, we should be also thinking about, for example, conjoins of data. So we should be thinking about things like this specific piece of data on its own is not significant or potentially toxic or harmful. However, combined with another piece of data, it may be. I think it is a bit more nuanced than what NIST would have.
MS. GARDNER: I agree. I would only add in addition to the relationship of data, the context of it, so it is the connection and the context. I do think that it is a good starting point. I think it is a good starting point.
But the world is changing so quickly. Those rules are relatively, I don’t remember exactly when they were enacted, but it is a while ago. Thomas Friedman wrote a book last year, I think it was, called Thanks For Being Late. It talks about this place where we are, where we are behind our ability to absorb technology. And so we can’t possibly be all things to all people and protect ourselves from every situation.
But I do think we have to recognize that whatever was five years or more old is probably no longer adequate to deal with what we are dealing with. We just need to build on it. We need to use it as a starting point, but I don’t think it is going to be adequate. I don’t think anything is going to be adequate going into the future.
MS. KLOSS: Do we have any questions from our members on the phone before we adjourn for a break? Hearing none, just kind of this is like Rachel Maddow when she says, now, right after break, come back because we are just going to have a break. Then we are coming back. Cora Han and Jacki will tee up their remarks, and then we are going to continue this discussion with all who are able to stay with us until 4:30. I want you back at 3:00.
(Brief recess)
MS. KLOSS: I am pleased to welcome Cora Han who has been kind enough to be with us on many past occasions. We appreciate you being here to give us an update on Federal Trade Commission and give us your thinking on health information privacy and security beyond HIPAA, so the floor is yours.
MS. HAN: Thank you for having me here today. This is a topic that is near and dear to my heart. It was my pleasure to be here. It has been an area also of FTC focus in past years.
So my name is Cora Han. I am an attorney in the Division of Privacy and Identity Protection in the Bureau of Consumer Protection at the Federal Trade Commission. Before I get started, I should say that the views that I am going to express here today are only my own and do not represent the views of the commission or any of the commissioners.
I thought I would give a very brief background of the FTC and then talk about some of our initiatives in this area. So with that, I will get started. So the FTC, as many of you know, is an independent law enforcement agency with the consumer protection and competition mandate. We are committed to protecting privacy and promoting data security practices in the commercial arena.
We do this through a variety of mechanisms through our law enforcement work, through policy initiatives, and those include reports, workshops and congressional testimony, and through consumer education and business outreach. I will talk briefly about all three of those things here today.
The area of consumer-generated information outside of HIPAA has certainly, as I mentioned at the beginning, been an area of FTC focus. For a number of years now, consumers have been taking a much more active role in managing their health data.
This slide just shows sort of one, two, three, four, five examples from apps that track diet and exercise, to wearable fitness devices to websites where consumers can research health conditions to social media platforms where consumers can discuss with others their conditions to smart watches, which include sort of all of the above. It is a robust marketplace that continues to develop. Some of these products are ones that consumers find directly and they use. Some are offered by providers, and some are suggested actually by people’s doctors, and then consumers will go on and use them themselves.
Since much of this activity takes place outside of a doctor’s office or other traditional health care context, it may not be provided by HIPAA. So that is one of the things that draws the FTC’s focus to this area. These products definitely offer numerous benefits to consumers in the form of increased consumer engagement in their health and fitness, reduced health care costs and improved outcomes. But they raise a number of privacy and security concerns.
So here are a couple of those concerns. First, I would like to talk about security. I think all of these are topics that probably have been touched on that we will continue to discuss later this afternoon. So certainly much of this information consumers consider highly sensitive and private. Data breaches and authorized disclosures can cause harm, including fraud and medical identity theft.
In addition, one of the things that is notable about this area is that data security vulnerabilities can in some circumstances cause physical safety risks. So at our workshop on the Internet of Things a few years ago, one of our participants described how he was able to hack remotely into actually his own insulin pump. Not on the spot, he showed how he did that in a different context, and changed settings, so that they no longer delivered medication.
Another risk is that I like to call the use and sharing of data in a way that consumers would not reasonably expect. So for example, here, you are using a consumer-facing app, we might not realize that if you are sharing your health information with that app, that it may not be protected in the same way that it would be if you shared that information directly with your doctor.
Yet another challenge is that of defining health data. I think this was sort of touched upon even as I walked into the room today. Not only is data information that is sort of in her health record, but it is also data that is collected by sensors, like your Fitbit for example. And it also may potentially be inferences that are made from other types of data that are collected about you.
So for example, your shopping habits, does that allow companies to make any inferences, for example, about what health conditions you might have or what sort of health services you might need. And the final one that I will mention here is the huge one of the challenge of providing notice and obtaining consent. So how do you do that when the screens that you have are either small, or they don’t exist at all? How do you provide clear disclosures to consumers and allow them, enable them to provide informed consent with these evolving products? I am sure that it is something that we will talk about more this afternoon.
So the FTC, we have a number of tools that we use to mitigate and address these challenges. I am going to start with our civil law enforcement. Our core enforcement statute is section five of the FTC Act, which broadly prohibits unfair or deceptive acts or practices in or affecting commerce.
So deception is a material representation or omission that is likely to mislead consumers, acting reasonably under the circumstances. So for example, if a company says we encrypt your information, and then they don’t, or the company says we won’t share your information with advertisers, and then they do, those are potential examples of deception.
Under the FTC Act, we can also bring a cause of action for unfairness, which is a practice that causes or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition, and is not reasonably avoidable by consumers. So even in the absence of deception, we may still bring an action if an act or practice constitutes unfairness. And among other things, we have used our unfairness authority to bring a number of actions against companies for failing to have reasonable data security practices.
So our section five authority extends to both HIPAA and non-HIPAA covered entities. There is overlapping jurisdiction. We have, in fact, worked closely with OCR in our areas of concurrent jurisdiction where appropriate. The FTC Act, it is important to note, though, is currently primarily the federal statute that is applicable to the privacy and security practices of businesses that collect individually-identifiable health information where that health information is outside of HIPAA.
I will sort of close the loop here by saying that we do have limitations to our section five authority. Generally speaking, our jurisdiction does not apply to banks, savings and loan institutions, federal credit unions, common carriers, air carriers or packers and stockyard operators. More important, I think, for this audience, our section five authority also generally does not reach non-profit entities or practices that are considered the business of insurance to the extent that such business is regulated by state law. That is sort of a legal standard that has some nuance to it.
To give you a sense of how we have applied our section five authority, I have listed some of our recent settlements here that I thought I would just touch on. The first is our settlement with Henry Schein Practice Solutions Inc., a provider of office management software for dental practices that misrepresented that its software provided industry-standard encryption of sensitive patient information when it did not.
The second one here is Practice Fusion, an EHR provider that we allege in our complaint misled consumers by failing to disclose adequately that physician reviews would be publicly posted. One interesting thing about Practice Fusion is that Practice Fusion actually did have a box at the bottom of its user interface, which indicated that if you clicked this link, which you didn’t have to, but if you did, it would actually lead to a patient authorization that was HIPAA compliant. But because the overall user interface was deceptive and actually represented to consumers that they would be sharing information with their providers as opposed to populating a public website, this conduct ran afoul of the FTC Act.
And then the final case I wanted to mention is our recent settlement with Vizio, which actually does not involve health information. It is one of our series of settlements in the IOT area. I thought it would be worth mentioning.
Vizio is a maker of smart TVs that misled consumers about its tracking of their viewing histories, which they then would sell to third parties. It called this feature smart interactivity, but the way it described it made it sound like it was providing personalized suggestions as opposed to what it was actually doing in terms of tracking consumer viewing activity.
MS. BEBEE: Can you share what the pain was, any penalties of those?
MS. HAN: Yes, absolutely. Under our section five jurisdiction, we actually do not have civil penalty authority, although if we have an order, and there are violations of that order, then we do have penalties on the enforcement side for that. We are able to get equitable remedies, though.
So for example, in Henry Schein, the company had to pay $250,000 as an equitable remedy. In Vizio, that was a settlement that we actually brought together with the New Jersey’s AG office. So the order included a 1.5 million payment to the FTC and an additional civil penalty to New Jersey, for a total penalty of 2.2 million.
In our settlements, we commonly have injunctive relief that includes, for example, if a case is involving misrepresentations, prohibitions against misrepresentations and then tailored to the facts of the case as well. And then, additional injunctive relief that may be appropriate depending on the facts and circumstances of the case.
Another common provision that we have in our data security cases, for example, is the requirement that a company implement a data security program and have independent audits of that program every two years. We require on the privacy side of implementation often of a comprehensive privacy program. Both of those programs are things that, consistent with our overall approach to data security and privacy, are things that should tailor based on the type of information it is collecting, its size and the complexity of its business among other factors.
So in addition to our FTC Act jurisdiction, we also enforce a number of sector-specific rules and statutes in the privacy and data security area. Most important for the current circumstances is our health breach notification rule, which is sort of a sister rule to OCR’s rule. Our rule, the FTC’s rule, is fairly narrow and applies to three types of covered entities, vendors of personal health records, which are consumer-facing entities that collect and manage and store from a variety of different places, consumers health information, on behalf of that consumer.
PHR-related entities which are entities that interact with vendors, and third-party service providers essentially to PHR-related entities and to vendors. Our rule requires covered entities that suffered a breach to notify everyone whose information was breached, in some cases, notify the media and notify the commission.
Most notably, the FTC’s health breach notification rule does not apply to HIPAA-covered entities, or to those entities who are acting in their capacity of business associates to covered entities. So it is more narrow in scope there.
Switching gears a little bit, I wanted to turn to two of our education and outreach initiatives. I absolutely agree with the commentary that I heard in my sort of first few minutes in the room, where people were talking about the importance of consumer education and business outreach. It is something that we try to do quite a bit at the commission.
One of our significant data security initiatives recently is Start with Security. The centerpiece of our Start with Security campaign is our Start with Security guide for business. This guide really follows in the footsteps of other data security guidance we have done.
But what it does that is, I think, different is that it synthesizes the lessons that we have learned from our enforcement cases, so it takes all of our data security enforcement cases and distills them down to 10 lessons learned about vulnerabilities that might affect a company. And for each lesson, the guide then provides a few practical tips on how to reduce risks for businesses.
I will, in the interest of time, run through these, but very briefly. The first tip is Start with Security, which is the idea that security needs to be factored into the decision-making in every department of the business, and recognizing that it is not just an IT problem. It is a problem sort of for the entire company all the way up to the highest levels.
Number two, control access to data sensibly. If employees don’t need access to sensitive data as part of their job, then there is no reason to give them access to it. Three, require secure passwords and authentication, sensible password hygiene is, of course, essential to protecting a system.
Four, sensitive information security and protect it during transmission. Five, segment your network and protect particularly sensitive data by housing it in a separate secure place on your network. Six, secure remote access to your network. Certainly mobile workforces create additional security challenges. It is important to ensure that endpoint security is in place because your network security is only as strong as the weakest security on a computer with remote access to it.
Seven, apply sound security practices when developing new products. This includes not only having developers use secure coding practices, but also to make sure that companies should be testing their security features and not just their product functionality. That is definitely something that we have sort of had cases about.
Number eight, oversee service providers, which includes not only having written policies in place, but also sort of verifying compliance. Nine, keeping current, ten is remembering not to forget about the physical world, as well.
And let me say that we actually have followed up our start with security with a series of blog posts called Stick with Security. Stick with Security is a series of ten blog posts that we started to roll out during the summer. I think one a week, and I think number eight is coming up on Friday. They come out on Fridays.
What they basically are is a deeper dive into each of the ten lessons based not only what we have done in Start with Security, but also taking a look in terms of fielding questions that we have gotten from businesses. And also thinking about not just the cases that we have chosen to bring, but also the cases that we choose not to bring. And so, there are additional hypos and tips in each of those blog posts.
The second outreach initiative I wanted to mention is our guidance for mobile health app developers, which is really sort of in two parts. The first part is something that we produced in cooperation with OCR, ONC and FDA, and is an interactive tool to help health app developers, so particularly the smaller health app developers, get a sense of what laws might apply to their app, including the FTC Act, our health breach notification rule, HIPAA and the FD&C Act.
And the agencies did this together because all of us were getting numerous questions about what laws might apply. Am I covered by HIPAA and the FTC Act? I am a device manufacturer. Am I also covered by the FD&C Act? So we put together a very sort of high-level tool, which is meant to be just a starting point for helping developers figure this out. What it is is a series of ten questions that a developer can sort of go through. It is like a choose your own adventure. If you answer yes or no, you will either be prompted to the next question, or it will tell you, well, you are likely covered, for example, by HIPAA. And then it will link out to a lot of resources on OCR’s website about compliance. So like I said, not meant to certainly answer all compliance questions, but meant to be a starting point for assessing these types of questions.
The second part is that I wanted to mention about our guidance for mobile health app developers is that for the FTC, what this tool ends up linking to is a set of best practices for mobile health app developers. So it is specifically tailored for mobile health app developers, both in the security and privacy side.
Then the third piece I wanted to mention here is our policy work. And here, I decided to mention and discuss our big data report, which was published at the beginning of 2016. It discusses the life cycle of big data, the benefits and risks, the potentially applicable laws and some research considerations. And again, I will run through this quickly in the interest of time.
But this report really focuses in terms of life cycles on use. So if you think about how data becomes big data, there is collection. There is aggregation. There is analysis. And all three of those things were discussed in our data broker report, and then you get to use. And what this report really does is it focuses on how to maximize the benefits of the use of big data, while minimizing the risks.
So here are the benefits. I will just mention the third and fourth one here. The third one is to provide health care tailored to individual patients’ characteristics. I think Stephanie probably covered the waterfront well here when she described the precision medicine initiative. And then the fourth one is to provide specialized health care to underserved communities. So if you are in an area, for example, where there may not be many specialty providers, big data can provide analysis that may be helpful.
But of course, big data analysis carries with it numerous risks. They are here on this slide. I won’t read through them. Instead, I will move onto the applicable laws and the research considerations. So there are a number of laws which have some applicability in the big data space, including the FCRA, the Equal Credit Opportunity Act and section five.
So to give an example from the section five context, we had a settlement a number of years ago where we included an allegation that although a credit card marketing company touted the ability of consumers to use the card for cash advances, it deceptively failed to disclose that based on a behavioral scoring model, consumer’s credit lines would be reduced if they used their cards for cash advances, or if they used their cards for certain types of transactions, including marriage counseling, pawn shops and night clubs. So the basic standard of deceptive and unfair practices can also be applicable in this area, as well, depending on the facts and circumstances.
And finally, the report addresses some research considerations for those companies engaging in big data analytics. There is the potential for incorporating errors and biases at every stage, from choosing the dataset to making predictions to defining the problems to be addressed to making decisions based on the results of big data analysis. So here are four questions to consider.
First, how representative is your dataset or does it, for example, miss info about certain populations, for example, those who may not have access to technology. Two, does your data model account for biases? Or does your model just reproduce existing patterns of discrimination?
Three, how accurate are your predictions? Just because big data has found a correlation, it does not necessarily mean that that correlation is meaningful. And then last, but certainly not least, does your reliance on big data raise ethical or fairness concerns? There certainly may be factors in algorithms that are useful. But it may not be ethical or fair to actually continue to use them in big data analytics.
We have a number of resources on our website, FTC.gov. Here are the ones that I discussed today. And because I know that this group also discussed consent earlier today, I wanted to highlight two also that were not on this list. The first is a reboot of our dot com disclosure report, also called dot com disclosures, which provides a lot of information about how best to disclose information clearly, conspicuously and concisely.
And the second is a short piece that we did in cooperation with OCR that has to do with if you are sharing health information, it is directed at businesses. Businesses should consider not just HIPAA, but also the FTC act. And with that, I will turn it over. Thank you.
MS. KLOSS: Thank you, Cora. We will pull up Jacki’s slides and hear about the cybersecurity taskforce.
MS. MONSON: When you talk about scary things, you include puppies and kids, so that it is not so scary. I am going to provide the background. I have the privilege of serving until June of this year on a HHS cybersecurity taskforce, focused specifically on health care.
So as you can imagine, for the last five years, cybersecurity in the health care space, specifically cyber-attacks that have been successful, has increased. Just this year, and we are not even through this year, a 500 percent increase has happened in cybersecurity attacks that have been successful.
And so as a result of that, the previous president and his staff created what they call the Cybersecurity Information Sharing Act of 2015. Specifically section 405 is relevant to this group, which is the one that required HHS to convene the subject matter experts as a part of this taskforce to look at cybersecurity in health care, identify the risks and figure out how we might actually solve it.
One of the things that we thought was really unique to health care is that we are focused on patients, and specifically the number one priority of health care is patient safety. But cybersecurity was never contemplated previous to probably the last couple of years as a patient safety issue. If you can’t protect the patient themselves who might have a pacemaker that could get hacked, or you can’t secure their information, you are not actually keeping them safe.
So this taskforce spent a year basically receiving and reviewing information from experts both in and outside health care, as well as the government, in order to establish recommendations and best practices. One of the things that I will just highlight is that this isn’t a government problem. Oftentimes when we were interviewing individuals, they often said that. It is actually an industry problem that was created that everybody needs to collectively work together to solve.
And so, our recommendations, which I will go through, really focus on that premise, that this isn’t just about what the government can do. This is also about what health care can do to solve it.
We use the term imperative. What imperative really means is a broad category by which we then underneath it have many recommendations. So I am just going to highlight the imperative, explain to you exactly what we are focused on, and highlight some of the key recommendations that I think are important. But that is no exception to actually reading the report, which has a lot of value and lots of recommendations.
So the very first one is to define and streamline leadership, governance and expectations for the health care industry related to cybersecurity. So what that actually means is stuff that we have talked about today, which is creating corporate governance structures for both industry and government at all levels that includes the creation of a cybersecurity leader role at HHS.
One of the things that we identified is that a lot of government agencies are busy trying to tackle cybersecurity, but there wasn’t one point of contact. And what is really important to that is having one point of contact for the public when we are trying to share information about what might be going on.
And then really to create a standard around cybersecurity framework. You heard me talk about NIST today. There are many other frameworks that could be used for information security. You heard her talk about what the FTC is recommending. What we are requesting is that we create one standard that everybody would have to follow that would allow everybody to be on the same page and the starting point as a minimum.
The last recommendation I will just mention is harmonization of laws. So I actually wrote that recommendation. When I was doing the research behind it, there were 2700 laws both at the federal and state level that applied to cybersecurity. As you can imagine, if health care has to comply with all of those laws, which I am sure many don’t even know that all those laws exist, it becomes really challenging to focus your resources on addressing the actual risk. So making sure that those laws and regulations are harmonized is really important.
So moving into increased cybersecurity and resilience of medical devices and health IT, I think we are all probably familiar with the fact that even five years ago, when we are adding new technology or making biomedical devices, we did not contemplate information security. We were interested in providing technology that met the needs of the patient and really, what the health care providers and others in this space want.
Now we are faced with this challenge of having to go backwards and back pedal and try to design information security. As you can imagine, you are building a house while you are living in it and it is very challenging. So basically that is really the focus of imperative two, which is to create security by design in any new technology that comes forward, and figure out how we can actually address the medical devices in health IT.
Today, medical device manufacturers are often really challenging to work with to try to figure out whether you can apply a patch to a particular medical device, and that it is actually going to be safe when it is implanted in the patient. And with these recent cyber-attacks, I can tell you that we are actually, as health care providers, living this every day.
We are trying to figure out whether we can implement a patch on a pacemaker for a patient, and what kind of risk that is going to take. And oftentimes, what we are told by the biomedical providers is just go put a new pacemaker in or buy a new radiology imaging machine.
As you can imagine, health care already doesn’t have money. So that is really not the solution to this. So what this whole recommendation does is it focuses on potentially areas where we might subsidize the ability to actually replace these devices and/or come up with other mechanisms to solve the security issues within them.
So imperative three is one that we have heard a lot about today, which is developing a health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. So you may or may not know that when I talk about cybersecurity, I consider it a narrow topic within information security that only certain individuals have the ability to actually know and protect an organization against a cyber-attack.
This workforce is very rare and actually hard to maintain in a health care space because we are competing with people like Silicon Valley who can compensate these individuals for that challenge. Our non-profit mission in health care is not something that interests much of these individuals who are coming out of the military or are millennials.
The prediction is that by 2022, there will be about a 100 percent increase in the already deficit in trying to obtain the talent that we need to protect them. Imagine if you are a small provider, and you are looking for one person that you can afford to do information security. Your ability to get somebody who can do just cybersecurity is slim to none because you won’t be able to actually afford them or convince them to move to Bismarck, North Dakota or wherever your small or medium provider location is. And so what we are asking is that we actually had the ability to develop programs to build this workforce capacity because it is truly not something that you can just learn overnight.
And then the other area is really to just build awareness around cybersecurity. Today, I could have a phone call with a patient, and they are complaining to me about encryption because it takes too long for them to get this encrypted email. And so they essentially just want me to allow the provider to send them all their patient information without encrypting it.
Fortunately, I had a little chat with them and explained to them what risks that might be to their information. Suddenly, they have changed their minds about wanting to continue with the encryption and are okay with that gross inconvenience. But because we don’t actually explain that to patients in any regard, they have no idea what data might be at risk. They only know what they hear in the media. Today, as every day, it is all about convenience. If we are inconveniencing them, but we are not explaining why, it becomes challenging for them to actually appreciate that and help us.
So this imperative I won’t spend much time in because it is similar to the last one, which is to increase health care industry readiness through improved cybersecurity, awareness and education. It is much like the last one, which is empowering employees to understand what good cybersecurity hygiene is, helping them not click links in an email that might subject your entire organization to a cyber-attack, and suddenly your IT infrastructure disappeared. And also then the education to the patients.
Imperative five is to identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure. And this is actually how cyber-attacks originated in health care is they focused on pharmaceutical companies, or they might have focused on big research institutes where they knew that there was valuable data. So in some cases, the cyber-attacks aren’t necessarily just an inconvenience to obtain money. But they are actually interested in the intellectual property.
And so what has happened is these pharmaceutical companies who are an inch away from a formulary that could potentially solve a cure for something is that maybe the Chinese government shows up at the same formulary two weeks later because they cyber attacked that system and took that formulary. It is a very real issue for the pharmaceutical companies and for research. There is not really a good way today that even the frameworks that are available contemplate protecting research and intellectual property-type data. Yet, it is really important to health care and to our patients.
Imperative six, improve information-sharing of industry threats, risks and mitigation. So this goes back to imperative one where we talked about having a central point of contact at Health and Human Services to facilitate with industry. There hasn’t been a good mechanism to actually share data outside of the private sector where we might participate in data-sharing organizations.
Think about if you are a small or medium provider that doesn’t have the ability to subscribe to that data. Or if you do get that data, you have no idea what it means. You don’t even know where to start with, how I might implement a patch or how I might actually secure that biomedical device that might be at risk.
And so what we are recommending in this imperative is to figure out a way to do more information-sharing, allow the private sector to get some security clearance, so that we can get this threat data a lot quicker. There are a lot of mechanisms right now to get the data within the government, but there is not a lot of mechanisms to quickly share it.
Even seconds are really important in the cybersecurity attack to shutting it down and making sure that system isn’t impacted, which we learned from this summer with the NotPetya issues that we had for anybody that was in cybersecurity. If you were connected to one of those vendors or health care organizations that was impacted, if you don’t shut that link down very quickly, your technology and system could quickly also be impacted by that, so it has a domino effect. Interoperability is really important in health care. But with interoperability created this connection to all of health care. We are not protecting it in a way that we need to protect it. That creates risk. Really, we don’t even have the ability to truly mitigate it.
And then as I mentioned the small and rural organizations, we care about that and need to focus on them because, as I mentioned, if they are the ones that are subject to a cyber-attack, they might not even know today that they have had a cyber-attack. If they are connected to Sutter Health, that is going to be an issue for Sutter Health, as well. Obviously, the domino effect keeps going.
And so what we recommended within this imperative is that we find a way to not only get that intelligence data a lot quicker, but make it meaningful for these small and rural organizations, so that they can look at it and say, oh, I know exactly what I need to do with this. I can tell you today half the intelligence that my team gets, I look at it and I don’t have any idea what to do with it. Fortunately, I have experts that do. But we need to be able to distill that information to help these small and medium-sized organizations that don’t have the ability to hire those experts on the team.
And that is really it. That is the focus of the cybersecurity report. You heard many of the things that in what I just said from many of the individuals that were talking today as ways that we really need to solve it. As I mentioned before, this isn’t a government problem. This is the industry working together with government to try to solve it. Each one of these recommendations are important to being able to do that. Until we do that, we are going to continue to hear in the media about the latest cyber-attacks and how it actually impacts patients.
PARTICIPANT: What is happening with the recommendations from that report? Where do they? Who is charged with making it happen?
MS. MONSON: The report was given to the President and Congress. We haven’t seen a lot of focus honestly and movement in this area, mostly because they have been focused on health care reform. So there hasn’t been, in my opinion, enough attention around this.
I know that HHS is doing some things, and they are having some conversations about the head of security that would be in that department to pool all of the government agencies together. But beyond that, we haven’t had a lot of conversations with the government at all about this report from the taskforce perspective. We have only been conversations with the industry on how we might solve it. And as a result of that, it hasn’t gotten the attention that it needs.
DR. ROSS: Is that also tied or linked directly to a broader governmental cybersecurity effort that Homeland Security runs? Or are these completely separate disjointed efforts?
MS. MONSON: So there were many government agencies that were involved. That was one of the things that we identified is when we interviewed them, we asked them who is on first, as far as who is in charge in leading a cybersecurity attack. They all said, we are. So part of the challenge with that is that there really was nobody on first, which is back to that recommendation that Health and Human Services to add a cybersecurity head is that they are all doing great things.
But even between agencies, they are not sure what is going on. I experienced that just at a healthcare organization when we are reporting cyber-attacks to the FBI. Often they don’t even know what headquarters is doing. So part of that information sharing is really important to solving this broader cybersecurity issue.
DR. COHEN: Cora, what levers would you like to have that you do not have?
MS. HAN: I will say that the commission has long asked for baseline data security legislation across industries. Also, the commission has also, I think, numerous times asked for civil penalty authority. In addition, I think that in our Internet of Things report in our recommendations, the majority of commission also thought that baseline privacy legislation would be a good idea, not something that is Internet of Things specific, but actually something that creates a baseline.
DR. STEAD: In the taskforce, did they speculate on what the best effort achievable timeline might look like? This problem is big, and it is getting bigger. Did you think about what it would take to get to where the improvements would happen faster than the problem, than the gain in problems?
MS. MONSON: Yes, we absolutely did. With each recommendation, we advise them what needed to be done and how long we think it would actually take them. Like for example, the harmonization of laws, that is not going to happen tomorrow or any time soon, so that is something that we recommended they create a taskforce to actually focus specifically on that. Whereas other things like cyber hygiene and education to workforce is something that would be of higher priority. That is something that is actionable today.
DR. EPSTEIN: The only comment I wanted to offer is with respect to Jacki’s comments about training and workforce. There was an executive order, when was that about four months ago, something like that, on education workforce. I was part of the group that is responding to that. We have been discussing a lot about how to address the specific problem you identified, that a small organization in Fargo, North Dakota, can’t effectively lure a cybersecurity expert. How do we address that part of the cybersecurity challenge. I think a lot of people are thinking along the same lines as you are. None of these are easy problems to solve.
MR. COUSSOULE: The presentations were excellent. I have the good fortune or misfortune, depending on how you look at it, of also being responsible for the security function of my company. One of the challenges I think we have historically looked at security and cybersecurity as a pretty binary thing. Something is either good or bad. If it is good, you can do it. If it is bad, you can’t do it. It is not possible to view it that way.
It is really more of a risk management exercise and not a cybersecurity exercise from that perspective. And so, as you were going through the exercise, and most of your recommendations, they are scaling. They are not do this or don’t do this. They are binary. Even with some of the things you talked about from the FTC, it is how do you view and communicate that this is in fact a risk management exercise, and not necessarily a binary security good or bad exercise.
MS. HAN: That is a great question. As part of our Start with Security campaign, which was primarily aimed at small and medium sized businesses, we did also a series of workshops around the country. One of the workshops that I worked on was in Chicago. I worked on a panel about creating a culture of security. This was a sort of recurring theme.
The participants on my panel all strongly recommended having it be a sort of not an us versus them, not an IT versus employee, but something wanting companies to create a culture where people felt comfortable sort of raising concerns that they might have about security vulnerabilities or noticing issues that might exist in the company, and not feeling like that would either create stigma or that they would be considered bad for doing it. It definitely is something that is risk management, and it is helpful if sort of everyone in the company sort of treats it like that or recognizes, okay, just because I failed this training exercise, that doesn’t make me bad.
From an enforcement perspective, I think looking at that question, we definitely take the view at the FTC that just because you have had a breach, that doesn’t mean that you have faulty data security. Breaches definitely happen. What we are looking for is really like taking into consideration the size and complexity of your business and the type of information that you collect, you know, are your practices reasonable?
DR. EPSTEIN: A couple of years ago, I funded a project out of the University of Texas El Paso to study what small and medium businesses are actually doing for cybersecurity and how it is actually affecting what they do. The corner pizza parlor can’t afford to have a full-time cybersecurity person. They may not even know what a cybersecurity person is most likely.
And so addressing that issue is a big one because although pizza may not be a primary health care concern, unless you eat an awful lot of it, the mom and pop health care provider does exist in very much the same way. My dentist does not have the expertise to decide what a good, from a security and privacy perspective, provider is of medical records processing and insurance processing. They just have no idea of how to look at it. So someone has to give them the advice, or they will make a bad choice. They will hire the same guy as the pizza parlor.
MS. MONSON: So in the taskforce report, we actually did contemplate this. What we came to the conclusion about is there needed to be a baseline. You have got the dental practice who is not interested because they are just going to take the risk. Whether they even know they are taking that risk or not is a different question. The vendors are in that same space. We see them often taking all the risks. Part of that baseline is the cost of doing business in health care because we have to have minimum protections to patients.
And then from that, I think it goes up to the risk management, risk analysis approach to once you have the baseline, and how do you actually operate. What we found is that most of health care is so focused on all the regulations that they don’t even get to the risk management and risk analysis approach to things.
It is either they don’t have a baseline, and it is all or nothing, or when they get to that baseline, they are so worried about the reputational impact to the regulations, that is much of their focus, versus evaluating what is actually going to benefit protecting the patients and their data from a risk management and risk analysis standpoint. We all know that when everybody gets to baseline, you will have to have that conversation because we are never going to be in a position where we can 100 percent ever secure patient data, so that nothing can happen to it because there is nothing that is foolproof. And if that were to happen, health care would be completely broke even more so than now because it would cost hundreds and millions of dollars. Today, that technology doesn’t even exist.
MS. KHATIBLOO: Can I make one more point on that topic, which I think is relevant, and less about security and more about the sort of training, and how do we help the smaller providers and the smaller practitioners. We talked a bit about the sort of consumerization of health care, such that there are people posting in Facebook groups or tagging a medical practitioner’s office in a post about a complaint of an experience they had or a misdiagnosis, and being really furious that that health care practitioner won’t respond publicly.
That practitioner knows that they can’t and, in some cases, may not know and may respond. I think this is another layer to add to the challenge that we face is not only is it about the people, but it is about the training, and it is about helping the smaller practitioners understand that the rules really do apply to them. The rules are set up to protect people.
DR. RIPPEN: Many years ago, the issue of cybersecurity came up at a congressional level with representatives from all the different sectors and the vendor community, so it was power and chemical industry and energy and all the rest, and big businesses that were online, like Walmart and things like that. The big discussion about ultimately the cost of actually providing security, and the big question about who plays what role. We know especially with medical devices, that if you don’t design security with security in mind, your device or your software is probably going to be at more risk.
At that point, the software industry pushed back and said, well, it will be too expensive for us to build in security. So you have to all pay for it and do your own patches and everything else. So it has been a while ago. You were talking about the vendors were doing the heavy lift. So I guess has there been a change that vendors now are being more responsible in how they design? Or are we still at the same point, do we think, as it relates to the vendors?
MS. MONSON: I will give you an example. I am not going to name the big vendor. I had a vendor recently that I was in a conversation with. It was related to biomedical devices. They said we would like to remove this device from your cold dead hands because your organization has been using it for the last 25 years, and it is time. And I said, I can’t go to my CEO and ask for $200,000 to replace this because it doesn’t contemplate security. I need you to help me find a middle ground. There was absolutely no interest in doing that.
Now, that is not every biomed or every vendor by any regard. But I would say about 10 percent of the vendors in this space are great to work with and really cooperative. The rest of the 90 percent are things that I battle in my job every single day and having conversations to try to get to some middle ground of accountability. It is just not there. They really want to push that burden on health care providers. There is no money.
DR. RIPPEN: So are they using security enhancements as kind of the reason to push you to buy new product?
MS. MONSON: Yes.
DR. EPSTEIN: I think I would say from my experience that vendors are doing better than they used to, but the risks have also gotten worse. They are running faster, but they are not catching up.
MR. COUSSOULE: From my perspective, they are getting better certainly at the new things. The problem is there is a huge base of not new things that still exist and likely will for a long time.
DR. STEAD: I wanted to know whether sort of my worst fears in this space are reasonable. I grew up and was early in my medical career when what we now know as HIV began to emerge. We started having deaths that we didn’t understand. We began to identify populations. We eventually began to figure out the virus mechanism of action, ways to treat it.
My fear is that people think of cybersecurity as something we can recognize. The system goes down, we know it is down. It may take us a week to put it back up. But imagine that we begin to get epidemics of drug reactions and morbidity and mortality that actually result from malicious modification of information in subtle ways that are not observable. I think that is the real risk.
I am glad that the taskforce labeled this as a patient safety issue because the first time I actually heard that clearly enunciated was two to three years ago in a National Academies workshop when we really began to say, this is how we need to be talking about it. It is really around this idea of unrecognized change in the information in a way that subtly begins to create epidemics of one sort or another.
If that is what we are facing, then I think we need to begin to figure out how to enunciate that and to begin to think about what are the interventions that, in fact, could be broadly applied. Frankly, the interventions that can be broadly applied are going to have to be technical. People are people. It will take too long. It gets at things like how we watermark, et cetera, key information.
I don’t know. I just wonder if I am right about what the 9/11 or the Katrina or the HIV epidemic in this space is going to be. But I think we need to think about realistically ways that we can address it, or might be able to address it, in time to make a difference. But maybe I am wrong about what the biggest concern is. But I think I would like to know what people think.
MS. MONSON: I think we are already in that space as far as the epidemic. I will give you an example. The largest transcription vendor in the country was impacted by a cyber-attack over the summer. The largest health care systems in the country, I think eight of the top ten, used that vendor because it is the only vendor in the space that can produce the level of transcription services that is needed by those large health care providers.
That cyber-attack took down the entire IT infrastructure for that particular company. So these hospitals and health care organizations were out of transcription service and trying to figure out plan B while they built their infrastructure. So as you can imagine, for patients that are transplant patients or patients that you immediately need that type of data to quickly be able to treat that patient, it wasn’t necessarily available.
A lot of the providers were so used to using dictation as the way to transcribe that they didn’t know how to go back to the old environment after we pushed all that technology on them. That is a huge patient safety risk. I know at some organizations, it actually did impact patient care because they didn’t have the right medication list at the time when the patient is being treated.
As you can imagine for transplant patients, every report, every hour is really important to providing the best care to them. When you are not getting those real-time because there is a lag time of weeks to get that data, and nobody knows how to write a note again, it is very challenging. That is what we have been living for the last eight or nine months, which to me is as serious as you can get. It was in the United States.
DR. STEAD: That is different. They were one of our vendors. We were able, in about eight hours, to persuade our other vendor to provide us real-time backups. We knew we were down, and we had a way to go after and fix it. We may have been more lucky than others in how to do that. That is different than malicious, surreptitious modification of information in ways that it is not observed. That is a system availability risk. I get how big that is, but we knew it. I am even more worried about things that begin, that in essence act as if they were biological viruses.
MR. COUSSOULE: Again, I can’t give you an example specifically that is impacted directly to patient care. But if you think about even some of the breaches that have happened, some of the activities that have been recognized, in a lot of cases, the recognition is very long after the fact of the occurrence. I think that is the bigger risk. I think that is what you are getting into a little bit is a system down situation, those are very easy to understand. They may be complicated and difficult to fix. They may have an impact, but those are easy to recognize. The invidious ones that you don’t see for a long time, and don’t recognize, and we could make up any number of doomsday kind of scenarios.
I think there are probably a lot of them that are very real. I think that sometimes, you sit back and think of this catastrophe, everybody in the world dies. No, it is not about that, but it is something bad happening that could impact lots of people that you just don’t see until it is too late.
One of the challenges is we tend to focus oftentimes in the security realm on building the wall kind of bigger and higher and thicker, et cetera, to stop everybody from happening. We are spending more and more time, and I think this is industry wide now. We are spending more and more time on trying to identify when something bad happened as fast as you can to make sure you mitigate the risk and the downstream exposure to it.
So not only are we talking about the preventative side of the security and risk, but we now talk about the detective side to recognize when something, in fact, bad has happened. That is a very different way of looking at the world that way.
MS. MONSON: Your example is more likely to actually come from an insider, who has the privileged access to those accounts where you wouldn’t figure that out ever until something bad happened.
DR. RIPPEN: With regards to your point, as far as data access and manipulation, if you can access databases, some of the more sophisticated things like encrypting an entire dataset, you could actually match it to if you can get to the encryption level. So I think that what we are talking about is a broad range of things, right?
One is the malicious that modifies, and you don’t know. But there could be the malicious that are waiting for an opportune time. There is denial of service that you may not really know. Like you may have ordered a lab, and you don’t know what the lab is. You can shut down services, transcription. You can get rid of major databases. So there is a wide variety of things.
And now with consumers and all the devices, some of which are medical that people bring home, you are talking about even more challenges. Now treatment like the pumps and giving people shots, even though they may not have AFib, lots of really bad things.
MR. GELLMAN: I wanted to tell two quick Washington stories that may affect your deliberations just generically. One is 40 years ago, I was a House staffer working on a health privacy bill that ultimately never passed. I get a call from a Congressional office. The staffer says, my boss saw a TV show last night where an eight-year old girl hacked into a hospital computer and killed a patient. He wants to introduce a bill on that.
And I said, well, that is fine. I said, but that is not really a serious problem at the moment. There just wasn’t enough technology. It was a TV show. I said, here are a whole bunch of issues that are really current and really active. I said, does he want to deal with the fake thing that he saw on TV, or does he want to have a bill that deals with the reality of what is going on in the world? She calls me back the next day and says, no, she wants to deal with the TV show.
Second story, there have been bills floating around Capitol Hill for many years trying to set up a data breach standard for the country, for everybody. There are a lot of issues in that state preemption or whatever. While this has all been going on, 48 states have passed data breach laws. So why hasn’t the data breach, why couldn’t the feds ever do it? Because no committee was willing to give up enough jurisdiction to another committee to allow this to happen. So if you are looking for Congress to do something on cybersecurity, you have got a zillion committees involved. It is really hard to do.
On the other hand, this isn’t a Washington story. One of the things that has happened over the past 15 or 20 years is you look around, and there are an awful lot of chief privacy officers in companies. There is no law generally that says they have to do this. I mean, we do have this to a certain extent under HIPAA. But a lot of other companies are doing this. They just did this on their own because they saw a need for it.
And whether the CPO movement has really advanced privacy effectively or not is a different question. But it has certainly taken steps in that direction. I am not sure what the bottom line here is. But getting solutions out of Washington can be really hard. That is not to say it is impossible, but it takes a long time. The stars have to be aligned. Sometimes solutions come from other places.
DR. EPSTEIN: If I could also comment sort of along the same lines, I have been involved in more meetings than I can count where somebody has said, we need a cyber NTSB, National Transportation Safety Board, or we need a cyber CDC, not Control Data Corporation, the other one. And the problem is nobody wants to pass legislation that would give the control to have those centralized investigations that are necessary.
Also worth noting, FBI stats show that a typical breach is found 90 to 180 days after it occurs. So by the time you know it, you are long gone.
MR. COUSSOULE: Is that found or reported?
DR. EPSTEIN: That is a good question. I think discovered.
MR. COUSSOULE: And reporting requirements are different based on what part of the world you live in, industry.
DR. ROSS: Just quickly to follow up, in these discussions, they raise the issue, you made the analogy to the Centers for Disease Control. We have there the EIS, the Epidemic Intelligence Service, to basically go out and investigate the outbreak, understand it. That was, you say, proposed and people shot it down. Nobody wanted to even say a group could be charged with.
Take the CDC. Maybe this is the reasonable analogy. You may not know. Because state law governs public health, the US CDC cannot go do an investigation unless the state asks them. But what they do have is the capability that when asked, which is now almost always, to go send people who are reasonably qualified, but they are trainees, learning the ropes, but supported by the entire agency when they go out and do these investigations to do them. Was that model really explored and just rejected?
DR. EPSTEIN: I would say it has been explored at a 30,000 foot level, but never really in more detail than that. It is one of those things that makes a good headline, but there would need to be some significant policy changes for it to actually happen. It wasn’t specific for health care security and privacy. This was more broadly across the economy.
MS. KLOSS: In this world of cybersecurity, you wouldn’t want it limited to health care. You would want it broad. That is an area where you would really need to depart from HIPAA.
DR. EPSTEIN: Industries are not that vertically separated anymore. A breach of health care might also be a breach of financial or a breach of manufacturing or whatever. You can’t say this is the scope. We are only going to do this part of the puzzle.
PARTICIPANT: Has OCR looked at that?
MS. GARDNER: I think that Jacki brought up a really good point earlier about the challenge of hiring and finding and recruiting good CISOs. Really difficult for even us within OCR, to be able to hire in the type of people that we need to be able to provide subject matter expertise to our investigators, especially on these large-scale hacking ransomware cases. You really need to have your pulse, the kind of security ecosystem. And very few people have that expertise in there and they are eaten up by Silicon Valley and other people who can better afford to pay them.
MS. KLOSS: Do we have any questions from the phone? If there are no other tent cards up, then I will make a couple of comments. In this environmental scan, we targeted six areas, big data and expanding uses and users, cybersecurity threats and approaches, personal devices in the Internet of Things, laws and other domains, evolving technologies for privacy and security, and evolving consumer attitudes. So we really have touched on I think five of the six.
We haven’t really talked about evolving technologies for privacy particularly. We have talked a little bit about security, but for privacy, you know, it seemed when we planned today, we said we could hold that back and focus on that as a next step. I put this question for the committee and our experts here. What else should we be learning about in these six areas? We are launching an environmental scan. We certainly will do a literature review and look at all of the good reports and recommendations that have been done in these areas. But where do we have a blind spot?
DR. ROSS: I haven’t heard the term today, and I don’t know whether everybody knows it, and therefore it wasn’t said. But are folks familiar with the term differential privacy? Yes? Okay.
MS. BERNSTEIN: We have talked about it in our de-identification hearings. We did have some people who came to talk to us. If you were participating in that, we sort of talked about the difference between the kind of traditional, I think of it as the Census Bureau way, the statistical agency’s way of manipulating or perturbing is the right word data to protect de-identification, as opposed to the developing computer science I think of as sort of the computer science camp way of doing privacy.
And this committee made some recommendations about promoting the science of de-identification in different ways, and having people learn more about differential privacy. I think as you hear from those around the table, it is not something that is like engrained in us that we understand what that is, what it means, how it affects the landscape that we are talking about. What were you going to say about it?
DR. EPSTEIN: I don’t know how much of the concerns, I mean, much of the concerns that you are talking about here are protecting individual health care information. That I shouldn’t be able to see yours, and you shouldn’t be able to see mine. But differential privacy doesn’t really do any good for that.
What differential privacy does is it allows injecting carefully calibrated noise, such that you can get useful information, but without being able to figure out information about an individual from that statistical summary. I don’t know how much of that you consider within the scope of this committee. I think you already covered that through your de-identification committee.
MS. KLOSS: In the de-identification work, we certainly raised more questions than we answered.
DR. EPSTEIN: I would encourage you to consider inviting Simson Garfinkel from Census.
MS. BERNSTEIN: That is true. We were thinking in the same way that this committee is thinking, which is great to know that it sort of confirms that the committee has been on the right track.
DR. EPSTEIN: There is also a program that I ran for a year at DARPA called Brandeis named for the Supreme Court Justice obviously and privacy advocate that is developing technologies around not just the sort of things we are talking about, but I mean a wide range of privacy technologies. It might be worth inviting someone from DARPA to talk about the sorts of things they are doing. They are not applying it specifically to health care. They have a couple of other use cases, but it might be worth inviting them in.
The guy who started that program, who is no longer at DARPA, is named John Launchbury. John is extremely knowledgeable in this area. I don’t remember. For some reason, I am blanking the name of the guy who is running the program now.
MR. COUSSOULE: One of the things we haven’t really talked about as part of this, we talk about a number of different areas to be considered. But we really haven’t talked about kind of the response side of the security event. I don’t know if that is something we would want to look at at all. So what are best practices, capabilities, about responding to some kind of a discovered event. Not sure if that is something we would want to take, but it is something we might consider.
MR. GELLMAN: I just wanted to kind of reform your question, refocus your question a little. For those of you who are actively working in the health space, what do you hear from colleagues about what would be an easier way to do something? What can’t we do because of some restriction on HIPAA? Some kind of wish list that people may have developed, anything along those lines might be useful in this context? You either can respond here, or take that as homework and let us know later.
DR. RIPPEN: We are also going beyond the traditional datasets, right?
MR. GELLMAN: Understood, but I am just looking. It might be a symptom of something that we can deal with.
DR. ROSS: I work in global health, which means the US, but all over the place. One of the things we have been doing for the last few years is a partnership with Gates Foundation is working on child mortality surveillance. In the course of setting up the whole protocols for surveillance for child death and severe illness, we had to establish the information protocols. By accident, I have to admit, we relied upon our university, Emory University, systems which turned out to be all covered under HIPAA.
Long story short, it led to us having security and data access, data privacy protocols as the foundation for what became the technical architecture. We have now been thanked by multiple countries that we are giving them the benefit of control over how their countries’ data gets captured, stored, accessed, used. We never would have thought that HIPAA would have turned out to have a global benefit.
But we have actually stumbled not helping other places. We are talking about developing countries see that there is maybe a logical smart way forward in gathering data. That is the conclusion I did not think I would reach three years ago when I was horrified to learn that we had to do our global health project in accordance with HIPAA. I thought we were going to die when we heard that, but it has worked out actually to everybody’s benefit. So maybe the progress we are making here can actually have a spillover benefit in a lot of other countries. Just a comment.
MS. KLOSS: Well, it does underscore the recommendations we have heard as kind of building these things in at the front end. That is some of the problem we have is that we hobble these governance mechanisms onto the backend of endeavors.
DR. ROSS: We had the luxury of starting with what data you want, why, who controls it, all that, and building the architecture from that, rather than trying to reverse it.
MS. HINES: I am wondering whether we should capture your experience as a case study as part of that report. I don’t know. It actually seems pretty significant. It is just an idea.
MS. KLOSS: We feel so bad about what we have accomplished, how far we have got to go. We have got a lot in place.
DR. ROSS: That was the point. We accidentally brought very useful constructs to the visibility of multiple countries.
DR. STEAD: I think that was the key piece there. You brought that construct to your architecture. You didn’t add the construct afterward. I think the case would have two purposes.
MS. KHATIBLOO: There are two things I might sort of lob into the center of the conversation as you deliberate and discuss what the future HIPAA looks like or could look like. The first is I heard a lot of talk of consent and very little talk of choice. Cora, you brought the concept of choice to the table. I think it is a useful distinction and a useful way to think about uses of data, collection of data, not being purely a notice and consent mechanism, but a notice and choice mechanism. And this may be particularly useful as you think about the classification of data recommendation. So that is one thing I thought I would mention.
The other thing I thought I would mention in the context of big data and algorithms and machine learning and AI and all that stuff is the gaming aspect. I will give you an example that is not health care-related, but pretty fascinating. It turns out, according to one of the big three credit bureaus, that buying floor protector pads is an extraordinary predictor of credit worthiness. So you buy the pads that go underneath the furniture, and you live in a hardwood house, that single purchase is a strong correlation and strong predictor. They can use that information to give you more credit.
The same holds true, and the same examples can be made within the health care field. How can I game my data to make it look like I am having a better or a worse outcome. I would encourage you, as you think about big data and algorithms and these topics, to consider the inverse side where patients may actually be gaming their data, as well.
MS. GOSS: It is particularly relevant when you think about the whole wanting consumer-directed information. We have really put a big push on that as far as our quality payment programs and engaging the next wave is, okay, we have got the providers on board. We have got the IT infrastructures. You have got all the concepts we need to be living under.
How do we then get the consumers engaged in all of this? Ultimately, it is their health and well-being that has to be engaged. They have been a big missing part. And so now, that olive branch of give us your consumer-generated data is being advanced under federal programs.
MS. KLOSS: Would you recommend that we take a look outside the US for models? You mentioned the European privacy.
MS. KHATIBLOO: I do think the data protection regulation has some interesting things. You were talking about chief privacy officers. For example, that requires data protection officers. But it does things like protect against whistle-blower scenarios and provide for whistle-blower scenarios under data protection law. It requires that the data-protection officer be given actual enforcement authority within the organization, and not have conflicts of interest. I do think that is a really interesting place to look.
But broadly, most of the really innovative and interesting health care things that I have seen are happening in the really small countries, where they have got a single identity scheme, a digital identity scheme throughout the country that works really well, and people bought into it. We can all name off the Scandinavian countries where that is happening, right? I struggle to see a ton of great precedents or examples.
MS. KLOSS: Well, this has been a great launch. We have covered such a broad range of issues. You have just really helped us, all of you, the invited guests and our committee members for being so engaged. Thank you very much. I turn the podium back to our chair.
DR. STEAD: And a special thank you back to Linda and Maya and Rachel, the whole privacy and security co-conspirator group. Thank you very much. This is a job well done. Thank you to the panelists. It has been extraordinarily helpful. Bruce and Dave, do you want to bring us home with thoughts on next generation vitals?
Agenda Item: Follow Up on Next Generation Vital Statistics Sept 11-12 Hearing
DR. COHEN: It has been a long day. We will try to do this expeditiously. There were so many of us around this table that were at the last two days of hearings around vital statistics, so please chime in with your comments.
So first, I have got to thank Kate and Rebecca for getting together an incredibly extensive and broad array of experts who share their perspectives with us. It has been a phenomenal several days. The second piece for me is I really appreciated how many committee members came these last two days. It is an incredibly long week when we have four days. But your commitment really is what made the experience worthwhile for me and I think for everybody. Your different points of view really added to the discussions. So thank you all for coming.
The bottom line was I think it was an incredible learning experience for everybody, not only the committee members, but a variety of folks in the audience came up and said, I never really appreciated, and then fill in the blank. We covered a lot. There were lots of very thoughtful presentations and comments and interactions around these issues.
MS. HINES: For those who weren’t here, the Surgeon General even showed up when he found out this was going on, and he is in the building. That was really kind of cool. He had some interesting insights.
DR. COHEN: The objective was to identify the elements of vital stats, describe what the situation is, turning out to be a lot more complex than many of us realize not only around the collection, but understanding the uses of vital statistics. Assess its current status and consider where we need to go to protect and improve the system. Lots of folks there, our federal partners. We had a great representation of a variety of folks from the states, county registrars, hospital folks. I thought it was fantastic that we had medical examiners and coroners very active in the conversations. A lot of times, they are left out.
NAPHSIS, National Association for Public Health Statistics and Information Systems, NAME, National Association of Medical Examiners, International Coroners and Medical Examiners, National Funeral Directors, American Immunization Registries, AMCHP, the Association of Maternal and Child Health. We also had commercial users who added very much to the discussion. Robert Wood Johnson was there, over 40 presenters and a bunch of other folks in the audience, and the new Surgeon General.
So again, this is just a high-level summary. The findings were the incredible multiplicity of uses of individual birth and death certificates. We focused on that, although issues around fetals, marriage and divorce also came up. Birth certificates certainly populate a variety of public health and other data systems. They initiate enrollment. It was very interesting to hear from the Department of State around the importance of establishing and conforming identity.
The use of the death certificates and the significance and focus on identifying the fact of death rapidly when someone dies, it really surprised me how there was many of the presenters identified rapid identification of the fact of death is an issue for them, whether it was the research use or in the commercial use. Those were individual uses of vitals. Certainly the aggregate vitals data was described in a variety of manners, the mortality data and the birth data is extensively used for a variety of issues.
I wanted to focus more on this. We tried last night to brainstorm what we thought were some of the themes and some of the concerns. I want to run through these quickly and open it up for discussion for those folks who were there, if you feel that you want to add things that we need to consider. I want to end with a brief discussion. I want to hear from folks about where they think we should be going given the extensive two days of hearing.
So the general concerns were for timeliness, accuracy, completeness, the variability in data collection across states, and concerns about how vital statistics data get linked with other data sources, or births and deaths get linked for program planning, evaluation and epidemiologic research. I guess from the state perspective, it was really important to describe how complex the system is and how it relies on individuals who initially have very little training and are paid very poorly, who grow into this field.
The data that bubbles up is used by everyone relies on some very basic inputs and vital registry offices. I thought understanding the difference between vital records functions and customer service versus what we traditionally here are concerned with, which is vital statistics, was an important point that we need to consider as we move forward in making any recommendations.
A frequent issue was there are plusses and minuses to the federated system. The plusses are the folks on the ground know the data and work with folks, and can get the information best. But the minus is there are 57 different sets of regulations and state laws that affect the ability of the jurisdictions to provide those data in a consistent timely fashion to the feds for compiling the data that we need. Not only compiling the data, but state and local laws prohibit the use for many purposes that researchers and policymakers and commercial users would like to use the data for.
The other key issue was understanding the funding for these systems. It was clear both the jurisdictions and the feds recognize how these systems are really under-funded in a severe way. If we are concerned about the fragility and future of the system, this needs to be addressed. The states also talked about increasing demands and a lot of unfunded mandates that get put onto them without any expansion of funding for those unfunded mandates.
The loss of the Social Security Death Master File as a way to rapidly identify individuals who die is a real issue for researchers. The cost of the National Death Index is a real issue. Other issues that were identified. Certainly in this day and age, there are five jurisdictions that don’t even have electronic systems for submitting death data. A lot of the other systems are partially paper. We didn’t even get into that.
The lack of ability to create these integrated systems and the constraints for connecting birth and death information to other systems was clearly noted as a concern by a variety of federal data users. It was the Census and SSA who were interested in not only birth and death data, but made compelling arguments for the need for other kinds of data around marriages and divorces.
So this is some of the bullets that we tried to put together from yesterday afternoon’s I thought very interesting conversations, both the panel and the round robin from committee members about some of the themes. Bill was a champion of thinking about decoupling the statistical information of the statistical and medical information from the legal data as a way to move forward to provide greater access. I mentioned marriage and divorces. Is it worth thinking about access and use of the data from the perspectives of access to individual records versus increasing access to aggregate data.
The birth and death systems are very different. The birth system is a lot more advanced in terms of electronic transmission and being hospital-based. The death system still relies on funeral directors as a key point of entry with supplemental information provided by physicians. Should we be thinking strategically about making recommendations or moving forward separately for births and deaths?
I thought John Lumpkin had some really interesting ideas. It was mentioned several times, thinking about vital statistics as part of a larger integrated health record, the first century in the book and the closing chapter.
And finally the vitals, what we have now is a system that is an electronic system that replicates our old paper data collection system. Is there a way to really reimagine vitals without thinking about it as an imaging system of paper? Those were the majors.
These were really important. Ursula, have we built a house too large for the foundation? And that came I think from Dave’s insightful comment that health statistics is built on the foundation of birth and death information. And another nugget from Dave, you are special, but you are not that different. I am going to make a tee-shirt for that.
DR. ROSS: As one who has had to struggle with US public health for many years, it finally came to me, you guys think you are all different. You are not. We will just make you special.
It was a very nice summary. I think it was a very useful two days. I think all of us learned a bunch that we didn’t know. I was impressed at people, Bruce, like you who actually know this stuff didn’t know all this stuff. That just taught me in a nutshell how much we got to learn.
A couple of things to say, one is Chesley Richards’ attendance for two full days, he is deputy director over surveillance at CDC. It says to me that we have a chance that eVitals will become a priority of the new director. This hearing was really well-timed. I thank Kate and Rebecca and Bruce for all you did to put it together so comprehensively involving the sections of industry that I didn’t have any idea how they use this data. That is really important.
Incredible and so valuable because now there is this ability to say there are industries that hinge and use and benefit by this information and make money from it, and help the public at large, like the pension issue. I walked away feeling there is hope. I came into with it some of a sense of a tragedy of the commons. What can we do when the benefits seem to accrue to the public, but there is no way to really pay for that. I think there are some options that have to be explored.
I think, Bruce, you mentioned it as sort of the free ride. But the idea that we do need to understand clearly that these data get used for many national policies and purposes and businesses. It all rides on the backs of what are basically nickel and dime vital registrar operations that mostly pay their own way by selling birth and death certificates. So there is no wonder the idea of decoupling the information from that legal process is going to be frightening to them because it utterly challenges their business model. We are going to have to do some thinking.
DR. STEAD: Let me ask if that is actually true. What they need to provide is access to the legal record. If the legal record were much terser, it would still need to be provided. We might could get there. I think the flaw to what I was hoping we could do is I am afraid from the conversation I had with either you or Bruce this morning, the CDC is not a public health agency. Is that correct or incorrect? Covered entities can provide PHI to public health agencies. So we cannot report to the CDC unless the states request us to.
I still think the architectural solution, possible architectural solution, they could be non-disruptive. Suppose the 57 jurisdictions or whatever would ask the CDC to do the public health surveillance. Let’s start with just birth for a second. Suppose births were dual-reported. The legal component of birth was reported to the registration system in a way that made their life easier. They could continue to sell the legal record. At the same time, the initial page of the surveillance record could be reported to the CDC.
I think the key thing here would be to report the legal record to the state. Then access to that legal record continues to live under the legislatures. The business function of the registration office continues to work. But the surveillance thing is reported to the CDC. And access to the surveillance thing could then be different. I am trying to think of some way, and that may not be the right one. We need something that allows us to break open the current conundrum.
DR. ROSS: I wholly support what you are saying. I have thought that for a long time. I just think to get there, we are going to first have to commission kind of an analysis of all the money flow, so we would actually know for a fact for certain what the impact would be. But if we could help them see, or if in fact it turned out to be the case, that they are not going to go out of business if that happened. Then we open up a new world. We stop carving everything in the book of life and death, and then trying to extract information from it.
DR. RIPPEN: There are different levels kind of to the point of the discussion of the purpose of the information. Are we saying that as far as HHS is concerned, that the big issue is that we just need to get things quicker, and we don’t want to get into the weeds of a formal record? We are doing surveillance, as opposed to the official record.
The official record, remember, is used by the Social Security, it is used by lots of other organizations as a formal kind of truth. It didn’t sound to me, just quickly, from NCHS’s perspective that they thought things were broken. They just were talking about the money. But I guess I could have been mistaken.
DR. ROSS: This is where we have to tease this problem apart. There is a lot for this committee, I think, to chew on as we think towards additional recommendations. But the process of getting to gold standard of the information — well, I mean, knowing that you have got complete accuracy on birth data or the death data. Part of that is for the legal certificate part. Part of it has to do with levels of precision one seeks out of the use of the data for national estimates and other things.
But what is left, what is missing and always has been is what is good enough for surveillance to propel a number of other actions forward. So as a result of holding onto it, until we get the perfect dataset, we had to create all sorts of workarounds and start up and pay for other systems to give that basic data that, for surveillance purposes, it doesn’t have to be absolutely perfect.
DR. RIPPEN: I totally can understand that. I guess the issue then becomes what is the purpose? What is it that we are focusing on? If we are saying our focus is to enable a surveillance system that is more timely and accurate, that is based on vital statistics data, that is one thing. If we are talking about the vital statistics system, that is different. I am just trying to figure out where we are going.
MS. HINES: And interoperability, I mean, that was really —
DR. COHEN: I am very anxious to hear what other folks have to say.
DR. MAYS: I saw the visioning. In the visioning, I think the concept of linkage should be kind of emphasized more than even things or places, EHR and all that kind of stuff. I think next steps are we are not ready right now for the next step. I think that we need to do more fact finding. I am going to push that we take some of the November time before it gets taken by other people, that we take some of that time and figure out. We still need to educate ourselves about some things like the marriage, the death, where you live, housing and all that kind of stuff. I think we need to figure that out.
I think we also need to just have time for us and say, okay, this is what I think is short-term. This is what I think is medium, and this is what I think is a visioning. And we should do that before November, so that we know who we want to hear from. So that in the November time, we are then saying, oh, these are the things that we are not going to do. These are the things we are agreeing on. Here is what our next steps would be, which then we would be, I think was our next meeting is January? Oh, gosh, these times are short. That would be my suggestion. Let’s not make too many decisions today.
DR. COHEN: I don’t think we are going to make any decisions today. The question is where do we go from here and if there are things that we missed, so that was really helpful.
MS. KLOSS: Another thing I heard that seemed promising is the idea that we really needed to build a more compelling case, especially in light of things going on in the world now. There is some real urgency to having this data timely, accurate, at hand. We heard so many valuable purposes of this data, and getting that stakeholder and the case, building the case, it needs to be done.
MS. LOVE: There were a couple of things. I wanted to just raise, and I don’t really think this is a huge issue, and I don’t want to debate it right now, but be really sensitive about state reporting. We have some sensitivity about states sending data off to the national entities. There are some politics involved with that.
We just need to be aware as we navigate that terrain. Even some of my state laws on the hospital reporting cannot go to national, where it has to benefit the state. But there are some politics with epidemiologists at the local level. That is just a little aside.
I am going to say something that might get me in trouble, but so what? We are at the end of the day. I was just kind of surprised when I came in. I have a national meeting coming up, so I am in the hall on a conference call, that DHS has joined public health surveillance. That is all I am saying. It just kind of floored me. DHS is doing public health surveillance. I just was kind of stunned. That is my, as Steve Colbert says, midnight confessions or Friday night confessions. I was just kind of blown away by that. There is no comment that needs to be made. I was stunned.
DR. THORPE: I was going to raise that very same issue. I was going to pose it as a question, who does what?
DR. COHEN: One of the things that clearly I think is first steps is understanding all these uses a lot better. People came up and talked to us about I use it for this, I use it for that. Again, I think we need a map of the uses and where the data come from, and whether you pay, so that would really help begin to disentangle that piece of it. I think I have a much better understanding of how the data are collected, but still this soup of uses needs to be, I think, explicated more.
MS. HINES: When you say where the data come from, are the two options or what are the options?
DR. COHEN: They can come directly from the states. They can come from CMS. They can come from us SSA. They can come from NCHS. Those are generally the four possible places that I can think of offhand. I think those are the four.
MR. COUSSOULE: Not the source data, but where the individual user got —
DR. RIPPEN: Then I just wanted to add because they were talking about is there anything missing. The two things that I didn’t think, and maybe it is we don’t want to move forward, but there was this notion of a minimal set to kind of the core. There is all this other information we can get. Every state adds their own because they have their own little project. So is there a minimal set that might provide some guidance. Then the model law, as it relates to who gets to use it, so then there is more uniformity. Those were just two themes that I didn’t think were put on there.
DR. COHEN: The minimum set, so the question is how minimum the minimum set is. The minimum set for birth data is something required by NCHS that all jurisdictions meet.
DR. RIPPEN: People were adding stuff to it. That is all I am saying.
DR. COHEN: But it turns out that the minimum set is quite extensive. So that is a potential issue.
DR. ROSS: On the backs of the state, who we are layering this on top of. It is an unfair game because the people who have to collect it aren’t necessarily deriving the benefit —
DR. RIPPEN: I am assuming that the minimal set is coming from the states with regards to there is a requirement, right, that is brought down. But they may add other things.
DR. COHEN: The minimum set is prescribed by NCHS in order to be reimbursed through the vital statistics —
MS. KLOSS: That is the model of automating the paper system. People keep adding abstract —
DR. COHEN: The issue isn’t, I don’t think, for most jurisdictions the number of items they have added. It is collecting the expansive base for births. For deaths, there is a different set of issues.
So to get back to Bill’s idea of decoupling, the states wouldn’t have any problem sending de-identified surveillance data rapidly to NCHS. The issue is once you attach a name, which you need for a variety of reasons, then the transmission, once it becomes identified, it becomes a whole other ballgame around —
DR. STEAD: I wasn’t suggesting the states send CDC anything. I was suggesting that the states asked CDC to do public health surveillance.
DR. COHEN: I don’t think states would want to do that because the states are the biggest user of the data, despite what we heard. We didn’t have the MCH programs from the health departments. We didn’t have the enormity of local public health data users who, I think, if there was one hole in folks we invited, that would be it. The major use of the birth data, I think, is at the state and local level. A little less so for deaths, but all the programs in the state health department that get the data, some of which pay money in for linking the AIDS surveillance data, the death data.
DR. ROSS: I think you sent us down a little bit of a wrong track by saying to CDC. But it is basically, yes, to the states and to those who need the data for surveillance purposes. But it is to decouple those purposes. Ninety-nine percent of all kids are born in a hospital. If it was such that event of birth and some essential data around it was spawned off to the areas that need it, decoupled from the process of a certificate, all of a sudden, the immunization work, the MCH work, follow on newborn screening, all sorts of things are immediately empowered.
Whereas right now, they have their own system and processes that were laid on a bunch of folks that cost money. It is redundant and it is clunky. That could all be fixed. We have a chance to move to actually the electronic world in a smart way if we separate the notion of legal documentation from use of data, use of the information, so that we can start getting out of the old paper-based world, right? I think that was the driving theme, the reimagining. I think there is a lot of attraction. We saw all these commercial and public benefits that would happen if that were such.
Now, some of the commercial ones hinge on the absolute accuracy of the data. There are several streams of the processes that have to be really thought through if we are going to architect a new set of systems. I think the conclusion was we should do it. If the benefit is there, we are going to have to do it. I think there is a lot for us to chew on.
MS. LOVE: Some states are moving to subscribers and licensing of their public health data, where those power users pay a lot of money.
DR. MAYS: Also, let’s include in this conversation the notion of the bounds. One of the things you had talked about, it was like Linda reframed it, was the issues around quality, completeness. And you were kind of saying, well, maybe we will do that next. But it is part of the architecture. I want to make sure.
MS. KLOSS: Governance and organizational issues, either are designed to support good quality or get in the way. I think it is integral. Certainly, we had a lot of discussion about the cause of death issue, which is fundamental to the value of the data.
DR. COHEN: I think that was one of the biggest changes for me personally. I thought we could separate those out. But after yesterday, it became clear that they are intertwined. I don’t think we will get into the content per se. Maybe we will, who knows. Timeliness and quality are key components for reimagining whatever recommendations we have.
DR. MAYS: And then the other thing is I think that probably the same thing is true in terms of mortality. We put the National Violent Death Reporting System kind of to the side. But if what we are going to do is consider mortality in general and making things better, I am not sure that that one should be put to the side. It probably needs to be a part of this, as well.
DR. COHEN: I think that one of the huge consensus points yesterday was we need to strengthen the medical examiner and coroner system. They need a system for reporting and integrating that information more rapidly and directly into death registration. That, I think, will accomplish some of those goals.
I talked earlier with Susie. Don’t mention yesterday, the notion of trying to figure out how to get more text, more literals on the certificate to be actively part of the database. Hopefully, they are going to get some funding to be able to do that. I think that will help address that.
DR. MAYS: That is the discussion I had with a couple of the people from the medical examiner’s office. That is the work that Michael Hogarth is doing. It is kind of like it should benefit both sides. The research is already going on from the narratives with NVDRS as to ways to use those that actually will help to enhance the overall record.
That is what I am saying. Let’s not artificially put that to the side, but I think we need to bring it in, in order to inform the other part that Dalton is talking about in terms of can we get language. And there are ways to do it, which is machine-learning language. There are a lot of different interventions out there right now that I think would be useful.
DR. COHEN: It is late, but one more question for the group. We will have to talk about what it will look like. Do we think there will be a recommendation letter to the secretary? Are we going to have one big report? Are we going to have a small report and a larger white paper? What products do we see from what we learned yesterday and the day before? Or is it too early to make that?
DR. STEAD: I think that what we learned is probably worthy of a report. I think if you look back at the journey we went on toward the measurement framework of a report that summarizes what we found in the hearing, and that basically makes the statement that we need to do the things you are talking about as follow-up steps like a formal look at the uses and a formal look at how the money flows, which would, if you will, be analogous to the environmental scan that we did after at least one of the workshops.
And then it seems to me that once we get the results of that, we would be in a position to try to either draft recommendations or to draft recommendations that would be the subject of another hearing. I am not smart enough to know what that branch would be. But I would encourage you to capture what we have learned.
I think what we have got enough out of those two days, and the work you did running up to those two days, that it would be valuable to get that into the record quickly. While in parallel with pooling together the key things like the systematic look at uses, systematic funds flow.
MS. HINES: I think Susan has got a great track record for doing that. I think that is done. But I wanted to just throw out, at the risk of being a little bit pedantic, the vision statement and perhaps using that to guide our next steps. If you parse it out, it meets the nation’s need for timely and accurate information. So the assessment of who is using the data from what we heard, or are there other things? What do we know? What do we still need to know? We know the list of 22 federal, it was unbelievable. Get that nailed down.
Sustainable, what is needed for that? Secure, what is needed for that? Robust, what is needed for that? Infrastructure, actually take the vision statement and parse it out as to what have we learned and what do we still need to know to then help us figure out where to go next. I feel like this vision statement is really powerful. We should use it as our north star. But we need to then analyze everything we know or think we still need to know through those concepts.
DR. RIPPEN: I don’t know about the urgency of this one. I agree with what Bill said, except that I thought that it sounded like there was some urgency as it relates to the National Death Index, where people could actually use it from a research perspective and maybe it was at risk. I didn’t know that, but I got that impression.
DR. COHEN: It is not immediately at risk. It is just dissatisfaction with the pricing model.
DR. RIPPEN: Okay because otherwise I was going to say just do a quick letter saying that it is important, blah blah blah, but okay. I just wanted to make sure.
DR. COHEN: Vickie?
DR. MAYS: I think that if we want to play right now in some of the areas where they desperately need information, then it is a different story. If the case, if we wanted to do a letter that was the case about if you think you can pull the data off in terms of opioids, the disasters, and I think you should do it, so that you are really at the attention and those resources that are there.
I think one of the things, in terms of this area, it is really very under-funded. Part of it is the lack of appreciation of how it intersects with some very important areas. I think it is worth thinking about whether or not in terms of the disaster right now, and the recs that people need, and any kind of short-term recommendations that we could come up with, that would be a great fix.
There were some disagreements. I wasn’t on the side of the opioid, but some of the staff was. I will deal with the staff’s perspective that they have the data to present a compelling case. I think if we make a difference in terms of the resources that can be put into this area.
DR. COHEN: Any other thoughts about what are the next steps or where we go in terms of a report?
MR. COUSSOULE: There definitely seems to me to be enough information to provide value with that information. The question is, is that good by itself, or is it better to wait for more of a recommendation of what to do. I don’t know enough about the history of this one or what it is like taken up or taken up there.
One thing I think to think through is, is there enough value created by the publishing of the report, absent what is coming are recommendations because we know there are issues. I mean, the report can clearly say we know there are opportunities. We know there are issues. We have more work to do. Here is what we want to do.
DR. COHEN: So, the question is do we accompany the report with the letter?
DR. STEAD: It is just a packaging and timing thing. If you look at the time it is going to take for Susan to pull the report together, then we are hoping to have the research done on uses and funds flow. You can then put those together with a letter, which is what we did in the past. So in essence, you are breaking the work up into three pieces to get it done fairly quickly.
DR. RIPPEN: I was going to say add another piece, which actually goes to the, you know, for example, if it is opioid or whatever it is. And then say how the system could be leveraged, but these are the gaps. This is what needs to happen to get it to where you can leverage it to its potential. It could be wrapped up as —
MS. KLOSS: Could you call out those use cases in the report?
DR. COHEN: Maybe as part of this, so it will be a report of what happened, plus the use cases, plus whatever we learned in more detail about uses.
DR. STEAD: What we learned in more detail about the questions, and whether that ends up being one document or two is a matter of packaging.
DR. COHEN: So, those are the immediate needs, a report of what happened, a better understanding of uses, of funds flow and perhaps a use case.
DR. STEAD: And then based on that, pop health can say, okay, this looks like good recommendations. Then we can produce the letter that would transmit it all.
DR. COHEN: Thank you.
MS. GOSS: One of the points that I have been trying to make over the last couple of days, and I think you have already heard it, but I am going to say it again is this is a part of a larger conversation of this committee and our visioning work. If we are talking about next generation vital statistics standards, and we are talking about having predictability and the use of our standards as a nation, I think that there is an intersection.
I am really happy to hear the laundry list that you just listed and where we landed. I think that we want to get down to maybe some recommendations. I think the standard subcommittee has some work going. I think privacy has some work going. I think we may want to look at a larger vision, and then try to parse out a couple of very specific concrete, tangible actions that are likely to be well received, that can make that movement. To do it a couple here, a couple there, and kind of push in multiple ways, it kind of gets everybody cohesively moving in a very productive direction.
DR. COHEN: So, moving forward, integrating the next gen vital standards essentially with roadmap ideas about data systems?
MS. GOSS: I don’t have the answer. I think we need a little time from ultimately where this may go. I think this fits in ultimately with the work plan discussions we are going to have tomorrow and some subsequent executive discussion to kind of figure out, you know, take the committee’s input about where we need to be focused and how the pieces fit together, so we can use our criteria on the projects we pick, and we can meet our mission.
DR. STEAD: On that note, can we move adjournment?
MS. KLOSS: This report in this timeframe won’t explore how this should work in an electronic world. We need to at least acknowledge that there is a phase two development work.
DR. COHEN: We really focused, I think, on the short-term, but we should not overlook the longer term.
MS. KLOSS: Kind of like what we do in the Reports to Congress.
DR. STEAD: What I want us to do is to break this task up, so that we get something out reasonably quickly. Now can we move adjournment? Public comments is tomorrow. Adjourned.
(Whereupon, the meeting was adjourned at 5:20 p.m.)